Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

TM-775 Allow WorkSpace access to Apex #8993

Merged
merged 2 commits into from
Dec 6, 2024
Merged

TM-775 Allow WorkSpace access to Apex #8993

merged 2 commits into from
Dec 6, 2024

Conversation

vc13837
Copy link
Contributor

@vc13837 vc13837 commented Dec 6, 2024

No description provided.

@vc13837 vc13837 requested review from a team as code owners December 6, 2024 11:10
@github-actions github-actions bot added the environments-repository Used to exclude PRs from this repo in our Slack PR update label Dec 6, 2024
@vc13837 vc13837 temporarily deployed to apex-development December 6, 2024 11:11 — with GitHub Actions Inactive
@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Dec 6, 2024

Trivy Scan Success

Show Output ```hcl

Trivy will check the following folders:

</details> #### `Checkov Scan` Success
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:

CTFLint Scan Success

Show Output 
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:

Trivy Scan Success

Show Output 
*****************************

Trivy will check the following folders:

@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Dec 6, 2024

Trivy Scan Failed

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/apex

Running Trivy in terraform/environments/apex
2024-12-06T12:57:55Z INFO [vulndb] Need to update DB
2024-12-06T12:57:55Z INFO [vulndb] Downloading vulnerability DB...
2024-12-06T12:57:55Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-06T12:57:58Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-06T12:57:58Z INFO [vuln] Vulnerability scanning is enabled
2024-12-06T12:57:58Z INFO [misconfig] Misconfiguration scanning is enabled
2024-12-06T12:57:58Z INFO [misconfig] Need to update the built-in checks
2024-12-06T12:57:58Z INFO [misconfig] Downloading the built-in checks...
160.80 KiB / 160.80 KiB [------------------------------------------------------] 100.00% ? p/s 100ms2024-12-06T12:58:00Z INFO [secret] Secret scanning is enabled
2024-12-06T12:58:00Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-12-06T12:58:00Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.58/docs/scanner/secret#recommendation for faster secret detection
2024-12-06T12:58:01Z INFO [terraform scanner] Scanning root module file_path="."
2024-12-06T12:58:01Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
panic: value is null

goroutine 1 [running]:
github.com/zclconf/go-cty/cty.Value.AsString({{{0x58f5110?, 0xc0003872b1?}}, {0x0?, 0x0?}})
/home/runner/go/pkg/mod/github.com/zclconf/go-cty@v1.15.0/cty/value_ops.go:1390 +0x10b
github.com/aquasecurity/trivy/pkg/iac/terraform.postProcessValues(0xc007dd4540, 0xc006acae10)
/home/runner/work/trivy/trivy/pkg/iac/terraform/presets.go:52 +0x393
github.com/aquasecurity/trivy/pkg/iac/terraform.(*Block).Values(0xc007dd4540)
/home/runner/work/trivy/trivy/pkg/iac/terraform/block.go:580 +0x185
github.com/aquasecurity/trivy/pkg/iac/scanners/terraform/parser.(*evaluator).getResources(0xc00800b900)
/home/runner/work/trivy/trivy/pkg/iac/scanners/terraform/parser/evaluator.go:581 +0x18e
github.com/aquasecurity/trivy/pkg/iac/scanners/terraform/parser.(*evaluator).evaluateStep(0xc00800b900)
/home/runner/work/trivy/trivy/pkg/iac/scanners/terraform/parser/evaluator.go:99 +0x195
github.com/aquasecurity/trivy/pkg/iac/scanners/terraform/parser.(*evaluator).evaluateSteps(0xc00800b900)
/home/runner/work/trivy/trivy/pkg/iac/scanners/terraform/parser/evaluator.go:246 +0x152
github.com/aquasecurity/trivy/pkg/iac/scanners/terraform/parser.(*evaluator).EvaluateAll(0xc00800b900, {0x58f3078, 0xc0068220f0})
/home/runner/work/trivy/trivy/pkg/iac/scanners/terraform/parser/evaluator.go:135 +0x1eb
github.com/aquasecurity/trivy/pkg/iac/scanners/terraform/parser.(*evaluator).evaluateSubmodule(0xc007b8e280, {0x58f3078, 0xc0068220f0}, 0xc00a62efc0)
/home/runner/work/trivy/trivy/pkg/iac/scanners/terraform/parser/evaluator.go:228 +0x1bc
github.com/aquasecurity/trivy/pkg/iac/scanners/terraform/parser.(*evaluator).evaluateSubmodules(0xc007b8e280, {0x58f3078, 0xc0068220f0}, 0xc00912ce70)
/home/runner/work/trivy/trivy/pkg/iac/scanners/terraform/parser/evaluator.go:164 +0x43f
github.com/aquasecurity/trivy/pkg/iac/scanners/terraform/parser.(*evaluator).EvaluateAll(0xc007b8e280, {0x58f3078, 0xc0068220f0})
/home/runner/work/trivy/trivy/pkg/iac/scanners/terraform/parser/evaluator.go:142 +0x294
github.com/aquasecurity/trivy/pkg/iac/scanners/terraform/parser.(*evaluator).evaluateSubmodule(0xc007f9a3c0, {0x58f3078, 0xc0068220f0}, 0xc0050cca80)
/home/runner/work/trivy/trivy/pkg/iac/scanners/terraform/parser/evaluator.go:228 +0x1bc
github.com/aquasecurity/trivy/pkg/iac/scanners/terraform/parser.(*evaluator).evaluateSubmodules(0xc007f9a3c0, {0x58f3078, 0xc0068220f0}, 0xc00cbcfbc0)
/home/runner/work/trivy/trivy/pkg/iac/scanners/terraform/parser/evaluator.go:164 +0x43f
github.com/aquasecurity/trivy/pkg/iac/scanners/terraform/parser.(*evaluator).EvaluateAll(0xc007f9a3c0, {0x58f3078, 0xc0068220f0})
/home/runner/work/trivy/trivy/pkg/iac/scanners/terraform/parser/evaluator.go:142 +0x294
github.com/aquasecurity/trivy/pkg/iac/scanners/terraform/parser.(*Parser).EvaluateAll(0xc00b996d80, {0x58f3078, 0xc0068220f0})
/home/runner/work/trivy/trivy/pkg/iac/scanners/terraform/parser/parser.go:342 +0x90
github.com/aquasecurity/trivy/pkg/iac/scanners/terraform.(*Scanner).ScanFS(0xc001007560, {0x58f3078, 0xc0068220f0}, {0x58b12c0, 0xc006659bc0}, {0x58959e8, 0x1})
/home/runner/work/trivy/trivy/pkg/iac/scanners/terraform/scanner.go:132 +0x726
github.com/aquasecurity/trivy/pkg/misconf.(*Scanner).Scan(0xc000ff6cc0, {0x58f3120, 0xc000bd7e30}, {0x58b12c0, 0xc000c6d440})
/home/runner/work/trivy/trivy/pkg/misconf/scanner.go:151 +0x297
github.com/aquasecurity/trivy/pkg/fanal/analyzer/config.(*Analyzer).PostAnalyze(0xc000a910a0, {0x58f3120?, 0xc000bd7e30?}, {{0x58b12c0?, 0xc000c6d440?}, {0x9?, 0x0?}})
/home/runner/work/trivy/trivy/pkg/fanal/analyzer/config/config.go:44 +0x46
github.com/aquasecurity/trivy/pkg/fanal/analyzer.AnalyzerGroup.PostAnalyze({0xc00158a770, {0xc000bf1200, 0x1f, 0x20}, {0xc001354e00, 0x16, 0x20}, 0xc000fb1a10, {0x47ad91d, 0x7}}, ...)
/home/runner/work/trivy/trivy/pkg/fanal/analyzer/analyzer.go:505 +0x2e2
github.com/aquasecurity/trivy/pkg/fanal/artifact/local.Artifact.Inspect({{0x7ffc3fff1b63, 0x2d}, {0x7f6afbb1bfb8, 0xc000c90180}, {0x58b11e0, 0x827fc80}, {0xc00158a770, {0xc000bf1200, 0x1f, 0x20}, ...}, ...}, ...)
/home/runner/work/trivy/trivy/pkg/fanal/artifact/local/fs.go:121 +0x4c9
github.com/aquasecurity/trivy/pkg/scanner.Scanner.ScanArtifact({{, }, {, }}, {, }, {{0xc001104900, 0x2, 0x2}, {0xc000ebaa00, ...}, ...})
/home/runner/work/trivy/trivy/pkg/scanner/scan.go:156 +0x103
github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).scan(, {, }, {{{0x47c4a2d, 0xa}, 0x0, 0x0, 0x0, 0x0, 0x45d964b800, ...}, ...}, ...)
/home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:620 +0x32b
github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).scanArtifact(, {, }, {{{0x47c4a2d, 0xa}, 0x0, 0x0, 0x0, 0x0, 0x45d964b800, ...}, ...}, ...)
/home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:259 +0xb1
github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).scanFS(, {, }, {{{0x47c4a2d, 0xa}, 0x0, 0x0, 0x0, 0x0, 0x45d964b800, ...}, ...})
/home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:204 +0xc5
github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).ScanFilesystem(, {_, }, {{{0x47c4a2d, 0xa}, 0x0, 0x0, 0x0, 0x0, 0x45d964b800, ...}, ...})
/home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:184 +0x211
github.com/aquasecurity/trivy/pkg/commands/artifact.Run({, _}, {{{0x47c4a2d, 0xa}, 0x0, 0x0, 0x0, 0x0, 0x45d964b800, {0xc0008b82e0, ...}, ...}, ...}, ...)
/home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:385 +0x8cb
github.com/aquasecurity/trivy/pkg/commands.NewFilesystemCommand.func2(0xc000b82308, {0xc000cf4280, 0x1, 0xa})
/home/runner/work/trivy/trivy/pkg/commands/app.go:383 +0x19c
github.com/spf13/cobra.(*Command).execute(0xc000b82308, {0xc000cf4140, 0xa, 0xa})
/home/runner/go/pkg/mod/github.com/spf13/cobra@v1.8.1/command.go:985 +0xaca
github.com/spf13/cobra.(*Command).ExecuteC(0xc000bbbb08)
/home/runner/go/pkg/mod/github.com/spf13/cobra@v1.8.1/command.go:1117 +0x3ff
github.com/spf13/cobra.(*Command).Execute(0x48176bb?)
/home/runner/go/pkg/mod/github.com/spf13/cobra@v1.8.1/command.go:1041 +0x13
main.run()
/home/runner/work/trivy/trivy/cmd/trivy/main.go:39 +0x113
main.main()
/home/runner/work/trivy/trivy/cmd/trivy/main.go:19 +0x1f
trivy_exitcode=2

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/apex

*****************************

Running Checkov in terraform/environments/apex
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-12-06 12:58:05,930 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0:None (for external modules, the --download-external-modules flag is required)
2024-12-06 12:58:05,930 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 368, Failed checks: 102, Skipped checks: 5, Parsing errors: 1

Check: CKV_AWS_166: "Ensure Backup Vault is encrypted at rest using KMS CMK"
	FAILED for resource: aws_backup_vault.apex
	File: /backups.tf:6-12
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-backup-vault-is-encrypted-at-rest-using-kms-cmk

