TM-756 updating lambda.tf file to provision s3 bucket with db scripts… #8866

Merged
merged 14 commits into from
Dec 4, 2024

Conversation

mnasr-moj
Contributor

… instead of zipfiles directory

@mnasr-moj mnasr-moj requested review from a team as code owners November 28, 2024 12:50
@github-actions github-actions bot added the environments-repository Used to exclude PRs from this repo in our Slack PR update label Nov 28, 2024
Contributor

#### `Trivy Scan` Failed
<details><summary>Show Output</summary>

```hcl

Trivy will check the following folders:
terraform/environments/apex


Running Trivy in terraform/environments/apex
2024-11-28T12:52:57Z INFO [vulndb] Need to update DB
2024-11-28T12:52:57Z INFO [vulndb] Downloading vulnerability DB...
2024-11-28T12:52:57Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-11-28T12:53:00Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-11-28T12:53:00Z INFO [vuln] Vulnerability scanning is enabled
2024-11-28T12:53:00Z INFO [misconfig] Misconfiguration scanning is enabled
2024-11-28T12:53:00Z INFO [misconfig] Need to update the built-in checks
2024-11-28T12:53:00Z INFO [misconfig] Downloading the built-in checks...
2024-11-28T12:53:00Z ERROR [misconfig] Falling back to embedded checks err="failed to download built-in policies: download error: OCI repository error: 1 error occurred:\n\t* GET https://ghcr.io/v2/aquasecurity/trivy-checks/manifests/1: TOOMANYREQUESTS: retry-after: 906.318µs, allowed: 44000/minute\n\n"
2024-11-28T12:53:00Z INFO [secret] Secret scanning is enabled
2024-11-28T12:53:00Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-11-28T12:53:00Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-11-28T12:53:01Z INFO [terraform scanner] Scanning root module file_path="."
2024-11-28T12:53:01Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2024-11-28T12:53:01Z ERROR [terraform evaluator] Failed to expand dynamic block. block="aws_waf_ipset.wafmanualallowset" err="1 error occurred:\n\t* invalid for-each in aws_waf_ipset.wafmanualallowset.dynamic.ip_set_descriptors block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-28T12:53:01Z ERROR [terraform evaluator] Failed to expand dynamic block. block="aws_waf_ipset.wafmanualallowset" err="1 error occurred:\n\t* invalid for-each in aws_waf_ipset.wafmanualallowset.dynamic.ip_set_descriptors block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-28T12:53:01Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.aws_route53_record.external_lb_validation_core_network_services" value="cty.NilVal"
2024-11-28T12:53:01Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.aws_route53_record.external_lb_validation_core_vpc" value="cty.NilVal"
2024-11-28T12:53:01Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.aws_route53_record.external_lb_validation_self" value="cty.NilVal"
2024-11-28T12:53:01Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.data.aws_route53_zone.core_network_services" value="cty.NilVal"
2024-11-28T12:53:01Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.data.aws_route53_zone.core_vpc" value="cty.NilVal"
2024-11-28T12:53:01Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.data.aws_route53_zone.self" value="cty.NilVal"
2024-11-28T12:53:02Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.apex-ecs.aws_autoscaling_group.cluster-scaling-group" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.cluster-scaling-group.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-28T12:53:02Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.apex-ecs.aws_autoscaling_group.cluster-scaling-group" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.cluster-scaling-group.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-28T12:53:02Z INFO [terraform scanner] Scanning root module file_path="modules/lambdapolicy"
2024-11-28T12:53:02Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="tags"
2024-11-28T12:53:02Z INFO [terraform scanner] Scanning root module file_path="modules/s3"
2024-11-28T12:53:02Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="tags"
2024-11-28T12:53:03Z INFO [terraform executor] Ignore finding rule="aws-elb-alb-not-public" range="modules/alb/main.tf:210-234"
2024-11-28T12:53:03Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0/main.tf:171-179"
2024-11-28T12:53:03Z INFO Number of language-specific files num=0
2024-11-28T12:53:03Z INFO Detected config files num=12

cloudfront.tf (terraform)

Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0013 (HIGH): Distribution allows unencrypted communications.
════════════════════════════════════════
You should not use outdated/insecure TLS versions for encryption. You should be using TLS v1.2+.
Note: that setting minimum_protocol_version = "TLSv1.2_2021" is only possible when cloudfront_default_certificate is false (eg. you are not using the cloudfront.net domain name).
If cloudfront_default_certificate is true then the Cloudfront API will only allow setting minimum_protocol_version = "TLSv1", and setting it to any other value will result in a perpetual diff in your terraform plan's.
The only option when using the cloudfront.net domain name is to ignore this rule.

See https://avd.aquasec.com/misconfig/avd-aws-0013
────────────────────────────────────────
cloudfront.tf:241-245
via cloudfront.tf:177-267 (aws_cloudfront_distribution.external)
────────────────────────────────────────
177 resource "aws_cloudfront_distribution" "external" {
...
241 ┌ viewer_certificate {
242 │ acm_certificate_arn = aws_acm_certificate.cloudfront.arn
243 │ ssl_support_method = "sni-only"
244 │ minimum_protocol_version = "TLSv1.2_2018"
245 └ }
...
267 }
────────────────────────────────────────

AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
cloudfront.tf:131-142
────────────────────────────────────────
131 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "cloudfront" {
132 │ bucket = aws_s3_bucket.cloudfront.id
133 │ rule {
134 │ apply_server_side_encryption_by_default {
135 │ sse_algorithm = "AES256"
136 │ }
137 │ }
138 │ # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
139 └ lifecycle {
...
────────────────────────────────────────

ec2.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
ec2.tf:6-40
────────────────────────────────────────
6 ┌ resource "aws_instance" "apex_db_instance" {
7 │ ami = local.application_data.accounts[local.environment].ec2amiid
8 │ associate_public_ip_address = false
9 │ availability_zone = "eu-west-2a"
10 │ ebs_optimized = true
11 │ instance_type = local.application_data.accounts[local.environment].ec2instancetype
12 │ vpc_security_group_ids = [aws_security_group.database.id]
13 │ monitoring = true
14 └ subnet_id = data.aws_subnet.data_subnets_a.id
..
────────────────────────────────────────

lambda.tf (terraform)

Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0088 (HIGH): Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.

See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
lambda.tf:101-107
────────────────────────────────────────
101 ┌ resource "aws_s3_bucket" "backup_lambda" {
102 │ bucket = "${local.application_name}-${local.environment}-backup-lambda"
103 │ tags = merge(
104 │ local.tags,
105 │ { Name = "${local.application_name}-${local.environment}-backup-lambda" }
106 │ )
107 └ }
────────────────────────────────────────

AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
lambda.tf:101-107
────────────────────────────────────────
101 ┌ resource "aws_s3_bucket" "backup_lambda" {
102 │ bucket = "${local.application_name}-${local.environment}-backup-lambda"
103 │ tags = merge(
104 │ local.tags,
105 │ { Name = "${local.application_name}-${local.environment}-backup-lambda" }
106 │ )
107 └ }
────────────────────────────────────────

modules/ecs/main.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0130 (HIGH): Launch template does not require IMDS access to require a token
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/aws-autoscaling-enforce-http-token-imds
────────────────────────────────────────
modules/ecs/main.tf:119-123
via modules/ecs/main.tf:107-164 (aws_launch_template.ec2-launch-template)
via ecs.tf:5-38 (module.apex-ecs)
────────────────────────────────────────
107 resource "aws_launch_template" "ec2-launch-template" {
...
119 ┌ metadata_options {
120 │ http_endpoint = "enabled"
121 │ http_tokens = "optional"
122 │ http_put_response_hop_limit = "2"
123 └ }
...
164 }
────────────────────────────────────────

modules/s3/main.tf (terraform)

Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0088 (HIGH): Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.

See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
modules/s3/main.tf:1-4
────────────────────────────────────────
1 ┌ resource "aws_s3_bucket" "laa-lambda-backup" {
2 │ bucket = var.bucket_name
3 │ tags = var.tags
4 └ }
────────────────────────────────────────

AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
modules/s3/main.tf:1-4
────────────────────────────────────────
1 ┌ resource "aws_s3_bucket" "laa-lambda-backup" {
2 │ bucket = var.bucket_name
3 │ tags = var.tags
4 └ }
────────────────────────────────────────

trivy_exitcode=1

```

</details>

#### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/apex

*****************************

Running Checkov in terraform/environments/apex
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-11-28 12:53:06,398 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0:None (for external modules, the --download-external-modules flag is required)
2024-11-28 12:53:06,398 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 368, Failed checks: 102, Skipped checks: 5, Parsing errors: 1

Check: CKV_AWS_166: "Ensure Backup Vault is encrypted at rest using KMS CMK"
	FAILED for resource: aws_backup_vault.apex
	File: /backups.tf:6-12
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-backup-vault-is-encrypted-at-rest-using-kms-cmk

		6  | resource "aws_backup_vault" "apex" {
		7  |   name = "${local.application_name}-backup-vault"
		8  |   tags = merge(
		9  |     local.tags,
		10 |     { "Name" = "${local.application_name}-backup-vault" },
		11 |   )
		12 | }

Check: CKV_AWS_166: "Ensure Backup Vault is encrypted at rest using KMS CMK"
	FAILED for resource: aws_backup_vault.prod_apex
	File: /backups.tf:64-71
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-backup-vault-is-encrypted-at-rest-using-kms-cmk

		64 | resource "aws_backup_vault" "prod_apex" {
		65 |   count = local.environment == "production" ? 1 : 0
		66 |   name  = "${local.application_name}-production-backup-vault"
		67 |   tags = merge(
		68 |     local.tags,
		69 |     { "Name" = "${local.application_name}-production-backup-vault" },
		70 |   )
		71 | }

Check: CKV_AWS_300: "Ensure S3 lifecycle configuration sets period for aborting failed uploads"
	FAILED for resource: aws_s3_bucket_lifecycle_configuration.cloudfront
	File: /cloudfront.tf:157-175
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-300

		157 | resource "aws_s3_bucket_lifecycle_configuration" "cloudfront" {
		158 |   count  = local.environment == "production" ? 1 : 0
		159 |   bucket = aws_s3_bucket.cloudfront.id
		160 | 
		161 |   rule {
		162 |     id = "delete-after-90days"
		163 | 
		164 |     expiration {
		165 |       days = 90
		166 |     }
		167 | 
		168 |     noncurrent_version_expiration {
		169 |       newer_noncurrent_versions = 1
		170 |       noncurrent_days           = 90
		171 |     }
		172 | 
		173 |     status = "Enabled"
		174 |   }
		175 | }

Check: CKV_AWS_310: "Ensure CloudFront distributions should have origin failover configured"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:177-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-310

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_374: "Ensure AWS CloudFront web distribution has geo restriction enabled"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:177-267

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_305: "Ensure CloudFront distribution has a default root object configured"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:177-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-305

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_233: "Ensure Create before destroy for ACM certificates"
	FAILED for resource: aws_acm_certificate.cloudfront
	File: /cloudfront.tf:295-305
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-acm-certificate-enables-create-before-destroy

		295 | resource "aws_acm_certificate" "cloudfront" {
		296 |   domain_name               = local.cloudfront_domain
		297 |   validation_method         = "DNS"
		298 |   provider                  = aws.us-east-1
		299 |   subject_alternative_names = local.environment == "production" ? null : [local.lower_env_cloudfront_url]
		300 |   tags                      = local.tags
		301 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		302 |   lifecycle {
		303 |     prevent_destroy = false
		304 |   }
		305 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.apex_db_instance
	File: /ec2.tf:6-40
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		6  | resource "aws_instance" "apex_db_instance" {
		7  |   ami                         = local.application_data.accounts[local.environment].ec2amiid
		8  |   associate_public_ip_address = false
		9  |   availability_zone           = "eu-west-2a"
		10 |   ebs_optimized               = true
		11 |   instance_type               = local.application_data.accounts[local.environment].ec2instancetype
		12 |   vpc_security_group_ids      = [aws_security_group.database.id]
		13 |   monitoring                  = true
		14 |   subnet_id                   = data.aws_subnet.data_subnets_a.id
		15 |   iam_instance_profile        = aws_iam_instance_profile.ec2_instance_profile.id
		16 |   key_name                    = aws_key_pair.apex.key_name
		17 |   user_data_base64            = base64encode(local.database-instance-userdata)
		18 |   user_data_replace_on_change = true
		19 | 
		20 | 
		21 |   root_block_device {
		22 |     delete_on_termination = false
		23 |     encrypted             = true # TODO Confirm if encrypted volumes can work for OAS, as it looks like in MP they must be encrypted
		24 |     volume_size           = 60
		25 |     volume_type           = "gp2"
		26 |     tags = merge(
		27 |       local.tags,
		28 |       { "Name" = "${local.application_name}db-ec2-root" },
		29 |       { "backup" = "false" }
		30 |     )
		31 |   }
		32 | 
		33 |   tags = merge(
		34 |     local.tags,
		35 |     { "Name" = local.database_ec2_name },
		36 |     { "instance-scheduling" = "skip-scheduling" },
		37 |     { "backup" = "false" },
		38 |     local.backup_schedule_tags
		39 |   )
		40 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.db_lambda
	File: /ec2.tf:77-84
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		77 | resource "aws_vpc_security_group_ingress_rule" "db_lambda" {
		78 |   security_group_id            = aws_security_group.database.id
		79 |   description                  = "Allow Lambda SSH access for backup snapshots"
		80 |   referenced_security_group_id = aws_security_group.backup_lambda.id
		81 |   from_port                    = 22
		82 |   ip_protocol                  = "tcp"
		83 |   to_port                      = 22
		84 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.db_outbound
	File: /ec2.tf:105-109
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		105 | resource "aws_vpc_security_group_egress_rule" "db_outbound" {
		106 |   security_group_id = aws_security_group.database.id
		107 |   cidr_ipv4         = "0.0.0.0/0"
		108 |   ip_protocol       = "-1"
		109 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.ec2_instance_policy
	File: /ec2.tf:136-167
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		136 | resource "aws_iam_role_policy" "ec2_instance_policy" {
		137 |   name = "${local.application_name}-ec2-policy"
		138 |   role = aws_iam_role.ec2_instance_role.id
		139 |   policy = jsonencode({
		140 |     Version = "2012-10-17"
		141 |     Statement = [
		142 |       {
		143 |         Effect = "Allow",
		144 |         Action = [
		145 |           "logs:CreateLogGroup",
		146 |           "logs:CreateLogStream",
		147 |           "logs:DescribeLogStreams",
		148 |           "logs:PutRetentionPolicy",
		149 |           "logs:PutLogEvents",
		150 |           "logs:DescribeLogGroups",
		151 |           "cloudwatch:PutMetricData",
		152 |           "cloudwatch:GetMetricStatistics",
		153 |           "cloudwatch:ListMetrics",
		154 |           "ec2:DescribeInstances",
		155 |         ],
		156 |         Resource = "*"
		157 |       },
		158 |       {
		159 |         Effect = "Allow",
		160 |         Action = [
		161 |           "ec2:CreateTags"
		162 |         ],
		163 |         Resource = "*"
		164 |       }
		165 |     ]
		166 |   })
		167 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.ec2_instance_policy
	File: /ec2.tf:136-167
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		136 | resource "aws_iam_role_policy" "ec2_instance_policy" {
		137 |   name = "${local.application_name}-ec2-policy"
		138 |   role = aws_iam_role.ec2_instance_role.id
		139 |   policy = jsonencode({
		140 |     Version = "2012-10-17"
		141 |     Statement = [
		142 |       {
		143 |         Effect = "Allow",
		144 |         Action = [
		145 |           "logs:CreateLogGroup",
		146 |           "logs:CreateLogStream",
		147 |           "logs:DescribeLogStreams",
		148 |           "logs:PutRetentionPolicy",
		149 |           "logs:PutLogEvents",
		150 |           "logs:DescribeLogGroups",
		151 |           "cloudwatch:PutMetricData",
		152 |           "cloudwatch:GetMetricStatistics",
		153 |           "cloudwatch:ListMetrics",
		154 |           "ec2:DescribeInstances",
		155 |         ],
		156 |         Resource = "*"
		157 |       },
		158 |       {
		159 |         Effect = "Allow",
		160 |         Action = [
		161 |           "ec2:CreateTags"
		162 |         ],
		163 |         Resource = "*"
		164 |       }
		165 |     ]
		166 |   })
		167 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.database
	File: /ec2.tf:269-279
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		269 | resource "aws_cloudwatch_log_group" "database" {
		270 |   name              = "${upper(local.application_name)}-EC2-database-alert"
		271 |   retention_in_days = 0
		272 |   # kms_key_id = aws_kms_key.cloudwatch_logs_key.arn # Not encrypted in LZ
		273 |   tags = merge(
		274 |     local.tags,
		275 |     {
		276 |       Name = "${upper(local.application_name)}-EC2-database-alert"
		277 |     }
		278 |   )
		279 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.pmon_status
	File: /ec2.tf:294-304
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		294 | resource "aws_cloudwatch_log_group" "pmon_status" {
		295 |   name              = "${upper(local.application_name)}-EC2-database-pmon-status"
		296 |   retention_in_days = 0
		297 |   # kms_key_id = aws_kms_key.cloudwatch_logs_key.arn # Not encrypted in LZ
		298 |   tags = merge(
		299 |     local.tags,
		300 |     {
		301 |       Name = "${upper(local.application_name)}-EC2-database-pmon-status"
		302 |     }
		303 |   )
		304 | }

Check: CKV_AWS_7: "Ensure rotation for customer created CMKs is enabled"
	FAILED for resource: aws_kms_key.efs
	File: /efs.tf:1-5
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/logging-8

		1 | resource "aws_kms_key" "efs" {
		2 |   description = "KMS key for encrypting EFS"
		3 |   # enable_key_rotation = true
		4 |   tags = local.tags
		5 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.ssh_key
	File: /lambda.tf:7-22
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		7  | resource "aws_ssm_parameter" "ssh_key" {
		8  |   name        = "EC2_SSH_KEY" # This needs to match the name supplied to the dbconnect.js script
		9  |   description = "SSH Key used by Lambda function to access database instance for backup. Value is updated manually."
		10 |   type        = "SecureString"
		11 |   value       = "Placeholder"
		12 | 
		13 |   tags = merge(
		14 |     local.tags,
		15 |     { Name = "EC2_SSH_KEY" }
		16 |   )
		17 |   lifecycle {
		18 |     ignore_changes = [
		19 |       value,
		20 |     ]
		21 |   }
		22 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:50-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		50 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		51 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		52 |   tags = merge(
		53 |     local.tags,
		54 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		55 |   )
		56 |   policy = <<EOF
		57 | {
		58 |     "Version" : "2012-10-17",
		59 |     "Statement": [
		60 |         {
		61 |             "Action": [
		62 |                 "lambda:InvokeFunction",
		63 |                 "ec2:CreateNetworkInterface",
		64 |                 "ec2:DescribeNetworkInterfaces",
		65 |                 "ec2:DeleteNetworkInterface",
		66 |                 "ec2:DescribeSecurityGroups",
		67 |                 "ec2:CreateSnapshot",
		68 |                 "ec2:DeleteSnapshot",
		69 |                 "ec2:DescribeSubnets",
		70 |                 "ec2:DescribeVpcs",
		71 |                 "ec2:DescribeInstances",
		72 |                 "ec2:DescribeAddresses",
		73 |                 "ec2:DescribeInstanceStatus",
		74 |                 "ec2:DescribeVolumes",
		75 |                 "ec2:DescribeSnapshots",
		76 |                 "ec2:CreateTags",
		77 |                 "s3:*",
		78 |                 "ssm:*",
		79 |                 "ses:*",
		80 |                 "logs:*",
		81 |                 "cloudwatch:*",
		82 |                 "sts:AssumeRole"
		83 |             ],
		84 |             "Resource": "*",
		85 |             "Effect": "Allow"
		86 |         }
		87 |     ]
		88 | }
		89 | EOF
		90 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:50-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		50 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		51 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		52 |   tags = merge(
		53 |     local.tags,
		54 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		55 |   )
		56 |   policy = <<EOF
		57 | {
		58 |     "Version" : "2012-10-17",
		59 |     "Statement": [
		60 |         {
		61 |             "Action": [
		62 |                 "lambda:InvokeFunction",
		63 |                 "ec2:CreateNetworkInterface",
		64 |                 "ec2:DescribeNetworkInterfaces",
		65 |                 "ec2:DeleteNetworkInterface",
		66 |                 "ec2:DescribeSecurityGroups",
		67 |                 "ec2:CreateSnapshot",
		68 |                 "ec2:DeleteSnapshot",
		69 |                 "ec2:DescribeSubnets",
		70 |                 "ec2:DescribeVpcs",
		71 |                 "ec2:DescribeInstances",
		72 |                 "ec2:DescribeAddresses",
		73 |                 "ec2:DescribeInstanceStatus",
		74 |                 "ec2:DescribeVolumes",
		75 |                 "ec2:DescribeSnapshots",
		76 |                 "ec2:CreateTags",
		77 |                 "s3:*",
		78 |                 "ssm:*",
		79 |                 "ses:*",
		80 |                 "logs:*",
		81 |                 "cloudwatch:*",
		82 |                 "sts:AssumeRole"
		83 |             ],
		84 |             "Resource": "*",
		85 |             "Effect": "Allow"
		86 |         }
		87 |     ]
		88 | }
		89 | EOF
		90 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:50-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		50 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		51 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		52 |   tags = merge(
		53 |     local.tags,
		54 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		55 |   )
		56 |   policy = <<EOF
		57 | {
		58 |     "Version" : "2012-10-17",
		59 |     "Statement": [
		60 |         {
		61 |             "Action": [
		62 |                 "lambda:InvokeFunction",
		63 |                 "ec2:CreateNetworkInterface",
		64 |                 "ec2:DescribeNetworkInterfaces",
		65 |                 "ec2:DeleteNetworkInterface",
		66 |                 "ec2:DescribeSecurityGroups",
		67 |                 "ec2:CreateSnapshot",
		68 |                 "ec2:DeleteSnapshot",
		69 |                 "ec2:DescribeSubnets",
		70 |                 "ec2:DescribeVpcs",
		71 |                 "ec2:DescribeInstances",
		72 |                 "ec2:DescribeAddresses",
		73 |                 "ec2:DescribeInstanceStatus",
		74 |                 "ec2:DescribeVolumes",
		75 |                 "ec2:DescribeSnapshots",
		76 |                 "ec2:CreateTags",
		77 |                 "s3:*",
		78 |                 "ssm:*",
		79 |                 "ses:*",
		80 |                 "logs:*",
		81 |                 "cloudwatch:*",
		82 |                 "sts:AssumeRole"
		83 |             ],
		84 |             "Resource": "*",
		85 |             "Effect": "Allow"
		86 |         }
		87 |     ]
		88 | }
		89 | EOF
		90 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:50-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		50 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		51 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		52 |   tags = merge(
		53 |     local.tags,
		54 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		55 |   )
		56 |   policy = <<EOF
		57 | {
		58 |     "Version" : "2012-10-17",
		59 |     "Statement": [
		60 |         {
		61 |             "Action": [
		62 |                 "lambda:InvokeFunction",
		63 |                 "ec2:CreateNetworkInterface",
		64 |                 "ec2:DescribeNetworkInterfaces",
		65 |                 "ec2:DeleteNetworkInterface",
		66 |                 "ec2:DescribeSecurityGroups",
		67 |                 "ec2:CreateSnapshot",
		68 |                 "ec2:DeleteSnapshot",
		69 |                 "ec2:DescribeSubnets",
		70 |                 "ec2:DescribeVpcs",
		71 |                 "ec2:DescribeInstances",
		72 |                 "ec2:DescribeAddresses",
		73 |                 "ec2:DescribeInstanceStatus",
		74 |                 "ec2:DescribeVolumes",
		75 |                 "ec2:DescribeSnapshots",
		76 |                 "ec2:CreateTags",
		77 |                 "s3:*",
		78 |                 "ssm:*",
		79 |                 "ses:*",
		80 |                 "logs:*",
		81 |                 "cloudwatch:*",
		82 |                 "sts:AssumeRole"
		83 |             ],
		84 |             "Resource": "*",
		85 |             "Effect": "Allow"
		86 |         }
		87 |     ]
		88 | }
		89 | EOF
		90 | }

Check: CKV_AWS_287: "Ensure IAM policies does not allow credentials exposure"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:50-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-287

		50 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		51 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		52 |   tags = merge(
		53 |     local.tags,
		54 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		55 |   )
		56 |   policy = <<EOF
		57 | {
		58 |     "Version" : "2012-10-17",
		59 |     "Statement": [
		60 |         {
		61 |             "Action": [
		62 |                 "lambda:InvokeFunction",
		63 |                 "ec2:CreateNetworkInterface",
		64 |                 "ec2:DescribeNetworkInterfaces",
		65 |                 "ec2:DeleteNetworkInterface",
		66 |                 "ec2:DescribeSecurityGroups",
		67 |                 "ec2:CreateSnapshot",
		68 |                 "ec2:DeleteSnapshot",
		69 |                 "ec2:DescribeSubnets",
		70 |                 "ec2:DescribeVpcs",
		71 |                 "ec2:DescribeInstances",
		72 |                 "ec2:DescribeAddresses",
		73 |                 "ec2:DescribeInstanceStatus",
		74 |                 "ec2:DescribeVolumes",
		75 |                 "ec2:DescribeSnapshots",
		76 |                 "ec2:CreateTags",
		77 |                 "s3:*",
		78 |                 "ssm:*",
		79 |                 "ses:*",
		80 |                 "logs:*",
		81 |                 "cloudwatch:*",
		82 |                 "sts:AssumeRole"
		83 |             ],
		84 |             "Resource": "*",
		85 |             "Effect": "Allow"
		86 |         }
		87 |     ]
		88 | }
		89 | EOF
		90 | }

Check: CKV_AWS_382: "Ensure no security groups allow egress from 0.0.0.0:0 to port -1"
	FAILED for resource: aws_security_group.backup_lambda
	File: /lambda.tf:188-205

		188 | resource "aws_security_group" "backup_lambda" {
		189 |   name        = "${local.application_name}-${local.environment}-backup-lambda-security-group"
		190 |   description = "Bakcup Lambda Security Group"
		191 |   vpc_id      = data.aws_vpc.shared.id
		192 | 
		193 |   egress {
		194 |     description = "outbound access"
		195 |     from_port   = 0
		196 |     to_port     = 0
		197 |     protocol    = "-1"
		198 |     cidr_blocks = ["0.0.0.0/0"]
		199 |   }
		200 | 
		201 |   tags = merge(
		202 |     local.tags,
		203 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-security-group" }
		204 |   )
		205 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /lambda.tf:219-247
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		219 | resource "aws_lambda_function" "create_db_snapshots" {
		220 | 
		221 |   description      = "Snapshot volumes for Oracle EC2"
		222 |   function_name    = "snapshotDBFunction"
		223 |   role             = aws_iam_role.backup_lambda.arn
		224 |   handler          = "snapshot/dbsnapshot.handler"
		225 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		226 |   runtime          = "nodejs18.x"
		227 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		228 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		229 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		230 |   memory_size      = 128
		231 |   timeout          = 900
		232 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		233 | 
		234 |   environment {
		235 |     variables = {
		236 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		237 |     }
		238 |   }
		239 |   vpc_config {
		240 |     security_group_ids = [aws_security_group.backup_lambda.id]
		241 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		242 |   }
		243 |   tags = merge(
		244 |     local.tags,
		245 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		246 |   )
		247 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /lambda.tf:219-247
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		219 | resource "aws_lambda_function" "create_db_snapshots" {
		220 | 
		221 |   description      = "Snapshot volumes for Oracle EC2"
		222 |   function_name    = "snapshotDBFunction"
		223 |   role             = aws_iam_role.backup_lambda.arn
		224 |   handler          = "snapshot/dbsnapshot.handler"
		225 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		226 |   runtime          = "nodejs18.x"
		227 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		228 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		229 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		230 |   memory_size      = 128
		231 |   timeout          = 900
		232 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		233 | 
		234 |   environment {
		235 |     variables = {
		236 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		237 |     }
		238 |   }
		239 |   vpc_config {
		240 |     security_group_ids = [aws_security_group.backup_lambda.id]
		241 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		242 |   }
		243 |   tags = merge(
		244 |     local.tags,
		245 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		246 |   )
		247 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /lambda.tf:219-247
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		219 | resource "aws_lambda_function" "create_db_snapshots" {
		220 | 
		221 |   description      = "Snapshot volumes for Oracle EC2"
		222 |   function_name    = "snapshotDBFunction"
		223 |   role             = aws_iam_role.backup_lambda.arn
		224 |   handler          = "snapshot/dbsnapshot.handler"
		225 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		226 |   runtime          = "nodejs18.x"
		227 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		228 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		229 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		230 |   memory_size      = 128
		231 |   timeout          = 900
		232 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		233 | 
		234 |   environment {
		235 |     variables = {
		236 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		237 |     }
		238 |   }
		239 |   vpc_config {
		240 |     security_group_ids = [aws_security_group.backup_lambda.id]
		241 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		242 |   }
		243 |   tags = merge(
		244 |     local.tags,
		245 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		246 |   )
		247 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /lambda.tf:219-247
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		219 | resource "aws_lambda_function" "create_db_snapshots" {
		220 | 
		221 |   description      = "Snapshot volumes for Oracle EC2"
		222 |   function_name    = "snapshotDBFunction"
		223 |   role             = aws_iam_role.backup_lambda.arn
		224 |   handler          = "snapshot/dbsnapshot.handler"
		225 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		226 |   runtime          = "nodejs18.x"
		227 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		228 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		229 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		230 |   memory_size      = 128
		231 |   timeout          = 900
		232 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		233 | 
		234 |   environment {
		235 |     variables = {
		236 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		237 |     }
		238 |   }
		239 |   vpc_config {
		240 |     security_group_ids = [aws_security_group.backup_lambda.id]
		241 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		242 |   }
		243 |   tags = merge(
		244 |     local.tags,
		245 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		246 |   )
		247 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /lambda.tf:219-247
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		219 | resource "aws_lambda_function" "create_db_snapshots" {
		220 | 
		221 |   description      = "Snapshot volumes for Oracle EC2"
		222 |   function_name    = "snapshotDBFunction"
		223 |   role             = aws_iam_role.backup_lambda.arn
		224 |   handler          = "snapshot/dbsnapshot.handler"
		225 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		226 |   runtime          = "nodejs18.x"
		227 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		228 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		229 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		230 |   memory_size      = 128
		231 |   timeout          = 900
		232 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		233 | 
		234 |   environment {
		235 |     variables = {
		236 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		237 |     }
		238 |   }
		239 |   vpc_config {
		240 |     security_group_ids = [aws_security_group.backup_lambda.id]
		241 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		242 |   }
		243 |   tags = merge(
		244 |     local.tags,
		245 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		246 |   )
		247 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /lambda.tf:249-271
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		249 | resource "aws_lambda_function" "delete_db_snapshots" {
		250 | 
		251 |   description      = "Clean up script to delete old unused snapshots"
		252 |   function_name    = "deletesnapshotFunction"
		253 |   role             = aws_iam_role.backup_lambda.arn
		254 |   handler          = "deletesnapshots.lambda_handler"
		255 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		256 |   runtime          = "python3.8"
		257 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		258 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		259 |   memory_size      = 3000
		260 |   timeout          = 900
		261 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		262 | 
		263 |   vpc_config {
		264 |     security_group_ids = [aws_security_group.backup_lambda.id]
		265 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		266 |   }
		267 |   tags = merge(
		268 |     local.tags,
		269 |     { Name = "${local.application_name}-${local.environment}-lambda-delete-snapshots" }
		270 |   )
		271 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /lambda.tf:249-271
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		249 | resource "aws_lambda_function" "delete_db_snapshots" {
		250 | 
		251 |   description      = "Clean up script to delete old unused snapshots"
		252 |   function_name    = "deletesnapshotFunction"
		253 |   role             = aws_iam_role.backup_lambda.arn
		254 |   handler          = "deletesnapshots.lambda_handler"
		255 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		256 |   runtime          = "python3.8"
		257 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		258 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		259 |   memory_size      = 3000
		260 |   timeout          = 900
		261 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		262 | 
		263 |   vpc_config {
		264 |     security_group_ids = [aws_security_group.backup_lambda.id]
		265 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		266 |   }
		267 |   tags = merge(
		268 |     local.tags,
		269 |     { Name = "${local.application_name}-${local.environment}-lambda-delete-snapshots" }
		270 |   )
		271 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /lambda.tf:249-271
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		249 | resource "aws_lambda_function" "delete_db_snapshots" {
		250 | 
		251 |   description      = "Clean up script to delete old unused snapshots"
		252 |   function_name    = "deletesnapshotFunction"
		253 |   role             = aws_iam_role.backup_lambda.arn
		254 |   handler          = "deletesnapshots.lambda_handler"
		255 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		256 |   runtime          = "python3.8"
		257 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		258 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		259 |   memory_size      = 3000
		260 |   timeout          = 900
		261 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		262 | 
		263 |   vpc_config {
		264 |     security_group_ids = [aws_security_group.backup_lambda.id]
		265 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		266 |   }
		267 |   tags = merge(
		268 |     local.tags,
		269 |     { Name = "${local.application_name}-${local.environment}-lambda-delete-snapshots" }
		270 |   )
		271 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /lambda.tf:249-271
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		249 | resource "aws_lambda_function" "delete_db_snapshots" {
		250 | 
		251 |   description      = "Clean up script to delete old unused snapshots"
		252 |   function_name    = "deletesnapshotFunction"
		253 |   role             = aws_iam_role.backup_lambda.arn
		254 |   handler          = "deletesnapshots.lambda_handler"
		255 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		256 |   runtime          = "python3.8"
		257 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		258 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		259 |   memory_size      = 3000
		260 |   timeout          = 900
		261 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		262 | 
		263 |   vpc_config {
		264 |     security_group_ids = [aws_security_group.backup_lambda.id]
		265 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		266 |   }
		267 |   tags = merge(
		268 |     local.tags,
		269 |     { Name = "${local.application_name}-${local.environment}-lambda-delete-snapshots" }
		270 |   )
		271 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.connect_db
	File: /lambda.tf:273-304
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		273 | resource "aws_lambda_function" "connect_db" {
		274 | 
		275 |   description      = "SSH to the DB EC2"
		276 |   function_name    = "connectDBFunction"
		277 |   role             = aws_iam_role.backup_lambda.arn
		278 |   handler          = "ssh/dbconnect.handler"
		279 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		280 |   runtime          = "nodejs18.x"
		281 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		282 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		283 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		284 |   memory_size      = 128
		285 |   timeout          = 900
		286 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		287 | 
		288 | 
		289 | 
		290 |   environment {
		291 |     variables = {
		292 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		293 | 
		294 |     }
		295 |   }
		296 |   vpc_config {
		297 |     security_group_ids = [aws_security_group.backup_lambda.id]
		298 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		299 |   }
		300 |   tags = merge(
		301 |     local.tags,
		302 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		303 |   )
		304 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.connect_db
	File: /lambda.tf:273-304
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		273 | resource "aws_lambda_function" "connect_db" {
		274 | 
		275 |   description      = "SSH to the DB EC2"
		276 |   function_name    = "connectDBFunction"
		277 |   role             = aws_iam_role.backup_lambda.arn
		278 |   handler          = "ssh/dbconnect.handler"
		279 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		280 |   runtime          = "nodejs18.x"
		281 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		282 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		283 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		284 |   memory_size      = 128
		285 |   timeout          = 900
		286 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		287 | 
		288 | 
		289 | 
		290 |   environment {
		291 |     variables = {
		292 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		293 | 
		294 |     }
		295 |   }
		296 |   vpc_config {
		297 |     security_group_ids = [aws_security_group.backup_lambda.id]
		298 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		299 |   }
		300 |   tags = merge(
		301 |     local.tags,
		302 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		303 |   )
		304 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.connect_db
	File: /lambda.tf:273-304
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		273 | resource "aws_lambda_function" "connect_db" {
		274 | 
		275 |   description      = "SSH to the DB EC2"
		276 |   function_name    = "connectDBFunction"
		277 |   role             = aws_iam_role.backup_lambda.arn
		278 |   handler          = "ssh/dbconnect.handler"
		279 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		280 |   runtime          = "nodejs18.x"
		281 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		282 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		283 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		284 |   memory_size      = 128
		285 |   timeout          = 900
		286 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		287 | 
		288 | 
		289 | 
		290 |   environment {
		291 |     variables = {
		292 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		293 | 
		294 |     }
		295 |   }
		296 |   vpc_config {
		297 |     security_group_ids = [aws_security_group.backup_lambda.id]
		298 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		299 |   }
		300 |   tags = merge(
		301 |     local.tags,
		302 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		303 |   )
		304 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.connect_db
	File: /lambda.tf:273-304
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		273 | resource "aws_lambda_function" "connect_db" {
		274 | 
		275 |   description      = "SSH to the DB EC2"
		276 |   function_name    = "connectDBFunction"
		277 |   role             = aws_iam_role.backup_lambda.arn
		278 |   handler          = "ssh/dbconnect.handler"
		279 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		280 |   runtime          = "nodejs18.x"
		281 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		282 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		283 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		284 |   memory_size      = 128
		285 |   timeout          = 900
		286 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		287 | 
		288 | 
		289 | 
		290 |   environment {
		291 |     variables = {
		292 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		293 | 
		294 |     }
		295 |   }
		296 |   vpc_config {
		297 |     security_group_ids = [aws_security_group.backup_lambda.id]
		298 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		299 |   }
		300 |   tags = merge(
		301 |     local.tags,
		302 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		303 |   )
		304 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.connect_db
	File: /lambda.tf:273-304
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		273 | resource "aws_lambda_function" "connect_db" {
		274 | 
		275 |   description      = "SSH to the DB EC2"
		276 |   function_name    = "connectDBFunction"
		277 |   role             = aws_iam_role.backup_lambda.arn
		278 |   handler          = "ssh/dbconnect.handler"
		279 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		280 |   runtime          = "nodejs18.x"
		281 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		282 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		283 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		284 |   memory_size      = 128
		285 |   timeout          = 900
		286 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		287 | 
		288 | 
		289 | 
		290 |   environment {
		291 |     variables = {
		292 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		293 | 
		294 |     }
		295 |   }
		296 |   vpc_config {
		297 |     security_group_ids = [aws_security_group.backup_lambda.id]
		298 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		299 |   }
		300 |   tags = merge(
		301 |     local.tags,
		302 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		303 |   )
		304 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.alb.s3-bucket[0]
	File: /modules/alb/main.tf:96-151
	Calling File: /alb.tf:27-163
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		Code lines for this resource are too many. Please use IDE of your choice to review the file.

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: module.alb.aws_secretsmanager_secret.cloudfront
	File: /modules/alb/main.tf:275-278
	Calling File: /alb.tf:27-163
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		275 | resource "aws_secretsmanager_secret" "cloudfront" {
		276 |   name        = "cloudfront-v1-secret-${var.application_name}"
		277 |   description = "Simple secret created by AWS CloudFormation to be shared between ALB and CloudFront"
		278 | }

Check: CKV_AWS_378: "Ensure AWS Load Balancer doesn't use HTTP protocol"
	FAILED for resource: module.alb.aws_lb_target_group.alb_target_group
	File: /modules/alb/main.tf:346-373
	Calling File: /alb.tf:27-163

		346 | resource "aws_lb_target_group" "alb_target_group" {
		347 |   name                 = "${var.application_name}-alb-tg"
		348 |   port                 = var.target_group_port
		349 |   protocol             = var.target_group_protocol
		350 |   vpc_id               = var.vpc_id
		351 |   deregistration_delay = var.target_group_deregistration_delay
		352 |   health_check {
		353 |     interval            = var.healthcheck_interval
		354 |     path                = var.healthcheck_path
		355 |     protocol            = var.healthcheck_protocol
		356 |     timeout             = var.healthcheck_timeout
		357 |     healthy_threshold   = var.healthcheck_healthy_threshold
		358 |     unhealthy_threshold = var.healthcheck_unhealthy_threshold
		359 |   }
		360 |   stickiness {
		361 |     enabled         = var.stickiness_enabled
		362 |     type            = var.stickiness_type
		363 |     cookie_duration = var.stickiness_cookie_duration
		364 |   }
		365 | 
		366 |   tags = merge(
		367 |     var.tags,
		368 |     {
		369 |       Name = "${var.application_name}-alb-tg"
		370 |     },
		371 |   )
		372 | 
		373 | }

Check: CKV_AWS_233: "Ensure Create before destroy for ACM certificates"
	FAILED for resource: module.alb.aws_acm_certificate.external_lb
	File: /modules/alb/main.tf:427-437
	Calling File: /alb.tf:27-163
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-acm-certificate-enables-create-before-destroy

		427 | resource "aws_acm_certificate" "external_lb" {
		428 | 
		429 |   domain_name               = var.acm_cert_domain_name
		430 |   validation_method         = "DNS"
		431 |   subject_alternative_names = var.environment == "production" ? null : ["${var.application_name}.${var.business_unit}-${var.environment}.${var.acm_cert_domain_name}"]
		432 |   tags                      = var.tags
		433 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		434 |   lifecycle {
		435 |     prevent_destroy = false
		436 |   }
		437 | }

Check: CKV_AWS_300: "Ensure S3 lifecycle configuration sets period for aborting failed uploads"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket_lifecycle_configuration.report_lifecycle
	File: /modules/codebuild/main.tf:25-39
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-300

		25 | resource "aws_s3_bucket_lifecycle_configuration" "report_lifecycle" {
		26 |   bucket = aws_s3_bucket.deployment_report.id
		27 | 
		28 |   rule {
		29 |     id = "monthly-expiration"
		30 |     expiration {
		31 |       days = var.s3_lifecycle_expiration_days
		32 |     }
		33 |     noncurrent_version_expiration {
		34 |       noncurrent_days = var.s3_lifecycle_noncurr_version_expiration_days
		35 |     }
		36 | 
		37 |     status = "Enabled"
		38 |   }
		39 | }

Check: CKV_AWS_163: "Ensure ECR image scanning on push is enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_ecr_repository.local-ecr
	File: /modules/codebuild/main.tf:52-66
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-8

		52 | resource "aws_ecr_repository" "local-ecr" {
		53 |   name                 = "${var.app_name}-local-ecr"
		54 |   image_tag_mutability = "MUTABLE"
		55 | 
		56 |   image_scanning_configuration {
		57 |     scan_on_push = false
		58 |   }
		59 | 
		60 |   tags = merge(
		61 |     var.tags,
		62 |     {
		63 |       Name = "${var.app_name}-local-ecr"
		64 |     },
		65 |   )
		66 | }

Check: CKV_AWS_51: "Ensure ECR Image Tags are immutable"
	FAILED for resource: module.apex-ecr-codebuild.aws_ecr_repository.local-ecr
	File: /modules/codebuild/main.tf:52-66
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-24

		52 | resource "aws_ecr_repository" "local-ecr" {
		53 |   name                 = "${var.app_name}-local-ecr"
		54 |   image_tag_mutability = "MUTABLE"
		55 | 
		56 |   image_scanning_configuration {
		57 |     scan_on_push = false
		58 |   }
		59 | 
		60 |   tags = merge(
		61 |     var.tags,
		62 |     {
		63 |       Name = "${var.app_name}-local-ecr"
		64 |     },
		65 |   )
		66 | }

Check: CKV_AWS_136: "Ensure that ECR repositories are encrypted using KMS"
	FAILED for resource: module.apex-ecr-codebuild.aws_ecr_repository.local-ecr
	File: /modules/codebuild/main.tf:52-66
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ecr-repositories-are-encrypted

		52 | resource "aws_ecr_repository" "local-ecr" {
		53 |   name                 = "${var.app_name}-local-ecr"
		54 |   image_tag_mutability = "MUTABLE"
		55 | 
		56 |   image_scanning_configuration {
		57 |     scan_on_push = false
		58 |   }
		59 | 
		60 |   tags = merge(
		61 |     var.tags,
		62 |     {
		63 |       Name = "${var.app_name}-local-ecr"
		64 |     },
		65 |   )
		66 | }
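
The three ECR findings (CKV_AWS_163, CKV_AWS_51, CKV_AWS_136) are one resource; an added example, not the codebuild module's code, of the repository with all three addressed. The KMS key is assumed; the repository name and tags come from the finding.

```hcl
resource "aws_kms_key" "ecr" {
  description         = "${var.app_name} ECR image layer encryption" # assumed
  enable_key_rotation = true
  tags                = var.tags
}

resource "aws_ecr_repository" "local-ecr" {
  name = "${var.app_name}-local-ecr"

  # CKV_AWS_51: a tag can no longer be re-pointed at a different image, so
  # the digest a task definition pulled today is the digest it pulls
  # tomorrow. Pipelines that force-push a moving tag such as "latest" must
  # switch to a unique tag per build (for example the git SHA).
  image_tag_mutability = "IMMUTABLE"

  # CKV_AWS_163: basic vulnerability scan of every pushed image.
  image_scanning_configuration {
    scan_on_push = true
  }

  # CKV_AWS_136: customer-managed key instead of the default SSE-S3.
  # Changing this on an existing repository forces replacement: every
  # image has to be pushed again afterwards, so schedule it.
  encryption_configuration {
    encryption_type = "KMS"
    kms_key         = aws_kms_key.ecr.arn
  }

  tags = merge(var.tags, { Name = "${var.app_name}-local-ecr" })
}
```

Pullers (the ECS container instance role) need no KMS permissions: ECR decrypts layers server-side through a grant it creates on the key, so it is the identity that creates the repository that needs `kms:CreateGrant`, `kms:RetireGrant` and `kms:DescribeKey` on it. If the account has registry-level enhanced scanning (`aws_ecr_registry_scanning_configuration`) turned on, per-repository `scan_on_push` is redundant but Checkov still reports it; keep it `true` rather than adding a skip.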

Check: CKV_AWS_314: "Ensure CodeBuild project environments have a logging configuration"
	FAILED for resource: module.apex-ecr-codebuild.aws_codebuild_project.app-build
	File: /modules/codebuild/main.tf:163-229
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-314

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_316: "Ensure CodeBuild project environments do not have privileged mode enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_codebuild_project.app-build
	File: /modules/codebuild/main.tf:163-229
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-316

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_314: "Ensure CodeBuild project environments have a logging configuration"
	FAILED for resource: module.apex-ecr-codebuild.aws_codebuild_project.test-build
	File: /modules/codebuild/main.tf:231-280
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-314

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
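
The scanner did not print either CodeBuild project, so the following is an added example, not the module's code, of the shape that clears CKV_AWS_314 (both app-build and test-build) and CKV_AWS_316. The log group also shows the 365-day retention that CKV_AWS_338 asks for elsewhere in this report. Project name, service role, buildspec path and `var.log_group_kms_key` are assumptions.

```hcl
resource "aws_cloudwatch_log_group" "codebuild" {
  name              = "/aws/codebuild/${var.app_name}" # assumed
  retention_in_days = 365                              # CKV_AWS_338
  kms_key_id        = var.log_group_kms_key            # assumed: same key the ECS module takes
  tags              = var.tags
}

resource "aws_codebuild_project" "app-build" {
  name         = "${var.app_name}-app-build" # assumed
  service_role = aws_iam_role.codebuild.arn  # assumed

  artifacts {
    type = "NO_ARTIFACTS"
  }

  source {
    type      = "NO_SOURCE"
    buildspec = file("${path.module}/buildspec.yml") # assumed
  }

  environment {
    compute_type = "BUILD_GENERAL1_SMALL"
    image        = "aws/codebuild/amazonlinux2-x86_64-standard:5.0"
    type         = "LINUX_CONTAINER"
    # CKV_AWS_316: privileged mode is root on the build host and exists only
    # to run a Docker daemon inside the build. If this project really does
    # run "docker build", keep it true and record why on the resource:
    #   #checkov:skip=CKV_AWS_316:docker build needs the Docker daemon
    privileged_mode = false
  }

  # CKV_AWS_314: an explicit destination, so build output is retained and
  # encrypted under the same rules as the application logs.
  logs_config {
    cloudwatch_logs {
      status      = "ENABLED"
      group_name  = aws_cloudwatch_log_group.codebuild.name
      stream_name = "app-build"
    }
    s3_logs {
      status = "DISABLED"
    }
  }

  tags = var.tags
}
```

test-build takes the same `logs_config` block with its own `stream_name`. Since this module builds an image for ECR, privileged mode is probably genuinely needed on app-build; the alternative that keeps it `false` is a daemonless builder such as kaniko or buildah in the buildspec.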
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: module.apex-ecs.aws_launch_template.ec2-launch-template
	File: /modules/ecs/main.tf:107-164
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_341: "Ensure Launch template should not have a metadata response hop limit greater than 1"
	FAILED for resource: module.apex-ecs.aws_launch_template.ec2-launch-template
	File: /modules/ecs/main.tf:107-164
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-341

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
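
The launch template was not printed either; this added example (not the ECS module's code) shows the `metadata_options` block that resolves CKV_AWS_79 and CKV_AWS_341 and explains what the hop limit does to containers on the host. AMI and instance-type variables are assumed.

```hcl
resource "aws_launch_template" "ec2-launch-template" {
  name_prefix   = "${var.app_name}-ecs-" # assumed
  image_id      = var.ami_id             # assumed
  instance_type = var.instance_type      # assumed

  metadata_options {
    http_endpoint = "enabled"
    # CKV_AWS_79: IMDSv2 only. Plain GET requests to 169.254.169.254 with no
    # session token are refused, which closes the classic SSRF route to the
    # instance role's credentials.
    http_tokens = "required"
    # CKV_AWS_341: the PUT that obtains a token may travel only one hop.
    # A container in bridge or host network mode is a second hop (docker0
    # NAT), so tasks cannot reach the instance credentials at all and must
    # use their task role through the ECS credentials endpoint instead.
    http_put_response_hop_limit = 1
    instance_metadata_tags      = "disabled"
  }

  # Remaining launch template settings (block devices, IAM instance profile,
  # user data) unchanged.
}
```

The ECS agent on current ECS-optimised AMIs (Linux and Windows) already uses IMDSv2. For tasks in awsvpc mode the hop limit does not apply, so the equivalent control there is the agent setting `ECS_AWSVPC_BLOCK_IMDS=true` in the instance user data.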
Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: module.apex-ecs.aws_iam_policy.ec2_instance_policy
	File: /modules/ecs/main.tf:204-237
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		204 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		205 |   name = "${var.app_name}-ec2-instance-policy"
		206 |   tags = merge(
		207 |     var.tags_common,
		208 |     {
		209 |       Name = "${var.app_name}-ec2-instance-policy"
		210 |     }
		211 |   )
		212 |   policy = <<EOF
		213 | {
		214 |     "Version": "2012-10-17",
		215 |     "Statement": [
		216 |         {
		217 |             "Action": [
		218 |                 "ecs:CreateCluster",
		219 |                 "ecs:DeregisterContainerInstance",
		220 |                 "ecs:DiscoverPollEndpoint",
		221 |                 "ecs:Poll",
		222 |                 "ecs:RegisterContainerInstance",
		223 |                 "ecs:StartTelemetrySession",
		224 |                 "ecs:Submit*",
		225 |                 "logs:CreateLogGroup",
		226 |                 "logs:CreateLogStream",
		227 |                 "logs:PutLogEvents",
		228 |                 "logs:DescribeLogStreams",
		229 |                 "ecr:*"
		230 |             ],
		231 |             "Resource": "*",
		232 |             "Effect": "Allow"
		233 |         }
		234 |     ]
		235 | }
		236 | EOF
		237 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.apex-ecs.aws_iam_policy.ec2_instance_policy
	File: /modules/ecs/main.tf:204-237
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		204 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		205 |   name = "${var.app_name}-ec2-instance-policy"
		206 |   tags = merge(
		207 |     var.tags_common,
		208 |     {
		209 |       Name = "${var.app_name}-ec2-instance-policy"
		210 |     }
		211 |   )
		212 |   policy = <<EOF
		213 | {
		214 |     "Version": "2012-10-17",
		215 |     "Statement": [
		216 |         {
		217 |             "Action": [
		218 |                 "ecs:CreateCluster",
		219 |                 "ecs:DeregisterContainerInstance",
		220 |                 "ecs:DiscoverPollEndpoint",
		221 |                 "ecs:Poll",
		222 |                 "ecs:RegisterContainerInstance",
		223 |                 "ecs:StartTelemetrySession",
		224 |                 "ecs:Submit*",
		225 |                 "logs:CreateLogGroup",
		226 |                 "logs:CreateLogStream",
		227 |                 "logs:PutLogEvents",
		228 |                 "logs:DescribeLogStreams",
		229 |                 "ecr:*"
		230 |             ],
		231 |             "Resource": "*",
		232 |             "Effect": "Allow"
		233 |         }
		234 |     ]
		235 | }
		236 | EOF
		237 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: module.apex-ecs.aws_iam_policy.ec2_instance_policy
	File: /modules/ecs/main.tf:204-237
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		204 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		205 |   name = "${var.app_name}-ec2-instance-policy"
		206 |   tags = merge(
		207 |     var.tags_common,
		208 |     {
		209 |       Name = "${var.app_name}-ec2-instance-policy"
		210 |     }
		211 |   )
		212 |   policy = <<EOF
		213 | {
		214 |     "Version": "2012-10-17",
		215 |     "Statement": [
		216 |         {
		217 |             "Action": [
		218 |                 "ecs:CreateCluster",
		219 |                 "ecs:DeregisterContainerInstance",
		220 |                 "ecs:DiscoverPollEndpoint",
		221 |                 "ecs:Poll",
		222 |                 "ecs:RegisterContainerInstance",
		223 |                 "ecs:StartTelemetrySession",
		224 |                 "ecs:Submit*",
		225 |                 "logs:CreateLogGroup",
		226 |                 "logs:CreateLogStream",
		227 |                 "logs:PutLogEvents",
		228 |                 "logs:DescribeLogStreams",
		229 |                 "ecr:*"
		230 |             ],
		231 |             "Resource": "*",
		232 |             "Effect": "Allow"
		233 |         }
		234 |     ]
		235 | }
		236 | EOF
		237 | }

Check: CKV_AWS_249: "Ensure that the Execution Role ARN and the Task Role ARN are different in ECS Task definitions"
	FAILED for resource: module.apex-ecs.aws_ecs_task_definition.windows_ecs_task_definition
	File: /modules/ecs/main.tf:266-287
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-the-aws-execution-role-arn-and-task-role-arn-are-different-in-ecs-task-definitions

		266 | resource "aws_ecs_task_definition" "windows_ecs_task_definition" {
		267 |   family             = "${var.app_name}-task-definition"
		268 |   count              = var.container_instance_type == "windows" ? 1 : 0
		269 |   execution_role_arn = aws_iam_role.ecs_task_execution_role.arn # grants the Amazon ECS container agents permission to make AWS API calls on your behalf
		270 |   task_role_arn      = aws_iam_role.ecs_task_execution_role.arn # assumed by the containers running in the task, allowing your application code (on the container) to use other AWS services
		271 |   requires_compatibilities = [
		272 |     "EC2",
		273 |   ]
		274 | 
		275 |   # volume {
		276 |   #   name = var.task_definition_volume
		277 |   # }
		278 | 
		279 |   container_definitions = var.task_definition
		280 | 
		281 |   tags = merge(
		282 |     var.tags_common,
		283 |     {
		284 |       Name = "${var.app_name}-windows-task-definition"
		285 |     }
		286 |   )
		287 | }
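
An added example, not the ECS module's code, of splitting the single role in the task definition into the two roles CKV_AWS_249 expects. The execution role is what the ECS agent uses to pull the image and write logs; the task role is what code inside the container gets, so one compromised container should not inherit the agent's permissions and the agent should not inherit the application's. Role names are assumed; the task definition attributes come from the finding.

```hcl
data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

# Trust policy shared by both roles, with the confused-deputy conditions
# ECS documents: only tasks launched in this account and region may assume.
data "aws_iam_policy_document" "ecs_tasks_trust" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["ecs-tasks.amazonaws.com"]
    }
    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = [data.aws_caller_identity.current.account_id]
    }
    condition {
      test     = "ArnLike"
      variable = "aws:SourceArn"
      values   = ["arn:aws:ecs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:*"]
    }
  }
}

# Execution role: used by the agent, never by application code.
resource "aws_iam_role" "ecs_task_execution_role" {
  name               = "${var.app_name}-ecs-task-execution-role"
  assume_role_policy = data.aws_iam_policy_document.ecs_tasks_trust.json
  tags               = var.tags_common
}

resource "aws_iam_role_policy_attachment" "ecs_task_execution" {
  role       = aws_iam_role.ecs_task_execution_role.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
}

# Task role: what the container may call. It starts with no policy at all;
# attach only the statements the application demonstrably needs.
resource "aws_iam_role" "ecs_task_role" {
  name               = "${var.app_name}-ecs-task-role"
  assume_role_policy = data.aws_iam_policy_document.ecs_tasks_trust.json
  tags               = var.tags_common
}

resource "aws_ecs_task_definition" "windows_ecs_task_definition" {
  family                   = "${var.app_name}-task-definition"
  count                    = var.container_instance_type == "windows" ? 1 : 0
  execution_role_arn       = aws_iam_role.ecs_task_execution_role.arn
  task_role_arn            = aws_iam_role.ecs_task_role.arn
  requires_compatibilities = ["EC2"]
  container_definitions    = var.task_definition

  tags = merge(var.tags_common, { Name = "${var.app_name}-windows-task-definition" })
}
```

On Windows container instances the task role only works if the agent was started with task IAM roles enabled (`Initialize-ECSAgent ... -EnableTaskIAMRole` in the instance user data); otherwise the container silently falls back to whatever the instance profile allows.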

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.apex-ecs.aws_iam_policy.ecs_service
	File: /modules/ecs/main.tf:439-467
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		439 | resource "aws_iam_policy" "ecs_service" { #tfsec:ignore:aws-iam-no-policy-wildcards
		440 |   name = "${var.app_name}-ecs-service-policy"
		441 |   tags = merge(
		442 |     var.tags_common,
		443 |     {
		444 |       Name = "${var.app_name}-ecs-service-policy"
		445 |     }
		446 |   )
		447 |   policy = <<EOF
		448 | {
		449 |   "Version": "2012-10-17",
		450 |   "Statement": [
		451 |     {
		452 |       "Effect": "Allow",
		453 |       "Action": [
		454 |         "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
		455 |         "elasticloadbalancing:DeregisterTargets",
		456 |         "elasticloadbalancing:Describe*",
		457 |         "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
		458 |         "elasticloadbalancing:RegisterTargets",
		459 |         "ec2:Describe*",
		460 |         "ec2:AuthorizeSecurityGroupIngress"
		461 |       ],
		462 |       "Resource": ["*"]
		463 |     }
		464 |   ]
		465 | }
		466 | EOF
		467 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: module.apex-ecs.aws_iam_policy.ecs_service
	File: /modules/ecs/main.tf:439-467
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		439 | resource "aws_iam_policy" "ecs_service" { #tfsec:ignore:aws-iam-no-policy-wildcards
		440 |   name = "${var.app_name}-ecs-service-policy"
		441 |   tags = merge(
		442 |     var.tags_common,
		443 |     {
		444 |       Name = "${var.app_name}-ecs-service-policy"
		445 |     }
		446 |   )
		447 |   policy = <<EOF
		448 | {
		449 |   "Version": "2012-10-17",
		450 |   "Statement": [
		451 |     {
		452 |       "Effect": "Allow",
		453 |       "Action": [
		454 |         "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
		455 |         "elasticloadbalancing:DeregisterTargets",
		456 |         "elasticloadbalancing:Describe*",
		457 |         "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
		458 |         "elasticloadbalancing:RegisterTargets",
		459 |         "ec2:Describe*",
		460 |         "ec2:AuthorizeSecurityGroupIngress"
		461 |       ],
		462 |       "Resource": ["*"]
		463 |     }
		464 |   ]
		465 | }
		466 | EOF
		467 | }
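
One added example, not the ECS module's code, covering both wildcard policies the scanner flagged in this module: `ec2_instance_policy` (CKV_AWS_289, CKV_AWS_290, CKV_AWS_355) and `ecs_service` (CKV_AWS_355, CKV_AWS_290). The technique is the same for both: keep the calls that genuinely take no resource ARN in a statement of their own, and give everything else a concrete ARN. `var.ecr_repository_arn`, `var.target_group_arn` and `var.ecs_security_group_id` are assumed module inputs; the policy names, tags and log groups come from the findings.

```hcl
data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

# Container instance role: what the ECS agent on the host needs, no more.
data "aws_iam_policy_document" "ec2_instance" {
  # Agent registration and telemetry. AWS's managed policy for this role
  # (AmazonEC2ContainerServiceforEC2Role) grants these on "*" as well; keep
  # them isolated so the wildcard covers nothing else, and record the
  # residual finding on the resource with a checkov:skip that says why.
  statement {
    sid = "EcsAgent"
    actions = [
      "ecs:DeregisterContainerInstance", "ecs:DiscoverPollEndpoint", "ecs:Poll",
      "ecs:RegisterContainerInstance", "ecs:StartTelemetrySession", "ecs:Submit*",
    ]
    resources = ["*"]
  }

  # ecr:* on "*" (the CKV_AWS_289 hit) let every host call
  # ecr:SetRepositoryPolicy, ecr:PutImage and ecr:DeleteRepository on every
  # repository in the account. Pulling needs one unscoped call and three
  # that accept a repository ARN.
  statement {
    sid       = "EcrAuth"
    actions   = ["ecr:GetAuthorizationToken"] # takes no resource ARN
    resources = ["*"]
  }
  statement {
    sid       = "EcrPull"
    actions   = ["ecr:BatchCheckLayerAvailability", "ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage"]
    resources = [var.ecr_repository_arn] # assumed input: the application's repository
  }

  # Log writes scoped to the two groups this module creates.
  statement {
    sid     = "Logs"
    actions = ["logs:CreateLogStream", "logs:PutLogEvents", "logs:DescribeLogStreams"]
    resources = [
      "${aws_cloudwatch_log_group.cloudwatch_group.arn}:*",
      "${aws_cloudwatch_log_group.ec2.arn}:*",
    ]
  }
}

resource "aws_iam_policy" "ec2_instance_policy" {
  name   = "${var.app_name}-ec2-instance-policy"
  tags   = merge(var.tags_common, { Name = "${var.app_name}-ec2-instance-policy" })
  policy = data.aws_iam_policy_document.ec2_instance.json
}

# Service role: registration on one target group, ingress on one SG.
data "aws_iam_policy_document" "ecs_service" {
  statement {
    sid       = "Describe"
    actions   = ["elasticloadbalancing:Describe*", "ec2:Describe*"] # read-only, not scopable
    resources = ["*"]
  }
  statement {
    sid       = "TargetRegistration"
    actions   = ["elasticloadbalancing:RegisterTargets", "elasticloadbalancing:DeregisterTargets"]
    resources = [var.target_group_arn] # assumed input: the ALB target group
  }
  statement {
    sid       = "SecurityGroupIngress"
    actions   = ["ec2:AuthorizeSecurityGroupIngress"]
    resources = ["arn:aws:ec2:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:security-group/${var.ecs_security_group_id}"] # assumed input
  }
}

resource "aws_iam_policy" "ecs_service" {
  name   = "${var.app_name}-ecs-service-policy"
  tags   = merge(var.tags_common, { Name = "${var.app_name}-ecs-service-policy" })
  policy = data.aws_iam_policy_document.ecs_service.json
}
```

The classic-ELB actions (`RegisterInstancesWithLoadBalancer`, `DeregisterInstancesFromLoadBalancer`) are dropped because the environment fronts ECS with an ALB. Worth checking before keeping the service policy at all: if `aws_ecs_service` does not set `iam_role`, ECS performs target registration through its service-linked role (AWSServiceRoleForECS) and this custom policy has no consumer.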

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: module.apex-ecs.aws_cloudwatch_log_group.cloudwatch_group
	File: /modules/ecs/main.tf:488-499
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		488 | resource "aws_cloudwatch_log_group" "cloudwatch_group" {
		489 |   #checkov:skip=CKV_AWS_158:Temporarily skip KMS encryption check while logging solution is being updated
		490 |   name              = "${var.app_name}-ecs-container-logs"
		491 |   retention_in_days = 90
		492 |   kms_key_id        = var.log_group_kms_key
		493 |   tags = merge(
		494 |     var.tags_common,
		495 |     {
		496 |       Name = "${var.app_name}-ecs-container-logs"
		497 |     }
		498 |   )
		499 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: module.apex-ecs.aws_cloudwatch_log_group.ec2
	File: /modules/ecs/main.tf:506-516
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		506 | resource "aws_cloudwatch_log_group" "ec2" {
		507 |   name              = "${var.app_name}-ecs-ec2-logs"
		508 |   retention_in_days = 90
		509 |   kms_key_id        = var.log_group_kms_key
		510 |   tags = merge(
		511 |     var.tags_common,
		512 |     {
		513 |       Name = "${var.app_name}-ecs-ec2-logs"
		514 |     }
		515 |   )
		516 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy.backuplambdapolicy
	File: /modules/lambdapolicy/main.tf:21-58
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		22 |   name   = var.backup_policy_name
		23 |   tags   = var.tags
		24 |   policy = <<EOF
		25 | {
		26 |     "Version" : "2012-10-17",
		27 |     "Statement": [
		28 |         {
		29 |             "Action": [
		30 |                 "lambda:InvokeFunction",
		31 |                 "ec2:CreateNetworkInterface",
		32 |                 "ec2:DescribeNetworkInterfaces",
		33 |                 "ec2:DeleteNetworkInterface",
		34 |                 "ec2:DescribeSecurityGroups",
		35 |                 "ec2:CreateSnapshot",
		36 |                 "ec2:DeleteSnapshot",
		37 |                 "ec2:DescribeSubnets",
		38 |                 "ec2:DescribeVpcs",
		39 |                 "ec2:DescribeInstances",
		40 |                 "ec2:DescribeAddresses",
		41 |                 "ec2:DescribeInstanceStatus",
		42 |                 "ec2:DescribeVolumes",
		43 |                 "ec2:DescribeSnapshots",
		44 |                 "ec2:CreateTags",
		45 |                 "s3:*",
		46 |                 "ssm:*",
		47 |                 "ses:*",
		48 |                 "logs:*",
		49 |                 "cloudwatch:*",
		50 |                 "sts:AssumeRole"
		51 |             ],
		52 |             "Resource": "*",
		53 |             "Effect": "Allow"
		54 |         }
		55 |     ]
		56 | }
		57 | EOF
		58 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.backuplambdapolicy
	File: /modules/lambdapolicy/main.tf:21-58
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		22 |   name   = var.backup_policy_name
		23 |   tags   = var.tags
		24 |   policy = <<EOF
		25 | {
		26 |     "Version" : "2012-10-17",
		27 |     "Statement": [
		28 |         {
		29 |             "Action": [
		30 |                 "lambda:InvokeFunction",
		31 |                 "ec2:CreateNetworkInterface",
		32 |                 "ec2:DescribeNetworkInterfaces",
		33 |                 "ec2:DeleteNetworkInterface",
		34 |                 "ec2:DescribeSecurityGroups",
		35 |                 "ec2:CreateSnapshot",
		36 |                 "ec2:DeleteSnapshot",
		37 |                 "ec2:DescribeSubnets",
		38 |                 "ec2:DescribeVpcs",
		39 |                 "ec2:DescribeInstances",
		40 |                 "ec2:DescribeAddresses",
		41 |                 "ec2:DescribeInstanceStatus",
		42 |                 "ec2:DescribeVolumes",
		43 |                 "ec2:DescribeSnapshots",
		44 |                 "ec2:CreateTags",
		45 |                 "s3:*",
		46 |                 "ssm:*",
		47 |                 "ses:*",
		48 |                 "logs:*",
		49 |                 "cloudwatch:*",
		50 |                 "sts:AssumeRole"
		51 |             ],
		52 |             "Resource": "*",
		53 |             "Effect": "Allow"
		54 |         }
		55 |     ]
		56 | }
		57 | EOF
		58 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.backuplambdapolicy
	File: /modules/lambdapolicy/main.tf:21-58
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		22 |   name   = var.backup_policy_name
		23 |   tags   = var.tags
		24 |   policy = <<EOF
		25 | {
		26 |     "Version" : "2012-10-17",
		27 |     "Statement": [
		28 |         {
		29 |             "Action": [
		30 |                 "lambda:InvokeFunction",
		31 |                 "ec2:CreateNetworkInterface",
		32 |                 "ec2:DescribeNetworkInterfaces",
		33 |                 "ec2:DeleteNetworkInterface",
		34 |                 "ec2:DescribeSecurityGroups",
		35 |                 "ec2:CreateSnapshot",
		36 |                 "ec2:DeleteSnapshot",
		37 |                 "ec2:DescribeSubnets",
		38 |                 "ec2:DescribeVpcs",
		39 |                 "ec2:DescribeInstances",
		40 |                 "ec2:DescribeAddresses",
		41 |                 "ec2:DescribeInstanceStatus",
		42 |                 "ec2:DescribeVolumes",
		43 |                 "ec2:DescribeSnapshots",
		44 |                 "ec2:CreateTags",
		45 |                 "s3:*",
		46 |                 "ssm:*",
		47 |                 "ses:*",
		48 |                 "logs:*",
		49 |                 "cloudwatch:*",
		50 |                 "sts:AssumeRole"
		51 |             ],
		52 |             "Resource": "*",
		53 |             "Effect": "Allow"
		54 |         }
		55 |     ]
		56 | }
		57 | EOF
		58 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_policy.backuplambdapolicy
	File: /modules/lambdapolicy/main.tf:21-58
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		22 |   name   = var.backup_policy_name
		23 |   tags   = var.tags
		24 |   policy = <<EOF
		25 | {
		26 |     "Version" : "2012-10-17",
		27 |     "Statement": [
		28 |         {
		29 |             "Action": [
		30 |                 "lambda:InvokeFunction",
		31 |                 "ec2:CreateNetworkInterface",
		32 |                 "ec2:DescribeNetworkInterfaces",
		33 |                 "ec2:DeleteNetworkInterface",
		34 |                 "ec2:DescribeSecurityGroups",
		35 |                 "ec2:CreateSnapshot",
		36 |                 "ec2:DeleteSnapshot",
		37 |                 "ec2:DescribeSubnets",
		38 |                 "ec2:DescribeVpcs",
		39 |                 "ec2:DescribeInstances",
		40 |                 "ec2:DescribeAddresses",
		41 |                 "ec2:DescribeInstanceStatus",
		42 |                 "ec2:DescribeVolumes",
		43 |                 "ec2:DescribeSnapshots",
		44 |                 "ec2:CreateTags",
		45 |                 "s3:*",
		46 |                 "ssm:*",
		47 |                 "ses:*",
		48 |                 "logs:*",
		49 |                 "cloudwatch:*",
		50 |                 "sts:AssumeRole"
		51 |             ],
		52 |             "Resource": "*",
		53 |             "Effect": "Allow"
		54 |         }
		55 |     ]
		56 | }
		57 | EOF
		58 | }

Check: CKV_AWS_287: "Ensure IAM policies does not allow credentials exposure"
	FAILED for resource: aws_iam_policy.backuplambdapolicy
	File: /modules/lambdapolicy/main.tf:21-58
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-287

		21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		22 |   name   = var.backup_policy_name
		23 |   tags   = var.tags
		24 |   policy = <<EOF
		25 | {
		26 |     "Version" : "2012-10-17",
		27 |     "Statement": [
		28 |         {
		29 |             "Action": [
		30 |                 "lambda:InvokeFunction",
		31 |                 "ec2:CreateNetworkInterface",
		32 |                 "ec2:DescribeNetworkInterfaces",
		33 |                 "ec2:DeleteNetworkInterface",
		34 |                 "ec2:DescribeSecurityGroups",
		35 |                 "ec2:CreateSnapshot",
		36 |                 "ec2:DeleteSnapshot",
		37 |                 "ec2:DescribeSubnets",
		38 |                 "ec2:DescribeVpcs",
		39 |                 "ec2:DescribeInstances",
		40 |                 "ec2:DescribeAddresses",
		41 |                 "ec2:DescribeInstanceStatus",
		42 |                 "ec2:DescribeVolumes",
		43 |                 "ec2:DescribeSnapshots",
		44 |                 "ec2:CreateTags",
		45 |                 "s3:*",
		46 |                 "ssm:*",
		47 |                 "ses:*",
		48 |                 "logs:*",
		49 |                 "cloudwatch:*",
		50 |                 "sts:AssumeRole"
		51 |             ],
		52 |             "Resource": "*",
		53 |             "Effect": "Allow"
		54 |         }
		55 |     ]
		56 | }
		57 | EOF
		58 | }
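
Five checks fire on `backuplambdapolicy` because it combines `Resource: "*"` with `s3:*`, `ssm:*`, `ses:*`, `logs:*`, `cloudwatch:*` and `sts:AssumeRole`. CKV_AWS_287 (credentials exposure) is the `sts:AssumeRole` on `*`: the function could assume any role in any account whose trust policy names it. CKV_AWS_288 (exfiltration) is mainly the `s3:*` and `ssm:*`: read access to every bucket and every SecureString parameter. An added example, not the lambdapolicy module's code, of the same function's permissions with each action tied to an ARN, a tag or a condition key. `var.application_name`, `var.backup_bucket_arn`, the parameter path, the metric namespace, the `CreatedBy` tag and the target role name are assumptions.

```hcl
data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

locals {
  acct = data.aws_caller_identity.current.account_id
  rgn  = data.aws_region.current.name
}

data "aws_iam_policy_document" "backup_lambda" {
  # ENI management for a VPC-attached function plus the Describe calls;
  # none of these accept a resource ARN.
  statement {
    sid = "VpcNetworkingAndDescribe"
    actions = [
      "ec2:CreateNetworkInterface", "ec2:DeleteNetworkInterface",
      "ec2:DescribeNetworkInterfaces", "ec2:DescribeSecurityGroups",
      "ec2:DescribeSubnets", "ec2:DescribeVpcs", "ec2:DescribeInstances",
      "ec2:DescribeAddresses", "ec2:DescribeInstanceStatus",
      "ec2:DescribeVolumes", "ec2:DescribeSnapshots",
    ]
    resources = ["*"]
  }

  # CreateSnapshot is scoped to the source volume and the new snapshot.
  statement {
    sid     = "CreateSnapshot"
    actions = ["ec2:CreateSnapshot"]
    resources = [
      "arn:aws:ec2:${local.rgn}:${local.acct}:volume/*",
      "arn:aws:ec2:${local.rgn}::snapshot/*",
    ]
  }

  # Tag only at creation time, then allow deletion only of snapshots that
  # carry the tag, so a compromised function cannot delete other backups.
  statement {
    sid       = "TagNewSnapshot"
    actions   = ["ec2:CreateTags"]
    resources = ["arn:aws:ec2:${local.rgn}::snapshot/*"]
    condition {
      test     = "StringEquals"
      variable = "ec2:CreateAction"
      values   = ["CreateSnapshot"]
    }
  }
  statement {
    sid       = "DeleteOwnSnapshots"
    actions   = ["ec2:DeleteSnapshot"]
    resources = ["arn:aws:ec2:${local.rgn}::snapshot/*"]
    condition {
      test     = "StringEquals"
      variable = "aws:ResourceTag/CreatedBy"
      values   = ["${var.application_name}-backup-lambda"] # assumed tag value
    }
  }

  # The one bucket the function reads and writes (CKV_AWS_288).
  statement {
    sid       = "BackupBucket"
    actions   = ["s3:ListBucket", "s3:GetObject", "s3:PutObject"]
    resources = [var.backup_bucket_arn, "${var.backup_bucket_arn}/*"] # assumed input
  }

  # Only the parameters under this function's path (CKV_AWS_288).
  statement {
    sid       = "Parameters"
    actions   = ["ssm:GetParameter", "ssm:GetParameters"]
    resources = ["arn:aws:ssm:${local.rgn}:${local.acct}:parameter/${var.application_name}/backup/*"] # assumed path
  }

  statement {
    sid       = "Email"
    actions   = ["ses:SendEmail", "ses:SendRawEmail"]
    resources = ["arn:aws:ses:${local.rgn}:${local.acct}:identity/*"]
  }

  statement {
    sid       = "Logs"
    actions   = ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"]
    resources = ["arn:aws:logs:${local.rgn}:${local.acct}:log-group:/aws/lambda/${var.application_name}-*:*"] # assumed group
  }

  # PutMetricData takes no ARN; constrain it by namespace instead.
  statement {
    sid       = "Metrics"
    actions   = ["cloudwatch:PutMetricData"]
    resources = ["*"]
    condition {
      test     = "StringEquals"
      variable = "cloudwatch:namespace"
      values   = ["${var.application_name}/backup"] # assumed namespace
    }
  }

  # CKV_AWS_287: name the role, or delete this statement if the function
  # never assumes one.
  statement {
    sid       = "AssumeBackupTargetRole"
    actions   = ["sts:AssumeRole"]
    resources = ["arn:aws:iam::${local.acct}:role/${var.application_name}-backup-target"] # assumed role
  }
}

resource "aws_iam_policy" "backuplambdapolicy" {
  name   = var.backup_policy_name
  tags   = var.tags
  policy = data.aws_iam_policy_document.backup_lambda.json
}
```

`lambda:InvokeFunction` from the original is omitted deliberately: if the function really invokes another function, add a statement naming that function's ARN; if it does not, the permission was only ever surface area. The tag-gated `DeleteSnapshot` statement relies on the function passing a `CreatedBy` tag in the `TagSpecifications` of its `CreateSnapshot` call.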

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: pagerduty_core_alerts
	File: /sns.tf:34-41
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		34 | module "pagerduty_core_alerts" {
		35 |   depends_on = [
		36 |     aws_sns_topic.apex
		37 |   ]
		38 |   source                    = "github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0"
		39 |   sns_topics                = [aws_sns_topic.apex.name]
		40 |   pagerduty_integration_key = local.pagerduty_integration_keys[local.pagerduty_integration_key_name]
		41 | }
Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.apex
	File: /sns.tf:6-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		6  | resource "aws_sns_topic" "apex" {
		7  |   name = "${local.application_name}-${local.environment}-alerting-topic"
		8  |   tags = merge(
		9  |     local.tags,
		10 |     {
		11 |       Name = "${local.application_name}-${local.environment}-alerting-topic"
		12 |     }
		13 |   )
		14 | }

Check: CKV_AWS_176: "Ensure Logging is enabled for WAF Web Access Control Lists"
	FAILED for resource: aws_waf_web_acl.waf_acl
	File: /waf.tf:57-87
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-31

		57 | resource "aws_waf_web_acl" "waf_acl" {
		58 |   depends_on = [
		59 |     aws_waf_rule.wafmanualallowrule,
		60 |     aws_waf_rule.wafmanualblockrule,
		61 |   ]
		62 |   name        = "${upper(local.application_name)} Whitelisting Requesters"
		63 |   metric_name = "${upper(local.application_name)}WhitelistingRequesters"
		64 |   #   scope    = "CLOUDFRONT"
		65 |   #   provider = aws.us-east-1
		66 |   default_action {
		67 |     type = "BLOCK"
		68 |   }
		69 | 
		70 |   rules {
		71 |     action {
		72 |       type = "ALLOW"
		73 |     }
		74 |     priority = 1
		75 |     rule_id  = aws_waf_rule.wafmanualallowrule.id
		76 |     type     = "REGULAR"
		77 |   }
		78 | 
		79 |   rules {
		80 |     action {
		81 |       type = "BLOCK"
		82 |     }
		83 |     priority = 2
		84 |     rule_id  = aws_waf_rule.wafmanualblockrule.id
		85 |     type     = "REGULAR"
		86 |   }
		87 | }

Check: CKV2_AWS_47: "Ensure AWS CloudFront attached WAFv2 WebACL is configured with AMR for Log4j Vulnerability"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:177-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-47

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
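
CKV_AWS_176 (no logging on `aws_waf_web_acl.waf_acl`) and CKV2_AWS_47 (no Log4j managed rule on the WAF in front of `aws_cloudfront_distribution.external`) point at the same decision. `aws_waf_web_acl` is WAF Classic, which cannot carry AWS managed rule groups at all; the commented-out `scope = "CLOUDFRONT"` and `provider = aws.us-east-1` lines in the finding are exactly the WAFv2 shape. An added example, not the apex environment's code, of the WAFv2 web ACL with the managed group the Log4j check looks for and a logging configuration; the existing manual allow/block rules are not reproduced (they become `ip_set_reference_statement` rules at priorities 1 and 2), and the log group name is assumed.

```hcl
provider "aws" {
  alias  = "us-east-1"
  region = "us-east-1" # CloudFront-scoped WAFv2 resources must be created here
}

resource "aws_wafv2_web_acl" "cloudfront" {
  provider = aws.us-east-1
  name     = "${upper(local.application_name)}WhitelistingRequesters"
  scope    = "CLOUDFRONT"

  default_action {
    block {}
  }

  # CKV2_AWS_47 looks for this group, which carries the JNDI/Log4Shell
  # signatures. Priority 0 puts it before the allow-list rule, so an
  # allow-listed source is still blocked when it sends a JNDI payload.
  rule {
    name     = "AWSManagedRulesKnownBadInputsRuleSet"
    priority = 0

    override_action {
      none {}
    }

    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesKnownBadInputsRuleSet"
        vendor_name = "AWS"
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "KnownBadInputs"
      sampled_requests_enabled   = true
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "${upper(local.application_name)}WhitelistingRequesters"
    sampled_requests_enabled   = true
  }
}

# CKV_AWS_176: a log destination. The log group name must start with
# "aws-waf-logs-" or WAF rejects the association.
resource "aws_cloudwatch_log_group" "waf" {
  provider          = aws.us-east-1
  name              = "aws-waf-logs-${local.application_name}-${local.environment}" # assumed
  retention_in_days = 365
  tags              = local.tags
}

resource "aws_wafv2_web_acl_logging_configuration" "cloudfront" {
  provider                = aws.us-east-1
  resource_arn            = aws_wafv2_web_acl.cloudfront.arn
  log_destination_configs = [aws_cloudwatch_log_group.waf.arn]

  # Keep bearer tokens and session cookies out of the log stream.
  redacted_fields {
    single_header {
      name = "authorization"
    }
  }
  redacted_fields {
    single_header {
      name = "cookie"
    }
  }
}
```

The distribution picks it up through `web_acl_id = aws_wafv2_web_acl.cloudfront.arn` (the ARN, not the ID, for WAFv2). Run the managed group with `override_action { count {} }` for a few days first and review the `KnownBadInputs` metric before switching to `none {}`, since the group also matches some legitimate request bodies.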
Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: module.alb.aws_secretsmanager_secret.cloudfront
	File: /modules/alb/main.tf:275-278
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		275 | resource "aws_secretsmanager_secret" "cloudfront" {
		276 |   name        = "cloudfront-v1-secret-${var.application_name}"
		277 |   description = "Simple secret created by AWS CloudFormation to be shared between ALB and CloudFront"
		278 | }
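
CKV2_AWS_57 is awkward for this particular secret: the description says it is the value shared between CloudFront and the ALB, that is, the origin-verification header the ALB listener rule checks so that only CloudFront can reach it. No AWS-supplied rotation function knows how to rotate that, because rotating it means changing the CloudFront origin custom header and the ALB listener rule together. An added example, not the ALB module's code, of the rotation wiring; the rotation Lambda itself (`aws_lambda_function.cloudfront_secret_rotation`) and the KMS key variable are assumed and not shown.

```hcl
resource "aws_secretsmanager_secret" "cloudfront" {
  name        = "cloudfront-v1-secret-${var.application_name}"
  description = "Origin-verification header value shared between ALB and CloudFront"
  kms_key_id  = var.secrets_kms_key_arn # assumed; default is the aws/secretsmanager key
}

# CKV2_AWS_57. The assumed function implements the standard four rotation
# steps (createSecret, setSecret, testSecret, finishSecret); its setSecret
# step must add the new value to the listener rule's http-header condition
# alongside the old one, update the CloudFront origin custom header, and
# only remove the old value once the distribution has finished deploying.
resource "aws_secretsmanager_secret_rotation" "cloudfront" {
  secret_id           = aws_secretsmanager_secret.cloudfront.id
  rotation_lambda_arn = aws_lambda_function.cloudfront_secret_rotation.arn # assumed
  rotation_rules {
    automatically_after_days = 30
  }
}

# Secrets Manager invokes the function; restrict the grant to this secret.
resource "aws_lambda_permission" "cloudfront_secret_rotation" {
  statement_id  = "AllowSecretsManagerInvoke"
  action        = "lambda:InvokeFunction"
  function_name = aws_lambda_function.cloudfront_secret_rotation.function_name # assumed
  principal     = "secretsmanager.amazonaws.com"
  source_arn    = aws_secretsmanager_secret.cloudfront.arn
}
```

The ALB `http_header` condition accepts several values, which is what makes the overlap window possible: both the old and the new header value are accepted while CloudFront propagates, then the old one is dropped. If building that function is not worth it, the honest alternative is a `#checkov:skip=CKV2_AWS_57` on the secret with that reasoning, rather than a rotation that flips the value and breaks the origin for the propagation window. CloudFront VPC origins, which AWS introduced in late 2024, remove the need for a shared secret altogether by letting the distribution reach a private ALB directly.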

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.cloudfront
	File: /cloudfront.tf:109-122
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		109 | resource "aws_s3_bucket" "cloudfront" {
		110 |   bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		111 |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		112 |   tags = merge(
		113 |     local.tags,
		114 |     {
		115 |       Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		116 |     }
		117 |   )
		118 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		119 |   lifecycle {
		120 |     prevent_destroy = false
		121 |   }
		122 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:101-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		101 | resource "aws_s3_bucket" "backup_lambda" {
		102 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		103 |   tags = merge(
		104 |     local.tags,
		105 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		106 |   )
		107 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
	File: /modules/codebuild/main.tf:5-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		5  | resource "aws_s3_bucket" "deployment_report" {
		6  |   bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		7  |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		8  |   tags = merge(
		9  |     var.tags,
		10 |     {
		11 |       Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		12 |     },
		13 |   )
		14 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.laa-lambda-backup
	File: /modules/s3/main.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		1 | resource "aws_s3_bucket" "laa-lambda-backup" {
		2 |   bucket = var.bucket_name
		3 |   tags   = var.tags
		4 | }

Check: CKV2_AWS_32: "Ensure CloudFront distribution has a response headers policy attached"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:177-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/bc-aws-networking-65

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
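
An added example, not the apex environment's code, of the response headers policy CKV2_AWS_32 expects and where it attaches on the distribution. A policy at the edge is the place to set the browser-side headers consistently even when the application behind the ALB does not. Policy name and the CSP value are assumptions; a real CSP needs the application's script and asset origins.

```hcl
resource "aws_cloudfront_response_headers_policy" "external" {
  name = "${local.application_name}-${local.environment}-security-headers" # assumed

  security_headers_config {
    strict_transport_security {
      access_control_max_age_sec = 31536000
      include_subdomains         = true
      preload                    = false # set only once the whole zone serves HTTPS
      override                   = true
    }
    content_type_options {
      override = true # X-Content-Type-Options: nosniff
    }
    frame_options {
      frame_option = "DENY"
      override     = true
    }
    referrer_policy {
      referrer_policy = "strict-origin-when-cross-origin"
      override        = true
    }
    content_security_policy {
      # Assumed minimal policy; override=false keeps the application's own
      # CSP header if it already sends one.
      content_security_policy = "frame-ancestors 'none'"
      override                = false
    }
  }
}

resource "aws_cloudfront_distribution" "external" {
  # Remaining distribution settings unchanged.

  default_cache_behavior {
    # Remaining cache behaviour settings unchanged.
    response_headers_policy_id = aws_cloudfront_response_headers_policy.external.id
  }
}
```

Each `ordered_cache_behavior` needs the same `response_headers_policy_id`; the check only looks at the default behaviour, but browsers do not.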
Check: CKV2_AWS_18: "Ensure that Elastic File System (Amazon EFS) file systems are added in the backup plans of AWS Backup"
	FAILED for resource: aws_efs_file_system.efs
	File: /efs.tf:41-55
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-elastic-file-system-amazon-efs-file-systems-are-added-in-the-backup-plans-of-aws-backup

		41 | resource "aws_efs_file_system" "efs" {
		42 |   encrypted        = true
		43 |   kms_key_id       = aws_kms_key.efs.arn
		44 |   performance_mode = "maxIO"
		45 |   throughput_mode  = "bursting"
		46 | 
		47 |   tags = merge(
		48 |     local.tags,
		49 |     { "Name" = "mp-${local.application_name}-efs" }
		50 |   )
		51 | 
		52 |   lifecycle_policy {
		53 |     transition_to_ia = "AFTER_90_DAYS"
		54 |   }
		55 | }
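
An added example, not the apex environment's code, of the AWS Backup plan and selection that CKV2_AWS_18 looks for. The file system is encrypted with `aws_kms_key.efs`, so the vault reuses that key here (an assumption; a separate key gives backups an independent blast radius). Vault, plan and role names are assumed.

```hcl
resource "aws_backup_vault" "efs" {
  name        = "${local.application_name}-${local.environment}-efs" # assumed
  kms_key_arn = aws_kms_key.efs.arn
  tags        = local.tags
}

resource "aws_backup_plan" "efs" {
  name = "${local.application_name}-${local.environment}-efs-daily" # assumed

  rule {
    rule_name         = "daily"
    target_vault_name = aws_backup_vault.efs.name
    schedule          = "cron(0 2 * * ? *)" # 02:00 UTC every day
    start_window      = 60
    completion_window = 180

    # Recovery points move to cold storage after 30 days and are deleted
    # after 120; delete_after must be at least 90 days past cold_storage_after.
    lifecycle {
      cold_storage_after = 30
      delete_after       = 120
    }
  }

  tags = local.tags
}

resource "aws_iam_role" "backup" {
  name = "${local.application_name}-${local.environment}-backup" # assumed
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Action    = "sts:AssumeRole"
      Principal = { Service = "backup.amazonaws.com" }
    }]
  })
  tags = local.tags
}

resource "aws_iam_role_policy_attachment" "backup" {
  role       = aws_iam_role.backup.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForBackup"
}

# The selection is what ties the file system to the plan; CKV2_AWS_18 is
# satisfied by a selection that names the EFS ARN.
resource "aws_backup_selection" "efs" {
  name         = "${local.application_name}-efs" # assumed
  plan_id      = aws_backup_plan.efs.id
  iam_role_arn = aws_iam_role.backup.arn
  resources    = [aws_efs_file_system.efs.arn]
}
```

If the platform already runs an account-wide, tag-driven backup plan, tagging the file system into it is the operationally simpler route, but Checkov cannot see a selection defined in another state and will keep reporting this one until either an explicit selection exists or the finding is skipped with that justification. `aws_efs_backup_policy` (EFS automatic backups) is another single-resource option, though it is a different mechanism from the plan this check evaluates.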

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.cloudfront
	File: /cloudfront.tf:109-122
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		109 | resource "aws_s3_bucket" "cloudfront" {
		110 |   bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		111 |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		112 |   tags = merge(
		113 |     local.tags,
		114 |     {
		115 |       Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		116 |     }
		117 |   )
		118 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		119 |   lifecycle {
		120 |     prevent_destroy = false
		121 |   }
		122 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:101-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		101 | resource "aws_s3_bucket" "backup_lambda" {
		102 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		103 |   tags = merge(
		104 |     local.tags,
		105 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		106 |   )
		107 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
	File: /modules/codebuild/main.tf:5-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		5  | resource "aws_s3_bucket" "deployment_report" {
		6  |   bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		7  |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		8  |   tags = merge(
		9  |     var.tags,
		10 |     {
		11 |       Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		12 |     },
		13 |   )
		14 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.laa-lambda-backup
	File: /modules/s3/main.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		1 | resource "aws_s3_bucket" "laa-lambda-backup" {
		2 |   bucket = var.bucket_name
		3 |   tags   = var.tags
		4 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.cloudfront
	File: /cloudfront.tf:109-122
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		109 | resource "aws_s3_bucket" "cloudfront" {
		110 |   bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		111 |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		112 |   tags = merge(
		113 |     local.tags,
		114 |     {
		115 |       Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		116 |     }
		117 |   )
		118 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		119 |   lifecycle {
		120 |     prevent_destroy = false
		121 |   }
		122 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:101-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		101 | resource "aws_s3_bucket" "backup_lambda" {
		102 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		103 |   tags = merge(
		104 |     local.tags,
		105 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		106 |   )
		107 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
	File: /modules/codebuild/main.tf:5-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		5  | resource "aws_s3_bucket" "deployment_report" {
		6  |   bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		7  |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		8  |   tags = merge(
		9  |     var.tags,
		10 |     {
		11 |       Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		12 |     },
		13 |   )
		14 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.laa-lambda-backup
	File: /modules/s3/main.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		1 | resource "aws_s3_bucket" "laa-lambda-backup" {
		2 |   bucket = var.bucket_name
		3 |   tags   = var.tags
		4 | }

Check: CKV2_AWS_65: "Ensure access control lists for S3 buckets are disabled"
	FAILED for resource: aws_s3_bucket_ownership_controls.backup_lambda
	File: /lambda.tf:128-133
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-112

		128 | resource "aws_s3_bucket_ownership_controls" "backup_lambda" {
		129 |   bucket = aws_s3_bucket.backup_lambda.id
		130 |   rule {
		131 |     object_ownership = "ObjectWriter"
		132 |   }
		133 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.u01-orahome
	File: /ec2.tf:169-184
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		169 | resource "aws_ebs_volume" "u01-orahome" {
		170 |   availability_zone = "eu-west-2a"
		171 |   size              = local.application_data.accounts[local.environment].u01_orahome_size
		172 |   type              = "gp3"
		173 |   encrypted         = true
		174 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		175 |   snapshot_id       = local.application_data.accounts[local.environment].u01_orahome_snapshot
		176 |   lifecycle {
		177 |     ignore_changes = [kms_key_id]
		178 |   }
		179 |   tags = merge(
		180 |     local.tags,
		181 |     { "Name" = "${local.application_name}db-ec2-u01-orahome" },
		182 |     { "backup" = "false" }
		183 |   )
		184 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.u02-oradata
	File: /ec2.tf:191-206
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		191 | resource "aws_ebs_volume" "u02-oradata" {
		192 |   availability_zone = "eu-west-2a"
		193 |   size              = local.application_data.accounts[local.environment].u02_oradata_size
		194 |   type              = "gp3"
		195 |   encrypted         = true
		196 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		197 |   snapshot_id       = local.application_data.accounts[local.environment].u02_oradata_snapshot
		198 |   lifecycle {
		199 |     ignore_changes = [kms_key_id]
		200 |   }
		201 |   tags = merge(
		202 |     local.tags,
		203 |     { "Name" = "${local.application_name}db-ec2-u02-oradata" },
		204 |     { "backup" = "false" }
		205 |   )
		206 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.u03-redo
	File: /ec2.tf:216-231
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		216 | resource "aws_ebs_volume" "u03-redo" {
		217 |   availability_zone = "eu-west-2a"
		218 |   size              = local.application_data.accounts[local.environment].u03_redo_size
		219 |   type              = "gp3"
		220 |   encrypted         = true
		221 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		222 |   snapshot_id       = local.application_data.accounts[local.environment].u03_redo_snapshot
		223 |   lifecycle {
		224 |     ignore_changes = [kms_key_id]
		225 |   }
		226 |   tags = merge(
		227 |     local.tags,
		228 |     { "Name" = "${local.application_name}db-ec2-u03-redo" },
		229 |     { "backup" = "false" }
		230 |   )
		231 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.u04-arch
	File: /ec2.tf:238-253
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		238 | resource "aws_ebs_volume" "u04-arch" {
		239 |   availability_zone = "eu-west-2a"
		240 |   size              = local.application_data.accounts[local.environment].u04_arch_size
		241 |   type              = "gp3"
		242 |   encrypted         = true
		243 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		244 |   snapshot_id       = local.application_data.accounts[local.environment].u04_arch_snapshot
		245 |   lifecycle {
		246 |     ignore_changes = [kms_key_id]
		247 |   }
		248 |   tags = merge(
		249 |     local.tags,
		250 |     { "Name" = "${local.application_name}db-ec2-u04-arch" },
		251 |     { "backup" = "false" }
		252 |   )
		253 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.cloudfront
	File: /cloudfront.tf:109-122
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		109 | resource "aws_s3_bucket" "cloudfront" {
		110 |   bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		111 |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		112 |   tags = merge(
		113 |     local.tags,
		114 |     {
		115 |       Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		116 |     }
		117 |   )
		118 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		119 |   lifecycle {
		120 |     prevent_destroy = false
		121 |   }
		122 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:101-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		101 | resource "aws_s3_bucket" "backup_lambda" {
		102 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		103 |   tags = merge(
		104 |     local.tags,
		105 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		106 |   )
		107 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
	File: /modules/codebuild/main.tf:5-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		5  | resource "aws_s3_bucket" "deployment_report" {
		6  |   bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		7  |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		8  |   tags = merge(
		9  |     var.tags,
		10 |     {
		11 |       Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		12 |     },
		13 |   )
		14 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.laa-lambda-backup
	File: /modules/s3/main.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		1 | resource "aws_s3_bucket" "laa-lambda-backup" {
		2 |   bucket = var.bucket_name
		3 |   tags   = var.tags
		4 | }

Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
	File: /modules/codebuild/main.tf:5-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		5  | resource "aws_s3_bucket" "deployment_report" {
		6  |   bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		7  |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		8  |   tags = merge(
		9  |     var.tags,
		10 |     {
		11 |       Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		12 |     },
		13 |   )
		14 | }

Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:101-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		101 | resource "aws_s3_bucket" "backup_lambda" {
		102 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		103 |   tags = merge(
		104 |     local.tags,
		105 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		106 |   )
		107 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.laa-lambda-backup
	File: /modules/s3/main.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		1 | resource "aws_s3_bucket" "laa-lambda-backup" {
		2 |   bucket = var.bucket_name
		3 |   tags   = var.tags
		4 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.cloudfront
	File: /cloudfront.tf:109-122
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		109 | resource "aws_s3_bucket" "cloudfront" {
		110 |   bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		111 |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		112 |   tags = merge(
		113 |     local.tags,
		114 |     {
		115 |       Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		116 |     }
		117 |   )
		118 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		119 |   lifecycle {
		120 |     prevent_destroy = false
		121 |   }
		122 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV2_AWS_46: "Ensure AWS CloudFront Distribution with S3 have Origin Access set to enabled"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:177-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-aws-cloudfromt-distribution-with-s3-have-origin-access-set-to-enabled

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
terraform_plan scan results:

Passed checks: 0, Failed checks: 0, Skipped checks: 0, Parsing errors: 1


checkov_exitcode=1

TFLint Scan Failed
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/apex

*****************************

Running tflint in terraform/environments/apex
Excluding the following checks: terraform_unused_declarations
7 issue(s) found:

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/apex/alb.tf line 17:
  17:     "${local.application_data.accounts[local.environment].acm_cert_domain_name}" = {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/apex/alb.tf line 19:
  19:       zone_name = "${local.application_data.accounts[local.environment].acm_cert_domain_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "template" in `required_providers` (terraform_required_providers)

  on terraform/environments/apex/cloudwatch.tf line 401:
 401: data "template_file" "dashboard" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "local" in `required_providers` (terraform_required_providers)

  on terraform/environments/apex/ec2.tf line 42:
  42: data "local_file" "cloudwatch_agent" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/apex/event_triggers.tf line 22:
  22:   input = jsonencode({ "appname" : "${local.database_ec2_name}" })

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "time" in `required_providers` (terraform_required_providers)

  on terraform/environments/apex/lambda.tf line 123:
 123: resource "time_sleep" "wait_for_provision_files" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "archive" in `required_providers` (terraform_required_providers)

  on terraform/environments/apex/lambda.tf line 177:
 177: data "archive_file" "connect_db" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

tflint_exitcode=2

Trivy Scan Failed

*****************************

Trivy will check the following folders:
terraform/environments/apex

*****************************

Running Trivy in terraform/environments/apex
2024-11-28T12:52:57Z	INFO	[vulndb] Need to update DB
2024-11-28T12:52:57Z	INFO	[vulndb] Downloading vulnerability DB...
2024-11-28T12:52:57Z	INFO	[vulndb] Downloading artifact...	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-11-28T12:53:00Z	INFO	[vulndb] Artifact successfully downloaded	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-11-28T12:53:00Z	INFO	[vuln] Vulnerability scanning is enabled
2024-11-28T12:53:00Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-11-28T12:53:00Z	INFO	[misconfig] Need to update the built-in checks
2024-11-28T12:53:00Z	INFO	[misconfig] Downloading the built-in checks...
2024-11-28T12:53:00Z	ERROR	[misconfig] Falling back to embedded checks	err="failed to download built-in policies: download error: OCI repository error: 1 error occurred:\n\t* GET https://ghcr.io/v2/aquasecurity/trivy-checks/manifests/1: TOOMANYREQUESTS: retry-after: 906.318µs, allowed: 44000/minute\n\n"
2024-11-28T12:53:00Z	INFO	[secret] Secret scanning is enabled
2024-11-28T12:53:00Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-11-28T12:53:00Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-11-28T12:53:01Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-11-28T12:53:01Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2024-11-28T12:53:01Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="aws_waf_ipset.wafmanualallowset" err="1 error occurred:\n\t* invalid for-each in aws_waf_ipset.wafmanualallowset.dynamic.ip_set_descriptors block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-28T12:53:01Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="aws_waf_ipset.wafmanualallowset" err="1 error occurred:\n\t* invalid for-each in aws_waf_ipset.wafmanualallowset.dynamic.ip_set_descriptors block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-28T12:53:01Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.aws_route53_record.external_lb_validation_core_network_services" value="cty.NilVal"
2024-11-28T12:53:01Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.aws_route53_record.external_lb_validation_core_vpc" value="cty.NilVal"
2024-11-28T12:53:01Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.aws_route53_record.external_lb_validation_self" value="cty.NilVal"
2024-11-28T12:53:01Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.data.aws_route53_zone.core_network_services" value="cty.NilVal"
2024-11-28T12:53:01Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.data.aws_route53_zone.core_vpc" value="cty.NilVal"
2024-11-28T12:53:01Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.data.aws_route53_zone.self" value="cty.NilVal"
2024-11-28T12:53:02Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.apex-ecs.aws_autoscaling_group.cluster-scaling-group" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.cluster-scaling-group.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-28T12:53:02Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.apex-ecs.aws_autoscaling_group.cluster-scaling-group" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.cluster-scaling-group.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-28T12:53:02Z	INFO	[terraform scanner] Scanning root module	file_path="modules/lambdapolicy"
2024-11-28T12:53:02Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="tags"
2024-11-28T12:53:02Z	INFO	[terraform scanner] Scanning root module	file_path="modules/s3"
2024-11-28T12:53:02Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="tags"
2024-11-28T12:53:03Z	INFO	[terraform executor] Ignore finding	rule="aws-elb-alb-not-public" range="modules/alb/main.tf:210-234"
2024-11-28T12:53:03Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0/main.tf:171-179"
2024-11-28T12:53:03Z	INFO	Number of language-specific files	num=0
2024-11-28T12:53:03Z	INFO	Detected config files	num=12

cloudfront.tf (terraform)
=========================
Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0013 (HIGH): Distribution allows unencrypted communications.
════════════════════════════════════════
You should not use outdated/insecure TLS versions for encryption. You should be using TLS v1.2+.
Note: that setting *minimum_protocol_version = "TLSv1.2_2021"* is only possible when *cloudfront_default_certificate* is false (eg. you are not using the cloudfront.net domain name).
If *cloudfront_default_certificate* is true then the Cloudfront API will only allow setting *minimum_protocol_version = "TLSv1"*, and setting it to any other value will result in a perpetual diff in your *terraform plan*'s.
The only option when using the cloudfront.net domain name is to ignore this rule.


See https://avd.aquasec.com/misconfig/avd-aws-0013
────────────────────────────────────────
 cloudfront.tf:241-245
   via cloudfront.tf:177-267 (aws_cloudfront_distribution.external)
────────────────────────────────────────
 177   resource "aws_cloudfront_distribution" "external" {
 ...   
 241 ┌   viewer_certificate {
 242 │     acm_certificate_arn      = aws_acm_certificate.cloudfront.arn
 243 │     ssl_support_method       = "sni-only"
 244 │     minimum_protocol_version = "TLSv1.2_2018"
 245 └   }
 ...   
 267   }
────────────────────────────────────────


AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.


See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 cloudfront.tf:131-142
────────────────────────────────────────
 131 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "cloudfront" {
 132 │   bucket = aws_s3_bucket.cloudfront.id
 133 │   rule {
 134 │     apply_server_side_encryption_by_default {
 135 │       sse_algorithm = "AES256"
 136 │     }
 137 │   }
 138 │   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
 139 │   lifecycle {
 ...   
────────────────────────────────────────



ec2.tf (terraform)
==================
Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 ec2.tf:6-40
────────────────────────────────────────
   6 ┌ resource "aws_instance" "apex_db_instance" {
   7 │   ami                         = local.application_data.accounts[local.environment].ec2amiid
   8 │   associate_public_ip_address = false
   9 │   availability_zone           = "eu-west-2a"
  10 │   ebs_optimized               = true
  11 │   instance_type               = local.application_data.accounts[local.environment].ec2instancetype
  12 │   vpc_security_group_ids      = [aws_security_group.database.id]
  13 │   monitoring                  = true
  14 │   subnet_id                   = data.aws_subnet.data_subnets_a.id
  ..   
────────────────────────────────────────



lambda.tf (terraform)
=====================
Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0088 (HIGH): Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.


See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
 lambda.tf:101-107
────────────────────────────────────────
 101 ┌ resource "aws_s3_bucket" "backup_lambda" {
 102 │   bucket = "${local.application_name}-${local.environment}-backup-lambda"
 103 │   tags = merge(
 104 │     local.tags,
 105 │     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
 106 │   )
 107 └ }
────────────────────────────────────────


AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.


See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 lambda.tf:101-107
────────────────────────────────────────
 101 ┌ resource "aws_s3_bucket" "backup_lambda" {
 102 │   bucket = "${local.application_name}-${local.environment}-backup-lambda"
 103 │   tags = merge(
 104 │     local.tags,
 105 │     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
 106 │   )
 107 └ }
────────────────────────────────────────



modules/ecs/main.tf (terraform)
===============================
Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0130 (HIGH): Launch template does not require IMDS access to require a token
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/aws-autoscaling-enforce-http-token-imds
────────────────────────────────────────
 modules/ecs/main.tf:119-123
   via modules/ecs/main.tf:107-164 (aws_launch_template.ec2-launch-template)
    via ecs.tf:5-38 (module.apex-ecs)
────────────────────────────────────────
 107   resource "aws_launch_template" "ec2-launch-template" {
 ...   
 119 ┌   metadata_options {
 120 │     http_endpoint               = "enabled"
 121 │     http_tokens                 = "optional"
 122 │     http_put_response_hop_limit = "2"
 123 └   }
 ...   
 164   }
────────────────────────────────────────



modules/s3/main.tf (terraform)
==============================
Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0088 (HIGH): Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.


See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
 modules/s3/main.tf:1-4
────────────────────────────────────────
   1 ┌ resource "aws_s3_bucket" "laa-lambda-backup" {
   2 │   bucket = var.bucket_name
   3 │   tags   = var.tags
   4 └ }
────────────────────────────────────────


AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.


See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 modules/s3/main.tf:1-4
────────────────────────────────────────
   1 ┌ resource "aws_s3_bucket" "laa-lambda-backup" {
   2 │   bucket = var.bucket_name
   3 │   tags   = var.tags
   4 └ }
────────────────────────────────────────


trivy_exitcode=1
```


Trivy Scan Failed

<details><summary>Show Output</summary>

```hcl

Trivy will check the following folders:
terraform/environments/apex


Running Trivy in terraform/environments/apex
2024-11-28T12:53:55Z INFO [vulndb] Need to update DB
2024-11-28T12:53:55Z INFO [vulndb] Downloading vulnerability DB...
2024-11-28T12:53:55Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-11-28T12:53:59Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-11-28T12:53:59Z INFO [vuln] Vulnerability scanning is enabled
2024-11-28T12:53:59Z INFO [misconfig] Misconfiguration scanning is enabled
2024-11-28T12:53:59Z INFO [misconfig] Need to update the built-in checks
2024-11-28T12:53:59Z INFO [misconfig] Downloading the built-in checks...
160.25 KiB / 160.25 KiB [------------------------------------------------------] 100.00% ? p/s 100ms
2024-11-28T12:53:59Z INFO [secret] Secret scanning is enabled
2024-11-28T12:53:59Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-11-28T12:53:59Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-11-28T12:54:00Z INFO [terraform scanner] Scanning root module file_path="."
2024-11-28T12:54:00Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2024-11-28T12:54:00Z ERROR [terraform evaluator] Failed to expand dynamic block. block="aws_waf_ipset.wafmanualallowset" err="1 error occurred:\n\t* invalid for-each in aws_waf_ipset.wafmanualallowset.dynamic.ip_set_descriptors block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-28T12:54:00Z ERROR [terraform evaluator] Failed to expand dynamic block. block="aws_waf_ipset.wafmanualallowset" err="1 error occurred:\n\t* invalid for-each in aws_waf_ipset.wafmanualallowset.dynamic.ip_set_descriptors block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-28T12:54:01Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.aws_route53_record.external_lb_validation_core_network_services" value="cty.NilVal"
2024-11-28T12:54:01Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.aws_route53_record.external_lb_validation_core_vpc" value="cty.NilVal"
2024-11-28T12:54:01Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.aws_route53_record.external_lb_validation_self" value="cty.NilVal"
2024-11-28T12:54:01Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.data.aws_route53_zone.core_network_services" value="cty.NilVal"
2024-11-28T12:54:01Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.data.aws_route53_zone.core_vpc" value="cty.NilVal"
2024-11-28T12:54:01Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.data.aws_route53_zone.self" value="cty.NilVal"
2024-11-28T12:54:01Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.apex-ecs.aws_autoscaling_group.cluster-scaling-group" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.cluster-scaling-group.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-28T12:54:01Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.apex-ecs.aws_autoscaling_group.cluster-scaling-group" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.cluster-scaling-group.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-28T12:54:01Z INFO [terraform scanner] Scanning root module file_path="modules/lambdapolicy"
2024-11-28T12:54:01Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="tags"
2024-11-28T12:54:01Z INFO [terraform scanner] Scanning root module file_path="modules/s3"
2024-11-28T12:54:01Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="tags"
2024-11-28T12:54:02Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0/main.tf:171-179"
2024-11-28T12:54:02Z INFO [terraform executor] Ignore finding rule="aws-elb-alb-not-public" range="modules/alb/main.tf:214"
2024-11-28T12:54:03Z INFO Number of language-specific files num=0
2024-11-28T12:54:03Z INFO Detected config files num=12

cloudfront.tf (terraform)

Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0013 (HIGH): Distribution allows unencrypted communications.
════════════════════════════════════════
You should not use outdated/insecure TLS versions for encryption. You should be using TLS v1.2+.
Note: that setting minimum_protocol_version = "TLSv1.2_2021" is only possible when cloudfront_default_certificate is false (eg. you are not using the cloudfront.net domain name).
If cloudfront_default_certificate is true then the Cloudfront API will only allow setting minimum_protocol_version = "TLSv1", and setting it to any other value will result in a perpetual diff in your terraform plan's.
The only option when using the cloudfront.net domain name is to ignore this rule.

See https://avd.aquasec.com/misconfig/avd-aws-0013
────────────────────────────────────────
cloudfront.tf:244
via cloudfront.tf:241-245 (viewer_certificate)
via cloudfront.tf:177-267 (aws_cloudfront_distribution.external)
────────────────────────────────────────
177 resource "aws_cloudfront_distribution" "external" {
...
244 [ minimum_protocol_version = "TLSv1.2_2018"
...
267 }
────────────────────────────────────────

AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
cloudfront.tf:131-142
────────────────────────────────────────
131 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "cloudfront" {
132 │ bucket = aws_s3_bucket.cloudfront.id
133 │ rule {
134 │ apply_server_side_encryption_by_default {
135 │ sse_algorithm = "AES256"
136 │ }
137 │ }
138 │ # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
139 └ lifecycle {
...
────────────────────────────────────────

ec2.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
ec2.tf:6-40
────────────────────────────────────────
6 ┌ resource "aws_instance" "apex_db_instance" {
7 │ ami = local.application_data.accounts[local.environment].ec2amiid
8 │ associate_public_ip_address = false
9 │ availability_zone = "eu-west-2a"
10 │ ebs_optimized = true
11 │ instance_type = local.application_data.accounts[local.environment].ec2instancetype
12 │ vpc_security_group_ids = [aws_security_group.database.id]
13 │ monitoring = true
14 └ subnet_id = data.aws_subnet.data_subnets_a.id
..
────────────────────────────────────────

lambda.tf (terraform)

Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0088 (HIGH): Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.

See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
lambda.tf:101-107
────────────────────────────────────────
101 ┌ resource "aws_s3_bucket" "backup_lambda" {
102 │ bucket = "${local.application_name}-${local.environment}-backup-lambda"
103 │ tags = merge(
104 │ local.tags,
105 │ { Name = "${local.application_name}-${local.environment}-backup-lambda" }
106 │ )
107 └ }
────────────────────────────────────────

AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
lambda.tf:101-107
────────────────────────────────────────
101 ┌ resource "aws_s3_bucket" "backup_lambda" {
102 │ bucket = "${local.application_name}-${local.environment}-backup-lambda"
103 │ tags = merge(
104 │ local.tags,
105 │ { Name = "${local.application_name}-${local.environment}-backup-lambda" }
106 │ )
107 └ }
────────────────────────────────────────

modules/ecs/main.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0130 (HIGH): Launch template does not require IMDS access to require a token
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/aws-autoscaling-enforce-http-token-imds
────────────────────────────────────────
modules/ecs/main.tf:121
via modules/ecs/main.tf:119-123 (metadata_options)
via modules/ecs/main.tf:107-164 (aws_launch_template.ec2-launch-template)
via ecs.tf:5-38 (module.apex-ecs)
────────────────────────────────────────
107 resource "aws_launch_template" "ec2-launch-template" {
...
121 [ http_tokens = "optional"
...
164 }
────────────────────────────────────────

modules/s3/main.tf (terraform)

Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0088 (HIGH): Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.

See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
modules/s3/main.tf:1-4
────────────────────────────────────────
1 ┌ resource "aws_s3_bucket" "laa-lambda-backup" {
2 │ bucket = var.bucket_name
3 │ tags = var.tags
4 └ }
────────────────────────────────────────

AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
modules/s3/main.tf:1-4
────────────────────────────────────────
1 ┌ resource "aws_s3_bucket" "laa-lambda-backup" {
2 │ bucket = var.bucket_name
3 │ tags = var.tags
4 └ }
────────────────────────────────────────

trivy_exitcode=1
```

</details>

#### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/apex

*****************************

Running Checkov in terraform/environments/apex
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-11-28 12:54:05,674 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0:None (for external modules, the --download-external-modules flag is required)
2024-11-28 12:54:05,675 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 368, Failed checks: 102, Skipped checks: 5, Parsing errors: 1

Check: CKV_AWS_166: "Ensure Backup Vault is encrypted at rest using KMS CMK"
	FAILED for resource: aws_backup_vault.apex
	File: /backups.tf:6-12
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-backup-vault-is-encrypted-at-rest-using-kms-cmk

		6  | resource "aws_backup_vault" "apex" {
		7  |   name = "${local.application_name}-backup-vault"
		8  |   tags = merge(
		9  |     local.tags,
		10 |     { "Name" = "${local.application_name}-backup-vault" },
		11 |   )
		12 | }

Check: CKV_AWS_166: "Ensure Backup Vault is encrypted at rest using KMS CMK"
	FAILED for resource: aws_backup_vault.prod_apex
	File: /backups.tf:64-71
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-backup-vault-is-encrypted-at-rest-using-kms-cmk

		64 | resource "aws_backup_vault" "prod_apex" {
		65 |   count = local.environment == "production" ? 1 : 0
		66 |   name  = "${local.application_name}-production-backup-vault"
		67 |   tags = merge(
		68 |     local.tags,
		69 |     { "Name" = "${local.application_name}-production-backup-vault" },
		70 |   )
		71 | }

Check: CKV_AWS_300: "Ensure S3 lifecycle configuration sets period for aborting failed uploads"
	FAILED for resource: aws_s3_bucket_lifecycle_configuration.cloudfront
	File: /cloudfront.tf:157-175
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-300

		157 | resource "aws_s3_bucket_lifecycle_configuration" "cloudfront" {
		158 |   count  = local.environment == "production" ? 1 : 0
		159 |   bucket = aws_s3_bucket.cloudfront.id
		160 | 
		161 |   rule {
		162 |     id = "delete-after-90days"
		163 | 
		164 |     expiration {
		165 |       days = 90
		166 |     }
		167 | 
		168 |     noncurrent_version_expiration {
		169 |       newer_noncurrent_versions = 1
		170 |       noncurrent_days           = 90
		171 |     }
		172 | 
		173 |     status = "Enabled"
		174 |   }
		175 | }

Check: CKV_AWS_310: "Ensure CloudFront distributions should have origin failover configured"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:177-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-310

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_374: "Ensure AWS CloudFront web distribution has geo restriction enabled"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:177-267

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_305: "Ensure CloudFront distribution has a default root object configured"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:177-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-305

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_233: "Ensure Create before destroy for ACM certificates"
	FAILED for resource: aws_acm_certificate.cloudfront
	File: /cloudfront.tf:295-305
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-acm-certificate-enables-create-before-destroy

		295 | resource "aws_acm_certificate" "cloudfront" {
		296 |   domain_name               = local.cloudfront_domain
		297 |   validation_method         = "DNS"
		298 |   provider                  = aws.us-east-1
		299 |   subject_alternative_names = local.environment == "production" ? null : [local.lower_env_cloudfront_url]
		300 |   tags                      = local.tags
		301 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		302 |   lifecycle {
		303 |     prevent_destroy = false
		304 |   }
		305 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.apex_db_instance
	File: /ec2.tf:6-40
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		6  | resource "aws_instance" "apex_db_instance" {
		7  |   ami                         = local.application_data.accounts[local.environment].ec2amiid
		8  |   associate_public_ip_address = false
		9  |   availability_zone           = "eu-west-2a"
		10 |   ebs_optimized               = true
		11 |   instance_type               = local.application_data.accounts[local.environment].ec2instancetype
		12 |   vpc_security_group_ids      = [aws_security_group.database.id]
		13 |   monitoring                  = true
		14 |   subnet_id                   = data.aws_subnet.data_subnets_a.id
		15 |   iam_instance_profile        = aws_iam_instance_profile.ec2_instance_profile.id
		16 |   key_name                    = aws_key_pair.apex.key_name
		17 |   user_data_base64            = base64encode(local.database-instance-userdata)
		18 |   user_data_replace_on_change = true
		19 | 
		20 | 
		21 |   root_block_device {
		22 |     delete_on_termination = false
		23 |     encrypted             = true # TODO Confirm if encrypted volumes can work for OAS, as it looks like in MP they must be encrypted
		24 |     volume_size           = 60
		25 |     volume_type           = "gp2"
		26 |     tags = merge(
		27 |       local.tags,
		28 |       { "Name" = "${local.application_name}db-ec2-root" },
		29 |       { "backup" = "false" }
		30 |     )
		31 |   }
		32 | 
		33 |   tags = merge(
		34 |     local.tags,
		35 |     { "Name" = local.database_ec2_name },
		36 |     { "instance-scheduling" = "skip-scheduling" },
		37 |     { "backup" = "false" },
		38 |     local.backup_schedule_tags
		39 |   )
		40 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.db_lambda
	File: /ec2.tf:77-84
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		77 | resource "aws_vpc_security_group_ingress_rule" "db_lambda" {
		78 |   security_group_id            = aws_security_group.database.id
		79 |   description                  = "Allow Lambda SSH access for backup snapshots"
		80 |   referenced_security_group_id = aws_security_group.backup_lambda.id
		81 |   from_port                    = 22
		82 |   ip_protocol                  = "tcp"
		83 |   to_port                      = 22
		84 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.db_outbound
	File: /ec2.tf:105-109
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		105 | resource "aws_vpc_security_group_egress_rule" "db_outbound" {
		106 |   security_group_id = aws_security_group.database.id
		107 |   cidr_ipv4         = "0.0.0.0/0"
		108 |   ip_protocol       = "-1"
		109 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.ec2_instance_policy
	File: /ec2.tf:136-167
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		136 | resource "aws_iam_role_policy" "ec2_instance_policy" {
		137 |   name = "${local.application_name}-ec2-policy"
		138 |   role = aws_iam_role.ec2_instance_role.id
		139 |   policy = jsonencode({
		140 |     Version = "2012-10-17"
		141 |     Statement = [
		142 |       {
		143 |         Effect = "Allow",
		144 |         Action = [
		145 |           "logs:CreateLogGroup",
		146 |           "logs:CreateLogStream",
		147 |           "logs:DescribeLogStreams",
		148 |           "logs:PutRetentionPolicy",
		149 |           "logs:PutLogEvents",
		150 |           "logs:DescribeLogGroups",
		151 |           "cloudwatch:PutMetricData",
		152 |           "cloudwatch:GetMetricStatistics",
		153 |           "cloudwatch:ListMetrics",
		154 |           "ec2:DescribeInstances",
		155 |         ],
		156 |         Resource = "*"
		157 |       },
		158 |       {
		159 |         Effect = "Allow",
		160 |         Action = [
		161 |           "ec2:CreateTags"
		162 |         ],
		163 |         Resource = "*"
		164 |       }
		165 |     ]
		166 |   })
		167 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.ec2_instance_policy
	File: /ec2.tf:136-167
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		136 | resource "aws_iam_role_policy" "ec2_instance_policy" {
		137 |   name = "${local.application_name}-ec2-policy"
		138 |   role = aws_iam_role.ec2_instance_role.id
		139 |   policy = jsonencode({
		140 |     Version = "2012-10-17"
		141 |     Statement = [
		142 |       {
		143 |         Effect = "Allow",
		144 |         Action = [
		145 |           "logs:CreateLogGroup",
		146 |           "logs:CreateLogStream",
		147 |           "logs:DescribeLogStreams",
		148 |           "logs:PutRetentionPolicy",
		149 |           "logs:PutLogEvents",
		150 |           "logs:DescribeLogGroups",
		151 |           "cloudwatch:PutMetricData",
		152 |           "cloudwatch:GetMetricStatistics",
		153 |           "cloudwatch:ListMetrics",
		154 |           "ec2:DescribeInstances",
		155 |         ],
		156 |         Resource = "*"
		157 |       },
		158 |       {
		159 |         Effect = "Allow",
		160 |         Action = [
		161 |           "ec2:CreateTags"
		162 |         ],
		163 |         Resource = "*"
		164 |       }
		165 |     ]
		166 |   })
		167 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.database
	File: /ec2.tf:269-279
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		269 | resource "aws_cloudwatch_log_group" "database" {
		270 |   name              = "${upper(local.application_name)}-EC2-database-alert"
		271 |   retention_in_days = 0
		272 |   # kms_key_id = aws_kms_key.cloudwatch_logs_key.arn # Not encrypted in LZ
		273 |   tags = merge(
		274 |     local.tags,
		275 |     {
		276 |       Name = "${upper(local.application_name)}-EC2-database-alert"
		277 |     }
		278 |   )
		279 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.pmon_status
	File: /ec2.tf:294-304
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		294 | resource "aws_cloudwatch_log_group" "pmon_status" {
		295 |   name              = "${upper(local.application_name)}-EC2-database-pmon-status"
		296 |   retention_in_days = 0
		297 |   # kms_key_id = aws_kms_key.cloudwatch_logs_key.arn # Not encrypted in LZ
		298 |   tags = merge(
		299 |     local.tags,
		300 |     {
		301 |       Name = "${upper(local.application_name)}-EC2-database-pmon-status"
		302 |     }
		303 |   )
		304 | }

Check: CKV_AWS_7: "Ensure rotation for customer created CMKs is enabled"
	FAILED for resource: aws_kms_key.efs
	File: /efs.tf:1-5
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/logging-8

		1 | resource "aws_kms_key" "efs" {
		2 |   description = "KMS key for encrypting EFS"
		3 |   # enable_key_rotation = true
		4 |   tags = local.tags
		5 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.ssh_key
	File: /lambda.tf:7-22
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		7  | resource "aws_ssm_parameter" "ssh_key" {
		8  |   name        = "EC2_SSH_KEY" # This needs to match the name supplied to the dbconnect.js script
		9  |   description = "SSH Key used by Lambda function to access database instance for backup. Value is updated manually."
		10 |   type        = "SecureString"
		11 |   value       = "Placeholder"
		12 | 
		13 |   tags = merge(
		14 |     local.tags,
		15 |     { Name = "EC2_SSH_KEY" }
		16 |   )
		17 |   lifecycle {
		18 |     ignore_changes = [
		19 |       value,
		20 |     ]
		21 |   }
		22 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:50-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		50 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		51 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		52 |   tags = merge(
		53 |     local.tags,
		54 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		55 |   )
		56 |   policy = <<EOF
		57 | {
		58 |     "Version" : "2012-10-17",
		59 |     "Statement": [
		60 |         {
		61 |             "Action": [
		62 |                 "lambda:InvokeFunction",
		63 |                 "ec2:CreateNetworkInterface",
		64 |                 "ec2:DescribeNetworkInterfaces",
		65 |                 "ec2:DeleteNetworkInterface",
		66 |                 "ec2:DescribeSecurityGroups",
		67 |                 "ec2:CreateSnapshot",
		68 |                 "ec2:DeleteSnapshot",
		69 |                 "ec2:DescribeSubnets",
		70 |                 "ec2:DescribeVpcs",
		71 |                 "ec2:DescribeInstances",
		72 |                 "ec2:DescribeAddresses",
		73 |                 "ec2:DescribeInstanceStatus",
		74 |                 "ec2:DescribeVolumes",
		75 |                 "ec2:DescribeSnapshots",
		76 |                 "ec2:CreateTags",
		77 |                 "s3:*",
		78 |                 "ssm:*",
		79 |                 "ses:*",
		80 |                 "logs:*",
		81 |                 "cloudwatch:*",
		82 |                 "sts:AssumeRole"
		83 |             ],
		84 |             "Resource": "*",
		85 |             "Effect": "Allow"
		86 |         }
		87 |     ]
		88 | }
		89 | EOF
		90 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:50-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		50 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		51 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		52 |   tags = merge(
		53 |     local.tags,
		54 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		55 |   )
		56 |   policy = <<EOF
		57 | {
		58 |     "Version" : "2012-10-17",
		59 |     "Statement": [
		60 |         {
		61 |             "Action": [
		62 |                 "lambda:InvokeFunction",
		63 |                 "ec2:CreateNetworkInterface",
		64 |                 "ec2:DescribeNetworkInterfaces",
		65 |                 "ec2:DeleteNetworkInterface",
		66 |                 "ec2:DescribeSecurityGroups",
		67 |                 "ec2:CreateSnapshot",
		68 |                 "ec2:DeleteSnapshot",
		69 |                 "ec2:DescribeSubnets",
		70 |                 "ec2:DescribeVpcs",
		71 |                 "ec2:DescribeInstances",
		72 |                 "ec2:DescribeAddresses",
		73 |                 "ec2:DescribeInstanceStatus",
		74 |                 "ec2:DescribeVolumes",
		75 |                 "ec2:DescribeSnapshots",
		76 |                 "ec2:CreateTags",
		77 |                 "s3:*",
		78 |                 "ssm:*",
		79 |                 "ses:*",
		80 |                 "logs:*",
		81 |                 "cloudwatch:*",
		82 |                 "sts:AssumeRole"
		83 |             ],
		84 |             "Resource": "*",
		85 |             "Effect": "Allow"
		86 |         }
		87 |     ]
		88 | }
		89 | EOF
		90 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:50-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		50 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		51 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		52 |   tags = merge(
		53 |     local.tags,
		54 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		55 |   )
		56 |   policy = <<EOF
		57 | {
		58 |     "Version" : "2012-10-17",
		59 |     "Statement": [
		60 |         {
		61 |             "Action": [
		62 |                 "lambda:InvokeFunction",
		63 |                 "ec2:CreateNetworkInterface",
		64 |                 "ec2:DescribeNetworkInterfaces",
		65 |                 "ec2:DeleteNetworkInterface",
		66 |                 "ec2:DescribeSecurityGroups",
		67 |                 "ec2:CreateSnapshot",
		68 |                 "ec2:DeleteSnapshot",
		69 |                 "ec2:DescribeSubnets",
		70 |                 "ec2:DescribeVpcs",
		71 |                 "ec2:DescribeInstances",
		72 |                 "ec2:DescribeAddresses",
		73 |                 "ec2:DescribeInstanceStatus",
		74 |                 "ec2:DescribeVolumes",
		75 |                 "ec2:DescribeSnapshots",
		76 |                 "ec2:CreateTags",
		77 |                 "s3:*",
		78 |                 "ssm:*",
		79 |                 "ses:*",
		80 |                 "logs:*",
		81 |                 "cloudwatch:*",
		82 |                 "sts:AssumeRole"
		83 |             ],
		84 |             "Resource": "*",
		85 |             "Effect": "Allow"
		86 |         }
		87 |     ]
		88 | }
		89 | EOF
		90 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:50-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		50 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		51 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		52 |   tags = merge(
		53 |     local.tags,
		54 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		55 |   )
		56 |   policy = <<EOF
		57 | {
		58 |     "Version" : "2012-10-17",
		59 |     "Statement": [
		60 |         {
		61 |             "Action": [
		62 |                 "lambda:InvokeFunction",
		63 |                 "ec2:CreateNetworkInterface",
		64 |                 "ec2:DescribeNetworkInterfaces",
		65 |                 "ec2:DeleteNetworkInterface",
		66 |                 "ec2:DescribeSecurityGroups",
		67 |                 "ec2:CreateSnapshot",
		68 |                 "ec2:DeleteSnapshot",
		69 |                 "ec2:DescribeSubnets",
		70 |                 "ec2:DescribeVpcs",
		71 |                 "ec2:DescribeInstances",
		72 |                 "ec2:DescribeAddresses",
		73 |                 "ec2:DescribeInstanceStatus",
		74 |                 "ec2:DescribeVolumes",
		75 |                 "ec2:DescribeSnapshots",
		76 |                 "ec2:CreateTags",
		77 |                 "s3:*",
		78 |                 "ssm:*",
		79 |                 "ses:*",
		80 |                 "logs:*",
		81 |                 "cloudwatch:*",
		82 |                 "sts:AssumeRole"
		83 |             ],
		84 |             "Resource": "*",
		85 |             "Effect": "Allow"
		86 |         }
		87 |     ]
		88 | }
		89 | EOF
		90 | }

Check: CKV_AWS_287: "Ensure IAM policies does not allow credentials exposure"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:50-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-287

		50 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		51 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		52 |   tags = merge(
		53 |     local.tags,
		54 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		55 |   )
		56 |   policy = <<EOF
		57 | {
		58 |     "Version" : "2012-10-17",
		59 |     "Statement": [
		60 |         {
		61 |             "Action": [
		62 |                 "lambda:InvokeFunction",
		63 |                 "ec2:CreateNetworkInterface",
		64 |                 "ec2:DescribeNetworkInterfaces",
		65 |                 "ec2:DeleteNetworkInterface",
		66 |                 "ec2:DescribeSecurityGroups",
		67 |                 "ec2:CreateSnapshot",
		68 |                 "ec2:DeleteSnapshot",
		69 |                 "ec2:DescribeSubnets",
		70 |                 "ec2:DescribeVpcs",
		71 |                 "ec2:DescribeInstances",
		72 |                 "ec2:DescribeAddresses",
		73 |                 "ec2:DescribeInstanceStatus",
		74 |                 "ec2:DescribeVolumes",
		75 |                 "ec2:DescribeSnapshots",
		76 |                 "ec2:CreateTags",
		77 |                 "s3:*",
		78 |                 "ssm:*",
		79 |                 "ses:*",
		80 |                 "logs:*",
		81 |                 "cloudwatch:*",
		82 |                 "sts:AssumeRole"
		83 |             ],
		84 |             "Resource": "*",
		85 |             "Effect": "Allow"
		86 |         }
		87 |     ]
		88 | }
		89 | EOF
		90 | }

Check: CKV_AWS_382: "Ensure no security groups allow egress from 0.0.0.0:0 to port -1"
	FAILED for resource: aws_security_group.backup_lambda
	File: /lambda.tf:188-205

		188 | resource "aws_security_group" "backup_lambda" {
		189 |   name        = "${local.application_name}-${local.environment}-backup-lambda-security-group"
		190 |   description = "Bakcup Lambda Security Group"
		191 |   vpc_id      = data.aws_vpc.shared.id
		192 | 
		193 |   egress {
		194 |     description = "outbound access"
		195 |     from_port   = 0
		196 |     to_port     = 0
		197 |     protocol    = "-1"
		198 |     cidr_blocks = ["0.0.0.0/0"]
		199 |   }
		200 | 
		201 |   tags = merge(
		202 |     local.tags,
		203 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-security-group" }
		204 |   )
		205 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /lambda.tf:219-247
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		219 | resource "aws_lambda_function" "create_db_snapshots" {
		220 | 
		221 |   description      = "Snapshot volumes for Oracle EC2"
		222 |   function_name    = "snapshotDBFunction"
		223 |   role             = aws_iam_role.backup_lambda.arn
		224 |   handler          = "snapshot/dbsnapshot.handler"
		225 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		226 |   runtime          = "nodejs18.x"
		227 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		228 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		229 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		230 |   memory_size      = 128
		231 |   timeout          = 900
		232 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		233 | 
		234 |   environment {
		235 |     variables = {
		236 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		237 |     }
		238 |   }
		239 |   vpc_config {
		240 |     security_group_ids = [aws_security_group.backup_lambda.id]
		241 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		242 |   }
		243 |   tags = merge(
		244 |     local.tags,
		245 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		246 |   )
		247 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /lambda.tf:219-247
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		219 | resource "aws_lambda_function" "create_db_snapshots" {
		220 | 
		221 |   description      = "Snapshot volumes for Oracle EC2"
		222 |   function_name    = "snapshotDBFunction"
		223 |   role             = aws_iam_role.backup_lambda.arn
		224 |   handler          = "snapshot/dbsnapshot.handler"
		225 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		226 |   runtime          = "nodejs18.x"
		227 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		228 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		229 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		230 |   memory_size      = 128
		231 |   timeout          = 900
		232 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		233 | 
		234 |   environment {
		235 |     variables = {
		236 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		237 |     }
		238 |   }
		239 |   vpc_config {
		240 |     security_group_ids = [aws_security_group.backup_lambda.id]
		241 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		242 |   }
		243 |   tags = merge(
		244 |     local.tags,
		245 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		246 |   )
		247 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /lambda.tf:219-247
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		219 | resource "aws_lambda_function" "create_db_snapshots" {
		220 | 
		221 |   description      = "Snapshot volumes for Oracle EC2"
		222 |   function_name    = "snapshotDBFunction"
		223 |   role             = aws_iam_role.backup_lambda.arn
		224 |   handler          = "snapshot/dbsnapshot.handler"
		225 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		226 |   runtime          = "nodejs18.x"
		227 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		228 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		229 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		230 |   memory_size      = 128
		231 |   timeout          = 900
		232 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		233 | 
		234 |   environment {
		235 |     variables = {
		236 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		237 |     }
		238 |   }
		239 |   vpc_config {
		240 |     security_group_ids = [aws_security_group.backup_lambda.id]
		241 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		242 |   }
		243 |   tags = merge(
		244 |     local.tags,
		245 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		246 |   )
		247 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /lambda.tf:219-247
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		219 | resource "aws_lambda_function" "create_db_snapshots" {
		220 | 
		221 |   description      = "Snapshot volumes for Oracle EC2"
		222 |   function_name    = "snapshotDBFunction"
		223 |   role             = aws_iam_role.backup_lambda.arn
		224 |   handler          = "snapshot/dbsnapshot.handler"
		225 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		226 |   runtime          = "nodejs18.x"
		227 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		228 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		229 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		230 |   memory_size      = 128
		231 |   timeout          = 900
		232 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		233 | 
		234 |   environment {
		235 |     variables = {
		236 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		237 |     }
		238 |   }
		239 |   vpc_config {
		240 |     security_group_ids = [aws_security_group.backup_lambda.id]
		241 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		242 |   }
		243 |   tags = merge(
		244 |     local.tags,
		245 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		246 |   )
		247 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /lambda.tf:219-247
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		219 | resource "aws_lambda_function" "create_db_snapshots" {
		220 | 
		221 |   description      = "Snapshot volumes for Oracle EC2"
		222 |   function_name    = "snapshotDBFunction"
		223 |   role             = aws_iam_role.backup_lambda.arn
		224 |   handler          = "snapshot/dbsnapshot.handler"
		225 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		226 |   runtime          = "nodejs18.x"
		227 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		228 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		229 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		230 |   memory_size      = 128
		231 |   timeout          = 900
		232 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		233 | 
		234 |   environment {
		235 |     variables = {
		236 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		237 |     }
		238 |   }
		239 |   vpc_config {
		240 |     security_group_ids = [aws_security_group.backup_lambda.id]
		241 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		242 |   }
		243 |   tags = merge(
		244 |     local.tags,
		245 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		246 |   )
		247 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /lambda.tf:249-271
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		249 | resource "aws_lambda_function" "delete_db_snapshots" {
		250 | 
		251 |   description      = "Clean up script to delete old unused snapshots"
		252 |   function_name    = "deletesnapshotFunction"
		253 |   role             = aws_iam_role.backup_lambda.arn
		254 |   handler          = "deletesnapshots.lambda_handler"
		255 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		256 |   runtime          = "python3.8"
		257 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		258 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		259 |   memory_size      = 3000
		260 |   timeout          = 900
		261 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		262 | 
		263 |   vpc_config {
		264 |     security_group_ids = [aws_security_group.backup_lambda.id]
		265 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		266 |   }
		267 |   tags = merge(
		268 |     local.tags,
		269 |     { Name = "${local.application_name}-${local.environment}-lambda-delete-snapshots" }
		270 |   )
		271 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /lambda.tf:249-271
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		249 | resource "aws_lambda_function" "delete_db_snapshots" {
		250 | 
		251 |   description      = "Clean up script to delete old unused snapshots"
		252 |   function_name    = "deletesnapshotFunction"
		253 |   role             = aws_iam_role.backup_lambda.arn
		254 |   handler          = "deletesnapshots.lambda_handler"
		255 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		256 |   runtime          = "python3.8"
		257 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		258 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		259 |   memory_size      = 3000
		260 |   timeout          = 900
		261 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		262 | 
		263 |   vpc_config {
		264 |     security_group_ids = [aws_security_group.backup_lambda.id]
		265 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		266 |   }
		267 |   tags = merge(
		268 |     local.tags,
		269 |     { Name = "${local.application_name}-${local.environment}-lambda-delete-snapshots" }
		270 |   )
		271 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /lambda.tf:249-271
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		249 | resource "aws_lambda_function" "delete_db_snapshots" {
		250 | 
		251 |   description      = "Clean up script to delete old unused snapshots"
		252 |   function_name    = "deletesnapshotFunction"
		253 |   role             = aws_iam_role.backup_lambda.arn
		254 |   handler          = "deletesnapshots.lambda_handler"
		255 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		256 |   runtime          = "python3.8"
		257 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		258 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		259 |   memory_size      = 3000
		260 |   timeout          = 900
		261 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		262 | 
		263 |   vpc_config {
		264 |     security_group_ids = [aws_security_group.backup_lambda.id]
		265 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		266 |   }
		267 |   tags = merge(
		268 |     local.tags,
		269 |     { Name = "${local.application_name}-${local.environment}-lambda-delete-snapshots" }
		270 |   )
		271 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /lambda.tf:249-271
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		249 | resource "aws_lambda_function" "delete_db_snapshots" {
		250 | 
		251 |   description      = "Clean up script to delete old unused snapshots"
		252 |   function_name    = "deletesnapshotFunction"
		253 |   role             = aws_iam_role.backup_lambda.arn
		254 |   handler          = "deletesnapshots.lambda_handler"
		255 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		256 |   runtime          = "python3.8"
		257 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		258 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		259 |   memory_size      = 3000
		260 |   timeout          = 900
		261 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		262 | 
		263 |   vpc_config {
		264 |     security_group_ids = [aws_security_group.backup_lambda.id]
		265 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		266 |   }
		267 |   tags = merge(
		268 |     local.tags,
		269 |     { Name = "${local.application_name}-${local.environment}-lambda-delete-snapshots" }
		270 |   )
		271 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.connect_db
	File: /lambda.tf:273-304
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		273 | resource "aws_lambda_function" "connect_db" {
		274 | 
		275 |   description      = "SSH to the DB EC2"
		276 |   function_name    = "connectDBFunction"
		277 |   role             = aws_iam_role.backup_lambda.arn
		278 |   handler          = "ssh/dbconnect.handler"
		279 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		280 |   runtime          = "nodejs18.x"
		281 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		282 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		283 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		284 |   memory_size      = 128
		285 |   timeout          = 900
		286 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		287 | 
		288 | 
		289 | 
		290 |   environment {
		291 |     variables = {
		292 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		293 | 
		294 |     }
		295 |   }
		296 |   vpc_config {
		297 |     security_group_ids = [aws_security_group.backup_lambda.id]
		298 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		299 |   }
		300 |   tags = merge(
		301 |     local.tags,
		302 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		303 |   )
		304 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.connect_db
	File: /lambda.tf:273-304
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		273 | resource "aws_lambda_function" "connect_db" {
		274 | 
		275 |   description      = "SSH to the DB EC2"
		276 |   function_name    = "connectDBFunction"
		277 |   role             = aws_iam_role.backup_lambda.arn
		278 |   handler          = "ssh/dbconnect.handler"
		279 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		280 |   runtime          = "nodejs18.x"
		281 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		282 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		283 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		284 |   memory_size      = 128
		285 |   timeout          = 900
		286 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		287 | 
		288 | 
		289 | 
		290 |   environment {
		291 |     variables = {
		292 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		293 | 
		294 |     }
		295 |   }
		296 |   vpc_config {
		297 |     security_group_ids = [aws_security_group.backup_lambda.id]
		298 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		299 |   }
		300 |   tags = merge(
		301 |     local.tags,
		302 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		303 |   )
		304 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.connect_db
	File: /lambda.tf:273-304
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		273 | resource "aws_lambda_function" "connect_db" {
		274 | 
		275 |   description      = "SSH to the DB EC2"
		276 |   function_name    = "connectDBFunction"
		277 |   role             = aws_iam_role.backup_lambda.arn
		278 |   handler          = "ssh/dbconnect.handler"
		279 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		280 |   runtime          = "nodejs18.x"
		281 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		282 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		283 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		284 |   memory_size      = 128
		285 |   timeout          = 900
		286 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		287 | 
		288 | 
		289 | 
		290 |   environment {
		291 |     variables = {
		292 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		293 | 
		294 |     }
		295 |   }
		296 |   vpc_config {
		297 |     security_group_ids = [aws_security_group.backup_lambda.id]
		298 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		299 |   }
		300 |   tags = merge(
		301 |     local.tags,
		302 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		303 |   )
		304 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.connect_db
	File: /lambda.tf:273-304
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		273 | resource "aws_lambda_function" "connect_db" {
		274 | 
		275 |   description      = "SSH to the DB EC2"
		276 |   function_name    = "connectDBFunction"
		277 |   role             = aws_iam_role.backup_lambda.arn
		278 |   handler          = "ssh/dbconnect.handler"
		279 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		280 |   runtime          = "nodejs18.x"
		281 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		282 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		283 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		284 |   memory_size      = 128
		285 |   timeout          = 900
		286 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		287 | 
		288 | 
		289 | 
		290 |   environment {
		291 |     variables = {
		292 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		293 | 
		294 |     }
		295 |   }
		296 |   vpc_config {
		297 |     security_group_ids = [aws_security_group.backup_lambda.id]
		298 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		299 |   }
		300 |   tags = merge(
		301 |     local.tags,
		302 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		303 |   )
		304 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.connect_db
	File: /lambda.tf:273-304
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		273 | resource "aws_lambda_function" "connect_db" {
		274 | 
		275 |   description      = "SSH to the DB EC2"
		276 |   function_name    = "connectDBFunction"
		277 |   role             = aws_iam_role.backup_lambda.arn
		278 |   handler          = "ssh/dbconnect.handler"
		279 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		280 |   runtime          = "nodejs18.x"
		281 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		282 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		283 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		284 |   memory_size      = 128
		285 |   timeout          = 900
		286 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		287 | 
		288 | 
		289 | 
		290 |   environment {
		291 |     variables = {
		292 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		293 | 
		294 |     }
		295 |   }
		296 |   vpc_config {
		297 |     security_group_ids = [aws_security_group.backup_lambda.id]
		298 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		299 |   }
		300 |   tags = merge(
		301 |     local.tags,
		302 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		303 |   )
		304 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.alb.s3-bucket[0]
	File: /modules/alb/main.tf:96-151
	Calling File: /alb.tf:27-163
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		Code lines for this resource are too many. Please use IDE of your choice to review the file.

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: module.alb.aws_secretsmanager_secret.cloudfront
	File: /modules/alb/main.tf:275-278
	Calling File: /alb.tf:27-163
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		275 | resource "aws_secretsmanager_secret" "cloudfront" {
		276 |   name        = "cloudfront-v1-secret-${var.application_name}"
		277 |   description = "Simple secret created by AWS CloudFormation to be shared between ALB and CloudFront"
		278 | }

Check: CKV_AWS_378: "Ensure AWS Load Balancer doesn't use HTTP protocol"
	FAILED for resource: module.alb.aws_lb_target_group.alb_target_group
	File: /modules/alb/main.tf:346-373
	Calling File: /alb.tf:27-163

		346 | resource "aws_lb_target_group" "alb_target_group" {
		347 |   name                 = "${var.application_name}-alb-tg"
		348 |   port                 = var.target_group_port
		349 |   protocol             = var.target_group_protocol
		350 |   vpc_id               = var.vpc_id
		351 |   deregistration_delay = var.target_group_deregistration_delay
		352 |   health_check {
		353 |     interval            = var.healthcheck_interval
		354 |     path                = var.healthcheck_path
		355 |     protocol            = var.healthcheck_protocol
		356 |     timeout             = var.healthcheck_timeout
		357 |     healthy_threshold   = var.healthcheck_healthy_threshold
		358 |     unhealthy_threshold = var.healthcheck_unhealthy_threshold
		359 |   }
		360 |   stickiness {
		361 |     enabled         = var.stickiness_enabled
		362 |     type            = var.stickiness_type
		363 |     cookie_duration = var.stickiness_cookie_duration
		364 |   }
		365 | 
		366 |   tags = merge(
		367 |     var.tags,
		368 |     {
		369 |       Name = "${var.application_name}-alb-tg"
		370 |     },
		371 |   )
		372 | 
		373 | }

Check: CKV_AWS_233: "Ensure Create before destroy for ACM certificates"
	FAILED for resource: module.alb.aws_acm_certificate.external_lb
	File: /modules/alb/main.tf:427-437
	Calling File: /alb.tf:27-163
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-acm-certificate-enables-create-before-destroy

		427 | resource "aws_acm_certificate" "external_lb" {
		428 | 
		429 |   domain_name               = var.acm_cert_domain_name
		430 |   validation_method         = "DNS"
		431 |   subject_alternative_names = var.environment == "production" ? null : ["${var.application_name}.${var.business_unit}-${var.environment}.${var.acm_cert_domain_name}"]
		432 |   tags                      = var.tags
		433 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		434 |   lifecycle {
		435 |     prevent_destroy = false
		436 |   }
		437 | }

Check: CKV_AWS_300: "Ensure S3 lifecycle configuration sets period for aborting failed uploads"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket_lifecycle_configuration.report_lifecycle
	File: /modules/codebuild/main.tf:25-39
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-300

		25 | resource "aws_s3_bucket_lifecycle_configuration" "report_lifecycle" {
		26 |   bucket = aws_s3_bucket.deployment_report.id
		27 | 
		28 |   rule {
		29 |     id = "monthly-expiration"
		30 |     expiration {
		31 |       days = var.s3_lifecycle_expiration_days
		32 |     }
		33 |     noncurrent_version_expiration {
		34 |       noncurrent_days = var.s3_lifecycle_noncurr_version_expiration_days
		35 |     }
		36 | 
		37 |     status = "Enabled"
		38 |   }
		39 | }

Check: CKV_AWS_163: "Ensure ECR image scanning on push is enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_ecr_repository.local-ecr
	File: /modules/codebuild/main.tf:52-66
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-8

		52 | resource "aws_ecr_repository" "local-ecr" {
		53 |   name                 = "${var.app_name}-local-ecr"
		54 |   image_tag_mutability = "MUTABLE"
		55 | 
		56 |   image_scanning_configuration {
		57 |     scan_on_push = false
		58 |   }
		59 | 
		60 |   tags = merge(
		61 |     var.tags,
		62 |     {
		63 |       Name = "${var.app_name}-local-ecr"
		64 |     },
		65 |   )
		66 | }

Check: CKV_AWS_51: "Ensure ECR Image Tags are immutable"
	FAILED for resource: module.apex-ecr-codebuild.aws_ecr_repository.local-ecr
	File: /modules/codebuild/main.tf:52-66
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-24

		52 | resource "aws_ecr_repository" "local-ecr" {
		53 |   name                 = "${var.app_name}-local-ecr"
		54 |   image_tag_mutability = "MUTABLE"
		55 | 
		56 |   image_scanning_configuration {
		57 |     scan_on_push = false
		58 |   }
		59 | 
		60 |   tags = merge(
		61 |     var.tags,
		62 |     {
		63 |       Name = "${var.app_name}-local-ecr"
		64 |     },
		65 |   )
		66 | }

Check: CKV_AWS_136: "Ensure that ECR repositories are encrypted using KMS"
	FAILED for resource: module.apex-ecr-codebuild.aws_ecr_repository.local-ecr
	File: /modules/codebuild/main.tf:52-66
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ecr-repositories-are-encrypted

		52 | resource "aws_ecr_repository" "local-ecr" {
		53 |   name                 = "${var.app_name}-local-ecr"
		54 |   image_tag_mutability = "MUTABLE"
		55 | 
		56 |   image_scanning_configuration {
		57 |     scan_on_push = false
		58 |   }
		59 | 
		60 |   tags = merge(
		61 |     var.tags,
		62 |     {
		63 |       Name = "${var.app_name}-local-ecr"
		64 |     },
		65 |   )
		66 | }

Check: CKV_AWS_314: "Ensure CodeBuild project environments have a logging configuration"
	FAILED for resource: module.apex-ecr-codebuild.aws_codebuild_project.app-build
	File: /modules/codebuild/main.tf:163-229
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-314

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_316: "Ensure CodeBuild project environments do not have privileged mode enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_codebuild_project.app-build
	File: /modules/codebuild/main.tf:163-229
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-316

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_314: "Ensure CodeBuild project environments have a logging configuration"
	FAILED for resource: module.apex-ecr-codebuild.aws_codebuild_project.test-build
	File: /modules/codebuild/main.tf:231-280
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-314

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: module.apex-ecs.aws_launch_template.ec2-launch-template
	File: /modules/ecs/main.tf:107-164
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_341: "Ensure Launch template should not have a metadata response hop limit greater than 1"
	FAILED for resource: module.apex-ecs.aws_launch_template.ec2-launch-template
	File: /modules/ecs/main.tf:107-164
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-341

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: module.apex-ecs.aws_iam_policy.ec2_instance_policy
	File: /modules/ecs/main.tf:204-237
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		204 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		205 |   name = "${var.app_name}-ec2-instance-policy"
		206 |   tags = merge(
		207 |     var.tags_common,
		208 |     {
		209 |       Name = "${var.app_name}-ec2-instance-policy"
		210 |     }
		211 |   )
		212 |   policy = <<EOF
		213 | {
		214 |     "Version": "2012-10-17",
		215 |     "Statement": [
		216 |         {
		217 |             "Action": [
		218 |                 "ecs:CreateCluster",
		219 |                 "ecs:DeregisterContainerInstance",
		220 |                 "ecs:DiscoverPollEndpoint",
		221 |                 "ecs:Poll",
		222 |                 "ecs:RegisterContainerInstance",
		223 |                 "ecs:StartTelemetrySession",
		224 |                 "ecs:Submit*",
		225 |                 "logs:CreateLogGroup",
		226 |                 "logs:CreateLogStream",
		227 |                 "logs:PutLogEvents",
		228 |                 "logs:DescribeLogStreams",
		229 |                 "ecr:*"
		230 |             ],
		231 |             "Resource": "*",
		232 |             "Effect": "Allow"
		233 |         }
		234 |     ]
		235 | }
		236 | EOF
		237 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.apex-ecs.aws_iam_policy.ec2_instance_policy
	File: /modules/ecs/main.tf:204-237
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		204 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		205 |   name = "${var.app_name}-ec2-instance-policy"
		206 |   tags = merge(
		207 |     var.tags_common,
		208 |     {
		209 |       Name = "${var.app_name}-ec2-instance-policy"
		210 |     }
		211 |   )
		212 |   policy = <<EOF
		213 | {
		214 |     "Version": "2012-10-17",
		215 |     "Statement": [
		216 |         {
		217 |             "Action": [
		218 |                 "ecs:CreateCluster",
		219 |                 "ecs:DeregisterContainerInstance",
		220 |                 "ecs:DiscoverPollEndpoint",
		221 |                 "ecs:Poll",
		222 |                 "ecs:RegisterContainerInstance",
		223 |                 "ecs:StartTelemetrySession",
		224 |                 "ecs:Submit*",
		225 |                 "logs:CreateLogGroup",
		226 |                 "logs:CreateLogStream",
		227 |                 "logs:PutLogEvents",
		228 |                 "logs:DescribeLogStreams",
		229 |                 "ecr:*"
		230 |             ],
		231 |             "Resource": "*",
		232 |             "Effect": "Allow"
		233 |         }
		234 |     ]
		235 | }
		236 | EOF
		237 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: module.apex-ecs.aws_iam_policy.ec2_instance_policy
	File: /modules/ecs/main.tf:204-237
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		204 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		205 |   name = "${var.app_name}-ec2-instance-policy"
		206 |   tags = merge(
		207 |     var.tags_common,
		208 |     {
		209 |       Name = "${var.app_name}-ec2-instance-policy"
		210 |     }
		211 |   )
		212 |   policy = <<EOF
		213 | {
		214 |     "Version": "2012-10-17",
		215 |     "Statement": [
		216 |         {
		217 |             "Action": [
		218 |                 "ecs:CreateCluster",
		219 |                 "ecs:DeregisterContainerInstance",
		220 |                 "ecs:DiscoverPollEndpoint",
		221 |                 "ecs:Poll",
		222 |                 "ecs:RegisterContainerInstance",
		223 |                 "ecs:StartTelemetrySession",
		224 |                 "ecs:Submit*",
		225 |                 "logs:CreateLogGroup",
		226 |                 "logs:CreateLogStream",
		227 |                 "logs:PutLogEvents",
		228 |                 "logs:DescribeLogStreams",
		229 |                 "ecr:*"
		230 |             ],
		231 |             "Resource": "*",
		232 |             "Effect": "Allow"
		233 |         }
		234 |     ]
		235 | }
		236 | EOF
		237 | }

Check: CKV_AWS_249: "Ensure that the Execution Role ARN and the Task Role ARN are different in ECS Task definitions"
	FAILED for resource: module.apex-ecs.aws_ecs_task_definition.windows_ecs_task_definition
	File: /modules/ecs/main.tf:266-287
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-the-aws-execution-role-arn-and-task-role-arn-are-different-in-ecs-task-definitions

		266 | resource "aws_ecs_task_definition" "windows_ecs_task_definition" {
		267 |   family             = "${var.app_name}-task-definition"
		268 |   count              = var.container_instance_type == "windows" ? 1 : 0
		269 |   execution_role_arn = aws_iam_role.ecs_task_execution_role.arn # grants the Amazon ECS container agents permission to make AWS API calls on your behalf
		270 |   task_role_arn      = aws_iam_role.ecs_task_execution_role.arn # assumed by the containers running in the task, allowing your application code (on the container) to use other AWS services
		271 |   requires_compatibilities = [
		272 |     "EC2",
		273 |   ]
		274 | 
		275 |   # volume {
		276 |   #   name = var.task_definition_volume
		277 |   # }
		278 | 
		279 |   container_definitions = var.task_definition
		280 | 
		281 |   tags = merge(
		282 |     var.tags_common,
		283 |     {
		284 |       Name = "${var.app_name}-windows-task-definition"
		285 |     }
		286 |   )
		287 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.apex-ecs.aws_iam_policy.ecs_service
	File: /modules/ecs/main.tf:439-467
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		439 | resource "aws_iam_policy" "ecs_service" { #tfsec:ignore:aws-iam-no-policy-wildcards
		440 |   name = "${var.app_name}-ecs-service-policy"
		441 |   tags = merge(
		442 |     var.tags_common,
		443 |     {
		444 |       Name = "${var.app_name}-ecs-service-policy"
		445 |     }
		446 |   )
		447 |   policy = <<EOF
		448 | {
		449 |   "Version": "2012-10-17",
		450 |   "Statement": [
		451 |     {
		452 |       "Effect": "Allow",
		453 |       "Action": [
		454 |         "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
		455 |         "elasticloadbalancing:DeregisterTargets",
		456 |         "elasticloadbalancing:Describe*",
		457 |         "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
		458 |         "elasticloadbalancing:RegisterTargets",
		459 |         "ec2:Describe*",
		460 |         "ec2:AuthorizeSecurityGroupIngress"
		461 |       ],
		462 |       "Resource": ["*"]
		463 |     }
		464 |   ]
		465 | }
		466 | EOF
		467 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: module.apex-ecs.aws_iam_policy.ecs_service
	File: /modules/ecs/main.tf:439-467
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		439 | resource "aws_iam_policy" "ecs_service" { #tfsec:ignore:aws-iam-no-policy-wildcards
		440 |   name = "${var.app_name}-ecs-service-policy"
		441 |   tags = merge(
		442 |     var.tags_common,
		443 |     {
		444 |       Name = "${var.app_name}-ecs-service-policy"
		445 |     }
		446 |   )
		447 |   policy = <<EOF
		448 | {
		449 |   "Version": "2012-10-17",
		450 |   "Statement": [
		451 |     {
		452 |       "Effect": "Allow",
		453 |       "Action": [
		454 |         "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
		455 |         "elasticloadbalancing:DeregisterTargets",
		456 |         "elasticloadbalancing:Describe*",
		457 |         "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
		458 |         "elasticloadbalancing:RegisterTargets",
		459 |         "ec2:Describe*",
		460 |         "ec2:AuthorizeSecurityGroupIngress"
		461 |       ],
		462 |       "Resource": ["*"]
		463 |     }
		464 |   ]
		465 | }
		466 | EOF
		467 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: module.apex-ecs.aws_cloudwatch_log_group.cloudwatch_group
	File: /modules/ecs/main.tf:488-499
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		488 | resource "aws_cloudwatch_log_group" "cloudwatch_group" {
		489 |   #checkov:skip=CKV_AWS_158:Temporarily skip KMS encryption check while logging solution is being updated
		490 |   name              = "${var.app_name}-ecs-container-logs"
		491 |   retention_in_days = 90
		492 |   kms_key_id        = var.log_group_kms_key
		493 |   tags = merge(
		494 |     var.tags_common,
		495 |     {
		496 |       Name = "${var.app_name}-ecs-container-logs"
		497 |     }
		498 |   )
		499 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: module.apex-ecs.aws_cloudwatch_log_group.ec2
	File: /modules/ecs/main.tf:506-516
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		506 | resource "aws_cloudwatch_log_group" "ec2" {
		507 |   name              = "${var.app_name}-ecs-ec2-logs"
		508 |   retention_in_days = 90
		509 |   kms_key_id        = var.log_group_kms_key
		510 |   tags = merge(
		511 |     var.tags_common,
		512 |     {
		513 |       Name = "${var.app_name}-ecs-ec2-logs"
		514 |     }
		515 |   )
		516 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy.backuplambdapolicy
	File: /modules/lambdapolicy/main.tf:21-58
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		22 |   name   = var.backup_policy_name
		23 |   tags   = var.tags
		24 |   policy = <<EOF
		25 | {
		26 |     "Version" : "2012-10-17",
		27 |     "Statement": [
		28 |         {
		29 |             "Action": [
		30 |                 "lambda:InvokeFunction",
		31 |                 "ec2:CreateNetworkInterface",
		32 |                 "ec2:DescribeNetworkInterfaces",
		33 |                 "ec2:DeleteNetworkInterface",
		34 |                 "ec2:DescribeSecurityGroups",
		35 |                 "ec2:CreateSnapshot",
		36 |                 "ec2:DeleteSnapshot",
		37 |                 "ec2:DescribeSubnets",
		38 |                 "ec2:DescribeVpcs",
		39 |                 "ec2:DescribeInstances",
		40 |                 "ec2:DescribeAddresses",
		41 |                 "ec2:DescribeInstanceStatus",
		42 |                 "ec2:DescribeVolumes",
		43 |                 "ec2:DescribeSnapshots",
		44 |                 "ec2:CreateTags",
		45 |                 "s3:*",
		46 |                 "ssm:*",
		47 |                 "ses:*",
		48 |                 "logs:*",
		49 |                 "cloudwatch:*",
		50 |                 "sts:AssumeRole"
		51 |             ],
		52 |             "Resource": "*",
		53 |             "Effect": "Allow"
		54 |         }
		55 |     ]
		56 | }
		57 | EOF
		58 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.backuplambdapolicy
	File: /modules/lambdapolicy/main.tf:21-58
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		22 |   name   = var.backup_policy_name
		23 |   tags   = var.tags
		24 |   policy = <<EOF
		25 | {
		26 |     "Version" : "2012-10-17",
		27 |     "Statement": [
		28 |         {
		29 |             "Action": [
		30 |                 "lambda:InvokeFunction",
		31 |                 "ec2:CreateNetworkInterface",
		32 |                 "ec2:DescribeNetworkInterfaces",
		33 |                 "ec2:DeleteNetworkInterface",
		34 |                 "ec2:DescribeSecurityGroups",
		35 |                 "ec2:CreateSnapshot",
		36 |                 "ec2:DeleteSnapshot",
		37 |                 "ec2:DescribeSubnets",
		38 |                 "ec2:DescribeVpcs",
		39 |                 "ec2:DescribeInstances",
		40 |                 "ec2:DescribeAddresses",
		41 |                 "ec2:DescribeInstanceStatus",
		42 |                 "ec2:DescribeVolumes",
		43 |                 "ec2:DescribeSnapshots",
		44 |                 "ec2:CreateTags",
		45 |                 "s3:*",
		46 |                 "ssm:*",
		47 |                 "ses:*",
		48 |                 "logs:*",
		49 |                 "cloudwatch:*",
		50 |                 "sts:AssumeRole"
		51 |             ],
		52 |             "Resource": "*",
		53 |             "Effect": "Allow"
		54 |         }
		55 |     ]
		56 | }
		57 | EOF
		58 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.backuplambdapolicy
	File: /modules/lambdapolicy/main.tf:21-58
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		22 |   name   = var.backup_policy_name
		23 |   tags   = var.tags
		24 |   policy = <<EOF
		25 | {
		26 |     "Version" : "2012-10-17",
		27 |     "Statement": [
		28 |         {
		29 |             "Action": [
		30 |                 "lambda:InvokeFunction",
		31 |                 "ec2:CreateNetworkInterface",
		32 |                 "ec2:DescribeNetworkInterfaces",
		33 |                 "ec2:DeleteNetworkInterface",
		34 |                 "ec2:DescribeSecurityGroups",
		35 |                 "ec2:CreateSnapshot",
		36 |                 "ec2:DeleteSnapshot",
		37 |                 "ec2:DescribeSubnets",
		38 |                 "ec2:DescribeVpcs",
		39 |                 "ec2:DescribeInstances",
		40 |                 "ec2:DescribeAddresses",
		41 |                 "ec2:DescribeInstanceStatus",
		42 |                 "ec2:DescribeVolumes",
		43 |                 "ec2:DescribeSnapshots",
		44 |                 "ec2:CreateTags",
		45 |                 "s3:*",
		46 |                 "ssm:*",
		47 |                 "ses:*",
		48 |                 "logs:*",
		49 |                 "cloudwatch:*",
		50 |                 "sts:AssumeRole"
		51 |             ],
		52 |             "Resource": "*",
		53 |             "Effect": "Allow"
		54 |         }
		55 |     ]
		56 | }
		57 | EOF
		58 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_policy.backuplambdapolicy
	File: /modules/lambdapolicy/main.tf:21-58
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		22 |   name   = var.backup_policy_name
		23 |   tags   = var.tags
		24 |   policy = <<EOF
		25 | {
		26 |     "Version" : "2012-10-17",
		27 |     "Statement": [
		28 |         {
		29 |             "Action": [
		30 |                 "lambda:InvokeFunction",
		31 |                 "ec2:CreateNetworkInterface",
		32 |                 "ec2:DescribeNetworkInterfaces",
		33 |                 "ec2:DeleteNetworkInterface",
		34 |                 "ec2:DescribeSecurityGroups",
		35 |                 "ec2:CreateSnapshot",
		36 |                 "ec2:DeleteSnapshot",
		37 |                 "ec2:DescribeSubnets",
		38 |                 "ec2:DescribeVpcs",
		39 |                 "ec2:DescribeInstances",
		40 |                 "ec2:DescribeAddresses",
		41 |                 "ec2:DescribeInstanceStatus",
		42 |                 "ec2:DescribeVolumes",
		43 |                 "ec2:DescribeSnapshots",
		44 |                 "ec2:CreateTags",
		45 |                 "s3:*",
		46 |                 "ssm:*",
		47 |                 "ses:*",
		48 |                 "logs:*",
		49 |                 "cloudwatch:*",
		50 |                 "sts:AssumeRole"
		51 |             ],
		52 |             "Resource": "*",
		53 |             "Effect": "Allow"
		54 |         }
		55 |     ]
		56 | }
		57 | EOF
		58 | }

Check: CKV_AWS_287: "Ensure IAM policies does not allow credentials exposure"
	FAILED for resource: aws_iam_policy.backuplambdapolicy
	File: /modules/lambdapolicy/main.tf:21-58
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-287

		21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		22 |   name   = var.backup_policy_name
		23 |   tags   = var.tags
		24 |   policy = <<EOF
		25 | {
		26 |     "Version" : "2012-10-17",
		27 |     "Statement": [
		28 |         {
		29 |             "Action": [
		30 |                 "lambda:InvokeFunction",
		31 |                 "ec2:CreateNetworkInterface",
		32 |                 "ec2:DescribeNetworkInterfaces",
		33 |                 "ec2:DeleteNetworkInterface",
		34 |                 "ec2:DescribeSecurityGroups",
		35 |                 "ec2:CreateSnapshot",
		36 |                 "ec2:DeleteSnapshot",
		37 |                 "ec2:DescribeSubnets",
		38 |                 "ec2:DescribeVpcs",
		39 |                 "ec2:DescribeInstances",
		40 |                 "ec2:DescribeAddresses",
		41 |                 "ec2:DescribeInstanceStatus",
		42 |                 "ec2:DescribeVolumes",
		43 |                 "ec2:DescribeSnapshots",
		44 |                 "ec2:CreateTags",
		45 |                 "s3:*",
		46 |                 "ssm:*",
		47 |                 "ses:*",
		48 |                 "logs:*",
		49 |                 "cloudwatch:*",
		50 |                 "sts:AssumeRole"
		51 |             ],
		52 |             "Resource": "*",
		53 |             "Effect": "Allow"
		54 |         }
		55 |     ]
		56 | }
		57 | EOF
		58 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: pagerduty_core_alerts
	File: /sns.tf:34-41
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		34 | module "pagerduty_core_alerts" {
		35 |   depends_on = [
		36 |     aws_sns_topic.apex
		37 |   ]
		38 |   source                    = "github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0"
		39 |   sns_topics                = [aws_sns_topic.apex.name]
		40 |   pagerduty_integration_key = local.pagerduty_integration_keys[local.pagerduty_integration_key_name]
		41 | }
Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.apex
	File: /sns.tf:6-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		6  | resource "aws_sns_topic" "apex" {
		7  |   name = "${local.application_name}-${local.environment}-alerting-topic"
		8  |   tags = merge(
		9  |     local.tags,
		10 |     {
		11 |       Name = "${local.application_name}-${local.environment}-alerting-topic"
		12 |     }
		13 |   )
		14 | }

Check: CKV_AWS_176: "Ensure Logging is enabled for WAF Web Access Control Lists"
	FAILED for resource: aws_waf_web_acl.waf_acl
	File: /waf.tf:57-87
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-31

		57 | resource "aws_waf_web_acl" "waf_acl" {
		58 |   depends_on = [
		59 |     aws_waf_rule.wafmanualallowrule,
		60 |     aws_waf_rule.wafmanualblockrule,
		61 |   ]
		62 |   name        = "${upper(local.application_name)} Whitelisting Requesters"
		63 |   metric_name = "${upper(local.application_name)}WhitelistingRequesters"
		64 |   #   scope    = "CLOUDFRONT"
		65 |   #   provider = aws.us-east-1
		66 |   default_action {
		67 |     type = "BLOCK"
		68 |   }
		69 | 
		70 |   rules {
		71 |     action {
		72 |       type = "ALLOW"
		73 |     }
		74 |     priority = 1
		75 |     rule_id  = aws_waf_rule.wafmanualallowrule.id
		76 |     type     = "REGULAR"
		77 |   }
		78 | 
		79 |   rules {
		80 |     action {
		81 |       type = "BLOCK"
		82 |     }
		83 |     priority = 2
		84 |     rule_id  = aws_waf_rule.wafmanualblockrule.id
		85 |     type     = "REGULAR"
		86 |   }
		87 | }

Check: CKV2_AWS_47: "Ensure AWS CloudFront attached WAFv2 WebACL is configured with AMR for Log4j Vulnerability"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:177-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-47

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: module.alb.aws_secretsmanager_secret.cloudfront
	File: /modules/alb/main.tf:275-278
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		275 | resource "aws_secretsmanager_secret" "cloudfront" {
		276 |   name        = "cloudfront-v1-secret-${var.application_name}"
		277 |   description = "Simple secret created by AWS CloudFormation to be shared between ALB and CloudFront"
		278 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.cloudfront
	File: /cloudfront.tf:109-122
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		109 | resource "aws_s3_bucket" "cloudfront" {
		110 |   bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		111 |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		112 |   tags = merge(
		113 |     local.tags,
		114 |     {
		115 |       Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		116 |     }
		117 |   )
		118 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		119 |   lifecycle {
		120 |     prevent_destroy = false
		121 |   }
		122 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:101-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		101 | resource "aws_s3_bucket" "backup_lambda" {
		102 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		103 |   tags = merge(
		104 |     local.tags,
		105 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		106 |   )
		107 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
	File: /modules/codebuild/main.tf:5-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		5  | resource "aws_s3_bucket" "deployment_report" {
		6  |   bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		7  |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		8  |   tags = merge(
		9  |     var.tags,
		10 |     {
		11 |       Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		12 |     },
		13 |   )
		14 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.laa-lambda-backup
	File: /modules/s3/main.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		1 | resource "aws_s3_bucket" "laa-lambda-backup" {
		2 |   bucket = var.bucket_name
		3 |   tags   = var.tags
		4 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.cloudfront
	File: /cloudfront.tf:109-122
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		109 | resource "aws_s3_bucket" "cloudfront" {
		110 |   bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		111 |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		112 |   tags = merge(
		113 |     local.tags,
		114 |     {
		115 |       Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		116 |     }
		117 |   )
		118 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		119 |   lifecycle {
		120 |     prevent_destroy = false
		121 |   }
		122 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:101-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		101 | resource "aws_s3_bucket" "backup_lambda" {
		102 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		103 |   tags = merge(
		104 |     local.tags,
		105 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		106 |   )
		107 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
	File: /modules/codebuild/main.tf:5-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		5  | resource "aws_s3_bucket" "deployment_report" {
		6  |   bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		7  |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		8  |   tags = merge(
		9  |     var.tags,
		10 |     {
		11 |       Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		12 |     },
		13 |   )
		14 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.laa-lambda-backup
	File: /modules/s3/main.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		1 | resource "aws_s3_bucket" "laa-lambda-backup" {
		2 |   bucket = var.bucket_name
		3 |   tags   = var.tags
		4 | }

Check: CKV2_AWS_32: "Ensure CloudFront distribution has a response headers policy attached"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:177-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/bc-aws-networking-65

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AWS_18: "Ensure that Elastic File System (Amazon EFS) file systems are added in the backup plans of AWS Backup"
	FAILED for resource: aws_efs_file_system.efs
	File: /efs.tf:41-55
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-elastic-file-system-amazon-efs-file-systems-are-added-in-the-backup-plans-of-aws-backup

		41 | resource "aws_efs_file_system" "efs" {
		42 |   encrypted        = true
		43 |   kms_key_id       = aws_kms_key.efs.arn
		44 |   performance_mode = "maxIO"
		45 |   throughput_mode  = "bursting"
		46 | 
		47 |   tags = merge(
		48 |     local.tags,
		49 |     { "Name" = "mp-${local.application_name}-efs" }
		50 |   )
		51 | 
		52 |   lifecycle_policy {
		53 |     transition_to_ia = "AFTER_90_DAYS"
		54 |   }
		55 | }

Check: CKV2_AWS_65: "Ensure access control lists for S3 buckets are disabled"
	FAILED for resource: aws_s3_bucket_ownership_controls.backup_lambda
	File: /lambda.tf:128-133
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-112

		128 | resource "aws_s3_bucket_ownership_controls" "backup_lambda" {
		129 |   bucket = aws_s3_bucket.backup_lambda.id
		130 |   rule {
		131 |     object_ownership = "ObjectWriter"
		132 |   }
		133 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.cloudfront
	File: /cloudfront.tf:109-122
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		109 | resource "aws_s3_bucket" "cloudfront" {
		110 |   bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		111 |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		112 |   tags = merge(
		113 |     local.tags,
		114 |     {
		115 |       Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		116 |     }
		117 |   )
		118 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		119 |   lifecycle {
		120 |     prevent_destroy = false
		121 |   }
		122 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:101-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		101 | resource "aws_s3_bucket" "backup_lambda" {
		102 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		103 |   tags = merge(
		104 |     local.tags,
		105 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		106 |   )
		107 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
	File: /modules/codebuild/main.tf:5-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		5  | resource "aws_s3_bucket" "deployment_report" {
		6  |   bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		7  |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		8  |   tags = merge(
		9  |     var.tags,
		10 |     {
		11 |       Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		12 |     },
		13 |   )
		14 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.laa-lambda-backup
	File: /modules/s3/main.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		1 | resource "aws_s3_bucket" "laa-lambda-backup" {
		2 |   bucket = var.bucket_name
		3 |   tags   = var.tags
		4 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.u01-orahome
	File: /ec2.tf:169-184
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		169 | resource "aws_ebs_volume" "u01-orahome" {
		170 |   availability_zone = "eu-west-2a"
		171 |   size              = local.application_data.accounts[local.environment].u01_orahome_size
		172 |   type              = "gp3"
		173 |   encrypted         = true
		174 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		175 |   snapshot_id       = local.application_data.accounts[local.environment].u01_orahome_snapshot
		176 |   lifecycle {
		177 |     ignore_changes = [kms_key_id]
		178 |   }
		179 |   tags = merge(
		180 |     local.tags,
		181 |     { "Name" = "${local.application_name}db-ec2-u01-orahome" },
		182 |     { "backup" = "false" }
		183 |   )
		184 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.u02-oradata
	File: /ec2.tf:191-206
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		191 | resource "aws_ebs_volume" "u02-oradata" {
		192 |   availability_zone = "eu-west-2a"
		193 |   size              = local.application_data.accounts[local.environment].u02_oradata_size
		194 |   type              = "gp3"
		195 |   encrypted         = true
		196 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		197 |   snapshot_id       = local.application_data.accounts[local.environment].u02_oradata_snapshot
		198 |   lifecycle {
		199 |     ignore_changes = [kms_key_id]
		200 |   }
		201 |   tags = merge(
		202 |     local.tags,
		203 |     { "Name" = "${local.application_name}db-ec2-u02-oradata" },
		204 |     { "backup" = "false" }
		205 |   )
		206 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.u03-redo
	File: /ec2.tf:216-231
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		216 | resource "aws_ebs_volume" "u03-redo" {
		217 |   availability_zone = "eu-west-2a"
		218 |   size              = local.application_data.accounts[local.environment].u03_redo_size
		219 |   type              = "gp3"
		220 |   encrypted         = true
		221 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		222 |   snapshot_id       = local.application_data.accounts[local.environment].u03_redo_snapshot
		223 |   lifecycle {
		224 |     ignore_changes = [kms_key_id]
		225 |   }
		226 |   tags = merge(
		227 |     local.tags,
		228 |     { "Name" = "${local.application_name}db-ec2-u03-redo" },
		229 |     { "backup" = "false" }
		230 |   )
		231 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.u04-arch
	File: /ec2.tf:238-253
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		238 | resource "aws_ebs_volume" "u04-arch" {
		239 |   availability_zone = "eu-west-2a"
		240 |   size              = local.application_data.accounts[local.environment].u04_arch_size
		241 |   type              = "gp3"
		242 |   encrypted         = true
		243 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		244 |   snapshot_id       = local.application_data.accounts[local.environment].u04_arch_snapshot
		245 |   lifecycle {
		246 |     ignore_changes = [kms_key_id]
		247 |   }
		248 |   tags = merge(
		249 |     local.tags,
		250 |     { "Name" = "${local.application_name}db-ec2-u04-arch" },
		251 |     { "backup" = "false" }
		252 |   )
		253 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:101-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		101 | resource "aws_s3_bucket" "backup_lambda" {
		102 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		103 |   tags = merge(
		104 |     local.tags,
		105 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		106 |   )
		107 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.laa-lambda-backup
	File: /modules/s3/main.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		1 | resource "aws_s3_bucket" "laa-lambda-backup" {
		2 |   bucket = var.bucket_name
		3 |   tags   = var.tags
		4 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.cloudfront
	File: /cloudfront.tf:109-122
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		109 | resource "aws_s3_bucket" "cloudfront" {
		110 |   bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		111 |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		112 |   tags = merge(
		113 |     local.tags,
		114 |     {
		115 |       Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		116 |     }
		117 |   )
		118 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		119 |   lifecycle {
		120 |     prevent_destroy = false
		121 |   }
		122 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:101-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		101 | resource "aws_s3_bucket" "backup_lambda" {
		102 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		103 |   tags = merge(
		104 |     local.tags,
		105 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		106 |   )
		107 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
	File: /modules/codebuild/main.tf:5-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		5  | resource "aws_s3_bucket" "deployment_report" {
		6  |   bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		7  |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		8  |   tags = merge(
		9  |     var.tags,
		10 |     {
		11 |       Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		12 |     },
		13 |   )
		14 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.laa-lambda-backup
	File: /modules/s3/main.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		1 | resource "aws_s3_bucket" "laa-lambda-backup" {
		2 |   bucket = var.bucket_name
		3 |   tags   = var.tags
		4 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.cloudfront
	File: /cloudfront.tf:109-122
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		109 | resource "aws_s3_bucket" "cloudfront" {
		110 |   bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		111 |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		112 |   tags = merge(
		113 |     local.tags,
		114 |     {
		115 |       Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		116 |     }
		117 |   )
		118 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		119 |   lifecycle {
		120 |     prevent_destroy = false
		121 |   }
		122 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
	File: /modules/codebuild/main.tf:5-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		5  | resource "aws_s3_bucket" "deployment_report" {
		6  |   bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		7  |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		8  |   tags = merge(
		9  |     var.tags,
		10 |     {
		11 |       Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		12 |     },
		13 |   )
		14 | }

Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV2_AWS_46: "Ensure AWS CloudFront Distribution with S3 have Origin Access set to enabled"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:177-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-aws-cloudfromt-distribution-with-s3-have-origin-access-set-to-enabled

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
terraform_plan scan results:

Passed checks: 0, Failed checks: 0, Skipped checks: 0, Parsing errors: 1


checkov_exitcode=1

TFLint Scan Failed

*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/apex

*****************************

Running tflint in terraform/environments/apex
Excluding the following checks: terraform_unused_declarations
7 issue(s) found:

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/apex/alb.tf line 17:
  17:     "${local.application_data.accounts[local.environment].acm_cert_domain_name}" = {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/apex/alb.tf line 19:
  19:       zone_name = "${local.application_data.accounts[local.environment].acm_cert_domain_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "template" in `required_providers` (terraform_required_providers)

  on terraform/environments/apex/cloudwatch.tf line 401:
 401: data "template_file" "dashboard" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "local" in `required_providers` (terraform_required_providers)

  on terraform/environments/apex/ec2.tf line 42:
  42: data "local_file" "cloudwatch_agent" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/apex/event_triggers.tf line 22:
  22:   input = jsonencode({ "appname" : "${local.database_ec2_name}" })

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "time" in `required_providers` (terraform_required_providers)

  on terraform/environments/apex/lambda.tf line 123:
 123: resource "time_sleep" "wait_for_provision_files" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "archive" in `required_providers` (terraform_required_providers)

  on terraform/environments/apex/lambda.tf line 177:
 177: data "archive_file" "connect_db" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

tflint_exitcode=2

Trivy Scan Failed

*****************************

Trivy will check the following folders:
terraform/environments/apex

*****************************

Running Trivy in terraform/environments/apex
2024-11-28T12:53:55Z	INFO	[vulndb] Need to update DB
2024-11-28T12:53:55Z	INFO	[vulndb] Downloading vulnerability DB...
2024-11-28T12:53:55Z	INFO	[vulndb] Downloading artifact...	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-11-28T12:53:59Z	INFO	[vulndb] Artifact successfully downloaded	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-11-28T12:53:59Z	INFO	[vuln] Vulnerability scanning is enabled
2024-11-28T12:53:59Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-11-28T12:53:59Z	INFO	[misconfig] Need to update the built-in checks
2024-11-28T12:53:59Z	INFO	[misconfig] Downloading the built-in checks...
160.25 KiB / 160.25 KiB [------------------------------------------------------] 100.00% ? p/s 100ms2024-11-28T12:53:59Z	INFO	[secret] Secret scanning is enabled
2024-11-28T12:53:59Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-11-28T12:53:59Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-11-28T12:54:00Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-11-28T12:54:00Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2024-11-28T12:54:00Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="aws_waf_ipset.wafmanualallowset" err="1 error occurred:\n\t* invalid for-each in aws_waf_ipset.wafmanualallowset.dynamic.ip_set_descriptors block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-28T12:54:00Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="aws_waf_ipset.wafmanualallowset" err="1 error occurred:\n\t* invalid for-each in aws_waf_ipset.wafmanualallowset.dynamic.ip_set_descriptors block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-28T12:54:01Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.aws_route53_record.external_lb_validation_core_network_services" value="cty.NilVal"
2024-11-28T12:54:01Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.aws_route53_record.external_lb_validation_core_vpc" value="cty.NilVal"
2024-11-28T12:54:01Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.aws_route53_record.external_lb_validation_self" value="cty.NilVal"
2024-11-28T12:54:01Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.data.aws_route53_zone.core_network_services" value="cty.NilVal"
2024-11-28T12:54:01Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.data.aws_route53_zone.core_vpc" value="cty.NilVal"
2024-11-28T12:54:01Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.data.aws_route53_zone.self" value="cty.NilVal"
2024-11-28T12:54:01Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.apex-ecs.aws_autoscaling_group.cluster-scaling-group" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.cluster-scaling-group.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-28T12:54:01Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.apex-ecs.aws_autoscaling_group.cluster-scaling-group" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.cluster-scaling-group.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-28T12:54:01Z	INFO	[terraform scanner] Scanning root module	file_path="modules/lambdapolicy"
2024-11-28T12:54:01Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="tags"
2024-11-28T12:54:01Z	INFO	[terraform scanner] Scanning root module	file_path="modules/s3"
2024-11-28T12:54:01Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="tags"
2024-11-28T12:54:02Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0/main.tf:171-179"
2024-11-28T12:54:02Z	INFO	[terraform executor] Ignore finding	rule="aws-elb-alb-not-public" range="modules/alb/main.tf:214"
2024-11-28T12:54:03Z	INFO	Number of language-specific files	num=0
2024-11-28T12:54:03Z	INFO	Detected config files	num=12

cloudfront.tf (terraform)
=========================
Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0013 (HIGH): Distribution allows unencrypted communications.
════════════════════════════════════════
You should not use outdated/insecure TLS versions for encryption. You should be using TLS v1.2+.
Note: that setting *minimum_protocol_version = "TLSv1.2_2021"* is only possible when *cloudfront_default_certificate* is false (eg. you are not using the cloudfront.net domain name).
If *cloudfront_default_certificate* is true then the Cloudfront API will only allow setting *minimum_protocol_version = "TLSv1"*, and setting it to any other value will result in a perpetual diff in your *terraform plan*'s.
The only option when using the cloudfront.net domain name is to ignore this rule.


See https://avd.aquasec.com/misconfig/avd-aws-0013
────────────────────────────────────────
 cloudfront.tf:244
   via cloudfront.tf:241-245 (viewer_certificate)
    via cloudfront.tf:177-267 (aws_cloudfront_distribution.external)
────────────────────────────────────────
 177   resource "aws_cloudfront_distribution" "external" {
 ...   
 244 [     minimum_protocol_version = "TLSv1.2_2018"
 ...   
 267   }
────────────────────────────────────────


AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.


See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 cloudfront.tf:131-142
────────────────────────────────────────
 131 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "cloudfront" {
 132 │   bucket = aws_s3_bucket.cloudfront.id
 133 │   rule {
 134 │     apply_server_side_encryption_by_default {
 135 │       sse_algorithm = "AES256"
 136 │     }
 137 │   }
 138 │   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
 139 └   lifecycle {
 ...   
────────────────────────────────────────



ec2.tf (terraform)
==================
Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 ec2.tf:6-40
────────────────────────────────────────
   6 ┌ resource "aws_instance" "apex_db_instance" {
   7 │   ami                         = local.application_data.accounts[local.environment].ec2amiid
   8 │   associate_public_ip_address = false
   9 │   availability_zone           = "eu-west-2a"
  10 │   ebs_optimized               = true
  11 │   instance_type               = local.application_data.accounts[local.environment].ec2instancetype
  12 │   vpc_security_group_ids      = [aws_security_group.database.id]
  13 │   monitoring                  = true
  14 └   subnet_id                   = data.aws_subnet.data_subnets_a.id
  ..   
────────────────────────────────────────



lambda.tf (terraform)
=====================
Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0088 (HIGH): Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.


See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
 lambda.tf:101-107
────────────────────────────────────────
 101 ┌ resource "aws_s3_bucket" "backup_lambda" {
 102 │   bucket = "${local.application_name}-${local.environment}-backup-lambda"
 103 │   tags = merge(
 104 │     local.tags,
 105 │     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
 106 │   )
 107 └ }
────────────────────────────────────────


AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.


See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 lambda.tf:101-107
────────────────────────────────────────
 101 ┌ resource "aws_s3_bucket" "backup_lambda" {
 102 │   bucket = "${local.application_name}-${local.environment}-backup-lambda"
 103 │   tags = merge(
 104 │     local.tags,
 105 │     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
 106 │   )
 107 └ }
────────────────────────────────────────



modules/ecs/main.tf (terraform)
===============================
Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0130 (HIGH): Launch template does not require IMDS access to require a token
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/aws-autoscaling-enforce-http-token-imds
────────────────────────────────────────
 modules/ecs/main.tf:121
   via modules/ecs/main.tf:119-123 (metadata_options)
    via modules/ecs/main.tf:107-164 (aws_launch_template.ec2-launch-template)
     via ecs.tf:5-38 (module.apex-ecs)
────────────────────────────────────────
 107   resource "aws_launch_template" "ec2-launch-template" {
 ...   
 121 [     http_tokens                 = "optional"
 ...   
 164   }
────────────────────────────────────────



modules/s3/main.tf (terraform)
==============================
Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0088 (HIGH): Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.


See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
 modules/s3/main.tf:1-4
────────────────────────────────────────
   1 ┌ resource "aws_s3_bucket" "laa-lambda-backup" {
   2 │   bucket = var.bucket_name
   3 │   tags   = var.tags
   4 └ }
────────────────────────────────────────


AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.


See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 modules/s3/main.tf:1-4
────────────────────────────────────────
   1 ┌ resource "aws_s3_bucket" "laa-lambda-backup" {
   2 │   bucket = var.bucket_name
   3 │   tags   = var.tags
   4 └ }
────────────────────────────────────────


trivy_exitcode=1

Contributor

Trivy Scan Failed

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/apex


Running Trivy in terraform/environments/apex
2024-11-28T13:09:06Z INFO [vulndb] Need to update DB
2024-11-28T13:09:06Z INFO [vulndb] Downloading vulnerability DB...
2024-11-28T13:09:06Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-11-28T13:09:08Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-11-28T13:09:08Z INFO [vuln] Vulnerability scanning is enabled
2024-11-28T13:09:08Z INFO [misconfig] Misconfiguration scanning is enabled
2024-11-28T13:09:08Z INFO [misconfig] Need to update the built-in checks
2024-11-28T13:09:08Z INFO [misconfig] Downloading the built-in checks...
160.25 KiB / 160.25 KiB [---------------------------------------------------------] 100.00% ? p/s 0s
2024-11-28T13:09:08Z INFO [secret] Secret scanning is enabled
2024-11-28T13:09:08Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-11-28T13:09:08Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-11-28T13:09:09Z INFO [terraform scanner] Scanning root module file_path="."
2024-11-28T13:09:09Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2024-11-28T13:09:09Z ERROR [terraform evaluator] Failed to expand dynamic block. block="aws_waf_ipset.wafmanualallowset" err="1 error occurred:\n\t* invalid for-each in aws_waf_ipset.wafmanualallowset.dynamic.ip_set_descriptors block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-28T13:09:09Z ERROR [terraform evaluator] Failed to expand dynamic block. block="aws_waf_ipset.wafmanualallowset" err="1 error occurred:\n\t* invalid for-each in aws_waf_ipset.wafmanualallowset.dynamic.ip_set_descriptors block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-28T13:09:10Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.aws_route53_record.external_lb_validation_core_network_services" value="cty.NilVal"
2024-11-28T13:09:10Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.aws_route53_record.external_lb_validation_core_vpc" value="cty.NilVal"
2024-11-28T13:09:10Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.aws_route53_record.external_lb_validation_self" value="cty.NilVal"
2024-11-28T13:09:10Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.data.aws_route53_zone.core_network_services" value="cty.NilVal"
2024-11-28T13:09:10Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.data.aws_route53_zone.core_vpc" value="cty.NilVal"
2024-11-28T13:09:10Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.data.aws_route53_zone.self" value="cty.NilVal"
2024-11-28T13:09:10Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.apex-ecs.aws_autoscaling_group.cluster-scaling-group" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.cluster-scaling-group.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-28T13:09:10Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.apex-ecs.aws_autoscaling_group.cluster-scaling-group" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.cluster-scaling-group.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-28T13:09:10Z INFO [terraform scanner] Scanning root module file_path="modules/lambdapolicy"
2024-11-28T13:09:10Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="tags"
2024-11-28T13:09:10Z INFO [terraform scanner] Scanning root module file_path="modules/s3"
2024-11-28T13:09:10Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="tags"
2024-11-28T13:09:11Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0/main.tf:171-179"
2024-11-28T13:09:11Z INFO [terraform executor] Ignore finding rule="aws-elb-alb-not-public" range="modules/alb/main.tf:214"
2024-11-28T13:09:12Z INFO Number of language-specific files num=0
2024-11-28T13:09:12Z INFO Detected config files num=12

cloudfront.tf (terraform)
=========================
Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0013 (HIGH): Distribution allows unencrypted communications.
════════════════════════════════════════
You should not use outdated/insecure TLS versions for encryption. You should be using TLS v1.2+.
Note: that setting minimum_protocol_version = "TLSv1.2_2021" is only possible when cloudfront_default_certificate is false (eg. you are not using the cloudfront.net domain name).
If cloudfront_default_certificate is true then the Cloudfront API will only allow setting minimum_protocol_version = "TLSv1", and setting it to any other value will result in a perpetual diff in your terraform plan's.
The only option when using the cloudfront.net domain name is to ignore this rule.

See https://avd.aquasec.com/misconfig/avd-aws-0013
────────────────────────────────────────
 cloudfront.tf:244
   via cloudfront.tf:241-245 (viewer_certificate)
    via cloudfront.tf:177-267 (aws_cloudfront_distribution.external)
────────────────────────────────────────
 177   resource "aws_cloudfront_distribution" "external" {
 ...   
 244 [     minimum_protocol_version = "TLSv1.2_2018"
 ...   
 267   }
────────────────────────────────────────

AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 cloudfront.tf:131-142
────────────────────────────────────────
 131 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "cloudfront" {
 132 │   bucket = aws_s3_bucket.cloudfront.id
 133 │   rule {
 134 │     apply_server_side_encryption_by_default {
 135 │       sse_algorithm = "AES256"
 136 │     }
 137 │   }
 138 │   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
 139 └   lifecycle {
 ...   
────────────────────────────────────────

ec2.tf (terraform)
==================
Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 ec2.tf:6-40
────────────────────────────────────────
   6 ┌ resource "aws_instance" "apex_db_instance" {
   7 │   ami                         = local.application_data.accounts[local.environment].ec2amiid
   8 │   associate_public_ip_address = false
   9 │   availability_zone           = "eu-west-2a"
  10 │   ebs_optimized               = true
  11 │   instance_type               = local.application_data.accounts[local.environment].ec2instancetype
  12 │   vpc_security_group_ids      = [aws_security_group.database.id]
  13 │   monitoring                  = true
  14 └   subnet_id                   = data.aws_subnet.data_subnets_a.id
  ..   
────────────────────────────────────────

lambda.tf (terraform)
=====================
Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0088 (HIGH): Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.

See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
 lambda.tf:101-107
────────────────────────────────────────
 101 ┌ resource "aws_s3_bucket" "backup_lambda" {
 102 │   bucket = "${local.application_name}-${local.environment}-backup-lambda"
 103 │   tags = merge(
 104 │     local.tags,
 105 │     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
 106 │   )
 107 └ }
────────────────────────────────────────

AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 lambda.tf:101-107
────────────────────────────────────────
 101 ┌ resource "aws_s3_bucket" "backup_lambda" {
 102 │   bucket = "${local.application_name}-${local.environment}-backup-lambda"
 103 │   tags = merge(
 104 │     local.tags,
 105 │     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
 106 │   )
 107 └ }
────────────────────────────────────────

modules/ecs/main.tf (terraform)
===============================
Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0130 (HIGH): Launch template does not require IMDS access to require a token
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/aws-autoscaling-enforce-http-token-imds
────────────────────────────────────────
 modules/ecs/main.tf:121
   via modules/ecs/main.tf:119-123 (metadata_options)
    via modules/ecs/main.tf:107-164 (aws_launch_template.ec2-launch-template)
     via ecs.tf:5-38 (module.apex-ecs)
────────────────────────────────────────
 107   resource "aws_launch_template" "ec2-launch-template" {
 ...   
 121 [     http_tokens                 = "optional"
 ...   
 164   }
────────────────────────────────────────

modules/s3/main.tf (terraform)
==============================
Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0088 (HIGH): Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.

See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
 modules/s3/main.tf:1-4
────────────────────────────────────────
   1 ┌ resource "aws_s3_bucket" "laa-lambda-backup" {
   2 │   bucket = var.bucket_name
   3 │   tags   = var.tags
   4 └ }
────────────────────────────────────────

AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 modules/s3/main.tf:1-4
────────────────────────────────────────
   1 ┌ resource "aws_s3_bucket" "laa-lambda-backup" {
   2 │   bucket = var.bucket_name
   3 │   tags   = var.tags
   4 └ }
────────────────────────────────────────

trivy_exitcode=1

</details>

#### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/apex

*****************************

Running Checkov in terraform/environments/apex
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-11-28 13:09:14,700 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0:None (for external modules, the --download-external-modules flag is required)
2024-11-28 13:09:14,700 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 368, Failed checks: 102, Skipped checks: 5, Parsing errors: 1

Check: CKV_AWS_166: "Ensure Backup Vault is encrypted at rest using KMS CMK"
	FAILED for resource: aws_backup_vault.apex
	File: /backups.tf:6-12
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-backup-vault-is-encrypted-at-rest-using-kms-cmk

		6  | resource "aws_backup_vault" "apex" {
		7  |   name = "${local.application_name}-backup-vault"
		8  |   tags = merge(
		9  |     local.tags,
		10 |     { "Name" = "${local.application_name}-backup-vault" },
		11 |   )
		12 | }

Check: CKV_AWS_166: "Ensure Backup Vault is encrypted at rest using KMS CMK"
	FAILED for resource: aws_backup_vault.prod_apex
	File: /backups.tf:64-71
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-backup-vault-is-encrypted-at-rest-using-kms-cmk

		64 | resource "aws_backup_vault" "prod_apex" {
		65 |   count = local.environment == "production" ? 1 : 0
		66 |   name  = "${local.application_name}-production-backup-vault"
		67 |   tags = merge(
		68 |     local.tags,
		69 |     { "Name" = "${local.application_name}-production-backup-vault" },
		70 |   )
		71 | }

Check: CKV_AWS_300: "Ensure S3 lifecycle configuration sets period for aborting failed uploads"
	FAILED for resource: aws_s3_bucket_lifecycle_configuration.cloudfront
	File: /cloudfront.tf:157-175
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-300

		157 | resource "aws_s3_bucket_lifecycle_configuration" "cloudfront" {
		158 |   count  = local.environment == "production" ? 1 : 0
		159 |   bucket = aws_s3_bucket.cloudfront.id
		160 | 
		161 |   rule {
		162 |     id = "delete-after-90days"
		163 | 
		164 |     expiration {
		165 |       days = 90
		166 |     }
		167 | 
		168 |     noncurrent_version_expiration {
		169 |       newer_noncurrent_versions = 1
		170 |       noncurrent_days           = 90
		171 |     }
		172 | 
		173 |     status = "Enabled"
		174 |   }
		175 | }

Check: CKV_AWS_310: "Ensure CloudFront distributions should have origin failover configured"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:177-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-310

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_374: "Ensure AWS CloudFront web distribution has geo restriction enabled"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:177-267

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_305: "Ensure CloudFront distribution has a default root object configured"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:177-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-305

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_233: "Ensure Create before destroy for ACM certificates"
	FAILED for resource: aws_acm_certificate.cloudfront
	File: /cloudfront.tf:295-305
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-acm-certificate-enables-create-before-destroy

		295 | resource "aws_acm_certificate" "cloudfront" {
		296 |   domain_name               = local.cloudfront_domain
		297 |   validation_method         = "DNS"
		298 |   provider                  = aws.us-east-1
		299 |   subject_alternative_names = local.environment == "production" ? null : [local.lower_env_cloudfront_url]
		300 |   tags                      = local.tags
		301 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		302 |   lifecycle {
		303 |     prevent_destroy = false
		304 |   }
		305 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.apex_db_instance
	File: /ec2.tf:6-40
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		6  | resource "aws_instance" "apex_db_instance" {
		7  |   ami                         = local.application_data.accounts[local.environment].ec2amiid
		8  |   associate_public_ip_address = false
		9  |   availability_zone           = "eu-west-2a"
		10 |   ebs_optimized               = true
		11 |   instance_type               = local.application_data.accounts[local.environment].ec2instancetype
		12 |   vpc_security_group_ids      = [aws_security_group.database.id]
		13 |   monitoring                  = true
		14 |   subnet_id                   = data.aws_subnet.data_subnets_a.id
		15 |   iam_instance_profile        = aws_iam_instance_profile.ec2_instance_profile.id
		16 |   key_name                    = aws_key_pair.apex.key_name
		17 |   user_data_base64            = base64encode(local.database-instance-userdata)
		18 |   user_data_replace_on_change = true
		19 | 
		20 | 
		21 |   root_block_device {
		22 |     delete_on_termination = false
		23 |     encrypted             = true # TODO Confirm if encrypted volumes can work for OAS, as it looks like in MP they must be encrypted
		24 |     volume_size           = 60
		25 |     volume_type           = "gp2"
		26 |     tags = merge(
		27 |       local.tags,
		28 |       { "Name" = "${local.application_name}db-ec2-root" },
		29 |       { "backup" = "false" }
		30 |     )
		31 |   }
		32 | 
		33 |   tags = merge(
		34 |     local.tags,
		35 |     { "Name" = local.database_ec2_name },
		36 |     { "instance-scheduling" = "skip-scheduling" },
		37 |     { "backup" = "false" },
		38 |     local.backup_schedule_tags
		39 |   )
		40 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.db_lambda
	File: /ec2.tf:77-84
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		77 | resource "aws_vpc_security_group_ingress_rule" "db_lambda" {
		78 |   security_group_id            = aws_security_group.database.id
		79 |   description                  = "Allow Lambda SSH access for backup snapshots"
		80 |   referenced_security_group_id = aws_security_group.backup_lambda.id
		81 |   from_port                    = 22
		82 |   ip_protocol                  = "tcp"
		83 |   to_port                      = 22
		84 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.db_outbound
	File: /ec2.tf:105-109
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		105 | resource "aws_vpc_security_group_egress_rule" "db_outbound" {
		106 |   security_group_id = aws_security_group.database.id
		107 |   cidr_ipv4         = "0.0.0.0/0"
		108 |   ip_protocol       = "-1"
		109 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.ec2_instance_policy
	File: /ec2.tf:136-167
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		136 | resource "aws_iam_role_policy" "ec2_instance_policy" {
		137 |   name = "${local.application_name}-ec2-policy"
		138 |   role = aws_iam_role.ec2_instance_role.id
		139 |   policy = jsonencode({
		140 |     Version = "2012-10-17"
		141 |     Statement = [
		142 |       {
		143 |         Effect = "Allow",
		144 |         Action = [
		145 |           "logs:CreateLogGroup",
		146 |           "logs:CreateLogStream",
		147 |           "logs:DescribeLogStreams",
		148 |           "logs:PutRetentionPolicy",
		149 |           "logs:PutLogEvents",
		150 |           "logs:DescribeLogGroups",
		151 |           "cloudwatch:PutMetricData",
		152 |           "cloudwatch:GetMetricStatistics",
		153 |           "cloudwatch:ListMetrics",
		154 |           "ec2:DescribeInstances",
		155 |         ],
		156 |         Resource = "*"
		157 |       },
		158 |       {
		159 |         Effect = "Allow",
		160 |         Action = [
		161 |           "ec2:CreateTags"
		162 |         ],
		163 |         Resource = "*"
		164 |       }
		165 |     ]
		166 |   })
		167 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.ec2_instance_policy
	File: /ec2.tf:136-167
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		136 | resource "aws_iam_role_policy" "ec2_instance_policy" {
		137 |   name = "${local.application_name}-ec2-policy"
		138 |   role = aws_iam_role.ec2_instance_role.id
		139 |   policy = jsonencode({
		140 |     Version = "2012-10-17"
		141 |     Statement = [
		142 |       {
		143 |         Effect = "Allow",
		144 |         Action = [
		145 |           "logs:CreateLogGroup",
		146 |           "logs:CreateLogStream",
		147 |           "logs:DescribeLogStreams",
		148 |           "logs:PutRetentionPolicy",
		149 |           "logs:PutLogEvents",
		150 |           "logs:DescribeLogGroups",
		151 |           "cloudwatch:PutMetricData",
		152 |           "cloudwatch:GetMetricStatistics",
		153 |           "cloudwatch:ListMetrics",
		154 |           "ec2:DescribeInstances",
		155 |         ],
		156 |         Resource = "*"
		157 |       },
		158 |       {
		159 |         Effect = "Allow",
		160 |         Action = [
		161 |           "ec2:CreateTags"
		162 |         ],
		163 |         Resource = "*"
		164 |       }
		165 |     ]
		166 |   })
		167 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.database
	File: /ec2.tf:269-279
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		269 | resource "aws_cloudwatch_log_group" "database" {
		270 |   name              = "${upper(local.application_name)}-EC2-database-alert"
		271 |   retention_in_days = 0
		272 |   # kms_key_id = aws_kms_key.cloudwatch_logs_key.arn # Not encrypted in LZ
		273 |   tags = merge(
		274 |     local.tags,
		275 |     {
		276 |       Name = "${upper(local.application_name)}-EC2-database-alert"
		277 |     }
		278 |   )
		279 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.pmon_status
	File: /ec2.tf:294-304
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		294 | resource "aws_cloudwatch_log_group" "pmon_status" {
		295 |   name              = "${upper(local.application_name)}-EC2-database-pmon-status"
		296 |   retention_in_days = 0
		297 |   # kms_key_id = aws_kms_key.cloudwatch_logs_key.arn # Not encrypted in LZ
		298 |   tags = merge(
		299 |     local.tags,
		300 |     {
		301 |       Name = "${upper(local.application_name)}-EC2-database-pmon-status"
		302 |     }
		303 |   )
		304 | }

Check: CKV_AWS_7: "Ensure rotation for customer created CMKs is enabled"
	FAILED for resource: aws_kms_key.efs
	File: /efs.tf:1-5
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/logging-8

		1 | resource "aws_kms_key" "efs" {
		2 |   description = "KMS key for encrypting EFS"
		3 |   # enable_key_rotation = true
		4 |   tags = local.tags
		5 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.ssh_key
	File: /lambda.tf:7-22
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		7  | resource "aws_ssm_parameter" "ssh_key" {
		8  |   name        = "EC2_SSH_KEY" # This needs to match the name supplied to the dbconnect.js script
		9  |   description = "SSH Key used by Lambda function to access database instance for backup. Value is updated manually."
		10 |   type        = "SecureString"
		11 |   value       = "Placeholder"
		12 | 
		13 |   tags = merge(
		14 |     local.tags,
		15 |     { Name = "EC2_SSH_KEY" }
		16 |   )
		17 |   lifecycle {
		18 |     ignore_changes = [
		19 |       value,
		20 |     ]
		21 |   }
		22 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:50-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		50 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		51 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		52 |   tags = merge(
		53 |     local.tags,
		54 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		55 |   )
		56 |   policy = <<EOF
		57 | {
		58 |     "Version" : "2012-10-17",
		59 |     "Statement": [
		60 |         {
		61 |             "Action": [
		62 |                 "lambda:InvokeFunction",
		63 |                 "ec2:CreateNetworkInterface",
		64 |                 "ec2:DescribeNetworkInterfaces",
		65 |                 "ec2:DeleteNetworkInterface",
		66 |                 "ec2:DescribeSecurityGroups",
		67 |                 "ec2:CreateSnapshot",
		68 |                 "ec2:DeleteSnapshot",
		69 |                 "ec2:DescribeSubnets",
		70 |                 "ec2:DescribeVpcs",
		71 |                 "ec2:DescribeInstances",
		72 |                 "ec2:DescribeAddresses",
		73 |                 "ec2:DescribeInstanceStatus",
		74 |                 "ec2:DescribeVolumes",
		75 |                 "ec2:DescribeSnapshots",
		76 |                 "ec2:CreateTags",
		77 |                 "s3:*",
		78 |                 "ssm:*",
		79 |                 "ses:*",
		80 |                 "logs:*",
		81 |                 "cloudwatch:*",
		82 |                 "sts:AssumeRole"
		83 |             ],
		84 |             "Resource": "*",
		85 |             "Effect": "Allow"
		86 |         }
		87 |     ]
		88 | }
		89 | EOF
		90 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:50-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		50 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		51 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		52 |   tags = merge(
		53 |     local.tags,
		54 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		55 |   )
		56 |   policy = <<EOF
		57 | {
		58 |     "Version" : "2012-10-17",
		59 |     "Statement": [
		60 |         {
		61 |             "Action": [
		62 |                 "lambda:InvokeFunction",
		63 |                 "ec2:CreateNetworkInterface",
		64 |                 "ec2:DescribeNetworkInterfaces",
		65 |                 "ec2:DeleteNetworkInterface",
		66 |                 "ec2:DescribeSecurityGroups",
		67 |                 "ec2:CreateSnapshot",
		68 |                 "ec2:DeleteSnapshot",
		69 |                 "ec2:DescribeSubnets",
		70 |                 "ec2:DescribeVpcs",
		71 |                 "ec2:DescribeInstances",
		72 |                 "ec2:DescribeAddresses",
		73 |                 "ec2:DescribeInstanceStatus",
		74 |                 "ec2:DescribeVolumes",
		75 |                 "ec2:DescribeSnapshots",
		76 |                 "ec2:CreateTags",
		77 |                 "s3:*",
		78 |                 "ssm:*",
		79 |                 "ses:*",
		80 |                 "logs:*",
		81 |                 "cloudwatch:*",
		82 |                 "sts:AssumeRole"
		83 |             ],
		84 |             "Resource": "*",
		85 |             "Effect": "Allow"
		86 |         }
		87 |     ]
		88 | }
		89 | EOF
		90 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:50-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		50 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		51 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		52 |   tags = merge(
		53 |     local.tags,
		54 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		55 |   )
		56 |   policy = <<EOF
		57 | {
		58 |     "Version" : "2012-10-17",
		59 |     "Statement": [
		60 |         {
		61 |             "Action": [
		62 |                 "lambda:InvokeFunction",
		63 |                 "ec2:CreateNetworkInterface",
		64 |                 "ec2:DescribeNetworkInterfaces",
		65 |                 "ec2:DeleteNetworkInterface",
		66 |                 "ec2:DescribeSecurityGroups",
		67 |                 "ec2:CreateSnapshot",
		68 |                 "ec2:DeleteSnapshot",
		69 |                 "ec2:DescribeSubnets",
		70 |                 "ec2:DescribeVpcs",
		71 |                 "ec2:DescribeInstances",
		72 |                 "ec2:DescribeAddresses",
		73 |                 "ec2:DescribeInstanceStatus",
		74 |                 "ec2:DescribeVolumes",
		75 |                 "ec2:DescribeSnapshots",
		76 |                 "ec2:CreateTags",
		77 |                 "s3:*",
		78 |                 "ssm:*",
		79 |                 "ses:*",
		80 |                 "logs:*",
		81 |                 "cloudwatch:*",
		82 |                 "sts:AssumeRole"
		83 |             ],
		84 |             "Resource": "*",
		85 |             "Effect": "Allow"
		86 |         }
		87 |     ]
		88 | }
		89 | EOF
		90 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:50-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		50 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		51 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		52 |   tags = merge(
		53 |     local.tags,
		54 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		55 |   )
		56 |   policy = <<EOF
		57 | {
		58 |     "Version" : "2012-10-17",
		59 |     "Statement": [
		60 |         {
		61 |             "Action": [
		62 |                 "lambda:InvokeFunction",
		63 |                 "ec2:CreateNetworkInterface",
		64 |                 "ec2:DescribeNetworkInterfaces",
		65 |                 "ec2:DeleteNetworkInterface",
		66 |                 "ec2:DescribeSecurityGroups",
		67 |                 "ec2:CreateSnapshot",
		68 |                 "ec2:DeleteSnapshot",
		69 |                 "ec2:DescribeSubnets",
		70 |                 "ec2:DescribeVpcs",
		71 |                 "ec2:DescribeInstances",
		72 |                 "ec2:DescribeAddresses",
		73 |                 "ec2:DescribeInstanceStatus",
		74 |                 "ec2:DescribeVolumes",
		75 |                 "ec2:DescribeSnapshots",
		76 |                 "ec2:CreateTags",
		77 |                 "s3:*",
		78 |                 "ssm:*",
		79 |                 "ses:*",
		80 |                 "logs:*",
		81 |                 "cloudwatch:*",
		82 |                 "sts:AssumeRole"
		83 |             ],
		84 |             "Resource": "*",
		85 |             "Effect": "Allow"
		86 |         }
		87 |     ]
		88 | }
		89 | EOF
		90 | }

Check: CKV_AWS_287: "Ensure IAM policies does not allow credentials exposure"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:50-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-287

		50 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		51 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		52 |   tags = merge(
		53 |     local.tags,
		54 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		55 |   )
		56 |   policy = <<EOF
		57 | {
		58 |     "Version" : "2012-10-17",
		59 |     "Statement": [
		60 |         {
		61 |             "Action": [
		62 |                 "lambda:InvokeFunction",
		63 |                 "ec2:CreateNetworkInterface",
		64 |                 "ec2:DescribeNetworkInterfaces",
		65 |                 "ec2:DeleteNetworkInterface",
		66 |                 "ec2:DescribeSecurityGroups",
		67 |                 "ec2:CreateSnapshot",
		68 |                 "ec2:DeleteSnapshot",
		69 |                 "ec2:DescribeSubnets",
		70 |                 "ec2:DescribeVpcs",
		71 |                 "ec2:DescribeInstances",
		72 |                 "ec2:DescribeAddresses",
		73 |                 "ec2:DescribeInstanceStatus",
		74 |                 "ec2:DescribeVolumes",
		75 |                 "ec2:DescribeSnapshots",
		76 |                 "ec2:CreateTags",
		77 |                 "s3:*",
		78 |                 "ssm:*",
		79 |                 "ses:*",
		80 |                 "logs:*",
		81 |                 "cloudwatch:*",
		82 |                 "sts:AssumeRole"
		83 |             ],
		84 |             "Resource": "*",
		85 |             "Effect": "Allow"
		86 |         }
		87 |     ]
		88 | }
		89 | EOF
		90 | }

Check: CKV_AWS_382: "Ensure no security groups allow egress from 0.0.0.0:0 to port -1"
	FAILED for resource: aws_security_group.backup_lambda
	File: /lambda.tf:184-201

		184 | resource "aws_security_group" "backup_lambda" {
		185 |   name        = "${local.application_name}-${local.environment}-backup-lambda-security-group"
		186 |   description = "Bakcup Lambda Security Group"
		187 |   vpc_id      = data.aws_vpc.shared.id
		188 | 
		189 |   egress {
		190 |     description = "outbound access"
		191 |     from_port   = 0
		192 |     to_port     = 0
		193 |     protocol    = "-1"
		194 |     cidr_blocks = ["0.0.0.0/0"]
		195 |   }
		196 | 
		197 |   tags = merge(
		198 |     local.tags,
		199 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-security-group" }
		200 |   )
		201 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /lambda.tf:215-243
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		215 | resource "aws_lambda_function" "create_db_snapshots" {
		216 | 
		217 |   description      = "Snapshot volumes for Oracle EC2"
		218 |   function_name    = "snapshotDBFunction"
		219 |   role             = aws_iam_role.backup_lambda.arn
		220 |   handler          = "snapshot/dbsnapshot.handler"
		221 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		222 |   runtime          = "nodejs18.x"
		223 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		224 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		225 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		226 |   memory_size      = 128
		227 |   timeout          = 900
		228 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		229 | 
		230 |   environment {
		231 |     variables = {
		232 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		233 |     }
		234 |   }
		235 |   vpc_config {
		236 |     security_group_ids = [aws_security_group.backup_lambda.id]
		237 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		238 |   }
		239 |   tags = merge(
		240 |     local.tags,
		241 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		242 |   )
		243 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /lambda.tf:215-243
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		215 | resource "aws_lambda_function" "create_db_snapshots" {
		216 | 
		217 |   description      = "Snapshot volumes for Oracle EC2"
		218 |   function_name    = "snapshotDBFunction"
		219 |   role             = aws_iam_role.backup_lambda.arn
		220 |   handler          = "snapshot/dbsnapshot.handler"
		221 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		222 |   runtime          = "nodejs18.x"
		223 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		224 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		225 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		226 |   memory_size      = 128
		227 |   timeout          = 900
		228 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		229 | 
		230 |   environment {
		231 |     variables = {
		232 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		233 |     }
		234 |   }
		235 |   vpc_config {
		236 |     security_group_ids = [aws_security_group.backup_lambda.id]
		237 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		238 |   }
		239 |   tags = merge(
		240 |     local.tags,
		241 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		242 |   )
		243 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /lambda.tf:215-243
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		215 | resource "aws_lambda_function" "create_db_snapshots" {
		216 | 
		217 |   description      = "Snapshot volumes for Oracle EC2"
		218 |   function_name    = "snapshotDBFunction"
		219 |   role             = aws_iam_role.backup_lambda.arn
		220 |   handler          = "snapshot/dbsnapshot.handler"
		221 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		222 |   runtime          = "nodejs18.x"
		223 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		224 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		225 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		226 |   memory_size      = 128
		227 |   timeout          = 900
		228 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		229 | 
		230 |   environment {
		231 |     variables = {
		232 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		233 |     }
		234 |   }
		235 |   vpc_config {
		236 |     security_group_ids = [aws_security_group.backup_lambda.id]
		237 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		238 |   }
		239 |   tags = merge(
		240 |     local.tags,
		241 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		242 |   )
		243 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /lambda.tf:215-243
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		215 | resource "aws_lambda_function" "create_db_snapshots" {
		216 | 
		217 |   description      = "Snapshot volumes for Oracle EC2"
		218 |   function_name    = "snapshotDBFunction"
		219 |   role             = aws_iam_role.backup_lambda.arn
		220 |   handler          = "snapshot/dbsnapshot.handler"
		221 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		222 |   runtime          = "nodejs18.x"
		223 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		224 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		225 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		226 |   memory_size      = 128
		227 |   timeout          = 900
		228 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		229 | 
		230 |   environment {
		231 |     variables = {
		232 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		233 |     }
		234 |   }
		235 |   vpc_config {
		236 |     security_group_ids = [aws_security_group.backup_lambda.id]
		237 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		238 |   }
		239 |   tags = merge(
		240 |     local.tags,
		241 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		242 |   )
		243 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /lambda.tf:215-243
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		215 | resource "aws_lambda_function" "create_db_snapshots" {
		216 | 
		217 |   description      = "Snapshot volumes for Oracle EC2"
		218 |   function_name    = "snapshotDBFunction"
		219 |   role             = aws_iam_role.backup_lambda.arn
		220 |   handler          = "snapshot/dbsnapshot.handler"
		221 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		222 |   runtime          = "nodejs18.x"
		223 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		224 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		225 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		226 |   memory_size      = 128
		227 |   timeout          = 900
		228 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		229 | 
		230 |   environment {
		231 |     variables = {
		232 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		233 |     }
		234 |   }
		235 |   vpc_config {
		236 |     security_group_ids = [aws_security_group.backup_lambda.id]
		237 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		238 |   }
		239 |   tags = merge(
		240 |     local.tags,
		241 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		242 |   )
		243 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /lambda.tf:245-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		245 | resource "aws_lambda_function" "delete_db_snapshots" {
		246 | 
		247 |   description      = "Clean up script to delete old unused snapshots"
		248 |   function_name    = "deletesnapshotFunction"
		249 |   role             = aws_iam_role.backup_lambda.arn
		250 |   handler          = "deletesnapshots.lambda_handler"
		251 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		252 |   runtime          = "python3.8"
		253 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		254 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		255 |   memory_size      = 3000
		256 |   timeout          = 900
		257 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		258 | 
		259 |   vpc_config {
		260 |     security_group_ids = [aws_security_group.backup_lambda.id]
		261 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		262 |   }
		263 |   tags = merge(
		264 |     local.tags,
		265 |     { Name = "${local.application_name}-${local.environment}-lambda-delete-snapshots" }
		266 |   )
		267 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /lambda.tf:245-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		245 | resource "aws_lambda_function" "delete_db_snapshots" {
		246 | 
		247 |   description      = "Clean up script to delete old unused snapshots"
		248 |   function_name    = "deletesnapshotFunction"
		249 |   role             = aws_iam_role.backup_lambda.arn
		250 |   handler          = "deletesnapshots.lambda_handler"
		251 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		252 |   runtime          = "python3.8"
		253 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		254 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		255 |   memory_size      = 3000
		256 |   timeout          = 900
		257 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		258 | 
		259 |   vpc_config {
		260 |     security_group_ids = [aws_security_group.backup_lambda.id]
		261 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		262 |   }
		263 |   tags = merge(
		264 |     local.tags,
		265 |     { Name = "${local.application_name}-${local.environment}-lambda-delete-snapshots" }
		266 |   )
		267 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /lambda.tf:245-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		245 | resource "aws_lambda_function" "delete_db_snapshots" {
		246 | 
		247 |   description      = "Clean up script to delete old unused snapshots"
		248 |   function_name    = "deletesnapshotFunction"
		249 |   role             = aws_iam_role.backup_lambda.arn
		250 |   handler          = "deletesnapshots.lambda_handler"
		251 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		252 |   runtime          = "python3.8"
		253 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		254 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		255 |   memory_size      = 3000
		256 |   timeout          = 900
		257 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		258 | 
		259 |   vpc_config {
		260 |     security_group_ids = [aws_security_group.backup_lambda.id]
		261 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		262 |   }
		263 |   tags = merge(
		264 |     local.tags,
		265 |     { Name = "${local.application_name}-${local.environment}-lambda-delete-snapshots" }
		266 |   )
		267 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /lambda.tf:245-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		245 | resource "aws_lambda_function" "delete_db_snapshots" {
		246 | 
		247 |   description      = "Clean up script to delete old unused snapshots"
		248 |   function_name    = "deletesnapshotFunction"
		249 |   role             = aws_iam_role.backup_lambda.arn
		250 |   handler          = "deletesnapshots.lambda_handler"
		251 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		252 |   runtime          = "python3.8"
		253 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		254 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		255 |   memory_size      = 3000
		256 |   timeout          = 900
		257 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		258 | 
		259 |   vpc_config {
		260 |     security_group_ids = [aws_security_group.backup_lambda.id]
		261 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		262 |   }
		263 |   tags = merge(
		264 |     local.tags,
		265 |     { Name = "${local.application_name}-${local.environment}-lambda-delete-snapshots" }
		266 |   )
		267 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.connect_db
	File: /lambda.tf:269-300
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		269 | resource "aws_lambda_function" "connect_db" {
		270 | 
		271 |   description      = "SSH to the DB EC2"
		272 |   function_name    = "connectDBFunction"
		273 |   role             = aws_iam_role.backup_lambda.arn
		274 |   handler          = "ssh/dbconnect.handler"
		275 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		276 |   runtime          = "nodejs18.x"
		277 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		278 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		279 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		280 |   memory_size      = 128
		281 |   timeout          = 900
		282 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		283 | 
		284 | 
		285 | 
		286 |   environment {
		287 |     variables = {
		288 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		289 | 
		290 |     }
		291 |   }
		292 |   vpc_config {
		293 |     security_group_ids = [aws_security_group.backup_lambda.id]
		294 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		295 |   }
		296 |   tags = merge(
		297 |     local.tags,
		298 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		299 |   )
		300 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.connect_db
	File: /lambda.tf:269-300
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		269 | resource "aws_lambda_function" "connect_db" {
		270 | 
		271 |   description      = "SSH to the DB EC2"
		272 |   function_name    = "connectDBFunction"
		273 |   role             = aws_iam_role.backup_lambda.arn
		274 |   handler          = "ssh/dbconnect.handler"
		275 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		276 |   runtime          = "nodejs18.x"
		277 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		278 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		279 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		280 |   memory_size      = 128
		281 |   timeout          = 900
		282 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		283 | 
		284 | 
		285 | 
		286 |   environment {
		287 |     variables = {
		288 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		289 | 
		290 |     }
		291 |   }
		292 |   vpc_config {
		293 |     security_group_ids = [aws_security_group.backup_lambda.id]
		294 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		295 |   }
		296 |   tags = merge(
		297 |     local.tags,
		298 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		299 |   )
		300 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.connect_db
	File: /lambda.tf:269-300
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		269 | resource "aws_lambda_function" "connect_db" {
		270 | 
		271 |   description      = "SSH to the DB EC2"
		272 |   function_name    = "connectDBFunction"
		273 |   role             = aws_iam_role.backup_lambda.arn
		274 |   handler          = "ssh/dbconnect.handler"
		275 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		276 |   runtime          = "nodejs18.x"
		277 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		278 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		279 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		280 |   memory_size      = 128
		281 |   timeout          = 900
		282 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		283 | 
		284 | 
		285 | 
		286 |   environment {
		287 |     variables = {
		288 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		289 | 
		290 |     }
		291 |   }
		292 |   vpc_config {
		293 |     security_group_ids = [aws_security_group.backup_lambda.id]
		294 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		295 |   }
		296 |   tags = merge(
		297 |     local.tags,
		298 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		299 |   )
		300 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.connect_db
	File: /lambda.tf:269-300
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		269 | resource "aws_lambda_function" "connect_db" {
		270 | 
		271 |   description      = "SSH to the DB EC2"
		272 |   function_name    = "connectDBFunction"
		273 |   role             = aws_iam_role.backup_lambda.arn
		274 |   handler          = "ssh/dbconnect.handler"
		275 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		276 |   runtime          = "nodejs18.x"
		277 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		278 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		279 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		280 |   memory_size      = 128
		281 |   timeout          = 900
		282 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		283 | 
		284 | 
		285 | 
		286 |   environment {
		287 |     variables = {
		288 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		289 | 
		290 |     }
		291 |   }
		292 |   vpc_config {
		293 |     security_group_ids = [aws_security_group.backup_lambda.id]
		294 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		295 |   }
		296 |   tags = merge(
		297 |     local.tags,
		298 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		299 |   )
		300 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.connect_db
	File: /lambda.tf:269-300
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		269 | resource "aws_lambda_function" "connect_db" {
		270 | 
		271 |   description      = "SSH to the DB EC2"
		272 |   function_name    = "connectDBFunction"
		273 |   role             = aws_iam_role.backup_lambda.arn
		274 |   handler          = "ssh/dbconnect.handler"
		275 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		276 |   runtime          = "nodejs18.x"
		277 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		278 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		279 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		280 |   memory_size      = 128
		281 |   timeout          = 900
		282 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		283 | 
		284 | 
		285 | 
		286 |   environment {
		287 |     variables = {
		288 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		289 | 
		290 |     }
		291 |   }
		292 |   vpc_config {
		293 |     security_group_ids = [aws_security_group.backup_lambda.id]
		294 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		295 |   }
		296 |   tags = merge(
		297 |     local.tags,
		298 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		299 |   )
		300 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: module.alb.aws_secretsmanager_secret.cloudfront
	File: /modules/alb/main.tf:275-278
	Calling File: /alb.tf:27-163
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		275 | resource "aws_secretsmanager_secret" "cloudfront" {
		276 |   name        = "cloudfront-v1-secret-${var.application_name}"
		277 |   description = "Simple secret created by AWS CloudFormation to be shared between ALB and CloudFront"
		278 | }

Check: CKV_AWS_378: "Ensure AWS Load Balancer doesn't use HTTP protocol"
	FAILED for resource: module.alb.aws_lb_target_group.alb_target_group
	File: /modules/alb/main.tf:346-373
	Calling File: /alb.tf:27-163

		346 | resource "aws_lb_target_group" "alb_target_group" {
		347 |   name                 = "${var.application_name}-alb-tg"
		348 |   port                 = var.target_group_port
		349 |   protocol             = var.target_group_protocol
		350 |   vpc_id               = var.vpc_id
		351 |   deregistration_delay = var.target_group_deregistration_delay
		352 |   health_check {
		353 |     interval            = var.healthcheck_interval
		354 |     path                = var.healthcheck_path
		355 |     protocol            = var.healthcheck_protocol
		356 |     timeout             = var.healthcheck_timeout
		357 |     healthy_threshold   = var.healthcheck_healthy_threshold
		358 |     unhealthy_threshold = var.healthcheck_unhealthy_threshold
		359 |   }
		360 |   stickiness {
		361 |     enabled         = var.stickiness_enabled
		362 |     type            = var.stickiness_type
		363 |     cookie_duration = var.stickiness_cookie_duration
		364 |   }
		365 | 
		366 |   tags = merge(
		367 |     var.tags,
		368 |     {
		369 |       Name = "${var.application_name}-alb-tg"
		370 |     },
		371 |   )
		372 | 
		373 | }

Check: CKV_AWS_233: "Ensure Create before destroy for ACM certificates"
	FAILED for resource: module.alb.aws_acm_certificate.external_lb
	File: /modules/alb/main.tf:427-437
	Calling File: /alb.tf:27-163
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-acm-certificate-enables-create-before-destroy

		427 | resource "aws_acm_certificate" "external_lb" {
		428 | 
		429 |   domain_name               = var.acm_cert_domain_name
		430 |   validation_method         = "DNS"
		431 |   subject_alternative_names = var.environment == "production" ? null : ["${var.application_name}.${var.business_unit}-${var.environment}.${var.acm_cert_domain_name}"]
		432 |   tags                      = var.tags
		433 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		434 |   lifecycle {
		435 |     prevent_destroy = false
		436 |   }
		437 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.alb.s3-bucket[0]
	File: /modules/alb/main.tf:96-151
	Calling File: /alb.tf:27-163
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		Code lines for this resource are too many. Please use IDE of your choice to review the file.

Check: CKV_AWS_300: "Ensure S3 lifecycle configuration sets period for aborting failed uploads"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket_lifecycle_configuration.report_lifecycle
	File: /modules/codebuild/main.tf:25-39
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-300

		25 | resource "aws_s3_bucket_lifecycle_configuration" "report_lifecycle" {
		26 |   bucket = aws_s3_bucket.deployment_report.id
		27 | 
		28 |   rule {
		29 |     id = "monthly-expiration"
		30 |     expiration {
		31 |       days = var.s3_lifecycle_expiration_days
		32 |     }
		33 |     noncurrent_version_expiration {
		34 |       noncurrent_days = var.s3_lifecycle_noncurr_version_expiration_days
		35 |     }
		36 | 
		37 |     status = "Enabled"
		38 |   }
		39 | }

Check: CKV_AWS_163: "Ensure ECR image scanning on push is enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_ecr_repository.local-ecr
	File: /modules/codebuild/main.tf:52-66
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-8

		52 | resource "aws_ecr_repository" "local-ecr" {
		53 |   name                 = "${var.app_name}-local-ecr"
		54 |   image_tag_mutability = "MUTABLE"
		55 | 
		56 |   image_scanning_configuration {
		57 |     scan_on_push = false
		58 |   }
		59 | 
		60 |   tags = merge(
		61 |     var.tags,
		62 |     {
		63 |       Name = "${var.app_name}-local-ecr"
		64 |     },
		65 |   )
		66 | }

Check: CKV_AWS_51: "Ensure ECR Image Tags are immutable"
	FAILED for resource: module.apex-ecr-codebuild.aws_ecr_repository.local-ecr
	File: /modules/codebuild/main.tf:52-66
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-24

		52 | resource "aws_ecr_repository" "local-ecr" {
		53 |   name                 = "${var.app_name}-local-ecr"
		54 |   image_tag_mutability = "MUTABLE"
		55 | 
		56 |   image_scanning_configuration {
		57 |     scan_on_push = false
		58 |   }
		59 | 
		60 |   tags = merge(
		61 |     var.tags,
		62 |     {
		63 |       Name = "${var.app_name}-local-ecr"
		64 |     },
		65 |   )
		66 | }

Check: CKV_AWS_136: "Ensure that ECR repositories are encrypted using KMS"
	FAILED for resource: module.apex-ecr-codebuild.aws_ecr_repository.local-ecr
	File: /modules/codebuild/main.tf:52-66
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ecr-repositories-are-encrypted

		52 | resource "aws_ecr_repository" "local-ecr" {
		53 |   name                 = "${var.app_name}-local-ecr"
		54 |   image_tag_mutability = "MUTABLE"
		55 | 
		56 |   image_scanning_configuration {
		57 |     scan_on_push = false
		58 |   }
		59 | 
		60 |   tags = merge(
		61 |     var.tags,
		62 |     {
		63 |       Name = "${var.app_name}-local-ecr"
		64 |     },
		65 |   )
		66 | }

Check: CKV_AWS_314: "Ensure CodeBuild project environments have a logging configuration"
	FAILED for resource: module.apex-ecr-codebuild.aws_codebuild_project.app-build
	File: /modules/codebuild/main.tf:163-229
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-314

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_316: "Ensure CodeBuild project environments do not have privileged mode enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_codebuild_project.app-build
	File: /modules/codebuild/main.tf:163-229
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-316

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_314: "Ensure CodeBuild project environments have a logging configuration"
	FAILED for resource: module.apex-ecr-codebuild.aws_codebuild_project.test-build
	File: /modules/codebuild/main.tf:231-280
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-314

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: module.apex-ecs.aws_launch_template.ec2-launch-template
	File: /modules/ecs/main.tf:107-164
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_341: "Ensure Launch template should not have a metadata response hop limit greater than 1"
	FAILED for resource: module.apex-ecs.aws_launch_template.ec2-launch-template
	File: /modules/ecs/main.tf:107-164
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-341

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: module.apex-ecs.aws_iam_policy.ec2_instance_policy
	File: /modules/ecs/main.tf:204-237
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		204 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		205 |   name = "${var.app_name}-ec2-instance-policy"
		206 |   tags = merge(
		207 |     var.tags_common,
		208 |     {
		209 |       Name = "${var.app_name}-ec2-instance-policy"
		210 |     }
		211 |   )
		212 |   policy = <<EOF
		213 | {
		214 |     "Version": "2012-10-17",
		215 |     "Statement": [
		216 |         {
		217 |             "Action": [
		218 |                 "ecs:CreateCluster",
		219 |                 "ecs:DeregisterContainerInstance",
		220 |                 "ecs:DiscoverPollEndpoint",
		221 |                 "ecs:Poll",
		222 |                 "ecs:RegisterContainerInstance",
		223 |                 "ecs:StartTelemetrySession",
		224 |                 "ecs:Submit*",
		225 |                 "logs:CreateLogGroup",
		226 |                 "logs:CreateLogStream",
		227 |                 "logs:PutLogEvents",
		228 |                 "logs:DescribeLogStreams",
		229 |                 "ecr:*"
		230 |             ],
		231 |             "Resource": "*",
		232 |             "Effect": "Allow"
		233 |         }
		234 |     ]
		235 | }
		236 | EOF
		237 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.apex-ecs.aws_iam_policy.ec2_instance_policy
	File: /modules/ecs/main.tf:204-237
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		204 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		205 |   name = "${var.app_name}-ec2-instance-policy"
		206 |   tags = merge(
		207 |     var.tags_common,
		208 |     {
		209 |       Name = "${var.app_name}-ec2-instance-policy"
		210 |     }
		211 |   )
		212 |   policy = <<EOF
		213 | {
		214 |     "Version": "2012-10-17",
		215 |     "Statement": [
		216 |         {
		217 |             "Action": [
		218 |                 "ecs:CreateCluster",
		219 |                 "ecs:DeregisterContainerInstance",
		220 |                 "ecs:DiscoverPollEndpoint",
		221 |                 "ecs:Poll",
		222 |                 "ecs:RegisterContainerInstance",
		223 |                 "ecs:StartTelemetrySession",
		224 |                 "ecs:Submit*",
		225 |                 "logs:CreateLogGroup",
		226 |                 "logs:CreateLogStream",
		227 |                 "logs:PutLogEvents",
		228 |                 "logs:DescribeLogStreams",
		229 |                 "ecr:*"
		230 |             ],
		231 |             "Resource": "*",
		232 |             "Effect": "Allow"
		233 |         }
		234 |     ]
		235 | }
		236 | EOF
		237 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: module.apex-ecs.aws_iam_policy.ec2_instance_policy
	File: /modules/ecs/main.tf:204-237
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		204 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		205 |   name = "${var.app_name}-ec2-instance-policy"
		206 |   tags = merge(
		207 |     var.tags_common,
		208 |     {
		209 |       Name = "${var.app_name}-ec2-instance-policy"
		210 |     }
		211 |   )
		212 |   policy = <<EOF
		213 | {
		214 |     "Version": "2012-10-17",
		215 |     "Statement": [
		216 |         {
		217 |             "Action": [
		218 |                 "ecs:CreateCluster",
		219 |                 "ecs:DeregisterContainerInstance",
		220 |                 "ecs:DiscoverPollEndpoint",
		221 |                 "ecs:Poll",
		222 |                 "ecs:RegisterContainerInstance",
		223 |                 "ecs:StartTelemetrySession",
		224 |                 "ecs:Submit*",
		225 |                 "logs:CreateLogGroup",
		226 |                 "logs:CreateLogStream",
		227 |                 "logs:PutLogEvents",
		228 |                 "logs:DescribeLogStreams",
		229 |                 "ecr:*"
		230 |             ],
		231 |             "Resource": "*",
		232 |             "Effect": "Allow"
		233 |         }
		234 |     ]
		235 | }
		236 | EOF
		237 | }

Check: CKV_AWS_249: "Ensure that the Execution Role ARN and the Task Role ARN are different in ECS Task definitions"
	FAILED for resource: module.apex-ecs.aws_ecs_task_definition.windows_ecs_task_definition
	File: /modules/ecs/main.tf:266-287
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-the-aws-execution-role-arn-and-task-role-arn-are-different-in-ecs-task-definitions

		266 | resource "aws_ecs_task_definition" "windows_ecs_task_definition" {
		267 |   family             = "${var.app_name}-task-definition"
		268 |   count              = var.container_instance_type == "windows" ? 1 : 0
		269 |   execution_role_arn = aws_iam_role.ecs_task_execution_role.arn # grants the Amazon ECS container agents permission to make AWS API calls on your behalf
		270 |   task_role_arn      = aws_iam_role.ecs_task_execution_role.arn # assumed by the containers running in the task, allowing your application code (on the container) to use other AWS services
		271 |   requires_compatibilities = [
		272 |     "EC2",
		273 |   ]
		274 | 
		275 |   # volume {
		276 |   #   name = var.task_definition_volume
		277 |   # }
		278 | 
		279 |   container_definitions = var.task_definition
		280 | 
		281 |   tags = merge(
		282 |     var.tags_common,
		283 |     {
		284 |       Name = "${var.app_name}-windows-task-definition"
		285 |     }
		286 |   )
		287 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.apex-ecs.aws_iam_policy.ecs_service
	File: /modules/ecs/main.tf:439-467
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		439 | resource "aws_iam_policy" "ecs_service" { #tfsec:ignore:aws-iam-no-policy-wildcards
		440 |   name = "${var.app_name}-ecs-service-policy"
		441 |   tags = merge(
		442 |     var.tags_common,
		443 |     {
		444 |       Name = "${var.app_name}-ecs-service-policy"
		445 |     }
		446 |   )
		447 |   policy = <<EOF
		448 | {
		449 |   "Version": "2012-10-17",
		450 |   "Statement": [
		451 |     {
		452 |       "Effect": "Allow",
		453 |       "Action": [
		454 |         "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
		455 |         "elasticloadbalancing:DeregisterTargets",
		456 |         "elasticloadbalancing:Describe*",
		457 |         "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
		458 |         "elasticloadbalancing:RegisterTargets",
		459 |         "ec2:Describe*",
		460 |         "ec2:AuthorizeSecurityGroupIngress"
		461 |       ],
		462 |       "Resource": ["*"]
		463 |     }
		464 |   ]
		465 | }
		466 | EOF
		467 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: module.apex-ecs.aws_iam_policy.ecs_service
	File: /modules/ecs/main.tf:439-467
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		439 | resource "aws_iam_policy" "ecs_service" { #tfsec:ignore:aws-iam-no-policy-wildcards
		440 |   name = "${var.app_name}-ecs-service-policy"
		441 |   tags = merge(
		442 |     var.tags_common,
		443 |     {
		444 |       Name = "${var.app_name}-ecs-service-policy"
		445 |     }
		446 |   )
		447 |   policy = <<EOF
		448 | {
		449 |   "Version": "2012-10-17",
		450 |   "Statement": [
		451 |     {
		452 |       "Effect": "Allow",
		453 |       "Action": [
		454 |         "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
		455 |         "elasticloadbalancing:DeregisterTargets",
		456 |         "elasticloadbalancing:Describe*",
		457 |         "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
		458 |         "elasticloadbalancing:RegisterTargets",
		459 |         "ec2:Describe*",
		460 |         "ec2:AuthorizeSecurityGroupIngress"
		461 |       ],
		462 |       "Resource": ["*"]
		463 |     }
		464 |   ]
		465 | }
		466 | EOF
		467 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: module.apex-ecs.aws_cloudwatch_log_group.cloudwatch_group
	File: /modules/ecs/main.tf:488-499
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		488 | resource "aws_cloudwatch_log_group" "cloudwatch_group" {
		489 |   #checkov:skip=CKV_AWS_158:Temporarily skip KMS encryption check while logging solution is being updated
		490 |   name              = "${var.app_name}-ecs-container-logs"
		491 |   retention_in_days = 90
		492 |   kms_key_id        = var.log_group_kms_key
		493 |   tags = merge(
		494 |     var.tags_common,
		495 |     {
		496 |       Name = "${var.app_name}-ecs-container-logs"
		497 |     }
		498 |   )
		499 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: module.apex-ecs.aws_cloudwatch_log_group.ec2
	File: /modules/ecs/main.tf:506-516
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		506 | resource "aws_cloudwatch_log_group" "ec2" {
		507 |   name              = "${var.app_name}-ecs-ec2-logs"
		508 |   retention_in_days = 90
		509 |   kms_key_id        = var.log_group_kms_key
		510 |   tags = merge(
		511 |     var.tags_common,
		512 |     {
		513 |       Name = "${var.app_name}-ecs-ec2-logs"
		514 |     }
		515 |   )
		516 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy.backuplambdapolicy
	File: /modules/lambdapolicy/main.tf:21-58
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		22 |   name   = var.backup_policy_name
		23 |   tags   = var.tags
		24 |   policy = <<EOF
		25 | {
		26 |     "Version" : "2012-10-17",
		27 |     "Statement": [
		28 |         {
		29 |             "Action": [
		30 |                 "lambda:InvokeFunction",
		31 |                 "ec2:CreateNetworkInterface",
		32 |                 "ec2:DescribeNetworkInterfaces",
		33 |                 "ec2:DeleteNetworkInterface",
		34 |                 "ec2:DescribeSecurityGroups",
		35 |                 "ec2:CreateSnapshot",
		36 |                 "ec2:DeleteSnapshot",
		37 |                 "ec2:DescribeSubnets",
		38 |                 "ec2:DescribeVpcs",
		39 |                 "ec2:DescribeInstances",
		40 |                 "ec2:DescribeAddresses",
		41 |                 "ec2:DescribeInstanceStatus",
		42 |                 "ec2:DescribeVolumes",
		43 |                 "ec2:DescribeSnapshots",
		44 |                 "ec2:CreateTags",
		45 |                 "s3:*",
		46 |                 "ssm:*",
		47 |                 "ses:*",
		48 |                 "logs:*",
		49 |                 "cloudwatch:*",
		50 |                 "sts:AssumeRole"
		51 |             ],
		52 |             "Resource": "*",
		53 |             "Effect": "Allow"
		54 |         }
		55 |     ]
		56 | }
		57 | EOF
		58 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.backuplambdapolicy
	File: /modules/lambdapolicy/main.tf:21-58
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		22 |   name   = var.backup_policy_name
		23 |   tags   = var.tags
		24 |   policy = <<EOF
		25 | {
		26 |     "Version" : "2012-10-17",
		27 |     "Statement": [
		28 |         {
		29 |             "Action": [
		30 |                 "lambda:InvokeFunction",
		31 |                 "ec2:CreateNetworkInterface",
		32 |                 "ec2:DescribeNetworkInterfaces",
		33 |                 "ec2:DeleteNetworkInterface",
		34 |                 "ec2:DescribeSecurityGroups",
		35 |                 "ec2:CreateSnapshot",
		36 |                 "ec2:DeleteSnapshot",
		37 |                 "ec2:DescribeSubnets",
		38 |                 "ec2:DescribeVpcs",
		39 |                 "ec2:DescribeInstances",
		40 |                 "ec2:DescribeAddresses",
		41 |                 "ec2:DescribeInstanceStatus",
		42 |                 "ec2:DescribeVolumes",
		43 |                 "ec2:DescribeSnapshots",
		44 |                 "ec2:CreateTags",
		45 |                 "s3:*",
		46 |                 "ssm:*",
		47 |                 "ses:*",
		48 |                 "logs:*",
		49 |                 "cloudwatch:*",
		50 |                 "sts:AssumeRole"
		51 |             ],
		52 |             "Resource": "*",
		53 |             "Effect": "Allow"
		54 |         }
		55 |     ]
		56 | }
		57 | EOF
		58 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.backuplambdapolicy
	File: /modules/lambdapolicy/main.tf:21-58
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		22 |   name   = var.backup_policy_name
		23 |   tags   = var.tags
		24 |   policy = <<EOF
		25 | {
		26 |     "Version" : "2012-10-17",
		27 |     "Statement": [
		28 |         {
		29 |             "Action": [
		30 |                 "lambda:InvokeFunction",
		31 |                 "ec2:CreateNetworkInterface",
		32 |                 "ec2:DescribeNetworkInterfaces",
		33 |                 "ec2:DeleteNetworkInterface",
		34 |                 "ec2:DescribeSecurityGroups",
		35 |                 "ec2:CreateSnapshot",
		36 |                 "ec2:DeleteSnapshot",
		37 |                 "ec2:DescribeSubnets",
		38 |                 "ec2:DescribeVpcs",
		39 |                 "ec2:DescribeInstances",
		40 |                 "ec2:DescribeAddresses",
		41 |                 "ec2:DescribeInstanceStatus",
		42 |                 "ec2:DescribeVolumes",
		43 |                 "ec2:DescribeSnapshots",
		44 |                 "ec2:CreateTags",
		45 |                 "s3:*",
		46 |                 "ssm:*",
		47 |                 "ses:*",
		48 |                 "logs:*",
		49 |                 "cloudwatch:*",
		50 |                 "sts:AssumeRole"
		51 |             ],
		52 |             "Resource": "*",
		53 |             "Effect": "Allow"
		54 |         }
		55 |     ]
		56 | }
		57 | EOF
		58 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_policy.backuplambdapolicy
	File: /modules/lambdapolicy/main.tf:21-58
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		22 |   name   = var.backup_policy_name
		23 |   tags   = var.tags
		24 |   policy = <<EOF
		25 | {
		26 |     "Version" : "2012-10-17",
		27 |     "Statement": [
		28 |         {
		29 |             "Action": [
		30 |                 "lambda:InvokeFunction",
		31 |                 "ec2:CreateNetworkInterface",
		32 |                 "ec2:DescribeNetworkInterfaces",
		33 |                 "ec2:DeleteNetworkInterface",
		34 |                 "ec2:DescribeSecurityGroups",
		35 |                 "ec2:CreateSnapshot",
		36 |                 "ec2:DeleteSnapshot",
		37 |                 "ec2:DescribeSubnets",
		38 |                 "ec2:DescribeVpcs",
		39 |                 "ec2:DescribeInstances",
		40 |                 "ec2:DescribeAddresses",
		41 |                 "ec2:DescribeInstanceStatus",
		42 |                 "ec2:DescribeVolumes",
		43 |                 "ec2:DescribeSnapshots",
		44 |                 "ec2:CreateTags",
		45 |                 "s3:*",
		46 |                 "ssm:*",
		47 |                 "ses:*",
		48 |                 "logs:*",
		49 |                 "cloudwatch:*",
		50 |                 "sts:AssumeRole"
		51 |             ],
		52 |             "Resource": "*",
		53 |             "Effect": "Allow"
		54 |         }
		55 |     ]
		56 | }
		57 | EOF
		58 | }

Check: CKV_AWS_287: "Ensure IAM policies does not allow credentials exposure"
	FAILED for resource: aws_iam_policy.backuplambdapolicy
	File: /modules/lambdapolicy/main.tf:21-58
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-287

		21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		22 |   name   = var.backup_policy_name
		23 |   tags   = var.tags
		24 |   policy = <<EOF
		25 | {
		26 |     "Version" : "2012-10-17",
		27 |     "Statement": [
		28 |         {
		29 |             "Action": [
		30 |                 "lambda:InvokeFunction",
		31 |                 "ec2:CreateNetworkInterface",
		32 |                 "ec2:DescribeNetworkInterfaces",
		33 |                 "ec2:DeleteNetworkInterface",
		34 |                 "ec2:DescribeSecurityGroups",
		35 |                 "ec2:CreateSnapshot",
		36 |                 "ec2:DeleteSnapshot",
		37 |                 "ec2:DescribeSubnets",
		38 |                 "ec2:DescribeVpcs",
		39 |                 "ec2:DescribeInstances",
		40 |                 "ec2:DescribeAddresses",
		41 |                 "ec2:DescribeInstanceStatus",
		42 |                 "ec2:DescribeVolumes",
		43 |                 "ec2:DescribeSnapshots",
		44 |                 "ec2:CreateTags",
		45 |                 "s3:*",
		46 |                 "ssm:*",
		47 |                 "ses:*",
		48 |                 "logs:*",
		49 |                 "cloudwatch:*",
		50 |                 "sts:AssumeRole"
		51 |             ],
		52 |             "Resource": "*",
		53 |             "Effect": "Allow"
		54 |         }
		55 |     ]
		56 | }
		57 | EOF
		58 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.apex
	File: /sns.tf:6-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		6  | resource "aws_sns_topic" "apex" {
		7  |   name = "${local.application_name}-${local.environment}-alerting-topic"
		8  |   tags = merge(
		9  |     local.tags,
		10 |     {
		11 |       Name = "${local.application_name}-${local.environment}-alerting-topic"
		12 |     }
		13 |   )
		14 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: pagerduty_core_alerts
	File: /sns.tf:34-41
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		34 | module "pagerduty_core_alerts" {
		35 |   depends_on = [
		36 |     aws_sns_topic.apex
		37 |   ]
		38 |   source                    = "github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0"
		39 |   sns_topics                = [aws_sns_topic.apex.name]
		40 |   pagerduty_integration_key = local.pagerduty_integration_keys[local.pagerduty_integration_key_name]
		41 | }
Check: CKV_AWS_176: "Ensure Logging is enabled for WAF Web Access Control Lists"
	FAILED for resource: aws_waf_web_acl.waf_acl
	File: /waf.tf:57-87
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-31

		57 | resource "aws_waf_web_acl" "waf_acl" {
		58 |   depends_on = [
		59 |     aws_waf_rule.wafmanualallowrule,
		60 |     aws_waf_rule.wafmanualblockrule,
		61 |   ]
		62 |   name        = "${upper(local.application_name)} Whitelisting Requesters"
		63 |   metric_name = "${upper(local.application_name)}WhitelistingRequesters"
		64 |   #   scope    = "CLOUDFRONT"
		65 |   #   provider = aws.us-east-1
		66 |   default_action {
		67 |     type = "BLOCK"
		68 |   }
		69 | 
		70 |   rules {
		71 |     action {
		72 |       type = "ALLOW"
		73 |     }
		74 |     priority = 1
		75 |     rule_id  = aws_waf_rule.wafmanualallowrule.id
		76 |     type     = "REGULAR"
		77 |   }
		78 | 
		79 |   rules {
		80 |     action {
		81 |       type = "BLOCK"
		82 |     }
		83 |     priority = 2
		84 |     rule_id  = aws_waf_rule.wafmanualblockrule.id
		85 |     type     = "REGULAR"
		86 |   }
		87 | }

Check: CKV2_AWS_47: "Ensure AWS CloudFront attached WAFv2 WebACL is configured with AMR for Log4j Vulnerability"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:177-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-47

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: module.alb.aws_secretsmanager_secret.cloudfront
	File: /modules/alb/main.tf:275-278
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		275 | resource "aws_secretsmanager_secret" "cloudfront" {
		276 |   name        = "cloudfront-v1-secret-${var.application_name}"
		277 |   description = "Simple secret created by AWS CloudFormation to be shared between ALB and CloudFront"
		278 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.cloudfront
	File: /cloudfront.tf:109-122
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		109 | resource "aws_s3_bucket" "cloudfront" {
		110 |   bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		111 |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		112 |   tags = merge(
		113 |     local.tags,
		114 |     {
		115 |       Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		116 |     }
		117 |   )
		118 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		119 |   lifecycle {
		120 |     prevent_destroy = false
		121 |   }
		122 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:101-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		101 | resource "aws_s3_bucket" "backup_lambda" {
		102 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		103 |   tags = merge(
		104 |     local.tags,
		105 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		106 |   )
		107 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
	File: /modules/codebuild/main.tf:5-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		5  | resource "aws_s3_bucket" "deployment_report" {
		6  |   bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		7  |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		8  |   tags = merge(
		9  |     var.tags,
		10 |     {
		11 |       Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		12 |     },
		13 |   )
		14 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.laa-lambda-backup
	File: /modules/s3/main.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		1 | resource "aws_s3_bucket" "laa-lambda-backup" {
		2 |   bucket = var.bucket_name
		3 |   tags   = var.tags
		4 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.cloudfront
	File: /cloudfront.tf:109-122
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		109 | resource "aws_s3_bucket" "cloudfront" {
		110 |   bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		111 |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		112 |   tags = merge(
		113 |     local.tags,
		114 |     {
		115 |       Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		116 |     }
		117 |   )
		118 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		119 |   lifecycle {
		120 |     prevent_destroy = false
		121 |   }
		122 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:101-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		101 | resource "aws_s3_bucket" "backup_lambda" {
		102 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		103 |   tags = merge(
		104 |     local.tags,
		105 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		106 |   )
		107 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
	File: /modules/codebuild/main.tf:5-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		5  | resource "aws_s3_bucket" "deployment_report" {
		6  |   bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		7  |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		8  |   tags = merge(
		9  |     var.tags,
		10 |     {
		11 |       Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		12 |     },
		13 |   )
		14 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.laa-lambda-backup
	File: /modules/s3/main.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		1 | resource "aws_s3_bucket" "laa-lambda-backup" {
		2 |   bucket = var.bucket_name
		3 |   tags   = var.tags
		4 | }

Check: CKV2_AWS_32: "Ensure CloudFront distribution has a response headers policy attached"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:177-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/bc-aws-networking-65

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AWS_18: "Ensure that Elastic File System (Amazon EFS) file systems are added in the backup plans of AWS Backup"
	FAILED for resource: aws_efs_file_system.efs
	File: /efs.tf:41-55
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-elastic-file-system-amazon-efs-file-systems-are-added-in-the-backup-plans-of-aws-backup

		41 | resource "aws_efs_file_system" "efs" {
		42 |   encrypted        = true
		43 |   kms_key_id       = aws_kms_key.efs.arn
		44 |   performance_mode = "maxIO"
		45 |   throughput_mode  = "bursting"
		46 | 
		47 |   tags = merge(
		48 |     local.tags,
		49 |     { "Name" = "mp-${local.application_name}-efs" }
		50 |   )
		51 | 
		52 |   lifecycle_policy {
		53 |     transition_to_ia = "AFTER_90_DAYS"
		54 |   }
		55 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.cloudfront
	File: /cloudfront.tf:109-122
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		109 | resource "aws_s3_bucket" "cloudfront" {
		110 |   bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		111 |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		112 |   tags = merge(
		113 |     local.tags,
		114 |     {
		115 |       Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		116 |     }
		117 |   )
		118 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		119 |   lifecycle {
		120 |     prevent_destroy = false
		121 |   }
		122 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:101-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		101 | resource "aws_s3_bucket" "backup_lambda" {
		102 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		103 |   tags = merge(
		104 |     local.tags,
		105 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		106 |   )
		107 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
	File: /modules/codebuild/main.tf:5-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		5  | resource "aws_s3_bucket" "deployment_report" {
		6  |   bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		7  |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		8  |   tags = merge(
		9  |     var.tags,
		10 |     {
		11 |       Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		12 |     },
		13 |   )
		14 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.laa-lambda-backup
	File: /modules/s3/main.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		1 | resource "aws_s3_bucket" "laa-lambda-backup" {
		2 |   bucket = var.bucket_name
		3 |   tags   = var.tags
		4 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.u01-orahome
	File: /ec2.tf:169-184
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		169 | resource "aws_ebs_volume" "u01-orahome" {
		170 |   availability_zone = "eu-west-2a"
		171 |   size              = local.application_data.accounts[local.environment].u01_orahome_size
		172 |   type              = "gp3"
		173 |   encrypted         = true
		174 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		175 |   snapshot_id       = local.application_data.accounts[local.environment].u01_orahome_snapshot
		176 |   lifecycle {
		177 |     ignore_changes = [kms_key_id]
		178 |   }
		179 |   tags = merge(
		180 |     local.tags,
		181 |     { "Name" = "${local.application_name}db-ec2-u01-orahome" },
		182 |     { "backup" = "false" }
		183 |   )
		184 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.u02-oradata
	File: /ec2.tf:191-206
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		191 | resource "aws_ebs_volume" "u02-oradata" {
		192 |   availability_zone = "eu-west-2a"
		193 |   size              = local.application_data.accounts[local.environment].u02_oradata_size
		194 |   type              = "gp3"
		195 |   encrypted         = true
		196 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		197 |   snapshot_id       = local.application_data.accounts[local.environment].u02_oradata_snapshot
		198 |   lifecycle {
		199 |     ignore_changes = [kms_key_id]
		200 |   }
		201 |   tags = merge(
		202 |     local.tags,
		203 |     { "Name" = "${local.application_name}db-ec2-u02-oradata" },
		204 |     { "backup" = "false" }
		205 |   )
		206 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.u03-redo
	File: /ec2.tf:216-231
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		216 | resource "aws_ebs_volume" "u03-redo" {
		217 |   availability_zone = "eu-west-2a"
		218 |   size              = local.application_data.accounts[local.environment].u03_redo_size
		219 |   type              = "gp3"
		220 |   encrypted         = true
		221 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		222 |   snapshot_id       = local.application_data.accounts[local.environment].u03_redo_snapshot
		223 |   lifecycle {
		224 |     ignore_changes = [kms_key_id]
		225 |   }
		226 |   tags = merge(
		227 |     local.tags,
		228 |     { "Name" = "${local.application_name}db-ec2-u03-redo" },
		229 |     { "backup" = "false" }
		230 |   )
		231 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.u04-arch
	File: /ec2.tf:238-253
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		238 | resource "aws_ebs_volume" "u04-arch" {
		239 |   availability_zone = "eu-west-2a"
		240 |   size              = local.application_data.accounts[local.environment].u04_arch_size
		241 |   type              = "gp3"
		242 |   encrypted         = true
		243 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		244 |   snapshot_id       = local.application_data.accounts[local.environment].u04_arch_snapshot
		245 |   lifecycle {
		246 |     ignore_changes = [kms_key_id]
		247 |   }
		248 |   tags = merge(
		249 |     local.tags,
		250 |     { "Name" = "${local.application_name}db-ec2-u04-arch" },
		251 |     { "backup" = "false" }
		252 |   )
		253 | }

Check: CKV2_AWS_65: "Ensure access control lists for S3 buckets are disabled"
	FAILED for resource: aws_s3_bucket_ownership_controls.backup_lambda
	File: /lambda.tf:124-129
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-112

		124 | resource "aws_s3_bucket_ownership_controls" "backup_lambda" {
		125 |   bucket = aws_s3_bucket.backup_lambda.id
		126 |   rule {
		127 |     object_ownership = "ObjectWriter"
		128 |   }
		129 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.cloudfront
	File: /cloudfront.tf:109-122
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		109 | resource "aws_s3_bucket" "cloudfront" {
		110 |   bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		111 |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		112 |   tags = merge(
		113 |     local.tags,
		114 |     {
		115 |       Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		116 |     }
		117 |   )
		118 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		119 |   lifecycle {
		120 |     prevent_destroy = false
		121 |   }
		122 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
	File: /modules/codebuild/main.tf:5-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		5  | resource "aws_s3_bucket" "deployment_report" {
		6  |   bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		7  |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		8  |   tags = merge(
		9  |     var.tags,
		10 |     {
		11 |       Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		12 |     },
		13 |   )
		14 | }

Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.cloudfront
	File: /cloudfront.tf:109-122
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		109 | resource "aws_s3_bucket" "cloudfront" {
		110 |   bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		111 |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		112 |   tags = merge(
		113 |     local.tags,
		114 |     {
		115 |       Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		116 |     }
		117 |   )
		118 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		119 |   lifecycle {
		120 |     prevent_destroy = false
		121 |   }
		122 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:101-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		101 | resource "aws_s3_bucket" "backup_lambda" {
		102 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		103 |   tags = merge(
		104 |     local.tags,
		105 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		106 |   )
		107 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
	File: /modules/codebuild/main.tf:5-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		5  | resource "aws_s3_bucket" "deployment_report" {
		6  |   bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		7  |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		8  |   tags = merge(
		9  |     var.tags,
		10 |     {
		11 |       Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		12 |     },
		13 |   )
		14 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.laa-lambda-backup
	File: /modules/s3/main.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		1 | resource "aws_s3_bucket" "laa-lambda-backup" {
		2 |   bucket = var.bucket_name
		3 |   tags   = var.tags
		4 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:101-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		101 | resource "aws_s3_bucket" "backup_lambda" {
		102 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		103 |   tags = merge(
		104 |     local.tags,
		105 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		106 |   )
		107 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.laa-lambda-backup
	File: /modules/s3/main.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		1 | resource "aws_s3_bucket" "laa-lambda-backup" {
		2 |   bucket = var.bucket_name
		3 |   tags   = var.tags
		4 | }

Check: CKV2_AWS_46: "Ensure AWS CloudFront Distribution with S3 have Origin Access set to enabled"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:177-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-aws-cloudfromt-distribution-with-s3-have-origin-access-set-to-enabled

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
terraform_plan scan results:

Passed checks: 0, Failed checks: 0, Skipped checks: 0, Parsing errors: 1


checkov_exitcode=1

TFLint Scan Failed

*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/apex

*****************************

Running tflint in terraform/environments/apex
Excluding the following checks: terraform_unused_declarations
7 issue(s) found:

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/apex/alb.tf line 17:
  17:     "${local.application_data.accounts[local.environment].acm_cert_domain_name}" = {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/apex/alb.tf line 19:
  19:       zone_name = "${local.application_data.accounts[local.environment].acm_cert_domain_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "template" in `required_providers` (terraform_required_providers)

  on terraform/environments/apex/cloudwatch.tf line 401:
 401: data "template_file" "dashboard" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "local" in `required_providers` (terraform_required_providers)

  on terraform/environments/apex/ec2.tf line 42:
  42: data "local_file" "cloudwatch_agent" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/apex/event_triggers.tf line 22:
  22:   input = jsonencode({ "appname" : "${local.database_ec2_name}" })

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "time" in `required_providers` (terraform_required_providers)

  on terraform/environments/apex/lambda.tf line 119:
 119: resource "time_sleep" "wait_for_provision_files" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "archive" in `required_providers` (terraform_required_providers)

  on terraform/environments/apex/lambda.tf line 173:
 173: data "archive_file" "connect_db" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

tflint_exitcode=2

Trivy Scan Failed

*****************************

Trivy will check the following folders:
terraform/environments/apex

*****************************

Running Trivy in terraform/environments/apex
2024-11-28T13:09:06Z	INFO	[vulndb] Need to update DB
2024-11-28T13:09:06Z	INFO	[vulndb] Downloading vulnerability DB...
2024-11-28T13:09:06Z	INFO	[vulndb] Downloading artifact...	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-11-28T13:09:08Z	INFO	[vulndb] Artifact successfully downloaded	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-11-28T13:09:08Z	INFO	[vuln] Vulnerability scanning is enabled
2024-11-28T13:09:08Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-11-28T13:09:08Z	INFO	[misconfig] Need to update the built-in checks
2024-11-28T13:09:08Z	INFO	[misconfig] Downloading the built-in checks...
160.25 KiB / 160.25 KiB [---------------------------------------------------------] 100.00% ? p/s 0s
2024-11-28T13:09:08Z	INFO	[secret] Secret scanning is enabled
2024-11-28T13:09:08Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-11-28T13:09:08Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-11-28T13:09:09Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-11-28T13:09:09Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2024-11-28T13:09:09Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="aws_waf_ipset.wafmanualallowset" err="1 error occurred:\n\t* invalid for-each in aws_waf_ipset.wafmanualallowset.dynamic.ip_set_descriptors block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-28T13:09:09Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="aws_waf_ipset.wafmanualallowset" err="1 error occurred:\n\t* invalid for-each in aws_waf_ipset.wafmanualallowset.dynamic.ip_set_descriptors block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-28T13:09:10Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.aws_route53_record.external_lb_validation_core_network_services" value="cty.NilVal"
2024-11-28T13:09:10Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.aws_route53_record.external_lb_validation_core_vpc" value="cty.NilVal"
2024-11-28T13:09:10Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.aws_route53_record.external_lb_validation_self" value="cty.NilVal"
2024-11-28T13:09:10Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.data.aws_route53_zone.core_network_services" value="cty.NilVal"
2024-11-28T13:09:10Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.data.aws_route53_zone.core_vpc" value="cty.NilVal"
2024-11-28T13:09:10Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.data.aws_route53_zone.self" value="cty.NilVal"
2024-11-28T13:09:10Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.apex-ecs.aws_autoscaling_group.cluster-scaling-group" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.cluster-scaling-group.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-28T13:09:10Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.apex-ecs.aws_autoscaling_group.cluster-scaling-group" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.cluster-scaling-group.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-28T13:09:10Z	INFO	[terraform scanner] Scanning root module	file_path="modules/lambdapolicy"
2024-11-28T13:09:10Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="tags"
2024-11-28T13:09:10Z	INFO	[terraform scanner] Scanning root module	file_path="modules/s3"
2024-11-28T13:09:10Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="tags"
2024-11-28T13:09:11Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0/main.tf:171-179"
2024-11-28T13:09:11Z	INFO	[terraform executor] Ignore finding	rule="aws-elb-alb-not-public" range="modules/alb/main.tf:214"
2024-11-28T13:09:12Z	INFO	Number of language-specific files	num=0
2024-11-28T13:09:12Z	INFO	Detected config files	num=12

cloudfront.tf (terraform)
=========================
Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0013 (HIGH): Distribution allows unencrypted communications.
════════════════════════════════════════
You should not use outdated/insecure TLS versions for encryption. You should be using TLS v1.2+.
Note: that setting *minimum_protocol_version = "TLSv1.2_2021"* is only possible when *cloudfront_default_certificate* is false (eg. you are not using the cloudfront.net domain name).
If *cloudfront_default_certificate* is true then the Cloudfront API will only allow setting *minimum_protocol_version = "TLSv1"*, and setting it to any other value will result in a perpetual diff in your *terraform plan*'s.
The only option when using the cloudfront.net domain name is to ignore this rule.


See https://avd.aquasec.com/misconfig/avd-aws-0013
────────────────────────────────────────
 cloudfront.tf:244
   via cloudfront.tf:241-245 (viewer_certificate)
    via cloudfront.tf:177-267 (aws_cloudfront_distribution.external)
────────────────────────────────────────
 177   resource "aws_cloudfront_distribution" "external" {
 ...   
 244 [     minimum_protocol_version = "TLSv1.2_2018"
 ...   
 267   }
────────────────────────────────────────


AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.


See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 cloudfront.tf:131-142
────────────────────────────────────────
 131 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "cloudfront" {
 132 │   bucket = aws_s3_bucket.cloudfront.id
 133 │   rule {
 134 │     apply_server_side_encryption_by_default {
 135 │       sse_algorithm = "AES256"
 136 │     }
 137 │   }
 138 │   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
 139 └   lifecycle {
 ...   
────────────────────────────────────────



ec2.tf (terraform)
==================
Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 ec2.tf:6-40
────────────────────────────────────────
   6 ┌ resource "aws_instance" "apex_db_instance" {
   7 │   ami                         = local.application_data.accounts[local.environment].ec2amiid
   8 │   associate_public_ip_address = false
   9 │   availability_zone           = "eu-west-2a"
  10 │   ebs_optimized               = true
  11 │   instance_type               = local.application_data.accounts[local.environment].ec2instancetype
  12 │   vpc_security_group_ids      = [aws_security_group.database.id]
  13 │   monitoring                  = true
  14 └   subnet_id                   = data.aws_subnet.data_subnets_a.id
  ..   
────────────────────────────────────────



lambda.tf (terraform)
=====================
Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0088 (HIGH): Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.


See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
 lambda.tf:101-107
────────────────────────────────────────
 101 ┌ resource "aws_s3_bucket" "backup_lambda" {
 102 │   bucket = "${local.application_name}-${local.environment}-backup-lambda"
 103 │   tags = merge(
 104 │     local.tags,
 105 │     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
 106 │   )
 107 └ }
────────────────────────────────────────


AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.


See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 lambda.tf:101-107
────────────────────────────────────────
 101 ┌ resource "aws_s3_bucket" "backup_lambda" {
 102 │   bucket = "${local.application_name}-${local.environment}-backup-lambda"
 103 │   tags = merge(
 104 │     local.tags,
 105 │     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
 106 │   )
 107 └ }
────────────────────────────────────────



modules/ecs/main.tf (terraform)
===============================
Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0130 (HIGH): Launch template does not require IMDS access to require a token
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.


See https://avd.aquasec.com/misconfig/aws-autoscaling-enforce-http-token-imds
────────────────────────────────────────
 modules/ecs/main.tf:121
   via modules/ecs/main.tf:119-123 (metadata_options)
    via modules/ecs/main.tf:107-164 (aws_launch_template.ec2-launch-template)
     via ecs.tf:5-38 (module.apex-ecs)
────────────────────────────────────────
 107   resource "aws_launch_template" "ec2-launch-template" {
 ...   
 121 [     http_tokens                 = "optional"
 ...   
 164   }
────────────────────────────────────────



modules/s3/main.tf (terraform)
==============================
Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0088 (HIGH): Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.


See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
 modules/s3/main.tf:1-4
────────────────────────────────────────
   1 ┌ resource "aws_s3_bucket" "laa-lambda-backup" {
   2 │   bucket = var.bucket_name
   3 │   tags   = var.tags
   4 └ }
────────────────────────────────────────


AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.


See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 modules/s3/main.tf:1-4
────────────────────────────────────────
   1 ┌ resource "aws_s3_bucket" "laa-lambda-backup" {
   2 │   bucket = var.bucket_name
   3 │   tags   = var.tags
   4 └ }
────────────────────────────────────────


trivy_exitcode=1
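
The two bucket findings and the IMDS finding above repeat for every bucket and launch template the scanner sees in this PR, so here is the shape that passes. This is an added example, not code from PR #8866 or from the modernisation-platform repository: it reuses the PR's `local.application_name`, `local.environment`, `local.tags` and the bucket name from `lambda.tf`; the KMS key, the public-access block and the launch template's `name_prefix` are assumptions of the example. The same `aws_s3_bucket_server_side_encryption_configuration` attached to `aws_s3_bucket.laa-lambda-backup` (with `var.bucket_name`) clears the copy of the finding in `modules/s3/main.tf`.

```hcl
# Added example, not code from PR #8866 or the modernisation-platform repo.
# Hardened form of the two resource shapes Trivy flagged above:
#   - aws_s3_bucket with no declared encryption and no CMK (AVD-AWS-0088/0132)
#   - aws_launch_template that leaves IMDSv1 enabled        (AVD-AWS-0130)
# local.application_name, local.environment and local.tags are assumed to
# exist as in the PR; the KMS key, public-access block and name_prefix are
# assumptions of this example.

# A customer-managed key is what AVD-AWS-0132 asks for: the account owns the
# key policy and the rotation schedule instead of the AWS-owned S3 key.
resource "aws_kms_key" "backup_lambda" {
  description         = "CMK for the ${local.application_name} backup-lambda bucket"
  enable_key_rotation = true
  tags                = local.tags
}

resource "aws_s3_bucket" "backup_lambda" {
  bucket = "${local.application_name}-${local.environment}-backup-lambda"
  tags = merge(
    local.tags,
    { Name = "${local.application_name}-${local.environment}-backup-lambda" }
  )
}

# Provider v4+ keeps encryption in its own resource. S3 applies SSE-S3 to new
# buckets by itself, but the scanner only sees what is declared, and SSE-S3
# (AES256) still fails the CMK check, as the cloudfront bucket further down
# the thread shows.
resource "aws_s3_bucket_server_side_encryption_configuration" "backup_lambda" {
  bucket = aws_s3_bucket.backup_lambda.id

  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"
      kms_master_key_id = aws_kms_key.backup_lambda.arn
    }
    # Cuts KMS API calls per object; the data key is still wrapped by the CMK.
    bucket_key_enabled = true
  }
}

# Not one of the Trivy findings, but scripts a Lambda executes should never be
# reachable anonymously, so close the bucket to public ACLs and policies.
resource "aws_s3_bucket_public_access_block" "backup_lambda" {
  bucket                  = aws_s3_bucket.backup_lambda.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# IMDSv2 only. http_tokens = "required" makes the metadata service reject any
# request without a session token, which is exactly what an SSRF bug in a
# workload on the host needs in order to read the instance role's credentials.
resource "aws_launch_template" "ec2-launch-template" {
  name_prefix = "${local.application_name}-${local.environment}-ecs-"
  # image_id, instance_type, iam_instance_profile, block devices and user_data
  # stay exactly as in the PR's module; only metadata_options changes.

  metadata_options {
    http_endpoint               = "enabled"
    http_tokens                 = "required"
    # 2 is what the PR uses so containers on the host, one extra network hop
    # away, still reach IMDS. 1 is stricter and works when every task takes
    # its credentials from the ECS task-role endpoint rather than from IMDS.
    http_put_response_hop_limit = 2
  }
}
```

Two things to check after applying. First, the role that reads the scripts must be allowed `kms:Decrypt` (and `kms:GenerateDataKey` for uploads) on the CMK, either in the key policy or in its IAM policy, or every GetObject fails with AccessDenied even though the role holds `s3:*`; the `backup_lambda` policy that Checkov quotes further down the thread grants no `kms:` actions at all. Second, verify from outside Terraform: `aws s3api get-bucket-encryption --bucket <name>` should report `aws:kms` with the key ARN, `aws ec2 describe-instances --query 'Reservations[].Instances[].MetadataOptions.HttpTokens'` should return only `required` once the autoscaling group has been refreshed onto the new launch template version (editing the template creates a version, it does not touch running instances), and an unauthenticated `curl -s -o /dev/null -w '%{http_code}' http://169.254.169.254/latest/meta-data/` from the host should return 401. The same `metadata_options` block fixes `aws_instance` too, which Trivy reports as AVD-AWS-0028 and Checkov as CKV_AWS_79.
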


Trivy Scan Failed

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/apex


Running Trivy in terraform/environments/apex
2024-11-28T14:12:43Z INFO [vulndb] Need to update DB
2024-11-28T14:12:43Z INFO [vulndb] Downloading vulnerability DB...
2024-11-28T14:12:43Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-11-28T14:12:46Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-11-28T14:12:46Z INFO [vuln] Vulnerability scanning is enabled
2024-11-28T14:12:46Z INFO [misconfig] Misconfiguration scanning is enabled
2024-11-28T14:12:46Z INFO [misconfig] Need to update the built-in checks
2024-11-28T14:12:46Z INFO [misconfig] Downloading the built-in checks...
2024-11-28T14:12:46Z ERROR [misconfig] Falling back to embedded checks err="failed to download built-in policies: download error: OCI repository error: 1 error occurred:\n\t* GET https://ghcr.io/v2/aquasecurity/trivy-checks/manifests/1: TOOMANYREQUESTS: retry-after: 831.067µs, allowed: 44000/minute\n\n"
2024-11-28T14:12:46Z INFO [secret] Secret scanning is enabled
2024-11-28T14:12:46Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-11-28T14:12:46Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-11-28T14:12:47Z INFO [terraform scanner] Scanning root module file_path="."
2024-11-28T14:12:47Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2024-11-28T14:12:47Z ERROR [terraform evaluator] Failed to expand dynamic block. block="aws_waf_ipset.wafmanualallowset" err="1 error occurred:\n\t* invalid for-each in aws_waf_ipset.wafmanualallowset.dynamic.ip_set_descriptors block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-28T14:12:47Z ERROR [terraform evaluator] Failed to expand dynamic block. block="aws_waf_ipset.wafmanualallowset" err="1 error occurred:\n\t* invalid for-each in aws_waf_ipset.wafmanualallowset.dynamic.ip_set_descriptors block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-28T14:12:47Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.aws_route53_record.external_lb_validation_core_network_services" value="cty.NilVal"
2024-11-28T14:12:47Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.aws_route53_record.external_lb_validation_core_vpc" value="cty.NilVal"
2024-11-28T14:12:47Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.aws_route53_record.external_lb_validation_self" value="cty.NilVal"
2024-11-28T14:12:47Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.data.aws_route53_zone.core_network_services" value="cty.NilVal"
2024-11-28T14:12:47Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.data.aws_route53_zone.core_vpc" value="cty.NilVal"
2024-11-28T14:12:47Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.data.aws_route53_zone.self" value="cty.NilVal"
2024-11-28T14:12:48Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.apex-ecs.aws_autoscaling_group.cluster-scaling-group" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.cluster-scaling-group.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-28T14:12:48Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.apex-ecs.aws_autoscaling_group.cluster-scaling-group" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.cluster-scaling-group.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-28T14:12:48Z INFO [terraform scanner] Scanning root module file_path="modules/lambdapolicy"
2024-11-28T14:12:48Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="tags"
2024-11-28T14:12:48Z INFO [terraform scanner] Scanning root module file_path="modules/s3"
2024-11-28T14:12:48Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="tags"
2024-11-28T14:12:49Z INFO [terraform executor] Ignore finding rule="aws-elb-alb-not-public" range="modules/alb/main.tf:210-234"
2024-11-28T14:12:49Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0/main.tf:171-179"
2024-11-28T14:12:49Z INFO Number of language-specific files num=0
2024-11-28T14:12:49Z INFO Detected config files num=12

cloudfront.tf (terraform)
=========================

Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0013 (HIGH): Distribution allows unencrypted communications.
════════════════════════════════════════
You should not use outdated/insecure TLS versions for encryption. You should be using TLS v1.2+.
Note: that setting minimum_protocol_version = "TLSv1.2_2021" is only possible when cloudfront_default_certificate is false (eg. you are not using the cloudfront.net domain name).
If cloudfront_default_certificate is true then the Cloudfront API will only allow setting minimum_protocol_version = "TLSv1", and setting it to any other value will result in a perpetual diff in your terraform plan's.
The only option when using the cloudfront.net domain name is to ignore this rule.

See https://avd.aquasec.com/misconfig/avd-aws-0013
────────────────────────────────────────
 cloudfront.tf:241-245
   via cloudfront.tf:177-267 (aws_cloudfront_distribution.external)
────────────────────────────────────────
 177   resource "aws_cloudfront_distribution" "external" {
 ...   
 241 ┌   viewer_certificate {
 242 │     acm_certificate_arn      = aws_acm_certificate.cloudfront.arn
 243 │     ssl_support_method       = "sni-only"
 244 │     minimum_protocol_version = "TLSv1.2_2018"
 245 └   }
 ...   
 267   }
────────────────────────────────────────

AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 cloudfront.tf:131-142
────────────────────────────────────────
 131 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "cloudfront" {
 132 │   bucket = aws_s3_bucket.cloudfront.id
 133 │   rule {
 134 │     apply_server_side_encryption_by_default {
 135 │       sse_algorithm = "AES256"
 136 │     }
 137 │   }
 138 │   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
 139 └   lifecycle {
 ...   
────────────────────────────────────────

ec2.tf (terraform)
==================

Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 ec2.tf:6-40
────────────────────────────────────────
   6 ┌ resource "aws_instance" "apex_db_instance" {
   7 │   ami                         = local.application_data.accounts[local.environment].ec2amiid
   8 │   associate_public_ip_address = false
   9 │   availability_zone           = "eu-west-2a"
  10 │   ebs_optimized               = true
  11 │   instance_type               = local.application_data.accounts[local.environment].ec2instancetype
  12 │   vpc_security_group_ids      = [aws_security_group.database.id]
  13 │   monitoring                  = true
  14 └   subnet_id                   = data.aws_subnet.data_subnets_a.id
  ..   
────────────────────────────────────────

lambda.tf (terraform)
=====================

Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0088 (HIGH): Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.

See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
 lambda.tf:101-107
────────────────────────────────────────
 101 ┌ resource "aws_s3_bucket" "backup_lambda" {
 102 │   bucket = "${local.application_name}-${local.environment}-backup-lambda"
 103 │   tags = merge(
 104 │     local.tags,
 105 │     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
 106 │   )
 107 └ }
────────────────────────────────────────

AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 lambda.tf:101-107
────────────────────────────────────────
 101 ┌ resource "aws_s3_bucket" "backup_lambda" {
 102 │   bucket = "${local.application_name}-${local.environment}-backup-lambda"
 103 │   tags = merge(
 104 │     local.tags,
 105 │     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
 106 │   )
 107 └ }
────────────────────────────────────────

modules/ecs/main.tf (terraform)
===============================

Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0130 (HIGH): Launch template does not require IMDS access to require a token
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/aws-autoscaling-enforce-http-token-imds
────────────────────────────────────────
 modules/ecs/main.tf:119-123
   via modules/ecs/main.tf:107-164 (aws_launch_template.ec2-launch-template)
    via ecs.tf:5-38 (module.apex-ecs)
────────────────────────────────────────
 107   resource "aws_launch_template" "ec2-launch-template" {
 ...   
 119 ┌   metadata_options {
 120 │     http_endpoint               = "enabled"
 121 │     http_tokens                 = "optional"
 122 │     http_put_response_hop_limit = "2"
 123 └   }
 ...   
 164   }
────────────────────────────────────────

modules/s3/main.tf (terraform)
==============================

Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0088 (HIGH): Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.

See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
 modules/s3/main.tf:1-4
────────────────────────────────────────
   1 ┌ resource "aws_s3_bucket" "laa-lambda-backup" {
   2 │   bucket = var.bucket_name
   3 │   tags   = var.tags
   4 └ }
────────────────────────────────────────

AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 modules/s3/main.tf:1-4
────────────────────────────────────────
   1 ┌ resource "aws_s3_bucket" "laa-lambda-backup" {
   2 │   bucket = var.bucket_name
   3 │   tags   = var.tags
   4 └ }
────────────────────────────────────────

trivy_exitcode=1

Checkov Scan Failed

Show Output
```hcl

*****************************

Checkov will check the following folders:
terraform/environments/apex

*****************************

Running Checkov in terraform/environments/apex
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-11-28 14:12:52,067 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0:None (for external modules, the --download-external-modules flag is required)
2024-11-28 14:12:52,067 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 368, Failed checks: 102, Skipped checks: 5, Parsing errors: 1

Check: CKV_AWS_166: "Ensure Backup Vault is encrypted at rest using KMS CMK"
	FAILED for resource: aws_backup_vault.apex
	File: /backups.tf:6-12
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-backup-vault-is-encrypted-at-rest-using-kms-cmk

		6  | resource "aws_backup_vault" "apex" {
		7  |   name = "${local.application_name}-backup-vault"
		8  |   tags = merge(
		9  |     local.tags,
		10 |     { "Name" = "${local.application_name}-backup-vault" },
		11 |   )
		12 | }

Check: CKV_AWS_166: "Ensure Backup Vault is encrypted at rest using KMS CMK"
	FAILED for resource: aws_backup_vault.prod_apex
	File: /backups.tf:64-71
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-backup-vault-is-encrypted-at-rest-using-kms-cmk

		64 | resource "aws_backup_vault" "prod_apex" {
		65 |   count = local.environment == "production" ? 1 : 0
		66 |   name  = "${local.application_name}-production-backup-vault"
		67 |   tags = merge(
		68 |     local.tags,
		69 |     { "Name" = "${local.application_name}-production-backup-vault" },
		70 |   )
		71 | }

Check: CKV_AWS_300: "Ensure S3 lifecycle configuration sets period for aborting failed uploads"
	FAILED for resource: aws_s3_bucket_lifecycle_configuration.cloudfront
	File: /cloudfront.tf:157-175
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-300

		157 | resource "aws_s3_bucket_lifecycle_configuration" "cloudfront" {
		158 |   count  = local.environment == "production" ? 1 : 0
		159 |   bucket = aws_s3_bucket.cloudfront.id
		160 | 
		161 |   rule {
		162 |     id = "delete-after-90days"
		163 | 
		164 |     expiration {
		165 |       days = 90
		166 |     }
		167 | 
		168 |     noncurrent_version_expiration {
		169 |       newer_noncurrent_versions = 1
		170 |       noncurrent_days           = 90
		171 |     }
		172 | 
		173 |     status = "Enabled"
		174 |   }
		175 | }

Check: CKV_AWS_310: "Ensure CloudFront distributions should have origin failover configured"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:177-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-310

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_374: "Ensure AWS CloudFront web distribution has geo restriction enabled"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:177-267

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_305: "Ensure CloudFront distribution has a default root object configured"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:177-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-305

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_233: "Ensure Create before destroy for ACM certificates"
	FAILED for resource: aws_acm_certificate.cloudfront
	File: /cloudfront.tf:295-305
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-acm-certificate-enables-create-before-destroy

		295 | resource "aws_acm_certificate" "cloudfront" {
		296 |   domain_name               = local.cloudfront_domain
		297 |   validation_method         = "DNS"
		298 |   provider                  = aws.us-east-1
		299 |   subject_alternative_names = local.environment == "production" ? null : [local.lower_env_cloudfront_url]
		300 |   tags                      = local.tags
		301 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		302 |   lifecycle {
		303 |     prevent_destroy = false
		304 |   }
		305 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.apex_db_instance
	File: /ec2.tf:6-40
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		6  | resource "aws_instance" "apex_db_instance" {
		7  |   ami                         = local.application_data.accounts[local.environment].ec2amiid
		8  |   associate_public_ip_address = false
		9  |   availability_zone           = "eu-west-2a"
		10 |   ebs_optimized               = true
		11 |   instance_type               = local.application_data.accounts[local.environment].ec2instancetype
		12 |   vpc_security_group_ids      = [aws_security_group.database.id]
		13 |   monitoring                  = true
		14 |   subnet_id                   = data.aws_subnet.data_subnets_a.id
		15 |   iam_instance_profile        = aws_iam_instance_profile.ec2_instance_profile.id
		16 |   key_name                    = aws_key_pair.apex.key_name
		17 |   user_data_base64            = base64encode(local.database-instance-userdata)
		18 |   user_data_replace_on_change = true
		19 | 
		20 | 
		21 |   root_block_device {
		22 |     delete_on_termination = false
		23 |     encrypted             = true # TODO Confirm if encrypted volumes can work for OAS, as it looks like in MP they must be encrypted
		24 |     volume_size           = 60
		25 |     volume_type           = "gp2"
		26 |     tags = merge(
		27 |       local.tags,
		28 |       { "Name" = "${local.application_name}db-ec2-root" },
		29 |       { "backup" = "false" }
		30 |     )
		31 |   }
		32 | 
		33 |   tags = merge(
		34 |     local.tags,
		35 |     { "Name" = local.database_ec2_name },
		36 |     { "instance-scheduling" = "skip-scheduling" },
		37 |     { "backup" = "false" },
		38 |     local.backup_schedule_tags
		39 |   )
		40 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.db_lambda
	File: /ec2.tf:77-84
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		77 | resource "aws_vpc_security_group_ingress_rule" "db_lambda" {
		78 |   security_group_id            = aws_security_group.database.id
		79 |   description                  = "Allow Lambda SSH access for backup snapshots"
		80 |   referenced_security_group_id = aws_security_group.backup_lambda.id
		81 |   from_port                    = 22
		82 |   ip_protocol                  = "tcp"
		83 |   to_port                      = 22
		84 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.db_outbound
	File: /ec2.tf:105-109
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		105 | resource "aws_vpc_security_group_egress_rule" "db_outbound" {
		106 |   security_group_id = aws_security_group.database.id
		107 |   cidr_ipv4         = "0.0.0.0/0"
		108 |   ip_protocol       = "-1"
		109 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.ec2_instance_policy
	File: /ec2.tf:136-167
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		136 | resource "aws_iam_role_policy" "ec2_instance_policy" {
		137 |   name = "${local.application_name}-ec2-policy"
		138 |   role = aws_iam_role.ec2_instance_role.id
		139 |   policy = jsonencode({
		140 |     Version = "2012-10-17"
		141 |     Statement = [
		142 |       {
		143 |         Effect = "Allow",
		144 |         Action = [
		145 |           "logs:CreateLogGroup",
		146 |           "logs:CreateLogStream",
		147 |           "logs:DescribeLogStreams",
		148 |           "logs:PutRetentionPolicy",
		149 |           "logs:PutLogEvents",
		150 |           "logs:DescribeLogGroups",
		151 |           "cloudwatch:PutMetricData",
		152 |           "cloudwatch:GetMetricStatistics",
		153 |           "cloudwatch:ListMetrics",
		154 |           "ec2:DescribeInstances",
		155 |         ],
		156 |         Resource = "*"
		157 |       },
		158 |       {
		159 |         Effect = "Allow",
		160 |         Action = [
		161 |           "ec2:CreateTags"
		162 |         ],
		163 |         Resource = "*"
		164 |       }
		165 |     ]
		166 |   })
		167 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.ec2_instance_policy
	File: /ec2.tf:136-167
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		136 | resource "aws_iam_role_policy" "ec2_instance_policy" {
		137 |   name = "${local.application_name}-ec2-policy"
		138 |   role = aws_iam_role.ec2_instance_role.id
		139 |   policy = jsonencode({
		140 |     Version = "2012-10-17"
		141 |     Statement = [
		142 |       {
		143 |         Effect = "Allow",
		144 |         Action = [
		145 |           "logs:CreateLogGroup",
		146 |           "logs:CreateLogStream",
		147 |           "logs:DescribeLogStreams",
		148 |           "logs:PutRetentionPolicy",
		149 |           "logs:PutLogEvents",
		150 |           "logs:DescribeLogGroups",
		151 |           "cloudwatch:PutMetricData",
		152 |           "cloudwatch:GetMetricStatistics",
		153 |           "cloudwatch:ListMetrics",
		154 |           "ec2:DescribeInstances",
		155 |         ],
		156 |         Resource = "*"
		157 |       },
		158 |       {
		159 |         Effect = "Allow",
		160 |         Action = [
		161 |           "ec2:CreateTags"
		162 |         ],
		163 |         Resource = "*"
		164 |       }
		165 |     ]
		166 |   })
		167 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.database
	File: /ec2.tf:269-279
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		269 | resource "aws_cloudwatch_log_group" "database" {
		270 |   name              = "${upper(local.application_name)}-EC2-database-alert"
		271 |   retention_in_days = 0
		272 |   # kms_key_id = aws_kms_key.cloudwatch_logs_key.arn # Not encrypted in LZ
		273 |   tags = merge(
		274 |     local.tags,
		275 |     {
		276 |       Name = "${upper(local.application_name)}-EC2-database-alert"
		277 |     }
		278 |   )
		279 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.pmon_status
	File: /ec2.tf:294-304
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		294 | resource "aws_cloudwatch_log_group" "pmon_status" {
		295 |   name              = "${upper(local.application_name)}-EC2-database-pmon-status"
		296 |   retention_in_days = 0
		297 |   # kms_key_id = aws_kms_key.cloudwatch_logs_key.arn # Not encrypted in LZ
		298 |   tags = merge(
		299 |     local.tags,
		300 |     {
		301 |       Name = "${upper(local.application_name)}-EC2-database-pmon-status"
		302 |     }
		303 |   )
		304 | }

Check: CKV_AWS_7: "Ensure rotation for customer created CMKs is enabled"
	FAILED for resource: aws_kms_key.efs
	File: /efs.tf:1-5
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/logging-8

		1 | resource "aws_kms_key" "efs" {
		2 |   description = "KMS key for encrypting EFS"
		3 |   # enable_key_rotation = true
		4 |   tags = local.tags
		5 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.ssh_key
	File: /lambda.tf:7-22
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		7  | resource "aws_ssm_parameter" "ssh_key" {
		8  |   name        = "EC2_SSH_KEY" # This needs to match the name supplied to the dbconnect.js script
		9  |   description = "SSH Key used by Lambda function to access database instance for backup. Value is updated manually."
		10 |   type        = "SecureString"
		11 |   value       = "Placeholder"
		12 | 
		13 |   tags = merge(
		14 |     local.tags,
		15 |     { Name = "EC2_SSH_KEY" }
		16 |   )
		17 |   lifecycle {
		18 |     ignore_changes = [
		19 |       value,
		20 |     ]
		21 |   }
		22 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:50-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		50 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		51 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		52 |   tags = merge(
		53 |     local.tags,
		54 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		55 |   )
		56 |   policy = <<EOF
		57 | {
		58 |     "Version" : "2012-10-17",
		59 |     "Statement": [
		60 |         {
		61 |             "Action": [
		62 |                 "lambda:InvokeFunction",
		63 |                 "ec2:CreateNetworkInterface",
		64 |                 "ec2:DescribeNetworkInterfaces",
		65 |                 "ec2:DeleteNetworkInterface",
		66 |                 "ec2:DescribeSecurityGroups",
		67 |                 "ec2:CreateSnapshot",
		68 |                 "ec2:DeleteSnapshot",
		69 |                 "ec2:DescribeSubnets",
		70 |                 "ec2:DescribeVpcs",
		71 |                 "ec2:DescribeInstances",
		72 |                 "ec2:DescribeAddresses",
		73 |                 "ec2:DescribeInstanceStatus",
		74 |                 "ec2:DescribeVolumes",
		75 |                 "ec2:DescribeSnapshots",
		76 |                 "ec2:CreateTags",
		77 |                 "s3:*",
		78 |                 "ssm:*",
		79 |                 "ses:*",
		80 |                 "logs:*",
		81 |                 "cloudwatch:*",
		82 |                 "sts:AssumeRole"
		83 |             ],
		84 |             "Resource": "*",
		85 |             "Effect": "Allow"
		86 |         }
		87 |     ]
		88 | }
		89 | EOF
		90 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:50-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		50 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		51 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		52 |   tags = merge(
		53 |     local.tags,
		54 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		55 |   )
		56 |   policy = <<EOF
		57 | {
		58 |     "Version" : "2012-10-17",
		59 |     "Statement": [
		60 |         {
		61 |             "Action": [
		62 |                 "lambda:InvokeFunction",
		63 |                 "ec2:CreateNetworkInterface",
		64 |                 "ec2:DescribeNetworkInterfaces",
		65 |                 "ec2:DeleteNetworkInterface",
		66 |                 "ec2:DescribeSecurityGroups",
		67 |                 "ec2:CreateSnapshot",
		68 |                 "ec2:DeleteSnapshot",
		69 |                 "ec2:DescribeSubnets",
		70 |                 "ec2:DescribeVpcs",
		71 |                 "ec2:DescribeInstances",
		72 |                 "ec2:DescribeAddresses",
		73 |                 "ec2:DescribeInstanceStatus",
		74 |                 "ec2:DescribeVolumes",
		75 |                 "ec2:DescribeSnapshots",
		76 |                 "ec2:CreateTags",
		77 |                 "s3:*",
		78 |                 "ssm:*",
		79 |                 "ses:*",
		80 |                 "logs:*",
		81 |                 "cloudwatch:*",
		82 |                 "sts:AssumeRole"
		83 |             ],
		84 |             "Resource": "*",
		85 |             "Effect": "Allow"
		86 |         }
		87 |     ]
		88 | }
		89 | EOF
		90 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:50-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		50 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		51 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		52 |   tags = merge(
		53 |     local.tags,
		54 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		55 |   )
		56 |   policy = <<EOF
		57 | {
		58 |     "Version" : "2012-10-17",
		59 |     "Statement": [
		60 |         {
		61 |             "Action": [
		62 |                 "lambda:InvokeFunction",
		63 |                 "ec2:CreateNetworkInterface",
		64 |                 "ec2:DescribeNetworkInterfaces",
		65 |                 "ec2:DeleteNetworkInterface",
		66 |                 "ec2:DescribeSecurityGroups",
		67 |                 "ec2:CreateSnapshot",
		68 |                 "ec2:DeleteSnapshot",
		69 |                 "ec2:DescribeSubnets",
		70 |                 "ec2:DescribeVpcs",
		71 |                 "ec2:DescribeInstances",
		72 |                 "ec2:DescribeAddresses",
		73 |                 "ec2:DescribeInstanceStatus",
		74 |                 "ec2:DescribeVolumes",
		75 |                 "ec2:DescribeSnapshots",
		76 |                 "ec2:CreateTags",
		77 |                 "s3:*",
		78 |                 "ssm:*",
		79 |                 "ses:*",
		80 |                 "logs:*",
		81 |                 "cloudwatch:*",
		82 |                 "sts:AssumeRole"
		83 |             ],
		84 |             "Resource": "*",
		85 |             "Effect": "Allow"
		86 |         }
		87 |     ]
		88 | }
		89 | EOF
		90 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:50-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		50 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		51 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		52 |   tags = merge(
		53 |     local.tags,
		54 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		55 |   )
		56 |   policy = <<EOF
		57 | {
		58 |     "Version" : "2012-10-17",
		59 |     "Statement": [
		60 |         {
		61 |             "Action": [
		62 |                 "lambda:InvokeFunction",
		63 |                 "ec2:CreateNetworkInterface",
		64 |                 "ec2:DescribeNetworkInterfaces",
		65 |                 "ec2:DeleteNetworkInterface",
		66 |                 "ec2:DescribeSecurityGroups",
		67 |                 "ec2:CreateSnapshot",
		68 |                 "ec2:DeleteSnapshot",
		69 |                 "ec2:DescribeSubnets",
		70 |                 "ec2:DescribeVpcs",
		71 |                 "ec2:DescribeInstances",
		72 |                 "ec2:DescribeAddresses",
		73 |                 "ec2:DescribeInstanceStatus",
		74 |                 "ec2:DescribeVolumes",
		75 |                 "ec2:DescribeSnapshots",
		76 |                 "ec2:CreateTags",
		77 |                 "s3:*",
		78 |                 "ssm:*",
		79 |                 "ses:*",
		80 |                 "logs:*",
		81 |                 "cloudwatch:*",
		82 |                 "sts:AssumeRole"
		83 |             ],
		84 |             "Resource": "*",
		85 |             "Effect": "Allow"
		86 |         }
		87 |     ]
		88 | }
		89 | EOF
		90 | }

Check: CKV_AWS_287: "Ensure IAM policies does not allow credentials exposure"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:50-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-287

		50 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		51 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		52 |   tags = merge(
		53 |     local.tags,
		54 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		55 |   )
		56 |   policy = <<EOF
		57 | {
		58 |     "Version" : "2012-10-17",
		59 |     "Statement": [
		60 |         {
		61 |             "Action": [
		62 |                 "lambda:InvokeFunction",
		63 |                 "ec2:CreateNetworkInterface",
		64 |                 "ec2:DescribeNetworkInterfaces",
		65 |                 "ec2:DeleteNetworkInterface",
		66 |                 "ec2:DescribeSecurityGroups",
		67 |                 "ec2:CreateSnapshot",
		68 |                 "ec2:DeleteSnapshot",
		69 |                 "ec2:DescribeSubnets",
		70 |                 "ec2:DescribeVpcs",
		71 |                 "ec2:DescribeInstances",
		72 |                 "ec2:DescribeAddresses",
		73 |                 "ec2:DescribeInstanceStatus",
		74 |                 "ec2:DescribeVolumes",
		75 |                 "ec2:DescribeSnapshots",
		76 |                 "ec2:CreateTags",
		77 |                 "s3:*",
		78 |                 "ssm:*",
		79 |                 "ses:*",
		80 |                 "logs:*",
		81 |                 "cloudwatch:*",
		82 |                 "sts:AssumeRole"
		83 |             ],
		84 |             "Resource": "*",
		85 |             "Effect": "Allow"
		86 |         }
		87 |     ]
		88 | }
		89 | EOF
		90 | }

Check: CKV_AWS_382: "Ensure no security groups allow egress from 0.0.0.0:0 to port -1"
	FAILED for resource: aws_security_group.backup_lambda
	File: /lambda.tf:184-201

		184 | resource "aws_security_group" "backup_lambda" {
		185 |   name        = "${local.application_name}-${local.environment}-backup-lambda-security-group"
		186 |   description = "Bakcup Lambda Security Group"
		187 |   vpc_id      = data.aws_vpc.shared.id
		188 | 
		189 |   egress {
		190 |     description = "outbound access"
		191 |     from_port   = 0
		192 |     to_port     = 0
		193 |     protocol    = "-1"
		194 |     cidr_blocks = ["0.0.0.0/0"]
		195 |   }
		196 | 
		197 |   tags = merge(
		198 |     local.tags,
		199 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-security-group" }
		200 |   )
		201 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /lambda.tf:215-243
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		215 | resource "aws_lambda_function" "create_db_snapshots" {
		216 | 
		217 |   description      = "Snapshot volumes for Oracle EC2"
		218 |   function_name    = "snapshotDBFunction"
		219 |   role             = aws_iam_role.backup_lambda.arn
		220 |   handler          = "snapshot/dbsnapshot.handler"
		221 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		222 |   runtime          = "nodejs18.x"
		223 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		224 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		225 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		226 |   memory_size      = 128
		227 |   timeout          = 900
		228 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		229 | 
		230 |   environment {
		231 |     variables = {
		232 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		233 |     }
		234 |   }
		235 |   vpc_config {
		236 |     security_group_ids = [aws_security_group.backup_lambda.id]
		237 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		238 |   }
		239 |   tags = merge(
		240 |     local.tags,
		241 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		242 |   )
		243 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /lambda.tf:215-243
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		215 | resource "aws_lambda_function" "create_db_snapshots" {
		216 | 
		217 |   description      = "Snapshot volumes for Oracle EC2"
		218 |   function_name    = "snapshotDBFunction"
		219 |   role             = aws_iam_role.backup_lambda.arn
		220 |   handler          = "snapshot/dbsnapshot.handler"
		221 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		222 |   runtime          = "nodejs18.x"
		223 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		224 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		225 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		226 |   memory_size      = 128
		227 |   timeout          = 900
		228 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		229 | 
		230 |   environment {
		231 |     variables = {
		232 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		233 |     }
		234 |   }
		235 |   vpc_config {
		236 |     security_group_ids = [aws_security_group.backup_lambda.id]
		237 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		238 |   }
		239 |   tags = merge(
		240 |     local.tags,
		241 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		242 |   )
		243 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /lambda.tf:215-243
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		215 | resource "aws_lambda_function" "create_db_snapshots" {
		216 | 
		217 |   description      = "Snapshot volumes for Oracle EC2"
		218 |   function_name    = "snapshotDBFunction"
		219 |   role             = aws_iam_role.backup_lambda.arn
		220 |   handler          = "snapshot/dbsnapshot.handler"
		221 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		222 |   runtime          = "nodejs18.x"
		223 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		224 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		225 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		226 |   memory_size      = 128
		227 |   timeout          = 900
		228 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		229 | 
		230 |   environment {
		231 |     variables = {
		232 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		233 |     }
		234 |   }
		235 |   vpc_config {
		236 |     security_group_ids = [aws_security_group.backup_lambda.id]
		237 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		238 |   }
		239 |   tags = merge(
		240 |     local.tags,
		241 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		242 |   )
		243 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /lambda.tf:215-243
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		215 | resource "aws_lambda_function" "create_db_snapshots" {
		216 | 
		217 |   description      = "Snapshot volumes for Oracle EC2"
		218 |   function_name    = "snapshotDBFunction"
		219 |   role             = aws_iam_role.backup_lambda.arn
		220 |   handler          = "snapshot/dbsnapshot.handler"
		221 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		222 |   runtime          = "nodejs18.x"
		223 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		224 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		225 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		226 |   memory_size      = 128
		227 |   timeout          = 900
		228 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		229 | 
		230 |   environment {
		231 |     variables = {
		232 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		233 |     }
		234 |   }
		235 |   vpc_config {
		236 |     security_group_ids = [aws_security_group.backup_lambda.id]
		237 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		238 |   }
		239 |   tags = merge(
		240 |     local.tags,
		241 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		242 |   )
		243 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /lambda.tf:215-243
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		215 | resource "aws_lambda_function" "create_db_snapshots" {
		216 | 
		217 |   description      = "Snapshot volumes for Oracle EC2"
		218 |   function_name    = "snapshotDBFunction"
		219 |   role             = aws_iam_role.backup_lambda.arn
		220 |   handler          = "snapshot/dbsnapshot.handler"
		221 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		222 |   runtime          = "nodejs18.x"
		223 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		224 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		225 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		226 |   memory_size      = 128
		227 |   timeout          = 900
		228 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		229 | 
		230 |   environment {
		231 |     variables = {
		232 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		233 |     }
		234 |   }
		235 |   vpc_config {
		236 |     security_group_ids = [aws_security_group.backup_lambda.id]
		237 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		238 |   }
		239 |   tags = merge(
		240 |     local.tags,
		241 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		242 |   )
		243 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /lambda.tf:245-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		245 | resource "aws_lambda_function" "delete_db_snapshots" {
		246 | 
		247 |   description      = "Clean up script to delete old unused snapshots"
		248 |   function_name    = "deletesnapshotFunction"
		249 |   role             = aws_iam_role.backup_lambda.arn
		250 |   handler          = "deletesnapshots.lambda_handler"
		251 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		252 |   runtime          = "python3.8"
		253 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		254 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		255 |   memory_size      = 3000
		256 |   timeout          = 900
		257 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		258 | 
		259 |   vpc_config {
		260 |     security_group_ids = [aws_security_group.backup_lambda.id]
		261 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		262 |   }
		263 |   tags = merge(
		264 |     local.tags,
		265 |     { Name = "${local.application_name}-${local.environment}-lambda-delete-snapshots" }
		266 |   )
		267 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /lambda.tf:245-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		245 | resource "aws_lambda_function" "delete_db_snapshots" {
		246 | 
		247 |   description      = "Clean up script to delete old unused snapshots"
		248 |   function_name    = "deletesnapshotFunction"
		249 |   role             = aws_iam_role.backup_lambda.arn
		250 |   handler          = "deletesnapshots.lambda_handler"
		251 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		252 |   runtime          = "python3.8"
		253 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		254 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		255 |   memory_size      = 3000
		256 |   timeout          = 900
		257 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		258 | 
		259 |   vpc_config {
		260 |     security_group_ids = [aws_security_group.backup_lambda.id]
		261 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		262 |   }
		263 |   tags = merge(
		264 |     local.tags,
		265 |     { Name = "${local.application_name}-${local.environment}-lambda-delete-snapshots" }
		266 |   )
		267 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /lambda.tf:245-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		245 | resource "aws_lambda_function" "delete_db_snapshots" {
		246 | 
		247 |   description      = "Clean up script to delete old unused snapshots"
		248 |   function_name    = "deletesnapshotFunction"
		249 |   role             = aws_iam_role.backup_lambda.arn
		250 |   handler          = "deletesnapshots.lambda_handler"
		251 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		252 |   runtime          = "python3.8"
		253 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		254 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		255 |   memory_size      = 3000
		256 |   timeout          = 900
		257 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		258 | 
		259 |   vpc_config {
		260 |     security_group_ids = [aws_security_group.backup_lambda.id]
		261 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		262 |   }
		263 |   tags = merge(
		264 |     local.tags,
		265 |     { Name = "${local.application_name}-${local.environment}-lambda-delete-snapshots" }
		266 |   )
		267 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /lambda.tf:245-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		245 | resource "aws_lambda_function" "delete_db_snapshots" {
		246 | 
		247 |   description      = "Clean up script to delete old unused snapshots"
		248 |   function_name    = "deletesnapshotFunction"
		249 |   role             = aws_iam_role.backup_lambda.arn
		250 |   handler          = "deletesnapshots.lambda_handler"
		251 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		252 |   runtime          = "python3.8"
		253 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		254 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		255 |   memory_size      = 3000
		256 |   timeout          = 900
		257 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		258 | 
		259 |   vpc_config {
		260 |     security_group_ids = [aws_security_group.backup_lambda.id]
		261 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		262 |   }
		263 |   tags = merge(
		264 |     local.tags,
		265 |     { Name = "${local.application_name}-${local.environment}-lambda-delete-snapshots" }
		266 |   )
		267 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.connect_db
	File: /lambda.tf:269-300
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		269 | resource "aws_lambda_function" "connect_db" {
		270 | 
		271 |   description      = "SSH to the DB EC2"
		272 |   function_name    = "connectDBFunction"
		273 |   role             = aws_iam_role.backup_lambda.arn
		274 |   handler          = "ssh/dbconnect.handler"
		275 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		276 |   runtime          = "nodejs18.x"
		277 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		278 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		279 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		280 |   memory_size      = 128
		281 |   timeout          = 900
		282 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		283 | 
		284 | 
		285 | 
		286 |   environment {
		287 |     variables = {
		288 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		289 | 
		290 |     }
		291 |   }
		292 |   vpc_config {
		293 |     security_group_ids = [aws_security_group.backup_lambda.id]
		294 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		295 |   }
		296 |   tags = merge(
		297 |     local.tags,
		298 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		299 |   )
		300 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.connect_db
	File: /lambda.tf:269-300
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		269 | resource "aws_lambda_function" "connect_db" {
		270 | 
		271 |   description      = "SSH to the DB EC2"
		272 |   function_name    = "connectDBFunction"
		273 |   role             = aws_iam_role.backup_lambda.arn
		274 |   handler          = "ssh/dbconnect.handler"
		275 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		276 |   runtime          = "nodejs18.x"
		277 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		278 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		279 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		280 |   memory_size      = 128
		281 |   timeout          = 900
		282 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		283 | 
		284 | 
		285 | 
		286 |   environment {
		287 |     variables = {
		288 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		289 | 
		290 |     }
		291 |   }
		292 |   vpc_config {
		293 |     security_group_ids = [aws_security_group.backup_lambda.id]
		294 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		295 |   }
		296 |   tags = merge(
		297 |     local.tags,
		298 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		299 |   )
		300 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.connect_db
	File: /lambda.tf:269-300
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		269 | resource "aws_lambda_function" "connect_db" {
		270 | 
		271 |   description      = "SSH to the DB EC2"
		272 |   function_name    = "connectDBFunction"
		273 |   role             = aws_iam_role.backup_lambda.arn
		274 |   handler          = "ssh/dbconnect.handler"
		275 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		276 |   runtime          = "nodejs18.x"
		277 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		278 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		279 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		280 |   memory_size      = 128
		281 |   timeout          = 900
		282 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		283 | 
		284 | 
		285 | 
		286 |   environment {
		287 |     variables = {
		288 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		289 | 
		290 |     }
		291 |   }
		292 |   vpc_config {
		293 |     security_group_ids = [aws_security_group.backup_lambda.id]
		294 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		295 |   }
		296 |   tags = merge(
		297 |     local.tags,
		298 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		299 |   )
		300 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.connect_db
	File: /lambda.tf:269-300
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		269 | resource "aws_lambda_function" "connect_db" {
		270 | 
		271 |   description      = "SSH to the DB EC2"
		272 |   function_name    = "connectDBFunction"
		273 |   role             = aws_iam_role.backup_lambda.arn
		274 |   handler          = "ssh/dbconnect.handler"
		275 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		276 |   runtime          = "nodejs18.x"
		277 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		278 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		279 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		280 |   memory_size      = 128
		281 |   timeout          = 900
		282 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		283 | 
		284 | 
		285 | 
		286 |   environment {
		287 |     variables = {
		288 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		289 | 
		290 |     }
		291 |   }
		292 |   vpc_config {
		293 |     security_group_ids = [aws_security_group.backup_lambda.id]
		294 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		295 |   }
		296 |   tags = merge(
		297 |     local.tags,
		298 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		299 |   )
		300 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.connect_db
	File: /lambda.tf:269-300
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		269 | resource "aws_lambda_function" "connect_db" {
		270 | 
		271 |   description      = "SSH to the DB EC2"
		272 |   function_name    = "connectDBFunction"
		273 |   role             = aws_iam_role.backup_lambda.arn
		274 |   handler          = "ssh/dbconnect.handler"
		275 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		276 |   runtime          = "nodejs18.x"
		277 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		278 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		279 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		280 |   memory_size      = 128
		281 |   timeout          = 900
		282 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		283 | 
		284 | 
		285 | 
		286 |   environment {
		287 |     variables = {
		288 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		289 | 
		290 |     }
		291 |   }
		292 |   vpc_config {
		293 |     security_group_ids = [aws_security_group.backup_lambda.id]
		294 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		295 |   }
		296 |   tags = merge(
		297 |     local.tags,
		298 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		299 |   )
		300 | }
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.alb.s3-bucket[0]
	File: /modules/alb/main.tf:96-151
	Calling File: /alb.tf:27-163
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		Code lines for this resource are too many. Please use IDE of your choice to review the file.

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: module.alb.aws_secretsmanager_secret.cloudfront
	File: /modules/alb/main.tf:275-278
	Calling File: /alb.tf:27-163
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		275 | resource "aws_secretsmanager_secret" "cloudfront" {
		276 |   name        = "cloudfront-v1-secret-${var.application_name}"
		277 |   description = "Simple secret created by AWS CloudFormation to be shared between ALB and CloudFront"
		278 | }

Check: CKV_AWS_378: "Ensure AWS Load Balancer doesn't use HTTP protocol"
	FAILED for resource: module.alb.aws_lb_target_group.alb_target_group
	File: /modules/alb/main.tf:346-373
	Calling File: /alb.tf:27-163

		346 | resource "aws_lb_target_group" "alb_target_group" {
		347 |   name                 = "${var.application_name}-alb-tg"
		348 |   port                 = var.target_group_port
		349 |   protocol             = var.target_group_protocol
		350 |   vpc_id               = var.vpc_id
		351 |   deregistration_delay = var.target_group_deregistration_delay
		352 |   health_check {
		353 |     interval            = var.healthcheck_interval
		354 |     path                = var.healthcheck_path
		355 |     protocol            = var.healthcheck_protocol
		356 |     timeout             = var.healthcheck_timeout
		357 |     healthy_threshold   = var.healthcheck_healthy_threshold
		358 |     unhealthy_threshold = var.healthcheck_unhealthy_threshold
		359 |   }
		360 |   stickiness {
		361 |     enabled         = var.stickiness_enabled
		362 |     type            = var.stickiness_type
		363 |     cookie_duration = var.stickiness_cookie_duration
		364 |   }
		365 | 
		366 |   tags = merge(
		367 |     var.tags,
		368 |     {
		369 |       Name = "${var.application_name}-alb-tg"
		370 |     },
		371 |   )
		372 | 
		373 | }

Check: CKV_AWS_233: "Ensure Create before destroy for ACM certificates"
	FAILED for resource: module.alb.aws_acm_certificate.external_lb
	File: /modules/alb/main.tf:427-437
	Calling File: /alb.tf:27-163
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-acm-certificate-enables-create-before-destroy

		427 | resource "aws_acm_certificate" "external_lb" {
		428 | 
		429 |   domain_name               = var.acm_cert_domain_name
		430 |   validation_method         = "DNS"
		431 |   subject_alternative_names = var.environment == "production" ? null : ["${var.application_name}.${var.business_unit}-${var.environment}.${var.acm_cert_domain_name}"]
		432 |   tags                      = var.tags
		433 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		434 |   lifecycle {
		435 |     prevent_destroy = false
		436 |   }
		437 | }

Check: CKV_AWS_300: "Ensure S3 lifecycle configuration sets period for aborting failed uploads"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket_lifecycle_configuration.report_lifecycle
	File: /modules/codebuild/main.tf:25-39
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-300

		25 | resource "aws_s3_bucket_lifecycle_configuration" "report_lifecycle" {
		26 |   bucket = aws_s3_bucket.deployment_report.id
		27 | 
		28 |   rule {
		29 |     id = "monthly-expiration"
		30 |     expiration {
		31 |       days = var.s3_lifecycle_expiration_days
		32 |     }
		33 |     noncurrent_version_expiration {
		34 |       noncurrent_days = var.s3_lifecycle_noncurr_version_expiration_days
		35 |     }
		36 | 
		37 |     status = "Enabled"
		38 |   }
		39 | }

Check: CKV_AWS_163: "Ensure ECR image scanning on push is enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_ecr_repository.local-ecr
	File: /modules/codebuild/main.tf:52-66
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-8

		52 | resource "aws_ecr_repository" "local-ecr" {
		53 |   name                 = "${var.app_name}-local-ecr"
		54 |   image_tag_mutability = "MUTABLE"
		55 | 
		56 |   image_scanning_configuration {
		57 |     scan_on_push = false
		58 |   }
		59 | 
		60 |   tags = merge(
		61 |     var.tags,
		62 |     {
		63 |       Name = "${var.app_name}-local-ecr"
		64 |     },
		65 |   )
		66 | }

Check: CKV_AWS_51: "Ensure ECR Image Tags are immutable"
	FAILED for resource: module.apex-ecr-codebuild.aws_ecr_repository.local-ecr
	File: /modules/codebuild/main.tf:52-66
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-24

		52 | resource "aws_ecr_repository" "local-ecr" {
		53 |   name                 = "${var.app_name}-local-ecr"
		54 |   image_tag_mutability = "MUTABLE"
		55 | 
		56 |   image_scanning_configuration {
		57 |     scan_on_push = false
		58 |   }
		59 | 
		60 |   tags = merge(
		61 |     var.tags,
		62 |     {
		63 |       Name = "${var.app_name}-local-ecr"
		64 |     },
		65 |   )
		66 | }

Check: CKV_AWS_136: "Ensure that ECR repositories are encrypted using KMS"
	FAILED for resource: module.apex-ecr-codebuild.aws_ecr_repository.local-ecr
	File: /modules/codebuild/main.tf:52-66
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ecr-repositories-are-encrypted

		52 | resource "aws_ecr_repository" "local-ecr" {
		53 |   name                 = "${var.app_name}-local-ecr"
		54 |   image_tag_mutability = "MUTABLE"
		55 | 
		56 |   image_scanning_configuration {
		57 |     scan_on_push = false
		58 |   }
		59 | 
		60 |   tags = merge(
		61 |     var.tags,
		62 |     {
		63 |       Name = "${var.app_name}-local-ecr"
		64 |     },
		65 |   )
		66 | }

Check: CKV_AWS_314: "Ensure CodeBuild project environments have a logging configuration"
	FAILED for resource: module.apex-ecr-codebuild.aws_codebuild_project.app-build
	File: /modules/codebuild/main.tf:163-229
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-314

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_316: "Ensure CodeBuild project environments do not have privileged mode enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_codebuild_project.app-build
	File: /modules/codebuild/main.tf:163-229
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-316

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_314: "Ensure CodeBuild project environments have a logging configuration"
	FAILED for resource: module.apex-ecr-codebuild.aws_codebuild_project.test-build
	File: /modules/codebuild/main.tf:231-280
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-314

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: module.apex-ecs.aws_launch_template.ec2-launch-template
	File: /modules/ecs/main.tf:107-164
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_341: "Ensure Launch template should not have a metadata response hop limit greater than 1"
	FAILED for resource: module.apex-ecs.aws_launch_template.ec2-launch-template
	File: /modules/ecs/main.tf:107-164
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-341

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: module.apex-ecs.aws_iam_policy.ec2_instance_policy
	File: /modules/ecs/main.tf:204-237
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		204 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		205 |   name = "${var.app_name}-ec2-instance-policy"
		206 |   tags = merge(
		207 |     var.tags_common,
		208 |     {
		209 |       Name = "${var.app_name}-ec2-instance-policy"
		210 |     }
		211 |   )
		212 |   policy = <<EOF
		213 | {
		214 |     "Version": "2012-10-17",
		215 |     "Statement": [
		216 |         {
		217 |             "Action": [
		218 |                 "ecs:CreateCluster",
		219 |                 "ecs:DeregisterContainerInstance",
		220 |                 "ecs:DiscoverPollEndpoint",
		221 |                 "ecs:Poll",
		222 |                 "ecs:RegisterContainerInstance",
		223 |                 "ecs:StartTelemetrySession",
		224 |                 "ecs:Submit*",
		225 |                 "logs:CreateLogGroup",
		226 |                 "logs:CreateLogStream",
		227 |                 "logs:PutLogEvents",
		228 |                 "logs:DescribeLogStreams",
		229 |                 "ecr:*"
		230 |             ],
		231 |             "Resource": "*",
		232 |             "Effect": "Allow"
		233 |         }
		234 |     ]
		235 | }
		236 | EOF
		237 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.apex-ecs.aws_iam_policy.ec2_instance_policy
	File: /modules/ecs/main.tf:204-237
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		204 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		205 |   name = "${var.app_name}-ec2-instance-policy"
		206 |   tags = merge(
		207 |     var.tags_common,
		208 |     {
		209 |       Name = "${var.app_name}-ec2-instance-policy"
		210 |     }
		211 |   )
		212 |   policy = <<EOF
		213 | {
		214 |     "Version": "2012-10-17",
		215 |     "Statement": [
		216 |         {
		217 |             "Action": [
		218 |                 "ecs:CreateCluster",
		219 |                 "ecs:DeregisterContainerInstance",
		220 |                 "ecs:DiscoverPollEndpoint",
		221 |                 "ecs:Poll",
		222 |                 "ecs:RegisterContainerInstance",
		223 |                 "ecs:StartTelemetrySession",
		224 |                 "ecs:Submit*",
		225 |                 "logs:CreateLogGroup",
		226 |                 "logs:CreateLogStream",
		227 |                 "logs:PutLogEvents",
		228 |                 "logs:DescribeLogStreams",
		229 |                 "ecr:*"
		230 |             ],
		231 |             "Resource": "*",
		232 |             "Effect": "Allow"
		233 |         }
		234 |     ]
		235 | }
		236 | EOF
		237 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: module.apex-ecs.aws_iam_policy.ec2_instance_policy
	File: /modules/ecs/main.tf:204-237
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		204 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		205 |   name = "${var.app_name}-ec2-instance-policy"
		206 |   tags = merge(
		207 |     var.tags_common,
		208 |     {
		209 |       Name = "${var.app_name}-ec2-instance-policy"
		210 |     }
		211 |   )
		212 |   policy = <<EOF
		213 | {
		214 |     "Version": "2012-10-17",
		215 |     "Statement": [
		216 |         {
		217 |             "Action": [
		218 |                 "ecs:CreateCluster",
		219 |                 "ecs:DeregisterContainerInstance",
		220 |                 "ecs:DiscoverPollEndpoint",
		221 |                 "ecs:Poll",
		222 |                 "ecs:RegisterContainerInstance",
		223 |                 "ecs:StartTelemetrySession",
		224 |                 "ecs:Submit*",
		225 |                 "logs:CreateLogGroup",
		226 |                 "logs:CreateLogStream",
		227 |                 "logs:PutLogEvents",
		228 |                 "logs:DescribeLogStreams",
		229 |                 "ecr:*"
		230 |             ],
		231 |             "Resource": "*",
		232 |             "Effect": "Allow"
		233 |         }
		234 |     ]
		235 | }
		236 | EOF
		237 | }

Check: CKV_AWS_249: "Ensure that the Execution Role ARN and the Task Role ARN are different in ECS Task definitions"
	FAILED for resource: module.apex-ecs.aws_ecs_task_definition.windows_ecs_task_definition
	File: /modules/ecs/main.tf:266-287
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-the-aws-execution-role-arn-and-task-role-arn-are-different-in-ecs-task-definitions

		266 | resource "aws_ecs_task_definition" "windows_ecs_task_definition" {
		267 |   family             = "${var.app_name}-task-definition"
		268 |   count              = var.container_instance_type == "windows" ? 1 : 0
		269 |   execution_role_arn = aws_iam_role.ecs_task_execution_role.arn # grants the Amazon ECS container agents permission to make AWS API calls on your behalf
		270 |   task_role_arn      = aws_iam_role.ecs_task_execution_role.arn # assumed by the containers running in the task, allowing your application code (on the container) to use other AWS services
		271 |   requires_compatibilities = [
		272 |     "EC2",
		273 |   ]
		274 | 
		275 |   # volume {
		276 |   #   name = var.task_definition_volume
		277 |   # }
		278 | 
		279 |   container_definitions = var.task_definition
		280 | 
		281 |   tags = merge(
		282 |     var.tags_common,
		283 |     {
		284 |       Name = "${var.app_name}-windows-task-definition"
		285 |     }
		286 |   )
		287 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.apex-ecs.aws_iam_policy.ecs_service
	File: /modules/ecs/main.tf:439-467
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		439 | resource "aws_iam_policy" "ecs_service" { #tfsec:ignore:aws-iam-no-policy-wildcards
		440 |   name = "${var.app_name}-ecs-service-policy"
		441 |   tags = merge(
		442 |     var.tags_common,
		443 |     {
		444 |       Name = "${var.app_name}-ecs-service-policy"
		445 |     }
		446 |   )
		447 |   policy = <<EOF
		448 | {
		449 |   "Version": "2012-10-17",
		450 |   "Statement": [
		451 |     {
		452 |       "Effect": "Allow",
		453 |       "Action": [
		454 |         "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
		455 |         "elasticloadbalancing:DeregisterTargets",
		456 |         "elasticloadbalancing:Describe*",
		457 |         "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
		458 |         "elasticloadbalancing:RegisterTargets",
		459 |         "ec2:Describe*",
		460 |         "ec2:AuthorizeSecurityGroupIngress"
		461 |       ],
		462 |       "Resource": ["*"]
		463 |     }
		464 |   ]
		465 | }
		466 | EOF
		467 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: module.apex-ecs.aws_iam_policy.ecs_service
	File: /modules/ecs/main.tf:439-467
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		439 | resource "aws_iam_policy" "ecs_service" { #tfsec:ignore:aws-iam-no-policy-wildcards
		440 |   name = "${var.app_name}-ecs-service-policy"
		441 |   tags = merge(
		442 |     var.tags_common,
		443 |     {
		444 |       Name = "${var.app_name}-ecs-service-policy"
		445 |     }
		446 |   )
		447 |   policy = <<EOF
		448 | {
		449 |   "Version": "2012-10-17",
		450 |   "Statement": [
		451 |     {
		452 |       "Effect": "Allow",
		453 |       "Action": [
		454 |         "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
		455 |         "elasticloadbalancing:DeregisterTargets",
		456 |         "elasticloadbalancing:Describe*",
		457 |         "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
		458 |         "elasticloadbalancing:RegisterTargets",
		459 |         "ec2:Describe*",
		460 |         "ec2:AuthorizeSecurityGroupIngress"
		461 |       ],
		462 |       "Resource": ["*"]
		463 |     }
		464 |   ]
		465 | }
		466 | EOF
		467 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: module.apex-ecs.aws_cloudwatch_log_group.cloudwatch_group
	File: /modules/ecs/main.tf:488-499
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		488 | resource "aws_cloudwatch_log_group" "cloudwatch_group" {
		489 |   #checkov:skip=CKV_AWS_158:Temporarily skip KMS encryption check while logging solution is being updated
		490 |   name              = "${var.app_name}-ecs-container-logs"
		491 |   retention_in_days = 90
		492 |   kms_key_id        = var.log_group_kms_key
		493 |   tags = merge(
		494 |     var.tags_common,
		495 |     {
		496 |       Name = "${var.app_name}-ecs-container-logs"
		497 |     }
		498 |   )
		499 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: module.apex-ecs.aws_cloudwatch_log_group.ec2
	File: /modules/ecs/main.tf:506-516
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		506 | resource "aws_cloudwatch_log_group" "ec2" {
		507 |   name              = "${var.app_name}-ecs-ec2-logs"
		508 |   retention_in_days = 90
		509 |   kms_key_id        = var.log_group_kms_key
		510 |   tags = merge(
		511 |     var.tags_common,
		512 |     {
		513 |       Name = "${var.app_name}-ecs-ec2-logs"
		514 |     }
		515 |   )
		516 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy.backuplambdapolicy
	File: /modules/lambdapolicy/main.tf:21-58
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		22 |   name   = var.backup_policy_name
		23 |   tags   = var.tags
		24 |   policy = <<EOF
		25 | {
		26 |     "Version" : "2012-10-17",
		27 |     "Statement": [
		28 |         {
		29 |             "Action": [
		30 |                 "lambda:InvokeFunction",
		31 |                 "ec2:CreateNetworkInterface",
		32 |                 "ec2:DescribeNetworkInterfaces",
		33 |                 "ec2:DeleteNetworkInterface",
		34 |                 "ec2:DescribeSecurityGroups",
		35 |                 "ec2:CreateSnapshot",
		36 |                 "ec2:DeleteSnapshot",
		37 |                 "ec2:DescribeSubnets",
		38 |                 "ec2:DescribeVpcs",
		39 |                 "ec2:DescribeInstances",
		40 |                 "ec2:DescribeAddresses",
		41 |                 "ec2:DescribeInstanceStatus",
		42 |                 "ec2:DescribeVolumes",
		43 |                 "ec2:DescribeSnapshots",
		44 |                 "ec2:CreateTags",
		45 |                 "s3:*",
		46 |                 "ssm:*",
		47 |                 "ses:*",
		48 |                 "logs:*",
		49 |                 "cloudwatch:*",
		50 |                 "sts:AssumeRole"
		51 |             ],
		52 |             "Resource": "*",
		53 |             "Effect": "Allow"
		54 |         }
		55 |     ]
		56 | }
		57 | EOF
		58 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.backuplambdapolicy
	File: /modules/lambdapolicy/main.tf:21-58
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		22 |   name   = var.backup_policy_name
		23 |   tags   = var.tags
		24 |   policy = <<EOF
		25 | {
		26 |     "Version" : "2012-10-17",
		27 |     "Statement": [
		28 |         {
		29 |             "Action": [
		30 |                 "lambda:InvokeFunction",
		31 |                 "ec2:CreateNetworkInterface",
		32 |                 "ec2:DescribeNetworkInterfaces",
		33 |                 "ec2:DeleteNetworkInterface",
		34 |                 "ec2:DescribeSecurityGroups",
		35 |                 "ec2:CreateSnapshot",
		36 |                 "ec2:DeleteSnapshot",
		37 |                 "ec2:DescribeSubnets",
		38 |                 "ec2:DescribeVpcs",
		39 |                 "ec2:DescribeInstances",
		40 |                 "ec2:DescribeAddresses",
		41 |                 "ec2:DescribeInstanceStatus",
		42 |                 "ec2:DescribeVolumes",
		43 |                 "ec2:DescribeSnapshots",
		44 |                 "ec2:CreateTags",
		45 |                 "s3:*",
		46 |                 "ssm:*",
		47 |                 "ses:*",
		48 |                 "logs:*",
		49 |                 "cloudwatch:*",
		50 |                 "sts:AssumeRole"
		51 |             ],
		52 |             "Resource": "*",
		53 |             "Effect": "Allow"
		54 |         }
		55 |     ]
		56 | }
		57 | EOF
		58 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.backuplambdapolicy
	File: /modules/lambdapolicy/main.tf:21-58
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		22 |   name   = var.backup_policy_name
		23 |   tags   = var.tags
		24 |   policy = <<EOF
		25 | {
		26 |     "Version" : "2012-10-17",
		27 |     "Statement": [
		28 |         {
		29 |             "Action": [
		30 |                 "lambda:InvokeFunction",
		31 |                 "ec2:CreateNetworkInterface",
		32 |                 "ec2:DescribeNetworkInterfaces",
		33 |                 "ec2:DeleteNetworkInterface",
		34 |                 "ec2:DescribeSecurityGroups",
		35 |                 "ec2:CreateSnapshot",
		36 |                 "ec2:DeleteSnapshot",
		37 |                 "ec2:DescribeSubnets",
		38 |                 "ec2:DescribeVpcs",
		39 |                 "ec2:DescribeInstances",
		40 |                 "ec2:DescribeAddresses",
		41 |                 "ec2:DescribeInstanceStatus",
		42 |                 "ec2:DescribeVolumes",
		43 |                 "ec2:DescribeSnapshots",
		44 |                 "ec2:CreateTags",
		45 |                 "s3:*",
		46 |                 "ssm:*",
		47 |                 "ses:*",
		48 |                 "logs:*",
		49 |                 "cloudwatch:*",
		50 |                 "sts:AssumeRole"
		51 |             ],
		52 |             "Resource": "*",
		53 |             "Effect": "Allow"
		54 |         }
		55 |     ]
		56 | }
		57 | EOF
		58 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_policy.backuplambdapolicy
	File: /modules/lambdapolicy/main.tf:21-58
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		22 |   name   = var.backup_policy_name
		23 |   tags   = var.tags
		24 |   policy = <<EOF
		25 | {
		26 |     "Version" : "2012-10-17",
		27 |     "Statement": [
		28 |         {
		29 |             "Action": [
		30 |                 "lambda:InvokeFunction",
		31 |                 "ec2:CreateNetworkInterface",
		32 |                 "ec2:DescribeNetworkInterfaces",
		33 |                 "ec2:DeleteNetworkInterface",
		34 |                 "ec2:DescribeSecurityGroups",
		35 |                 "ec2:CreateSnapshot",
		36 |                 "ec2:DeleteSnapshot",
		37 |                 "ec2:DescribeSubnets",
		38 |                 "ec2:DescribeVpcs",
		39 |                 "ec2:DescribeInstances",
		40 |                 "ec2:DescribeAddresses",
		41 |                 "ec2:DescribeInstanceStatus",
		42 |                 "ec2:DescribeVolumes",
		43 |                 "ec2:DescribeSnapshots",
		44 |                 "ec2:CreateTags",
		45 |                 "s3:*",
		46 |                 "ssm:*",
		47 |                 "ses:*",
		48 |                 "logs:*",
		49 |                 "cloudwatch:*",
		50 |                 "sts:AssumeRole"
		51 |             ],
		52 |             "Resource": "*",
		53 |             "Effect": "Allow"
		54 |         }
		55 |     ]
		56 | }
		57 | EOF
		58 | }

Check: CKV_AWS_287: "Ensure IAM policies does not allow credentials exposure"
	FAILED for resource: aws_iam_policy.backuplambdapolicy
	File: /modules/lambdapolicy/main.tf:21-58
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-287

		21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		22 |   name   = var.backup_policy_name
		23 |   tags   = var.tags
		24 |   policy = <<EOF
		25 | {
		26 |     "Version" : "2012-10-17",
		27 |     "Statement": [
		28 |         {
		29 |             "Action": [
		30 |                 "lambda:InvokeFunction",
		31 |                 "ec2:CreateNetworkInterface",
		32 |                 "ec2:DescribeNetworkInterfaces",
		33 |                 "ec2:DeleteNetworkInterface",
		34 |                 "ec2:DescribeSecurityGroups",
		35 |                 "ec2:CreateSnapshot",
		36 |                 "ec2:DeleteSnapshot",
		37 |                 "ec2:DescribeSubnets",
		38 |                 "ec2:DescribeVpcs",
		39 |                 "ec2:DescribeInstances",
		40 |                 "ec2:DescribeAddresses",
		41 |                 "ec2:DescribeInstanceStatus",
		42 |                 "ec2:DescribeVolumes",
		43 |                 "ec2:DescribeSnapshots",
		44 |                 "ec2:CreateTags",
		45 |                 "s3:*",
		46 |                 "ssm:*",
		47 |                 "ses:*",
		48 |                 "logs:*",
		49 |                 "cloudwatch:*",
		50 |                 "sts:AssumeRole"
		51 |             ],
		52 |             "Resource": "*",
		53 |             "Effect": "Allow"
		54 |         }
		55 |     ]
		56 | }
		57 | EOF
		58 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: pagerduty_core_alerts
	File: /sns.tf:34-41
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		34 | module "pagerduty_core_alerts" {
		35 |   depends_on = [
		36 |     aws_sns_topic.apex
		37 |   ]
		38 |   source                    = "github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0"
		39 |   sns_topics                = [aws_sns_topic.apex.name]
		40 |   pagerduty_integration_key = local.pagerduty_integration_keys[local.pagerduty_integration_key_name]
		41 | }
Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.apex
	File: /sns.tf:6-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		6  | resource "aws_sns_topic" "apex" {
		7  |   name = "${local.application_name}-${local.environment}-alerting-topic"
		8  |   tags = merge(
		9  |     local.tags,
		10 |     {
		11 |       Name = "${local.application_name}-${local.environment}-alerting-topic"
		12 |     }
		13 |   )
		14 | }

Check: CKV_AWS_176: "Ensure Logging is enabled for WAF Web Access Control Lists"
	FAILED for resource: aws_waf_web_acl.waf_acl
	File: /waf.tf:57-87
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-31

		57 | resource "aws_waf_web_acl" "waf_acl" {
		58 |   depends_on = [
		59 |     aws_waf_rule.wafmanualallowrule,
		60 |     aws_waf_rule.wafmanualblockrule,
		61 |   ]
		62 |   name        = "${upper(local.application_name)} Whitelisting Requesters"
		63 |   metric_name = "${upper(local.application_name)}WhitelistingRequesters"
		64 |   #   scope    = "CLOUDFRONT"
		65 |   #   provider = aws.us-east-1
		66 |   default_action {
		67 |     type = "BLOCK"
		68 |   }
		69 | 
		70 |   rules {
		71 |     action {
		72 |       type = "ALLOW"
		73 |     }
		74 |     priority = 1
		75 |     rule_id  = aws_waf_rule.wafmanualallowrule.id
		76 |     type     = "REGULAR"
		77 |   }
		78 | 
		79 |   rules {
		80 |     action {
		81 |       type = "BLOCK"
		82 |     }
		83 |     priority = 2
		84 |     rule_id  = aws_waf_rule.wafmanualblockrule.id
		85 |     type     = "REGULAR"
		86 |   }
		87 | }

Check: CKV2_AWS_47: "Ensure AWS CloudFront attached WAFv2 WebACL is configured with AMR for Log4j Vulnerability"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:177-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-47

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: module.alb.aws_secretsmanager_secret.cloudfront
	File: /modules/alb/main.tf:275-278
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		275 | resource "aws_secretsmanager_secret" "cloudfront" {
		276 |   name        = "cloudfront-v1-secret-${var.application_name}"
		277 |   description = "Simple secret created by AWS CloudFormation to be shared between ALB and CloudFront"
		278 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.cloudfront
	File: /cloudfront.tf:109-122
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		109 | resource "aws_s3_bucket" "cloudfront" {
		110 |   bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		111 |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		112 |   tags = merge(
		113 |     local.tags,
		114 |     {
		115 |       Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		116 |     }
		117 |   )
		118 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		119 |   lifecycle {
		120 |     prevent_destroy = false
		121 |   }
		122 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:101-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		101 | resource "aws_s3_bucket" "backup_lambda" {
		102 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		103 |   tags = merge(
		104 |     local.tags,
		105 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		106 |   )
		107 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
	File: /modules/codebuild/main.tf:5-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		5  | resource "aws_s3_bucket" "deployment_report" {
		6  |   bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		7  |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		8  |   tags = merge(
		9  |     var.tags,
		10 |     {
		11 |       Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		12 |     },
		13 |   )
		14 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.laa-lambda-backup
	File: /modules/s3/main.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		1 | resource "aws_s3_bucket" "laa-lambda-backup" {
		2 |   bucket = var.bucket_name
		3 |   tags   = var.tags
		4 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.cloudfront
	File: /cloudfront.tf:109-122
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		109 | resource "aws_s3_bucket" "cloudfront" {
		110 |   bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		111 |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		112 |   tags = merge(
		113 |     local.tags,
		114 |     {
		115 |       Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		116 |     }
		117 |   )
		118 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		119 |   lifecycle {
		120 |     prevent_destroy = false
		121 |   }
		122 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:101-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		101 | resource "aws_s3_bucket" "backup_lambda" {
		102 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		103 |   tags = merge(
		104 |     local.tags,
		105 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		106 |   )
		107 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
	File: /modules/codebuild/main.tf:5-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		5  | resource "aws_s3_bucket" "deployment_report" {
		6  |   bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		7  |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		8  |   tags = merge(
		9  |     var.tags,
		10 |     {
		11 |       Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		12 |     },
		13 |   )
		14 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.laa-lambda-backup
	File: /modules/s3/main.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		1 | resource "aws_s3_bucket" "laa-lambda-backup" {
		2 |   bucket = var.bucket_name
		3 |   tags   = var.tags
		4 | }

Check: CKV2_AWS_32: "Ensure CloudFront distribution has a response headers policy attached"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:177-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/bc-aws-networking-65

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AWS_18: "Ensure that Elastic File System (Amazon EFS) file systems are added in the backup plans of AWS Backup"
	FAILED for resource: aws_efs_file_system.efs
	File: /efs.tf:41-55
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-elastic-file-system-amazon-efs-file-systems-are-added-in-the-backup-plans-of-aws-backup

		41 | resource "aws_efs_file_system" "efs" {
		42 |   encrypted        = true
		43 |   kms_key_id       = aws_kms_key.efs.arn
		44 |   performance_mode = "maxIO"
		45 |   throughput_mode  = "bursting"
		46 | 
		47 |   tags = merge(
		48 |     local.tags,
		49 |     { "Name" = "mp-${local.application_name}-efs" }
		50 |   )
		51 | 
		52 |   lifecycle_policy {
		53 |     transition_to_ia = "AFTER_90_DAYS"
		54 |   }
		55 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.cloudfront
	File: /cloudfront.tf:109-122
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		109 | resource "aws_s3_bucket" "cloudfront" {
		110 |   bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		111 |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		112 |   tags = merge(
		113 |     local.tags,
		114 |     {
		115 |       Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		116 |     }
		117 |   )
		118 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		119 |   lifecycle {
		120 |     prevent_destroy = false
		121 |   }
		122 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:101-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		101 | resource "aws_s3_bucket" "backup_lambda" {
		102 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		103 |   tags = merge(
		104 |     local.tags,
		105 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		106 |   )
		107 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
	File: /modules/codebuild/main.tf:5-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		5  | resource "aws_s3_bucket" "deployment_report" {
		6  |   bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		7  |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		8  |   tags = merge(
		9  |     var.tags,
		10 |     {
		11 |       Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		12 |     },
		13 |   )
		14 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.laa-lambda-backup
	File: /modules/s3/main.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		1 | resource "aws_s3_bucket" "laa-lambda-backup" {
		2 |   bucket = var.bucket_name
		3 |   tags   = var.tags
		4 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.u01-orahome
	File: /ec2.tf:169-184
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		169 | resource "aws_ebs_volume" "u01-orahome" {
		170 |   availability_zone = "eu-west-2a"
		171 |   size              = local.application_data.accounts[local.environment].u01_orahome_size
		172 |   type              = "gp3"
		173 |   encrypted         = true
		174 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		175 |   snapshot_id       = local.application_data.accounts[local.environment].u01_orahome_snapshot
		176 |   lifecycle {
		177 |     ignore_changes = [kms_key_id]
		178 |   }
		179 |   tags = merge(
		180 |     local.tags,
		181 |     { "Name" = "${local.application_name}db-ec2-u01-orahome" },
		182 |     { "backup" = "false" }
		183 |   )
		184 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.u02-oradata
	File: /ec2.tf:191-206
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		191 | resource "aws_ebs_volume" "u02-oradata" {
		192 |   availability_zone = "eu-west-2a"
		193 |   size              = local.application_data.accounts[local.environment].u02_oradata_size
		194 |   type              = "gp3"
		195 |   encrypted         = true
		196 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		197 |   snapshot_id       = local.application_data.accounts[local.environment].u02_oradata_snapshot
		198 |   lifecycle {
		199 |     ignore_changes = [kms_key_id]
		200 |   }
		201 |   tags = merge(
		202 |     local.tags,
		203 |     { "Name" = "${local.application_name}db-ec2-u02-oradata" },
		204 |     { "backup" = "false" }
		205 |   )
		206 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.u03-redo
	File: /ec2.tf:216-231
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		216 | resource "aws_ebs_volume" "u03-redo" {
		217 |   availability_zone = "eu-west-2a"
		218 |   size              = local.application_data.accounts[local.environment].u03_redo_size
		219 |   type              = "gp3"
		220 |   encrypted         = true
		221 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		222 |   snapshot_id       = local.application_data.accounts[local.environment].u03_redo_snapshot
		223 |   lifecycle {
		224 |     ignore_changes = [kms_key_id]
		225 |   }
		226 |   tags = merge(
		227 |     local.tags,
		228 |     { "Name" = "${local.application_name}db-ec2-u03-redo" },
		229 |     { "backup" = "false" }
		230 |   )
		231 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.u04-arch
	File: /ec2.tf:238-253
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		238 | resource "aws_ebs_volume" "u04-arch" {
		239 |   availability_zone = "eu-west-2a"
		240 |   size              = local.application_data.accounts[local.environment].u04_arch_size
		241 |   type              = "gp3"
		242 |   encrypted         = true
		243 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		244 |   snapshot_id       = local.application_data.accounts[local.environment].u04_arch_snapshot
		245 |   lifecycle {
		246 |     ignore_changes = [kms_key_id]
		247 |   }
		248 |   tags = merge(
		249 |     local.tags,
		250 |     { "Name" = "${local.application_name}db-ec2-u04-arch" },
		251 |     { "backup" = "false" }
		252 |   )
		253 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.cloudfront
	File: /cloudfront.tf:109-122
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		109 | resource "aws_s3_bucket" "cloudfront" {
		110 |   bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		111 |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		112 |   tags = merge(
		113 |     local.tags,
		114 |     {
		115 |       Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		116 |     }
		117 |   )
		118 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		119 |   lifecycle {
		120 |     prevent_destroy = false
		121 |   }
		122 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:101-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		101 | resource "aws_s3_bucket" "backup_lambda" {
		102 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		103 |   tags = merge(
		104 |     local.tags,
		105 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		106 |   )
		107 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
	File: /modules/codebuild/main.tf:5-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		5  | resource "aws_s3_bucket" "deployment_report" {
		6  |   bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		7  |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		8  |   tags = merge(
		9  |     var.tags,
		10 |     {
		11 |       Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		12 |     },
		13 |   )
		14 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.laa-lambda-backup
	File: /modules/s3/main.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		1 | resource "aws_s3_bucket" "laa-lambda-backup" {
		2 |   bucket = var.bucket_name
		3 |   tags   = var.tags
		4 | }

Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
	File: /modules/codebuild/main.tf:5-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		5  | resource "aws_s3_bucket" "deployment_report" {
		6  |   bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		7  |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		8  |   tags = merge(
		9  |     var.tags,
		10 |     {
		11 |       Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		12 |     },
		13 |   )
		14 | }

Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV2_AWS_65: "Ensure access control lists for S3 buckets are disabled"
	FAILED for resource: aws_s3_bucket_ownership_controls.backup_lambda
	File: /lambda.tf:124-129
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-112

		124 | resource "aws_s3_bucket_ownership_controls" "backup_lambda" {
		125 |   bucket = aws_s3_bucket.backup_lambda.id
		126 |   rule {
		127 |     object_ownership = "ObjectWriter"
		128 |   }
		129 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:101-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		101 | resource "aws_s3_bucket" "backup_lambda" {
		102 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		103 |   tags = merge(
		104 |     local.tags,
		105 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		106 |   )
		107 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.laa-lambda-backup
	File: /modules/s3/main.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		1 | resource "aws_s3_bucket" "laa-lambda-backup" {
		2 |   bucket = var.bucket_name
		3 |   tags   = var.tags
		4 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.cloudfront
	File: /cloudfront.tf:109-122
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		109 | resource "aws_s3_bucket" "cloudfront" {
		110 |   bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		111 |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		112 |   tags = merge(
		113 |     local.tags,
		114 |     {
		115 |       Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		116 |     }
		117 |   )
		118 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		119 |   lifecycle {
		120 |     prevent_destroy = false
		121 |   }
		122 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV2_AWS_46: "Ensure AWS CloudFront Distribution with S3 have Origin Access set to enabled"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:177-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-aws-cloudfromt-distribution-with-s3-have-origin-access-set-to-enabled

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
terraform_plan scan results:

Passed checks: 0, Failed checks: 0, Skipped checks: 0, Parsing errors: 1


checkov_exitcode=1

CTFLint Scan Failed

*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/apex

*****************************

Running tflint in terraform/environments/apex
Excluding the following checks: terraform_unused_declarations
7 issue(s) found:

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/apex/alb.tf line 17:
  17:     "${local.application_data.accounts[local.environment].acm_cert_domain_name}" = {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/apex/alb.tf line 19:
  19:       zone_name = "${local.application_data.accounts[local.environment].acm_cert_domain_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "template" in `required_providers` (terraform_required_providers)

  on terraform/environments/apex/cloudwatch.tf line 401:
 401: data "template_file" "dashboard" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "local" in `required_providers` (terraform_required_providers)

  on terraform/environments/apex/ec2.tf line 42:
  42: data "local_file" "cloudwatch_agent" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/apex/event_triggers.tf line 22:
  22:   input = jsonencode({ "appname" : "${local.database_ec2_name}" })

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "time" in `required_providers` (terraform_required_providers)

  on terraform/environments/apex/lambda.tf line 119:
 119: resource "time_sleep" "wait_for_provision_files" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "archive" in `required_providers` (terraform_required_providers)

  on terraform/environments/apex/lambda.tf line 173:
 173: data "archive_file" "connect_db" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

tflint_exitcode=2

Trivy Scan Failed

*****************************

Trivy will check the following folders:
terraform/environments/apex

*****************************

Running Trivy in terraform/environments/apex
2024-11-28T14:12:43Z	INFO	[vulndb] Need to update DB
2024-11-28T14:12:43Z	INFO	[vulndb] Downloading vulnerability DB...
2024-11-28T14:12:43Z	INFO	[vulndb] Downloading artifact...	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-11-28T14:12:46Z	INFO	[vulndb] Artifact successfully downloaded	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-11-28T14:12:46Z	INFO	[vuln] Vulnerability scanning is enabled
2024-11-28T14:12:46Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-11-28T14:12:46Z	INFO	[misconfig] Need to update the built-in checks
2024-11-28T14:12:46Z	INFO	[misconfig] Downloading the built-in checks...
2024-11-28T14:12:46Z	ERROR	[misconfig] Falling back to embedded checks	err="failed to download built-in policies: download error: OCI repository error: 1 error occurred:\n\t* GET https://ghcr.io/v2/aquasecurity/trivy-checks/manifests/1: TOOMANYREQUESTS: retry-after: 831.067µs, allowed: 44000/minute\n\n"
2024-11-28T14:12:46Z	INFO	[secret] Secret scanning is enabled
2024-11-28T14:12:46Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-11-28T14:12:46Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-11-28T14:12:47Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-11-28T14:12:47Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2024-11-28T14:12:47Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="aws_waf_ipset.wafmanualallowset" err="1 error occurred:\n\t* invalid for-each in aws_waf_ipset.wafmanualallowset.dynamic.ip_set_descriptors block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-28T14:12:47Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="aws_waf_ipset.wafmanualallowset" err="1 error occurred:\n\t* invalid for-each in aws_waf_ipset.wafmanualallowset.dynamic.ip_set_descriptors block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-28T14:12:47Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.aws_route53_record.external_lb_validation_core_network_services" value="cty.NilVal"
2024-11-28T14:12:47Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.aws_route53_record.external_lb_validation_core_vpc" value="cty.NilVal"
2024-11-28T14:12:47Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.aws_route53_record.external_lb_validation_self" value="cty.NilVal"
2024-11-28T14:12:47Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.data.aws_route53_zone.core_network_services" value="cty.NilVal"
2024-11-28T14:12:47Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.data.aws_route53_zone.core_vpc" value="cty.NilVal"
2024-11-28T14:12:47Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.data.aws_route53_zone.self" value="cty.NilVal"
2024-11-28T14:12:48Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.apex-ecs.aws_autoscaling_group.cluster-scaling-group" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.cluster-scaling-group.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-28T14:12:48Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.apex-ecs.aws_autoscaling_group.cluster-scaling-group" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.cluster-scaling-group.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-28T14:12:48Z	INFO	[terraform scanner] Scanning root module	file_path="modules/lambdapolicy"
2024-11-28T14:12:48Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="tags"
2024-11-28T14:12:48Z	INFO	[terraform scanner] Scanning root module	file_path="modules/s3"
2024-11-28T14:12:48Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="tags"
2024-11-28T14:12:49Z	INFO	[terraform executor] Ignore finding	rule="aws-elb-alb-not-public" range="modules/alb/main.tf:210-234"
2024-11-28T14:12:49Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0/main.tf:171-179"
2024-11-28T14:12:49Z	INFO	Number of language-specific files	num=0
2024-11-28T14:12:49Z	INFO	Detected config files	num=12

cloudfront.tf (terraform)
=========================
Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0013 (HIGH): Distribution allows unencrypted communications.
════════════════════════════════════════
You should not use outdated/insecure TLS versions for encryption. You should be using TLS v1.2+.
Note: that setting *minimum_protocol_version = "TLSv1.2_2021"* is only possible when *cloudfront_default_certificate* is false (eg. you are not using the cloudfront.net domain name).
If *cloudfront_default_certificate* is true then the Cloudfront API will only allow setting *minimum_protocol_version = "TLSv1"*, and setting it to any other value will result in a perpetual diff in your *terraform plan*'s.
The only option when using the cloudfront.net domain name is to ignore this rule.


See https://avd.aquasec.com/misconfig/avd-aws-0013
────────────────────────────────────────
 cloudfront.tf:241-245
   via cloudfront.tf:177-267 (aws_cloudfront_distribution.external)
────────────────────────────────────────
 177   resource "aws_cloudfront_distribution" "external" {
 ...   
 241 ┌   viewer_certificate {
 242 │     acm_certificate_arn      = aws_acm_certificate.cloudfront.arn
 243 │     ssl_support_method       = "sni-only"
 244 │     minimum_protocol_version = "TLSv1.2_2018"
 245 └   }
 ...   
 267   }
────────────────────────────────────────


AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.


See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 cloudfront.tf:131-142
────────────────────────────────────────
 131 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "cloudfront" {
 132 │   bucket = aws_s3_bucket.cloudfront.id
 133 │   rule {
 134 │     apply_server_side_encryption_by_default {
 135 │       sse_algorithm = "AES256"
 136 │     }
 137 │   }
 138 │   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
 139 │   lifecycle {
 ...   
────────────────────────────────────────



ec2.tf (terraform)
==================
Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 ec2.tf:6-40
────────────────────────────────────────
   6 ┌ resource "aws_instance" "apex_db_instance" {
   7 │   ami                         = local.application_data.accounts[local.environment].ec2amiid
   8 │   associate_public_ip_address = false
   9 │   availability_zone           = "eu-west-2a"
  10 │   ebs_optimized               = true
  11 │   instance_type               = local.application_data.accounts[local.environment].ec2instancetype
  12 │   vpc_security_group_ids      = [aws_security_group.database.id]
  13 │   monitoring                  = true
  14 │   subnet_id                   = data.aws_subnet.data_subnets_a.id
  ..   
────────────────────────────────────────



lambda.tf (terraform)
=====================
Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0088 (HIGH): Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.


See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
 lambda.tf:101-107
────────────────────────────────────────
 101 ┌ resource "aws_s3_bucket" "backup_lambda" {
 102 │   bucket = "${local.application_name}-${local.environment}-backup-lambda"
 103 │   tags = merge(
 104 │     local.tags,
 105 │     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
 106 │   )
 107 └ }
────────────────────────────────────────


AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.


See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 lambda.tf:101-107
────────────────────────────────────────
 101 ┌ resource "aws_s3_bucket" "backup_lambda" {
 102 │   bucket = "${local.application_name}-${local.environment}-backup-lambda"
 103 │   tags = merge(
 104 │     local.tags,
 105 │     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
 106 │   )
 107 └ }
────────────────────────────────────────



modules/ecs/main.tf (terraform)
===============================
Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0130 (HIGH): Launch template does not require IMDS access to require a token
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.


See https://avd.aquasec.com/misconfig/aws-autoscaling-enforce-http-token-imds
────────────────────────────────────────
 modules/ecs/main.tf:119-123
   via modules/ecs/main.tf:107-164 (aws_launch_template.ec2-launch-template)
    via ecs.tf:5-38 (module.apex-ecs)
────────────────────────────────────────
 107   resource "aws_launch_template" "ec2-launch-template" {
 ...   
 119metadata_options {
 120http_endpoint               = "enabled"
 121http_tokens                 = "optional"
 122http_put_response_hop_limit = "2"
 123 └   }
 ...   
 164   }
────────────────────────────────────────



modules/s3/main.tf (terraform)
==============================
Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0088 (HIGH): Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.


See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
 modules/s3/main.tf:1-4
────────────────────────────────────────
   1resource "aws_s3_bucket" "laa-lambda-backup" {
   2bucket = var.bucket_name
   3tags   = var.tags
   4 └ }
────────────────────────────────────────


AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.


See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 modules/s3/main.tf:1-4
────────────────────────────────────────
   1resource "aws_s3_bucket" "laa-lambda-backup" {
   2bucket = var.bucket_name
   3tags   = var.tags
   4 └ }
────────────────────────────────────────


trivy_exitcode=1

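Added example, not code from this PR or from the environments repository: the two classes of finding in the Trivy run above, a bare `aws_s3_bucket` with no server-side encryption (AVD-AWS-0088 / AVD-AWS-0132) and `http_tokens = "optional"` on the instance and launch template (AVD-AWS-0028 / AVD-AWS-0130), with the Terraform that clears them. The KMS key and alias, their names, and the argument placeholders inside the existing resources are assumptions for illustration; the `local.*` references follow the naming the flagged resources already use. Worth noting from the same log: the platform's `modernisation-platform-terraform-s3-bucket` module already carries an ignore for `aws-s3-encryption-customer-key`, so buckets created through that module instead of a raw `aws_s3_bucket` do not need this by hand.

```hcl
# Added example (not from the PR). Assumed: aws_kms_key.backup_lambda and
# aws_kms_alias.backup_lambda do not yet exist; local.application_name,
# local.environment and local.tags are the same locals the flagged code uses.

# AVD-AWS-0132 asks for a customer managed key rather than the AWS-managed aws/s3 key.
resource "aws_kms_key" "backup_lambda" {
  description             = "CMK for ${local.application_name}-${local.environment}-backup-lambda"
  enable_key_rotation     = true # automatic annual rotation; the check that Checkov runs as CKV_AWS_7
  deletion_window_in_days = 30
  tags                    = local.tags
}

resource "aws_kms_alias" "backup_lambda" {
  name          = "alias/${local.application_name}-${local.environment}-backup-lambda"
  target_key_id = aws_kms_key.backup_lambda.key_id
}

# The flagged bucket, unchanged. With AWS provider v4+ encryption lives on a
# separate resource, which is why a bucket block on its own trips AVD-AWS-0088.
resource "aws_s3_bucket" "backup_lambda" {
  bucket = "${local.application_name}-${local.environment}-backup-lambda"
  tags = merge(
    local.tags,
    { Name = "${local.application_name}-${local.environment}-backup-lambda" }
  )
}

# AVD-AWS-0088 and AVD-AWS-0132: default SSE-KMS with the CMK above. Objects
# written without an explicit encryption header get this key automatically.
resource "aws_s3_bucket_server_side_encryption_configuration" "backup_lambda" {
  bucket = aws_s3_bucket.backup_lambda.id

  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"
      kms_master_key_id = aws_kms_key.backup_lambda.arn
    }
    bucket_key_enabled = true # one data key per bucket instead of per object: fewer KMS calls, same CMK
  }
}

# AVD-AWS-0028 (Checkov: CKV_AWS_79) on the standalone database instance.
# http_tokens = "required" makes the metadata endpoint refuse plain GETs, so an
# SSRF or a compromised local process cannot read the instance role credentials
# without first completing the PUT/token handshake.
resource "aws_instance" "apex_db_instance" {
  ami                    = local.application_data.accounts[local.environment].ec2amiid
  instance_type          = local.application_data.accounts[local.environment].ec2instancetype
  subnet_id              = data.aws_subnet.data_subnets_a.id
  vpc_security_group_ids = [aws_security_group.database.id]
  # ... remaining arguments exactly as in ec2.tf ...

  metadata_options {
    http_endpoint               = "enabled"
    http_tokens                 = "required"
    http_put_response_hop_limit = 1 # nothing on this host proxies IMDS, so the token need not leave the box
  }
}

# AVD-AWS-0130 on the ECS launch template. The hop limit stays at 2 because
# tasks in bridge-mode containers reach IMDS through one extra network hop.
resource "aws_launch_template" "ec2-launch-template" {
  # ... existing arguments exactly as in modules/ecs/main.tf ...

  metadata_options {
    http_endpoint               = "enabled"
    http_tokens                 = "required"
    http_put_response_hop_limit = 2
  }
}
```

Two things to check before and after applying this. Before switching `http_tokens` to `required`, look at the `MetadataNoToken` metric in the `AWS/EC2` CloudWatch namespace for the instance: a non-zero value means something on the host (an older agent, a script using `curl http://169.254.169.254/...` without a token) still speaks IMDSv1 and will break. The `aws_instance` change applies in place, but the launch template change only creates a new template version; instances already in the autoscaling group keep IMDSv1 until they are replaced (an instance refresh, or the next scale-out), so the scan going green does not by itself mean the running fleet is covered. Afterwards, `aws s3api get-bucket-encryption --bucket <name>` should show `aws:kms` with the CMK ARN, and `aws ec2 describe-instances --instance-ids <id> --query 'Reservations[].Instances[].MetadataOptions.HttpTokens'` should return `required`. The `modules/s3/main.tf` bucket (`laa-lambda-backup`) needs the same encryption configuration resource inside the module, with the key ARN passed in as a variable.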
Contributor

Trivy Scan Failed

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/apex


Running Trivy in terraform/environments/apex
2024-11-28T14:50:48Z INFO [vulndb] Need to update DB
2024-11-28T14:50:48Z INFO [vulndb] Downloading vulnerability DB...
2024-11-28T14:50:48Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-11-28T14:50:51Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-11-28T14:50:51Z INFO [vuln] Vulnerability scanning is enabled
2024-11-28T14:50:51Z INFO [misconfig] Misconfiguration scanning is enabled
2024-11-28T14:50:51Z INFO [misconfig] Need to update the built-in checks
2024-11-28T14:50:51Z INFO [misconfig] Downloading the built-in checks...
2024-11-28T14:50:51Z ERROR [misconfig] Falling back to embedded checks err="failed to download built-in policies: download error: oci download error: failed to fetch the layer: GET https://ghcr.io/v2/aquasecurity/trivy-checks/blobs/sha256:16442a4593a0395452e678ef699a880eec94d9211dfc887d52574beb78b95030: TOOMANYREQUESTS: retry-after: 629.901µs, allowed: 44000/minute"
2024-11-28T14:50:51Z INFO [secret] Secret scanning is enabled
2024-11-28T14:50:51Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-11-28T14:50:51Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-11-28T14:50:52Z INFO [terraform scanner] Scanning root module file_path="."
2024-11-28T14:50:52Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2024-11-28T14:50:52Z ERROR [terraform evaluator] Failed to expand dynamic block. block="aws_waf_ipset.wafmanualallowset" err="1 error occurred:\n\t* invalid for-each in aws_waf_ipset.wafmanualallowset.dynamic.ip_set_descriptors block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-28T14:50:52Z ERROR [terraform evaluator] Failed to expand dynamic block. block="aws_waf_ipset.wafmanualallowset" err="1 error occurred:\n\t* invalid for-each in aws_waf_ipset.wafmanualallowset.dynamic.ip_set_descriptors block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-28T14:50:53Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.aws_route53_record.external_lb_validation_core_network_services" value="cty.NilVal"
2024-11-28T14:50:53Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.aws_route53_record.external_lb_validation_core_vpc" value="cty.NilVal"
2024-11-28T14:50:53Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.aws_route53_record.external_lb_validation_self" value="cty.NilVal"
2024-11-28T14:50:53Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.data.aws_route53_zone.core_network_services" value="cty.NilVal"
2024-11-28T14:50:53Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.data.aws_route53_zone.core_vpc" value="cty.NilVal"
2024-11-28T14:50:53Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.data.aws_route53_zone.self" value="cty.NilVal"
2024-11-28T14:50:54Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.apex-ecs.aws_autoscaling_group.cluster-scaling-group" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.cluster-scaling-group.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-28T14:50:54Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.apex-ecs.aws_autoscaling_group.cluster-scaling-group" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.cluster-scaling-group.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-28T14:50:54Z INFO [terraform scanner] Scanning root module file_path="modules/lambdapolicy"
2024-11-28T14:50:54Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="tags"
2024-11-28T14:50:54Z INFO [terraform scanner] Scanning root module file_path="modules/s3"
2024-11-28T14:50:54Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="tags"
2024-11-28T14:50:55Z INFO [terraform executor] Ignore finding rule="aws-elb-alb-not-public" range="modules/alb/main.tf:210-234"
2024-11-28T14:50:55Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0/main.tf:171-179"
2024-11-28T14:50:55Z INFO Number of language-specific files num=0
2024-11-28T14:50:55Z INFO Detected config files num=12

cloudfront.tf (terraform)

Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0013 (HIGH): Distribution allows unencrypted communications.
════════════════════════════════════════
You should not use outdated/insecure TLS versions for encryption. You should be using TLS v1.2+.
Note: that setting minimum_protocol_version = "TLSv1.2_2021" is only possible when cloudfront_default_certificate is false (eg. you are not using the cloudfront.net domain name).
If cloudfront_default_certificate is true then the Cloudfront API will only allow setting minimum_protocol_version = "TLSv1", and setting it to any other value will result in a perpetual diff in your terraform plans.
The only option when using the cloudfront.net domain name is to ignore this rule.

See https://avd.aquasec.com/misconfig/avd-aws-0013
────────────────────────────────────────
cloudfront.tf:241-245
via cloudfront.tf:177-267 (aws_cloudfront_distribution.external)
────────────────────────────────────────
177 resource "aws_cloudfront_distribution" "external" {
...
241 ┌ viewer_certificate {
242 │ acm_certificate_arn = aws_acm_certificate.cloudfront.arn
243 │ ssl_support_method = "sni-only"
244 │ minimum_protocol_version = "TLSv1.2_2018"
245 └ }
...
267 }
────────────────────────────────────────

AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
cloudfront.tf:131-142
────────────────────────────────────────
131 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "cloudfront" {
132 │ bucket = aws_s3_bucket.cloudfront.id
133 │ rule {
134 │ apply_server_side_encryption_by_default {
135 │ sse_algorithm = "AES256"
136 │ }
137 │ }
138 │ # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
139 └ lifecycle {
...
────────────────────────────────────────

ec2.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
ec2.tf:6-40
────────────────────────────────────────
6 ┌ resource "aws_instance" "apex_db_instance" {
7 │ ami = local.application_data.accounts[local.environment].ec2amiid
8 │ associate_public_ip_address = false
9 │ availability_zone = "eu-west-2a"
10 │ ebs_optimized = true
11 │ instance_type = local.application_data.accounts[local.environment].ec2instancetype
12 │ vpc_security_group_ids = [aws_security_group.database.id]
13 │ monitoring = true
14 └ subnet_id = data.aws_subnet.data_subnets_a.id
..
────────────────────────────────────────

lambda.tf (terraform)

Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0088 (HIGH): Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.

See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
lambda.tf:101-107
────────────────────────────────────────
101 ┌ resource "aws_s3_bucket" "backup_lambda" {
102 │ bucket = "${local.application_name}-${local.environment}-backup-lambda"
103 │ tags = merge(
104 │ local.tags,
105 │ { Name = "${local.application_name}-${local.environment}-backup-lambda" }
106 │ )
107 └ }
────────────────────────────────────────

AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
lambda.tf:101-107
────────────────────────────────────────
101 ┌ resource "aws_s3_bucket" "backup_lambda" {
102 │ bucket = "${local.application_name}-${local.environment}-backup-lambda"
103 │ tags = merge(
104 │ local.tags,
105 │ { Name = "${local.application_name}-${local.environment}-backup-lambda" }
106 │ )
107 └ }
────────────────────────────────────────

modules/ecs/main.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0130 (HIGH): Launch template does not require IMDS access to require a token
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/aws-autoscaling-enforce-http-token-imds
────────────────────────────────────────
modules/ecs/main.tf:119-123
via modules/ecs/main.tf:107-164 (aws_launch_template.ec2-launch-template)
via ecs.tf:5-38 (module.apex-ecs)
────────────────────────────────────────
107 resource "aws_launch_template" "ec2-launch-template" {
...
119 ┌ metadata_options {
120 │ http_endpoint = "enabled"
121 │ http_tokens = "optional"
122 │ http_put_response_hop_limit = "2"
123 └ }
...
164 }
────────────────────────────────────────

modules/s3/main.tf (terraform)

Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0088 (HIGH): Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.

See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
modules/s3/main.tf:1-4
────────────────────────────────────────
1 ┌ resource "aws_s3_bucket" "laa-lambda-backup" {
2 │ bucket = var.bucket_name
3 │ tags = var.tags
4 └ }
────────────────────────────────────────

AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
modules/s3/main.tf:1-4
────────────────────────────────────────
1 ┌ resource "aws_s3_bucket" "laa-lambda-backup" {
2 │ bucket = var.bucket_name
3 │ tags = var.tags
4 └ }
────────────────────────────────────────

trivy_exitcode=1

</details>

Checkov Scan Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/apex

*****************************

Running Checkov in terraform/environments/apex
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-11-28 14:50:58,690 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0:None (for external modules, the --download-external-modules flag is required)
2024-11-28 14:50:58,690 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 368, Failed checks: 102, Skipped checks: 5, Parsing errors: 1

Check: CKV_AWS_166: "Ensure Backup Vault is encrypted at rest using KMS CMK"
	FAILED for resource: aws_backup_vault.apex
	File: /backups.tf:6-12
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-backup-vault-is-encrypted-at-rest-using-kms-cmk

		6  | resource "aws_backup_vault" "apex" {
		7  |   name = "${local.application_name}-backup-vault"
		8  |   tags = merge(
		9  |     local.tags,
		10 |     { "Name" = "${local.application_name}-backup-vault" },
		11 |   )
		12 | }

Check: CKV_AWS_166: "Ensure Backup Vault is encrypted at rest using KMS CMK"
	FAILED for resource: aws_backup_vault.prod_apex
	File: /backups.tf:64-71
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-backup-vault-is-encrypted-at-rest-using-kms-cmk

		64 | resource "aws_backup_vault" "prod_apex" {
		65 |   count = local.environment == "production" ? 1 : 0
		66 |   name  = "${local.application_name}-production-backup-vault"
		67 |   tags = merge(
		68 |     local.tags,
		69 |     { "Name" = "${local.application_name}-production-backup-vault" },
		70 |   )
		71 | }

Check: CKV_AWS_300: "Ensure S3 lifecycle configuration sets period for aborting failed uploads"
	FAILED for resource: aws_s3_bucket_lifecycle_configuration.cloudfront
	File: /cloudfront.tf:157-175
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-300

		157 | resource "aws_s3_bucket_lifecycle_configuration" "cloudfront" {
		158 |   count  = local.environment == "production" ? 1 : 0
		159 |   bucket = aws_s3_bucket.cloudfront.id
		160 | 
		161 |   rule {
		162 |     id = "delete-after-90days"
		163 | 
		164 |     expiration {
		165 |       days = 90
		166 |     }
		167 | 
		168 |     noncurrent_version_expiration {
		169 |       newer_noncurrent_versions = 1
		170 |       noncurrent_days           = 90
		171 |     }
		172 | 
		173 |     status = "Enabled"
		174 |   }
		175 | }

Check: CKV_AWS_310: "Ensure CloudFront distributions should have origin failover configured"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:177-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-310

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_374: "Ensure AWS CloudFront web distribution has geo restriction enabled"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:177-267

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_305: "Ensure CloudFront distribution has a default root object configured"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:177-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-305

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_233: "Ensure Create before destroy for ACM certificates"
	FAILED for resource: aws_acm_certificate.cloudfront
	File: /cloudfront.tf:295-305
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-acm-certificate-enables-create-before-destroy

		295 | resource "aws_acm_certificate" "cloudfront" {
		296 |   domain_name               = local.cloudfront_domain
		297 |   validation_method         = "DNS"
		298 |   provider                  = aws.us-east-1
		299 |   subject_alternative_names = local.environment == "production" ? null : [local.lower_env_cloudfront_url]
		300 |   tags                      = local.tags
		301 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		302 |   lifecycle {
		303 |     prevent_destroy = false
		304 |   }
		305 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.apex_db_instance
	File: /ec2.tf:6-40
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		6  | resource "aws_instance" "apex_db_instance" {
		7  |   ami                         = local.application_data.accounts[local.environment].ec2amiid
		8  |   associate_public_ip_address = false
		9  |   availability_zone           = "eu-west-2a"
		10 |   ebs_optimized               = true
		11 |   instance_type               = local.application_data.accounts[local.environment].ec2instancetype
		12 |   vpc_security_group_ids      = [aws_security_group.database.id]
		13 |   monitoring                  = true
		14 |   subnet_id                   = data.aws_subnet.data_subnets_a.id
		15 |   iam_instance_profile        = aws_iam_instance_profile.ec2_instance_profile.id
		16 |   key_name                    = aws_key_pair.apex.key_name
		17 |   user_data_base64            = base64encode(local.database-instance-userdata)
		18 |   user_data_replace_on_change = true
		19 | 
		20 | 
		21 |   root_block_device {
		22 |     delete_on_termination = false
		23 |     encrypted             = true # TODO Confirm if encrypted volumes can work for OAS, as it looks like in MP they must be encrypted
		24 |     volume_size           = 60
		25 |     volume_type           = "gp2"
		26 |     tags = merge(
		27 |       local.tags,
		28 |       { "Name" = "${local.application_name}db-ec2-root" },
		29 |       { "backup" = "false" }
		30 |     )
		31 |   }
		32 | 
		33 |   tags = merge(
		34 |     local.tags,
		35 |     { "Name" = local.database_ec2_name },
		36 |     { "instance-scheduling" = "skip-scheduling" },
		37 |     { "backup" = "false" },
		38 |     local.backup_schedule_tags
		39 |   )
		40 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.db_lambda
	File: /ec2.tf:77-84
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		77 | resource "aws_vpc_security_group_ingress_rule" "db_lambda" {
		78 |   security_group_id            = aws_security_group.database.id
		79 |   description                  = "Allow Lambda SSH access for backup snapshots"
		80 |   referenced_security_group_id = aws_security_group.backup_lambda.id
		81 |   from_port                    = 22
		82 |   ip_protocol                  = "tcp"
		83 |   to_port                      = 22
		84 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.db_outbound
	File: /ec2.tf:105-109
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		105 | resource "aws_vpc_security_group_egress_rule" "db_outbound" {
		106 |   security_group_id = aws_security_group.database.id
		107 |   cidr_ipv4         = "0.0.0.0/0"
		108 |   ip_protocol       = "-1"
		109 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.ec2_instance_policy
	File: /ec2.tf:136-167
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		136 | resource "aws_iam_role_policy" "ec2_instance_policy" {
		137 |   name = "${local.application_name}-ec2-policy"
		138 |   role = aws_iam_role.ec2_instance_role.id
		139 |   policy = jsonencode({
		140 |     Version = "2012-10-17"
		141 |     Statement = [
		142 |       {
		143 |         Effect = "Allow",
		144 |         Action = [
		145 |           "logs:CreateLogGroup",
		146 |           "logs:CreateLogStream",
		147 |           "logs:DescribeLogStreams",
		148 |           "logs:PutRetentionPolicy",
		149 |           "logs:PutLogEvents",
		150 |           "logs:DescribeLogGroups",
		151 |           "cloudwatch:PutMetricData",
		152 |           "cloudwatch:GetMetricStatistics",
		153 |           "cloudwatch:ListMetrics",
		154 |           "ec2:DescribeInstances",
		155 |         ],
		156 |         Resource = "*"
		157 |       },
		158 |       {
		159 |         Effect = "Allow",
		160 |         Action = [
		161 |           "ec2:CreateTags"
		162 |         ],
		163 |         Resource = "*"
		164 |       }
		165 |     ]
		166 |   })
		167 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.ec2_instance_policy
	File: /ec2.tf:136-167
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		136 | resource "aws_iam_role_policy" "ec2_instance_policy" {
		137 |   name = "${local.application_name}-ec2-policy"
		138 |   role = aws_iam_role.ec2_instance_role.id
		139 |   policy = jsonencode({
		140 |     Version = "2012-10-17"
		141 |     Statement = [
		142 |       {
		143 |         Effect = "Allow",
		144 |         Action = [
		145 |           "logs:CreateLogGroup",
		146 |           "logs:CreateLogStream",
		147 |           "logs:DescribeLogStreams",
		148 |           "logs:PutRetentionPolicy",
		149 |           "logs:PutLogEvents",
		150 |           "logs:DescribeLogGroups",
		151 |           "cloudwatch:PutMetricData",
		152 |           "cloudwatch:GetMetricStatistics",
		153 |           "cloudwatch:ListMetrics",
		154 |           "ec2:DescribeInstances",
		155 |         ],
		156 |         Resource = "*"
		157 |       },
		158 |       {
		159 |         Effect = "Allow",
		160 |         Action = [
		161 |           "ec2:CreateTags"
		162 |         ],
		163 |         Resource = "*"
		164 |       }
		165 |     ]
		166 |   })
		167 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.database
	File: /ec2.tf:269-279
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		269 | resource "aws_cloudwatch_log_group" "database" {
		270 |   name              = "${upper(local.application_name)}-EC2-database-alert"
		271 |   retention_in_days = 0
		272 |   # kms_key_id = aws_kms_key.cloudwatch_logs_key.arn # Not encrypted in LZ
		273 |   tags = merge(
		274 |     local.tags,
		275 |     {
		276 |       Name = "${upper(local.application_name)}-EC2-database-alert"
		277 |     }
		278 |   )
		279 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.pmon_status
	File: /ec2.tf:294-304
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		294 | resource "aws_cloudwatch_log_group" "pmon_status" {
		295 |   name              = "${upper(local.application_name)}-EC2-database-pmon-status"
		296 |   retention_in_days = 0
		297 |   # kms_key_id = aws_kms_key.cloudwatch_logs_key.arn # Not encrypted in LZ
		298 |   tags = merge(
		299 |     local.tags,
		300 |     {
		301 |       Name = "${upper(local.application_name)}-EC2-database-pmon-status"
		302 |     }
		303 |   )
		304 | }

Check: CKV_AWS_7: "Ensure rotation for customer created CMKs is enabled"
	FAILED for resource: aws_kms_key.efs
	File: /efs.tf:1-5
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/logging-8

		1 | resource "aws_kms_key" "efs" {
		2 |   description = "KMS key for encrypting EFS"
		3 |   # enable_key_rotation = true
		4 |   tags = local.tags
		5 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.ssh_key
	File: /lambda.tf:7-22
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		7  | resource "aws_ssm_parameter" "ssh_key" {
		8  |   name        = "EC2_SSH_KEY" # This needs to match the name supplied to the dbconnect.js script
		9  |   description = "SSH Key used by Lambda function to access database instance for backup. Value is updated manually."
		10 |   type        = "SecureString"
		11 |   value       = "Placeholder"
		12 | 
		13 |   tags = merge(
		14 |     local.tags,
		15 |     { Name = "EC2_SSH_KEY" }
		16 |   )
		17 |   lifecycle {
		18 |     ignore_changes = [
		19 |       value,
		20 |     ]
		21 |   }
		22 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:50-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		50 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		51 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		52 |   tags = merge(
		53 |     local.tags,
		54 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		55 |   )
		56 |   policy = <<EOF
		57 | {
		58 |     "Version" : "2012-10-17",
		59 |     "Statement": [
		60 |         {
		61 |             "Action": [
		62 |                 "lambda:InvokeFunction",
		63 |                 "ec2:CreateNetworkInterface",
		64 |                 "ec2:DescribeNetworkInterfaces",
		65 |                 "ec2:DeleteNetworkInterface",
		66 |                 "ec2:DescribeSecurityGroups",
		67 |                 "ec2:CreateSnapshot",
		68 |                 "ec2:DeleteSnapshot",
		69 |                 "ec2:DescribeSubnets",
		70 |                 "ec2:DescribeVpcs",
		71 |                 "ec2:DescribeInstances",
		72 |                 "ec2:DescribeAddresses",
		73 |                 "ec2:DescribeInstanceStatus",
		74 |                 "ec2:DescribeVolumes",
		75 |                 "ec2:DescribeSnapshots",
		76 |                 "ec2:CreateTags",
		77 |                 "s3:*",
		78 |                 "ssm:*",
		79 |                 "ses:*",
		80 |                 "logs:*",
		81 |                 "cloudwatch:*",
		82 |                 "sts:AssumeRole"
		83 |             ],
		84 |             "Resource": "*",
		85 |             "Effect": "Allow"
		86 |         }
		87 |     ]
		88 | }
		89 | EOF
		90 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:50-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		50 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		51 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		52 |   tags = merge(
		53 |     local.tags,
		54 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		55 |   )
		56 |   policy = <<EOF
		57 | {
		58 |     "Version" : "2012-10-17",
		59 |     "Statement": [
		60 |         {
		61 |             "Action": [
		62 |                 "lambda:InvokeFunction",
		63 |                 "ec2:CreateNetworkInterface",
		64 |                 "ec2:DescribeNetworkInterfaces",
		65 |                 "ec2:DeleteNetworkInterface",
		66 |                 "ec2:DescribeSecurityGroups",
		67 |                 "ec2:CreateSnapshot",
		68 |                 "ec2:DeleteSnapshot",
		69 |                 "ec2:DescribeSubnets",
		70 |                 "ec2:DescribeVpcs",
		71 |                 "ec2:DescribeInstances",
		72 |                 "ec2:DescribeAddresses",
		73 |                 "ec2:DescribeInstanceStatus",
		74 |                 "ec2:DescribeVolumes",
		75 |                 "ec2:DescribeSnapshots",
		76 |                 "ec2:CreateTags",
		77 |                 "s3:*",
		78 |                 "ssm:*",
		79 |                 "ses:*",
		80 |                 "logs:*",
		81 |                 "cloudwatch:*",
		82 |                 "sts:AssumeRole"
		83 |             ],
		84 |             "Resource": "*",
		85 |             "Effect": "Allow"
		86 |         }
		87 |     ]
		88 | }
		89 | EOF
		90 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:50-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		50 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		51 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		52 |   tags = merge(
		53 |     local.tags,
		54 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		55 |   )
		56 |   policy = <<EOF
		57 | {
		58 |     "Version" : "2012-10-17",
		59 |     "Statement": [
		60 |         {
		61 |             "Action": [
		62 |                 "lambda:InvokeFunction",
		63 |                 "ec2:CreateNetworkInterface",
		64 |                 "ec2:DescribeNetworkInterfaces",
		65 |                 "ec2:DeleteNetworkInterface",
		66 |                 "ec2:DescribeSecurityGroups",
		67 |                 "ec2:CreateSnapshot",
		68 |                 "ec2:DeleteSnapshot",
		69 |                 "ec2:DescribeSubnets",
		70 |                 "ec2:DescribeVpcs",
		71 |                 "ec2:DescribeInstances",
		72 |                 "ec2:DescribeAddresses",
		73 |                 "ec2:DescribeInstanceStatus",
		74 |                 "ec2:DescribeVolumes",
		75 |                 "ec2:DescribeSnapshots",
		76 |                 "ec2:CreateTags",
		77 |                 "s3:*",
		78 |                 "ssm:*",
		79 |                 "ses:*",
		80 |                 "logs:*",
		81 |                 "cloudwatch:*",
		82 |                 "sts:AssumeRole"
		83 |             ],
		84 |             "Resource": "*",
		85 |             "Effect": "Allow"
		86 |         }
		87 |     ]
		88 | }
		89 | EOF
		90 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:50-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		50 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		51 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		52 |   tags = merge(
		53 |     local.tags,
		54 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		55 |   )
		56 |   policy = <<EOF
		57 | {
		58 |     "Version" : "2012-10-17",
		59 |     "Statement": [
		60 |         {
		61 |             "Action": [
		62 |                 "lambda:InvokeFunction",
		63 |                 "ec2:CreateNetworkInterface",
		64 |                 "ec2:DescribeNetworkInterfaces",
		65 |                 "ec2:DeleteNetworkInterface",
		66 |                 "ec2:DescribeSecurityGroups",
		67 |                 "ec2:CreateSnapshot",
		68 |                 "ec2:DeleteSnapshot",
		69 |                 "ec2:DescribeSubnets",
		70 |                 "ec2:DescribeVpcs",
		71 |                 "ec2:DescribeInstances",
		72 |                 "ec2:DescribeAddresses",
		73 |                 "ec2:DescribeInstanceStatus",
		74 |                 "ec2:DescribeVolumes",
		75 |                 "ec2:DescribeSnapshots",
		76 |                 "ec2:CreateTags",
		77 |                 "s3:*",
		78 |                 "ssm:*",
		79 |                 "ses:*",
		80 |                 "logs:*",
		81 |                 "cloudwatch:*",
		82 |                 "sts:AssumeRole"
		83 |             ],
		84 |             "Resource": "*",
		85 |             "Effect": "Allow"
		86 |         }
		87 |     ]
		88 | }
		89 | EOF
		90 | }

Check: CKV_AWS_287: "Ensure IAM policies does not allow credentials exposure"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:50-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-287

		50 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		51 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		52 |   tags = merge(
		53 |     local.tags,
		54 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		55 |   )
		56 |   policy = <<EOF
		57 | {
		58 |     "Version" : "2012-10-17",
		59 |     "Statement": [
		60 |         {
		61 |             "Action": [
		62 |                 "lambda:InvokeFunction",
		63 |                 "ec2:CreateNetworkInterface",
		64 |                 "ec2:DescribeNetworkInterfaces",
		65 |                 "ec2:DeleteNetworkInterface",
		66 |                 "ec2:DescribeSecurityGroups",
		67 |                 "ec2:CreateSnapshot",
		68 |                 "ec2:DeleteSnapshot",
		69 |                 "ec2:DescribeSubnets",
		70 |                 "ec2:DescribeVpcs",
		71 |                 "ec2:DescribeInstances",
		72 |                 "ec2:DescribeAddresses",
		73 |                 "ec2:DescribeInstanceStatus",
		74 |                 "ec2:DescribeVolumes",
		75 |                 "ec2:DescribeSnapshots",
		76 |                 "ec2:CreateTags",
		77 |                 "s3:*",
		78 |                 "ssm:*",
		79 |                 "ses:*",
		80 |                 "logs:*",
		81 |                 "cloudwatch:*",
		82 |                 "sts:AssumeRole"
		83 |             ],
		84 |             "Resource": "*",
		85 |             "Effect": "Allow"
		86 |         }
		87 |     ]
		88 | }
		89 | EOF
		90 | }

Check: CKV_AWS_382: "Ensure no security groups allow egress from 0.0.0.0:0 to port -1"
	FAILED for resource: aws_security_group.backup_lambda
	File: /lambda.tf:184-201

		184 | resource "aws_security_group" "backup_lambda" {
		185 |   name        = "${local.application_name}-${local.environment}-backup-lambda-security-group"
		186 |   description = "Bakcup Lambda Security Group"
		187 |   vpc_id      = data.aws_vpc.shared.id
		188 | 
		189 |   egress {
		190 |     description = "outbound access"
		191 |     from_port   = 0
		192 |     to_port     = 0
		193 |     protocol    = "-1"
		194 |     cidr_blocks = ["0.0.0.0/0"]
		195 |   }
		196 | 
		197 |   tags = merge(
		198 |     local.tags,
		199 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-security-group" }
		200 |   )
		201 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /lambda.tf:215-243
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		215 | resource "aws_lambda_function" "create_db_snapshots" {
		216 | 
		217 |   description      = "Snapshot volumes for Oracle EC2"
		218 |   function_name    = "snapshotDBFunction"
		219 |   role             = aws_iam_role.backup_lambda.arn
		220 |   handler          = "snapshot/dbsnapshot.handler"
		221 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		222 |   runtime          = "nodejs18.x"
		223 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		224 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		225 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		226 |   memory_size      = 128
		227 |   timeout          = 900
		228 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		229 | 
		230 |   environment {
		231 |     variables = {
		232 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		233 |     }
		234 |   }
		235 |   vpc_config {
		236 |     security_group_ids = [aws_security_group.backup_lambda.id]
		237 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		238 |   }
		239 |   tags = merge(
		240 |     local.tags,
		241 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		242 |   )
		243 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /lambda.tf:215-243
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		215 | resource "aws_lambda_function" "create_db_snapshots" {
		216 | 
		217 |   description      = "Snapshot volumes for Oracle EC2"
		218 |   function_name    = "snapshotDBFunction"
		219 |   role             = aws_iam_role.backup_lambda.arn
		220 |   handler          = "snapshot/dbsnapshot.handler"
		221 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		222 |   runtime          = "nodejs18.x"
		223 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		224 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		225 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		226 |   memory_size      = 128
		227 |   timeout          = 900
		228 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		229 | 
		230 |   environment {
		231 |     variables = {
		232 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		233 |     }
		234 |   }
		235 |   vpc_config {
		236 |     security_group_ids = [aws_security_group.backup_lambda.id]
		237 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		238 |   }
		239 |   tags = merge(
		240 |     local.tags,
		241 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		242 |   )
		243 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /lambda.tf:215-243
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		215 | resource "aws_lambda_function" "create_db_snapshots" {
		216 | 
		217 |   description      = "Snapshot volumes for Oracle EC2"
		218 |   function_name    = "snapshotDBFunction"
		219 |   role             = aws_iam_role.backup_lambda.arn
		220 |   handler          = "snapshot/dbsnapshot.handler"
		221 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		222 |   runtime          = "nodejs18.x"
		223 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		224 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		225 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		226 |   memory_size      = 128
		227 |   timeout          = 900
		228 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		229 | 
		230 |   environment {
		231 |     variables = {
		232 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		233 |     }
		234 |   }
		235 |   vpc_config {
		236 |     security_group_ids = [aws_security_group.backup_lambda.id]
		237 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		238 |   }
		239 |   tags = merge(
		240 |     local.tags,
		241 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		242 |   )
		243 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /lambda.tf:215-243
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		215 | resource "aws_lambda_function" "create_db_snapshots" {
		216 | 
		217 |   description      = "Snapshot volumes for Oracle EC2"
		218 |   function_name    = "snapshotDBFunction"
		219 |   role             = aws_iam_role.backup_lambda.arn
		220 |   handler          = "snapshot/dbsnapshot.handler"
		221 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		222 |   runtime          = "nodejs18.x"
		223 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		224 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		225 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		226 |   memory_size      = 128
		227 |   timeout          = 900
		228 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		229 | 
		230 |   environment {
		231 |     variables = {
		232 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		233 |     }
		234 |   }
		235 |   vpc_config {
		236 |     security_group_ids = [aws_security_group.backup_lambda.id]
		237 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		238 |   }
		239 |   tags = merge(
		240 |     local.tags,
		241 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		242 |   )
		243 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /lambda.tf:215-243
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		215 | resource "aws_lambda_function" "create_db_snapshots" {
		216 | 
		217 |   description      = "Snapshot volumes for Oracle EC2"
		218 |   function_name    = "snapshotDBFunction"
		219 |   role             = aws_iam_role.backup_lambda.arn
		220 |   handler          = "snapshot/dbsnapshot.handler"
		221 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		222 |   runtime          = "nodejs18.x"
		223 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		224 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		225 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		226 |   memory_size      = 128
		227 |   timeout          = 900
		228 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		229 | 
		230 |   environment {
		231 |     variables = {
		232 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		233 |     }
		234 |   }
		235 |   vpc_config {
		236 |     security_group_ids = [aws_security_group.backup_lambda.id]
		237 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		238 |   }
		239 |   tags = merge(
		240 |     local.tags,
		241 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		242 |   )
		243 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /lambda.tf:245-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		245 | resource "aws_lambda_function" "delete_db_snapshots" {
		246 | 
		247 |   description      = "Clean up script to delete old unused snapshots"
		248 |   function_name    = "deletesnapshotFunction"
		249 |   role             = aws_iam_role.backup_lambda.arn
		250 |   handler          = "deletesnapshots.lambda_handler"
		251 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		252 |   runtime          = "python3.8"
		253 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		254 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		255 |   memory_size      = 3000
		256 |   timeout          = 900
		257 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		258 | 
		259 |   vpc_config {
		260 |     security_group_ids = [aws_security_group.backup_lambda.id]
		261 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		262 |   }
		263 |   tags = merge(
		264 |     local.tags,
		265 |     { Name = "${local.application_name}-${local.environment}-lambda-delete-snapshots" }
		266 |   )
		267 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /lambda.tf:245-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		245 | resource "aws_lambda_function" "delete_db_snapshots" {
		246 | 
		247 |   description      = "Clean up script to delete old unused snapshots"
		248 |   function_name    = "deletesnapshotFunction"
		249 |   role             = aws_iam_role.backup_lambda.arn
		250 |   handler          = "deletesnapshots.lambda_handler"
		251 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		252 |   runtime          = "python3.8"
		253 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		254 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		255 |   memory_size      = 3000
		256 |   timeout          = 900
		257 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		258 | 
		259 |   vpc_config {
		260 |     security_group_ids = [aws_security_group.backup_lambda.id]
		261 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		262 |   }
		263 |   tags = merge(
		264 |     local.tags,
		265 |     { Name = "${local.application_name}-${local.environment}-lambda-delete-snapshots" }
		266 |   )
		267 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /lambda.tf:245-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		245 | resource "aws_lambda_function" "delete_db_snapshots" {
		246 | 
		247 |   description      = "Clean up script to delete old unused snapshots"
		248 |   function_name    = "deletesnapshotFunction"
		249 |   role             = aws_iam_role.backup_lambda.arn
		250 |   handler          = "deletesnapshots.lambda_handler"
		251 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		252 |   runtime          = "python3.8"
		253 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		254 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		255 |   memory_size      = 3000
		256 |   timeout          = 900
		257 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		258 | 
		259 |   vpc_config {
		260 |     security_group_ids = [aws_security_group.backup_lambda.id]
		261 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		262 |   }
		263 |   tags = merge(
		264 |     local.tags,
		265 |     { Name = "${local.application_name}-${local.environment}-lambda-delete-snapshots" }
		266 |   )
		267 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /lambda.tf:245-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		245 | resource "aws_lambda_function" "delete_db_snapshots" {
		246 | 
		247 |   description      = "Clean up script to delete old unused snapshots"
		248 |   function_name    = "deletesnapshotFunction"
		249 |   role             = aws_iam_role.backup_lambda.arn
		250 |   handler          = "deletesnapshots.lambda_handler"
		251 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		252 |   runtime          = "python3.8"
		253 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		254 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		255 |   memory_size      = 3000
		256 |   timeout          = 900
		257 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		258 | 
		259 |   vpc_config {
		260 |     security_group_ids = [aws_security_group.backup_lambda.id]
		261 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		262 |   }
		263 |   tags = merge(
		264 |     local.tags,
		265 |     { Name = "${local.application_name}-${local.environment}-lambda-delete-snapshots" }
		266 |   )
		267 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.connect_db
	File: /lambda.tf:269-300
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		269 | resource "aws_lambda_function" "connect_db" {
		270 | 
		271 |   description      = "SSH to the DB EC2"
		272 |   function_name    = "connectDBFunction"
		273 |   role             = aws_iam_role.backup_lambda.arn
		274 |   handler          = "ssh/dbconnect.handler"
		275 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		276 |   runtime          = "nodejs18.x"
		277 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		278 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		279 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		280 |   memory_size      = 128
		281 |   timeout          = 900
		282 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		283 | 
		284 | 
		285 | 
		286 |   environment {
		287 |     variables = {
		288 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		289 | 
		290 |     }
		291 |   }
		292 |   vpc_config {
		293 |     security_group_ids = [aws_security_group.backup_lambda.id]
		294 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		295 |   }
		296 |   tags = merge(
		297 |     local.tags,
		298 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		299 |   )
		300 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.connect_db
	File: /lambda.tf:269-300
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		269 | resource "aws_lambda_function" "connect_db" {
		270 | 
		271 |   description      = "SSH to the DB EC2"
		272 |   function_name    = "connectDBFunction"
		273 |   role             = aws_iam_role.backup_lambda.arn
		274 |   handler          = "ssh/dbconnect.handler"
		275 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		276 |   runtime          = "nodejs18.x"
		277 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		278 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		279 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		280 |   memory_size      = 128
		281 |   timeout          = 900
		282 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		283 | 
		284 | 
		285 | 
		286 |   environment {
		287 |     variables = {
		288 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		289 | 
		290 |     }
		291 |   }
		292 |   vpc_config {
		293 |     security_group_ids = [aws_security_group.backup_lambda.id]
		294 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		295 |   }
		296 |   tags = merge(
		297 |     local.tags,
		298 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		299 |   )
		300 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.connect_db
	File: /lambda.tf:269-300
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		269 | resource "aws_lambda_function" "connect_db" {
		270 | 
		271 |   description      = "SSH to the DB EC2"
		272 |   function_name    = "connectDBFunction"
		273 |   role             = aws_iam_role.backup_lambda.arn
		274 |   handler          = "ssh/dbconnect.handler"
		275 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		276 |   runtime          = "nodejs18.x"
		277 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		278 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		279 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		280 |   memory_size      = 128
		281 |   timeout          = 900
		282 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		283 | 
		284 | 
		285 | 
		286 |   environment {
		287 |     variables = {
		288 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		289 | 
		290 |     }
		291 |   }
		292 |   vpc_config {
		293 |     security_group_ids = [aws_security_group.backup_lambda.id]
		294 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		295 |   }
		296 |   tags = merge(
		297 |     local.tags,
		298 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		299 |   )
		300 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.connect_db
	File: /lambda.tf:269-300
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		269 | resource "aws_lambda_function" "connect_db" {
		270 | 
		271 |   description      = "SSH to the DB EC2"
		272 |   function_name    = "connectDBFunction"
		273 |   role             = aws_iam_role.backup_lambda.arn
		274 |   handler          = "ssh/dbconnect.handler"
		275 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		276 |   runtime          = "nodejs18.x"
		277 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		278 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		279 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		280 |   memory_size      = 128
		281 |   timeout          = 900
		282 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		283 | 
		284 | 
		285 | 
		286 |   environment {
		287 |     variables = {
		288 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		289 | 
		290 |     }
		291 |   }
		292 |   vpc_config {
		293 |     security_group_ids = [aws_security_group.backup_lambda.id]
		294 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		295 |   }
		296 |   tags = merge(
		297 |     local.tags,
		298 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		299 |   )
		300 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.connect_db
	File: /lambda.tf:269-300
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		269 | resource "aws_lambda_function" "connect_db" {
		270 | 
		271 |   description      = "SSH to the DB EC2"
		272 |   function_name    = "connectDBFunction"
		273 |   role             = aws_iam_role.backup_lambda.arn
		274 |   handler          = "ssh/dbconnect.handler"
		275 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		276 |   runtime          = "nodejs18.x"
		277 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		278 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		279 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		280 |   memory_size      = 128
		281 |   timeout          = 900
		282 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		283 | 
		284 | 
		285 | 
		286 |   environment {
		287 |     variables = {
		288 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		289 | 
		290 |     }
		291 |   }
		292 |   vpc_config {
		293 |     security_group_ids = [aws_security_group.backup_lambda.id]
		294 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		295 |   }
		296 |   tags = merge(
		297 |     local.tags,
		298 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		299 |   )
		300 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.alb.s3-bucket[0]
	File: /modules/alb/main.tf:96-151
	Calling File: /alb.tf:27-163
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		Code lines for this resource are too many. Please use IDE of your choice to review the file.

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: module.alb.aws_secretsmanager_secret.cloudfront
	File: /modules/alb/main.tf:275-278
	Calling File: /alb.tf:27-163
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		275 | resource "aws_secretsmanager_secret" "cloudfront" {
		276 |   name        = "cloudfront-v1-secret-${var.application_name}"
		277 |   description = "Simple secret created by AWS CloudFormation to be shared between ALB and CloudFront"
		278 | }

Check: CKV_AWS_378: "Ensure AWS Load Balancer doesn't use HTTP protocol"
	FAILED for resource: module.alb.aws_lb_target_group.alb_target_group
	File: /modules/alb/main.tf:346-373
	Calling File: /alb.tf:27-163

		346 | resource "aws_lb_target_group" "alb_target_group" {
		347 |   name                 = "${var.application_name}-alb-tg"
		348 |   port                 = var.target_group_port
		349 |   protocol             = var.target_group_protocol
		350 |   vpc_id               = var.vpc_id
		351 |   deregistration_delay = var.target_group_deregistration_delay
		352 |   health_check {
		353 |     interval            = var.healthcheck_interval
		354 |     path                = var.healthcheck_path
		355 |     protocol            = var.healthcheck_protocol
		356 |     timeout             = var.healthcheck_timeout
		357 |     healthy_threshold   = var.healthcheck_healthy_threshold
		358 |     unhealthy_threshold = var.healthcheck_unhealthy_threshold
		359 |   }
		360 |   stickiness {
		361 |     enabled         = var.stickiness_enabled
		362 |     type            = var.stickiness_type
		363 |     cookie_duration = var.stickiness_cookie_duration
		364 |   }
		365 | 
		366 |   tags = merge(
		367 |     var.tags,
		368 |     {
		369 |       Name = "${var.application_name}-alb-tg"
		370 |     },
		371 |   )
		372 | 
		373 | }

Check: CKV_AWS_233: "Ensure Create before destroy for ACM certificates"
	FAILED for resource: module.alb.aws_acm_certificate.external_lb
	File: /modules/alb/main.tf:427-437
	Calling File: /alb.tf:27-163
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-acm-certificate-enables-create-before-destroy

		427 | resource "aws_acm_certificate" "external_lb" {
		428 | 
		429 |   domain_name               = var.acm_cert_domain_name
		430 |   validation_method         = "DNS"
		431 |   subject_alternative_names = var.environment == "production" ? null : ["${var.application_name}.${var.business_unit}-${var.environment}.${var.acm_cert_domain_name}"]
		432 |   tags                      = var.tags
		433 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		434 |   lifecycle {
		435 |     prevent_destroy = false
		436 |   }
		437 | }

Check: CKV_AWS_300: "Ensure S3 lifecycle configuration sets period for aborting failed uploads"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket_lifecycle_configuration.report_lifecycle
	File: /modules/codebuild/main.tf:25-39
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-300

		25 | resource "aws_s3_bucket_lifecycle_configuration" "report_lifecycle" {
		26 |   bucket = aws_s3_bucket.deployment_report.id
		27 | 
		28 |   rule {
		29 |     id = "monthly-expiration"
		30 |     expiration {
		31 |       days = var.s3_lifecycle_expiration_days
		32 |     }
		33 |     noncurrent_version_expiration {
		34 |       noncurrent_days = var.s3_lifecycle_noncurr_version_expiration_days
		35 |     }
		36 | 
		37 |     status = "Enabled"
		38 |   }
		39 | }

Check: CKV_AWS_163: "Ensure ECR image scanning on push is enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_ecr_repository.local-ecr
	File: /modules/codebuild/main.tf:52-66
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-8

		52 | resource "aws_ecr_repository" "local-ecr" {
		53 |   name                 = "${var.app_name}-local-ecr"
		54 |   image_tag_mutability = "MUTABLE"
		55 | 
		56 |   image_scanning_configuration {
		57 |     scan_on_push = false
		58 |   }
		59 | 
		60 |   tags = merge(
		61 |     var.tags,
		62 |     {
		63 |       Name = "${var.app_name}-local-ecr"
		64 |     },
		65 |   )
		66 | }

Check: CKV_AWS_51: "Ensure ECR Image Tags are immutable"
	FAILED for resource: module.apex-ecr-codebuild.aws_ecr_repository.local-ecr
	File: /modules/codebuild/main.tf:52-66
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-24

		52 | resource "aws_ecr_repository" "local-ecr" {
		53 |   name                 = "${var.app_name}-local-ecr"
		54 |   image_tag_mutability = "MUTABLE"
		55 | 
		56 |   image_scanning_configuration {
		57 |     scan_on_push = false
		58 |   }
		59 | 
		60 |   tags = merge(
		61 |     var.tags,
		62 |     {
		63 |       Name = "${var.app_name}-local-ecr"
		64 |     },
		65 |   )
		66 | }

Check: CKV_AWS_136: "Ensure that ECR repositories are encrypted using KMS"
	FAILED for resource: module.apex-ecr-codebuild.aws_ecr_repository.local-ecr
	File: /modules/codebuild/main.tf:52-66
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ecr-repositories-are-encrypted

		52 | resource "aws_ecr_repository" "local-ecr" {
		53 |   name                 = "${var.app_name}-local-ecr"
		54 |   image_tag_mutability = "MUTABLE"
		55 | 
		56 |   image_scanning_configuration {
		57 |     scan_on_push = false
		58 |   }
		59 | 
		60 |   tags = merge(
		61 |     var.tags,
		62 |     {
		63 |       Name = "${var.app_name}-local-ecr"
		64 |     },
		65 |   )
		66 | }

Check: CKV_AWS_314: "Ensure CodeBuild project environments have a logging configuration"
	FAILED for resource: module.apex-ecr-codebuild.aws_codebuild_project.app-build
	File: /modules/codebuild/main.tf:163-229
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-314

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_316: "Ensure CodeBuild project environments do not have privileged mode enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_codebuild_project.app-build
	File: /modules/codebuild/main.tf:163-229
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-316

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_314: "Ensure CodeBuild project environments have a logging configuration"
	FAILED for resource: module.apex-ecr-codebuild.aws_codebuild_project.test-build
	File: /modules/codebuild/main.tf:231-280
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-314

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: module.apex-ecs.aws_launch_template.ec2-launch-template
	File: /modules/ecs/main.tf:107-164
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_341: "Ensure Launch template should not have a metadata response hop limit greater than 1"
	FAILED for resource: module.apex-ecs.aws_launch_template.ec2-launch-template
	File: /modules/ecs/main.tf:107-164
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-341

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: module.apex-ecs.aws_iam_policy.ec2_instance_policy
	File: /modules/ecs/main.tf:204-237
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		204 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		205 |   name = "${var.app_name}-ec2-instance-policy"
		206 |   tags = merge(
		207 |     var.tags_common,
		208 |     {
		209 |       Name = "${var.app_name}-ec2-instance-policy"
		210 |     }
		211 |   )
		212 |   policy = <<EOF
		213 | {
		214 |     "Version": "2012-10-17",
		215 |     "Statement": [
		216 |         {
		217 |             "Action": [
		218 |                 "ecs:CreateCluster",
		219 |                 "ecs:DeregisterContainerInstance",
		220 |                 "ecs:DiscoverPollEndpoint",
		221 |                 "ecs:Poll",
		222 |                 "ecs:RegisterContainerInstance",
		223 |                 "ecs:StartTelemetrySession",
		224 |                 "ecs:Submit*",
		225 |                 "logs:CreateLogGroup",
		226 |                 "logs:CreateLogStream",
		227 |                 "logs:PutLogEvents",
		228 |                 "logs:DescribeLogStreams",
		229 |                 "ecr:*"
		230 |             ],
		231 |             "Resource": "*",
		232 |             "Effect": "Allow"
		233 |         }
		234 |     ]
		235 | }
		236 | EOF
		237 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.apex-ecs.aws_iam_policy.ec2_instance_policy
	File: /modules/ecs/main.tf:204-237
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		204 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		205 |   name = "${var.app_name}-ec2-instance-policy"
		206 |   tags = merge(
		207 |     var.tags_common,
		208 |     {
		209 |       Name = "${var.app_name}-ec2-instance-policy"
		210 |     }
		211 |   )
		212 |   policy = <<EOF
		213 | {
		214 |     "Version": "2012-10-17",
		215 |     "Statement": [
		216 |         {
		217 |             "Action": [
		218 |                 "ecs:CreateCluster",
		219 |                 "ecs:DeregisterContainerInstance",
		220 |                 "ecs:DiscoverPollEndpoint",
		221 |                 "ecs:Poll",
		222 |                 "ecs:RegisterContainerInstance",
		223 |                 "ecs:StartTelemetrySession",
		224 |                 "ecs:Submit*",
		225 |                 "logs:CreateLogGroup",
		226 |                 "logs:CreateLogStream",
		227 |                 "logs:PutLogEvents",
		228 |                 "logs:DescribeLogStreams",
		229 |                 "ecr:*"
		230 |             ],
		231 |             "Resource": "*",
		232 |             "Effect": "Allow"
		233 |         }
		234 |     ]
		235 | }
		236 | EOF
		237 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: module.apex-ecs.aws_iam_policy.ec2_instance_policy
	File: /modules/ecs/main.tf:204-237
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		204 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		205 |   name = "${var.app_name}-ec2-instance-policy"
		206 |   tags = merge(
		207 |     var.tags_common,
		208 |     {
		209 |       Name = "${var.app_name}-ec2-instance-policy"
		210 |     }
		211 |   )
		212 |   policy = <<EOF
		213 | {
		214 |     "Version": "2012-10-17",
		215 |     "Statement": [
		216 |         {
		217 |             "Action": [
		218 |                 "ecs:CreateCluster",
		219 |                 "ecs:DeregisterContainerInstance",
		220 |                 "ecs:DiscoverPollEndpoint",
		221 |                 "ecs:Poll",
		222 |                 "ecs:RegisterContainerInstance",
		223 |                 "ecs:StartTelemetrySession",
		224 |                 "ecs:Submit*",
		225 |                 "logs:CreateLogGroup",
		226 |                 "logs:CreateLogStream",
		227 |                 "logs:PutLogEvents",
		228 |                 "logs:DescribeLogStreams",
		229 |                 "ecr:*"
		230 |             ],
		231 |             "Resource": "*",
		232 |             "Effect": "Allow"
		233 |         }
		234 |     ]
		235 | }
		236 | EOF
		237 | }

Check: CKV_AWS_249: "Ensure that the Execution Role ARN and the Task Role ARN are different in ECS Task definitions"
	FAILED for resource: module.apex-ecs.aws_ecs_task_definition.windows_ecs_task_definition
	File: /modules/ecs/main.tf:266-287
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-the-aws-execution-role-arn-and-task-role-arn-are-different-in-ecs-task-definitions

		266 | resource "aws_ecs_task_definition" "windows_ecs_task_definition" {
		267 |   family             = "${var.app_name}-task-definition"
		268 |   count              = var.container_instance_type == "windows" ? 1 : 0
		269 |   execution_role_arn = aws_iam_role.ecs_task_execution_role.arn # grants the Amazon ECS container agents permission to make AWS API calls on your behalf
		270 |   task_role_arn      = aws_iam_role.ecs_task_execution_role.arn # assumed by the containers running in the task, allowing your application code (on the container) to use other AWS services
		271 |   requires_compatibilities = [
		272 |     "EC2",
		273 |   ]
		274 | 
		275 |   # volume {
		276 |   #   name = var.task_definition_volume
		277 |   # }
		278 | 
		279 |   container_definitions = var.task_definition
		280 | 
		281 |   tags = merge(
		282 |     var.tags_common,
		283 |     {
		284 |       Name = "${var.app_name}-windows-task-definition"
		285 |     }
		286 |   )
		287 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.apex-ecs.aws_iam_policy.ecs_service
	File: /modules/ecs/main.tf:439-467
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		439 | resource "aws_iam_policy" "ecs_service" { #tfsec:ignore:aws-iam-no-policy-wildcards
		440 |   name = "${var.app_name}-ecs-service-policy"
		441 |   tags = merge(
		442 |     var.tags_common,
		443 |     {
		444 |       Name = "${var.app_name}-ecs-service-policy"
		445 |     }
		446 |   )
		447 |   policy = <<EOF
		448 | {
		449 |   "Version": "2012-10-17",
		450 |   "Statement": [
		451 |     {
		452 |       "Effect": "Allow",
		453 |       "Action": [
		454 |         "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
		455 |         "elasticloadbalancing:DeregisterTargets",
		456 |         "elasticloadbalancing:Describe*",
		457 |         "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
		458 |         "elasticloadbalancing:RegisterTargets",
		459 |         "ec2:Describe*",
		460 |         "ec2:AuthorizeSecurityGroupIngress"
		461 |       ],
		462 |       "Resource": ["*"]
		463 |     }
		464 |   ]
		465 | }
		466 | EOF
		467 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: module.apex-ecs.aws_iam_policy.ecs_service
	File: /modules/ecs/main.tf:439-467
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		439 | resource "aws_iam_policy" "ecs_service" { #tfsec:ignore:aws-iam-no-policy-wildcards
		440 |   name = "${var.app_name}-ecs-service-policy"
		441 |   tags = merge(
		442 |     var.tags_common,
		443 |     {
		444 |       Name = "${var.app_name}-ecs-service-policy"
		445 |     }
		446 |   )
		447 |   policy = <<EOF
		448 | {
		449 |   "Version": "2012-10-17",
		450 |   "Statement": [
		451 |     {
		452 |       "Effect": "Allow",
		453 |       "Action": [
		454 |         "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
		455 |         "elasticloadbalancing:DeregisterTargets",
		456 |         "elasticloadbalancing:Describe*",
		457 |         "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
		458 |         "elasticloadbalancing:RegisterTargets",
		459 |         "ec2:Describe*",
		460 |         "ec2:AuthorizeSecurityGroupIngress"
		461 |       ],
		462 |       "Resource": ["*"]
		463 |     }
		464 |   ]
		465 | }
		466 | EOF
		467 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: module.apex-ecs.aws_cloudwatch_log_group.cloudwatch_group
	File: /modules/ecs/main.tf:488-499
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		488 | resource "aws_cloudwatch_log_group" "cloudwatch_group" {
		489 |   #checkov:skip=CKV_AWS_158:Temporarily skip KMS encryption check while logging solution is being updated
		490 |   name              = "${var.app_name}-ecs-container-logs"
		491 |   retention_in_days = 90
		492 |   kms_key_id        = var.log_group_kms_key
		493 |   tags = merge(
		494 |     var.tags_common,
		495 |     {
		496 |       Name = "${var.app_name}-ecs-container-logs"
		497 |     }
		498 |   )
		499 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: module.apex-ecs.aws_cloudwatch_log_group.ec2
	File: /modules/ecs/main.tf:506-516
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		506 | resource "aws_cloudwatch_log_group" "ec2" {
		507 |   name              = "${var.app_name}-ecs-ec2-logs"
		508 |   retention_in_days = 90
		509 |   kms_key_id        = var.log_group_kms_key
		510 |   tags = merge(
		511 |     var.tags_common,
		512 |     {
		513 |       Name = "${var.app_name}-ecs-ec2-logs"
		514 |     }
		515 |   )
		516 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy.backuplambdapolicy
	File: /modules/lambdapolicy/main.tf:21-58
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		22 |   name   = var.backup_policy_name
		23 |   tags   = var.tags
		24 |   policy = <<EOF
		25 | {
		26 |     "Version" : "2012-10-17",
		27 |     "Statement": [
		28 |         {
		29 |             "Action": [
		30 |                 "lambda:InvokeFunction",
		31 |                 "ec2:CreateNetworkInterface",
		32 |                 "ec2:DescribeNetworkInterfaces",
		33 |                 "ec2:DeleteNetworkInterface",
		34 |                 "ec2:DescribeSecurityGroups",
		35 |                 "ec2:CreateSnapshot",
		36 |                 "ec2:DeleteSnapshot",
		37 |                 "ec2:DescribeSubnets",
		38 |                 "ec2:DescribeVpcs",
		39 |                 "ec2:DescribeInstances",
		40 |                 "ec2:DescribeAddresses",
		41 |                 "ec2:DescribeInstanceStatus",
		42 |                 "ec2:DescribeVolumes",
		43 |                 "ec2:DescribeSnapshots",
		44 |                 "ec2:CreateTags",
		45 |                 "s3:*",
		46 |                 "ssm:*",
		47 |                 "ses:*",
		48 |                 "logs:*",
		49 |                 "cloudwatch:*",
		50 |                 "sts:AssumeRole"
		51 |             ],
		52 |             "Resource": "*",
		53 |             "Effect": "Allow"
		54 |         }
		55 |     ]
		56 | }
		57 | EOF
		58 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.backuplambdapolicy
	File: /modules/lambdapolicy/main.tf:21-58
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		22 |   name   = var.backup_policy_name
		23 |   tags   = var.tags
		24 |   policy = <<EOF
		25 | {
		26 |     "Version" : "2012-10-17",
		27 |     "Statement": [
		28 |         {
		29 |             "Action": [
		30 |                 "lambda:InvokeFunction",
		31 |                 "ec2:CreateNetworkInterface",
		32 |                 "ec2:DescribeNetworkInterfaces",
		33 |                 "ec2:DeleteNetworkInterface",
		34 |                 "ec2:DescribeSecurityGroups",
		35 |                 "ec2:CreateSnapshot",
		36 |                 "ec2:DeleteSnapshot",
		37 |                 "ec2:DescribeSubnets",
		38 |                 "ec2:DescribeVpcs",
		39 |                 "ec2:DescribeInstances",
		40 |                 "ec2:DescribeAddresses",
		41 |                 "ec2:DescribeInstanceStatus",
		42 |                 "ec2:DescribeVolumes",
		43 |                 "ec2:DescribeSnapshots",
		44 |                 "ec2:CreateTags",
		45 |                 "s3:*",
		46 |                 "ssm:*",
		47 |                 "ses:*",
		48 |                 "logs:*",
		49 |                 "cloudwatch:*",
		50 |                 "sts:AssumeRole"
		51 |             ],
		52 |             "Resource": "*",
		53 |             "Effect": "Allow"
		54 |         }
		55 |     ]
		56 | }
		57 | EOF
		58 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.backuplambdapolicy
	File: /modules/lambdapolicy/main.tf:21-58
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		22 |   name   = var.backup_policy_name
		23 |   tags   = var.tags
		24 |   policy = <<EOF
		25 | {
		26 |     "Version" : "2012-10-17",
		27 |     "Statement": [
		28 |         {
		29 |             "Action": [
		30 |                 "lambda:InvokeFunction",
		31 |                 "ec2:CreateNetworkInterface",
		32 |                 "ec2:DescribeNetworkInterfaces",
		33 |                 "ec2:DeleteNetworkInterface",
		34 |                 "ec2:DescribeSecurityGroups",
		35 |                 "ec2:CreateSnapshot",
		36 |                 "ec2:DeleteSnapshot",
		37 |                 "ec2:DescribeSubnets",
		38 |                 "ec2:DescribeVpcs",
		39 |                 "ec2:DescribeInstances",
		40 |                 "ec2:DescribeAddresses",
		41 |                 "ec2:DescribeInstanceStatus",
		42 |                 "ec2:DescribeVolumes",
		43 |                 "ec2:DescribeSnapshots",
		44 |                 "ec2:CreateTags",
		45 |                 "s3:*",
		46 |                 "ssm:*",
		47 |                 "ses:*",
		48 |                 "logs:*",
		49 |                 "cloudwatch:*",
		50 |                 "sts:AssumeRole"
		51 |             ],
		52 |             "Resource": "*",
		53 |             "Effect": "Allow"
		54 |         }
		55 |     ]
		56 | }
		57 | EOF
		58 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_policy.backuplambdapolicy
	File: /modules/lambdapolicy/main.tf:21-58
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		22 |   name   = var.backup_policy_name
		23 |   tags   = var.tags
		24 |   policy = <<EOF
		25 | {
		26 |     "Version" : "2012-10-17",
		27 |     "Statement": [
		28 |         {
		29 |             "Action": [
		30 |                 "lambda:InvokeFunction",
		31 |                 "ec2:CreateNetworkInterface",
		32 |                 "ec2:DescribeNetworkInterfaces",
		33 |                 "ec2:DeleteNetworkInterface",
		34 |                 "ec2:DescribeSecurityGroups",
		35 |                 "ec2:CreateSnapshot",
		36 |                 "ec2:DeleteSnapshot",
		37 |                 "ec2:DescribeSubnets",
		38 |                 "ec2:DescribeVpcs",
		39 |                 "ec2:DescribeInstances",
		40 |                 "ec2:DescribeAddresses",
		41 |                 "ec2:DescribeInstanceStatus",
		42 |                 "ec2:DescribeVolumes",
		43 |                 "ec2:DescribeSnapshots",
		44 |                 "ec2:CreateTags",
		45 |                 "s3:*",
		46 |                 "ssm:*",
		47 |                 "ses:*",
		48 |                 "logs:*",
		49 |                 "cloudwatch:*",
		50 |                 "sts:AssumeRole"
		51 |             ],
		52 |             "Resource": "*",
		53 |             "Effect": "Allow"
		54 |         }
		55 |     ]
		56 | }
		57 | EOF
		58 | }

Check: CKV_AWS_287: "Ensure IAM policies does not allow credentials exposure"
	FAILED for resource: aws_iam_policy.backuplambdapolicy
	File: /modules/lambdapolicy/main.tf:21-58
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-287

		21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		22 |   name   = var.backup_policy_name
		23 |   tags   = var.tags
		24 |   policy = <<EOF
		25 | {
		26 |     "Version" : "2012-10-17",
		27 |     "Statement": [
		28 |         {
		29 |             "Action": [
		30 |                 "lambda:InvokeFunction",
		31 |                 "ec2:CreateNetworkInterface",
		32 |                 "ec2:DescribeNetworkInterfaces",
		33 |                 "ec2:DeleteNetworkInterface",
		34 |                 "ec2:DescribeSecurityGroups",
		35 |                 "ec2:CreateSnapshot",
		36 |                 "ec2:DeleteSnapshot",
		37 |                 "ec2:DescribeSubnets",
		38 |                 "ec2:DescribeVpcs",
		39 |                 "ec2:DescribeInstances",
		40 |                 "ec2:DescribeAddresses",
		41 |                 "ec2:DescribeInstanceStatus",
		42 |                 "ec2:DescribeVolumes",
		43 |                 "ec2:DescribeSnapshots",
		44 |                 "ec2:CreateTags",
		45 |                 "s3:*",
		46 |                 "ssm:*",
		47 |                 "ses:*",
		48 |                 "logs:*",
		49 |                 "cloudwatch:*",
		50 |                 "sts:AssumeRole"
		51 |             ],
		52 |             "Resource": "*",
		53 |             "Effect": "Allow"
		54 |         }
		55 |     ]
		56 | }
		57 | EOF
		58 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: pagerduty_core_alerts
	File: /sns.tf:34-41
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		34 | module "pagerduty_core_alerts" {
		35 |   depends_on = [
		36 |     aws_sns_topic.apex
		37 |   ]
		38 |   source                    = "github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0"
		39 |   sns_topics                = [aws_sns_topic.apex.name]
		40 |   pagerduty_integration_key = local.pagerduty_integration_keys[local.pagerduty_integration_key_name]
		41 | }
Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.apex
	File: /sns.tf:6-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		6  | resource "aws_sns_topic" "apex" {
		7  |   name = "${local.application_name}-${local.environment}-alerting-topic"
		8  |   tags = merge(
		9  |     local.tags,
		10 |     {
		11 |       Name = "${local.application_name}-${local.environment}-alerting-topic"
		12 |     }
		13 |   )
		14 | }

Check: CKV_AWS_176: "Ensure Logging is enabled for WAF Web Access Control Lists"
	FAILED for resource: aws_waf_web_acl.waf_acl
	File: /waf.tf:57-87
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-31

		57 | resource "aws_waf_web_acl" "waf_acl" {
		58 |   depends_on = [
		59 |     aws_waf_rule.wafmanualallowrule,
		60 |     aws_waf_rule.wafmanualblockrule,
		61 |   ]
		62 |   name        = "${upper(local.application_name)} Whitelisting Requesters"
		63 |   metric_name = "${upper(local.application_name)}WhitelistingRequesters"
		64 |   #   scope    = "CLOUDFRONT"
		65 |   #   provider = aws.us-east-1
		66 |   default_action {
		67 |     type = "BLOCK"
		68 |   }
		69 | 
		70 |   rules {
		71 |     action {
		72 |       type = "ALLOW"
		73 |     }
		74 |     priority = 1
		75 |     rule_id  = aws_waf_rule.wafmanualallowrule.id
		76 |     type     = "REGULAR"
		77 |   }
		78 | 
		79 |   rules {
		80 |     action {
		81 |       type = "BLOCK"
		82 |     }
		83 |     priority = 2
		84 |     rule_id  = aws_waf_rule.wafmanualblockrule.id
		85 |     type     = "REGULAR"
		86 |   }
		87 | }

Check: CKV2_AWS_47: "Ensure AWS CloudFront attached WAFv2 WebACL is configured with AMR for Log4j Vulnerability"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:177-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-47

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: module.alb.aws_secretsmanager_secret.cloudfront
	File: /modules/alb/main.tf:275-278
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		275 | resource "aws_secretsmanager_secret" "cloudfront" {
		276 |   name        = "cloudfront-v1-secret-${var.application_name}"
		277 |   description = "Simple secret created by AWS CloudFormation to be shared between ALB and CloudFront"
		278 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.cloudfront
	File: /cloudfront.tf:109-122
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		109 | resource "aws_s3_bucket" "cloudfront" {
		110 |   bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		111 |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		112 |   tags = merge(
		113 |     local.tags,
		114 |     {
		115 |       Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		116 |     }
		117 |   )
		118 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		119 |   lifecycle {
		120 |     prevent_destroy = false
		121 |   }
		122 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:101-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		101 | resource "aws_s3_bucket" "backup_lambda" {
		102 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		103 |   tags = merge(
		104 |     local.tags,
		105 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		106 |   )
		107 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
	File: /modules/codebuild/main.tf:5-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		5  | resource "aws_s3_bucket" "deployment_report" {
		6  |   bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		7  |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		8  |   tags = merge(
		9  |     var.tags,
		10 |     {
		11 |       Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		12 |     },
		13 |   )
		14 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.laa-lambda-backup
	File: /modules/s3/main.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		1 | resource "aws_s3_bucket" "laa-lambda-backup" {
		2 |   bucket = var.bucket_name
		3 |   tags   = var.tags
		4 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.cloudfront
	File: /cloudfront.tf:109-122
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		109 | resource "aws_s3_bucket" "cloudfront" {
		110 |   bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		111 |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		112 |   tags = merge(
		113 |     local.tags,
		114 |     {
		115 |       Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		116 |     }
		117 |   )
		118 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		119 |   lifecycle {
		120 |     prevent_destroy = false
		121 |   }
		122 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:101-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		101 | resource "aws_s3_bucket" "backup_lambda" {
		102 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		103 |   tags = merge(
		104 |     local.tags,
		105 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		106 |   )
		107 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
	File: /modules/codebuild/main.tf:5-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		5  | resource "aws_s3_bucket" "deployment_report" {
		6  |   bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		7  |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		8  |   tags = merge(
		9  |     var.tags,
		10 |     {
		11 |       Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		12 |     },
		13 |   )
		14 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.laa-lambda-backup
	File: /modules/s3/main.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		1 | resource "aws_s3_bucket" "laa-lambda-backup" {
		2 |   bucket = var.bucket_name
		3 |   tags   = var.tags
		4 | }

Check: CKV2_AWS_32: "Ensure CloudFront distribution has a response headers policy attached"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:177-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/bc-aws-networking-65

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AWS_18: "Ensure that Elastic File System (Amazon EFS) file systems are added in the backup plans of AWS Backup"
	FAILED for resource: aws_efs_file_system.efs
	File: /efs.tf:41-55
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-elastic-file-system-amazon-efs-file-systems-are-added-in-the-backup-plans-of-aws-backup

		41 | resource "aws_efs_file_system" "efs" {
		42 |   encrypted        = true
		43 |   kms_key_id       = aws_kms_key.efs.arn
		44 |   performance_mode = "maxIO"
		45 |   throughput_mode  = "bursting"
		46 | 
		47 |   tags = merge(
		48 |     local.tags,
		49 |     { "Name" = "mp-${local.application_name}-efs" }
		50 |   )
		51 | 
		52 |   lifecycle_policy {
		53 |     transition_to_ia = "AFTER_90_DAYS"
		54 |   }
		55 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.cloudfront
	File: /cloudfront.tf:109-122
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		109 | resource "aws_s3_bucket" "cloudfront" {
		110 |   bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		111 |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		112 |   tags = merge(
		113 |     local.tags,
		114 |     {
		115 |       Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		116 |     }
		117 |   )
		118 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		119 |   lifecycle {
		120 |     prevent_destroy = false
		121 |   }
		122 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:101-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		101 | resource "aws_s3_bucket" "backup_lambda" {
		102 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		103 |   tags = merge(
		104 |     local.tags,
		105 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		106 |   )
		107 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
	File: /modules/codebuild/main.tf:5-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		5  | resource "aws_s3_bucket" "deployment_report" {
		6  |   bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		7  |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		8  |   tags = merge(
		9  |     var.tags,
		10 |     {
		11 |       Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		12 |     },
		13 |   )
		14 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.laa-lambda-backup
	File: /modules/s3/main.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		1 | resource "aws_s3_bucket" "laa-lambda-backup" {
		2 |   bucket = var.bucket_name
		3 |   tags   = var.tags
		4 | }

Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
	File: /modules/codebuild/main.tf:5-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		5  | resource "aws_s3_bucket" "deployment_report" {
		6  |   bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		7  |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		8  |   tags = merge(
		9  |     var.tags,
		10 |     {
		11 |       Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		12 |     },
		13 |   )
		14 | }

Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.u01-orahome
	File: /ec2.tf:169-184
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		169 | resource "aws_ebs_volume" "u01-orahome" {
		170 |   availability_zone = "eu-west-2a"
		171 |   size              = local.application_data.accounts[local.environment].u01_orahome_size
		172 |   type              = "gp3"
		173 |   encrypted         = true
		174 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		175 |   snapshot_id       = local.application_data.accounts[local.environment].u01_orahome_snapshot
		176 |   lifecycle {
		177 |     ignore_changes = [kms_key_id]
		178 |   }
		179 |   tags = merge(
		180 |     local.tags,
		181 |     { "Name" = "${local.application_name}db-ec2-u01-orahome" },
		182 |     { "backup" = "false" }
		183 |   )
		184 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.u02-oradata
	File: /ec2.tf:191-206
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		191 | resource "aws_ebs_volume" "u02-oradata" {
		192 |   availability_zone = "eu-west-2a"
		193 |   size              = local.application_data.accounts[local.environment].u02_oradata_size
		194 |   type              = "gp3"
		195 |   encrypted         = true
		196 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		197 |   snapshot_id       = local.application_data.accounts[local.environment].u02_oradata_snapshot
		198 |   lifecycle {
		199 |     ignore_changes = [kms_key_id]
		200 |   }
		201 |   tags = merge(
		202 |     local.tags,
		203 |     { "Name" = "${local.application_name}db-ec2-u02-oradata" },
		204 |     { "backup" = "false" }
		205 |   )
		206 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.u03-redo
	File: /ec2.tf:216-231
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		216 | resource "aws_ebs_volume" "u03-redo" {
		217 |   availability_zone = "eu-west-2a"
		218 |   size              = local.application_data.accounts[local.environment].u03_redo_size
		219 |   type              = "gp3"
		220 |   encrypted         = true
		221 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		222 |   snapshot_id       = local.application_data.accounts[local.environment].u03_redo_snapshot
		223 |   lifecycle {
		224 |     ignore_changes = [kms_key_id]
		225 |   }
		226 |   tags = merge(
		227 |     local.tags,
		228 |     { "Name" = "${local.application_name}db-ec2-u03-redo" },
		229 |     { "backup" = "false" }
		230 |   )
		231 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.u04-arch
	File: /ec2.tf:238-253
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		238 | resource "aws_ebs_volume" "u04-arch" {
		239 |   availability_zone = "eu-west-2a"
		240 |   size              = local.application_data.accounts[local.environment].u04_arch_size
		241 |   type              = "gp3"
		242 |   encrypted         = true
		243 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		244 |   snapshot_id       = local.application_data.accounts[local.environment].u04_arch_snapshot
		245 |   lifecycle {
		246 |     ignore_changes = [kms_key_id]
		247 |   }
		248 |   tags = merge(
		249 |     local.tags,
		250 |     { "Name" = "${local.application_name}db-ec2-u04-arch" },
		251 |     { "backup" = "false" }
		252 |   )
		253 | }

Check: CKV2_AWS_65: "Ensure access control lists for S3 buckets are disabled"
	FAILED for resource: aws_s3_bucket_ownership_controls.backup_lambda
	File: /lambda.tf:124-129
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-112

		124 | resource "aws_s3_bucket_ownership_controls" "backup_lambda" {
		125 |   bucket = aws_s3_bucket.backup_lambda.id
		126 |   rule {
		127 |     object_ownership = "ObjectWriter"
		128 |   }
		129 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:101-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		101 | resource "aws_s3_bucket" "backup_lambda" {
		102 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		103 |   tags = merge(
		104 |     local.tags,
		105 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		106 |   )
		107 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.laa-lambda-backup
	File: /modules/s3/main.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		1 | resource "aws_s3_bucket" "laa-lambda-backup" {
		2 |   bucket = var.bucket_name
		3 |   tags   = var.tags
		4 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.cloudfront
	File: /cloudfront.tf:109-122
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		109 | resource "aws_s3_bucket" "cloudfront" {
		110 |   bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		111 |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		112 |   tags = merge(
		113 |     local.tags,
		114 |     {
		115 |       Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		116 |     }
		117 |   )
		118 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		119 |   lifecycle {
		120 |     prevent_destroy = false
		121 |   }
		122 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV2_AWS_46: "Ensure AWS CloudFront Distribution with S3 have Origin Access set to enabled"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:177-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-aws-cloudfromt-distribution-with-s3-have-origin-access-set-to-enabled

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.cloudfront
	File: /cloudfront.tf:109-122
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		109 | resource "aws_s3_bucket" "cloudfront" {
		110 |   bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		111 |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		112 |   tags = merge(
		113 |     local.tags,
		114 |     {
		115 |       Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		116 |     }
		117 |   )
		118 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		119 |   lifecycle {
		120 |     prevent_destroy = false
		121 |   }
		122 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:101-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		101 | resource "aws_s3_bucket" "backup_lambda" {
		102 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		103 |   tags = merge(
		104 |     local.tags,
		105 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		106 |   )
		107 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
	File: /modules/codebuild/main.tf:5-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		5  | resource "aws_s3_bucket" "deployment_report" {
		6  |   bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		7  |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		8  |   tags = merge(
		9  |     var.tags,
		10 |     {
		11 |       Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		12 |     },
		13 |   )
		14 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.laa-lambda-backup
	File: /modules/s3/main.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		1 | resource "aws_s3_bucket" "laa-lambda-backup" {
		2 |   bucket = var.bucket_name
		3 |   tags   = var.tags
		4 | }

terraform_plan scan results:

Passed checks: 0, Failed checks: 0, Skipped checks: 0, Parsing errors: 1


checkov_exitcode=1
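
Most of the Checkov failures above for `aws_s3_bucket.backup_lambda` (CKV2_AWS_6, CKV2_AWS_65, CKV_AWS_145, CKV_AWS_21, CKV_AWS_18, CKV2_AWS_61, CKV2_AWS_62) come from the bucket being declared with no companion resources; with AWS provider v4+ every one of those controls lives in its own `aws_s3_bucket_*` resource. The block below is an added example of the hardened shape, not code from this PR or the modernisation-platform repository. It reuses the bucket name and `local.tags` exactly as shown in the scan output, and assumes a customer-managed key `aws_kms_key.backup_lambda`, a separate access-log bucket `aws_s3_bucket.logging` and an SNS topic `aws_sns_topic.s3_events`, none of which appear in the output.

```hcl
# Added example: hardened companion resources for the flagged backup_lambda bucket.
# aws_kms_key.backup_lambda, aws_s3_bucket.logging and aws_sns_topic.s3_events are
# assumed to exist elsewhere; they are not part of the scanned PR.

resource "aws_s3_bucket" "backup_lambda" {
  # CKV_AWS_144 (cross-region replication) is a deliberate, recorded exception
  # for a bucket that only holds redeployable DB scripts.
  #checkov:skip=CKV_AWS_144:Scripts are reproducible from source control; CRR not required
  bucket = "${local.application_name}-${local.environment}-backup-lambda"
  tags = merge(
    local.tags,
    { Name = "${local.application_name}-${local.environment}-backup-lambda" }
  )
}

# CKV2_AWS_6: block every form of public access at the bucket level.
resource "aws_s3_bucket_public_access_block" "backup_lambda" {
  bucket                  = aws_s3_bucket.backup_lambda.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# CKV2_AWS_65: BucketOwnerEnforced disables ACLs outright, so bucket policy and
# IAM are the only access-control paths (ObjectWriter, flagged above, keeps ACLs live).
resource "aws_s3_bucket_ownership_controls" "backup_lambda" {
  bucket = aws_s3_bucket.backup_lambda.id
  rule {
    object_ownership = "BucketOwnerEnforced"
  }
}

# CKV_AWS_145 / AVD-AWS-0132: SSE-KMS with a customer-managed key; the bucket key
# cuts KMS request volume without weakening the control.
resource "aws_s3_bucket_server_side_encryption_configuration" "backup_lambda" {
  bucket = aws_s3_bucket.backup_lambda.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"
      kms_master_key_id = aws_kms_key.backup_lambda.arn
    }
    bucket_key_enabled = true
  }
}

# CKV_AWS_21: versioning so an overwritten or deleted script can be recovered.
resource "aws_s3_bucket_versioning" "backup_lambda" {
  bucket = aws_s3_bucket.backup_lambda.id
  versioning_configuration {
    status = "Enabled"
  }
}

# CKV_AWS_18: server access logs to a separate bucket, never to the bucket itself.
resource "aws_s3_bucket_logging" "backup_lambda" {
  bucket        = aws_s3_bucket.backup_lambda.id
  target_bucket = aws_s3_bucket.logging.id
  target_prefix = "s3/${aws_s3_bucket.backup_lambda.id}/"
}

# CKV2_AWS_61: bound the growth that versioning introduces.
resource "aws_s3_bucket_lifecycle_configuration" "backup_lambda" {
  bucket     = aws_s3_bucket.backup_lambda.id
  depends_on = [aws_s3_bucket_versioning.backup_lambda]
  rule {
    id     = "expire-noncurrent-versions"
    status = "Enabled"
    filter {}
    noncurrent_version_expiration {
      noncurrent_days = 90
    }
    abort_incomplete_multipart_upload {
      days_after_initiation = 7
    }
  }
}

# CKV2_AWS_62: an event on deletion makes tampering with the scripts visible.
resource "aws_s3_bucket_notification" "backup_lambda" {
  bucket = aws_s3_bucket.backup_lambda.id
  topic {
    topic_arn = aws_sns_topic.s3_events.arn
    events    = ["s3:ObjectRemoved:*"]
  }
}

# Not a Checkov finding above, but the usual companion: refuse plaintext transport.
resource "aws_s3_bucket_policy" "backup_lambda" {
  bucket     = aws_s3_bucket.backup_lambda.id
  depends_on = [aws_s3_bucket_public_access_block.backup_lambda]
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Sid       = "DenyInsecureTransport"
      Effect    = "Deny"
      Principal = "*"
      Action    = "s3:*"
      Resource  = [aws_s3_bucket.backup_lambda.arn, "${aws_s3_bucket.backup_lambda.arn}/*"]
      Condition = { Bool = { "aws:SecureTransport" = "false" } }
    }]
  })
}
```

The same pattern applies to `module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources`, `aws_s3_bucket.deployment_report` and `aws_s3_bucket.laa-lambda-backup`, which fail the identical set of checks. Where a check is genuinely not wanted, the inline `#checkov:skip=` annotation with a reason is preferable to a global exclusion, because the justification then lives next to the resource and survives review.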

CTFLint Scan Failed

*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/apex

*****************************

Running tflint in terraform/environments/apex
Excluding the following checks: terraform_unused_declarations
7 issue(s) found:

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/apex/alb.tf line 17:
  17:     "${local.application_data.accounts[local.environment].acm_cert_domain_name}" = {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/apex/alb.tf line 19:
  19:       zone_name = "${local.application_data.accounts[local.environment].acm_cert_domain_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "template" in `required_providers` (terraform_required_providers)

  on terraform/environments/apex/cloudwatch.tf line 401:
 401: data "template_file" "dashboard" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "local" in `required_providers` (terraform_required_providers)

  on terraform/environments/apex/ec2.tf line 42:
  42: data "local_file" "cloudwatch_agent" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/apex/event_triggers.tf line 22:
  22:   input = jsonencode({ "appname" : "${local.database_ec2_name}" })

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "time" in `required_providers` (terraform_required_providers)

  on terraform/environments/apex/lambda.tf line 119:
 119: resource "time_sleep" "wait_for_provision_files" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "archive" in `required_providers` (terraform_required_providers)

  on terraform/environments/apex/lambda.tf line 173:
 173: data "archive_file" "connect_db" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

tflint_exitcode=2
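
The four `terraform_required_providers` warnings above matter beyond lint hygiene: a provider referenced without a version constraint is resolved to whatever the registry serves at `terraform init` time, so the build is not reproducible and a provider release can change behaviour under the pipeline. The block below is an added example of how the `apex` root module could pin them, not code from this PR; the version ranges are assumptions chosen for illustration and should be set from the versions recorded in the module's `.terraform.lock.hcl`. It also shows the two interpolation-only expressions rewritten as tflint suggests.

```hcl
# Added example: pin every provider the root module uses (not part of the PR).
# Version constraints here are illustrative; take the real ones from .terraform.lock.hcl.
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
    local = {
      source  = "hashicorp/local"
      version = "~> 2.4"
    }
    time = {
      source  = "hashicorp/time"
      version = "~> 0.12"
    }
    archive = {
      source  = "hashicorp/archive"
      version = "~> 2.4"
    }
    # hashicorp/template is archived upstream (last release 2.2.0); pinning it
    # silences the warning, but the durable fix is the templatefile() function below.
    template = {
      source  = "hashicorp/template"
      version = "~> 2.2"
    }
  }
}

# terraform_deprecated_interpolation: a bare reference replaces "${...}".
# Illustrative rewrite of the two alb.tf expressions flagged above.
locals {
  acm_cert_domain_name = local.application_data.accounts[local.environment].acm_cert_domain_name

  alb_certificates = {
    (local.acm_cert_domain_name) = {
      zone_name = local.acm_cert_domain_name
    }
  }
}

# Replacement for data "template_file" "dashboard" that needs no provider at all.
# The template path and variable name are assumptions for this example.
locals {
  dashboard_body = templatefile("${path.module}/templates/dashboard.json.tpl", {
    application_name = local.application_name
    environment      = local.environment
  })
}
```

Pinning `aws`, `local`, `time` and `archive` together with a committed `.terraform.lock.hcl` (which also records provider checksums) gives the pipeline a fixed, verifiable provider set; dropping `template_file` in favour of `templatefile()` removes an archived dependency from that set entirely.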

Trivy Scan Failed

*****************************

Trivy will check the following folders:
terraform/environments/apex

*****************************

Running Trivy in terraform/environments/apex
2024-11-28T14:50:48Z	INFO	[vulndb] Need to update DB
2024-11-28T14:50:48Z	INFO	[vulndb] Downloading vulnerability DB...
2024-11-28T14:50:48Z	INFO	[vulndb] Downloading artifact...	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-11-28T14:50:51Z	INFO	[vulndb] Artifact successfully downloaded	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-11-28T14:50:51Z	INFO	[vuln] Vulnerability scanning is enabled
2024-11-28T14:50:51Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-11-28T14:50:51Z	INFO	[misconfig] Need to update the built-in checks
2024-11-28T14:50:51Z	INFO	[misconfig] Downloading the built-in checks...
2024-11-28T14:50:51Z	ERROR	[misconfig] Falling back to embedded checks	err="failed to download built-in policies: download error: oci download error: failed to fetch the layer: GET https://ghcr.io/v2/aquasecurity/trivy-checks/blobs/sha256:16442a4593a0395452e678ef699a880eec94d9211dfc887d52574beb78b95030: TOOMANYREQUESTS: retry-after: 629.901µs, allowed: 44000/minute"
2024-11-28T14:50:51Z	INFO	[secret] Secret scanning is enabled
2024-11-28T14:50:51Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-11-28T14:50:51Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-11-28T14:50:52Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-11-28T14:50:52Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2024-11-28T14:50:52Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="aws_waf_ipset.wafmanualallowset" err="1 error occurred:\n\t* invalid for-each in aws_waf_ipset.wafmanualallowset.dynamic.ip_set_descriptors block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-28T14:50:52Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="aws_waf_ipset.wafmanualallowset" err="1 error occurred:\n\t* invalid for-each in aws_waf_ipset.wafmanualallowset.dynamic.ip_set_descriptors block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-28T14:50:53Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.aws_route53_record.external_lb_validation_core_network_services" value="cty.NilVal"
2024-11-28T14:50:53Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.aws_route53_record.external_lb_validation_core_vpc" value="cty.NilVal"
2024-11-28T14:50:53Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.aws_route53_record.external_lb_validation_self" value="cty.NilVal"
2024-11-28T14:50:53Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.data.aws_route53_zone.core_network_services" value="cty.NilVal"
2024-11-28T14:50:53Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.data.aws_route53_zone.core_vpc" value="cty.NilVal"
2024-11-28T14:50:53Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.data.aws_route53_zone.self" value="cty.NilVal"
2024-11-28T14:50:54Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.apex-ecs.aws_autoscaling_group.cluster-scaling-group" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.cluster-scaling-group.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-28T14:50:54Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.apex-ecs.aws_autoscaling_group.cluster-scaling-group" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.cluster-scaling-group.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-28T14:50:54Z	INFO	[terraform scanner] Scanning root module	file_path="modules/lambdapolicy"
2024-11-28T14:50:54Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="tags"
2024-11-28T14:50:54Z	INFO	[terraform scanner] Scanning root module	file_path="modules/s3"
2024-11-28T14:50:54Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="tags"
2024-11-28T14:50:55Z	INFO	[terraform executor] Ignore finding	rule="aws-elb-alb-not-public" range="modules/alb/main.tf:210-234"
2024-11-28T14:50:55Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0/main.tf:171-179"
2024-11-28T14:50:55Z	INFO	Number of language-specific files	num=0
2024-11-28T14:50:55Z	INFO	Detected config files	num=12

cloudfront.tf (terraform)
=========================
Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0013 (HIGH): Distribution allows unencrypted communications.
════════════════════════════════════════
You should not use outdated/insecure TLS versions for encryption. You should be using TLS v1.2+.
Note: that setting *minimum_protocol_version = "TLSv1.2_2021"* is only possible when *cloudfront_default_certificate* is false (eg. you are not using the cloudfront.net domain name).
If *cloudfront_default_certificate* is true then the Cloudfront API will only allow setting *minimum_protocol_version = "TLSv1"*, and setting it to any other value will result in a perpetual diff in your *terraform plan*'s.
The only option when using the cloudfront.net domain name is to ignore this rule.


See https://avd.aquasec.com/misconfig/avd-aws-0013
────────────────────────────────────────
 cloudfront.tf:241-245
   via cloudfront.tf:177-267 (aws_cloudfront_distribution.external)
────────────────────────────────────────
 177   resource "aws_cloudfront_distribution" "external" {
 ...   
 241 ┌   viewer_certificate {
 242 │     acm_certificate_arn      = aws_acm_certificate.cloudfront.arn
 243 │     ssl_support_method       = "sni-only"
 244 │     minimum_protocol_version = "TLSv1.2_2018"
 245 └   }
 ...   
 267   }
────────────────────────────────────────


AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.


See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 cloudfront.tf:131-142
────────────────────────────────────────
 131 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "cloudfront" {
 132 │   bucket = aws_s3_bucket.cloudfront.id
 133 │   rule {
 134 │     apply_server_side_encryption_by_default {
 135 │       sse_algorithm = "AES256"
 136 │     }
 137 │   }
 138 │   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
 139 │   lifecycle {
 ...   
────────────────────────────────────────



ec2.tf (terraform)
==================
Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 ec2.tf:6-40
────────────────────────────────────────
   6 ┌ resource "aws_instance" "apex_db_instance" {
   7 │   ami                         = local.application_data.accounts[local.environment].ec2amiid
   8 │   associate_public_ip_address = false
   9 │   availability_zone           = "eu-west-2a"
  10 │   ebs_optimized               = true
  11 │   instance_type               = local.application_data.accounts[local.environment].ec2instancetype
  12 │   vpc_security_group_ids      = [aws_security_group.database.id]
  13 │   monitoring                  = true
  14 │   subnet_id                   = data.aws_subnet.data_subnets_a.id
  ..   
────────────────────────────────────────



lambda.tf (terraform)
=====================
Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0088 (HIGH): Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.


See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
 lambda.tf:101-107
────────────────────────────────────────
 101resource "aws_s3_bucket" "backup_lambda" {
 102bucket = "${local.application_name}-${local.environment}-backup-lambda"
 103tags = merge(
 104 │     local.tags,
 105 │     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
 106 │   )
 107 └ }
────────────────────────────────────────


AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.


See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 lambda.tf:101-107
────────────────────────────────────────
 101resource "aws_s3_bucket" "backup_lambda" {
 102bucket = "${local.application_name}-${local.environment}-backup-lambda"
 103tags = merge(
 104 │     local.tags,
 105 │     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
 106 │   )
 107 └ }
────────────────────────────────────────



modules/ecs/main.tf (terraform)
===============================
Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0130 (HIGH): Launch template does not require IMDS access to require a token
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/aws-autoscaling-enforce-http-token-imds
────────────────────────────────────────
 modules/ecs/main.tf:119-123
   via modules/ecs/main.tf:107-164 (aws_launch_template.ec2-launch-template)
    via ecs.tf:5-38 (module.apex-ecs)
────────────────────────────────────────
 107   resource "aws_launch_template" "ec2-launch-template" {
 ...   
 119metadata_options {
 120http_endpoint               = "enabled"
 121http_tokens                 = "optional"
 122http_put_response_hop_limit = "2"
 123 └   }
 ...   
 164   }
────────────────────────────────────────



modules/s3/main.tf (terraform)
==============================
Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0088 (HIGH): Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.


See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
 modules/s3/main.tf:1-4
────────────────────────────────────────
   1resource "aws_s3_bucket" "laa-lambda-backup" {
   2bucket = var.bucket_name
   3tags   = var.tags
   4 └ }
────────────────────────────────────────


AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.


See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 modules/s3/main.tf:1-4
────────────────────────────────────────
   1resource "aws_s3_bucket" "laa-lambda-backup" {
   2bucket = var.bucket_name
   3tags   = var.tags
   4 └ }
────────────────────────────────────────


trivy_exitcode=1

…nce the nodejs.zip file is no longer in the local directory as it was manually uploaded

Trivy Scan Failed

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/apex


Running Trivy in terraform/environments/apex
2024-11-28T15:35:03Z INFO [vulndb] Need to update DB
2024-11-28T15:35:03Z INFO [vulndb] Downloading vulnerability DB...
2024-11-28T15:35:03Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-11-28T15:35:06Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-11-28T15:35:06Z INFO [vuln] Vulnerability scanning is enabled
2024-11-28T15:35:06Z INFO [misconfig] Misconfiguration scanning is enabled
2024-11-28T15:35:06Z INFO [misconfig] Need to update the built-in checks
2024-11-28T15:35:06Z INFO [misconfig] Downloading the built-in checks...
2024-11-28T15:35:06Z ERROR [misconfig] Falling back to embedded checks err="failed to download built-in policies: download error: oci download error: failed to fetch the layer: GET https://ghcr.io/v2/aquasecurity/trivy-checks/blobs/sha256:16442a4593a0395452e678ef699a880eec94d9211dfc887d52574beb78b95030: TOOMANYREQUESTS: retry-after: 472.128µs, allowed: 44000/minute"
2024-11-28T15:35:06Z INFO [secret] Secret scanning is enabled
2024-11-28T15:35:06Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-11-28T15:35:06Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-11-28T15:35:08Z INFO [terraform scanner] Scanning root module file_path="."
2024-11-28T15:35:08Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2024-11-28T15:35:08Z ERROR [terraform evaluator] Failed to expand dynamic block. block="aws_waf_ipset.wafmanualallowset" err="1 error occurred:\n\t* invalid for-each in aws_waf_ipset.wafmanualallowset.dynamic.ip_set_descriptors block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-28T15:35:08Z ERROR [terraform evaluator] Failed to expand dynamic block. block="aws_waf_ipset.wafmanualallowset" err="1 error occurred:\n\t* invalid for-each in aws_waf_ipset.wafmanualallowset.dynamic.ip_set_descriptors block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-28T15:35:08Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.aws_route53_record.external_lb_validation_core_network_services" value="cty.NilVal"
2024-11-28T15:35:08Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.aws_route53_record.external_lb_validation_core_vpc" value="cty.NilVal"
2024-11-28T15:35:08Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.aws_route53_record.external_lb_validation_self" value="cty.NilVal"
2024-11-28T15:35:08Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.data.aws_route53_zone.core_network_services" value="cty.NilVal"
2024-11-28T15:35:08Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.data.aws_route53_zone.core_vpc" value="cty.NilVal"
2024-11-28T15:35:08Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.data.aws_route53_zone.self" value="cty.NilVal"
2024-11-28T15:35:09Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.apex-ecs.aws_autoscaling_group.cluster-scaling-group" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.cluster-scaling-group.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-28T15:35:09Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.apex-ecs.aws_autoscaling_group.cluster-scaling-group" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.cluster-scaling-group.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-28T15:35:09Z INFO [terraform scanner] Scanning root module file_path="modules/lambdapolicy"
2024-11-28T15:35:09Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="tags"
2024-11-28T15:35:09Z INFO [terraform scanner] Scanning root module file_path="modules/s3"
2024-11-28T15:35:09Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="tags"
2024-11-28T15:35:10Z INFO [terraform executor] Ignore finding rule="aws-elb-alb-not-public" range="modules/alb/main.tf:210-234"
2024-11-28T15:35:10Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0/main.tf:171-179"
2024-11-28T15:35:10Z INFO Number of language-specific files num=0
2024-11-28T15:35:10Z INFO Detected config files num=12

cloudfront.tf (terraform)

Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0013 (HIGH): Distribution allows unencrypted communications.
════════════════════════════════════════
You should not use outdated/insecure TLS versions for encryption. You should be using TLS v1.2+.
Note: that setting minimum_protocol_version = "TLSv1.2_2021" is only possible when cloudfront_default_certificate is false (eg. you are not using the cloudfront.net domain name).
If cloudfront_default_certificate is true then the Cloudfront API will only allow setting minimum_protocol_version = "TLSv1", and setting it to any other value will result in a perpetual diff in your terraform plan's.
The only option when using the cloudfront.net domain name is to ignore this rule.

See https://avd.aquasec.com/misconfig/avd-aws-0013
────────────────────────────────────────
cloudfront.tf:241-245
via cloudfront.tf:177-267 (aws_cloudfront_distribution.external)
────────────────────────────────────────
177 resource "aws_cloudfront_distribution" "external" {
...
241 ┌ viewer_certificate {
242 │ acm_certificate_arn = aws_acm_certificate.cloudfront.arn
243 │ ssl_support_method = "sni-only"
244 │ minimum_protocol_version = "TLSv1.2_2018"
245 └ }
...
267 }
────────────────────────────────────────

AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
cloudfront.tf:131-142
────────────────────────────────────────
131 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "cloudfront" {
132 │ bucket = aws_s3_bucket.cloudfront.id
133 │ rule {
134 │ apply_server_side_encryption_by_default {
135 │ sse_algorithm = "AES256"
136 │ }
137 │ }
138 │ # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
139 └ lifecycle {
...
────────────────────────────────────────

ec2.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
ec2.tf:6-40
────────────────────────────────────────
6 ┌ resource "aws_instance" "apex_db_instance" {
7 │ ami = local.application_data.accounts[local.environment].ec2amiid
8 │ associate_public_ip_address = false
9 │ availability_zone = "eu-west-2a"
10 │ ebs_optimized = true
11 │ instance_type = local.application_data.accounts[local.environment].ec2instancetype
12 │ vpc_security_group_ids = [aws_security_group.database.id]
13 │ monitoring = true
14 └ subnet_id = data.aws_subnet.data_subnets_a.id
..
────────────────────────────────────────

lambda.tf (terraform)

Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0088 (HIGH): Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.

See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
lambda.tf:107-113
────────────────────────────────────────
107 ┌ resource "aws_s3_bucket" "backup_lambda" {
108 │ bucket = "${local.application_name}-${local.environment}-backup-lambda"
109 │ tags = merge(
110 │ local.tags,
111 │ { Name = "${local.application_name}-${local.environment}-backup-lambda" }
112 │ )
113 └ }
────────────────────────────────────────

AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
lambda.tf:107-113
────────────────────────────────────────
107 ┌ resource "aws_s3_bucket" "backup_lambda" {
108 │ bucket = "${local.application_name}-${local.environment}-backup-lambda"
109 │ tags = merge(
110 │ local.tags,
111 │ { Name = "${local.application_name}-${local.environment}-backup-lambda" }
112 │ )
113 └ }
────────────────────────────────────────

modules/ecs/main.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0130 (HIGH): Launch template does not require IMDS access to require a token
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/aws-autoscaling-enforce-http-token-imds
────────────────────────────────────────
modules/ecs/main.tf:119-123
via modules/ecs/main.tf:107-164 (aws_launch_template.ec2-launch-template)
via ecs.tf:5-38 (module.apex-ecs)
────────────────────────────────────────
107 resource "aws_launch_template" "ec2-launch-template" {
...
119 ┌ metadata_options {
120 │ http_endpoint = "enabled"
121 │ http_tokens = "optional"
122 │ http_put_response_hop_limit = "2"
123 └ }
...
164 }
────────────────────────────────────────

modules/s3/main.tf (terraform)

Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0088 (HIGH): Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.

See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
modules/s3/main.tf:1-4
────────────────────────────────────────
1 ┌ resource "aws_s3_bucket" "laa-lambda-backup" {
2 │ bucket = var.bucket_name
3 │ tags = var.tags
4 └ }
────────────────────────────────────────

AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
modules/s3/main.tf:1-4
────────────────────────────────────────
1 ┌ resource "aws_s3_bucket" "laa-lambda-backup" {
2 │ bucket = var.bucket_name
3 │ tags = var.tags
4 └ }
────────────────────────────────────────

trivy_exitcode=1

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/apex

*****************************

Running Checkov in terraform/environments/apex
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-11-28 15:35:13,661 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0:None (for external modules, the --download-external-modules flag is required)
2024-11-28 15:35:13,661 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 368, Failed checks: 102, Skipped checks: 5, Parsing errors: 1

Check: CKV_AWS_166: "Ensure Backup Vault is encrypted at rest using KMS CMK"
	FAILED for resource: aws_backup_vault.apex
	File: /backups.tf:6-12
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-backup-vault-is-encrypted-at-rest-using-kms-cmk

		6  | resource "aws_backup_vault" "apex" {
		7  |   name = "${local.application_name}-backup-vault"
		8  |   tags = merge(
		9  |     local.tags,
		10 |     { "Name" = "${local.application_name}-backup-vault" },
		11 |   )
		12 | }

Check: CKV_AWS_166: "Ensure Backup Vault is encrypted at rest using KMS CMK"
	FAILED for resource: aws_backup_vault.prod_apex
	File: /backups.tf:64-71
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-backup-vault-is-encrypted-at-rest-using-kms-cmk

		64 | resource "aws_backup_vault" "prod_apex" {
		65 |   count = local.environment == "production" ? 1 : 0
		66 |   name  = "${local.application_name}-production-backup-vault"
		67 |   tags = merge(
		68 |     local.tags,
		69 |     { "Name" = "${local.application_name}-production-backup-vault" },
		70 |   )
		71 | }

Check: CKV_AWS_300: "Ensure S3 lifecycle configuration sets period for aborting failed uploads"
	FAILED for resource: aws_s3_bucket_lifecycle_configuration.cloudfront
	File: /cloudfront.tf:157-175
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-300

		157 | resource "aws_s3_bucket_lifecycle_configuration" "cloudfront" {
		158 |   count  = local.environment == "production" ? 1 : 0
		159 |   bucket = aws_s3_bucket.cloudfront.id
		160 | 
		161 |   rule {
		162 |     id = "delete-after-90days"
		163 | 
		164 |     expiration {
		165 |       days = 90
		166 |     }
		167 | 
		168 |     noncurrent_version_expiration {
		169 |       newer_noncurrent_versions = 1
		170 |       noncurrent_days           = 90
		171 |     }
		172 | 
		173 |     status = "Enabled"
		174 |   }
		175 | }

Check: CKV_AWS_310: "Ensure CloudFront distributions should have origin failover configured"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:177-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-310

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_374: "Ensure AWS CloudFront web distribution has geo restriction enabled"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:177-267

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_305: "Ensure CloudFront distribution has a default root object configured"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:177-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-305

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_233: "Ensure Create before destroy for ACM certificates"
	FAILED for resource: aws_acm_certificate.cloudfront
	File: /cloudfront.tf:295-305
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-acm-certificate-enables-create-before-destroy

		295 | resource "aws_acm_certificate" "cloudfront" {
		296 |   domain_name               = local.cloudfront_domain
		297 |   validation_method         = "DNS"
		298 |   provider                  = aws.us-east-1
		299 |   subject_alternative_names = local.environment == "production" ? null : [local.lower_env_cloudfront_url]
		300 |   tags                      = local.tags
		301 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		302 |   lifecycle {
		303 |     prevent_destroy = false
		304 |   }
		305 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.apex_db_instance
	File: /ec2.tf:6-40
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		6  | resource "aws_instance" "apex_db_instance" {
		7  |   ami                         = local.application_data.accounts[local.environment].ec2amiid
		8  |   associate_public_ip_address = false
		9  |   availability_zone           = "eu-west-2a"
		10 |   ebs_optimized               = true
		11 |   instance_type               = local.application_data.accounts[local.environment].ec2instancetype
		12 |   vpc_security_group_ids      = [aws_security_group.database.id]
		13 |   monitoring                  = true
		14 |   subnet_id                   = data.aws_subnet.data_subnets_a.id
		15 |   iam_instance_profile        = aws_iam_instance_profile.ec2_instance_profile.id
		16 |   key_name                    = aws_key_pair.apex.key_name
		17 |   user_data_base64            = base64encode(local.database-instance-userdata)
		18 |   user_data_replace_on_change = true
		19 | 
		20 | 
		21 |   root_block_device {
		22 |     delete_on_termination = false
		23 |     encrypted             = true # TODO Confirm if encrypted volumes can work for OAS, as it looks like in MP they must be encrypted
		24 |     volume_size           = 60
		25 |     volume_type           = "gp2"
		26 |     tags = merge(
		27 |       local.tags,
		28 |       { "Name" = "${local.application_name}db-ec2-root" },
		29 |       { "backup" = "false" }
		30 |     )
		31 |   }
		32 | 
		33 |   tags = merge(
		34 |     local.tags,
		35 |     { "Name" = local.database_ec2_name },
		36 |     { "instance-scheduling" = "skip-scheduling" },
		37 |     { "backup" = "false" },
		38 |     local.backup_schedule_tags
		39 |   )
		40 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.db_lambda
	File: /ec2.tf:77-84
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		77 | resource "aws_vpc_security_group_ingress_rule" "db_lambda" {
		78 |   security_group_id            = aws_security_group.database.id
		79 |   description                  = "Allow Lambda SSH access for backup snapshots"
		80 |   referenced_security_group_id = aws_security_group.backup_lambda.id
		81 |   from_port                    = 22
		82 |   ip_protocol                  = "tcp"
		83 |   to_port                      = 22
		84 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.db_outbound
	File: /ec2.tf:105-109
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		105 | resource "aws_vpc_security_group_egress_rule" "db_outbound" {
		106 |   security_group_id = aws_security_group.database.id
		107 |   cidr_ipv4         = "0.0.0.0/0"
		108 |   ip_protocol       = "-1"
		109 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.ec2_instance_policy
	File: /ec2.tf:136-167
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		136 | resource "aws_iam_role_policy" "ec2_instance_policy" {
		137 |   name = "${local.application_name}-ec2-policy"
		138 |   role = aws_iam_role.ec2_instance_role.id
		139 |   policy = jsonencode({
		140 |     Version = "2012-10-17"
		141 |     Statement = [
		142 |       {
		143 |         Effect = "Allow",
		144 |         Action = [
		145 |           "logs:CreateLogGroup",
		146 |           "logs:CreateLogStream",
		147 |           "logs:DescribeLogStreams",
		148 |           "logs:PutRetentionPolicy",
		149 |           "logs:PutLogEvents",
		150 |           "logs:DescribeLogGroups",
		151 |           "cloudwatch:PutMetricData",
		152 |           "cloudwatch:GetMetricStatistics",
		153 |           "cloudwatch:ListMetrics",
		154 |           "ec2:DescribeInstances",
		155 |         ],
		156 |         Resource = "*"
		157 |       },
		158 |       {
		159 |         Effect = "Allow",
		160 |         Action = [
		161 |           "ec2:CreateTags"
		162 |         ],
		163 |         Resource = "*"
		164 |       }
		165 |     ]
		166 |   })
		167 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.ec2_instance_policy
	File: /ec2.tf:136-167
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		136 | resource "aws_iam_role_policy" "ec2_instance_policy" {
		137 |   name = "${local.application_name}-ec2-policy"
		138 |   role = aws_iam_role.ec2_instance_role.id
		139 |   policy = jsonencode({
		140 |     Version = "2012-10-17"
		141 |     Statement = [
		142 |       {
		143 |         Effect = "Allow",
		144 |         Action = [
		145 |           "logs:CreateLogGroup",
		146 |           "logs:CreateLogStream",
		147 |           "logs:DescribeLogStreams",
		148 |           "logs:PutRetentionPolicy",
		149 |           "logs:PutLogEvents",
		150 |           "logs:DescribeLogGroups",
		151 |           "cloudwatch:PutMetricData",
		152 |           "cloudwatch:GetMetricStatistics",
		153 |           "cloudwatch:ListMetrics",
		154 |           "ec2:DescribeInstances",
		155 |         ],
		156 |         Resource = "*"
		157 |       },
		158 |       {
		159 |         Effect = "Allow",
		160 |         Action = [
		161 |           "ec2:CreateTags"
		162 |         ],
		163 |         Resource = "*"
		164 |       }
		165 |     ]
		166 |   })
		167 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.database
	File: /ec2.tf:269-279
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		269 | resource "aws_cloudwatch_log_group" "database" {
		270 |   name              = "${upper(local.application_name)}-EC2-database-alert"
		271 |   retention_in_days = 0
		272 |   # kms_key_id = aws_kms_key.cloudwatch_logs_key.arn # Not encrypted in LZ
		273 |   tags = merge(
		274 |     local.tags,
		275 |     {
		276 |       Name = "${upper(local.application_name)}-EC2-database-alert"
		277 |     }
		278 |   )
		279 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.pmon_status
	File: /ec2.tf:294-304
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		294 | resource "aws_cloudwatch_log_group" "pmon_status" {
		295 |   name              = "${upper(local.application_name)}-EC2-database-pmon-status"
		296 |   retention_in_days = 0
		297 |   # kms_key_id = aws_kms_key.cloudwatch_logs_key.arn # Not encrypted in LZ
		298 |   tags = merge(
		299 |     local.tags,
		300 |     {
		301 |       Name = "${upper(local.application_name)}-EC2-database-pmon-status"
		302 |     }
		303 |   )
		304 | }

Check: CKV_AWS_7: "Ensure rotation for customer created CMKs is enabled"
	FAILED for resource: aws_kms_key.efs
	File: /efs.tf:1-5
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/logging-8

		1 | resource "aws_kms_key" "efs" {
		2 |   description = "KMS key for encrypting EFS"
		3 |   # enable_key_rotation = true
		4 |   tags = local.tags
		5 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.ssh_key
	File: /lambda.tf:8-23
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		8  | resource "aws_ssm_parameter" "ssh_key" {
		9  |   name        = "EC2_SSH_KEY" # This needs to match the name supplied to the dbconnect.js script
		10 |   description = "SSH Key used by Lambda function to access database instance for backup. Value is updated manually."
		11 |   type        = "SecureString"
		12 |   value       = "Placeholder"
		13 | 
		14 |   tags = merge(
		15 |     local.tags,
		16 |     { Name = "EC2_SSH_KEY" }
		17 |   )
		18 |   lifecycle {
		19 |     ignore_changes = [
		20 |       value,
		21 |     ]
		22 |   }
		23 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:51-91
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		51 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		52 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		53 |   tags = merge(
		54 |     local.tags,
		55 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		56 |   )
		57 |   policy = <<EOF
		58 | {
		59 |     "Version" : "2012-10-17",
		60 |     "Statement": [
		61 |         {
		62 |             "Action": [
		63 |                 "lambda:InvokeFunction",
		64 |                 "ec2:CreateNetworkInterface",
		65 |                 "ec2:DescribeNetworkInterfaces",
		66 |                 "ec2:DeleteNetworkInterface",
		67 |                 "ec2:DescribeSecurityGroups",
		68 |                 "ec2:CreateSnapshot",
		69 |                 "ec2:DeleteSnapshot",
		70 |                 "ec2:DescribeSubnets",
		71 |                 "ec2:DescribeVpcs",
		72 |                 "ec2:DescribeInstances",
		73 |                 "ec2:DescribeAddresses",
		74 |                 "ec2:DescribeInstanceStatus",
		75 |                 "ec2:DescribeVolumes",
		76 |                 "ec2:DescribeSnapshots",
		77 |                 "ec2:CreateTags",
		78 |                 "s3:*",
		79 |                 "ssm:*",
		80 |                 "ses:*",
		81 |                 "logs:*",
		82 |                 "cloudwatch:*",
		83 |                 "sts:AssumeRole"
		84 |             ],
		85 |             "Resource": "*",
		86 |             "Effect": "Allow"
		87 |         }
		88 |     ]
		89 | }
		90 | EOF
		91 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:51-91
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		51 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		52 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		53 |   tags = merge(
		54 |     local.tags,
		55 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		56 |   )
		57 |   policy = <<EOF
		58 | {
		59 |     "Version" : "2012-10-17",
		60 |     "Statement": [
		61 |         {
		62 |             "Action": [
		63 |                 "lambda:InvokeFunction",
		64 |                 "ec2:CreateNetworkInterface",
		65 |                 "ec2:DescribeNetworkInterfaces",
		66 |                 "ec2:DeleteNetworkInterface",
		67 |                 "ec2:DescribeSecurityGroups",
		68 |                 "ec2:CreateSnapshot",
		69 |                 "ec2:DeleteSnapshot",
		70 |                 "ec2:DescribeSubnets",
		71 |                 "ec2:DescribeVpcs",
		72 |                 "ec2:DescribeInstances",
		73 |                 "ec2:DescribeAddresses",
		74 |                 "ec2:DescribeInstanceStatus",
		75 |                 "ec2:DescribeVolumes",
		76 |                 "ec2:DescribeSnapshots",
		77 |                 "ec2:CreateTags",
		78 |                 "s3:*",
		79 |                 "ssm:*",
		80 |                 "ses:*",
		81 |                 "logs:*",
		82 |                 "cloudwatch:*",
		83 |                 "sts:AssumeRole"
		84 |             ],
		85 |             "Resource": "*",
		86 |             "Effect": "Allow"
		87 |         }
		88 |     ]
		89 | }
		90 | EOF
		91 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:51-91
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		51 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		52 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		53 |   tags = merge(
		54 |     local.tags,
		55 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		56 |   )
		57 |   policy = <<EOF
		58 | {
		59 |     "Version" : "2012-10-17",
		60 |     "Statement": [
		61 |         {
		62 |             "Action": [
		63 |                 "lambda:InvokeFunction",
		64 |                 "ec2:CreateNetworkInterface",
		65 |                 "ec2:DescribeNetworkInterfaces",
		66 |                 "ec2:DeleteNetworkInterface",
		67 |                 "ec2:DescribeSecurityGroups",
		68 |                 "ec2:CreateSnapshot",
		69 |                 "ec2:DeleteSnapshot",
		70 |                 "ec2:DescribeSubnets",
		71 |                 "ec2:DescribeVpcs",
		72 |                 "ec2:DescribeInstances",
		73 |                 "ec2:DescribeAddresses",
		74 |                 "ec2:DescribeInstanceStatus",
		75 |                 "ec2:DescribeVolumes",
		76 |                 "ec2:DescribeSnapshots",
		77 |                 "ec2:CreateTags",
		78 |                 "s3:*",
		79 |                 "ssm:*",
		80 |                 "ses:*",
		81 |                 "logs:*",
		82 |                 "cloudwatch:*",
		83 |                 "sts:AssumeRole"
		84 |             ],
		85 |             "Resource": "*",
		86 |             "Effect": "Allow"
		87 |         }
		88 |     ]
		89 | }
		90 | EOF
		91 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:51-91
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		51 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		52 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		53 |   tags = merge(
		54 |     local.tags,
		55 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		56 |   )
		57 |   policy = <<EOF
		58 | {
		59 |     "Version" : "2012-10-17",
		60 |     "Statement": [
		61 |         {
		62 |             "Action": [
		63 |                 "lambda:InvokeFunction",
		64 |                 "ec2:CreateNetworkInterface",
		65 |                 "ec2:DescribeNetworkInterfaces",
		66 |                 "ec2:DeleteNetworkInterface",
		67 |                 "ec2:DescribeSecurityGroups",
		68 |                 "ec2:CreateSnapshot",
		69 |                 "ec2:DeleteSnapshot",
		70 |                 "ec2:DescribeSubnets",
		71 |                 "ec2:DescribeVpcs",
		72 |                 "ec2:DescribeInstances",
		73 |                 "ec2:DescribeAddresses",
		74 |                 "ec2:DescribeInstanceStatus",
		75 |                 "ec2:DescribeVolumes",
		76 |                 "ec2:DescribeSnapshots",
		77 |                 "ec2:CreateTags",
		78 |                 "s3:*",
		79 |                 "ssm:*",
		80 |                 "ses:*",
		81 |                 "logs:*",
		82 |                 "cloudwatch:*",
		83 |                 "sts:AssumeRole"
		84 |             ],
		85 |             "Resource": "*",
		86 |             "Effect": "Allow"
		87 |         }
		88 |     ]
		89 | }
		90 | EOF
		91 | }

Check: CKV_AWS_287: "Ensure IAM policies does not allow credentials exposure"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:51-91
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-287

		51 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		52 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		53 |   tags = merge(
		54 |     local.tags,
		55 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		56 |   )
		57 |   policy = <<EOF
		58 | {
		59 |     "Version" : "2012-10-17",
		60 |     "Statement": [
		61 |         {
		62 |             "Action": [
		63 |                 "lambda:InvokeFunction",
		64 |                 "ec2:CreateNetworkInterface",
		65 |                 "ec2:DescribeNetworkInterfaces",
		66 |                 "ec2:DeleteNetworkInterface",
		67 |                 "ec2:DescribeSecurityGroups",
		68 |                 "ec2:CreateSnapshot",
		69 |                 "ec2:DeleteSnapshot",
		70 |                 "ec2:DescribeSubnets",
		71 |                 "ec2:DescribeVpcs",
		72 |                 "ec2:DescribeInstances",
		73 |                 "ec2:DescribeAddresses",
		74 |                 "ec2:DescribeInstanceStatus",
		75 |                 "ec2:DescribeVolumes",
		76 |                 "ec2:DescribeSnapshots",
		77 |                 "ec2:CreateTags",
		78 |                 "s3:*",
		79 |                 "ssm:*",
		80 |                 "ses:*",
		81 |                 "logs:*",
		82 |                 "cloudwatch:*",
		83 |                 "sts:AssumeRole"
		84 |             ],
		85 |             "Resource": "*",
		86 |             "Effect": "Allow"
		87 |         }
		88 |     ]
		89 | }
		90 | EOF
		91 | }

Check: CKV_AWS_382: "Ensure no security groups allow egress from 0.0.0.0:0 to port -1"
	FAILED for resource: aws_security_group.backup_lambda
	File: /lambda.tf:190-207

		190 | resource "aws_security_group" "backup_lambda" {
		191 |   name        = "${local.application_name}-${local.environment}-backup-lambda-security-group"
		192 |   description = "Bakcup Lambda Security Group"
		193 |   vpc_id      = data.aws_vpc.shared.id
		194 | 
		195 |   egress {
		196 |     description = "outbound access"
		197 |     from_port   = 0
		198 |     to_port     = 0
		199 |     protocol    = "-1"
		200 |     cidr_blocks = ["0.0.0.0/0"]
		201 |   }
		202 | 
		203 |   tags = merge(
		204 |     local.tags,
		205 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-security-group" }
		206 |   )
		207 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /lambda.tf:221-249
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		221 | resource "aws_lambda_function" "create_db_snapshots" {
		222 | 
		223 |   description      = "Snapshot volumes for Oracle EC2"
		224 |   function_name    = "snapshotDBFunction"
		225 |   role             = aws_iam_role.backup_lambda.arn
		226 |   handler          = "snapshot/dbsnapshot.handler"
		227 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		228 |   runtime          = "nodejs18.x"
		229 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		230 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		231 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		232 |   memory_size      = 128
		233 |   timeout          = 900
		234 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		235 | 
		236 |   environment {
		237 |     variables = {
		238 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		239 |     }
		240 |   }
		241 |   vpc_config {
		242 |     security_group_ids = [aws_security_group.backup_lambda.id]
		243 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		244 |   }
		245 |   tags = merge(
		246 |     local.tags,
		247 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		248 |   )
		249 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /lambda.tf:221-249
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		221 | resource "aws_lambda_function" "create_db_snapshots" {
		222 | 
		223 |   description      = "Snapshot volumes for Oracle EC2"
		224 |   function_name    = "snapshotDBFunction"
		225 |   role             = aws_iam_role.backup_lambda.arn
		226 |   handler          = "snapshot/dbsnapshot.handler"
		227 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		228 |   runtime          = "nodejs18.x"
		229 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		230 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		231 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		232 |   memory_size      = 128
		233 |   timeout          = 900
		234 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		235 | 
		236 |   environment {
		237 |     variables = {
		238 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		239 |     }
		240 |   }
		241 |   vpc_config {
		242 |     security_group_ids = [aws_security_group.backup_lambda.id]
		243 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		244 |   }
		245 |   tags = merge(
		246 |     local.tags,
		247 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		248 |   )
		249 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /lambda.tf:221-249
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		221 | resource "aws_lambda_function" "create_db_snapshots" {
		222 | 
		223 |   description      = "Snapshot volumes for Oracle EC2"
		224 |   function_name    = "snapshotDBFunction"
		225 |   role             = aws_iam_role.backup_lambda.arn
		226 |   handler          = "snapshot/dbsnapshot.handler"
		227 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		228 |   runtime          = "nodejs18.x"
		229 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		230 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		231 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		232 |   memory_size      = 128
		233 |   timeout          = 900
		234 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		235 | 
		236 |   environment {
		237 |     variables = {
		238 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		239 |     }
		240 |   }
		241 |   vpc_config {
		242 |     security_group_ids = [aws_security_group.backup_lambda.id]
		243 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		244 |   }
		245 |   tags = merge(
		246 |     local.tags,
		247 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		248 |   )
		249 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /lambda.tf:221-249
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		221 | resource "aws_lambda_function" "create_db_snapshots" {
		222 | 
		223 |   description      = "Snapshot volumes for Oracle EC2"
		224 |   function_name    = "snapshotDBFunction"
		225 |   role             = aws_iam_role.backup_lambda.arn
		226 |   handler          = "snapshot/dbsnapshot.handler"
		227 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		228 |   runtime          = "nodejs18.x"
		229 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		230 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		231 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		232 |   memory_size      = 128
		233 |   timeout          = 900
		234 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		235 | 
		236 |   environment {
		237 |     variables = {
		238 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		239 |     }
		240 |   }
		241 |   vpc_config {
		242 |     security_group_ids = [aws_security_group.backup_lambda.id]
		243 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		244 |   }
		245 |   tags = merge(
		246 |     local.tags,
		247 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		248 |   )
		249 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /lambda.tf:221-249
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		221 | resource "aws_lambda_function" "create_db_snapshots" {
		222 | 
		223 |   description      = "Snapshot volumes for Oracle EC2"
		224 |   function_name    = "snapshotDBFunction"
		225 |   role             = aws_iam_role.backup_lambda.arn
		226 |   handler          = "snapshot/dbsnapshot.handler"
		227 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		228 |   runtime          = "nodejs18.x"
		229 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		230 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		231 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		232 |   memory_size      = 128
		233 |   timeout          = 900
		234 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		235 | 
		236 |   environment {
		237 |     variables = {
		238 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		239 |     }
		240 |   }
		241 |   vpc_config {
		242 |     security_group_ids = [aws_security_group.backup_lambda.id]
		243 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		244 |   }
		245 |   tags = merge(
		246 |     local.tags,
		247 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		248 |   )
		249 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /lambda.tf:251-273
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		251 | resource "aws_lambda_function" "delete_db_snapshots" {
		252 | 
		253 |   description      = "Clean up script to delete old unused snapshots"
		254 |   function_name    = "deletesnapshotFunction"
		255 |   role             = aws_iam_role.backup_lambda.arn
		256 |   handler          = "deletesnapshots.lambda_handler"
		257 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		258 |   runtime          = "python3.8"
		259 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		260 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		261 |   memory_size      = 3000
		262 |   timeout          = 900
		263 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		264 | 
		265 |   vpc_config {
		266 |     security_group_ids = [aws_security_group.backup_lambda.id]
		267 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		268 |   }
		269 |   tags = merge(
		270 |     local.tags,
		271 |     { Name = "${local.application_name}-${local.environment}-lambda-delete-snapshots" }
		272 |   )
		273 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /lambda.tf:251-273
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		251 | resource "aws_lambda_function" "delete_db_snapshots" {
		252 | 
		253 |   description      = "Clean up script to delete old unused snapshots"
		254 |   function_name    = "deletesnapshotFunction"
		255 |   role             = aws_iam_role.backup_lambda.arn
		256 |   handler          = "deletesnapshots.lambda_handler"
		257 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		258 |   runtime          = "python3.8"
		259 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		260 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		261 |   memory_size      = 3000
		262 |   timeout          = 900
		263 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		264 | 
		265 |   vpc_config {
		266 |     security_group_ids = [aws_security_group.backup_lambda.id]
		267 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		268 |   }
		269 |   tags = merge(
		270 |     local.tags,
		271 |     { Name = "${local.application_name}-${local.environment}-lambda-delete-snapshots" }
		272 |   )
		273 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /lambda.tf:251-273
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		251 | resource "aws_lambda_function" "delete_db_snapshots" {
		252 | 
		253 |   description      = "Clean up script to delete old unused snapshots"
		254 |   function_name    = "deletesnapshotFunction"
		255 |   role             = aws_iam_role.backup_lambda.arn
		256 |   handler          = "deletesnapshots.lambda_handler"
		257 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		258 |   runtime          = "python3.8"
		259 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		260 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		261 |   memory_size      = 3000
		262 |   timeout          = 900
		263 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		264 | 
		265 |   vpc_config {
		266 |     security_group_ids = [aws_security_group.backup_lambda.id]
		267 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		268 |   }
		269 |   tags = merge(
		270 |     local.tags,
		271 |     { Name = "${local.application_name}-${local.environment}-lambda-delete-snapshots" }
		272 |   )
		273 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /lambda.tf:251-273
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		251 | resource "aws_lambda_function" "delete_db_snapshots" {
		252 | 
		253 |   description      = "Clean up script to delete old unused snapshots"
		254 |   function_name    = "deletesnapshotFunction"
		255 |   role             = aws_iam_role.backup_lambda.arn
		256 |   handler          = "deletesnapshots.lambda_handler"
		257 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		258 |   runtime          = "python3.8"
		259 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		260 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		261 |   memory_size      = 3000
		262 |   timeout          = 900
		263 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		264 | 
		265 |   vpc_config {
		266 |     security_group_ids = [aws_security_group.backup_lambda.id]
		267 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		268 |   }
		269 |   tags = merge(
		270 |     local.tags,
		271 |     { Name = "${local.application_name}-${local.environment}-lambda-delete-snapshots" }
		272 |   )
		273 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.connect_db
	File: /lambda.tf:275-306
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		275 | resource "aws_lambda_function" "connect_db" {
		276 | 
		277 |   description      = "SSH to the DB EC2"
		278 |   function_name    = "connectDBFunction"
		279 |   role             = aws_iam_role.backup_lambda.arn
		280 |   handler          = "ssh/dbconnect.handler"
		281 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		282 |   runtime          = "nodejs18.x"
		283 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		284 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		285 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		286 |   memory_size      = 128
		287 |   timeout          = 900
		288 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		289 | 
		290 | 
		291 | 
		292 |   environment {
		293 |     variables = {
		294 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		295 | 
		296 |     }
		297 |   }
		298 |   vpc_config {
		299 |     security_group_ids = [aws_security_group.backup_lambda.id]
		300 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		301 |   }
		302 |   tags = merge(
		303 |     local.tags,
		304 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		305 |   )
		306 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.connect_db
	File: /lambda.tf:275-306
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		275 | resource "aws_lambda_function" "connect_db" {
		276 | 
		277 |   description      = "SSH to the DB EC2"
		278 |   function_name    = "connectDBFunction"
		279 |   role             = aws_iam_role.backup_lambda.arn
		280 |   handler          = "ssh/dbconnect.handler"
		281 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		282 |   runtime          = "nodejs18.x"
		283 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		284 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		285 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		286 |   memory_size      = 128
		287 |   timeout          = 900
		288 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		289 | 
		290 | 
		291 | 
		292 |   environment {
		293 |     variables = {
		294 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		295 | 
		296 |     }
		297 |   }
		298 |   vpc_config {
		299 |     security_group_ids = [aws_security_group.backup_lambda.id]
		300 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		301 |   }
		302 |   tags = merge(
		303 |     local.tags,
		304 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		305 |   )
		306 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.connect_db
	File: /lambda.tf:275-306
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		275 | resource "aws_lambda_function" "connect_db" {
		276 | 
		277 |   description      = "SSH to the DB EC2"
		278 |   function_name    = "connectDBFunction"
		279 |   role             = aws_iam_role.backup_lambda.arn
		280 |   handler          = "ssh/dbconnect.handler"
		281 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		282 |   runtime          = "nodejs18.x"
		283 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		284 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		285 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		286 |   memory_size      = 128
		287 |   timeout          = 900
		288 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		289 | 
		290 | 
		291 | 
		292 |   environment {
		293 |     variables = {
		294 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		295 | 
		296 |     }
		297 |   }
		298 |   vpc_config {
		299 |     security_group_ids = [aws_security_group.backup_lambda.id]
		300 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		301 |   }
		302 |   tags = merge(
		303 |     local.tags,
		304 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		305 |   )
		306 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.connect_db
	File: /lambda.tf:275-306
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		275 | resource "aws_lambda_function" "connect_db" {
		276 | 
		277 |   description      = "SSH to the DB EC2"
		278 |   function_name    = "connectDBFunction"
		279 |   role             = aws_iam_role.backup_lambda.arn
		280 |   handler          = "ssh/dbconnect.handler"
		281 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		282 |   runtime          = "nodejs18.x"
		283 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		284 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		285 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		286 |   memory_size      = 128
		287 |   timeout          = 900
		288 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		289 | 
		290 | 
		291 | 
		292 |   environment {
		293 |     variables = {
		294 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		295 | 
		296 |     }
		297 |   }
		298 |   vpc_config {
		299 |     security_group_ids = [aws_security_group.backup_lambda.id]
		300 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		301 |   }
		302 |   tags = merge(
		303 |     local.tags,
		304 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		305 |   )
		306 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.connect_db
	File: /lambda.tf:275-306
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		275 | resource "aws_lambda_function" "connect_db" {
		276 | 
		277 |   description      = "SSH to the DB EC2"
		278 |   function_name    = "connectDBFunction"
		279 |   role             = aws_iam_role.backup_lambda.arn
		280 |   handler          = "ssh/dbconnect.handler"
		281 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		282 |   runtime          = "nodejs18.x"
		283 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		284 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		285 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		286 |   memory_size      = 128
		287 |   timeout          = 900
		288 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		289 | 
		290 | 
		291 | 
		292 |   environment {
		293 |     variables = {
		294 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		295 | 
		296 |     }
		297 |   }
		298 |   vpc_config {
		299 |     security_group_ids = [aws_security_group.backup_lambda.id]
		300 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		301 |   }
		302 |   tags = merge(
		303 |     local.tags,
		304 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		305 |   )
		306 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: module.alb.aws_secretsmanager_secret.cloudfront
	File: /modules/alb/main.tf:275-278
	Calling File: /alb.tf:27-163
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		275 | resource "aws_secretsmanager_secret" "cloudfront" {
		276 |   name        = "cloudfront-v1-secret-${var.application_name}"
		277 |   description = "Simple secret created by AWS CloudFormation to be shared between ALB and CloudFront"
		278 | }

Check: CKV_AWS_378: "Ensure AWS Load Balancer doesn't use HTTP protocol"
	FAILED for resource: module.alb.aws_lb_target_group.alb_target_group
	File: /modules/alb/main.tf:346-373
	Calling File: /alb.tf:27-163

		346 | resource "aws_lb_target_group" "alb_target_group" {
		347 |   name                 = "${var.application_name}-alb-tg"
		348 |   port                 = var.target_group_port
		349 |   protocol             = var.target_group_protocol
		350 |   vpc_id               = var.vpc_id
		351 |   deregistration_delay = var.target_group_deregistration_delay
		352 |   health_check {
		353 |     interval            = var.healthcheck_interval
		354 |     path                = var.healthcheck_path
		355 |     protocol            = var.healthcheck_protocol
		356 |     timeout             = var.healthcheck_timeout
		357 |     healthy_threshold   = var.healthcheck_healthy_threshold
		358 |     unhealthy_threshold = var.healthcheck_unhealthy_threshold
		359 |   }
		360 |   stickiness {
		361 |     enabled         = var.stickiness_enabled
		362 |     type            = var.stickiness_type
		363 |     cookie_duration = var.stickiness_cookie_duration
		364 |   }
		365 | 
		366 |   tags = merge(
		367 |     var.tags,
		368 |     {
		369 |       Name = "${var.application_name}-alb-tg"
		370 |     },
		371 |   )
		372 | 
		373 | }

Check: CKV_AWS_233: "Ensure Create before destroy for ACM certificates"
	FAILED for resource: module.alb.aws_acm_certificate.external_lb
	File: /modules/alb/main.tf:427-437
	Calling File: /alb.tf:27-163
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-acm-certificate-enables-create-before-destroy

		427 | resource "aws_acm_certificate" "external_lb" {
		428 | 
		429 |   domain_name               = var.acm_cert_domain_name
		430 |   validation_method         = "DNS"
		431 |   subject_alternative_names = var.environment == "production" ? null : ["${var.application_name}.${var.business_unit}-${var.environment}.${var.acm_cert_domain_name}"]
		432 |   tags                      = var.tags
		433 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		434 |   lifecycle {
		435 |     prevent_destroy = false
		436 |   }
		437 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.alb.s3-bucket[0]
	File: /modules/alb/main.tf:96-151
	Calling File: /alb.tf:27-163
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_300: "Ensure S3 lifecycle configuration sets period for aborting failed uploads"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket_lifecycle_configuration.report_lifecycle
	File: /modules/codebuild/main.tf:25-39
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-300

		25 | resource "aws_s3_bucket_lifecycle_configuration" "report_lifecycle" {
		26 |   bucket = aws_s3_bucket.deployment_report.id
		27 | 
		28 |   rule {
		29 |     id = "monthly-expiration"
		30 |     expiration {
		31 |       days = var.s3_lifecycle_expiration_days
		32 |     }
		33 |     noncurrent_version_expiration {
		34 |       noncurrent_days = var.s3_lifecycle_noncurr_version_expiration_days
		35 |     }
		36 | 
		37 |     status = "Enabled"
		38 |   }
		39 | }

Check: CKV_AWS_163: "Ensure ECR image scanning on push is enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_ecr_repository.local-ecr
	File: /modules/codebuild/main.tf:52-66
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-8

		52 | resource "aws_ecr_repository" "local-ecr" {
		53 |   name                 = "${var.app_name}-local-ecr"
		54 |   image_tag_mutability = "MUTABLE"
		55 | 
		56 |   image_scanning_configuration {
		57 |     scan_on_push = false
		58 |   }
		59 | 
		60 |   tags = merge(
		61 |     var.tags,
		62 |     {
		63 |       Name = "${var.app_name}-local-ecr"
		64 |     },
		65 |   )
		66 | }

Check: CKV_AWS_51: "Ensure ECR Image Tags are immutable"
	FAILED for resource: module.apex-ecr-codebuild.aws_ecr_repository.local-ecr
	File: /modules/codebuild/main.tf:52-66
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-24

		52 | resource "aws_ecr_repository" "local-ecr" {
		53 |   name                 = "${var.app_name}-local-ecr"
		54 |   image_tag_mutability = "MUTABLE"
		55 | 
		56 |   image_scanning_configuration {
		57 |     scan_on_push = false
		58 |   }
		59 | 
		60 |   tags = merge(
		61 |     var.tags,
		62 |     {
		63 |       Name = "${var.app_name}-local-ecr"
		64 |     },
		65 |   )
		66 | }

Check: CKV_AWS_136: "Ensure that ECR repositories are encrypted using KMS"
	FAILED for resource: module.apex-ecr-codebuild.aws_ecr_repository.local-ecr
	File: /modules/codebuild/main.tf:52-66
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ecr-repositories-are-encrypted

		52 | resource "aws_ecr_repository" "local-ecr" {
		53 |   name                 = "${var.app_name}-local-ecr"
		54 |   image_tag_mutability = "MUTABLE"
		55 | 
		56 |   image_scanning_configuration {
		57 |     scan_on_push = false
		58 |   }
		59 | 
		60 |   tags = merge(
		61 |     var.tags,
		62 |     {
		63 |       Name = "${var.app_name}-local-ecr"
		64 |     },
		65 |   )
		66 | }

Check: CKV_AWS_314: "Ensure CodeBuild project environments have a logging configuration"
	FAILED for resource: module.apex-ecr-codebuild.aws_codebuild_project.app-build
	File: /modules/codebuild/main.tf:163-229
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-314

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_316: "Ensure CodeBuild project environments do not have privileged mode enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_codebuild_project.app-build
	File: /modules/codebuild/main.tf:163-229
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-316

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_314: "Ensure CodeBuild project environments have a logging configuration"
	FAILED for resource: module.apex-ecr-codebuild.aws_codebuild_project.test-build
	File: /modules/codebuild/main.tf:231-280
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-314

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: module.apex-ecs.aws_launch_template.ec2-launch-template
	File: /modules/ecs/main.tf:107-164
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_341: "Ensure Launch template should not have a metadata response hop limit greater than 1"
	FAILED for resource: module.apex-ecs.aws_launch_template.ec2-launch-template
	File: /modules/ecs/main.tf:107-164
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-341

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: module.apex-ecs.aws_iam_policy.ec2_instance_policy
	File: /modules/ecs/main.tf:204-237
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		204 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		205 |   name = "${var.app_name}-ec2-instance-policy"
		206 |   tags = merge(
		207 |     var.tags_common,
		208 |     {
		209 |       Name = "${var.app_name}-ec2-instance-policy"
		210 |     }
		211 |   )
		212 |   policy = <<EOF
		213 | {
		214 |     "Version": "2012-10-17",
		215 |     "Statement": [
		216 |         {
		217 |             "Action": [
		218 |                 "ecs:CreateCluster",
		219 |                 "ecs:DeregisterContainerInstance",
		220 |                 "ecs:DiscoverPollEndpoint",
		221 |                 "ecs:Poll",
		222 |                 "ecs:RegisterContainerInstance",
		223 |                 "ecs:StartTelemetrySession",
		224 |                 "ecs:Submit*",
		225 |                 "logs:CreateLogGroup",
		226 |                 "logs:CreateLogStream",
		227 |                 "logs:PutLogEvents",
		228 |                 "logs:DescribeLogStreams",
		229 |                 "ecr:*"
		230 |             ],
		231 |             "Resource": "*",
		232 |             "Effect": "Allow"
		233 |         }
		234 |     ]
		235 | }
		236 | EOF
		237 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.apex-ecs.aws_iam_policy.ec2_instance_policy
	File: /modules/ecs/main.tf:204-237
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		204 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		205 |   name = "${var.app_name}-ec2-instance-policy"
		206 |   tags = merge(
		207 |     var.tags_common,
		208 |     {
		209 |       Name = "${var.app_name}-ec2-instance-policy"
		210 |     }
		211 |   )
		212 |   policy = <<EOF
		213 | {
		214 |     "Version": "2012-10-17",
		215 |     "Statement": [
		216 |         {
		217 |             "Action": [
		218 |                 "ecs:CreateCluster",
		219 |                 "ecs:DeregisterContainerInstance",
		220 |                 "ecs:DiscoverPollEndpoint",
		221 |                 "ecs:Poll",
		222 |                 "ecs:RegisterContainerInstance",
		223 |                 "ecs:StartTelemetrySession",
		224 |                 "ecs:Submit*",
		225 |                 "logs:CreateLogGroup",
		226 |                 "logs:CreateLogStream",
		227 |                 "logs:PutLogEvents",
		228 |                 "logs:DescribeLogStreams",
		229 |                 "ecr:*"
		230 |             ],
		231 |             "Resource": "*",
		232 |             "Effect": "Allow"
		233 |         }
		234 |     ]
		235 | }
		236 | EOF
		237 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: module.apex-ecs.aws_iam_policy.ec2_instance_policy
	File: /modules/ecs/main.tf:204-237
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		204 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		205 |   name = "${var.app_name}-ec2-instance-policy"
		206 |   tags = merge(
		207 |     var.tags_common,
		208 |     {
		209 |       Name = "${var.app_name}-ec2-instance-policy"
		210 |     }
		211 |   )
		212 |   policy = <<EOF
		213 | {
		214 |     "Version": "2012-10-17",
		215 |     "Statement": [
		216 |         {
		217 |             "Action": [
		218 |                 "ecs:CreateCluster",
		219 |                 "ecs:DeregisterContainerInstance",
		220 |                 "ecs:DiscoverPollEndpoint",
		221 |                 "ecs:Poll",
		222 |                 "ecs:RegisterContainerInstance",
		223 |                 "ecs:StartTelemetrySession",
		224 |                 "ecs:Submit*",
		225 |                 "logs:CreateLogGroup",
		226 |                 "logs:CreateLogStream",
		227 |                 "logs:PutLogEvents",
		228 |                 "logs:DescribeLogStreams",
		229 |                 "ecr:*"
		230 |             ],
		231 |             "Resource": "*",
		232 |             "Effect": "Allow"
		233 |         }
		234 |     ]
		235 | }
		236 | EOF
		237 | }

Check: CKV_AWS_249: "Ensure that the Execution Role ARN and the Task Role ARN are different in ECS Task definitions"
	FAILED for resource: module.apex-ecs.aws_ecs_task_definition.windows_ecs_task_definition
	File: /modules/ecs/main.tf:266-287
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-the-aws-execution-role-arn-and-task-role-arn-are-different-in-ecs-task-definitions

		266 | resource "aws_ecs_task_definition" "windows_ecs_task_definition" {
		267 |   family             = "${var.app_name}-task-definition"
		268 |   count              = var.container_instance_type == "windows" ? 1 : 0
		269 |   execution_role_arn = aws_iam_role.ecs_task_execution_role.arn # grants the Amazon ECS container agents permission to make AWS API calls on your behalf
		270 |   task_role_arn      = aws_iam_role.ecs_task_execution_role.arn # assumed by the containers running in the task, allowing your application code (on the container) to use other AWS services
		271 |   requires_compatibilities = [
		272 |     "EC2",
		273 |   ]
		274 | 
		275 |   # volume {
		276 |   #   name = var.task_definition_volume
		277 |   # }
		278 | 
		279 |   container_definitions = var.task_definition
		280 | 
		281 |   tags = merge(
		282 |     var.tags_common,
		283 |     {
		284 |       Name = "${var.app_name}-windows-task-definition"
		285 |     }
		286 |   )
		287 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.apex-ecs.aws_iam_policy.ecs_service
	File: /modules/ecs/main.tf:439-467
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		439 | resource "aws_iam_policy" "ecs_service" { #tfsec:ignore:aws-iam-no-policy-wildcards
		440 |   name = "${var.app_name}-ecs-service-policy"
		441 |   tags = merge(
		442 |     var.tags_common,
		443 |     {
		444 |       Name = "${var.app_name}-ecs-service-policy"
		445 |     }
		446 |   )
		447 |   policy = <<EOF
		448 | {
		449 |   "Version": "2012-10-17",
		450 |   "Statement": [
		451 |     {
		452 |       "Effect": "Allow",
		453 |       "Action": [
		454 |         "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
		455 |         "elasticloadbalancing:DeregisterTargets",
		456 |         "elasticloadbalancing:Describe*",
		457 |         "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
		458 |         "elasticloadbalancing:RegisterTargets",
		459 |         "ec2:Describe*",
		460 |         "ec2:AuthorizeSecurityGroupIngress"
		461 |       ],
		462 |       "Resource": ["*"]
		463 |     }
		464 |   ]
		465 | }
		466 | EOF
		467 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: module.apex-ecs.aws_iam_policy.ecs_service
	File: /modules/ecs/main.tf:439-467
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		439 | resource "aws_iam_policy" "ecs_service" { #tfsec:ignore:aws-iam-no-policy-wildcards
		440 |   name = "${var.app_name}-ecs-service-policy"
		441 |   tags = merge(
		442 |     var.tags_common,
		443 |     {
		444 |       Name = "${var.app_name}-ecs-service-policy"
		445 |     }
		446 |   )
		447 |   policy = <<EOF
		448 | {
		449 |   "Version": "2012-10-17",
		450 |   "Statement": [
		451 |     {
		452 |       "Effect": "Allow",
		453 |       "Action": [
		454 |         "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
		455 |         "elasticloadbalancing:DeregisterTargets",
		456 |         "elasticloadbalancing:Describe*",
		457 |         "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
		458 |         "elasticloadbalancing:RegisterTargets",
		459 |         "ec2:Describe*",
		460 |         "ec2:AuthorizeSecurityGroupIngress"
		461 |       ],
		462 |       "Resource": ["*"]
		463 |     }
		464 |   ]
		465 | }
		466 | EOF
		467 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: module.apex-ecs.aws_cloudwatch_log_group.cloudwatch_group
	File: /modules/ecs/main.tf:488-499
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		488 | resource "aws_cloudwatch_log_group" "cloudwatch_group" {
		489 |   #checkov:skip=CKV_AWS_158:Temporarily skip KMS encryption check while logging solution is being updated
		490 |   name              = "${var.app_name}-ecs-container-logs"
		491 |   retention_in_days = 90
		492 |   kms_key_id        = var.log_group_kms_key
		493 |   tags = merge(
		494 |     var.tags_common,
		495 |     {
		496 |       Name = "${var.app_name}-ecs-container-logs"
		497 |     }
		498 |   )
		499 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: module.apex-ecs.aws_cloudwatch_log_group.ec2
	File: /modules/ecs/main.tf:506-516
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		506 | resource "aws_cloudwatch_log_group" "ec2" {
		507 |   name              = "${var.app_name}-ecs-ec2-logs"
		508 |   retention_in_days = 90
		509 |   kms_key_id        = var.log_group_kms_key
		510 |   tags = merge(
		511 |     var.tags_common,
		512 |     {
		513 |       Name = "${var.app_name}-ecs-ec2-logs"
		514 |     }
		515 |   )
		516 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy.backuplambdapolicy
	File: /modules/lambdapolicy/main.tf:21-58
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		22 |   name   = var.backup_policy_name
		23 |   tags   = var.tags
		24 |   policy = <<EOF
		25 | {
		26 |     "Version" : "2012-10-17",
		27 |     "Statement": [
		28 |         {
		29 |             "Action": [
		30 |                 "lambda:InvokeFunction",
		31 |                 "ec2:CreateNetworkInterface",
		32 |                 "ec2:DescribeNetworkInterfaces",
		33 |                 "ec2:DeleteNetworkInterface",
		34 |                 "ec2:DescribeSecurityGroups",
		35 |                 "ec2:CreateSnapshot",
		36 |                 "ec2:DeleteSnapshot",
		37 |                 "ec2:DescribeSubnets",
		38 |                 "ec2:DescribeVpcs",
		39 |                 "ec2:DescribeInstances",
		40 |                 "ec2:DescribeAddresses",
		41 |                 "ec2:DescribeInstanceStatus",
		42 |                 "ec2:DescribeVolumes",
		43 |                 "ec2:DescribeSnapshots",
		44 |                 "ec2:CreateTags",
		45 |                 "s3:*",
		46 |                 "ssm:*",
		47 |                 "ses:*",
		48 |                 "logs:*",
		49 |                 "cloudwatch:*",
		50 |                 "sts:AssumeRole"
		51 |             ],
		52 |             "Resource": "*",
		53 |             "Effect": "Allow"
		54 |         }
		55 |     ]
		56 | }
		57 | EOF
		58 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.backuplambdapolicy
	File: /modules/lambdapolicy/main.tf:21-58
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		22 |   name   = var.backup_policy_name
		23 |   tags   = var.tags
		24 |   policy = <<EOF
		25 | {
		26 |     "Version" : "2012-10-17",
		27 |     "Statement": [
		28 |         {
		29 |             "Action": [
		30 |                 "lambda:InvokeFunction",
		31 |                 "ec2:CreateNetworkInterface",
		32 |                 "ec2:DescribeNetworkInterfaces",
		33 |                 "ec2:DeleteNetworkInterface",
		34 |                 "ec2:DescribeSecurityGroups",
		35 |                 "ec2:CreateSnapshot",
		36 |                 "ec2:DeleteSnapshot",
		37 |                 "ec2:DescribeSubnets",
		38 |                 "ec2:DescribeVpcs",
		39 |                 "ec2:DescribeInstances",
		40 |                 "ec2:DescribeAddresses",
		41 |                 "ec2:DescribeInstanceStatus",
		42 |                 "ec2:DescribeVolumes",
		43 |                 "ec2:DescribeSnapshots",
		44 |                 "ec2:CreateTags",
		45 |                 "s3:*",
		46 |                 "ssm:*",
		47 |                 "ses:*",
		48 |                 "logs:*",
		49 |                 "cloudwatch:*",
		50 |                 "sts:AssumeRole"
		51 |             ],
		52 |             "Resource": "*",
		53 |             "Effect": "Allow"
		54 |         }
		55 |     ]
		56 | }
		57 | EOF
		58 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.backuplambdapolicy
	File: /modules/lambdapolicy/main.tf:21-58
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		22 |   name   = var.backup_policy_name
		23 |   tags   = var.tags
		24 |   policy = <<EOF
		25 | {
		26 |     "Version" : "2012-10-17",
		27 |     "Statement": [
		28 |         {
		29 |             "Action": [
		30 |                 "lambda:InvokeFunction",
		31 |                 "ec2:CreateNetworkInterface",
		32 |                 "ec2:DescribeNetworkInterfaces",
		33 |                 "ec2:DeleteNetworkInterface",
		34 |                 "ec2:DescribeSecurityGroups",
		35 |                 "ec2:CreateSnapshot",
		36 |                 "ec2:DeleteSnapshot",
		37 |                 "ec2:DescribeSubnets",
		38 |                 "ec2:DescribeVpcs",
		39 |                 "ec2:DescribeInstances",
		40 |                 "ec2:DescribeAddresses",
		41 |                 "ec2:DescribeInstanceStatus",
		42 |                 "ec2:DescribeVolumes",
		43 |                 "ec2:DescribeSnapshots",
		44 |                 "ec2:CreateTags",
		45 |                 "s3:*",
		46 |                 "ssm:*",
		47 |                 "ses:*",
		48 |                 "logs:*",
		49 |                 "cloudwatch:*",
		50 |                 "sts:AssumeRole"
		51 |             ],
		52 |             "Resource": "*",
		53 |             "Effect": "Allow"
		54 |         }
		55 |     ]
		56 | }
		57 | EOF
		58 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_policy.backuplambdapolicy
	File: /modules/lambdapolicy/main.tf:21-58
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		22 |   name   = var.backup_policy_name
		23 |   tags   = var.tags
		24 |   policy = <<EOF
		25 | {
		26 |     "Version" : "2012-10-17",
		27 |     "Statement": [
		28 |         {
		29 |             "Action": [
		30 |                 "lambda:InvokeFunction",
		31 |                 "ec2:CreateNetworkInterface",
		32 |                 "ec2:DescribeNetworkInterfaces",
		33 |                 "ec2:DeleteNetworkInterface",
		34 |                 "ec2:DescribeSecurityGroups",
		35 |                 "ec2:CreateSnapshot",
		36 |                 "ec2:DeleteSnapshot",
		37 |                 "ec2:DescribeSubnets",
		38 |                 "ec2:DescribeVpcs",
		39 |                 "ec2:DescribeInstances",
		40 |                 "ec2:DescribeAddresses",
		41 |                 "ec2:DescribeInstanceStatus",
		42 |                 "ec2:DescribeVolumes",
		43 |                 "ec2:DescribeSnapshots",
		44 |                 "ec2:CreateTags",
		45 |                 "s3:*",
		46 |                 "ssm:*",
		47 |                 "ses:*",
		48 |                 "logs:*",
		49 |                 "cloudwatch:*",
		50 |                 "sts:AssumeRole"
		51 |             ],
		52 |             "Resource": "*",
		53 |             "Effect": "Allow"
		54 |         }
		55 |     ]
		56 | }
		57 | EOF
		58 | }

Check: CKV_AWS_287: "Ensure IAM policies does not allow credentials exposure"
	FAILED for resource: aws_iam_policy.backuplambdapolicy
	File: /modules/lambdapolicy/main.tf:21-58
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-287

		21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		22 |   name   = var.backup_policy_name
		23 |   tags   = var.tags
		24 |   policy = <<EOF
		25 | {
		26 |     "Version" : "2012-10-17",
		27 |     "Statement": [
		28 |         {
		29 |             "Action": [
		30 |                 "lambda:InvokeFunction",
		31 |                 "ec2:CreateNetworkInterface",
		32 |                 "ec2:DescribeNetworkInterfaces",
		33 |                 "ec2:DeleteNetworkInterface",
		34 |                 "ec2:DescribeSecurityGroups",
		35 |                 "ec2:CreateSnapshot",
		36 |                 "ec2:DeleteSnapshot",
		37 |                 "ec2:DescribeSubnets",
		38 |                 "ec2:DescribeVpcs",
		39 |                 "ec2:DescribeInstances",
		40 |                 "ec2:DescribeAddresses",
		41 |                 "ec2:DescribeInstanceStatus",
		42 |                 "ec2:DescribeVolumes",
		43 |                 "ec2:DescribeSnapshots",
		44 |                 "ec2:CreateTags",
		45 |                 "s3:*",
		46 |                 "ssm:*",
		47 |                 "ses:*",
		48 |                 "logs:*",
		49 |                 "cloudwatch:*",
		50 |                 "sts:AssumeRole"
		51 |             ],
		52 |             "Resource": "*",
		53 |             "Effect": "Allow"
		54 |         }
		55 |     ]
		56 | }
		57 | EOF
		58 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.apex
	File: /sns.tf:6-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		6  | resource "aws_sns_topic" "apex" {
		7  |   name = "${local.application_name}-${local.environment}-alerting-topic"
		8  |   tags = merge(
		9  |     local.tags,
		10 |     {
		11 |       Name = "${local.application_name}-${local.environment}-alerting-topic"
		12 |     }
		13 |   )
		14 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: pagerduty_core_alerts
	File: /sns.tf:34-41
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		34 | module "pagerduty_core_alerts" {
		35 |   depends_on = [
		36 |     aws_sns_topic.apex
		37 |   ]
		38 |   source                    = "github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0"
		39 |   sns_topics                = [aws_sns_topic.apex.name]
		40 |   pagerduty_integration_key = local.pagerduty_integration_keys[local.pagerduty_integration_key_name]
		41 | }
Check: CKV_AWS_176: "Ensure Logging is enabled for WAF Web Access Control Lists"
	FAILED for resource: aws_waf_web_acl.waf_acl
	File: /waf.tf:57-87
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-31

		57 | resource "aws_waf_web_acl" "waf_acl" {
		58 |   depends_on = [
		59 |     aws_waf_rule.wafmanualallowrule,
		60 |     aws_waf_rule.wafmanualblockrule,
		61 |   ]
		62 |   name        = "${upper(local.application_name)} Whitelisting Requesters"
		63 |   metric_name = "${upper(local.application_name)}WhitelistingRequesters"
		64 |   #   scope    = "CLOUDFRONT"
		65 |   #   provider = aws.us-east-1
		66 |   default_action {
		67 |     type = "BLOCK"
		68 |   }
		69 | 
		70 |   rules {
		71 |     action {
		72 |       type = "ALLOW"
		73 |     }
		74 |     priority = 1
		75 |     rule_id  = aws_waf_rule.wafmanualallowrule.id
		76 |     type     = "REGULAR"
		77 |   }
		78 | 
		79 |   rules {
		80 |     action {
		81 |       type = "BLOCK"
		82 |     }
		83 |     priority = 2
		84 |     rule_id  = aws_waf_rule.wafmanualblockrule.id
		85 |     type     = "REGULAR"
		86 |   }
		87 | }

Check: CKV2_AWS_47: "Ensure AWS CloudFront attached WAFv2 WebACL is configured with AMR for Log4j Vulnerability"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:177-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-47

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: module.alb.aws_secretsmanager_secret.cloudfront
	File: /modules/alb/main.tf:275-278
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		275 | resource "aws_secretsmanager_secret" "cloudfront" {
		276 |   name        = "cloudfront-v1-secret-${var.application_name}"
		277 |   description = "Simple secret created by AWS CloudFormation to be shared between ALB and CloudFront"
		278 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.cloudfront
	File: /cloudfront.tf:109-122
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		109 | resource "aws_s3_bucket" "cloudfront" {
		110 |   bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		111 |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		112 |   tags = merge(
		113 |     local.tags,
		114 |     {
		115 |       Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		116 |     }
		117 |   )
		118 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		119 |   lifecycle {
		120 |     prevent_destroy = false
		121 |   }
		122 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:107-113
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		107 | resource "aws_s3_bucket" "backup_lambda" {
		108 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		109 |   tags = merge(
		110 |     local.tags,
		111 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		112 |   )
		113 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
	File: /modules/codebuild/main.tf:5-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		5  | resource "aws_s3_bucket" "deployment_report" {
		6  |   bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		7  |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		8  |   tags = merge(
		9  |     var.tags,
		10 |     {
		11 |       Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		12 |     },
		13 |   )
		14 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.laa-lambda-backup
	File: /modules/s3/main.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		1 | resource "aws_s3_bucket" "laa-lambda-backup" {
		2 |   bucket = var.bucket_name
		3 |   tags   = var.tags
		4 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.cloudfront
	File: /cloudfront.tf:109-122
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		109 | resource "aws_s3_bucket" "cloudfront" {
		110 |   bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		111 |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		112 |   tags = merge(
		113 |     local.tags,
		114 |     {
		115 |       Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		116 |     }
		117 |   )
		118 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		119 |   lifecycle {
		120 |     prevent_destroy = false
		121 |   }
		122 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:107-113
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		107 | resource "aws_s3_bucket" "backup_lambda" {
		108 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		109 |   tags = merge(
		110 |     local.tags,
		111 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		112 |   )
		113 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
	File: /modules/codebuild/main.tf:5-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		5  | resource "aws_s3_bucket" "deployment_report" {
		6  |   bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		7  |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		8  |   tags = merge(
		9  |     var.tags,
		10 |     {
		11 |       Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		12 |     },
		13 |   )
		14 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.laa-lambda-backup
	File: /modules/s3/main.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		1 | resource "aws_s3_bucket" "laa-lambda-backup" {
		2 |   bucket = var.bucket_name
		3 |   tags   = var.tags
		4 | }

Check: CKV2_AWS_32: "Ensure CloudFront distribution has a response headers policy attached"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:177-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/bc-aws-networking-65

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AWS_18: "Ensure that Elastic File System (Amazon EFS) file systems are added in the backup plans of AWS Backup"
	FAILED for resource: aws_efs_file_system.efs
	File: /efs.tf:41-55
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-elastic-file-system-amazon-efs-file-systems-are-added-in-the-backup-plans-of-aws-backup

		41 | resource "aws_efs_file_system" "efs" {
		42 |   encrypted        = true
		43 |   kms_key_id       = aws_kms_key.efs.arn
		44 |   performance_mode = "maxIO"
		45 |   throughput_mode  = "bursting"
		46 | 
		47 |   tags = merge(
		48 |     local.tags,
		49 |     { "Name" = "mp-${local.application_name}-efs" }
		50 |   )
		51 | 
		52 |   lifecycle_policy {
		53 |     transition_to_ia = "AFTER_90_DAYS"
		54 |   }
		55 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.cloudfront
	File: /cloudfront.tf:109-122
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		109 | resource "aws_s3_bucket" "cloudfront" {
		110 |   bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		111 |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		112 |   tags = merge(
		113 |     local.tags,
		114 |     {
		115 |       Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		116 |     }
		117 |   )
		118 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		119 |   lifecycle {
		120 |     prevent_destroy = false
		121 |   }
		122 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:107-113
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		107 | resource "aws_s3_bucket" "backup_lambda" {
		108 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		109 |   tags = merge(
		110 |     local.tags,
		111 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		112 |   )
		113 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
	File: /modules/codebuild/main.tf:5-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		5  | resource "aws_s3_bucket" "deployment_report" {
		6  |   bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		7  |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		8  |   tags = merge(
		9  |     var.tags,
		10 |     {
		11 |       Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		12 |     },
		13 |   )
		14 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.laa-lambda-backup
	File: /modules/s3/main.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		1 | resource "aws_s3_bucket" "laa-lambda-backup" {
		2 |   bucket = var.bucket_name
		3 |   tags   = var.tags
		4 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.cloudfront
	File: /cloudfront.tf:109-122
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		109 | resource "aws_s3_bucket" "cloudfront" {
		110 |   bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		111 |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		112 |   tags = merge(
		113 |     local.tags,
		114 |     {
		115 |       Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		116 |     }
		117 |   )
		118 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		119 |   lifecycle {
		120 |     prevent_destroy = false
		121 |   }
		122 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:107-113
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		107 | resource "aws_s3_bucket" "backup_lambda" {
		108 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		109 |   tags = merge(
		110 |     local.tags,
		111 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		112 |   )
		113 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
	File: /modules/codebuild/main.tf:5-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		5  | resource "aws_s3_bucket" "deployment_report" {
		6  |   bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		7  |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		8  |   tags = merge(
		9  |     var.tags,
		10 |     {
		11 |       Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		12 |     },
		13 |   )
		14 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.laa-lambda-backup
	File: /modules/s3/main.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		1 | resource "aws_s3_bucket" "laa-lambda-backup" {
		2 |   bucket = var.bucket_name
		3 |   tags   = var.tags
		4 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.u01-orahome
	File: /ec2.tf:169-184
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		169 | resource "aws_ebs_volume" "u01-orahome" {
		170 |   availability_zone = "eu-west-2a"
		171 |   size              = local.application_data.accounts[local.environment].u01_orahome_size
		172 |   type              = "gp3"
		173 |   encrypted         = true
		174 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		175 |   snapshot_id       = local.application_data.accounts[local.environment].u01_orahome_snapshot
		176 |   lifecycle {
		177 |     ignore_changes = [kms_key_id]
		178 |   }
		179 |   tags = merge(
		180 |     local.tags,
		181 |     { "Name" = "${local.application_name}db-ec2-u01-orahome" },
		182 |     { "backup" = "false" }
		183 |   )
		184 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.u02-oradata
	File: /ec2.tf:191-206
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		191 | resource "aws_ebs_volume" "u02-oradata" {
		192 |   availability_zone = "eu-west-2a"
		193 |   size              = local.application_data.accounts[local.environment].u02_oradata_size
		194 |   type              = "gp3"
		195 |   encrypted         = true
		196 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		197 |   snapshot_id       = local.application_data.accounts[local.environment].u02_oradata_snapshot
		198 |   lifecycle {
		199 |     ignore_changes = [kms_key_id]
		200 |   }
		201 |   tags = merge(
		202 |     local.tags,
		203 |     { "Name" = "${local.application_name}db-ec2-u02-oradata" },
		204 |     { "backup" = "false" }
		205 |   )
		206 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.u03-redo
	File: /ec2.tf:216-231
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		216 | resource "aws_ebs_volume" "u03-redo" {
		217 |   availability_zone = "eu-west-2a"
		218 |   size              = local.application_data.accounts[local.environment].u03_redo_size
		219 |   type              = "gp3"
		220 |   encrypted         = true
		221 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		222 |   snapshot_id       = local.application_data.accounts[local.environment].u03_redo_snapshot
		223 |   lifecycle {
		224 |     ignore_changes = [kms_key_id]
		225 |   }
		226 |   tags = merge(
		227 |     local.tags,
		228 |     { "Name" = "${local.application_name}db-ec2-u03-redo" },
		229 |     { "backup" = "false" }
		230 |   )
		231 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.u04-arch
	File: /ec2.tf:238-253
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		238 | resource "aws_ebs_volume" "u04-arch" {
		239 |   availability_zone = "eu-west-2a"
		240 |   size              = local.application_data.accounts[local.environment].u04_arch_size
		241 |   type              = "gp3"
		242 |   encrypted         = true
		243 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		244 |   snapshot_id       = local.application_data.accounts[local.environment].u04_arch_snapshot
		245 |   lifecycle {
		246 |     ignore_changes = [kms_key_id]
		247 |   }
		248 |   tags = merge(
		249 |     local.tags,
		250 |     { "Name" = "${local.application_name}db-ec2-u04-arch" },
		251 |     { "backup" = "false" }
		252 |   )
		253 | }

Check: CKV2_AWS_65: "Ensure access control lists for S3 buckets are disabled"
	FAILED for resource: aws_s3_bucket_ownership_controls.backup_lambda
	File: /lambda.tf:130-135
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-112

		130 | resource "aws_s3_bucket_ownership_controls" "backup_lambda" {
		131 |   bucket = aws_s3_bucket.backup_lambda.id
		132 |   rule {
		133 |     object_ownership = "ObjectWriter"
		134 |   }
		135 | }

Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
	File: /modules/codebuild/main.tf:5-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		5  | resource "aws_s3_bucket" "deployment_report" {
		6  |   bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		7  |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		8  |   tags = merge(
		9  |     var.tags,
		10 |     {
		11 |       Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		12 |     },
		13 |   )
		14 | }

Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.cloudfront
	File: /cloudfront.tf:109-122
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		109 | resource "aws_s3_bucket" "cloudfront" {
		110 |   bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		111 |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		112 |   tags = merge(
		113 |     local.tags,
		114 |     {
		115 |       Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		116 |     }
		117 |   )
		118 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		119 |   lifecycle {
		120 |     prevent_destroy = false
		121 |   }
		122 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:107-113
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		107 | resource "aws_s3_bucket" "backup_lambda" {
		108 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		109 |   tags = merge(
		110 |     local.tags,
		111 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		112 |   )
		113 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.laa-lambda-backup
	File: /modules/s3/main.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		1 | resource "aws_s3_bucket" "laa-lambda-backup" {
		2 |   bucket = var.bucket_name
		3 |   tags   = var.tags
		4 | }

Check: CKV2_AWS_46: "Ensure AWS CloudFront Distribution with S3 have Origin Access set to enabled"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:177-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-aws-cloudfromt-distribution-with-s3-have-origin-access-set-to-enabled

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
terraform_plan scan results:

Passed checks: 0, Failed checks: 0, Skipped checks: 0, Parsing errors: 1


checkov_exitcode=1
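Most of the Checkov findings above are the same seven S3 controls repeated for each plain `aws_s3_bucket` resource. The following is an added example (not code from this PR or from the modernisation-platform repository) showing what `aws_s3_bucket.backup_lambda` looks like once every flagged control is attached. It assumes a customer managed key `aws_kms_key.s3` and a separate log bucket `aws_s3_bucket.access_logs` already exist; both names are hypothetical.

```hcl
# Added example, not part of the PR. Hardened form of the bucket that
# Checkov flagged in lambda.tf:107-113. Assumes aws_kms_key.s3 and
# aws_s3_bucket.access_logs exist elsewhere in the module (hypothetical names).

resource "aws_s3_bucket" "backup_lambda" {
  # CKV_AWS_144: replication of a per-environment script bucket is a
  # deliberate non-goal; record the decision inline instead of silencing it.
  #checkov:skip=CKV_AWS_144:Backup script bucket, cross-region replication not required
  bucket = "${local.application_name}-${local.environment}-backup-lambda"
  tags = merge(
    local.tags,
    { Name = "${local.application_name}-${local.environment}-backup-lambda" }
  )
}

# CKV2_AWS_6: refuse public ACLs and public bucket policies outright.
resource "aws_s3_bucket_public_access_block" "backup_lambda" {
  bucket                  = aws_s3_bucket.backup_lambda.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# CKV2_AWS_65: disable ACLs. Access is then decided only by IAM and the
# bucket policy. Note that PutObject requests carrying any ACL other than
# bucket-owner-full-control are rejected once this is set.
resource "aws_s3_bucket_ownership_controls" "backup_lambda" {
  bucket = aws_s3_bucket.backup_lambda.id
  rule {
    object_ownership = "BucketOwnerEnforced"
  }
}

# CKV_AWS_145: SSE-KMS with a customer managed key rather than SSE-S3,
# so key policy and rotation are under the account's control.
resource "aws_s3_bucket_server_side_encryption_configuration" "backup_lambda" {
  bucket = aws_s3_bucket.backup_lambda.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"
      kms_master_key_id = aws_kms_key.s3.arn
    }
    bucket_key_enabled = true
  }
}

# CKV_AWS_21: versioning, so an overwritten or deleted DB script is recoverable.
resource "aws_s3_bucket_versioning" "backup_lambda" {
  bucket = aws_s3_bucket.backup_lambda.id
  versioning_configuration {
    status = "Enabled"
  }
}

# CKV_AWS_18: server access logs to a different bucket (never to itself).
resource "aws_s3_bucket_logging" "backup_lambda" {
  bucket        = aws_s3_bucket.backup_lambda.id
  target_bucket = aws_s3_bucket.access_logs.id
  target_prefix = "backup-lambda/"
}

# CKV2_AWS_61: lifecycle rules. Expire old versions and abandoned multipart
# uploads; depends_on avoids a race with versioning on first apply.
resource "aws_s3_bucket_lifecycle_configuration" "backup_lambda" {
  bucket     = aws_s3_bucket.backup_lambda.id
  depends_on = [aws_s3_bucket_versioning.backup_lambda]
  rule {
    id     = "expire-noncurrent-and-incomplete"
    status = "Enabled"
    filter {}
    noncurrent_version_expiration {
      noncurrent_days = 90
    }
    abort_incomplete_multipart_upload {
      days_after_initiation = 7
    }
  }
}

# CKV2_AWS_62: emit object events to EventBridge so writes to the
# script bucket can be alerted on.
resource "aws_s3_bucket_notification" "backup_lambda" {
  bucket      = aws_s3_bucket.backup_lambda.id
  eventbridge = true
}
```

The same set of companion resources applies to `aws_s3_bucket.cloudfront`, the two buckets in `modules/codebuild/main.tf` and `aws_s3_bucket.laa-lambda-backup` in `modules/s3/main.tf`. Two findings above are not fixed by adding resources: the CKV2_AWS_9 results are driven by the explicit `"backup" = "false"` tag on each Oracle EBS volume, which reads as an intentional opt-out and should be documented the same way as the inline skip shown here, and the CKV2_AWS_65 failure is caused by `object_ownership = "ObjectWriter"` in lambda.tf:130-135; when switching that to `BucketOwnerEnforced`, check that nothing uploading the DB scripts sets a canned ACL, or the upload will fail after the change.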

TFLint Scan Failed

Show Output
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/apex

*****************************

Running tflint in terraform/environments/apex
Excluding the following checks: terraform_unused_declarations
7 issue(s) found:

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/apex/alb.tf line 17:
  17:     "${local.application_data.accounts[local.environment].acm_cert_domain_name}" = {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/apex/alb.tf line 19:
  19:       zone_name = "${local.application_data.accounts[local.environment].acm_cert_domain_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "template" in `required_providers` (terraform_required_providers)

  on terraform/environments/apex/cloudwatch.tf line 401:
 401: data "template_file" "dashboard" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "local" in `required_providers` (terraform_required_providers)

  on terraform/environments/apex/ec2.tf line 42:
  42: data "local_file" "cloudwatch_agent" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/apex/event_triggers.tf line 22:
  22:   input = jsonencode({ "appname" : "${local.database_ec2_name}" })

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "time" in `required_providers` (terraform_required_providers)

  on terraform/environments/apex/lambda.tf line 125:
 125: resource "time_sleep" "wait_for_provision_files" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "archive" in `required_providers` (terraform_required_providers)

  on terraform/environments/apex/lambda.tf line 179:
 179: data "archive_file" "connect_db" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

tflint_exitcode=2
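The tflint warnings are two kinds: interpolation-only strings, and providers used without a version constraint. The second matters for supply-chain hygiene because an unpinned provider is whatever `terraform init` downloads that day. The following is an added example (not code from this PR) of a `required_providers` block covering the four providers tflint named, with the deprecated interpolations rewritten; the version ranges are assumptions to be matched against the lockfile.

```hcl
# Added example, not part of the PR. Version constraints are assumptions;
# align them with .terraform.lock.hcl before committing.
terraform {
  required_version = ">= 1.5"

  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
    # data "local_file" in ec2.tf line 42
    local = {
      source  = "hashicorp/local"
      version = "~> 2.4"
    }
    # resource "time_sleep" in lambda.tf line 125
    time = {
      source  = "hashicorp/time"
      version = "~> 0.12"
    }
    # data "archive_file" in lambda.tf line 179
    archive = {
      source  = "hashicorp/archive"
      version = "~> 2.4"
    }
    # No entry for "template": hashicorp/template is archived upstream and
    # data "template_file" in cloudwatch.tf line 401 is better replaced by
    # the built-in templatefile() function, which needs no provider at all.
  }
}

locals {
  # terraform_deprecated_interpolation: a bare expression, not "${...}".
  acm_cert_domain_name = local.application_data.accounts[local.environment].acm_cert_domain_name

  # alb.tf line 17 used the interpolated string as a map key. An expression
  # used as a key must be wrapped in parentheses.
  acm_validation = {
    (local.acm_cert_domain_name) = {
      zone_name = local.acm_cert_domain_name # alb.tf line 19, same fix
    }
  }

  # event_triggers.tf line 22: jsonencode already takes the value directly.
  db_trigger_input = jsonencode({ "appname" : local.database_ec2_name })

  # Replacement for data "template_file" "dashboard": the template file and
  # its variable names here are assumptions.
  dashboard_body = templatefile("${path.module}/dashboard.json.tftpl", {
    application_name = local.application_name
    environment      = local.environment
  })
}
```

`tflint --fix` rewrites the interpolation warnings automatically (they are marked `[Fixable]`); the provider constraints have to be added by hand. Once the `template` provider is gone, `terraform init -upgrade` regenerates the lockfile without it.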

Trivy Scan Failed

Show Output
*****************************

Trivy will check the following folders:
terraform/environments/apex

*****************************

Running Trivy in terraform/environments/apex
2024-11-28T15:35:03Z	INFO	[vulndb] Need to update DB
2024-11-28T15:35:03Z	INFO	[vulndb] Downloading vulnerability DB...
2024-11-28T15:35:03Z	INFO	[vulndb] Downloading artifact...	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-11-28T15:35:06Z	INFO	[vulndb] Artifact successfully downloaded	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-11-28T15:35:06Z	INFO	[vuln] Vulnerability scanning is enabled
2024-11-28T15:35:06Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-11-28T15:35:06Z	INFO	[misconfig] Need to update the built-in checks
2024-11-28T15:35:06Z	INFO	[misconfig] Downloading the built-in checks...
2024-11-28T15:35:06Z	ERROR	[misconfig] Falling back to embedded checks	err="failed to download built-in policies: download error: oci download error: failed to fetch the layer: GET https://ghcr.io/v2/aquasecurity/trivy-checks/blobs/sha256:16442a4593a0395452e678ef699a880eec94d9211dfc887d52574beb78b95030: TOOMANYREQUESTS: retry-after: 472.128µs, allowed: 44000/minute"
2024-11-28T15:35:06Z	INFO	[secret] Secret scanning is enabled
2024-11-28T15:35:06Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-11-28T15:35:06Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-11-28T15:35:08Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-11-28T15:35:08Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2024-11-28T15:35:08Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="aws_waf_ipset.wafmanualallowset" err="1 error occurred:\n\t* invalid for-each in aws_waf_ipset.wafmanualallowset.dynamic.ip_set_descriptors block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-28T15:35:08Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="aws_waf_ipset.wafmanualallowset" err="1 error occurred:\n\t* invalid for-each in aws_waf_ipset.wafmanualallowset.dynamic.ip_set_descriptors block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-28T15:35:08Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.aws_route53_record.external_lb_validation_core_network_services" value="cty.NilVal"
2024-11-28T15:35:08Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.aws_route53_record.external_lb_validation_core_vpc" value="cty.NilVal"
2024-11-28T15:35:08Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.aws_route53_record.external_lb_validation_self" value="cty.NilVal"
2024-11-28T15:35:08Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.data.aws_route53_zone.core_network_services" value="cty.NilVal"
2024-11-28T15:35:08Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.data.aws_route53_zone.core_vpc" value="cty.NilVal"
2024-11-28T15:35:08Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.data.aws_route53_zone.self" value="cty.NilVal"
2024-11-28T15:35:09Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.apex-ecs.aws_autoscaling_group.cluster-scaling-group" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.cluster-scaling-group.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-28T15:35:09Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.apex-ecs.aws_autoscaling_group.cluster-scaling-group" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.cluster-scaling-group.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-28T15:35:09Z	INFO	[terraform scanner] Scanning root module	file_path="modules/lambdapolicy"
2024-11-28T15:35:09Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="tags"
2024-11-28T15:35:09Z	INFO	[terraform scanner] Scanning root module	file_path="modules/s3"
2024-11-28T15:35:09Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="tags"
2024-11-28T15:35:10Z	INFO	[terraform executor] Ignore finding	rule="aws-elb-alb-not-public" range="modules/alb/main.tf:210-234"
2024-11-28T15:35:10Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0/main.tf:171-179"
2024-11-28T15:35:10Z	INFO	Number of language-specific files	num=0
2024-11-28T15:35:10Z	INFO	Detected config files	num=12

cloudfront.tf (terraform)
=========================
Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0013 (HIGH): Distribution allows unencrypted communications.
════════════════════════════════════════
You should not use outdated/insecure TLS versions for encryption. You should be using TLS v1.2+.
Note: that setting *minimum_protocol_version = "TLSv1.2_2021"* is only possible when *cloudfront_default_certificate* is false (eg. you are not using the cloudfront.net domain name).
If *cloudfront_default_certificate* is true then the Cloudfront API will only allow setting *minimum_protocol_version = "TLSv1"*, and setting it to any other value will result in a perpetual diff in your *terraform plan*'s.
The only option when using the cloudfront.net domain name is to ignore this rule.


See https://avd.aquasec.com/misconfig/avd-aws-0013
────────────────────────────────────────
 cloudfront.tf:241-245
   via cloudfront.tf:177-267 (aws_cloudfront_distribution.external)
────────────────────────────────────────
 177   resource "aws_cloudfront_distribution" "external" {
 ...   
 241 ┌   viewer_certificate {
 242 │     acm_certificate_arn      = aws_acm_certificate.cloudfront.arn
 243 │     ssl_support_method       = "sni-only"
 244 │     minimum_protocol_version = "TLSv1.2_2018"
 245 └   }
 ...   
 267   }
────────────────────────────────────────


AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.


See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 cloudfront.tf:131-142
────────────────────────────────────────
 131 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "cloudfront" {
 132 │   bucket = aws_s3_bucket.cloudfront.id
 133 │   rule {
 134 │     apply_server_side_encryption_by_default {
 135 │       sse_algorithm = "AES256"
 136 │     }
 137 │   }
 138 │   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
 139 │   lifecycle {
 ...   
────────────────────────────────────────



ec2.tf (terraform)
==================
Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 ec2.tf:6-40
────────────────────────────────────────
   6 ┌ resource "aws_instance" "apex_db_instance" {
   7 │   ami                         = local.application_data.accounts[local.environment].ec2amiid
   8 │   associate_public_ip_address = false
   9 │   availability_zone           = "eu-west-2a"
  10 │   ebs_optimized               = true
  11 │   instance_type               = local.application_data.accounts[local.environment].ec2instancetype
  12 │   vpc_security_group_ids      = [aws_security_group.database.id]
  13 │   monitoring                  = true
  14 └   subnet_id                   = data.aws_subnet.data_subnets_a.id
  ..   
────────────────────────────────────────



lambda.tf (terraform)
=====================
Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0088 (HIGH): Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.


See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
 lambda.tf:107-113
────────────────────────────────────────
 107 ┌ resource "aws_s3_bucket" "backup_lambda" {
 108 │   bucket = "${local.application_name}-${local.environment}-backup-lambda"
 109 │   tags = merge(
 110 │     local.tags,
 111 │     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
 112 │   )
 113 └ }
────────────────────────────────────────


AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.


See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 lambda.tf:107-113
────────────────────────────────────────
 107 ┌ resource "aws_s3_bucket" "backup_lambda" {
 108 │   bucket = "${local.application_name}-${local.environment}-backup-lambda"
 109 │   tags = merge(
 110 │     local.tags,
 111 │     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
 112 │   )
 113 └ }
────────────────────────────────────────



modules/ecs/main.tf (terraform)
===============================
Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0130 (HIGH): Launch template does not require IMDS access to require a token
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.


See https://avd.aquasec.com/misconfig/aws-autoscaling-enforce-http-token-imds
────────────────────────────────────────
 modules/ecs/main.tf:119-123
   via modules/ecs/main.tf:107-164 (aws_launch_template.ec2-launch-template)
    via ecs.tf:5-38 (module.apex-ecs)
────────────────────────────────────────
 107   resource "aws_launch_template" "ec2-launch-template" {
 ...   
 119 ┌   metadata_options {
 120 │     http_endpoint               = "enabled"
 121 │     http_tokens                 = "optional"
 122 │     http_put_response_hop_limit = "2"
 123 └   }
 ...   
 164   }
────────────────────────────────────────



modules/s3/main.tf (terraform)
==============================
Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0088 (HIGH): Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.


See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
 modules/s3/main.tf:1-4
────────────────────────────────────────
   1 ┌ resource "aws_s3_bucket" "laa-lambda-backup" {
   2 │   bucket = var.bucket_name
   3 │   tags   = var.tags
   4 └ }
────────────────────────────────────────


AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.


See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 modules/s3/main.tf:1-4
────────────────────────────────────────
   1 ┌ resource "aws_s3_bucket" "laa-lambda-backup" {
   2 │   bucket = var.bucket_name
   3 │   tags   = var.tags
   4 └ }
────────────────────────────────────────


trivy_exitcode=1


Trivy Scan Failed

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/apex


Running Trivy in terraform/environments/apex
2024-11-28T15:46:01Z INFO [vulndb] Need to update DB
2024-11-28T15:46:01Z INFO [vulndb] Downloading vulnerability DB...
2024-11-28T15:46:01Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-11-28T15:46:03Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-11-28T15:46:03Z INFO [vuln] Vulnerability scanning is enabled
2024-11-28T15:46:03Z INFO [misconfig] Misconfiguration scanning is enabled
2024-11-28T15:46:03Z INFO [misconfig] Need to update the built-in checks
2024-11-28T15:46:03Z INFO [misconfig] Downloading the built-in checks...
160.25 KiB / 160.25 KiB [---------------------------------------------------------] 100.00% ? p/s 0s
2024-11-28T15:46:04Z INFO [secret] Secret scanning is enabled
2024-11-28T15:46:04Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-11-28T15:46:04Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-11-28T15:46:05Z INFO [terraform scanner] Scanning root module file_path="."
2024-11-28T15:46:05Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2024-11-28T15:46:05Z ERROR [terraform evaluator] Failed to expand dynamic block. block="aws_waf_ipset.wafmanualallowset" err="1 error occurred:\n\t* invalid for-each in aws_waf_ipset.wafmanualallowset.dynamic.ip_set_descriptors block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-28T15:46:05Z ERROR [terraform evaluator] Failed to expand dynamic block. block="aws_waf_ipset.wafmanualallowset" err="1 error occurred:\n\t* invalid for-each in aws_waf_ipset.wafmanualallowset.dynamic.ip_set_descriptors block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-28T15:46:06Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.aws_route53_record.external_lb_validation_core_network_services" value="cty.NilVal"
2024-11-28T15:46:06Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.aws_route53_record.external_lb_validation_core_vpc" value="cty.NilVal"
2024-11-28T15:46:06Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.aws_route53_record.external_lb_validation_self" value="cty.NilVal"
2024-11-28T15:46:06Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.data.aws_route53_zone.core_network_services" value="cty.NilVal"
2024-11-28T15:46:06Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.data.aws_route53_zone.core_vpc" value="cty.NilVal"
2024-11-28T15:46:06Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.data.aws_route53_zone.self" value="cty.NilVal"
2024-11-28T15:46:06Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.apex-ecs.aws_autoscaling_group.cluster-scaling-group" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.cluster-scaling-group.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-28T15:46:06Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.apex-ecs.aws_autoscaling_group.cluster-scaling-group" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.cluster-scaling-group.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-28T15:46:06Z INFO [terraform scanner] Scanning root module file_path="modules/lambdapolicy"
2024-11-28T15:46:06Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="tags"
2024-11-28T15:46:06Z INFO [terraform scanner] Scanning root module file_path="modules/s3"
2024-11-28T15:46:06Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="tags"
2024-11-28T15:46:08Z INFO [terraform executor] Ignore finding rule="aws-elb-alb-not-public" range="modules/alb/main.tf:214"
2024-11-28T15:46:08Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0/main.tf:171-179"
2024-11-28T15:46:08Z INFO Number of language-specific files num=0
2024-11-28T15:46:08Z INFO Detected config files num=12

cloudfront.tf (terraform)

Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0013 (HIGH): Distribution allows unencrypted communications.
════════════════════════════════════════
You should not use outdated/insecure TLS versions for encryption. You should be using TLS v1.2+.
Note: that setting minimum_protocol_version = "TLSv1.2_2021" is only possible when cloudfront_default_certificate is false (eg. you are not using the cloudfront.net domain name).
If cloudfront_default_certificate is true then the Cloudfront API will only allow setting minimum_protocol_version = "TLSv1", and setting it to any other value will result in a perpetual diff in your terraform plan's.
The only option when using the cloudfront.net domain name is to ignore this rule.

See https://avd.aquasec.com/misconfig/avd-aws-0013
────────────────────────────────────────
cloudfront.tf:244
via cloudfront.tf:241-245 (viewer_certificate)
via cloudfront.tf:177-267 (aws_cloudfront_distribution.external)
────────────────────────────────────────
177 resource "aws_cloudfront_distribution" "external" {
...
244 [ minimum_protocol_version = "TLSv1.2_2018"
...
267 }
────────────────────────────────────────

AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
cloudfront.tf:131-142
────────────────────────────────────────
 131 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "cloudfront" {
 132 │   bucket = aws_s3_bucket.cloudfront.id
 133 │   rule {
 134 │     apply_server_side_encryption_by_default {
 135 │       sse_algorithm = "AES256"
 136 │     }
 137 │   }
 138 │   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
 139 └   lifecycle {
...
────────────────────────────────────────

ec2.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
ec2.tf:6-40
────────────────────────────────────────
   6 ┌ resource "aws_instance" "apex_db_instance" {
   7 │   ami                         = local.application_data.accounts[local.environment].ec2amiid
   8 │   associate_public_ip_address = false
   9 │   availability_zone           = "eu-west-2a"
  10 │   ebs_optimized               = true
  11 │   instance_type               = local.application_data.accounts[local.environment].ec2instancetype
  12 │   vpc_security_group_ids      = [aws_security_group.database.id]
  13 │   monitoring                  = true
  14 └   subnet_id                   = data.aws_subnet.data_subnets_a.id
..
────────────────────────────────────────

lambda.tf (terraform)

Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0088 (HIGH): Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.

See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
lambda.tf:107-113
────────────────────────────────────────
 107 ┌ resource "aws_s3_bucket" "backup_lambda" {
 108 │   bucket = "${local.application_name}-${local.environment}-backup-lambda"
 109 │   tags = merge(
 110 │     local.tags,
 111 │     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
 112 │   )
 113 └ }
────────────────────────────────────────

AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
lambda.tf:107-113
────────────────────────────────────────
 107 ┌ resource "aws_s3_bucket" "backup_lambda" {
 108 │   bucket = "${local.application_name}-${local.environment}-backup-lambda"
 109 │   tags = merge(
 110 │     local.tags,
 111 │     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
 112 │   )
 113 └ }
────────────────────────────────────────

modules/ecs/main.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0130 (HIGH): Launch template does not require IMDS access to require a token
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/aws-autoscaling-enforce-http-token-imds
────────────────────────────────────────
modules/ecs/main.tf:121
via modules/ecs/main.tf:119-123 (metadata_options)
via modules/ecs/main.tf:107-164 (aws_launch_template.ec2-launch-template)
via ecs.tf:5-38 (module.apex-ecs)
────────────────────────────────────────
107 resource "aws_launch_template" "ec2-launch-template" {
...
121 [ http_tokens = "optional"
...
164 }
────────────────────────────────────────

modules/s3/main.tf (terraform)

Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0088 (HIGH): Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.

See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
modules/s3/main.tf:1-4
────────────────────────────────────────
   1 ┌ resource "aws_s3_bucket" "laa-lambda-backup" {
   2 │   bucket = var.bucket_name
   3 │   tags   = var.tags
   4 └ }
────────────────────────────────────────

AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
modules/s3/main.tf:1-4
────────────────────────────────────────
   1 ┌ resource "aws_s3_bucket" "laa-lambda-backup" {
   2 │   bucket = var.bucket_name
   3 │   tags   = var.tags
   4 └ }
────────────────────────────────────────

trivy_exitcode=1

Checkov Scan Failed

Show Output

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/apex

*****************************

Running Checkov in terraform/environments/apex
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-11-28 15:46:10,716 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0:None (for external modules, the --download-external-modules flag is required)
2024-11-28 15:46:10,716 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 368, Failed checks: 102, Skipped checks: 5, Parsing errors: 1

Check: CKV_AWS_166: "Ensure Backup Vault is encrypted at rest using KMS CMK"
	FAILED for resource: aws_backup_vault.apex
	File: /backups.tf:6-12
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-backup-vault-is-encrypted-at-rest-using-kms-cmk

		6  | resource "aws_backup_vault" "apex" {
		7  |   name = "${local.application_name}-backup-vault"
		8  |   tags = merge(
		9  |     local.tags,
		10 |     { "Name" = "${local.application_name}-backup-vault" },
		11 |   )
		12 | }

Check: CKV_AWS_166: "Ensure Backup Vault is encrypted at rest using KMS CMK"
	FAILED for resource: aws_backup_vault.prod_apex
	File: /backups.tf:64-71
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-backup-vault-is-encrypted-at-rest-using-kms-cmk

		64 | resource "aws_backup_vault" "prod_apex" {
		65 |   count = local.environment == "production" ? 1 : 0
		66 |   name  = "${local.application_name}-production-backup-vault"
		67 |   tags = merge(
		68 |     local.tags,
		69 |     { "Name" = "${local.application_name}-production-backup-vault" },
		70 |   )
		71 | }

Check: CKV_AWS_300: "Ensure S3 lifecycle configuration sets period for aborting failed uploads"
	FAILED for resource: aws_s3_bucket_lifecycle_configuration.cloudfront
	File: /cloudfront.tf:157-175
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-300

		157 | resource "aws_s3_bucket_lifecycle_configuration" "cloudfront" {
		158 |   count  = local.environment == "production" ? 1 : 0
		159 |   bucket = aws_s3_bucket.cloudfront.id
		160 | 
		161 |   rule {
		162 |     id = "delete-after-90days"
		163 | 
		164 |     expiration {
		165 |       days = 90
		166 |     }
		167 | 
		168 |     noncurrent_version_expiration {
		169 |       newer_noncurrent_versions = 1
		170 |       noncurrent_days           = 90
		171 |     }
		172 | 
		173 |     status = "Enabled"
		174 |   }
		175 | }

Check: CKV_AWS_310: "Ensure CloudFront distributions should have origin failover configured"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:177-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-310

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_374: "Ensure AWS CloudFront web distribution has geo restriction enabled"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:177-267

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_305: "Ensure CloudFront distribution has a default root object configured"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:177-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-305

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_233: "Ensure Create before destroy for ACM certificates"
	FAILED for resource: aws_acm_certificate.cloudfront
	File: /cloudfront.tf:295-305
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-acm-certificate-enables-create-before-destroy

		295 | resource "aws_acm_certificate" "cloudfront" {
		296 |   domain_name               = local.cloudfront_domain
		297 |   validation_method         = "DNS"
		298 |   provider                  = aws.us-east-1
		299 |   subject_alternative_names = local.environment == "production" ? null : [local.lower_env_cloudfront_url]
		300 |   tags                      = local.tags
		301 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		302 |   lifecycle {
		303 |     prevent_destroy = false
		304 |   }
		305 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.apex_db_instance
	File: /ec2.tf:6-40
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		6  | resource "aws_instance" "apex_db_instance" {
		7  |   ami                         = local.application_data.accounts[local.environment].ec2amiid
		8  |   associate_public_ip_address = false
		9  |   availability_zone           = "eu-west-2a"
		10 |   ebs_optimized               = true
		11 |   instance_type               = local.application_data.accounts[local.environment].ec2instancetype
		12 |   vpc_security_group_ids      = [aws_security_group.database.id]
		13 |   monitoring                  = true
		14 |   subnet_id                   = data.aws_subnet.data_subnets_a.id
		15 |   iam_instance_profile        = aws_iam_instance_profile.ec2_instance_profile.id
		16 |   key_name                    = aws_key_pair.apex.key_name
		17 |   user_data_base64            = base64encode(local.database-instance-userdata)
		18 |   user_data_replace_on_change = true
		19 | 
		20 | 
		21 |   root_block_device {
		22 |     delete_on_termination = false
		23 |     encrypted             = true # TODO Confirm if encrypted volumes can work for OAS, as it looks like in MP they must be encrypted
		24 |     volume_size           = 60
		25 |     volume_type           = "gp2"
		26 |     tags = merge(
		27 |       local.tags,
		28 |       { "Name" = "${local.application_name}db-ec2-root" },
		29 |       { "backup" = "false" }
		30 |     )
		31 |   }
		32 | 
		33 |   tags = merge(
		34 |     local.tags,
		35 |     { "Name" = local.database_ec2_name },
		36 |     { "instance-scheduling" = "skip-scheduling" },
		37 |     { "backup" = "false" },
		38 |     local.backup_schedule_tags
		39 |   )
		40 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.db_lambda
	File: /ec2.tf:77-84
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		77 | resource "aws_vpc_security_group_ingress_rule" "db_lambda" {
		78 |   security_group_id            = aws_security_group.database.id
		79 |   description                  = "Allow Lambda SSH access for backup snapshots"
		80 |   referenced_security_group_id = aws_security_group.backup_lambda.id
		81 |   from_port                    = 22
		82 |   ip_protocol                  = "tcp"
		83 |   to_port                      = 22
		84 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.db_outbound
	File: /ec2.tf:105-109
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		105 | resource "aws_vpc_security_group_egress_rule" "db_outbound" {
		106 |   security_group_id = aws_security_group.database.id
		107 |   cidr_ipv4         = "0.0.0.0/0"
		108 |   ip_protocol       = "-1"
		109 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.ec2_instance_policy
	File: /ec2.tf:136-167
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		136 | resource "aws_iam_role_policy" "ec2_instance_policy" {
		137 |   name = "${local.application_name}-ec2-policy"
		138 |   role = aws_iam_role.ec2_instance_role.id
		139 |   policy = jsonencode({
		140 |     Version = "2012-10-17"
		141 |     Statement = [
		142 |       {
		143 |         Effect = "Allow",
		144 |         Action = [
		145 |           "logs:CreateLogGroup",
		146 |           "logs:CreateLogStream",
		147 |           "logs:DescribeLogStreams",
		148 |           "logs:PutRetentionPolicy",
		149 |           "logs:PutLogEvents",
		150 |           "logs:DescribeLogGroups",
		151 |           "cloudwatch:PutMetricData",
		152 |           "cloudwatch:GetMetricStatistics",
		153 |           "cloudwatch:ListMetrics",
		154 |           "ec2:DescribeInstances",
		155 |         ],
		156 |         Resource = "*"
		157 |       },
		158 |       {
		159 |         Effect = "Allow",
		160 |         Action = [
		161 |           "ec2:CreateTags"
		162 |         ],
		163 |         Resource = "*"
		164 |       }
		165 |     ]
		166 |   })
		167 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.ec2_instance_policy
	File: /ec2.tf:136-167
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		136 | resource "aws_iam_role_policy" "ec2_instance_policy" {
		137 |   name = "${local.application_name}-ec2-policy"
		138 |   role = aws_iam_role.ec2_instance_role.id
		139 |   policy = jsonencode({
		140 |     Version = "2012-10-17"
		141 |     Statement = [
		142 |       {
		143 |         Effect = "Allow",
		144 |         Action = [
		145 |           "logs:CreateLogGroup",
		146 |           "logs:CreateLogStream",
		147 |           "logs:DescribeLogStreams",
		148 |           "logs:PutRetentionPolicy",
		149 |           "logs:PutLogEvents",
		150 |           "logs:DescribeLogGroups",
		151 |           "cloudwatch:PutMetricData",
		152 |           "cloudwatch:GetMetricStatistics",
		153 |           "cloudwatch:ListMetrics",
		154 |           "ec2:DescribeInstances",
		155 |         ],
		156 |         Resource = "*"
		157 |       },
		158 |       {
		159 |         Effect = "Allow",
		160 |         Action = [
		161 |           "ec2:CreateTags"
		162 |         ],
		163 |         Resource = "*"
		164 |       }
		165 |     ]
		166 |   })
		167 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.database
	File: /ec2.tf:269-279
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		269 | resource "aws_cloudwatch_log_group" "database" {
		270 |   name              = "${upper(local.application_name)}-EC2-database-alert"
		271 |   retention_in_days = 0
		272 |   # kms_key_id = aws_kms_key.cloudwatch_logs_key.arn # Not encrypted in LZ
		273 |   tags = merge(
		274 |     local.tags,
		275 |     {
		276 |       Name = "${upper(local.application_name)}-EC2-database-alert"
		277 |     }
		278 |   )
		279 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.pmon_status
	File: /ec2.tf:294-304
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		294 | resource "aws_cloudwatch_log_group" "pmon_status" {
		295 |   name              = "${upper(local.application_name)}-EC2-database-pmon-status"
		296 |   retention_in_days = 0
		297 |   # kms_key_id = aws_kms_key.cloudwatch_logs_key.arn # Not encrypted in LZ
		298 |   tags = merge(
		299 |     local.tags,
		300 |     {
		301 |       Name = "${upper(local.application_name)}-EC2-database-pmon-status"
		302 |     }
		303 |   )
		304 | }

Check: CKV_AWS_7: "Ensure rotation for customer created CMKs is enabled"
	FAILED for resource: aws_kms_key.efs
	File: /efs.tf:1-5
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/logging-8

		1 | resource "aws_kms_key" "efs" {
		2 |   description = "KMS key for encrypting EFS"
		3 |   # enable_key_rotation = true
		4 |   tags = local.tags
		5 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.ssh_key
	File: /lambda.tf:8-23
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		8  | resource "aws_ssm_parameter" "ssh_key" {
		9  |   name        = "EC2_SSH_KEY" # This needs to match the name supplied to the dbconnect.js script
		10 |   description = "SSH Key used by Lambda function to access database instance for backup. Value is updated manually."
		11 |   type        = "SecureString"
		12 |   value       = "Placeholder"
		13 | 
		14 |   tags = merge(
		15 |     local.tags,
		16 |     { Name = "EC2_SSH_KEY" }
		17 |   )
		18 |   lifecycle {
		19 |     ignore_changes = [
		20 |       value,
		21 |     ]
		22 |   }
		23 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:51-91
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		51 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		52 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		53 |   tags = merge(
		54 |     local.tags,
		55 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		56 |   )
		57 |   policy = <<EOF
		58 | {
		59 |     "Version" : "2012-10-17",
		60 |     "Statement": [
		61 |         {
		62 |             "Action": [
		63 |                 "lambda:InvokeFunction",
		64 |                 "ec2:CreateNetworkInterface",
		65 |                 "ec2:DescribeNetworkInterfaces",
		66 |                 "ec2:DeleteNetworkInterface",
		67 |                 "ec2:DescribeSecurityGroups",
		68 |                 "ec2:CreateSnapshot",
		69 |                 "ec2:DeleteSnapshot",
		70 |                 "ec2:DescribeSubnets",
		71 |                 "ec2:DescribeVpcs",
		72 |                 "ec2:DescribeInstances",
		73 |                 "ec2:DescribeAddresses",
		74 |                 "ec2:DescribeInstanceStatus",
		75 |                 "ec2:DescribeVolumes",
		76 |                 "ec2:DescribeSnapshots",
		77 |                 "ec2:CreateTags",
		78 |                 "s3:*",
		79 |                 "ssm:*",
		80 |                 "ses:*",
		81 |                 "logs:*",
		82 |                 "cloudwatch:*",
		83 |                 "sts:AssumeRole"
		84 |             ],
		85 |             "Resource": "*",
		86 |             "Effect": "Allow"
		87 |         }
		88 |     ]
		89 | }
		90 | EOF
		91 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:51-91
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		51 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		52 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		53 |   tags = merge(
		54 |     local.tags,
		55 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		56 |   )
		57 |   policy = <<EOF
		58 | {
		59 |     "Version" : "2012-10-17",
		60 |     "Statement": [
		61 |         {
		62 |             "Action": [
		63 |                 "lambda:InvokeFunction",
		64 |                 "ec2:CreateNetworkInterface",
		65 |                 "ec2:DescribeNetworkInterfaces",
		66 |                 "ec2:DeleteNetworkInterface",
		67 |                 "ec2:DescribeSecurityGroups",
		68 |                 "ec2:CreateSnapshot",
		69 |                 "ec2:DeleteSnapshot",
		70 |                 "ec2:DescribeSubnets",
		71 |                 "ec2:DescribeVpcs",
		72 |                 "ec2:DescribeInstances",
		73 |                 "ec2:DescribeAddresses",
		74 |                 "ec2:DescribeInstanceStatus",
		75 |                 "ec2:DescribeVolumes",
		76 |                 "ec2:DescribeSnapshots",
		77 |                 "ec2:CreateTags",
		78 |                 "s3:*",
		79 |                 "ssm:*",
		80 |                 "ses:*",
		81 |                 "logs:*",
		82 |                 "cloudwatch:*",
		83 |                 "sts:AssumeRole"
		84 |             ],
		85 |             "Resource": "*",
		86 |             "Effect": "Allow"
		87 |         }
		88 |     ]
		89 | }
		90 | EOF
		91 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:51-91
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		51 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		52 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		53 |   tags = merge(
		54 |     local.tags,
		55 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		56 |   )
		57 |   policy = <<EOF
		58 | {
		59 |     "Version" : "2012-10-17",
		60 |     "Statement": [
		61 |         {
		62 |             "Action": [
		63 |                 "lambda:InvokeFunction",
		64 |                 "ec2:CreateNetworkInterface",
		65 |                 "ec2:DescribeNetworkInterfaces",
		66 |                 "ec2:DeleteNetworkInterface",
		67 |                 "ec2:DescribeSecurityGroups",
		68 |                 "ec2:CreateSnapshot",
		69 |                 "ec2:DeleteSnapshot",
		70 |                 "ec2:DescribeSubnets",
		71 |                 "ec2:DescribeVpcs",
		72 |                 "ec2:DescribeInstances",
		73 |                 "ec2:DescribeAddresses",
		74 |                 "ec2:DescribeInstanceStatus",
		75 |                 "ec2:DescribeVolumes",
		76 |                 "ec2:DescribeSnapshots",
		77 |                 "ec2:CreateTags",
		78 |                 "s3:*",
		79 |                 "ssm:*",
		80 |                 "ses:*",
		81 |                 "logs:*",
		82 |                 "cloudwatch:*",
		83 |                 "sts:AssumeRole"
		84 |             ],
		85 |             "Resource": "*",
		86 |             "Effect": "Allow"
		87 |         }
		88 |     ]
		89 | }
		90 | EOF
		91 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:51-91
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		51 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		52 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		53 |   tags = merge(
		54 |     local.tags,
		55 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		56 |   )
		57 |   policy = <<EOF
		58 | {
		59 |     "Version" : "2012-10-17",
		60 |     "Statement": [
		61 |         {
		62 |             "Action": [
		63 |                 "lambda:InvokeFunction",
		64 |                 "ec2:CreateNetworkInterface",
		65 |                 "ec2:DescribeNetworkInterfaces",
		66 |                 "ec2:DeleteNetworkInterface",
		67 |                 "ec2:DescribeSecurityGroups",
		68 |                 "ec2:CreateSnapshot",
		69 |                 "ec2:DeleteSnapshot",
		70 |                 "ec2:DescribeSubnets",
		71 |                 "ec2:DescribeVpcs",
		72 |                 "ec2:DescribeInstances",
		73 |                 "ec2:DescribeAddresses",
		74 |                 "ec2:DescribeInstanceStatus",
		75 |                 "ec2:DescribeVolumes",
		76 |                 "ec2:DescribeSnapshots",
		77 |                 "ec2:CreateTags",
		78 |                 "s3:*",
		79 |                 "ssm:*",
		80 |                 "ses:*",
		81 |                 "logs:*",
		82 |                 "cloudwatch:*",
		83 |                 "sts:AssumeRole"
		84 |             ],
		85 |             "Resource": "*",
		86 |             "Effect": "Allow"
		87 |         }
		88 |     ]
		89 | }
		90 | EOF
		91 | }

Check: CKV_AWS_287: "Ensure IAM policies does not allow credentials exposure"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:51-91
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-287

		51 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		52 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		53 |   tags = merge(
		54 |     local.tags,
		55 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		56 |   )
		57 |   policy = <<EOF
		58 | {
		59 |     "Version" : "2012-10-17",
		60 |     "Statement": [
		61 |         {
		62 |             "Action": [
		63 |                 "lambda:InvokeFunction",
		64 |                 "ec2:CreateNetworkInterface",
		65 |                 "ec2:DescribeNetworkInterfaces",
		66 |                 "ec2:DeleteNetworkInterface",
		67 |                 "ec2:DescribeSecurityGroups",
		68 |                 "ec2:CreateSnapshot",
		69 |                 "ec2:DeleteSnapshot",
		70 |                 "ec2:DescribeSubnets",
		71 |                 "ec2:DescribeVpcs",
		72 |                 "ec2:DescribeInstances",
		73 |                 "ec2:DescribeAddresses",
		74 |                 "ec2:DescribeInstanceStatus",
		75 |                 "ec2:DescribeVolumes",
		76 |                 "ec2:DescribeSnapshots",
		77 |                 "ec2:CreateTags",
		78 |                 "s3:*",
		79 |                 "ssm:*",
		80 |                 "ses:*",
		81 |                 "logs:*",
		82 |                 "cloudwatch:*",
		83 |                 "sts:AssumeRole"
		84 |             ],
		85 |             "Resource": "*",
		86 |             "Effect": "Allow"
		87 |         }
		88 |     ]
		89 | }
		90 | EOF
		91 | }

Check: CKV_AWS_382: "Ensure no security groups allow egress from 0.0.0.0:0 to port -1"
	FAILED for resource: aws_security_group.backup_lambda
	File: /lambda.tf:190-207

		190 | resource "aws_security_group" "backup_lambda" {
		191 |   name        = "${local.application_name}-${local.environment}-backup-lambda-security-group"
		192 |   description = "Bakcup Lambda Security Group"
		193 |   vpc_id      = data.aws_vpc.shared.id
		194 | 
		195 |   egress {
		196 |     description = "outbound access"
		197 |     from_port   = 0
		198 |     to_port     = 0
		199 |     protocol    = "-1"
		200 |     cidr_blocks = ["0.0.0.0/0"]
		201 |   }
		202 | 
		203 |   tags = merge(
		204 |     local.tags,
		205 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-security-group" }
		206 |   )
		207 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /lambda.tf:221-249
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		221 | resource "aws_lambda_function" "create_db_snapshots" {
		222 | 
		223 |   description      = "Snapshot volumes for Oracle EC2"
		224 |   function_name    = "snapshotDBFunction"
		225 |   role             = aws_iam_role.backup_lambda.arn
		226 |   handler          = "snapshot/dbsnapshot.handler"
		227 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		228 |   runtime          = "nodejs18.x"
		229 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		230 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		231 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		232 |   memory_size      = 128
		233 |   timeout          = 900
		234 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		235 | 
		236 |   environment {
		237 |     variables = {
		238 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		239 |     }
		240 |   }
		241 |   vpc_config {
		242 |     security_group_ids = [aws_security_group.backup_lambda.id]
		243 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		244 |   }
		245 |   tags = merge(
		246 |     local.tags,
		247 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		248 |   )
		249 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /lambda.tf:221-249
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		221 | resource "aws_lambda_function" "create_db_snapshots" {
		222 | 
		223 |   description      = "Snapshot volumes for Oracle EC2"
		224 |   function_name    = "snapshotDBFunction"
		225 |   role             = aws_iam_role.backup_lambda.arn
		226 |   handler          = "snapshot/dbsnapshot.handler"
		227 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		228 |   runtime          = "nodejs18.x"
		229 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		230 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		231 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		232 |   memory_size      = 128
		233 |   timeout          = 900
		234 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		235 | 
		236 |   environment {
		237 |     variables = {
		238 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		239 |     }
		240 |   }
		241 |   vpc_config {
		242 |     security_group_ids = [aws_security_group.backup_lambda.id]
		243 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		244 |   }
		245 |   tags = merge(
		246 |     local.tags,
		247 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		248 |   )
		249 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /lambda.tf:221-249
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		221 | resource "aws_lambda_function" "create_db_snapshots" {
		222 | 
		223 |   description      = "Snapshot volumes for Oracle EC2"
		224 |   function_name    = "snapshotDBFunction"
		225 |   role             = aws_iam_role.backup_lambda.arn
		226 |   handler          = "snapshot/dbsnapshot.handler"
		227 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		228 |   runtime          = "nodejs18.x"
		229 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		230 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		231 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		232 |   memory_size      = 128
		233 |   timeout          = 900
		234 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		235 | 
		236 |   environment {
		237 |     variables = {
		238 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		239 |     }
		240 |   }
		241 |   vpc_config {
		242 |     security_group_ids = [aws_security_group.backup_lambda.id]
		243 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		244 |   }
		245 |   tags = merge(
		246 |     local.tags,
		247 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		248 |   )
		249 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /lambda.tf:221-249
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		221 | resource "aws_lambda_function" "create_db_snapshots" {
		222 | 
		223 |   description      = "Snapshot volumes for Oracle EC2"
		224 |   function_name    = "snapshotDBFunction"
		225 |   role             = aws_iam_role.backup_lambda.arn
		226 |   handler          = "snapshot/dbsnapshot.handler"
		227 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		228 |   runtime          = "nodejs18.x"
		229 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		230 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		231 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		232 |   memory_size      = 128
		233 |   timeout          = 900
		234 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		235 | 
		236 |   environment {
		237 |     variables = {
		238 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		239 |     }
		240 |   }
		241 |   vpc_config {
		242 |     security_group_ids = [aws_security_group.backup_lambda.id]
		243 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		244 |   }
		245 |   tags = merge(
		246 |     local.tags,
		247 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		248 |   )
		249 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /lambda.tf:221-249
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		221 | resource "aws_lambda_function" "create_db_snapshots" {
		222 | 
		223 |   description      = "Snapshot volumes for Oracle EC2"
		224 |   function_name    = "snapshotDBFunction"
		225 |   role             = aws_iam_role.backup_lambda.arn
		226 |   handler          = "snapshot/dbsnapshot.handler"
		227 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		228 |   runtime          = "nodejs18.x"
		229 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		230 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		231 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		232 |   memory_size      = 128
		233 |   timeout          = 900
		234 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		235 | 
		236 |   environment {
		237 |     variables = {
		238 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		239 |     }
		240 |   }
		241 |   vpc_config {
		242 |     security_group_ids = [aws_security_group.backup_lambda.id]
		243 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		244 |   }
		245 |   tags = merge(
		246 |     local.tags,
		247 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		248 |   )
		249 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /lambda.tf:251-273
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		251 | resource "aws_lambda_function" "delete_db_snapshots" {
		252 | 
		253 |   description      = "Clean up script to delete old unused snapshots"
		254 |   function_name    = "deletesnapshotFunction"
		255 |   role             = aws_iam_role.backup_lambda.arn
		256 |   handler          = "deletesnapshots.lambda_handler"
		257 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		258 |   runtime          = "python3.8"
		259 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		260 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		261 |   memory_size      = 3000
		262 |   timeout          = 900
		263 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		264 | 
		265 |   vpc_config {
		266 |     security_group_ids = [aws_security_group.backup_lambda.id]
		267 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		268 |   }
		269 |   tags = merge(
		270 |     local.tags,
		271 |     { Name = "${local.application_name}-${local.environment}-lambda-delete-snapshots" }
		272 |   )
		273 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /lambda.tf:251-273
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		251 | resource "aws_lambda_function" "delete_db_snapshots" {
		252 | 
		253 |   description      = "Clean up script to delete old unused snapshots"
		254 |   function_name    = "deletesnapshotFunction"
		255 |   role             = aws_iam_role.backup_lambda.arn
		256 |   handler          = "deletesnapshots.lambda_handler"
		257 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		258 |   runtime          = "python3.8"
		259 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		260 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		261 |   memory_size      = 3000
		262 |   timeout          = 900
		263 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		264 | 
		265 |   vpc_config {
		266 |     security_group_ids = [aws_security_group.backup_lambda.id]
		267 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		268 |   }
		269 |   tags = merge(
		270 |     local.tags,
		271 |     { Name = "${local.application_name}-${local.environment}-lambda-delete-snapshots" }
		272 |   )
		273 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /lambda.tf:251-273
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		251 | resource "aws_lambda_function" "delete_db_snapshots" {
		252 | 
		253 |   description      = "Clean up script to delete old unused snapshots"
		254 |   function_name    = "deletesnapshotFunction"
		255 |   role             = aws_iam_role.backup_lambda.arn
		256 |   handler          = "deletesnapshots.lambda_handler"
		257 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		258 |   runtime          = "python3.8"
		259 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		260 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		261 |   memory_size      = 3000
		262 |   timeout          = 900
		263 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		264 | 
		265 |   vpc_config {
		266 |     security_group_ids = [aws_security_group.backup_lambda.id]
		267 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		268 |   }
		269 |   tags = merge(
		270 |     local.tags,
		271 |     { Name = "${local.application_name}-${local.environment}-lambda-delete-snapshots" }
		272 |   )
		273 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /lambda.tf:251-273
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		251 | resource "aws_lambda_function" "delete_db_snapshots" {
		252 | 
		253 |   description      = "Clean up script to delete old unused snapshots"
		254 |   function_name    = "deletesnapshotFunction"
		255 |   role             = aws_iam_role.backup_lambda.arn
		256 |   handler          = "deletesnapshots.lambda_handler"
		257 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		258 |   runtime          = "python3.8"
		259 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		260 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		261 |   memory_size      = 3000
		262 |   timeout          = 900
		263 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		264 | 
		265 |   vpc_config {
		266 |     security_group_ids = [aws_security_group.backup_lambda.id]
		267 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		268 |   }
		269 |   tags = merge(
		270 |     local.tags,
		271 |     { Name = "${local.application_name}-${local.environment}-lambda-delete-snapshots" }
		272 |   )
		273 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.connect_db
	File: /lambda.tf:275-306
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		275 | resource "aws_lambda_function" "connect_db" {
		276 | 
		277 |   description      = "SSH to the DB EC2"
		278 |   function_name    = "connectDBFunction"
		279 |   role             = aws_iam_role.backup_lambda.arn
		280 |   handler          = "ssh/dbconnect.handler"
		281 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		282 |   runtime          = "nodejs18.x"
		283 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		284 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		285 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		286 |   memory_size      = 128
		287 |   timeout          = 900
		288 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		289 | 
		290 | 
		291 | 
		292 |   environment {
		293 |     variables = {
		294 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		295 | 
		296 |     }
		297 |   }
		298 |   vpc_config {
		299 |     security_group_ids = [aws_security_group.backup_lambda.id]
		300 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		301 |   }
		302 |   tags = merge(
		303 |     local.tags,
		304 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		305 |   )
		306 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.connect_db
	File: /lambda.tf:275-306
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		275 | resource "aws_lambda_function" "connect_db" {
		276 | 
		277 |   description      = "SSH to the DB EC2"
		278 |   function_name    = "connectDBFunction"
		279 |   role             = aws_iam_role.backup_lambda.arn
		280 |   handler          = "ssh/dbconnect.handler"
		281 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		282 |   runtime          = "nodejs18.x"
		283 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		284 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		285 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		286 |   memory_size      = 128
		287 |   timeout          = 900
		288 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		289 | 
		290 | 
		291 | 
		292 |   environment {
		293 |     variables = {
		294 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		295 | 
		296 |     }
		297 |   }
		298 |   vpc_config {
		299 |     security_group_ids = [aws_security_group.backup_lambda.id]
		300 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		301 |   }
		302 |   tags = merge(
		303 |     local.tags,
		304 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		305 |   )
		306 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.connect_db
	File: /lambda.tf:275-306
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		275 | resource "aws_lambda_function" "connect_db" {
		276 | 
		277 |   description      = "SSH to the DB EC2"
		278 |   function_name    = "connectDBFunction"
		279 |   role             = aws_iam_role.backup_lambda.arn
		280 |   handler          = "ssh/dbconnect.handler"
		281 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		282 |   runtime          = "nodejs18.x"
		283 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		284 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		285 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		286 |   memory_size      = 128
		287 |   timeout          = 900
		288 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		289 | 
		290 | 
		291 | 
		292 |   environment {
		293 |     variables = {
		294 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		295 | 
		296 |     }
		297 |   }
		298 |   vpc_config {
		299 |     security_group_ids = [aws_security_group.backup_lambda.id]
		300 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		301 |   }
		302 |   tags = merge(
		303 |     local.tags,
		304 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		305 |   )
		306 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.connect_db
	File: /lambda.tf:275-306
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		275 | resource "aws_lambda_function" "connect_db" {
		276 | 
		277 |   description      = "SSH to the DB EC2"
		278 |   function_name    = "connectDBFunction"
		279 |   role             = aws_iam_role.backup_lambda.arn
		280 |   handler          = "ssh/dbconnect.handler"
		281 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		282 |   runtime          = "nodejs18.x"
		283 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		284 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		285 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		286 |   memory_size      = 128
		287 |   timeout          = 900
		288 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		289 | 
		290 | 
		291 | 
		292 |   environment {
		293 |     variables = {
		294 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		295 | 
		296 |     }
		297 |   }
		298 |   vpc_config {
		299 |     security_group_ids = [aws_security_group.backup_lambda.id]
		300 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		301 |   }
		302 |   tags = merge(
		303 |     local.tags,
		304 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		305 |   )
		306 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.connect_db
	File: /lambda.tf:275-306
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		275 | resource "aws_lambda_function" "connect_db" {
		276 | 
		277 |   description      = "SSH to the DB EC2"
		278 |   function_name    = "connectDBFunction"
		279 |   role             = aws_iam_role.backup_lambda.arn
		280 |   handler          = "ssh/dbconnect.handler"
		281 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		282 |   runtime          = "nodejs18.x"
		283 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		284 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		285 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		286 |   memory_size      = 128
		287 |   timeout          = 900
		288 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		289 | 
		290 | 
		291 | 
		292 |   environment {
		293 |     variables = {
		294 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		295 | 
		296 |     }
		297 |   }
		298 |   vpc_config {
		299 |     security_group_ids = [aws_security_group.backup_lambda.id]
		300 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		301 |   }
		302 |   tags = merge(
		303 |     local.tags,
		304 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		305 |   )
		306 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: module.alb.aws_secretsmanager_secret.cloudfront
	File: /modules/alb/main.tf:275-278
	Calling File: /alb.tf:27-163
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		275 | resource "aws_secretsmanager_secret" "cloudfront" {
		276 |   name        = "cloudfront-v1-secret-${var.application_name}"
		277 |   description = "Simple secret created by AWS CloudFormation to be shared between ALB and CloudFront"
		278 | }

Check: CKV_AWS_378: "Ensure AWS Load Balancer doesn't use HTTP protocol"
	FAILED for resource: module.alb.aws_lb_target_group.alb_target_group
	File: /modules/alb/main.tf:346-373
	Calling File: /alb.tf:27-163

		346 | resource "aws_lb_target_group" "alb_target_group" {
		347 |   name                 = "${var.application_name}-alb-tg"
		348 |   port                 = var.target_group_port
		349 |   protocol             = var.target_group_protocol
		350 |   vpc_id               = var.vpc_id
		351 |   deregistration_delay = var.target_group_deregistration_delay
		352 |   health_check {
		353 |     interval            = var.healthcheck_interval
		354 |     path                = var.healthcheck_path
		355 |     protocol            = var.healthcheck_protocol
		356 |     timeout             = var.healthcheck_timeout
		357 |     healthy_threshold   = var.healthcheck_healthy_threshold
		358 |     unhealthy_threshold = var.healthcheck_unhealthy_threshold
		359 |   }
		360 |   stickiness {
		361 |     enabled         = var.stickiness_enabled
		362 |     type            = var.stickiness_type
		363 |     cookie_duration = var.stickiness_cookie_duration
		364 |   }
		365 | 
		366 |   tags = merge(
		367 |     var.tags,
		368 |     {
		369 |       Name = "${var.application_name}-alb-tg"
		370 |     },
		371 |   )
		372 | 
		373 | }

Check: CKV_AWS_233: "Ensure Create before destroy for ACM certificates"
	FAILED for resource: module.alb.aws_acm_certificate.external_lb
	File: /modules/alb/main.tf:427-437
	Calling File: /alb.tf:27-163
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-acm-certificate-enables-create-before-destroy

		427 | resource "aws_acm_certificate" "external_lb" {
		428 | 
		429 |   domain_name               = var.acm_cert_domain_name
		430 |   validation_method         = "DNS"
		431 |   subject_alternative_names = var.environment == "production" ? null : ["${var.application_name}.${var.business_unit}-${var.environment}.${var.acm_cert_domain_name}"]
		432 |   tags                      = var.tags
		433 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		434 |   lifecycle {
		435 |     prevent_destroy = false
		436 |   }
		437 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.alb.s3-bucket[0]
	File: /modules/alb/main.tf:96-151
	Calling File: /alb.tf:27-163
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_300: "Ensure S3 lifecycle configuration sets period for aborting failed uploads"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket_lifecycle_configuration.report_lifecycle
	File: /modules/codebuild/main.tf:25-39
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-300

		25 | resource "aws_s3_bucket_lifecycle_configuration" "report_lifecycle" {
		26 |   bucket = aws_s3_bucket.deployment_report.id
		27 | 
		28 |   rule {
		29 |     id = "monthly-expiration"
		30 |     expiration {
		31 |       days = var.s3_lifecycle_expiration_days
		32 |     }
		33 |     noncurrent_version_expiration {
		34 |       noncurrent_days = var.s3_lifecycle_noncurr_version_expiration_days
		35 |     }
		36 | 
		37 |     status = "Enabled"
		38 |   }
		39 | }

Check: CKV_AWS_163: "Ensure ECR image scanning on push is enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_ecr_repository.local-ecr
	File: /modules/codebuild/main.tf:52-66
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-8

		52 | resource "aws_ecr_repository" "local-ecr" {
		53 |   name                 = "${var.app_name}-local-ecr"
		54 |   image_tag_mutability = "MUTABLE"
		55 | 
		56 |   image_scanning_configuration {
		57 |     scan_on_push = false
		58 |   }
		59 | 
		60 |   tags = merge(
		61 |     var.tags,
		62 |     {
		63 |       Name = "${var.app_name}-local-ecr"
		64 |     },
		65 |   )
		66 | }

Check: CKV_AWS_51: "Ensure ECR Image Tags are immutable"
	FAILED for resource: module.apex-ecr-codebuild.aws_ecr_repository.local-ecr
	File: /modules/codebuild/main.tf:52-66
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-24

		52 | resource "aws_ecr_repository" "local-ecr" {
		53 |   name                 = "${var.app_name}-local-ecr"
		54 |   image_tag_mutability = "MUTABLE"
		55 | 
		56 |   image_scanning_configuration {
		57 |     scan_on_push = false
		58 |   }
		59 | 
		60 |   tags = merge(
		61 |     var.tags,
		62 |     {
		63 |       Name = "${var.app_name}-local-ecr"
		64 |     },
		65 |   )
		66 | }

Check: CKV_AWS_136: "Ensure that ECR repositories are encrypted using KMS"
	FAILED for resource: module.apex-ecr-codebuild.aws_ecr_repository.local-ecr
	File: /modules/codebuild/main.tf:52-66
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ecr-repositories-are-encrypted

		52 | resource "aws_ecr_repository" "local-ecr" {
		53 |   name                 = "${var.app_name}-local-ecr"
		54 |   image_tag_mutability = "MUTABLE"
		55 | 
		56 |   image_scanning_configuration {
		57 |     scan_on_push = false
		58 |   }
		59 | 
		60 |   tags = merge(
		61 |     var.tags,
		62 |     {
		63 |       Name = "${var.app_name}-local-ecr"
		64 |     },
		65 |   )
		66 | }

Check: CKV_AWS_314: "Ensure CodeBuild project environments have a logging configuration"
	FAILED for resource: module.apex-ecr-codebuild.aws_codebuild_project.app-build
	File: /modules/codebuild/main.tf:163-229
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-314

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_316: "Ensure CodeBuild project environments do not have privileged mode enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_codebuild_project.app-build
	File: /modules/codebuild/main.tf:163-229
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-316

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_314: "Ensure CodeBuild project environments have a logging configuration"
	FAILED for resource: module.apex-ecr-codebuild.aws_codebuild_project.test-build
	File: /modules/codebuild/main.tf:231-280
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-314

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: module.apex-ecs.aws_launch_template.ec2-launch-template
	File: /modules/ecs/main.tf:107-164
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_341: "Ensure Launch template should not have a metadata response hop limit greater than 1"
	FAILED for resource: module.apex-ecs.aws_launch_template.ec2-launch-template
	File: /modules/ecs/main.tf:107-164
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-341

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: module.apex-ecs.aws_iam_policy.ec2_instance_policy
	File: /modules/ecs/main.tf:204-237
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		204 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		205 |   name = "${var.app_name}-ec2-instance-policy"
		206 |   tags = merge(
		207 |     var.tags_common,
		208 |     {
		209 |       Name = "${var.app_name}-ec2-instance-policy"
		210 |     }
		211 |   )
		212 |   policy = <<EOF
		213 | {
		214 |     "Version": "2012-10-17",
		215 |     "Statement": [
		216 |         {
		217 |             "Action": [
		218 |                 "ecs:CreateCluster",
		219 |                 "ecs:DeregisterContainerInstance",
		220 |                 "ecs:DiscoverPollEndpoint",
		221 |                 "ecs:Poll",
		222 |                 "ecs:RegisterContainerInstance",
		223 |                 "ecs:StartTelemetrySession",
		224 |                 "ecs:Submit*",
		225 |                 "logs:CreateLogGroup",
		226 |                 "logs:CreateLogStream",
		227 |                 "logs:PutLogEvents",
		228 |                 "logs:DescribeLogStreams",
		229 |                 "ecr:*"
		230 |             ],
		231 |             "Resource": "*",
		232 |             "Effect": "Allow"
		233 |         }
		234 |     ]
		235 | }
		236 | EOF
		237 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.apex-ecs.aws_iam_policy.ec2_instance_policy
	File: /modules/ecs/main.tf:204-237
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		204 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		205 |   name = "${var.app_name}-ec2-instance-policy"
		206 |   tags = merge(
		207 |     var.tags_common,
		208 |     {
		209 |       Name = "${var.app_name}-ec2-instance-policy"
		210 |     }
		211 |   )
		212 |   policy = <<EOF
		213 | {
		214 |     "Version": "2012-10-17",
		215 |     "Statement": [
		216 |         {
		217 |             "Action": [
		218 |                 "ecs:CreateCluster",
		219 |                 "ecs:DeregisterContainerInstance",
		220 |                 "ecs:DiscoverPollEndpoint",
		221 |                 "ecs:Poll",
		222 |                 "ecs:RegisterContainerInstance",
		223 |                 "ecs:StartTelemetrySession",
		224 |                 "ecs:Submit*",
		225 |                 "logs:CreateLogGroup",
		226 |                 "logs:CreateLogStream",
		227 |                 "logs:PutLogEvents",
		228 |                 "logs:DescribeLogStreams",
		229 |                 "ecr:*"
		230 |             ],
		231 |             "Resource": "*",
		232 |             "Effect": "Allow"
		233 |         }
		234 |     ]
		235 | }
		236 | EOF
		237 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: module.apex-ecs.aws_iam_policy.ec2_instance_policy
	File: /modules/ecs/main.tf:204-237
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		204 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		205 |   name = "${var.app_name}-ec2-instance-policy"
		206 |   tags = merge(
		207 |     var.tags_common,
		208 |     {
		209 |       Name = "${var.app_name}-ec2-instance-policy"
		210 |     }
		211 |   )
		212 |   policy = <<EOF
		213 | {
		214 |     "Version": "2012-10-17",
		215 |     "Statement": [
		216 |         {
		217 |             "Action": [
		218 |                 "ecs:CreateCluster",
		219 |                 "ecs:DeregisterContainerInstance",
		220 |                 "ecs:DiscoverPollEndpoint",
		221 |                 "ecs:Poll",
		222 |                 "ecs:RegisterContainerInstance",
		223 |                 "ecs:StartTelemetrySession",
		224 |                 "ecs:Submit*",
		225 |                 "logs:CreateLogGroup",
		226 |                 "logs:CreateLogStream",
		227 |                 "logs:PutLogEvents",
		228 |                 "logs:DescribeLogStreams",
		229 |                 "ecr:*"
		230 |             ],
		231 |             "Resource": "*",
		232 |             "Effect": "Allow"
		233 |         }
		234 |     ]
		235 | }
		236 | EOF
		237 | }

Check: CKV_AWS_249: "Ensure that the Execution Role ARN and the Task Role ARN are different in ECS Task definitions"
	FAILED for resource: module.apex-ecs.aws_ecs_task_definition.windows_ecs_task_definition
	File: /modules/ecs/main.tf:266-287
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-the-aws-execution-role-arn-and-task-role-arn-are-different-in-ecs-task-definitions

		266 | resource "aws_ecs_task_definition" "windows_ecs_task_definition" {
		267 |   family             = "${var.app_name}-task-definition"
		268 |   count              = var.container_instance_type == "windows" ? 1 : 0
		269 |   execution_role_arn = aws_iam_role.ecs_task_execution_role.arn # grants the Amazon ECS container agents permission to make AWS API calls on your behalf
		270 |   task_role_arn      = aws_iam_role.ecs_task_execution_role.arn # assumed by the containers running in the task, allowing your application code (on the container) to use other AWS services
		271 |   requires_compatibilities = [
		272 |     "EC2",
		273 |   ]
		274 | 
		275 |   # volume {
		276 |   #   name = var.task_definition_volume
		277 |   # }
		278 | 
		279 |   container_definitions = var.task_definition
		280 | 
		281 |   tags = merge(
		282 |     var.tags_common,
		283 |     {
		284 |       Name = "${var.app_name}-windows-task-definition"
		285 |     }
		286 |   )
		287 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.apex-ecs.aws_iam_policy.ecs_service
	File: /modules/ecs/main.tf:439-467
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		439 | resource "aws_iam_policy" "ecs_service" { #tfsec:ignore:aws-iam-no-policy-wildcards
		440 |   name = "${var.app_name}-ecs-service-policy"
		441 |   tags = merge(
		442 |     var.tags_common,
		443 |     {
		444 |       Name = "${var.app_name}-ecs-service-policy"
		445 |     }
		446 |   )
		447 |   policy = <<EOF
		448 | {
		449 |   "Version": "2012-10-17",
		450 |   "Statement": [
		451 |     {
		452 |       "Effect": "Allow",
		453 |       "Action": [
		454 |         "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
		455 |         "elasticloadbalancing:DeregisterTargets",
		456 |         "elasticloadbalancing:Describe*",
		457 |         "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
		458 |         "elasticloadbalancing:RegisterTargets",
		459 |         "ec2:Describe*",
		460 |         "ec2:AuthorizeSecurityGroupIngress"
		461 |       ],
		462 |       "Resource": ["*"]
		463 |     }
		464 |   ]
		465 | }
		466 | EOF
		467 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: module.apex-ecs.aws_iam_policy.ecs_service
	File: /modules/ecs/main.tf:439-467
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		439 | resource "aws_iam_policy" "ecs_service" { #tfsec:ignore:aws-iam-no-policy-wildcards
		440 |   name = "${var.app_name}-ecs-service-policy"
		441 |   tags = merge(
		442 |     var.tags_common,
		443 |     {
		444 |       Name = "${var.app_name}-ecs-service-policy"
		445 |     }
		446 |   )
		447 |   policy = <<EOF
		448 | {
		449 |   "Version": "2012-10-17",
		450 |   "Statement": [
		451 |     {
		452 |       "Effect": "Allow",
		453 |       "Action": [
		454 |         "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
		455 |         "elasticloadbalancing:DeregisterTargets",
		456 |         "elasticloadbalancing:Describe*",
		457 |         "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
		458 |         "elasticloadbalancing:RegisterTargets",
		459 |         "ec2:Describe*",
		460 |         "ec2:AuthorizeSecurityGroupIngress"
		461 |       ],
		462 |       "Resource": ["*"]
		463 |     }
		464 |   ]
		465 | }
		466 | EOF
		467 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: module.apex-ecs.aws_cloudwatch_log_group.cloudwatch_group
	File: /modules/ecs/main.tf:488-499
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		488 | resource "aws_cloudwatch_log_group" "cloudwatch_group" {
		489 |   #checkov:skip=CKV_AWS_158:Temporarily skip KMS encryption check while logging solution is being updated
		490 |   name              = "${var.app_name}-ecs-container-logs"
		491 |   retention_in_days = 90
		492 |   kms_key_id        = var.log_group_kms_key
		493 |   tags = merge(
		494 |     var.tags_common,
		495 |     {
		496 |       Name = "${var.app_name}-ecs-container-logs"
		497 |     }
		498 |   )
		499 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: module.apex-ecs.aws_cloudwatch_log_group.ec2
	File: /modules/ecs/main.tf:506-516
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		506 | resource "aws_cloudwatch_log_group" "ec2" {
		507 |   name              = "${var.app_name}-ecs-ec2-logs"
		508 |   retention_in_days = 90
		509 |   kms_key_id        = var.log_group_kms_key
		510 |   tags = merge(
		511 |     var.tags_common,
		512 |     {
		513 |       Name = "${var.app_name}-ecs-ec2-logs"
		514 |     }
		515 |   )
		516 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy.backuplambdapolicy
	File: /modules/lambdapolicy/main.tf:21-58
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		22 |   name   = var.backup_policy_name
		23 |   tags   = var.tags
		24 |   policy = <<EOF
		25 | {
		26 |     "Version" : "2012-10-17",
		27 |     "Statement": [
		28 |         {
		29 |             "Action": [
		30 |                 "lambda:InvokeFunction",
		31 |                 "ec2:CreateNetworkInterface",
		32 |                 "ec2:DescribeNetworkInterfaces",
		33 |                 "ec2:DeleteNetworkInterface",
		34 |                 "ec2:DescribeSecurityGroups",
		35 |                 "ec2:CreateSnapshot",
		36 |                 "ec2:DeleteSnapshot",
		37 |                 "ec2:DescribeSubnets",
		38 |                 "ec2:DescribeVpcs",
		39 |                 "ec2:DescribeInstances",
		40 |                 "ec2:DescribeAddresses",
		41 |                 "ec2:DescribeInstanceStatus",
		42 |                 "ec2:DescribeVolumes",
		43 |                 "ec2:DescribeSnapshots",
		44 |                 "ec2:CreateTags",
		45 |                 "s3:*",
		46 |                 "ssm:*",
		47 |                 "ses:*",
		48 |                 "logs:*",
		49 |                 "cloudwatch:*",
		50 |                 "sts:AssumeRole"
		51 |             ],
		52 |             "Resource": "*",
		53 |             "Effect": "Allow"
		54 |         }
		55 |     ]
		56 | }
		57 | EOF
		58 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.backuplambdapolicy
	File: /modules/lambdapolicy/main.tf:21-58
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		22 |   name   = var.backup_policy_name
		23 |   tags   = var.tags
		24 |   policy = <<EOF
		25 | {
		26 |     "Version" : "2012-10-17",
		27 |     "Statement": [
		28 |         {
		29 |             "Action": [
		30 |                 "lambda:InvokeFunction",
		31 |                 "ec2:CreateNetworkInterface",
		32 |                 "ec2:DescribeNetworkInterfaces",
		33 |                 "ec2:DeleteNetworkInterface",
		34 |                 "ec2:DescribeSecurityGroups",
		35 |                 "ec2:CreateSnapshot",
		36 |                 "ec2:DeleteSnapshot",
		37 |                 "ec2:DescribeSubnets",
		38 |                 "ec2:DescribeVpcs",
		39 |                 "ec2:DescribeInstances",
		40 |                 "ec2:DescribeAddresses",
		41 |                 "ec2:DescribeInstanceStatus",
		42 |                 "ec2:DescribeVolumes",
		43 |                 "ec2:DescribeSnapshots",
		44 |                 "ec2:CreateTags",
		45 |                 "s3:*",
		46 |                 "ssm:*",
		47 |                 "ses:*",
		48 |                 "logs:*",
		49 |                 "cloudwatch:*",
		50 |                 "sts:AssumeRole"
		51 |             ],
		52 |             "Resource": "*",
		53 |             "Effect": "Allow"
		54 |         }
		55 |     ]
		56 | }
		57 | EOF
		58 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.backuplambdapolicy
	File: /modules/lambdapolicy/main.tf:21-58
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		22 |   name   = var.backup_policy_name
		23 |   tags   = var.tags
		24 |   policy = <<EOF
		25 | {
		26 |     "Version" : "2012-10-17",
		27 |     "Statement": [
		28 |         {
		29 |             "Action": [
		30 |                 "lambda:InvokeFunction",
		31 |                 "ec2:CreateNetworkInterface",
		32 |                 "ec2:DescribeNetworkInterfaces",
		33 |                 "ec2:DeleteNetworkInterface",
		34 |                 "ec2:DescribeSecurityGroups",
		35 |                 "ec2:CreateSnapshot",
		36 |                 "ec2:DeleteSnapshot",
		37 |                 "ec2:DescribeSubnets",
		38 |                 "ec2:DescribeVpcs",
		39 |                 "ec2:DescribeInstances",
		40 |                 "ec2:DescribeAddresses",
		41 |                 "ec2:DescribeInstanceStatus",
		42 |                 "ec2:DescribeVolumes",
		43 |                 "ec2:DescribeSnapshots",
		44 |                 "ec2:CreateTags",
		45 |                 "s3:*",
		46 |                 "ssm:*",
		47 |                 "ses:*",
		48 |                 "logs:*",
		49 |                 "cloudwatch:*",
		50 |                 "sts:AssumeRole"
		51 |             ],
		52 |             "Resource": "*",
		53 |             "Effect": "Allow"
		54 |         }
		55 |     ]
		56 | }
		57 | EOF
		58 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_policy.backuplambdapolicy
	File: /modules/lambdapolicy/main.tf:21-58
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		22 |   name   = var.backup_policy_name
		23 |   tags   = var.tags
		24 |   policy = <<EOF
		25 | {
		26 |     "Version" : "2012-10-17",
		27 |     "Statement": [
		28 |         {
		29 |             "Action": [
		30 |                 "lambda:InvokeFunction",
		31 |                 "ec2:CreateNetworkInterface",
		32 |                 "ec2:DescribeNetworkInterfaces",
		33 |                 "ec2:DeleteNetworkInterface",
		34 |                 "ec2:DescribeSecurityGroups",
		35 |                 "ec2:CreateSnapshot",
		36 |                 "ec2:DeleteSnapshot",
		37 |                 "ec2:DescribeSubnets",
		38 |                 "ec2:DescribeVpcs",
		39 |                 "ec2:DescribeInstances",
		40 |                 "ec2:DescribeAddresses",
		41 |                 "ec2:DescribeInstanceStatus",
		42 |                 "ec2:DescribeVolumes",
		43 |                 "ec2:DescribeSnapshots",
		44 |                 "ec2:CreateTags",
		45 |                 "s3:*",
		46 |                 "ssm:*",
		47 |                 "ses:*",
		48 |                 "logs:*",
		49 |                 "cloudwatch:*",
		50 |                 "sts:AssumeRole"
		51 |             ],
		52 |             "Resource": "*",
		53 |             "Effect": "Allow"
		54 |         }
		55 |     ]
		56 | }
		57 | EOF
		58 | }

Check: CKV_AWS_287: "Ensure IAM policies does not allow credentials exposure"
	FAILED for resource: aws_iam_policy.backuplambdapolicy
	File: /modules/lambdapolicy/main.tf:21-58
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-287

		21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		22 |   name   = var.backup_policy_name
		23 |   tags   = var.tags
		24 |   policy = <<EOF
		25 | {
		26 |     "Version" : "2012-10-17",
		27 |     "Statement": [
		28 |         {
		29 |             "Action": [
		30 |                 "lambda:InvokeFunction",
		31 |                 "ec2:CreateNetworkInterface",
		32 |                 "ec2:DescribeNetworkInterfaces",
		33 |                 "ec2:DeleteNetworkInterface",
		34 |                 "ec2:DescribeSecurityGroups",
		35 |                 "ec2:CreateSnapshot",
		36 |                 "ec2:DeleteSnapshot",
		37 |                 "ec2:DescribeSubnets",
		38 |                 "ec2:DescribeVpcs",
		39 |                 "ec2:DescribeInstances",
		40 |                 "ec2:DescribeAddresses",
		41 |                 "ec2:DescribeInstanceStatus",
		42 |                 "ec2:DescribeVolumes",
		43 |                 "ec2:DescribeSnapshots",
		44 |                 "ec2:CreateTags",
		45 |                 "s3:*",
		46 |                 "ssm:*",
		47 |                 "ses:*",
		48 |                 "logs:*",
		49 |                 "cloudwatch:*",
		50 |                 "sts:AssumeRole"
		51 |             ],
		52 |             "Resource": "*",
		53 |             "Effect": "Allow"
		54 |         }
		55 |     ]
		56 | }
		57 | EOF
		58 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.apex
	File: /sns.tf:6-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		6  | resource "aws_sns_topic" "apex" {
		7  |   name = "${local.application_name}-${local.environment}-alerting-topic"
		8  |   tags = merge(
		9  |     local.tags,
		10 |     {
		11 |       Name = "${local.application_name}-${local.environment}-alerting-topic"
		12 |     }
		13 |   )
		14 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: pagerduty_core_alerts
	File: /sns.tf:34-41
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		34 | module "pagerduty_core_alerts" {
		35 |   depends_on = [
		36 |     aws_sns_topic.apex
		37 |   ]
		38 |   source                    = "github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0"
		39 |   sns_topics                = [aws_sns_topic.apex.name]
		40 |   pagerduty_integration_key = local.pagerduty_integration_keys[local.pagerduty_integration_key_name]
		41 | }
Check: CKV_AWS_176: "Ensure Logging is enabled for WAF Web Access Control Lists"
	FAILED for resource: aws_waf_web_acl.waf_acl
	File: /waf.tf:57-87
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-31

		57 | resource "aws_waf_web_acl" "waf_acl" {
		58 |   depends_on = [
		59 |     aws_waf_rule.wafmanualallowrule,
		60 |     aws_waf_rule.wafmanualblockrule,
		61 |   ]
		62 |   name        = "${upper(local.application_name)} Whitelisting Requesters"
		63 |   metric_name = "${upper(local.application_name)}WhitelistingRequesters"
		64 |   #   scope    = "CLOUDFRONT"
		65 |   #   provider = aws.us-east-1
		66 |   default_action {
		67 |     type = "BLOCK"
		68 |   }
		69 | 
		70 |   rules {
		71 |     action {
		72 |       type = "ALLOW"
		73 |     }
		74 |     priority = 1
		75 |     rule_id  = aws_waf_rule.wafmanualallowrule.id
		76 |     type     = "REGULAR"
		77 |   }
		78 | 
		79 |   rules {
		80 |     action {
		81 |       type = "BLOCK"
		82 |     }
		83 |     priority = 2
		84 |     rule_id  = aws_waf_rule.wafmanualblockrule.id
		85 |     type     = "REGULAR"
		86 |   }
		87 | }

Check: CKV2_AWS_47: "Ensure AWS CloudFront attached WAFv2 WebACL is configured with AMR for Log4j Vulnerability"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:177-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-47

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: module.alb.aws_secretsmanager_secret.cloudfront
	File: /modules/alb/main.tf:275-278
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		275 | resource "aws_secretsmanager_secret" "cloudfront" {
		276 |   name        = "cloudfront-v1-secret-${var.application_name}"
		277 |   description = "Simple secret created by AWS CloudFormation to be shared between ALB and CloudFront"
		278 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.cloudfront
	File: /cloudfront.tf:109-122
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		109 | resource "aws_s3_bucket" "cloudfront" {
		110 |   bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		111 |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		112 |   tags = merge(
		113 |     local.tags,
		114 |     {
		115 |       Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		116 |     }
		117 |   )
		118 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		119 |   lifecycle {
		120 |     prevent_destroy = false
		121 |   }
		122 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:107-113
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		107 | resource "aws_s3_bucket" "backup_lambda" {
		108 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		109 |   tags = merge(
		110 |     local.tags,
		111 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		112 |   )
		113 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
	File: /modules/codebuild/main.tf:5-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		5  | resource "aws_s3_bucket" "deployment_report" {
		6  |   bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		7  |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		8  |   tags = merge(
		9  |     var.tags,
		10 |     {
		11 |       Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		12 |     },
		13 |   )
		14 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.laa-lambda-backup
	File: /modules/s3/main.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		1 | resource "aws_s3_bucket" "laa-lambda-backup" {
		2 |   bucket = var.bucket_name
		3 |   tags   = var.tags
		4 | }

Check: CKV2_AWS_32: "Ensure CloudFront distribution has a response headers policy attached"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:177-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/bc-aws-networking-65

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AWS_18: "Ensure that Elastic File System (Amazon EFS) file systems are added in the backup plans of AWS Backup"
	FAILED for resource: aws_efs_file_system.efs
	File: /efs.tf:41-55
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-elastic-file-system-amazon-efs-file-systems-are-added-in-the-backup-plans-of-aws-backup

		41 | resource "aws_efs_file_system" "efs" {
		42 |   encrypted        = true
		43 |   kms_key_id       = aws_kms_key.efs.arn
		44 |   performance_mode = "maxIO"
		45 |   throughput_mode  = "bursting"
		46 | 
		47 |   tags = merge(
		48 |     local.tags,
		49 |     { "Name" = "mp-${local.application_name}-efs" }
		50 |   )
		51 | 
		52 |   lifecycle_policy {
		53 |     transition_to_ia = "AFTER_90_DAYS"
		54 |   }
		55 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.cloudfront
	File: /cloudfront.tf:109-122
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		109 | resource "aws_s3_bucket" "cloudfront" {
		110 |   bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		111 |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		112 |   tags = merge(
		113 |     local.tags,
		114 |     {
		115 |       Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		116 |     }
		117 |   )
		118 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		119 |   lifecycle {
		120 |     prevent_destroy = false
		121 |   }
		122 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:107-113
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		107 | resource "aws_s3_bucket" "backup_lambda" {
		108 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		109 |   tags = merge(
		110 |     local.tags,
		111 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		112 |   )
		113 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
	File: /modules/codebuild/main.tf:5-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		5  | resource "aws_s3_bucket" "deployment_report" {
		6  |   bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		7  |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		8  |   tags = merge(
		9  |     var.tags,
		10 |     {
		11 |       Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		12 |     },
		13 |   )
		14 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.laa-lambda-backup
	File: /modules/s3/main.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		1 | resource "aws_s3_bucket" "laa-lambda-backup" {
		2 |   bucket = var.bucket_name
		3 |   tags   = var.tags
		4 | }

Check: CKV2_AWS_65: "Ensure access control lists for S3 buckets are disabled"
	FAILED for resource: aws_s3_bucket_ownership_controls.backup_lambda
	File: /lambda.tf:130-135
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-112

		130 | resource "aws_s3_bucket_ownership_controls" "backup_lambda" {
		131 |   bucket = aws_s3_bucket.backup_lambda.id
		132 |   rule {
		133 |     object_ownership = "ObjectWriter"
		134 |   }
		135 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.u01-orahome
	File: /ec2.tf:169-184
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		169 | resource "aws_ebs_volume" "u01-orahome" {
		170 |   availability_zone = "eu-west-2a"
		171 |   size              = local.application_data.accounts[local.environment].u01_orahome_size
		172 |   type              = "gp3"
		173 |   encrypted         = true
		174 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		175 |   snapshot_id       = local.application_data.accounts[local.environment].u01_orahome_snapshot
		176 |   lifecycle {
		177 |     ignore_changes = [kms_key_id]
		178 |   }
		179 |   tags = merge(
		180 |     local.tags,
		181 |     { "Name" = "${local.application_name}db-ec2-u01-orahome" },
		182 |     { "backup" = "false" }
		183 |   )
		184 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.u02-oradata
	File: /ec2.tf:191-206
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		191 | resource "aws_ebs_volume" "u02-oradata" {
		192 |   availability_zone = "eu-west-2a"
		193 |   size              = local.application_data.accounts[local.environment].u02_oradata_size
		194 |   type              = "gp3"
		195 |   encrypted         = true
		196 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		197 |   snapshot_id       = local.application_data.accounts[local.environment].u02_oradata_snapshot
		198 |   lifecycle {
		199 |     ignore_changes = [kms_key_id]
		200 |   }
		201 |   tags = merge(
		202 |     local.tags,
		203 |     { "Name" = "${local.application_name}db-ec2-u02-oradata" },
		204 |     { "backup" = "false" }
		205 |   )
		206 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.u03-redo
	File: /ec2.tf:216-231
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		216 | resource "aws_ebs_volume" "u03-redo" {
		217 |   availability_zone = "eu-west-2a"
		218 |   size              = local.application_data.accounts[local.environment].u03_redo_size
		219 |   type              = "gp3"
		220 |   encrypted         = true
		221 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		222 |   snapshot_id       = local.application_data.accounts[local.environment].u03_redo_snapshot
		223 |   lifecycle {
		224 |     ignore_changes = [kms_key_id]
		225 |   }
		226 |   tags = merge(
		227 |     local.tags,
		228 |     { "Name" = "${local.application_name}db-ec2-u03-redo" },
		229 |     { "backup" = "false" }
		230 |   )
		231 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.u04-arch
	File: /ec2.tf:238-253
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		238 | resource "aws_ebs_volume" "u04-arch" {
		239 |   availability_zone = "eu-west-2a"
		240 |   size              = local.application_data.accounts[local.environment].u04_arch_size
		241 |   type              = "gp3"
		242 |   encrypted         = true
		243 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		244 |   snapshot_id       = local.application_data.accounts[local.environment].u04_arch_snapshot
		245 |   lifecycle {
		246 |     ignore_changes = [kms_key_id]
		247 |   }
		248 |   tags = merge(
		249 |     local.tags,
		250 |     { "Name" = "${local.application_name}db-ec2-u04-arch" },
		251 |     { "backup" = "false" }
		252 |   )
		253 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.cloudfront
	File: /cloudfront.tf:109-122
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		109 | resource "aws_s3_bucket" "cloudfront" {
		110 |   bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		111 |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		112 |   tags = merge(
		113 |     local.tags,
		114 |     {
		115 |       Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		116 |     }
		117 |   )
		118 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		119 |   lifecycle {
		120 |     prevent_destroy = false
		121 |   }
		122 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.cloudfront
	File: /cloudfront.tf:109-122
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		109 | resource "aws_s3_bucket" "cloudfront" {
		110 |   bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		111 |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		112 |   tags = merge(
		113 |     local.tags,
		114 |     {
		115 |       Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		116 |     }
		117 |   )
		118 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		119 |   lifecycle {
		120 |     prevent_destroy = false
		121 |   }
		122 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:107-113
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		107 | resource "aws_s3_bucket" "backup_lambda" {
		108 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		109 |   tags = merge(
		110 |     local.tags,
		111 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		112 |   )
		113 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
	File: /modules/codebuild/main.tf:5-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		5  | resource "aws_s3_bucket" "deployment_report" {
		6  |   bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		7  |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		8  |   tags = merge(
		9  |     var.tags,
		10 |     {
		11 |       Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		12 |     },
		13 |   )
		14 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.laa-lambda-backup
	File: /modules/s3/main.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		1 | resource "aws_s3_bucket" "laa-lambda-backup" {
		2 |   bucket = var.bucket_name
		3 |   tags   = var.tags
		4 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.cloudfront
	File: /cloudfront.tf:109-122
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		109 | resource "aws_s3_bucket" "cloudfront" {
		110 |   bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		111 |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		112 |   tags = merge(
		113 |     local.tags,
		114 |     {
		115 |       Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		116 |     }
		117 |   )
		118 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		119 |   lifecycle {
		120 |     prevent_destroy = false
		121 |   }
		122 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:107-113
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		107 | resource "aws_s3_bucket" "backup_lambda" {
		108 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		109 |   tags = merge(
		110 |     local.tags,
		111 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		112 |   )
		113 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
	File: /modules/codebuild/main.tf:5-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		5  | resource "aws_s3_bucket" "deployment_report" {
		6  |   bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		7  |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		8  |   tags = merge(
		9  |     var.tags,
		10 |     {
		11 |       Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		12 |     },
		13 |   )
		14 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.laa-lambda-backup
	File: /modules/s3/main.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		1 | resource "aws_s3_bucket" "laa-lambda-backup" {
		2 |   bucket = var.bucket_name
		3 |   tags   = var.tags
		4 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:107-113
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		107 | resource "aws_s3_bucket" "backup_lambda" {
		108 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		109 |   tags = merge(
		110 |     local.tags,
		111 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		112 |   )
		113 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.laa-lambda-backup
	File: /modules/s3/main.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		1 | resource "aws_s3_bucket" "laa-lambda-backup" {
		2 |   bucket = var.bucket_name
		3 |   tags   = var.tags
		4 | }

Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
	File: /modules/codebuild/main.tf:5-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		5  | resource "aws_s3_bucket" "deployment_report" {
		6  |   bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		7  |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		8  |   tags = merge(
		9  |     var.tags,
		10 |     {
		11 |       Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		12 |     },
		13 |   )
		14 | }

Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV2_AWS_46: "Ensure AWS CloudFront Distribution with S3 have Origin Access set to enabled"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:177-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-aws-cloudfromt-distribution-with-s3-have-origin-access-set-to-enabled

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
terraform_plan scan results:

Passed checks: 0, Failed checks: 0, Skipped checks: 0, Parsing errors: 1


checkov_exitcode=1
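
Most of the Checkov failures above cluster on one resource, `aws_s3_bucket.backup_lambda` in lambda.tf, which this PR introduces to hold the DB scripts. The block below is an added example, not code from the PR or the modernisation-platform repository: it shows the same bucket with the companion resources that clear CKV2_AWS_6, CKV2_AWS_65, CKV_AWS_145, CKV_AWS_21, CKV2_AWS_61 and CKV_AWS_18 (and the two Trivy bucket-encryption findings on the same resource). The KMS key, the `aws_s3_bucket.access_logs` log bucket and the retention periods are assumptions.

```hcl
resource "aws_kms_key" "backup_lambda" {
  description         = "CMK for the backup-lambda bucket (assumed, not in the PR)"
  enable_key_rotation = true
}

resource "aws_s3_bucket" "backup_lambda" {
  bucket = "${local.application_name}-${local.environment}-backup-lambda"
  tags = merge(
    local.tags,
    { Name = "${local.application_name}-${local.environment}-backup-lambda" }
  )
}

# CKV2_AWS_6: no public ACLs or policies, whatever a later change tries to attach.
resource "aws_s3_bucket_public_access_block" "backup_lambda" {
  bucket                  = aws_s3_bucket.backup_lambda.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# CKV2_AWS_65: BucketOwnerEnforced switches ACLs off, so the bucket policy is the
# only grant path; the PR's ObjectWriter keeps ACLs live and uploader-owned objects.
resource "aws_s3_bucket_ownership_controls" "backup_lambda" {
  bucket = aws_s3_bucket.backup_lambda.id
  rule {
    object_ownership = "BucketOwnerEnforced"
  }
}

# CKV_AWS_145 (and Trivy AVD-AWS-0088 / AVD-AWS-0132): SSE-KMS with a customer managed key.
resource "aws_s3_bucket_server_side_encryption_configuration" "backup_lambda" {
  bucket = aws_s3_bucket.backup_lambda.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"
      kms_master_key_id = aws_kms_key.backup_lambda.arn
    }
    bucket_key_enabled = true # fewer KMS calls per object
  }
}

# CKV_AWS_21: an overwritten or deleted DB script stays recoverable.
resource "aws_s3_bucket_versioning" "backup_lambda" {
  bucket = aws_s3_bucket.backup_lambda.id
  versioning_configuration {
    status = "Enabled"
  }
}

# CKV2_AWS_61: bound the cost of versioning and drop abandoned multipart uploads.
resource "aws_s3_bucket_lifecycle_configuration" "backup_lambda" {
  bucket     = aws_s3_bucket.backup_lambda.id
  depends_on = [aws_s3_bucket_versioning.backup_lambda]
  rule {
    id     = "expire-noncurrent-versions"
    status = "Enabled"
    filter {}
    noncurrent_version_expiration {
      noncurrent_days = 90 # assumption: adjust to the team's retention policy
    }
    abort_incomplete_multipart_upload {
      days_after_initiation = 7
    }
  }
}

# CKV_AWS_18: server access logs go to a separate bucket (assumed to exist).
resource "aws_s3_bucket_logging" "backup_lambda" {
  bucket        = aws_s3_bucket.backup_lambda.id
  target_bucket = aws_s3_bucket.access_logs.id
  target_prefix = "backup-lambda/"
}

# Not one of the findings above, but cheap: refuse plaintext HTTP for every principal.
data "aws_iam_policy_document" "backup_lambda_tls_only" {
  statement {
    sid       = "DenyInsecureTransport"
    effect    = "Deny"
    actions   = ["s3:*"]
    resources = [aws_s3_bucket.backup_lambda.arn, "${aws_s3_bucket.backup_lambda.arn}/*"]
    principals {
      type        = "*"
      identifiers = ["*"]
    }
    condition {
      test     = "Bool"
      variable = "aws:SecureTransport"
      values   = ["false"]
    }
  }
}

resource "aws_s3_bucket_policy" "backup_lambda" {
  bucket = aws_s3_bucket.backup_lambda.id
  policy = data.aws_iam_policy_document.backup_lambda_tls_only.json
}
```

Two caveats before applying this to the PR. With `BucketOwnerEnforced`, any upload that still sets an ACL other than `bucket-owner-full-control` is rejected, so whatever pushes the DB scripts into the bucket must stop sending ACL headers first. The two findings this does not touch, CKV2_AWS_62 (event notifications) and CKV_AWS_144 (cross-region replication), are judgment calls for a bucket of scripts rather than data; if the team accepts them, record that with an inline `#checkov:skip=CKV_AWS_144:<reason>` comment inside the resource block rather than leaving the Checkov job red for every later PR.
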

TFLint Scan Failed

Show Output
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/apex

*****************************

Running tflint in terraform/environments/apex
Excluding the following checks: terraform_unused_declarations
7 issue(s) found:

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/apex/alb.tf line 17:
  17:     "${local.application_data.accounts[local.environment].acm_cert_domain_name}" = {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/apex/alb.tf line 19:
  19:       zone_name = "${local.application_data.accounts[local.environment].acm_cert_domain_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "template" in `required_providers` (terraform_required_providers)

  on terraform/environments/apex/cloudwatch.tf line 401:
 401: data "template_file" "dashboard" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "local" in `required_providers` (terraform_required_providers)

  on terraform/environments/apex/ec2.tf line 42:
  42: data "local_file" "cloudwatch_agent" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/apex/event_triggers.tf line 22:
  22:   input = jsonencode({ "appname" : "${local.database_ec2_name}" })

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "time" in `required_providers` (terraform_required_providers)

  on terraform/environments/apex/lambda.tf line 125:
 125: resource "time_sleep" "wait_for_provision_files" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "archive" in `required_providers` (terraform_required_providers)

  on terraform/environments/apex/lambda.tf line 179:
 179: data "archive_file" "connect_db" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

tflint_exitcode=2
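
The four `terraform_required_providers` warnings are the supply-chain item in this report: a provider with no version constraint is resolved to whatever the registry serves on the day `terraform init` runs. The block below is an added example, not code from the PR; the version ranges, the Terraform version and the template path are assumptions. It also shows the `templatefile()` replacement for the archived `hashicorp/template` provider and the rewrites for the three deprecated interpolation-only expressions.

```hcl
# Added example, not from the PR. Version ranges and the .tpl path are assumptions.
terraform {
  required_version = "~> 1.5"

  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
    archive = {
      source  = "hashicorp/archive"
      version = "~> 2.4"
    }
    local = {
      source  = "hashicorp/local"
      version = "~> 2.4"
    }
    time = {
      source  = "hashicorp/time"
      version = "~> 0.9"
    }
    # No entry for "template": hashicorp/template is archived, and the built-in
    # templatefile() function below removes the dependency entirely.
  }
}

# Replaces data "template_file" "dashboard" (cloudwatch.tf line 401). The template
# path and variable name are placeholders for whatever the real data source used.
locals {
  dashboard_body = templatefile("${path.module}/dashboard.json.tpl", {
    app_name = local.application_name
  })
}

# The three terraform_deprecated_interpolation warnings, rewritten. A map key that
# is an expression must be wrapped in parentheses (alb.tf line 17); a plain value
# or a jsonencode() argument just drops the surrounding quotes and "${...}".
locals {
  acm_domain_zones = {
    (local.application_data.accounts[local.environment].acm_cert_domain_name) = {
      zone_name = local.application_data.accounts[local.environment].acm_cert_domain_name
    }
  }
  backup_trigger_input = jsonencode({ appname = local.database_ec2_name })
}
```

The constraints only choose a range; what actually pins the provider binaries is the committed `.terraform.lock.hcl`, which records the selected version and its checksums, and `terraform init` verifies downloads against it unless `-upgrade` is passed. The two `[Fixable]` interpolation warnings can be applied mechanically with `tflint --fix`; the `required_providers` ones cannot, because tflint does not know which range the team wants.
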

Trivy Scan Failed

Show Output
*****************************

Trivy will check the following folders:
terraform/environments/apex

*****************************

Running Trivy in terraform/environments/apex
2024-11-28T15:46:01Z	INFO	[vulndb] Need to update DB
2024-11-28T15:46:01Z	INFO	[vulndb] Downloading vulnerability DB...
2024-11-28T15:46:01Z	INFO	[vulndb] Downloading artifact...	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-11-28T15:46:03Z	INFO	[vulndb] Artifact successfully downloaded	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-11-28T15:46:03Z	INFO	[vuln] Vulnerability scanning is enabled
2024-11-28T15:46:03Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-11-28T15:46:03Z	INFO	[misconfig] Need to update the built-in checks
2024-11-28T15:46:03Z	INFO	[misconfig] Downloading the built-in checks...
160.25 KiB / 160.25 KiB [---------------------------------------------------------] 100.00% ? p/s 0s
2024-11-28T15:46:04Z	INFO	[secret] Secret scanning is enabled
2024-11-28T15:46:04Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-11-28T15:46:04Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-11-28T15:46:05Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-11-28T15:46:05Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2024-11-28T15:46:05Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="aws_waf_ipset.wafmanualallowset" err="1 error occurred:\n\t* invalid for-each in aws_waf_ipset.wafmanualallowset.dynamic.ip_set_descriptors block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-28T15:46:05Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="aws_waf_ipset.wafmanualallowset" err="1 error occurred:\n\t* invalid for-each in aws_waf_ipset.wafmanualallowset.dynamic.ip_set_descriptors block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-28T15:46:06Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.aws_route53_record.external_lb_validation_core_network_services" value="cty.NilVal"
2024-11-28T15:46:06Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.aws_route53_record.external_lb_validation_core_vpc" value="cty.NilVal"
2024-11-28T15:46:06Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.aws_route53_record.external_lb_validation_self" value="cty.NilVal"
2024-11-28T15:46:06Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.data.aws_route53_zone.core_network_services" value="cty.NilVal"
2024-11-28T15:46:06Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.data.aws_route53_zone.core_vpc" value="cty.NilVal"
2024-11-28T15:46:06Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.data.aws_route53_zone.self" value="cty.NilVal"
2024-11-28T15:46:06Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.apex-ecs.aws_autoscaling_group.cluster-scaling-group" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.cluster-scaling-group.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-28T15:46:06Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.apex-ecs.aws_autoscaling_group.cluster-scaling-group" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.cluster-scaling-group.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-28T15:46:06Z	INFO	[terraform scanner] Scanning root module	file_path="modules/lambdapolicy"
2024-11-28T15:46:06Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="tags"
2024-11-28T15:46:06Z	INFO	[terraform scanner] Scanning root module	file_path="modules/s3"
2024-11-28T15:46:06Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="tags"
2024-11-28T15:46:08Z	INFO	[terraform executor] Ignore finding	rule="aws-elb-alb-not-public" range="modules/alb/main.tf:214"
2024-11-28T15:46:08Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0/main.tf:171-179"
2024-11-28T15:46:08Z	INFO	Number of language-specific files	num=0
2024-11-28T15:46:08Z	INFO	Detected config files	num=12

cloudfront.tf (terraform)
=========================
Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0013 (HIGH): Distribution allows unencrypted communications.
════════════════════════════════════════
You should not use outdated/insecure TLS versions for encryption. You should be using TLS v1.2+.
Note: that setting *minimum_protocol_version = "TLSv1.2_2021"* is only possible when *cloudfront_default_certificate* is false (eg. you are not using the cloudfront.net domain name).
If *cloudfront_default_certificate* is true then the Cloudfront API will only allow setting *minimum_protocol_version = "TLSv1"*, and setting it to any other value will result in a perpetual diff in your *terraform plan*'s.
The only option when using the cloudfront.net domain name is to ignore this rule.


See https://avd.aquasec.com/misconfig/avd-aws-0013
────────────────────────────────────────
 cloudfront.tf:244
   via cloudfront.tf:241-245 (viewer_certificate)
    via cloudfront.tf:177-267 (aws_cloudfront_distribution.external)
────────────────────────────────────────
 177   resource "aws_cloudfront_distribution" "external" {
 ...   
 244 [     minimum_protocol_version = "TLSv1.2_2018"
 ...   
 267   }
────────────────────────────────────────


AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.


See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 cloudfront.tf:131-142
────────────────────────────────────────
 131 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "cloudfront" {
 132 │   bucket = aws_s3_bucket.cloudfront.id
 133 │   rule {
 134 │     apply_server_side_encryption_by_default {
 135 │       sse_algorithm = "AES256"
 136 │     }
 137 │   }
 138 │   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
 139 └   lifecycle {
 ...   
────────────────────────────────────────



ec2.tf (terraform)
==================
Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 ec2.tf:6-40
────────────────────────────────────────
   6 ┌ resource "aws_instance" "apex_db_instance" {
   7 │   ami                         = local.application_data.accounts[local.environment].ec2amiid
   8 │   associate_public_ip_address = false
   9 │   availability_zone           = "eu-west-2a"
  10 │   ebs_optimized               = true
  11 │   instance_type               = local.application_data.accounts[local.environment].ec2instancetype
  12 │   vpc_security_group_ids      = [aws_security_group.database.id]
  13 │   monitoring                  = true
  14 └   subnet_id                   = data.aws_subnet.data_subnets_a.id
  ..   
────────────────────────────────────────



lambda.tf (terraform)
=====================
Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0088 (HIGH): Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.


See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
 lambda.tf:107-113
────────────────────────────────────────
 107 ┌ resource "aws_s3_bucket" "backup_lambda" {
 108 │   bucket = "${local.application_name}-${local.environment}-backup-lambda"
 109 │   tags = merge(
 110 │     local.tags,
 111 │     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
 112 │   )
 113 └ }
────────────────────────────────────────


AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.


See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 lambda.tf:107-113
────────────────────────────────────────
 107 ┌ resource "aws_s3_bucket" "backup_lambda" {
 108 │   bucket = "${local.application_name}-${local.environment}-backup-lambda"
 109 │   tags = merge(
 110 │     local.tags,
 111 │     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
 112 │   )
 113 └ }
────────────────────────────────────────



modules/ecs/main.tf (terraform)
===============================
Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0130 (HIGH): Launch template does not require IMDS access to require a token
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/aws-autoscaling-enforce-http-token-imds
────────────────────────────────────────
 modules/ecs/main.tf:121
   via modules/ecs/main.tf:119-123 (metadata_options)
    via modules/ecs/main.tf:107-164 (aws_launch_template.ec2-launch-template)
     via ecs.tf:5-38 (module.apex-ecs)
────────────────────────────────────────
 107   resource "aws_launch_template" "ec2-launch-template" {
 ...   
 121 [     http_tokens                 = "optional"
 ...   
 164   }
────────────────────────────────────────



modules/s3/main.tf (terraform)
==============================
Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0088 (HIGH): Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.


See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
 modules/s3/main.tf:1-4
────────────────────────────────────────
   1 ┌ resource "aws_s3_bucket" "laa-lambda-backup" {
   2 │   bucket = var.bucket_name
   3 │   tags   = var.tags
   4 └ }
────────────────────────────────────────


AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.


See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 modules/s3/main.tf:1-4
────────────────────────────────────────
   1 ┌ resource "aws_s3_bucket" "laa-lambda-backup" {
   2 │   bucket = var.bucket_name
   3 │   tags   = var.tags
   4 └ }
────────────────────────────────────────


trivy_exitcode=1


Trivy Scan Failed

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/apex


Running Trivy in terraform/environments/apex
2024-11-28T15:48:18Z INFO [vulndb] Need to update DB
2024-11-28T15:48:18Z INFO [vulndb] Downloading vulnerability DB...
2024-11-28T15:48:18Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-11-28T15:48:21Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-11-28T15:48:21Z INFO [vuln] Vulnerability scanning is enabled
2024-11-28T15:48:21Z INFO [misconfig] Misconfiguration scanning is enabled
2024-11-28T15:48:21Z INFO [misconfig] Need to update the built-in checks
2024-11-28T15:48:21Z INFO [misconfig] Downloading the built-in checks...
2024-11-28T15:48:21Z ERROR [misconfig] Falling back to embedded checks err="failed to download built-in policies: download error: oci download error: failed to fetch the layer: GET https://ghcr.io/v2/aquasecurity/trivy-checks/blobs/sha256:16442a4593a0395452e678ef699a880eec94d9211dfc887d52574beb78b95030: TOOMANYREQUESTS: retry-after: 713.884µs, allowed: 44000/minute"
2024-11-28T15:48:21Z INFO [secret] Secret scanning is enabled
2024-11-28T15:48:21Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-11-28T15:48:21Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-11-28T15:48:22Z INFO [terraform scanner] Scanning root module file_path="."
2024-11-28T15:48:22Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2024-11-28T15:48:22Z ERROR [terraform evaluator] Failed to expand dynamic block. block="aws_waf_ipset.wafmanualallowset" err="1 error occurred:\n\t* invalid for-each in aws_waf_ipset.wafmanualallowset.dynamic.ip_set_descriptors block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-28T15:48:22Z ERROR [terraform evaluator] Failed to expand dynamic block. block="aws_waf_ipset.wafmanualallowset" err="1 error occurred:\n\t* invalid for-each in aws_waf_ipset.wafmanualallowset.dynamic.ip_set_descriptors block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-28T15:48:23Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.aws_route53_record.external_lb_validation_core_network_services" value="cty.NilVal"
2024-11-28T15:48:23Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.aws_route53_record.external_lb_validation_core_vpc" value="cty.NilVal"
2024-11-28T15:48:23Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.aws_route53_record.external_lb_validation_self" value="cty.NilVal"
2024-11-28T15:48:23Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.data.aws_route53_zone.core_network_services" value="cty.NilVal"
2024-11-28T15:48:23Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.data.aws_route53_zone.core_vpc" value="cty.NilVal"
2024-11-28T15:48:23Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.data.aws_route53_zone.self" value="cty.NilVal"
2024-11-28T15:48:23Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.apex-ecs.aws_autoscaling_group.cluster-scaling-group" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.cluster-scaling-group.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-28T15:48:23Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.apex-ecs.aws_autoscaling_group.cluster-scaling-group" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.cluster-scaling-group.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-28T15:48:23Z INFO [terraform scanner] Scanning root module file_path="modules/lambdapolicy"
2024-11-28T15:48:23Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="tags"
2024-11-28T15:48:23Z INFO [terraform scanner] Scanning root module file_path="modules/s3"
2024-11-28T15:48:23Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="tags"
2024-11-28T15:48:24Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0/main.tf:171-179"
2024-11-28T15:48:24Z INFO [terraform executor] Ignore finding rule="aws-elb-alb-not-public" range="modules/alb/main.tf:210-234"
2024-11-28T15:48:25Z INFO Number of language-specific files num=0
2024-11-28T15:48:25Z INFO Detected config files num=12

cloudfront.tf (terraform)

Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0013 (HIGH): Distribution allows unencrypted communications.
════════════════════════════════════════
You should not use outdated/insecure TLS versions for encryption. You should be using TLS v1.2+.
Note: that setting minimum_protocol_version = "TLSv1.2_2021" is only possible when cloudfront_default_certificate is false (eg. you are not using the cloudfront.net domain name).
If cloudfront_default_certificate is true then the Cloudfront API will only allow setting minimum_protocol_version = "TLSv1", and setting it to any other value will result in a perpetual diff in your terraform plan's.
The only option when using the cloudfront.net domain name is to ignore this rule.

See https://avd.aquasec.com/misconfig/avd-aws-0013
────────────────────────────────────────
cloudfront.tf:241-245
via cloudfront.tf:177-267 (aws_cloudfront_distribution.external)
────────────────────────────────────────
177 resource "aws_cloudfront_distribution" "external" {
...
241 ┌ viewer_certificate {
242 │ acm_certificate_arn = aws_acm_certificate.cloudfront.arn
243 │ ssl_support_method = "sni-only"
244 │ minimum_protocol_version = "TLSv1.2_2018"
245 └ }
...
267 }
────────────────────────────────────────

AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
cloudfront.tf:131-142
────────────────────────────────────────
131 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "cloudfront" {
132 │ bucket = aws_s3_bucket.cloudfront.id
133 │ rule {
134 │ apply_server_side_encryption_by_default {
135 │ sse_algorithm = "AES256"
136 │ }
137 │ }
138 │ # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
139 └ lifecycle {
...
────────────────────────────────────────

ec2.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
ec2.tf:6-40
────────────────────────────────────────
6 ┌ resource "aws_instance" "apex_db_instance" {
7 │ ami = local.application_data.accounts[local.environment].ec2amiid
8 │ associate_public_ip_address = false
9 │ availability_zone = "eu-west-2a"
10 │ ebs_optimized = true
11 │ instance_type = local.application_data.accounts[local.environment].ec2instancetype
12 │ vpc_security_group_ids = [aws_security_group.database.id]
13 │ monitoring = true
14 └ subnet_id = data.aws_subnet.data_subnets_a.id
..
────────────────────────────────────────

lambda.tf (terraform)

Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0088 (HIGH): Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.

See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
lambda.tf:107-113
────────────────────────────────────────
107 ┌ resource "aws_s3_bucket" "backup_lambda" {
108 │ bucket = "${local.application_name}-${local.environment}-backup-lambda"
109 │ tags = merge(
110 │ local.tags,
111 │ { Name = "${local.application_name}-${local.environment}-backup-lambda" }
112 │ )
113 └ }
────────────────────────────────────────

AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
lambda.tf:107-113
────────────────────────────────────────
107 ┌ resource "aws_s3_bucket" "backup_lambda" {
108 │ bucket = "${local.application_name}-${local.environment}-backup-lambda"
109 │ tags = merge(
110 │ local.tags,
111 │ { Name = "${local.application_name}-${local.environment}-backup-lambda" }
112 │ )
113 └ }
────────────────────────────────────────

modules/ecs/main.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0130 (HIGH): Launch template does not require IMDS access to require a token
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/aws-autoscaling-enforce-http-token-imds
────────────────────────────────────────
modules/ecs/main.tf:119-123
via modules/ecs/main.tf:107-164 (aws_launch_template.ec2-launch-template)
via ecs.tf:5-38 (module.apex-ecs)
────────────────────────────────────────
107 resource "aws_launch_template" "ec2-launch-template" {
...
119 ┌ metadata_options {
120 │ http_endpoint = "enabled"
121 │ http_tokens = "optional"
122 │ http_put_response_hop_limit = "2"
123 └ }
...
164 }
────────────────────────────────────────

modules/s3/main.tf (terraform)

Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0088 (HIGH): Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.

See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
modules/s3/main.tf:1-4
────────────────────────────────────────
1 ┌ resource "aws_s3_bucket" "laa-lambda-backup" {
2 │ bucket = var.bucket_name
3 │ tags = var.tags
4 └ }
────────────────────────────────────────

AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
modules/s3/main.tf:1-4
────────────────────────────────────────
1 ┌ resource "aws_s3_bucket" "laa-lambda-backup" {
2 │ bucket = var.bucket_name
3 │ tags = var.tags
4 └ }
────────────────────────────────────────

trivy_exitcode=1

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/apex

*****************************

Running Checkov in terraform/environments/apex
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-11-28 15:48:28,030 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0:None (for external modules, the --download-external-modules flag is required)
2024-11-28 15:48:28,030 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 368, Failed checks: 102, Skipped checks: 5, Parsing errors: 1

Check: CKV_AWS_166: "Ensure Backup Vault is encrypted at rest using KMS CMK"
	FAILED for resource: aws_backup_vault.apex
	File: /backups.tf:6-12
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-backup-vault-is-encrypted-at-rest-using-kms-cmk

		6  | resource "aws_backup_vault" "apex" {
		7  |   name = "${local.application_name}-backup-vault"
		8  |   tags = merge(
		9  |     local.tags,
		10 |     { "Name" = "${local.application_name}-backup-vault" },
		11 |   )
		12 | }

Check: CKV_AWS_166: "Ensure Backup Vault is encrypted at rest using KMS CMK"
	FAILED for resource: aws_backup_vault.prod_apex
	File: /backups.tf:64-71
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-backup-vault-is-encrypted-at-rest-using-kms-cmk

		64 | resource "aws_backup_vault" "prod_apex" {
		65 |   count = local.environment == "production" ? 1 : 0
		66 |   name  = "${local.application_name}-production-backup-vault"
		67 |   tags = merge(
		68 |     local.tags,
		69 |     { "Name" = "${local.application_name}-production-backup-vault" },
		70 |   )
		71 | }

Check: CKV_AWS_300: "Ensure S3 lifecycle configuration sets period for aborting failed uploads"
	FAILED for resource: aws_s3_bucket_lifecycle_configuration.cloudfront
	File: /cloudfront.tf:157-175
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-300

		157 | resource "aws_s3_bucket_lifecycle_configuration" "cloudfront" {
		158 |   count  = local.environment == "production" ? 1 : 0
		159 |   bucket = aws_s3_bucket.cloudfront.id
		160 | 
		161 |   rule {
		162 |     id = "delete-after-90days"
		163 | 
		164 |     expiration {
		165 |       days = 90
		166 |     }
		167 | 
		168 |     noncurrent_version_expiration {
		169 |       newer_noncurrent_versions = 1
		170 |       noncurrent_days           = 90
		171 |     }
		172 | 
		173 |     status = "Enabled"
		174 |   }
		175 | }

Check: CKV_AWS_310: "Ensure CloudFront distributions should have origin failover configured"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:177-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-310

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_374: "Ensure AWS CloudFront web distribution has geo restriction enabled"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:177-267

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_305: "Ensure CloudFront distribution has a default root object configured"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:177-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-305

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_233: "Ensure Create before destroy for ACM certificates"
	FAILED for resource: aws_acm_certificate.cloudfront
	File: /cloudfront.tf:295-305
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-acm-certificate-enables-create-before-destroy

		295 | resource "aws_acm_certificate" "cloudfront" {
		296 |   domain_name               = local.cloudfront_domain
		297 |   validation_method         = "DNS"
		298 |   provider                  = aws.us-east-1
		299 |   subject_alternative_names = local.environment == "production" ? null : [local.lower_env_cloudfront_url]
		300 |   tags                      = local.tags
		301 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		302 |   lifecycle {
		303 |     prevent_destroy = false
		304 |   }
		305 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.apex_db_instance
	File: /ec2.tf:6-40
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		6  | resource "aws_instance" "apex_db_instance" {
		7  |   ami                         = local.application_data.accounts[local.environment].ec2amiid
		8  |   associate_public_ip_address = false
		9  |   availability_zone           = "eu-west-2a"
		10 |   ebs_optimized               = true
		11 |   instance_type               = local.application_data.accounts[local.environment].ec2instancetype
		12 |   vpc_security_group_ids      = [aws_security_group.database.id]
		13 |   monitoring                  = true
		14 |   subnet_id                   = data.aws_subnet.data_subnets_a.id
		15 |   iam_instance_profile        = aws_iam_instance_profile.ec2_instance_profile.id
		16 |   key_name                    = aws_key_pair.apex.key_name
		17 |   user_data_base64            = base64encode(local.database-instance-userdata)
		18 |   user_data_replace_on_change = true
		19 | 
		20 | 
		21 |   root_block_device {
		22 |     delete_on_termination = false
		23 |     encrypted             = true # TODO Confirm if encrypted volumes can work for OAS, as it looks like in MP they must be encrypted
		24 |     volume_size           = 60
		25 |     volume_type           = "gp2"
		26 |     tags = merge(
		27 |       local.tags,
		28 |       { "Name" = "${local.application_name}db-ec2-root" },
		29 |       { "backup" = "false" }
		30 |     )
		31 |   }
		32 | 
		33 |   tags = merge(
		34 |     local.tags,
		35 |     { "Name" = local.database_ec2_name },
		36 |     { "instance-scheduling" = "skip-scheduling" },
		37 |     { "backup" = "false" },
		38 |     local.backup_schedule_tags
		39 |   )
		40 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.db_lambda
	File: /ec2.tf:77-84
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		77 | resource "aws_vpc_security_group_ingress_rule" "db_lambda" {
		78 |   security_group_id            = aws_security_group.database.id
		79 |   description                  = "Allow Lambda SSH access for backup snapshots"
		80 |   referenced_security_group_id = aws_security_group.backup_lambda.id
		81 |   from_port                    = 22
		82 |   ip_protocol                  = "tcp"
		83 |   to_port                      = 22
		84 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.db_outbound
	File: /ec2.tf:105-109
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		105 | resource "aws_vpc_security_group_egress_rule" "db_outbound" {
		106 |   security_group_id = aws_security_group.database.id
		107 |   cidr_ipv4         = "0.0.0.0/0"
		108 |   ip_protocol       = "-1"
		109 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.ec2_instance_policy
	File: /ec2.tf:136-167
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		136 | resource "aws_iam_role_policy" "ec2_instance_policy" {
		137 |   name = "${local.application_name}-ec2-policy"
		138 |   role = aws_iam_role.ec2_instance_role.id
		139 |   policy = jsonencode({
		140 |     Version = "2012-10-17"
		141 |     Statement = [
		142 |       {
		143 |         Effect = "Allow",
		144 |         Action = [
		145 |           "logs:CreateLogGroup",
		146 |           "logs:CreateLogStream",
		147 |           "logs:DescribeLogStreams",
		148 |           "logs:PutRetentionPolicy",
		149 |           "logs:PutLogEvents",
		150 |           "logs:DescribeLogGroups",
		151 |           "cloudwatch:PutMetricData",
		152 |           "cloudwatch:GetMetricStatistics",
		153 |           "cloudwatch:ListMetrics",
		154 |           "ec2:DescribeInstances",
		155 |         ],
		156 |         Resource = "*"
		157 |       },
		158 |       {
		159 |         Effect = "Allow",
		160 |         Action = [
		161 |           "ec2:CreateTags"
		162 |         ],
		163 |         Resource = "*"
		164 |       }
		165 |     ]
		166 |   })
		167 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.ec2_instance_policy
	File: /ec2.tf:136-167
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		136 | resource "aws_iam_role_policy" "ec2_instance_policy" {
		137 |   name = "${local.application_name}-ec2-policy"
		138 |   role = aws_iam_role.ec2_instance_role.id
		139 |   policy = jsonencode({
		140 |     Version = "2012-10-17"
		141 |     Statement = [
		142 |       {
		143 |         Effect = "Allow",
		144 |         Action = [
		145 |           "logs:CreateLogGroup",
		146 |           "logs:CreateLogStream",
		147 |           "logs:DescribeLogStreams",
		148 |           "logs:PutRetentionPolicy",
		149 |           "logs:PutLogEvents",
		150 |           "logs:DescribeLogGroups",
		151 |           "cloudwatch:PutMetricData",
		152 |           "cloudwatch:GetMetricStatistics",
		153 |           "cloudwatch:ListMetrics",
		154 |           "ec2:DescribeInstances",
		155 |         ],
		156 |         Resource = "*"
		157 |       },
		158 |       {
		159 |         Effect = "Allow",
		160 |         Action = [
		161 |           "ec2:CreateTags"
		162 |         ],
		163 |         Resource = "*"
		164 |       }
		165 |     ]
		166 |   })
		167 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.database
	File: /ec2.tf:269-279
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		269 | resource "aws_cloudwatch_log_group" "database" {
		270 |   name              = "${upper(local.application_name)}-EC2-database-alert"
		271 |   retention_in_days = 0
		272 |   # kms_key_id = aws_kms_key.cloudwatch_logs_key.arn # Not encrypted in LZ
		273 |   tags = merge(
		274 |     local.tags,
		275 |     {
		276 |       Name = "${upper(local.application_name)}-EC2-database-alert"
		277 |     }
		278 |   )
		279 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.pmon_status
	File: /ec2.tf:294-304
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		294 | resource "aws_cloudwatch_log_group" "pmon_status" {
		295 |   name              = "${upper(local.application_name)}-EC2-database-pmon-status"
		296 |   retention_in_days = 0
		297 |   # kms_key_id = aws_kms_key.cloudwatch_logs_key.arn # Not encrypted in LZ
		298 |   tags = merge(
		299 |     local.tags,
		300 |     {
		301 |       Name = "${upper(local.application_name)}-EC2-database-pmon-status"
		302 |     }
		303 |   )
		304 | }

Check: CKV_AWS_7: "Ensure rotation for customer created CMKs is enabled"
	FAILED for resource: aws_kms_key.efs
	File: /efs.tf:1-5
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/logging-8

		1 | resource "aws_kms_key" "efs" {
		2 |   description = "KMS key for encrypting EFS"
		3 |   # enable_key_rotation = true
		4 |   tags = local.tags
		5 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.ssh_key
	File: /lambda.tf:8-23
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		8  | resource "aws_ssm_parameter" "ssh_key" {
		9  |   name        = "EC2_SSH_KEY" # This needs to match the name supplied to the dbconnect.js script
		10 |   description = "SSH Key used by Lambda function to access database instance for backup. Value is updated manually."
		11 |   type        = "SecureString"
		12 |   value       = "Placeholder"
		13 | 
		14 |   tags = merge(
		15 |     local.tags,
		16 |     { Name = "EC2_SSH_KEY" }
		17 |   )
		18 |   lifecycle {
		19 |     ignore_changes = [
		20 |       value,
		21 |     ]
		22 |   }
		23 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:51-91
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		51 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		52 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		53 |   tags = merge(
		54 |     local.tags,
		55 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		56 |   )
		57 |   policy = <<EOF
		58 | {
		59 |     "Version" : "2012-10-17",
		60 |     "Statement": [
		61 |         {
		62 |             "Action": [
		63 |                 "lambda:InvokeFunction",
		64 |                 "ec2:CreateNetworkInterface",
		65 |                 "ec2:DescribeNetworkInterfaces",
		66 |                 "ec2:DeleteNetworkInterface",
		67 |                 "ec2:DescribeSecurityGroups",
		68 |                 "ec2:CreateSnapshot",
		69 |                 "ec2:DeleteSnapshot",
		70 |                 "ec2:DescribeSubnets",
		71 |                 "ec2:DescribeVpcs",
		72 |                 "ec2:DescribeInstances",
		73 |                 "ec2:DescribeAddresses",
		74 |                 "ec2:DescribeInstanceStatus",
		75 |                 "ec2:DescribeVolumes",
		76 |                 "ec2:DescribeSnapshots",
		77 |                 "ec2:CreateTags",
		78 |                 "s3:*",
		79 |                 "ssm:*",
		80 |                 "ses:*",
		81 |                 "logs:*",
		82 |                 "cloudwatch:*",
		83 |                 "sts:AssumeRole"
		84 |             ],
		85 |             "Resource": "*",
		86 |             "Effect": "Allow"
		87 |         }
		88 |     ]
		89 | }
		90 | EOF
		91 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:51-91
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		51 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		52 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		53 |   tags = merge(
		54 |     local.tags,
		55 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		56 |   )
		57 |   policy = <<EOF
		58 | {
		59 |     "Version" : "2012-10-17",
		60 |     "Statement": [
		61 |         {
		62 |             "Action": [
		63 |                 "lambda:InvokeFunction",
		64 |                 "ec2:CreateNetworkInterface",
		65 |                 "ec2:DescribeNetworkInterfaces",
		66 |                 "ec2:DeleteNetworkInterface",
		67 |                 "ec2:DescribeSecurityGroups",
		68 |                 "ec2:CreateSnapshot",
		69 |                 "ec2:DeleteSnapshot",
		70 |                 "ec2:DescribeSubnets",
		71 |                 "ec2:DescribeVpcs",
		72 |                 "ec2:DescribeInstances",
		73 |                 "ec2:DescribeAddresses",
		74 |                 "ec2:DescribeInstanceStatus",
		75 |                 "ec2:DescribeVolumes",
		76 |                 "ec2:DescribeSnapshots",
		77 |                 "ec2:CreateTags",
		78 |                 "s3:*",
		79 |                 "ssm:*",
		80 |                 "ses:*",
		81 |                 "logs:*",
		82 |                 "cloudwatch:*",
		83 |                 "sts:AssumeRole"
		84 |             ],
		85 |             "Resource": "*",
		86 |             "Effect": "Allow"
		87 |         }
		88 |     ]
		89 | }
		90 | EOF
		91 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:51-91
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		51 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		52 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		53 |   tags = merge(
		54 |     local.tags,
		55 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		56 |   )
		57 |   policy = <<EOF
		58 | {
		59 |     "Version" : "2012-10-17",
		60 |     "Statement": [
		61 |         {
		62 |             "Action": [
		63 |                 "lambda:InvokeFunction",
		64 |                 "ec2:CreateNetworkInterface",
		65 |                 "ec2:DescribeNetworkInterfaces",
		66 |                 "ec2:DeleteNetworkInterface",
		67 |                 "ec2:DescribeSecurityGroups",
		68 |                 "ec2:CreateSnapshot",
		69 |                 "ec2:DeleteSnapshot",
		70 |                 "ec2:DescribeSubnets",
		71 |                 "ec2:DescribeVpcs",
		72 |                 "ec2:DescribeInstances",
		73 |                 "ec2:DescribeAddresses",
		74 |                 "ec2:DescribeInstanceStatus",
		75 |                 "ec2:DescribeVolumes",
		76 |                 "ec2:DescribeSnapshots",
		77 |                 "ec2:CreateTags",
		78 |                 "s3:*",
		79 |                 "ssm:*",
		80 |                 "ses:*",
		81 |                 "logs:*",
		82 |                 "cloudwatch:*",
		83 |                 "sts:AssumeRole"
		84 |             ],
		85 |             "Resource": "*",
		86 |             "Effect": "Allow"
		87 |         }
		88 |     ]
		89 | }
		90 | EOF
		91 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:51-91
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		51 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		52 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		53 |   tags = merge(
		54 |     local.tags,
		55 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		56 |   )
		57 |   policy = <<EOF
		58 | {
		59 |     "Version" : "2012-10-17",
		60 |     "Statement": [
		61 |         {
		62 |             "Action": [
		63 |                 "lambda:InvokeFunction",
		64 |                 "ec2:CreateNetworkInterface",
		65 |                 "ec2:DescribeNetworkInterfaces",
		66 |                 "ec2:DeleteNetworkInterface",
		67 |                 "ec2:DescribeSecurityGroups",
		68 |                 "ec2:CreateSnapshot",
		69 |                 "ec2:DeleteSnapshot",
		70 |                 "ec2:DescribeSubnets",
		71 |                 "ec2:DescribeVpcs",
		72 |                 "ec2:DescribeInstances",
		73 |                 "ec2:DescribeAddresses",
		74 |                 "ec2:DescribeInstanceStatus",
		75 |                 "ec2:DescribeVolumes",
		76 |                 "ec2:DescribeSnapshots",
		77 |                 "ec2:CreateTags",
		78 |                 "s3:*",
		79 |                 "ssm:*",
		80 |                 "ses:*",
		81 |                 "logs:*",
		82 |                 "cloudwatch:*",
		83 |                 "sts:AssumeRole"
		84 |             ],
		85 |             "Resource": "*",
		86 |             "Effect": "Allow"
		87 |         }
		88 |     ]
		89 | }
		90 | EOF
		91 | }

Check: CKV_AWS_287: "Ensure IAM policies does not allow credentials exposure"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:51-91
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-287

		51 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		52 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		53 |   tags = merge(
		54 |     local.tags,
		55 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		56 |   )
		57 |   policy = <<EOF
		58 | {
		59 |     "Version" : "2012-10-17",
		60 |     "Statement": [
		61 |         {
		62 |             "Action": [
		63 |                 "lambda:InvokeFunction",
		64 |                 "ec2:CreateNetworkInterface",
		65 |                 "ec2:DescribeNetworkInterfaces",
		66 |                 "ec2:DeleteNetworkInterface",
		67 |                 "ec2:DescribeSecurityGroups",
		68 |                 "ec2:CreateSnapshot",
		69 |                 "ec2:DeleteSnapshot",
		70 |                 "ec2:DescribeSubnets",
		71 |                 "ec2:DescribeVpcs",
		72 |                 "ec2:DescribeInstances",
		73 |                 "ec2:DescribeAddresses",
		74 |                 "ec2:DescribeInstanceStatus",
		75 |                 "ec2:DescribeVolumes",
		76 |                 "ec2:DescribeSnapshots",
		77 |                 "ec2:CreateTags",
		78 |                 "s3:*",
		79 |                 "ssm:*",
		80 |                 "ses:*",
		81 |                 "logs:*",
		82 |                 "cloudwatch:*",
		83 |                 "sts:AssumeRole"
		84 |             ],
		85 |             "Resource": "*",
		86 |             "Effect": "Allow"
		87 |         }
		88 |     ]
		89 | }
		90 | EOF
		91 | }

Check: CKV_AWS_382: "Ensure no security groups allow egress from 0.0.0.0:0 to port -1"
	FAILED for resource: aws_security_group.backup_lambda
	File: /lambda.tf:190-207

		190 | resource "aws_security_group" "backup_lambda" {
		191 |   name        = "${local.application_name}-${local.environment}-backup-lambda-security-group"
		192 |   description = "Bakcup Lambda Security Group"
		193 |   vpc_id      = data.aws_vpc.shared.id
		194 | 
		195 |   egress {
		196 |     description = "outbound access"
		197 |     from_port   = 0
		198 |     to_port     = 0
		199 |     protocol    = "-1"
		200 |     cidr_blocks = ["0.0.0.0/0"]
		201 |   }
		202 | 
		203 |   tags = merge(
		204 |     local.tags,
		205 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-security-group" }
		206 |   )
		207 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /lambda.tf:222-250
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		222 | resource "aws_lambda_function" "create_db_snapshots" {
		223 | 
		224 |   description      = "Snapshot volumes for Oracle EC2"
		225 |   function_name    = "snapshotDBFunction"
		226 |   role             = aws_iam_role.backup_lambda.arn
		227 |   handler          = "snapshot/dbsnapshot.handler"
		228 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		229 |   runtime          = "nodejs18.x"
		230 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		231 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		232 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		233 |   memory_size      = 128
		234 |   timeout          = 900
		235 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		236 | 
		237 |   environment {
		238 |     variables = {
		239 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		240 |     }
		241 |   }
		242 |   vpc_config {
		243 |     security_group_ids = [aws_security_group.backup_lambda.id]
		244 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		245 |   }
		246 |   tags = merge(
		247 |     local.tags,
		248 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		249 |   )
		250 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /lambda.tf:222-250
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		222 | resource "aws_lambda_function" "create_db_snapshots" {
		223 | 
		224 |   description      = "Snapshot volumes for Oracle EC2"
		225 |   function_name    = "snapshotDBFunction"
		226 |   role             = aws_iam_role.backup_lambda.arn
		227 |   handler          = "snapshot/dbsnapshot.handler"
		228 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		229 |   runtime          = "nodejs18.x"
		230 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		231 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		232 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		233 |   memory_size      = 128
		234 |   timeout          = 900
		235 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		236 | 
		237 |   environment {
		238 |     variables = {
		239 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		240 |     }
		241 |   }
		242 |   vpc_config {
		243 |     security_group_ids = [aws_security_group.backup_lambda.id]
		244 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		245 |   }
		246 |   tags = merge(
		247 |     local.tags,
		248 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		249 |   )
		250 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /lambda.tf:222-250
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		222 | resource "aws_lambda_function" "create_db_snapshots" {
		223 | 
		224 |   description      = "Snapshot volumes for Oracle EC2"
		225 |   function_name    = "snapshotDBFunction"
		226 |   role             = aws_iam_role.backup_lambda.arn
		227 |   handler          = "snapshot/dbsnapshot.handler"
		228 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		229 |   runtime          = "nodejs18.x"
		230 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		231 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		232 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		233 |   memory_size      = 128
		234 |   timeout          = 900
		235 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		236 | 
		237 |   environment {
		238 |     variables = {
		239 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		240 |     }
		241 |   }
		242 |   vpc_config {
		243 |     security_group_ids = [aws_security_group.backup_lambda.id]
		244 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		245 |   }
		246 |   tags = merge(
		247 |     local.tags,
		248 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		249 |   )
		250 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /lambda.tf:222-250
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		222 | resource "aws_lambda_function" "create_db_snapshots" {
		223 | 
		224 |   description      = "Snapshot volumes for Oracle EC2"
		225 |   function_name    = "snapshotDBFunction"
		226 |   role             = aws_iam_role.backup_lambda.arn
		227 |   handler          = "snapshot/dbsnapshot.handler"
		228 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		229 |   runtime          = "nodejs18.x"
		230 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		231 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		232 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		233 |   memory_size      = 128
		234 |   timeout          = 900
		235 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		236 | 
		237 |   environment {
		238 |     variables = {
		239 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		240 |     }
		241 |   }
		242 |   vpc_config {
		243 |     security_group_ids = [aws_security_group.backup_lambda.id]
		244 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		245 |   }
		246 |   tags = merge(
		247 |     local.tags,
		248 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		249 |   )
		250 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /lambda.tf:222-250
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		222 | resource "aws_lambda_function" "create_db_snapshots" {
		223 | 
		224 |   description      = "Snapshot volumes for Oracle EC2"
		225 |   function_name    = "snapshotDBFunction"
		226 |   role             = aws_iam_role.backup_lambda.arn
		227 |   handler          = "snapshot/dbsnapshot.handler"
		228 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		229 |   runtime          = "nodejs18.x"
		230 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		231 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		232 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		233 |   memory_size      = 128
		234 |   timeout          = 900
		235 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		236 | 
		237 |   environment {
		238 |     variables = {
		239 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		240 |     }
		241 |   }
		242 |   vpc_config {
		243 |     security_group_ids = [aws_security_group.backup_lambda.id]
		244 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		245 |   }
		246 |   tags = merge(
		247 |     local.tags,
		248 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		249 |   )
		250 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /lambda.tf:252-274
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		252 | resource "aws_lambda_function" "delete_db_snapshots" {
		253 | 
		254 |   description      = "Clean up script to delete old unused snapshots"
		255 |   function_name    = "deletesnapshotFunction"
		256 |   role             = aws_iam_role.backup_lambda.arn
		257 |   handler          = "deletesnapshots.lambda_handler"
		258 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		259 |   runtime          = "python3.8"
		260 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		261 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		262 |   memory_size      = 3000
		263 |   timeout          = 900
		264 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		265 | 
		266 |   vpc_config {
		267 |     security_group_ids = [aws_security_group.backup_lambda.id]
		268 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		269 |   }
		270 |   tags = merge(
		271 |     local.tags,
		272 |     { Name = "${local.application_name}-${local.environment}-lambda-delete-snapshots" }
		273 |   )
		274 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /lambda.tf:252-274
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		252 | resource "aws_lambda_function" "delete_db_snapshots" {
		253 | 
		254 |   description      = "Clean up script to delete old unused snapshots"
		255 |   function_name    = "deletesnapshotFunction"
		256 |   role             = aws_iam_role.backup_lambda.arn
		257 |   handler          = "deletesnapshots.lambda_handler"
		258 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		259 |   runtime          = "python3.8"
		260 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		261 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		262 |   memory_size      = 3000
		263 |   timeout          = 900
		264 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		265 | 
		266 |   vpc_config {
		267 |     security_group_ids = [aws_security_group.backup_lambda.id]
		268 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		269 |   }
		270 |   tags = merge(
		271 |     local.tags,
		272 |     { Name = "${local.application_name}-${local.environment}-lambda-delete-snapshots" }
		273 |   )
		274 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /lambda.tf:252-274
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		252 | resource "aws_lambda_function" "delete_db_snapshots" {
		253 | 
		254 |   description      = "Clean up script to delete old unused snapshots"
		255 |   function_name    = "deletesnapshotFunction"
		256 |   role             = aws_iam_role.backup_lambda.arn
		257 |   handler          = "deletesnapshots.lambda_handler"
		258 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		259 |   runtime          = "python3.8"
		260 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		261 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		262 |   memory_size      = 3000
		263 |   timeout          = 900
		264 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		265 | 
		266 |   vpc_config {
		267 |     security_group_ids = [aws_security_group.backup_lambda.id]
		268 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		269 |   }
		270 |   tags = merge(
		271 |     local.tags,
		272 |     { Name = "${local.application_name}-${local.environment}-lambda-delete-snapshots" }
		273 |   )
		274 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /lambda.tf:252-274
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		252 | resource "aws_lambda_function" "delete_db_snapshots" {
		253 | 
		254 |   description      = "Clean up script to delete old unused snapshots"
		255 |   function_name    = "deletesnapshotFunction"
		256 |   role             = aws_iam_role.backup_lambda.arn
		257 |   handler          = "deletesnapshots.lambda_handler"
		258 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		259 |   runtime          = "python3.8"
		260 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		261 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		262 |   memory_size      = 3000
		263 |   timeout          = 900
		264 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		265 | 
		266 |   vpc_config {
		267 |     security_group_ids = [aws_security_group.backup_lambda.id]
		268 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		269 |   }
		270 |   tags = merge(
		271 |     local.tags,
		272 |     { Name = "${local.application_name}-${local.environment}-lambda-delete-snapshots" }
		273 |   )
		274 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.connect_db
	File: /lambda.tf:276-307
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		276 | resource "aws_lambda_function" "connect_db" {
		277 | 
		278 |   description      = "SSH to the DB EC2"
		279 |   function_name    = "connectDBFunction"
		280 |   role             = aws_iam_role.backup_lambda.arn
		281 |   handler          = "ssh/dbconnect.handler"
		282 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		283 |   runtime          = "nodejs18.x"
		284 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		285 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		286 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		287 |   memory_size      = 128
		288 |   timeout          = 900
		289 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		290 | 
		291 | 
		292 | 
		293 |   environment {
		294 |     variables = {
		295 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		296 | 
		297 |     }
		298 |   }
		299 |   vpc_config {
		300 |     security_group_ids = [aws_security_group.backup_lambda.id]
		301 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		302 |   }
		303 |   tags = merge(
		304 |     local.tags,
		305 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		306 |   )
		307 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.connect_db
	File: /lambda.tf:276-307
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		276 | resource "aws_lambda_function" "connect_db" {
		277 | 
		278 |   description      = "SSH to the DB EC2"
		279 |   function_name    = "connectDBFunction"
		280 |   role             = aws_iam_role.backup_lambda.arn
		281 |   handler          = "ssh/dbconnect.handler"
		282 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		283 |   runtime          = "nodejs18.x"
		284 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		285 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		286 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		287 |   memory_size      = 128
		288 |   timeout          = 900
		289 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		290 | 
		291 | 
		292 | 
		293 |   environment {
		294 |     variables = {
		295 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		296 | 
		297 |     }
		298 |   }
		299 |   vpc_config {
		300 |     security_group_ids = [aws_security_group.backup_lambda.id]
		301 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		302 |   }
		303 |   tags = merge(
		304 |     local.tags,
		305 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		306 |   )
		307 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.connect_db
	File: /lambda.tf:276-307
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		276 | resource "aws_lambda_function" "connect_db" {
		277 | 
		278 |   description      = "SSH to the DB EC2"
		279 |   function_name    = "connectDBFunction"
		280 |   role             = aws_iam_role.backup_lambda.arn
		281 |   handler          = "ssh/dbconnect.handler"
		282 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		283 |   runtime          = "nodejs18.x"
		284 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		285 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		286 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		287 |   memory_size      = 128
		288 |   timeout          = 900
		289 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		290 | 
		291 | 
		292 | 
		293 |   environment {
		294 |     variables = {
		295 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		296 | 
		297 |     }
		298 |   }
		299 |   vpc_config {
		300 |     security_group_ids = [aws_security_group.backup_lambda.id]
		301 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		302 |   }
		303 |   tags = merge(
		304 |     local.tags,
		305 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		306 |   )
		307 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.connect_db
	File: /lambda.tf:276-307
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		276 | resource "aws_lambda_function" "connect_db" {
		277 | 
		278 |   description      = "SSH to the DB EC2"
		279 |   function_name    = "connectDBFunction"
		280 |   role             = aws_iam_role.backup_lambda.arn
		281 |   handler          = "ssh/dbconnect.handler"
		282 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		283 |   runtime          = "nodejs18.x"
		284 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		285 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		286 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		287 |   memory_size      = 128
		288 |   timeout          = 900
		289 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		290 | 
		291 | 
		292 | 
		293 |   environment {
		294 |     variables = {
		295 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		296 | 
		297 |     }
		298 |   }
		299 |   vpc_config {
		300 |     security_group_ids = [aws_security_group.backup_lambda.id]
		301 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		302 |   }
		303 |   tags = merge(
		304 |     local.tags,
		305 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		306 |   )
		307 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.connect_db
	File: /lambda.tf:276-307
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		276 | resource "aws_lambda_function" "connect_db" {
		277 | 
		278 |   description      = "SSH to the DB EC2"
		279 |   function_name    = "connectDBFunction"
		280 |   role             = aws_iam_role.backup_lambda.arn
		281 |   handler          = "ssh/dbconnect.handler"
		282 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		283 |   runtime          = "nodejs18.x"
		284 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		285 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		286 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		287 |   memory_size      = 128
		288 |   timeout          = 900
		289 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		290 | 
		291 | 
		292 | 
		293 |   environment {
		294 |     variables = {
		295 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		296 | 
		297 |     }
		298 |   }
		299 |   vpc_config {
		300 |     security_group_ids = [aws_security_group.backup_lambda.id]
		301 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		302 |   }
		303 |   tags = merge(
		304 |     local.tags,
		305 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		306 |   )
		307 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.alb.s3-bucket[0]
	File: /modules/alb/main.tf:96-151
	Calling File: /alb.tf:27-163
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: module.alb.aws_secretsmanager_secret.cloudfront
	File: /modules/alb/main.tf:275-278
	Calling File: /alb.tf:27-163
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		275 | resource "aws_secretsmanager_secret" "cloudfront" {
		276 |   name        = "cloudfront-v1-secret-${var.application_name}"
		277 |   description = "Simple secret created by AWS CloudFormation to be shared between ALB and CloudFront"
		278 | }

Check: CKV_AWS_378: "Ensure AWS Load Balancer doesn't use HTTP protocol"
	FAILED for resource: module.alb.aws_lb_target_group.alb_target_group
	File: /modules/alb/main.tf:346-373
	Calling File: /alb.tf:27-163

		346 | resource "aws_lb_target_group" "alb_target_group" {
		347 |   name                 = "${var.application_name}-alb-tg"
		348 |   port                 = var.target_group_port
		349 |   protocol             = var.target_group_protocol
		350 |   vpc_id               = var.vpc_id
		351 |   deregistration_delay = var.target_group_deregistration_delay
		352 |   health_check {
		353 |     interval            = var.healthcheck_interval
		354 |     path                = var.healthcheck_path
		355 |     protocol            = var.healthcheck_protocol
		356 |     timeout             = var.healthcheck_timeout
		357 |     healthy_threshold   = var.healthcheck_healthy_threshold
		358 |     unhealthy_threshold = var.healthcheck_unhealthy_threshold
		359 |   }
		360 |   stickiness {
		361 |     enabled         = var.stickiness_enabled
		362 |     type            = var.stickiness_type
		363 |     cookie_duration = var.stickiness_cookie_duration
		364 |   }
		365 | 
		366 |   tags = merge(
		367 |     var.tags,
		368 |     {
		369 |       Name = "${var.application_name}-alb-tg"
		370 |     },
		371 |   )
		372 | 
		373 | }

Check: CKV_AWS_233: "Ensure Create before destroy for ACM certificates"
	FAILED for resource: module.alb.aws_acm_certificate.external_lb
	File: /modules/alb/main.tf:427-437
	Calling File: /alb.tf:27-163
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-acm-certificate-enables-create-before-destroy

		427 | resource "aws_acm_certificate" "external_lb" {
		428 | 
		429 |   domain_name               = var.acm_cert_domain_name
		430 |   validation_method         = "DNS"
		431 |   subject_alternative_names = var.environment == "production" ? null : ["${var.application_name}.${var.business_unit}-${var.environment}.${var.acm_cert_domain_name}"]
		432 |   tags                      = var.tags
		433 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		434 |   lifecycle {
		435 |     prevent_destroy = false
		436 |   }
		437 | }

Check: CKV_AWS_300: "Ensure S3 lifecycle configuration sets period for aborting failed uploads"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket_lifecycle_configuration.report_lifecycle
	File: /modules/codebuild/main.tf:25-39
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-300

		25 | resource "aws_s3_bucket_lifecycle_configuration" "report_lifecycle" {
		26 |   bucket = aws_s3_bucket.deployment_report.id
		27 | 
		28 |   rule {
		29 |     id = "monthly-expiration"
		30 |     expiration {
		31 |       days = var.s3_lifecycle_expiration_days
		32 |     }
		33 |     noncurrent_version_expiration {
		34 |       noncurrent_days = var.s3_lifecycle_noncurr_version_expiration_days
		35 |     }
		36 | 
		37 |     status = "Enabled"
		38 |   }
		39 | }

Check: CKV_AWS_163: "Ensure ECR image scanning on push is enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_ecr_repository.local-ecr
	File: /modules/codebuild/main.tf:52-66
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-8

		52 | resource "aws_ecr_repository" "local-ecr" {
		53 |   name                 = "${var.app_name}-local-ecr"
		54 |   image_tag_mutability = "MUTABLE"
		55 | 
		56 |   image_scanning_configuration {
		57 |     scan_on_push = false
		58 |   }
		59 | 
		60 |   tags = merge(
		61 |     var.tags,
		62 |     {
		63 |       Name = "${var.app_name}-local-ecr"
		64 |     },
		65 |   )
		66 | }

Check: CKV_AWS_51: "Ensure ECR Image Tags are immutable"
	FAILED for resource: module.apex-ecr-codebuild.aws_ecr_repository.local-ecr
	File: /modules/codebuild/main.tf:52-66
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-24

		52 | resource "aws_ecr_repository" "local-ecr" {
		53 |   name                 = "${var.app_name}-local-ecr"
		54 |   image_tag_mutability = "MUTABLE"
		55 | 
		56 |   image_scanning_configuration {
		57 |     scan_on_push = false
		58 |   }
		59 | 
		60 |   tags = merge(
		61 |     var.tags,
		62 |     {
		63 |       Name = "${var.app_name}-local-ecr"
		64 |     },
		65 |   )
		66 | }

Check: CKV_AWS_136: "Ensure that ECR repositories are encrypted using KMS"
	FAILED for resource: module.apex-ecr-codebuild.aws_ecr_repository.local-ecr
	File: /modules/codebuild/main.tf:52-66
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ecr-repositories-are-encrypted

		52 | resource "aws_ecr_repository" "local-ecr" {
		53 |   name                 = "${var.app_name}-local-ecr"
		54 |   image_tag_mutability = "MUTABLE"
		55 | 
		56 |   image_scanning_configuration {
		57 |     scan_on_push = false
		58 |   }
		59 | 
		60 |   tags = merge(
		61 |     var.tags,
		62 |     {
		63 |       Name = "${var.app_name}-local-ecr"
		64 |     },
		65 |   )
		66 | }

Check: CKV_AWS_314: "Ensure CodeBuild project environments have a logging configuration"
	FAILED for resource: module.apex-ecr-codebuild.aws_codebuild_project.app-build
	File: /modules/codebuild/main.tf:163-229
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-314

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_316: "Ensure CodeBuild project environments do not have privileged mode enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_codebuild_project.app-build
	File: /modules/codebuild/main.tf:163-229
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-316

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_314: "Ensure CodeBuild project environments have a logging configuration"
	FAILED for resource: module.apex-ecr-codebuild.aws_codebuild_project.test-build
	File: /modules/codebuild/main.tf:231-280
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-314

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: module.apex-ecs.aws_launch_template.ec2-launch-template
	File: /modules/ecs/main.tf:107-164
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_341: "Ensure Launch template should not have a metadata response hop limit greater than 1"
	FAILED for resource: module.apex-ecs.aws_launch_template.ec2-launch-template
	File: /modules/ecs/main.tf:107-164
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-341

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: module.apex-ecs.aws_iam_policy.ec2_instance_policy
	File: /modules/ecs/main.tf:204-237
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		204 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		205 |   name = "${var.app_name}-ec2-instance-policy"
		206 |   tags = merge(
		207 |     var.tags_common,
		208 |     {
		209 |       Name = "${var.app_name}-ec2-instance-policy"
		210 |     }
		211 |   )
		212 |   policy = <<EOF
		213 | {
		214 |     "Version": "2012-10-17",
		215 |     "Statement": [
		216 |         {
		217 |             "Action": [
		218 |                 "ecs:CreateCluster",
		219 |                 "ecs:DeregisterContainerInstance",
		220 |                 "ecs:DiscoverPollEndpoint",
		221 |                 "ecs:Poll",
		222 |                 "ecs:RegisterContainerInstance",
		223 |                 "ecs:StartTelemetrySession",
		224 |                 "ecs:Submit*",
		225 |                 "logs:CreateLogGroup",
		226 |                 "logs:CreateLogStream",
		227 |                 "logs:PutLogEvents",
		228 |                 "logs:DescribeLogStreams",
		229 |                 "ecr:*"
		230 |             ],
		231 |             "Resource": "*",
		232 |             "Effect": "Allow"
		233 |         }
		234 |     ]
		235 | }
		236 | EOF
		237 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.apex-ecs.aws_iam_policy.ec2_instance_policy
	File: /modules/ecs/main.tf:204-237
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		204 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		205 |   name = "${var.app_name}-ec2-instance-policy"
		206 |   tags = merge(
		207 |     var.tags_common,
		208 |     {
		209 |       Name = "${var.app_name}-ec2-instance-policy"
		210 |     }
		211 |   )
		212 |   policy = <<EOF
		213 | {
		214 |     "Version": "2012-10-17",
		215 |     "Statement": [
		216 |         {
		217 |             "Action": [
		218 |                 "ecs:CreateCluster",
		219 |                 "ecs:DeregisterContainerInstance",
		220 |                 "ecs:DiscoverPollEndpoint",
		221 |                 "ecs:Poll",
		222 |                 "ecs:RegisterContainerInstance",
		223 |                 "ecs:StartTelemetrySession",
		224 |                 "ecs:Submit*",
		225 |                 "logs:CreateLogGroup",
		226 |                 "logs:CreateLogStream",
		227 |                 "logs:PutLogEvents",
		228 |                 "logs:DescribeLogStreams",
		229 |                 "ecr:*"
		230 |             ],
		231 |             "Resource": "*",
		232 |             "Effect": "Allow"
		233 |         }
		234 |     ]
		235 | }
		236 | EOF
		237 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: module.apex-ecs.aws_iam_policy.ec2_instance_policy
	File: /modules/ecs/main.tf:204-237
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		204 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		205 |   name = "${var.app_name}-ec2-instance-policy"
		206 |   tags = merge(
		207 |     var.tags_common,
		208 |     {
		209 |       Name = "${var.app_name}-ec2-instance-policy"
		210 |     }
		211 |   )
		212 |   policy = <<EOF
		213 | {
		214 |     "Version": "2012-10-17",
		215 |     "Statement": [
		216 |         {
		217 |             "Action": [
		218 |                 "ecs:CreateCluster",
		219 |                 "ecs:DeregisterContainerInstance",
		220 |                 "ecs:DiscoverPollEndpoint",
		221 |                 "ecs:Poll",
		222 |                 "ecs:RegisterContainerInstance",
		223 |                 "ecs:StartTelemetrySession",
		224 |                 "ecs:Submit*",
		225 |                 "logs:CreateLogGroup",
		226 |                 "logs:CreateLogStream",
		227 |                 "logs:PutLogEvents",
		228 |                 "logs:DescribeLogStreams",
		229 |                 "ecr:*"
		230 |             ],
		231 |             "Resource": "*",
		232 |             "Effect": "Allow"
		233 |         }
		234 |     ]
		235 | }
		236 | EOF
		237 | }

Check: CKV_AWS_249: "Ensure that the Execution Role ARN and the Task Role ARN are different in ECS Task definitions"
	FAILED for resource: module.apex-ecs.aws_ecs_task_definition.windows_ecs_task_definition
	File: /modules/ecs/main.tf:266-287
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-the-aws-execution-role-arn-and-task-role-arn-are-different-in-ecs-task-definitions

		266 | resource "aws_ecs_task_definition" "windows_ecs_task_definition" {
		267 |   family             = "${var.app_name}-task-definition"
		268 |   count              = var.container_instance_type == "windows" ? 1 : 0
		269 |   execution_role_arn = aws_iam_role.ecs_task_execution_role.arn # grants the Amazon ECS container agents permission to make AWS API calls on your behalf
		270 |   task_role_arn      = aws_iam_role.ecs_task_execution_role.arn # assumed by the containers running in the task, allowing your application code (on the container) to use other AWS services
		271 |   requires_compatibilities = [
		272 |     "EC2",
		273 |   ]
		274 | 
		275 |   # volume {
		276 |   #   name = var.task_definition_volume
		277 |   # }
		278 | 
		279 |   container_definitions = var.task_definition
		280 | 
		281 |   tags = merge(
		282 |     var.tags_common,
		283 |     {
		284 |       Name = "${var.app_name}-windows-task-definition"
		285 |     }
		286 |   )
		287 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.apex-ecs.aws_iam_policy.ecs_service
	File: /modules/ecs/main.tf:439-467
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		439 | resource "aws_iam_policy" "ecs_service" { #tfsec:ignore:aws-iam-no-policy-wildcards
		440 |   name = "${var.app_name}-ecs-service-policy"
		441 |   tags = merge(
		442 |     var.tags_common,
		443 |     {
		444 |       Name = "${var.app_name}-ecs-service-policy"
		445 |     }
		446 |   )
		447 |   policy = <<EOF
		448 | {
		449 |   "Version": "2012-10-17",
		450 |   "Statement": [
		451 |     {
		452 |       "Effect": "Allow",
		453 |       "Action": [
		454 |         "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
		455 |         "elasticloadbalancing:DeregisterTargets",
		456 |         "elasticloadbalancing:Describe*",
		457 |         "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
		458 |         "elasticloadbalancing:RegisterTargets",
		459 |         "ec2:Describe*",
		460 |         "ec2:AuthorizeSecurityGroupIngress"
		461 |       ],
		462 |       "Resource": ["*"]
		463 |     }
		464 |   ]
		465 | }
		466 | EOF
		467 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: module.apex-ecs.aws_iam_policy.ecs_service
	File: /modules/ecs/main.tf:439-467
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		439 | resource "aws_iam_policy" "ecs_service" { #tfsec:ignore:aws-iam-no-policy-wildcards
		440 |   name = "${var.app_name}-ecs-service-policy"
		441 |   tags = merge(
		442 |     var.tags_common,
		443 |     {
		444 |       Name = "${var.app_name}-ecs-service-policy"
		445 |     }
		446 |   )
		447 |   policy = <<EOF
		448 | {
		449 |   "Version": "2012-10-17",
		450 |   "Statement": [
		451 |     {
		452 |       "Effect": "Allow",
		453 |       "Action": [
		454 |         "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
		455 |         "elasticloadbalancing:DeregisterTargets",
		456 |         "elasticloadbalancing:Describe*",
		457 |         "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
		458 |         "elasticloadbalancing:RegisterTargets",
		459 |         "ec2:Describe*",
		460 |         "ec2:AuthorizeSecurityGroupIngress"
		461 |       ],
		462 |       "Resource": ["*"]
		463 |     }
		464 |   ]
		465 | }
		466 | EOF
		467 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: module.apex-ecs.aws_cloudwatch_log_group.cloudwatch_group
	File: /modules/ecs/main.tf:488-499
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		488 | resource "aws_cloudwatch_log_group" "cloudwatch_group" {
		489 |   #checkov:skip=CKV_AWS_158:Temporarily skip KMS encryption check while logging solution is being updated
		490 |   name              = "${var.app_name}-ecs-container-logs"
		491 |   retention_in_days = 90
		492 |   kms_key_id        = var.log_group_kms_key
		493 |   tags = merge(
		494 |     var.tags_common,
		495 |     {
		496 |       Name = "${var.app_name}-ecs-container-logs"
		497 |     }
		498 |   )
		499 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: module.apex-ecs.aws_cloudwatch_log_group.ec2
	File: /modules/ecs/main.tf:506-516
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		506 | resource "aws_cloudwatch_log_group" "ec2" {
		507 |   name              = "${var.app_name}-ecs-ec2-logs"
		508 |   retention_in_days = 90
		509 |   kms_key_id        = var.log_group_kms_key
		510 |   tags = merge(
		511 |     var.tags_common,
		512 |     {
		513 |       Name = "${var.app_name}-ecs-ec2-logs"
		514 |     }
		515 |   )
		516 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy.backuplambdapolicy
	File: /modules/lambdapolicy/main.tf:21-58
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		22 |   name   = var.backup_policy_name
		23 |   tags   = var.tags
		24 |   policy = <<EOF
		25 | {
		26 |     "Version" : "2012-10-17",
		27 |     "Statement": [
		28 |         {
		29 |             "Action": [
		30 |                 "lambda:InvokeFunction",
		31 |                 "ec2:CreateNetworkInterface",
		32 |                 "ec2:DescribeNetworkInterfaces",
		33 |                 "ec2:DeleteNetworkInterface",
		34 |                 "ec2:DescribeSecurityGroups",
		35 |                 "ec2:CreateSnapshot",
		36 |                 "ec2:DeleteSnapshot",
		37 |                 "ec2:DescribeSubnets",
		38 |                 "ec2:DescribeVpcs",
		39 |                 "ec2:DescribeInstances",
		40 |                 "ec2:DescribeAddresses",
		41 |                 "ec2:DescribeInstanceStatus",
		42 |                 "ec2:DescribeVolumes",
		43 |                 "ec2:DescribeSnapshots",
		44 |                 "ec2:CreateTags",
		45 |                 "s3:*",
		46 |                 "ssm:*",
		47 |                 "ses:*",
		48 |                 "logs:*",
		49 |                 "cloudwatch:*",
		50 |                 "sts:AssumeRole"
		51 |             ],
		52 |             "Resource": "*",
		53 |             "Effect": "Allow"
		54 |         }
		55 |     ]
		56 | }
		57 | EOF
		58 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.backuplambdapolicy
	File: /modules/lambdapolicy/main.tf:21-58
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		22 |   name   = var.backup_policy_name
		23 |   tags   = var.tags
		24 |   policy = <<EOF
		25 | {
		26 |     "Version" : "2012-10-17",
		27 |     "Statement": [
		28 |         {
		29 |             "Action": [
		30 |                 "lambda:InvokeFunction",
		31 |                 "ec2:CreateNetworkInterface",
		32 |                 "ec2:DescribeNetworkInterfaces",
		33 |                 "ec2:DeleteNetworkInterface",
		34 |                 "ec2:DescribeSecurityGroups",
		35 |                 "ec2:CreateSnapshot",
		36 |                 "ec2:DeleteSnapshot",
		37 |                 "ec2:DescribeSubnets",
		38 |                 "ec2:DescribeVpcs",
		39 |                 "ec2:DescribeInstances",
		40 |                 "ec2:DescribeAddresses",
		41 |                 "ec2:DescribeInstanceStatus",
		42 |                 "ec2:DescribeVolumes",
		43 |                 "ec2:DescribeSnapshots",
		44 |                 "ec2:CreateTags",
		45 |                 "s3:*",
		46 |                 "ssm:*",
		47 |                 "ses:*",
		48 |                 "logs:*",
		49 |                 "cloudwatch:*",
		50 |                 "sts:AssumeRole"
		51 |             ],
		52 |             "Resource": "*",
		53 |             "Effect": "Allow"
		54 |         }
		55 |     ]
		56 | }
		57 | EOF
		58 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.backuplambdapolicy
	File: /modules/lambdapolicy/main.tf:21-58
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		22 |   name   = var.backup_policy_name
		23 |   tags   = var.tags
		24 |   policy = <<EOF
		25 | {
		26 |     "Version" : "2012-10-17",
		27 |     "Statement": [
		28 |         {
		29 |             "Action": [
		30 |                 "lambda:InvokeFunction",
		31 |                 "ec2:CreateNetworkInterface",
		32 |                 "ec2:DescribeNetworkInterfaces",
		33 |                 "ec2:DeleteNetworkInterface",
		34 |                 "ec2:DescribeSecurityGroups",
		35 |                 "ec2:CreateSnapshot",
		36 |                 "ec2:DeleteSnapshot",
		37 |                 "ec2:DescribeSubnets",
		38 |                 "ec2:DescribeVpcs",
		39 |                 "ec2:DescribeInstances",
		40 |                 "ec2:DescribeAddresses",
		41 |                 "ec2:DescribeInstanceStatus",
		42 |                 "ec2:DescribeVolumes",
		43 |                 "ec2:DescribeSnapshots",
		44 |                 "ec2:CreateTags",
		45 |                 "s3:*",
		46 |                 "ssm:*",
		47 |                 "ses:*",
		48 |                 "logs:*",
		49 |                 "cloudwatch:*",
		50 |                 "sts:AssumeRole"
		51 |             ],
		52 |             "Resource": "*",
		53 |             "Effect": "Allow"
		54 |         }
		55 |     ]
		56 | }
		57 | EOF
		58 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_policy.backuplambdapolicy
	File: /modules/lambdapolicy/main.tf:21-58
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		22 |   name   = var.backup_policy_name
		23 |   tags   = var.tags
		24 |   policy = <<EOF
		25 | {
		26 |     "Version" : "2012-10-17",
		27 |     "Statement": [
		28 |         {
		29 |             "Action": [
		30 |                 "lambda:InvokeFunction",
		31 |                 "ec2:CreateNetworkInterface",
		32 |                 "ec2:DescribeNetworkInterfaces",
		33 |                 "ec2:DeleteNetworkInterface",
		34 |                 "ec2:DescribeSecurityGroups",
		35 |                 "ec2:CreateSnapshot",
		36 |                 "ec2:DeleteSnapshot",
		37 |                 "ec2:DescribeSubnets",
		38 |                 "ec2:DescribeVpcs",
		39 |                 "ec2:DescribeInstances",
		40 |                 "ec2:DescribeAddresses",
		41 |                 "ec2:DescribeInstanceStatus",
		42 |                 "ec2:DescribeVolumes",
		43 |                 "ec2:DescribeSnapshots",
		44 |                 "ec2:CreateTags",
		45 |                 "s3:*",
		46 |                 "ssm:*",
		47 |                 "ses:*",
		48 |                 "logs:*",
		49 |                 "cloudwatch:*",
		50 |                 "sts:AssumeRole"
		51 |             ],
		52 |             "Resource": "*",
		53 |             "Effect": "Allow"
		54 |         }
		55 |     ]
		56 | }
		57 | EOF
		58 | }

Check: CKV_AWS_287: "Ensure IAM policies does not allow credentials exposure"
	FAILED for resource: aws_iam_policy.backuplambdapolicy
	File: /modules/lambdapolicy/main.tf:21-58
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-287

		21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		22 |   name   = var.backup_policy_name
		23 |   tags   = var.tags
		24 |   policy = <<EOF
		25 | {
		26 |     "Version" : "2012-10-17",
		27 |     "Statement": [
		28 |         {
		29 |             "Action": [
		30 |                 "lambda:InvokeFunction",
		31 |                 "ec2:CreateNetworkInterface",
		32 |                 "ec2:DescribeNetworkInterfaces",
		33 |                 "ec2:DeleteNetworkInterface",
		34 |                 "ec2:DescribeSecurityGroups",
		35 |                 "ec2:CreateSnapshot",
		36 |                 "ec2:DeleteSnapshot",
		37 |                 "ec2:DescribeSubnets",
		38 |                 "ec2:DescribeVpcs",
		39 |                 "ec2:DescribeInstances",
		40 |                 "ec2:DescribeAddresses",
		41 |                 "ec2:DescribeInstanceStatus",
		42 |                 "ec2:DescribeVolumes",
		43 |                 "ec2:DescribeSnapshots",
		44 |                 "ec2:CreateTags",
		45 |                 "s3:*",
		46 |                 "ssm:*",
		47 |                 "ses:*",
		48 |                 "logs:*",
		49 |                 "cloudwatch:*",
		50 |                 "sts:AssumeRole"
		51 |             ],
		52 |             "Resource": "*",
		53 |             "Effect": "Allow"
		54 |         }
		55 |     ]
		56 | }
		57 | EOF
		58 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: pagerduty_core_alerts
	File: /sns.tf:34-41
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		34 | module "pagerduty_core_alerts" {
		35 |   depends_on = [
		36 |     aws_sns_topic.apex
		37 |   ]
		38 |   source                    = "github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0"
		39 |   sns_topics                = [aws_sns_topic.apex.name]
		40 |   pagerduty_integration_key = local.pagerduty_integration_keys[local.pagerduty_integration_key_name]
		41 | }
Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.apex
	File: /sns.tf:6-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		6  | resource "aws_sns_topic" "apex" {
		7  |   name = "${local.application_name}-${local.environment}-alerting-topic"
		8  |   tags = merge(
		9  |     local.tags,
		10 |     {
		11 |       Name = "${local.application_name}-${local.environment}-alerting-topic"
		12 |     }
		13 |   )
		14 | }

Check: CKV_AWS_176: "Ensure Logging is enabled for WAF Web Access Control Lists"
	FAILED for resource: aws_waf_web_acl.waf_acl
	File: /waf.tf:57-87
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-31

		57 | resource "aws_waf_web_acl" "waf_acl" {
		58 |   depends_on = [
		59 |     aws_waf_rule.wafmanualallowrule,
		60 |     aws_waf_rule.wafmanualblockrule,
		61 |   ]
		62 |   name        = "${upper(local.application_name)} Whitelisting Requesters"
		63 |   metric_name = "${upper(local.application_name)}WhitelistingRequesters"
		64 |   #   scope    = "CLOUDFRONT"
		65 |   #   provider = aws.us-east-1
		66 |   default_action {
		67 |     type = "BLOCK"
		68 |   }
		69 | 
		70 |   rules {
		71 |     action {
		72 |       type = "ALLOW"
		73 |     }
		74 |     priority = 1
		75 |     rule_id  = aws_waf_rule.wafmanualallowrule.id
		76 |     type     = "REGULAR"
		77 |   }
		78 | 
		79 |   rules {
		80 |     action {
		81 |       type = "BLOCK"
		82 |     }
		83 |     priority = 2
		84 |     rule_id  = aws_waf_rule.wafmanualblockrule.id
		85 |     type     = "REGULAR"
		86 |   }
		87 | }

Check: CKV2_AWS_47: "Ensure AWS CloudFront attached WAFv2 WebACL is configured with AMR for Log4j Vulnerability"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:177-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-47

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: module.alb.aws_secretsmanager_secret.cloudfront
	File: /modules/alb/main.tf:275-278
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		275 | resource "aws_secretsmanager_secret" "cloudfront" {
		276 |   name        = "cloudfront-v1-secret-${var.application_name}"
		277 |   description = "Simple secret created by AWS CloudFormation to be shared between ALB and CloudFront"
		278 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.cloudfront
	File: /cloudfront.tf:109-122
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		109 | resource "aws_s3_bucket" "cloudfront" {
		110 |   bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		111 |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		112 |   tags = merge(
		113 |     local.tags,
		114 |     {
		115 |       Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		116 |     }
		117 |   )
		118 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		119 |   lifecycle {
		120 |     prevent_destroy = false
		121 |   }
		122 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:107-113
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		107 | resource "aws_s3_bucket" "backup_lambda" {
		108 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		109 |   tags = merge(
		110 |     local.tags,
		111 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		112 |   )
		113 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
	File: /modules/codebuild/main.tf:5-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		5  | resource "aws_s3_bucket" "deployment_report" {
		6  |   bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		7  |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		8  |   tags = merge(
		9  |     var.tags,
		10 |     {
		11 |       Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		12 |     },
		13 |   )
		14 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.laa-lambda-backup
	File: /modules/s3/main.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		1 | resource "aws_s3_bucket" "laa-lambda-backup" {
		2 |   bucket = var.bucket_name
		3 |   tags   = var.tags
		4 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.cloudfront
	File: /cloudfront.tf:109-122
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		109 | resource "aws_s3_bucket" "cloudfront" {
		110 |   bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		111 |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		112 |   tags = merge(
		113 |     local.tags,
		114 |     {
		115 |       Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		116 |     }
		117 |   )
		118 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		119 |   lifecycle {
		120 |     prevent_destroy = false
		121 |   }
		122 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:107-113
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		107 | resource "aws_s3_bucket" "backup_lambda" {
		108 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		109 |   tags = merge(
		110 |     local.tags,
		111 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		112 |   )
		113 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
	File: /modules/codebuild/main.tf:5-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		5  | resource "aws_s3_bucket" "deployment_report" {
		6  |   bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		7  |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		8  |   tags = merge(
		9  |     var.tags,
		10 |     {
		11 |       Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		12 |     },
		13 |   )
		14 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.laa-lambda-backup
	File: /modules/s3/main.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		1 | resource "aws_s3_bucket" "laa-lambda-backup" {
		2 |   bucket = var.bucket_name
		3 |   tags   = var.tags
		4 | }

Check: CKV2_AWS_32: "Ensure CloudFront distribution has a response headers policy attached"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:177-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/bc-aws-networking-65

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AWS_18: "Ensure that Elastic File System (Amazon EFS) file systems are added in the backup plans of AWS Backup"
	FAILED for resource: aws_efs_file_system.efs
	File: /efs.tf:41-55
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-elastic-file-system-amazon-efs-file-systems-are-added-in-the-backup-plans-of-aws-backup

		41 | resource "aws_efs_file_system" "efs" {
		42 |   encrypted        = true
		43 |   kms_key_id       = aws_kms_key.efs.arn
		44 |   performance_mode = "maxIO"
		45 |   throughput_mode  = "bursting"
		46 | 
		47 |   tags = merge(
		48 |     local.tags,
		49 |     { "Name" = "mp-${local.application_name}-efs" }
		50 |   )
		51 | 
		52 |   lifecycle_policy {
		53 |     transition_to_ia = "AFTER_90_DAYS"
		54 |   }
		55 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.cloudfront
	File: /cloudfront.tf:109-122
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		109 | resource "aws_s3_bucket" "cloudfront" {
		110 |   bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		111 |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		112 |   tags = merge(
		113 |     local.tags,
		114 |     {
		115 |       Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		116 |     }
		117 |   )
		118 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		119 |   lifecycle {
		120 |     prevent_destroy = false
		121 |   }
		122 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:107-113
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		107 | resource "aws_s3_bucket" "backup_lambda" {
		108 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		109 |   tags = merge(
		110 |     local.tags,
		111 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		112 |   )
		113 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
	File: /modules/codebuild/main.tf:5-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		5  | resource "aws_s3_bucket" "deployment_report" {
		6  |   bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		7  |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		8  |   tags = merge(
		9  |     var.tags,
		10 |     {
		11 |       Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		12 |     },
		13 |   )
		14 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.laa-lambda-backup
	File: /modules/s3/main.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		1 | resource "aws_s3_bucket" "laa-lambda-backup" {
		2 |   bucket = var.bucket_name
		3 |   tags   = var.tags
		4 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.u01-orahome
	File: /ec2.tf:169-184
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		169 | resource "aws_ebs_volume" "u01-orahome" {
		170 |   availability_zone = "eu-west-2a"
		171 |   size              = local.application_data.accounts[local.environment].u01_orahome_size
		172 |   type              = "gp3"
		173 |   encrypted         = true
		174 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		175 |   snapshot_id       = local.application_data.accounts[local.environment].u01_orahome_snapshot
		176 |   lifecycle {
		177 |     ignore_changes = [kms_key_id]
		178 |   }
		179 |   tags = merge(
		180 |     local.tags,
		181 |     { "Name" = "${local.application_name}db-ec2-u01-orahome" },
		182 |     { "backup" = "false" }
		183 |   )
		184 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.u02-oradata
	File: /ec2.tf:191-206
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		191 | resource "aws_ebs_volume" "u02-oradata" {
		192 |   availability_zone = "eu-west-2a"
		193 |   size              = local.application_data.accounts[local.environment].u02_oradata_size
		194 |   type              = "gp3"
		195 |   encrypted         = true
		196 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		197 |   snapshot_id       = local.application_data.accounts[local.environment].u02_oradata_snapshot
		198 |   lifecycle {
		199 |     ignore_changes = [kms_key_id]
		200 |   }
		201 |   tags = merge(
		202 |     local.tags,
		203 |     { "Name" = "${local.application_name}db-ec2-u02-oradata" },
		204 |     { "backup" = "false" }
		205 |   )
		206 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.u03-redo
	File: /ec2.tf:216-231
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		216 | resource "aws_ebs_volume" "u03-redo" {
		217 |   availability_zone = "eu-west-2a"
		218 |   size              = local.application_data.accounts[local.environment].u03_redo_size
		219 |   type              = "gp3"
		220 |   encrypted         = true
		221 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		222 |   snapshot_id       = local.application_data.accounts[local.environment].u03_redo_snapshot
		223 |   lifecycle {
		224 |     ignore_changes = [kms_key_id]
		225 |   }
		226 |   tags = merge(
		227 |     local.tags,
		228 |     { "Name" = "${local.application_name}db-ec2-u03-redo" },
		229 |     { "backup" = "false" }
		230 |   )
		231 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.u04-arch
	File: /ec2.tf:238-253
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		238 | resource "aws_ebs_volume" "u04-arch" {
		239 |   availability_zone = "eu-west-2a"
		240 |   size              = local.application_data.accounts[local.environment].u04_arch_size
		241 |   type              = "gp3"
		242 |   encrypted         = true
		243 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		244 |   snapshot_id       = local.application_data.accounts[local.environment].u04_arch_snapshot
		245 |   lifecycle {
		246 |     ignore_changes = [kms_key_id]
		247 |   }
		248 |   tags = merge(
		249 |     local.tags,
		250 |     { "Name" = "${local.application_name}db-ec2-u04-arch" },
		251 |     { "backup" = "false" }
		252 |   )
		253 | }

Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
	File: /modules/codebuild/main.tf:5-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		5  | resource "aws_s3_bucket" "deployment_report" {
		6  |   bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		7  |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		8  |   tags = merge(
		9  |     var.tags,
		10 |     {
		11 |       Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		12 |     },
		13 |   )
		14 | }

Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV2_AWS_65: "Ensure access control lists for S3 buckets are disabled"
	FAILED for resource: aws_s3_bucket_ownership_controls.backup_lambda
	File: /lambda.tf:130-135
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-112

		130 | resource "aws_s3_bucket_ownership_controls" "backup_lambda" {
		131 |   bucket = aws_s3_bucket.backup_lambda.id
		132 |   rule {
		133 |     object_ownership = "ObjectWriter"
		134 |   }
		135 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.cloudfront
	File: /cloudfront.tf:109-122
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		109 | resource "aws_s3_bucket" "cloudfront" {
		110 |   bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		111 |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		112 |   tags = merge(
		113 |     local.tags,
		114 |     {
		115 |       Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		116 |     }
		117 |   )
		118 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		119 |   lifecycle {
		120 |     prevent_destroy = false
		121 |   }
		122 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:107-113
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		107 | resource "aws_s3_bucket" "backup_lambda" {
		108 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		109 |   tags = merge(
		110 |     local.tags,
		111 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		112 |   )
		113 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
	File: /modules/codebuild/main.tf:5-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		5  | resource "aws_s3_bucket" "deployment_report" {
		6  |   bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		7  |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		8  |   tags = merge(
		9  |     var.tags,
		10 |     {
		11 |       Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		12 |     },
		13 |   )
		14 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.laa-lambda-backup
	File: /modules/s3/main.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		1 | resource "aws_s3_bucket" "laa-lambda-backup" {
		2 |   bucket = var.bucket_name
		3 |   tags   = var.tags
		4 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:107-113
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		107 | resource "aws_s3_bucket" "backup_lambda" {
		108 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		109 |   tags = merge(
		110 |     local.tags,
		111 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		112 |   )
		113 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.laa-lambda-backup
	File: /modules/s3/main.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		1 | resource "aws_s3_bucket" "laa-lambda-backup" {
		2 |   bucket = var.bucket_name
		3 |   tags   = var.tags
		4 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.cloudfront
	File: /cloudfront.tf:109-122
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		109 | resource "aws_s3_bucket" "cloudfront" {
		110 |   bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		111 |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		112 |   tags = merge(
		113 |     local.tags,
		114 |     {
		115 |       Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		116 |     }
		117 |   )
		118 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		119 |   lifecycle {
		120 |     prevent_destroy = false
		121 |   }
		122 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV2_AWS_46: "Ensure AWS CloudFront Distribution with S3 have Origin Access set to enabled"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:177-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-aws-cloudfromt-distribution-with-s3-have-origin-access-set-to-enabled

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
terraform_plan scan results:

Passed checks: 0, Failed checks: 0, Skipped checks: 0, Parsing errors: 1


checkov_exitcode=1

TFLint Scan Failed

*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/apex

*****************************

Running tflint in terraform/environments/apex
Excluding the following checks: terraform_unused_declarations
7 issue(s) found:

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/apex/alb.tf line 17:
  17:     "${local.application_data.accounts[local.environment].acm_cert_domain_name}" = {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/apex/alb.tf line 19:
  19:       zone_name = "${local.application_data.accounts[local.environment].acm_cert_domain_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "template" in `required_providers` (terraform_required_providers)

  on terraform/environments/apex/cloudwatch.tf line 401:
 401: data "template_file" "dashboard" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "local" in `required_providers` (terraform_required_providers)

  on terraform/environments/apex/ec2.tf line 42:
  42: data "local_file" "cloudwatch_agent" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/apex/event_triggers.tf line 22:
  22:   input = jsonencode({ "appname" : "${local.database_ec2_name}" })

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "time" in `required_providers` (terraform_required_providers)

  on terraform/environments/apex/lambda.tf line 125:
 125: resource "time_sleep" "wait_for_provision_files" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "archive" in `required_providers` (terraform_required_providers)

  on terraform/environments/apex/lambda.tf line 179:
 179: data "archive_file" "connect_db" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

tflint_exitcode=2

Trivy Scan Failed

*****************************

Trivy will check the following folders:
terraform/environments/apex

*****************************

Running Trivy in terraform/environments/apex
2024-11-28T15:48:18Z	INFO	[vulndb] Need to update DB
2024-11-28T15:48:18Z	INFO	[vulndb] Downloading vulnerability DB...
2024-11-28T15:48:18Z	INFO	[vulndb] Downloading artifact...	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-11-28T15:48:21Z	INFO	[vulndb] Artifact successfully downloaded	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-11-28T15:48:21Z	INFO	[vuln] Vulnerability scanning is enabled
2024-11-28T15:48:21Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-11-28T15:48:21Z	INFO	[misconfig] Need to update the built-in checks
2024-11-28T15:48:21Z	INFO	[misconfig] Downloading the built-in checks...
2024-11-28T15:48:21Z	ERROR	[misconfig] Falling back to embedded checks	err="failed to download built-in policies: download error: oci download error: failed to fetch the layer: GET https://ghcr.io/v2/aquasecurity/trivy-checks/blobs/sha256:16442a4593a0395452e678ef699a880eec94d9211dfc887d52574beb78b95030: TOOMANYREQUESTS: retry-after: 713.884µs, allowed: 44000/minute"
2024-11-28T15:48:21Z	INFO	[secret] Secret scanning is enabled
2024-11-28T15:48:21Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-11-28T15:48:21Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-11-28T15:48:22Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-11-28T15:48:22Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2024-11-28T15:48:22Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="aws_waf_ipset.wafmanualallowset" err="1 error occurred:\n\t* invalid for-each in aws_waf_ipset.wafmanualallowset.dynamic.ip_set_descriptors block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-28T15:48:22Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="aws_waf_ipset.wafmanualallowset" err="1 error occurred:\n\t* invalid for-each in aws_waf_ipset.wafmanualallowset.dynamic.ip_set_descriptors block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-28T15:48:23Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.aws_route53_record.external_lb_validation_core_network_services" value="cty.NilVal"
2024-11-28T15:48:23Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.aws_route53_record.external_lb_validation_core_vpc" value="cty.NilVal"
2024-11-28T15:48:23Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.aws_route53_record.external_lb_validation_self" value="cty.NilVal"
2024-11-28T15:48:23Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.data.aws_route53_zone.core_network_services" value="cty.NilVal"
2024-11-28T15:48:23Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.data.aws_route53_zone.core_vpc" value="cty.NilVal"
2024-11-28T15:48:23Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.data.aws_route53_zone.self" value="cty.NilVal"
2024-11-28T15:48:23Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.apex-ecs.aws_autoscaling_group.cluster-scaling-group" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.cluster-scaling-group.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-28T15:48:23Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.apex-ecs.aws_autoscaling_group.cluster-scaling-group" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.cluster-scaling-group.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-28T15:48:23Z	INFO	[terraform scanner] Scanning root module	file_path="modules/lambdapolicy"
2024-11-28T15:48:23Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="tags"
2024-11-28T15:48:23Z	INFO	[terraform scanner] Scanning root module	file_path="modules/s3"
2024-11-28T15:48:23Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="tags"
2024-11-28T15:48:24Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0/main.tf:171-179"
2024-11-28T15:48:24Z	INFO	[terraform executor] Ignore finding	rule="aws-elb-alb-not-public" range="modules/alb/main.tf:210-234"
2024-11-28T15:48:25Z	INFO	Number of language-specific files	num=0
2024-11-28T15:48:25Z	INFO	Detected config files	num=12

cloudfront.tf (terraform)
=========================
Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0013 (HIGH): Distribution allows unencrypted communications.
════════════════════════════════════════
You should not use outdated/insecure TLS versions for encryption. You should be using TLS v1.2+.
Note: that setting *minimum_protocol_version = "TLSv1.2_2021"* is only possible when *cloudfront_default_certificate* is false (eg. you are not using the cloudfront.net domain name).
If *cloudfront_default_certificate* is true then the Cloudfront API will only allow setting *minimum_protocol_version = "TLSv1"*, and setting it to any other value will result in a perpetual diff in your *terraform plan*'s.
The only option when using the cloudfront.net domain name is to ignore this rule.


See https://avd.aquasec.com/misconfig/avd-aws-0013
────────────────────────────────────────
 cloudfront.tf:241-245
   via cloudfront.tf:177-267 (aws_cloudfront_distribution.external)
────────────────────────────────────────
 177   resource "aws_cloudfront_distribution" "external" {
 ...   
 241 ┌   viewer_certificate {
 242 │     acm_certificate_arn      = aws_acm_certificate.cloudfront.arn
 243 │     ssl_support_method       = "sni-only"
 244 │     minimum_protocol_version = "TLSv1.2_2018"
 245 └   }
 ...   
 267   }
────────────────────────────────────────


AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.


See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 cloudfront.tf:131-142
────────────────────────────────────────
 131 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "cloudfront" {
 132 │   bucket = aws_s3_bucket.cloudfront.id
 133 │   rule {
 134 │     apply_server_side_encryption_by_default {
 135 │       sse_algorithm = "AES256"
 136 │     }
 137 │   }
 138 │   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
 139 └   lifecycle {
 ...   
────────────────────────────────────────



ec2.tf (terraform)
==================
Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 ec2.tf:6-40
────────────────────────────────────────
   6 ┌ resource "aws_instance" "apex_db_instance" {
   7 │   ami                         = local.application_data.accounts[local.environment].ec2amiid
   8 │   associate_public_ip_address = false
   9 │   availability_zone           = "eu-west-2a"
  10 │   ebs_optimized               = true
  11 │   instance_type               = local.application_data.accounts[local.environment].ec2instancetype
  12 │   vpc_security_group_ids      = [aws_security_group.database.id]
  13 │   monitoring                  = true
  14 └   subnet_id                   = data.aws_subnet.data_subnets_a.id
  ..   
────────────────────────────────────────



lambda.tf (terraform)
=====================
Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0088 (HIGH): Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.


See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
 lambda.tf:107-113
────────────────────────────────────────
 107 ┌ resource "aws_s3_bucket" "backup_lambda" {
 108 │   bucket = "${local.application_name}-${local.environment}-backup-lambda"
 109 │   tags = merge(
 110 │     local.tags,
 111 │     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
 112 │   )
 113 └ }
────────────────────────────────────────


AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.


See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 lambda.tf:107-113
────────────────────────────────────────
 107 ┌ resource "aws_s3_bucket" "backup_lambda" {
 108 │   bucket = "${local.application_name}-${local.environment}-backup-lambda"
 109 │   tags = merge(
 110 │     local.tags,
 111 │     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
 112 │   )
 113 └ }
────────────────────────────────────────



modules/ecs/main.tf (terraform)
===============================
Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0130 (HIGH): Launch template does not require IMDS access to require a token
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/aws-autoscaling-enforce-http-token-imds
────────────────────────────────────────
 modules/ecs/main.tf:119-123
   via modules/ecs/main.tf:107-164 (aws_launch_template.ec2-launch-template)
    via ecs.tf:5-38 (module.apex-ecs)
────────────────────────────────────────
 107   resource "aws_launch_template" "ec2-launch-template" {
 ...   
 119 ┌   metadata_options {
 120 │     http_endpoint               = "enabled"
 121 │     http_tokens                 = "optional"
 122 │     http_put_response_hop_limit = "2"
 123 └   }
 ...   
 164   }
────────────────────────────────────────



modules/s3/main.tf (terraform)
==============================
Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0088 (HIGH): Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.


See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
 modules/s3/main.tf:1-4
────────────────────────────────────────
   1 ┌ resource "aws_s3_bucket" "laa-lambda-backup" {
   2 │   bucket = var.bucket_name
   3 │   tags   = var.tags
   4 └ }
────────────────────────────────────────


AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.


See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 modules/s3/main.tf:1-4
────────────────────────────────────────
   1 ┌ resource "aws_s3_bucket" "laa-lambda-backup" {
   2 │   bucket = var.bucket_name
   3 │   tags   = var.tags
   4 └ }
────────────────────────────────────────


trivy_exitcode=1
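
Added example, not code from this PR or from the modernisation-platform repository: a hardened Terraform counterpart for the four Trivy rules the Nov 28 run reports (AVD-AWS-0088 and AVD-AWS-0132 on the new `backup_lambda` and `laa-lambda-backup` buckets, AVD-AWS-0028 on `aws_instance`, AVD-AWS-0130 on the ECS launch template, AVD-AWS-0013 on the CloudFront viewer certificate). All resource names, the `name_prefix` local, the three input variables and the origin hostname are placeholders chosen for the example. One correction to the tool text worth knowing before acting on it: `TLSv1.2_2018` already rejects TLS 1.0 and 1.1, so AVD-AWS-0013 is about the narrower cipher list of the `TLSv1.2_2021` policy, not about plaintext or legacy TLS being accepted.

```hcl
# Added example, not code from this PR or the modernisation-platform repo.
# Hardened counterparts for the Trivy rules above. Every name, variable
# and literal here is a placeholder chosen for the example.

variable "ami_id" { type = string }                    # placeholder
variable "subnet_id" { type = string }                 # placeholder
variable "cloudfront_certificate_arn" { type = string } # placeholder: ACM cert in us-east-1

locals {
  name_prefix = "example-dev" # stands in for "${local.application_name}-${local.environment}"
}

# AVD-AWS-0088 / AVD-AWS-0132: SSE-KMS with a customer managed key, rotation on.
resource "aws_kms_key" "backup_lambda" {
  description             = "CMK for the ${local.name_prefix}-backup-lambda bucket"
  enable_key_rotation     = true # rotation control is what the CMK buys over SSE-S3
  deletion_window_in_days = 30
}

resource "aws_s3_bucket" "backup_lambda" {
  bucket = "${local.name_prefix}-backup-lambda"
}

resource "aws_s3_bucket_server_side_encryption_configuration" "backup_lambda" {
  bucket = aws_s3_bucket.backup_lambda.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"                     # flagged config: AES256 or unset
      kms_master_key_id = aws_kms_key.backup_lambda.arn
    }
    bucket_key_enabled = true # S3 Bucket Key: fewer KMS calls, same CMK root of trust
  }
}

# AVD-AWS-0028: aws_instance without metadata_options leaves http_tokens = "optional",
# so IMDSv1 stays reachable by any process on the host (SSRF -> instance role creds).
resource "aws_instance" "db" {
  ami           = var.ami_id
  instance_type = "t3.medium" # placeholder
  subnet_id     = var.subnet_id

  metadata_options {
    http_endpoint               = "enabled"
    http_tokens                 = "required" # IMDSv2 only: GETs without a token get HTTP 401
    http_put_response_hop_limit = 1          # only processes on the host itself
  }
}

# AVD-AWS-0130: the same control on the ECS launch template.
resource "aws_launch_template" "ecs" {
  name_prefix = "${local.name_prefix}-ecs-"

  metadata_options {
    http_endpoint               = "enabled"
    http_tokens                 = "required"
    http_put_response_hop_limit = 2 # keep 2 only if bridge-networked containers must reach IMDS
  }
}

# AVD-AWS-0013: TLSv1.2_2021 is permitted here because the distribution uses an
# ACM certificate rather than the default cloudfront.net one.
resource "aws_cloudfront_distribution" "external" {
  enabled = true

  origin {
    domain_name = "origin.example.com" # placeholder
    origin_id   = "alb-origin"
    custom_origin_config {
      http_port              = 80
      https_port             = 443
      origin_protocol_policy = "https-only"
      origin_ssl_protocols   = ["TLSv1.2"]
    }
  }

  default_cache_behavior {
    target_origin_id       = "alb-origin"
    viewer_protocol_policy = "redirect-to-https"
    allowed_methods        = ["GET", "HEAD"]
    cached_methods         = ["GET", "HEAD"]
    forwarded_values {
      query_string = false
      cookies { forward = "none" }
    }
  }

  restrictions {
    geo_restriction { restriction_type = "none" }
  }

  viewer_certificate {
    acm_certificate_arn      = var.cloudfront_certificate_arn
    ssl_support_method       = "sni-only"
    minimum_protocol_version = "TLSv1.2_2021" # flagged config: TLSv1.2_2018
  }
}
```

Three practical points before applying something like this to the PR's files. Changing a bucket's default encryption only affects objects written afterwards; since the buckets here are new there is nothing to re-encrypt, but the Lambda role that writes and reads them needs `kms:GenerateDataKey` and `kms:Decrypt` on the CMK (in both the IAM policy and the key policy), or uploads fail with AccessDenied. Setting `http_tokens = "required"` breaks any agent or SDK on the box that still speaks IMDSv1 only, so check the database host's tooling before flipping it. If a customer managed key is a deliberate non-goal for these buckets, the Trivy log already shows the alternative the shared s3 module takes (the "Ignore finding rule=aws-s3-encryption-customer-key" line for modernisation-platform-terraform-s3-bucket v7.1.0): an inline ignore comment on the resource, so the scan records a decision instead of staying red.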

vc13837 previously approved these changes Dec 3, 2024

github-actions bot commented Dec 3, 2024

#### `Trivy Scan` Failed
<details><summary>Show Output</summary>

```hcl

Trivy will check the following folders:
terraform/environments/apex


Running Trivy in terraform/environments/apex
2024-12-03T12:31:13Z INFO [vulndb] Need to update DB
2024-12-03T12:31:13Z INFO [vulndb] Downloading vulnerability DB...
2024-12-03T12:31:13Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-03T12:31:15Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-03T12:31:15Z INFO [vuln] Vulnerability scanning is enabled
2024-12-03T12:31:15Z INFO [misconfig] Misconfiguration scanning is enabled
2024-12-03T12:31:15Z INFO [misconfig] Need to update the built-in checks
2024-12-03T12:31:15Z INFO [misconfig] Downloading the built-in checks...
2024-12-03T12:31:15Z ERROR [misconfig] Falling back to embedded checks err="failed to download built-in policies: download error: OCI repository error: 1 error occurred:\n\t* GET https://ghcr.io/v2/aquasecurity/trivy-checks/manifests/1: TOOMANYREQUESTS: retry-after: 1.052826ms, allowed: 44000/minute\n\n"
2024-12-03T12:31:15Z INFO [secret] Secret scanning is enabled
2024-12-03T12:31:15Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-12-03T12:31:15Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-12-03T12:31:16Z INFO [terraform scanner] Scanning root module file_path="."
2024-12-03T12:31:16Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2024-12-03T12:31:16Z ERROR [terraform evaluator] Failed to expand dynamic block. block="aws_waf_ipset.wafmanualallowset" err="1 error occurred:\n\t* invalid for-each in aws_waf_ipset.wafmanualallowset.dynamic.ip_set_descriptors block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-03T12:31:16Z ERROR [terraform evaluator] Failed to expand dynamic block. block="aws_waf_ipset.wafmanualallowset" err="1 error occurred:\n\t* invalid for-each in aws_waf_ipset.wafmanualallowset.dynamic.ip_set_descriptors block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-03T12:31:16Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.aws_route53_record.external_lb_validation_core_network_services" value="cty.NilVal"
2024-12-03T12:31:16Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.aws_route53_record.external_lb_validation_core_vpc" value="cty.NilVal"
2024-12-03T12:31:16Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.aws_route53_record.external_lb_validation_self" value="cty.NilVal"
2024-12-03T12:31:16Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.data.aws_route53_zone.core_network_services" value="cty.NilVal"
2024-12-03T12:31:16Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.data.aws_route53_zone.core_vpc" value="cty.NilVal"
2024-12-03T12:31:16Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.data.aws_route53_zone.self" value="cty.NilVal"
2024-12-03T12:31:17Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.apex-ecs.aws_autoscaling_group.cluster-scaling-group" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.cluster-scaling-group.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-03T12:31:17Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.apex-ecs.aws_autoscaling_group.cluster-scaling-group" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.cluster-scaling-group.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-03T12:31:17Z INFO [terraform scanner] Scanning root module file_path="modules/lambdapolicy"
2024-12-03T12:31:17Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="tags"
2024-12-03T12:31:17Z INFO [terraform scanner] Scanning root module file_path="modules/s3"
2024-12-03T12:31:17Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="tags"
2024-12-03T12:31:18Z INFO [terraform executor] Ignore finding rule="aws-elb-alb-not-public" range="modules/alb/main.tf:210-234"
2024-12-03T12:31:18Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0/main.tf:171-179"
2024-12-03T12:31:19Z INFO Number of language-specific files num=0
2024-12-03T12:31:19Z INFO Detected config files num=12

cloudfront.tf (terraform)
=========================

Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0013 (HIGH): Distribution allows unencrypted communications.
════════════════════════════════════════
You should not use outdated/insecure TLS versions for encryption. You should be using TLS v1.2+.
Note: that setting minimum_protocol_version = "TLSv1.2_2021" is only possible when cloudfront_default_certificate is false (eg. you are not using the cloudfront.net domain name).
If cloudfront_default_certificate is true then the Cloudfront API will only allow setting minimum_protocol_version = "TLSv1", and setting it to any other value will result in a perpetual diff in your terraform plan's.
The only option when using the cloudfront.net domain name is to ignore this rule.

See https://avd.aquasec.com/misconfig/avd-aws-0013
────────────────────────────────────────
 cloudfront.tf:241-245
   via cloudfront.tf:177-267 (aws_cloudfront_distribution.external)
────────────────────────────────────────
 177   resource "aws_cloudfront_distribution" "external" {
 ...   
 241 ┌   viewer_certificate {
 242 │     acm_certificate_arn      = aws_acm_certificate.cloudfront.arn
 243 │     ssl_support_method       = "sni-only"
 244 │     minimum_protocol_version = "TLSv1.2_2018"
 245 └   }
 ...   
 267   }
────────────────────────────────────────

AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 cloudfront.tf:131-142
────────────────────────────────────────
 131 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "cloudfront" {
 132 │   bucket = aws_s3_bucket.cloudfront.id
 133 │   rule {
 134 │     apply_server_side_encryption_by_default {
 135 │       sse_algorithm = "AES256"
 136 │     }
 137 │   }
 138 │   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
 139 └   lifecycle {
 ...   
────────────────────────────────────────

ec2.tf (terraform)
==================

Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 ec2.tf:6-40
────────────────────────────────────────
   6 ┌ resource "aws_instance" "apex_db_instance" {
   7 │   ami                         = local.application_data.accounts[local.environment].ec2amiid
   8 │   associate_public_ip_address = false
   9 │   availability_zone           = "eu-west-2a"
  10 │   ebs_optimized               = true
  11 │   instance_type               = local.application_data.accounts[local.environment].ec2instancetype
  12 │   vpc_security_group_ids      = [aws_security_group.database.id]
  13 │   monitoring                  = true
  14 └   subnet_id                   = data.aws_subnet.data_subnets_a.id
  ..   
────────────────────────────────────────

lambda.tf (terraform)
=====================

Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0088 (HIGH): Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.

See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
 lambda.tf:107-113
────────────────────────────────────────
 107 ┌ resource "aws_s3_bucket" "backup_lambda" {
 108 │   bucket = "${local.application_name}-${local.environment}-backup-lambda"
 109 │   tags = merge(
 110 │     local.tags,
 111 │     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
 112 │   )
 113 └ }
────────────────────────────────────────

AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 lambda.tf:107-113
────────────────────────────────────────
 107 ┌ resource "aws_s3_bucket" "backup_lambda" {
 108 │   bucket = "${local.application_name}-${local.environment}-backup-lambda"
 109 │   tags = merge(
 110 │     local.tags,
 111 │     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
 112 │   )
 113 └ }
────────────────────────────────────────

modules/ecs/main.tf (terraform)
===============================

Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0130 (HIGH): Launch template does not require IMDS access to require a token
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/aws-autoscaling-enforce-http-token-imds
────────────────────────────────────────
 modules/ecs/main.tf:119-123
   via modules/ecs/main.tf:107-164 (aws_launch_template.ec2-launch-template)
    via ecs.tf:5-38 (module.apex-ecs)
────────────────────────────────────────
 107   resource "aws_launch_template" "ec2-launch-template" {
 ...   
 119 ┌   metadata_options {
 120 │     http_endpoint               = "enabled"
 121 │     http_tokens                 = "optional"
 122 │     http_put_response_hop_limit = "2"
 123 └   }
 ...   
 164   }
────────────────────────────────────────

modules/s3/main.tf (terraform)
==============================

Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0088 (HIGH): Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.

See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
 modules/s3/main.tf:1-4
────────────────────────────────────────
   1 ┌ resource "aws_s3_bucket" "laa-lambda-backup" {
   2 │   bucket = var.bucket_name
   3 │   tags   = var.tags
   4 └ }
────────────────────────────────────────

AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 modules/s3/main.tf:1-4
────────────────────────────────────────
   1 ┌ resource "aws_s3_bucket" "laa-lambda-backup" {
   2 │   bucket = var.bucket_name
   3 │   tags   = var.tags
   4 └ }
────────────────────────────────────────

trivy_exitcode=1

</details>

#### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/apex

*****************************

Running Checkov in terraform/environments/apex
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-12-03 12:31:21,751 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0:None (for external modules, the --download-external-modules flag is required)
2024-12-03 12:31:21,751 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 368, Failed checks: 102, Skipped checks: 5, Parsing errors: 1

Check: CKV_AWS_166: "Ensure Backup Vault is encrypted at rest using KMS CMK"
	FAILED for resource: aws_backup_vault.apex
	File: /backups.tf:6-12
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-backup-vault-is-encrypted-at-rest-using-kms-cmk

		6  | resource "aws_backup_vault" "apex" {
		7  |   name = "${local.application_name}-backup-vault"
		8  |   tags = merge(
		9  |     local.tags,
		10 |     { "Name" = "${local.application_name}-backup-vault" },
		11 |   )
		12 | }

Check: CKV_AWS_166: "Ensure Backup Vault is encrypted at rest using KMS CMK"
	FAILED for resource: aws_backup_vault.prod_apex
	File: /backups.tf:64-71
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-backup-vault-is-encrypted-at-rest-using-kms-cmk

		64 | resource "aws_backup_vault" "prod_apex" {
		65 |   count = local.environment == "production" ? 1 : 0
		66 |   name  = "${local.application_name}-production-backup-vault"
		67 |   tags = merge(
		68 |     local.tags,
		69 |     { "Name" = "${local.application_name}-production-backup-vault" },
		70 |   )
		71 | }

Check: CKV_AWS_300: "Ensure S3 lifecycle configuration sets period for aborting failed uploads"
	FAILED for resource: aws_s3_bucket_lifecycle_configuration.cloudfront
	File: /cloudfront.tf:157-175
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-300

		157 | resource "aws_s3_bucket_lifecycle_configuration" "cloudfront" {
		158 |   count  = local.environment == "production" ? 1 : 0
		159 |   bucket = aws_s3_bucket.cloudfront.id
		160 | 
		161 |   rule {
		162 |     id = "delete-after-90days"
		163 | 
		164 |     expiration {
		165 |       days = 90
		166 |     }
		167 | 
		168 |     noncurrent_version_expiration {
		169 |       newer_noncurrent_versions = 1
		170 |       noncurrent_days           = 90
		171 |     }
		172 | 
		173 |     status = "Enabled"
		174 |   }
		175 | }

Check: CKV_AWS_310: "Ensure CloudFront distributions should have origin failover configured"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:177-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-310

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_374: "Ensure AWS CloudFront web distribution has geo restriction enabled"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:177-267

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_305: "Ensure CloudFront distribution has a default root object configured"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:177-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-305

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_233: "Ensure Create before destroy for ACM certificates"
	FAILED for resource: aws_acm_certificate.cloudfront
	File: /cloudfront.tf:295-305
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-acm-certificate-enables-create-before-destroy

		295 | resource "aws_acm_certificate" "cloudfront" {
		296 |   domain_name               = local.cloudfront_domain
		297 |   validation_method         = "DNS"
		298 |   provider                  = aws.us-east-1
		299 |   subject_alternative_names = local.environment == "production" ? null : [local.lower_env_cloudfront_url]
		300 |   tags                      = local.tags
		301 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		302 |   lifecycle {
		303 |     prevent_destroy = false
		304 |   }
		305 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.apex_db_instance
	File: /ec2.tf:6-40
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		6  | resource "aws_instance" "apex_db_instance" {
		7  |   ami                         = local.application_data.accounts[local.environment].ec2amiid
		8  |   associate_public_ip_address = false
		9  |   availability_zone           = "eu-west-2a"
		10 |   ebs_optimized               = true
		11 |   instance_type               = local.application_data.accounts[local.environment].ec2instancetype
		12 |   vpc_security_group_ids      = [aws_security_group.database.id]
		13 |   monitoring                  = true
		14 |   subnet_id                   = data.aws_subnet.data_subnets_a.id
		15 |   iam_instance_profile        = aws_iam_instance_profile.ec2_instance_profile.id
		16 |   key_name                    = aws_key_pair.apex.key_name
		17 |   user_data_base64            = base64encode(local.database-instance-userdata)
		18 |   user_data_replace_on_change = false
		19 | 
		20 | 
		21 |   root_block_device {
		22 |     delete_on_termination = false
		23 |     encrypted             = true # TODO Confirm if encrypted volumes can work for OAS, as it looks like in MP they must be encrypted
		24 |     volume_size           = 60
		25 |     volume_type           = "gp2"
		26 |     tags = merge(
		27 |       local.tags,
		28 |       { "Name" = "${local.application_name}db-ec2-root" },
		29 |       { "backup" = "false" }
		30 |     )
		31 |   }
		32 | 
		33 |   tags = merge(
		34 |     local.tags,
		35 |     { "Name" = local.database_ec2_name },
		36 |     { "instance-scheduling" = "skip-scheduling" },
		37 |     { "backup" = "false" },
		38 |     local.backup_schedule_tags
		39 |   )
		40 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.db_lambda
	File: /ec2.tf:77-84
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		77 | resource "aws_vpc_security_group_ingress_rule" "db_lambda" {
		78 |   security_group_id            = aws_security_group.database.id
		79 |   description                  = "Allow Lambda SSH access for backup snapshots"
		80 |   referenced_security_group_id = aws_security_group.backup_lambda.id
		81 |   from_port                    = 22
		82 |   ip_protocol                  = "tcp"
		83 |   to_port                      = 22
		84 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.db_outbound
	File: /ec2.tf:105-109
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		105 | resource "aws_vpc_security_group_egress_rule" "db_outbound" {
		106 |   security_group_id = aws_security_group.database.id
		107 |   cidr_ipv4         = "0.0.0.0/0"
		108 |   ip_protocol       = "-1"
		109 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.ec2_instance_policy
	File: /ec2.tf:136-167
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		136 | resource "aws_iam_role_policy" "ec2_instance_policy" {
		137 |   name = "${local.application_name}-ec2-policy"
		138 |   role = aws_iam_role.ec2_instance_role.id
		139 |   policy = jsonencode({
		140 |     Version = "2012-10-17"
		141 |     Statement = [
		142 |       {
		143 |         Effect = "Allow",
		144 |         Action = [
		145 |           "logs:CreateLogGroup",
		146 |           "logs:CreateLogStream",
		147 |           "logs:DescribeLogStreams",
		148 |           "logs:PutRetentionPolicy",
		149 |           "logs:PutLogEvents",
		150 |           "logs:DescribeLogGroups",
		151 |           "cloudwatch:PutMetricData",
		152 |           "cloudwatch:GetMetricStatistics",
		153 |           "cloudwatch:ListMetrics",
		154 |           "ec2:DescribeInstances",
		155 |         ],
		156 |         Resource = "*"
		157 |       },
		158 |       {
		159 |         Effect = "Allow",
		160 |         Action = [
		161 |           "ec2:CreateTags"
		162 |         ],
		163 |         Resource = "*"
		164 |       }
		165 |     ]
		166 |   })
		167 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.ec2_instance_policy
	File: /ec2.tf:136-167
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		136 | resource "aws_iam_role_policy" "ec2_instance_policy" {
		137 |   name = "${local.application_name}-ec2-policy"
		138 |   role = aws_iam_role.ec2_instance_role.id
		139 |   policy = jsonencode({
		140 |     Version = "2012-10-17"
		141 |     Statement = [
		142 |       {
		143 |         Effect = "Allow",
		144 |         Action = [
		145 |           "logs:CreateLogGroup",
		146 |           "logs:CreateLogStream",
		147 |           "logs:DescribeLogStreams",
		148 |           "logs:PutRetentionPolicy",
		149 |           "logs:PutLogEvents",
		150 |           "logs:DescribeLogGroups",
		151 |           "cloudwatch:PutMetricData",
		152 |           "cloudwatch:GetMetricStatistics",
		153 |           "cloudwatch:ListMetrics",
		154 |           "ec2:DescribeInstances",
		155 |         ],
		156 |         Resource = "*"
		157 |       },
		158 |       {
		159 |         Effect = "Allow",
		160 |         Action = [
		161 |           "ec2:CreateTags"
		162 |         ],
		163 |         Resource = "*"
		164 |       }
		165 |     ]
		166 |   })
		167 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.database
	File: /ec2.tf:269-279
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		269 | resource "aws_cloudwatch_log_group" "database" {
		270 |   name              = "${upper(local.application_name)}-EC2-database-alert"
		271 |   retention_in_days = 0
		272 |   # kms_key_id = aws_kms_key.cloudwatch_logs_key.arn # Not encrypted in LZ
		273 |   tags = merge(
		274 |     local.tags,
		275 |     {
		276 |       Name = "${upper(local.application_name)}-EC2-database-alert"
		277 |     }
		278 |   )
		279 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.pmon_status
	File: /ec2.tf:294-304
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		294 | resource "aws_cloudwatch_log_group" "pmon_status" {
		295 |   name              = "${upper(local.application_name)}-EC2-database-pmon-status"
		296 |   retention_in_days = 0
		297 |   # kms_key_id = aws_kms_key.cloudwatch_logs_key.arn # Not encrypted in LZ
		298 |   tags = merge(
		299 |     local.tags,
		300 |     {
		301 |       Name = "${upper(local.application_name)}-EC2-database-pmon-status"
		302 |     }
		303 |   )
		304 | }

Check: CKV_AWS_7: "Ensure rotation for customer created CMKs is enabled"
	FAILED for resource: aws_kms_key.efs
	File: /efs.tf:1-5
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/logging-8

		1 | resource "aws_kms_key" "efs" {
		2 |   description = "KMS key for encrypting EFS"
		3 |   # enable_key_rotation = true
		4 |   tags = local.tags
		5 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.ssh_key
	File: /lambda.tf:8-23
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		8  | resource "aws_ssm_parameter" "ssh_key" {
		9  |   name        = "EC2_SSH_KEY" # This needs to match the name supplied to the dbconnect.js script
		10 |   description = "SSH Key used by Lambda function to access database instance for backup. Value is updated manually."
		11 |   type        = "SecureString"
		12 |   value       = "Placeholder"
		13 | 
		14 |   tags = merge(
		15 |     local.tags,
		16 |     { Name = "EC2_SSH_KEY" }
		17 |   )
		18 |   lifecycle {
		19 |     ignore_changes = [
		20 |       value,
		21 |     ]
		22 |   }
		23 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:51-91
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		51 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		52 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		53 |   tags = merge(
		54 |     local.tags,
		55 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		56 |   )
		57 |   policy = <<EOF
		58 | {
		59 |     "Version" : "2012-10-17",
		60 |     "Statement": [
		61 |         {
		62 |             "Action": [
		63 |                 "lambda:InvokeFunction",
		64 |                 "ec2:CreateNetworkInterface",
		65 |                 "ec2:DescribeNetworkInterfaces",
		66 |                 "ec2:DeleteNetworkInterface",
		67 |                 "ec2:DescribeSecurityGroups",
		68 |                 "ec2:CreateSnapshot",
		69 |                 "ec2:DeleteSnapshot",
		70 |                 "ec2:DescribeSubnets",
		71 |                 "ec2:DescribeVpcs",
		72 |                 "ec2:DescribeInstances",
		73 |                 "ec2:DescribeAddresses",
		74 |                 "ec2:DescribeInstanceStatus",
		75 |                 "ec2:DescribeVolumes",
		76 |                 "ec2:DescribeSnapshots",
		77 |                 "ec2:CreateTags",
		78 |                 "s3:*",
		79 |                 "ssm:*",
		80 |                 "ses:*",
		81 |                 "logs:*",
		82 |                 "cloudwatch:*",
		83 |                 "sts:AssumeRole"
		84 |             ],
		85 |             "Resource": "*",
		86 |             "Effect": "Allow"
		87 |         }
		88 |     ]
		89 | }
		90 | EOF
		91 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:51-91
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		51 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		52 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		53 |   tags = merge(
		54 |     local.tags,
		55 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		56 |   )
		57 |   policy = <<EOF
		58 | {
		59 |     "Version" : "2012-10-17",
		60 |     "Statement": [
		61 |         {
		62 |             "Action": [
		63 |                 "lambda:InvokeFunction",
		64 |                 "ec2:CreateNetworkInterface",
		65 |                 "ec2:DescribeNetworkInterfaces",
		66 |                 "ec2:DeleteNetworkInterface",
		67 |                 "ec2:DescribeSecurityGroups",
		68 |                 "ec2:CreateSnapshot",
		69 |                 "ec2:DeleteSnapshot",
		70 |                 "ec2:DescribeSubnets",
		71 |                 "ec2:DescribeVpcs",
		72 |                 "ec2:DescribeInstances",
		73 |                 "ec2:DescribeAddresses",
		74 |                 "ec2:DescribeInstanceStatus",
		75 |                 "ec2:DescribeVolumes",
		76 |                 "ec2:DescribeSnapshots",
		77 |                 "ec2:CreateTags",
		78 |                 "s3:*",
		79 |                 "ssm:*",
		80 |                 "ses:*",
		81 |                 "logs:*",
		82 |                 "cloudwatch:*",
		83 |                 "sts:AssumeRole"
		84 |             ],
		85 |             "Resource": "*",
		86 |             "Effect": "Allow"
		87 |         }
		88 |     ]
		89 | }
		90 | EOF
		91 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:51-91
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		51 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		52 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		53 |   tags = merge(
		54 |     local.tags,
		55 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		56 |   )
		57 |   policy = <<EOF
		58 | {
		59 |     "Version" : "2012-10-17",
		60 |     "Statement": [
		61 |         {
		62 |             "Action": [
		63 |                 "lambda:InvokeFunction",
		64 |                 "ec2:CreateNetworkInterface",
		65 |                 "ec2:DescribeNetworkInterfaces",
		66 |                 "ec2:DeleteNetworkInterface",
		67 |                 "ec2:DescribeSecurityGroups",
		68 |                 "ec2:CreateSnapshot",
		69 |                 "ec2:DeleteSnapshot",
		70 |                 "ec2:DescribeSubnets",
		71 |                 "ec2:DescribeVpcs",
		72 |                 "ec2:DescribeInstances",
		73 |                 "ec2:DescribeAddresses",
		74 |                 "ec2:DescribeInstanceStatus",
		75 |                 "ec2:DescribeVolumes",
		76 |                 "ec2:DescribeSnapshots",
		77 |                 "ec2:CreateTags",
		78 |                 "s3:*",
		79 |                 "ssm:*",
		80 |                 "ses:*",
		81 |                 "logs:*",
		82 |                 "cloudwatch:*",
		83 |                 "sts:AssumeRole"
		84 |             ],
		85 |             "Resource": "*",
		86 |             "Effect": "Allow"
		87 |         }
		88 |     ]
		89 | }
		90 | EOF
		91 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:51-91
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		51 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		52 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		53 |   tags = merge(
		54 |     local.tags,
		55 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		56 |   )
		57 |   policy = <<EOF
		58 | {
		59 |     "Version" : "2012-10-17",
		60 |     "Statement": [
		61 |         {
		62 |             "Action": [
		63 |                 "lambda:InvokeFunction",
		64 |                 "ec2:CreateNetworkInterface",
		65 |                 "ec2:DescribeNetworkInterfaces",
		66 |                 "ec2:DeleteNetworkInterface",
		67 |                 "ec2:DescribeSecurityGroups",
		68 |                 "ec2:CreateSnapshot",
		69 |                 "ec2:DeleteSnapshot",
		70 |                 "ec2:DescribeSubnets",
		71 |                 "ec2:DescribeVpcs",
		72 |                 "ec2:DescribeInstances",
		73 |                 "ec2:DescribeAddresses",
		74 |                 "ec2:DescribeInstanceStatus",
		75 |                 "ec2:DescribeVolumes",
		76 |                 "ec2:DescribeSnapshots",
		77 |                 "ec2:CreateTags",
		78 |                 "s3:*",
		79 |                 "ssm:*",
		80 |                 "ses:*",
		81 |                 "logs:*",
		82 |                 "cloudwatch:*",
		83 |                 "sts:AssumeRole"
		84 |             ],
		85 |             "Resource": "*",
		86 |             "Effect": "Allow"
		87 |         }
		88 |     ]
		89 | }
		90 | EOF
		91 | }

Check: CKV_AWS_287: "Ensure IAM policies does not allow credentials exposure"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:51-91
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-287

		51 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		52 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		53 |   tags = merge(
		54 |     local.tags,
		55 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		56 |   )
		57 |   policy = <<EOF
		58 | {
		59 |     "Version" : "2012-10-17",
		60 |     "Statement": [
		61 |         {
		62 |             "Action": [
		63 |                 "lambda:InvokeFunction",
		64 |                 "ec2:CreateNetworkInterface",
		65 |                 "ec2:DescribeNetworkInterfaces",
		66 |                 "ec2:DeleteNetworkInterface",
		67 |                 "ec2:DescribeSecurityGroups",
		68 |                 "ec2:CreateSnapshot",
		69 |                 "ec2:DeleteSnapshot",
		70 |                 "ec2:DescribeSubnets",
		71 |                 "ec2:DescribeVpcs",
		72 |                 "ec2:DescribeInstances",
		73 |                 "ec2:DescribeAddresses",
		74 |                 "ec2:DescribeInstanceStatus",
		75 |                 "ec2:DescribeVolumes",
		76 |                 "ec2:DescribeSnapshots",
		77 |                 "ec2:CreateTags",
		78 |                 "s3:*",
		79 |                 "ssm:*",
		80 |                 "ses:*",
		81 |                 "logs:*",
		82 |                 "cloudwatch:*",
		83 |                 "sts:AssumeRole"
		84 |             ],
		85 |             "Resource": "*",
		86 |             "Effect": "Allow"
		87 |         }
		88 |     ]
		89 | }
		90 | EOF
		91 | }

Check: CKV_AWS_382: "Ensure no security groups allow egress from 0.0.0.0:0 to port -1"
	FAILED for resource: aws_security_group.backup_lambda
	File: /lambda.tf:190-207

		190 | resource "aws_security_group" "backup_lambda" {
		191 |   name        = "${local.application_name}-${local.environment}-backup-lambda-security-group"
		192 |   description = "Bakcup Lambda Security Group"
		193 |   vpc_id      = data.aws_vpc.shared.id
		194 | 
		195 |   egress {
		196 |     description = "outbound access"
		197 |     from_port   = 0
		198 |     to_port     = 0
		199 |     protocol    = "-1"
		200 |     cidr_blocks = ["0.0.0.0/0"]
		201 |   }
		202 | 
		203 |   tags = merge(
		204 |     local.tags,
		205 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-security-group" }
		206 |   )
		207 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /lambda.tf:222-250
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		222 | resource "aws_lambda_function" "create_db_snapshots" {
		223 | 
		224 |   description      = "Snapshot volumes for Oracle EC2"
		225 |   function_name    = "snapshotDBFunction"
		226 |   role             = aws_iam_role.backup_lambda.arn
		227 |   handler          = "snapshot/dbsnapshot.handler"
		228 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		229 |   runtime          = "nodejs18.x"
		230 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		231 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		232 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		233 |   memory_size      = 128
		234 |   timeout          = 900
		235 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		236 | 
		237 |   environment {
		238 |     variables = {
		239 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		240 |     }
		241 |   }
		242 |   vpc_config {
		243 |     security_group_ids = [aws_security_group.backup_lambda.id]
		244 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		245 |   }
		246 |   tags = merge(
		247 |     local.tags,
		248 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		249 |   )
		250 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /lambda.tf:222-250
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		222 | resource "aws_lambda_function" "create_db_snapshots" {
		223 | 
		224 |   description      = "Snapshot volumes for Oracle EC2"
		225 |   function_name    = "snapshotDBFunction"
		226 |   role             = aws_iam_role.backup_lambda.arn
		227 |   handler          = "snapshot/dbsnapshot.handler"
		228 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		229 |   runtime          = "nodejs18.x"
		230 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		231 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		232 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		233 |   memory_size      = 128
		234 |   timeout          = 900
		235 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		236 | 
		237 |   environment {
		238 |     variables = {
		239 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		240 |     }
		241 |   }
		242 |   vpc_config {
		243 |     security_group_ids = [aws_security_group.backup_lambda.id]
		244 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		245 |   }
		246 |   tags = merge(
		247 |     local.tags,
		248 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		249 |   )
		250 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /lambda.tf:222-250
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		222 | resource "aws_lambda_function" "create_db_snapshots" {
		223 | 
		224 |   description      = "Snapshot volumes for Oracle EC2"
		225 |   function_name    = "snapshotDBFunction"
		226 |   role             = aws_iam_role.backup_lambda.arn
		227 |   handler          = "snapshot/dbsnapshot.handler"
		228 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		229 |   runtime          = "nodejs18.x"
		230 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		231 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		232 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		233 |   memory_size      = 128
		234 |   timeout          = 900
		235 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		236 | 
		237 |   environment {
		238 |     variables = {
		239 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		240 |     }
		241 |   }
		242 |   vpc_config {
		243 |     security_group_ids = [aws_security_group.backup_lambda.id]
		244 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		245 |   }
		246 |   tags = merge(
		247 |     local.tags,
		248 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		249 |   )
		250 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /lambda.tf:222-250
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		222 | resource "aws_lambda_function" "create_db_snapshots" {
		223 | 
		224 |   description      = "Snapshot volumes for Oracle EC2"
		225 |   function_name    = "snapshotDBFunction"
		226 |   role             = aws_iam_role.backup_lambda.arn
		227 |   handler          = "snapshot/dbsnapshot.handler"
		228 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		229 |   runtime          = "nodejs18.x"
		230 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		231 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		232 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		233 |   memory_size      = 128
		234 |   timeout          = 900
		235 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		236 | 
		237 |   environment {
		238 |     variables = {
		239 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		240 |     }
		241 |   }
		242 |   vpc_config {
		243 |     security_group_ids = [aws_security_group.backup_lambda.id]
		244 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		245 |   }
		246 |   tags = merge(
		247 |     local.tags,
		248 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		249 |   )
		250 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /lambda.tf:222-250
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		222 | resource "aws_lambda_function" "create_db_snapshots" {
		223 | 
		224 |   description      = "Snapshot volumes for Oracle EC2"
		225 |   function_name    = "snapshotDBFunction"
		226 |   role             = aws_iam_role.backup_lambda.arn
		227 |   handler          = "snapshot/dbsnapshot.handler"
		228 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		229 |   runtime          = "nodejs18.x"
		230 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		231 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		232 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		233 |   memory_size      = 128
		234 |   timeout          = 900
		235 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		236 | 
		237 |   environment {
		238 |     variables = {
		239 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		240 |     }
		241 |   }
		242 |   vpc_config {
		243 |     security_group_ids = [aws_security_group.backup_lambda.id]
		244 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		245 |   }
		246 |   tags = merge(
		247 |     local.tags,
		248 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		249 |   )
		250 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /lambda.tf:252-274
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		252 | resource "aws_lambda_function" "delete_db_snapshots" {
		253 | 
		254 |   description      = "Clean up script to delete old unused snapshots"
		255 |   function_name    = "deletesnapshotFunction"
		256 |   role             = aws_iam_role.backup_lambda.arn
		257 |   handler          = "deletesnapshots.lambda_handler"
		258 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		259 |   runtime          = "python3.8"
		260 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		261 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		262 |   memory_size      = 3000
		263 |   timeout          = 900
		264 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		265 | 
		266 |   vpc_config {
		267 |     security_group_ids = [aws_security_group.backup_lambda.id]
		268 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		269 |   }
		270 |   tags = merge(
		271 |     local.tags,
		272 |     { Name = "${local.application_name}-${local.environment}-lambda-delete-snapshots" }
		273 |   )
		274 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /lambda.tf:252-274
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		252 | resource "aws_lambda_function" "delete_db_snapshots" {
		253 | 
		254 |   description      = "Clean up script to delete old unused snapshots"
		255 |   function_name    = "deletesnapshotFunction"
		256 |   role             = aws_iam_role.backup_lambda.arn
		257 |   handler          = "deletesnapshots.lambda_handler"
		258 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		259 |   runtime          = "python3.8"
		260 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		261 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		262 |   memory_size      = 3000
		263 |   timeout          = 900
		264 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		265 | 
		266 |   vpc_config {
		267 |     security_group_ids = [aws_security_group.backup_lambda.id]
		268 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		269 |   }
		270 |   tags = merge(
		271 |     local.tags,
		272 |     { Name = "${local.application_name}-${local.environment}-lambda-delete-snapshots" }
		273 |   )
		274 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /lambda.tf:252-274
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		252 | resource "aws_lambda_function" "delete_db_snapshots" {
		253 | 
		254 |   description      = "Clean up script to delete old unused snapshots"
		255 |   function_name    = "deletesnapshotFunction"
		256 |   role             = aws_iam_role.backup_lambda.arn
		257 |   handler          = "deletesnapshots.lambda_handler"
		258 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		259 |   runtime          = "python3.8"
		260 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		261 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		262 |   memory_size      = 3000
		263 |   timeout          = 900
		264 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		265 | 
		266 |   vpc_config {
		267 |     security_group_ids = [aws_security_group.backup_lambda.id]
		268 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		269 |   }
		270 |   tags = merge(
		271 |     local.tags,
		272 |     { Name = "${local.application_name}-${local.environment}-lambda-delete-snapshots" }
		273 |   )
		274 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /lambda.tf:252-274
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		252 | resource "aws_lambda_function" "delete_db_snapshots" {
		253 | 
		254 |   description      = "Clean up script to delete old unused snapshots"
		255 |   function_name    = "deletesnapshotFunction"
		256 |   role             = aws_iam_role.backup_lambda.arn
		257 |   handler          = "deletesnapshots.lambda_handler"
		258 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		259 |   runtime          = "python3.8"
		260 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		261 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		262 |   memory_size      = 3000
		263 |   timeout          = 900
		264 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		265 | 
		266 |   vpc_config {
		267 |     security_group_ids = [aws_security_group.backup_lambda.id]
		268 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		269 |   }
		270 |   tags = merge(
		271 |     local.tags,
		272 |     { Name = "${local.application_name}-${local.environment}-lambda-delete-snapshots" }
		273 |   )
		274 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.connect_db
	File: /lambda.tf:276-307
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		276 | resource "aws_lambda_function" "connect_db" {
		277 | 
		278 |   description      = "SSH to the DB EC2"
		279 |   function_name    = "connectDBFunction"
		280 |   role             = aws_iam_role.backup_lambda.arn
		281 |   handler          = "ssh/dbconnect.handler"
		282 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		283 |   runtime          = "nodejs18.x"
		284 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		285 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		286 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		287 |   memory_size      = 128
		288 |   timeout          = 900
		289 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		290 | 
		291 | 
		292 | 
		293 |   environment {
		294 |     variables = {
		295 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		296 | 
		297 |     }
		298 |   }
		299 |   vpc_config {
		300 |     security_group_ids = [aws_security_group.backup_lambda.id]
		301 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		302 |   }
		303 |   tags = merge(
		304 |     local.tags,
		305 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		306 |   )
		307 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.connect_db
	File: /lambda.tf:276-307
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		276 | resource "aws_lambda_function" "connect_db" {
		277 | 
		278 |   description      = "SSH to the DB EC2"
		279 |   function_name    = "connectDBFunction"
		280 |   role             = aws_iam_role.backup_lambda.arn
		281 |   handler          = "ssh/dbconnect.handler"
		282 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		283 |   runtime          = "nodejs18.x"
		284 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		285 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		286 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		287 |   memory_size      = 128
		288 |   timeout          = 900
		289 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		290 | 
		291 | 
		292 | 
		293 |   environment {
		294 |     variables = {
		295 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		296 | 
		297 |     }
		298 |   }
		299 |   vpc_config {
		300 |     security_group_ids = [aws_security_group.backup_lambda.id]
		301 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		302 |   }
		303 |   tags = merge(
		304 |     local.tags,
		305 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		306 |   )
		307 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.connect_db
	File: /lambda.tf:276-307
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		276 | resource "aws_lambda_function" "connect_db" {
		277 | 
		278 |   description      = "SSH to the DB EC2"
		279 |   function_name    = "connectDBFunction"
		280 |   role             = aws_iam_role.backup_lambda.arn
		281 |   handler          = "ssh/dbconnect.handler"
		282 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		283 |   runtime          = "nodejs18.x"
		284 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		285 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		286 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		287 |   memory_size      = 128
		288 |   timeout          = 900
		289 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		290 | 
		291 | 
		292 | 
		293 |   environment {
		294 |     variables = {
		295 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		296 | 
		297 |     }
		298 |   }
		299 |   vpc_config {
		300 |     security_group_ids = [aws_security_group.backup_lambda.id]
		301 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		302 |   }
		303 |   tags = merge(
		304 |     local.tags,
		305 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		306 |   )
		307 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.connect_db
	File: /lambda.tf:276-307
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		276 | resource "aws_lambda_function" "connect_db" {
		277 | 
		278 |   description      = "SSH to the DB EC2"
		279 |   function_name    = "connectDBFunction"
		280 |   role             = aws_iam_role.backup_lambda.arn
		281 |   handler          = "ssh/dbconnect.handler"
		282 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		283 |   runtime          = "nodejs18.x"
		284 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		285 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		286 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		287 |   memory_size      = 128
		288 |   timeout          = 900
		289 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		290 | 
		291 | 
		292 | 
		293 |   environment {
		294 |     variables = {
		295 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		296 | 
		297 |     }
		298 |   }
		299 |   vpc_config {
		300 |     security_group_ids = [aws_security_group.backup_lambda.id]
		301 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		302 |   }
		303 |   tags = merge(
		304 |     local.tags,
		305 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		306 |   )
		307 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.connect_db
	File: /lambda.tf:276-307
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		276 | resource "aws_lambda_function" "connect_db" {
		277 | 
		278 |   description      = "SSH to the DB EC2"
		279 |   function_name    = "connectDBFunction"
		280 |   role             = aws_iam_role.backup_lambda.arn
		281 |   handler          = "ssh/dbconnect.handler"
		282 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		283 |   runtime          = "nodejs18.x"
		284 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		285 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		286 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		287 |   memory_size      = 128
		288 |   timeout          = 900
		289 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		290 | 
		291 | 
		292 | 
		293 |   environment {
		294 |     variables = {
		295 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		296 | 
		297 |     }
		298 |   }
		299 |   vpc_config {
		300 |     security_group_ids = [aws_security_group.backup_lambda.id]
		301 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		302 |   }
		303 |   tags = merge(
		304 |     local.tags,
		305 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		306 |   )
		307 | }
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.alb.s3-bucket[0]
	File: /modules/alb/main.tf:96-151
	Calling File: /alb.tf:27-163
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: module.alb.aws_secretsmanager_secret.cloudfront
	File: /modules/alb/main.tf:275-278
	Calling File: /alb.tf:27-163
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		275 | resource "aws_secretsmanager_secret" "cloudfront" {
		276 |   name        = "cloudfront-v1-secret-${var.application_name}"
		277 |   description = "Simple secret created by AWS CloudFormation to be shared between ALB and CloudFront"
		278 | }

Check: CKV_AWS_233: "Ensure Create before destroy for ACM certificates"
	FAILED for resource: module.alb.aws_acm_certificate.external_lb
	File: /modules/alb/main.tf:427-437
	Calling File: /alb.tf:27-163
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-acm-certificate-enables-create-before-destroy

		427 | resource "aws_acm_certificate" "external_lb" {
		428 | 
		429 |   domain_name               = var.acm_cert_domain_name
		430 |   validation_method         = "DNS"
		431 |   subject_alternative_names = var.environment == "production" ? null : ["${var.application_name}.${var.business_unit}-${var.environment}.${var.acm_cert_domain_name}"]
		432 |   tags                      = var.tags
		433 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		434 |   lifecycle {
		435 |     prevent_destroy = false
		436 |   }
		437 | }

Check: CKV_AWS_300: "Ensure S3 lifecycle configuration sets period for aborting failed uploads"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket_lifecycle_configuration.report_lifecycle
	File: /modules/codebuild/main.tf:25-39
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-300

		25 | resource "aws_s3_bucket_lifecycle_configuration" "report_lifecycle" {
		26 |   bucket = aws_s3_bucket.deployment_report.id
		27 | 
		28 |   rule {
		29 |     id = "monthly-expiration"
		30 |     expiration {
		31 |       days = var.s3_lifecycle_expiration_days
		32 |     }
		33 |     noncurrent_version_expiration {
		34 |       noncurrent_days = var.s3_lifecycle_noncurr_version_expiration_days
		35 |     }
		36 | 
		37 |     status = "Enabled"
		38 |   }
		39 | }

Check: CKV_AWS_163: "Ensure ECR image scanning on push is enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_ecr_repository.local-ecr
	File: /modules/codebuild/main.tf:52-66
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-8

		52 | resource "aws_ecr_repository" "local-ecr" {
		53 |   name                 = "${var.app_name}-local-ecr"
		54 |   image_tag_mutability = "MUTABLE"
		55 | 
		56 |   image_scanning_configuration {
		57 |     scan_on_push = false
		58 |   }
		59 | 
		60 |   tags = merge(
		61 |     var.tags,
		62 |     {
		63 |       Name = "${var.app_name}-local-ecr"
		64 |     },
		65 |   )
		66 | }

Check: CKV_AWS_51: "Ensure ECR Image Tags are immutable"
	FAILED for resource: module.apex-ecr-codebuild.aws_ecr_repository.local-ecr
	File: /modules/codebuild/main.tf:52-66
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-24

		52 | resource "aws_ecr_repository" "local-ecr" {
		53 |   name                 = "${var.app_name}-local-ecr"
		54 |   image_tag_mutability = "MUTABLE"
		55 | 
		56 |   image_scanning_configuration {
		57 |     scan_on_push = false
		58 |   }
		59 | 
		60 |   tags = merge(
		61 |     var.tags,
		62 |     {
		63 |       Name = "${var.app_name}-local-ecr"
		64 |     },
		65 |   )
		66 | }

Check: CKV_AWS_136: "Ensure that ECR repositories are encrypted using KMS"
	FAILED for resource: module.apex-ecr-codebuild.aws_ecr_repository.local-ecr
	File: /modules/codebuild/main.tf:52-66
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ecr-repositories-are-encrypted

		52 | resource "aws_ecr_repository" "local-ecr" {
		53 |   name                 = "${var.app_name}-local-ecr"
		54 |   image_tag_mutability = "MUTABLE"
		55 | 
		56 |   image_scanning_configuration {
		57 |     scan_on_push = false
		58 |   }
		59 | 
		60 |   tags = merge(
		61 |     var.tags,
		62 |     {
		63 |       Name = "${var.app_name}-local-ecr"
		64 |     },
		65 |   )
		66 | }

Check: CKV_AWS_314: "Ensure CodeBuild project environments have a logging configuration"
	FAILED for resource: module.apex-ecr-codebuild.aws_codebuild_project.app-build
	File: /modules/codebuild/main.tf:163-229
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-314

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_316: "Ensure CodeBuild project environments do not have privileged mode enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_codebuild_project.app-build
	File: /modules/codebuild/main.tf:163-229
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-316

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_314: "Ensure CodeBuild project environments have a logging configuration"
	FAILED for resource: module.apex-ecr-codebuild.aws_codebuild_project.test-build
	File: /modules/codebuild/main.tf:231-280
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-314

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: module.apex-ecs.aws_launch_template.ec2-launch-template
	File: /modules/ecs/main.tf:107-164
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_341: "Ensure Launch template should not have a metadata response hop limit greater than 1"
	FAILED for resource: module.apex-ecs.aws_launch_template.ec2-launch-template
	File: /modules/ecs/main.tf:107-164
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-341

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: module.apex-ecs.aws_iam_policy.ec2_instance_policy
	File: /modules/ecs/main.tf:204-237
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		204 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		205 |   name = "${var.app_name}-ec2-instance-policy"
		206 |   tags = merge(
		207 |     var.tags_common,
		208 |     {
		209 |       Name = "${var.app_name}-ec2-instance-policy"
		210 |     }
		211 |   )
		212 |   policy = <<EOF
		213 | {
		214 |     "Version": "2012-10-17",
		215 |     "Statement": [
		216 |         {
		217 |             "Action": [
		218 |                 "ecs:CreateCluster",
		219 |                 "ecs:DeregisterContainerInstance",
		220 |                 "ecs:DiscoverPollEndpoint",
		221 |                 "ecs:Poll",
		222 |                 "ecs:RegisterContainerInstance",
		223 |                 "ecs:StartTelemetrySession",
		224 |                 "ecs:Submit*",
		225 |                 "logs:CreateLogGroup",
		226 |                 "logs:CreateLogStream",
		227 |                 "logs:PutLogEvents",
		228 |                 "logs:DescribeLogStreams",
		229 |                 "ecr:*"
		230 |             ],
		231 |             "Resource": "*",
		232 |             "Effect": "Allow"
		233 |         }
		234 |     ]
		235 | }
		236 | EOF
		237 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.apex-ecs.aws_iam_policy.ec2_instance_policy
	File: /modules/ecs/main.tf:204-237
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		204 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		205 |   name = "${var.app_name}-ec2-instance-policy"
		206 |   tags = merge(
		207 |     var.tags_common,
		208 |     {
		209 |       Name = "${var.app_name}-ec2-instance-policy"
		210 |     }
		211 |   )
		212 |   policy = <<EOF
		213 | {
		214 |     "Version": "2012-10-17",
		215 |     "Statement": [
		216 |         {
		217 |             "Action": [
		218 |                 "ecs:CreateCluster",
		219 |                 "ecs:DeregisterContainerInstance",
		220 |                 "ecs:DiscoverPollEndpoint",
		221 |                 "ecs:Poll",
		222 |                 "ecs:RegisterContainerInstance",
		223 |                 "ecs:StartTelemetrySession",
		224 |                 "ecs:Submit*",
		225 |                 "logs:CreateLogGroup",
		226 |                 "logs:CreateLogStream",
		227 |                 "logs:PutLogEvents",
		228 |                 "logs:DescribeLogStreams",
		229 |                 "ecr:*"
		230 |             ],
		231 |             "Resource": "*",
		232 |             "Effect": "Allow"
		233 |         }
		234 |     ]
		235 | }
		236 | EOF
		237 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: module.apex-ecs.aws_iam_policy.ec2_instance_policy
	File: /modules/ecs/main.tf:204-237
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		204 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		205 |   name = "${var.app_name}-ec2-instance-policy"
		206 |   tags = merge(
		207 |     var.tags_common,
		208 |     {
		209 |       Name = "${var.app_name}-ec2-instance-policy"
		210 |     }
		211 |   )
		212 |   policy = <<EOF
		213 | {
		214 |     "Version": "2012-10-17",
		215 |     "Statement": [
		216 |         {
		217 |             "Action": [
		218 |                 "ecs:CreateCluster",
		219 |                 "ecs:DeregisterContainerInstance",
		220 |                 "ecs:DiscoverPollEndpoint",
		221 |                 "ecs:Poll",
		222 |                 "ecs:RegisterContainerInstance",
		223 |                 "ecs:StartTelemetrySession",
		224 |                 "ecs:Submit*",
		225 |                 "logs:CreateLogGroup",
		226 |                 "logs:CreateLogStream",
		227 |                 "logs:PutLogEvents",
		228 |                 "logs:DescribeLogStreams",
		229 |                 "ecr:*"
		230 |             ],
		231 |             "Resource": "*",
		232 |             "Effect": "Allow"
		233 |         }
		234 |     ]
		235 | }
		236 | EOF
		237 | }

Check: CKV_AWS_249: "Ensure that the Execution Role ARN and the Task Role ARN are different in ECS Task definitions"
	FAILED for resource: module.apex-ecs.aws_ecs_task_definition.windows_ecs_task_definition
	File: /modules/ecs/main.tf:266-287
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-the-aws-execution-role-arn-and-task-role-arn-are-different-in-ecs-task-definitions

		266 | resource "aws_ecs_task_definition" "windows_ecs_task_definition" {
		267 |   family             = "${var.app_name}-task-definition"
		268 |   count              = var.container_instance_type == "windows" ? 1 : 0
		269 |   execution_role_arn = aws_iam_role.ecs_task_execution_role.arn # grants the Amazon ECS container agents permission to make AWS API calls on your behalf
		270 |   task_role_arn      = aws_iam_role.ecs_task_execution_role.arn # assumed by the containers running in the task, allowing your application code (on the container) to use other AWS services
		271 |   requires_compatibilities = [
		272 |     "EC2",
		273 |   ]
		274 | 
		275 |   # volume {
		276 |   #   name = var.task_definition_volume
		277 |   # }
		278 | 
		279 |   container_definitions = var.task_definition
		280 | 
		281 |   tags = merge(
		282 |     var.tags_common,
		283 |     {
		284 |       Name = "${var.app_name}-windows-task-definition"
		285 |     }
		286 |   )
		287 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.apex-ecs.aws_iam_policy.ecs_service
	File: /modules/ecs/main.tf:439-467
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		439 | resource "aws_iam_policy" "ecs_service" { #tfsec:ignore:aws-iam-no-policy-wildcards
		440 |   name = "${var.app_name}-ecs-service-policy"
		441 |   tags = merge(
		442 |     var.tags_common,
		443 |     {
		444 |       Name = "${var.app_name}-ecs-service-policy"
		445 |     }
		446 |   )
		447 |   policy = <<EOF
		448 | {
		449 |   "Version": "2012-10-17",
		450 |   "Statement": [
		451 |     {
		452 |       "Effect": "Allow",
		453 |       "Action": [
		454 |         "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
		455 |         "elasticloadbalancing:DeregisterTargets",
		456 |         "elasticloadbalancing:Describe*",
		457 |         "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
		458 |         "elasticloadbalancing:RegisterTargets",
		459 |         "ec2:Describe*",
		460 |         "ec2:AuthorizeSecurityGroupIngress"
		461 |       ],
		462 |       "Resource": ["*"]
		463 |     }
		464 |   ]
		465 | }
		466 | EOF
		467 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: module.apex-ecs.aws_iam_policy.ecs_service
	File: /modules/ecs/main.tf:439-467
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		439 | resource "aws_iam_policy" "ecs_service" { #tfsec:ignore:aws-iam-no-policy-wildcards
		440 |   name = "${var.app_name}-ecs-service-policy"
		441 |   tags = merge(
		442 |     var.tags_common,
		443 |     {
		444 |       Name = "${var.app_name}-ecs-service-policy"
		445 |     }
		446 |   )
		447 |   policy = <<EOF
		448 | {
		449 |   "Version": "2012-10-17",
		450 |   "Statement": [
		451 |     {
		452 |       "Effect": "Allow",
		453 |       "Action": [
		454 |         "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
		455 |         "elasticloadbalancing:DeregisterTargets",
		456 |         "elasticloadbalancing:Describe*",
		457 |         "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
		458 |         "elasticloadbalancing:RegisterTargets",
		459 |         "ec2:Describe*",
		460 |         "ec2:AuthorizeSecurityGroupIngress"
		461 |       ],
		462 |       "Resource": ["*"]
		463 |     }
		464 |   ]
		465 | }
		466 | EOF
		467 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: module.apex-ecs.aws_cloudwatch_log_group.cloudwatch_group
	File: /modules/ecs/main.tf:488-499
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		488 | resource "aws_cloudwatch_log_group" "cloudwatch_group" {
		489 |   #checkov:skip=CKV_AWS_158:Temporarily skip KMS encryption check while logging solution is being updated
		490 |   name              = "${var.app_name}-ecs-container-logs"
		491 |   retention_in_days = 90
		492 |   kms_key_id        = var.log_group_kms_key
		493 |   tags = merge(
		494 |     var.tags_common,
		495 |     {
		496 |       Name = "${var.app_name}-ecs-container-logs"
		497 |     }
		498 |   )
		499 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: module.apex-ecs.aws_cloudwatch_log_group.ec2
	File: /modules/ecs/main.tf:506-516
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		506 | resource "aws_cloudwatch_log_group" "ec2" {
		507 |   name              = "${var.app_name}-ecs-ec2-logs"
		508 |   retention_in_days = 90
		509 |   kms_key_id        = var.log_group_kms_key
		510 |   tags = merge(
		511 |     var.tags_common,
		512 |     {
		513 |       Name = "${var.app_name}-ecs-ec2-logs"
		514 |     }
		515 |   )
		516 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy.backuplambdapolicy
	File: /modules/lambdapolicy/main.tf:21-58
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		22 |   name   = var.backup_policy_name
		23 |   tags   = var.tags
		24 |   policy = <<EOF
		25 | {
		26 |     "Version" : "2012-10-17",
		27 |     "Statement": [
		28 |         {
		29 |             "Action": [
		30 |                 "lambda:InvokeFunction",
		31 |                 "ec2:CreateNetworkInterface",
		32 |                 "ec2:DescribeNetworkInterfaces",
		33 |                 "ec2:DeleteNetworkInterface",
		34 |                 "ec2:DescribeSecurityGroups",
		35 |                 "ec2:CreateSnapshot",
		36 |                 "ec2:DeleteSnapshot",
		37 |                 "ec2:DescribeSubnets",
		38 |                 "ec2:DescribeVpcs",
		39 |                 "ec2:DescribeInstances",
		40 |                 "ec2:DescribeAddresses",
		41 |                 "ec2:DescribeInstanceStatus",
		42 |                 "ec2:DescribeVolumes",
		43 |                 "ec2:DescribeSnapshots",
		44 |                 "ec2:CreateTags",
		45 |                 "s3:*",
		46 |                 "ssm:*",
		47 |                 "ses:*",
		48 |                 "logs:*",
		49 |                 "cloudwatch:*",
		50 |                 "sts:AssumeRole"
		51 |             ],
		52 |             "Resource": "*",
		53 |             "Effect": "Allow"
		54 |         }
		55 |     ]
		56 | }
		57 | EOF
		58 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.backuplambdapolicy
	File: /modules/lambdapolicy/main.tf:21-58
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		22 |   name   = var.backup_policy_name
		23 |   tags   = var.tags
		24 |   policy = <<EOF
		25 | {
		26 |     "Version" : "2012-10-17",
		27 |     "Statement": [
		28 |         {
		29 |             "Action": [
		30 |                 "lambda:InvokeFunction",
		31 |                 "ec2:CreateNetworkInterface",
		32 |                 "ec2:DescribeNetworkInterfaces",
		33 |                 "ec2:DeleteNetworkInterface",
		34 |                 "ec2:DescribeSecurityGroups",
		35 |                 "ec2:CreateSnapshot",
		36 |                 "ec2:DeleteSnapshot",
		37 |                 "ec2:DescribeSubnets",
		38 |                 "ec2:DescribeVpcs",
		39 |                 "ec2:DescribeInstances",
		40 |                 "ec2:DescribeAddresses",
		41 |                 "ec2:DescribeInstanceStatus",
		42 |                 "ec2:DescribeVolumes",
		43 |                 "ec2:DescribeSnapshots",
		44 |                 "ec2:CreateTags",
		45 |                 "s3:*",
		46 |                 "ssm:*",
		47 |                 "ses:*",
		48 |                 "logs:*",
		49 |                 "cloudwatch:*",
		50 |                 "sts:AssumeRole"
		51 |             ],
		52 |             "Resource": "*",
		53 |             "Effect": "Allow"
		54 |         }
		55 |     ]
		56 | }
		57 | EOF
		58 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.backuplambdapolicy
	File: /modules/lambdapolicy/main.tf:21-58
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		22 |   name   = var.backup_policy_name
		23 |   tags   = var.tags
		24 |   policy = <<EOF
		25 | {
		26 |     "Version" : "2012-10-17",
		27 |     "Statement": [
		28 |         {
		29 |             "Action": [
		30 |                 "lambda:InvokeFunction",
		31 |                 "ec2:CreateNetworkInterface",
		32 |                 "ec2:DescribeNetworkInterfaces",
		33 |                 "ec2:DeleteNetworkInterface",
		34 |                 "ec2:DescribeSecurityGroups",
		35 |                 "ec2:CreateSnapshot",
		36 |                 "ec2:DeleteSnapshot",
		37 |                 "ec2:DescribeSubnets",
		38 |                 "ec2:DescribeVpcs",
		39 |                 "ec2:DescribeInstances",
		40 |                 "ec2:DescribeAddresses",
		41 |                 "ec2:DescribeInstanceStatus",
		42 |                 "ec2:DescribeVolumes",
		43 |                 "ec2:DescribeSnapshots",
		44 |                 "ec2:CreateTags",
		45 |                 "s3:*",
		46 |                 "ssm:*",
		47 |                 "ses:*",
		48 |                 "logs:*",
		49 |                 "cloudwatch:*",
		50 |                 "sts:AssumeRole"
		51 |             ],
		52 |             "Resource": "*",
		53 |             "Effect": "Allow"
		54 |         }
		55 |     ]
		56 | }
		57 | EOF
		58 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_policy.backuplambdapolicy
	File: /modules/lambdapolicy/main.tf:21-58
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		22 |   name   = var.backup_policy_name
		23 |   tags   = var.tags
		24 |   policy = <<EOF
		25 | {
		26 |     "Version" : "2012-10-17",
		27 |     "Statement": [
		28 |         {
		29 |             "Action": [
		30 |                 "lambda:InvokeFunction",
		31 |                 "ec2:CreateNetworkInterface",
		32 |                 "ec2:DescribeNetworkInterfaces",
		33 |                 "ec2:DeleteNetworkInterface",
		34 |                 "ec2:DescribeSecurityGroups",
		35 |                 "ec2:CreateSnapshot",
		36 |                 "ec2:DeleteSnapshot",
		37 |                 "ec2:DescribeSubnets",
		38 |                 "ec2:DescribeVpcs",
		39 |                 "ec2:DescribeInstances",
		40 |                 "ec2:DescribeAddresses",
		41 |                 "ec2:DescribeInstanceStatus",
		42 |                 "ec2:DescribeVolumes",
		43 |                 "ec2:DescribeSnapshots",
		44 |                 "ec2:CreateTags",
		45 |                 "s3:*",
		46 |                 "ssm:*",
		47 |                 "ses:*",
		48 |                 "logs:*",
		49 |                 "cloudwatch:*",
		50 |                 "sts:AssumeRole"
		51 |             ],
		52 |             "Resource": "*",
		53 |             "Effect": "Allow"
		54 |         }
		55 |     ]
		56 | }
		57 | EOF
		58 | }

Check: CKV_AWS_287: "Ensure IAM policies does not allow credentials exposure"
	FAILED for resource: aws_iam_policy.backuplambdapolicy
	File: /modules/lambdapolicy/main.tf:21-58
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-287

		21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		22 |   name   = var.backup_policy_name
		23 |   tags   = var.tags
		24 |   policy = <<EOF
		25 | {
		26 |     "Version" : "2012-10-17",
		27 |     "Statement": [
		28 |         {
		29 |             "Action": [
		30 |                 "lambda:InvokeFunction",
		31 |                 "ec2:CreateNetworkInterface",
		32 |                 "ec2:DescribeNetworkInterfaces",
		33 |                 "ec2:DeleteNetworkInterface",
		34 |                 "ec2:DescribeSecurityGroups",
		35 |                 "ec2:CreateSnapshot",
		36 |                 "ec2:DeleteSnapshot",
		37 |                 "ec2:DescribeSubnets",
		38 |                 "ec2:DescribeVpcs",
		39 |                 "ec2:DescribeInstances",
		40 |                 "ec2:DescribeAddresses",
		41 |                 "ec2:DescribeInstanceStatus",
		42 |                 "ec2:DescribeVolumes",
		43 |                 "ec2:DescribeSnapshots",
		44 |                 "ec2:CreateTags",
		45 |                 "s3:*",
		46 |                 "ssm:*",
		47 |                 "ses:*",
		48 |                 "logs:*",
		49 |                 "cloudwatch:*",
		50 |                 "sts:AssumeRole"
		51 |             ],
		52 |             "Resource": "*",
		53 |             "Effect": "Allow"
		54 |         }
		55 |     ]
		56 | }
		57 | EOF
		58 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: pagerduty_core_alerts
	File: /sns.tf:34-41
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		34 | module "pagerduty_core_alerts" {
		35 |   depends_on = [
		36 |     aws_sns_topic.apex
		37 |   ]
		38 |   source                    = "github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0"
		39 |   sns_topics                = [aws_sns_topic.apex.name]
		40 |   pagerduty_integration_key = local.pagerduty_integration_keys[local.pagerduty_integration_key_name]
		41 | }
Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.apex
	File: /sns.tf:6-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		6  | resource "aws_sns_topic" "apex" {
		7  |   name = "${local.application_name}-${local.environment}-alerting-topic"
		8  |   tags = merge(
		9  |     local.tags,
		10 |     {
		11 |       Name = "${local.application_name}-${local.environment}-alerting-topic"
		12 |     }
		13 |   )
		14 | }

Check: CKV_AWS_176: "Ensure Logging is enabled for WAF Web Access Control Lists"
	FAILED for resource: aws_waf_web_acl.waf_acl
	File: /waf.tf:57-87
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-31

		57 | resource "aws_waf_web_acl" "waf_acl" {
		58 |   depends_on = [
		59 |     aws_waf_rule.wafmanualallowrule,
		60 |     aws_waf_rule.wafmanualblockrule,
		61 |   ]
		62 |   name        = "${upper(local.application_name)} Whitelisting Requesters"
		63 |   metric_name = "${upper(local.application_name)}WhitelistingRequesters"
		64 |   #   scope    = "CLOUDFRONT"
		65 |   #   provider = aws.us-east-1
		66 |   default_action {
		67 |     type = "BLOCK"
		68 |   }
		69 | 
		70 |   rules {
		71 |     action {
		72 |       type = "ALLOW"
		73 |     }
		74 |     priority = 1
		75 |     rule_id  = aws_waf_rule.wafmanualallowrule.id
		76 |     type     = "REGULAR"
		77 |   }
		78 | 
		79 |   rules {
		80 |     action {
		81 |       type = "BLOCK"
		82 |     }
		83 |     priority = 2
		84 |     rule_id  = aws_waf_rule.wafmanualblockrule.id
		85 |     type     = "REGULAR"
		86 |   }
		87 | }

Check: CKV2_AWS_47: "Ensure AWS CloudFront attached WAFv2 WebACL is configured with AMR for Log4j Vulnerability"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:177-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-47

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: module.alb.aws_secretsmanager_secret.cloudfront
	File: /modules/alb/main.tf:275-278
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		275 | resource "aws_secretsmanager_secret" "cloudfront" {
		276 |   name        = "cloudfront-v1-secret-${var.application_name}"
		277 |   description = "Simple secret created by AWS CloudFormation to be shared between ALB and CloudFront"
		278 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.cloudfront
	File: /cloudfront.tf:109-122
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		109 | resource "aws_s3_bucket" "cloudfront" {
		110 |   bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		111 |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		112 |   tags = merge(
		113 |     local.tags,
		114 |     {
		115 |       Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		116 |     }
		117 |   )
		118 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		119 |   lifecycle {
		120 |     prevent_destroy = false
		121 |   }
		122 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:107-113
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		107 | resource "aws_s3_bucket" "backup_lambda" {
		108 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		109 |   tags = merge(
		110 |     local.tags,
		111 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		112 |   )
		113 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
	File: /modules/codebuild/main.tf:5-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		5  | resource "aws_s3_bucket" "deployment_report" {
		6  |   bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		7  |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		8  |   tags = merge(
		9  |     var.tags,
		10 |     {
		11 |       Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		12 |     },
		13 |   )
		14 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.laa-lambda-backup
	File: /modules/s3/main.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		1 | resource "aws_s3_bucket" "laa-lambda-backup" {
		2 |   bucket = var.bucket_name
		3 |   tags   = var.tags
		4 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.cloudfront
	File: /cloudfront.tf:109-122
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		109 | resource "aws_s3_bucket" "cloudfront" {
		110 |   bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		111 |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		112 |   tags = merge(
		113 |     local.tags,
		114 |     {
		115 |       Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		116 |     }
		117 |   )
		118 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		119 |   lifecycle {
		120 |     prevent_destroy = false
		121 |   }
		122 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:107-113
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		107 | resource "aws_s3_bucket" "backup_lambda" {
		108 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		109 |   tags = merge(
		110 |     local.tags,
		111 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		112 |   )
		113 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
	File: /modules/codebuild/main.tf:5-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		5  | resource "aws_s3_bucket" "deployment_report" {
		6  |   bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		7  |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		8  |   tags = merge(
		9  |     var.tags,
		10 |     {
		11 |       Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		12 |     },
		13 |   )
		14 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.laa-lambda-backup
	File: /modules/s3/main.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		1 | resource "aws_s3_bucket" "laa-lambda-backup" {
		2 |   bucket = var.bucket_name
		3 |   tags   = var.tags
		4 | }

Check: CKV2_AWS_32: "Ensure CloudFront distribution has a response headers policy attached"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:177-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/bc-aws-networking-65

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AWS_18: "Ensure that Elastic File System (Amazon EFS) file systems are added in the backup plans of AWS Backup"
	FAILED for resource: aws_efs_file_system.efs
	File: /efs.tf:41-55
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-elastic-file-system-amazon-efs-file-systems-are-added-in-the-backup-plans-of-aws-backup

		41 | resource "aws_efs_file_system" "efs" {
		42 |   encrypted        = true
		43 |   kms_key_id       = aws_kms_key.efs.arn
		44 |   performance_mode = "maxIO"
		45 |   throughput_mode  = "bursting"
		46 | 
		47 |   tags = merge(
		48 |     local.tags,
		49 |     { "Name" = "mp-${local.application_name}-efs" }
		50 |   )
		51 | 
		52 |   lifecycle_policy {
		53 |     transition_to_ia = "AFTER_90_DAYS"
		54 |   }
		55 | }

Check: CKV_AWS_378: "Ensure AWS Load Balancer doesn't use HTTP protocol"
	FAILED for resource: module.alb.aws_lb_target_group.alb_target_group
	File: /modules/alb/main.tf:346-373

		346 | resource "aws_lb_target_group" "alb_target_group" {
		347 |   name                 = "${var.application_name}-alb-tg"
		348 |   port                 = var.target_group_port
		349 |   protocol             = var.target_group_protocol
		350 |   vpc_id               = var.vpc_id
		351 |   deregistration_delay = var.target_group_deregistration_delay
		352 |   health_check {
		353 |     interval            = var.healthcheck_interval
		354 |     path                = var.healthcheck_path
		355 |     protocol            = var.healthcheck_protocol
		356 |     timeout             = var.healthcheck_timeout
		357 |     healthy_threshold   = var.healthcheck_healthy_threshold
		358 |     unhealthy_threshold = var.healthcheck_unhealthy_threshold
		359 |   }
		360 |   stickiness {
		361 |     enabled         = var.stickiness_enabled
		362 |     type            = var.stickiness_type
		363 |     cookie_duration = var.stickiness_cookie_duration
		364 |   }
		365 | 
		366 |   tags = merge(
		367 |     var.tags,
		368 |     {
		369 |       Name = "${var.application_name}-alb-tg"
		370 |     },
		371 |   )
		372 | 
		373 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.cloudfront
	File: /cloudfront.tf:109-122
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		109 | resource "aws_s3_bucket" "cloudfront" {
		110 |   bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		111 |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		112 |   tags = merge(
		113 |     local.tags,
		114 |     {
		115 |       Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		116 |     }
		117 |   )
		118 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		119 |   lifecycle {
		120 |     prevent_destroy = false
		121 |   }
		122 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:107-113
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		107 | resource "aws_s3_bucket" "backup_lambda" {
		108 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		109 |   tags = merge(
		110 |     local.tags,
		111 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		112 |   )
		113 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
	File: /modules/codebuild/main.tf:5-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		5  | resource "aws_s3_bucket" "deployment_report" {
		6  |   bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		7  |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		8  |   tags = merge(
		9  |     var.tags,
		10 |     {
		11 |       Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		12 |     },
		13 |   )
		14 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.laa-lambda-backup
	File: /modules/s3/main.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		1 | resource "aws_s3_bucket" "laa-lambda-backup" {
		2 |   bucket = var.bucket_name
		3 |   tags   = var.tags
		4 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.cloudfront
	File: /cloudfront.tf:109-122
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		109 | resource "aws_s3_bucket" "cloudfront" {
		110 |   bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		111 |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		112 |   tags = merge(
		113 |     local.tags,
		114 |     {
		115 |       Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		116 |     }
		117 |   )
		118 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		119 |   lifecycle {
		120 |     prevent_destroy = false
		121 |   }
		122 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:107-113
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		107 | resource "aws_s3_bucket" "backup_lambda" {
		108 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		109 |   tags = merge(
		110 |     local.tags,
		111 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		112 |   )
		113 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
	File: /modules/codebuild/main.tf:5-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		5  | resource "aws_s3_bucket" "deployment_report" {
		6  |   bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		7  |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		8  |   tags = merge(
		9  |     var.tags,
		10 |     {
		11 |       Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		12 |     },
		13 |   )
		14 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.laa-lambda-backup
	File: /modules/s3/main.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		1 | resource "aws_s3_bucket" "laa-lambda-backup" {
		2 |   bucket = var.bucket_name
		3 |   tags   = var.tags
		4 | }

Check: CKV2_AWS_65: "Ensure access control lists for S3 buckets are disabled"
	FAILED for resource: aws_s3_bucket_ownership_controls.backup_lambda
	File: /lambda.tf:130-135
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-112

		130 | resource "aws_s3_bucket_ownership_controls" "backup_lambda" {
		131 |   bucket = aws_s3_bucket.backup_lambda.id
		132 |   rule {
		133 |     object_ownership = "ObjectWriter"
		134 |   }
		135 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.u01-orahome
	File: /ec2.tf:169-184
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		169 | resource "aws_ebs_volume" "u01-orahome" {
		170 |   availability_zone = "eu-west-2a"
		171 |   size              = local.application_data.accounts[local.environment].u01_orahome_size
		172 |   type              = "gp3"
		173 |   encrypted         = true
		174 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		175 |   snapshot_id       = local.application_data.accounts[local.environment].u01_orahome_snapshot
		176 |   lifecycle {
		177 |     ignore_changes = [kms_key_id]
		178 |   }
		179 |   tags = merge(
		180 |     local.tags,
		181 |     { "Name" = "${local.application_name}db-ec2-u01-orahome" },
		182 |     { "backup" = "false" }
		183 |   )
		184 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.u02-oradata
	File: /ec2.tf:191-206
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		191 | resource "aws_ebs_volume" "u02-oradata" {
		192 |   availability_zone = "eu-west-2a"
		193 |   size              = local.application_data.accounts[local.environment].u02_oradata_size
		194 |   type              = "gp3"
		195 |   encrypted         = true
		196 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		197 |   snapshot_id       = local.application_data.accounts[local.environment].u02_oradata_snapshot
		198 |   lifecycle {
		199 |     ignore_changes = [kms_key_id]
		200 |   }
		201 |   tags = merge(
		202 |     local.tags,
		203 |     { "Name" = "${local.application_name}db-ec2-u02-oradata" },
		204 |     { "backup" = "false" }
		205 |   )
		206 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.u03-redo
	File: /ec2.tf:216-231
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		216 | resource "aws_ebs_volume" "u03-redo" {
		217 |   availability_zone = "eu-west-2a"
		218 |   size              = local.application_data.accounts[local.environment].u03_redo_size
		219 |   type              = "gp3"
		220 |   encrypted         = true
		221 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		222 |   snapshot_id       = local.application_data.accounts[local.environment].u03_redo_snapshot
		223 |   lifecycle {
		224 |     ignore_changes = [kms_key_id]
		225 |   }
		226 |   tags = merge(
		227 |     local.tags,
		228 |     { "Name" = "${local.application_name}db-ec2-u03-redo" },
		229 |     { "backup" = "false" }
		230 |   )
		231 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.u04-arch
	File: /ec2.tf:238-253
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		238 | resource "aws_ebs_volume" "u04-arch" {
		239 |   availability_zone = "eu-west-2a"
		240 |   size              = local.application_data.accounts[local.environment].u04_arch_size
		241 |   type              = "gp3"
		242 |   encrypted         = true
		243 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		244 |   snapshot_id       = local.application_data.accounts[local.environment].u04_arch_snapshot
		245 |   lifecycle {
		246 |     ignore_changes = [kms_key_id]
		247 |   }
		248 |   tags = merge(
		249 |     local.tags,
		250 |     { "Name" = "${local.application_name}db-ec2-u04-arch" },
		251 |     { "backup" = "false" }
		252 |   )
		253 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.cloudfront
	File: /cloudfront.tf:109-122
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		109 | resource "aws_s3_bucket" "cloudfront" {
		110 |   bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		111 |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		112 |   tags = merge(
		113 |     local.tags,
		114 |     {
		115 |       Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		116 |     }
		117 |   )
		118 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		119 |   lifecycle {
		120 |     prevent_destroy = false
		121 |   }
		122 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
	File: /modules/codebuild/main.tf:5-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		5  | resource "aws_s3_bucket" "deployment_report" {
		6  |   bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		7  |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		8  |   tags = merge(
		9  |     var.tags,
		10 |     {
		11 |       Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		12 |     },
		13 |   )
		14 | }

Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV2_AWS_46: "Ensure AWS CloudFront Distribution with S3 have Origin Access set to enabled"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:177-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-aws-cloudfromt-distribution-with-s3-have-origin-access-set-to-enabled

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:107-113
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		107 | resource "aws_s3_bucket" "backup_lambda" {
		108 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		109 |   tags = merge(
		110 |     local.tags,
		111 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		112 |   )
		113 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.laa-lambda-backup
	File: /modules/s3/main.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		1 | resource "aws_s3_bucket" "laa-lambda-backup" {
		2 |   bucket = var.bucket_name
		3 |   tags   = var.tags
		4 | }

terraform_plan scan results:

Passed checks: 0, Failed checks: 0, Skipped checks: 0, Parsing errors: 1


checkov_exitcode=1
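Most of the Checkov failures above are the same eight S3 controls repeated across five buckets, so the fix is one set of bolt-on resources per bucket. The block below is an added example, not code from this PR or the repository: it takes the `aws_s3_bucket.backup_lambda` resource from lambda.tf:107-113 and adds the resources that clear CKV2_AWS_65, CKV2_AWS_6, CKV_AWS_21, CKV_AWS_145, CKV_AWS_18, CKV2_AWS_61 and CKV2_AWS_62. `aws_kms_key.s3` and `aws_s3_bucket.access_logs` are assumed to exist elsewhere in the module; cross-region replication (CKV_AWS_144) is suppressed with an inline skip because the bucket holds regenerable artefacts, which is the reviewer's call to make explicitly rather than leave the finding unexplained.

```hcl
# Added example, not from the PR. aws_kms_key.s3 and aws_s3_bucket.access_logs
# are assumed to be defined elsewhere in the module.

resource "aws_s3_bucket" "backup_lambda" {
  #checkov:skip=CKV_AWS_144:DB scripts are regenerable from source control; replication not required
  bucket = "${local.application_name}-${local.environment}-backup-lambda"
  tags = merge(
    local.tags,
    { Name = "${local.application_name}-${local.environment}-backup-lambda" }
  )
}

# CKV2_AWS_65: ObjectWriter (the value in lambda.tf:133) keeps ACLs live and
# lets whoever uploads own the object. BucketOwnerEnforced disables ACLs, so
# the Lambda role that writes the scripts cannot grant access via an ACL.
resource "aws_s3_bucket_ownership_controls" "backup_lambda" {
  bucket = aws_s3_bucket.backup_lambda.id
  rule {
    object_ownership = "BucketOwnerEnforced"
  }
}

# CKV2_AWS_6: all four public-access blocks on.
resource "aws_s3_bucket_public_access_block" "backup_lambda" {
  bucket                  = aws_s3_bucket.backup_lambda.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# CKV_AWS_21: versioning, so an overwritten or deleted script is recoverable.
resource "aws_s3_bucket_versioning" "backup_lambda" {
  bucket = aws_s3_bucket.backup_lambda.id
  versioning_configuration {
    status = "Enabled"
  }
}

# CKV_AWS_145 (and Trivy AVD-AWS-0132): SSE-KMS with a customer managed key.
# bucket_key_enabled cuts KMS request volume and cost for high object counts.
resource "aws_s3_bucket_server_side_encryption_configuration" "backup_lambda" {
  bucket = aws_s3_bucket.backup_lambda.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"
      kms_master_key_id = aws_kms_key.s3.arn # assumed key
    }
    bucket_key_enabled = true
  }
}

# CKV_AWS_18: server access logs to a separate logging bucket (assumed).
resource "aws_s3_bucket_logging" "backup_lambda" {
  bucket        = aws_s3_bucket.backup_lambda.id
  target_bucket = aws_s3_bucket.access_logs.id
  target_prefix = "backup-lambda/"
}

# CKV2_AWS_61: expire non-current script versions and clean up abandoned
# multipart uploads instead of retaining them indefinitely.
resource "aws_s3_bucket_lifecycle_configuration" "backup_lambda" {
  bucket     = aws_s3_bucket.backup_lambda.id
  depends_on = [aws_s3_bucket_versioning.backup_lambda]

  rule {
    id     = "expire-noncurrent-versions"
    status = "Enabled"
    filter {}
    noncurrent_version_expiration {
      noncurrent_days = 90
    }
    abort_incomplete_multipart_upload {
      days_after_initiation = 7
    }
  }
}

# CKV2_AWS_62: publish object events to EventBridge. No SNS/SQS target is
# needed, and detection rules can then alert on unexpected PutObject calls.
resource "aws_s3_bucket_notification" "backup_lambda" {
  bucket      = aws_s3_bucket.backup_lambda.id
  eventbridge = true
}
```

Switching `object_ownership` to `BucketOwnerEnforced` will fail if any existing object in the bucket carries a non-default ACL, so check with `aws s3api get-object-acl` on the uploaded scripts first; the same set of resources applies unchanged to `cloudfront`, `deployment_report`, `codebuild_resources` and `laa-lambda-backup`.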

TFLint Scan Failed

*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/apex

*****************************

Running tflint in terraform/environments/apex
Excluding the following checks: terraform_unused_declarations
7 issue(s) found:

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/apex/alb.tf line 17:
  17:     "${local.application_data.accounts[local.environment].acm_cert_domain_name}" = {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/apex/alb.tf line 19:
  19:       zone_name = "${local.application_data.accounts[local.environment].acm_cert_domain_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "template" in `required_providers` (terraform_required_providers)

  on terraform/environments/apex/cloudwatch.tf line 401:
 401: data "template_file" "dashboard" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "local" in `required_providers` (terraform_required_providers)

  on terraform/environments/apex/ec2.tf line 42:
  42: data "local_file" "cloudwatch_agent" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/apex/event_triggers.tf line 22:
  22:   input = jsonencode({ "appname" : "${local.database_ec2_name}" })

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "time" in `required_providers` (terraform_required_providers)

  on terraform/environments/apex/lambda.tf line 125:
 125: resource "time_sleep" "wait_for_provision_files" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "archive" in `required_providers` (terraform_required_providers)

  on terraform/environments/apex/lambda.tf line 179:
 179: data "archive_file" "connect_db" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

tflint_exitcode=2
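The tflint warnings are two separate fixes: a `required_providers` entry for every provider the configuration uses, and dropping `"${...}"` wrappers around expressions that are nothing but an interpolation. The block below is an added example, not code from this PR; the version ranges are assumptions, and the `validation_records` local standing in for the map at alb.tf:17-19 is a guess at the surrounding structure.

```hcl
# Added example, not from the PR. Version constraints are assumptions.

terraform {
  required_version = ">= 1.5"

  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
    # lambda.tf:179  data "archive_file" "connect_db"
    archive = {
      source  = "hashicorp/archive"
      version = "~> 2.4"
    }
    # ec2.tf:42  data "local_file" "cloudwatch_agent"
    local = {
      source  = "hashicorp/local"
      version = "~> 2.4"
    }
    # lambda.tf:125  resource "time_sleep" "wait_for_provision_files"
    time = {
      source  = "hashicorp/time"
      version = "~> 0.11"
    }
    # cloudwatch.tf:401  data "template_file" "dashboard"
    # hashicorp/template is archived at 2.2.0 and ships no arm64 build, so
    # this pin only buys time until the data source is replaced by the
    # built-in templatefile() function.
    template = {
      source  = "hashicorp/template"
      version = "~> 2.2"
    }
  }
}

# alb.tf:17 and alb.tf:19 without interpolation-only strings. A map key that
# is an expression has to be wrapped in parentheses, otherwise HCL reads it
# as a literal attribute name.
locals {
  acm_cert_domain_name = local.application_data.accounts[local.environment].acm_cert_domain_name

  validation_records = {
    (local.acm_cert_domain_name) = {
      zone_name = local.acm_cert_domain_name
    }
  }

  # event_triggers.tf:22, same fix: the value is already a string.
  db_trigger_input = jsonencode({ appname = local.database_ec2_name })
}
```

`tflint --fix` rewrites the three `terraform_deprecated_interpolation` hits automatically; the `required_providers` entries have to be added by hand, and once they are, `terraform init -upgrade` records the resolved versions in the lock file so later plans are reproducible.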

Trivy Scan Failed

*****************************

Trivy will check the following folders:
terraform/environments/apex

*****************************

Running Trivy in terraform/environments/apex
2024-12-03T12:31:13Z	INFO	[vulndb] Need to update DB
2024-12-03T12:31:13Z	INFO	[vulndb] Downloading vulnerability DB...
2024-12-03T12:31:13Z	INFO	[vulndb] Downloading artifact...	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-03T12:31:15Z	INFO	[vulndb] Artifact successfully downloaded	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-03T12:31:15Z	INFO	[vuln] Vulnerability scanning is enabled
2024-12-03T12:31:15Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-12-03T12:31:15Z	INFO	[misconfig] Need to update the built-in checks
2024-12-03T12:31:15Z	INFO	[misconfig] Downloading the built-in checks...
2024-12-03T12:31:15Z	ERROR	[misconfig] Falling back to embedded checks	err="failed to download built-in policies: download error: OCI repository error: 1 error occurred:\n\t* GET https://ghcr.io/v2/aquasecurity/trivy-checks/manifests/1: TOOMANYREQUESTS: retry-after: 1.052826ms, allowed: 44000/minute\n\n"
2024-12-03T12:31:15Z	INFO	[secret] Secret scanning is enabled
2024-12-03T12:31:15Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-12-03T12:31:15Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-12-03T12:31:16Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-12-03T12:31:16Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2024-12-03T12:31:16Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="aws_waf_ipset.wafmanualallowset" err="1 error occurred:\n\t* invalid for-each in aws_waf_ipset.wafmanualallowset.dynamic.ip_set_descriptors block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-03T12:31:16Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="aws_waf_ipset.wafmanualallowset" err="1 error occurred:\n\t* invalid for-each in aws_waf_ipset.wafmanualallowset.dynamic.ip_set_descriptors block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-03T12:31:16Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.aws_route53_record.external_lb_validation_core_network_services" value="cty.NilVal"
2024-12-03T12:31:16Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.aws_route53_record.external_lb_validation_core_vpc" value="cty.NilVal"
2024-12-03T12:31:16Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.aws_route53_record.external_lb_validation_self" value="cty.NilVal"
2024-12-03T12:31:16Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.data.aws_route53_zone.core_network_services" value="cty.NilVal"
2024-12-03T12:31:16Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.data.aws_route53_zone.core_vpc" value="cty.NilVal"
2024-12-03T12:31:16Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.data.aws_route53_zone.self" value="cty.NilVal"
2024-12-03T12:31:17Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.apex-ecs.aws_autoscaling_group.cluster-scaling-group" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.cluster-scaling-group.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-03T12:31:17Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.apex-ecs.aws_autoscaling_group.cluster-scaling-group" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.cluster-scaling-group.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-03T12:31:17Z	INFO	[terraform scanner] Scanning root module	file_path="modules/lambdapolicy"
2024-12-03T12:31:17Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="tags"
2024-12-03T12:31:17Z	INFO	[terraform scanner] Scanning root module	file_path="modules/s3"
2024-12-03T12:31:17Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="tags"
2024-12-03T12:31:18Z	INFO	[terraform executor] Ignore finding	rule="aws-elb-alb-not-public" range="modules/alb/main.tf:210-234"
2024-12-03T12:31:18Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0/main.tf:171-179"
2024-12-03T12:31:19Z	INFO	Number of language-specific files	num=0
2024-12-03T12:31:19Z	INFO	Detected config files	num=12

cloudfront.tf (terraform)
=========================
Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0013 (HIGH): Distribution allows unencrypted communications.
════════════════════════════════════════
You should not use outdated/insecure TLS versions for encryption. You should be using TLS v1.2+.
Note: that setting *minimum_protocol_version = "TLSv1.2_2021"* is only possible when *cloudfront_default_certificate* is false (eg. you are not using the cloudfront.net domain name).
If *cloudfront_default_certificate* is true then the Cloudfront API will only allow setting *minimum_protocol_version = "TLSv1"*, and setting it to any other value will result in a perpetual diff in your *terraform plan*'s.
The only option when using the cloudfront.net domain name is to ignore this rule.


See https://avd.aquasec.com/misconfig/avd-aws-0013
────────────────────────────────────────
 cloudfront.tf:241-245
   via cloudfront.tf:177-267 (aws_cloudfront_distribution.external)
────────────────────────────────────────
 177   resource "aws_cloudfront_distribution" "external" {
 ...   
 241 ┌   viewer_certificate {
 242 │     acm_certificate_arn      = aws_acm_certificate.cloudfront.arn
 243 │     ssl_support_method       = "sni-only"
 244 │     minimum_protocol_version = "TLSv1.2_2018"
 245 └   }
 ...   
 267   }
────────────────────────────────────────


AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.


See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 cloudfront.tf:131-142
────────────────────────────────────────
 131 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "cloudfront" {
 132 │   bucket = aws_s3_bucket.cloudfront.id
 133 │   rule {
 134 │     apply_server_side_encryption_by_default {
 135 │       sse_algorithm = "AES256"
 136 │     }
 137 │   }
 138 │   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
 139 └   lifecycle {
 ...   
────────────────────────────────────────



ec2.tf (terraform)
==================
Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 ec2.tf:6-40
────────────────────────────────────────
   6 ┌ resource "aws_instance" "apex_db_instance" {
   7 │   ami                         = local.application_data.accounts[local.environment].ec2amiid
   8 │   associate_public_ip_address = false
   9 │   availability_zone           = "eu-west-2a"
  10 │   ebs_optimized               = true
  11 │   instance_type               = local.application_data.accounts[local.environment].ec2instancetype
  12 │   vpc_security_group_ids      = [aws_security_group.database.id]
  13 │   monitoring                  = true
  14 └   subnet_id                   = data.aws_subnet.data_subnets_a.id
  ..   
────────────────────────────────────────



lambda.tf (terraform)
=====================
Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0088 (HIGH): Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.


See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
 lambda.tf:107-113
────────────────────────────────────────
 107 ┌ resource "aws_s3_bucket" "backup_lambda" {
 108 │   bucket = "${local.application_name}-${local.environment}-backup-lambda"
 109 │   tags = merge(
 110 │     local.tags,
 111 │     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
 112 │   )
 113 └ }
────────────────────────────────────────


AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.


See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 lambda.tf:107-113
────────────────────────────────────────
 107 ┌ resource "aws_s3_bucket" "backup_lambda" {
 108 │   bucket = "${local.application_name}-${local.environment}-backup-lambda"
 109 │   tags = merge(
 110 │     local.tags,
 111 │     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
 112 │   )
 113 └ }
────────────────────────────────────────



modules/ecs/main.tf (terraform)
===============================
Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0130 (HIGH): Launch template does not require IMDS access to require a token
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/aws-autoscaling-enforce-http-token-imds
────────────────────────────────────────
 modules/ecs/main.tf:119-123
   via modules/ecs/main.tf:107-164 (aws_launch_template.ec2-launch-template)
    via ecs.tf:5-38 (module.apex-ecs)
────────────────────────────────────────
 107   resource "aws_launch_template" "ec2-launch-template" {
 ...   
 119 ┌   metadata_options {
 120 │     http_endpoint               = "enabled"
 121 │     http_tokens                 = "optional"
 122 │     http_put_response_hop_limit = "2"
 123 └   }
 ...   
 164   }
────────────────────────────────────────



modules/s3/main.tf (terraform)
==============================
Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0088 (HIGH): Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.


See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
 modules/s3/main.tf:1-4
────────────────────────────────────────
   1 ┌ resource "aws_s3_bucket" "laa-lambda-backup" {
   2 │   bucket = var.bucket_name
   3 │   tags   = var.tags
   4 └ }
────────────────────────────────────────


AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.


See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 modules/s3/main.tf:1-4
────────────────────────────────────────
   1 ┌ resource "aws_s3_bucket" "laa-lambda-backup" {
   2 │   bucket = var.bucket_name
   3 │   tags   = var.tags
   4 └ }
────────────────────────────────────────


trivy_exitcode=1


github-actions bot commented Dec 3, 2024

Trivy Scan Failed

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/apex


Running Trivy in terraform/environments/apex
2024-12-03T14:07:13Z INFO [vulndb] Need to update DB
2024-12-03T14:07:13Z INFO [vulndb] Downloading vulnerability DB...
2024-12-03T14:07:13Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-03T14:07:16Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-03T14:07:16Z INFO [vuln] Vulnerability scanning is enabled
2024-12-03T14:07:16Z INFO [misconfig] Misconfiguration scanning is enabled
2024-12-03T14:07:16Z INFO [misconfig] Need to update the built-in checks
2024-12-03T14:07:16Z INFO [misconfig] Downloading the built-in checks...
2024-12-03T14:07:16Z ERROR [misconfig] Falling back to embedded checks err="failed to download built-in policies: download error: OCI repository error: 1 error occurred:\n\t* GET https://ghcr.io/v2/aquasecurity/trivy-checks/manifests/1: TOOMANYREQUESTS: retry-after: 845.342µs, allowed: 44000/minute\n\n"
2024-12-03T14:07:16Z INFO [secret] Secret scanning is enabled
2024-12-03T14:07:16Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-12-03T14:07:16Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-12-03T14:07:17Z INFO [terraform scanner] Scanning root module file_path="."
2024-12-03T14:07:17Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2024-12-03T14:07:17Z ERROR [terraform evaluator] Failed to expand dynamic block. block="aws_waf_ipset.wafmanualallowset" err="1 error occurred:\n\t* invalid for-each in aws_waf_ipset.wafmanualallowset.dynamic.ip_set_descriptors block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-03T14:07:17Z ERROR [terraform evaluator] Failed to expand dynamic block. block="aws_waf_ipset.wafmanualallowset" err="1 error occurred:\n\t* invalid for-each in aws_waf_ipset.wafmanualallowset.dynamic.ip_set_descriptors block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-03T14:07:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.aws_route53_record.external_lb_validation_core_network_services" value="cty.NilVal"
2024-12-03T14:07:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.aws_route53_record.external_lb_validation_core_vpc" value="cty.NilVal"
2024-12-03T14:07:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.aws_route53_record.external_lb_validation_self" value="cty.NilVal"
2024-12-03T14:07:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.data.aws_route53_zone.core_network_services" value="cty.NilVal"
2024-12-03T14:07:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.data.aws_route53_zone.core_vpc" value="cty.NilVal"
2024-12-03T14:07:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.data.aws_route53_zone.self" value="cty.NilVal"
2024-12-03T14:07:18Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.apex-ecs.aws_autoscaling_group.cluster-scaling-group" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.cluster-scaling-group.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-03T14:07:18Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.apex-ecs.aws_autoscaling_group.cluster-scaling-group" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.cluster-scaling-group.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-03T14:07:18Z INFO [terraform scanner] Scanning root module file_path="modules/lambdapolicy"
2024-12-03T14:07:18Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="tags"
2024-12-03T14:07:18Z INFO [terraform scanner] Scanning root module file_path="modules/s3"
2024-12-03T14:07:18Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="tags"
2024-12-03T14:07:20Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0/main.tf:171-179"
2024-12-03T14:07:20Z INFO [terraform executor] Ignore finding rule="aws-elb-alb-not-public" range="modules/alb/main.tf:210-234"
2024-12-03T14:07:20Z INFO Number of language-specific files num=0
2024-12-03T14:07:20Z INFO Detected config files num=12

cloudfront.tf (terraform)
=========================
Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0013 (HIGH): Distribution allows unencrypted communications.
════════════════════════════════════════
You should not use outdated/insecure TLS versions for encryption. You should be using TLS v1.2+.
Note: that setting minimum_protocol_version = "TLSv1.2_2021" is only possible when cloudfront_default_certificate is false (eg. you are not using the cloudfront.net domain name).
If cloudfront_default_certificate is true then the Cloudfront API will only allow setting minimum_protocol_version = "TLSv1", and setting it to any other value will result in a perpetual diff in your terraform plan's.
The only option when using the cloudfront.net domain name is to ignore this rule.

See https://avd.aquasec.com/misconfig/avd-aws-0013
────────────────────────────────────────
cloudfront.tf:241-245
via cloudfront.tf:177-267 (aws_cloudfront_distribution.external)
────────────────────────────────────────
177 resource "aws_cloudfront_distribution" "external" {
...
241 ┌   viewer_certificate {
242 │     acm_certificate_arn      = aws_acm_certificate.cloudfront.arn
243 │     ssl_support_method       = "sni-only"
244 │     minimum_protocol_version = "TLSv1.2_2018"
245 └   }
...
267 }
────────────────────────────────────────

AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
cloudfront.tf:131-142
────────────────────────────────────────
131 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "cloudfront" {
132 │   bucket = aws_s3_bucket.cloudfront.id
133 │   rule {
134 │     apply_server_side_encryption_by_default {
135 │       sse_algorithm = "AES256"
136 │     }
137 │   }
138 │   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
139 └   lifecycle {
...
────────────────────────────────────────

ec2.tf (terraform)
==================
Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
ec2.tf:6-40
────────────────────────────────────────
 6 ┌ resource "aws_instance" "apex_db_instance" {
 7 │   ami                         = local.application_data.accounts[local.environment].ec2amiid
 8 │   associate_public_ip_address = false
 9 │   availability_zone           = "eu-west-2a"
10 │   ebs_optimized               = true
11 │   instance_type               = local.application_data.accounts[local.environment].ec2instancetype
12 │   vpc_security_group_ids      = [aws_security_group.database.id]
13 │   monitoring                  = true
14 └   subnet_id                   = data.aws_subnet.data_subnets_a.id
..
────────────────────────────────────────

lambda.tf (terraform)
=====================
Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0088 (HIGH): Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.

See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
lambda.tf:107-113
────────────────────────────────────────
107 ┌ resource "aws_s3_bucket" "backup_lambda" {
108 │   bucket = "${local.application_name}-${local.environment}-backup-lambda"
109 │   tags = merge(
110 │     local.tags,
111 │     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
112 │   )
113 └ }
────────────────────────────────────────

AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
lambda.tf:107-113
────────────────────────────────────────
107 ┌ resource "aws_s3_bucket" "backup_lambda" {
108 │   bucket = "${local.application_name}-${local.environment}-backup-lambda"
109 │   tags = merge(
110 │     local.tags,
111 │     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
112 │   )
113 └ }
────────────────────────────────────────

modules/ecs/main.tf (terraform)
===============================
Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0130 (HIGH): Launch template does not require IMDS access to require a token
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/aws-autoscaling-enforce-http-token-imds
────────────────────────────────────────
modules/ecs/main.tf:119-123
via modules/ecs/main.tf:107-164 (aws_launch_template.ec2-launch-template)
via ecs.tf:5-38 (module.apex-ecs)
────────────────────────────────────────
107 resource "aws_launch_template" "ec2-launch-template" {
...
119 ┌   metadata_options {
120 │     http_endpoint               = "enabled"
121 │     http_tokens                 = "optional"
122 │     http_put_response_hop_limit = "2"
123 └   }
...
164 }
────────────────────────────────────────

modules/s3/main.tf (terraform)
==============================
Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0088 (HIGH): Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.

See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
modules/s3/main.tf:1-4
────────────────────────────────────────
1 ┌ resource "aws_s3_bucket" "laa-lambda-backup" {
2 │   bucket = var.bucket_name
3 │   tags   = var.tags
4 └ }
────────────────────────────────────────

AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
modules/s3/main.tf:1-4
────────────────────────────────────────
1 ┌ resource "aws_s3_bucket" "laa-lambda-backup" {
2 │   bucket = var.bucket_name
3 │   tags   = var.tags
4 └ }
────────────────────────────────────────

trivy_exitcode=1

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/apex

*****************************

Running Checkov in terraform/environments/apex
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-12-03 14:07:23,567 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0:None (for external modules, the --download-external-modules flag is required)
2024-12-03 14:07:23,567 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 368, Failed checks: 102, Skipped checks: 5, Parsing errors: 1

Check: CKV_AWS_166: "Ensure Backup Vault is encrypted at rest using KMS CMK"
	FAILED for resource: aws_backup_vault.apex
	File: /backups.tf:6-12
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-backup-vault-is-encrypted-at-rest-using-kms-cmk

		6  | resource "aws_backup_vault" "apex" {
		7  |   name = "${local.application_name}-backup-vault"
		8  |   tags = merge(
		9  |     local.tags,
		10 |     { "Name" = "${local.application_name}-backup-vault" },
		11 |   )
		12 | }

Check: CKV_AWS_166: "Ensure Backup Vault is encrypted at rest using KMS CMK"
	FAILED for resource: aws_backup_vault.prod_apex
	File: /backups.tf:64-71
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-backup-vault-is-encrypted-at-rest-using-kms-cmk

		64 | resource "aws_backup_vault" "prod_apex" {
		65 |   count = local.environment == "production" ? 1 : 0
		66 |   name  = "${local.application_name}-production-backup-vault"
		67 |   tags = merge(
		68 |     local.tags,
		69 |     { "Name" = "${local.application_name}-production-backup-vault" },
		70 |   )
		71 | }

Check: CKV_AWS_300: "Ensure S3 lifecycle configuration sets period for aborting failed uploads"
	FAILED for resource: aws_s3_bucket_lifecycle_configuration.cloudfront
	File: /cloudfront.tf:157-175
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-300

		157 | resource "aws_s3_bucket_lifecycle_configuration" "cloudfront" {
		158 |   count  = local.environment == "production" ? 1 : 0
		159 |   bucket = aws_s3_bucket.cloudfront.id
		160 | 
		161 |   rule {
		162 |     id = "delete-after-90days"
		163 | 
		164 |     expiration {
		165 |       days = 90
		166 |     }
		167 | 
		168 |     noncurrent_version_expiration {
		169 |       newer_noncurrent_versions = 1
		170 |       noncurrent_days           = 90
		171 |     }
		172 | 
		173 |     status = "Enabled"
		174 |   }
		175 | }

Check: CKV_AWS_310: "Ensure CloudFront distributions should have origin failover configured"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:177-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-310

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_374: "Ensure AWS CloudFront web distribution has geo restriction enabled"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:177-267

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_305: "Ensure CloudFront distribution has a default root object configured"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:177-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-305

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_233: "Ensure Create before destroy for ACM certificates"
	FAILED for resource: aws_acm_certificate.cloudfront
	File: /cloudfront.tf:295-305
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-acm-certificate-enables-create-before-destroy

		295 | resource "aws_acm_certificate" "cloudfront" {
		296 |   domain_name               = local.cloudfront_domain
		297 |   validation_method         = "DNS"
		298 |   provider                  = aws.us-east-1
		299 |   subject_alternative_names = local.environment == "production" ? null : [local.lower_env_cloudfront_url]
		300 |   tags                      = local.tags
		301 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		302 |   lifecycle {
		303 |     prevent_destroy = false
		304 |   }
		305 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.apex_db_instance
	File: /ec2.tf:6-40
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		6  | resource "aws_instance" "apex_db_instance" {
		7  |   ami                         = local.application_data.accounts[local.environment].ec2amiid
		8  |   associate_public_ip_address = false
		9  |   availability_zone           = "eu-west-2a"
		10 |   ebs_optimized               = true
		11 |   instance_type               = local.application_data.accounts[local.environment].ec2instancetype
		12 |   vpc_security_group_ids      = [aws_security_group.database.id]
		13 |   monitoring                  = true
		14 |   subnet_id                   = data.aws_subnet.data_subnets_a.id
		15 |   iam_instance_profile        = aws_iam_instance_profile.ec2_instance_profile.id
		16 |   key_name                    = aws_key_pair.apex.key_name
		17 |   user_data_base64            = base64encode(local.database-instance-userdata)
		18 |   user_data_replace_on_change = false
		19 | 
		20 | 
		21 |   root_block_device {
		22 |     delete_on_termination = false
		23 |     encrypted             = true # TODO Confirm if encrypted volumes can work for OAS, as it looks like in MP they must be encrypted
		24 |     volume_size           = 60
		25 |     volume_type           = "gp2"
		26 |     tags = merge(
		27 |       local.tags,
		28 |       { "Name" = "${local.application_name}db-ec2-root" },
		29 |       { "backup" = "false" }
		30 |     )
		31 |   }
		32 | 
		33 |   tags = merge(
		34 |     local.tags,
		35 |     { "Name" = local.database_ec2_name },
		36 |     { "instance-scheduling" = "skip-scheduling" },
		37 |     { "backup" = "false" },
		38 |     local.backup_schedule_tags
		39 |   )
		40 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.db_lambda
	File: /ec2.tf:77-84
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		77 | resource "aws_vpc_security_group_ingress_rule" "db_lambda" {
		78 |   security_group_id            = aws_security_group.database.id
		79 |   description                  = "Allow Lambda SSH access for backup snapshots"
		80 |   referenced_security_group_id = aws_security_group.backup_lambda.id
		81 |   from_port                    = 22
		82 |   ip_protocol                  = "tcp"
		83 |   to_port                      = 22
		84 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.db_outbound
	File: /ec2.tf:105-109
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		105 | resource "aws_vpc_security_group_egress_rule" "db_outbound" {
		106 |   security_group_id = aws_security_group.database.id
		107 |   cidr_ipv4         = "0.0.0.0/0"
		108 |   ip_protocol       = "-1"
		109 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.ec2_instance_policy
	File: /ec2.tf:136-167
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		136 | resource "aws_iam_role_policy" "ec2_instance_policy" {
		137 |   name = "${local.application_name}-ec2-policy"
		138 |   role = aws_iam_role.ec2_instance_role.id
		139 |   policy = jsonencode({
		140 |     Version = "2012-10-17"
		141 |     Statement = [
		142 |       {
		143 |         Effect = "Allow",
		144 |         Action = [
		145 |           "logs:CreateLogGroup",
		146 |           "logs:CreateLogStream",
		147 |           "logs:DescribeLogStreams",
		148 |           "logs:PutRetentionPolicy",
		149 |           "logs:PutLogEvents",
		150 |           "logs:DescribeLogGroups",
		151 |           "cloudwatch:PutMetricData",
		152 |           "cloudwatch:GetMetricStatistics",
		153 |           "cloudwatch:ListMetrics",
		154 |           "ec2:DescribeInstances",
		155 |         ],
		156 |         Resource = "*"
		157 |       },
		158 |       {
		159 |         Effect = "Allow",
		160 |         Action = [
		161 |           "ec2:CreateTags"
		162 |         ],
		163 |         Resource = "*"
		164 |       }
		165 |     ]
		166 |   })
		167 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.ec2_instance_policy
	File: /ec2.tf:136-167
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		136 | resource "aws_iam_role_policy" "ec2_instance_policy" {
		137 |   name = "${local.application_name}-ec2-policy"
		138 |   role = aws_iam_role.ec2_instance_role.id
		139 |   policy = jsonencode({
		140 |     Version = "2012-10-17"
		141 |     Statement = [
		142 |       {
		143 |         Effect = "Allow",
		144 |         Action = [
		145 |           "logs:CreateLogGroup",
		146 |           "logs:CreateLogStream",
		147 |           "logs:DescribeLogStreams",
		148 |           "logs:PutRetentionPolicy",
		149 |           "logs:PutLogEvents",
		150 |           "logs:DescribeLogGroups",
		151 |           "cloudwatch:PutMetricData",
		152 |           "cloudwatch:GetMetricStatistics",
		153 |           "cloudwatch:ListMetrics",
		154 |           "ec2:DescribeInstances",
		155 |         ],
		156 |         Resource = "*"
		157 |       },
		158 |       {
		159 |         Effect = "Allow",
		160 |         Action = [
		161 |           "ec2:CreateTags"
		162 |         ],
		163 |         Resource = "*"
		164 |       }
		165 |     ]
		166 |   })
		167 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.database
	File: /ec2.tf:269-279
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		269 | resource "aws_cloudwatch_log_group" "database" {
		270 |   name              = "${upper(local.application_name)}-EC2-database-alert"
		271 |   retention_in_days = 0
		272 |   # kms_key_id = aws_kms_key.cloudwatch_logs_key.arn # Not encrypted in LZ
		273 |   tags = merge(
		274 |     local.tags,
		275 |     {
		276 |       Name = "${upper(local.application_name)}-EC2-database-alert"
		277 |     }
		278 |   )
		279 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.pmon_status
	File: /ec2.tf:294-304
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		294 | resource "aws_cloudwatch_log_group" "pmon_status" {
		295 |   name              = "${upper(local.application_name)}-EC2-database-pmon-status"
		296 |   retention_in_days = 0
		297 |   # kms_key_id = aws_kms_key.cloudwatch_logs_key.arn # Not encrypted in LZ
		298 |   tags = merge(
		299 |     local.tags,
		300 |     {
		301 |       Name = "${upper(local.application_name)}-EC2-database-pmon-status"
		302 |     }
		303 |   )
		304 | }

Check: CKV_AWS_7: "Ensure rotation for customer created CMKs is enabled"
	FAILED for resource: aws_kms_key.efs
	File: /efs.tf:1-5
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/logging-8

		1 | resource "aws_kms_key" "efs" {
		2 |   description = "KMS key for encrypting EFS"
		3 |   # enable_key_rotation = true
		4 |   tags = local.tags
		5 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.ssh_key
	File: /lambda.tf:8-23
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		8  | resource "aws_ssm_parameter" "ssh_key" {
		9  |   name        = "EC2_SSH_KEY" # This needs to match the name supplied to the dbconnect.js script
		10 |   description = "SSH Key used by Lambda function to access database instance for backup. Value is updated manually."
		11 |   type        = "SecureString"
		12 |   value       = "Placeholder"
		13 | 
		14 |   tags = merge(
		15 |     local.tags,
		16 |     { Name = "EC2_SSH_KEY" }
		17 |   )
		18 |   lifecycle {
		19 |     ignore_changes = [
		20 |       value,
		21 |     ]
		22 |   }
		23 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:51-91
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		51 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		52 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		53 |   tags = merge(
		54 |     local.tags,
		55 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		56 |   )
		57 |   policy = <<EOF
		58 | {
		59 |     "Version" : "2012-10-17",
		60 |     "Statement": [
		61 |         {
		62 |             "Action": [
		63 |                 "lambda:InvokeFunction",
		64 |                 "ec2:CreateNetworkInterface",
		65 |                 "ec2:DescribeNetworkInterfaces",
		66 |                 "ec2:DeleteNetworkInterface",
		67 |                 "ec2:DescribeSecurityGroups",
		68 |                 "ec2:CreateSnapshot",
		69 |                 "ec2:DeleteSnapshot",
		70 |                 "ec2:DescribeSubnets",
		71 |                 "ec2:DescribeVpcs",
		72 |                 "ec2:DescribeInstances",
		73 |                 "ec2:DescribeAddresses",
		74 |                 "ec2:DescribeInstanceStatus",
		75 |                 "ec2:DescribeVolumes",
		76 |                 "ec2:DescribeSnapshots",
		77 |                 "ec2:CreateTags",
		78 |                 "s3:*",
		79 |                 "ssm:*",
		80 |                 "ses:*",
		81 |                 "logs:*",
		82 |                 "cloudwatch:*",
		83 |                 "sts:AssumeRole"
		84 |             ],
		85 |             "Resource": "*",
		86 |             "Effect": "Allow"
		87 |         }
		88 |     ]
		89 | }
		90 | EOF
		91 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:51-91
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		51 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		52 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		53 |   tags = merge(
		54 |     local.tags,
		55 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		56 |   )
		57 |   policy = <<EOF
		58 | {
		59 |     "Version" : "2012-10-17",
		60 |     "Statement": [
		61 |         {
		62 |             "Action": [
		63 |                 "lambda:InvokeFunction",
		64 |                 "ec2:CreateNetworkInterface",
		65 |                 "ec2:DescribeNetworkInterfaces",
		66 |                 "ec2:DeleteNetworkInterface",
		67 |                 "ec2:DescribeSecurityGroups",
		68 |                 "ec2:CreateSnapshot",
		69 |                 "ec2:DeleteSnapshot",
		70 |                 "ec2:DescribeSubnets",
		71 |                 "ec2:DescribeVpcs",
		72 |                 "ec2:DescribeInstances",
		73 |                 "ec2:DescribeAddresses",
		74 |                 "ec2:DescribeInstanceStatus",
		75 |                 "ec2:DescribeVolumes",
		76 |                 "ec2:DescribeSnapshots",
		77 |                 "ec2:CreateTags",
		78 |                 "s3:*",
		79 |                 "ssm:*",
		80 |                 "ses:*",
		81 |                 "logs:*",
		82 |                 "cloudwatch:*",
		83 |                 "sts:AssumeRole"
		84 |             ],
		85 |             "Resource": "*",
		86 |             "Effect": "Allow"
		87 |         }
		88 |     ]
		89 | }
		90 | EOF
		91 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:51-91
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		51 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		52 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		53 |   tags = merge(
		54 |     local.tags,
		55 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		56 |   )
		57 |   policy = <<EOF
		58 | {
		59 |     "Version" : "2012-10-17",
		60 |     "Statement": [
		61 |         {
		62 |             "Action": [
		63 |                 "lambda:InvokeFunction",
		64 |                 "ec2:CreateNetworkInterface",
		65 |                 "ec2:DescribeNetworkInterfaces",
		66 |                 "ec2:DeleteNetworkInterface",
		67 |                 "ec2:DescribeSecurityGroups",
		68 |                 "ec2:CreateSnapshot",
		69 |                 "ec2:DeleteSnapshot",
		70 |                 "ec2:DescribeSubnets",
		71 |                 "ec2:DescribeVpcs",
		72 |                 "ec2:DescribeInstances",
		73 |                 "ec2:DescribeAddresses",
		74 |                 "ec2:DescribeInstanceStatus",
		75 |                 "ec2:DescribeVolumes",
		76 |                 "ec2:DescribeSnapshots",
		77 |                 "ec2:CreateTags",
		78 |                 "s3:*",
		79 |                 "ssm:*",
		80 |                 "ses:*",
		81 |                 "logs:*",
		82 |                 "cloudwatch:*",
		83 |                 "sts:AssumeRole"
		84 |             ],
		85 |             "Resource": "*",
		86 |             "Effect": "Allow"
		87 |         }
		88 |     ]
		89 | }
		90 | EOF
		91 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:51-91
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		51 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		52 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		53 |   tags = merge(
		54 |     local.tags,
		55 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		56 |   )
		57 |   policy = <<EOF
		58 | {
		59 |     "Version" : "2012-10-17",
		60 |     "Statement": [
		61 |         {
		62 |             "Action": [
		63 |                 "lambda:InvokeFunction",
		64 |                 "ec2:CreateNetworkInterface",
		65 |                 "ec2:DescribeNetworkInterfaces",
		66 |                 "ec2:DeleteNetworkInterface",
		67 |                 "ec2:DescribeSecurityGroups",
		68 |                 "ec2:CreateSnapshot",
		69 |                 "ec2:DeleteSnapshot",
		70 |                 "ec2:DescribeSubnets",
		71 |                 "ec2:DescribeVpcs",
		72 |                 "ec2:DescribeInstances",
		73 |                 "ec2:DescribeAddresses",
		74 |                 "ec2:DescribeInstanceStatus",
		75 |                 "ec2:DescribeVolumes",
		76 |                 "ec2:DescribeSnapshots",
		77 |                 "ec2:CreateTags",
		78 |                 "s3:*",
		79 |                 "ssm:*",
		80 |                 "ses:*",
		81 |                 "logs:*",
		82 |                 "cloudwatch:*",
		83 |                 "sts:AssumeRole"
		84 |             ],
		85 |             "Resource": "*",
		86 |             "Effect": "Allow"
		87 |         }
		88 |     ]
		89 | }
		90 | EOF
		91 | }

Check: CKV_AWS_287: "Ensure IAM policies does not allow credentials exposure"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:51-91
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-287

		51 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		52 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		53 |   tags = merge(
		54 |     local.tags,
		55 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		56 |   )
		57 |   policy = <<EOF
		58 | {
		59 |     "Version" : "2012-10-17",
		60 |     "Statement": [
		61 |         {
		62 |             "Action": [
		63 |                 "lambda:InvokeFunction",
		64 |                 "ec2:CreateNetworkInterface",
		65 |                 "ec2:DescribeNetworkInterfaces",
		66 |                 "ec2:DeleteNetworkInterface",
		67 |                 "ec2:DescribeSecurityGroups",
		68 |                 "ec2:CreateSnapshot",
		69 |                 "ec2:DeleteSnapshot",
		70 |                 "ec2:DescribeSubnets",
		71 |                 "ec2:DescribeVpcs",
		72 |                 "ec2:DescribeInstances",
		73 |                 "ec2:DescribeAddresses",
		74 |                 "ec2:DescribeInstanceStatus",
		75 |                 "ec2:DescribeVolumes",
		76 |                 "ec2:DescribeSnapshots",
		77 |                 "ec2:CreateTags",
		78 |                 "s3:*",
		79 |                 "ssm:*",
		80 |                 "ses:*",
		81 |                 "logs:*",
		82 |                 "cloudwatch:*",
		83 |                 "sts:AssumeRole"
		84 |             ],
		85 |             "Resource": "*",
		86 |             "Effect": "Allow"
		87 |         }
		88 |     ]
		89 | }
		90 | EOF
		91 | }

Check: CKV_AWS_382: "Ensure no security groups allow egress from 0.0.0.0:0 to port -1"
	FAILED for resource: aws_security_group.backup_lambda
	File: /lambda.tf:190-207

		190 | resource "aws_security_group" "backup_lambda" {
		191 |   name        = "${local.application_name}-${local.environment}-backup-lambda-security-group"
		192 |   description = "Bakcup Lambda Security Group"
		193 |   vpc_id      = data.aws_vpc.shared.id
		194 | 
		195 |   egress {
		196 |     description = "outbound access"
		197 |     from_port   = 0
		198 |     to_port     = 0
		199 |     protocol    = "-1"
		200 |     cidr_blocks = ["0.0.0.0/0"]
		201 |   }
		202 | 
		203 |   tags = merge(
		204 |     local.tags,
		205 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-security-group" }
		206 |   )
		207 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /lambda.tf:222-250
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		222 | resource "aws_lambda_function" "create_db_snapshots" {
		223 | 
		224 |   description      = "Snapshot volumes for Oracle EC2"
		225 |   function_name    = "snapshotDBFunction"
		226 |   role             = aws_iam_role.backup_lambda.arn
		227 |   handler          = "snapshot/dbsnapshot.handler"
		228 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		229 |   runtime          = "nodejs18.x"
		230 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		231 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		232 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		233 |   memory_size      = 128
		234 |   timeout          = 900
		235 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		236 | 
		237 |   environment {
		238 |     variables = {
		239 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		240 |     }
		241 |   }
		242 |   vpc_config {
		243 |     security_group_ids = [aws_security_group.backup_lambda.id]
		244 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		245 |   }
		246 |   tags = merge(
		247 |     local.tags,
		248 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		249 |   )
		250 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /lambda.tf:222-250
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		222 | resource "aws_lambda_function" "create_db_snapshots" {
		223 | 
		224 |   description      = "Snapshot volumes for Oracle EC2"
		225 |   function_name    = "snapshotDBFunction"
		226 |   role             = aws_iam_role.backup_lambda.arn
		227 |   handler          = "snapshot/dbsnapshot.handler"
		228 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		229 |   runtime          = "nodejs18.x"
		230 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		231 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		232 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		233 |   memory_size      = 128
		234 |   timeout          = 900
		235 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		236 | 
		237 |   environment {
		238 |     variables = {
		239 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		240 |     }
		241 |   }
		242 |   vpc_config {
		243 |     security_group_ids = [aws_security_group.backup_lambda.id]
		244 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		245 |   }
		246 |   tags = merge(
		247 |     local.tags,
		248 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		249 |   )
		250 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /lambda.tf:222-250
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		222 | resource "aws_lambda_function" "create_db_snapshots" {
		223 | 
		224 |   description      = "Snapshot volumes for Oracle EC2"
		225 |   function_name    = "snapshotDBFunction"
		226 |   role             = aws_iam_role.backup_lambda.arn
		227 |   handler          = "snapshot/dbsnapshot.handler"
		228 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		229 |   runtime          = "nodejs18.x"
		230 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		231 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		232 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		233 |   memory_size      = 128
		234 |   timeout          = 900
		235 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		236 | 
		237 |   environment {
		238 |     variables = {
		239 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		240 |     }
		241 |   }
		242 |   vpc_config {
		243 |     security_group_ids = [aws_security_group.backup_lambda.id]
		244 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		245 |   }
		246 |   tags = merge(
		247 |     local.tags,
		248 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		249 |   )
		250 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /lambda.tf:222-250
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		222 | resource "aws_lambda_function" "create_db_snapshots" {
		223 | 
		224 |   description      = "Snapshot volumes for Oracle EC2"
		225 |   function_name    = "snapshotDBFunction"
		226 |   role             = aws_iam_role.backup_lambda.arn
		227 |   handler          = "snapshot/dbsnapshot.handler"
		228 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		229 |   runtime          = "nodejs18.x"
		230 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		231 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		232 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		233 |   memory_size      = 128
		234 |   timeout          = 900
		235 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		236 | 
		237 |   environment {
		238 |     variables = {
		239 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		240 |     }
		241 |   }
		242 |   vpc_config {
		243 |     security_group_ids = [aws_security_group.backup_lambda.id]
		244 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		245 |   }
		246 |   tags = merge(
		247 |     local.tags,
		248 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		249 |   )
		250 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /lambda.tf:222-250
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		222 | resource "aws_lambda_function" "create_db_snapshots" {
		223 | 
		224 |   description      = "Snapshot volumes for Oracle EC2"
		225 |   function_name    = "snapshotDBFunction"
		226 |   role             = aws_iam_role.backup_lambda.arn
		227 |   handler          = "snapshot/dbsnapshot.handler"
		228 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		229 |   runtime          = "nodejs18.x"
		230 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		231 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		232 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		233 |   memory_size      = 128
		234 |   timeout          = 900
		235 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		236 | 
		237 |   environment {
		238 |     variables = {
		239 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		240 |     }
		241 |   }
		242 |   vpc_config {
		243 |     security_group_ids = [aws_security_group.backup_lambda.id]
		244 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		245 |   }
		246 |   tags = merge(
		247 |     local.tags,
		248 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		249 |   )
		250 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /lambda.tf:252-274
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		252 | resource "aws_lambda_function" "delete_db_snapshots" {
		253 | 
		254 |   description      = "Clean up script to delete old unused snapshots"
		255 |   function_name    = "deletesnapshotFunction"
		256 |   role             = aws_iam_role.backup_lambda.arn
		257 |   handler          = "deletesnapshots.lambda_handler"
		258 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		259 |   runtime          = "python3.8"
		260 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		261 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		262 |   memory_size      = 3000
		263 |   timeout          = 900
		264 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		265 | 
		266 |   vpc_config {
		267 |     security_group_ids = [aws_security_group.backup_lambda.id]
		268 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		269 |   }
		270 |   tags = merge(
		271 |     local.tags,
		272 |     { Name = "${local.application_name}-${local.environment}-lambda-delete-snapshots" }
		273 |   )
		274 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /lambda.tf:252-274
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		252 | resource "aws_lambda_function" "delete_db_snapshots" {
		253 | 
		254 |   description      = "Clean up script to delete old unused snapshots"
		255 |   function_name    = "deletesnapshotFunction"
		256 |   role             = aws_iam_role.backup_lambda.arn
		257 |   handler          = "deletesnapshots.lambda_handler"
		258 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		259 |   runtime          = "python3.8"
		260 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		261 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		262 |   memory_size      = 3000
		263 |   timeout          = 900
		264 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		265 | 
		266 |   vpc_config {
		267 |     security_group_ids = [aws_security_group.backup_lambda.id]
		268 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		269 |   }
		270 |   tags = merge(
		271 |     local.tags,
		272 |     { Name = "${local.application_name}-${local.environment}-lambda-delete-snapshots" }
		273 |   )
		274 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /lambda.tf:252-274
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		252 | resource "aws_lambda_function" "delete_db_snapshots" {
		253 | 
		254 |   description      = "Clean up script to delete old unused snapshots"
		255 |   function_name    = "deletesnapshotFunction"
		256 |   role             = aws_iam_role.backup_lambda.arn
		257 |   handler          = "deletesnapshots.lambda_handler"
		258 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		259 |   runtime          = "python3.8"
		260 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		261 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		262 |   memory_size      = 3000
		263 |   timeout          = 900
		264 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		265 | 
		266 |   vpc_config {
		267 |     security_group_ids = [aws_security_group.backup_lambda.id]
		268 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		269 |   }
		270 |   tags = merge(
		271 |     local.tags,
		272 |     { Name = "${local.application_name}-${local.environment}-lambda-delete-snapshots" }
		273 |   )
		274 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /lambda.tf:252-274
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		252 | resource "aws_lambda_function" "delete_db_snapshots" {
		253 | 
		254 |   description      = "Clean up script to delete old unused snapshots"
		255 |   function_name    = "deletesnapshotFunction"
		256 |   role             = aws_iam_role.backup_lambda.arn
		257 |   handler          = "deletesnapshots.lambda_handler"
		258 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		259 |   runtime          = "python3.8"
		260 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		261 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		262 |   memory_size      = 3000
		263 |   timeout          = 900
		264 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		265 | 
		266 |   vpc_config {
		267 |     security_group_ids = [aws_security_group.backup_lambda.id]
		268 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		269 |   }
		270 |   tags = merge(
		271 |     local.tags,
		272 |     { Name = "${local.application_name}-${local.environment}-lambda-delete-snapshots" }
		273 |   )
		274 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.connect_db
	File: /lambda.tf:276-307
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		276 | resource "aws_lambda_function" "connect_db" {
		277 | 
		278 |   description      = "SSH to the DB EC2"
		279 |   function_name    = "connectDBFunction"
		280 |   role             = aws_iam_role.backup_lambda.arn
		281 |   handler          = "ssh/dbconnect.handler"
		282 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		283 |   runtime          = "nodejs18.x"
		284 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		285 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		286 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		287 |   memory_size      = 128
		288 |   timeout          = 900
		289 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		290 | 
		291 | 
		292 | 
		293 |   environment {
		294 |     variables = {
		295 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		296 | 
		297 |     }
		298 |   }
		299 |   vpc_config {
		300 |     security_group_ids = [aws_security_group.backup_lambda.id]
		301 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		302 |   }
		303 |   tags = merge(
		304 |     local.tags,
		305 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		306 |   )
		307 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.connect_db
	File: /lambda.tf:276-307
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		276 | resource "aws_lambda_function" "connect_db" {
		277 | 
		278 |   description      = "SSH to the DB EC2"
		279 |   function_name    = "connectDBFunction"
		280 |   role             = aws_iam_role.backup_lambda.arn
		281 |   handler          = "ssh/dbconnect.handler"
		282 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		283 |   runtime          = "nodejs18.x"
		284 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		285 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		286 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		287 |   memory_size      = 128
		288 |   timeout          = 900
		289 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		290 | 
		291 | 
		292 | 
		293 |   environment {
		294 |     variables = {
		295 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		296 | 
		297 |     }
		298 |   }
		299 |   vpc_config {
		300 |     security_group_ids = [aws_security_group.backup_lambda.id]
		301 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		302 |   }
		303 |   tags = merge(
		304 |     local.tags,
		305 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		306 |   )
		307 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.connect_db
	File: /lambda.tf:276-307
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		276 | resource "aws_lambda_function" "connect_db" {
		277 | 
		278 |   description      = "SSH to the DB EC2"
		279 |   function_name    = "connectDBFunction"
		280 |   role             = aws_iam_role.backup_lambda.arn
		281 |   handler          = "ssh/dbconnect.handler"
		282 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		283 |   runtime          = "nodejs18.x"
		284 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		285 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		286 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		287 |   memory_size      = 128
		288 |   timeout          = 900
		289 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		290 | 
		291 | 
		292 | 
		293 |   environment {
		294 |     variables = {
		295 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		296 | 
		297 |     }
		298 |   }
		299 |   vpc_config {
		300 |     security_group_ids = [aws_security_group.backup_lambda.id]
		301 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		302 |   }
		303 |   tags = merge(
		304 |     local.tags,
		305 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		306 |   )
		307 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.connect_db
	File: /lambda.tf:276-307
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		276 | resource "aws_lambda_function" "connect_db" {
		277 | 
		278 |   description      = "SSH to the DB EC2"
		279 |   function_name    = "connectDBFunction"
		280 |   role             = aws_iam_role.backup_lambda.arn
		281 |   handler          = "ssh/dbconnect.handler"
		282 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		283 |   runtime          = "nodejs18.x"
		284 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		285 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		286 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		287 |   memory_size      = 128
		288 |   timeout          = 900
		289 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		290 | 
		291 | 
		292 | 
		293 |   environment {
		294 |     variables = {
		295 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		296 | 
		297 |     }
		298 |   }
		299 |   vpc_config {
		300 |     security_group_ids = [aws_security_group.backup_lambda.id]
		301 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		302 |   }
		303 |   tags = merge(
		304 |     local.tags,
		305 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		306 |   )
		307 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.connect_db
	File: /lambda.tf:276-307
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		276 | resource "aws_lambda_function" "connect_db" {
		277 | 
		278 |   description      = "SSH to the DB EC2"
		279 |   function_name    = "connectDBFunction"
		280 |   role             = aws_iam_role.backup_lambda.arn
		281 |   handler          = "ssh/dbconnect.handler"
		282 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		283 |   runtime          = "nodejs18.x"
		284 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		285 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		286 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		287 |   memory_size      = 128
		288 |   timeout          = 900
		289 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		290 | 
		291 | 
		292 | 
		293 |   environment {
		294 |     variables = {
		295 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		296 | 
		297 |     }
		298 |   }
		299 |   vpc_config {
		300 |     security_group_ids = [aws_security_group.backup_lambda.id]
		301 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		302 |   }
		303 |   tags = merge(
		304 |     local.tags,
		305 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		306 |   )
		307 | }
Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: module.alb.aws_secretsmanager_secret.cloudfront
	File: /modules/alb/main.tf:275-278
	Calling File: /alb.tf:27-163
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		275 | resource "aws_secretsmanager_secret" "cloudfront" {
		276 |   name        = "cloudfront-v1-secret-${var.application_name}"
		277 |   description = "Simple secret created by AWS CloudFormation to be shared between ALB and CloudFront"
		278 | }

Check: CKV_AWS_233: "Ensure Create before destroy for ACM certificates"
	FAILED for resource: module.alb.aws_acm_certificate.external_lb
	File: /modules/alb/main.tf:427-437
	Calling File: /alb.tf:27-163
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-acm-certificate-enables-create-before-destroy

		427 | resource "aws_acm_certificate" "external_lb" {
		428 | 
		429 |   domain_name               = var.acm_cert_domain_name
		430 |   validation_method         = "DNS"
		431 |   subject_alternative_names = var.environment == "production" ? null : ["${var.application_name}.${var.business_unit}-${var.environment}.${var.acm_cert_domain_name}"]
		432 |   tags                      = var.tags
		433 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		434 |   lifecycle {
		435 |     prevent_destroy = false
		436 |   }
		437 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.alb.s3-bucket[0]
	File: /modules/alb/main.tf:96-151
	Calling File: /alb.tf:27-163
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_300: "Ensure S3 lifecycle configuration sets period for aborting failed uploads"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket_lifecycle_configuration.report_lifecycle
	File: /modules/codebuild/main.tf:25-39
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-300

		25 | resource "aws_s3_bucket_lifecycle_configuration" "report_lifecycle" {
		26 |   bucket = aws_s3_bucket.deployment_report.id
		27 | 
		28 |   rule {
		29 |     id = "monthly-expiration"
		30 |     expiration {
		31 |       days = var.s3_lifecycle_expiration_days
		32 |     }
		33 |     noncurrent_version_expiration {
		34 |       noncurrent_days = var.s3_lifecycle_noncurr_version_expiration_days
		35 |     }
		36 | 
		37 |     status = "Enabled"
		38 |   }
		39 | }

Check: CKV_AWS_163: "Ensure ECR image scanning on push is enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_ecr_repository.local-ecr
	File: /modules/codebuild/main.tf:52-66
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-8

		52 | resource "aws_ecr_repository" "local-ecr" {
		53 |   name                 = "${var.app_name}-local-ecr"
		54 |   image_tag_mutability = "MUTABLE"
		55 | 
		56 |   image_scanning_configuration {
		57 |     scan_on_push = false
		58 |   }
		59 | 
		60 |   tags = merge(
		61 |     var.tags,
		62 |     {
		63 |       Name = "${var.app_name}-local-ecr"
		64 |     },
		65 |   )
		66 | }

Check: CKV_AWS_51: "Ensure ECR Image Tags are immutable"
	FAILED for resource: module.apex-ecr-codebuild.aws_ecr_repository.local-ecr
	File: /modules/codebuild/main.tf:52-66
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-24

		52 | resource "aws_ecr_repository" "local-ecr" {
		53 |   name                 = "${var.app_name}-local-ecr"
		54 |   image_tag_mutability = "MUTABLE"
		55 | 
		56 |   image_scanning_configuration {
		57 |     scan_on_push = false
		58 |   }
		59 | 
		60 |   tags = merge(
		61 |     var.tags,
		62 |     {
		63 |       Name = "${var.app_name}-local-ecr"
		64 |     },
		65 |   )
		66 | }

Check: CKV_AWS_136: "Ensure that ECR repositories are encrypted using KMS"
	FAILED for resource: module.apex-ecr-codebuild.aws_ecr_repository.local-ecr
	File: /modules/codebuild/main.tf:52-66
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ecr-repositories-are-encrypted

		52 | resource "aws_ecr_repository" "local-ecr" {
		53 |   name                 = "${var.app_name}-local-ecr"
		54 |   image_tag_mutability = "MUTABLE"
		55 | 
		56 |   image_scanning_configuration {
		57 |     scan_on_push = false
		58 |   }
		59 | 
		60 |   tags = merge(
		61 |     var.tags,
		62 |     {
		63 |       Name = "${var.app_name}-local-ecr"
		64 |     },
		65 |   )
		66 | }

Check: CKV_AWS_314: "Ensure CodeBuild project environments have a logging configuration"
	FAILED for resource: module.apex-ecr-codebuild.aws_codebuild_project.app-build
	File: /modules/codebuild/main.tf:163-229
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-314

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_316: "Ensure CodeBuild project environments do not have privileged mode enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_codebuild_project.app-build
	File: /modules/codebuild/main.tf:163-229
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-316

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_314: "Ensure CodeBuild project environments have a logging configuration"
	FAILED for resource: module.apex-ecr-codebuild.aws_codebuild_project.test-build
	File: /modules/codebuild/main.tf:231-280
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-314

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: module.apex-ecs.aws_launch_template.ec2-launch-template
	File: /modules/ecs/main.tf:107-164
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_341: "Ensure Launch template should not have a metadata response hop limit greater than 1"
	FAILED for resource: module.apex-ecs.aws_launch_template.ec2-launch-template
	File: /modules/ecs/main.tf:107-164
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-341

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: module.apex-ecs.aws_iam_policy.ec2_instance_policy
	File: /modules/ecs/main.tf:204-237
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		204 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		205 |   name = "${var.app_name}-ec2-instance-policy"
		206 |   tags = merge(
		207 |     var.tags_common,
		208 |     {
		209 |       Name = "${var.app_name}-ec2-instance-policy"
		210 |     }
		211 |   )
		212 |   policy = <<EOF
		213 | {
		214 |     "Version": "2012-10-17",
		215 |     "Statement": [
		216 |         {
		217 |             "Action": [
		218 |                 "ecs:CreateCluster",
		219 |                 "ecs:DeregisterContainerInstance",
		220 |                 "ecs:DiscoverPollEndpoint",
		221 |                 "ecs:Poll",
		222 |                 "ecs:RegisterContainerInstance",
		223 |                 "ecs:StartTelemetrySession",
		224 |                 "ecs:Submit*",
		225 |                 "logs:CreateLogGroup",
		226 |                 "logs:CreateLogStream",
		227 |                 "logs:PutLogEvents",
		228 |                 "logs:DescribeLogStreams",
		229 |                 "ecr:*"
		230 |             ],
		231 |             "Resource": "*",
		232 |             "Effect": "Allow"
		233 |         }
		234 |     ]
		235 | }
		236 | EOF
		237 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.apex-ecs.aws_iam_policy.ec2_instance_policy
	File: /modules/ecs/main.tf:204-237
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		204 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		205 |   name = "${var.app_name}-ec2-instance-policy"
		206 |   tags = merge(
		207 |     var.tags_common,
		208 |     {
		209 |       Name = "${var.app_name}-ec2-instance-policy"
		210 |     }
		211 |   )
		212 |   policy = <<EOF
		213 | {
		214 |     "Version": "2012-10-17",
		215 |     "Statement": [
		216 |         {
		217 |             "Action": [
		218 |                 "ecs:CreateCluster",
		219 |                 "ecs:DeregisterContainerInstance",
		220 |                 "ecs:DiscoverPollEndpoint",
		221 |                 "ecs:Poll",
		222 |                 "ecs:RegisterContainerInstance",
		223 |                 "ecs:StartTelemetrySession",
		224 |                 "ecs:Submit*",
		225 |                 "logs:CreateLogGroup",
		226 |                 "logs:CreateLogStream",
		227 |                 "logs:PutLogEvents",
		228 |                 "logs:DescribeLogStreams",
		229 |                 "ecr:*"
		230 |             ],
		231 |             "Resource": "*",
		232 |             "Effect": "Allow"
		233 |         }
		234 |     ]
		235 | }
		236 | EOF
		237 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: module.apex-ecs.aws_iam_policy.ec2_instance_policy
	File: /modules/ecs/main.tf:204-237
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		204 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		205 |   name = "${var.app_name}-ec2-instance-policy"
		206 |   tags = merge(
		207 |     var.tags_common,
		208 |     {
		209 |       Name = "${var.app_name}-ec2-instance-policy"
		210 |     }
		211 |   )
		212 |   policy = <<EOF
		213 | {
		214 |     "Version": "2012-10-17",
		215 |     "Statement": [
		216 |         {
		217 |             "Action": [
		218 |                 "ecs:CreateCluster",
		219 |                 "ecs:DeregisterContainerInstance",
		220 |                 "ecs:DiscoverPollEndpoint",
		221 |                 "ecs:Poll",
		222 |                 "ecs:RegisterContainerInstance",
		223 |                 "ecs:StartTelemetrySession",
		224 |                 "ecs:Submit*",
		225 |                 "logs:CreateLogGroup",
		226 |                 "logs:CreateLogStream",
		227 |                 "logs:PutLogEvents",
		228 |                 "logs:DescribeLogStreams",
		229 |                 "ecr:*"
		230 |             ],
		231 |             "Resource": "*",
		232 |             "Effect": "Allow"
		233 |         }
		234 |     ]
		235 | }
		236 | EOF
		237 | }

Check: CKV_AWS_249: "Ensure that the Execution Role ARN and the Task Role ARN are different in ECS Task definitions"
	FAILED for resource: module.apex-ecs.aws_ecs_task_definition.windows_ecs_task_definition
	File: /modules/ecs/main.tf:266-287
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-the-aws-execution-role-arn-and-task-role-arn-are-different-in-ecs-task-definitions

		266 | resource "aws_ecs_task_definition" "windows_ecs_task_definition" {
		267 |   family             = "${var.app_name}-task-definition"
		268 |   count              = var.container_instance_type == "windows" ? 1 : 0
		269 |   execution_role_arn = aws_iam_role.ecs_task_execution_role.arn # grants the Amazon ECS container agents permission to make AWS API calls on your behalf
		270 |   task_role_arn      = aws_iam_role.ecs_task_execution_role.arn # assumed by the containers running in the task, allowing your application code (on the container) to use other AWS services
		271 |   requires_compatibilities = [
		272 |     "EC2",
		273 |   ]
		274 | 
		275 |   # volume {
		276 |   #   name = var.task_definition_volume
		277 |   # }
		278 | 
		279 |   container_definitions = var.task_definition
		280 | 
		281 |   tags = merge(
		282 |     var.tags_common,
		283 |     {
		284 |       Name = "${var.app_name}-windows-task-definition"
		285 |     }
		286 |   )
		287 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.apex-ecs.aws_iam_policy.ecs_service
	File: /modules/ecs/main.tf:439-467
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		439 | resource "aws_iam_policy" "ecs_service" { #tfsec:ignore:aws-iam-no-policy-wildcards
		440 |   name = "${var.app_name}-ecs-service-policy"
		441 |   tags = merge(
		442 |     var.tags_common,
		443 |     {
		444 |       Name = "${var.app_name}-ecs-service-policy"
		445 |     }
		446 |   )
		447 |   policy = <<EOF
		448 | {
		449 |   "Version": "2012-10-17",
		450 |   "Statement": [
		451 |     {
		452 |       "Effect": "Allow",
		453 |       "Action": [
		454 |         "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
		455 |         "elasticloadbalancing:DeregisterTargets",
		456 |         "elasticloadbalancing:Describe*",
		457 |         "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
		458 |         "elasticloadbalancing:RegisterTargets",
		459 |         "ec2:Describe*",
		460 |         "ec2:AuthorizeSecurityGroupIngress"
		461 |       ],
		462 |       "Resource": ["*"]
		463 |     }
		464 |   ]
		465 | }
		466 | EOF
		467 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: module.apex-ecs.aws_iam_policy.ecs_service
	File: /modules/ecs/main.tf:439-467
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		439 | resource "aws_iam_policy" "ecs_service" { #tfsec:ignore:aws-iam-no-policy-wildcards
		440 |   name = "${var.app_name}-ecs-service-policy"
		441 |   tags = merge(
		442 |     var.tags_common,
		443 |     {
		444 |       Name = "${var.app_name}-ecs-service-policy"
		445 |     }
		446 |   )
		447 |   policy = <<EOF
		448 | {
		449 |   "Version": "2012-10-17",
		450 |   "Statement": [
		451 |     {
		452 |       "Effect": "Allow",
		453 |       "Action": [
		454 |         "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
		455 |         "elasticloadbalancing:DeregisterTargets",
		456 |         "elasticloadbalancing:Describe*",
		457 |         "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
		458 |         "elasticloadbalancing:RegisterTargets",
		459 |         "ec2:Describe*",
		460 |         "ec2:AuthorizeSecurityGroupIngress"
		461 |       ],
		462 |       "Resource": ["*"]
		463 |     }
		464 |   ]
		465 | }
		466 | EOF
		467 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: module.apex-ecs.aws_cloudwatch_log_group.cloudwatch_group
	File: /modules/ecs/main.tf:488-499
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		488 | resource "aws_cloudwatch_log_group" "cloudwatch_group" {
		489 |   #checkov:skip=CKV_AWS_158:Temporarily skip KMS encryption check while logging solution is being updated
		490 |   name              = "${var.app_name}-ecs-container-logs"
		491 |   retention_in_days = 90
		492 |   kms_key_id        = var.log_group_kms_key
		493 |   tags = merge(
		494 |     var.tags_common,
		495 |     {
		496 |       Name = "${var.app_name}-ecs-container-logs"
		497 |     }
		498 |   )
		499 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: module.apex-ecs.aws_cloudwatch_log_group.ec2
	File: /modules/ecs/main.tf:506-516
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		506 | resource "aws_cloudwatch_log_group" "ec2" {
		507 |   name              = "${var.app_name}-ecs-ec2-logs"
		508 |   retention_in_days = 90
		509 |   kms_key_id        = var.log_group_kms_key
		510 |   tags = merge(
		511 |     var.tags_common,
		512 |     {
		513 |       Name = "${var.app_name}-ecs-ec2-logs"
		514 |     }
		515 |   )
		516 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy.backuplambdapolicy
	File: /modules/lambdapolicy/main.tf:21-58
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		22 |   name   = var.backup_policy_name
		23 |   tags   = var.tags
		24 |   policy = <<EOF
		25 | {
		26 |     "Version" : "2012-10-17",
		27 |     "Statement": [
		28 |         {
		29 |             "Action": [
		30 |                 "lambda:InvokeFunction",
		31 |                 "ec2:CreateNetworkInterface",
		32 |                 "ec2:DescribeNetworkInterfaces",
		33 |                 "ec2:DeleteNetworkInterface",
		34 |                 "ec2:DescribeSecurityGroups",
		35 |                 "ec2:CreateSnapshot",
		36 |                 "ec2:DeleteSnapshot",
		37 |                 "ec2:DescribeSubnets",
		38 |                 "ec2:DescribeVpcs",
		39 |                 "ec2:DescribeInstances",
		40 |                 "ec2:DescribeAddresses",
		41 |                 "ec2:DescribeInstanceStatus",
		42 |                 "ec2:DescribeVolumes",
		43 |                 "ec2:DescribeSnapshots",
		44 |                 "ec2:CreateTags",
		45 |                 "s3:*",
		46 |                 "ssm:*",
		47 |                 "ses:*",
		48 |                 "logs:*",
		49 |                 "cloudwatch:*",
		50 |                 "sts:AssumeRole"
		51 |             ],
		52 |             "Resource": "*",
		53 |             "Effect": "Allow"
		54 |         }
		55 |     ]
		56 | }
		57 | EOF
		58 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.backuplambdapolicy
	File: /modules/lambdapolicy/main.tf:21-58
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		22 |   name   = var.backup_policy_name
		23 |   tags   = var.tags
		24 |   policy = <<EOF
		25 | {
		26 |     "Version" : "2012-10-17",
		27 |     "Statement": [
		28 |         {
		29 |             "Action": [
		30 |                 "lambda:InvokeFunction",
		31 |                 "ec2:CreateNetworkInterface",
		32 |                 "ec2:DescribeNetworkInterfaces",
		33 |                 "ec2:DeleteNetworkInterface",
		34 |                 "ec2:DescribeSecurityGroups",
		35 |                 "ec2:CreateSnapshot",
		36 |                 "ec2:DeleteSnapshot",
		37 |                 "ec2:DescribeSubnets",
		38 |                 "ec2:DescribeVpcs",
		39 |                 "ec2:DescribeInstances",
		40 |                 "ec2:DescribeAddresses",
		41 |                 "ec2:DescribeInstanceStatus",
		42 |                 "ec2:DescribeVolumes",
		43 |                 "ec2:DescribeSnapshots",
		44 |                 "ec2:CreateTags",
		45 |                 "s3:*",
		46 |                 "ssm:*",
		47 |                 "ses:*",
		48 |                 "logs:*",
		49 |                 "cloudwatch:*",
		50 |                 "sts:AssumeRole"
		51 |             ],
		52 |             "Resource": "*",
		53 |             "Effect": "Allow"
		54 |         }
		55 |     ]
		56 | }
		57 | EOF
		58 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.backuplambdapolicy
	File: /modules/lambdapolicy/main.tf:21-58
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		22 |   name   = var.backup_policy_name
		23 |   tags   = var.tags
		24 |   policy = <<EOF
		25 | {
		26 |     "Version" : "2012-10-17",
		27 |     "Statement": [
		28 |         {
		29 |             "Action": [
		30 |                 "lambda:InvokeFunction",
		31 |                 "ec2:CreateNetworkInterface",
		32 |                 "ec2:DescribeNetworkInterfaces",
		33 |                 "ec2:DeleteNetworkInterface",
		34 |                 "ec2:DescribeSecurityGroups",
		35 |                 "ec2:CreateSnapshot",
		36 |                 "ec2:DeleteSnapshot",
		37 |                 "ec2:DescribeSubnets",
		38 |                 "ec2:DescribeVpcs",
		39 |                 "ec2:DescribeInstances",
		40 |                 "ec2:DescribeAddresses",
		41 |                 "ec2:DescribeInstanceStatus",
		42 |                 "ec2:DescribeVolumes",
		43 |                 "ec2:DescribeSnapshots",
		44 |                 "ec2:CreateTags",
		45 |                 "s3:*",
		46 |                 "ssm:*",
		47 |                 "ses:*",
		48 |                 "logs:*",
		49 |                 "cloudwatch:*",
		50 |                 "sts:AssumeRole"
		51 |             ],
		52 |             "Resource": "*",
		53 |             "Effect": "Allow"
		54 |         }
		55 |     ]
		56 | }
		57 | EOF
		58 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_policy.backuplambdapolicy
	File: /modules/lambdapolicy/main.tf:21-58
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		22 |   name   = var.backup_policy_name
		23 |   tags   = var.tags
		24 |   policy = <<EOF
		25 | {
		26 |     "Version" : "2012-10-17",
		27 |     "Statement": [
		28 |         {
		29 |             "Action": [
		30 |                 "lambda:InvokeFunction",
		31 |                 "ec2:CreateNetworkInterface",
		32 |                 "ec2:DescribeNetworkInterfaces",
		33 |                 "ec2:DeleteNetworkInterface",
		34 |                 "ec2:DescribeSecurityGroups",
		35 |                 "ec2:CreateSnapshot",
		36 |                 "ec2:DeleteSnapshot",
		37 |                 "ec2:DescribeSubnets",
		38 |                 "ec2:DescribeVpcs",
		39 |                 "ec2:DescribeInstances",
		40 |                 "ec2:DescribeAddresses",
		41 |                 "ec2:DescribeInstanceStatus",
		42 |                 "ec2:DescribeVolumes",
		43 |                 "ec2:DescribeSnapshots",
		44 |                 "ec2:CreateTags",
		45 |                 "s3:*",
		46 |                 "ssm:*",
		47 |                 "ses:*",
		48 |                 "logs:*",
		49 |                 "cloudwatch:*",
		50 |                 "sts:AssumeRole"
		51 |             ],
		52 |             "Resource": "*",
		53 |             "Effect": "Allow"
		54 |         }
		55 |     ]
		56 | }
		57 | EOF
		58 | }

Check: CKV_AWS_287: "Ensure IAM policies does not allow credentials exposure"
	FAILED for resource: aws_iam_policy.backuplambdapolicy
	File: /modules/lambdapolicy/main.tf:21-58
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-287

		21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		22 |   name   = var.backup_policy_name
		23 |   tags   = var.tags
		24 |   policy = <<EOF
		25 | {
		26 |     "Version" : "2012-10-17",
		27 |     "Statement": [
		28 |         {
		29 |             "Action": [
		30 |                 "lambda:InvokeFunction",
		31 |                 "ec2:CreateNetworkInterface",
		32 |                 "ec2:DescribeNetworkInterfaces",
		33 |                 "ec2:DeleteNetworkInterface",
		34 |                 "ec2:DescribeSecurityGroups",
		35 |                 "ec2:CreateSnapshot",
		36 |                 "ec2:DeleteSnapshot",
		37 |                 "ec2:DescribeSubnets",
		38 |                 "ec2:DescribeVpcs",
		39 |                 "ec2:DescribeInstances",
		40 |                 "ec2:DescribeAddresses",
		41 |                 "ec2:DescribeInstanceStatus",
		42 |                 "ec2:DescribeVolumes",
		43 |                 "ec2:DescribeSnapshots",
		44 |                 "ec2:CreateTags",
		45 |                 "s3:*",
		46 |                 "ssm:*",
		47 |                 "ses:*",
		48 |                 "logs:*",
		49 |                 "cloudwatch:*",
		50 |                 "sts:AssumeRole"
		51 |             ],
		52 |             "Resource": "*",
		53 |             "Effect": "Allow"
		54 |         }
		55 |     ]
		56 | }
		57 | EOF
		58 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.apex
	File: /sns.tf:6-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		6  | resource "aws_sns_topic" "apex" {
		7  |   name = "${local.application_name}-${local.environment}-alerting-topic"
		8  |   tags = merge(
		9  |     local.tags,
		10 |     {
		11 |       Name = "${local.application_name}-${local.environment}-alerting-topic"
		12 |     }
		13 |   )
		14 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: pagerduty_core_alerts
	File: /sns.tf:34-41
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		34 | module "pagerduty_core_alerts" {
		35 |   depends_on = [
		36 |     aws_sns_topic.apex
		37 |   ]
		38 |   source                    = "github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0"
		39 |   sns_topics                = [aws_sns_topic.apex.name]
		40 |   pagerduty_integration_key = local.pagerduty_integration_keys[local.pagerduty_integration_key_name]
		41 | }
Check: CKV_AWS_176: "Ensure Logging is enabled for WAF Web Access Control Lists"
	FAILED for resource: aws_waf_web_acl.waf_acl
	File: /waf.tf:57-87
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-31

		57 | resource "aws_waf_web_acl" "waf_acl" {
		58 |   depends_on = [
		59 |     aws_waf_rule.wafmanualallowrule,
		60 |     aws_waf_rule.wafmanualblockrule,
		61 |   ]
		62 |   name        = "${upper(local.application_name)} Whitelisting Requesters"
		63 |   metric_name = "${upper(local.application_name)}WhitelistingRequesters"
		64 |   #   scope    = "CLOUDFRONT"
		65 |   #   provider = aws.us-east-1
		66 |   default_action {
		67 |     type = "BLOCK"
		68 |   }
		69 | 
		70 |   rules {
		71 |     action {
		72 |       type = "ALLOW"
		73 |     }
		74 |     priority = 1
		75 |     rule_id  = aws_waf_rule.wafmanualallowrule.id
		76 |     type     = "REGULAR"
		77 |   }
		78 | 
		79 |   rules {
		80 |     action {
		81 |       type = "BLOCK"
		82 |     }
		83 |     priority = 2
		84 |     rule_id  = aws_waf_rule.wafmanualblockrule.id
		85 |     type     = "REGULAR"
		86 |   }
		87 | }

Check: CKV2_AWS_47: "Ensure AWS CloudFront attached WAFv2 WebACL is configured with AMR for Log4j Vulnerability"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:177-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-47

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: module.alb.aws_secretsmanager_secret.cloudfront
	File: /modules/alb/main.tf:275-278
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		275 | resource "aws_secretsmanager_secret" "cloudfront" {
		276 |   name        = "cloudfront-v1-secret-${var.application_name}"
		277 |   description = "Simple secret created by AWS CloudFormation to be shared between ALB and CloudFront"
		278 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.cloudfront
	File: /cloudfront.tf:109-122
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		109 | resource "aws_s3_bucket" "cloudfront" {
		110 |   bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		111 |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		112 |   tags = merge(
		113 |     local.tags,
		114 |     {
		115 |       Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		116 |     }
		117 |   )
		118 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		119 |   lifecycle {
		120 |     prevent_destroy = false
		121 |   }
		122 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:107-113
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		107 | resource "aws_s3_bucket" "backup_lambda" {
		108 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		109 |   tags = merge(
		110 |     local.tags,
		111 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		112 |   )
		113 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
	File: /modules/codebuild/main.tf:5-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		5  | resource "aws_s3_bucket" "deployment_report" {
		6  |   bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		7  |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		8  |   tags = merge(
		9  |     var.tags,
		10 |     {
		11 |       Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		12 |     },
		13 |   )
		14 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.laa-lambda-backup
	File: /modules/s3/main.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		1 | resource "aws_s3_bucket" "laa-lambda-backup" {
		2 |   bucket = var.bucket_name
		3 |   tags   = var.tags
		4 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.cloudfront
	File: /cloudfront.tf:109-122
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		109 | resource "aws_s3_bucket" "cloudfront" {
		110 |   bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		111 |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		112 |   tags = merge(
		113 |     local.tags,
		114 |     {
		115 |       Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		116 |     }
		117 |   )
		118 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		119 |   lifecycle {
		120 |     prevent_destroy = false
		121 |   }
		122 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:107-113
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		107 | resource "aws_s3_bucket" "backup_lambda" {
		108 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		109 |   tags = merge(
		110 |     local.tags,
		111 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		112 |   )
		113 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
	File: /modules/codebuild/main.tf:5-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		5  | resource "aws_s3_bucket" "deployment_report" {
		6  |   bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		7  |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		8  |   tags = merge(
		9  |     var.tags,
		10 |     {
		11 |       Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		12 |     },
		13 |   )
		14 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.laa-lambda-backup
	File: /modules/s3/main.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		1 | resource "aws_s3_bucket" "laa-lambda-backup" {
		2 |   bucket = var.bucket_name
		3 |   tags   = var.tags
		4 | }

Check: CKV2_AWS_32: "Ensure CloudFront distribution has a response headers policy attached"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:177-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/bc-aws-networking-65

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AWS_18: "Ensure that Elastic File System (Amazon EFS) file systems are added in the backup plans of AWS Backup"
	FAILED for resource: aws_efs_file_system.efs
	File: /efs.tf:41-55
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-elastic-file-system-amazon-efs-file-systems-are-added-in-the-backup-plans-of-aws-backup

		41 | resource "aws_efs_file_system" "efs" {
		42 |   encrypted        = true
		43 |   kms_key_id       = aws_kms_key.efs.arn
		44 |   performance_mode = "maxIO"
		45 |   throughput_mode  = "bursting"
		46 | 
		47 |   tags = merge(
		48 |     local.tags,
		49 |     { "Name" = "mp-${local.application_name}-efs" }
		50 |   )
		51 | 
		52 |   lifecycle_policy {
		53 |     transition_to_ia = "AFTER_90_DAYS"
		54 |   }
		55 | }

Check: CKV_AWS_378: "Ensure AWS Load Balancer doesn't use HTTP protocol"
	FAILED for resource: module.alb.aws_lb_target_group.alb_target_group
	File: /modules/alb/main.tf:346-373

		346 | resource "aws_lb_target_group" "alb_target_group" {
		347 |   name                 = "${var.application_name}-alb-tg"
		348 |   port                 = var.target_group_port
		349 |   protocol             = var.target_group_protocol
		350 |   vpc_id               = var.vpc_id
		351 |   deregistration_delay = var.target_group_deregistration_delay
		352 |   health_check {
		353 |     interval            = var.healthcheck_interval
		354 |     path                = var.healthcheck_path
		355 |     protocol            = var.healthcheck_protocol
		356 |     timeout             = var.healthcheck_timeout
		357 |     healthy_threshold   = var.healthcheck_healthy_threshold
		358 |     unhealthy_threshold = var.healthcheck_unhealthy_threshold
		359 |   }
		360 |   stickiness {
		361 |     enabled         = var.stickiness_enabled
		362 |     type            = var.stickiness_type
		363 |     cookie_duration = var.stickiness_cookie_duration
		364 |   }
		365 | 
		366 |   tags = merge(
		367 |     var.tags,
		368 |     {
		369 |       Name = "${var.application_name}-alb-tg"
		370 |     },
		371 |   )
		372 | 
		373 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.cloudfront
	File: /cloudfront.tf:109-122
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		109 | resource "aws_s3_bucket" "cloudfront" {
		110 |   bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		111 |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		112 |   tags = merge(
		113 |     local.tags,
		114 |     {
		115 |       Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		116 |     }
		117 |   )
		118 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		119 |   lifecycle {
		120 |     prevent_destroy = false
		121 |   }
		122 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:107-113
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		107 | resource "aws_s3_bucket" "backup_lambda" {
		108 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		109 |   tags = merge(
		110 |     local.tags,
		111 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		112 |   )
		113 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
	File: /modules/codebuild/main.tf:5-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		5  | resource "aws_s3_bucket" "deployment_report" {
		6  |   bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		7  |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		8  |   tags = merge(
		9  |     var.tags,
		10 |     {
		11 |       Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		12 |     },
		13 |   )
		14 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.laa-lambda-backup
	File: /modules/s3/main.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		1 | resource "aws_s3_bucket" "laa-lambda-backup" {
		2 |   bucket = var.bucket_name
		3 |   tags   = var.tags
		4 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.u01-orahome
	File: /ec2.tf:169-184
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		169 | resource "aws_ebs_volume" "u01-orahome" {
		170 |   availability_zone = "eu-west-2a"
		171 |   size              = local.application_data.accounts[local.environment].u01_orahome_size
		172 |   type              = "gp3"
		173 |   encrypted         = true
		174 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		175 |   snapshot_id       = local.application_data.accounts[local.environment].u01_orahome_snapshot
		176 |   lifecycle {
		177 |     ignore_changes = [kms_key_id]
		178 |   }
		179 |   tags = merge(
		180 |     local.tags,
		181 |     { "Name" = "${local.application_name}db-ec2-u01-orahome" },
		182 |     { "backup" = "false" }
		183 |   )
		184 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.u02-oradata
	File: /ec2.tf:191-206
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		191 | resource "aws_ebs_volume" "u02-oradata" {
		192 |   availability_zone = "eu-west-2a"
		193 |   size              = local.application_data.accounts[local.environment].u02_oradata_size
		194 |   type              = "gp3"
		195 |   encrypted         = true
		196 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		197 |   snapshot_id       = local.application_data.accounts[local.environment].u02_oradata_snapshot
		198 |   lifecycle {
		199 |     ignore_changes = [kms_key_id]
		200 |   }
		201 |   tags = merge(
		202 |     local.tags,
		203 |     { "Name" = "${local.application_name}db-ec2-u02-oradata" },
		204 |     { "backup" = "false" }
		205 |   )
		206 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.u03-redo
	File: /ec2.tf:216-231
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		216 | resource "aws_ebs_volume" "u03-redo" {
		217 |   availability_zone = "eu-west-2a"
		218 |   size              = local.application_data.accounts[local.environment].u03_redo_size
		219 |   type              = "gp3"
		220 |   encrypted         = true
		221 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		222 |   snapshot_id       = local.application_data.accounts[local.environment].u03_redo_snapshot
		223 |   lifecycle {
		224 |     ignore_changes = [kms_key_id]
		225 |   }
		226 |   tags = merge(
		227 |     local.tags,
		228 |     { "Name" = "${local.application_name}db-ec2-u03-redo" },
		229 |     { "backup" = "false" }
		230 |   )
		231 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.u04-arch
	File: /ec2.tf:238-253
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		238 | resource "aws_ebs_volume" "u04-arch" {
		239 |   availability_zone = "eu-west-2a"
		240 |   size              = local.application_data.accounts[local.environment].u04_arch_size
		241 |   type              = "gp3"
		242 |   encrypted         = true
		243 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		244 |   snapshot_id       = local.application_data.accounts[local.environment].u04_arch_snapshot
		245 |   lifecycle {
		246 |     ignore_changes = [kms_key_id]
		247 |   }
		248 |   tags = merge(
		249 |     local.tags,
		250 |     { "Name" = "${local.application_name}db-ec2-u04-arch" },
		251 |     { "backup" = "false" }
		252 |   )
		253 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.cloudfront
	File: /cloudfront.tf:109-122
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		109 | resource "aws_s3_bucket" "cloudfront" {
		110 |   bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		111 |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		112 |   tags = merge(
		113 |     local.tags,
		114 |     {
		115 |       Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		116 |     }
		117 |   )
		118 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		119 |   lifecycle {
		120 |     prevent_destroy = false
		121 |   }
		122 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:107-113
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		107 | resource "aws_s3_bucket" "backup_lambda" {
		108 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		109 |   tags = merge(
		110 |     local.tags,
		111 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		112 |   )
		113 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
	File: /modules/codebuild/main.tf:5-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		5  | resource "aws_s3_bucket" "deployment_report" {
		6  |   bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		7  |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		8  |   tags = merge(
		9  |     var.tags,
		10 |     {
		11 |       Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		12 |     },
		13 |   )
		14 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.laa-lambda-backup
	File: /modules/s3/main.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		1 | resource "aws_s3_bucket" "laa-lambda-backup" {
		2 |   bucket = var.bucket_name
		3 |   tags   = var.tags
		4 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.cloudfront
	File: /cloudfront.tf:109-122
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		109 | resource "aws_s3_bucket" "cloudfront" {
		110 |   bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		111 |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		112 |   tags = merge(
		113 |     local.tags,
		114 |     {
		115 |       Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		116 |     }
		117 |   )
		118 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		119 |   lifecycle {
		120 |     prevent_destroy = false
		121 |   }
		122 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV2_AWS_65: "Ensure access control lists for S3 buckets are disabled"
	FAILED for resource: aws_s3_bucket_ownership_controls.backup_lambda
	File: /lambda.tf:130-135
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-112

		130 | resource "aws_s3_bucket_ownership_controls" "backup_lambda" {
		131 |   bucket = aws_s3_bucket.backup_lambda.id
		132 |   rule {
		133 |     object_ownership = "ObjectWriter"
		134 |   }
		135 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:107-113
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		107 | resource "aws_s3_bucket" "backup_lambda" {
		108 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		109 |   tags = merge(
		110 |     local.tags,
		111 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		112 |   )
		113 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.laa-lambda-backup
	File: /modules/s3/main.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		1 | resource "aws_s3_bucket" "laa-lambda-backup" {
		2 |   bucket = var.bucket_name
		3 |   tags   = var.tags
		4 | }

Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
	File: /modules/codebuild/main.tf:5-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		5  | resource "aws_s3_bucket" "deployment_report" {
		6  |   bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		7  |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		8  |   tags = merge(
		9  |     var.tags,
		10 |     {
		11 |       Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		12 |     },
		13 |   )
		14 | }

Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV2_AWS_46: "Ensure AWS CloudFront Distribution with S3 have Origin Access set to enabled"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:177-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-aws-cloudfromt-distribution-with-s3-have-origin-access-set-to-enabled

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
terraform_plan scan results:

Passed checks: 0, Failed checks: 0, Skipped checks: 0, Parsing errors: 1


checkov_exitcode=1

TFLint Scan Failed

*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/apex

*****************************

Running tflint in terraform/environments/apex
Excluding the following checks: terraform_unused_declarations
7 issue(s) found:

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/apex/alb.tf line 17:
  17:     "${local.application_data.accounts[local.environment].acm_cert_domain_name}" = {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/apex/alb.tf line 19:
  19:       zone_name = "${local.application_data.accounts[local.environment].acm_cert_domain_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "template" in `required_providers` (terraform_required_providers)

  on terraform/environments/apex/cloudwatch.tf line 401:
 401: data "template_file" "dashboard" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "local" in `required_providers` (terraform_required_providers)

  on terraform/environments/apex/ec2.tf line 42:
  42: data "local_file" "cloudwatch_agent" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/apex/event_triggers.tf line 22:
  22:   input = jsonencode({ "appname" : "${local.database_ec2_name}" })

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "time" in `required_providers` (terraform_required_providers)

  on terraform/environments/apex/lambda.tf line 125:
 125: resource "time_sleep" "wait_for_provision_files" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "archive" in `required_providers` (terraform_required_providers)

  on terraform/environments/apex/lambda.tf line 179:
 179: data "archive_file" "connect_db" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

tflint_exitcode=2

Trivy Scan Failed

*****************************

Trivy will check the following folders:
terraform/environments/apex

*****************************

Running Trivy in terraform/environments/apex
2024-12-03T14:07:13Z	INFO	[vulndb] Need to update DB
2024-12-03T14:07:13Z	INFO	[vulndb] Downloading vulnerability DB...
2024-12-03T14:07:13Z	INFO	[vulndb] Downloading artifact...	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-03T14:07:16Z	INFO	[vulndb] Artifact successfully downloaded	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-03T14:07:16Z	INFO	[vuln] Vulnerability scanning is enabled
2024-12-03T14:07:16Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-12-03T14:07:16Z	INFO	[misconfig] Need to update the built-in checks
2024-12-03T14:07:16Z	INFO	[misconfig] Downloading the built-in checks...
2024-12-03T14:07:16Z	ERROR	[misconfig] Falling back to embedded checks	err="failed to download built-in policies: download error: OCI repository error: 1 error occurred:\n\t* GET https://ghcr.io/v2/aquasecurity/trivy-checks/manifests/1: TOOMANYREQUESTS: retry-after: 845.342µs, allowed: 44000/minute\n\n"
2024-12-03T14:07:16Z	INFO	[secret] Secret scanning is enabled
2024-12-03T14:07:16Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-12-03T14:07:16Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-12-03T14:07:17Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-12-03T14:07:17Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2024-12-03T14:07:17Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="aws_waf_ipset.wafmanualallowset" err="1 error occurred:\n\t* invalid for-each in aws_waf_ipset.wafmanualallowset.dynamic.ip_set_descriptors block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-03T14:07:17Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="aws_waf_ipset.wafmanualallowset" err="1 error occurred:\n\t* invalid for-each in aws_waf_ipset.wafmanualallowset.dynamic.ip_set_descriptors block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-03T14:07:18Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.aws_route53_record.external_lb_validation_core_network_services" value="cty.NilVal"
2024-12-03T14:07:18Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.aws_route53_record.external_lb_validation_core_vpc" value="cty.NilVal"
2024-12-03T14:07:18Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.aws_route53_record.external_lb_validation_self" value="cty.NilVal"
2024-12-03T14:07:18Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.data.aws_route53_zone.core_network_services" value="cty.NilVal"
2024-12-03T14:07:18Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.data.aws_route53_zone.core_vpc" value="cty.NilVal"
2024-12-03T14:07:18Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.data.aws_route53_zone.self" value="cty.NilVal"
2024-12-03T14:07:18Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.apex-ecs.aws_autoscaling_group.cluster-scaling-group" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.cluster-scaling-group.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-03T14:07:18Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.apex-ecs.aws_autoscaling_group.cluster-scaling-group" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.cluster-scaling-group.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-03T14:07:18Z	INFO	[terraform scanner] Scanning root module	file_path="modules/lambdapolicy"
2024-12-03T14:07:18Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="tags"
2024-12-03T14:07:18Z	INFO	[terraform scanner] Scanning root module	file_path="modules/s3"
2024-12-03T14:07:18Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="tags"
2024-12-03T14:07:20Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0/main.tf:171-179"
2024-12-03T14:07:20Z	INFO	[terraform executor] Ignore finding	rule="aws-elb-alb-not-public" range="modules/alb/main.tf:210-234"
2024-12-03T14:07:20Z	INFO	Number of language-specific files	num=0
2024-12-03T14:07:20Z	INFO	Detected config files	num=12

cloudfront.tf (terraform)
=========================
Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0013 (HIGH): Distribution allows unencrypted communications.
════════════════════════════════════════
You should not use outdated/insecure TLS versions for encryption. You should be using TLS v1.2+.
Note: that setting *minimum_protocol_version = "TLSv1.2_2021"* is only possible when *cloudfront_default_certificate* is false (eg. you are not using the cloudfront.net domain name).
If *cloudfront_default_certificate* is true then the Cloudfront API will only allow setting *minimum_protocol_version = "TLSv1"*, and setting it to any other value will result in a perpetual diff in your *terraform plan*'s.
The only option when using the cloudfront.net domain name is to ignore this rule.


See https://avd.aquasec.com/misconfig/avd-aws-0013
────────────────────────────────────────
 cloudfront.tf:241-245
   via cloudfront.tf:177-267 (aws_cloudfront_distribution.external)
────────────────────────────────────────
 177   resource "aws_cloudfront_distribution" "external" {
 ...   
 241 ┌   viewer_certificate {
 242 │     acm_certificate_arn      = aws_acm_certificate.cloudfront.arn
 243 │     ssl_support_method       = "sni-only"
 244 │     minimum_protocol_version = "TLSv1.2_2018"
 245 └   }
 ...   
 267   }
────────────────────────────────────────


AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.


See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 cloudfront.tf:131-142
────────────────────────────────────────
 131 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "cloudfront" {
 132 │   bucket = aws_s3_bucket.cloudfront.id
 133 │   rule {
 134 │     apply_server_side_encryption_by_default {
 135 │       sse_algorithm = "AES256"
 136 │     }
 137 │   }
 138 │   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
 139 └   lifecycle {
 ...   
────────────────────────────────────────



ec2.tf (terraform)
==================
Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 ec2.tf:6-40
────────────────────────────────────────
   6 ┌ resource "aws_instance" "apex_db_instance" {
   7 │   ami                         = local.application_data.accounts[local.environment].ec2amiid
   8 │   associate_public_ip_address = false
   9 │   availability_zone           = "eu-west-2a"
  10 │   ebs_optimized               = true
  11 │   instance_type               = local.application_data.accounts[local.environment].ec2instancetype
  12 │   vpc_security_group_ids      = [aws_security_group.database.id]
  13 │   monitoring                  = true
  14 └   subnet_id                   = data.aws_subnet.data_subnets_a.id
  ..   
────────────────────────────────────────



lambda.tf (terraform)
=====================
Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0088 (HIGH): Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.


See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
 lambda.tf:107-113
────────────────────────────────────────
 107 ┌ resource "aws_s3_bucket" "backup_lambda" {
 108 │   bucket = "${local.application_name}-${local.environment}-backup-lambda"
 109 │   tags = merge(
 110 │     local.tags,
 111 │     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
 112 │   )
 113 └ }
────────────────────────────────────────


AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.


See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 lambda.tf:107-113
────────────────────────────────────────
 107 ┌ resource "aws_s3_bucket" "backup_lambda" {
 108 │   bucket = "${local.application_name}-${local.environment}-backup-lambda"
 109 │   tags = merge(
 110 │     local.tags,
 111 │     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
 112 │   )
 113 └ }
────────────────────────────────────────



modules/ecs/main.tf (terraform)
===============================
Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0130 (HIGH): Launch template does not require IMDS access to require a token
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/aws-autoscaling-enforce-http-token-imds
────────────────────────────────────────
 modules/ecs/main.tf:119-123
   via modules/ecs/main.tf:107-164 (aws_launch_template.ec2-launch-template)
    via ecs.tf:5-38 (module.apex-ecs)
────────────────────────────────────────
 107   resource "aws_launch_template" "ec2-launch-template" {
 ...   
 119 ┌   metadata_options {
 120 │     http_endpoint               = "enabled"
 121 │     http_tokens                 = "optional"
 122 │     http_put_response_hop_limit = "2"
 123 └   }
 ...   
 164   }
────────────────────────────────────────



modules/s3/main.tf (terraform)
==============================
Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0088 (HIGH): Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.


See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
 modules/s3/main.tf:1-4
────────────────────────────────────────
   1 ┌ resource "aws_s3_bucket" "laa-lambda-backup" {
   2 │   bucket = var.bucket_name
   3 │   tags   = var.tags
   4 └ }
────────────────────────────────────────


AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.


See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 modules/s3/main.tf:1-4
────────────────────────────────────────
   1 ┌ resource "aws_s3_bucket" "laa-lambda-backup" {
   2 │   bucket = var.bucket_name
   3 │   tags   = var.tags
   4 └ }
────────────────────────────────────────


trivy_exitcode=1

…ecksum_256 attribute from aws_s3_object, so reverting back to hard coded value
Contributor

github-actions bot commented Dec 3, 2024

Trivy Scan Failed

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/apex


Running Trivy in terraform/environments/apex
2024-12-03T14:16:26Z INFO [vulndb] Need to update DB
2024-12-03T14:16:26Z INFO [vulndb] Downloading vulnerability DB...
2024-12-03T14:16:26Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-03T14:16:28Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-03T14:16:28Z INFO [vuln] Vulnerability scanning is enabled
2024-12-03T14:16:28Z INFO [misconfig] Misconfiguration scanning is enabled
2024-12-03T14:16:28Z INFO [misconfig] Need to update the built-in checks
2024-12-03T14:16:28Z INFO [misconfig] Downloading the built-in checks...
160.80 KiB / 160.80 KiB [------------------------------------------------------] 100.00% ? p/s 100ms
2024-12-03T14:16:29Z INFO [secret] Secret scanning is enabled
2024-12-03T14:16:29Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-12-03T14:16:29Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-12-03T14:16:31Z INFO [terraform scanner] Scanning root module file_path="."
2024-12-03T14:16:31Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2024-12-03T14:16:31Z ERROR [terraform evaluator] Failed to expand dynamic block. block="aws_waf_ipset.wafmanualallowset" err="1 error occurred:\n\t* invalid for-each in aws_waf_ipset.wafmanualallowset.dynamic.ip_set_descriptors block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-03T14:16:31Z ERROR [terraform evaluator] Failed to expand dynamic block. block="aws_waf_ipset.wafmanualallowset" err="1 error occurred:\n\t* invalid for-each in aws_waf_ipset.wafmanualallowset.dynamic.ip_set_descriptors block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-03T14:16:31Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.aws_route53_record.external_lb_validation_core_network_services" value="cty.NilVal"
2024-12-03T14:16:31Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.aws_route53_record.external_lb_validation_core_vpc" value="cty.NilVal"
2024-12-03T14:16:31Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.aws_route53_record.external_lb_validation_self" value="cty.NilVal"
2024-12-03T14:16:31Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.data.aws_route53_zone.core_network_services" value="cty.NilVal"
2024-12-03T14:16:31Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.data.aws_route53_zone.core_vpc" value="cty.NilVal"
2024-12-03T14:16:31Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.data.aws_route53_zone.self" value="cty.NilVal"
2024-12-03T14:16:31Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.apex-ecs.aws_autoscaling_group.cluster-scaling-group" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.cluster-scaling-group.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-03T14:16:31Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.apex-ecs.aws_autoscaling_group.cluster-scaling-group" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.cluster-scaling-group.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-03T14:16:31Z INFO [terraform scanner] Scanning root module file_path="modules/lambdapolicy"
2024-12-03T14:16:31Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="tags"
2024-12-03T14:16:31Z INFO [terraform scanner] Scanning root module file_path="modules/s3"
2024-12-03T14:16:31Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="tags"
2024-12-03T14:16:33Z INFO [terraform executor] Ignore finding rule="aws-elb-alb-not-public" range="modules/alb/main.tf:214"
2024-12-03T14:16:33Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0/main.tf:171-179"
2024-12-03T14:16:33Z INFO Number of language-specific files num=0
2024-12-03T14:16:33Z INFO Detected config files num=12

cloudfront.tf (terraform)

Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0013 (HIGH): Distribution allows unencrypted communications.
════════════════════════════════════════
You should not use outdated/insecure TLS versions for encryption. You should be using TLS v1.2+.
Note: that setting minimum_protocol_version = "TLSv1.2_2021" is only possible when cloudfront_default_certificate is false (eg. you are not using the cloudfront.net domain name).
If cloudfront_default_certificate is true then the Cloudfront API will only allow setting minimum_protocol_version = "TLSv1", and setting it to any other value will result in a perpetual diff in your terraform plan's.
The only option when using the cloudfront.net domain name is to ignore this rule.

See https://avd.aquasec.com/misconfig/avd-aws-0013
────────────────────────────────────────
cloudfront.tf:244
via cloudfront.tf:241-245 (viewer_certificate)
via cloudfront.tf:177-267 (aws_cloudfront_distribution.external)
────────────────────────────────────────
177 resource "aws_cloudfront_distribution" "external" {
...
244 [ minimum_protocol_version = "TLSv1.2_2018"
...
267 }
────────────────────────────────────────

AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
cloudfront.tf:131-142
────────────────────────────────────────
131 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "cloudfront" {
132 │ bucket = aws_s3_bucket.cloudfront.id
133 │ rule {
134 │ apply_server_side_encryption_by_default {
135 │ sse_algorithm = "AES256"
136 │ }
137 │ }
138 │ # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
139 └ lifecycle {
...
────────────────────────────────────────

ec2.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
ec2.tf:6-40
────────────────────────────────────────
6 ┌ resource "aws_instance" "apex_db_instance" {
7 │ ami = local.application_data.accounts[local.environment].ec2amiid
8 │ associate_public_ip_address = false
9 │ availability_zone = "eu-west-2a"
10 │ ebs_optimized = true
11 │ instance_type = local.application_data.accounts[local.environment].ec2instancetype
12 │ vpc_security_group_ids = [aws_security_group.database.id]
13 │ monitoring = true
14 └ subnet_id = data.aws_subnet.data_subnets_a.id
..
────────────────────────────────────────

lambda.tf (terraform)

Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0088 (HIGH): Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.

See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
lambda.tf:107-113
────────────────────────────────────────
107 ┌ resource "aws_s3_bucket" "backup_lambda" {
108 │ bucket = "${local.application_name}-${local.environment}-backup-lambda"
109 │ tags = merge(
110 │ local.tags,
111 │ { Name = "${local.application_name}-${local.environment}-backup-lambda" }
112 │ )
113 └ }
────────────────────────────────────────

AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
lambda.tf:107-113
────────────────────────────────────────
107 ┌ resource "aws_s3_bucket" "backup_lambda" {
108 │ bucket = "${local.application_name}-${local.environment}-backup-lambda"
109 │ tags = merge(
110 │ local.tags,
111 │ { Name = "${local.application_name}-${local.environment}-backup-lambda" }
112 │ )
113 └ }
────────────────────────────────────────

modules/ecs/main.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0130 (HIGH): Launch template does not require IMDS access to require a token
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/aws-autoscaling-enforce-http-token-imds
────────────────────────────────────────
modules/ecs/main.tf:121
via modules/ecs/main.tf:119-123 (metadata_options)
via modules/ecs/main.tf:107-164 (aws_launch_template.ec2-launch-template)
via ecs.tf:5-38 (module.apex-ecs)
────────────────────────────────────────
107 resource "aws_launch_template" "ec2-launch-template" {
...
121 [ http_tokens = "optional"
...
164 }
────────────────────────────────────────

modules/s3/main.tf (terraform)

Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0088 (HIGH): Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.

See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
modules/s3/main.tf:1-4
────────────────────────────────────────
1 ┌ resource "aws_s3_bucket" "laa-lambda-backup" {
2 │ bucket = var.bucket_name
3 │ tags = var.tags
4 └ }
────────────────────────────────────────

AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
modules/s3/main.tf:1-4
────────────────────────────────────────
1 ┌ resource "aws_s3_bucket" "laa-lambda-backup" {
2 │ bucket = var.bucket_name
3 │ tags = var.tags
4 └ }
────────────────────────────────────────

trivy_exitcode=1

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/apex

*****************************

Running Checkov in terraform/environments/apex
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-12-03 14:16:35,489 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0:None (for external modules, the --download-external-modules flag is required)
2024-12-03 14:16:35,489 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 368, Failed checks: 102, Skipped checks: 5, Parsing errors: 1

Check: CKV_AWS_166: "Ensure Backup Vault is encrypted at rest using KMS CMK"
	FAILED for resource: aws_backup_vault.apex
	File: /backups.tf:6-12
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-backup-vault-is-encrypted-at-rest-using-kms-cmk

		6  | resource "aws_backup_vault" "apex" {
		7  |   name = "${local.application_name}-backup-vault"
		8  |   tags = merge(
		9  |     local.tags,
		10 |     { "Name" = "${local.application_name}-backup-vault" },
		11 |   )
		12 | }

Check: CKV_AWS_166: "Ensure Backup Vault is encrypted at rest using KMS CMK"
	FAILED for resource: aws_backup_vault.prod_apex
	File: /backups.tf:64-71
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-backup-vault-is-encrypted-at-rest-using-kms-cmk

		64 | resource "aws_backup_vault" "prod_apex" {
		65 |   count = local.environment == "production" ? 1 : 0
		66 |   name  = "${local.application_name}-production-backup-vault"
		67 |   tags = merge(
		68 |     local.tags,
		69 |     { "Name" = "${local.application_name}-production-backup-vault" },
		70 |   )
		71 | }

Check: CKV_AWS_300: "Ensure S3 lifecycle configuration sets period for aborting failed uploads"
	FAILED for resource: aws_s3_bucket_lifecycle_configuration.cloudfront
	File: /cloudfront.tf:157-175
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-300

		157 | resource "aws_s3_bucket_lifecycle_configuration" "cloudfront" {
		158 |   count  = local.environment == "production" ? 1 : 0
		159 |   bucket = aws_s3_bucket.cloudfront.id
		160 | 
		161 |   rule {
		162 |     id = "delete-after-90days"
		163 | 
		164 |     expiration {
		165 |       days = 90
		166 |     }
		167 | 
		168 |     noncurrent_version_expiration {
		169 |       newer_noncurrent_versions = 1
		170 |       noncurrent_days           = 90
		171 |     }
		172 | 
		173 |     status = "Enabled"
		174 |   }
		175 | }

Check: CKV_AWS_310: "Ensure CloudFront distributions should have origin failover configured"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:177-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-310

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_374: "Ensure AWS CloudFront web distribution has geo restriction enabled"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:177-267

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_305: "Ensure CloudFront distribution has a default root object configured"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:177-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-305

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_233: "Ensure Create before destroy for ACM certificates"
	FAILED for resource: aws_acm_certificate.cloudfront
	File: /cloudfront.tf:295-305
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-acm-certificate-enables-create-before-destroy

		295 | resource "aws_acm_certificate" "cloudfront" {
		296 |   domain_name               = local.cloudfront_domain
		297 |   validation_method         = "DNS"
		298 |   provider                  = aws.us-east-1
		299 |   subject_alternative_names = local.environment == "production" ? null : [local.lower_env_cloudfront_url]
		300 |   tags                      = local.tags
		301 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		302 |   lifecycle {
		303 |     prevent_destroy = false
		304 |   }
		305 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.apex_db_instance
	File: /ec2.tf:6-40
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		6  | resource "aws_instance" "apex_db_instance" {
		7  |   ami                         = local.application_data.accounts[local.environment].ec2amiid
		8  |   associate_public_ip_address = false
		9  |   availability_zone           = "eu-west-2a"
		10 |   ebs_optimized               = true
		11 |   instance_type               = local.application_data.accounts[local.environment].ec2instancetype
		12 |   vpc_security_group_ids      = [aws_security_group.database.id]
		13 |   monitoring                  = true
		14 |   subnet_id                   = data.aws_subnet.data_subnets_a.id
		15 |   iam_instance_profile        = aws_iam_instance_profile.ec2_instance_profile.id
		16 |   key_name                    = aws_key_pair.apex.key_name
		17 |   user_data_base64            = base64encode(local.database-instance-userdata)
		18 |   user_data_replace_on_change = false
		19 | 
		20 | 
		21 |   root_block_device {
		22 |     delete_on_termination = false
		23 |     encrypted             = true # TODO Confirm if encrypted volumes can work for OAS, as it looks like in MP they must be encrypted
		24 |     volume_size           = 60
		25 |     volume_type           = "gp2"
		26 |     tags = merge(
		27 |       local.tags,
		28 |       { "Name" = "${local.application_name}db-ec2-root" },
		29 |       { "backup" = "false" }
		30 |     )
		31 |   }
		32 | 
		33 |   tags = merge(
		34 |     local.tags,
		35 |     { "Name" = local.database_ec2_name },
		36 |     { "instance-scheduling" = "skip-scheduling" },
		37 |     { "backup" = "false" },
		38 |     local.backup_schedule_tags
		39 |   )
		40 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.db_lambda
	File: /ec2.tf:77-84
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		77 | resource "aws_vpc_security_group_ingress_rule" "db_lambda" {
		78 |   security_group_id            = aws_security_group.database.id
		79 |   description                  = "Allow Lambda SSH access for backup snapshots"
		80 |   referenced_security_group_id = aws_security_group.backup_lambda.id
		81 |   from_port                    = 22
		82 |   ip_protocol                  = "tcp"
		83 |   to_port                      = 22
		84 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.db_outbound
	File: /ec2.tf:105-109
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		105 | resource "aws_vpc_security_group_egress_rule" "db_outbound" {
		106 |   security_group_id = aws_security_group.database.id
		107 |   cidr_ipv4         = "0.0.0.0/0"
		108 |   ip_protocol       = "-1"
		109 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.ec2_instance_policy
	File: /ec2.tf:136-167
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		136 | resource "aws_iam_role_policy" "ec2_instance_policy" {
		137 |   name = "${local.application_name}-ec2-policy"
		138 |   role = aws_iam_role.ec2_instance_role.id
		139 |   policy = jsonencode({
		140 |     Version = "2012-10-17"
		141 |     Statement = [
		142 |       {
		143 |         Effect = "Allow",
		144 |         Action = [
		145 |           "logs:CreateLogGroup",
		146 |           "logs:CreateLogStream",
		147 |           "logs:DescribeLogStreams",
		148 |           "logs:PutRetentionPolicy",
		149 |           "logs:PutLogEvents",
		150 |           "logs:DescribeLogGroups",
		151 |           "cloudwatch:PutMetricData",
		152 |           "cloudwatch:GetMetricStatistics",
		153 |           "cloudwatch:ListMetrics",
		154 |           "ec2:DescribeInstances",
		155 |         ],
		156 |         Resource = "*"
		157 |       },
		158 |       {
		159 |         Effect = "Allow",
		160 |         Action = [
		161 |           "ec2:CreateTags"
		162 |         ],
		163 |         Resource = "*"
		164 |       }
		165 |     ]
		166 |   })
		167 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.ec2_instance_policy
	File: /ec2.tf:136-167
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		136 | resource "aws_iam_role_policy" "ec2_instance_policy" {
		137 |   name = "${local.application_name}-ec2-policy"
		138 |   role = aws_iam_role.ec2_instance_role.id
		139 |   policy = jsonencode({
		140 |     Version = "2012-10-17"
		141 |     Statement = [
		142 |       {
		143 |         Effect = "Allow",
		144 |         Action = [
		145 |           "logs:CreateLogGroup",
		146 |           "logs:CreateLogStream",
		147 |           "logs:DescribeLogStreams",
		148 |           "logs:PutRetentionPolicy",
		149 |           "logs:PutLogEvents",
		150 |           "logs:DescribeLogGroups",
		151 |           "cloudwatch:PutMetricData",
		152 |           "cloudwatch:GetMetricStatistics",
		153 |           "cloudwatch:ListMetrics",
		154 |           "ec2:DescribeInstances",
		155 |         ],
		156 |         Resource = "*"
		157 |       },
		158 |       {
		159 |         Effect = "Allow",
		160 |         Action = [
		161 |           "ec2:CreateTags"
		162 |         ],
		163 |         Resource = "*"
		164 |       }
		165 |     ]
		166 |   })
		167 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.database
	File: /ec2.tf:269-279
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		269 | resource "aws_cloudwatch_log_group" "database" {
		270 |   name              = "${upper(local.application_name)}-EC2-database-alert"
		271 |   retention_in_days = 0
		272 |   # kms_key_id = aws_kms_key.cloudwatch_logs_key.arn # Not encrypted in LZ
		273 |   tags = merge(
		274 |     local.tags,
		275 |     {
		276 |       Name = "${upper(local.application_name)}-EC2-database-alert"
		277 |     }
		278 |   )
		279 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.pmon_status
	File: /ec2.tf:294-304
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		294 | resource "aws_cloudwatch_log_group" "pmon_status" {
		295 |   name              = "${upper(local.application_name)}-EC2-database-pmon-status"
		296 |   retention_in_days = 0
		297 |   # kms_key_id = aws_kms_key.cloudwatch_logs_key.arn # Not encrypted in LZ
		298 |   tags = merge(
		299 |     local.tags,
		300 |     {
		301 |       Name = "${upper(local.application_name)}-EC2-database-pmon-status"
		302 |     }
		303 |   )
		304 | }

Check: CKV_AWS_7: "Ensure rotation for customer created CMKs is enabled"
	FAILED for resource: aws_kms_key.efs
	File: /efs.tf:1-5
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/logging-8

		1 | resource "aws_kms_key" "efs" {
		2 |   description = "KMS key for encrypting EFS"
		3 |   # enable_key_rotation = true
		4 |   tags = local.tags
		5 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.ssh_key
	File: /lambda.tf:8-23
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		8  | resource "aws_ssm_parameter" "ssh_key" {
		9  |   name        = "EC2_SSH_KEY" # This needs to match the name supplied to the dbconnect.js script
		10 |   description = "SSH Key used by Lambda function to access database instance for backup. Value is updated manually."
		11 |   type        = "SecureString"
		12 |   value       = "Placeholder"
		13 | 
		14 |   tags = merge(
		15 |     local.tags,
		16 |     { Name = "EC2_SSH_KEY" }
		17 |   )
		18 |   lifecycle {
		19 |     ignore_changes = [
		20 |       value,
		21 |     ]
		22 |   }
		23 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:51-91
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		51 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		52 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		53 |   tags = merge(
		54 |     local.tags,
		55 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		56 |   )
		57 |   policy = <<EOF
		58 | {
		59 |     "Version" : "2012-10-17",
		60 |     "Statement": [
		61 |         {
		62 |             "Action": [
		63 |                 "lambda:InvokeFunction",
		64 |                 "ec2:CreateNetworkInterface",
		65 |                 "ec2:DescribeNetworkInterfaces",
		66 |                 "ec2:DeleteNetworkInterface",
		67 |                 "ec2:DescribeSecurityGroups",
		68 |                 "ec2:CreateSnapshot",
		69 |                 "ec2:DeleteSnapshot",
		70 |                 "ec2:DescribeSubnets",
		71 |                 "ec2:DescribeVpcs",
		72 |                 "ec2:DescribeInstances",
		73 |                 "ec2:DescribeAddresses",
		74 |                 "ec2:DescribeInstanceStatus",
		75 |                 "ec2:DescribeVolumes",
		76 |                 "ec2:DescribeSnapshots",
		77 |                 "ec2:CreateTags",
		78 |                 "s3:*",
		79 |                 "ssm:*",
		80 |                 "ses:*",
		81 |                 "logs:*",
		82 |                 "cloudwatch:*",
		83 |                 "sts:AssumeRole"
		84 |             ],
		85 |             "Resource": "*",
		86 |             "Effect": "Allow"
		87 |         }
		88 |     ]
		89 | }
		90 | EOF
		91 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:51-91
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		51 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		52 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		53 |   tags = merge(
		54 |     local.tags,
		55 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		56 |   )
		57 |   policy = <<EOF
		58 | {
		59 |     "Version" : "2012-10-17",
		60 |     "Statement": [
		61 |         {
		62 |             "Action": [
		63 |                 "lambda:InvokeFunction",
		64 |                 "ec2:CreateNetworkInterface",
		65 |                 "ec2:DescribeNetworkInterfaces",
		66 |                 "ec2:DeleteNetworkInterface",
		67 |                 "ec2:DescribeSecurityGroups",
		68 |                 "ec2:CreateSnapshot",
		69 |                 "ec2:DeleteSnapshot",
		70 |                 "ec2:DescribeSubnets",
		71 |                 "ec2:DescribeVpcs",
		72 |                 "ec2:DescribeInstances",
		73 |                 "ec2:DescribeAddresses",
		74 |                 "ec2:DescribeInstanceStatus",
		75 |                 "ec2:DescribeVolumes",
		76 |                 "ec2:DescribeSnapshots",
		77 |                 "ec2:CreateTags",
		78 |                 "s3:*",
		79 |                 "ssm:*",
		80 |                 "ses:*",
		81 |                 "logs:*",
		82 |                 "cloudwatch:*",
		83 |                 "sts:AssumeRole"
		84 |             ],
		85 |             "Resource": "*",
		86 |             "Effect": "Allow"
		87 |         }
		88 |     ]
		89 | }
		90 | EOF
		91 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:51-91
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		51 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		52 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		53 |   tags = merge(
		54 |     local.tags,
		55 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		56 |   )
		57 |   policy = <<EOF
		58 | {
		59 |     "Version" : "2012-10-17",
		60 |     "Statement": [
		61 |         {
		62 |             "Action": [
		63 |                 "lambda:InvokeFunction",
		64 |                 "ec2:CreateNetworkInterface",
		65 |                 "ec2:DescribeNetworkInterfaces",
		66 |                 "ec2:DeleteNetworkInterface",
		67 |                 "ec2:DescribeSecurityGroups",
		68 |                 "ec2:CreateSnapshot",
		69 |                 "ec2:DeleteSnapshot",
		70 |                 "ec2:DescribeSubnets",
		71 |                 "ec2:DescribeVpcs",
		72 |                 "ec2:DescribeInstances",
		73 |                 "ec2:DescribeAddresses",
		74 |                 "ec2:DescribeInstanceStatus",
		75 |                 "ec2:DescribeVolumes",
		76 |                 "ec2:DescribeSnapshots",
		77 |                 "ec2:CreateTags",
		78 |                 "s3:*",
		79 |                 "ssm:*",
		80 |                 "ses:*",
		81 |                 "logs:*",
		82 |                 "cloudwatch:*",
		83 |                 "sts:AssumeRole"
		84 |             ],
		85 |             "Resource": "*",
		86 |             "Effect": "Allow"
		87 |         }
		88 |     ]
		89 | }
		90 | EOF
		91 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:51-91
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		51 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		52 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		53 |   tags = merge(
		54 |     local.tags,
		55 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		56 |   )
		57 |   policy = <<EOF
		58 | {
		59 |     "Version" : "2012-10-17",
		60 |     "Statement": [
		61 |         {
		62 |             "Action": [
		63 |                 "lambda:InvokeFunction",
		64 |                 "ec2:CreateNetworkInterface",
		65 |                 "ec2:DescribeNetworkInterfaces",
		66 |                 "ec2:DeleteNetworkInterface",
		67 |                 "ec2:DescribeSecurityGroups",
		68 |                 "ec2:CreateSnapshot",
		69 |                 "ec2:DeleteSnapshot",
		70 |                 "ec2:DescribeSubnets",
		71 |                 "ec2:DescribeVpcs",
		72 |                 "ec2:DescribeInstances",
		73 |                 "ec2:DescribeAddresses",
		74 |                 "ec2:DescribeInstanceStatus",
		75 |                 "ec2:DescribeVolumes",
		76 |                 "ec2:DescribeSnapshots",
		77 |                 "ec2:CreateTags",
		78 |                 "s3:*",
		79 |                 "ssm:*",
		80 |                 "ses:*",
		81 |                 "logs:*",
		82 |                 "cloudwatch:*",
		83 |                 "sts:AssumeRole"
		84 |             ],
		85 |             "Resource": "*",
		86 |             "Effect": "Allow"
		87 |         }
		88 |     ]
		89 | }
		90 | EOF
		91 | }

Check: CKV_AWS_287: "Ensure IAM policies does not allow credentials exposure"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:51-91
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-287

		51 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		52 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		53 |   tags = merge(
		54 |     local.tags,
		55 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		56 |   )
		57 |   policy = <<EOF
		58 | {
		59 |     "Version" : "2012-10-17",
		60 |     "Statement": [
		61 |         {
		62 |             "Action": [
		63 |                 "lambda:InvokeFunction",
		64 |                 "ec2:CreateNetworkInterface",
		65 |                 "ec2:DescribeNetworkInterfaces",
		66 |                 "ec2:DeleteNetworkInterface",
		67 |                 "ec2:DescribeSecurityGroups",
		68 |                 "ec2:CreateSnapshot",
		69 |                 "ec2:DeleteSnapshot",
		70 |                 "ec2:DescribeSubnets",
		71 |                 "ec2:DescribeVpcs",
		72 |                 "ec2:DescribeInstances",
		73 |                 "ec2:DescribeAddresses",
		74 |                 "ec2:DescribeInstanceStatus",
		75 |                 "ec2:DescribeVolumes",
		76 |                 "ec2:DescribeSnapshots",
		77 |                 "ec2:CreateTags",
		78 |                 "s3:*",
		79 |                 "ssm:*",
		80 |                 "ses:*",
		81 |                 "logs:*",
		82 |                 "cloudwatch:*",
		83 |                 "sts:AssumeRole"
		84 |             ],
		85 |             "Resource": "*",
		86 |             "Effect": "Allow"
		87 |         }
		88 |     ]
		89 | }
		90 | EOF
		91 | }

Check: CKV_AWS_382: "Ensure no security groups allow egress from 0.0.0.0:0 to port -1"
	FAILED for resource: aws_security_group.backup_lambda
	File: /lambda.tf:190-207

		190 | resource "aws_security_group" "backup_lambda" {
		191 |   name        = "${local.application_name}-${local.environment}-backup-lambda-security-group"
		192 |   description = "Bakcup Lambda Security Group"
		193 |   vpc_id      = data.aws_vpc.shared.id
		194 | 
		195 |   egress {
		196 |     description = "outbound access"
		197 |     from_port   = 0
		198 |     to_port     = 0
		199 |     protocol    = "-1"
		200 |     cidr_blocks = ["0.0.0.0/0"]
		201 |   }
		202 | 
		203 |   tags = merge(
		204 |     local.tags,
		205 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-security-group" }
		206 |   )
		207 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /lambda.tf:222-250
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		222 | resource "aws_lambda_function" "create_db_snapshots" {
		223 | 
		224 |   description      = "Snapshot volumes for Oracle EC2"
		225 |   function_name    = "snapshotDBFunction"
		226 |   role             = aws_iam_role.backup_lambda.arn
		227 |   handler          = "snapshot/dbsnapshot.handler"
		228 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		229 |   runtime          = "nodejs18.x"
		230 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		231 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		232 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		233 |   memory_size      = 128
		234 |   timeout          = 900
		235 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		236 | 
		237 |   environment {
		238 |     variables = {
		239 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		240 |     }
		241 |   }
		242 |   vpc_config {
		243 |     security_group_ids = [aws_security_group.backup_lambda.id]
		244 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		245 |   }
		246 |   tags = merge(
		247 |     local.tags,
		248 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		249 |   )
		250 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /lambda.tf:222-250
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		222 | resource "aws_lambda_function" "create_db_snapshots" {
		223 | 
		224 |   description      = "Snapshot volumes for Oracle EC2"
		225 |   function_name    = "snapshotDBFunction"
		226 |   role             = aws_iam_role.backup_lambda.arn
		227 |   handler          = "snapshot/dbsnapshot.handler"
		228 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		229 |   runtime          = "nodejs18.x"
		230 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		231 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		232 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		233 |   memory_size      = 128
		234 |   timeout          = 900
		235 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		236 | 
		237 |   environment {
		238 |     variables = {
		239 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		240 |     }
		241 |   }
		242 |   vpc_config {
		243 |     security_group_ids = [aws_security_group.backup_lambda.id]
		244 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		245 |   }
		246 |   tags = merge(
		247 |     local.tags,
		248 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		249 |   )
		250 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /lambda.tf:222-250
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		222 | resource "aws_lambda_function" "create_db_snapshots" {
		223 | 
		224 |   description      = "Snapshot volumes for Oracle EC2"
		225 |   function_name    = "snapshotDBFunction"
		226 |   role             = aws_iam_role.backup_lambda.arn
		227 |   handler          = "snapshot/dbsnapshot.handler"
		228 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		229 |   runtime          = "nodejs18.x"
		230 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		231 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		232 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		233 |   memory_size      = 128
		234 |   timeout          = 900
		235 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		236 | 
		237 |   environment {
		238 |     variables = {
		239 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		240 |     }
		241 |   }
		242 |   vpc_config {
		243 |     security_group_ids = [aws_security_group.backup_lambda.id]
		244 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		245 |   }
		246 |   tags = merge(
		247 |     local.tags,
		248 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		249 |   )
		250 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /lambda.tf:222-250
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		222 | resource "aws_lambda_function" "create_db_snapshots" {
		223 | 
		224 |   description      = "Snapshot volumes for Oracle EC2"
		225 |   function_name    = "snapshotDBFunction"
		226 |   role             = aws_iam_role.backup_lambda.arn
		227 |   handler          = "snapshot/dbsnapshot.handler"
		228 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		229 |   runtime          = "nodejs18.x"
		230 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		231 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		232 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		233 |   memory_size      = 128
		234 |   timeout          = 900
		235 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		236 | 
		237 |   environment {
		238 |     variables = {
		239 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		240 |     }
		241 |   }
		242 |   vpc_config {
		243 |     security_group_ids = [aws_security_group.backup_lambda.id]
		244 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		245 |   }
		246 |   tags = merge(
		247 |     local.tags,
		248 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		249 |   )
		250 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /lambda.tf:222-250
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		222 | resource "aws_lambda_function" "create_db_snapshots" {
		223 | 
		224 |   description      = "Snapshot volumes for Oracle EC2"
		225 |   function_name    = "snapshotDBFunction"
		226 |   role             = aws_iam_role.backup_lambda.arn
		227 |   handler          = "snapshot/dbsnapshot.handler"
		228 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		229 |   runtime          = "nodejs18.x"
		230 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		231 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		232 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		233 |   memory_size      = 128
		234 |   timeout          = 900
		235 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		236 | 
		237 |   environment {
		238 |     variables = {
		239 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		240 |     }
		241 |   }
		242 |   vpc_config {
		243 |     security_group_ids = [aws_security_group.backup_lambda.id]
		244 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		245 |   }
		246 |   tags = merge(
		247 |     local.tags,
		248 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		249 |   )
		250 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /lambda.tf:252-274
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		252 | resource "aws_lambda_function" "delete_db_snapshots" {
		253 | 
		254 |   description      = "Clean up script to delete old unused snapshots"
		255 |   function_name    = "deletesnapshotFunction"
		256 |   role             = aws_iam_role.backup_lambda.arn
		257 |   handler          = "deletesnapshots.lambda_handler"
		258 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		259 |   runtime          = "python3.8"
		260 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		261 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		262 |   memory_size      = 3000
		263 |   timeout          = 900
		264 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		265 | 
		266 |   vpc_config {
		267 |     security_group_ids = [aws_security_group.backup_lambda.id]
		268 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		269 |   }
		270 |   tags = merge(
		271 |     local.tags,
		272 |     { Name = "${local.application_name}-${local.environment}-lambda-delete-snapshots" }
		273 |   )
		274 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /lambda.tf:252-274
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		252 | resource "aws_lambda_function" "delete_db_snapshots" {
		253 | 
		254 |   description      = "Clean up script to delete old unused snapshots"
		255 |   function_name    = "deletesnapshotFunction"
		256 |   role             = aws_iam_role.backup_lambda.arn
		257 |   handler          = "deletesnapshots.lambda_handler"
		258 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		259 |   runtime          = "python3.8"
		260 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		261 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		262 |   memory_size      = 3000
		263 |   timeout          = 900
		264 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		265 | 
		266 |   vpc_config {
		267 |     security_group_ids = [aws_security_group.backup_lambda.id]
		268 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		269 |   }
		270 |   tags = merge(
		271 |     local.tags,
		272 |     { Name = "${local.application_name}-${local.environment}-lambda-delete-snapshots" }
		273 |   )
		274 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /lambda.tf:252-274
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		252 | resource "aws_lambda_function" "delete_db_snapshots" {
		253 | 
		254 |   description      = "Clean up script to delete old unused snapshots"
		255 |   function_name    = "deletesnapshotFunction"
		256 |   role             = aws_iam_role.backup_lambda.arn
		257 |   handler          = "deletesnapshots.lambda_handler"
		258 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		259 |   runtime          = "python3.8"
		260 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		261 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		262 |   memory_size      = 3000
		263 |   timeout          = 900
		264 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		265 | 
		266 |   vpc_config {
		267 |     security_group_ids = [aws_security_group.backup_lambda.id]
		268 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		269 |   }
		270 |   tags = merge(
		271 |     local.tags,
		272 |     { Name = "${local.application_name}-${local.environment}-lambda-delete-snapshots" }
		273 |   )
		274 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /lambda.tf:252-274
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		252 | resource "aws_lambda_function" "delete_db_snapshots" {
		253 | 
		254 |   description      = "Clean up script to delete old unused snapshots"
		255 |   function_name    = "deletesnapshotFunction"
		256 |   role             = aws_iam_role.backup_lambda.arn
		257 |   handler          = "deletesnapshots.lambda_handler"
		258 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		259 |   runtime          = "python3.8"
		260 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		261 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		262 |   memory_size      = 3000
		263 |   timeout          = 900
		264 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		265 | 
		266 |   vpc_config {
		267 |     security_group_ids = [aws_security_group.backup_lambda.id]
		268 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		269 |   }
		270 |   tags = merge(
		271 |     local.tags,
		272 |     { Name = "${local.application_name}-${local.environment}-lambda-delete-snapshots" }
		273 |   )
		274 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.connect_db
	File: /lambda.tf:276-307
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		276 | resource "aws_lambda_function" "connect_db" {
		277 | 
		278 |   description      = "SSH to the DB EC2"
		279 |   function_name    = "connectDBFunction"
		280 |   role             = aws_iam_role.backup_lambda.arn
		281 |   handler          = "ssh/dbconnect.handler"
		282 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		283 |   runtime          = "nodejs18.x"
		284 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		285 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		286 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		287 |   memory_size      = 128
		288 |   timeout          = 900
		289 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		290 | 
		291 | 
		292 | 
		293 |   environment {
		294 |     variables = {
		295 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		296 | 
		297 |     }
		298 |   }
		299 |   vpc_config {
		300 |     security_group_ids = [aws_security_group.backup_lambda.id]
		301 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		302 |   }
		303 |   tags = merge(
		304 |     local.tags,
		305 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		306 |   )
		307 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.connect_db
	File: /lambda.tf:276-307
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		276 | resource "aws_lambda_function" "connect_db" {
		277 | 
		278 |   description      = "SSH to the DB EC2"
		279 |   function_name    = "connectDBFunction"
		280 |   role             = aws_iam_role.backup_lambda.arn
		281 |   handler          = "ssh/dbconnect.handler"
		282 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		283 |   runtime          = "nodejs18.x"
		284 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		285 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		286 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		287 |   memory_size      = 128
		288 |   timeout          = 900
		289 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		290 | 
		291 | 
		292 | 
		293 |   environment {
		294 |     variables = {
		295 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		296 | 
		297 |     }
		298 |   }
		299 |   vpc_config {
		300 |     security_group_ids = [aws_security_group.backup_lambda.id]
		301 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		302 |   }
		303 |   tags = merge(
		304 |     local.tags,
		305 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		306 |   )
		307 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.connect_db
	File: /lambda.tf:276-307
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		276 | resource "aws_lambda_function" "connect_db" {
		277 | 
		278 |   description      = "SSH to the DB EC2"
		279 |   function_name    = "connectDBFunction"
		280 |   role             = aws_iam_role.backup_lambda.arn
		281 |   handler          = "ssh/dbconnect.handler"
		282 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		283 |   runtime          = "nodejs18.x"
		284 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		285 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		286 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		287 |   memory_size      = 128
		288 |   timeout          = 900
		289 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		290 | 
		291 | 
		292 | 
		293 |   environment {
		294 |     variables = {
		295 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		296 | 
		297 |     }
		298 |   }
		299 |   vpc_config {
		300 |     security_group_ids = [aws_security_group.backup_lambda.id]
		301 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		302 |   }
		303 |   tags = merge(
		304 |     local.tags,
		305 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		306 |   )
		307 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.connect_db
	File: /lambda.tf:276-307
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		276 | resource "aws_lambda_function" "connect_db" {
		277 | 
		278 |   description      = "SSH to the DB EC2"
		279 |   function_name    = "connectDBFunction"
		280 |   role             = aws_iam_role.backup_lambda.arn
		281 |   handler          = "ssh/dbconnect.handler"
		282 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		283 |   runtime          = "nodejs18.x"
		284 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		285 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		286 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		287 |   memory_size      = 128
		288 |   timeout          = 900
		289 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		290 | 
		291 | 
		292 | 
		293 |   environment {
		294 |     variables = {
		295 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		296 | 
		297 |     }
		298 |   }
		299 |   vpc_config {
		300 |     security_group_ids = [aws_security_group.backup_lambda.id]
		301 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		302 |   }
		303 |   tags = merge(
		304 |     local.tags,
		305 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		306 |   )
		307 | }
Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.connect_db
	File: /lambda.tf:276-307
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		276 | resource "aws_lambda_function" "connect_db" {
		277 | 
		278 |   description      = "SSH to the DB EC2"
		279 |   function_name    = "connectDBFunction"
		280 |   role             = aws_iam_role.backup_lambda.arn
		281 |   handler          = "ssh/dbconnect.handler"
		282 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		283 |   runtime          = "nodejs18.x"
		284 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		285 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		286 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		287 |   memory_size      = 128
		288 |   timeout          = 900
		289 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		290 | 
		291 | 
		292 | 
		293 |   environment {
		294 |     variables = {
		295 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		296 | 
		297 |     }
		298 |   }
		299 |   vpc_config {
		300 |     security_group_ids = [aws_security_group.backup_lambda.id]
		301 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		302 |   }
		303 |   tags = merge(
		304 |     local.tags,
		305 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		306 |   )
		307 | }
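
# Added example, not code from the apex repository or this PR: how
# aws_lambda_function.connect_db would clear CKV_AWS_50 (X-Ray tracing) and
# CKV_AWS_272 (code-signing validation). The signing profile, the
# code-signing config, the role policy attachment and the "-signed.zip"
# object key are assumptions; the function attributes are copied from the
# finding above.

resource "aws_signer_signing_profile" "connect_db" {
  platform_id = "AWSLambda-SHA384-ECDSA"
  name_prefix = "connect_db_"
}

resource "aws_lambda_code_signing_config" "connect_db" {
  allowed_publishers {
    signing_profile_version_arns = [aws_signer_signing_profile.connect_db.version_arn]
  }

  # "Enforce" rejects a deployment whose package is unsigned, signed by another
  # profile, or whose signature has expired or been revoked; "Warn" only logs
  # it. The check runs at deploy time, not on each invocation, and it applies
  # to every layer version attached to the function as well, so the
  # backup_lambda layer package has to be signed too.
  policies {
    untrusted_artifact_on_deployment = "Enforce"
  }
}

# Active tracing needs xray:PutTraceSegments and xray:PutTelemetryRecords on
# the execution role; the AWS-managed policy grants exactly those.
resource "aws_iam_role_policy_attachment" "connect_db_xray" {
  role       = aws_iam_role.backup_lambda.name
  policy_arn = "arn:aws:iam::aws:policy/AWSXRayDaemonWriteAccess"
}

resource "aws_lambda_function" "connect_db" {
  description   = "SSH to the DB EC2"
  function_name = "connectDBFunction"
  role          = aws_iam_role.backup_lambda.arn
  handler       = "ssh/dbconnect.handler"
  runtime       = "nodejs18.x"
  layers        = [aws_lambda_layer_version.backup_lambda.arn]
  memory_size   = 128
  timeout       = 900

  # The package must be the artifact an AWS Signer signing job writes back to
  # S3 after reading the unsigned zip. s3_key therefore points at that object
  # (key assumed) and source_code_hash is not derived from
  # data.archive_file.connect_db: the hash of the unsigned local archive never
  # matches the signed package. With bucket versioning enabled,
  # s3_object_version is the attribute that rolls a new signed package out.
  s3_bucket = aws_s3_bucket.backup_lambda.id
  s3_key    = "${local.db_connect_script_prefix}-signed.zip"

  code_signing_config_arn = aws_lambda_code_signing_config.connect_db.arn # CKV_AWS_272

  tracing_config {
    mode = "Active" # CKV_AWS_50
  }

  environment {
    variables = {
      LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
    }
  }

  vpc_config {
    security_group_ids = [aws_security_group.backup_lambda.id]
    subnet_ids         = [data.aws_subnet.data_subnets_a.id]
  }

  depends_on = [time_sleep.wait_for_provision_files]

  tags = merge(
    local.tags,
    { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
  )
}
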
Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: module.alb.aws_secretsmanager_secret.cloudfront
	File: /modules/alb/main.tf:275-278
	Calling File: /alb.tf:27-163
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		275 | resource "aws_secretsmanager_secret" "cloudfront" {
		276 |   name        = "cloudfront-v1-secret-${var.application_name}"
		277 |   description = "Simple secret created by AWS CloudFormation to be shared between ALB and CloudFront"
		278 | }

Check: CKV_AWS_233: "Ensure Create before destroy for ACM certificates"
	FAILED for resource: module.alb.aws_acm_certificate.external_lb
	File: /modules/alb/main.tf:427-437
	Calling File: /alb.tf:27-163
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-acm-certificate-enables-create-before-destroy

		427 | resource "aws_acm_certificate" "external_lb" {
		428 | 
		429 |   domain_name               = var.acm_cert_domain_name
		430 |   validation_method         = "DNS"
		431 |   subject_alternative_names = var.environment == "production" ? null : ["${var.application_name}.${var.business_unit}-${var.environment}.${var.acm_cert_domain_name}"]
		432 |   tags                      = var.tags
		433 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		434 |   lifecycle {
		435 |     prevent_destroy = false
		436 |   }
		437 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.alb.s3-bucket[0]
	File: /modules/alb/main.tf:96-151
	Calling File: /alb.tf:27-163
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_300: "Ensure S3 lifecycle configuration sets period for aborting failed uploads"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket_lifecycle_configuration.report_lifecycle
	File: /modules/codebuild/main.tf:25-39
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-300

		25 | resource "aws_s3_bucket_lifecycle_configuration" "report_lifecycle" {
		26 |   bucket = aws_s3_bucket.deployment_report.id
		27 | 
		28 |   rule {
		29 |     id = "monthly-expiration"
		30 |     expiration {
		31 |       days = var.s3_lifecycle_expiration_days
		32 |     }
		33 |     noncurrent_version_expiration {
		34 |       noncurrent_days = var.s3_lifecycle_noncurr_version_expiration_days
		35 |     }
		36 | 
		37 |     status = "Enabled"
		38 |   }
		39 | }

Check: CKV_AWS_163: "Ensure ECR image scanning on push is enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_ecr_repository.local-ecr
	File: /modules/codebuild/main.tf:52-66
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-8

		52 | resource "aws_ecr_repository" "local-ecr" {
		53 |   name                 = "${var.app_name}-local-ecr"
		54 |   image_tag_mutability = "MUTABLE"
		55 | 
		56 |   image_scanning_configuration {
		57 |     scan_on_push = false
		58 |   }
		59 | 
		60 |   tags = merge(
		61 |     var.tags,
		62 |     {
		63 |       Name = "${var.app_name}-local-ecr"
		64 |     },
		65 |   )
		66 | }

Check: CKV_AWS_51: "Ensure ECR Image Tags are immutable"
	FAILED for resource: module.apex-ecr-codebuild.aws_ecr_repository.local-ecr
	File: /modules/codebuild/main.tf:52-66
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-24

		52 | resource "aws_ecr_repository" "local-ecr" {
		53 |   name                 = "${var.app_name}-local-ecr"
		54 |   image_tag_mutability = "MUTABLE"
		55 | 
		56 |   image_scanning_configuration {
		57 |     scan_on_push = false
		58 |   }
		59 | 
		60 |   tags = merge(
		61 |     var.tags,
		62 |     {
		63 |       Name = "${var.app_name}-local-ecr"
		64 |     },
		65 |   )
		66 | }

Check: CKV_AWS_136: "Ensure that ECR repositories are encrypted using KMS"
	FAILED for resource: module.apex-ecr-codebuild.aws_ecr_repository.local-ecr
	File: /modules/codebuild/main.tf:52-66
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ecr-repositories-are-encrypted

		52 | resource "aws_ecr_repository" "local-ecr" {
		53 |   name                 = "${var.app_name}-local-ecr"
		54 |   image_tag_mutability = "MUTABLE"
		55 | 
		56 |   image_scanning_configuration {
		57 |     scan_on_push = false
		58 |   }
		59 | 
		60 |   tags = merge(
		61 |     var.tags,
		62 |     {
		63 |       Name = "${var.app_name}-local-ecr"
		64 |     },
		65 |   )
		66 | }
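
# Added example, not the codebuild module's code: the same repository with
# the three ECR findings (CKV_AWS_163, CKV_AWS_51, CKV_AWS_136) closed. The
# KMS key is an assumption.

resource "aws_kms_key" "ecr" {
  description         = "${var.app_name} ECR image encryption"
  enable_key_rotation = true
  tags                = var.tags
}

resource "aws_ecr_repository" "local-ecr" {
  name = "${var.app_name}-local-ecr"

  # CKV_AWS_51: a tag, once pushed, can no longer be repointed at a different
  # image, so a task definition that says ":v1.4" keeps meaning the image that
  # was reviewed. Pipelines must then push a fresh tag per build (for example
  # the commit SHA) instead of overwriting "latest".
  image_tag_mutability = "IMMUTABLE"

  # CKV_AWS_163: basic scanning on push reports known CVEs in OS packages
  # before the image is referenced by a deployment.
  image_scanning_configuration {
    scan_on_push = true
  }

  # CKV_AWS_136: encrypt layers with a customer-managed key. Note that
  # encryption_configuration cannot be changed on an existing repository: the
  # provider replaces it, so existing images have to be re-pushed first.
  encryption_configuration {
    encryption_type = "KMS"
    kms_key         = aws_kms_key.ecr.arn
  }

  tags = merge(var.tags, { Name = "${var.app_name}-local-ecr" })
}
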

Check: CKV_AWS_314: "Ensure CodeBuild project environments have a logging configuration"
	FAILED for resource: module.apex-ecr-codebuild.aws_codebuild_project.app-build
	File: /modules/codebuild/main.tf:163-229
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-314

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_316: "Ensure CodeBuild project environments do not have privileged mode enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_codebuild_project.app-build
	File: /modules/codebuild/main.tf:163-229
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-316

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_314: "Ensure CodeBuild project environments have a logging configuration"
	FAILED for resource: module.apex-ecr-codebuild.aws_codebuild_project.test-build
	File: /modules/codebuild/main.tf:231-280
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-314

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: module.apex-ecs.aws_launch_template.ec2-launch-template
	File: /modules/ecs/main.tf:107-164
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_341: "Ensure Launch template should not have a metadata response hop limit greater than 1"
	FAILED for resource: module.apex-ecs.aws_launch_template.ec2-launch-template
	File: /modules/ecs/main.tf:107-164
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-341

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
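
# Added example, not the ecs module's code, for CKV_AWS_79 and CKV_AWS_341.
# Only metadata_options is the point; image_id, instance_type, the instance
# profile and the cluster name come from assumed variables and resources.

resource "aws_launch_template" "ec2-launch-template" {
  name_prefix   = "${var.app_name}-ecs-"
  image_id      = var.ami_id        # assumed
  instance_type = var.instance_type # assumed

  iam_instance_profile {
    name = aws_iam_instance_profile.ec2_instance_profile.name # assumed
  }

  metadata_options {
    http_endpoint = "enabled"
    # CKV_AWS_79: only requests carrying a session token (IMDSv2) are
    # answered, which closes the SSRF-to-instance-credentials path.
    http_tokens = "required"
    # CKV_AWS_341: the token response leaves the instance with an IP TTL of 1,
    # so it dies at the first hop. A container on the docker0 bridge cannot
    # obtain a token and therefore cannot read the instance role; host-mode
    # containers share the instance's network stack and are unaffected. Tasks
    # get their own credentials from the ECS agent endpoint (169.254.170.2)
    # and do not need IMDS at all.
    http_put_response_hop_limit = 1
    instance_metadata_tags      = "disabled"
  }

  # Anything in user_data that read 169.254.169.254 unauthenticated must now
  # fetch a token first. (For the module's "windows" instance type the
  # equivalent is an Invoke-RestMethod PUT for the token in PowerShell.)
  user_data = base64encode(<<-EOT
    #!/bin/bash
    TOKEN=$(curl -sS -X PUT "http://169.254.169.254/latest/api/token" \
      -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
    AZ=$(curl -sS -H "X-aws-ec2-metadata-token: $TOKEN" \
      http://169.254.169.254/latest/meta-data/placement/availability-zone)
    echo "ECS_CLUSTER=${var.cluster_name}" >> /etc/ecs/ecs.config
    # awsvpc-mode tasks have their own ENI and are not covered by the hop limit.
    echo "ECS_AWSVPC_BLOCK_IMDS=true" >> /etc/ecs/ecs.config
    echo "container instance starting in $AZ"
  EOT
  )

  tag_specifications {
    resource_type = "instance"
    tags          = merge(var.tags_common, { Name = "${var.app_name}-ecs-instance" })
  }
}
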
Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: module.apex-ecs.aws_iam_policy.ec2_instance_policy
	File: /modules/ecs/main.tf:204-237
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		204 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		205 |   name = "${var.app_name}-ec2-instance-policy"
		206 |   tags = merge(
		207 |     var.tags_common,
		208 |     {
		209 |       Name = "${var.app_name}-ec2-instance-policy"
		210 |     }
		211 |   )
		212 |   policy = <<EOF
		213 | {
		214 |     "Version": "2012-10-17",
		215 |     "Statement": [
		216 |         {
		217 |             "Action": [
		218 |                 "ecs:CreateCluster",
		219 |                 "ecs:DeregisterContainerInstance",
		220 |                 "ecs:DiscoverPollEndpoint",
		221 |                 "ecs:Poll",
		222 |                 "ecs:RegisterContainerInstance",
		223 |                 "ecs:StartTelemetrySession",
		224 |                 "ecs:Submit*",
		225 |                 "logs:CreateLogGroup",
		226 |                 "logs:CreateLogStream",
		227 |                 "logs:PutLogEvents",
		228 |                 "logs:DescribeLogStreams",
		229 |                 "ecr:*"
		230 |             ],
		231 |             "Resource": "*",
		232 |             "Effect": "Allow"
		233 |         }
		234 |     ]
		235 | }
		236 | EOF
		237 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.apex-ecs.aws_iam_policy.ec2_instance_policy
	File: /modules/ecs/main.tf:204-237
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		204 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		205 |   name = "${var.app_name}-ec2-instance-policy"
		206 |   tags = merge(
		207 |     var.tags_common,
		208 |     {
		209 |       Name = "${var.app_name}-ec2-instance-policy"
		210 |     }
		211 |   )
		212 |   policy = <<EOF
		213 | {
		214 |     "Version": "2012-10-17",
		215 |     "Statement": [
		216 |         {
		217 |             "Action": [
		218 |                 "ecs:CreateCluster",
		219 |                 "ecs:DeregisterContainerInstance",
		220 |                 "ecs:DiscoverPollEndpoint",
		221 |                 "ecs:Poll",
		222 |                 "ecs:RegisterContainerInstance",
		223 |                 "ecs:StartTelemetrySession",
		224 |                 "ecs:Submit*",
		225 |                 "logs:CreateLogGroup",
		226 |                 "logs:CreateLogStream",
		227 |                 "logs:PutLogEvents",
		228 |                 "logs:DescribeLogStreams",
		229 |                 "ecr:*"
		230 |             ],
		231 |             "Resource": "*",
		232 |             "Effect": "Allow"
		233 |         }
		234 |     ]
		235 | }
		236 | EOF
		237 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: module.apex-ecs.aws_iam_policy.ec2_instance_policy
	File: /modules/ecs/main.tf:204-237
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		204 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		205 |   name = "${var.app_name}-ec2-instance-policy"
		206 |   tags = merge(
		207 |     var.tags_common,
		208 |     {
		209 |       Name = "${var.app_name}-ec2-instance-policy"
		210 |     }
		211 |   )
		212 |   policy = <<EOF
		213 | {
		214 |     "Version": "2012-10-17",
		215 |     "Statement": [
		216 |         {
		217 |             "Action": [
		218 |                 "ecs:CreateCluster",
		219 |                 "ecs:DeregisterContainerInstance",
		220 |                 "ecs:DiscoverPollEndpoint",
		221 |                 "ecs:Poll",
		222 |                 "ecs:RegisterContainerInstance",
		223 |                 "ecs:StartTelemetrySession",
		224 |                 "ecs:Submit*",
		225 |                 "logs:CreateLogGroup",
		226 |                 "logs:CreateLogStream",
		227 |                 "logs:PutLogEvents",
		228 |                 "logs:DescribeLogStreams",
		229 |                 "ecr:*"
		230 |             ],
		231 |             "Resource": "*",
		232 |             "Effect": "Allow"
		233 |         }
		234 |     ]
		235 | }
		236 | EOF
		237 | }

Check: CKV_AWS_249: "Ensure that the Execution Role ARN and the Task Role ARN are different in ECS Task definitions"
	FAILED for resource: module.apex-ecs.aws_ecs_task_definition.windows_ecs_task_definition
	File: /modules/ecs/main.tf:266-287
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-the-aws-execution-role-arn-and-task-role-arn-are-different-in-ecs-task-definitions

		266 | resource "aws_ecs_task_definition" "windows_ecs_task_definition" {
		267 |   family             = "${var.app_name}-task-definition"
		268 |   count              = var.container_instance_type == "windows" ? 1 : 0
		269 |   execution_role_arn = aws_iam_role.ecs_task_execution_role.arn # grants the Amazon ECS container agents permission to make AWS API calls on your behalf
		270 |   task_role_arn      = aws_iam_role.ecs_task_execution_role.arn # assumed by the containers running in the task, allowing your application code (on the container) to use other AWS services
		271 |   requires_compatibilities = [
		272 |     "EC2",
		273 |   ]
		274 | 
		275 |   # volume {
		276 |   #   name = var.task_definition_volume
		277 |   # }
		278 | 
		279 |   container_definitions = var.task_definition
		280 | 
		281 |   tags = merge(
		282 |     var.tags_common,
		283 |     {
		284 |       Name = "${var.app_name}-windows-task-definition"
		285 |     }
		286 |   )
		287 | }
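
# Added example, not the ecs module's code, for CKV_AWS_249. The execution
# role is what the ECS agent uses to pull the image and ship logs; the task
# role is what the application process inside the container receives. With
# one role for both, a compromised container can pull any image and write to
# any log group the agent can. The task role, its trust policy, the data
# sources and the SSM parameter path are assumptions.

data "aws_caller_identity" "current" {} # assumed not already declared in the module
data "aws_region" "current" {}

data "aws_iam_policy_document" "ecs_tasks_assume" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["ecs-tasks.amazonaws.com"]
    }
    # Confused-deputy guard: only tasks in this account may assume the role.
    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = [data.aws_caller_identity.current.account_id]
    }
  }
}

resource "aws_iam_role" "ecs_task_role" {
  name               = "${var.app_name}-ecs-task-role"
  assume_role_policy = data.aws_iam_policy_document.ecs_tasks_assume.json
  tags               = var.tags_common
}

# Grant only what the application itself calls. Nothing at all is the right
# starting point; here the app is assumed to read one SSM parameter path.
resource "aws_iam_role_policy" "ecs_task_app" {
  name = "${var.app_name}-ecs-task-app-policy"
  role = aws_iam_role.ecs_task_role.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect   = "Allow"
      Action   = ["ssm:GetParameter", "ssm:GetParameters"]
      Resource = "arn:aws:ssm:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:parameter/${var.app_name}/*"
    }]
  })
}

resource "aws_ecs_task_definition" "windows_ecs_task_definition" {
  family                   = "${var.app_name}-task-definition"
  count                    = var.container_instance_type == "windows" ? 1 : 0
  execution_role_arn       = aws_iam_role.ecs_task_execution_role.arn # agent: image pull, log delivery
  task_role_arn            = aws_iam_role.ecs_task_role.arn           # application code only
  requires_compatibilities = ["EC2"]
  container_definitions    = var.task_definition

  tags = merge(var.tags_common, { Name = "${var.app_name}-windows-task-definition" })
}
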

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.apex-ecs.aws_iam_policy.ecs_service
	File: /modules/ecs/main.tf:439-467
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		439 | resource "aws_iam_policy" "ecs_service" { #tfsec:ignore:aws-iam-no-policy-wildcards
		440 |   name = "${var.app_name}-ecs-service-policy"
		441 |   tags = merge(
		442 |     var.tags_common,
		443 |     {
		444 |       Name = "${var.app_name}-ecs-service-policy"
		445 |     }
		446 |   )
		447 |   policy = <<EOF
		448 | {
		449 |   "Version": "2012-10-17",
		450 |   "Statement": [
		451 |     {
		452 |       "Effect": "Allow",
		453 |       "Action": [
		454 |         "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
		455 |         "elasticloadbalancing:DeregisterTargets",
		456 |         "elasticloadbalancing:Describe*",
		457 |         "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
		458 |         "elasticloadbalancing:RegisterTargets",
		459 |         "ec2:Describe*",
		460 |         "ec2:AuthorizeSecurityGroupIngress"
		461 |       ],
		462 |       "Resource": ["*"]
		463 |     }
		464 |   ]
		465 | }
		466 | EOF
		467 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: module.apex-ecs.aws_iam_policy.ecs_service
	File: /modules/ecs/main.tf:439-467
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		439 | resource "aws_iam_policy" "ecs_service" { #tfsec:ignore:aws-iam-no-policy-wildcards
		440 |   name = "${var.app_name}-ecs-service-policy"
		441 |   tags = merge(
		442 |     var.tags_common,
		443 |     {
		444 |       Name = "${var.app_name}-ecs-service-policy"
		445 |     }
		446 |   )
		447 |   policy = <<EOF
		448 | {
		449 |   "Version": "2012-10-17",
		450 |   "Statement": [
		451 |     {
		452 |       "Effect": "Allow",
		453 |       "Action": [
		454 |         "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
		455 |         "elasticloadbalancing:DeregisterTargets",
		456 |         "elasticloadbalancing:Describe*",
		457 |         "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
		458 |         "elasticloadbalancing:RegisterTargets",
		459 |         "ec2:Describe*",
		460 |         "ec2:AuthorizeSecurityGroupIngress"
		461 |       ],
		462 |       "Resource": ["*"]
		463 |     }
		464 |   ]
		465 | }
		466 | EOF
		467 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: module.apex-ecs.aws_cloudwatch_log_group.cloudwatch_group
	File: /modules/ecs/main.tf:488-499
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		488 | resource "aws_cloudwatch_log_group" "cloudwatch_group" {
		489 |   #checkov:skip=CKV_AWS_158:Temporarily skip KMS encryption check while logging solution is being updated
		490 |   name              = "${var.app_name}-ecs-container-logs"
		491 |   retention_in_days = 90
		492 |   kms_key_id        = var.log_group_kms_key
		493 |   tags = merge(
		494 |     var.tags_common,
		495 |     {
		496 |       Name = "${var.app_name}-ecs-container-logs"
		497 |     }
		498 |   )
		499 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: module.apex-ecs.aws_cloudwatch_log_group.ec2
	File: /modules/ecs/main.tf:506-516
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		506 | resource "aws_cloudwatch_log_group" "ec2" {
		507 |   name              = "${var.app_name}-ecs-ec2-logs"
		508 |   retention_in_days = 90
		509 |   kms_key_id        = var.log_group_kms_key
		510 |   tags = merge(
		511 |     var.tags_common,
		512 |     {
		513 |       Name = "${var.app_name}-ecs-ec2-logs"
		514 |     }
		515 |   )
		516 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy.backuplambdapolicy
	File: /modules/lambdapolicy/main.tf:21-58
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		22 |   name   = var.backup_policy_name
		23 |   tags   = var.tags
		24 |   policy = <<EOF
		25 | {
		26 |     "Version" : "2012-10-17",
		27 |     "Statement": [
		28 |         {
		29 |             "Action": [
		30 |                 "lambda:InvokeFunction",
		31 |                 "ec2:CreateNetworkInterface",
		32 |                 "ec2:DescribeNetworkInterfaces",
		33 |                 "ec2:DeleteNetworkInterface",
		34 |                 "ec2:DescribeSecurityGroups",
		35 |                 "ec2:CreateSnapshot",
		36 |                 "ec2:DeleteSnapshot",
		37 |                 "ec2:DescribeSubnets",
		38 |                 "ec2:DescribeVpcs",
		39 |                 "ec2:DescribeInstances",
		40 |                 "ec2:DescribeAddresses",
		41 |                 "ec2:DescribeInstanceStatus",
		42 |                 "ec2:DescribeVolumes",
		43 |                 "ec2:DescribeSnapshots",
		44 |                 "ec2:CreateTags",
		45 |                 "s3:*",
		46 |                 "ssm:*",
		47 |                 "ses:*",
		48 |                 "logs:*",
		49 |                 "cloudwatch:*",
		50 |                 "sts:AssumeRole"
		51 |             ],
		52 |             "Resource": "*",
		53 |             "Effect": "Allow"
		54 |         }
		55 |     ]
		56 | }
		57 | EOF
		58 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.backuplambdapolicy
	File: /modules/lambdapolicy/main.tf:21-58
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		22 |   name   = var.backup_policy_name
		23 |   tags   = var.tags
		24 |   policy = <<EOF
		25 | {
		26 |     "Version" : "2012-10-17",
		27 |     "Statement": [
		28 |         {
		29 |             "Action": [
		30 |                 "lambda:InvokeFunction",
		31 |                 "ec2:CreateNetworkInterface",
		32 |                 "ec2:DescribeNetworkInterfaces",
		33 |                 "ec2:DeleteNetworkInterface",
		34 |                 "ec2:DescribeSecurityGroups",
		35 |                 "ec2:CreateSnapshot",
		36 |                 "ec2:DeleteSnapshot",
		37 |                 "ec2:DescribeSubnets",
		38 |                 "ec2:DescribeVpcs",
		39 |                 "ec2:DescribeInstances",
		40 |                 "ec2:DescribeAddresses",
		41 |                 "ec2:DescribeInstanceStatus",
		42 |                 "ec2:DescribeVolumes",
		43 |                 "ec2:DescribeSnapshots",
		44 |                 "ec2:CreateTags",
		45 |                 "s3:*",
		46 |                 "ssm:*",
		47 |                 "ses:*",
		48 |                 "logs:*",
		49 |                 "cloudwatch:*",
		50 |                 "sts:AssumeRole"
		51 |             ],
		52 |             "Resource": "*",
		53 |             "Effect": "Allow"
		54 |         }
		55 |     ]
		56 | }
		57 | EOF
		58 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.backuplambdapolicy
	File: /modules/lambdapolicy/main.tf:21-58
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		22 |   name   = var.backup_policy_name
		23 |   tags   = var.tags
		24 |   policy = <<EOF
		25 | {
		26 |     "Version" : "2012-10-17",
		27 |     "Statement": [
		28 |         {
		29 |             "Action": [
		30 |                 "lambda:InvokeFunction",
		31 |                 "ec2:CreateNetworkInterface",
		32 |                 "ec2:DescribeNetworkInterfaces",
		33 |                 "ec2:DeleteNetworkInterface",
		34 |                 "ec2:DescribeSecurityGroups",
		35 |                 "ec2:CreateSnapshot",
		36 |                 "ec2:DeleteSnapshot",
		37 |                 "ec2:DescribeSubnets",
		38 |                 "ec2:DescribeVpcs",
		39 |                 "ec2:DescribeInstances",
		40 |                 "ec2:DescribeAddresses",
		41 |                 "ec2:DescribeInstanceStatus",
		42 |                 "ec2:DescribeVolumes",
		43 |                 "ec2:DescribeSnapshots",
		44 |                 "ec2:CreateTags",
		45 |                 "s3:*",
		46 |                 "ssm:*",
		47 |                 "ses:*",
		48 |                 "logs:*",
		49 |                 "cloudwatch:*",
		50 |                 "sts:AssumeRole"
		51 |             ],
		52 |             "Resource": "*",
		53 |             "Effect": "Allow"
		54 |         }
		55 |     ]
		56 | }
		57 | EOF
		58 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_policy.backuplambdapolicy
	File: /modules/lambdapolicy/main.tf:21-58
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		22 |   name   = var.backup_policy_name
		23 |   tags   = var.tags
		24 |   policy = <<EOF
		25 | {
		26 |     "Version" : "2012-10-17",
		27 |     "Statement": [
		28 |         {
		29 |             "Action": [
		30 |                 "lambda:InvokeFunction",
		31 |                 "ec2:CreateNetworkInterface",
		32 |                 "ec2:DescribeNetworkInterfaces",
		33 |                 "ec2:DeleteNetworkInterface",
		34 |                 "ec2:DescribeSecurityGroups",
		35 |                 "ec2:CreateSnapshot",
		36 |                 "ec2:DeleteSnapshot",
		37 |                 "ec2:DescribeSubnets",
		38 |                 "ec2:DescribeVpcs",
		39 |                 "ec2:DescribeInstances",
		40 |                 "ec2:DescribeAddresses",
		41 |                 "ec2:DescribeInstanceStatus",
		42 |                 "ec2:DescribeVolumes",
		43 |                 "ec2:DescribeSnapshots",
		44 |                 "ec2:CreateTags",
		45 |                 "s3:*",
		46 |                 "ssm:*",
		47 |                 "ses:*",
		48 |                 "logs:*",
		49 |                 "cloudwatch:*",
		50 |                 "sts:AssumeRole"
		51 |             ],
		52 |             "Resource": "*",
		53 |             "Effect": "Allow"
		54 |         }
		55 |     ]
		56 | }
		57 | EOF
		58 | }

Check: CKV_AWS_287: "Ensure IAM policies does not allow credentials exposure"
	FAILED for resource: aws_iam_policy.backuplambdapolicy
	File: /modules/lambdapolicy/main.tf:21-58
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-287

		21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		22 |   name   = var.backup_policy_name
		23 |   tags   = var.tags
		24 |   policy = <<EOF
		25 | {
		26 |     "Version" : "2012-10-17",
		27 |     "Statement": [
		28 |         {
		29 |             "Action": [
		30 |                 "lambda:InvokeFunction",
		31 |                 "ec2:CreateNetworkInterface",
		32 |                 "ec2:DescribeNetworkInterfaces",
		33 |                 "ec2:DeleteNetworkInterface",
		34 |                 "ec2:DescribeSecurityGroups",
		35 |                 "ec2:CreateSnapshot",
		36 |                 "ec2:DeleteSnapshot",
		37 |                 "ec2:DescribeSubnets",
		38 |                 "ec2:DescribeVpcs",
		39 |                 "ec2:DescribeInstances",
		40 |                 "ec2:DescribeAddresses",
		41 |                 "ec2:DescribeInstanceStatus",
		42 |                 "ec2:DescribeVolumes",
		43 |                 "ec2:DescribeSnapshots",
		44 |                 "ec2:CreateTags",
		45 |                 "s3:*",
		46 |                 "ssm:*",
		47 |                 "ses:*",
		48 |                 "logs:*",
		49 |                 "cloudwatch:*",
		50 |                 "sts:AssumeRole"
		51 |             ],
		52 |             "Resource": "*",
		53 |             "Effect": "Allow"
		54 |         }
		55 |     ]
		56 | }
		57 | EOF
		58 | }
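
# Added example, not the lambdapolicy module's code: backuplambdapolicy
# rewritten so that CKV_AWS_287/288/289/290/355 no longer apply. An action
# stays on "*" only where AWS offers no resource-level scoping (the ENI and
# Describe calls a VPC-attached function needs); every other action names
# the thing it touches. The data sources, locals and the var.backup_bucket_arn,
# var.parameter_prefix, var.ses_identity_arn, var.function_names,
# var.invoked_function_arns and var.backup_target_role_arn inputs are
# assumptions. The same refactor fits the ecs module's ec2_instance_policy
# above: ecr:* becomes ecr:GetAuthorizationToken on "*" plus
# ecr:BatchCheckLayerAvailability, ecr:GetDownloadUrlForLayer and
# ecr:BatchGetImage on the repository ARN, and the logs actions are pinned to
# the module's own log groups.

data "aws_caller_identity" "current" {} # assumed not already declared
data "aws_region" "current" {}

locals {
  account = data.aws_caller_identity.current.account_id
  region  = data.aws_region.current.name
}

data "aws_iam_policy_document" "backup_lambda" {
  statement {
    sid = "VpcAttachment" # the same "*" grant as the managed AWSLambdaVPCAccessExecutionRole
    actions = [
      "ec2:CreateNetworkInterface", "ec2:DescribeNetworkInterfaces", "ec2:DeleteNetworkInterface",
      "ec2:DescribeSubnets", "ec2:DescribeSecurityGroups", "ec2:DescribeVpcs", "ec2:DescribeInstances",
      "ec2:DescribeInstanceStatus", "ec2:DescribeAddresses", "ec2:DescribeVolumes", "ec2:DescribeSnapshots",
    ]
    resources = ["*"]
  }

  statement {
    sid     = "Snapshots"
    actions = ["ec2:CreateSnapshot", "ec2:DeleteSnapshot"]
    resources = [
      "arn:aws:ec2:${local.region}:${local.account}:volume/*",
      "arn:aws:ec2:${local.region}:${local.account}:snapshot/*",
    ]
  }

  statement {
    sid       = "TagOnlyNewSnapshots"
    actions   = ["ec2:CreateTags"]
    resources = ["arn:aws:ec2:${local.region}:${local.account}:snapshot/*"]
    condition {
      test     = "StringEquals"
      variable = "ec2:CreateAction"
      values   = ["CreateSnapshot"]
    }
  }

  statement {
    sid       = "BackupBucket" # was s3:* on every bucket in the account (CKV_AWS_288)
    actions   = ["s3:ListBucket"]
    resources = [var.backup_bucket_arn]
  }
  statement {
    sid       = "BackupObjects"
    actions   = ["s3:GetObject", "s3:PutObject"]
    resources = ["${var.backup_bucket_arn}/*"]
  }

  statement {
    sid       = "Parameters" # was ssm:*, which also covers SendCommand on every instance
    actions   = ["ssm:GetParameter", "ssm:GetParameters"]
    resources = ["arn:aws:ssm:${local.region}:${local.account}:parameter/${var.parameter_prefix}/*"]
  }

  statement {
    sid       = "SendMail" # was ses:*
    actions   = ["ses:SendEmail", "ses:SendRawEmail"]
    resources = [var.ses_identity_arn]
  }

  statement {
    sid       = "FunctionLogs" # was logs:* and cloudwatch:*; log groups are created by Terraform, not by the function
    actions   = ["logs:CreateLogStream", "logs:PutLogEvents"]
    resources = [for f in var.function_names : "arn:aws:logs:${local.region}:${local.account}:log-group:/aws/lambda/${f}:*"]
  }

  statement {
    sid       = "InvokeNamedFunctions" # was lambda:InvokeFunction on "*"
    actions   = ["lambda:InvokeFunction"]
    resources = var.invoked_function_arns
  }

  statement {
    sid       = "AssumeBackupRole" # CKV_AWS_287: on "*" the function can become any role whose trust policy admits it
    actions   = ["sts:AssumeRole"]
    resources = [var.backup_target_role_arn]
  }
}

resource "aws_iam_policy" "backuplambdapolicy" {
  name   = var.backup_policy_name
  tags   = var.tags
  policy = data.aws_iam_policy_document.backup_lambda.json
}
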

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.apex
	File: /sns.tf:6-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		6  | resource "aws_sns_topic" "apex" {
		7  |   name = "${local.application_name}-${local.environment}-alerting-topic"
		8  |   tags = merge(
		9  |     local.tags,
		10 |     {
		11 |       Name = "${local.application_name}-${local.environment}-alerting-topic"
		12 |     }
		13 |   )
		14 | }
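
# Added example, not code from the apex repository, for CKV_AWS_26. The key,
# its policy and the alias are assumptions. The part that matters in
# practice is the second key-policy statement: this topic is the target of
# CloudWatch alarms, and an alarm publishing to a CMK-encrypted topic fails
# silently unless the key policy lets cloudwatch.amazonaws.com generate a
# data key under that CMK. Subscribers such as the PagerDuty HTTPS endpoint
# need nothing: SNS decrypts before delivery.

data "aws_caller_identity" "current" {} # assumed not already declared

resource "aws_kms_key" "sns" {
  description         = "${local.application_name}-${local.environment} alerting topic CMK"
  enable_key_rotation = true
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid       = "AccountAdministration"
        Effect    = "Allow"
        Principal = { AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root" }
        Action    = "kms:*"
        Resource  = "*"
      },
      {
        Sid       = "AllowCloudWatchAlarmsToPublish"
        Effect    = "Allow"
        Principal = { Service = "cloudwatch.amazonaws.com" }
        Action    = ["kms:GenerateDataKey*", "kms:Decrypt"]
        Resource  = "*"
      },
    ]
  })
  tags = local.tags
}

resource "aws_kms_alias" "sns" {
  name          = "alias/${local.application_name}-${local.environment}-sns"
  target_key_id = aws_kms_key.sns.key_id
}

resource "aws_sns_topic" "apex" {
  name              = "${local.application_name}-${local.environment}-alerting-topic"
  kms_master_key_id = aws_kms_alias.sns.name # CKV_AWS_26; the alias lets the key be replaced without touching the topic
  tags = merge(
    local.tags,
    { Name = "${local.application_name}-${local.environment}-alerting-topic" }
  )
}
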

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: pagerduty_core_alerts
	File: /sns.tf:34-41
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		34 | module "pagerduty_core_alerts" {
		35 |   depends_on = [
		36 |     aws_sns_topic.apex
		37 |   ]
		38 |   source                    = "github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0"
		39 |   sns_topics                = [aws_sns_topic.apex.name]
		40 |   pagerduty_integration_key = local.pagerduty_integration_keys[local.pagerduty_integration_key_name]
		41 | }
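
# Added example, not code from the apex repository, for CKV_TF_1. A tag such
# as v2.0.0 is a mutable pointer: anyone who can push to the module repository
# can move it, and the next apply pulls different code under the same name. A
# full commit SHA cannot be moved. The hash below is a placeholder (all
# zeros), not the real commit; resolve it with
#   git ls-remote --tags https://github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration v2.0.0
# and, for an annotated tag, take the SHA on the line ending in "^{}" (the
# commit the tag points at, not the tag object). Keeping the tag in a comment
# makes version bumps reviewable.

module "pagerduty_core_alerts" {
  depends_on = [
    aws_sns_topic.apex
  ]
  # v2.0.0
  source                    = "github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=0000000000000000000000000000000000000000"
  sns_topics                = [aws_sns_topic.apex.name]
  pagerduty_integration_key = local.pagerduty_integration_keys[local.pagerduty_integration_key_name]
}
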
Check: CKV_AWS_176: "Ensure Logging is enabled for WAF Web Access Control Lists"
	FAILED for resource: aws_waf_web_acl.waf_acl
	File: /waf.tf:57-87
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-31

		57 | resource "aws_waf_web_acl" "waf_acl" {
		58 |   depends_on = [
		59 |     aws_waf_rule.wafmanualallowrule,
		60 |     aws_waf_rule.wafmanualblockrule,
		61 |   ]
		62 |   name        = "${upper(local.application_name)} Whitelisting Requesters"
		63 |   metric_name = "${upper(local.application_name)}WhitelistingRequesters"
		64 |   #   scope    = "CLOUDFRONT"
		65 |   #   provider = aws.us-east-1
		66 |   default_action {
		67 |     type = "BLOCK"
		68 |   }
		69 | 
		70 |   rules {
		71 |     action {
		72 |       type = "ALLOW"
		73 |     }
		74 |     priority = 1
		75 |     rule_id  = aws_waf_rule.wafmanualallowrule.id
		76 |     type     = "REGULAR"
		77 |   }
		78 | 
		79 |   rules {
		80 |     action {
		81 |       type = "BLOCK"
		82 |     }
		83 |     priority = 2
		84 |     rule_id  = aws_waf_rule.wafmanualblockrule.id
		85 |     type     = "REGULAR"
		86 |   }
		87 | }

Check: CKV2_AWS_47: "Ensure AWS CloudFront attached WAFv2 WebACL is configured with AMR for Log4j Vulnerability"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:177-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-47

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: module.alb.aws_secretsmanager_secret.cloudfront
	File: /modules/alb/main.tf:275-278
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		275 | resource "aws_secretsmanager_secret" "cloudfront" {
		276 |   name        = "cloudfront-v1-secret-${var.application_name}"
		277 |   description = "Simple secret created by AWS CloudFormation to be shared between ALB and CloudFront"
		278 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.cloudfront
	File: /cloudfront.tf:109-122
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		109 | resource "aws_s3_bucket" "cloudfront" {
		110 |   bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		111 |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		112 |   tags = merge(
		113 |     local.tags,
		114 |     {
		115 |       Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		116 |     }
		117 |   )
		118 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		119 |   lifecycle {
		120 |     prevent_destroy = false
		121 |   }
		122 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:107-113
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		107 | resource "aws_s3_bucket" "backup_lambda" {
		108 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		109 |   tags = merge(
		110 |     local.tags,
		111 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		112 |   )
		113 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
	File: /modules/codebuild/main.tf:5-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		5  | resource "aws_s3_bucket" "deployment_report" {
		6  |   bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		7  |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		8  |   tags = merge(
		9  |     var.tags,
		10 |     {
		11 |       Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		12 |     },
		13 |   )
		14 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.laa-lambda-backup
	File: /modules/s3/main.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		1 | resource "aws_s3_bucket" "laa-lambda-backup" {
		2 |   bucket = var.bucket_name
		3 |   tags   = var.tags
		4 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.cloudfront
	File: /cloudfront.tf:109-122
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		109 | resource "aws_s3_bucket" "cloudfront" {
		110 |   bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		111 |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		112 |   tags = merge(
		113 |     local.tags,
		114 |     {
		115 |       Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		116 |     }
		117 |   )
		118 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		119 |   lifecycle {
		120 |     prevent_destroy = false
		121 |   }
		122 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:107-113
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		107 | resource "aws_s3_bucket" "backup_lambda" {
		108 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		109 |   tags = merge(
		110 |     local.tags,
		111 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		112 |   )
		113 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
	File: /modules/codebuild/main.tf:5-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		5  | resource "aws_s3_bucket" "deployment_report" {
		6  |   bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		7  |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		8  |   tags = merge(
		9  |     var.tags,
		10 |     {
		11 |       Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		12 |     },
		13 |   )
		14 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.laa-lambda-backup
	File: /modules/s3/main.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		1 | resource "aws_s3_bucket" "laa-lambda-backup" {
		2 |   bucket = var.bucket_name
		3 |   tags   = var.tags
		4 | }

Check: CKV2_AWS_32: "Ensure CloudFront distribution has a response headers policy attached"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:177-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/bc-aws-networking-65

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AWS_18: "Ensure that Elastic File System (Amazon EFS) file systems are added in the backup plans of AWS Backup"
	FAILED for resource: aws_efs_file_system.efs
	File: /efs.tf:41-55
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-elastic-file-system-amazon-efs-file-systems-are-added-in-the-backup-plans-of-aws-backup

		41 | resource "aws_efs_file_system" "efs" {
		42 |   encrypted        = true
		43 |   kms_key_id       = aws_kms_key.efs.arn
		44 |   performance_mode = "maxIO"
		45 |   throughput_mode  = "bursting"
		46 | 
		47 |   tags = merge(
		48 |     local.tags,
		49 |     { "Name" = "mp-${local.application_name}-efs" }
		50 |   )
		51 | 
		52 |   lifecycle_policy {
		53 |     transition_to_ia = "AFTER_90_DAYS"
		54 |   }
		55 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.cloudfront
	File: /cloudfront.tf:109-122
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		109 | resource "aws_s3_bucket" "cloudfront" {
		110 |   bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		111 |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		112 |   tags = merge(
		113 |     local.tags,
		114 |     {
		115 |       Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		116 |     }
		117 |   )
		118 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		119 |   lifecycle {
		120 |     prevent_destroy = false
		121 |   }
		122 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:107-113
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		107 | resource "aws_s3_bucket" "backup_lambda" {
		108 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		109 |   tags = merge(
		110 |     local.tags,
		111 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		112 |   )
		113 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
	File: /modules/codebuild/main.tf:5-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		5  | resource "aws_s3_bucket" "deployment_report" {
		6  |   bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		7  |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		8  |   tags = merge(
		9  |     var.tags,
		10 |     {
		11 |       Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		12 |     },
		13 |   )
		14 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.laa-lambda-backup
	File: /modules/s3/main.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		1 | resource "aws_s3_bucket" "laa-lambda-backup" {
		2 |   bucket = var.bucket_name
		3 |   tags   = var.tags
		4 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.u01-orahome
	File: /ec2.tf:169-184
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		169 | resource "aws_ebs_volume" "u01-orahome" {
		170 |   availability_zone = "eu-west-2a"
		171 |   size              = local.application_data.accounts[local.environment].u01_orahome_size
		172 |   type              = "gp3"
		173 |   encrypted         = true
		174 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		175 |   snapshot_id       = local.application_data.accounts[local.environment].u01_orahome_snapshot
		176 |   lifecycle {
		177 |     ignore_changes = [kms_key_id]
		178 |   }
		179 |   tags = merge(
		180 |     local.tags,
		181 |     { "Name" = "${local.application_name}db-ec2-u01-orahome" },
		182 |     { "backup" = "false" }
		183 |   )
		184 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.u02-oradata
	File: /ec2.tf:191-206
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		191 | resource "aws_ebs_volume" "u02-oradata" {
		192 |   availability_zone = "eu-west-2a"
		193 |   size              = local.application_data.accounts[local.environment].u02_oradata_size
		194 |   type              = "gp3"
		195 |   encrypted         = true
		196 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		197 |   snapshot_id       = local.application_data.accounts[local.environment].u02_oradata_snapshot
		198 |   lifecycle {
		199 |     ignore_changes = [kms_key_id]
		200 |   }
		201 |   tags = merge(
		202 |     local.tags,
		203 |     { "Name" = "${local.application_name}db-ec2-u02-oradata" },
		204 |     { "backup" = "false" }
		205 |   )
		206 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.u03-redo
	File: /ec2.tf:216-231
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		216 | resource "aws_ebs_volume" "u03-redo" {
		217 |   availability_zone = "eu-west-2a"
		218 |   size              = local.application_data.accounts[local.environment].u03_redo_size
		219 |   type              = "gp3"
		220 |   encrypted         = true
		221 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		222 |   snapshot_id       = local.application_data.accounts[local.environment].u03_redo_snapshot
		223 |   lifecycle {
		224 |     ignore_changes = [kms_key_id]
		225 |   }
		226 |   tags = merge(
		227 |     local.tags,
		228 |     { "Name" = "${local.application_name}db-ec2-u03-redo" },
		229 |     { "backup" = "false" }
		230 |   )
		231 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.u04-arch
	File: /ec2.tf:238-253
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		238 | resource "aws_ebs_volume" "u04-arch" {
		239 |   availability_zone = "eu-west-2a"
		240 |   size              = local.application_data.accounts[local.environment].u04_arch_size
		241 |   type              = "gp3"
		242 |   encrypted         = true
		243 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		244 |   snapshot_id       = local.application_data.accounts[local.environment].u04_arch_snapshot
		245 |   lifecycle {
		246 |     ignore_changes = [kms_key_id]
		247 |   }
		248 |   tags = merge(
		249 |     local.tags,
		250 |     { "Name" = "${local.application_name}db-ec2-u04-arch" },
		251 |     { "backup" = "false" }
		252 |   )
		253 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.cloudfront
	File: /cloudfront.tf:109-122
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		109 | resource "aws_s3_bucket" "cloudfront" {
		110 |   bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		111 |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		112 |   tags = merge(
		113 |     local.tags,
		114 |     {
		115 |       Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		116 |     }
		117 |   )
		118 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		119 |   lifecycle {
		120 |     prevent_destroy = false
		121 |   }
		122 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV2_AWS_65: "Ensure access control lists for S3 buckets are disabled"
	FAILED for resource: aws_s3_bucket_ownership_controls.backup_lambda
	File: /lambda.tf:130-135
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-112

		130 | resource "aws_s3_bucket_ownership_controls" "backup_lambda" {
		131 |   bucket = aws_s3_bucket.backup_lambda.id
		132 |   rule {
		133 |     object_ownership = "ObjectWriter"
		134 |   }
		135 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.cloudfront
	File: /cloudfront.tf:109-122
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		109 | resource "aws_s3_bucket" "cloudfront" {
		110 |   bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		111 |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		112 |   tags = merge(
		113 |     local.tags,
		114 |     {
		115 |       Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		116 |     }
		117 |   )
		118 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		119 |   lifecycle {
		120 |     prevent_destroy = false
		121 |   }
		122 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:107-113
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		107 | resource "aws_s3_bucket" "backup_lambda" {
		108 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		109 |   tags = merge(
		110 |     local.tags,
		111 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		112 |   )
		113 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
	File: /modules/codebuild/main.tf:5-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		5  | resource "aws_s3_bucket" "deployment_report" {
		6  |   bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		7  |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		8  |   tags = merge(
		9  |     var.tags,
		10 |     {
		11 |       Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		12 |     },
		13 |   )
		14 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.laa-lambda-backup
	File: /modules/s3/main.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		1 | resource "aws_s3_bucket" "laa-lambda-backup" {
		2 |   bucket = var.bucket_name
		3 |   tags   = var.tags
		4 | }

Check: CKV_AWS_378: "Ensure AWS Load Balancer doesn't use HTTP protocol"
	FAILED for resource: module.alb.aws_lb_target_group.alb_target_group
	File: /modules/alb/main.tf:346-373

		346 | resource "aws_lb_target_group" "alb_target_group" {
		347 |   name                 = "${var.application_name}-alb-tg"
		348 |   port                 = var.target_group_port
		349 |   protocol             = var.target_group_protocol
		350 |   vpc_id               = var.vpc_id
		351 |   deregistration_delay = var.target_group_deregistration_delay
		352 |   health_check {
		353 |     interval            = var.healthcheck_interval
		354 |     path                = var.healthcheck_path
		355 |     protocol            = var.healthcheck_protocol
		356 |     timeout             = var.healthcheck_timeout
		357 |     healthy_threshold   = var.healthcheck_healthy_threshold
		358 |     unhealthy_threshold = var.healthcheck_unhealthy_threshold
		359 |   }
		360 |   stickiness {
		361 |     enabled         = var.stickiness_enabled
		362 |     type            = var.stickiness_type
		363 |     cookie_duration = var.stickiness_cookie_duration
		364 |   }
		365 | 
		366 |   tags = merge(
		367 |     var.tags,
		368 |     {
		369 |       Name = "${var.application_name}-alb-tg"
		370 |     },
		371 |   )
		372 | 
		373 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:107-113
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		107 | resource "aws_s3_bucket" "backup_lambda" {
		108 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		109 |   tags = merge(
		110 |     local.tags,
		111 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		112 |   )
		113 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.laa-lambda-backup
	File: /modules/s3/main.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		1 | resource "aws_s3_bucket" "laa-lambda-backup" {
		2 |   bucket = var.bucket_name
		3 |   tags   = var.tags
		4 | }

Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
	File: /modules/codebuild/main.tf:5-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		5  | resource "aws_s3_bucket" "deployment_report" {
		6  |   bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		7  |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		8  |   tags = merge(
		9  |     var.tags,
		10 |     {
		11 |       Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		12 |     },
		13 |   )
		14 | }

Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV2_AWS_46: "Ensure AWS CloudFront Distribution with S3 have Origin Access set to enabled"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:177-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-aws-cloudfromt-distribution-with-s3-have-origin-access-set-to-enabled

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
terraform_plan scan results:

Passed checks: 0, Failed checks: 0, Skipped checks: 0, Parsing errors: 1


checkov_exitcode=1
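The Checkov findings above for `aws_s3_bucket.backup_lambda` (CKV_AWS_18, CKV_AWS_21, CKV_AWS_145, CKV2_AWS_6, CKV2_AWS_61, CKV2_AWS_62, CKV2_AWS_65) are all fixed the same way in the AWS provider v4+ model: the bare bucket resource stays as it is and each setting is attached through its own companion resource. The block below is an added example, not code from this PR or from the modernisation-platform repository. It assumes a customer managed key `aws_kms_key.s3` and a separate access-log bucket `aws_s3_bucket.access_logs` exist in the root module, and the 90-day and 7-day retention figures are placeholders. The `aws_s3_bucket_ownership_controls` block is meant to replace the one at lambda.tf:130-135, since `ObjectWriter` is exactly what CKV2_AWS_65 objects to.

```hcl
# Added example (not the PR's code): hardening aws_s3_bucket.backup_lambda
# so the Checkov S3 checks listed above pass. aws_kms_key.s3 and
# aws_s3_bucket.access_logs are assumed to exist elsewhere in the module.

# CKV_AWS_145: default encryption with a customer managed KMS key, not SSE-S3
resource "aws_s3_bucket_server_side_encryption_configuration" "backup_lambda" {
  bucket = aws_s3_bucket.backup_lambda.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"
      kms_master_key_id = aws_kms_key.s3.arn # assumed CMK
    }
    bucket_key_enabled = true # fewer KMS calls per object, same key
  }
}

# CKV_AWS_21: versioning, so an overwritten or deleted DB script is recoverable
resource "aws_s3_bucket_versioning" "backup_lambda" {
  bucket = aws_s3_bucket.backup_lambda.id
  versioning_configuration {
    status = "Enabled"
  }
}

# CKV2_AWS_6: block every form of public access at the bucket level
resource "aws_s3_bucket_public_access_block" "backup_lambda" {
  bucket                  = aws_s3_bucket.backup_lambda.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# CKV2_AWS_65: disable ACLs entirely. Replaces the ObjectWriter rule at
# lambda.tf:130-135; access is then governed only by IAM and bucket policy.
resource "aws_s3_bucket_ownership_controls" "backup_lambda" {
  bucket = aws_s3_bucket.backup_lambda.id
  rule {
    object_ownership = "BucketOwnerEnforced"
  }
}

# CKV_AWS_18: server access logging to a separate bucket (assumed to exist)
resource "aws_s3_bucket_logging" "backup_lambda" {
  bucket        = aws_s3_bucket.backup_lambda.id
  target_bucket = aws_s3_bucket.access_logs.id
  target_prefix = "backup-lambda/"
}

# CKV2_AWS_61: a lifecycle rule. With versioning on, old versions accumulate
# unless expired; abandoned multipart uploads are billed silently.
resource "aws_s3_bucket_lifecycle_configuration" "backup_lambda" {
  bucket = aws_s3_bucket.backup_lambda.id
  rule {
    id     = "expire-noncurrent-versions"
    status = "Enabled"
    filter {}
    noncurrent_version_expiration {
      noncurrent_days = 90 # placeholder retention
    }
    abort_incomplete_multipart_upload {
      days_after_initiation = 7 # placeholder
    }
  }
}

# CKV2_AWS_62: event notifications; forwarding to EventBridge needs no
# SNS/SQS/Lambda target and makes object writes visible to detection rules.
resource "aws_s3_bucket_notification" "backup_lambda" {
  bucket      = aws_s3_bucket.backup_lambda.id
  eventbridge = true
}
```

Two caveats before applying the same pattern to the other flagged buckets. `BucketOwnerEnforced` must not be used on `aws_s3_bucket.cloudfront`: CloudFront standard logging writes with an ACL grant and requires ACLs to remain enabled on the log bucket, so that bucket needs `BucketOwnerPreferred` plus the CloudFront log-delivery grant, and CKV2_AWS_65 should be suppressed there with a justification. CKV_AWS_144 (cross-region replication) is not addressed above; for a scripts bucket that Terraform can regenerate it is normally a documented `#checkov:skip=CKV_AWS_144` rather than a replication rule.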

TFLint Scan Failed

*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/apex

*****************************

Running tflint in terraform/environments/apex
Excluding the following checks: terraform_unused_declarations
7 issue(s) found:

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/apex/alb.tf line 17:
  17:     "${local.application_data.accounts[local.environment].acm_cert_domain_name}" = {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/apex/alb.tf line 19:
  19:       zone_name = "${local.application_data.accounts[local.environment].acm_cert_domain_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "template" in `required_providers` (terraform_required_providers)

  on terraform/environments/apex/cloudwatch.tf line 401:
 401: data "template_file" "dashboard" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "local" in `required_providers` (terraform_required_providers)

  on terraform/environments/apex/ec2.tf line 42:
  42: data "local_file" "cloudwatch_agent" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/apex/event_triggers.tf line 22:
  22:   input = jsonencode({ "appname" : "${local.database_ec2_name}" })

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "time" in `required_providers` (terraform_required_providers)

  on terraform/environments/apex/lambda.tf line 125:
 125: resource "time_sleep" "wait_for_provision_files" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "archive" in `required_providers` (terraform_required_providers)

  on terraform/environments/apex/lambda.tf line 179:
 179: data "archive_file" "connect_db" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

tflint_exitcode=2
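The seven tflint warnings above are two fixes. The interpolation-only expressions just lose their `"${...}"` wrapper. The missing provider constraints go into the environment's existing `required_providers` block (the `aws` entry is already there, which is why tflint did not flag it). The block below is an added illustration, not code from this PR; the version ranges are assumptions and should be set to whatever `.terraform.lock.hcl` already resolves. It also shows the one case where pinning is the wrong answer: `hashicorp/template` is archived and ships no builds for newer platforms, so `data "template_file" "dashboard"` at cloudwatch.tf:401 is better replaced by the built-in `templatefile()` function. The template path and variables in that replacement are assumed.

```hcl
# Added example (not the PR's code). Merge these entries into the existing
# required_providers block; version ranges are assumptions.
terraform {
  required_providers {
    local = {
      source  = "hashicorp/local"
      version = "~> 2.5"
    }
    time = {
      source  = "hashicorp/time"
      version = "~> 0.12"
    }
    archive = {
      source  = "hashicorp/archive"
      version = "~> 2.6"
    }
    # No entry for hashicorp/template: the provider is archived. The
    # data "template_file" usage is replaced with templatefile() below.
  }
}

# terraform_deprecated_interpolation, event_triggers.tf line 22.
# Before: input = jsonencode({ "appname" : "${local.database_ec2_name}" })
# After:
#   input = jsonencode({ "appname" : local.database_ec2_name })
# Same change for the two acm_cert_domain_name expressions in alb.tf.

# Replacement for data "template_file" "dashboard" (cloudwatch.tf line 401).
# Template path and variable names are assumed; use the ones the current
# template_file block passes in its vars map.
locals {
  dashboard_body = templatefile("${path.module}/templates/dashboard.json.tftpl", {
    application_name = local.application_name
    environment      = local.environment
  })
}

# Wherever the dashboard resource used data.template_file.dashboard.rendered,
# reference local.dashboard_body instead.
```

`templatefile()` evaluates at plan time with no provider involved, so it also removes one third-party binary from the supply chain of every `terraform init` in this environment.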

Trivy Scan Failed

*****************************

Trivy will check the following folders:
terraform/environments/apex

*****************************

Running Trivy in terraform/environments/apex
2024-12-03T14:16:26Z	INFO	[vulndb] Need to update DB
2024-12-03T14:16:26Z	INFO	[vulndb] Downloading vulnerability DB...
2024-12-03T14:16:26Z	INFO	[vulndb] Downloading artifact...	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-03T14:16:28Z	INFO	[vulndb] Artifact successfully downloaded	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-03T14:16:28Z	INFO	[vuln] Vulnerability scanning is enabled
2024-12-03T14:16:28Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-12-03T14:16:28Z	INFO	[misconfig] Need to update the built-in checks
2024-12-03T14:16:28Z	INFO	[misconfig] Downloading the built-in checks...
2024-12-03T14:16:29Z	INFO	[secret] Secret scanning is enabled
2024-12-03T14:16:29Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-12-03T14:16:29Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-12-03T14:16:31Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-12-03T14:16:31Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2024-12-03T14:16:31Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="aws_waf_ipset.wafmanualallowset" err="1 error occurred:\n\t* invalid for-each in aws_waf_ipset.wafmanualallowset.dynamic.ip_set_descriptors block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-03T14:16:31Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="aws_waf_ipset.wafmanualallowset" err="1 error occurred:\n\t* invalid for-each in aws_waf_ipset.wafmanualallowset.dynamic.ip_set_descriptors block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-03T14:16:31Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.aws_route53_record.external_lb_validation_core_network_services" value="cty.NilVal"
2024-12-03T14:16:31Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.aws_route53_record.external_lb_validation_core_vpc" value="cty.NilVal"
2024-12-03T14:16:31Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.aws_route53_record.external_lb_validation_self" value="cty.NilVal"
2024-12-03T14:16:31Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.data.aws_route53_zone.core_network_services" value="cty.NilVal"
2024-12-03T14:16:31Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.data.aws_route53_zone.core_vpc" value="cty.NilVal"
2024-12-03T14:16:31Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.data.aws_route53_zone.self" value="cty.NilVal"
2024-12-03T14:16:31Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.apex-ecs.aws_autoscaling_group.cluster-scaling-group" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.cluster-scaling-group.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-03T14:16:31Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.apex-ecs.aws_autoscaling_group.cluster-scaling-group" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.cluster-scaling-group.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-03T14:16:31Z	INFO	[terraform scanner] Scanning root module	file_path="modules/lambdapolicy"
2024-12-03T14:16:31Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="tags"
2024-12-03T14:16:31Z	INFO	[terraform scanner] Scanning root module	file_path="modules/s3"
2024-12-03T14:16:31Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="tags"
2024-12-03T14:16:33Z	INFO	[terraform executor] Ignore finding	rule="aws-elb-alb-not-public" range="modules/alb/main.tf:214"
2024-12-03T14:16:33Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0/main.tf:171-179"
2024-12-03T14:16:33Z	INFO	Number of language-specific files	num=0
2024-12-03T14:16:33Z	INFO	Detected config files	num=12

cloudfront.tf (terraform)
=========================
Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0013 (HIGH): Distribution allows unencrypted communications.
════════════════════════════════════════
You should not use outdated/insecure TLS versions for encryption. You should be using TLS v1.2+.
Note that setting *minimum_protocol_version = "TLSv1.2_2021"* is only possible when *cloudfront_default_certificate* is false (eg. you are not using the cloudfront.net domain name).
If *cloudfront_default_certificate* is true then the Cloudfront API will only allow setting *minimum_protocol_version = "TLSv1"*, and setting it to any other value will result in a perpetual diff in your *terraform plan*s.
The only option when using the cloudfront.net domain name is to ignore this rule.


See https://avd.aquasec.com/misconfig/avd-aws-0013
────────────────────────────────────────
 cloudfront.tf:244
   via cloudfront.tf:241-245 (viewer_certificate)
    via cloudfront.tf:177-267 (aws_cloudfront_distribution.external)
────────────────────────────────────────
 177   resource "aws_cloudfront_distribution" "external" {
 ...   
 244 [     minimum_protocol_version = "TLSv1.2_2018"
 ...   
 267   }
────────────────────────────────────────


AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.


See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 cloudfront.tf:131-142
────────────────────────────────────────
 131resource "aws_s3_bucket_server_side_encryption_configuration" "cloudfront" {
 132 │   bucket = aws_s3_bucket.cloudfront.id
 133 │   rule {
 134 │     apply_server_side_encryption_by_default {
 135 │       sse_algorithm = "AES256"
 136 │     }
 137 │   }
 138# TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
 139 └   lifecycle {
 ...   
────────────────────────────────────────



ec2.tf (terraform)
==================
Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default the aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using the metadata_options block and its http_tokens variable set to required.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 ec2.tf:6-40
────────────────────────────────────────
   6 ┌ resource "aws_instance" "apex_db_instance" {
   7 │   ami                         = local.application_data.accounts[local.environment].ec2amiid
   8 │   associate_public_ip_address = false
   9 │   availability_zone           = "eu-west-2a"
  10 │   ebs_optimized               = true
  11 │   instance_type               = local.application_data.accounts[local.environment].ec2instancetype
  12 │   vpc_security_group_ids      = [aws_security_group.database.id]
  13 │   monitoring                  = true
  14 └   subnet_id                   = data.aws_subnet.data_subnets_a.id
  ..   
────────────────────────────────────────



lambda.tf (terraform)
=====================
Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0088 (HIGH): Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.


See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
 lambda.tf:107-113
────────────────────────────────────────
 107 ┌ resource "aws_s3_bucket" "backup_lambda" {
 108 │   bucket = "${local.application_name}-${local.environment}-backup-lambda"
 109 │   tags = merge(
 110 │     local.tags,
 111 │     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
 112 │   )
 113 └ }
────────────────────────────────────────


AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.


See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 lambda.tf:107-113
────────────────────────────────────────
 107 ┌ resource "aws_s3_bucket" "backup_lambda" {
 108 │   bucket = "${local.application_name}-${local.environment}-backup-lambda"
 109 │   tags = merge(
 110 │     local.tags,
 111 │     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
 112 │   )
 113 └ }
────────────────────────────────────────



modules/ecs/main.tf (terraform)
===============================
Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0130 (HIGH): Launch template does not require IMDS access to require a token
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default the aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using the metadata_options block and its http_tokens variable set to required.


See https://avd.aquasec.com/misconfig/aws-autoscaling-enforce-http-token-imds
────────────────────────────────────────
 modules/ecs/main.tf:121
   via modules/ecs/main.tf:119-123 (metadata_options)
    via modules/ecs/main.tf:107-164 (aws_launch_template.ec2-launch-template)
     via ecs.tf:5-38 (module.apex-ecs)
────────────────────────────────────────
 107   resource "aws_launch_template" "ec2-launch-template" {
 ...   
 121 [     http_tokens                 = "optional"
 ...   
 164   }
────────────────────────────────────────



modules/s3/main.tf (terraform)
==============================
Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0088 (HIGH): Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.


See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
 modules/s3/main.tf:1-4
────────────────────────────────────────
   1 ┌ resource "aws_s3_bucket" "laa-lambda-backup" {
   2 │   bucket = var.bucket_name
   3 │   tags   = var.tags
   4 └ }
────────────────────────────────────────


AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.


See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 modules/s3/main.tf:1-4
────────────────────────────────────────
   1 ┌ resource "aws_s3_bucket" "laa-lambda-backup" {
   2 │   bucket = var.bucket_name
   3 │   tags   = var.tags
   4 └ }
────────────────────────────────────────


trivy_exitcode=1

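The two findings that repeat across lambda.tf and modules/s3/main.tf (AVD-AWS-0088, AVD-AWS-0132) and the IMDS findings on ec2.tf and modules/ecs/main.tf (AVD-AWS-0028, AVD-AWS-0130) are the ones in this scan worth fixing rather than ignoring. The block below is an added illustration by the editor of what the hardened resources look like; it is not code from this PR or from the ministryofjustice repository. Resource names mirror the flagged ones so the mapping is obvious, but every literal value (bucket name, KMS alias, AMI, instance type, launch template prefix) is an assumed placeholder, and the KMS key and public access block are additions the scan did not ask for.

```hcl
# Added example (editor's illustration, not code from the ministryofjustice
# repository). Hardened forms of the resource types Trivy flagged above.
# Resource names mirror the findings; every literal value (bucket name, AMI,
# instance type, alias, name prefix) is an assumed placeholder.

# AVD-AWS-0088 / AVD-AWS-0132 / CKV_AWS_7: the flagged aws_s3_bucket blocks in
# lambda.tf and modules/s3/main.tf carry no server-side encryption
# configuration. Encrypt with a customer managed KMS key, rotate it, and enable
# the bucket key so each object does not cost a separate KMS request.
resource "aws_kms_key" "backup_lambda" {
  description         = "CMK for the backup-lambda bucket" # assumed
  enable_key_rotation = true
}

resource "aws_kms_alias" "backup_lambda" {
  name          = "alias/backup-lambda" # assumed alias
  target_key_id = aws_kms_key.backup_lambda.key_id
}

resource "aws_s3_bucket" "backup_lambda" {
  bucket = "example-backup-lambda" # assumed placeholder
}

resource "aws_s3_bucket_server_side_encryption_configuration" "backup_lambda" {
  bucket = aws_s3_bucket.backup_lambda.id

  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"
      kms_master_key_id = aws_kms_key.backup_lambda.arn
    }
    bucket_key_enabled = true
  }
}

# Block every form of public access on the bucket; the DB scripts and Lambda
# artefacts it holds are reached only through IAM.
resource "aws_s3_bucket_public_access_block" "backup_lambda" {
  bucket                  = aws_s3_bucket.backup_lambda.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# AVD-AWS-0028 / CKV_AWS_79 (aws_instance) and AVD-AWS-0130 (aws_launch_template):
# with http_tokens = "optional", IMDSv1 still hands the instance role's
# credentials to any unauthenticated GET on 169.254.169.254, the classic SSRF
# pivot. "required" switches IMDSv1 off; a hop limit of 1 also stops
# bridge-mode containers on the host from reaching IMDS through the instance's
# network namespace.
resource "aws_instance" "apex_db_instance" {
  ami           = "ami-00000000000000000" # assumed placeholder
  instance_type = "t3.medium"             # assumed placeholder

  metadata_options {
    http_endpoint               = "enabled"
    http_tokens                 = "required" # was "optional" (the provider default)
    http_put_response_hop_limit = 1
    instance_metadata_tags      = "disabled"
  }
}

resource "aws_launch_template" "ec2-launch-template" {
  name_prefix = "example-ecs-" # assumed placeholder

  metadata_options {
    http_endpoint               = "enabled"
    http_tokens                 = "required" # was "optional" at modules/ecs/main.tf:121
    # ECS tasks should use task roles and the task metadata endpoint, not host
    # IMDS; raise this to 2 only if a bridge-mode container genuinely needs it.
    http_put_response_hop_limit = 1
  }
}
```

Two checks close the loop after apply: `aws s3api get-bucket-encryption --bucket <name>` should report `aws:kms` with the CMK ARN, and `aws ec2 describe-instances --instance-ids <id> --query 'Reservations[].Instances[].MetadataOptions'` should report `HttpTokens: required`. An instance that is already running can be flipped without a rebuild with `aws ec2 modify-instance-metadata-options --instance-id <id> --http-tokens required --http-endpoint enabled`; a launch template change only reaches ECS hosts once the ASG picks up the new template version (an instance refresh or a scale-out). Two caveats on the remaining findings: the CloudFront finding (AVD-AWS-0013) can only be fixed with `TLSv1.2_2021` when the distribution uses an ACM certificate rather than the default cloudfront.net one, exactly as Trivy's own message says; and the Checkov hit CKV_AWS_24 further down on `aws_vpc_security_group_ingress_rule.db_lambda` appears to be a scanner limitation, since the visible rule allows port 22 only from `referenced_security_group_id` and carries no CIDR at all.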
Contributor

github-actions bot commented Dec 3, 2024

Trivy Scan Failed

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/apex


Running Trivy in terraform/environments/apex
2024-12-03T16:02:50Z INFO [vulndb] Need to update DB
2024-12-03T16:02:50Z INFO [vulndb] Downloading vulnerability DB...
2024-12-03T16:02:50Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-03T16:02:52Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-03T16:02:52Z INFO [vuln] Vulnerability scanning is enabled
2024-12-03T16:02:52Z INFO [misconfig] Misconfiguration scanning is enabled
2024-12-03T16:02:52Z INFO [misconfig] Need to update the built-in checks
2024-12-03T16:02:52Z INFO [misconfig] Downloading the built-in checks...
2024-12-03T16:02:53Z INFO [secret] Secret scanning is enabled
2024-12-03T16:02:53Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-12-03T16:02:53Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-12-03T16:02:55Z INFO [terraform scanner] Scanning root module file_path="."
2024-12-03T16:02:55Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2024-12-03T16:02:55Z ERROR [terraform evaluator] Failed to expand dynamic block. block="aws_waf_ipset.wafmanualallowset" err="1 error occurred:\n\t* invalid for-each in aws_waf_ipset.wafmanualallowset.dynamic.ip_set_descriptors block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-03T16:02:55Z ERROR [terraform evaluator] Failed to expand dynamic block. block="aws_waf_ipset.wafmanualallowset" err="1 error occurred:\n\t* invalid for-each in aws_waf_ipset.wafmanualallowset.dynamic.ip_set_descriptors block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-03T16:02:55Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.aws_route53_record.external_lb_validation_core_network_services" value="cty.NilVal"
2024-12-03T16:02:55Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.aws_route53_record.external_lb_validation_core_vpc" value="cty.NilVal"
2024-12-03T16:02:55Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.aws_route53_record.external_lb_validation_self" value="cty.NilVal"
2024-12-03T16:02:55Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.data.aws_route53_zone.core_network_services" value="cty.NilVal"
2024-12-03T16:02:55Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.data.aws_route53_zone.core_vpc" value="cty.NilVal"
2024-12-03T16:02:55Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.data.aws_route53_zone.self" value="cty.NilVal"
2024-12-03T16:02:56Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.apex-ecs.aws_autoscaling_group.cluster-scaling-group" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.cluster-scaling-group.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-03T16:02:56Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.apex-ecs.aws_autoscaling_group.cluster-scaling-group" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.cluster-scaling-group.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-03T16:02:56Z INFO [terraform scanner] Scanning root module file_path="modules/lambdapolicy"
2024-12-03T16:02:56Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="tags"
2024-12-03T16:02:56Z INFO [terraform scanner] Scanning root module file_path="modules/s3"
2024-12-03T16:02:56Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="tags"
2024-12-03T16:02:58Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0/main.tf:171-179"
2024-12-03T16:02:58Z INFO [terraform executor] Ignore finding rule="aws-elb-alb-not-public" range="modules/alb/main.tf:214"
2024-12-03T16:02:58Z INFO Number of language-specific files num=0
2024-12-03T16:02:58Z INFO Detected config files num=12

cloudfront.tf (terraform)

Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0013 (HIGH): Distribution allows unencrypted communications.
════════════════════════════════════════
You should not use outdated/insecure TLS versions for encryption. You should be using TLS v1.2+.
Note that setting minimum_protocol_version = "TLSv1.2_2021" is only possible when cloudfront_default_certificate is false (eg. you are not using the cloudfront.net domain name).
If cloudfront_default_certificate is true then the Cloudfront API will only allow setting minimum_protocol_version = "TLSv1", and setting it to any other value will result in a perpetual diff in your terraform plans.
The only option when using the cloudfront.net domain name is to ignore this rule.

See https://avd.aquasec.com/misconfig/avd-aws-0013
────────────────────────────────────────
cloudfront.tf:244
via cloudfront.tf:241-245 (viewer_certificate)
via cloudfront.tf:177-267 (aws_cloudfront_distribution.external)
────────────────────────────────────────
177 resource "aws_cloudfront_distribution" "external" {
...
244 [ minimum_protocol_version = "TLSv1.2_2018"
...
267 }
────────────────────────────────────────

AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
cloudfront.tf:131-142
────────────────────────────────────────
131 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "cloudfront" {
132 │ bucket = aws_s3_bucket.cloudfront.id
133 │ rule {
134 │ apply_server_side_encryption_by_default {
135 │ sse_algorithm = "AES256"
136 │ }
137 │ }
138 │ # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
139 └ lifecycle {
...
────────────────────────────────────────

ec2.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default the aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using the metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
ec2.tf:6-43
────────────────────────────────────────
6 ┌ resource "aws_instance" "apex_db_instance" {
7 │ ami = local.application_data.accounts[local.environment].ec2amiid
8 │ associate_public_ip_address = false
9 │ availability_zone = "eu-west-2a"
10 │ ebs_optimized = true
11 │ instance_type = local.application_data.accounts[local.environment].ec2instancetype
12 │ vpc_security_group_ids = [aws_security_group.database.id]
13 │ monitoring = true
14 └ subnet_id = data.aws_subnet.data_subnets_a.id
..
────────────────────────────────────────

lambda.tf (terraform)

Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0088 (HIGH): Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.

See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
lambda.tf:107-113
────────────────────────────────────────
107 ┌ resource "aws_s3_bucket" "backup_lambda" {
108 │ bucket = "${local.application_name}-${local.environment}-backup-lambda"
109 │ tags = merge(
110 │ local.tags,
111 │ { Name = "${local.application_name}-${local.environment}-backup-lambda" }
112 │ )
113 └ }
────────────────────────────────────────

AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
lambda.tf:107-113
────────────────────────────────────────
107 ┌ resource "aws_s3_bucket" "backup_lambda" {
108 │ bucket = "${local.application_name}-${local.environment}-backup-lambda"
109 │ tags = merge(
110 │ local.tags,
111 │ { Name = "${local.application_name}-${local.environment}-backup-lambda" }
112 │ )
113 └ }
────────────────────────────────────────

modules/ecs/main.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0130 (HIGH): Launch template does not require IMDS access to require a token
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default the aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using the metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/aws-autoscaling-enforce-http-token-imds
────────────────────────────────────────
modules/ecs/main.tf:121
via modules/ecs/main.tf:119-123 (metadata_options)
via modules/ecs/main.tf:107-164 (aws_launch_template.ec2-launch-template)
via ecs.tf:5-38 (module.apex-ecs)
────────────────────────────────────────
107 resource "aws_launch_template" "ec2-launch-template" {
...
121 [ http_tokens = "optional"
...
164 }
────────────────────────────────────────

modules/s3/main.tf (terraform)

Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0088 (HIGH): Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.

See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
modules/s3/main.tf:1-4
────────────────────────────────────────
1 ┌ resource "aws_s3_bucket" "laa-lambda-backup" {
2 │ bucket = var.bucket_name
3 │ tags = var.tags
4 └ }
────────────────────────────────────────

AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
modules/s3/main.tf:1-4
────────────────────────────────────────
1 ┌ resource "aws_s3_bucket" "laa-lambda-backup" {
2 │ bucket = var.bucket_name
3 │ tags = var.tags
4 └ }
────────────────────────────────────────

trivy_exitcode=1

</details>

#### `Checkov Scan` Failed

<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/apex

*****************************

Running Checkov in terraform/environments/apex
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-12-03 16:03:01,004 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0:None (for external modules, the --download-external-modules flag is required)
2024-12-03 16:03:01,004 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 368, Failed checks: 102, Skipped checks: 5, Parsing errors: 1

Check: CKV_AWS_166: "Ensure Backup Vault is encrypted at rest using KMS CMK"
	FAILED for resource: aws_backup_vault.apex
	File: /backups.tf:6-12
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-backup-vault-is-encrypted-at-rest-using-kms-cmk

		6  | resource "aws_backup_vault" "apex" {
		7  |   name = "${local.application_name}-backup-vault"
		8  |   tags = merge(
		9  |     local.tags,
		10 |     { "Name" = "${local.application_name}-backup-vault" },
		11 |   )
		12 | }

Check: CKV_AWS_166: "Ensure Backup Vault is encrypted at rest using KMS CMK"
	FAILED for resource: aws_backup_vault.prod_apex
	File: /backups.tf:64-71
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-backup-vault-is-encrypted-at-rest-using-kms-cmk

		64 | resource "aws_backup_vault" "prod_apex" {
		65 |   count = local.environment == "production" ? 1 : 0
		66 |   name  = "${local.application_name}-production-backup-vault"
		67 |   tags = merge(
		68 |     local.tags,
		69 |     { "Name" = "${local.application_name}-production-backup-vault" },
		70 |   )
		71 | }

Check: CKV_AWS_300: "Ensure S3 lifecycle configuration sets period for aborting failed uploads"
	FAILED for resource: aws_s3_bucket_lifecycle_configuration.cloudfront
	File: /cloudfront.tf:157-175
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-300

		157 | resource "aws_s3_bucket_lifecycle_configuration" "cloudfront" {
		158 |   count  = local.environment == "production" ? 1 : 0
		159 |   bucket = aws_s3_bucket.cloudfront.id
		160 | 
		161 |   rule {
		162 |     id = "delete-after-90days"
		163 | 
		164 |     expiration {
		165 |       days = 90
		166 |     }
		167 | 
		168 |     noncurrent_version_expiration {
		169 |       newer_noncurrent_versions = 1
		170 |       noncurrent_days           = 90
		171 |     }
		172 | 
		173 |     status = "Enabled"
		174 |   }
		175 | }

Check: CKV_AWS_310: "Ensure CloudFront distributions should have origin failover configured"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:177-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-310

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_374: "Ensure AWS CloudFront web distribution has geo restriction enabled"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:177-267

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_305: "Ensure CloudFront distribution has a default root object configured"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:177-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-305

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_233: "Ensure Create before destroy for ACM certificates"
	FAILED for resource: aws_acm_certificate.cloudfront
	File: /cloudfront.tf:295-305
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-acm-certificate-enables-create-before-destroy

		295 | resource "aws_acm_certificate" "cloudfront" {
		296 |   domain_name               = local.cloudfront_domain
		297 |   validation_method         = "DNS"
		298 |   provider                  = aws.us-east-1
		299 |   subject_alternative_names = local.environment == "production" ? null : [local.lower_env_cloudfront_url]
		300 |   tags                      = local.tags
		301 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		302 |   lifecycle {
		303 |     prevent_destroy = false
		304 |   }
		305 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.apex_db_instance
	File: /ec2.tf:6-43
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		6  | resource "aws_instance" "apex_db_instance" {
		7  |   ami                         = local.application_data.accounts[local.environment].ec2amiid
		8  |   associate_public_ip_address = false
		9  |   availability_zone           = "eu-west-2a"
		10 |   ebs_optimized               = true
		11 |   instance_type               = local.application_data.accounts[local.environment].ec2instancetype
		12 |   vpc_security_group_ids      = [aws_security_group.database.id]
		13 |   monitoring                  = true
		14 |   subnet_id                   = data.aws_subnet.data_subnets_a.id
		15 |   iam_instance_profile        = aws_iam_instance_profile.ec2_instance_profile.id
		16 |   key_name                    = aws_key_pair.apex.key_name
		17 |   user_data_base64            = base64encode(local.database-instance-userdata)
		18 |   user_data_replace_on_change = false
		19 | 
		20 |   lifecycle {
		21 |     ignore_changes = [user_data_base64]
		22 |   }
		23 | 
		24 |   root_block_device {
		25 |     delete_on_termination = false
		26 |     encrypted             = true # TODO Confirm if encrypted volumes can work for OAS, as it looks like in MP they must be encrypted
		27 |     volume_size           = 60
		28 |     volume_type           = "gp2"
		29 |     tags = merge(
		30 |       local.tags,
		31 |       { "Name" = "${local.application_name}db-ec2-root" },
		32 |       { "backup" = "false" }
		33 |     )
		34 |   }
		35 | 
		36 |   tags = merge(
		37 |     local.tags,
		38 |     { "Name" = local.database_ec2_name },
		39 |     { "instance-scheduling" = "skip-scheduling" },
		40 |     { "backup" = "false" },
		41 |     local.backup_schedule_tags
		42 |   )
		43 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.db_lambda
	File: /ec2.tf:80-87
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		80 | resource "aws_vpc_security_group_ingress_rule" "db_lambda" {
		81 |   security_group_id            = aws_security_group.database.id
		82 |   description                  = "Allow Lambda SSH access for backup snapshots"
		83 |   referenced_security_group_id = aws_security_group.backup_lambda.id
		84 |   from_port                    = 22
		85 |   ip_protocol                  = "tcp"
		86 |   to_port                      = 22
		87 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.db_outbound
	File: /ec2.tf:108-112
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		108 | resource "aws_vpc_security_group_egress_rule" "db_outbound" {
		109 |   security_group_id = aws_security_group.database.id
		110 |   cidr_ipv4         = "0.0.0.0/0"
		111 |   ip_protocol       = "-1"
		112 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.ec2_instance_policy
	File: /ec2.tf:139-170
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		139 | resource "aws_iam_role_policy" "ec2_instance_policy" {
		140 |   name = "${local.application_name}-ec2-policy"
		141 |   role = aws_iam_role.ec2_instance_role.id
		142 |   policy = jsonencode({
		143 |     Version = "2012-10-17"
		144 |     Statement = [
		145 |       {
		146 |         Effect = "Allow",
		147 |         Action = [
		148 |           "logs:CreateLogGroup",
		149 |           "logs:CreateLogStream",
		150 |           "logs:DescribeLogStreams",
		151 |           "logs:PutRetentionPolicy",
		152 |           "logs:PutLogEvents",
		153 |           "logs:DescribeLogGroups",
		154 |           "cloudwatch:PutMetricData",
		155 |           "cloudwatch:GetMetricStatistics",
		156 |           "cloudwatch:ListMetrics",
		157 |           "ec2:DescribeInstances",
		158 |         ],
		159 |         Resource = "*"
		160 |       },
		161 |       {
		162 |         Effect = "Allow",
		163 |         Action = [
		164 |           "ec2:CreateTags"
		165 |         ],
		166 |         Resource = "*"
		167 |       }
		168 |     ]
		169 |   })
		170 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.ec2_instance_policy
	File: /ec2.tf:139-170
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		139 | resource "aws_iam_role_policy" "ec2_instance_policy" {
		140 |   name = "${local.application_name}-ec2-policy"
		141 |   role = aws_iam_role.ec2_instance_role.id
		142 |   policy = jsonencode({
		143 |     Version = "2012-10-17"
		144 |     Statement = [
		145 |       {
		146 |         Effect = "Allow",
		147 |         Action = [
		148 |           "logs:CreateLogGroup",
		149 |           "logs:CreateLogStream",
		150 |           "logs:DescribeLogStreams",
		151 |           "logs:PutRetentionPolicy",
		152 |           "logs:PutLogEvents",
		153 |           "logs:DescribeLogGroups",
		154 |           "cloudwatch:PutMetricData",
		155 |           "cloudwatch:GetMetricStatistics",
		156 |           "cloudwatch:ListMetrics",
		157 |           "ec2:DescribeInstances",
		158 |         ],
		159 |         Resource = "*"
		160 |       },
		161 |       {
		162 |         Effect = "Allow",
		163 |         Action = [
		164 |           "ec2:CreateTags"
		165 |         ],
		166 |         Resource = "*"
		167 |       }
		168 |     ]
		169 |   })
		170 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.database
	File: /ec2.tf:272-282
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		272 | resource "aws_cloudwatch_log_group" "database" {
		273 |   name              = "${upper(local.application_name)}-EC2-database-alert"
		274 |   retention_in_days = 0
		275 |   # kms_key_id = aws_kms_key.cloudwatch_logs_key.arn # Not encrypted in LZ
		276 |   tags = merge(
		277 |     local.tags,
		278 |     {
		279 |       Name = "${upper(local.application_name)}-EC2-database-alert"
		280 |     }
		281 |   )
		282 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.pmon_status
	File: /ec2.tf:297-307
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		297 | resource "aws_cloudwatch_log_group" "pmon_status" {
		298 |   name              = "${upper(local.application_name)}-EC2-database-pmon-status"
		299 |   retention_in_days = 0
		300 |   # kms_key_id = aws_kms_key.cloudwatch_logs_key.arn # Not encrypted in LZ
		301 |   tags = merge(
		302 |     local.tags,
		303 |     {
		304 |       Name = "${upper(local.application_name)}-EC2-database-pmon-status"
		305 |     }
		306 |   )
		307 | }

Check: CKV_AWS_7: "Ensure rotation for customer created CMKs is enabled"
	FAILED for resource: aws_kms_key.efs
	File: /efs.tf:1-5
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/logging-8

		1 | resource "aws_kms_key" "efs" {
		2 |   description = "KMS key for encrypting EFS"
		3 |   # enable_key_rotation = true
		4 |   tags = local.tags
		5 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.ssh_key
	File: /lambda.tf:8-23
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		8  | resource "aws_ssm_parameter" "ssh_key" {
		9  |   name        = "EC2_SSH_KEY" # This needs to match the name supplied to the dbconnect.js script
		10 |   description = "SSH Key used by Lambda function to access database instance for backup. Value is updated manually."
		11 |   type        = "SecureString"
		12 |   value       = "Placeholder"
		13 | 
		14 |   tags = merge(
		15 |     local.tags,
		16 |     { Name = "EC2_SSH_KEY" }
		17 |   )
		18 |   lifecycle {
		19 |     ignore_changes = [
		20 |       value,
		21 |     ]
		22 |   }
		23 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:51-91
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		51 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		52 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		53 |   tags = merge(
		54 |     local.tags,
		55 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		56 |   )
		57 |   policy = <<EOF
		58 | {
		59 |     "Version" : "2012-10-17",
		60 |     "Statement": [
		61 |         {
		62 |             "Action": [
		63 |                 "lambda:InvokeFunction",
		64 |                 "ec2:CreateNetworkInterface",
		65 |                 "ec2:DescribeNetworkInterfaces",
		66 |                 "ec2:DeleteNetworkInterface",
		67 |                 "ec2:DescribeSecurityGroups",
		68 |                 "ec2:CreateSnapshot",
		69 |                 "ec2:DeleteSnapshot",
		70 |                 "ec2:DescribeSubnets",
		71 |                 "ec2:DescribeVpcs",
		72 |                 "ec2:DescribeInstances",
		73 |                 "ec2:DescribeAddresses",
		74 |                 "ec2:DescribeInstanceStatus",
		75 |                 "ec2:DescribeVolumes",
		76 |                 "ec2:DescribeSnapshots",
		77 |                 "ec2:CreateTags",
		78 |                 "s3:*",
		79 |                 "ssm:*",
		80 |                 "ses:*",
		81 |                 "logs:*",
		82 |                 "cloudwatch:*",
		83 |                 "sts:AssumeRole"
		84 |             ],
		85 |             "Resource": "*",
		86 |             "Effect": "Allow"
		87 |         }
		88 |     ]
		89 | }
		90 | EOF
		91 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:51-91
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		51 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		52 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		53 |   tags = merge(
		54 |     local.tags,
		55 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		56 |   )
		57 |   policy = <<EOF
		58 | {
		59 |     "Version" : "2012-10-17",
		60 |     "Statement": [
		61 |         {
		62 |             "Action": [
		63 |                 "lambda:InvokeFunction",
		64 |                 "ec2:CreateNetworkInterface",
		65 |                 "ec2:DescribeNetworkInterfaces",
		66 |                 "ec2:DeleteNetworkInterface",
		67 |                 "ec2:DescribeSecurityGroups",
		68 |                 "ec2:CreateSnapshot",
		69 |                 "ec2:DeleteSnapshot",
		70 |                 "ec2:DescribeSubnets",
		71 |                 "ec2:DescribeVpcs",
		72 |                 "ec2:DescribeInstances",
		73 |                 "ec2:DescribeAddresses",
		74 |                 "ec2:DescribeInstanceStatus",
		75 |                 "ec2:DescribeVolumes",
		76 |                 "ec2:DescribeSnapshots",
		77 |                 "ec2:CreateTags",
		78 |                 "s3:*",
		79 |                 "ssm:*",
		80 |                 "ses:*",
		81 |                 "logs:*",
		82 |                 "cloudwatch:*",
		83 |                 "sts:AssumeRole"
		84 |             ],
		85 |             "Resource": "*",
		86 |             "Effect": "Allow"
		87 |         }
		88 |     ]
		89 | }
		90 | EOF
		91 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:51-91
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		51 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		52 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		53 |   tags = merge(
		54 |     local.tags,
		55 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		56 |   )
		57 |   policy = <<EOF
		58 | {
		59 |     "Version" : "2012-10-17",
		60 |     "Statement": [
		61 |         {
		62 |             "Action": [
		63 |                 "lambda:InvokeFunction",
		64 |                 "ec2:CreateNetworkInterface",
		65 |                 "ec2:DescribeNetworkInterfaces",
		66 |                 "ec2:DeleteNetworkInterface",
		67 |                 "ec2:DescribeSecurityGroups",
		68 |                 "ec2:CreateSnapshot",
		69 |                 "ec2:DeleteSnapshot",
		70 |                 "ec2:DescribeSubnets",
		71 |                 "ec2:DescribeVpcs",
		72 |                 "ec2:DescribeInstances",
		73 |                 "ec2:DescribeAddresses",
		74 |                 "ec2:DescribeInstanceStatus",
		75 |                 "ec2:DescribeVolumes",
		76 |                 "ec2:DescribeSnapshots",
		77 |                 "ec2:CreateTags",
		78 |                 "s3:*",
		79 |                 "ssm:*",
		80 |                 "ses:*",
		81 |                 "logs:*",
		82 |                 "cloudwatch:*",
		83 |                 "sts:AssumeRole"
		84 |             ],
		85 |             "Resource": "*",
		86 |             "Effect": "Allow"
		87 |         }
		88 |     ]
		89 | }
		90 | EOF
		91 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:51-91
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		51 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		52 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		53 |   tags = merge(
		54 |     local.tags,
		55 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		56 |   )
		57 |   policy = <<EOF
		58 | {
		59 |     "Version" : "2012-10-17",
		60 |     "Statement": [
		61 |         {
		62 |             "Action": [
		63 |                 "lambda:InvokeFunction",
		64 |                 "ec2:CreateNetworkInterface",
		65 |                 "ec2:DescribeNetworkInterfaces",
		66 |                 "ec2:DeleteNetworkInterface",
		67 |                 "ec2:DescribeSecurityGroups",
		68 |                 "ec2:CreateSnapshot",
		69 |                 "ec2:DeleteSnapshot",
		70 |                 "ec2:DescribeSubnets",
		71 |                 "ec2:DescribeVpcs",
		72 |                 "ec2:DescribeInstances",
		73 |                 "ec2:DescribeAddresses",
		74 |                 "ec2:DescribeInstanceStatus",
		75 |                 "ec2:DescribeVolumes",
		76 |                 "ec2:DescribeSnapshots",
		77 |                 "ec2:CreateTags",
		78 |                 "s3:*",
		79 |                 "ssm:*",
		80 |                 "ses:*",
		81 |                 "logs:*",
		82 |                 "cloudwatch:*",
		83 |                 "sts:AssumeRole"
		84 |             ],
		85 |             "Resource": "*",
		86 |             "Effect": "Allow"
		87 |         }
		88 |     ]
		89 | }
		90 | EOF
		91 | }

Check: CKV_AWS_287: "Ensure IAM policies does not allow credentials exposure"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:51-91
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-287

		51 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		52 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		53 |   tags = merge(
		54 |     local.tags,
		55 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		56 |   )
		57 |   policy = <<EOF
		58 | {
		59 |     "Version" : "2012-10-17",
		60 |     "Statement": [
		61 |         {
		62 |             "Action": [
		63 |                 "lambda:InvokeFunction",
		64 |                 "ec2:CreateNetworkInterface",
		65 |                 "ec2:DescribeNetworkInterfaces",
		66 |                 "ec2:DeleteNetworkInterface",
		67 |                 "ec2:DescribeSecurityGroups",
		68 |                 "ec2:CreateSnapshot",
		69 |                 "ec2:DeleteSnapshot",
		70 |                 "ec2:DescribeSubnets",
		71 |                 "ec2:DescribeVpcs",
		72 |                 "ec2:DescribeInstances",
		73 |                 "ec2:DescribeAddresses",
		74 |                 "ec2:DescribeInstanceStatus",
		75 |                 "ec2:DescribeVolumes",
		76 |                 "ec2:DescribeSnapshots",
		77 |                 "ec2:CreateTags",
		78 |                 "s3:*",
		79 |                 "ssm:*",
		80 |                 "ses:*",
		81 |                 "logs:*",
		82 |                 "cloudwatch:*",
		83 |                 "sts:AssumeRole"
		84 |             ],
		85 |             "Resource": "*",
		86 |             "Effect": "Allow"
		87 |         }
		88 |     ]
		89 | }
		90 | EOF
		91 | }

Check: CKV_AWS_382: "Ensure no security groups allow egress from 0.0.0.0:0 to port -1"
	FAILED for resource: aws_security_group.backup_lambda
	File: /lambda.tf:190-207

		190 | resource "aws_security_group" "backup_lambda" {
		191 |   name        = "${local.application_name}-${local.environment}-backup-lambda-security-group"
		192 |   description = "Bakcup Lambda Security Group"
		193 |   vpc_id      = data.aws_vpc.shared.id
		194 | 
		195 |   egress {
		196 |     description = "outbound access"
		197 |     from_port   = 0
		198 |     to_port     = 0
		199 |     protocol    = "-1"
		200 |     cidr_blocks = ["0.0.0.0/0"]
		201 |   }
		202 | 
		203 |   tags = merge(
		204 |     local.tags,
		205 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-security-group" }
		206 |   )
		207 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /lambda.tf:222-250
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		222 | resource "aws_lambda_function" "create_db_snapshots" {
		223 | 
		224 |   description      = "Snapshot volumes for Oracle EC2"
		225 |   function_name    = "snapshotDBFunction"
		226 |   role             = aws_iam_role.backup_lambda.arn
		227 |   handler          = "snapshot/dbsnapshot.handler"
		228 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		229 |   runtime          = "nodejs18.x"
		230 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		231 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		232 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		233 |   memory_size      = 128
		234 |   timeout          = 900
		235 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		236 | 
		237 |   environment {
		238 |     variables = {
		239 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		240 |     }
		241 |   }
		242 |   vpc_config {
		243 |     security_group_ids = [aws_security_group.backup_lambda.id]
		244 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		245 |   }
		246 |   tags = merge(
		247 |     local.tags,
		248 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		249 |   )
		250 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /lambda.tf:222-250
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		222 | resource "aws_lambda_function" "create_db_snapshots" {
		223 | 
		224 |   description      = "Snapshot volumes for Oracle EC2"
		225 |   function_name    = "snapshotDBFunction"
		226 |   role             = aws_iam_role.backup_lambda.arn
		227 |   handler          = "snapshot/dbsnapshot.handler"
		228 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		229 |   runtime          = "nodejs18.x"
		230 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		231 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		232 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		233 |   memory_size      = 128
		234 |   timeout          = 900
		235 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		236 | 
		237 |   environment {
		238 |     variables = {
		239 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		240 |     }
		241 |   }
		242 |   vpc_config {
		243 |     security_group_ids = [aws_security_group.backup_lambda.id]
		244 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		245 |   }
		246 |   tags = merge(
		247 |     local.tags,
		248 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		249 |   )
		250 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /lambda.tf:222-250
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		222 | resource "aws_lambda_function" "create_db_snapshots" {
		223 | 
		224 |   description      = "Snapshot volumes for Oracle EC2"
		225 |   function_name    = "snapshotDBFunction"
		226 |   role             = aws_iam_role.backup_lambda.arn
		227 |   handler          = "snapshot/dbsnapshot.handler"
		228 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		229 |   runtime          = "nodejs18.x"
		230 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		231 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		232 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		233 |   memory_size      = 128
		234 |   timeout          = 900
		235 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		236 | 
		237 |   environment {
		238 |     variables = {
		239 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		240 |     }
		241 |   }
		242 |   vpc_config {
		243 |     security_group_ids = [aws_security_group.backup_lambda.id]
		244 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		245 |   }
		246 |   tags = merge(
		247 |     local.tags,
		248 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		249 |   )
		250 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /lambda.tf:222-250
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		222 | resource "aws_lambda_function" "create_db_snapshots" {
		223 | 
		224 |   description      = "Snapshot volumes for Oracle EC2"
		225 |   function_name    = "snapshotDBFunction"
		226 |   role             = aws_iam_role.backup_lambda.arn
		227 |   handler          = "snapshot/dbsnapshot.handler"
		228 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		229 |   runtime          = "nodejs18.x"
		230 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		231 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		232 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		233 |   memory_size      = 128
		234 |   timeout          = 900
		235 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		236 | 
		237 |   environment {
		238 |     variables = {
		239 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		240 |     }
		241 |   }
		242 |   vpc_config {
		243 |     security_group_ids = [aws_security_group.backup_lambda.id]
		244 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		245 |   }
		246 |   tags = merge(
		247 |     local.tags,
		248 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		249 |   )
		250 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /lambda.tf:222-250
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		222 | resource "aws_lambda_function" "create_db_snapshots" {
		223 | 
		224 |   description      = "Snapshot volumes for Oracle EC2"
		225 |   function_name    = "snapshotDBFunction"
		226 |   role             = aws_iam_role.backup_lambda.arn
		227 |   handler          = "snapshot/dbsnapshot.handler"
		228 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		229 |   runtime          = "nodejs18.x"
		230 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		231 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		232 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		233 |   memory_size      = 128
		234 |   timeout          = 900
		235 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		236 | 
		237 |   environment {
		238 |     variables = {
		239 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		240 |     }
		241 |   }
		242 |   vpc_config {
		243 |     security_group_ids = [aws_security_group.backup_lambda.id]
		244 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		245 |   }
		246 |   tags = merge(
		247 |     local.tags,
		248 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		249 |   )
		250 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /lambda.tf:252-274
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		252 | resource "aws_lambda_function" "delete_db_snapshots" {
		253 | 
		254 |   description      = "Clean up script to delete old unused snapshots"
		255 |   function_name    = "deletesnapshotFunction"
		256 |   role             = aws_iam_role.backup_lambda.arn
		257 |   handler          = "deletesnapshots.lambda_handler"
		258 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		259 |   runtime          = "python3.8"
		260 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		261 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		262 |   memory_size      = 3000
		263 |   timeout          = 900
		264 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		265 | 
		266 |   vpc_config {
		267 |     security_group_ids = [aws_security_group.backup_lambda.id]
		268 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		269 |   }
		270 |   tags = merge(
		271 |     local.tags,
		272 |     { Name = "${local.application_name}-${local.environment}-lambda-delete-snapshots" }
		273 |   )
		274 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /lambda.tf:252-274
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		252 | resource "aws_lambda_function" "delete_db_snapshots" {
		253 | 
		254 |   description      = "Clean up script to delete old unused snapshots"
		255 |   function_name    = "deletesnapshotFunction"
		256 |   role             = aws_iam_role.backup_lambda.arn
		257 |   handler          = "deletesnapshots.lambda_handler"
		258 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		259 |   runtime          = "python3.8"
		260 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		261 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		262 |   memory_size      = 3000
		263 |   timeout          = 900
		264 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		265 | 
		266 |   vpc_config {
		267 |     security_group_ids = [aws_security_group.backup_lambda.id]
		268 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		269 |   }
		270 |   tags = merge(
		271 |     local.tags,
		272 |     { Name = "${local.application_name}-${local.environment}-lambda-delete-snapshots" }
		273 |   )
		274 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /lambda.tf:252-274
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		252 | resource "aws_lambda_function" "delete_db_snapshots" {
		253 | 
		254 |   description      = "Clean up script to delete old unused snapshots"
		255 |   function_name    = "deletesnapshotFunction"
		256 |   role             = aws_iam_role.backup_lambda.arn
		257 |   handler          = "deletesnapshots.lambda_handler"
		258 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		259 |   runtime          = "python3.8"
		260 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		261 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		262 |   memory_size      = 3000
		263 |   timeout          = 900
		264 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		265 | 
		266 |   vpc_config {
		267 |     security_group_ids = [aws_security_group.backup_lambda.id]
		268 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		269 |   }
		270 |   tags = merge(
		271 |     local.tags,
		272 |     { Name = "${local.application_name}-${local.environment}-lambda-delete-snapshots" }
		273 |   )
		274 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /lambda.tf:252-274
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		252 | resource "aws_lambda_function" "delete_db_snapshots" {
		253 | 
		254 |   description      = "Clean up script to delete old unused snapshots"
		255 |   function_name    = "deletesnapshotFunction"
		256 |   role             = aws_iam_role.backup_lambda.arn
		257 |   handler          = "deletesnapshots.lambda_handler"
		258 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		259 |   runtime          = "python3.8"
		260 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		261 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		262 |   memory_size      = 3000
		263 |   timeout          = 900
		264 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		265 | 
		266 |   vpc_config {
		267 |     security_group_ids = [aws_security_group.backup_lambda.id]
		268 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		269 |   }
		270 |   tags = merge(
		271 |     local.tags,
		272 |     { Name = "${local.application_name}-${local.environment}-lambda-delete-snapshots" }
		273 |   )
		274 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.connect_db
	File: /lambda.tf:276-307
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		276 | resource "aws_lambda_function" "connect_db" {
		277 | 
		278 |   description      = "SSH to the DB EC2"
		279 |   function_name    = "connectDBFunction"
		280 |   role             = aws_iam_role.backup_lambda.arn
		281 |   handler          = "ssh/dbconnect.handler"
		282 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		283 |   runtime          = "nodejs18.x"
		284 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		285 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		286 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		287 |   memory_size      = 128
		288 |   timeout          = 900
		289 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		290 | 
		291 | 
		292 | 
		293 |   environment {
		294 |     variables = {
		295 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		296 | 
		297 |     }
		298 |   }
		299 |   vpc_config {
		300 |     security_group_ids = [aws_security_group.backup_lambda.id]
		301 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		302 |   }
		303 |   tags = merge(
		304 |     local.tags,
		305 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		306 |   )
		307 | }
Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.connect_db
	File: /lambda.tf:276-307
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		276 | resource "aws_lambda_function" "connect_db" {
		277 | 
		278 |   description      = "SSH to the DB EC2"
		279 |   function_name    = "connectDBFunction"
		280 |   role             = aws_iam_role.backup_lambda.arn
		281 |   handler          = "ssh/dbconnect.handler"
		282 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		283 |   runtime          = "nodejs18.x"
		284 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		285 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		286 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		287 |   memory_size      = 128
		288 |   timeout          = 900
		289 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		290 | 
		291 | 
		292 | 
		293 |   environment {
		294 |     variables = {
		295 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		296 | 
		297 |     }
		298 |   }
		299 |   vpc_config {
		300 |     security_group_ids = [aws_security_group.backup_lambda.id]
		301 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		302 |   }
		303 |   tags = merge(
		304 |     local.tags,
		305 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		306 |   )
		307 | }
Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.connect_db
	File: /lambda.tf:276-307
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		276 | resource "aws_lambda_function" "connect_db" {
		277 | 
		278 |   description      = "SSH to the DB EC2"
		279 |   function_name    = "connectDBFunction"
		280 |   role             = aws_iam_role.backup_lambda.arn
		281 |   handler          = "ssh/dbconnect.handler"
		282 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		283 |   runtime          = "nodejs18.x"
		284 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		285 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		286 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		287 |   memory_size      = 128
		288 |   timeout          = 900
		289 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		290 | 
		291 | 
		292 | 
		293 |   environment {
		294 |     variables = {
		295 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		296 | 
		297 |     }
		298 |   }
		299 |   vpc_config {
		300 |     security_group_ids = [aws_security_group.backup_lambda.id]
		301 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		302 |   }
		303 |   tags = merge(
		304 |     local.tags,
		305 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		306 |   )
		307 | }
Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.connect_db
	File: /lambda.tf:276-307
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		276 | resource "aws_lambda_function" "connect_db" {
		277 | 
		278 |   description      = "SSH to the DB EC2"
		279 |   function_name    = "connectDBFunction"
		280 |   role             = aws_iam_role.backup_lambda.arn
		281 |   handler          = "ssh/dbconnect.handler"
		282 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		283 |   runtime          = "nodejs18.x"
		284 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		285 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		286 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		287 |   memory_size      = 128
		288 |   timeout          = 900
		289 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		290 | 
		291 | 
		292 | 
		293 |   environment {
		294 |     variables = {
		295 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		296 | 
		297 |     }
		298 |   }
		299 |   vpc_config {
		300 |     security_group_ids = [aws_security_group.backup_lambda.id]
		301 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		302 |   }
		303 |   tags = merge(
		304 |     local.tags,
		305 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		306 |   )
		307 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.connect_db
	File: /lambda.tf:276-307
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		276 | resource "aws_lambda_function" "connect_db" {
		277 | 
		278 |   description      = "SSH to the DB EC2"
		279 |   function_name    = "connectDBFunction"
		280 |   role             = aws_iam_role.backup_lambda.arn
		281 |   handler          = "ssh/dbconnect.handler"
		282 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		283 |   runtime          = "nodejs18.x"
		284 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		285 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		286 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		287 |   memory_size      = 128
		288 |   timeout          = 900
		289 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		290 | 
		291 | 
		292 | 
		293 |   environment {
		294 |     variables = {
		295 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		296 | 
		297 |     }
		298 |   }
		299 |   vpc_config {
		300 |     security_group_ids = [aws_security_group.backup_lambda.id]
		301 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		302 |   }
		303 |   tags = merge(
		304 |     local.tags,
		305 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		306 |   )
		307 | }
Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: module.alb.aws_secretsmanager_secret.cloudfront
	File: /modules/alb/main.tf:275-278
	Calling File: /alb.tf:27-163
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		275 | resource "aws_secretsmanager_secret" "cloudfront" {
		276 |   name        = "cloudfront-v1-secret-${var.application_name}"
		277 |   description = "Simple secret created by AWS CloudFormation to be shared between ALB and CloudFront"
		278 | }

Check: CKV_AWS_233: "Ensure Create before destroy for ACM certificates"
	FAILED for resource: module.alb.aws_acm_certificate.external_lb
	File: /modules/alb/main.tf:427-437
	Calling File: /alb.tf:27-163
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-acm-certificate-enables-create-before-destroy

		427 | resource "aws_acm_certificate" "external_lb" {
		428 | 
		429 |   domain_name               = var.acm_cert_domain_name
		430 |   validation_method         = "DNS"
		431 |   subject_alternative_names = var.environment == "production" ? null : ["${var.application_name}.${var.business_unit}-${var.environment}.${var.acm_cert_domain_name}"]
		432 |   tags                      = var.tags
		433 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		434 |   lifecycle {
		435 |     prevent_destroy = false
		436 |   }
		437 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.alb.s3-bucket[0]
	File: /modules/alb/main.tf:96-151
	Calling File: /alb.tf:27-163
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_300: "Ensure S3 lifecycle configuration sets period for aborting failed uploads"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket_lifecycle_configuration.report_lifecycle
	File: /modules/codebuild/main.tf:25-39
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-300

		25 | resource "aws_s3_bucket_lifecycle_configuration" "report_lifecycle" {
		26 |   bucket = aws_s3_bucket.deployment_report.id
		27 | 
		28 |   rule {
		29 |     id = "monthly-expiration"
		30 |     expiration {
		31 |       days = var.s3_lifecycle_expiration_days
		32 |     }
		33 |     noncurrent_version_expiration {
		34 |       noncurrent_days = var.s3_lifecycle_noncurr_version_expiration_days
		35 |     }
		36 | 
		37 |     status = "Enabled"
		38 |   }
		39 | }

Check: CKV_AWS_163: "Ensure ECR image scanning on push is enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_ecr_repository.local-ecr
	File: /modules/codebuild/main.tf:52-66
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-8

		52 | resource "aws_ecr_repository" "local-ecr" {
		53 |   name                 = "${var.app_name}-local-ecr"
		54 |   image_tag_mutability = "MUTABLE"
		55 | 
		56 |   image_scanning_configuration {
		57 |     scan_on_push = false
		58 |   }
		59 | 
		60 |   tags = merge(
		61 |     var.tags,
		62 |     {
		63 |       Name = "${var.app_name}-local-ecr"
		64 |     },
		65 |   )
		66 | }

Check: CKV_AWS_51: "Ensure ECR Image Tags are immutable"
	FAILED for resource: module.apex-ecr-codebuild.aws_ecr_repository.local-ecr
	File: /modules/codebuild/main.tf:52-66
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-24

		52 | resource "aws_ecr_repository" "local-ecr" {
		53 |   name                 = "${var.app_name}-local-ecr"
		54 |   image_tag_mutability = "MUTABLE"
		55 | 
		56 |   image_scanning_configuration {
		57 |     scan_on_push = false
		58 |   }
		59 | 
		60 |   tags = merge(
		61 |     var.tags,
		62 |     {
		63 |       Name = "${var.app_name}-local-ecr"
		64 |     },
		65 |   )
		66 | }

Check: CKV_AWS_136: "Ensure that ECR repositories are encrypted using KMS"
	FAILED for resource: module.apex-ecr-codebuild.aws_ecr_repository.local-ecr
	File: /modules/codebuild/main.tf:52-66
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ecr-repositories-are-encrypted

		52 | resource "aws_ecr_repository" "local-ecr" {
		53 |   name                 = "${var.app_name}-local-ecr"
		54 |   image_tag_mutability = "MUTABLE"
		55 | 
		56 |   image_scanning_configuration {
		57 |     scan_on_push = false
		58 |   }
		59 | 
		60 |   tags = merge(
		61 |     var.tags,
		62 |     {
		63 |       Name = "${var.app_name}-local-ecr"
		64 |     },
		65 |   )
		66 | }

Check: CKV_AWS_314: "Ensure CodeBuild project environments have a logging configuration"
	FAILED for resource: module.apex-ecr-codebuild.aws_codebuild_project.app-build
	File: /modules/codebuild/main.tf:163-229
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-314

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_316: "Ensure CodeBuild project environments do not have privileged mode enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_codebuild_project.app-build
	File: /modules/codebuild/main.tf:163-229
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-316

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_314: "Ensure CodeBuild project environments have a logging configuration"
	FAILED for resource: module.apex-ecr-codebuild.aws_codebuild_project.test-build
	File: /modules/codebuild/main.tf:231-280
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-314

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: module.apex-ecs.aws_launch_template.ec2-launch-template
	File: /modules/ecs/main.tf:107-164
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_341: "Ensure Launch template should not have a metadata response hop limit greater than 1"
	FAILED for resource: module.apex-ecs.aws_launch_template.ec2-launch-template
	File: /modules/ecs/main.tf:107-164
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-341

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: module.apex-ecs.aws_iam_policy.ec2_instance_policy
	File: /modules/ecs/main.tf:204-237
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		204 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		205 |   name = "${var.app_name}-ec2-instance-policy"
		206 |   tags = merge(
		207 |     var.tags_common,
		208 |     {
		209 |       Name = "${var.app_name}-ec2-instance-policy"
		210 |     }
		211 |   )
		212 |   policy = <<EOF
		213 | {
		214 |     "Version": "2012-10-17",
		215 |     "Statement": [
		216 |         {
		217 |             "Action": [
		218 |                 "ecs:CreateCluster",
		219 |                 "ecs:DeregisterContainerInstance",
		220 |                 "ecs:DiscoverPollEndpoint",
		221 |                 "ecs:Poll",
		222 |                 "ecs:RegisterContainerInstance",
		223 |                 "ecs:StartTelemetrySession",
		224 |                 "ecs:Submit*",
		225 |                 "logs:CreateLogGroup",
		226 |                 "logs:CreateLogStream",
		227 |                 "logs:PutLogEvents",
		228 |                 "logs:DescribeLogStreams",
		229 |                 "ecr:*"
		230 |             ],
		231 |             "Resource": "*",
		232 |             "Effect": "Allow"
		233 |         }
		234 |     ]
		235 | }
		236 | EOF
		237 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.apex-ecs.aws_iam_policy.ec2_instance_policy
	File: /modules/ecs/main.tf:204-237
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		204 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		205 |   name = "${var.app_name}-ec2-instance-policy"
		206 |   tags = merge(
		207 |     var.tags_common,
		208 |     {
		209 |       Name = "${var.app_name}-ec2-instance-policy"
		210 |     }
		211 |   )
		212 |   policy = <<EOF
		213 | {
		214 |     "Version": "2012-10-17",
		215 |     "Statement": [
		216 |         {
		217 |             "Action": [
		218 |                 "ecs:CreateCluster",
		219 |                 "ecs:DeregisterContainerInstance",
		220 |                 "ecs:DiscoverPollEndpoint",
		221 |                 "ecs:Poll",
		222 |                 "ecs:RegisterContainerInstance",
		223 |                 "ecs:StartTelemetrySession",
		224 |                 "ecs:Submit*",
		225 |                 "logs:CreateLogGroup",
		226 |                 "logs:CreateLogStream",
		227 |                 "logs:PutLogEvents",
		228 |                 "logs:DescribeLogStreams",
		229 |                 "ecr:*"
		230 |             ],
		231 |             "Resource": "*",
		232 |             "Effect": "Allow"
		233 |         }
		234 |     ]
		235 | }
		236 | EOF
		237 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: module.apex-ecs.aws_iam_policy.ec2_instance_policy
	File: /modules/ecs/main.tf:204-237
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		204 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		205 |   name = "${var.app_name}-ec2-instance-policy"
		206 |   tags = merge(
		207 |     var.tags_common,
		208 |     {
		209 |       Name = "${var.app_name}-ec2-instance-policy"
		210 |     }
		211 |   )
		212 |   policy = <<EOF
		213 | {
		214 |     "Version": "2012-10-17",
		215 |     "Statement": [
		216 |         {
		217 |             "Action": [
		218 |                 "ecs:CreateCluster",
		219 |                 "ecs:DeregisterContainerInstance",
		220 |                 "ecs:DiscoverPollEndpoint",
		221 |                 "ecs:Poll",
		222 |                 "ecs:RegisterContainerInstance",
		223 |                 "ecs:StartTelemetrySession",
		224 |                 "ecs:Submit*",
		225 |                 "logs:CreateLogGroup",
		226 |                 "logs:CreateLogStream",
		227 |                 "logs:PutLogEvents",
		228 |                 "logs:DescribeLogStreams",
		229 |                 "ecr:*"
		230 |             ],
		231 |             "Resource": "*",
		232 |             "Effect": "Allow"
		233 |         }
		234 |     ]
		235 | }
		236 | EOF
		237 | }

Check: CKV_AWS_249: "Ensure that the Execution Role ARN and the Task Role ARN are different in ECS Task definitions"
	FAILED for resource: module.apex-ecs.aws_ecs_task_definition.windows_ecs_task_definition
	File: /modules/ecs/main.tf:266-287
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-the-aws-execution-role-arn-and-task-role-arn-are-different-in-ecs-task-definitions

		266 | resource "aws_ecs_task_definition" "windows_ecs_task_definition" {
		267 |   family             = "${var.app_name}-task-definition"
		268 |   count              = var.container_instance_type == "windows" ? 1 : 0
		269 |   execution_role_arn = aws_iam_role.ecs_task_execution_role.arn # grants the Amazon ECS container agents permission to make AWS API calls on your behalf
		270 |   task_role_arn      = aws_iam_role.ecs_task_execution_role.arn # assumed by the containers running in the task, allowing your application code (on the container) to use other AWS services
		271 |   requires_compatibilities = [
		272 |     "EC2",
		273 |   ]
		274 | 
		275 |   # volume {
		276 |   #   name = var.task_definition_volume
		277 |   # }
		278 | 
		279 |   container_definitions = var.task_definition
		280 | 
		281 |   tags = merge(
		282 |     var.tags_common,
		283 |     {
		284 |       Name = "${var.app_name}-windows-task-definition"
		285 |     }
		286 |   )
		287 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.apex-ecs.aws_iam_policy.ecs_service
	File: /modules/ecs/main.tf:439-467
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		439 | resource "aws_iam_policy" "ecs_service" { #tfsec:ignore:aws-iam-no-policy-wildcards
		440 |   name = "${var.app_name}-ecs-service-policy"
		441 |   tags = merge(
		442 |     var.tags_common,
		443 |     {
		444 |       Name = "${var.app_name}-ecs-service-policy"
		445 |     }
		446 |   )
		447 |   policy = <<EOF
		448 | {
		449 |   "Version": "2012-10-17",
		450 |   "Statement": [
		451 |     {
		452 |       "Effect": "Allow",
		453 |       "Action": [
		454 |         "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
		455 |         "elasticloadbalancing:DeregisterTargets",
		456 |         "elasticloadbalancing:Describe*",
		457 |         "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
		458 |         "elasticloadbalancing:RegisterTargets",
		459 |         "ec2:Describe*",
		460 |         "ec2:AuthorizeSecurityGroupIngress"
		461 |       ],
		462 |       "Resource": ["*"]
		463 |     }
		464 |   ]
		465 | }
		466 | EOF
		467 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: module.apex-ecs.aws_iam_policy.ecs_service
	File: /modules/ecs/main.tf:439-467
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		439 | resource "aws_iam_policy" "ecs_service" { #tfsec:ignore:aws-iam-no-policy-wildcards
		440 |   name = "${var.app_name}-ecs-service-policy"
		441 |   tags = merge(
		442 |     var.tags_common,
		443 |     {
		444 |       Name = "${var.app_name}-ecs-service-policy"
		445 |     }
		446 |   )
		447 |   policy = <<EOF
		448 | {
		449 |   "Version": "2012-10-17",
		450 |   "Statement": [
		451 |     {
		452 |       "Effect": "Allow",
		453 |       "Action": [
		454 |         "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
		455 |         "elasticloadbalancing:DeregisterTargets",
		456 |         "elasticloadbalancing:Describe*",
		457 |         "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
		458 |         "elasticloadbalancing:RegisterTargets",
		459 |         "ec2:Describe*",
		460 |         "ec2:AuthorizeSecurityGroupIngress"
		461 |       ],
		462 |       "Resource": ["*"]
		463 |     }
		464 |   ]
		465 | }
		466 | EOF
		467 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: module.apex-ecs.aws_cloudwatch_log_group.cloudwatch_group
	File: /modules/ecs/main.tf:488-499
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		488 | resource "aws_cloudwatch_log_group" "cloudwatch_group" {
		489 |   #checkov:skip=CKV_AWS_158:Temporarily skip KMS encryption check while logging solution is being updated
		490 |   name              = "${var.app_name}-ecs-container-logs"
		491 |   retention_in_days = 90
		492 |   kms_key_id        = var.log_group_kms_key
		493 |   tags = merge(
		494 |     var.tags_common,
		495 |     {
		496 |       Name = "${var.app_name}-ecs-container-logs"
		497 |     }
		498 |   )
		499 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: module.apex-ecs.aws_cloudwatch_log_group.ec2
	File: /modules/ecs/main.tf:506-516
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		506 | resource "aws_cloudwatch_log_group" "ec2" {
		507 |   name              = "${var.app_name}-ecs-ec2-logs"
		508 |   retention_in_days = 90
		509 |   kms_key_id        = var.log_group_kms_key
		510 |   tags = merge(
		511 |     var.tags_common,
		512 |     {
		513 |       Name = "${var.app_name}-ecs-ec2-logs"
		514 |     }
		515 |   )
		516 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy.backuplambdapolicy
	File: /modules/lambdapolicy/main.tf:21-58
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		22 |   name   = var.backup_policy_name
		23 |   tags   = var.tags
		24 |   policy = <<EOF
		25 | {
		26 |     "Version" : "2012-10-17",
		27 |     "Statement": [
		28 |         {
		29 |             "Action": [
		30 |                 "lambda:InvokeFunction",
		31 |                 "ec2:CreateNetworkInterface",
		32 |                 "ec2:DescribeNetworkInterfaces",
		33 |                 "ec2:DeleteNetworkInterface",
		34 |                 "ec2:DescribeSecurityGroups",
		35 |                 "ec2:CreateSnapshot",
		36 |                 "ec2:DeleteSnapshot",
		37 |                 "ec2:DescribeSubnets",
		38 |                 "ec2:DescribeVpcs",
		39 |                 "ec2:DescribeInstances",
		40 |                 "ec2:DescribeAddresses",
		41 |                 "ec2:DescribeInstanceStatus",
		42 |                 "ec2:DescribeVolumes",
		43 |                 "ec2:DescribeSnapshots",
		44 |                 "ec2:CreateTags",
		45 |                 "s3:*",
		46 |                 "ssm:*",
		47 |                 "ses:*",
		48 |                 "logs:*",
		49 |                 "cloudwatch:*",
		50 |                 "sts:AssumeRole"
		51 |             ],
		52 |             "Resource": "*",
		53 |             "Effect": "Allow"
		54 |         }
		55 |     ]
		56 | }
		57 | EOF
		58 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.backuplambdapolicy
	File: /modules/lambdapolicy/main.tf:21-58
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		22 |   name   = var.backup_policy_name
		23 |   tags   = var.tags
		24 |   policy = <<EOF
		25 | {
		26 |     "Version" : "2012-10-17",
		27 |     "Statement": [
		28 |         {
		29 |             "Action": [
		30 |                 "lambda:InvokeFunction",
		31 |                 "ec2:CreateNetworkInterface",
		32 |                 "ec2:DescribeNetworkInterfaces",
		33 |                 "ec2:DeleteNetworkInterface",
		34 |                 "ec2:DescribeSecurityGroups",
		35 |                 "ec2:CreateSnapshot",
		36 |                 "ec2:DeleteSnapshot",
		37 |                 "ec2:DescribeSubnets",
		38 |                 "ec2:DescribeVpcs",
		39 |                 "ec2:DescribeInstances",
		40 |                 "ec2:DescribeAddresses",
		41 |                 "ec2:DescribeInstanceStatus",
		42 |                 "ec2:DescribeVolumes",
		43 |                 "ec2:DescribeSnapshots",
		44 |                 "ec2:CreateTags",
		45 |                 "s3:*",
		46 |                 "ssm:*",
		47 |                 "ses:*",
		48 |                 "logs:*",
		49 |                 "cloudwatch:*",
		50 |                 "sts:AssumeRole"
		51 |             ],
		52 |             "Resource": "*",
		53 |             "Effect": "Allow"
		54 |         }
		55 |     ]
		56 | }
		57 | EOF
		58 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.backuplambdapolicy
	File: /modules/lambdapolicy/main.tf:21-58
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		22 |   name   = var.backup_policy_name
		23 |   tags   = var.tags
		24 |   policy = <<EOF
		25 | {
		26 |     "Version" : "2012-10-17",
		27 |     "Statement": [
		28 |         {
		29 |             "Action": [
		30 |                 "lambda:InvokeFunction",
		31 |                 "ec2:CreateNetworkInterface",
		32 |                 "ec2:DescribeNetworkInterfaces",
		33 |                 "ec2:DeleteNetworkInterface",
		34 |                 "ec2:DescribeSecurityGroups",
		35 |                 "ec2:CreateSnapshot",
		36 |                 "ec2:DeleteSnapshot",
		37 |                 "ec2:DescribeSubnets",
		38 |                 "ec2:DescribeVpcs",
		39 |                 "ec2:DescribeInstances",
		40 |                 "ec2:DescribeAddresses",
		41 |                 "ec2:DescribeInstanceStatus",
		42 |                 "ec2:DescribeVolumes",
		43 |                 "ec2:DescribeSnapshots",
		44 |                 "ec2:CreateTags",
		45 |                 "s3:*",
		46 |                 "ssm:*",
		47 |                 "ses:*",
		48 |                 "logs:*",
		49 |                 "cloudwatch:*",
		50 |                 "sts:AssumeRole"
		51 |             ],
		52 |             "Resource": "*",
		53 |             "Effect": "Allow"
		54 |         }
		55 |     ]
		56 | }
		57 | EOF
		58 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_policy.backuplambdapolicy
	File: /modules/lambdapolicy/main.tf:21-58
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		22 |   name   = var.backup_policy_name
		23 |   tags   = var.tags
		24 |   policy = <<EOF
		25 | {
		26 |     "Version" : "2012-10-17",
		27 |     "Statement": [
		28 |         {
		29 |             "Action": [
		30 |                 "lambda:InvokeFunction",
		31 |                 "ec2:CreateNetworkInterface",
		32 |                 "ec2:DescribeNetworkInterfaces",
		33 |                 "ec2:DeleteNetworkInterface",
		34 |                 "ec2:DescribeSecurityGroups",
		35 |                 "ec2:CreateSnapshot",
		36 |                 "ec2:DeleteSnapshot",
		37 |                 "ec2:DescribeSubnets",
		38 |                 "ec2:DescribeVpcs",
		39 |                 "ec2:DescribeInstances",
		40 |                 "ec2:DescribeAddresses",
		41 |                 "ec2:DescribeInstanceStatus",
		42 |                 "ec2:DescribeVolumes",
		43 |                 "ec2:DescribeSnapshots",
		44 |                 "ec2:CreateTags",
		45 |                 "s3:*",
		46 |                 "ssm:*",
		47 |                 "ses:*",
		48 |                 "logs:*",
		49 |                 "cloudwatch:*",
		50 |                 "sts:AssumeRole"
		51 |             ],
		52 |             "Resource": "*",
		53 |             "Effect": "Allow"
		54 |         }
		55 |     ]
		56 | }
		57 | EOF
		58 | }

Check: CKV_AWS_287: "Ensure IAM policies does not allow credentials exposure"
	FAILED for resource: aws_iam_policy.backuplambdapolicy
	File: /modules/lambdapolicy/main.tf:21-58
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-287

		21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		22 |   name   = var.backup_policy_name
		23 |   tags   = var.tags
		24 |   policy = <<EOF
		25 | {
		26 |     "Version" : "2012-10-17",
		27 |     "Statement": [
		28 |         {
		29 |             "Action": [
		30 |                 "lambda:InvokeFunction",
		31 |                 "ec2:CreateNetworkInterface",
		32 |                 "ec2:DescribeNetworkInterfaces",
		33 |                 "ec2:DeleteNetworkInterface",
		34 |                 "ec2:DescribeSecurityGroups",
		35 |                 "ec2:CreateSnapshot",
		36 |                 "ec2:DeleteSnapshot",
		37 |                 "ec2:DescribeSubnets",
		38 |                 "ec2:DescribeVpcs",
		39 |                 "ec2:DescribeInstances",
		40 |                 "ec2:DescribeAddresses",
		41 |                 "ec2:DescribeInstanceStatus",
		42 |                 "ec2:DescribeVolumes",
		43 |                 "ec2:DescribeSnapshots",
		44 |                 "ec2:CreateTags",
		45 |                 "s3:*",
		46 |                 "ssm:*",
		47 |                 "ses:*",
		48 |                 "logs:*",
		49 |                 "cloudwatch:*",
		50 |                 "sts:AssumeRole"
		51 |             ],
		52 |             "Resource": "*",
		53 |             "Effect": "Allow"
		54 |         }
		55 |     ]
		56 | }
		57 | EOF
		58 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.apex
	File: /sns.tf:6-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		6  | resource "aws_sns_topic" "apex" {
		7  |   name = "${local.application_name}-${local.environment}-alerting-topic"
		8  |   tags = merge(
		9  |     local.tags,
		10 |     {
		11 |       Name = "${local.application_name}-${local.environment}-alerting-topic"
		12 |     }
		13 |   )
		14 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: pagerduty_core_alerts
	File: /sns.tf:34-41
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		34 | module "pagerduty_core_alerts" {
		35 |   depends_on = [
		36 |     aws_sns_topic.apex
		37 |   ]
		38 |   source                    = "github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0"
		39 |   sns_topics                = [aws_sns_topic.apex.name]
		40 |   pagerduty_integration_key = local.pagerduty_integration_keys[local.pagerduty_integration_key_name]
		41 | }

Check: CKV_AWS_176: "Ensure Logging is enabled for WAF Web Access Control Lists"
	FAILED for resource: aws_waf_web_acl.waf_acl
	File: /waf.tf:57-87
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-31

		57 | resource "aws_waf_web_acl" "waf_acl" {
		58 |   depends_on = [
		59 |     aws_waf_rule.wafmanualallowrule,
		60 |     aws_waf_rule.wafmanualblockrule,
		61 |   ]
		62 |   name        = "${upper(local.application_name)} Whitelisting Requesters"
		63 |   metric_name = "${upper(local.application_name)}WhitelistingRequesters"
		64 |   #   scope    = "CLOUDFRONT"
		65 |   #   provider = aws.us-east-1
		66 |   default_action {
		67 |     type = "BLOCK"
		68 |   }
		69 | 
		70 |   rules {
		71 |     action {
		72 |       type = "ALLOW"
		73 |     }
		74 |     priority = 1
		75 |     rule_id  = aws_waf_rule.wafmanualallowrule.id
		76 |     type     = "REGULAR"
		77 |   }
		78 | 
		79 |   rules {
		80 |     action {
		81 |       type = "BLOCK"
		82 |     }
		83 |     priority = 2
		84 |     rule_id  = aws_waf_rule.wafmanualblockrule.id
		85 |     type     = "REGULAR"
		86 |   }
		87 | }

Check: CKV2_AWS_47: "Ensure AWS CloudFront attached WAFv2 WebACL is configured with AMR for Log4j Vulnerability"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:177-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-47

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: module.alb.aws_secretsmanager_secret.cloudfront
	File: /modules/alb/main.tf:275-278
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		275 | resource "aws_secretsmanager_secret" "cloudfront" {
		276 |   name        = "cloudfront-v1-secret-${var.application_name}"
		277 |   description = "Simple secret created by AWS CloudFormation to be shared between ALB and CloudFront"
		278 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.cloudfront
	File: /cloudfront.tf:109-122
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		109 | resource "aws_s3_bucket" "cloudfront" {
		110 |   bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		111 |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		112 |   tags = merge(
		113 |     local.tags,
		114 |     {
		115 |       Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		116 |     }
		117 |   )
		118 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		119 |   lifecycle {
		120 |     prevent_destroy = false
		121 |   }
		122 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:107-113
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		107 | resource "aws_s3_bucket" "backup_lambda" {
		108 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		109 |   tags = merge(
		110 |     local.tags,
		111 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		112 |   )
		113 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
	File: /modules/codebuild/main.tf:5-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		5  | resource "aws_s3_bucket" "deployment_report" {
		6  |   bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		7  |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		8  |   tags = merge(
		9  |     var.tags,
		10 |     {
		11 |       Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		12 |     },
		13 |   )
		14 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.laa-lambda-backup
	File: /modules/s3/main.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		1 | resource "aws_s3_bucket" "laa-lambda-backup" {
		2 |   bucket = var.bucket_name
		3 |   tags   = var.tags
		4 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.cloudfront
	File: /cloudfront.tf:109-122
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		109 | resource "aws_s3_bucket" "cloudfront" {
		110 |   bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		111 |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		112 |   tags = merge(
		113 |     local.tags,
		114 |     {
		115 |       Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		116 |     }
		117 |   )
		118 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		119 |   lifecycle {
		120 |     prevent_destroy = false
		121 |   }
		122 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:107-113
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		107 | resource "aws_s3_bucket" "backup_lambda" {
		108 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		109 |   tags = merge(
		110 |     local.tags,
		111 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		112 |   )
		113 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
	File: /modules/codebuild/main.tf:5-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		5  | resource "aws_s3_bucket" "deployment_report" {
		6  |   bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		7  |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		8  |   tags = merge(
		9  |     var.tags,
		10 |     {
		11 |       Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		12 |     },
		13 |   )
		14 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.laa-lambda-backup
	File: /modules/s3/main.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		1 | resource "aws_s3_bucket" "laa-lambda-backup" {
		2 |   bucket = var.bucket_name
		3 |   tags   = var.tags
		4 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.cloudfront
	File: /cloudfront.tf:109-122
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		109 | resource "aws_s3_bucket" "cloudfront" {
		110 |   bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		111 |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		112 |   tags = merge(
		113 |     local.tags,
		114 |     {
		115 |       Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		116 |     }
		117 |   )
		118 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		119 |   lifecycle {
		120 |     prevent_destroy = false
		121 |   }
		122 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:107-113
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		107 | resource "aws_s3_bucket" "backup_lambda" {
		108 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		109 |   tags = merge(
		110 |     local.tags,
		111 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		112 |   )
		113 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
	File: /modules/codebuild/main.tf:5-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		5  | resource "aws_s3_bucket" "deployment_report" {
		6  |   bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		7  |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		8  |   tags = merge(
		9  |     var.tags,
		10 |     {
		11 |       Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		12 |     },
		13 |   )
		14 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.laa-lambda-backup
	File: /modules/s3/main.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		1 | resource "aws_s3_bucket" "laa-lambda-backup" {
		2 |   bucket = var.bucket_name
		3 |   tags   = var.tags
		4 | }

Check: CKV2_AWS_32: "Ensure CloudFront distribution has a response headers policy attached"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:177-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/bc-aws-networking-65

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AWS_18: "Ensure that Elastic File System (Amazon EFS) file systems are added in the backup plans of AWS Backup"
	FAILED for resource: aws_efs_file_system.efs
	File: /efs.tf:41-55
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-elastic-file-system-amazon-efs-file-systems-are-added-in-the-backup-plans-of-aws-backup

		41 | resource "aws_efs_file_system" "efs" {
		42 |   encrypted        = true
		43 |   kms_key_id       = aws_kms_key.efs.arn
		44 |   performance_mode = "maxIO"
		45 |   throughput_mode  = "bursting"
		46 | 
		47 |   tags = merge(
		48 |     local.tags,
		49 |     { "Name" = "mp-${local.application_name}-efs" }
		50 |   )
		51 | 
		52 |   lifecycle_policy {
		53 |     transition_to_ia = "AFTER_90_DAYS"
		54 |   }
		55 | }

Check: CKV_AWS_378: "Ensure AWS Load Balancer doesn't use HTTP protocol"
	FAILED for resource: module.alb.aws_lb_target_group.alb_target_group
	File: /modules/alb/main.tf:346-373

		346 | resource "aws_lb_target_group" "alb_target_group" {
		347 |   name                 = "${var.application_name}-alb-tg"
		348 |   port                 = var.target_group_port
		349 |   protocol             = var.target_group_protocol
		350 |   vpc_id               = var.vpc_id
		351 |   deregistration_delay = var.target_group_deregistration_delay
		352 |   health_check {
		353 |     interval            = var.healthcheck_interval
		354 |     path                = var.healthcheck_path
		355 |     protocol            = var.healthcheck_protocol
		356 |     timeout             = var.healthcheck_timeout
		357 |     healthy_threshold   = var.healthcheck_healthy_threshold
		358 |     unhealthy_threshold = var.healthcheck_unhealthy_threshold
		359 |   }
		360 |   stickiness {
		361 |     enabled         = var.stickiness_enabled
		362 |     type            = var.stickiness_type
		363 |     cookie_duration = var.stickiness_cookie_duration
		364 |   }
		365 | 
		366 |   tags = merge(
		367 |     var.tags,
		368 |     {
		369 |       Name = "${var.application_name}-alb-tg"
		370 |     },
		371 |   )
		372 | 
		373 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.cloudfront
	File: /cloudfront.tf:109-122
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		109 | resource "aws_s3_bucket" "cloudfront" {
		110 |   bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		111 |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		112 |   tags = merge(
		113 |     local.tags,
		114 |     {
		115 |       Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		116 |     }
		117 |   )
		118 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		119 |   lifecycle {
		120 |     prevent_destroy = false
		121 |   }
		122 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:107-113
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		107 | resource "aws_s3_bucket" "backup_lambda" {
		108 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		109 |   tags = merge(
		110 |     local.tags,
		111 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		112 |   )
		113 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
	File: /modules/codebuild/main.tf:5-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		5  | resource "aws_s3_bucket" "deployment_report" {
		6  |   bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		7  |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		8  |   tags = merge(
		9  |     var.tags,
		10 |     {
		11 |       Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		12 |     },
		13 |   )
		14 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.laa-lambda-backup
	File: /modules/s3/main.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		1 | resource "aws_s3_bucket" "laa-lambda-backup" {
		2 |   bucket = var.bucket_name
		3 |   tags   = var.tags
		4 | }

Check: CKV2_AWS_65: "Ensure access control lists for S3 buckets are disabled"
	FAILED for resource: aws_s3_bucket_ownership_controls.backup_lambda
	File: /lambda.tf:130-135
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-112

		130 | resource "aws_s3_bucket_ownership_controls" "backup_lambda" {
		131 |   bucket = aws_s3_bucket.backup_lambda.id
		132 |   rule {
		133 |     object_ownership = "ObjectWriter"
		134 |   }
		135 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.u01-orahome
	File: /ec2.tf:172-187
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		172 | resource "aws_ebs_volume" "u01-orahome" {
		173 |   availability_zone = "eu-west-2a"
		174 |   size              = local.application_data.accounts[local.environment].u01_orahome_size
		175 |   type              = "gp3"
		176 |   encrypted         = true
		177 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		178 |   snapshot_id       = local.application_data.accounts[local.environment].u01_orahome_snapshot
		179 |   lifecycle {
		180 |     ignore_changes = [kms_key_id]
		181 |   }
		182 |   tags = merge(
		183 |     local.tags,
		184 |     { "Name" = "${local.application_name}db-ec2-u01-orahome" },
		185 |     { "backup" = "false" }
		186 |   )
		187 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.u02-oradata
	File: /ec2.tf:194-209
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		194 | resource "aws_ebs_volume" "u02-oradata" {
		195 |   availability_zone = "eu-west-2a"
		196 |   size              = local.application_data.accounts[local.environment].u02_oradata_size
		197 |   type              = "gp3"
		198 |   encrypted         = true
		199 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		200 |   snapshot_id       = local.application_data.accounts[local.environment].u02_oradata_snapshot
		201 |   lifecycle {
		202 |     ignore_changes = [kms_key_id]
		203 |   }
		204 |   tags = merge(
		205 |     local.tags,
		206 |     { "Name" = "${local.application_name}db-ec2-u02-oradata" },
		207 |     { "backup" = "false" }
		208 |   )
		209 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.u03-redo
	File: /ec2.tf:219-234
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		219 | resource "aws_ebs_volume" "u03-redo" {
		220 |   availability_zone = "eu-west-2a"
		221 |   size              = local.application_data.accounts[local.environment].u03_redo_size
		222 |   type              = "gp3"
		223 |   encrypted         = true
		224 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		225 |   snapshot_id       = local.application_data.accounts[local.environment].u03_redo_snapshot
		226 |   lifecycle {
		227 |     ignore_changes = [kms_key_id]
		228 |   }
		229 |   tags = merge(
		230 |     local.tags,
		231 |     { "Name" = "${local.application_name}db-ec2-u03-redo" },
		232 |     { "backup" = "false" }
		233 |   )
		234 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.u04-arch
	File: /ec2.tf:241-256
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		241 | resource "aws_ebs_volume" "u04-arch" {
		242 |   availability_zone = "eu-west-2a"
		243 |   size              = local.application_data.accounts[local.environment].u04_arch_size
		244 |   type              = "gp3"
		245 |   encrypted         = true
		246 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		247 |   snapshot_id       = local.application_data.accounts[local.environment].u04_arch_snapshot
		248 |   lifecycle {
		249 |     ignore_changes = [kms_key_id]
		250 |   }
		251 |   tags = merge(
		252 |     local.tags,
		253 |     { "Name" = "${local.application_name}db-ec2-u04-arch" },
		254 |     { "backup" = "false" }
		255 |   )
		256 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.cloudfront
	File: /cloudfront.tf:109-122
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		109 | resource "aws_s3_bucket" "cloudfront" {
		110 |   bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		111 |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		112 |   tags = merge(
		113 |     local.tags,
		114 |     {
		115 |       Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		116 |     }
		117 |   )
		118 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		119 |   lifecycle {
		120 |     prevent_destroy = false
		121 |   }
		122 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
	File: /modules/codebuild/main.tf:5-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		5  | resource "aws_s3_bucket" "deployment_report" {
		6  |   bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		7  |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		8  |   tags = merge(
		9  |     var.tags,
		10 |     {
		11 |       Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		12 |     },
		13 |   )
		14 | }

Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV2_AWS_46: "Ensure AWS CloudFront Distribution with S3 have Origin Access set to enabled"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:177-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-aws-cloudfromt-distribution-with-s3-have-origin-access-set-to-enabled

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:107-113
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		107 | resource "aws_s3_bucket" "backup_lambda" {
		108 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		109 |   tags = merge(
		110 |     local.tags,
		111 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		112 |   )
		113 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.laa-lambda-backup
	File: /modules/s3/main.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		1 | resource "aws_s3_bucket" "laa-lambda-backup" {
		2 |   bucket = var.bucket_name
		3 |   tags   = var.tags
		4 | }

terraform_plan scan results:

Passed checks: 0, Failed checks: 0, Skipped checks: 0, Parsing errors: 1


checkov_exitcode=1

CTFLint Scan Failed

*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/apex

*****************************

Running tflint in terraform/environments/apex
Excluding the following checks: terraform_unused_declarations
7 issue(s) found:

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/apex/alb.tf line 17:
  17:     "${local.application_data.accounts[local.environment].acm_cert_domain_name}" = {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/apex/alb.tf line 19:
  19:       zone_name = "${local.application_data.accounts[local.environment].acm_cert_domain_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "template" in `required_providers` (terraform_required_providers)

  on terraform/environments/apex/cloudwatch.tf line 401:
 401: data "template_file" "dashboard" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "local" in `required_providers` (terraform_required_providers)

  on terraform/environments/apex/ec2.tf line 45:
  45: data "local_file" "cloudwatch_agent" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/apex/event_triggers.tf line 22:
  22:   input = jsonencode({ "appname" : "${local.database_ec2_name}" })

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "time" in `required_providers` (terraform_required_providers)

  on terraform/environments/apex/lambda.tf line 125:
 125: resource "time_sleep" "wait_for_provision_files" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "archive" in `required_providers` (terraform_required_providers)

  on terraform/environments/apex/lambda.tf line 179:
 179: data "archive_file" "connect_db" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

tflint_exitcode=2

Trivy Scan Failed

*****************************

Trivy will check the following folders:
terraform/environments/apex

*****************************

Running Trivy in terraform/environments/apex
2024-12-03T16:02:50Z	INFO	[vulndb] Need to update DB
2024-12-03T16:02:50Z	INFO	[vulndb] Downloading vulnerability DB...
2024-12-03T16:02:50Z	INFO	[vulndb] Downloading artifact...	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-03T16:02:52Z	INFO	[vulndb] Artifact successfully downloaded	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-03T16:02:52Z	INFO	[vuln] Vulnerability scanning is enabled
2024-12-03T16:02:52Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-12-03T16:02:52Z	INFO	[misconfig] Need to update the built-in checks
2024-12-03T16:02:52Z	INFO	[misconfig] Downloading the built-in checks...
160.80 KiB / 160.80 KiB [------------------------------------------------------] 100.00% ? p/s 100ms
2024-12-03T16:02:53Z	INFO	[secret] Secret scanning is enabled
2024-12-03T16:02:53Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-12-03T16:02:53Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-12-03T16:02:55Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-12-03T16:02:55Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2024-12-03T16:02:55Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="aws_waf_ipset.wafmanualallowset" err="1 error occurred:\n\t* invalid for-each in aws_waf_ipset.wafmanualallowset.dynamic.ip_set_descriptors block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-03T16:02:55Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="aws_waf_ipset.wafmanualallowset" err="1 error occurred:\n\t* invalid for-each in aws_waf_ipset.wafmanualallowset.dynamic.ip_set_descriptors block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-03T16:02:55Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.aws_route53_record.external_lb_validation_core_network_services" value="cty.NilVal"
2024-12-03T16:02:55Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.aws_route53_record.external_lb_validation_core_vpc" value="cty.NilVal"
2024-12-03T16:02:55Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.aws_route53_record.external_lb_validation_self" value="cty.NilVal"
2024-12-03T16:02:55Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.data.aws_route53_zone.core_network_services" value="cty.NilVal"
2024-12-03T16:02:55Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.data.aws_route53_zone.core_vpc" value="cty.NilVal"
2024-12-03T16:02:55Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.data.aws_route53_zone.self" value="cty.NilVal"
2024-12-03T16:02:56Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.apex-ecs.aws_autoscaling_group.cluster-scaling-group" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.cluster-scaling-group.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-03T16:02:56Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.apex-ecs.aws_autoscaling_group.cluster-scaling-group" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.cluster-scaling-group.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-03T16:02:56Z	INFO	[terraform scanner] Scanning root module	file_path="modules/lambdapolicy"
2024-12-03T16:02:56Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="tags"
2024-12-03T16:02:56Z	INFO	[terraform scanner] Scanning root module	file_path="modules/s3"
2024-12-03T16:02:56Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="tags"
2024-12-03T16:02:58Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0/main.tf:171-179"
2024-12-03T16:02:58Z	INFO	[terraform executor] Ignore finding	rule="aws-elb-alb-not-public" range="modules/alb/main.tf:214"
2024-12-03T16:02:58Z	INFO	Number of language-specific files	num=0
2024-12-03T16:02:58Z	INFO	Detected config files	num=12

cloudfront.tf (terraform)
=========================
Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0013 (HIGH): Distribution allows unencrypted communications.
════════════════════════════════════════
You should not use outdated/insecure TLS versions for encryption. You should be using TLS v1.2+.
Note: that setting *minimum_protocol_version = "TLSv1.2_2021"* is only possible when *cloudfront_default_certificate* is false (eg. you are not using the cloudfront.net domain name).
If *cloudfront_default_certificate* is true then the Cloudfront API will only allow setting *minimum_protocol_version = "TLSv1"*, and setting it to any other value will result in a perpetual diff in your *terraform plan*'s.
The only option when using the cloudfront.net domain name is to ignore this rule.


See https://avd.aquasec.com/misconfig/avd-aws-0013
────────────────────────────────────────
 cloudfront.tf:244
   via cloudfront.tf:241-245 (viewer_certificate)
    via cloudfront.tf:177-267 (aws_cloudfront_distribution.external)
────────────────────────────────────────
 177   resource "aws_cloudfront_distribution" "external" {
 ...   
 244 [     minimum_protocol_version = "TLSv1.2_2018"
 ...   
 267   }
────────────────────────────────────────


AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.


See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 cloudfront.tf:131-142
────────────────────────────────────────
 131 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "cloudfront" {
 132 │   bucket = aws_s3_bucket.cloudfront.id
 133 │   rule {
 134 │     apply_server_side_encryption_by_default {
 135 │       sse_algorithm = "AES256"
 136 │     }
 137 │   }
 138 │   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
 139 └   lifecycle {
 ...   
────────────────────────────────────────



ec2.tf (terraform)
==================
Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 ec2.tf:6-43
────────────────────────────────────────
   6 ┌ resource "aws_instance" "apex_db_instance" {
   7 │   ami                         = local.application_data.accounts[local.environment].ec2amiid
   8 │   associate_public_ip_address = false
   9 │   availability_zone           = "eu-west-2a"
  10 │   ebs_optimized               = true
  11 │   instance_type               = local.application_data.accounts[local.environment].ec2instancetype
  12 │   vpc_security_group_ids      = [aws_security_group.database.id]
  13 │   monitoring                  = true
  14 └   subnet_id                   = data.aws_subnet.data_subnets_a.id
  ..   
────────────────────────────────────────



lambda.tf (terraform)
=====================
Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0088 (HIGH): Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.


See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
 lambda.tf:107-113
────────────────────────────────────────
 107 ┌ resource "aws_s3_bucket" "backup_lambda" {
 108 │   bucket = "${local.application_name}-${local.environment}-backup-lambda"
 109 │   tags = merge(
 110 │     local.tags,
 111 │     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
 112 │   )
 113 └ }
────────────────────────────────────────


AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.


See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 lambda.tf:107-113
────────────────────────────────────────
 107 ┌ resource "aws_s3_bucket" "backup_lambda" {
 108 │   bucket = "${local.application_name}-${local.environment}-backup-lambda"
 109 │   tags = merge(
 110 │     local.tags,
 111 │     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
 112 │   )
 113 └ }
────────────────────────────────────────



modules/ecs/main.tf (terraform)
===============================
Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0130 (HIGH): Launch template does not require IMDS access to require a token
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/aws-autoscaling-enforce-http-token-imds
────────────────────────────────────────
 modules/ecs/main.tf:121
   via modules/ecs/main.tf:119-123 (metadata_options)
    via modules/ecs/main.tf:107-164 (aws_launch_template.ec2-launch-template)
     via ecs.tf:5-38 (module.apex-ecs)
────────────────────────────────────────
 107   resource "aws_launch_template" "ec2-launch-template" {
 ...   
 121 [     http_tokens                 = "optional"
 ...   
 164   }
────────────────────────────────────────



modules/s3/main.tf (terraform)
==============================
Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0088 (HIGH): Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.


See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
 modules/s3/main.tf:1-4
────────────────────────────────────────
   1 ┌ resource "aws_s3_bucket" "laa-lambda-backup" {
   2 │   bucket = var.bucket_name
   3 │   tags   = var.tags
   4 └ }
────────────────────────────────────────


AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.


See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 modules/s3/main.tf:1-4
────────────────────────────────────────
   1 ┌ resource "aws_s3_bucket" "laa-lambda-backup" {
   2 │   bucket = var.bucket_name
   3 │   tags   = var.tags
   4 └ }
────────────────────────────────────────


trivy_exitcode=1


github-actions bot commented Dec 3, 2024

Trivy Scan Failed

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/apex


Running Trivy in terraform/environments/apex
2024-12-03T16:07:48Z INFO [vulndb] Need to update DB
2024-12-03T16:07:48Z INFO [vulndb] Downloading vulnerability DB...
2024-12-03T16:07:48Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-03T16:07:50Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-03T16:07:50Z INFO [vuln] Vulnerability scanning is enabled
2024-12-03T16:07:50Z INFO [misconfig] Misconfiguration scanning is enabled
2024-12-03T16:07:50Z INFO [misconfig] Need to update the built-in checks
2024-12-03T16:07:50Z INFO [misconfig] Downloading the built-in checks...
160.80 KiB / 160.80 KiB [---------------------------------------------------------] 100.00% ? p/s 0s
2024-12-03T16:07:51Z INFO [secret] Secret scanning is enabled
2024-12-03T16:07:51Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-12-03T16:07:51Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-12-03T16:07:52Z INFO [terraform scanner] Scanning root module file_path="."
2024-12-03T16:07:52Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2024-12-03T16:07:52Z ERROR [terraform evaluator] Failed to expand dynamic block. block="aws_waf_ipset.wafmanualallowset" err="1 error occurred:\n\t* invalid for-each in aws_waf_ipset.wafmanualallowset.dynamic.ip_set_descriptors block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-03T16:07:52Z ERROR [terraform evaluator] Failed to expand dynamic block. block="aws_waf_ipset.wafmanualallowset" err="1 error occurred:\n\t* invalid for-each in aws_waf_ipset.wafmanualallowset.dynamic.ip_set_descriptors block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-03T16:07:52Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.aws_route53_record.external_lb_validation_core_network_services" value="cty.NilVal"
2024-12-03T16:07:52Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.aws_route53_record.external_lb_validation_core_vpc" value="cty.NilVal"
2024-12-03T16:07:52Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.aws_route53_record.external_lb_validation_self" value="cty.NilVal"
2024-12-03T16:07:52Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.data.aws_route53_zone.core_network_services" value="cty.NilVal"
2024-12-03T16:07:52Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.data.aws_route53_zone.core_vpc" value="cty.NilVal"
2024-12-03T16:07:52Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alb.data.aws_route53_zone.self" value="cty.NilVal"
2024-12-03T16:07:53Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.apex-ecs.aws_autoscaling_group.cluster-scaling-group" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.cluster-scaling-group.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-03T16:07:53Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.apex-ecs.aws_autoscaling_group.cluster-scaling-group" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.cluster-scaling-group.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-03T16:07:53Z INFO [terraform scanner] Scanning root module file_path="modules/lambdapolicy"
2024-12-03T16:07:53Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="tags"
2024-12-03T16:07:53Z INFO [terraform scanner] Scanning root module file_path="modules/s3"
2024-12-03T16:07:53Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="tags"
2024-12-03T16:07:55Z INFO [terraform executor] Ignore finding rule="aws-elb-alb-not-public" range="modules/alb/main.tf:214"
2024-12-03T16:07:55Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0/main.tf:171-179"
2024-12-03T16:07:55Z INFO Number of language-specific files num=0
2024-12-03T16:07:55Z INFO Detected config files num=12

cloudfront.tf (terraform)

Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0013 (HIGH): Distribution allows unencrypted communications.
════════════════════════════════════════
You should not use outdated/insecure TLS versions for encryption. You should be using TLS v1.2+.
Note: that setting minimum_protocol_version = "TLSv1.2_2021" is only possible when cloudfront_default_certificate is false (eg. you are not using the cloudfront.net domain name).
If cloudfront_default_certificate is true then the Cloudfront API will only allow setting minimum_protocol_version = "TLSv1", and setting it to any other value will result in a perpetual diff in your terraform plan's.
The only option when using the cloudfront.net domain name is to ignore this rule.

See https://avd.aquasec.com/misconfig/avd-aws-0013
────────────────────────────────────────
cloudfront.tf:244
via cloudfront.tf:241-245 (viewer_certificate)
via cloudfront.tf:177-267 (aws_cloudfront_distribution.external)
────────────────────────────────────────
177 resource "aws_cloudfront_distribution" "external" {
...
244 [ minimum_protocol_version = "TLSv1.2_2018"
...
267 }
────────────────────────────────────────

AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
cloudfront.tf:131-142
────────────────────────────────────────
131 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "cloudfront" {
132 │ bucket = aws_s3_bucket.cloudfront.id
133 │ rule {
134 │ apply_server_side_encryption_by_default {
135 │ sse_algorithm = "AES256"
136 │ }
137 │ }
138 │ # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
139 └ lifecycle {
...
────────────────────────────────────────

ec2.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
ec2.tf:6-43
────────────────────────────────────────
6 ┌ resource "aws_instance" "apex_db_instance" {
7 │ ami = local.application_data.accounts[local.environment].ec2amiid
8 │ associate_public_ip_address = false
9 │ availability_zone = "eu-west-2a"
10 │ ebs_optimized = true
11 │ instance_type = local.application_data.accounts[local.environment].ec2instancetype
12 │ vpc_security_group_ids = [aws_security_group.database.id]
13 │ monitoring = true
14 └ subnet_id = data.aws_subnet.data_subnets_a.id
..
────────────────────────────────────────

lambda.tf (terraform)

Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0088 (HIGH): Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.

See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
lambda.tf:107-113
────────────────────────────────────────
107 ┌ resource "aws_s3_bucket" "backup_lambda" {
108 │ bucket = "${local.application_name}-${local.environment}-backup-lambda"
109 │ tags = merge(
110 │ local.tags,
111 │ { Name = "${local.application_name}-${local.environment}-backup-lambda" }
112 │ )
113 └ }
────────────────────────────────────────

AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
lambda.tf:107-113
────────────────────────────────────────
107 ┌ resource "aws_s3_bucket" "backup_lambda" {
108 │ bucket = "${local.application_name}-${local.environment}-backup-lambda"
109 │ tags = merge(
110 │ local.tags,
111 │ { Name = "${local.application_name}-${local.environment}-backup-lambda" }
112 │ )
113 └ }
────────────────────────────────────────

modules/ecs/main.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0130 (HIGH): Launch template does not require IMDS access to require a token
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/aws-autoscaling-enforce-http-token-imds
────────────────────────────────────────
modules/ecs/main.tf:121
via modules/ecs/main.tf:119-123 (metadata_options)
via modules/ecs/main.tf:107-164 (aws_launch_template.ec2-launch-template)
via ecs.tf:5-38 (module.apex-ecs)
────────────────────────────────────────
107 resource "aws_launch_template" "ec2-launch-template" {
...
121 [ http_tokens = "optional"
...
164 }
────────────────────────────────────────

modules/s3/main.tf (terraform)

Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0088 (HIGH): Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.

See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
modules/s3/main.tf:1-4
────────────────────────────────────────
1 ┌ resource "aws_s3_bucket" "laa-lambda-backup" {
2 │ bucket = var.bucket_name
3 │ tags = var.tags
4 └ }
────────────────────────────────────────

AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
modules/s3/main.tf:1-4
────────────────────────────────────────
1 ┌ resource "aws_s3_bucket" "laa-lambda-backup" {
2 │ bucket = var.bucket_name
3 │ tags = var.tags
4 └ }
────────────────────────────────────────

trivy_exitcode=1

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/apex

*****************************

Running Checkov in terraform/environments/apex
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-12-03 16:07:58,649 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0:None (for external modules, the --download-external-modules flag is required)
2024-12-03 16:07:58,649 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 368, Failed checks: 102, Skipped checks: 5, Parsing errors: 1

Check: CKV_AWS_166: "Ensure Backup Vault is encrypted at rest using KMS CMK"
	FAILED for resource: aws_backup_vault.apex
	File: /backups.tf:6-12
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-backup-vault-is-encrypted-at-rest-using-kms-cmk

		6  | resource "aws_backup_vault" "apex" {
		7  |   name = "${local.application_name}-backup-vault"
		8  |   tags = merge(
		9  |     local.tags,
		10 |     { "Name" = "${local.application_name}-backup-vault" },
		11 |   )
		12 | }

Check: CKV_AWS_166: "Ensure Backup Vault is encrypted at rest using KMS CMK"
	FAILED for resource: aws_backup_vault.prod_apex
	File: /backups.tf:64-71
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-backup-vault-is-encrypted-at-rest-using-kms-cmk

		64 | resource "aws_backup_vault" "prod_apex" {
		65 |   count = local.environment == "production" ? 1 : 0
		66 |   name  = "${local.application_name}-production-backup-vault"
		67 |   tags = merge(
		68 |     local.tags,
		69 |     { "Name" = "${local.application_name}-production-backup-vault" },
		70 |   )
		71 | }

Check: CKV_AWS_300: "Ensure S3 lifecycle configuration sets period for aborting failed uploads"
	FAILED for resource: aws_s3_bucket_lifecycle_configuration.cloudfront
	File: /cloudfront.tf:157-175
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-300

		157 | resource "aws_s3_bucket_lifecycle_configuration" "cloudfront" {
		158 |   count  = local.environment == "production" ? 1 : 0
		159 |   bucket = aws_s3_bucket.cloudfront.id
		160 | 
		161 |   rule {
		162 |     id = "delete-after-90days"
		163 | 
		164 |     expiration {
		165 |       days = 90
		166 |     }
		167 | 
		168 |     noncurrent_version_expiration {
		169 |       newer_noncurrent_versions = 1
		170 |       noncurrent_days           = 90
		171 |     }
		172 | 
		173 |     status = "Enabled"
		174 |   }
		175 | }

Check: CKV_AWS_310: "Ensure CloudFront distributions should have origin failover configured"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:177-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-310

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_374: "Ensure AWS CloudFront web distribution has geo restriction enabled"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:177-267

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_305: "Ensure CloudFront distribution has a default root object configured"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:177-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-305

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_233: "Ensure Create before destroy for ACM certificates"
	FAILED for resource: aws_acm_certificate.cloudfront
	File: /cloudfront.tf:295-305
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-acm-certificate-enables-create-before-destroy

		295 | resource "aws_acm_certificate" "cloudfront" {
		296 |   domain_name               = local.cloudfront_domain
		297 |   validation_method         = "DNS"
		298 |   provider                  = aws.us-east-1
		299 |   subject_alternative_names = local.environment == "production" ? null : [local.lower_env_cloudfront_url]
		300 |   tags                      = local.tags
		301 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		302 |   lifecycle {
		303 |     prevent_destroy = false
		304 |   }
		305 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.apex_db_instance
	File: /ec2.tf:6-43
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		6  | resource "aws_instance" "apex_db_instance" {
		7  |   ami                         = local.application_data.accounts[local.environment].ec2amiid
		8  |   associate_public_ip_address = false
		9  |   availability_zone           = "eu-west-2a"
		10 |   ebs_optimized               = true
		11 |   instance_type               = local.application_data.accounts[local.environment].ec2instancetype
		12 |   vpc_security_group_ids      = [aws_security_group.database.id]
		13 |   monitoring                  = true
		14 |   subnet_id                   = data.aws_subnet.data_subnets_a.id
		15 |   iam_instance_profile        = aws_iam_instance_profile.ec2_instance_profile.id
		16 |   key_name                    = aws_key_pair.apex.key_name
		17 |   user_data_base64            = base64encode(local.database-instance-userdata)
		18 |   user_data_replace_on_change = true
		19 | 
		20 |   lifecycle {
		21 |     ignore_changes = [user_data_base64]
		22 |   }
		23 | 
		24 |   root_block_device {
		25 |     delete_on_termination = false
		26 |     encrypted             = true # TODO Confirm if encrypted volumes can work for OAS, as it looks like in MP they must be encrypted
		27 |     volume_size           = 60
		28 |     volume_type           = "gp2"
		29 |     tags = merge(
		30 |       local.tags,
		31 |       { "Name" = "${local.application_name}db-ec2-root" },
		32 |       { "backup" = "false" }
		33 |     )
		34 |   }
		35 | 
		36 |   tags = merge(
		37 |     local.tags,
		38 |     { "Name" = local.database_ec2_name },
		39 |     { "instance-scheduling" = "skip-scheduling" },
		40 |     { "backup" = "false" },
		41 |     local.backup_schedule_tags
		42 |   )
		43 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.db_lambda
	File: /ec2.tf:80-87
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		80 | resource "aws_vpc_security_group_ingress_rule" "db_lambda" {
		81 |   security_group_id            = aws_security_group.database.id
		82 |   description                  = "Allow Lambda SSH access for backup snapshots"
		83 |   referenced_security_group_id = aws_security_group.backup_lambda.id
		84 |   from_port                    = 22
		85 |   ip_protocol                  = "tcp"
		86 |   to_port                      = 22
		87 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.db_outbound
	File: /ec2.tf:108-112
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		108 | resource "aws_vpc_security_group_egress_rule" "db_outbound" {
		109 |   security_group_id = aws_security_group.database.id
		110 |   cidr_ipv4         = "0.0.0.0/0"
		111 |   ip_protocol       = "-1"
		112 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.ec2_instance_policy
	File: /ec2.tf:139-170
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		139 | resource "aws_iam_role_policy" "ec2_instance_policy" {
		140 |   name = "${local.application_name}-ec2-policy"
		141 |   role = aws_iam_role.ec2_instance_role.id
		142 |   policy = jsonencode({
		143 |     Version = "2012-10-17"
		144 |     Statement = [
		145 |       {
		146 |         Effect = "Allow",
		147 |         Action = [
		148 |           "logs:CreateLogGroup",
		149 |           "logs:CreateLogStream",
		150 |           "logs:DescribeLogStreams",
		151 |           "logs:PutRetentionPolicy",
		152 |           "logs:PutLogEvents",
		153 |           "logs:DescribeLogGroups",
		154 |           "cloudwatch:PutMetricData",
		155 |           "cloudwatch:GetMetricStatistics",
		156 |           "cloudwatch:ListMetrics",
		157 |           "ec2:DescribeInstances",
		158 |         ],
		159 |         Resource = "*"
		160 |       },
		161 |       {
		162 |         Effect = "Allow",
		163 |         Action = [
		164 |           "ec2:CreateTags"
		165 |         ],
		166 |         Resource = "*"
		167 |       }
		168 |     ]
		169 |   })
		170 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.ec2_instance_policy
	File: /ec2.tf:139-170
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		139 | resource "aws_iam_role_policy" "ec2_instance_policy" {
		140 |   name = "${local.application_name}-ec2-policy"
		141 |   role = aws_iam_role.ec2_instance_role.id
		142 |   policy = jsonencode({
		143 |     Version = "2012-10-17"
		144 |     Statement = [
		145 |       {
		146 |         Effect = "Allow",
		147 |         Action = [
		148 |           "logs:CreateLogGroup",
		149 |           "logs:CreateLogStream",
		150 |           "logs:DescribeLogStreams",
		151 |           "logs:PutRetentionPolicy",
		152 |           "logs:PutLogEvents",
		153 |           "logs:DescribeLogGroups",
		154 |           "cloudwatch:PutMetricData",
		155 |           "cloudwatch:GetMetricStatistics",
		156 |           "cloudwatch:ListMetrics",
		157 |           "ec2:DescribeInstances",
		158 |         ],
		159 |         Resource = "*"
		160 |       },
		161 |       {
		162 |         Effect = "Allow",
		163 |         Action = [
		164 |           "ec2:CreateTags"
		165 |         ],
		166 |         Resource = "*"
		167 |       }
		168 |     ]
		169 |   })
		170 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.database
	File: /ec2.tf:272-282
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		272 | resource "aws_cloudwatch_log_group" "database" {
		273 |   name              = "${upper(local.application_name)}-EC2-database-alert"
		274 |   retention_in_days = 0
		275 |   # kms_key_id = aws_kms_key.cloudwatch_logs_key.arn # Not encrypted in LZ
		276 |   tags = merge(
		277 |     local.tags,
		278 |     {
		279 |       Name = "${upper(local.application_name)}-EC2-database-alert"
		280 |     }
		281 |   )
		282 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.pmon_status
	File: /ec2.tf:297-307
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		297 | resource "aws_cloudwatch_log_group" "pmon_status" {
		298 |   name              = "${upper(local.application_name)}-EC2-database-pmon-status"
		299 |   retention_in_days = 0
		300 |   # kms_key_id = aws_kms_key.cloudwatch_logs_key.arn # Not encrypted in LZ
		301 |   tags = merge(
		302 |     local.tags,
		303 |     {
		304 |       Name = "${upper(local.application_name)}-EC2-database-pmon-status"
		305 |     }
		306 |   )
		307 | }

Check: CKV_AWS_7: "Ensure rotation for customer created CMKs is enabled"
	FAILED for resource: aws_kms_key.efs
	File: /efs.tf:1-5
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/logging-8

		1 | resource "aws_kms_key" "efs" {
		2 |   description = "KMS key for encrypting EFS"
		3 |   # enable_key_rotation = true
		4 |   tags = local.tags
		5 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.ssh_key
	File: /lambda.tf:8-23
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		8  | resource "aws_ssm_parameter" "ssh_key" {
		9  |   name        = "EC2_SSH_KEY" # This needs to match the name supplied to the dbconnect.js script
		10 |   description = "SSH Key used by Lambda function to access database instance for backup. Value is updated manually."
		11 |   type        = "SecureString"
		12 |   value       = "Placeholder"
		13 | 
		14 |   tags = merge(
		15 |     local.tags,
		16 |     { Name = "EC2_SSH_KEY" }
		17 |   )
		18 |   lifecycle {
		19 |     ignore_changes = [
		20 |       value,
		21 |     ]
		22 |   }
		23 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:51-91
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		51 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		52 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		53 |   tags = merge(
		54 |     local.tags,
		55 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		56 |   )
		57 |   policy = <<EOF
		58 | {
		59 |     "Version" : "2012-10-17",
		60 |     "Statement": [
		61 |         {
		62 |             "Action": [
		63 |                 "lambda:InvokeFunction",
		64 |                 "ec2:CreateNetworkInterface",
		65 |                 "ec2:DescribeNetworkInterfaces",
		66 |                 "ec2:DeleteNetworkInterface",
		67 |                 "ec2:DescribeSecurityGroups",
		68 |                 "ec2:CreateSnapshot",
		69 |                 "ec2:DeleteSnapshot",
		70 |                 "ec2:DescribeSubnets",
		71 |                 "ec2:DescribeVpcs",
		72 |                 "ec2:DescribeInstances",
		73 |                 "ec2:DescribeAddresses",
		74 |                 "ec2:DescribeInstanceStatus",
		75 |                 "ec2:DescribeVolumes",
		76 |                 "ec2:DescribeSnapshots",
		77 |                 "ec2:CreateTags",
		78 |                 "s3:*",
		79 |                 "ssm:*",
		80 |                 "ses:*",
		81 |                 "logs:*",
		82 |                 "cloudwatch:*",
		83 |                 "sts:AssumeRole"
		84 |             ],
		85 |             "Resource": "*",
		86 |             "Effect": "Allow"
		87 |         }
		88 |     ]
		89 | }
		90 | EOF
		91 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:51-91
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		51 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		52 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		53 |   tags = merge(
		54 |     local.tags,
		55 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		56 |   )
		57 |   policy = <<EOF
		58 | {
		59 |     "Version" : "2012-10-17",
		60 |     "Statement": [
		61 |         {
		62 |             "Action": [
		63 |                 "lambda:InvokeFunction",
		64 |                 "ec2:CreateNetworkInterface",
		65 |                 "ec2:DescribeNetworkInterfaces",
		66 |                 "ec2:DeleteNetworkInterface",
		67 |                 "ec2:DescribeSecurityGroups",
		68 |                 "ec2:CreateSnapshot",
		69 |                 "ec2:DeleteSnapshot",
		70 |                 "ec2:DescribeSubnets",
		71 |                 "ec2:DescribeVpcs",
		72 |                 "ec2:DescribeInstances",
		73 |                 "ec2:DescribeAddresses",
		74 |                 "ec2:DescribeInstanceStatus",
		75 |                 "ec2:DescribeVolumes",
		76 |                 "ec2:DescribeSnapshots",
		77 |                 "ec2:CreateTags",
		78 |                 "s3:*",
		79 |                 "ssm:*",
		80 |                 "ses:*",
		81 |                 "logs:*",
		82 |                 "cloudwatch:*",
		83 |                 "sts:AssumeRole"
		84 |             ],
		85 |             "Resource": "*",
		86 |             "Effect": "Allow"
		87 |         }
		88 |     ]
		89 | }
		90 | EOF
		91 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:51-91
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		51 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		52 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		53 |   tags = merge(
		54 |     local.tags,
		55 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		56 |   )
		57 |   policy = <<EOF
		58 | {
		59 |     "Version" : "2012-10-17",
		60 |     "Statement": [
		61 |         {
		62 |             "Action": [
		63 |                 "lambda:InvokeFunction",
		64 |                 "ec2:CreateNetworkInterface",
		65 |                 "ec2:DescribeNetworkInterfaces",
		66 |                 "ec2:DeleteNetworkInterface",
		67 |                 "ec2:DescribeSecurityGroups",
		68 |                 "ec2:CreateSnapshot",
		69 |                 "ec2:DeleteSnapshot",
		70 |                 "ec2:DescribeSubnets",
		71 |                 "ec2:DescribeVpcs",
		72 |                 "ec2:DescribeInstances",
		73 |                 "ec2:DescribeAddresses",
		74 |                 "ec2:DescribeInstanceStatus",
		75 |                 "ec2:DescribeVolumes",
		76 |                 "ec2:DescribeSnapshots",
		77 |                 "ec2:CreateTags",
		78 |                 "s3:*",
		79 |                 "ssm:*",
		80 |                 "ses:*",
		81 |                 "logs:*",
		82 |                 "cloudwatch:*",
		83 |                 "sts:AssumeRole"
		84 |             ],
		85 |             "Resource": "*",
		86 |             "Effect": "Allow"
		87 |         }
		88 |     ]
		89 | }
		90 | EOF
		91 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:51-91
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		51 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		52 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		53 |   tags = merge(
		54 |     local.tags,
		55 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		56 |   )
		57 |   policy = <<EOF
		58 | {
		59 |     "Version" : "2012-10-17",
		60 |     "Statement": [
		61 |         {
		62 |             "Action": [
		63 |                 "lambda:InvokeFunction",
		64 |                 "ec2:CreateNetworkInterface",
		65 |                 "ec2:DescribeNetworkInterfaces",
		66 |                 "ec2:DeleteNetworkInterface",
		67 |                 "ec2:DescribeSecurityGroups",
		68 |                 "ec2:CreateSnapshot",
		69 |                 "ec2:DeleteSnapshot",
		70 |                 "ec2:DescribeSubnets",
		71 |                 "ec2:DescribeVpcs",
		72 |                 "ec2:DescribeInstances",
		73 |                 "ec2:DescribeAddresses",
		74 |                 "ec2:DescribeInstanceStatus",
		75 |                 "ec2:DescribeVolumes",
		76 |                 "ec2:DescribeSnapshots",
		77 |                 "ec2:CreateTags",
		78 |                 "s3:*",
		79 |                 "ssm:*",
		80 |                 "ses:*",
		81 |                 "logs:*",
		82 |                 "cloudwatch:*",
		83 |                 "sts:AssumeRole"
		84 |             ],
		85 |             "Resource": "*",
		86 |             "Effect": "Allow"
		87 |         }
		88 |     ]
		89 | }
		90 | EOF
		91 | }

Check: CKV_AWS_287: "Ensure IAM policies does not allow credentials exposure"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:51-91
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-287

		51 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		52 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		53 |   tags = merge(
		54 |     local.tags,
		55 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		56 |   )
		57 |   policy = <<EOF
		58 | {
		59 |     "Version" : "2012-10-17",
		60 |     "Statement": [
		61 |         {
		62 |             "Action": [
		63 |                 "lambda:InvokeFunction",
		64 |                 "ec2:CreateNetworkInterface",
		65 |                 "ec2:DescribeNetworkInterfaces",
		66 |                 "ec2:DeleteNetworkInterface",
		67 |                 "ec2:DescribeSecurityGroups",
		68 |                 "ec2:CreateSnapshot",
		69 |                 "ec2:DeleteSnapshot",
		70 |                 "ec2:DescribeSubnets",
		71 |                 "ec2:DescribeVpcs",
		72 |                 "ec2:DescribeInstances",
		73 |                 "ec2:DescribeAddresses",
		74 |                 "ec2:DescribeInstanceStatus",
		75 |                 "ec2:DescribeVolumes",
		76 |                 "ec2:DescribeSnapshots",
		77 |                 "ec2:CreateTags",
		78 |                 "s3:*",
		79 |                 "ssm:*",
		80 |                 "ses:*",
		81 |                 "logs:*",
		82 |                 "cloudwatch:*",
		83 |                 "sts:AssumeRole"
		84 |             ],
		85 |             "Resource": "*",
		86 |             "Effect": "Allow"
		87 |         }
		88 |     ]
		89 | }
		90 | EOF
		91 | }

Check: CKV_AWS_382: "Ensure no security groups allow egress from 0.0.0.0:0 to port -1"
	FAILED for resource: aws_security_group.backup_lambda
	File: /lambda.tf:190-207

		190 | resource "aws_security_group" "backup_lambda" {
		191 |   name        = "${local.application_name}-${local.environment}-backup-lambda-security-group"
		192 |   description = "Bakcup Lambda Security Group"
		193 |   vpc_id      = data.aws_vpc.shared.id
		194 | 
		195 |   egress {
		196 |     description = "outbound access"
		197 |     from_port   = 0
		198 |     to_port     = 0
		199 |     protocol    = "-1"
		200 |     cidr_blocks = ["0.0.0.0/0"]
		201 |   }
		202 | 
		203 |   tags = merge(
		204 |     local.tags,
		205 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-security-group" }
		206 |   )
		207 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /lambda.tf:222-250
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		222 | resource "aws_lambda_function" "create_db_snapshots" {
		223 | 
		224 |   description      = "Snapshot volumes for Oracle EC2"
		225 |   function_name    = "snapshotDBFunction"
		226 |   role             = aws_iam_role.backup_lambda.arn
		227 |   handler          = "snapshot/dbsnapshot.handler"
		228 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		229 |   runtime          = "nodejs18.x"
		230 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		231 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		232 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		233 |   memory_size      = 128
		234 |   timeout          = 900
		235 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		236 | 
		237 |   environment {
		238 |     variables = {
		239 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		240 |     }
		241 |   }
		242 |   vpc_config {
		243 |     security_group_ids = [aws_security_group.backup_lambda.id]
		244 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		245 |   }
		246 |   tags = merge(
		247 |     local.tags,
		248 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		249 |   )
		250 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /lambda.tf:222-250
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		222 | resource "aws_lambda_function" "create_db_snapshots" {
		223 | 
		224 |   description      = "Snapshot volumes for Oracle EC2"
		225 |   function_name    = "snapshotDBFunction"
		226 |   role             = aws_iam_role.backup_lambda.arn
		227 |   handler          = "snapshot/dbsnapshot.handler"
		228 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		229 |   runtime          = "nodejs18.x"
		230 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		231 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		232 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		233 |   memory_size      = 128
		234 |   timeout          = 900
		235 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		236 | 
		237 |   environment {
		238 |     variables = {
		239 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		240 |     }
		241 |   }
		242 |   vpc_config {
		243 |     security_group_ids = [aws_security_group.backup_lambda.id]
		244 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		245 |   }
		246 |   tags = merge(
		247 |     local.tags,
		248 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		249 |   )
		250 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /lambda.tf:222-250
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		222 | resource "aws_lambda_function" "create_db_snapshots" {
		223 | 
		224 |   description      = "Snapshot volumes for Oracle EC2"
		225 |   function_name    = "snapshotDBFunction"
		226 |   role             = aws_iam_role.backup_lambda.arn
		227 |   handler          = "snapshot/dbsnapshot.handler"
		228 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		229 |   runtime          = "nodejs18.x"
		230 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		231 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		232 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		233 |   memory_size      = 128
		234 |   timeout          = 900
		235 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		236 | 
		237 |   environment {
		238 |     variables = {
		239 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		240 |     }
		241 |   }
		242 |   vpc_config {
		243 |     security_group_ids = [aws_security_group.backup_lambda.id]
		244 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		245 |   }
		246 |   tags = merge(
		247 |     local.tags,
		248 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		249 |   )
		250 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /lambda.tf:222-250
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		222 | resource "aws_lambda_function" "create_db_snapshots" {
		223 | 
		224 |   description      = "Snapshot volumes for Oracle EC2"
		225 |   function_name    = "snapshotDBFunction"
		226 |   role             = aws_iam_role.backup_lambda.arn
		227 |   handler          = "snapshot/dbsnapshot.handler"
		228 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		229 |   runtime          = "nodejs18.x"
		230 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		231 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		232 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		233 |   memory_size      = 128
		234 |   timeout          = 900
		235 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		236 | 
		237 |   environment {
		238 |     variables = {
		239 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		240 |     }
		241 |   }
		242 |   vpc_config {
		243 |     security_group_ids = [aws_security_group.backup_lambda.id]
		244 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		245 |   }
		246 |   tags = merge(
		247 |     local.tags,
		248 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		249 |   )
		250 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /lambda.tf:222-250
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		222 | resource "aws_lambda_function" "create_db_snapshots" {
		223 | 
		224 |   description      = "Snapshot volumes for Oracle EC2"
		225 |   function_name    = "snapshotDBFunction"
		226 |   role             = aws_iam_role.backup_lambda.arn
		227 |   handler          = "snapshot/dbsnapshot.handler"
		228 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		229 |   runtime          = "nodejs18.x"
		230 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		231 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		232 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		233 |   memory_size      = 128
		234 |   timeout          = 900
		235 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		236 | 
		237 |   environment {
		238 |     variables = {
		239 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		240 |     }
		241 |   }
		242 |   vpc_config {
		243 |     security_group_ids = [aws_security_group.backup_lambda.id]
		244 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		245 |   }
		246 |   tags = merge(
		247 |     local.tags,
		248 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		249 |   )
		250 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /lambda.tf:252-274
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		252 | resource "aws_lambda_function" "delete_db_snapshots" {
		253 | 
		254 |   description      = "Clean up script to delete old unused snapshots"
		255 |   function_name    = "deletesnapshotFunction"
		256 |   role             = aws_iam_role.backup_lambda.arn
		257 |   handler          = "deletesnapshots.lambda_handler"
		258 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		259 |   runtime          = "python3.8"
		260 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		261 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		262 |   memory_size      = 3000
		263 |   timeout          = 900
		264 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		265 | 
		266 |   vpc_config {
		267 |     security_group_ids = [aws_security_group.backup_lambda.id]
		268 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		269 |   }
		270 |   tags = merge(
		271 |     local.tags,
		272 |     { Name = "${local.application_name}-${local.environment}-lambda-delete-snapshots" }
		273 |   )
		274 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /lambda.tf:252-274
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		252 | resource "aws_lambda_function" "delete_db_snapshots" {
		253 | 
		254 |   description      = "Clean up script to delete old unused snapshots"
		255 |   function_name    = "deletesnapshotFunction"
		256 |   role             = aws_iam_role.backup_lambda.arn
		257 |   handler          = "deletesnapshots.lambda_handler"
		258 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		259 |   runtime          = "python3.8"
		260 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		261 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		262 |   memory_size      = 3000
		263 |   timeout          = 900
		264 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		265 | 
		266 |   vpc_config {
		267 |     security_group_ids = [aws_security_group.backup_lambda.id]
		268 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		269 |   }
		270 |   tags = merge(
		271 |     local.tags,
		272 |     { Name = "${local.application_name}-${local.environment}-lambda-delete-snapshots" }
		273 |   )
		274 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /lambda.tf:252-274
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		252 | resource "aws_lambda_function" "delete_db_snapshots" {
		253 | 
		254 |   description      = "Clean up script to delete old unused snapshots"
		255 |   function_name    = "deletesnapshotFunction"
		256 |   role             = aws_iam_role.backup_lambda.arn
		257 |   handler          = "deletesnapshots.lambda_handler"
		258 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		259 |   runtime          = "python3.8"
		260 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		261 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		262 |   memory_size      = 3000
		263 |   timeout          = 900
		264 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		265 | 
		266 |   vpc_config {
		267 |     security_group_ids = [aws_security_group.backup_lambda.id]
		268 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		269 |   }
		270 |   tags = merge(
		271 |     local.tags,
		272 |     { Name = "${local.application_name}-${local.environment}-lambda-delete-snapshots" }
		273 |   )
		274 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /lambda.tf:252-274
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		252 | resource "aws_lambda_function" "delete_db_snapshots" {
		253 | 
		254 |   description      = "Clean up script to delete old unused snapshots"
		255 |   function_name    = "deletesnapshotFunction"
		256 |   role             = aws_iam_role.backup_lambda.arn
		257 |   handler          = "deletesnapshots.lambda_handler"
		258 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		259 |   runtime          = "python3.8"
		260 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		261 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		262 |   memory_size      = 3000
		263 |   timeout          = 900
		264 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		265 | 
		266 |   vpc_config {
		267 |     security_group_ids = [aws_security_group.backup_lambda.id]
		268 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		269 |   }
		270 |   tags = merge(
		271 |     local.tags,
		272 |     { Name = "${local.application_name}-${local.environment}-lambda-delete-snapshots" }
		273 |   )
		274 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.connect_db
	File: /lambda.tf:276-307
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		276 | resource "aws_lambda_function" "connect_db" {
		277 | 
		278 |   description      = "SSH to the DB EC2"
		279 |   function_name    = "connectDBFunction"
		280 |   role             = aws_iam_role.backup_lambda.arn
		281 |   handler          = "ssh/dbconnect.handler"
		282 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		283 |   runtime          = "nodejs18.x"
		284 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		285 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		286 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		287 |   memory_size      = 128
		288 |   timeout          = 900
		289 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		290 | 
		291 | 
		292 | 
		293 |   environment {
		294 |     variables = {
		295 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		296 | 
		297 |     }
		298 |   }
		299 |   vpc_config {
		300 |     security_group_ids = [aws_security_group.backup_lambda.id]
		301 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		302 |   }
		303 |   tags = merge(
		304 |     local.tags,
		305 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		306 |   )
		307 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.connect_db
	File: /lambda.tf:276-307
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		276 | resource "aws_lambda_function" "connect_db" {
		277 | 
		278 |   description      = "SSH to the DB EC2"
		279 |   function_name    = "connectDBFunction"
		280 |   role             = aws_iam_role.backup_lambda.arn
		281 |   handler          = "ssh/dbconnect.handler"
		282 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		283 |   runtime          = "nodejs18.x"
		284 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		285 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		286 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		287 |   memory_size      = 128
		288 |   timeout          = 900
		289 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		290 | 
		291 | 
		292 | 
		293 |   environment {
		294 |     variables = {
		295 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		296 | 
		297 |     }
		298 |   }
		299 |   vpc_config {
		300 |     security_group_ids = [aws_security_group.backup_lambda.id]
		301 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		302 |   }
		303 |   tags = merge(
		304 |     local.tags,
		305 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		306 |   )
		307 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.connect_db
	File: /lambda.tf:276-307
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		276 | resource "aws_lambda_function" "connect_db" {
		277 | 
		278 |   description      = "SSH to the DB EC2"
		279 |   function_name    = "connectDBFunction"
		280 |   role             = aws_iam_role.backup_lambda.arn
		281 |   handler          = "ssh/dbconnect.handler"
		282 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		283 |   runtime          = "nodejs18.x"
		284 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		285 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		286 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		287 |   memory_size      = 128
		288 |   timeout          = 900
		289 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		290 | 
		291 | 
		292 | 
		293 |   environment {
		294 |     variables = {
		295 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		296 | 
		297 |     }
		298 |   }
		299 |   vpc_config {
		300 |     security_group_ids = [aws_security_group.backup_lambda.id]
		301 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		302 |   }
		303 |   tags = merge(
		304 |     local.tags,
		305 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		306 |   )
		307 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.connect_db
	File: /lambda.tf:276-307
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		276 | resource "aws_lambda_function" "connect_db" {
		277 | 
		278 |   description      = "SSH to the DB EC2"
		279 |   function_name    = "connectDBFunction"
		280 |   role             = aws_iam_role.backup_lambda.arn
		281 |   handler          = "ssh/dbconnect.handler"
		282 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		283 |   runtime          = "nodejs18.x"
		284 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		285 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		286 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		287 |   memory_size      = 128
		288 |   timeout          = 900
		289 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		290 | 
		291 | 
		292 | 
		293 |   environment {
		294 |     variables = {
		295 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		296 | 
		297 |     }
		298 |   }
		299 |   vpc_config {
		300 |     security_group_ids = [aws_security_group.backup_lambda.id]
		301 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		302 |   }
		303 |   tags = merge(
		304 |     local.tags,
		305 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		306 |   )
		307 | }
Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.connect_db
	File: /lambda.tf:276-307
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		276 | resource "aws_lambda_function" "connect_db" {
		277 | 
		278 |   description      = "SSH to the DB EC2"
		279 |   function_name    = "connectDBFunction"
		280 |   role             = aws_iam_role.backup_lambda.arn
		281 |   handler          = "ssh/dbconnect.handler"
		282 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		283 |   runtime          = "nodejs18.x"
		284 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		285 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		286 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		287 |   memory_size      = 128
		288 |   timeout          = 900
		289 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		290 | 
		291 | 
		292 | 
		293 |   environment {
		294 |     variables = {
		295 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		296 | 
		297 |     }
		298 |   }
		299 |   vpc_config {
		300 |     security_group_ids = [aws_security_group.backup_lambda.id]
		301 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		302 |   }
		303 |   tags = merge(
		304 |     local.tags,
		305 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		306 |   )
		307 | }
Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: module.alb.aws_secretsmanager_secret.cloudfront
	File: /modules/alb/main.tf:275-278
	Calling File: /alb.tf:27-163
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		275 | resource "aws_secretsmanager_secret" "cloudfront" {
		276 |   name        = "cloudfront-v1-secret-${var.application_name}"
		277 |   description = "Simple secret created by AWS CloudFormation to be shared between ALB and CloudFront"
		278 | }

Check: CKV_AWS_233: "Ensure Create before destroy for ACM certificates"
	FAILED for resource: module.alb.aws_acm_certificate.external_lb
	File: /modules/alb/main.tf:427-437
	Calling File: /alb.tf:27-163
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-acm-certificate-enables-create-before-destroy

		427 | resource "aws_acm_certificate" "external_lb" {
		428 | 
		429 |   domain_name               = var.acm_cert_domain_name
		430 |   validation_method         = "DNS"
		431 |   subject_alternative_names = var.environment == "production" ? null : ["${var.application_name}.${var.business_unit}-${var.environment}.${var.acm_cert_domain_name}"]
		432 |   tags                      = var.tags
		433 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		434 |   lifecycle {
		435 |     prevent_destroy = false
		436 |   }
		437 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.alb.s3-bucket[0]
	File: /modules/alb/main.tf:96-151
	Calling File: /alb.tf:27-163
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_300: "Ensure S3 lifecycle configuration sets period for aborting failed uploads"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket_lifecycle_configuration.report_lifecycle
	File: /modules/codebuild/main.tf:25-39
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-300

		25 | resource "aws_s3_bucket_lifecycle_configuration" "report_lifecycle" {
		26 |   bucket = aws_s3_bucket.deployment_report.id
		27 | 
		28 |   rule {
		29 |     id = "monthly-expiration"
		30 |     expiration {
		31 |       days = var.s3_lifecycle_expiration_days
		32 |     }
		33 |     noncurrent_version_expiration {
		34 |       noncurrent_days = var.s3_lifecycle_noncurr_version_expiration_days
		35 |     }
		36 | 
		37 |     status = "Enabled"
		38 |   }
		39 | }

Check: CKV_AWS_163: "Ensure ECR image scanning on push is enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_ecr_repository.local-ecr
	File: /modules/codebuild/main.tf:52-66
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-8

		52 | resource "aws_ecr_repository" "local-ecr" {
		53 |   name                 = "${var.app_name}-local-ecr"
		54 |   image_tag_mutability = "MUTABLE"
		55 | 
		56 |   image_scanning_configuration {
		57 |     scan_on_push = false
		58 |   }
		59 | 
		60 |   tags = merge(
		61 |     var.tags,
		62 |     {
		63 |       Name = "${var.app_name}-local-ecr"
		64 |     },
		65 |   )
		66 | }

Check: CKV_AWS_51: "Ensure ECR Image Tags are immutable"
	FAILED for resource: module.apex-ecr-codebuild.aws_ecr_repository.local-ecr
	File: /modules/codebuild/main.tf:52-66
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-24

		52 | resource "aws_ecr_repository" "local-ecr" {
		53 |   name                 = "${var.app_name}-local-ecr"
		54 |   image_tag_mutability = "MUTABLE"
		55 | 
		56 |   image_scanning_configuration {
		57 |     scan_on_push = false
		58 |   }
		59 | 
		60 |   tags = merge(
		61 |     var.tags,
		62 |     {
		63 |       Name = "${var.app_name}-local-ecr"
		64 |     },
		65 |   )
		66 | }

Check: CKV_AWS_136: "Ensure that ECR repositories are encrypted using KMS"
	FAILED for resource: module.apex-ecr-codebuild.aws_ecr_repository.local-ecr
	File: /modules/codebuild/main.tf:52-66
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ecr-repositories-are-encrypted

		52 | resource "aws_ecr_repository" "local-ecr" {
		53 |   name                 = "${var.app_name}-local-ecr"
		54 |   image_tag_mutability = "MUTABLE"
		55 | 
		56 |   image_scanning_configuration {
		57 |     scan_on_push = false
		58 |   }
		59 | 
		60 |   tags = merge(
		61 |     var.tags,
		62 |     {
		63 |       Name = "${var.app_name}-local-ecr"
		64 |     },
		65 |   )
		66 | }

Check: CKV_AWS_314: "Ensure CodeBuild project environments have a logging configuration"
	FAILED for resource: module.apex-ecr-codebuild.aws_codebuild_project.app-build
	File: /modules/codebuild/main.tf:163-229
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-314

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_316: "Ensure CodeBuild project environments do not have privileged mode enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_codebuild_project.app-build
	File: /modules/codebuild/main.tf:163-229
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-316

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_314: "Ensure CodeBuild project environments have a logging configuration"
	FAILED for resource: module.apex-ecr-codebuild.aws_codebuild_project.test-build
	File: /modules/codebuild/main.tf:231-280
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-314

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: module.apex-ecs.aws_launch_template.ec2-launch-template
	File: /modules/ecs/main.tf:107-164
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_341: "Ensure Launch template should not have a metadata response hop limit greater than 1"
	FAILED for resource: module.apex-ecs.aws_launch_template.ec2-launch-template
	File: /modules/ecs/main.tf:107-164
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-341

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: module.apex-ecs.aws_iam_policy.ec2_instance_policy
	File: /modules/ecs/main.tf:204-237
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		204 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		205 |   name = "${var.app_name}-ec2-instance-policy"
		206 |   tags = merge(
		207 |     var.tags_common,
		208 |     {
		209 |       Name = "${var.app_name}-ec2-instance-policy"
		210 |     }
		211 |   )
		212 |   policy = <<EOF
		213 | {
		214 |     "Version": "2012-10-17",
		215 |     "Statement": [
		216 |         {
		217 |             "Action": [
		218 |                 "ecs:CreateCluster",
		219 |                 "ecs:DeregisterContainerInstance",
		220 |                 "ecs:DiscoverPollEndpoint",
		221 |                 "ecs:Poll",
		222 |                 "ecs:RegisterContainerInstance",
		223 |                 "ecs:StartTelemetrySession",
		224 |                 "ecs:Submit*",
		225 |                 "logs:CreateLogGroup",
		226 |                 "logs:CreateLogStream",
		227 |                 "logs:PutLogEvents",
		228 |                 "logs:DescribeLogStreams",
		229 |                 "ecr:*"
		230 |             ],
		231 |             "Resource": "*",
		232 |             "Effect": "Allow"
		233 |         }
		234 |     ]
		235 | }
		236 | EOF
		237 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.apex-ecs.aws_iam_policy.ec2_instance_policy
	File: /modules/ecs/main.tf:204-237
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		204 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		205 |   name = "${var.app_name}-ec2-instance-policy"
		206 |   tags = merge(
		207 |     var.tags_common,
		208 |     {
		209 |       Name = "${var.app_name}-ec2-instance-policy"
		210 |     }
		211 |   )
		212 |   policy = <<EOF
		213 | {
		214 |     "Version": "2012-10-17",
		215 |     "Statement": [
		216 |         {
		217 |             "Action": [
		218 |                 "ecs:CreateCluster",
		219 |                 "ecs:DeregisterContainerInstance",
		220 |                 "ecs:DiscoverPollEndpoint",
		221 |                 "ecs:Poll",
		222 |                 "ecs:RegisterContainerInstance",
		223 |                 "ecs:StartTelemetrySession",
		224 |                 "ecs:Submit*",
		225 |                 "logs:CreateLogGroup",
		226 |                 "logs:CreateLogStream",
		227 |                 "logs:PutLogEvents",
		228 |                 "logs:DescribeLogStreams",
		229 |                 "ecr:*"
		230 |             ],
		231 |             "Resource": "*",
		232 |             "Effect": "Allow"
		233 |         }
		234 |     ]
		235 | }
		236 | EOF
		237 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: module.apex-ecs.aws_iam_policy.ec2_instance_policy
	File: /modules/ecs/main.tf:204-237
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		204 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		205 |   name = "${var.app_name}-ec2-instance-policy"
		206 |   tags = merge(
		207 |     var.tags_common,
		208 |     {
		209 |       Name = "${var.app_name}-ec2-instance-policy"
		210 |     }
		211 |   )
		212 |   policy = <<EOF
		213 | {
		214 |     "Version": "2012-10-17",
		215 |     "Statement": [
		216 |         {
		217 |             "Action": [
		218 |                 "ecs:CreateCluster",
		219 |                 "ecs:DeregisterContainerInstance",
		220 |                 "ecs:DiscoverPollEndpoint",
		221 |                 "ecs:Poll",
		222 |                 "ecs:RegisterContainerInstance",
		223 |                 "ecs:StartTelemetrySession",
		224 |                 "ecs:Submit*",
		225 |                 "logs:CreateLogGroup",
		226 |                 "logs:CreateLogStream",
		227 |                 "logs:PutLogEvents",
		228 |                 "logs:DescribeLogStreams",
		229 |                 "ecr:*"
		230 |             ],
		231 |             "Resource": "*",
		232 |             "Effect": "Allow"
		233 |         }
		234 |     ]
		235 | }
		236 | EOF
		237 | }

Check: CKV_AWS_249: "Ensure that the Execution Role ARN and the Task Role ARN are different in ECS Task definitions"
	FAILED for resource: module.apex-ecs.aws_ecs_task_definition.windows_ecs_task_definition
	File: /modules/ecs/main.tf:266-287
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-the-aws-execution-role-arn-and-task-role-arn-are-different-in-ecs-task-definitions

		266 | resource "aws_ecs_task_definition" "windows_ecs_task_definition" {
		267 |   family             = "${var.app_name}-task-definition"
		268 |   count              = var.container_instance_type == "windows" ? 1 : 0
		269 |   execution_role_arn = aws_iam_role.ecs_task_execution_role.arn # grants the Amazon ECS container agents permission to make AWS API calls on your behalf
		270 |   task_role_arn      = aws_iam_role.ecs_task_execution_role.arn # assumed by the containers running in the task, allowing your application code (on the container) to use other AWS services
		271 |   requires_compatibilities = [
		272 |     "EC2",
		273 |   ]
		274 | 
		275 |   # volume {
		276 |   #   name = var.task_definition_volume
		277 |   # }
		278 | 
		279 |   container_definitions = var.task_definition
		280 | 
		281 |   tags = merge(
		282 |     var.tags_common,
		283 |     {
		284 |       Name = "${var.app_name}-windows-task-definition"
		285 |     }
		286 |   )
		287 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.apex-ecs.aws_iam_policy.ecs_service
	File: /modules/ecs/main.tf:439-467
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		439 | resource "aws_iam_policy" "ecs_service" { #tfsec:ignore:aws-iam-no-policy-wildcards
		440 |   name = "${var.app_name}-ecs-service-policy"
		441 |   tags = merge(
		442 |     var.tags_common,
		443 |     {
		444 |       Name = "${var.app_name}-ecs-service-policy"
		445 |     }
		446 |   )
		447 |   policy = <<EOF
		448 | {
		449 |   "Version": "2012-10-17",
		450 |   "Statement": [
		451 |     {
		452 |       "Effect": "Allow",
		453 |       "Action": [
		454 |         "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
		455 |         "elasticloadbalancing:DeregisterTargets",
		456 |         "elasticloadbalancing:Describe*",
		457 |         "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
		458 |         "elasticloadbalancing:RegisterTargets",
		459 |         "ec2:Describe*",
		460 |         "ec2:AuthorizeSecurityGroupIngress"
		461 |       ],
		462 |       "Resource": ["*"]
		463 |     }
		464 |   ]
		465 | }
		466 | EOF
		467 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: module.apex-ecs.aws_iam_policy.ecs_service
	File: /modules/ecs/main.tf:439-467
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		439 | resource "aws_iam_policy" "ecs_service" { #tfsec:ignore:aws-iam-no-policy-wildcards
		440 |   name = "${var.app_name}-ecs-service-policy"
		441 |   tags = merge(
		442 |     var.tags_common,
		443 |     {
		444 |       Name = "${var.app_name}-ecs-service-policy"
		445 |     }
		446 |   )
		447 |   policy = <<EOF
		448 | {
		449 |   "Version": "2012-10-17",
		450 |   "Statement": [
		451 |     {
		452 |       "Effect": "Allow",
		453 |       "Action": [
		454 |         "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
		455 |         "elasticloadbalancing:DeregisterTargets",
		456 |         "elasticloadbalancing:Describe*",
		457 |         "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
		458 |         "elasticloadbalancing:RegisterTargets",
		459 |         "ec2:Describe*",
		460 |         "ec2:AuthorizeSecurityGroupIngress"
		461 |       ],
		462 |       "Resource": ["*"]
		463 |     }
		464 |   ]
		465 | }
		466 | EOF
		467 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: module.apex-ecs.aws_cloudwatch_log_group.cloudwatch_group
	File: /modules/ecs/main.tf:488-499
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		488 | resource "aws_cloudwatch_log_group" "cloudwatch_group" {
		489 |   #checkov:skip=CKV_AWS_158:Temporarily skip KMS encryption check while logging solution is being updated
		490 |   name              = "${var.app_name}-ecs-container-logs"
		491 |   retention_in_days = 90
		492 |   kms_key_id        = var.log_group_kms_key
		493 |   tags = merge(
		494 |     var.tags_common,
		495 |     {
		496 |       Name = "${var.app_name}-ecs-container-logs"
		497 |     }
		498 |   )
		499 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: module.apex-ecs.aws_cloudwatch_log_group.ec2
	File: /modules/ecs/main.tf:506-516
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		506 | resource "aws_cloudwatch_log_group" "ec2" {
		507 |   name              = "${var.app_name}-ecs-ec2-logs"
		508 |   retention_in_days = 90
		509 |   kms_key_id        = var.log_group_kms_key
		510 |   tags = merge(
		511 |     var.tags_common,
		512 |     {
		513 |       Name = "${var.app_name}-ecs-ec2-logs"
		514 |     }
		515 |   )
		516 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy.backuplambdapolicy
	File: /modules/lambdapolicy/main.tf:21-58
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		22 |   name   = var.backup_policy_name
		23 |   tags   = var.tags
		24 |   policy = <<EOF
		25 | {
		26 |     "Version" : "2012-10-17",
		27 |     "Statement": [
		28 |         {
		29 |             "Action": [
		30 |                 "lambda:InvokeFunction",
		31 |                 "ec2:CreateNetworkInterface",
		32 |                 "ec2:DescribeNetworkInterfaces",
		33 |                 "ec2:DeleteNetworkInterface",
		34 |                 "ec2:DescribeSecurityGroups",
		35 |                 "ec2:CreateSnapshot",
		36 |                 "ec2:DeleteSnapshot",
		37 |                 "ec2:DescribeSubnets",
		38 |                 "ec2:DescribeVpcs",
		39 |                 "ec2:DescribeInstances",
		40 |                 "ec2:DescribeAddresses",
		41 |                 "ec2:DescribeInstanceStatus",
		42 |                 "ec2:DescribeVolumes",
		43 |                 "ec2:DescribeSnapshots",
		44 |                 "ec2:CreateTags",
		45 |                 "s3:*",
		46 |                 "ssm:*",
		47 |                 "ses:*",
		48 |                 "logs:*",
		49 |                 "cloudwatch:*",
		50 |                 "sts:AssumeRole"
		51 |             ],
		52 |             "Resource": "*",
		53 |             "Effect": "Allow"
		54 |         }
		55 |     ]
		56 | }
		57 | EOF
		58 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.backuplambdapolicy
	File: /modules/lambdapolicy/main.tf:21-58
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		22 |   name   = var.backup_policy_name
		23 |   tags   = var.tags
		24 |   policy = <<EOF
		25 | {
		26 |     "Version" : "2012-10-17",
		27 |     "Statement": [
		28 |         {
		29 |             "Action": [
		30 |                 "lambda:InvokeFunction",
		31 |                 "ec2:CreateNetworkInterface",
		32 |                 "ec2:DescribeNetworkInterfaces",
		33 |                 "ec2:DeleteNetworkInterface",
		34 |                 "ec2:DescribeSecurityGroups",
		35 |                 "ec2:CreateSnapshot",
		36 |                 "ec2:DeleteSnapshot",
		37 |                 "ec2:DescribeSubnets",
		38 |                 "ec2:DescribeVpcs",
		39 |                 "ec2:DescribeInstances",
		40 |                 "ec2:DescribeAddresses",
		41 |                 "ec2:DescribeInstanceStatus",
		42 |                 "ec2:DescribeVolumes",
		43 |                 "ec2:DescribeSnapshots",
		44 |                 "ec2:CreateTags",
		45 |                 "s3:*",
		46 |                 "ssm:*",
		47 |                 "ses:*",
		48 |                 "logs:*",
		49 |                 "cloudwatch:*",
		50 |                 "sts:AssumeRole"
		51 |             ],
		52 |             "Resource": "*",
		53 |             "Effect": "Allow"
		54 |         }
		55 |     ]
		56 | }
		57 | EOF
		58 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.backuplambdapolicy
	File: /modules/lambdapolicy/main.tf:21-58
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		22 |   name   = var.backup_policy_name
		23 |   tags   = var.tags
		24 |   policy = <<EOF
		25 | {
		26 |     "Version" : "2012-10-17",
		27 |     "Statement": [
		28 |         {
		29 |             "Action": [
		30 |                 "lambda:InvokeFunction",
		31 |                 "ec2:CreateNetworkInterface",
		32 |                 "ec2:DescribeNetworkInterfaces",
		33 |                 "ec2:DeleteNetworkInterface",
		34 |                 "ec2:DescribeSecurityGroups",
		35 |                 "ec2:CreateSnapshot",
		36 |                 "ec2:DeleteSnapshot",
		37 |                 "ec2:DescribeSubnets",
		38 |                 "ec2:DescribeVpcs",
		39 |                 "ec2:DescribeInstances",
		40 |                 "ec2:DescribeAddresses",
		41 |                 "ec2:DescribeInstanceStatus",
		42 |                 "ec2:DescribeVolumes",
		43 |                 "ec2:DescribeSnapshots",
		44 |                 "ec2:CreateTags",
		45 |                 "s3:*",
		46 |                 "ssm:*",
		47 |                 "ses:*",
		48 |                 "logs:*",
		49 |                 "cloudwatch:*",
		50 |                 "sts:AssumeRole"
		51 |             ],
		52 |             "Resource": "*",
		53 |             "Effect": "Allow"
		54 |         }
		55 |     ]
		56 | }
		57 | EOF
		58 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_policy.backuplambdapolicy
	File: /modules/lambdapolicy/main.tf:21-58
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		22 |   name   = var.backup_policy_name
		23 |   tags   = var.tags
		24 |   policy = <<EOF
		25 | {
		26 |     "Version" : "2012-10-17",
		27 |     "Statement": [
		28 |         {
		29 |             "Action": [
		30 |                 "lambda:InvokeFunction",
		31 |                 "ec2:CreateNetworkInterface",
		32 |                 "ec2:DescribeNetworkInterfaces",
		33 |                 "ec2:DeleteNetworkInterface",
		34 |                 "ec2:DescribeSecurityGroups",
		35 |                 "ec2:CreateSnapshot",
		36 |                 "ec2:DeleteSnapshot",
		37 |                 "ec2:DescribeSubnets",
		38 |                 "ec2:DescribeVpcs",
		39 |                 "ec2:DescribeInstances",
		40 |                 "ec2:DescribeAddresses",
		41 |                 "ec2:DescribeInstanceStatus",
		42 |                 "ec2:DescribeVolumes",
		43 |                 "ec2:DescribeSnapshots",
		44 |                 "ec2:CreateTags",
		45 |                 "s3:*",
		46 |                 "ssm:*",
		47 |                 "ses:*",
		48 |                 "logs:*",
		49 |                 "cloudwatch:*",
		50 |                 "sts:AssumeRole"
		51 |             ],
		52 |             "Resource": "*",
		53 |             "Effect": "Allow"
		54 |         }
		55 |     ]
		56 | }
		57 | EOF
		58 | }

Check: CKV_AWS_287: "Ensure IAM policies does not allow credentials exposure"
	FAILED for resource: aws_iam_policy.backuplambdapolicy
	File: /modules/lambdapolicy/main.tf:21-58
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-287

		21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		22 |   name   = var.backup_policy_name
		23 |   tags   = var.tags
		24 |   policy = <<EOF
		25 | {
		26 |     "Version" : "2012-10-17",
		27 |     "Statement": [
		28 |         {
		29 |             "Action": [
		30 |                 "lambda:InvokeFunction",
		31 |                 "ec2:CreateNetworkInterface",
		32 |                 "ec2:DescribeNetworkInterfaces",
		33 |                 "ec2:DeleteNetworkInterface",
		34 |                 "ec2:DescribeSecurityGroups",
		35 |                 "ec2:CreateSnapshot",
		36 |                 "ec2:DeleteSnapshot",
		37 |                 "ec2:DescribeSubnets",
		38 |                 "ec2:DescribeVpcs",
		39 |                 "ec2:DescribeInstances",
		40 |                 "ec2:DescribeAddresses",
		41 |                 "ec2:DescribeInstanceStatus",
		42 |                 "ec2:DescribeVolumes",
		43 |                 "ec2:DescribeSnapshots",
		44 |                 "ec2:CreateTags",
		45 |                 "s3:*",
		46 |                 "ssm:*",
		47 |                 "ses:*",
		48 |                 "logs:*",
		49 |                 "cloudwatch:*",
		50 |                 "sts:AssumeRole"
		51 |             ],
		52 |             "Resource": "*",
		53 |             "Effect": "Allow"
		54 |         }
		55 |     ]
		56 | }
		57 | EOF
		58 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.apex
	File: /sns.tf:6-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		6  | resource "aws_sns_topic" "apex" {
		7  |   name = "${local.application_name}-${local.environment}-alerting-topic"
		8  |   tags = merge(
		9  |     local.tags,
		10 |     {
		11 |       Name = "${local.application_name}-${local.environment}-alerting-topic"
		12 |     }
		13 |   )
		14 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: pagerduty_core_alerts
	File: /sns.tf:34-41
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		34 | module "pagerduty_core_alerts" {
		35 |   depends_on = [
		36 |     aws_sns_topic.apex
		37 |   ]
		38 |   source                    = "github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0"
		39 |   sns_topics                = [aws_sns_topic.apex.name]
		40 |   pagerduty_integration_key = local.pagerduty_integration_keys[local.pagerduty_integration_key_name]
		41 | }
Check: CKV_AWS_176: "Ensure Logging is enabled for WAF Web Access Control Lists"
	FAILED for resource: aws_waf_web_acl.waf_acl
	File: /waf.tf:57-87
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-31

		57 | resource "aws_waf_web_acl" "waf_acl" {
		58 |   depends_on = [
		59 |     aws_waf_rule.wafmanualallowrule,
		60 |     aws_waf_rule.wafmanualblockrule,
		61 |   ]
		62 |   name        = "${upper(local.application_name)} Whitelisting Requesters"
		63 |   metric_name = "${upper(local.application_name)}WhitelistingRequesters"
		64 |   #   scope    = "CLOUDFRONT"
		65 |   #   provider = aws.us-east-1
		66 |   default_action {
		67 |     type = "BLOCK"
		68 |   }
		69 | 
		70 |   rules {
		71 |     action {
		72 |       type = "ALLOW"
		73 |     }
		74 |     priority = 1
		75 |     rule_id  = aws_waf_rule.wafmanualallowrule.id
		76 |     type     = "REGULAR"
		77 |   }
		78 | 
		79 |   rules {
		80 |     action {
		81 |       type = "BLOCK"
		82 |     }
		83 |     priority = 2
		84 |     rule_id  = aws_waf_rule.wafmanualblockrule.id
		85 |     type     = "REGULAR"
		86 |   }
		87 | }

Check: CKV2_AWS_47: "Ensure AWS CloudFront attached WAFv2 WebACL is configured with AMR for Log4j Vulnerability"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:177-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-47

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: module.alb.aws_secretsmanager_secret.cloudfront
	File: /modules/alb/main.tf:275-278
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		275 | resource "aws_secretsmanager_secret" "cloudfront" {
		276 |   name        = "cloudfront-v1-secret-${var.application_name}"
		277 |   description = "Simple secret created by AWS CloudFormation to be shared between ALB and CloudFront"
		278 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.cloudfront
	File: /cloudfront.tf:109-122
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		109 | resource "aws_s3_bucket" "cloudfront" {
		110 |   bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		111 |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		112 |   tags = merge(
		113 |     local.tags,
		114 |     {
		115 |       Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		116 |     }
		117 |   )
		118 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		119 |   lifecycle {
		120 |     prevent_destroy = false
		121 |   }
		122 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:107-113
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		107 | resource "aws_s3_bucket" "backup_lambda" {
		108 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		109 |   tags = merge(
		110 |     local.tags,
		111 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		112 |   )
		113 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
	File: /modules/codebuild/main.tf:5-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		5  | resource "aws_s3_bucket" "deployment_report" {
		6  |   bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		7  |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		8  |   tags = merge(
		9  |     var.tags,
		10 |     {
		11 |       Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		12 |     },
		13 |   )
		14 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.laa-lambda-backup
	File: /modules/s3/main.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		1 | resource "aws_s3_bucket" "laa-lambda-backup" {
		2 |   bucket = var.bucket_name
		3 |   tags   = var.tags
		4 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.cloudfront
	File: /cloudfront.tf:109-122
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		109 | resource "aws_s3_bucket" "cloudfront" {
		110 |   bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		111 |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		112 |   tags = merge(
		113 |     local.tags,
		114 |     {
		115 |       Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		116 |     }
		117 |   )
		118 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		119 |   lifecycle {
		120 |     prevent_destroy = false
		121 |   }
		122 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:107-113
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		107 | resource "aws_s3_bucket" "backup_lambda" {
		108 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		109 |   tags = merge(
		110 |     local.tags,
		111 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		112 |   )
		113 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
	File: /modules/codebuild/main.tf:5-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		5  | resource "aws_s3_bucket" "deployment_report" {
		6  |   bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		7  |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		8  |   tags = merge(
		9  |     var.tags,
		10 |     {
		11 |       Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		12 |     },
		13 |   )
		14 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.laa-lambda-backup
	File: /modules/s3/main.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		1 | resource "aws_s3_bucket" "laa-lambda-backup" {
		2 |   bucket = var.bucket_name
		3 |   tags   = var.tags
		4 | }

Check: CKV2_AWS_32: "Ensure CloudFront distribution has a response headers policy attached"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:177-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/bc-aws-networking-65

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AWS_18: "Ensure that Elastic File System (Amazon EFS) file systems are added in the backup plans of AWS Backup"
	FAILED for resource: aws_efs_file_system.efs
	File: /efs.tf:41-55
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-elastic-file-system-amazon-efs-file-systems-are-added-in-the-backup-plans-of-aws-backup

		41 | resource "aws_efs_file_system" "efs" {
		42 |   encrypted        = true
		43 |   kms_key_id       = aws_kms_key.efs.arn
		44 |   performance_mode = "maxIO"
		45 |   throughput_mode  = "bursting"
		46 | 
		47 |   tags = merge(
		48 |     local.tags,
		49 |     { "Name" = "mp-${local.application_name}-efs" }
		50 |   )
		51 | 
		52 |   lifecycle_policy {
		53 |     transition_to_ia = "AFTER_90_DAYS"
		54 |   }
		55 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.cloudfront
	File: /cloudfront.tf:109-122
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		109 | resource "aws_s3_bucket" "cloudfront" {
		110 |   bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		111 |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		112 |   tags = merge(
		113 |     local.tags,
		114 |     {
		115 |       Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		116 |     }
		117 |   )
		118 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		119 |   lifecycle {
		120 |     prevent_destroy = false
		121 |   }
		122 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:107-113
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		107 | resource "aws_s3_bucket" "backup_lambda" {
		108 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		109 |   tags = merge(
		110 |     local.tags,
		111 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		112 |   )
		113 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
	File: /modules/codebuild/main.tf:5-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		5  | resource "aws_s3_bucket" "deployment_report" {
		6  |   bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		7  |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		8  |   tags = merge(
		9  |     var.tags,
		10 |     {
		11 |       Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		12 |     },
		13 |   )
		14 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.laa-lambda-backup
	File: /modules/s3/main.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		1 | resource "aws_s3_bucket" "laa-lambda-backup" {
		2 |   bucket = var.bucket_name
		3 |   tags   = var.tags
		4 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.cloudfront
	File: /cloudfront.tf:109-122
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		109 | resource "aws_s3_bucket" "cloudfront" {
		110 |   bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		111 |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		112 |   tags = merge(
		113 |     local.tags,
		114 |     {
		115 |       Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		116 |     }
		117 |   )
		118 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		119 |   lifecycle {
		120 |     prevent_destroy = false
		121 |   }
		122 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:107-113
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		107 | resource "aws_s3_bucket" "backup_lambda" {
		108 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		109 |   tags = merge(
		110 |     local.tags,
		111 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		112 |   )
		113 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
	File: /modules/codebuild/main.tf:5-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		5  | resource "aws_s3_bucket" "deployment_report" {
		6  |   bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		7  |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		8  |   tags = merge(
		9  |     var.tags,
		10 |     {
		11 |       Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		12 |     },
		13 |   )
		14 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.laa-lambda-backup
	File: /modules/s3/main.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		1 | resource "aws_s3_bucket" "laa-lambda-backup" {
		2 |   bucket = var.bucket_name
		3 |   tags   = var.tags
		4 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.cloudfront
	File: /cloudfront.tf:109-122
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		109 | resource "aws_s3_bucket" "cloudfront" {
		110 |   bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		111 |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		112 |   tags = merge(
		113 |     local.tags,
		114 |     {
		115 |       Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		116 |     }
		117 |   )
		118 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		119 |   lifecycle {
		120 |     prevent_destroy = false
		121 |   }
		122 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.u01-orahome
	File: /ec2.tf:172-187
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		172 | resource "aws_ebs_volume" "u01-orahome" {
		173 |   availability_zone = "eu-west-2a"
		174 |   size              = local.application_data.accounts[local.environment].u01_orahome_size
		175 |   type              = "gp3"
		176 |   encrypted         = true
		177 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		178 |   snapshot_id       = local.application_data.accounts[local.environment].u01_orahome_snapshot
		179 |   lifecycle {
		180 |     ignore_changes = [kms_key_id]
		181 |   }
		182 |   tags = merge(
		183 |     local.tags,
		184 |     { "Name" = "${local.application_name}db-ec2-u01-orahome" },
		185 |     { "backup" = "false" }
		186 |   )
		187 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.u02-oradata
	File: /ec2.tf:194-209
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		194 | resource "aws_ebs_volume" "u02-oradata" {
		195 |   availability_zone = "eu-west-2a"
		196 |   size              = local.application_data.accounts[local.environment].u02_oradata_size
		197 |   type              = "gp3"
		198 |   encrypted         = true
		199 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		200 |   snapshot_id       = local.application_data.accounts[local.environment].u02_oradata_snapshot
		201 |   lifecycle {
		202 |     ignore_changes = [kms_key_id]
		203 |   }
		204 |   tags = merge(
		205 |     local.tags,
		206 |     { "Name" = "${local.application_name}db-ec2-u02-oradata" },
		207 |     { "backup" = "false" }
		208 |   )
		209 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.u03-redo
	File: /ec2.tf:219-234
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		219 | resource "aws_ebs_volume" "u03-redo" {
		220 |   availability_zone = "eu-west-2a"
		221 |   size              = local.application_data.accounts[local.environment].u03_redo_size
		222 |   type              = "gp3"
		223 |   encrypted         = true
		224 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		225 |   snapshot_id       = local.application_data.accounts[local.environment].u03_redo_snapshot
		226 |   lifecycle {
		227 |     ignore_changes = [kms_key_id]
		228 |   }
		229 |   tags = merge(
		230 |     local.tags,
		231 |     { "Name" = "${local.application_name}db-ec2-u03-redo" },
		232 |     { "backup" = "false" }
		233 |   )
		234 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.u04-arch
	File: /ec2.tf:241-256
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		241 | resource "aws_ebs_volume" "u04-arch" {
		242 |   availability_zone = "eu-west-2a"
		243 |   size              = local.application_data.accounts[local.environment].u04_arch_size
		244 |   type              = "gp3"
		245 |   encrypted         = true
		246 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		247 |   snapshot_id       = local.application_data.accounts[local.environment].u04_arch_snapshot
		248 |   lifecycle {
		249 |     ignore_changes = [kms_key_id]
		250 |   }
		251 |   tags = merge(
		252 |     local.tags,
		253 |     { "Name" = "${local.application_name}db-ec2-u04-arch" },
		254 |     { "backup" = "false" }
		255 |   )
		256 | }

Check: CKV_AWS_378: "Ensure AWS Load Balancer doesn't use HTTP protocol"
	FAILED for resource: module.alb.aws_lb_target_group.alb_target_group
	File: /modules/alb/main.tf:346-373

		346 | resource "aws_lb_target_group" "alb_target_group" {
		347 |   name                 = "${var.application_name}-alb-tg"
		348 |   port                 = var.target_group_port
		349 |   protocol             = var.target_group_protocol
		350 |   vpc_id               = var.vpc_id
		351 |   deregistration_delay = var.target_group_deregistration_delay
		352 |   health_check {
		353 |     interval            = var.healthcheck_interval
		354 |     path                = var.healthcheck_path
		355 |     protocol            = var.healthcheck_protocol
		356 |     timeout             = var.healthcheck_timeout
		357 |     healthy_threshold   = var.healthcheck_healthy_threshold
		358 |     unhealthy_threshold = var.healthcheck_unhealthy_threshold
		359 |   }
		360 |   stickiness {
		361 |     enabled         = var.stickiness_enabled
		362 |     type            = var.stickiness_type
		363 |     cookie_duration = var.stickiness_cookie_duration
		364 |   }
		365 | 
		366 |   tags = merge(
		367 |     var.tags,
		368 |     {
		369 |       Name = "${var.application_name}-alb-tg"
		370 |     },
		371 |   )
		372 | 
		373 | }

Check: CKV2_AWS_65: "Ensure access control lists for S3 buckets are disabled"
	FAILED for resource: aws_s3_bucket_ownership_controls.backup_lambda
	File: /lambda.tf:130-135
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-112

		130 | resource "aws_s3_bucket_ownership_controls" "backup_lambda" {
		131 |   bucket = aws_s3_bucket.backup_lambda.id
		132 |   rule {
		133 |     object_ownership = "ObjectWriter"
		134 |   }
		135 | }

Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
	File: /modules/codebuild/main.tf:5-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		5  | resource "aws_s3_bucket" "deployment_report" {
		6  |   bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		7  |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		8  |   tags = merge(
		9  |     var.tags,
		10 |     {
		11 |       Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		12 |     },
		13 |   )
		14 | }

Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:107-113
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		107 | resource "aws_s3_bucket" "backup_lambda" {
		108 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		109 |   tags = merge(
		110 |     local.tags,
		111 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		112 |   )
		113 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.laa-lambda-backup
	File: /modules/s3/main.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		1 | resource "aws_s3_bucket" "laa-lambda-backup" {
		2 |   bucket = var.bucket_name
		3 |   tags   = var.tags
		4 | }

Check: CKV2_AWS_46: "Ensure AWS CloudFront Distribution with S3 have Origin Access set to enabled"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:177-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-aws-cloudfromt-distribution-with-s3-have-origin-access-set-to-enabled

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
terraform_plan scan results:

Passed checks: 0, Failed checks: 0, Skipped checks: 0, Parsing errors: 1


checkov_exitcode=1

TFLint Scan Failed

*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/apex

*****************************

Running tflint in terraform/environments/apex
Excluding the following checks: terraform_unused_declarations
7 issue(s) found:

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/apex/alb.tf line 17:
  17:     "${local.application_data.accounts[local.environment].acm_cert_domain_name}" = {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/apex/alb.tf line 19:
  19:       zone_name = "${local.application_data.accounts[local.environment].acm_cert_domain_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "template" in `required_providers` (terraform_required_providers)

  on terraform/environments/apex/cloudwatch.tf line 401:
 401: data "template_file" "dashboard" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "local" in `required_providers` (terraform_required_providers)

  on terraform/environments/apex/ec2.tf line 45:
  45: data "local_file" "cloudwatch_agent" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/apex/event_triggers.tf line 22:
  22:   input = jsonencode({ "appname" : "${local.database_ec2_name}" })

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "time" in `required_providers` (terraform_required_providers)

  on terraform/environments/apex/lambda.tf line 125:
 125: resource "time_sleep" "wait_for_provision_files" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "archive" in `required_providers` (terraform_required_providers)

  on terraform/environments/apex/lambda.tf line 179:
 179: data "archive_file" "connect_db" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

tflint_exitcode=2

Trivy Scan Failed

*****************************

Trivy will check the following folders:
terraform/environments/apex

*****************************

Running Trivy in terraform/environments/apex
2024-12-03T16:07:48Z	INFO	[vulndb] Need to update DB
2024-12-03T16:07:48Z	INFO	[vulndb] Downloading vulnerability DB...
2024-12-03T16:07:48Z	INFO	[vulndb] Downloading artifact...	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-03T16:07:50Z	INFO	[vulndb] Artifact successfully downloaded	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-03T16:07:50Z	INFO	[vuln] Vulnerability scanning is enabled
2024-12-03T16:07:50Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-12-03T16:07:50Z	INFO	[misconfig] Need to update the built-in checks
2024-12-03T16:07:50Z	INFO	[misconfig] Downloading the built-in checks...
160.80 KiB / 160.80 KiB [---------------------------------------------------------] 100.00% ? p/s 0s
2024-12-03T16:07:51Z	INFO	[secret] Secret scanning is enabled
2024-12-03T16:07:51Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-12-03T16:07:51Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-12-03T16:07:52Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-12-03T16:07:52Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2024-12-03T16:07:52Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="aws_waf_ipset.wafmanualallowset" err="1 error occurred:\n\t* invalid for-each in aws_waf_ipset.wafmanualallowset.dynamic.ip_set_descriptors block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-03T16:07:52Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="aws_waf_ipset.wafmanualallowset" err="1 error occurred:\n\t* invalid for-each in aws_waf_ipset.wafmanualallowset.dynamic.ip_set_descriptors block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-03T16:07:52Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.aws_route53_record.external_lb_validation_core_network_services" value="cty.NilVal"
2024-12-03T16:07:52Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.aws_route53_record.external_lb_validation_core_vpc" value="cty.NilVal"
2024-12-03T16:07:52Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.aws_route53_record.external_lb_validation_self" value="cty.NilVal"
2024-12-03T16:07:52Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.data.aws_route53_zone.core_network_services" value="cty.NilVal"
2024-12-03T16:07:52Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.data.aws_route53_zone.core_vpc" value="cty.NilVal"
2024-12-03T16:07:52Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alb.data.aws_route53_zone.self" value="cty.NilVal"
2024-12-03T16:07:53Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.apex-ecs.aws_autoscaling_group.cluster-scaling-group" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.cluster-scaling-group.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-03T16:07:53Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.apex-ecs.aws_autoscaling_group.cluster-scaling-group" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.cluster-scaling-group.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-03T16:07:53Z	INFO	[terraform scanner] Scanning root module	file_path="modules/lambdapolicy"
2024-12-03T16:07:53Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="tags"
2024-12-03T16:07:53Z	INFO	[terraform scanner] Scanning root module	file_path="modules/s3"
2024-12-03T16:07:53Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="tags"
2024-12-03T16:07:55Z	INFO	[terraform executor] Ignore finding	rule="aws-elb-alb-not-public" range="modules/alb/main.tf:214"
2024-12-03T16:07:55Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0/main.tf:171-179"
2024-12-03T16:07:55Z	INFO	Number of language-specific files	num=0
2024-12-03T16:07:55Z	INFO	Detected config files	num=12

cloudfront.tf (terraform)
=========================
Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0013 (HIGH): Distribution allows unencrypted communications.
════════════════════════════════════════
You should not use outdated/insecure TLS versions for encryption. You should be using TLS v1.2+.
Note: that setting *minimum_protocol_version = "TLSv1.2_2021"* is only possible when *cloudfront_default_certificate* is false (eg. you are not using the cloudfront.net domain name).
If *cloudfront_default_certificate* is true then the Cloudfront API will only allow setting *minimum_protocol_version = "TLSv1"*, and setting it to any other value will result in a perpetual diff in your *terraform plan*'s.
The only option when using the cloudfront.net domain name is to ignore this rule.


See https://avd.aquasec.com/misconfig/avd-aws-0013
────────────────────────────────────────
 cloudfront.tf:244
   via cloudfront.tf:241-245 (viewer_certificate)
    via cloudfront.tf:177-267 (aws_cloudfront_distribution.external)
────────────────────────────────────────
 177   resource "aws_cloudfront_distribution" "external" {
 ...   
 244 [     minimum_protocol_version = "TLSv1.2_2018"
 ...   
 267   }
────────────────────────────────────────


AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.


See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 cloudfront.tf:131-142
────────────────────────────────────────
 131 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "cloudfront" {
 132 │   bucket = aws_s3_bucket.cloudfront.id
 133 │   rule {
 134 │     apply_server_side_encryption_by_default {
 135 │       sse_algorithm = "AES256"
 136 │     }
 137 │   }
 138 │   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
 139 └   lifecycle {
 ...   
────────────────────────────────────────



ec2.tf (terraform)
==================
Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 ec2.tf:6-43
────────────────────────────────────────
   6 ┌ resource "aws_instance" "apex_db_instance" {
   7 │   ami                         = local.application_data.accounts[local.environment].ec2amiid
   8 │   associate_public_ip_address = false
   9 │   availability_zone           = "eu-west-2a"
  10 │   ebs_optimized               = true
  11 │   instance_type               = local.application_data.accounts[local.environment].ec2instancetype
  12 │   vpc_security_group_ids      = [aws_security_group.database.id]
  13 │   monitoring                  = true
  14 └   subnet_id                   = data.aws_subnet.data_subnets_a.id
  ..   
────────────────────────────────────────



lambda.tf (terraform)
=====================
Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0088 (HIGH): Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.


See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
 lambda.tf:107-113
────────────────────────────────────────
 107 ┌ resource "aws_s3_bucket" "backup_lambda" {
 108 │   bucket = "${local.application_name}-${local.environment}-backup-lambda"
 109 │   tags = merge(
 110 │     local.tags,
 111 │     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
 112 │   )
 113 └ }
────────────────────────────────────────


AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.


See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 lambda.tf:107-113
────────────────────────────────────────
 107 ┌ resource "aws_s3_bucket" "backup_lambda" {
 108 │   bucket = "${local.application_name}-${local.environment}-backup-lambda"
 109 │   tags = merge(
 110 │     local.tags,
 111 │     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
 112 │   )
 113 └ }
────────────────────────────────────────



modules/ecs/main.tf (terraform)
===============================
Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0130 (HIGH): Launch template does not require IMDS access to require a token
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/aws-autoscaling-enforce-http-token-imds
────────────────────────────────────────
 modules/ecs/main.tf:121
   via modules/ecs/main.tf:119-123 (metadata_options)
    via modules/ecs/main.tf:107-164 (aws_launch_template.ec2-launch-template)
     via ecs.tf:5-38 (module.apex-ecs)
────────────────────────────────────────
 107   resource "aws_launch_template" "ec2-launch-template" {
 ...   
 121 [     http_tokens                 = "optional"
 ...   
 164   }
────────────────────────────────────────



modules/s3/main.tf (terraform)
==============================
Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0088 (HIGH): Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.


See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
 modules/s3/main.tf:1-4
────────────────────────────────────────
   1 ┌ resource "aws_s3_bucket" "laa-lambda-backup" {
   2 │   bucket = var.bucket_name
   3 │   tags   = var.tags
   4 └ }
────────────────────────────────────────


AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.


See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 modules/s3/main.tf:1-4
────────────────────────────────────────
   1 ┌ resource "aws_s3_bucket" "laa-lambda-backup" {
   2 │   bucket = var.bucket_name
   3 │   tags   = var.tags
   4 └ }
────────────────────────────────────────


trivy_exitcode=1


github-actions bot commented Dec 4, 2024

#### `Trivy Scan` Failed
<details><summary>Show Output</summary>

```hcl

Trivy will check the following folders:
terraform/environments/apex


Running Trivy in terraform/environments/apex
2024-12-04T11:48:49Z INFO [vulndb] Need to update DB
2024-12-04T11:48:49Z INFO [vulndb] Downloading vulnerability DB...
2024-12-04T11:48:49Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-04T11:48:51Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-04T11:48:51Z INFO [vuln] Vulnerability scanning is enabled
2024-12-04T11:48:51Z INFO [misconfig] Misconfiguration scanning is enabled
2024-12-04T11:48:51Z INFO [misconfig] Need to update the built-in checks
2024-12-04T11:48:51Z INFO [misconfig] Downloading the built-in checks...
2024-12-04T11:48:53Z INFO [secret] Secret scanning is enabled
2024-12-04T11:48:53Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-12-04T11:48:53Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.58/docs/scanner/secret#recommendation for faster secret detection
2024-12-04T11:48:54Z INFO [terraform scanner] Scanning root module file_path="."
2024-12-04T11:48:54Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
panic: value is null

trivy_exitcode=2
```

</details>

#### `Checkov Scan` Failed

<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/apex

*****************************

Running Checkov in terraform/environments/apex
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-12-04 11:48:59,043 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0:None (for external modules, the --download-external-modules flag is required)
2024-12-04 11:48:59,043 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 368, Failed checks: 102, Skipped checks: 5, Parsing errors: 1

Check: CKV_AWS_166: "Ensure Backup Vault is encrypted at rest using KMS CMK"
	FAILED for resource: aws_backup_vault.apex
	File: /backups.tf:6-12
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-backup-vault-is-encrypted-at-rest-using-kms-cmk

		6  | resource "aws_backup_vault" "apex" {
		7  |   name = "${local.application_name}-backup-vault"
		8  |   tags = merge(
		9  |     local.tags,
		10 |     { "Name" = "${local.application_name}-backup-vault" },
		11 |   )
		12 | }

Check: CKV_AWS_166: "Ensure Backup Vault is encrypted at rest using KMS CMK"
	FAILED for resource: aws_backup_vault.prod_apex
	File: /backups.tf:64-71
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-backup-vault-is-encrypted-at-rest-using-kms-cmk

		64 | resource "aws_backup_vault" "prod_apex" {
		65 |   count = local.environment == "production" ? 1 : 0
		66 |   name  = "${local.application_name}-production-backup-vault"
		67 |   tags = merge(
		68 |     local.tags,
		69 |     { "Name" = "${local.application_name}-production-backup-vault" },
		70 |   )
		71 | }

Check: CKV_AWS_300: "Ensure S3 lifecycle configuration sets period for aborting failed uploads"
	FAILED for resource: aws_s3_bucket_lifecycle_configuration.cloudfront
	File: /cloudfront.tf:157-175
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-300

		157 | resource "aws_s3_bucket_lifecycle_configuration" "cloudfront" {
		158 |   count  = local.environment == "production" ? 1 : 0
		159 |   bucket = aws_s3_bucket.cloudfront.id
		160 | 
		161 |   rule {
		162 |     id = "delete-after-90days"
		163 | 
		164 |     expiration {
		165 |       days = 90
		166 |     }
		167 | 
		168 |     noncurrent_version_expiration {
		169 |       newer_noncurrent_versions = 1
		170 |       noncurrent_days           = 90
		171 |     }
		172 | 
		173 |     status = "Enabled"
		174 |   }
		175 | }

Check: CKV_AWS_310: "Ensure CloudFront distributions should have origin failover configured"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:177-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-310

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_374: "Ensure AWS CloudFront web distribution has geo restriction enabled"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:177-267

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_305: "Ensure CloudFront distribution has a default root object configured"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:177-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-305

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_233: "Ensure Create before destroy for ACM certificates"
	FAILED for resource: aws_acm_certificate.cloudfront
	File: /cloudfront.tf:295-305
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-acm-certificate-enables-create-before-destroy

		295 | resource "aws_acm_certificate" "cloudfront" {
		296 |   domain_name               = local.cloudfront_domain
		297 |   validation_method         = "DNS"
		298 |   provider                  = aws.us-east-1
		299 |   subject_alternative_names = local.environment == "production" ? null : [local.lower_env_cloudfront_url]
		300 |   tags                      = local.tags
		301 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		302 |   lifecycle {
		303 |     prevent_destroy = false
		304 |   }
		305 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.apex_db_instance
	File: /ec2.tf:6-43
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		6  | resource "aws_instance" "apex_db_instance" {
		7  |   ami                         = local.application_data.accounts[local.environment].ec2amiid
		8  |   associate_public_ip_address = false
		9  |   availability_zone           = "eu-west-2a"
		10 |   ebs_optimized               = true
		11 |   instance_type               = local.application_data.accounts[local.environment].ec2instancetype
		12 |   vpc_security_group_ids      = [aws_security_group.database.id]
		13 |   monitoring                  = true
		14 |   subnet_id                   = data.aws_subnet.data_subnets_a.id
		15 |   iam_instance_profile        = aws_iam_instance_profile.ec2_instance_profile.id
		16 |   key_name                    = aws_key_pair.apex.key_name
		17 |   user_data_base64            = base64encode(local.database-instance-userdata)
		18 |   user_data_replace_on_change = true
		19 | 
		20 |   lifecycle {
		21 |     ignore_changes = [user_data_base64]
		22 |   }
		23 | 
		24 |   root_block_device {
		25 |     delete_on_termination = false
		26 |     encrypted             = true # TODO Confirm if encrypted volumes can work for OAS, as it looks like in MP they must be encrypted
		27 |     volume_size           = 60
		28 |     volume_type           = "gp2"
		29 |     tags = merge(
		30 |       local.tags,
		31 |       { "Name" = "${local.application_name}db-ec2-root" },
		32 |       { "backup" = "false" }
		33 |     )
		34 |   }
		35 | 
		36 |   tags = merge(
		37 |     local.tags,
		38 |     { "Name" = local.database_ec2_name },
		39 |     { "instance-scheduling" = "skip-scheduling" },
		40 |     { "backup" = "false" },
		41 |     local.backup_schedule_tags
		42 |   )
		43 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.db_lambda
	File: /ec2.tf:80-87
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		80 | resource "aws_vpc_security_group_ingress_rule" "db_lambda" {
		81 |   security_group_id            = aws_security_group.database.id
		82 |   description                  = "Allow Lambda SSH access for backup snapshots"
		83 |   referenced_security_group_id = aws_security_group.backup_lambda.id
		84 |   from_port                    = 22
		85 |   ip_protocol                  = "tcp"
		86 |   to_port                      = 22
		87 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.db_outbound
	File: /ec2.tf:108-112
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		108 | resource "aws_vpc_security_group_egress_rule" "db_outbound" {
		109 |   security_group_id = aws_security_group.database.id
		110 |   cidr_ipv4         = "0.0.0.0/0"
		111 |   ip_protocol       = "-1"
		112 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.ec2_instance_policy
	File: /ec2.tf:139-170
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		139 | resource "aws_iam_role_policy" "ec2_instance_policy" {
		140 |   name = "${local.application_name}-ec2-policy"
		141 |   role = aws_iam_role.ec2_instance_role.id
		142 |   policy = jsonencode({
		143 |     Version = "2012-10-17"
		144 |     Statement = [
		145 |       {
		146 |         Effect = "Allow",
		147 |         Action = [
		148 |           "logs:CreateLogGroup",
		149 |           "logs:CreateLogStream",
		150 |           "logs:DescribeLogStreams",
		151 |           "logs:PutRetentionPolicy",
		152 |           "logs:PutLogEvents",
		153 |           "logs:DescribeLogGroups",
		154 |           "cloudwatch:PutMetricData",
		155 |           "cloudwatch:GetMetricStatistics",
		156 |           "cloudwatch:ListMetrics",
		157 |           "ec2:DescribeInstances",
		158 |         ],
		159 |         Resource = "*"
		160 |       },
		161 |       {
		162 |         Effect = "Allow",
		163 |         Action = [
		164 |           "ec2:CreateTags"
		165 |         ],
		166 |         Resource = "*"
		167 |       }
		168 |     ]
		169 |   })
		170 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.ec2_instance_policy
	File: /ec2.tf:139-170
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		139 | resource "aws_iam_role_policy" "ec2_instance_policy" {
		140 |   name = "${local.application_name}-ec2-policy"
		141 |   role = aws_iam_role.ec2_instance_role.id
		142 |   policy = jsonencode({
		143 |     Version = "2012-10-17"
		144 |     Statement = [
		145 |       {
		146 |         Effect = "Allow",
		147 |         Action = [
		148 |           "logs:CreateLogGroup",
		149 |           "logs:CreateLogStream",
		150 |           "logs:DescribeLogStreams",
		151 |           "logs:PutRetentionPolicy",
		152 |           "logs:PutLogEvents",
		153 |           "logs:DescribeLogGroups",
		154 |           "cloudwatch:PutMetricData",
		155 |           "cloudwatch:GetMetricStatistics",
		156 |           "cloudwatch:ListMetrics",
		157 |           "ec2:DescribeInstances",
		158 |         ],
		159 |         Resource = "*"
		160 |       },
		161 |       {
		162 |         Effect = "Allow",
		163 |         Action = [
		164 |           "ec2:CreateTags"
		165 |         ],
		166 |         Resource = "*"
		167 |       }
		168 |     ]
		169 |   })
		170 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.database
	File: /ec2.tf:272-282
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		272 | resource "aws_cloudwatch_log_group" "database" {
		273 |   name              = "${upper(local.application_name)}-EC2-database-alert"
		274 |   retention_in_days = 0
		275 |   # kms_key_id = aws_kms_key.cloudwatch_logs_key.arn # Not encrypted in LZ
		276 |   tags = merge(
		277 |     local.tags,
		278 |     {
		279 |       Name = "${upper(local.application_name)}-EC2-database-alert"
		280 |     }
		281 |   )
		282 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.pmon_status
	File: /ec2.tf:297-307
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		297 | resource "aws_cloudwatch_log_group" "pmon_status" {
		298 |   name              = "${upper(local.application_name)}-EC2-database-pmon-status"
		299 |   retention_in_days = 0
		300 |   # kms_key_id = aws_kms_key.cloudwatch_logs_key.arn # Not encrypted in LZ
		301 |   tags = merge(
		302 |     local.tags,
		303 |     {
		304 |       Name = "${upper(local.application_name)}-EC2-database-pmon-status"
		305 |     }
		306 |   )
		307 | }

Check: CKV_AWS_7: "Ensure rotation for customer created CMKs is enabled"
	FAILED for resource: aws_kms_key.efs
	File: /efs.tf:1-5
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/logging-8

		1 | resource "aws_kms_key" "efs" {
		2 |   description = "KMS key for encrypting EFS"
		3 |   # enable_key_rotation = true
		4 |   tags = local.tags
		5 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.ssh_key
	File: /lambda.tf:8-23
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		8  | resource "aws_ssm_parameter" "ssh_key" {
		9  |   name        = "EC2_SSH_KEY" # This needs to match the name supplied to the dbconnect.js script
		10 |   description = "SSH Key used by Lambda function to access database instance for backup. Value is updated manually."
		11 |   type        = "SecureString"
		12 |   value       = "Placeholder"
		13 | 
		14 |   tags = merge(
		15 |     local.tags,
		16 |     { Name = "EC2_SSH_KEY" }
		17 |   )
		18 |   lifecycle {
		19 |     ignore_changes = [
		20 |       value,
		21 |     ]
		22 |   }
		23 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:51-91
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		51 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		52 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		53 |   tags = merge(
		54 |     local.tags,
		55 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		56 |   )
		57 |   policy = <<EOF
		58 | {
		59 |     "Version" : "2012-10-17",
		60 |     "Statement": [
		61 |         {
		62 |             "Action": [
		63 |                 "lambda:InvokeFunction",
		64 |                 "ec2:CreateNetworkInterface",
		65 |                 "ec2:DescribeNetworkInterfaces",
		66 |                 "ec2:DeleteNetworkInterface",
		67 |                 "ec2:DescribeSecurityGroups",
		68 |                 "ec2:CreateSnapshot",
		69 |                 "ec2:DeleteSnapshot",
		70 |                 "ec2:DescribeSubnets",
		71 |                 "ec2:DescribeVpcs",
		72 |                 "ec2:DescribeInstances",
		73 |                 "ec2:DescribeAddresses",
		74 |                 "ec2:DescribeInstanceStatus",
		75 |                 "ec2:DescribeVolumes",
		76 |                 "ec2:DescribeSnapshots",
		77 |                 "ec2:CreateTags",
		78 |                 "s3:*",
		79 |                 "ssm:*",
		80 |                 "ses:*",
		81 |                 "logs:*",
		82 |                 "cloudwatch:*",
		83 |                 "sts:AssumeRole"
		84 |             ],
		85 |             "Resource": "*",
		86 |             "Effect": "Allow"
		87 |         }
		88 |     ]
		89 | }
		90 | EOF
		91 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:51-91
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		51 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		52 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		53 |   tags = merge(
		54 |     local.tags,
		55 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		56 |   )
		57 |   policy = <<EOF
		58 | {
		59 |     "Version" : "2012-10-17",
		60 |     "Statement": [
		61 |         {
		62 |             "Action": [
		63 |                 "lambda:InvokeFunction",
		64 |                 "ec2:CreateNetworkInterface",
		65 |                 "ec2:DescribeNetworkInterfaces",
		66 |                 "ec2:DeleteNetworkInterface",
		67 |                 "ec2:DescribeSecurityGroups",
		68 |                 "ec2:CreateSnapshot",
		69 |                 "ec2:DeleteSnapshot",
		70 |                 "ec2:DescribeSubnets",
		71 |                 "ec2:DescribeVpcs",
		72 |                 "ec2:DescribeInstances",
		73 |                 "ec2:DescribeAddresses",
		74 |                 "ec2:DescribeInstanceStatus",
		75 |                 "ec2:DescribeVolumes",
		76 |                 "ec2:DescribeSnapshots",
		77 |                 "ec2:CreateTags",
		78 |                 "s3:*",
		79 |                 "ssm:*",
		80 |                 "ses:*",
		81 |                 "logs:*",
		82 |                 "cloudwatch:*",
		83 |                 "sts:AssumeRole"
		84 |             ],
		85 |             "Resource": "*",
		86 |             "Effect": "Allow"
		87 |         }
		88 |     ]
		89 | }
		90 | EOF
		91 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:51-91
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		51 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		52 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		53 |   tags = merge(
		54 |     local.tags,
		55 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		56 |   )
		57 |   policy = <<EOF
		58 | {
		59 |     "Version" : "2012-10-17",
		60 |     "Statement": [
		61 |         {
		62 |             "Action": [
		63 |                 "lambda:InvokeFunction",
		64 |                 "ec2:CreateNetworkInterface",
		65 |                 "ec2:DescribeNetworkInterfaces",
		66 |                 "ec2:DeleteNetworkInterface",
		67 |                 "ec2:DescribeSecurityGroups",
		68 |                 "ec2:CreateSnapshot",
		69 |                 "ec2:DeleteSnapshot",
		70 |                 "ec2:DescribeSubnets",
		71 |                 "ec2:DescribeVpcs",
		72 |                 "ec2:DescribeInstances",
		73 |                 "ec2:DescribeAddresses",
		74 |                 "ec2:DescribeInstanceStatus",
		75 |                 "ec2:DescribeVolumes",
		76 |                 "ec2:DescribeSnapshots",
		77 |                 "ec2:CreateTags",
		78 |                 "s3:*",
		79 |                 "ssm:*",
		80 |                 "ses:*",
		81 |                 "logs:*",
		82 |                 "cloudwatch:*",
		83 |                 "sts:AssumeRole"
		84 |             ],
		85 |             "Resource": "*",
		86 |             "Effect": "Allow"
		87 |         }
		88 |     ]
		89 | }
		90 | EOF
		91 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:51-91
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		51 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		52 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		53 |   tags = merge(
		54 |     local.tags,
		55 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		56 |   )
		57 |   policy = <<EOF
		58 | {
		59 |     "Version" : "2012-10-17",
		60 |     "Statement": [
		61 |         {
		62 |             "Action": [
		63 |                 "lambda:InvokeFunction",
		64 |                 "ec2:CreateNetworkInterface",
		65 |                 "ec2:DescribeNetworkInterfaces",
		66 |                 "ec2:DeleteNetworkInterface",
		67 |                 "ec2:DescribeSecurityGroups",
		68 |                 "ec2:CreateSnapshot",
		69 |                 "ec2:DeleteSnapshot",
		70 |                 "ec2:DescribeSubnets",
		71 |                 "ec2:DescribeVpcs",
		72 |                 "ec2:DescribeInstances",
		73 |                 "ec2:DescribeAddresses",
		74 |                 "ec2:DescribeInstanceStatus",
		75 |                 "ec2:DescribeVolumes",
		76 |                 "ec2:DescribeSnapshots",
		77 |                 "ec2:CreateTags",
		78 |                 "s3:*",
		79 |                 "ssm:*",
		80 |                 "ses:*",
		81 |                 "logs:*",
		82 |                 "cloudwatch:*",
		83 |                 "sts:AssumeRole"
		84 |             ],
		85 |             "Resource": "*",
		86 |             "Effect": "Allow"
		87 |         }
		88 |     ]
		89 | }
		90 | EOF
		91 | }

Check: CKV_AWS_287: "Ensure IAM policies does not allow credentials exposure"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:51-91
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-287

		51 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		52 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		53 |   tags = merge(
		54 |     local.tags,
		55 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		56 |   )
		57 |   policy = <<EOF
		58 | {
		59 |     "Version" : "2012-10-17",
		60 |     "Statement": [
		61 |         {
		62 |             "Action": [
		63 |                 "lambda:InvokeFunction",
		64 |                 "ec2:CreateNetworkInterface",
		65 |                 "ec2:DescribeNetworkInterfaces",
		66 |                 "ec2:DeleteNetworkInterface",
		67 |                 "ec2:DescribeSecurityGroups",
		68 |                 "ec2:CreateSnapshot",
		69 |                 "ec2:DeleteSnapshot",
		70 |                 "ec2:DescribeSubnets",
		71 |                 "ec2:DescribeVpcs",
		72 |                 "ec2:DescribeInstances",
		73 |                 "ec2:DescribeAddresses",
		74 |                 "ec2:DescribeInstanceStatus",
		75 |                 "ec2:DescribeVolumes",
		76 |                 "ec2:DescribeSnapshots",
		77 |                 "ec2:CreateTags",
		78 |                 "s3:*",
		79 |                 "ssm:*",
		80 |                 "ses:*",
		81 |                 "logs:*",
		82 |                 "cloudwatch:*",
		83 |                 "sts:AssumeRole"
		84 |             ],
		85 |             "Resource": "*",
		86 |             "Effect": "Allow"
		87 |         }
		88 |     ]
		89 | }
		90 | EOF
		91 | }

Check: CKV_AWS_382: "Ensure no security groups allow egress from 0.0.0.0:0 to port -1"
	FAILED for resource: aws_security_group.backup_lambda
	File: /lambda.tf:190-207

		190 | resource "aws_security_group" "backup_lambda" {
		191 |   name        = "${local.application_name}-${local.environment}-backup-lambda-security-group"
		192 |   description = "Bakcup Lambda Security Group"
		193 |   vpc_id      = data.aws_vpc.shared.id
		194 | 
		195 |   egress {
		196 |     description = "outbound access"
		197 |     from_port   = 0
		198 |     to_port     = 0
		199 |     protocol    = "-1"
		200 |     cidr_blocks = ["0.0.0.0/0"]
		201 |   }
		202 | 
		203 |   tags = merge(
		204 |     local.tags,
		205 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-security-group" }
		206 |   )
		207 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /lambda.tf:222-250
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		222 | resource "aws_lambda_function" "create_db_snapshots" {
		223 | 
		224 |   description      = "Snapshot volumes for Oracle EC2"
		225 |   function_name    = "snapshotDBFunction"
		226 |   role             = aws_iam_role.backup_lambda.arn
		227 |   handler          = "snapshot/dbsnapshot.handler"
		228 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		229 |   runtime          = "nodejs18.x"
		230 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		231 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		232 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		233 |   memory_size      = 128
		234 |   timeout          = 900
		235 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		236 | 
		237 |   environment {
		238 |     variables = {
		239 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		240 |     }
		241 |   }
		242 |   vpc_config {
		243 |     security_group_ids = [aws_security_group.backup_lambda.id]
		244 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		245 |   }
		246 |   tags = merge(
		247 |     local.tags,
		248 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		249 |   )
		250 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /lambda.tf:222-250
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		222 | resource "aws_lambda_function" "create_db_snapshots" {
		223 | 
		224 |   description      = "Snapshot volumes for Oracle EC2"
		225 |   function_name    = "snapshotDBFunction"
		226 |   role             = aws_iam_role.backup_lambda.arn
		227 |   handler          = "snapshot/dbsnapshot.handler"
		228 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		229 |   runtime          = "nodejs18.x"
		230 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		231 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		232 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		233 |   memory_size      = 128
		234 |   timeout          = 900
		235 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		236 | 
		237 |   environment {
		238 |     variables = {
		239 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		240 |     }
		241 |   }
		242 |   vpc_config {
		243 |     security_group_ids = [aws_security_group.backup_lambda.id]
		244 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		245 |   }
		246 |   tags = merge(
		247 |     local.tags,
		248 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		249 |   )
		250 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /lambda.tf:222-250
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		222 | resource "aws_lambda_function" "create_db_snapshots" {
		223 | 
		224 |   description      = "Snapshot volumes for Oracle EC2"
		225 |   function_name    = "snapshotDBFunction"
		226 |   role             = aws_iam_role.backup_lambda.arn
		227 |   handler          = "snapshot/dbsnapshot.handler"
		228 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		229 |   runtime          = "nodejs18.x"
		230 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		231 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		232 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		233 |   memory_size      = 128
		234 |   timeout          = 900
		235 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		236 | 
		237 |   environment {
		238 |     variables = {
		239 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		240 |     }
		241 |   }
		242 |   vpc_config {
		243 |     security_group_ids = [aws_security_group.backup_lambda.id]
		244 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		245 |   }
		246 |   tags = merge(
		247 |     local.tags,
		248 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		249 |   )
		250 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /lambda.tf:222-250
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		222 | resource "aws_lambda_function" "create_db_snapshots" {
		223 | 
		224 |   description      = "Snapshot volumes for Oracle EC2"
		225 |   function_name    = "snapshotDBFunction"
		226 |   role             = aws_iam_role.backup_lambda.arn
		227 |   handler          = "snapshot/dbsnapshot.handler"
		228 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		229 |   runtime          = "nodejs18.x"
		230 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		231 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		232 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		233 |   memory_size      = 128
		234 |   timeout          = 900
		235 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		236 | 
		237 |   environment {
		238 |     variables = {
		239 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		240 |     }
		241 |   }
		242 |   vpc_config {
		243 |     security_group_ids = [aws_security_group.backup_lambda.id]
		244 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		245 |   }
		246 |   tags = merge(
		247 |     local.tags,
		248 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		249 |   )
		250 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /lambda.tf:222-250
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		222 | resource "aws_lambda_function" "create_db_snapshots" {
		223 | 
		224 |   description      = "Snapshot volumes for Oracle EC2"
		225 |   function_name    = "snapshotDBFunction"
		226 |   role             = aws_iam_role.backup_lambda.arn
		227 |   handler          = "snapshot/dbsnapshot.handler"
		228 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		229 |   runtime          = "nodejs18.x"
		230 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		231 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		232 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		233 |   memory_size      = 128
		234 |   timeout          = 900
		235 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		236 | 
		237 |   environment {
		238 |     variables = {
		239 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		240 |     }
		241 |   }
		242 |   vpc_config {
		243 |     security_group_ids = [aws_security_group.backup_lambda.id]
		244 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		245 |   }
		246 |   tags = merge(
		247 |     local.tags,
		248 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		249 |   )
		250 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /lambda.tf:252-274
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		252 | resource "aws_lambda_function" "delete_db_snapshots" {
		253 | 
		254 |   description      = "Clean up script to delete old unused snapshots"
		255 |   function_name    = "deletesnapshotFunction"
		256 |   role             = aws_iam_role.backup_lambda.arn
		257 |   handler          = "deletesnapshots.lambda_handler"
		258 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		259 |   runtime          = "python3.8"
		260 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		261 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		262 |   memory_size      = 3000
		263 |   timeout          = 900
		264 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		265 | 
		266 |   vpc_config {
		267 |     security_group_ids = [aws_security_group.backup_lambda.id]
		268 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		269 |   }
		270 |   tags = merge(
		271 |     local.tags,
		272 |     { Name = "${local.application_name}-${local.environment}-lambda-delete-snapshots" }
		273 |   )
		274 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /lambda.tf:252-274
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		252 | resource "aws_lambda_function" "delete_db_snapshots" {
		253 | 
		254 |   description      = "Clean up script to delete old unused snapshots"
		255 |   function_name    = "deletesnapshotFunction"
		256 |   role             = aws_iam_role.backup_lambda.arn
		257 |   handler          = "deletesnapshots.lambda_handler"
		258 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		259 |   runtime          = "python3.8"
		260 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		261 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		262 |   memory_size      = 3000
		263 |   timeout          = 900
		264 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		265 | 
		266 |   vpc_config {
		267 |     security_group_ids = [aws_security_group.backup_lambda.id]
		268 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		269 |   }
		270 |   tags = merge(
		271 |     local.tags,
		272 |     { Name = "${local.application_name}-${local.environment}-lambda-delete-snapshots" }
		273 |   )
		274 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /lambda.tf:252-274
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		252 | resource "aws_lambda_function" "delete_db_snapshots" {
		253 | 
		254 |   description      = "Clean up script to delete old unused snapshots"
		255 |   function_name    = "deletesnapshotFunction"
		256 |   role             = aws_iam_role.backup_lambda.arn
		257 |   handler          = "deletesnapshots.lambda_handler"
		258 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		259 |   runtime          = "python3.8"
		260 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		261 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		262 |   memory_size      = 3000
		263 |   timeout          = 900
		264 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		265 | 
		266 |   vpc_config {
		267 |     security_group_ids = [aws_security_group.backup_lambda.id]
		268 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		269 |   }
		270 |   tags = merge(
		271 |     local.tags,
		272 |     { Name = "${local.application_name}-${local.environment}-lambda-delete-snapshots" }
		273 |   )
		274 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /lambda.tf:252-274
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		252 | resource "aws_lambda_function" "delete_db_snapshots" {
		253 | 
		254 |   description      = "Clean up script to delete old unused snapshots"
		255 |   function_name    = "deletesnapshotFunction"
		256 |   role             = aws_iam_role.backup_lambda.arn
		257 |   handler          = "deletesnapshots.lambda_handler"
		258 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		259 |   runtime          = "python3.8"
		260 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		261 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		262 |   memory_size      = 3000
		263 |   timeout          = 900
		264 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		265 | 
		266 |   vpc_config {
		267 |     security_group_ids = [aws_security_group.backup_lambda.id]
		268 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		269 |   }
		270 |   tags = merge(
		271 |     local.tags,
		272 |     { Name = "${local.application_name}-${local.environment}-lambda-delete-snapshots" }
		273 |   )
		274 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.connect_db
	File: /lambda.tf:276-307
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		276 | resource "aws_lambda_function" "connect_db" {
		277 | 
		278 |   description      = "SSH to the DB EC2"
		279 |   function_name    = "connectDBFunction"
		280 |   role             = aws_iam_role.backup_lambda.arn
		281 |   handler          = "ssh/dbconnect.handler"
		282 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		283 |   runtime          = "nodejs18.x"
		284 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		285 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		286 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		287 |   memory_size      = 128
		288 |   timeout          = 900
		289 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		290 | 
		291 | 
		292 | 
		293 |   environment {
		294 |     variables = {
		295 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		296 | 
		297 |     }
		298 |   }
		299 |   vpc_config {
		300 |     security_group_ids = [aws_security_group.backup_lambda.id]
		301 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		302 |   }
		303 |   tags = merge(
		304 |     local.tags,
		305 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		306 |   )
		307 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.connect_db
	File: /lambda.tf:276-307
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		276 | resource "aws_lambda_function" "connect_db" {
		277 | 
		278 |   description      = "SSH to the DB EC2"
		279 |   function_name    = "connectDBFunction"
		280 |   role             = aws_iam_role.backup_lambda.arn
		281 |   handler          = "ssh/dbconnect.handler"
		282 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		283 |   runtime          = "nodejs18.x"
		284 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		285 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		286 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		287 |   memory_size      = 128
		288 |   timeout          = 900
		289 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		290 | 
		291 | 
		292 | 
		293 |   environment {
		294 |     variables = {
		295 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		296 | 
		297 |     }
		298 |   }
		299 |   vpc_config {
		300 |     security_group_ids = [aws_security_group.backup_lambda.id]
		301 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		302 |   }
		303 |   tags = merge(
		304 |     local.tags,
		305 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		306 |   )
		307 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.connect_db
	File: /lambda.tf:276-307
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		276 | resource "aws_lambda_function" "connect_db" {
		277 | 
		278 |   description      = "SSH to the DB EC2"
		279 |   function_name    = "connectDBFunction"
		280 |   role             = aws_iam_role.backup_lambda.arn
		281 |   handler          = "ssh/dbconnect.handler"
		282 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		283 |   runtime          = "nodejs18.x"
		284 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		285 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		286 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		287 |   memory_size      = 128
		288 |   timeout          = 900
		289 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		290 | 
		291 | 
		292 | 
		293 |   environment {
		294 |     variables = {
		295 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		296 | 
		297 |     }
		298 |   }
		299 |   vpc_config {
		300 |     security_group_ids = [aws_security_group.backup_lambda.id]
		301 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		302 |   }
		303 |   tags = merge(
		304 |     local.tags,
		305 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		306 |   )
		307 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.connect_db
	File: /lambda.tf:276-307
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		276 | resource "aws_lambda_function" "connect_db" {
		277 | 
		278 |   description      = "SSH to the DB EC2"
		279 |   function_name    = "connectDBFunction"
		280 |   role             = aws_iam_role.backup_lambda.arn
		281 |   handler          = "ssh/dbconnect.handler"
		282 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		283 |   runtime          = "nodejs18.x"
		284 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		285 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		286 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		287 |   memory_size      = 128
		288 |   timeout          = 900
		289 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		290 | 
		291 | 
		292 | 
		293 |   environment {
		294 |     variables = {
		295 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		296 | 
		297 |     }
		298 |   }
		299 |   vpc_config {
		300 |     security_group_ids = [aws_security_group.backup_lambda.id]
		301 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		302 |   }
		303 |   tags = merge(
		304 |     local.tags,
		305 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		306 |   )
		307 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.connect_db
	File: /lambda.tf:276-307
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		276 | resource "aws_lambda_function" "connect_db" {
		277 | 
		278 |   description      = "SSH to the DB EC2"
		279 |   function_name    = "connectDBFunction"
		280 |   role             = aws_iam_role.backup_lambda.arn
		281 |   handler          = "ssh/dbconnect.handler"
		282 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		283 |   runtime          = "nodejs18.x"
		284 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		285 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		286 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		287 |   memory_size      = 128
		288 |   timeout          = 900
		289 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		290 | 
		291 | 
		292 | 
		293 |   environment {
		294 |     variables = {
		295 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		296 | 
		297 |     }
		298 |   }
		299 |   vpc_config {
		300 |     security_group_ids = [aws_security_group.backup_lambda.id]
		301 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		302 |   }
		303 |   tags = merge(
		304 |     local.tags,
		305 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		306 |   )
		307 | }
Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: module.alb.aws_secretsmanager_secret.cloudfront
	File: /modules/alb/main.tf:275-278
	Calling File: /alb.tf:27-163
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		275 | resource "aws_secretsmanager_secret" "cloudfront" {
		276 |   name        = "cloudfront-v1-secret-${var.application_name}"
		277 |   description = "Simple secret created by AWS CloudFormation to be shared between ALB and CloudFront"
		278 | }

Check: CKV_AWS_233: "Ensure Create before destroy for ACM certificates"
	FAILED for resource: module.alb.aws_acm_certificate.external_lb
	File: /modules/alb/main.tf:427-437
	Calling File: /alb.tf:27-163
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-acm-certificate-enables-create-before-destroy

		427 | resource "aws_acm_certificate" "external_lb" {
		428 | 
		429 |   domain_name               = var.acm_cert_domain_name
		430 |   validation_method         = "DNS"
		431 |   subject_alternative_names = var.environment == "production" ? null : ["${var.application_name}.${var.business_unit}-${var.environment}.${var.acm_cert_domain_name}"]
		432 |   tags                      = var.tags
		433 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		434 |   lifecycle {
		435 |     prevent_destroy = false
		436 |   }
		437 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.alb.s3-bucket[0]
	File: /modules/alb/main.tf:96-151
	Calling File: /alb.tf:27-163
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_300: "Ensure S3 lifecycle configuration sets period for aborting failed uploads"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket_lifecycle_configuration.report_lifecycle
	File: /modules/codebuild/main.tf:25-39
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-300

		25 | resource "aws_s3_bucket_lifecycle_configuration" "report_lifecycle" {
		26 |   bucket = aws_s3_bucket.deployment_report.id
		27 | 
		28 |   rule {
		29 |     id = "monthly-expiration"
		30 |     expiration {
		31 |       days = var.s3_lifecycle_expiration_days
		32 |     }
		33 |     noncurrent_version_expiration {
		34 |       noncurrent_days = var.s3_lifecycle_noncurr_version_expiration_days
		35 |     }
		36 | 
		37 |     status = "Enabled"
		38 |   }
		39 | }

Check: CKV_AWS_163: "Ensure ECR image scanning on push is enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_ecr_repository.local-ecr
	File: /modules/codebuild/main.tf:52-66
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-8

		52 | resource "aws_ecr_repository" "local-ecr" {
		53 |   name                 = "${var.app_name}-local-ecr"
		54 |   image_tag_mutability = "MUTABLE"
		55 | 
		56 |   image_scanning_configuration {
		57 |     scan_on_push = false
		58 |   }
		59 | 
		60 |   tags = merge(
		61 |     var.tags,
		62 |     {
		63 |       Name = "${var.app_name}-local-ecr"
		64 |     },
		65 |   )
		66 | }

Check: CKV_AWS_51: "Ensure ECR Image Tags are immutable"
	FAILED for resource: module.apex-ecr-codebuild.aws_ecr_repository.local-ecr
	File: /modules/codebuild/main.tf:52-66
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-24

		52 | resource "aws_ecr_repository" "local-ecr" {
		53 |   name                 = "${var.app_name}-local-ecr"
		54 |   image_tag_mutability = "MUTABLE"
		55 | 
		56 |   image_scanning_configuration {
		57 |     scan_on_push = false
		58 |   }
		59 | 
		60 |   tags = merge(
		61 |     var.tags,
		62 |     {
		63 |       Name = "${var.app_name}-local-ecr"
		64 |     },
		65 |   )
		66 | }

Check: CKV_AWS_136: "Ensure that ECR repositories are encrypted using KMS"
	FAILED for resource: module.apex-ecr-codebuild.aws_ecr_repository.local-ecr
	File: /modules/codebuild/main.tf:52-66
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ecr-repositories-are-encrypted

		52 | resource "aws_ecr_repository" "local-ecr" {
		53 |   name                 = "${var.app_name}-local-ecr"
		54 |   image_tag_mutability = "MUTABLE"
		55 | 
		56 |   image_scanning_configuration {
		57 |     scan_on_push = false
		58 |   }
		59 | 
		60 |   tags = merge(
		61 |     var.tags,
		62 |     {
		63 |       Name = "${var.app_name}-local-ecr"
		64 |     },
		65 |   )
		66 | }

Check: CKV_AWS_314: "Ensure CodeBuild project environments have a logging configuration"
	FAILED for resource: module.apex-ecr-codebuild.aws_codebuild_project.app-build
	File: /modules/codebuild/main.tf:163-229
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-314

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_316: "Ensure CodeBuild project environments do not have privileged mode enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_codebuild_project.app-build
	File: /modules/codebuild/main.tf:163-229
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-316

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_314: "Ensure CodeBuild project environments have a logging configuration"
	FAILED for resource: module.apex-ecr-codebuild.aws_codebuild_project.test-build
	File: /modules/codebuild/main.tf:231-280
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-314

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: module.apex-ecs.aws_launch_template.ec2-launch-template
	File: /modules/ecs/main.tf:107-164
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_341: "Ensure Launch template should not have a metadata response hop limit greater than 1"
	FAILED for resource: module.apex-ecs.aws_launch_template.ec2-launch-template
	File: /modules/ecs/main.tf:107-164
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-341

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: module.apex-ecs.aws_iam_policy.ec2_instance_policy
	File: /modules/ecs/main.tf:204-237
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		204 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		205 |   name = "${var.app_name}-ec2-instance-policy"
		206 |   tags = merge(
		207 |     var.tags_common,
		208 |     {
		209 |       Name = "${var.app_name}-ec2-instance-policy"
		210 |     }
		211 |   )
		212 |   policy = <<EOF
		213 | {
		214 |     "Version": "2012-10-17",
		215 |     "Statement": [
		216 |         {
		217 |             "Action": [
		218 |                 "ecs:CreateCluster",
		219 |                 "ecs:DeregisterContainerInstance",
		220 |                 "ecs:DiscoverPollEndpoint",
		221 |                 "ecs:Poll",
		222 |                 "ecs:RegisterContainerInstance",
		223 |                 "ecs:StartTelemetrySession",
		224 |                 "ecs:Submit*",
		225 |                 "logs:CreateLogGroup",
		226 |                 "logs:CreateLogStream",
		227 |                 "logs:PutLogEvents",
		228 |                 "logs:DescribeLogStreams",
		229 |                 "ecr:*"
		230 |             ],
		231 |             "Resource": "*",
		232 |             "Effect": "Allow"
		233 |         }
		234 |     ]
		235 | }
		236 | EOF
		237 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.apex-ecs.aws_iam_policy.ec2_instance_policy
	File: /modules/ecs/main.tf:204-237
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		204 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		205 |   name = "${var.app_name}-ec2-instance-policy"
		206 |   tags = merge(
		207 |     var.tags_common,
		208 |     {
		209 |       Name = "${var.app_name}-ec2-instance-policy"
		210 |     }
		211 |   )
		212 |   policy = <<EOF
		213 | {
		214 |     "Version": "2012-10-17",
		215 |     "Statement": [
		216 |         {
		217 |             "Action": [
		218 |                 "ecs:CreateCluster",
		219 |                 "ecs:DeregisterContainerInstance",
		220 |                 "ecs:DiscoverPollEndpoint",
		221 |                 "ecs:Poll",
		222 |                 "ecs:RegisterContainerInstance",
		223 |                 "ecs:StartTelemetrySession",
		224 |                 "ecs:Submit*",
		225 |                 "logs:CreateLogGroup",
		226 |                 "logs:CreateLogStream",
		227 |                 "logs:PutLogEvents",
		228 |                 "logs:DescribeLogStreams",
		229 |                 "ecr:*"
		230 |             ],
		231 |             "Resource": "*",
		232 |             "Effect": "Allow"
		233 |         }
		234 |     ]
		235 | }
		236 | EOF
		237 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: module.apex-ecs.aws_iam_policy.ec2_instance_policy
	File: /modules/ecs/main.tf:204-237
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		204 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		205 |   name = "${var.app_name}-ec2-instance-policy"
		206 |   tags = merge(
		207 |     var.tags_common,
		208 |     {
		209 |       Name = "${var.app_name}-ec2-instance-policy"
		210 |     }
		211 |   )
		212 |   policy = <<EOF
		213 | {
		214 |     "Version": "2012-10-17",
		215 |     "Statement": [
		216 |         {
		217 |             "Action": [
		218 |                 "ecs:CreateCluster",
		219 |                 "ecs:DeregisterContainerInstance",
		220 |                 "ecs:DiscoverPollEndpoint",
		221 |                 "ecs:Poll",
		222 |                 "ecs:RegisterContainerInstance",
		223 |                 "ecs:StartTelemetrySession",
		224 |                 "ecs:Submit*",
		225 |                 "logs:CreateLogGroup",
		226 |                 "logs:CreateLogStream",
		227 |                 "logs:PutLogEvents",
		228 |                 "logs:DescribeLogStreams",
		229 |                 "ecr:*"
		230 |             ],
		231 |             "Resource": "*",
		232 |             "Effect": "Allow"
		233 |         }
		234 |     ]
		235 | }
		236 | EOF
		237 | }

Check: CKV_AWS_249: "Ensure that the Execution Role ARN and the Task Role ARN are different in ECS Task definitions"
	FAILED for resource: module.apex-ecs.aws_ecs_task_definition.windows_ecs_task_definition
	File: /modules/ecs/main.tf:266-287
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-the-aws-execution-role-arn-and-task-role-arn-are-different-in-ecs-task-definitions

		266 | resource "aws_ecs_task_definition" "windows_ecs_task_definition" {
		267 |   family             = "${var.app_name}-task-definition"
		268 |   count              = var.container_instance_type == "windows" ? 1 : 0
		269 |   execution_role_arn = aws_iam_role.ecs_task_execution_role.arn # grants the Amazon ECS container agents permission to make AWS API calls on your behalf
		270 |   task_role_arn      = aws_iam_role.ecs_task_execution_role.arn # assumed by the containers running in the task, allowing your application code (on the container) to use other AWS services
		271 |   requires_compatibilities = [
		272 |     "EC2",
		273 |   ]
		274 | 
		275 |   # volume {
		276 |   #   name = var.task_definition_volume
		277 |   # }
		278 | 
		279 |   container_definitions = var.task_definition
		280 | 
		281 |   tags = merge(
		282 |     var.tags_common,
		283 |     {
		284 |       Name = "${var.app_name}-windows-task-definition"
		285 |     }
		286 |   )
		287 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.apex-ecs.aws_iam_policy.ecs_service
	File: /modules/ecs/main.tf:439-467
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		439 | resource "aws_iam_policy" "ecs_service" { #tfsec:ignore:aws-iam-no-policy-wildcards
		440 |   name = "${var.app_name}-ecs-service-policy"
		441 |   tags = merge(
		442 |     var.tags_common,
		443 |     {
		444 |       Name = "${var.app_name}-ecs-service-policy"
		445 |     }
		446 |   )
		447 |   policy = <<EOF
		448 | {
		449 |   "Version": "2012-10-17",
		450 |   "Statement": [
		451 |     {
		452 |       "Effect": "Allow",
		453 |       "Action": [
		454 |         "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
		455 |         "elasticloadbalancing:DeregisterTargets",
		456 |         "elasticloadbalancing:Describe*",
		457 |         "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
		458 |         "elasticloadbalancing:RegisterTargets",
		459 |         "ec2:Describe*",
		460 |         "ec2:AuthorizeSecurityGroupIngress"
		461 |       ],
		462 |       "Resource": ["*"]
		463 |     }
		464 |   ]
		465 | }
		466 | EOF
		467 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: module.apex-ecs.aws_iam_policy.ecs_service
	File: /modules/ecs/main.tf:439-467
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		439 | resource "aws_iam_policy" "ecs_service" { #tfsec:ignore:aws-iam-no-policy-wildcards
		440 |   name = "${var.app_name}-ecs-service-policy"
		441 |   tags = merge(
		442 |     var.tags_common,
		443 |     {
		444 |       Name = "${var.app_name}-ecs-service-policy"
		445 |     }
		446 |   )
		447 |   policy = <<EOF
		448 | {
		449 |   "Version": "2012-10-17",
		450 |   "Statement": [
		451 |     {
		452 |       "Effect": "Allow",
		453 |       "Action": [
		454 |         "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
		455 |         "elasticloadbalancing:DeregisterTargets",
		456 |         "elasticloadbalancing:Describe*",
		457 |         "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
		458 |         "elasticloadbalancing:RegisterTargets",
		459 |         "ec2:Describe*",
		460 |         "ec2:AuthorizeSecurityGroupIngress"
		461 |       ],
		462 |       "Resource": ["*"]
		463 |     }
		464 |   ]
		465 | }
		466 | EOF
		467 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: module.apex-ecs.aws_cloudwatch_log_group.cloudwatch_group
	File: /modules/ecs/main.tf:488-499
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		488 | resource "aws_cloudwatch_log_group" "cloudwatch_group" {
		489 |   #checkov:skip=CKV_AWS_158:Temporarily skip KMS encryption check while logging solution is being updated
		490 |   name              = "${var.app_name}-ecs-container-logs"
		491 |   retention_in_days = 90
		492 |   kms_key_id        = var.log_group_kms_key
		493 |   tags = merge(
		494 |     var.tags_common,
		495 |     {
		496 |       Name = "${var.app_name}-ecs-container-logs"
		497 |     }
		498 |   )
		499 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: module.apex-ecs.aws_cloudwatch_log_group.ec2
	File: /modules/ecs/main.tf:506-516
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		506 | resource "aws_cloudwatch_log_group" "ec2" {
		507 |   name              = "${var.app_name}-ecs-ec2-logs"
		508 |   retention_in_days = 90
		509 |   kms_key_id        = var.log_group_kms_key
		510 |   tags = merge(
		511 |     var.tags_common,
		512 |     {
		513 |       Name = "${var.app_name}-ecs-ec2-logs"
		514 |     }
		515 |   )
		516 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy.backuplambdapolicy
	File: /modules/lambdapolicy/main.tf:21-58
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		22 |   name   = var.backup_policy_name
		23 |   tags   = var.tags
		24 |   policy = <<EOF
		25 | {
		26 |     "Version" : "2012-10-17",
		27 |     "Statement": [
		28 |         {
		29 |             "Action": [
		30 |                 "lambda:InvokeFunction",
		31 |                 "ec2:CreateNetworkInterface",
		32 |                 "ec2:DescribeNetworkInterfaces",
		33 |                 "ec2:DeleteNetworkInterface",
		34 |                 "ec2:DescribeSecurityGroups",
		35 |                 "ec2:CreateSnapshot",
		36 |                 "ec2:DeleteSnapshot",
		37 |                 "ec2:DescribeSubnets",
		38 |                 "ec2:DescribeVpcs",
		39 |                 "ec2:DescribeInstances",
		40 |                 "ec2:DescribeAddresses",
		41 |                 "ec2:DescribeInstanceStatus",
		42 |                 "ec2:DescribeVolumes",
		43 |                 "ec2:DescribeSnapshots",
		44 |                 "ec2:CreateTags",
		45 |                 "s3:*",
		46 |                 "ssm:*",
		47 |                 "ses:*",
		48 |                 "logs:*",
		49 |                 "cloudwatch:*",
		50 |                 "sts:AssumeRole"
		51 |             ],
		52 |             "Resource": "*",
		53 |             "Effect": "Allow"
		54 |         }
		55 |     ]
		56 | }
		57 | EOF
		58 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.backuplambdapolicy
	File: /modules/lambdapolicy/main.tf:21-58
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		22 |   name   = var.backup_policy_name
		23 |   tags   = var.tags
		24 |   policy = <<EOF
		25 | {
		26 |     "Version" : "2012-10-17",
		27 |     "Statement": [
		28 |         {
		29 |             "Action": [
		30 |                 "lambda:InvokeFunction",
		31 |                 "ec2:CreateNetworkInterface",
		32 |                 "ec2:DescribeNetworkInterfaces",
		33 |                 "ec2:DeleteNetworkInterface",
		34 |                 "ec2:DescribeSecurityGroups",
		35 |                 "ec2:CreateSnapshot",
		36 |                 "ec2:DeleteSnapshot",
		37 |                 "ec2:DescribeSubnets",
		38 |                 "ec2:DescribeVpcs",
		39 |                 "ec2:DescribeInstances",
		40 |                 "ec2:DescribeAddresses",
		41 |                 "ec2:DescribeInstanceStatus",
		42 |                 "ec2:DescribeVolumes",
		43 |                 "ec2:DescribeSnapshots",
		44 |                 "ec2:CreateTags",
		45 |                 "s3:*",
		46 |                 "ssm:*",
		47 |                 "ses:*",
		48 |                 "logs:*",
		49 |                 "cloudwatch:*",
		50 |                 "sts:AssumeRole"
		51 |             ],
		52 |             "Resource": "*",
		53 |             "Effect": "Allow"
		54 |         }
		55 |     ]
		56 | }
		57 | EOF
		58 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.backuplambdapolicy
	File: /modules/lambdapolicy/main.tf:21-58
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		22 |   name   = var.backup_policy_name
		23 |   tags   = var.tags
		24 |   policy = <<EOF
		25 | {
		26 |     "Version" : "2012-10-17",
		27 |     "Statement": [
		28 |         {
		29 |             "Action": [
		30 |                 "lambda:InvokeFunction",
		31 |                 "ec2:CreateNetworkInterface",
		32 |                 "ec2:DescribeNetworkInterfaces",
		33 |                 "ec2:DeleteNetworkInterface",
		34 |                 "ec2:DescribeSecurityGroups",
		35 |                 "ec2:CreateSnapshot",
		36 |                 "ec2:DeleteSnapshot",
		37 |                 "ec2:DescribeSubnets",
		38 |                 "ec2:DescribeVpcs",
		39 |                 "ec2:DescribeInstances",
		40 |                 "ec2:DescribeAddresses",
		41 |                 "ec2:DescribeInstanceStatus",
		42 |                 "ec2:DescribeVolumes",
		43 |                 "ec2:DescribeSnapshots",
		44 |                 "ec2:CreateTags",
		45 |                 "s3:*",
		46 |                 "ssm:*",
		47 |                 "ses:*",
		48 |                 "logs:*",
		49 |                 "cloudwatch:*",
		50 |                 "sts:AssumeRole"
		51 |             ],
		52 |             "Resource": "*",
		53 |             "Effect": "Allow"
		54 |         }
		55 |     ]
		56 | }
		57 | EOF
		58 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_policy.backuplambdapolicy
	File: /modules/lambdapolicy/main.tf:21-58
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		22 |   name   = var.backup_policy_name
		23 |   tags   = var.tags
		24 |   policy = <<EOF
		25 | {
		26 |     "Version" : "2012-10-17",
		27 |     "Statement": [
		28 |         {
		29 |             "Action": [
		30 |                 "lambda:InvokeFunction",
		31 |                 "ec2:CreateNetworkInterface",
		32 |                 "ec2:DescribeNetworkInterfaces",
		33 |                 "ec2:DeleteNetworkInterface",
		34 |                 "ec2:DescribeSecurityGroups",
		35 |                 "ec2:CreateSnapshot",
		36 |                 "ec2:DeleteSnapshot",
		37 |                 "ec2:DescribeSubnets",
		38 |                 "ec2:DescribeVpcs",
		39 |                 "ec2:DescribeInstances",
		40 |                 "ec2:DescribeAddresses",
		41 |                 "ec2:DescribeInstanceStatus",
		42 |                 "ec2:DescribeVolumes",
		43 |                 "ec2:DescribeSnapshots",
		44 |                 "ec2:CreateTags",
		45 |                 "s3:*",
		46 |                 "ssm:*",
		47 |                 "ses:*",
		48 |                 "logs:*",
		49 |                 "cloudwatch:*",
		50 |                 "sts:AssumeRole"
		51 |             ],
		52 |             "Resource": "*",
		53 |             "Effect": "Allow"
		54 |         }
		55 |     ]
		56 | }
		57 | EOF
		58 | }

Check: CKV_AWS_287: "Ensure IAM policies does not allow credentials exposure"
	FAILED for resource: aws_iam_policy.backuplambdapolicy
	File: /modules/lambdapolicy/main.tf:21-58
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-287

		21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		22 |   name   = var.backup_policy_name
		23 |   tags   = var.tags
		24 |   policy = <<EOF
		25 | {
		26 |     "Version" : "2012-10-17",
		27 |     "Statement": [
		28 |         {
		29 |             "Action": [
		30 |                 "lambda:InvokeFunction",
		31 |                 "ec2:CreateNetworkInterface",
		32 |                 "ec2:DescribeNetworkInterfaces",
		33 |                 "ec2:DeleteNetworkInterface",
		34 |                 "ec2:DescribeSecurityGroups",
		35 |                 "ec2:CreateSnapshot",
		36 |                 "ec2:DeleteSnapshot",
		37 |                 "ec2:DescribeSubnets",
		38 |                 "ec2:DescribeVpcs",
		39 |                 "ec2:DescribeInstances",
		40 |                 "ec2:DescribeAddresses",
		41 |                 "ec2:DescribeInstanceStatus",
		42 |                 "ec2:DescribeVolumes",
		43 |                 "ec2:DescribeSnapshots",
		44 |                 "ec2:CreateTags",
		45 |                 "s3:*",
		46 |                 "ssm:*",
		47 |                 "ses:*",
		48 |                 "logs:*",
		49 |                 "cloudwatch:*",
		50 |                 "sts:AssumeRole"
		51 |             ],
		52 |             "Resource": "*",
		53 |             "Effect": "Allow"
		54 |         }
		55 |     ]
		56 | }
		57 | EOF
		58 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.apex
	File: /sns.tf:6-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		6  | resource "aws_sns_topic" "apex" {
		7  |   name = "${local.application_name}-${local.environment}-alerting-topic"
		8  |   tags = merge(
		9  |     local.tags,
		10 |     {
		11 |       Name = "${local.application_name}-${local.environment}-alerting-topic"
		12 |     }
		13 |   )
		14 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: pagerduty_core_alerts
	File: /sns.tf:34-41
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		34 | module "pagerduty_core_alerts" {
		35 |   depends_on = [
		36 |     aws_sns_topic.apex
		37 |   ]
		38 |   source                    = "github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0"
		39 |   sns_topics                = [aws_sns_topic.apex.name]
		40 |   pagerduty_integration_key = local.pagerduty_integration_keys[local.pagerduty_integration_key_name]
		41 | }
Check: CKV_AWS_176: "Ensure Logging is enabled for WAF Web Access Control Lists"
	FAILED for resource: aws_waf_web_acl.waf_acl
	File: /waf.tf:57-87
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-31

		57 | resource "aws_waf_web_acl" "waf_acl" {
		58 |   depends_on = [
		59 |     aws_waf_rule.wafmanualallowrule,
		60 |     aws_waf_rule.wafmanualblockrule,
		61 |   ]
		62 |   name        = "${upper(local.application_name)} Whitelisting Requesters"
		63 |   metric_name = "${upper(local.application_name)}WhitelistingRequesters"
		64 |   #   scope    = "CLOUDFRONT"
		65 |   #   provider = aws.us-east-1
		66 |   default_action {
		67 |     type = "BLOCK"
		68 |   }
		69 | 
		70 |   rules {
		71 |     action {
		72 |       type = "ALLOW"
		73 |     }
		74 |     priority = 1
		75 |     rule_id  = aws_waf_rule.wafmanualallowrule.id
		76 |     type     = "REGULAR"
		77 |   }
		78 | 
		79 |   rules {
		80 |     action {
		81 |       type = "BLOCK"
		82 |     }
		83 |     priority = 2
		84 |     rule_id  = aws_waf_rule.wafmanualblockrule.id
		85 |     type     = "REGULAR"
		86 |   }
		87 | }

Check: CKV2_AWS_47: "Ensure AWS CloudFront attached WAFv2 WebACL is configured with AMR for Log4j Vulnerability"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:177-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-47

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: module.alb.aws_secretsmanager_secret.cloudfront
	File: /modules/alb/main.tf:275-278
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		275 | resource "aws_secretsmanager_secret" "cloudfront" {
		276 |   name        = "cloudfront-v1-secret-${var.application_name}"
		277 |   description = "Simple secret created by AWS CloudFormation to be shared between ALB and CloudFront"
		278 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.cloudfront
	File: /cloudfront.tf:109-122
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		109 | resource "aws_s3_bucket" "cloudfront" {
		110 |   bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		111 |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		112 |   tags = merge(
		113 |     local.tags,
		114 |     {
		115 |       Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		116 |     }
		117 |   )
		118 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		119 |   lifecycle {
		120 |     prevent_destroy = false
		121 |   }
		122 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:107-113
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		107 | resource "aws_s3_bucket" "backup_lambda" {
		108 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		109 |   tags = merge(
		110 |     local.tags,
		111 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		112 |   )
		113 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
	File: /modules/codebuild/main.tf:5-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		5  | resource "aws_s3_bucket" "deployment_report" {
		6  |   bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		7  |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		8  |   tags = merge(
		9  |     var.tags,
		10 |     {
		11 |       Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		12 |     },
		13 |   )
		14 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.laa-lambda-backup
	File: /modules/s3/main.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		1 | resource "aws_s3_bucket" "laa-lambda-backup" {
		2 |   bucket = var.bucket_name
		3 |   tags   = var.tags
		4 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.cloudfront
	File: /cloudfront.tf:109-122
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		109 | resource "aws_s3_bucket" "cloudfront" {
		110 |   bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		111 |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		112 |   tags = merge(
		113 |     local.tags,
		114 |     {
		115 |       Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		116 |     }
		117 |   )
		118 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		119 |   lifecycle {
		120 |     prevent_destroy = false
		121 |   }
		122 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:107-113
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		107 | resource "aws_s3_bucket" "backup_lambda" {
		108 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		109 |   tags = merge(
		110 |     local.tags,
		111 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		112 |   )
		113 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
	File: /modules/codebuild/main.tf:5-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		5  | resource "aws_s3_bucket" "deployment_report" {
		6  |   bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		7  |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		8  |   tags = merge(
		9  |     var.tags,
		10 |     {
		11 |       Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		12 |     },
		13 |   )
		14 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.laa-lambda-backup
	File: /modules/s3/main.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		1 | resource "aws_s3_bucket" "laa-lambda-backup" {
		2 |   bucket = var.bucket_name
		3 |   tags   = var.tags
		4 | }

Check: CKV2_AWS_32: "Ensure CloudFront distribution has a response headers policy attached"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:177-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/bc-aws-networking-65

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AWS_18: "Ensure that Elastic File System (Amazon EFS) file systems are added in the backup plans of AWS Backup"
	FAILED for resource: aws_efs_file_system.efs
	File: /efs.tf:41-55
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-elastic-file-system-amazon-efs-file-systems-are-added-in-the-backup-plans-of-aws-backup

		41 | resource "aws_efs_file_system" "efs" {
		42 |   encrypted        = true
		43 |   kms_key_id       = aws_kms_key.efs.arn
		44 |   performance_mode = "maxIO"
		45 |   throughput_mode  = "bursting"
		46 | 
		47 |   tags = merge(
		48 |     local.tags,
		49 |     { "Name" = "mp-${local.application_name}-efs" }
		50 |   )
		51 | 
		52 |   lifecycle_policy {
		53 |     transition_to_ia = "AFTER_90_DAYS"
		54 |   }
		55 | }

Check: CKV_AWS_378: "Ensure AWS Load Balancer doesn't use HTTP protocol"
	FAILED for resource: module.alb.aws_lb_target_group.alb_target_group
	File: /modules/alb/main.tf:346-373

		346 | resource "aws_lb_target_group" "alb_target_group" {
		347 |   name                 = "${var.application_name}-alb-tg"
		348 |   port                 = var.target_group_port
		349 |   protocol             = var.target_group_protocol
		350 |   vpc_id               = var.vpc_id
		351 |   deregistration_delay = var.target_group_deregistration_delay
		352 |   health_check {
		353 |     interval            = var.healthcheck_interval
		354 |     path                = var.healthcheck_path
		355 |     protocol            = var.healthcheck_protocol
		356 |     timeout             = var.healthcheck_timeout
		357 |     healthy_threshold   = var.healthcheck_healthy_threshold
		358 |     unhealthy_threshold = var.healthcheck_unhealthy_threshold
		359 |   }
		360 |   stickiness {
		361 |     enabled         = var.stickiness_enabled
		362 |     type            = var.stickiness_type
		363 |     cookie_duration = var.stickiness_cookie_duration
		364 |   }
		365 | 
		366 |   tags = merge(
		367 |     var.tags,
		368 |     {
		369 |       Name = "${var.application_name}-alb-tg"
		370 |     },
		371 |   )
		372 | 
		373 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.cloudfront
	File: /cloudfront.tf:109-122
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		109 | resource "aws_s3_bucket" "cloudfront" {
		110 |   bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		111 |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		112 |   tags = merge(
		113 |     local.tags,
		114 |     {
		115 |       Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		116 |     }
		117 |   )
		118 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		119 |   lifecycle {
		120 |     prevent_destroy = false
		121 |   }
		122 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:107-113
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		107 | resource "aws_s3_bucket" "backup_lambda" {
		108 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		109 |   tags = merge(
		110 |     local.tags,
		111 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		112 |   )
		113 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
	File: /modules/codebuild/main.tf:5-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		5  | resource "aws_s3_bucket" "deployment_report" {
		6  |   bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		7  |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		8  |   tags = merge(
		9  |     var.tags,
		10 |     {
		11 |       Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		12 |     },
		13 |   )
		14 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.laa-lambda-backup
	File: /modules/s3/main.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		1 | resource "aws_s3_bucket" "laa-lambda-backup" {
		2 |   bucket = var.bucket_name
		3 |   tags   = var.tags
		4 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.u01-orahome
	File: /ec2.tf:172-187
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		172 | resource "aws_ebs_volume" "u01-orahome" {
		173 |   availability_zone = "eu-west-2a"
		174 |   size              = local.application_data.accounts[local.environment].u01_orahome_size
		175 |   type              = "gp3"
		176 |   encrypted         = true
		177 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		178 |   snapshot_id       = local.application_data.accounts[local.environment].u01_orahome_snapshot
		179 |   lifecycle {
		180 |     ignore_changes = [kms_key_id]
		181 |   }
		182 |   tags = merge(
		183 |     local.tags,
		184 |     { "Name" = "${local.application_name}db-ec2-u01-orahome" },
		185 |     { "backup" = "false" }
		186 |   )
		187 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.u02-oradata
	File: /ec2.tf:194-209
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		194 | resource "aws_ebs_volume" "u02-oradata" {
		195 |   availability_zone = "eu-west-2a"
		196 |   size              = local.application_data.accounts[local.environment].u02_oradata_size
		197 |   type              = "gp3"
		198 |   encrypted         = true
		199 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		200 |   snapshot_id       = local.application_data.accounts[local.environment].u02_oradata_snapshot
		201 |   lifecycle {
		202 |     ignore_changes = [kms_key_id]
		203 |   }
		204 |   tags = merge(
		205 |     local.tags,
		206 |     { "Name" = "${local.application_name}db-ec2-u02-oradata" },
		207 |     { "backup" = "false" }
		208 |   )
		209 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.u03-redo
	File: /ec2.tf:219-234
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		219 | resource "aws_ebs_volume" "u03-redo" {
		220 |   availability_zone = "eu-west-2a"
		221 |   size              = local.application_data.accounts[local.environment].u03_redo_size
		222 |   type              = "gp3"
		223 |   encrypted         = true
		224 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		225 |   snapshot_id       = local.application_data.accounts[local.environment].u03_redo_snapshot
		226 |   lifecycle {
		227 |     ignore_changes = [kms_key_id]
		228 |   }
		229 |   tags = merge(
		230 |     local.tags,
		231 |     { "Name" = "${local.application_name}db-ec2-u03-redo" },
		232 |     { "backup" = "false" }
		233 |   )
		234 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.u04-arch
	File: /ec2.tf:241-256
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		241 | resource "aws_ebs_volume" "u04-arch" {
		242 |   availability_zone = "eu-west-2a"
		243 |   size              = local.application_data.accounts[local.environment].u04_arch_size
		244 |   type              = "gp3"
		245 |   encrypted         = true
		246 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		247 |   snapshot_id       = local.application_data.accounts[local.environment].u04_arch_snapshot
		248 |   lifecycle {
		249 |     ignore_changes = [kms_key_id]
		250 |   }
		251 |   tags = merge(
		252 |     local.tags,
		253 |     { "Name" = "${local.application_name}db-ec2-u04-arch" },
		254 |     { "backup" = "false" }
		255 |   )
		256 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.cloudfront
	File: /cloudfront.tf:109-122
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		109 | resource "aws_s3_bucket" "cloudfront" {
		110 |   bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		111 |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		112 |   tags = merge(
		113 |     local.tags,
		114 |     {
		115 |       Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		116 |     }
		117 |   )
		118 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		119 |   lifecycle {
		120 |     prevent_destroy = false
		121 |   }
		122 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:107-113
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		107 | resource "aws_s3_bucket" "backup_lambda" {
		108 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		109 |   tags = merge(
		110 |     local.tags,
		111 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		112 |   )
		113 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
	File: /modules/codebuild/main.tf:5-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		5  | resource "aws_s3_bucket" "deployment_report" {
		6  |   bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		7  |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		8  |   tags = merge(
		9  |     var.tags,
		10 |     {
		11 |       Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		12 |     },
		13 |   )
		14 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.laa-lambda-backup
	File: /modules/s3/main.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		1 | resource "aws_s3_bucket" "laa-lambda-backup" {
		2 |   bucket = var.bucket_name
		3 |   tags   = var.tags
		4 | }

Check: CKV2_AWS_65: "Ensure access control lists for S3 buckets are disabled"
	FAILED for resource: aws_s3_bucket_ownership_controls.backup_lambda
	File: /lambda.tf:130-135
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-112

		130 | resource "aws_s3_bucket_ownership_controls" "backup_lambda" {
		131 |   bucket = aws_s3_bucket.backup_lambda.id
		132 |   rule {
		133 |     object_ownership = "ObjectWriter"
		134 |   }
		135 | }

Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
	File: /modules/codebuild/main.tf:5-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		5  | resource "aws_s3_bucket" "deployment_report" {
		6  |   bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		7  |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		8  |   tags = merge(
		9  |     var.tags,
		10 |     {
		11 |       Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		12 |     },
		13 |   )
		14 | }

Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.cloudfront
	File: /cloudfront.tf:109-122
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		109 | resource "aws_s3_bucket" "cloudfront" {
		110 |   bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		111 |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		112 |   tags = merge(
		113 |     local.tags,
		114 |     {
		115 |       Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		116 |     }
		117 |   )
		118 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		119 |   lifecycle {
		120 |     prevent_destroy = false
		121 |   }
		122 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:107-113
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		107 | resource "aws_s3_bucket" "backup_lambda" {
		108 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		109 |   tags = merge(
		110 |     local.tags,
		111 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		112 |   )
		113 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.laa-lambda-backup
	File: /modules/s3/main.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		1 | resource "aws_s3_bucket" "laa-lambda-backup" {
		2 |   bucket = var.bucket_name
		3 |   tags   = var.tags
		4 | }

Check: CKV2_AWS_46: "Ensure AWS CloudFront Distribution with S3 have Origin Access set to enabled"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:177-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-aws-cloudfromt-distribution-with-s3-have-origin-access-set-to-enabled

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
terraform_plan scan results:

Passed checks: 0, Failed checks: 0, Skipped checks: 0, Parsing errors: 1


checkov_exitcode=1

TFLint Scan Failed

*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/apex

*****************************

Running tflint in terraform/environments/apex
Excluding the following checks: terraform_unused_declarations
7 issue(s) found:

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/apex/alb.tf line 17:
  17:     "${local.application_data.accounts[local.environment].acm_cert_domain_name}" = {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/apex/alb.tf line 19:
  19:       zone_name = "${local.application_data.accounts[local.environment].acm_cert_domain_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "template" in `required_providers` (terraform_required_providers)

  on terraform/environments/apex/cloudwatch.tf line 401:
 401: data "template_file" "dashboard" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "local" in `required_providers` (terraform_required_providers)

  on terraform/environments/apex/ec2.tf line 45:
  45: data "local_file" "cloudwatch_agent" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/apex/event_triggers.tf line 22:
  22:   input = jsonencode({ "appname" : "${local.database_ec2_name}" })

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "time" in `required_providers` (terraform_required_providers)

  on terraform/environments/apex/lambda.tf line 125:
 125: resource "time_sleep" "wait_for_provision_files" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "archive" in `required_providers` (terraform_required_providers)

  on terraform/environments/apex/lambda.tf line 179:
 179: data "archive_file" "connect_db" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

tflint_exitcode=2

Trivy Scan Failed

*****************************

Trivy will check the following folders:
terraform/environments/apex

*****************************

Running Trivy in terraform/environments/apex
2024-12-04T11:48:49Z	INFO	[vulndb] Need to update DB
2024-12-04T11:48:49Z	INFO	[vulndb] Downloading vulnerability DB...
2024-12-04T11:48:49Z	INFO	[vulndb] Downloading artifact...	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-04T11:48:51Z	INFO	[vulndb] Artifact successfully downloaded	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-04T11:48:51Z	INFO	[vuln] Vulnerability scanning is enabled
2024-12-04T11:48:51Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-12-04T11:48:51Z	INFO	[misconfig] Need to update the built-in checks
2024-12-04T11:48:51Z	INFO	[misconfig] Downloading the built-in checks...
160.80 KiB / 160.80 KiB [------------------------------------------------------] 100.00% ? p/s 100ms
2024-12-04T11:48:53Z	INFO	[secret] Secret scanning is enabled
2024-12-04T11:48:53Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-12-04T11:48:53Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.58/docs/scanner/secret#recommendation for faster secret detection
2024-12-04T11:48:54Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-12-04T11:48:54Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
panic: value is null

trivy_exitcode=2

@mnasr-moj mnasr-moj merged commit a105515 into main Dec 4, 2024
14 of 16 checks passed
@mnasr-moj mnasr-moj deleted the TM-756 branch December 4, 2024 11:50