		6  | resource "aws_backup_vault" "apex" {
		7  |   name = "${local.application_name}-backup-vault"
		8  |   tags = merge(
		9  |     local.tags,
		10 |     { "Name" = "${local.application_name}-backup-vault" },
		11 |   )
		12 | }

Check: CKV_AWS_166: "Ensure Backup Vault is encrypted at rest using KMS CMK"
	FAILED for resource: aws_backup_vault.prod_apex
	File: /backups.tf:64-71
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-backup-vault-is-encrypted-at-rest-using-kms-cmk

		64 | resource "aws_backup_vault" "prod_apex" {
		65 |   count = local.environment == "production" ? 1 : 0
		66 |   name  = "${local.application_name}-production-backup-vault"
		67 |   tags = merge(
		68 |     local.tags,
		69 |     { "Name" = "${local.application_name}-production-backup-vault" },
		70 |   )
		71 | }

Check: CKV_AWS_300: "Ensure S3 lifecycle configuration sets period for aborting failed uploads"
	FAILED for resource: aws_s3_bucket_lifecycle_configuration.cloudfront
	File: /cloudfront.tf:157-175
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-300

		157 | resource "aws_s3_bucket_lifecycle_configuration" "cloudfront" {
		158 |   count  = local.environment == "production" ? 1 : 0
		159 |   bucket = aws_s3_bucket.cloudfront.id
		160 | 
		161 |   rule {
		162 |     id = "delete-after-90days"
		163 | 
		164 |     expiration {
		165 |       days = 90
		166 |     }
		167 | 
		168 |     noncurrent_version_expiration {
		169 |       newer_noncurrent_versions = 1
		170 |       noncurrent_days           = 90
		171 |     }
		172 | 
		173 |     status = "Enabled"
		174 |   }
		175 | }

Check: CKV_AWS_310: "Ensure CloudFront distributions should have origin failover configured"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:177-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-310

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_374: "Ensure AWS CloudFront web distribution has geo restriction enabled"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:177-267

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_305: "Ensure CloudFront distribution has a default root object configured"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:177-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-305

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_233: "Ensure Create before destroy for ACM certificates"
	FAILED for resource: aws_acm_certificate.cloudfront
	File: /cloudfront.tf:295-305
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-acm-certificate-enables-create-before-destroy

		295 | resource "aws_acm_certificate" "cloudfront" {
		296 |   domain_name               = local.cloudfront_domain
		297 |   validation_method         = "DNS"
		298 |   provider                  = aws.us-east-1
		299 |   subject_alternative_names = local.environment == "production" ? null : [local.lower_env_cloudfront_url]
		300 |   tags                      = local.tags
		301 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		302 |   lifecycle {
		303 |     prevent_destroy = false
		304 |   }
		305 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.apex_db_instance
	File: /ec2.tf:6-43
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		6  | resource "aws_instance" "apex_db_instance" {
		7  |   ami                         = local.application_data.accounts[local.environment].ec2amiid
		8  |   associate_public_ip_address = false
		9  |   availability_zone           = "eu-west-2a"
		10 |   ebs_optimized               = true
		11 |   instance_type               = local.application_data.accounts[local.environment].ec2instancetype
		12 |   vpc_security_group_ids      = [aws_security_group.database.id]
		13 |   monitoring                  = true
		14 |   subnet_id                   = data.aws_subnet.data_subnets_a.id
		15 |   iam_instance_profile        = aws_iam_instance_profile.ec2_instance_profile.id
		16 |   key_name                    = aws_key_pair.apex.key_name
		17 |   user_data_base64            = base64encode(local.database-instance-userdata)
		18 |   user_data_replace_on_change = true
		19 | 
		20 |   lifecycle {
		21 |     ignore_changes = [user_data_base64, user_data_replace_on_change]
		22 |   }
		23 | 
		24 |   root_block_device {
		25 |     delete_on_termination = false
		26 |     encrypted             = true # TODO Confirm if encrypted volumes can work for OAS, as it looks like in MP they must be encrypted
		27 |     volume_size           = 60
		28 |     volume_type           = "gp2"
		29 |     tags = merge(
		30 |       local.tags,
		31 |       { "Name" = "${local.application_name}db-ec2-root" },
		32 |       { "backup" = "false" }
		33 |     )
		34 |   }
		35 | 
		36 |   tags = merge(
		37 |     local.tags,
		38 |     { "Name" = local.database_ec2_name },
		39 |     { "instance-scheduling" = "skip-scheduling" },
		40 |     { "backup" = "false" },
		41 |     local.backup_schedule_tags
		42 |   )
		43 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.db_lambda
	File: /ec2.tf:80-87
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		80 | resource "aws_vpc_security_group_ingress_rule" "db_lambda" {
		81 |   security_group_id            = aws_security_group.database.id
		82 |   description                  = "Allow Lambda SSH access for backup snapshots"
		83 |   referenced_security_group_id = aws_security_group.backup_lambda.id
		84 |   from_port                    = 22
		85 |   ip_protocol                  = "tcp"
		86 |   to_port                      = 22
		87 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.db_outbound
	File: /ec2.tf:108-112
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		108 | resource "aws_vpc_security_group_egress_rule" "db_outbound" {
		109 |   security_group_id = aws_security_group.database.id
		110 |   cidr_ipv4         = "0.0.0.0/0"
		111 |   ip_protocol       = "-1"
		112 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.ec2_instance_policy
	File: /ec2.tf:139-170
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		139 | resource "aws_iam_role_policy" "ec2_instance_policy" {
		140 |   name = "${local.application_name}-ec2-policy"
		141 |   role = aws_iam_role.ec2_instance_role.id
		142 |   policy = jsonencode({
		143 |     Version = "2012-10-17"
		144 |     Statement = [
		145 |       {
		146 |         Effect = "Allow",
		147 |         Action = [
		148 |           "logs:CreateLogGroup",
		149 |           "logs:CreateLogStream",
		150 |           "logs:DescribeLogStreams",
		151 |           "logs:PutRetentionPolicy",
		152 |           "logs:PutLogEvents",
		153 |           "logs:DescribeLogGroups",
		154 |           "cloudwatch:PutMetricData",
		155 |           "cloudwatch:GetMetricStatistics",
		156 |           "cloudwatch:ListMetrics",
		157 |           "ec2:DescribeInstances",
		158 |         ],
		159 |         Resource = "*"
		160 |       },
		161 |       {
		162 |         Effect = "Allow",
		163 |         Action = [
		164 |           "ec2:CreateTags"
		165 |         ],
		166 |         Resource = "*"
		167 |       }
		168 |     ]
		169 |   })
		170 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.ec2_instance_policy
	File: /ec2.tf:139-170
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		139 | resource "aws_iam_role_policy" "ec2_instance_policy" {
		140 |   name = "${local.application_name}-ec2-policy"
		141 |   role = aws_iam_role.ec2_instance_role.id
		142 |   policy = jsonencode({
		143 |     Version = "2012-10-17"
		144 |     Statement = [
		145 |       {
		146 |         Effect = "Allow",
		147 |         Action = [
		148 |           "logs:CreateLogGroup",
		149 |           "logs:CreateLogStream",
		150 |           "logs:DescribeLogStreams",
		151 |           "logs:PutRetentionPolicy",
		152 |           "logs:PutLogEvents",
		153 |           "logs:DescribeLogGroups",
		154 |           "cloudwatch:PutMetricData",
		155 |           "cloudwatch:GetMetricStatistics",
		156 |           "cloudwatch:ListMetrics",
		157 |           "ec2:DescribeInstances",
		158 |         ],
		159 |         Resource = "*"
		160 |       },
		161 |       {
		162 |         Effect = "Allow",
		163 |         Action = [
		164 |           "ec2:CreateTags"
		165 |         ],
		166 |         Resource = "*"
		167 |       }
		168 |     ]
		169 |   })
		170 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.database
	File: /ec2.tf:272-282
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		272 | resource "aws_cloudwatch_log_group" "database" {
		273 |   name              = "${upper(local.application_name)}-EC2-database-alert"
		274 |   retention_in_days = 0
		275 |   # kms_key_id = aws_kms_key.cloudwatch_logs_key.arn # Not encrypted in LZ
		276 |   tags = merge(
		277 |     local.tags,
		278 |     {
		279 |       Name = "${upper(local.application_name)}-EC2-database-alert"
		280 |     }
		281 |   )
		282 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.pmon_status
	File: /ec2.tf:297-307
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		297 | resource "aws_cloudwatch_log_group" "pmon_status" {
		298 |   name              = "${upper(local.application_name)}-EC2-database-pmon-status"
		299 |   retention_in_days = 0
		300 |   # kms_key_id = aws_kms_key.cloudwatch_logs_key.arn # Not encrypted in LZ
		301 |   tags = merge(
		302 |     local.tags,
		303 |     {
		304 |       Name = "${upper(local.application_name)}-EC2-database-pmon-status"
		305 |     }
		306 |   )
		307 | }

Check: CKV_AWS_7: "Ensure rotation for customer created CMKs is enabled"
	FAILED for resource: aws_kms_key.efs
	File: /efs.tf:1-5
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/logging-8

		1 | resource "aws_kms_key" "efs" {
		2 |   description = "KMS key for encrypting EFS"
		3 |   # enable_key_rotation = true
		4 |   tags = local.tags
		5 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.ssh_key
	File: /lambda.tf:8-23
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		8  | resource "aws_ssm_parameter" "ssh_key" {
		9  |   name        = "EC2_SSH_KEY" # This needs to match the name supplied to the dbconnect.js script
		10 |   description = "SSH Key used by Lambda function to access database instance for backup. Value is updated manually."
		11 |   type        = "SecureString"
		12 |   value       = "Placeholder"
		13 | 
		14 |   tags = merge(
		15 |     local.tags,
		16 |     { Name = "EC2_SSH_KEY" }
		17 |   )
		18 |   lifecycle {
		19 |     ignore_changes = [
		20 |       value,
		21 |     ]
		22 |   }
		23 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:51-91
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		51 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		52 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		53 |   tags = merge(
		54 |     local.tags,
		55 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		56 |   )
		57 |   policy = <<EOF
		58 | {
		59 |     "Version" : "2012-10-17",
		60 |     "Statement": [
		61 |         {
		62 |             "Action": [
		63 |                 "lambda:InvokeFunction",
		64 |                 "ec2:CreateNetworkInterface",
		65 |                 "ec2:DescribeNetworkInterfaces",
		66 |                 "ec2:DeleteNetworkInterface",
		67 |                 "ec2:DescribeSecurityGroups",
		68 |                 "ec2:CreateSnapshot",
		69 |                 "ec2:DeleteSnapshot",
		70 |                 "ec2:DescribeSubnets",
		71 |                 "ec2:DescribeVpcs",
		72 |                 "ec2:DescribeInstances",
		73 |                 "ec2:DescribeAddresses",
		74 |                 "ec2:DescribeInstanceStatus",
		75 |                 "ec2:DescribeVolumes",
		76 |                 "ec2:DescribeSnapshots",
		77 |                 "ec2:CreateTags",
		78 |                 "s3:*",
		79 |                 "ssm:*",
		80 |                 "ses:*",
		81 |                 "logs:*",
		82 |                 "cloudwatch:*",
		83 |                 "sts:AssumeRole"
		84 |             ],
		85 |             "Resource": "*",
		86 |             "Effect": "Allow"
		87 |         }
		88 |     ]
		89 | }
		90 | EOF
		91 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:51-91
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		51 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		52 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		53 |   tags = merge(
		54 |     local.tags,
		55 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		56 |   )
		57 |   policy = <<EOF
		58 | {
		59 |     "Version" : "2012-10-17",
		60 |     "Statement": [
		61 |         {
		62 |             "Action": [
		63 |                 "lambda:InvokeFunction",
		64 |                 "ec2:CreateNetworkInterface",
		65 |                 "ec2:DescribeNetworkInterfaces",
		66 |                 "ec2:DeleteNetworkInterface",
		67 |                 "ec2:DescribeSecurityGroups",
		68 |                 "ec2:CreateSnapshot",
		69 |                 "ec2:DeleteSnapshot",
		70 |                 "ec2:DescribeSubnets",
		71 |                 "ec2:DescribeVpcs",
		72 |                 "ec2:DescribeInstances",
		73 |                 "ec2:DescribeAddresses",
		74 |                 "ec2:DescribeInstanceStatus",
		75 |                 "ec2:DescribeVolumes",
		76 |                 "ec2:DescribeSnapshots",
		77 |                 "ec2:CreateTags",
		78 |                 "s3:*",
		79 |                 "ssm:*",
		80 |                 "ses:*",
		81 |                 "logs:*",
		82 |                 "cloudwatch:*",
		83 |                 "sts:AssumeRole"
		84 |             ],
		85 |             "Resource": "*",
		86 |             "Effect": "Allow"
		87 |         }
		88 |     ]
		89 | }
		90 | EOF
		91 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:51-91
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		51 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		52 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		53 |   tags = merge(
		54 |     local.tags,
		55 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		56 |   )
		57 |   policy = <<EOF
		58 | {
		59 |     "Version" : "2012-10-17",
		60 |     "Statement": [
		61 |         {
		62 |             "Action": [
		63 |                 "lambda:InvokeFunction",
		64 |                 "ec2:CreateNetworkInterface",
		65 |                 "ec2:DescribeNetworkInterfaces",
		66 |                 "ec2:DeleteNetworkInterface",
		67 |                 "ec2:DescribeSecurityGroups",
		68 |                 "ec2:CreateSnapshot",
		69 |                 "ec2:DeleteSnapshot",
		70 |                 "ec2:DescribeSubnets",
		71 |                 "ec2:DescribeVpcs",
		72 |                 "ec2:DescribeInstances",
		73 |                 "ec2:DescribeAddresses",
		74 |                 "ec2:DescribeInstanceStatus",
		75 |                 "ec2:DescribeVolumes",
		76 |                 "ec2:DescribeSnapshots",
		77 |                 "ec2:CreateTags",
		78 |                 "s3:*",
		79 |                 "ssm:*",
		80 |                 "ses:*",
		81 |                 "logs:*",
		82 |                 "cloudwatch:*",
		83 |                 "sts:AssumeRole"
		84 |             ],
		85 |             "Resource": "*",
		86 |             "Effect": "Allow"
		87 |         }
		88 |     ]
		89 | }
		90 | EOF
		91 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:51-91
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		51 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		52 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		53 |   tags = merge(
		54 |     local.tags,
		55 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		56 |   )
		57 |   policy = <<EOF
		58 | {
		59 |     "Version" : "2012-10-17",
		60 |     "Statement": [
		61 |         {
		62 |             "Action": [
		63 |                 "lambda:InvokeFunction",
		64 |                 "ec2:CreateNetworkInterface",
		65 |                 "ec2:DescribeNetworkInterfaces",
		66 |                 "ec2:DeleteNetworkInterface",
		67 |                 "ec2:DescribeSecurityGroups",
		68 |                 "ec2:CreateSnapshot",
		69 |                 "ec2:DeleteSnapshot",
		70 |                 "ec2:DescribeSubnets",
		71 |                 "ec2:DescribeVpcs",
		72 |                 "ec2:DescribeInstances",
		73 |                 "ec2:DescribeAddresses",
		74 |                 "ec2:DescribeInstanceStatus",
		75 |                 "ec2:DescribeVolumes",
		76 |                 "ec2:DescribeSnapshots",
		77 |                 "ec2:CreateTags",
		78 |                 "s3:*",
		79 |                 "ssm:*",
		80 |                 "ses:*",
		81 |                 "logs:*",
		82 |                 "cloudwatch:*",
		83 |                 "sts:AssumeRole"
		84 |             ],
		85 |             "Resource": "*",
		86 |             "Effect": "Allow"
		87 |         }
		88 |     ]
		89 | }
		90 | EOF
		91 | }

Check: CKV_AWS_287: "Ensure IAM policies does not allow credentials exposure"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:51-91
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-287

		51 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		52 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		53 |   tags = merge(
		54 |     local.tags,
		55 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		56 |   )
		57 |   policy = <<EOF
		58 | {
		59 |     "Version" : "2012-10-17",
		60 |     "Statement": [
		61 |         {
		62 |             "Action": [
		63 |                 "lambda:InvokeFunction",
		64 |                 "ec2:CreateNetworkInterface",
		65 |                 "ec2:DescribeNetworkInterfaces",
		66 |                 "ec2:DeleteNetworkInterface",
		67 |                 "ec2:DescribeSecurityGroups",
		68 |                 "ec2:CreateSnapshot",
		69 |                 "ec2:DeleteSnapshot",
		70 |                 "ec2:DescribeSubnets",
		71 |                 "ec2:DescribeVpcs",
		72 |                 "ec2:DescribeInstances",
		73 |                 "ec2:DescribeAddresses",
		74 |                 "ec2:DescribeInstanceStatus",
		75 |                 "ec2:DescribeVolumes",
		76 |                 "ec2:DescribeSnapshots",
		77 |                 "ec2:CreateTags",
		78 |                 "s3:*",
		79 |                 "ssm:*",
		80 |                 "ses:*",
		81 |                 "logs:*",
		82 |                 "cloudwatch:*",
		83 |                 "sts:AssumeRole"
		84 |             ],
		85 |             "Resource": "*",
		86 |             "Effect": "Allow"
		87 |         }
		88 |     ]
		89 | }
		90 | EOF
		91 | }

Check: CKV_AWS_382: "Ensure no security groups allow egress from 0.0.0.0:0 to port -1"
	FAILED for resource: aws_security_group.backup_lambda
	File: /lambda.tf:190-207

		190 | resource "aws_security_group" "backup_lambda" {
		191 |   name        = "${local.application_name}-${local.environment}-backup-lambda-security-group"
		192 |   description = "Bakcup Lambda Security Group"
		193 |   vpc_id      = data.aws_vpc.shared.id
		194 | 
		195 |   egress {
		196 |     description = "outbound access"
		197 |     from_port   = 0
		198 |     to_port     = 0
		199 |     protocol    = "-1"
		200 |     cidr_blocks = ["0.0.0.0/0"]
		201 |   }
		202 | 
		203 |   tags = merge(
		204 |     local.tags,
		205 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-security-group" }
		206 |   )
		207 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /lambda.tf:222-250
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		222 | resource "aws_lambda_function" "create_db_snapshots" {
		223 | 
		224 |   description      = "Snapshot volumes for Oracle EC2"
		225 |   function_name    = "snapshotDBFunction"
		226 |   role             = aws_iam_role.backup_lambda.arn
		227 |   handler          = "snapshot/dbsnapshot.handler"
		228 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		229 |   runtime          = "nodejs18.x"
		230 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		231 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		232 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		233 |   memory_size      = 128
		234 |   timeout          = 900
		235 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		236 | 
		237 |   environment {
		238 |     variables = {
		239 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		240 |     }
		241 |   }
		242 |   vpc_config {
		243 |     security_group_ids = [aws_security_group.backup_lambda.id]
		244 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		245 |   }
		246 |   tags = merge(
		247 |     local.tags,
		248 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		249 |   )
		250 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /lambda.tf:222-250
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		222 | resource "aws_lambda_function" "create_db_snapshots" {
		223 | 
		224 |   description      = "Snapshot volumes for Oracle EC2"
		225 |   function_name    = "snapshotDBFunction"
		226 |   role             = aws_iam_role.backup_lambda.arn
		227 |   handler          = "snapshot/dbsnapshot.handler"
		228 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		229 |   runtime          = "nodejs18.x"
		230 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		231 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		232 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		233 |   memory_size      = 128
		234 |   timeout          = 900
		235 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		236 | 
		237 |   environment {
		238 |     variables = {
		239 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		240 |     }
		241 |   }
		242 |   vpc_config {
		243 |     security_group_ids = [aws_security_group.backup_lambda.id]
		244 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		245 |   }
		246 |   tags = merge(
		247 |     local.tags,
		248 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		249 |   )
		250 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /lambda.tf:222-250
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		222 | resource "aws_lambda_function" "create_db_snapshots" {
		223 | 
		224 |   description      = "Snapshot volumes for Oracle EC2"
		225 |   function_name    = "snapshotDBFunction"
		226 |   role             = aws_iam_role.backup_lambda.arn
		227 |   handler          = "snapshot/dbsnapshot.handler"
		228 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		229 |   runtime          = "nodejs18.x"
		230 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		231 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		232 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		233 |   memory_size      = 128
		234 |   timeout          = 900
		235 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		236 | 
		237 |   environment {
		238 |     variables = {
		239 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		240 |     }
		241 |   }
		242 |   vpc_config {
		243 |     security_group_ids = [aws_security_group.backup_lambda.id]
		244 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		245 |   }
		246 |   tags = merge(
		247 |     local.tags,
		248 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		249 |   )
		250 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /lambda.tf:222-250
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		222 | resource "aws_lambda_function" "create_db_snapshots" {
		223 | 
		224 |   description      = "Snapshot volumes for Oracle EC2"
		225 |   function_name    = "snapshotDBFunction"
		226 |   role             = aws_iam_role.backup_lambda.arn
		227 |   handler          = "snapshot/dbsnapshot.handler"
		228 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		229 |   runtime          = "nodejs18.x"
		230 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		231 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		232 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		233 |   memory_size      = 128
		234 |   timeout          = 900
		235 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		236 | 
		237 |   environment {
		238 |     variables = {
		239 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		240 |     }
		241 |   }
		242 |   vpc_config {
		243 |     security_group_ids = [aws_security_group.backup_lambda.id]
		244 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		245 |   }
		246 |   tags = merge(
		247 |     local.tags,
		248 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		249 |   )
		250 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /lambda.tf:222-250
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		222 | resource "aws_lambda_function" "create_db_snapshots" {
		223 | 
		224 |   description      = "Snapshot volumes for Oracle EC2"
		225 |   function_name    = "snapshotDBFunction"
		226 |   role             = aws_iam_role.backup_lambda.arn
		227 |   handler          = "snapshot/dbsnapshot.handler"
		228 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		229 |   runtime          = "nodejs18.x"
		230 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		231 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		232 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		233 |   memory_size      = 128
		234 |   timeout          = 900
		235 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		236 | 
		237 |   environment {
		238 |     variables = {
		239 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		240 |     }
		241 |   }
		242 |   vpc_config {
		243 |     security_group_ids = [aws_security_group.backup_lambda.id]
		244 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		245 |   }
		246 |   tags = merge(
		247 |     local.tags,
		248 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		249 |   )
		250 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /lambda.tf:252-274
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		252 | resource "aws_lambda_function" "delete_db_snapshots" {
		253 | 
		254 |   description      = "Clean up script to delete old unused snapshots"
		255 |   function_name    = "deletesnapshotFunction"
		256 |   role             = aws_iam_role.backup_lambda.arn
		257 |   handler          = "deletesnapshots.lambda_handler"
		258 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		259 |   runtime          = "python3.8"
		260 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		261 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		262 |   memory_size      = 3000
		263 |   timeout          = 900
		264 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		265 | 
		266 |   vpc_config {
		267 |     security_group_ids = [aws_security_group.backup_lambda.id]
		268 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		269 |   }
		270 |   tags = merge(
		271 |     local.tags,
		272 |     { Name = "${local.application_name}-${local.environment}-lambda-delete-snapshots" }
		273 |   )
		274 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /lambda.tf:252-274
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		252 | resource "aws_lambda_function" "delete_db_snapshots" {
		253 | 
		254 |   description      = "Clean up script to delete old unused snapshots"
		255 |   function_name    = "deletesnapshotFunction"
		256 |   role             = aws_iam_role.backup_lambda.arn
		257 |   handler          = "deletesnapshots.lambda_handler"
		258 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		259 |   runtime          = "python3.8"
		260 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		261 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		262 |   memory_size      = 3000
		263 |   timeout          = 900
		264 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		265 | 
		266 |   vpc_config {
		267 |     security_group_ids = [aws_security_group.backup_lambda.id]
		268 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		269 |   }
		270 |   tags = merge(
		271 |     local.tags,
		272 |     { Name = "${local.application_name}-${local.environment}-lambda-delete-snapshots" }
		273 |   )
		274 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /lambda.tf:252-274
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		252 | resource "aws_lambda_function" "delete_db_snapshots" {
		253 | 
		254 |   description      = "Clean up script to delete old unused snapshots"
		255 |   function_name    = "deletesnapshotFunction"
		256 |   role             = aws_iam_role.backup_lambda.arn
		257 |   handler          = "deletesnapshots.lambda_handler"
		258 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		259 |   runtime          = "python3.8"
		260 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		261 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		262 |   memory_size      = 3000
		263 |   timeout          = 900
		264 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		265 | 
		266 |   vpc_config {
		267 |     security_group_ids = [aws_security_group.backup_lambda.id]
		268 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		269 |   }
		270 |   tags = merge(
		271 |     local.tags,
		272 |     { Name = "${local.application_name}-${local.environment}-lambda-delete-snapshots" }
		273 |   )
		274 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /lambda.tf:252-274
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		252 | resource "aws_lambda_function" "delete_db_snapshots" {
		253 | 
		254 |   description      = "Clean up script to delete old unused snapshots"
		255 |   function_name    = "deletesnapshotFunction"
		256 |   role             = aws_iam_role.backup_lambda.arn
		257 |   handler          = "deletesnapshots.lambda_handler"
		258 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		259 |   runtime          = "python3.8"
		260 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		261 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		262 |   memory_size      = 3000
		263 |   timeout          = 900
		264 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		265 | 
		266 |   vpc_config {
		267 |     security_group_ids = [aws_security_group.backup_lambda.id]
		268 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		269 |   }
		270 |   tags = merge(
		271 |     local.tags,
		272 |     { Name = "${local.application_name}-${local.environment}-lambda-delete-snapshots" }
		273 |   )
		274 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.connect_db
	File: /lambda.tf:276-307
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		276 | resource "aws_lambda_function" "connect_db" {
		277 | 
		278 |   description      = "SSH to the DB EC2"
		279 |   function_name    = "connectDBFunction"
		280 |   role             = aws_iam_role.backup_lambda.arn
		281 |   handler          = "ssh/dbconnect.handler"
		282 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		283 |   runtime          = "nodejs18.x"
		284 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		285 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		286 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		287 |   memory_size      = 128
		288 |   timeout          = 900
		289 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		290 | 
		291 | 
		292 | 
		293 |   environment {
		294 |     variables = {
		295 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		296 | 
		297 |     }
		298 |   }
		299 |   vpc_config {
		300 |     security_group_ids = [aws_security_group.backup_lambda.id]
		301 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		302 |   }
		303 |   tags = merge(
		304 |     local.tags,
		305 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		306 |   )
		307 | }
Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.connect_db
	File: /lambda.tf:276-307
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		276 | resource "aws_lambda_function" "connect_db" {
		277 | 
		278 |   description      = "SSH to the DB EC2"
		279 |   function_name    = "connectDBFunction"
		280 |   role             = aws_iam_role.backup_lambda.arn
		281 |   handler          = "ssh/dbconnect.handler"
		282 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		283 |   runtime          = "nodejs18.x"
		284 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		285 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		286 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		287 |   memory_size      = 128
		288 |   timeout          = 900
		289 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		290 | 
		291 | 
		292 | 
		293 |   environment {
		294 |     variables = {
		295 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		296 | 
		297 |     }
		298 |   }
		299 |   vpc_config {
		300 |     security_group_ids = [aws_security_group.backup_lambda.id]
		301 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		302 |   }
		303 |   tags = merge(
		304 |     local.tags,
		305 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		306 |   )
		307 | }
Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.connect_db
	File: /lambda.tf:276-307
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		276 | resource "aws_lambda_function" "connect_db" {
		277 | 
		278 |   description      = "SSH to the DB EC2"
		279 |   function_name    = "connectDBFunction"
		280 |   role             = aws_iam_role.backup_lambda.arn
		281 |   handler          = "ssh/dbconnect.handler"
		282 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		283 |   runtime          = "nodejs18.x"
		284 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		285 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		286 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		287 |   memory_size      = 128
		288 |   timeout          = 900
		289 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		290 | 
		291 | 
		292 | 
		293 |   environment {
		294 |     variables = {
		295 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		296 | 
		297 |     }
		298 |   }
		299 |   vpc_config {
		300 |     security_group_ids = [aws_security_group.backup_lambda.id]
		301 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		302 |   }
		303 |   tags = merge(
		304 |     local.tags,
		305 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		306 |   )
		307 | }
Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.connect_db
	File: /lambda.tf:276-307
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		276 | resource "aws_lambda_function" "connect_db" {
		277 | 
		278 |   description      = "SSH to the DB EC2"
		279 |   function_name    = "connectDBFunction"
		280 |   role             = aws_iam_role.backup_lambda.arn
		281 |   handler          = "ssh/dbconnect.handler"
		282 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		283 |   runtime          = "nodejs18.x"
		284 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		285 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		286 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		287 |   memory_size      = 128
		288 |   timeout          = 900
		289 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		290 | 
		291 | 
		292 | 
		293 |   environment {
		294 |     variables = {
		295 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		296 | 
		297 |     }
		298 |   }
		299 |   vpc_config {
		300 |     security_group_ids = [aws_security_group.backup_lambda.id]
		301 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		302 |   }
		303 |   tags = merge(
		304 |     local.tags,
		305 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		306 |   )
		307 | }
Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.connect_db
	File: /lambda.tf:276-307
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		276 | resource "aws_lambda_function" "connect_db" {
		277 | 
		278 |   description      = "SSH to the DB EC2"
		279 |   function_name    = "connectDBFunction"
		280 |   role             = aws_iam_role.backup_lambda.arn
		281 |   handler          = "ssh/dbconnect.handler"
		282 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		283 |   runtime          = "nodejs18.x"
		284 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		285 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		286 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		287 |   memory_size      = 128
		288 |   timeout          = 900
		289 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		290 | 
		291 | 
		292 | 
		293 |   environment {
		294 |     variables = {
		295 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		296 | 
		297 |     }
		298 |   }
		299 |   vpc_config {
		300 |     security_group_ids = [aws_security_group.backup_lambda.id]
		301 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		302 |   }
		303 |   tags = merge(
		304 |     local.tags,
		305 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		306 |   )
		307 | }
Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: module.alb.aws_secretsmanager_secret.cloudfront
	File: /modules/alb/main.tf:275-278
	Calling File: /alb.tf:27-163
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		275 | resource "aws_secretsmanager_secret" "cloudfront" {
		276 |   name        = "cloudfront-v1-secret-${var.application_name}"
		277 |   description = "Simple secret created by AWS CloudFormation to be shared between ALB and CloudFront"
		278 | }

Check: CKV_AWS_233: "Ensure Create before destroy for ACM certificates"
	FAILED for resource: module.alb.aws_acm_certificate.external_lb
	File: /modules/alb/main.tf:427-437
	Calling File: /alb.tf:27-163
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-acm-certificate-enables-create-before-destroy

		427 | resource "aws_acm_certificate" "external_lb" {
		428 | 
		429 |   domain_name               = var.acm_cert_domain_name
		430 |   validation_method         = "DNS"
		431 |   subject_alternative_names = var.environment == "production" ? null : ["${var.application_name}.${var.business_unit}-${var.environment}.${var.acm_cert_domain_name}"]
		432 |   tags                      = var.tags
		433 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		434 |   lifecycle {
		435 |     prevent_destroy = false
		436 |   }
		437 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.alb.s3-bucket[0]
	File: /modules/alb/main.tf:96-151
	Calling File: /alb.tf:27-163
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_300: "Ensure S3 lifecycle configuration sets period for aborting failed uploads"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket_lifecycle_configuration.report_lifecycle
	File: /modules/codebuild/main.tf:25-39
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-300

		25 | resource "aws_s3_bucket_lifecycle_configuration" "report_lifecycle" {
		26 |   bucket = aws_s3_bucket.deployment_report.id
		27 | 
		28 |   rule {
		29 |     id = "monthly-expiration"
		30 |     expiration {
		31 |       days = var.s3_lifecycle_expiration_days
		32 |     }
		33 |     noncurrent_version_expiration {
		34 |       noncurrent_days = var.s3_lifecycle_noncurr_version_expiration_days
		35 |     }
		36 | 
		37 |     status = "Enabled"
		38 |   }
		39 | }

Check: CKV_AWS_163: "Ensure ECR image scanning on push is enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_ecr_repository.local-ecr
	File: /modules/codebuild/main.tf:52-66
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-8

		52 | resource "aws_ecr_repository" "local-ecr" {
		53 |   name                 = "${var.app_name}-local-ecr"
		54 |   image_tag_mutability = "MUTABLE"
		55 | 
		56 |   image_scanning_configuration {
		57 |     scan_on_push = false
		58 |   }
		59 | 
		60 |   tags = merge(
		61 |     var.tags,
		62 |     {
		63 |       Name = "${var.app_name}-local-ecr"
		64 |     },
		65 |   )
		66 | }

Check: CKV_AWS_51: "Ensure ECR Image Tags are immutable"
	FAILED for resource: module.apex-ecr-codebuild.aws_ecr_repository.local-ecr
	File: /modules/codebuild/main.tf:52-66
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-24

		52 | resource "aws_ecr_repository" "local-ecr" {
		53 |   name                 = "${var.app_name}-local-ecr"
		54 |   image_tag_mutability = "MUTABLE"
		55 | 
		56 |   image_scanning_configuration {
		57 |     scan_on_push = false
		58 |   }
		59 | 
		60 |   tags = merge(
		61 |     var.tags,
		62 |     {
		63 |       Name = "${var.app_name}-local-ecr"
		64 |     },
		65 |   )
		66 | }

Check: CKV_AWS_136: "Ensure that ECR repositories are encrypted using KMS"
	FAILED for resource: module.apex-ecr-codebuild.aws_ecr_repository.local-ecr
	File: /modules/codebuild/main.tf:52-66
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ecr-repositories-are-encrypted

		52 | resource "aws_ecr_repository" "local-ecr" {
		53 |   name                 = "${var.app_name}-local-ecr"
		54 |   image_tag_mutability = "MUTABLE"
		55 | 
		56 |   image_scanning_configuration {
		57 |     scan_on_push = false
		58 |   }
		59 | 
		60 |   tags = merge(
		61 |     var.tags,
		62 |     {
		63 |       Name = "${var.app_name}-local-ecr"
		64 |     },
		65 |   )
		66 | }

Check: CKV_AWS_314: "Ensure CodeBuild project environments have a logging configuration"
	FAILED for resource: module.apex-ecr-codebuild.aws_codebuild_project.app-build
	File: /modules/codebuild/main.tf:163-229
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-314

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_316: "Ensure CodeBuild project environments do not have privileged mode enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_codebuild_project.app-build
	File: /modules/codebuild/main.tf:163-229
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-316

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_314: "Ensure CodeBuild project environments have a logging configuration"
	FAILED for resource: module.apex-ecr-codebuild.aws_codebuild_project.test-build
	File: /modules/codebuild/main.tf:231-280
	Calling File: /codebuild.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-314

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: module.apex-ecs.aws_launch_template.ec2-launch-template
	File: /modules/ecs/main.tf:107-164
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_341: "Ensure Launch template should not have a metadata response hop limit greater than 1"
	FAILED for resource: module.apex-ecs.aws_launch_template.ec2-launch-template
	File: /modules/ecs/main.tf:107-164
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-341

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: module.apex-ecs.aws_iam_policy.ec2_instance_policy
	File: /modules/ecs/main.tf:204-237
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		204 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		205 |   name = "${var.app_name}-ec2-instance-policy"
		206 |   tags = merge(
		207 |     var.tags_common,
		208 |     {
		209 |       Name = "${var.app_name}-ec2-instance-policy"
		210 |     }
		211 |   )
		212 |   policy = <<EOF
		213 | {
		214 |     "Version": "2012-10-17",
		215 |     "Statement": [
		216 |         {
		217 |             "Action": [
		218 |                 "ecs:CreateCluster",
		219 |                 "ecs:DeregisterContainerInstance",
		220 |                 "ecs:DiscoverPollEndpoint",
		221 |                 "ecs:Poll",
		222 |                 "ecs:RegisterContainerInstance",
		223 |                 "ecs:StartTelemetrySession",
		224 |                 "ecs:Submit*",
		225 |                 "logs:CreateLogGroup",
		226 |                 "logs:CreateLogStream",
		227 |                 "logs:PutLogEvents",
		228 |                 "logs:DescribeLogStreams",
		229 |                 "ecr:*"
		230 |             ],
		231 |             "Resource": "*",
		232 |             "Effect": "Allow"
		233 |         }
		234 |     ]
		235 | }
		236 | EOF
		237 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.apex-ecs.aws_iam_policy.ec2_instance_policy
	File: /modules/ecs/main.tf:204-237
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		204 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		205 |   name = "${var.app_name}-ec2-instance-policy"
		206 |   tags = merge(
		207 |     var.tags_common,
		208 |     {
		209 |       Name = "${var.app_name}-ec2-instance-policy"
		210 |     }
		211 |   )
		212 |   policy = <<EOF
		213 | {
		214 |     "Version": "2012-10-17",
		215 |     "Statement": [
		216 |         {
		217 |             "Action": [
		218 |                 "ecs:CreateCluster",
		219 |                 "ecs:DeregisterContainerInstance",
		220 |                 "ecs:DiscoverPollEndpoint",
		221 |                 "ecs:Poll",
		222 |                 "ecs:RegisterContainerInstance",
		223 |                 "ecs:StartTelemetrySession",
		224 |                 "ecs:Submit*",
		225 |                 "logs:CreateLogGroup",
		226 |                 "logs:CreateLogStream",
		227 |                 "logs:PutLogEvents",
		228 |                 "logs:DescribeLogStreams",
		229 |                 "ecr:*"
		230 |             ],
		231 |             "Resource": "*",
		232 |             "Effect": "Allow"
		233 |         }
		234 |     ]
		235 | }
		236 | EOF
		237 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: module.apex-ecs.aws_iam_policy.ec2_instance_policy
	File: /modules/ecs/main.tf:204-237
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		204 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		205 |   name = "${var.app_name}-ec2-instance-policy"
		206 |   tags = merge(
		207 |     var.tags_common,
		208 |     {
		209 |       Name = "${var.app_name}-ec2-instance-policy"
		210 |     }
		211 |   )
		212 |   policy = <<EOF
		213 | {
		214 |     "Version": "2012-10-17",
		215 |     "Statement": [
		216 |         {
		217 |             "Action": [
		218 |                 "ecs:CreateCluster",
		219 |                 "ecs:DeregisterContainerInstance",
		220 |                 "ecs:DiscoverPollEndpoint",
		221 |                 "ecs:Poll",
		222 |                 "ecs:RegisterContainerInstance",
		223 |                 "ecs:StartTelemetrySession",
		224 |                 "ecs:Submit*",
		225 |                 "logs:CreateLogGroup",
		226 |                 "logs:CreateLogStream",
		227 |                 "logs:PutLogEvents",
		228 |                 "logs:DescribeLogStreams",
		229 |                 "ecr:*"
		230 |             ],
		231 |             "Resource": "*",
		232 |             "Effect": "Allow"
		233 |         }
		234 |     ]
		235 | }
		236 | EOF
		237 | }

Check: CKV_AWS_249: "Ensure that the Execution Role ARN and the Task Role ARN are different in ECS Task definitions"
	FAILED for resource: module.apex-ecs.aws_ecs_task_definition.windows_ecs_task_definition
	File: /modules/ecs/main.tf:266-287
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-the-aws-execution-role-arn-and-task-role-arn-are-different-in-ecs-task-definitions

		266 | resource "aws_ecs_task_definition" "windows_ecs_task_definition" {
		267 |   family             = "${var.app_name}-task-definition"
		268 |   count              = var.container_instance_type == "windows" ? 1 : 0
		269 |   execution_role_arn = aws_iam_role.ecs_task_execution_role.arn # grants the Amazon ECS container agents permission to make AWS API calls on your behalf
		270 |   task_role_arn      = aws_iam_role.ecs_task_execution_role.arn # assumed by the containers running in the task, allowing your application code (on the container) to use other AWS services
		271 |   requires_compatibilities = [
		272 |     "EC2",
		273 |   ]
		274 | 
		275 |   # volume {
		276 |   #   name = var.task_definition_volume
		277 |   # }
		278 | 
		279 |   container_definitions = var.task_definition
		280 | 
		281 |   tags = merge(
		282 |     var.tags_common,
		283 |     {
		284 |       Name = "${var.app_name}-windows-task-definition"
		285 |     }
		286 |   )
		287 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.apex-ecs.aws_iam_policy.ecs_service
	File: /modules/ecs/main.tf:439-467
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		439 | resource "aws_iam_policy" "ecs_service" { #tfsec:ignore:aws-iam-no-policy-wildcards
		440 |   name = "${var.app_name}-ecs-service-policy"
		441 |   tags = merge(
		442 |     var.tags_common,
		443 |     {
		444 |       Name = "${var.app_name}-ecs-service-policy"
		445 |     }
		446 |   )
		447 |   policy = <<EOF
		448 | {
		449 |   "Version": "2012-10-17",
		450 |   "Statement": [
		451 |     {
		452 |       "Effect": "Allow",
		453 |       "Action": [
		454 |         "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
		455 |         "elasticloadbalancing:DeregisterTargets",
		456 |         "elasticloadbalancing:Describe*",
		457 |         "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
		458 |         "elasticloadbalancing:RegisterTargets",
		459 |         "ec2:Describe*",
		460 |         "ec2:AuthorizeSecurityGroupIngress"
		461 |       ],
		462 |       "Resource": ["*"]
		463 |     }
		464 |   ]
		465 | }
		466 | EOF
		467 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: module.apex-ecs.aws_iam_policy.ecs_service
	File: /modules/ecs/main.tf:439-467
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		439 | resource "aws_iam_policy" "ecs_service" { #tfsec:ignore:aws-iam-no-policy-wildcards
		440 |   name = "${var.app_name}-ecs-service-policy"
		441 |   tags = merge(
		442 |     var.tags_common,
		443 |     {
		444 |       Name = "${var.app_name}-ecs-service-policy"
		445 |     }
		446 |   )
		447 |   policy = <<EOF
		448 | {
		449 |   "Version": "2012-10-17",
		450 |   "Statement": [
		451 |     {
		452 |       "Effect": "Allow",
		453 |       "Action": [
		454 |         "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
		455 |         "elasticloadbalancing:DeregisterTargets",
		456 |         "elasticloadbalancing:Describe*",
		457 |         "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
		458 |         "elasticloadbalancing:RegisterTargets",
		459 |         "ec2:Describe*",
		460 |         "ec2:AuthorizeSecurityGroupIngress"
		461 |       ],
		462 |       "Resource": ["*"]
		463 |     }
		464 |   ]
		465 | }
		466 | EOF
		467 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: module.apex-ecs.aws_cloudwatch_log_group.cloudwatch_group
	File: /modules/ecs/main.tf:488-499
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		488 | resource "aws_cloudwatch_log_group" "cloudwatch_group" {
		489 |   #checkov:skip=CKV_AWS_158:Temporarily skip KMS encryption check while logging solution is being updated
		490 |   name              = "${var.app_name}-ecs-container-logs"
		491 |   retention_in_days = 90
		492 |   kms_key_id        = var.log_group_kms_key
		493 |   tags = merge(
		494 |     var.tags_common,
		495 |     {
		496 |       Name = "${var.app_name}-ecs-container-logs"
		497 |     }
		498 |   )
		499 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: module.apex-ecs.aws_cloudwatch_log_group.ec2
	File: /modules/ecs/main.tf:506-516
	Calling File: /ecs.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		506 | resource "aws_cloudwatch_log_group" "ec2" {
		507 |   name              = "${var.app_name}-ecs-ec2-logs"
		508 |   retention_in_days = 90
		509 |   kms_key_id        = var.log_group_kms_key
		510 |   tags = merge(
		511 |     var.tags_common,
		512 |     {
		513 |       Name = "${var.app_name}-ecs-ec2-logs"
		514 |     }
		515 |   )
		516 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy.backuplambdapolicy
	File: /modules/lambdapolicy/main.tf:21-58
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		22 |   name   = var.backup_policy_name
		23 |   tags   = var.tags
		24 |   policy = <<EOF
		25 | {
		26 |     "Version" : "2012-10-17",
		27 |     "Statement": [
		28 |         {
		29 |             "Action": [
		30 |                 "lambda:InvokeFunction",
		31 |                 "ec2:CreateNetworkInterface",
		32 |                 "ec2:DescribeNetworkInterfaces",
		33 |                 "ec2:DeleteNetworkInterface",
		34 |                 "ec2:DescribeSecurityGroups",
		35 |                 "ec2:CreateSnapshot",
		36 |                 "ec2:DeleteSnapshot",
		37 |                 "ec2:DescribeSubnets",
		38 |                 "ec2:DescribeVpcs",
		39 |                 "ec2:DescribeInstances",
		40 |                 "ec2:DescribeAddresses",
		41 |                 "ec2:DescribeInstanceStatus",
		42 |                 "ec2:DescribeVolumes",
		43 |                 "ec2:DescribeSnapshots",
		44 |                 "ec2:CreateTags",
		45 |                 "s3:*",
		46 |                 "ssm:*",
		47 |                 "ses:*",
		48 |                 "logs:*",
		49 |                 "cloudwatch:*",
		50 |                 "sts:AssumeRole"
		51 |             ],
		52 |             "Resource": "*",
		53 |             "Effect": "Allow"
		54 |         }
		55 |     ]
		56 | }
		57 | EOF
		58 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.backuplambdapolicy
	File: /modules/lambdapolicy/main.tf:21-58
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		22 |   name   = var.backup_policy_name
		23 |   tags   = var.tags
		24 |   policy = <<EOF
		25 | {
		26 |     "Version" : "2012-10-17",
		27 |     "Statement": [
		28 |         {
		29 |             "Action": [
		30 |                 "lambda:InvokeFunction",
		31 |                 "ec2:CreateNetworkInterface",
		32 |                 "ec2:DescribeNetworkInterfaces",
		33 |                 "ec2:DeleteNetworkInterface",
		34 |                 "ec2:DescribeSecurityGroups",
		35 |                 "ec2:CreateSnapshot",
		36 |                 "ec2:DeleteSnapshot",
		37 |                 "ec2:DescribeSubnets",
		38 |                 "ec2:DescribeVpcs",
		39 |                 "ec2:DescribeInstances",
		40 |                 "ec2:DescribeAddresses",
		41 |                 "ec2:DescribeInstanceStatus",
		42 |                 "ec2:DescribeVolumes",
		43 |                 "ec2:DescribeSnapshots",
		44 |                 "ec2:CreateTags",
		45 |                 "s3:*",
		46 |                 "ssm:*",
		47 |                 "ses:*",
		48 |                 "logs:*",
		49 |                 "cloudwatch:*",
		50 |                 "sts:AssumeRole"
		51 |             ],
		52 |             "Resource": "*",
		53 |             "Effect": "Allow"
		54 |         }
		55 |     ]
		56 | }
		57 | EOF
		58 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.backuplambdapolicy
	File: /modules/lambdapolicy/main.tf:21-58
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		22 |   name   = var.backup_policy_name
		23 |   tags   = var.tags
		24 |   policy = <<EOF
		25 | {
		26 |     "Version" : "2012-10-17",
		27 |     "Statement": [
		28 |         {
		29 |             "Action": [
		30 |                 "lambda:InvokeFunction",
		31 |                 "ec2:CreateNetworkInterface",
		32 |                 "ec2:DescribeNetworkInterfaces",
		33 |                 "ec2:DeleteNetworkInterface",
		34 |                 "ec2:DescribeSecurityGroups",
		35 |                 "ec2:CreateSnapshot",
		36 |                 "ec2:DeleteSnapshot",
		37 |                 "ec2:DescribeSubnets",
		38 |                 "ec2:DescribeVpcs",
		39 |                 "ec2:DescribeInstances",
		40 |                 "ec2:DescribeAddresses",
		41 |                 "ec2:DescribeInstanceStatus",
		42 |                 "ec2:DescribeVolumes",
		43 |                 "ec2:DescribeSnapshots",
		44 |                 "ec2:CreateTags",
		45 |                 "s3:*",
		46 |                 "ssm:*",
		47 |                 "ses:*",
		48 |                 "logs:*",
		49 |                 "cloudwatch:*",
		50 |                 "sts:AssumeRole"
		51 |             ],
		52 |             "Resource": "*",
		53 |             "Effect": "Allow"
		54 |         }
		55 |     ]
		56 | }
		57 | EOF
		58 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_policy.backuplambdapolicy
	File: /modules/lambdapolicy/main.tf:21-58
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		22 |   name   = var.backup_policy_name
		23 |   tags   = var.tags
		24 |   policy = <<EOF
		25 | {
		26 |     "Version" : "2012-10-17",
		27 |     "Statement": [
		28 |         {
		29 |             "Action": [
		30 |                 "lambda:InvokeFunction",
		31 |                 "ec2:CreateNetworkInterface",
		32 |                 "ec2:DescribeNetworkInterfaces",
		33 |                 "ec2:DeleteNetworkInterface",
		34 |                 "ec2:DescribeSecurityGroups",
		35 |                 "ec2:CreateSnapshot",
		36 |                 "ec2:DeleteSnapshot",
		37 |                 "ec2:DescribeSubnets",
		38 |                 "ec2:DescribeVpcs",
		39 |                 "ec2:DescribeInstances",
		40 |                 "ec2:DescribeAddresses",
		41 |                 "ec2:DescribeInstanceStatus",
		42 |                 "ec2:DescribeVolumes",
		43 |                 "ec2:DescribeSnapshots",
		44 |                 "ec2:CreateTags",
		45 |                 "s3:*",
		46 |                 "ssm:*",
		47 |                 "ses:*",
		48 |                 "logs:*",
		49 |                 "cloudwatch:*",
		50 |                 "sts:AssumeRole"
		51 |             ],
		52 |             "Resource": "*",
		53 |             "Effect": "Allow"
		54 |         }
		55 |     ]
		56 | }
		57 | EOF
		58 | }

Check: CKV_AWS_287: "Ensure IAM policies does not allow credentials exposure"
	FAILED for resource: aws_iam_policy.backuplambdapolicy
	File: /modules/lambdapolicy/main.tf:21-58
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-287

		21 | resource "aws_iam_policy" "backuplambdapolicy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		22 |   name   = var.backup_policy_name
		23 |   tags   = var.tags
		24 |   policy = <<EOF
		25 | {
		26 |     "Version" : "2012-10-17",
		27 |     "Statement": [
		28 |         {
		29 |             "Action": [
		30 |                 "lambda:InvokeFunction",
		31 |                 "ec2:CreateNetworkInterface",
		32 |                 "ec2:DescribeNetworkInterfaces",
		33 |                 "ec2:DeleteNetworkInterface",
		34 |                 "ec2:DescribeSecurityGroups",
		35 |                 "ec2:CreateSnapshot",
		36 |                 "ec2:DeleteSnapshot",
		37 |                 "ec2:DescribeSubnets",
		38 |                 "ec2:DescribeVpcs",
		39 |                 "ec2:DescribeInstances",
		40 |                 "ec2:DescribeAddresses",
		41 |                 "ec2:DescribeInstanceStatus",
		42 |                 "ec2:DescribeVolumes",
		43 |                 "ec2:DescribeSnapshots",
		44 |                 "ec2:CreateTags",
		45 |                 "s3:*",
		46 |                 "ssm:*",
		47 |                 "ses:*",
		48 |                 "logs:*",
		49 |                 "cloudwatch:*",
		50 |                 "sts:AssumeRole"
		51 |             ],
		52 |             "Resource": "*",
		53 |             "Effect": "Allow"
		54 |         }
		55 |     ]
		56 | }
		57 | EOF
		58 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.apex
	File: /sns.tf:6-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		6  | resource "aws_sns_topic" "apex" {
		7  |   name = "${local.application_name}-${local.environment}-alerting-topic"
		8  |   tags = merge(
		9  |     local.tags,
		10 |     {
		11 |       Name = "${local.application_name}-${local.environment}-alerting-topic"
		12 |     }
		13 |   )
		14 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: pagerduty_core_alerts
	File: /sns.tf:34-41
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		34 | module "pagerduty_core_alerts" {
		35 |   depends_on = [
		36 |     aws_sns_topic.apex
		37 |   ]
		38 |   source                    = "github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0"
		39 |   sns_topics                = [aws_sns_topic.apex.name]
		40 |   pagerduty_integration_key = local.pagerduty_integration_keys[local.pagerduty_integration_key_name]
		41 | }
Check: CKV_AWS_176: "Ensure Logging is enabled for WAF Web Access Control Lists"
	FAILED for resource: aws_waf_web_acl.waf_acl
	File: /waf.tf:57-87
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-31

		57 | resource "aws_waf_web_acl" "waf_acl" {
		58 |   depends_on = [
		59 |     aws_waf_rule.wafmanualallowrule,
		60 |     aws_waf_rule.wafmanualblockrule,
		61 |   ]
		62 |   name        = "${upper(local.application_name)} Whitelisting Requesters"
		63 |   metric_name = "${upper(local.application_name)}WhitelistingRequesters"
		64 |   #   scope    = "CLOUDFRONT"
		65 |   #   provider = aws.us-east-1
		66 |   default_action {
		67 |     type = "BLOCK"
		68 |   }
		69 | 
		70 |   rules {
		71 |     action {
		72 |       type = "ALLOW"
		73 |     }
		74 |     priority = 1
		75 |     rule_id  = aws_waf_rule.wafmanualallowrule.id
		76 |     type     = "REGULAR"
		77 |   }
		78 | 
		79 |   rules {
		80 |     action {
		81 |       type = "BLOCK"
		82 |     }
		83 |     priority = 2
		84 |     rule_id  = aws_waf_rule.wafmanualblockrule.id
		85 |     type     = "REGULAR"
		86 |   }
		87 | }

Check: CKV2_AWS_47: "Ensure AWS CloudFront attached WAFv2 WebACL is configured with AMR for Log4j Vulnerability"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:177-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-47

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: module.alb.aws_secretsmanager_secret.cloudfront
	File: /modules/alb/main.tf:275-278
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		275 | resource "aws_secretsmanager_secret" "cloudfront" {
		276 |   name        = "cloudfront-v1-secret-${var.application_name}"
		277 |   description = "Simple secret created by AWS CloudFormation to be shared between ALB and CloudFront"
		278 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.cloudfront
	File: /cloudfront.tf:109-122
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		109 | resource "aws_s3_bucket" "cloudfront" {
		110 |   bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		111 |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		112 |   tags = merge(
		113 |     local.tags,
		114 |     {
		115 |       Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		116 |     }
		117 |   )
		118 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		119 |   lifecycle {
		120 |     prevent_destroy = false
		121 |   }
		122 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:107-113
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		107 | resource "aws_s3_bucket" "backup_lambda" {
		108 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		109 |   tags = merge(
		110 |     local.tags,
		111 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		112 |   )
		113 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
	File: /modules/codebuild/main.tf:5-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		5  | resource "aws_s3_bucket" "deployment_report" {
		6  |   bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		7  |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		8  |   tags = merge(
		9  |     var.tags,
		10 |     {
		11 |       Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		12 |     },
		13 |   )
		14 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.laa-lambda-backup
	File: /modules/s3/main.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		1 | resource "aws_s3_bucket" "laa-lambda-backup" {
		2 |   bucket = var.bucket_name
		3 |   tags   = var.tags
		4 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.cloudfront
	File: /cloudfront.tf:109-122
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		109 | resource "aws_s3_bucket" "cloudfront" {
		110 |   bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		111 |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		112 |   tags = merge(
		113 |     local.tags,
		114 |     {
		115 |       Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		116 |     }
		117 |   )
		118 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		119 |   lifecycle {
		120 |     prevent_destroy = false
		121 |   }
		122 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:107-113
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		107 | resource "aws_s3_bucket" "backup_lambda" {
		108 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		109 |   tags = merge(
		110 |     local.tags,
		111 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		112 |   )
		113 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
	File: /modules/codebuild/main.tf:5-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		5  | resource "aws_s3_bucket" "deployment_report" {
		6  |   bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		7  |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		8  |   tags = merge(
		9  |     var.tags,
		10 |     {
		11 |       Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		12 |     },
		13 |   )
		14 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.laa-lambda-backup
	File: /modules/s3/main.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		1 | resource "aws_s3_bucket" "laa-lambda-backup" {
		2 |   bucket = var.bucket_name
		3 |   tags   = var.tags
		4 | }

Check: CKV2_AWS_32: "Ensure CloudFront distribution has a response headers policy attached"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:177-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/bc-aws-networking-65

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AWS_18: "Ensure that Elastic File System (Amazon EFS) file systems are added in the backup plans of AWS Backup"
	FAILED for resource: aws_efs_file_system.efs
	File: /efs.tf:41-55
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-elastic-file-system-amazon-efs-file-systems-are-added-in-the-backup-plans-of-aws-backup

		41 | resource "aws_efs_file_system" "efs" {
		42 |   encrypted        = true
		43 |   kms_key_id       = aws_kms_key.efs.arn
		44 |   performance_mode = "maxIO"
		45 |   throughput_mode  = "bursting"
		46 | 
		47 |   tags = merge(
		48 |     local.tags,
		49 |     { "Name" = "mp-${local.application_name}-efs" }
		50 |   )
		51 | 
		52 |   lifecycle_policy {
		53 |     transition_to_ia = "AFTER_90_DAYS"
		54 |   }
		55 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.cloudfront
	File: /cloudfront.tf:109-122
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		109 | resource "aws_s3_bucket" "cloudfront" {
		110 |   bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		111 |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		112 |   tags = merge(
		113 |     local.tags,
		114 |     {
		115 |       Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		116 |     }
		117 |   )
		118 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		119 |   lifecycle {
		120 |     prevent_destroy = false
		121 |   }
		122 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:107-113
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		107 | resource "aws_s3_bucket" "backup_lambda" {
		108 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		109 |   tags = merge(
		110 |     local.tags,
		111 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		112 |   )
		113 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
	File: /modules/codebuild/main.tf:5-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		5  | resource "aws_s3_bucket" "deployment_report" {
		6  |   bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		7  |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		8  |   tags = merge(
		9  |     var.tags,
		10 |     {
		11 |       Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		12 |     },
		13 |   )
		14 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.laa-lambda-backup
	File: /modules/s3/main.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		1 | resource "aws_s3_bucket" "laa-lambda-backup" {
		2 |   bucket = var.bucket_name
		3 |   tags   = var.tags
		4 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.u01-orahome
	File: /ec2.tf:172-187
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		172 | resource "aws_ebs_volume" "u01-orahome" {
		173 |   availability_zone = "eu-west-2a"
		174 |   size              = local.application_data.accounts[local.environment].u01_orahome_size
		175 |   type              = "gp3"
		176 |   encrypted         = true
		177 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		178 |   snapshot_id       = local.application_data.accounts[local.environment].u01_orahome_snapshot
		179 |   lifecycle {
		180 |     ignore_changes = [kms_key_id]
		181 |   }
		182 |   tags = merge(
		183 |     local.tags,
		184 |     { "Name" = "${local.application_name}db-ec2-u01-orahome" },
		185 |     { "backup" = "false" }
		186 |   )
		187 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.u02-oradata
	File: /ec2.tf:194-209
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		194 | resource "aws_ebs_volume" "u02-oradata" {
		195 |   availability_zone = "eu-west-2a"
		196 |   size              = local.application_data.accounts[local.environment].u02_oradata_size
		197 |   type              = "gp3"
		198 |   encrypted         = true
		199 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		200 |   snapshot_id       = local.application_data.accounts[local.environment].u02_oradata_snapshot
		201 |   lifecycle {
		202 |     ignore_changes = [kms_key_id]
		203 |   }
		204 |   tags = merge(
		205 |     local.tags,
		206 |     { "Name" = "${local.application_name}db-ec2-u02-oradata" },
		207 |     { "backup" = "false" }
		208 |   )
		209 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.u03-redo
	File: /ec2.tf:219-234
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		219 | resource "aws_ebs_volume" "u03-redo" {
		220 |   availability_zone = "eu-west-2a"
		221 |   size              = local.application_data.accounts[local.environment].u03_redo_size
		222 |   type              = "gp3"
		223 |   encrypted         = true
		224 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		225 |   snapshot_id       = local.application_data.accounts[local.environment].u03_redo_snapshot
		226 |   lifecycle {
		227 |     ignore_changes = [kms_key_id]
		228 |   }
		229 |   tags = merge(
		230 |     local.tags,
		231 |     { "Name" = "${local.application_name}db-ec2-u03-redo" },
		232 |     { "backup" = "false" }
		233 |   )
		234 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.u04-arch
	File: /ec2.tf:241-256
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		241 | resource "aws_ebs_volume" "u04-arch" {
		242 |   availability_zone = "eu-west-2a"
		243 |   size              = local.application_data.accounts[local.environment].u04_arch_size
		244 |   type              = "gp3"
		245 |   encrypted         = true
		246 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		247 |   snapshot_id       = local.application_data.accounts[local.environment].u04_arch_snapshot
		248 |   lifecycle {
		249 |     ignore_changes = [kms_key_id]
		250 |   }
		251 |   tags = merge(
		252 |     local.tags,
		253 |     { "Name" = "${local.application_name}db-ec2-u04-arch" },
		254 |     { "backup" = "false" }
		255 |   )
		256 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.cloudfront
	File: /cloudfront.tf:109-122
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		109 | resource "aws_s3_bucket" "cloudfront" {
		110 |   bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		111 |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		112 |   tags = merge(
		113 |     local.tags,
		114 |     {
		115 |       Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		116 |     }
		117 |   )
		118 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		119 |   lifecycle {
		120 |     prevent_destroy = false
		121 |   }
		122 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV2_AWS_65: "Ensure access control lists for S3 buckets are disabled"
	FAILED for resource: aws_s3_bucket_ownership_controls.backup_lambda
	File: /lambda.tf:130-135
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-112

		130 | resource "aws_s3_bucket_ownership_controls" "backup_lambda" {
		131 |   bucket = aws_s3_bucket.backup_lambda.id
		132 |   rule {
		133 |     object_ownership = "ObjectWriter"
		134 |   }
		135 | }

Check: CKV_AWS_378: "Ensure AWS Load Balancer doesn't use HTTP protocol"
	FAILED for resource: module.alb.aws_lb_target_group.alb_target_group
	File: /modules/alb/main.tf:346-373

		346 | resource "aws_lb_target_group" "alb_target_group" {
		347 |   name                 = "${var.application_name}-alb-tg"
		348 |   port                 = var.target_group_port
		349 |   protocol             = var.target_group_protocol
		350 |   vpc_id               = var.vpc_id
		351 |   deregistration_delay = var.target_group_deregistration_delay
		352 |   health_check {
		353 |     interval            = var.healthcheck_interval
		354 |     path                = var.healthcheck_path
		355 |     protocol            = var.healthcheck_protocol
		356 |     timeout             = var.healthcheck_timeout
		357 |     healthy_threshold   = var.healthcheck_healthy_threshold
		358 |     unhealthy_threshold = var.healthcheck_unhealthy_threshold
		359 |   }
		360 |   stickiness {
		361 |     enabled         = var.stickiness_enabled
		362 |     type            = var.stickiness_type
		363 |     cookie_duration = var.stickiness_cookie_duration
		364 |   }
		365 | 
		366 |   tags = merge(
		367 |     var.tags,
		368 |     {
		369 |       Name = "${var.application_name}-alb-tg"
		370 |     },
		371 |   )
		372 | 
		373 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.cloudfront
	File: /cloudfront.tf:109-122
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		109 | resource "aws_s3_bucket" "cloudfront" {
		110 |   bucket = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		111 |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		112 |   tags = merge(
		113 |     local.tags,
		114 |     {
		115 |       Name = "laa-${local.application_name}-cloudfront-logging-${local.environment}"
		116 |     }
		117 |   )
		118 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		119 |   lifecycle {
		120 |     prevent_destroy = false
		121 |   }
		122 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:107-113
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		107 | resource "aws_s3_bucket" "backup_lambda" {
		108 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		109 |   tags = merge(
		110 |     local.tags,
		111 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		112 |   )
		113 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
	File: /modules/codebuild/main.tf:5-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		5  | resource "aws_s3_bucket" "deployment_report" {
		6  |   bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		7  |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		8  |   tags = merge(
		9  |     var.tags,
		10 |     {
		11 |       Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		12 |     },
		13 |   )
		14 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.laa-lambda-backup
	File: /modules/s3/main.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		1 | resource "aws_s3_bucket" "laa-lambda-backup" {
		2 |   bucket = var.bucket_name
		3 |   tags   = var.tags
		4 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:107-113
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		107 | resource "aws_s3_bucket" "backup_lambda" {
		108 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		109 |   tags = merge(
		110 |     local.tags,
		111 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		112 |   )
		113 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.laa-lambda-backup
	File: /modules/s3/main.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		1 | resource "aws_s3_bucket" "laa-lambda-backup" {
		2 |   bucket = var.bucket_name
		3 |   tags   = var.tags
		4 | }

Check: CKV2_AWS_46: "Ensure AWS CloudFront Distribution with S3 have Origin Access set to enabled"
	FAILED for resource: aws_cloudfront_distribution.external
	File: /cloudfront.tf:177-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-aws-cloudfromt-distribution-with-s3-have-origin-access-set-to-enabled

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.deployment_report
	File: /modules/codebuild/main.tf:5-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		5  | resource "aws_s3_bucket" "deployment_report" {
		6  |   bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		7  |   # force_destroy = true # Enable to recreate bucket deleting everything inside
		8  |   tags = merge(
		9  |     var.tags,
		10 |     {
		11 |       Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
		12 |     },
		13 |   )
		14 | }

Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: module.apex-ecr-codebuild.aws_s3_bucket.codebuild_resources
	File: /modules/codebuild/main.tf:102-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		102 | resource "aws_s3_bucket" "codebuild_resources" {
		103 |   bucket = "laa-${var.app_name}-management-resourcebucket"
		104 |   # force_destroy = true
		105 | }

terraform_plan scan results:

Passed checks: 0, Failed checks: 0, Skipped checks: 0, Parsing errors: 1


checkov_exitcode=1

CTFLint Scan Failed

Show Output 
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/apex

*****************************

Running tflint in terraform/environments/apex
Excluding the following checks: terraform_unused_declarations
7 issue(s) found:

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/apex/alb.tf line 17:
  17:     "${local.application_data.accounts[local.environment].acm_cert_domain_name}" = {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/apex/alb.tf line 19:
  19:       zone_name = "${local.application_data.accounts[local.environment].acm_cert_domain_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "template" in `required_providers` (terraform_required_providers)

  on terraform/environments/apex/cloudwatch.tf line 401:
 401: data "template_file" "dashboard" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "local" in `required_providers` (terraform_required_providers)

  on terraform/environments/apex/ec2.tf line 45:
  45: data "local_file" "cloudwatch_agent" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/apex/event_triggers.tf line 22:
  22:   input = jsonencode({ "appname" : "${local.database_ec2_name}" })

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "time" in `required_providers` (terraform_required_providers)

  on terraform/environments/apex/lambda.tf line 125:
 125: resource "time_sleep" "wait_for_provision_files" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "archive" in `required_providers` (terraform_required_providers)

  on terraform/environments/apex/lambda.tf line 179:
 179: data "archive_file" "connect_db" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

tflint_exitcode=2

Trivy Scan Failed

Show Output 
*****************************

Trivy will check the following folders:
terraform/environments/apex

*****************************

Running Trivy in terraform/environments/apex
2024-12-06T12:57:55Z	INFO	[vulndb] Need to update DB
2024-12-06T12:57:55Z	INFO	[vulndb] Downloading vulnerability DB...
2024-12-06T12:57:55Z	INFO	[vulndb] Downloading artifact...	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-06T12:57:58Z	INFO	[vulndb] Artifact successfully downloaded	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-06T12:57:58Z	INFO	[vuln] Vulnerability scanning is enabled
2024-12-06T12:57:58Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-12-06T12:57:58Z	INFO	[misconfig] Need to update the built-in checks
2024-12-06T12:57:58Z	INFO	[misconfig] Downloading the built-in checks...
160.80 KiB / 160.80 KiB [------------------------------------------------------] 100.00% ? p/s 100ms2024-12-06T12:58:00Z	INFO	[secret] Secret scanning is enabled
2024-12-06T12:58:00Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-12-06T12:58:00Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.58/docs/scanner/secret#recommendation for faster secret detection
2024-12-06T12:58:01Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-12-06T12:58:01Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
panic: value is null

goroutine 1 [running]:
github.com/zclconf/go-cty/cty.Value.AsString({{{0x58f5110?, 0xc0003872b1?}}, {0x0?, 0x0?}})
	/home/runner/go/pkg/mod/github.com/zclconf/go-cty@v1.15.0/cty/value_ops.go:1390 +0x10b
github.com/aquasecurity/trivy/pkg/iac/terraform.postProcessValues(0xc007dd4540, 0xc006acae10)
	/home/runner/work/trivy/trivy/pkg/iac/terraform/presets.go:52 +0x393
github.com/aquasecurity/trivy/pkg/iac/terraform.(*Block).Values(0xc007dd4540)
	/home/runner/work/trivy/trivy/pkg/iac/terraform/block.go:580 +0x185
github.com/aquasecurity/trivy/pkg/iac/scanners/terraform/parser.(*evaluator).getResources(0xc00800b900)
	/home/runner/work/trivy/trivy/pkg/iac/scanners/terraform/parser/evaluator.go:581 +0x18e
github.com/aquasecurity/trivy/pkg/iac/scanners/terraform/parser.(*evaluator).evaluateStep(0xc00800b900)
	/home/runner/work/trivy/trivy/pkg/iac/scanners/terraform/parser/evaluator.go:99 +0x195
github.com/aquasecurity/trivy/pkg/iac/scanners/terraform/parser.(*evaluator).evaluateSteps(0xc00800b900)
	/home/runner/work/trivy/trivy/pkg/iac/scanners/terraform/parser/evaluator.go:246 +0x152
github.com/aquasecurity/trivy/pkg/iac/scanners/terraform/parser.(*evaluator).EvaluateAll(0xc00800b900, {0x58f3078, 0xc0068220f0})
	/home/runner/work/trivy/trivy/pkg/iac/scanners/terraform/parser/evaluator.go:135 +0x1eb
github.com/aquasecurity/trivy/pkg/iac/scanners/terraform/parser.(*evaluator).evaluateSubmodule(0xc007b8e280, {0x58f3078, 0xc0068220f0}, 0xc00a62efc0)
	/home/runner/work/trivy/trivy/pkg/iac/scanners/terraform/parser/evaluator.go:228 +0x1bc
github.com/aquasecurity/trivy/pkg/iac/scanners/terraform/parser.(*evaluator).evaluateSubmodules(0xc007b8e280, {0x58f3078, 0xc0068220f0}, 0xc00912ce70)
	/home/runner/work/trivy/trivy/pkg/iac/scanners/terraform/parser/evaluator.go:164 +0x43f
github.com/aquasecurity/trivy/pkg/iac/scanners/terraform/parser.(*evaluator).EvaluateAll(0xc007b8e280, {0x58f3078, 0xc0068220f0})
	/home/runner/work/trivy/trivy/pkg/iac/scanners/terraform/parser/evaluator.go:142 +0x294
github.com/aquasecurity/trivy/pkg/iac/scanners/terraform/parser.(*evaluator).evaluateSubmodule(0xc007f9a3c0, {0x58f3078, 0xc0068220f0}, 0xc0050cca80)
	/home/runner/work/trivy/trivy/pkg/iac/scanners/terraform/parser/evaluator.go:228 +0x1bc
github.com/aquasecurity/trivy/pkg/iac/scanners/terraform/parser.(*evaluator).evaluateSubmodules(0xc007f9a3c0, {0x58f3078, 0xc0068220f0}, 0xc00cbcfbc0)
	/home/runner/work/trivy/trivy/pkg/iac/scanners/terraform/parser/evaluator.go:164 +0x43f
github.com/aquasecurity/trivy/pkg/iac/scanners/terraform/parser.(*evaluator).EvaluateAll(0xc007f9a3c0, {0x58f3078, 0xc0068220f0})
	/home/runner/work/trivy/trivy/pkg/iac/scanners/terraform/parser/evaluator.go:142 +0x294
github.com/aquasecurity/trivy/pkg/iac/scanners/terraform/parser.(*Parser).EvaluateAll(0xc00b996d80, {0x58f3078, 0xc0068220f0})
	/home/runner/work/trivy/trivy/pkg/iac/scanners/terraform/parser/parser.go:342 +0x90
github.com/aquasecurity/trivy/pkg/iac/scanners/terraform.(*Scanner).ScanFS(0xc001007560, {0x58f3078, 0xc0068220f0}, {0x58b12c0, 0xc006659bc0}, {0x58959e8, 0x1})
	/home/runner/work/trivy/trivy/pkg/iac/scanners/terraform/scanner.go:132 +0x726
github.com/aquasecurity/trivy/pkg/misconf.(*Scanner).Scan(0xc000ff6cc0, {0x58f3120, 0xc000bd7e30}, {0x58b12c0, 0xc000c6d440})
	/home/runner/work/trivy/trivy/pkg/misconf/scanner.go:151 +0x297
github.com/aquasecurity/trivy/pkg/fanal/analyzer/config.(*Analyzer).PostAnalyze(0xc000a910a0, {0x58f3120?, 0xc000bd7e30?}, {{0x58b12c0?, 0xc000c6d440?}, {0x9?, 0x0?}})
	/home/runner/work/trivy/trivy/pkg/fanal/analyzer/config/config.go:44 +0x46
github.com/aquasecurity/trivy/pkg/fanal/analyzer.AnalyzerGroup.PostAnalyze({0xc00158a770, {0xc000bf1200, 0x1f, 0x20}, {0xc001354e00, 0x16, 0x20}, 0xc000fb1a10, {0x47ad91d, 0x7}}, ...)
	/home/runner/work/trivy/trivy/pkg/fanal/analyzer/analyzer.go:505 +0x2e2
github.com/aquasecurity/trivy/pkg/fanal/artifact/local.Artifact.Inspect({{0x7ffc3fff1b63, 0x2d}, {0x7f6afbb1bfb8, 0xc000c90180}, {0x58b11e0, 0x827fc80}, {0xc00158a770, {0xc000bf1200, 0x1f, 0x20}, ...}, ...}, ...)
	/home/runner/work/trivy/trivy/pkg/fanal/artifact/local/fs.go:121 +0x4c9
github.com/aquasecurity/trivy/pkg/scanner.Scanner.ScanArtifact({{_, _}, {_, _}}, {_, _}, {{0xc001104900, 0x2, 0x2}, {0xc000ebaa00, ...}, ...})
	/home/runner/work/trivy/trivy/pkg/scanner/scan.go:156 +0x103
github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).scan(_, {_, _}, {{{0x47c4a2d, 0xa}, 0x0, 0x0, 0x0, 0x0, 0x45d964b800, ...}, ...}, ...)
	/home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:620 +0x32b
github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).scanArtifact(_, {_, _}, {{{0x47c4a2d, 0xa}, 0x0, 0x0, 0x0, 0x0, 0x45d964b800, ...}, ...}, ...)
	/home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:259 +0xb1
github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).scanFS(_, {_, _}, {{{0x47c4a2d, 0xa}, 0x0, 0x0, 0x0, 0x0, 0x45d964b800, ...}, ...})
	/home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:204 +0xc5
github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).ScanFilesystem(_, {_, _}, {{{0x47c4a2d, 0xa}, 0x0, 0x0, 0x0, 0x0, 0x45d964b800, ...}, ...})
	/home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:184 +0x211
github.com/aquasecurity/trivy/pkg/commands/artifact.Run({_, _}, {{{0x47c4a2d, 0xa}, 0x0, 0x0, 0x0, 0x0, 0x45d964b800, {0xc0008b82e0, ...}, ...}, ...}, ...)
	/home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:385 +0x8cb
github.com/aquasecurity/trivy/pkg/commands.NewFilesystemCommand.func2(0xc000b82308, {0xc000cf4280, 0x1, 0xa})
	/home/runner/work/trivy/trivy/pkg/commands/app.go:383 +0x19c
github.com/spf13/cobra.(*Command).execute(0xc000b82308, {0xc000cf4140, 0xa, 0xa})
	/home/runner/go/pkg/mod/github.com/spf13/cobra@v1.8.1/command.go:985 +0xaca
github.com/spf13/cobra.(*Command).ExecuteC(0xc000bbbb08)
	/home/runner/go/pkg/mod/github.com/spf13/cobra@v1.8.1/command.go:1117 +0x3ff
github.com/spf13/cobra.(*Command).Execute(0x48176bb?)
	/home/runner/go/pkg/mod/github.com/spf13/cobra@v1.8.1/command.go:1041 +0x13
main.run()
	/home/runner/work/trivy/trivy/cmd/trivy/main.go:39 +0x113
main.main()
	/home/runner/work/trivy/trivy/cmd/trivy/main.go:19 +0x1f
trivy_exitcode=2

@vc13837 vc13837 merged commit 752178d into main Dec 6, 2024
13 of 15 checks passed
@vc13837 vc13837 deleted the TM-775 branch December 6, 2024 13:03
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mnasr-moj mnasr-moj mnasr-moj approved these changes

Assignees
No one assigned
Labels
environments-repository Used to exclude PRs from this repo in our Slack PR update
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@vc13837 @mnasr-moj