
Require individual policies for each MIS database type #9173

Open. Wants to merge 5 commits into base: main.

Conversation

bill-buchan (Contributor)

No description provided.

bill-buchan requested review from a team as code owners, December 20, 2024 16:18
github-actions bot added the label environments-repository ("Used to exclude PRs from this repo in our Slack PR update"), Dec 20, 2024
bill-buchan had a problem deploying to delius-mis-development, December 20, 2024 16:19, with GitHub Actions: Failure
Contributor

#### `Trivy Scan` Failed
<details><summary>Show Output</summary>

```hcl

Trivy will check the following folders:
terraform/environments/delius-core/modules/components/oracle_db_shared
terraform/environments/delius-mis/modules/mis_environment


Running Trivy in terraform/environments/delius-core/modules/components/oracle_db_shared
2024-12-20T16:20:37Z INFO [vulndb] Need to update DB
2024-12-20T16:20:37Z INFO [vulndb] Downloading vulnerability DB...
2024-12-20T16:20:37Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-20T16:20:39Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-20T16:20:39Z INFO [vuln] Vulnerability scanning is enabled
2024-12-20T16:20:39Z INFO [misconfig] Misconfiguration scanning is enabled
2024-12-20T16:20:39Z INFO [misconfig] Need to update the built-in checks
2024-12-20T16:20:39Z INFO [misconfig] Downloading the built-in checks...
160.80 KiB / 160.80 KiB [------------------------------------------------------] 100.00% ? p/s 100ms
2024-12-20T16:20:40Z INFO [secret] Secret scanning is enabled
2024-12-20T16:20:40Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-12-20T16:20:40Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-12-20T16:20:41Z INFO [terraform scanner] Scanning root module file_path="."
2024-12-20T16:20:41Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="account_config, account_info, bastion_sg_id, env_name, environment_config, instance_roles, platform_vars, public_keys, tags"
2024-12-20T16:20:41Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_s3_object.user_public_keys" value="cty.NilVal"
2024-12-20T16:20:43Z INFO [terraform executor] Ignore finding rule="aws-ec2-no-public-egress-sgr" range="sg.tf:16"
2024-12-20T16:20:43Z INFO Number of language-specific files num=0
2024-12-20T16:20:43Z INFO Detected config files num=4
trivy_exitcode=0


Running Trivy in terraform/environments/delius-mis/modules/mis_environment
2024-12-20T16:20:43Z INFO [vuln] Vulnerability scanning is enabled
2024-12-20T16:20:43Z INFO [misconfig] Misconfiguration scanning is enabled
2024-12-20T16:20:43Z INFO [secret] Secret scanning is enabled
2024-12-20T16:20:43Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-12-20T16:20:43Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-12-20T16:20:44Z INFO [terraform scanner] Scanning root module file_path="."
2024-12-20T16:20:44Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="account_config, account_info, app_name, bastion_config, bcs_config, boe_db_config, bps_config, bws_config, dis_config, domain_join_ports, dsd_db_config, env_name, environment_config, fsx_config, mis_db_config, platform_vars, tags"
2024-12-20T16:20:44Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_vpc_security_group_egress_rule.domain_join" value="cty.NilVal"
2024-12-20T16:20:44Z ERROR [terraform evaluator] Failed to expand dynamic block. block="aws_route53_resolver_endpoint.resolve_local_entries_using_ad_dns" err="1 error occurred:\n\t* invalid for-each in aws_route53_resolver_endpoint.resolve_local_entries_using_ad_dns.dynamic.ip_address block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-20T16:20:44Z ERROR [terraform evaluator] Failed to expand dynamic block. block="aws_route53_resolver_rule.r53_fwd_to_ad" err="1 error occurred:\n\t* invalid for-each in aws_route53_resolver_rule.r53_fwd_to_ad.dynamic.target_ip block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-20T16:20:44Z ERROR [terraform evaluator] Failed to expand dynamic block. block="aws_route53_resolver_endpoint.resolve_local_entries_using_ad_dns" err="1 error occurred:\n\t* invalid for-each in aws_route53_resolver_endpoint.resolve_local_entries_using_ad_dns.dynamic.ip_address block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-20T16:20:44Z ERROR [terraform evaluator] Failed to expand dynamic block. block="aws_route53_resolver_rule.r53_fwd_to_ad" err="1 error occurred:\n\t* invalid for-each in aws_route53_resolver_rule.r53_fwd_to_ad.dynamic.target_ip block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-20T16:20:46Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2024-12-20T16:20:46Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2024-12-20T16:20:46Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-20T16:20:46Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-20T16:20:47Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.pagerduty_core_alerts.data.aws_sns_topic.alarm_topics" value="cty.NilVal"
2024-12-20T16:20:47Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bcs_instance[0].aws_ebs_volume.this" value="cty.NilVal"
2024-12-20T16:20:47Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.bcs_instance[0].aws_instance.this" err="3 errors occurred:\n\t* invalid for-each in aws_instance.this.dynamic.ephemeral_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.ebs_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.private_dns_name_options block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-20T16:20:47Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.bcs_instance[0].aws_instance.this" err="3 errors occurred:\n\t* invalid for-each in aws_instance.this.dynamic.ephemeral_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.ebs_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.private_dns_name_options block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-20T16:20:47Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bps_instance[0].aws_ebs_volume.this" value="cty.NilVal"
2024-12-20T16:20:47Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.bps_instance[0].aws_instance.this" err="3 errors occurred:\n\t* invalid for-each in aws_instance.this.dynamic.ephemeral_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.ebs_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.private_dns_name_options block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-20T16:20:47Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.bps_instance[0].aws_instance.this" err="3 errors occurred:\n\t* invalid for-each in aws_instance.this.dynamic.ephemeral_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.ebs_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.private_dns_name_options block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-20T16:20:47Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bws_instance[0].aws_ebs_volume.this" value="cty.NilVal"
2024-12-20T16:20:47Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.bws_instance[0].aws_instance.this" err="3 errors occurred:\n\t* invalid for-each in aws_instance.this.dynamic.ephemeral_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.ebs_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.private_dns_name_options block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-20T16:20:47Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.bws_instance[0].aws_instance.this" err="3 errors occurred:\n\t* invalid for-each in aws_instance.this.dynamic.ephemeral_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.ebs_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.private_dns_name_options block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-20T16:20:47Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.dis_instance[0].aws_ebs_volume.this" value="cty.NilVal"
2024-12-20T16:20:47Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.dis_instance[0].aws_instance.this" err="3 errors occurred:\n\t* invalid for-each in aws_instance.this.dynamic.ephemeral_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.ebs_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.private_dns_name_options block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-20T16:20:47Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.dis_instance[0].aws_instance.this" err="3 errors occurred:\n\t* invalid for-each in aws_instance.this.dynamic.ephemeral_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.ebs_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.private_dns_name_options block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-20T16:20:47Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_boe[0].module.instance.aws_ebs_volume.this" value="cty.NilVal"
2024-12-20T16:20:47Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.oracle_db_boe[0].module.instance.aws_instance.this" err="2 errors occurred:\n\t* invalid for-each in aws_instance.this.dynamic.ephemeral_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.ebs_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-20T16:20:47Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.oracle_db_boe[0].module.instance.aws_instance.this" err="2 errors occurred:\n\t* invalid for-each in aws_instance.this.dynamic.ephemeral_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.ebs_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-20T16:20:47Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_dsd[0].module.instance.aws_ebs_volume.this" value="cty.NilVal"
2024-12-20T16:20:47Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.oracle_db_dsd[0].module.instance.aws_instance.this" err="2 errors occurred:\n\t* invalid for-each in aws_instance.this.dynamic.ephemeral_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.ebs_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-20T16:20:47Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.oracle_db_dsd[0].module.instance.aws_instance.this" err="2 errors occurred:\n\t* invalid for-each in aws_instance.this.dynamic.ephemeral_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.ebs_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-20T16:20:48Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_mis[0].module.instance.aws_ebs_volume.this" value="cty.NilVal"
2024-12-20T16:20:48Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.oracle_db_mis[0].module.instance.aws_instance.this" err="2 errors occurred:\n\t* invalid for-each in aws_instance.this.dynamic.ephemeral_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.ebs_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-20T16:20:48Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.oracle_db_mis[0].module.instance.aws_instance.this" err="2 errors occurred:\n\t* invalid for-each in aws_instance.this.dynamic.ephemeral_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.ebs_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-20T16:20:48Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["boe-db"].aws_s3_object.user_public_keys" value="cty.NilVal"
2024-12-20T16:20:48Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["dsd-db"].aws_s3_object.user_public_keys" value="cty.NilVal"
2024-12-20T16:20:48Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["mis-db"].aws_s3_object.user_public_keys" value="cty.NilVal"
2024-12-20T16:20:48Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.schedule_alarms[0].aws_cloudwatch_event_rule.alarm_scheduler" value="cty.NilVal"
2024-12-20T16:20:48Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.schedule_alarms[0].aws_cloudwatch_event_target.alarm_scheduler" value="cty.NilVal"
2024-12-20T16:20:48Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.schedule_alarms[0].aws_lambda_permission.allow_cloudwatch" value="cty.NilVal"
2024-12-20T16:20:53Z INFO [terraform executor] Ignore finding rule="aws-ec2-enforce-http-token-imds" range="github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance?ref=20622418aa13871c279c12d9ae5e98f29c9a46f0/main.tf:22"
2024-12-20T16:20:53Z INFO [terraform executor] Ignore finding rule="aws-ec2-enforce-http-token-imds" range="github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance?ref=20622418aa13871c279c12d9ae5e98f29c9a46f0/main.tf:22"
2024-12-20T16:20:53Z INFO [terraform executor] Ignore finding rule="aws-ec2-enforce-http-token-imds" range="github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance?ref=20622418aa13871c279c12d9ae5e98f29c9a46f0/main.tf:22"
2024-12-20T16:20:53Z INFO [terraform executor] Ignore finding rule="aws-ec2-no-public-egress-sgr" range="../../../delius-core/modules/components/oracle_db_shared/sg.tf:16"
2024-12-20T16:20:53Z INFO [terraform executor] Ignore finding rule="aws-ec2-no-public-egress-sgr" range="../../../delius-core/modules/components/oracle_db_shared/sg.tf:16"
2024-12-20T16:20:53Z INFO [terraform executor] Ignore finding rule="aws-ec2-no-public-egress-sgr" range="../../../delius-core/modules/components/oracle_db_shared/sg.tf:16"
2024-12-20T16:20:53Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=c918b2189d9f81d224e07e98fa1bc9ff38e4ba12/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2024-12-20T16:20:53Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0/main.tf:171-179"
2024-12-20T16:20:53Z INFO [terraform executor] Ignore finding rule="aws-ssm-secret-use-customer-key" range="secrets.tf:3-9"
2024-12-20T16:20:53Z INFO [terraform executor] Ignore finding rule="aws-ssm-secret-use-customer-key" range="secrets.tf:12-18"
2024-12-20T16:20:53Z INFO Number of language-specific files num=0
2024-12-20T16:20:53Z INFO Detected config files num=15

sg_shared.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0107 (HIGH): Security group rule allows ingress from public internet.
════════════════════════════════════════
Security groups provide stateful filtering of ingress and egress network traffic to AWS
resources. It is recommended that no security group allows unrestricted ingress access to
remote server administration ports, such as SSH to port 22 and RDP to port 3389.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
sg_shared.tf:29
via sg_shared.tf:27-33 (aws_vpc_security_group_ingress_rule.fleet_manager)
────────────────────────────────────────
27 resource "aws_vpc_security_group_ingress_rule" "fleet_manager" {
28 security_group_id = aws_security_group.mis_ec2_shared.id
29 [ cidr_ipv4 = "0.0.0.0/0"
30 ip_protocol = "tcp"
31 from_port = 3389
32 to_port = 3389
33 }
────────────────────────────────────────

trivy_exitcode=1
```

</details>

#### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/delius-core/modules/components/oracle_db_shared
terraform/environments/delius-mis/modules/mis_environment

*****************************

Running Checkov in terraform/environments/delius-core/modules/components/oracle_db_shared
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-12-20 16:20:56,338 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0:None (for external modules, the --download-external-modules flag is required)
2024-12-20 16:20:56,338 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 247, Failed checks: 3, Skipped checks: 19

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.oracle_ec2_snapshot_backup_role_policy
	File: /backup_vault.tf:18-40
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		18 | resource "aws_iam_policy" "oracle_ec2_snapshot_backup_role_policy" {
		19 |   name = "${var.env_name}-${var.db_suffix}-oracle-ec2-snapshot-backup-role-policy"
		20 |   description = "Allow iam:PassRole for AWSBackupDefaultServiceRole"
		21 | 
		22 |   policy = jsonencode({
		23 |     Version = "2012-10-17",
		24 |     Statement = [
		25 |       {
		26 |         Effect   = "Allow",
		27 |         Action   = "iam:PassRole",
		28 |         Resource = "arn:aws:iam::${var.account_info.id}:role/service-role/AWSBackupDefaultServiceRole"
		29 |       },
		30 |       {
		31 |         Effect  = "Allow"
		32 |         Action  = ["backup:ListBackupVaults",
		33 |                    "backup:StartBackupJob",
		34 |                    "backup:DescribeBackupJob",
		35 |                    "ec2:DescribeSnapshots"],
		36 |         Resource = "*"
		37 |       }
		38 |     ]
		39 |   })
		40 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.oracle_ec2_snapshot_backup_role_policy
	File: /backup_vault.tf:18-40
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		18 | resource "aws_iam_policy" "oracle_ec2_snapshot_backup_role_policy" {
		19 |   name = "${var.env_name}-${var.db_suffix}-oracle-ec2-snapshot-backup-role-policy"
		20 |   description = "Allow iam:PassRole for AWSBackupDefaultServiceRole"
		21 | 
		22 |   policy = jsonencode({
		23 |     Version = "2012-10-17",
		24 |     Statement = [
		25 |       {
		26 |         Effect   = "Allow",
		27 |         Action   = "iam:PassRole",
		28 |         Resource = "arn:aws:iam::${var.account_info.id}:role/service-role/AWSBackupDefaultServiceRole"
		29 |       },
		30 |       {
		31 |         Effect  = "Allow"
		32 |         Action  = ["backup:ListBackupVaults",
		33 |                    "backup:StartBackupJob",
		34 |                    "backup:DescribeBackupJob",
		35 |                    "ec2:DescribeSnapshots"],
		36 |         Resource = "*"
		37 |       }
		38 |     ]
		39 |   })
		40 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3_bucket_oracledb_backups_inventory
	File: /s3.tf:189-227
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		189 | module "s3_bucket_oracledb_backups_inventory" {
		190 |   source              = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0"
		191 |   bucket_name         = "${local.oracle_backup_bucket_prefix}-inventory"
		192 |   versioning_enabled  = false
		193 |   ownership_controls  = "BucketOwnerEnforced"
		194 |   replication_enabled = false
		195 |   custom_kms_key      = var.account_config.kms_keys.general_shared
		196 |   bucket_policy       = [data.aws_iam_policy_document.oracledb_backups_inventory.json]
		197 | 
		198 |   providers = {
		199 |     aws.bucket-replication = aws.bucket-replication
		200 |   }
		201 | 
		202 |   lifecycle_rule = [
		203 |     {
		204 |       id      = "main"
		205 |       enabled = "Enabled"
		206 |       prefix  = ""
		207 | 
		208 |       tags = {
		209 |         rule      = "log"
		210 |         autoclean = "true"
		211 |       }
		212 | 
		213 |       transition = [
		214 |         {
		215 |           days          = 90
		216 |           storage_class = "STANDARD_IA"
		217 |         }
		218 |       ]
		219 | 
		220 |       expiration = {
		221 |         days = 365
		222 |       }
		223 |     }
		224 |   ]
		225 | 
		226 |   tags = var.tags
		227 | }


checkov_exitcode=1

*****************************

Running Checkov in terraform/environments/delius-mis/modules/mis_environment
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-12-20 16:21:00,193 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=c918b2189d9f81d224e07e98fa1bc9ff38e4ba12:None (for external modules, the --download-external-modules flag is required)
2024-12-20 16:21:00,193 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0:None (for external modules, the --download-external-modules flag is required)
2024-12-20 16:21:00,193 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance?ref=49e289239aec2845924f00fc5969f35ae76122e2:None (for external modules, the --download-external-modules flag is required)
2024-12-20 16:21:00,193 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 977, Failed checks: 30, Skipped checks: 80

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: module.oracle_db_shared["mis-db"].aws_iam_policy.oracle_ec2_snapshot_backup_role_policy
	File: /../../../delius-core/modules/components/oracle_db_shared/backup_vault.tf:18-40
	Calling File: /databases.tf:13-42
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		18 | resource "aws_iam_policy" "oracle_ec2_snapshot_backup_role_policy" {
		19 |   name = "${var.env_name}-${var.db_suffix}-oracle-ec2-snapshot-backup-role-policy"
		20 |   description = "Allow iam:PassRole for AWSBackupDefaultServiceRole"
		21 | 
		22 |   policy = jsonencode({
		23 |     Version = "2012-10-17",
		24 |     Statement = [
		25 |       {
		26 |         Effect   = "Allow",
		27 |         Action   = "iam:PassRole",
		28 |         Resource = "arn:aws:iam::${var.account_info.id}:role/service-role/AWSBackupDefaultServiceRole"
		29 |       },
		30 |       {
		31 |         Effect  = "Allow"
		32 |         Action  = ["backup:ListBackupVaults",
		33 |                    "backup:StartBackupJob",
		34 |                    "backup:DescribeBackupJob",
		35 |                    "ec2:DescribeSnapshots"],
		36 |         Resource = "*"
		37 |       }
		38 |     ]
		39 |   })
		40 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.oracle_db_shared["mis-db"].aws_iam_policy.oracle_ec2_snapshot_backup_role_policy
	File: /../../../delius-core/modules/components/oracle_db_shared/backup_vault.tf:18-40
	Calling File: /databases.tf:13-42
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		18 | resource "aws_iam_policy" "oracle_ec2_snapshot_backup_role_policy" {
		19 |   name = "${var.env_name}-${var.db_suffix}-oracle-ec2-snapshot-backup-role-policy"
		20 |   description = "Allow iam:PassRole for AWSBackupDefaultServiceRole"
		21 | 
		22 |   policy = jsonencode({
		23 |     Version = "2012-10-17",
		24 |     Statement = [
		25 |       {
		26 |         Effect   = "Allow",
		27 |         Action   = "iam:PassRole",
		28 |         Resource = "arn:aws:iam::${var.account_info.id}:role/service-role/AWSBackupDefaultServiceRole"
		29 |       },
		30 |       {
		31 |         Effect  = "Allow"
		32 |         Action  = ["backup:ListBackupVaults",
		33 |                    "backup:StartBackupJob",
		34 |                    "backup:DescribeBackupJob",
		35 |                    "ec2:DescribeSnapshots"],
		36 |         Resource = "*"
		37 |       }
		38 |     ]
		39 |   })
		40 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.oracle_db_shared["mis-db"].s3_bucket_oracledb_backups_inventory
	File: /../../../delius-core/modules/components/oracle_db_shared/s3.tf:189-227
	Calling File: /databases.tf:13-42
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		189 | module "s3_bucket_oracledb_backups_inventory" {
		190 |   source              = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0"
		191 |   bucket_name         = "${local.oracle_backup_bucket_prefix}-inventory"
		192 |   versioning_enabled  = false
		193 |   ownership_controls  = "BucketOwnerEnforced"
		194 |   replication_enabled = false
		195 |   custom_kms_key      = var.account_config.kms_keys.general_shared
		196 |   bucket_policy       = [data.aws_iam_policy_document.oracledb_backups_inventory.json]
		197 | 
		198 |   providers = {
		199 |     aws.bucket-replication = aws.bucket-replication
		200 |   }
		201 | 
		202 |   lifecycle_rule = [
		203 |     {
		204 |       id      = "main"
		205 |       enabled = "Enabled"
		206 |       prefix  = ""
		207 | 
		208 |       tags = {
		209 |         rule      = "log"
		210 |         autoclean = "true"
		211 |       }
		212 | 
		213 |       transition = [
		214 |         {
		215 |           days          = 90
		216 |           storage_class = "STANDARD_IA"
		217 |         }
		218 |       ]
		219 | 
		220 |       expiration = {
		221 |         days = 365
		222 |       }
		223 |     }
		224 |   ]
		225 | 
		226 |   tags = var.tags
		227 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.bcs
	File: /bcs.tf:1-5
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		1 | resource "aws_security_group" "bcs" {
		2 |   #checkov:skip=CKV2_AWS_5 "ignore"
		3 |   name_prefix = "${var.env_name}-bcs"
		4 |   vpc_id      = var.account_info.vpc_id
		5 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.bps
	File: /bps.tf:1-5
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		1 | resource "aws_security_group" "bps" {
		2 |   #checkov:skip=CKV2_AWS_5 "ignore"
		3 |   name_prefix = "${var.env_name}-bps"
		4 |   vpc_id      = var.account_info.vpc_id
		5 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.bws
	File: /bws.tf:1-5
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		1 | resource "aws_security_group" "bws" {
		2 |   #checkov:skip=CKV2_AWS_5 "ignore"
		3 |   name_prefix = "${var.env_name}-bws"
		4 |   vpc_id      = var.account_info.vpc_id
		5 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.ad_admin_password
	File: /directory_service.tf:29-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		29 | resource "aws_secretsmanager_secret" "ad_admin_password" {
		30 |   name                    = "${var.app_name}-${var.env_name}-ad-admin-password"
		31 |   recovery_window_in_days = 0
		32 | 
		33 |   tags = merge(
		34 |     var.tags,
		35 |     {
		36 |       Name = "${var.app_name}-${var.env_name}-ad-admin-password"
		37 |     }
		38 |   )
		39 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.active_directory
	File: /directory_service.tf:49-52
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		49 | resource "aws_cloudwatch_log_group" "active_directory" {
		50 |   name              = "/aws/directoryservice/${aws_directory_service_directory.mis_ad.id}"
		51 |   retention_in_days = 14
		52 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.active_directory
	File: /directory_service.tf:49-52
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		49 | resource "aws_cloudwatch_log_group" "active_directory" {
		50 |   name              = "/aws/directoryservice/${aws_directory_service_directory.mis_ad.id}"
		51 |   retention_in_days = 14
		52 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.dis
	File: /dis.tf:1-5
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		1 | resource "aws_security_group" "dis" {
		2 |   #checkov:skip=CKV2_AWS_5 "ignore"
		3 |   name_prefix = "${var.env_name}-dis"
		4 |   vpc_id      = var.account_info.vpc_id
		5 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: pagerduty_core_alerts
	File: /pagerduty.tf:12-21
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		12 | module "pagerduty_core_alerts" {
		13 | 
		14 |   depends_on = [
		15 |     aws_sns_topic.delius_mis_alarms
		16 |   ]
		17 | 
		18 |   source                    = "github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0"
		19 |   sns_topics                = [aws_sns_topic.delius_mis_alarms.name]
		20 |   pagerduty_integration_key = var.pagerduty_integration_key
		21 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.delius_mis_alarms
	File: /pagerduty.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		1  | resource "aws_sns_topic" "delius_mis_alarms" {
		2  |   name = "${var.app_name}-${var.env_name}-sns-topic"
		3  | 
		4  |   tags = merge(
		5  |     var.tags,
		6  |     {
		7  |       Name = "${var.app_name}-${var.env_name}-sns-topic"
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_ingress_rule.icmp
	File: /sg_legacy.tf:9-15
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		9  | resource "aws_vpc_security_group_ingress_rule" "icmp" {
		10 |   security_group_id = aws_security_group.legacy.id
		11 |   cidr_ipv4         = var.environment_config.legacy_counterpart_vpc_cidr
		12 |   ip_protocol       = "icmp"
		13 |   from_port         = -1
		14 |   to_port           = -1
		15 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.icmp
	File: /sg_legacy.tf:17-23
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		17 | resource "aws_vpc_security_group_egress_rule" "icmp" {
		18 |   security_group_id = aws_security_group.legacy.id
		19 |   cidr_ipv4         = var.environment_config.legacy_counterpart_vpc_cidr
		20 |   ip_protocol       = "icmp"
		21 |   from_port         = -1
		22 |   to_port           = -1
		23 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.http_s["80"]
	File: /sg_shared.tf:9-17
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		9  | resource "aws_vpc_security_group_egress_rule" "http_s" {
		10 |   for_each = toset(["80", "443"])
		11 | 
		12 |   security_group_id = aws_security_group.mis_ec2_shared.id
		13 |   cidr_ipv4         = "0.0.0.0/0"
		14 |   ip_protocol       = "tcp"
		15 |   from_port         = each.key
		16 |   to_port           = each.key
		17 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.fleet_manager
	File: /sg_shared.tf:19-25
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		19 | resource "aws_vpc_security_group_egress_rule" "fleet_manager" {
		20 |   security_group_id = aws_security_group.mis_ec2_shared.id
		21 |   cidr_ipv4         = "0.0.0.0/0"
		22 |   ip_protocol       = "tcp"
		23 |   from_port         = 3389
		24 |   to_port           = 3389
		25 | }

Check: CKV_AWS_25: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389"
	FAILED for resource: aws_vpc_security_group_ingress_rule.fleet_manager
	File: /sg_shared.tf:27-33
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-2

		27 | resource "aws_vpc_security_group_ingress_rule" "fleet_manager" {
		28 |   security_group_id = aws_security_group.mis_ec2_shared.id
		29 |   cidr_ipv4         = "0.0.0.0/0"
		30 |   ip_protocol       = "tcp"
		31 |   from_port         = 3389
		32 |   to_port           = 3389
		33 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_ingress_rule.fleet_manager
	File: /sg_shared.tf:27-33
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		27 | resource "aws_vpc_security_group_ingress_rule" "fleet_manager" {
		28 |   security_group_id = aws_security_group.mis_ec2_shared.id
		29 |   cidr_ipv4         = "0.0.0.0/0"
		30 |   ip_protocol       = "tcp"
		31 |   from_port         = 3389
		32 |   to_port           = 3389
		33 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.domain_join
	File: /sg_shared.tf:35-42
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		35 | resource "aws_vpc_security_group_egress_rule" "domain_join" {
		36 |   for_each                     = { for port in var.domain_join_ports : "${port.protocol}_${port.from_port}" => port }
		37 |   from_port                    = each.value.from_port
		38 |   to_port                      = each.value.to_port
		39 |   ip_protocol                  = each.value.protocol
		40 |   security_group_id            = aws_security_group.mis_ec2_shared.id
		41 |   referenced_security_group_id = aws_directory_service_directory.mis_ad.security_group_id
		42 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.http_s["443"]
	File: /sg_shared.tf:9-17
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		9  | resource "aws_vpc_security_group_egress_rule" "http_s" {
		10 |   for_each = toset(["80", "443"])
		11 | 
		12 |   security_group_id = aws_security_group.mis_ec2_shared.id
		13 |   cidr_ipv4         = "0.0.0.0/0"
		14 |   ip_protocol       = "tcp"
		15 |   from_port         = each.key
		16 |   to_port           = each.key
		17 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3_bucket_ssm_sessions
	File: /ssm.tf:4-16
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		4  | module "s3_bucket_ssm_sessions" {
		5  | 
		6  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0"
		7  | 
		8  |   bucket_prefix      = "${var.account_info.application_name}-${var.env_name}-ssm-sessions"
		9  |   versioning_enabled = false
		10 | 
		11 |   providers = {
		12 |     aws.bucket-replication = aws
		13 |   }
		14 | 
		15 |   tags = var.tags
		16 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: module.oracle_db_shared["boe-db"].aws_iam_policy.oracle_ec2_snapshot_backup_role_policy
	File: /../../../delius-core/modules/components/oracle_db_shared/backup_vault.tf:18-40
	Calling File: /databases.tf:13-42
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		18 | resource "aws_iam_policy" "oracle_ec2_snapshot_backup_role_policy" {
		19 |   name = "${var.env_name}-${var.db_suffix}-oracle-ec2-snapshot-backup-role-policy"
		20 |   description = "Allow iam:PassRole for AWSBackupDefaultServiceRole"
		21 | 
		22 |   policy = jsonencode({
		23 |     Version = "2012-10-17",
		24 |     Statement = [
		25 |       {
		26 |         Effect   = "Allow",
		27 |         Action   = "iam:PassRole",
		28 |         Resource = "arn:aws:iam::${var.account_info.id}:role/service-role/AWSBackupDefaultServiceRole"
		29 |       },
		30 |       {
		31 |         Effect  = "Allow"
		32 |         Action  = ["backup:ListBackupVaults",
		33 |                    "backup:StartBackupJob",
		34 |                    "backup:DescribeBackupJob",
		35 |                    "ec2:DescribeSnapshots"],
		36 |         Resource = "*"
		37 |       }
		38 |     ]
		39 |   })
		40 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.oracle_db_shared["boe-db"].aws_iam_policy.oracle_ec2_snapshot_backup_role_policy
	File: /../../../delius-core/modules/components/oracle_db_shared/backup_vault.tf:18-40
	Calling File: /databases.tf:13-42
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		18 | resource "aws_iam_policy" "oracle_ec2_snapshot_backup_role_policy" {
		19 |   name = "${var.env_name}-${var.db_suffix}-oracle-ec2-snapshot-backup-role-policy"
		20 |   description = "Allow iam:PassRole for AWSBackupDefaultServiceRole"
		21 | 
		22 |   policy = jsonencode({
		23 |     Version = "2012-10-17",
		24 |     Statement = [
		25 |       {
		26 |         Effect   = "Allow",
		27 |         Action   = "iam:PassRole",
		28 |         Resource = "arn:aws:iam::${var.account_info.id}:role/service-role/AWSBackupDefaultServiceRole"
		29 |       },
		30 |       {
		31 |         Effect  = "Allow"
		32 |         Action  = ["backup:ListBackupVaults",
		33 |                    "backup:StartBackupJob",
		34 |                    "backup:DescribeBackupJob",
		35 |                    "ec2:DescribeSnapshots"],
		36 |         Resource = "*"
		37 |       }
		38 |     ]
		39 |   })
		40 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.oracle_db_shared["boe-db"].s3_bucket_oracledb_backups_inventory
	File: /../../../delius-core/modules/components/oracle_db_shared/s3.tf:189-227
	Calling File: /databases.tf:13-42
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		189 | module "s3_bucket_oracledb_backups_inventory" {
		190 |   source              = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0"
		191 |   bucket_name         = "${local.oracle_backup_bucket_prefix}-inventory"
		192 |   versioning_enabled  = false
		193 |   ownership_controls  = "BucketOwnerEnforced"
		194 |   replication_enabled = false
		195 |   custom_kms_key      = var.account_config.kms_keys.general_shared
		196 |   bucket_policy       = [data.aws_iam_policy_document.oracledb_backups_inventory.json]
		197 | 
		198 |   providers = {
		199 |     aws.bucket-replication = aws.bucket-replication
		200 |   }
		201 | 
		202 |   lifecycle_rule = [
		203 |     {
		204 |       id      = "main"
		205 |       enabled = "Enabled"
		206 |       prefix  = ""
		207 | 
		208 |       tags = {
		209 |         rule      = "log"
		210 |         autoclean = "true"
		211 |       }
		212 | 
		213 |       transition = [
		214 |         {
		215 |           days          = 90
		216 |           storage_class = "STANDARD_IA"
		217 |         }
		218 |       ]
		219 | 
		220 |       expiration = {
		221 |         days = 365
		222 |       }
		223 |     }
		224 |   ]
		225 | 
		226 |   tags = var.tags
		227 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: module.oracle_db_shared["dsd-db"].aws_iam_policy.oracle_ec2_snapshot_backup_role_policy
	File: /../../../delius-core/modules/components/oracle_db_shared/backup_vault.tf:18-40
	Calling File: /databases.tf:13-42
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		18 | resource "aws_iam_policy" "oracle_ec2_snapshot_backup_role_policy" {
		19 |   name = "${var.env_name}-${var.db_suffix}-oracle-ec2-snapshot-backup-role-policy"
		20 |   description = "Allow iam:PassRole for AWSBackupDefaultServiceRole"
		21 | 
		22 |   policy = jsonencode({
		23 |     Version = "2012-10-17",
		24 |     Statement = [
		25 |       {
		26 |         Effect   = "Allow",
		27 |         Action   = "iam:PassRole",
		28 |         Resource = "arn:aws:iam::${var.account_info.id}:role/service-role/AWSBackupDefaultServiceRole"
		29 |       },
		30 |       {
		31 |         Effect  = "Allow"
		32 |         Action  = ["backup:ListBackupVaults",
		33 |                    "backup:StartBackupJob",
		34 |                    "backup:DescribeBackupJob",
		35 |                    "ec2:DescribeSnapshots"],
		36 |         Resource = "*"
		37 |       }
		38 |     ]
		39 |   })
		40 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.oracle_db_shared["dsd-db"].aws_iam_policy.oracle_ec2_snapshot_backup_role_policy
	File: /../../../delius-core/modules/components/oracle_db_shared/backup_vault.tf:18-40
	Calling File: /databases.tf:13-42
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		18 | resource "aws_iam_policy" "oracle_ec2_snapshot_backup_role_policy" {
		19 |   name = "${var.env_name}-${var.db_suffix}-oracle-ec2-snapshot-backup-role-policy"
		20 |   description = "Allow iam:PassRole for AWSBackupDefaultServiceRole"
		21 | 
		22 |   policy = jsonencode({
		23 |     Version = "2012-10-17",
		24 |     Statement = [
		25 |       {
		26 |         Effect   = "Allow",
		27 |         Action   = "iam:PassRole",
		28 |         Resource = "arn:aws:iam::${var.account_info.id}:role/service-role/AWSBackupDefaultServiceRole"
		29 |       },
		30 |       {
		31 |         Effect  = "Allow"
		32 |         Action  = ["backup:ListBackupVaults",
		33 |                    "backup:StartBackupJob",
		34 |                    "backup:DescribeBackupJob",
		35 |                    "ec2:DescribeSnapshots"],
		36 |         Resource = "*"
		37 |       }
		38 |     ]
		39 |   })
		40 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.oracle_db_shared["dsd-db"].s3_bucket_oracledb_backups_inventory
	File: /../../../delius-core/modules/components/oracle_db_shared/s3.tf:189-227
	Calling File: /databases.tf:13-42
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		189 | module "s3_bucket_oracledb_backups_inventory" {
		190 |   source              = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0"
		191 |   bucket_name         = "${local.oracle_backup_bucket_prefix}-inventory"
		192 |   versioning_enabled  = false
		193 |   ownership_controls  = "BucketOwnerEnforced"
		194 |   replication_enabled = false
		195 |   custom_kms_key      = var.account_config.kms_keys.general_shared
		196 |   bucket_policy       = [data.aws_iam_policy_document.oracledb_backups_inventory.json]
		197 | 
		198 |   providers = {
		199 |     aws.bucket-replication = aws.bucket-replication
		200 |   }
		201 | 
		202 |   lifecycle_rule = [
		203 |     {
		204 |       id      = "main"
		205 |       enabled = "Enabled"
		206 |       prefix  = ""
		207 | 
		208 |       tags = {
		209 |         rule      = "log"
		210 |         autoclean = "true"
		211 |       }
		212 | 
		213 |       transition = [
		214 |         {
		215 |           days          = 90
		216 |           storage_class = "STANDARD_IA"
		217 |         }
		218 |       ]
		219 | 
		220 |       expiration = {
		221 |         days = 365
		222 |       }
		223 |     }
		224 |   ]
		225 | 
		226 |   tags = var.tags
		227 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.ad_admin_password
	File: /directory_service.tf:29-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		29 | resource "aws_secretsmanager_secret" "ad_admin_password" {
		30 |   name                    = "${var.app_name}-${var.env_name}-ad-admin-password"
		31 |   recovery_window_in_days = 0
		32 | 
		33 |   tags = merge(
		34 |     var.tags,
		35 |     {
		36 |       Name = "${var.app_name}-${var.env_name}-ad-admin-password"
		37 |     }
		38 |   )
		39 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.ad_username
	File: /secrets.tf:3-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		3 | resource "aws_secretsmanager_secret" "ad_username" {
		4 |   #checkov:skip=CKV_AWS_149 "ignore"
		5 |   name                    = "${var.env_name}-legacy-ad-username"
		6 |   recovery_window_in_days = 0
		7 | 
		8 |   tags = var.tags
		9 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.ad_password
	File: /secrets.tf:12-18
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		12 | resource "aws_secretsmanager_secret" "ad_password" {
		13 |   #checkov:skip=CKV_AWS_149 "ignore"
		14 |   name                    = "${var.env_name}-legacy-ad-password"
		15 |   recovery_window_in_days = 0
		16 | 
		17 |   tags = var.tags
		18 | }


checkov_exitcode=2

TFLint Scan Failed

*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/delius-core/modules/components/oracle_db_shared
terraform/environments/delius-mis/modules/mis_environment

*****************************

Running tflint in terraform/environments/delius-core/modules/components/oracle_db_shared
Excluding the following checks: terraform_unused_declarations
7 issue(s) found:

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/delius-core/modules/components/oracle_db_shared/s3.tf line 10:
  10:       "${module.s3_bucket_oracledb_backups.bucket.arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/delius-core/modules/components/oracle_db_shared/s3.tf line 74:
  74:       "${module.s3_bucket_oracledb_backups.bucket.arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/delius-core/modules/components/oracle_db_shared/s3.tf line 87:
  87:       "${module.s3_bucket_oracledb_backups_inventory.bucket.arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/delius-core/modules/components/oracle_db_shared/s3.tf line 126:
 126:         "${module.s3_bucket_oracle_statistics[0].bucket.arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/delius-core/modules/components/oracle_db_shared/s3.tf line 241:
 241:       values   = ["${var.account_info.id}"]

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/delius-core/modules/components/oracle_db_shared/s3.tf line 253:
 253:       values   = ["${module.s3_bucket_oracledb_backups.bucket.arn}"]

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/delius-core/modules/components/oracle_db_shared/s3.tf line 294:
 294:     resources = ["${module.s3_bucket_oracle_statistics[0].bucket.arn}"]

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

tflint_exitcode=2

*****************************

Running tflint in terraform/environments/delius-mis/modules/mis_environment
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=2

Trivy Scan Failed

*****************************

Trivy will check the following folders:
terraform/environments/delius-core/modules/components/oracle_db_shared
terraform/environments/delius-mis/modules/mis_environment

*****************************

Running Trivy in terraform/environments/delius-core/modules/components/oracle_db_shared
2024-12-20T16:20:37Z	INFO	[vulndb] Need to update DB
2024-12-20T16:20:37Z	INFO	[vulndb] Downloading vulnerability DB...
2024-12-20T16:20:37Z	INFO	[vulndb] Downloading artifact...	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-20T16:20:39Z	INFO	[vulndb] Artifact successfully downloaded	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-20T16:20:39Z	INFO	[vuln] Vulnerability scanning is enabled
2024-12-20T16:20:39Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-12-20T16:20:39Z	INFO	[misconfig] Need to update the built-in checks
2024-12-20T16:20:39Z	INFO	[misconfig] Downloading the built-in checks...
160.80 KiB / 160.80 KiB [------------------------------------------------------] 100.00% ? p/s 100ms
2024-12-20T16:20:40Z	INFO	[secret] Secret scanning is enabled
2024-12-20T16:20:40Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-12-20T16:20:40Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-12-20T16:20:41Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-12-20T16:20:41Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="account_config, account_info, bastion_sg_id, env_name, environment_config, instance_roles, platform_vars, public_keys, tags"
2024-12-20T16:20:41Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_s3_object.user_public_keys" value="cty.NilVal"
2024-12-20T16:20:43Z	INFO	[terraform executor] Ignore finding	rule="aws-ec2-no-public-egress-sgr" range="sg.tf:16"
2024-12-20T16:20:43Z	INFO	Number of language-specific files	num=0
2024-12-20T16:20:43Z	INFO	Detected config files	num=4
trivy_exitcode=0

*****************************

Running Trivy in terraform/environments/delius-mis/modules/mis_environment
2024-12-20T16:20:43Z	INFO	[vuln] Vulnerability scanning is enabled
2024-12-20T16:20:43Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-12-20T16:20:43Z	INFO	[secret] Secret scanning is enabled
2024-12-20T16:20:43Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-12-20T16:20:43Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-12-20T16:20:44Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-12-20T16:20:44Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="account_config, account_info, app_name, bastion_config, bcs_config, boe_db_config, bps_config, bws_config, dis_config, domain_join_ports, dsd_db_config, env_name, environment_config, fsx_config, mis_db_config, platform_vars, tags"
2024-12-20T16:20:44Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_vpc_security_group_egress_rule.domain_join" value="cty.NilVal"
2024-12-20T16:20:44Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="aws_route53_resolver_endpoint.resolve_local_entries_using_ad_dns" err="1 error occurred:\n\t* invalid for-each in aws_route53_resolver_endpoint.resolve_local_entries_using_ad_dns.dynamic.ip_address block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-20T16:20:44Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="aws_route53_resolver_rule.r53_fwd_to_ad" err="1 error occurred:\n\t* invalid for-each in aws_route53_resolver_rule.r53_fwd_to_ad.dynamic.target_ip block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-20T16:20:44Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="aws_route53_resolver_endpoint.resolve_local_entries_using_ad_dns" err="1 error occurred:\n\t* invalid for-each in aws_route53_resolver_endpoint.resolve_local_entries_using_ad_dns.dynamic.ip_address block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-20T16:20:44Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="aws_route53_resolver_rule.r53_fwd_to_ad" err="1 error occurred:\n\t* invalid for-each in aws_route53_resolver_rule.r53_fwd_to_ad.dynamic.target_ip block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-20T16:20:46Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2024-12-20T16:20:46Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2024-12-20T16:20:46Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-20T16:20:46Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-20T16:20:47Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.pagerduty_core_alerts.data.aws_sns_topic.alarm_topics" value="cty.NilVal"
2024-12-20T16:20:47Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bcs_instance[0].aws_ebs_volume.this" value="cty.NilVal"
2024-12-20T16:20:47Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.bcs_instance[0].aws_instance.this" err="3 errors occurred:\n\t* invalid for-each in aws_instance.this.dynamic.ephemeral_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.ebs_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.private_dns_name_options block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-20T16:20:47Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.bcs_instance[0].aws_instance.this" err="3 errors occurred:\n\t* invalid for-each in aws_instance.this.dynamic.ephemeral_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.ebs_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.private_dns_name_options block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-20T16:20:47Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bps_instance[0].aws_ebs_volume.this" value="cty.NilVal"
2024-12-20T16:20:47Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.bps_instance[0].aws_instance.this" err="3 errors occurred:\n\t* invalid for-each in aws_instance.this.dynamic.ephemeral_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.ebs_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.private_dns_name_options block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-20T16:20:47Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.bps_instance[0].aws_instance.this" err="3 errors occurred:\n\t* invalid for-each in aws_instance.this.dynamic.ephemeral_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.ebs_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.private_dns_name_options block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-20T16:20:47Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bws_instance[0].aws_ebs_volume.this" value="cty.NilVal"
2024-12-20T16:20:47Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.bws_instance[0].aws_instance.this" err="3 errors occurred:\n\t* invalid for-each in aws_instance.this.dynamic.ephemeral_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.ebs_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.private_dns_name_options block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-20T16:20:47Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.bws_instance[0].aws_instance.this" err="3 errors occurred:\n\t* invalid for-each in aws_instance.this.dynamic.ephemeral_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.ebs_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.private_dns_name_options block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-20T16:20:47Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.dis_instance[0].aws_ebs_volume.this" value="cty.NilVal"
2024-12-20T16:20:47Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.dis_instance[0].aws_instance.this" err="3 errors occurred:\n\t* invalid for-each in aws_instance.this.dynamic.ephemeral_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.ebs_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.private_dns_name_options block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-20T16:20:47Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.dis_instance[0].aws_instance.this" err="3 errors occurred:\n\t* invalid for-each in aws_instance.this.dynamic.ephemeral_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.ebs_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.private_dns_name_options block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-20T16:20:47Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_boe[0].module.instance.aws_ebs_volume.this" value="cty.NilVal"
2024-12-20T16:20:47Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.oracle_db_boe[0].module.instance.aws_instance.this" err="2 errors occurred:\n\t* invalid for-each in aws_instance.this.dynamic.ephemeral_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.ebs_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-20T16:20:47Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.oracle_db_boe[0].module.instance.aws_instance.this" err="2 errors occurred:\n\t* invalid for-each in aws_instance.this.dynamic.ephemeral_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.ebs_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-20T16:20:47Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_dsd[0].module.instance.aws_ebs_volume.this" value="cty.NilVal"
2024-12-20T16:20:47Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.oracle_db_dsd[0].module.instance.aws_instance.this" err="2 errors occurred:\n\t* invalid for-each in aws_instance.this.dynamic.ephemeral_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.ebs_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-20T16:20:47Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.oracle_db_dsd[0].module.instance.aws_instance.this" err="2 errors occurred:\n\t* invalid for-each in aws_instance.this.dynamic.ephemeral_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.ebs_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-20T16:20:48Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_mis[0].module.instance.aws_ebs_volume.this" value="cty.NilVal"
2024-12-20T16:20:48Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.oracle_db_mis[0].module.instance.aws_instance.this" err="2 errors occurred:\n\t* invalid for-each in aws_instance.this.dynamic.ephemeral_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.ebs_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-20T16:20:48Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.oracle_db_mis[0].module.instance.aws_instance.this" err="2 errors occurred:\n\t* invalid for-each in aws_instance.this.dynamic.ephemeral_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.ebs_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-20T16:20:48Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_shared[\"boe-db\"].aws_s3_object.user_public_keys" value="cty.NilVal"
2024-12-20T16:20:48Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_shared[\"dsd-db\"].aws_s3_object.user_public_keys" value="cty.NilVal"
2024-12-20T16:20:48Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_shared[\"mis-db\"].aws_s3_object.user_public_keys" value="cty.NilVal"
2024-12-20T16:20:48Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.schedule_alarms[0].aws_cloudwatch_event_rule.alarm_scheduler" value="cty.NilVal"
2024-12-20T16:20:48Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.schedule_alarms[0].aws_cloudwatch_event_target.alarm_scheduler" value="cty.NilVal"
2024-12-20T16:20:48Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.schedule_alarms[0].aws_lambda_permission.allow_cloudwatch" value="cty.NilVal"
2024-12-20T16:20:53Z	INFO	[terraform executor] Ignore finding	rule="aws-ec2-enforce-http-token-imds" range="github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance?ref=20622418aa13871c279c12d9ae5e98f29c9a46f0/main.tf:22"
2024-12-20T16:20:53Z	INFO	[terraform executor] Ignore finding	rule="aws-ec2-enforce-http-token-imds" range="github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance?ref=20622418aa13871c279c12d9ae5e98f29c9a46f0/main.tf:22"
2024-12-20T16:20:53Z	INFO	[terraform executor] Ignore finding	rule="aws-ec2-enforce-http-token-imds" range="github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance?ref=20622418aa13871c279c12d9ae5e98f29c9a46f0/main.tf:22"
2024-12-20T16:20:53Z	INFO	[terraform executor] Ignore finding	rule="aws-ec2-no-public-egress-sgr" range="../../../delius-core/modules/components/oracle_db_shared/sg.tf:16"
2024-12-20T16:20:53Z	INFO	[terraform executor] Ignore finding	rule="aws-ec2-no-public-egress-sgr" range="../../../delius-core/modules/components/oracle_db_shared/sg.tf:16"
2024-12-20T16:20:53Z	INFO	[terraform executor] Ignore finding	rule="aws-ec2-no-public-egress-sgr" range="../../../delius-core/modules/components/oracle_db_shared/sg.tf:16"
2024-12-20T16:20:53Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=c918b2189d9f81d224e07e98fa1bc9ff38e4ba12/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2024-12-20T16:20:53Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0/main.tf:171-179"
2024-12-20T16:20:53Z	INFO	[terraform executor] Ignore finding	rule="aws-ssm-secret-use-customer-key" range="secrets.tf:3-9"
2024-12-20T16:20:53Z	INFO	[terraform executor] Ignore finding	rule="aws-ssm-secret-use-customer-key" range="secrets.tf:12-18"
2024-12-20T16:20:53Z	INFO	Number of language-specific files	num=0
2024-12-20T16:20:53Z	INFO	Detected config files	num=15

sg_shared.tf (terraform)
========================
Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0107 (HIGH): Security group rule allows ingress from public internet.
════════════════════════════════════════
Security groups provide stateful filtering of ingress and egress network traffic to AWS
resources. It is recommended that no security group allows unrestricted ingress access to
remote server administration ports, such as SSH to port 22 and RDP to port 3389.


See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
 sg_shared.tf:29
   via sg_shared.tf:27-33 (aws_vpc_security_group_ingress_rule.fleet_manager)
────────────────────────────────────────
  27   resource "aws_vpc_security_group_ingress_rule" "fleet_manager" {
  28     security_group_id = aws_security_group.mis_ec2_shared.id
  29 [   cidr_ipv4         = "0.0.0.0/0"
  30     ip_protocol       = "tcp"
  31     from_port         = 3389
  32     to_port           = 3389
  33   }
────────────────────────────────────────


trivy_exitcode=1
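
The flagged rule (sg_shared.tf:27-33 in the scan output above) admits RDP from any IPv4 source, which is exactly what AVD-AWS-0107 (rule id aws-ec2-no-public-ingress-sgr) exists to catch. The following is an added example, not code from PR #9173 or from the ministryofjustice repository: the rule rewritten so the check passes, plus a Terraform `check` block that fails a plan if an admin port is ever reopened to 0.0.0.0/0. Names that do not appear in the scan output (var.bastion_sg_id, data.aws_vpc.this) are assumptions. One caveat on the rule's name: AWS Systems Manager Fleet Manager's Remote Desktop feature connects through the SSM agent's outbound channel rather than through an inbound port, so if that is the intended use case the 3389 ingress rule may not be needed at all and should be verified before any variant of it is kept.

```hcl
# Added example, not code from PR #9173. Assumed names: the security group
# aws_security_group.mis_ec2_shared taken from the Trivy finding, a
# hypothetical var.bastion_sg_id holding the security group of the jump
# host allowed to open RDP sessions, and a hypothetical data.aws_vpc.this.

variable "bastion_sg_id" {
  description = "Security group ID of the host allowed to initiate RDP (assumed)"
  type        = string
}

# Passes AVD-AWS-0107: the source is another security group, so only
# instances carrying that group can reach 3389. No CIDR is involved.
resource "aws_vpc_security_group_ingress_rule" "rdp_from_bastion" {
  security_group_id            = aws_security_group.mis_ec2_shared.id
  referenced_security_group_id = var.bastion_sg_id
  ip_protocol                  = "tcp"
  from_port                    = 3389
  to_port                      = 3389
  description                  = "RDP from the bastion security group only"
}

# If a CIDR source is unavoidable, scope it to the VPC (or a smaller
# administrative range) rather than 0.0.0.0/0.
resource "aws_vpc_security_group_ingress_rule" "rdp_from_vpc" {
  security_group_id = aws_security_group.mis_ec2_shared.id
  cidr_ipv4         = data.aws_vpc.this.cidr_block
  ip_protocol       = "tcp"
  from_port         = 3389
  to_port           = 3389
  description       = "RDP from inside the VPC only"
}

# Regression guard (Terraform >= 1.5): the plan reports a failed check if
# any of the listed ingress rules exposes SSH or RDP to the whole internet.
# cidr_ipv4 is null for the security-group-sourced rule, which is fine.
check "no_public_admin_ingress" {
  assert {
    condition = alltrue([
      for r in [
        aws_vpc_security_group_ingress_rule.rdp_from_bastion,
        aws_vpc_security_group_ingress_rule.rdp_from_vpc,
      ] : r.cidr_ipv4 != "0.0.0.0/0" || !contains([22, 3389], r.from_port)
    ])
    error_message = "An ingress rule exposes an administration port (22/3389) to 0.0.0.0/0."
  }
}
```

The `Ignore finding` lines in the log show the repository already suppresses some rules with inline ignore comments; the same mechanism (`#trivy:ignore:aws-ec2-no-public-ingress-sgr` on the resource) would silence this finding too, but for a world-reachable RDP port that is the wrong fix unless there is a documented reason the rule must stay as written.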

@bill-buchan bill-buchan had a problem deploying to delius-mis-development December 20, 2024 16:34 — with GitHub Actions Failure
Contributor

Trivy Scan Failed

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/delius-core/modules/components/oracle_db_shared
terraform/environments/delius-mis/modules/mis_environment


Running Trivy in terraform/environments/delius-core/modules/components/oracle_db_shared
2024-12-20T16:35:00Z INFO [vulndb] Need to update DB
2024-12-20T16:35:00Z INFO [vulndb] Downloading vulnerability DB...
2024-12-20T16:35:00Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-20T16:35:03Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-20T16:35:03Z INFO [vuln] Vulnerability scanning is enabled
2024-12-20T16:35:03Z INFO [misconfig] Misconfiguration scanning is enabled
2024-12-20T16:35:03Z INFO [misconfig] Need to update the built-in checks
2024-12-20T16:35:03Z INFO [misconfig] Downloading the built-in checks...
160.80 KiB / 160.80 KiB [---------------------------------------------------------] 100.00% ? p/s 0s2024-12-20T16:35:03Z INFO [secret] Secret scanning is enabled
2024-12-20T16:35:03Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-12-20T16:35:03Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-12-20T16:35:04Z INFO [terraform scanner] Scanning root module file_path="."
2024-12-20T16:35:04Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="account_config, account_info, bastion_sg_id, env_name, environment_config, instance_roles, platform_vars, public_keys, tags"
2024-12-20T16:35:04Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_s3_object.user_public_keys" value="cty.NilVal"
2024-12-20T16:35:06Z INFO [terraform executor] Ignore finding rule="aws-ec2-no-public-egress-sgr" range="sg.tf:16"
2024-12-20T16:35:06Z INFO Number of language-specific files num=0
2024-12-20T16:35:06Z INFO Detected config files num=4
trivy_exitcode=0


Running Trivy in terraform/environments/delius-mis/modules/mis_environment
2024-12-20T16:35:06Z INFO [vuln] Vulnerability scanning is enabled
2024-12-20T16:35:06Z INFO [misconfig] Misconfiguration scanning is enabled
2024-12-20T16:35:06Z INFO [secret] Secret scanning is enabled
2024-12-20T16:35:06Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-12-20T16:35:06Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-12-20T16:35:07Z INFO [terraform scanner] Scanning root module file_path="."
2024-12-20T16:35:07Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="account_config, account_info, app_name, bastion_config, bcs_config, boe_db_config, bps_config, bws_config, dis_config, domain_join_ports, dsd_db_config, env_name, environment_config, fsx_config, mis_db_config, platform_vars, tags"
2024-12-20T16:35:07Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_vpc_security_group_egress_rule.domain_join" value="cty.NilVal"
2024-12-20T16:35:07Z ERROR [terraform evaluator] Failed to expand dynamic block. block="aws_route53_resolver_endpoint.resolve_local_entries_using_ad_dns" err="1 error occurred:\n\t* invalid for-each in aws_route53_resolver_endpoint.resolve_local_entries_using_ad_dns.dynamic.ip_address block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-20T16:35:07Z ERROR [terraform evaluator] Failed to expand dynamic block. block="aws_route53_resolver_rule.r53_fwd_to_ad" err="1 error occurred:\n\t* invalid for-each in aws_route53_resolver_rule.r53_fwd_to_ad.dynamic.target_ip block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-20T16:35:07Z ERROR [terraform evaluator] Failed to expand dynamic block. block="aws_route53_resolver_endpoint.resolve_local_entries_using_ad_dns" err="1 error occurred:\n\t* invalid for-each in aws_route53_resolver_endpoint.resolve_local_entries_using_ad_dns.dynamic.ip_address block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-20T16:35:07Z ERROR [terraform evaluator] Failed to expand dynamic block. block="aws_route53_resolver_rule.r53_fwd_to_ad" err="1 error occurred:\n\t* invalid for-each in aws_route53_resolver_rule.r53_fwd_to_ad.dynamic.target_ip block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-20T16:35:08Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2024-12-20T16:35:08Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2024-12-20T16:35:08Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-20T16:35:08Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-20T16:35:09Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.pagerduty_core_alerts.data.aws_sns_topic.alarm_topics" value="cty.NilVal"
2024-12-20T16:35:09Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bcs_instance[0].aws_ebs_volume.this" value="cty.NilVal"
2024-12-20T16:35:09Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.bcs_instance[0].aws_instance.this" err="3 errors occurred:\n\t* invalid for-each in aws_instance.this.dynamic.ephemeral_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.ebs_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.private_dns_name_options block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-20T16:35:09Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.bcs_instance[0].aws_instance.this" err="3 errors occurred:\n\t* invalid for-each in aws_instance.this.dynamic.ephemeral_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.ebs_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.private_dns_name_options block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-20T16:35:09Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bps_instance[0].aws_ebs_volume.this" value="cty.NilVal"
2024-12-20T16:35:09Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.bps_instance[0].aws_instance.this" err="3 errors occurred:\n\t* invalid for-each in aws_instance.this.dynamic.ephemeral_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.ebs_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.private_dns_name_options block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-20T16:35:09Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.bps_instance[0].aws_instance.this" err="3 errors occurred:\n\t* invalid for-each in aws_instance.this.dynamic.ephemeral_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.ebs_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.private_dns_name_options block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-20T16:35:09Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bws_instance[0].aws_ebs_volume.this" value="cty.NilVal"
2024-12-20T16:35:09Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.bws_instance[0].aws_instance.this" err="3 errors occurred:\n\t* invalid for-each in aws_instance.this.dynamic.ephemeral_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.ebs_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.private_dns_name_options block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-20T16:35:09Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.bws_instance[0].aws_instance.this" err="3 errors occurred:\n\t* invalid for-each in aws_instance.this.dynamic.ephemeral_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.ebs_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.private_dns_name_options block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-20T16:35:09Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.dis_instance[0].aws_ebs_volume.this" value="cty.NilVal"
2024-12-20T16:35:09Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.dis_instance[0].aws_instance.this" err="3 errors occurred:\n\t* invalid for-each in aws_instance.this.dynamic.ephemeral_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.ebs_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.private_dns_name_options block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-20T16:35:09Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.dis_instance[0].aws_instance.this" err="3 errors occurred:\n\t* invalid for-each in aws_instance.this.dynamic.ephemeral_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.ebs_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.private_dns_name_options block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-20T16:35:09Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_boe[0].module.instance.aws_ebs_volume.this" value="cty.NilVal"
2024-12-20T16:35:09Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.oracle_db_boe[0].module.instance.aws_instance.this" err="2 errors occurred:\n\t* invalid for-each in aws_instance.this.dynamic.ephemeral_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.ebs_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-20T16:35:09Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.oracle_db_boe[0].module.instance.aws_instance.this" err="2 errors occurred:\n\t* invalid for-each in aws_instance.this.dynamic.ephemeral_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.ebs_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-20T16:35:09Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_dsd[0].module.instance.aws_ebs_volume.this" value="cty.NilVal"
2024-12-20T16:35:09Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.oracle_db_dsd[0].module.instance.aws_instance.this" err="2 errors occurred:\n\t* invalid for-each in aws_instance.this.dynamic.ephemeral_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.ebs_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-20T16:35:09Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.oracle_db_dsd[0].module.instance.aws_instance.this" err="2 errors occurred:\n\t* invalid for-each in aws_instance.this.dynamic.ephemeral_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.ebs_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-20T16:35:09Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_mis[0].module.instance.aws_ebs_volume.this" value="cty.NilVal"
2024-12-20T16:35:09Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.oracle_db_mis[0].module.instance.aws_instance.this" err="2 errors occurred:\n\t* invalid for-each in aws_instance.this.dynamic.ephemeral_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.ebs_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-20T16:35:09Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.oracle_db_mis[0].module.instance.aws_instance.this" err="2 errors occurred:\n\t* invalid for-each in aws_instance.this.dynamic.ephemeral_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.ebs_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-20T16:35:09Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["boe-db"].aws_s3_object.user_public_keys" value="cty.NilVal"
2024-12-20T16:35:09Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["dsd-db"].aws_s3_object.user_public_keys" value="cty.NilVal"
2024-12-20T16:35:09Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["mis-db"].aws_s3_object.user_public_keys" value="cty.NilVal"
2024-12-20T16:35:09Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.schedule_alarms[0].aws_cloudwatch_event_rule.alarm_scheduler" value="cty.NilVal"
2024-12-20T16:35:09Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.schedule_alarms[0].aws_cloudwatch_event_target.alarm_scheduler" value="cty.NilVal"
2024-12-20T16:35:09Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.schedule_alarms[0].aws_lambda_permission.allow_cloudwatch" value="cty.NilVal"
2024-12-20T16:35:15Z INFO [terraform executor] Ignore finding rule="aws-ssm-secret-use-customer-key" range="secrets.tf:3-9"
2024-12-20T16:35:15Z INFO [terraform executor] Ignore finding rule="aws-ssm-secret-use-customer-key" range="secrets.tf:12-18"
2024-12-20T16:35:15Z INFO [terraform executor] Ignore finding rule="aws-ec2-enforce-http-token-imds" range="github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance?ref=20622418aa13871c279c12d9ae5e98f29c9a46f0/main.tf:22"
2024-12-20T16:35:15Z INFO [terraform executor] Ignore finding rule="aws-ec2-enforce-http-token-imds" range="github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance?ref=20622418aa13871c279c12d9ae5e98f29c9a46f0/main.tf:22"
2024-12-20T16:35:15Z INFO [terraform executor] Ignore finding rule="aws-ec2-enforce-http-token-imds" range="github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance?ref=20622418aa13871c279c12d9ae5e98f29c9a46f0/main.tf:22"
2024-12-20T16:35:15Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=c918b2189d9f81d224e07e98fa1bc9ff38e4ba12/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2024-12-20T16:35:15Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0/main.tf:171-179"
2024-12-20T16:35:15Z INFO [terraform executor] Ignore finding rule="aws-ec2-no-public-egress-sgr" range="../../../delius-core/modules/components/oracle_db_shared/sg.tf:16"
2024-12-20T16:35:15Z INFO [terraform executor] Ignore finding rule="aws-ec2-no-public-egress-sgr" range="../../../delius-core/modules/components/oracle_db_shared/sg.tf:16"
2024-12-20T16:35:15Z INFO [terraform executor] Ignore finding rule="aws-ec2-no-public-egress-sgr" range="../../../delius-core/modules/components/oracle_db_shared/sg.tf:16"
2024-12-20T16:35:15Z INFO Number of language-specific files num=0
2024-12-20T16:35:15Z INFO Detected config files num=15

sg_shared.tf (terraform)
========================
Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0107 (HIGH): Security group rule allows ingress from public internet.
════════════════════════════════════════
Security groups provide stateful filtering of ingress and egress network traffic to AWS
resources. It is recommended that no security group allows unrestricted ingress access to
remote server administration ports, such as SSH to port 22 and RDP to port 3389.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
sg_shared.tf:29
via sg_shared.tf:27-33 (aws_vpc_security_group_ingress_rule.fleet_manager)
────────────────────────────────────────
27 resource "aws_vpc_security_group_ingress_rule" "fleet_manager" {
28 security_group_id = aws_security_group.mis_ec2_shared.id
29 [ cidr_ipv4 = "0.0.0.0/0"
30 ip_protocol = "tcp"
31 from_port = 3389
32 to_port = 3389
33 }
────────────────────────────────────────

trivy_exitcode=1

Checkov Scan Failed

Show Output

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/delius-core/modules/components/oracle_db_shared
terraform/environments/delius-mis/modules/mis_environment

*****************************

Running Checkov in terraform/environments/delius-core/modules/components/oracle_db_shared
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-12-20 16:35:17,581 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0:None (for external modules, the --download-external-modules flag is required)
2024-12-20 16:35:17,581 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 247, Failed checks: 3, Skipped checks: 19

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.oracle_ec2_snapshot_backup_role_policy
	File: /backup_vault.tf:18-40
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		18 | resource "aws_iam_policy" "oracle_ec2_snapshot_backup_role_policy" {
		19 |   name = "${var.env_name}-${var.db_suffix}-oracle-ec2-snapshot-backup-role-policy"
		20 |   description = "Allow iam:PassRole for AWSBackupDefaultServiceRole"
		21 | 
		22 |   policy = jsonencode({
		23 |     Version = "2012-10-17",
		24 |     Statement = [
		25 |       {
		26 |         Effect   = "Allow",
		27 |         Action   = "iam:PassRole",
		28 |         Resource = "arn:aws:iam::${var.account_info.id}:role/service-role/AWSBackupDefaultServiceRole"
		29 |       },
		30 |       {
		31 |         Effect  = "Allow"
		32 |         Action  = ["backup:ListBackupVaults",
		33 |                    "backup:StartBackupJob",
		34 |                    "backup:DescribeBackupJob",
		35 |                    "ec2:DescribeSnapshots"],
		36 |         Resource = "*"
		37 |       }
		38 |     ]
		39 |   })
		40 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.oracle_ec2_snapshot_backup_role_policy
	File: /backup_vault.tf:18-40
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		18 | resource "aws_iam_policy" "oracle_ec2_snapshot_backup_role_policy" {
		19 |   name = "${var.env_name}-${var.db_suffix}-oracle-ec2-snapshot-backup-role-policy"
		20 |   description = "Allow iam:PassRole for AWSBackupDefaultServiceRole"
		21 | 
		22 |   policy = jsonencode({
		23 |     Version = "2012-10-17",
		24 |     Statement = [
		25 |       {
		26 |         Effect   = "Allow",
		27 |         Action   = "iam:PassRole",
		28 |         Resource = "arn:aws:iam::${var.account_info.id}:role/service-role/AWSBackupDefaultServiceRole"
		29 |       },
		30 |       {
		31 |         Effect  = "Allow"
		32 |         Action  = ["backup:ListBackupVaults",
		33 |                    "backup:StartBackupJob",
		34 |                    "backup:DescribeBackupJob",
		35 |                    "ec2:DescribeSnapshots"],
		36 |         Resource = "*"
		37 |       }
		38 |     ]
		39 |   })
		40 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3_bucket_oracledb_backups_inventory
	File: /s3.tf:189-227
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		189 | module "s3_bucket_oracledb_backups_inventory" {
		190 |   source              = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0"
		191 |   bucket_name         = "${local.oracle_backup_bucket_prefix}-inventory"
		192 |   versioning_enabled  = false
		193 |   ownership_controls  = "BucketOwnerEnforced"
		194 |   replication_enabled = false
		195 |   custom_kms_key      = var.account_config.kms_keys.general_shared
		196 |   bucket_policy       = [data.aws_iam_policy_document.oracledb_backups_inventory.json]
		197 | 
		198 |   providers = {
		199 |     aws.bucket-replication = aws.bucket-replication
		200 |   }
		201 | 
		202 |   lifecycle_rule = [
		203 |     {
		204 |       id      = "main"
		205 |       enabled = "Enabled"
		206 |       prefix  = ""
		207 | 
		208 |       tags = {
		209 |         rule      = "log"
		210 |         autoclean = "true"
		211 |       }
		212 | 
		213 |       transition = [
		214 |         {
		215 |           days          = 90
		216 |           storage_class = "STANDARD_IA"
		217 |         }
		218 |       ]
		219 | 
		220 |       expiration = {
		221 |         days = 365
		222 |       }
		223 |     }
		224 |   ]
		225 | 
		226 |   tags = var.tags
		227 | }


checkov_exitcode=1

*****************************

Running Checkov in terraform/environments/delius-mis/modules/mis_environment
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-12-20 16:35:20,548 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=c918b2189d9f81d224e07e98fa1bc9ff38e4ba12:None (for external modules, the --download-external-modules flag is required)
2024-12-20 16:35:20,549 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0:None (for external modules, the --download-external-modules flag is required)
2024-12-20 16:35:20,549 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance?ref=49e289239aec2845924f00fc5969f35ae76122e2:None (for external modules, the --download-external-modules flag is required)
2024-12-20 16:35:20,549 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 977, Failed checks: 30, Skipped checks: 80

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: module.oracle_db_shared["mis-db"].aws_iam_policy.oracle_ec2_snapshot_backup_role_policy
	File: /../../../delius-core/modules/components/oracle_db_shared/backup_vault.tf:18-40
	Calling File: /databases.tf:13-42
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		18 | resource "aws_iam_policy" "oracle_ec2_snapshot_backup_role_policy" {
		19 |   name = "${var.env_name}-${var.db_suffix}-oracle-ec2-snapshot-backup-role-policy"
		20 |   description = "Allow iam:PassRole for AWSBackupDefaultServiceRole"
		21 | 
		22 |   policy = jsonencode({
		23 |     Version = "2012-10-17",
		24 |     Statement = [
		25 |       {
		26 |         Effect   = "Allow",
		27 |         Action   = "iam:PassRole",
		28 |         Resource = "arn:aws:iam::${var.account_info.id}:role/service-role/AWSBackupDefaultServiceRole"
		29 |       },
		30 |       {
		31 |         Effect  = "Allow"
		32 |         Action  = ["backup:ListBackupVaults",
		33 |                    "backup:StartBackupJob",
		34 |                    "backup:DescribeBackupJob",
		35 |                    "ec2:DescribeSnapshots"],
		36 |         Resource = "*"
		37 |       }
		38 |     ]
		39 |   })
		40 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.oracle_db_shared["mis-db"].aws_iam_policy.oracle_ec2_snapshot_backup_role_policy
	File: /../../../delius-core/modules/components/oracle_db_shared/backup_vault.tf:18-40
	Calling File: /databases.tf:13-42
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		18 | resource "aws_iam_policy" "oracle_ec2_snapshot_backup_role_policy" {
		19 |   name = "${var.env_name}-${var.db_suffix}-oracle-ec2-snapshot-backup-role-policy"
		20 |   description = "Allow iam:PassRole for AWSBackupDefaultServiceRole"
		21 | 
		22 |   policy = jsonencode({
		23 |     Version = "2012-10-17",
		24 |     Statement = [
		25 |       {
		26 |         Effect   = "Allow",
		27 |         Action   = "iam:PassRole",
		28 |         Resource = "arn:aws:iam::${var.account_info.id}:role/service-role/AWSBackupDefaultServiceRole"
		29 |       },
		30 |       {
		31 |         Effect  = "Allow"
		32 |         Action  = ["backup:ListBackupVaults",
		33 |                    "backup:StartBackupJob",
		34 |                    "backup:DescribeBackupJob",
		35 |                    "ec2:DescribeSnapshots"],
		36 |         Resource = "*"
		37 |       }
		38 |     ]
		39 |   })
		40 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.oracle_db_shared["mis-db"].s3_bucket_oracledb_backups_inventory
	File: /../../../delius-core/modules/components/oracle_db_shared/s3.tf:189-227
	Calling File: /databases.tf:13-42
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		189 | module "s3_bucket_oracledb_backups_inventory" {
		190 |   source              = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0"
		191 |   bucket_name         = "${local.oracle_backup_bucket_prefix}-inventory"
		192 |   versioning_enabled  = false
		193 |   ownership_controls  = "BucketOwnerEnforced"
		194 |   replication_enabled = false
		195 |   custom_kms_key      = var.account_config.kms_keys.general_shared
		196 |   bucket_policy       = [data.aws_iam_policy_document.oracledb_backups_inventory.json]
		197 | 
		198 |   providers = {
		199 |     aws.bucket-replication = aws.bucket-replication
		200 |   }
		201 | 
		202 |   lifecycle_rule = [
		203 |     {
		204 |       id      = "main"
		205 |       enabled = "Enabled"
		206 |       prefix  = ""
		207 | 
		208 |       tags = {
		209 |         rule      = "log"
		210 |         autoclean = "true"
		211 |       }
		212 | 
		213 |       transition = [
		214 |         {
		215 |           days          = 90
		216 |           storage_class = "STANDARD_IA"
		217 |         }
		218 |       ]
		219 | 
		220 |       expiration = {
		221 |         days = 365
		222 |       }
		223 |     }
		224 |   ]
		225 | 
		226 |   tags = var.tags
		227 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.bcs
	File: /bcs.tf:1-5
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		1 | resource "aws_security_group" "bcs" {
		2 |   #checkov:skip=CKV2_AWS_5 "ignore"
		3 |   name_prefix = "${var.env_name}-bcs"
		4 |   vpc_id      = var.account_info.vpc_id
		5 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.bps
	File: /bps.tf:1-5
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		1 | resource "aws_security_group" "bps" {
		2 |   #checkov:skip=CKV2_AWS_5 "ignore"
		3 |   name_prefix = "${var.env_name}-bps"
		4 |   vpc_id      = var.account_info.vpc_id
		5 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.bws
	File: /bws.tf:1-5
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		1 | resource "aws_security_group" "bws" {
		2 |   #checkov:skip=CKV2_AWS_5 "ignore"
		3 |   name_prefix = "${var.env_name}-bws"
		4 |   vpc_id      = var.account_info.vpc_id
		5 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.ad_admin_password
	File: /directory_service.tf:29-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		29 | resource "aws_secretsmanager_secret" "ad_admin_password" {
		30 |   name                    = "${var.app_name}-${var.env_name}-ad-admin-password"
		31 |   recovery_window_in_days = 0
		32 | 
		33 |   tags = merge(
		34 |     var.tags,
		35 |     {
		36 |       Name = "${var.app_name}-${var.env_name}-ad-admin-password"
		37 |     }
		38 |   )
		39 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.active_directory
	File: /directory_service.tf:49-52
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		49 | resource "aws_cloudwatch_log_group" "active_directory" {
		50 |   name              = "/aws/directoryservice/${aws_directory_service_directory.mis_ad.id}"
		51 |   retention_in_days = 14
		52 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.active_directory
	File: /directory_service.tf:49-52
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		49 | resource "aws_cloudwatch_log_group" "active_directory" {
		50 |   name              = "/aws/directoryservice/${aws_directory_service_directory.mis_ad.id}"
		51 |   retention_in_days = 14
		52 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.dis
	File: /dis.tf:1-5
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		1 | resource "aws_security_group" "dis" {
		2 |   #checkov:skip=CKV2_AWS_5 "ignore"
		3 |   name_prefix = "${var.env_name}-dis"
		4 |   vpc_id      = var.account_info.vpc_id
		5 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.delius_mis_alarms
	File: /pagerduty.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		1  | resource "aws_sns_topic" "delius_mis_alarms" {
		2  |   name = "${var.app_name}-${var.env_name}-sns-topic"
		3  | 
		4  |   tags = merge(
		5  |     var.tags,
		6  |     {
		7  |       Name = "${var.app_name}-${var.env_name}-sns-topic"
		8  |     }
		9  |   )
		10 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: pagerduty_core_alerts
	File: /pagerduty.tf:12-21
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		12 | module "pagerduty_core_alerts" {
		13 | 
		14 |   depends_on = [
		15 |     aws_sns_topic.delius_mis_alarms
		16 |   ]
		17 | 
		18 |   source                    = "github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0"
		19 |   sns_topics                = [aws_sns_topic.delius_mis_alarms.name]
		20 |   pagerduty_integration_key = var.pagerduty_integration_key
		21 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_ingress_rule.icmp
	File: /sg_legacy.tf:9-15
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		9  | resource "aws_vpc_security_group_ingress_rule" "icmp" {
		10 |   security_group_id = aws_security_group.legacy.id
		11 |   cidr_ipv4         = var.environment_config.legacy_counterpart_vpc_cidr
		12 |   ip_protocol       = "icmp"
		13 |   from_port         = -1
		14 |   to_port           = -1
		15 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.icmp
	File: /sg_legacy.tf:17-23
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		17 | resource "aws_vpc_security_group_egress_rule" "icmp" {
		18 |   security_group_id = aws_security_group.legacy.id
		19 |   cidr_ipv4         = var.environment_config.legacy_counterpart_vpc_cidr
		20 |   ip_protocol       = "icmp"
		21 |   from_port         = -1
		22 |   to_port           = -1
		23 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.http_s["80"]
	File: /sg_shared.tf:9-17
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		9  | resource "aws_vpc_security_group_egress_rule" "http_s" {
		10 |   for_each = toset(["80", "443"])
		11 | 
		12 |   security_group_id = aws_security_group.mis_ec2_shared.id
		13 |   cidr_ipv4         = "0.0.0.0/0"
		14 |   ip_protocol       = "tcp"
		15 |   from_port         = each.key
		16 |   to_port           = each.key
		17 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.fleet_manager
	File: /sg_shared.tf:19-25
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		19 | resource "aws_vpc_security_group_egress_rule" "fleet_manager" {
		20 |   security_group_id = aws_security_group.mis_ec2_shared.id
		21 |   cidr_ipv4         = "0.0.0.0/0"
		22 |   ip_protocol       = "tcp"
		23 |   from_port         = 3389
		24 |   to_port           = 3389
		25 | }

Check: CKV_AWS_25: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389"
	FAILED for resource: aws_vpc_security_group_ingress_rule.fleet_manager
	File: /sg_shared.tf:27-33
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-2

		27 | resource "aws_vpc_security_group_ingress_rule" "fleet_manager" {
		28 |   security_group_id = aws_security_group.mis_ec2_shared.id
		29 |   cidr_ipv4         = "0.0.0.0/0"
		30 |   ip_protocol       = "tcp"
		31 |   from_port         = 3389
		32 |   to_port           = 3389
		33 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_ingress_rule.fleet_manager
	File: /sg_shared.tf:27-33
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		27 | resource "aws_vpc_security_group_ingress_rule" "fleet_manager" {
		28 |   security_group_id = aws_security_group.mis_ec2_shared.id
		29 |   cidr_ipv4         = "0.0.0.0/0"
		30 |   ip_protocol       = "tcp"
		31 |   from_port         = 3389
		32 |   to_port           = 3389
		33 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.domain_join
	File: /sg_shared.tf:35-42
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		35 | resource "aws_vpc_security_group_egress_rule" "domain_join" {
		36 |   for_each                     = { for port in var.domain_join_ports : "${port.protocol}_${port.from_port}" => port }
		37 |   from_port                    = each.value.from_port
		38 |   to_port                      = each.value.to_port
		39 |   ip_protocol                  = each.value.protocol
		40 |   security_group_id            = aws_security_group.mis_ec2_shared.id
		41 |   referenced_security_group_id = aws_directory_service_directory.mis_ad.security_group_id
		42 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.http_s["443"]
	File: /sg_shared.tf:9-17
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		9  | resource "aws_vpc_security_group_egress_rule" "http_s" {
		10 |   for_each = toset(["80", "443"])
		11 | 
		12 |   security_group_id = aws_security_group.mis_ec2_shared.id
		13 |   cidr_ipv4         = "0.0.0.0/0"
		14 |   ip_protocol       = "tcp"
		15 |   from_port         = each.key
		16 |   to_port           = each.key
		17 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3_bucket_ssm_sessions
	File: /ssm.tf:4-16
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		4  | module "s3_bucket_ssm_sessions" {
		5  | 
		6  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0"
		7  | 
		8  |   bucket_prefix      = "${var.account_info.application_name}-${var.env_name}-ssm-sessions"
		9  |   versioning_enabled = false
		10 | 
		11 |   providers = {
		12 |     aws.bucket-replication = aws
		13 |   }
		14 | 
		15 |   tags = var.tags
		16 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: module.oracle_db_shared["boe-db"].aws_iam_policy.oracle_ec2_snapshot_backup_role_policy
	File: /../../../delius-core/modules/components/oracle_db_shared/backup_vault.tf:18-40
	Calling File: /databases.tf:13-42
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		18 | resource "aws_iam_policy" "oracle_ec2_snapshot_backup_role_policy" {
		19 |   name = "${var.env_name}-${var.db_suffix}-oracle-ec2-snapshot-backup-role-policy"
		20 |   description = "Allow iam:PassRole for AWSBackupDefaultServiceRole"
		21 | 
		22 |   policy = jsonencode({
		23 |     Version = "2012-10-17",
		24 |     Statement = [
		25 |       {
		26 |         Effect   = "Allow",
		27 |         Action   = "iam:PassRole",
		28 |         Resource = "arn:aws:iam::${var.account_info.id}:role/service-role/AWSBackupDefaultServiceRole"
		29 |       },
		30 |       {
		31 |         Effect  = "Allow"
		32 |         Action  = ["backup:ListBackupVaults",
		33 |                    "backup:StartBackupJob",
		34 |                    "backup:DescribeBackupJob",
		35 |                    "ec2:DescribeSnapshots"],
		36 |         Resource = "*"
		37 |       }
		38 |     ]
		39 |   })
		40 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.oracle_db_shared["boe-db"].aws_iam_policy.oracle_ec2_snapshot_backup_role_policy
	File: /../../../delius-core/modules/components/oracle_db_shared/backup_vault.tf:18-40
	Calling File: /databases.tf:13-42
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		18 | resource "aws_iam_policy" "oracle_ec2_snapshot_backup_role_policy" {
		19 |   name = "${var.env_name}-${var.db_suffix}-oracle-ec2-snapshot-backup-role-policy"
		20 |   description = "Allow iam:PassRole for AWSBackupDefaultServiceRole"
		21 | 
		22 |   policy = jsonencode({
		23 |     Version = "2012-10-17",
		24 |     Statement = [
		25 |       {
		26 |         Effect   = "Allow",
		27 |         Action   = "iam:PassRole",
		28 |         Resource = "arn:aws:iam::${var.account_info.id}:role/service-role/AWSBackupDefaultServiceRole"
		29 |       },
		30 |       {
		31 |         Effect  = "Allow"
		32 |         Action  = ["backup:ListBackupVaults",
		33 |                    "backup:StartBackupJob",
		34 |                    "backup:DescribeBackupJob",
		35 |                    "ec2:DescribeSnapshots"],
		36 |         Resource = "*"
		37 |       }
		38 |     ]
		39 |   })
		40 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.oracle_db_shared["boe-db"].s3_bucket_oracledb_backups_inventory
	File: /../../../delius-core/modules/components/oracle_db_shared/s3.tf:189-227
	Calling File: /databases.tf:13-42
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		189 | module "s3_bucket_oracledb_backups_inventory" {
		190 |   source              = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0"
		191 |   bucket_name         = "${local.oracle_backup_bucket_prefix}-inventory"
		192 |   versioning_enabled  = false
		193 |   ownership_controls  = "BucketOwnerEnforced"
		194 |   replication_enabled = false
		195 |   custom_kms_key      = var.account_config.kms_keys.general_shared
		196 |   bucket_policy       = [data.aws_iam_policy_document.oracledb_backups_inventory.json]
		197 | 
		198 |   providers = {
		199 |     aws.bucket-replication = aws.bucket-replication
		200 |   }
		201 | 
		202 |   lifecycle_rule = [
		203 |     {
		204 |       id      = "main"
		205 |       enabled = "Enabled"
		206 |       prefix  = ""
		207 | 
		208 |       tags = {
		209 |         rule      = "log"
		210 |         autoclean = "true"
		211 |       }
		212 | 
		213 |       transition = [
		214 |         {
		215 |           days          = 90
		216 |           storage_class = "STANDARD_IA"
		217 |         }
		218 |       ]
		219 | 
		220 |       expiration = {
		221 |         days = 365
		222 |       }
		223 |     }
		224 |   ]
		225 | 
		226 |   tags = var.tags
		227 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: module.oracle_db_shared["dsd-db"].aws_iam_policy.oracle_ec2_snapshot_backup_role_policy
	File: /../../../delius-core/modules/components/oracle_db_shared/backup_vault.tf:18-40
	Calling File: /databases.tf:13-42
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		18 | resource "aws_iam_policy" "oracle_ec2_snapshot_backup_role_policy" {
		19 |   name = "${var.env_name}-${var.db_suffix}-oracle-ec2-snapshot-backup-role-policy"
		20 |   description = "Allow iam:PassRole for AWSBackupDefaultServiceRole"
		21 | 
		22 |   policy = jsonencode({
		23 |     Version = "2012-10-17",
		24 |     Statement = [
		25 |       {
		26 |         Effect   = "Allow",
		27 |         Action   = "iam:PassRole",
		28 |         Resource = "arn:aws:iam::${var.account_info.id}:role/service-role/AWSBackupDefaultServiceRole"
		29 |       },
		30 |       {
		31 |         Effect  = "Allow"
		32 |         Action  = ["backup:ListBackupVaults",
		33 |                    "backup:StartBackupJob",
		34 |                    "backup:DescribeBackupJob",
		35 |                    "ec2:DescribeSnapshots"],
		36 |         Resource = "*"
		37 |       }
		38 |     ]
		39 |   })
		40 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.oracle_db_shared["dsd-db"].aws_iam_policy.oracle_ec2_snapshot_backup_role_policy
	File: /../../../delius-core/modules/components/oracle_db_shared/backup_vault.tf:18-40
	Calling File: /databases.tf:13-42
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		18 | resource "aws_iam_policy" "oracle_ec2_snapshot_backup_role_policy" {
		19 |   name = "${var.env_name}-${var.db_suffix}-oracle-ec2-snapshot-backup-role-policy"
		20 |   description = "Allow iam:PassRole for AWSBackupDefaultServiceRole"
		21 | 
		22 |   policy = jsonencode({
		23 |     Version = "2012-10-17",
		24 |     Statement = [
		25 |       {
		26 |         Effect   = "Allow",
		27 |         Action   = "iam:PassRole",
		28 |         Resource = "arn:aws:iam::${var.account_info.id}:role/service-role/AWSBackupDefaultServiceRole"
		29 |       },
		30 |       {
		31 |         Effect  = "Allow"
		32 |         Action  = ["backup:ListBackupVaults",
		33 |                    "backup:StartBackupJob",
		34 |                    "backup:DescribeBackupJob",
		35 |                    "ec2:DescribeSnapshots"],
		36 |         Resource = "*"
		37 |       }
		38 |     ]
		39 |   })
		40 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.oracle_db_shared["dsd-db"].s3_bucket_oracledb_backups_inventory
	File: /../../../delius-core/modules/components/oracle_db_shared/s3.tf:189-227
	Calling File: /databases.tf:13-42
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		189 | module "s3_bucket_oracledb_backups_inventory" {
		190 |   source              = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0"
		191 |   bucket_name         = "${local.oracle_backup_bucket_prefix}-inventory"
		192 |   versioning_enabled  = false
		193 |   ownership_controls  = "BucketOwnerEnforced"
		194 |   replication_enabled = false
		195 |   custom_kms_key      = var.account_config.kms_keys.general_shared
		196 |   bucket_policy       = [data.aws_iam_policy_document.oracledb_backups_inventory.json]
		197 | 
		198 |   providers = {
		199 |     aws.bucket-replication = aws.bucket-replication
		200 |   }
		201 | 
		202 |   lifecycle_rule = [
		203 |     {
		204 |       id      = "main"
		205 |       enabled = "Enabled"
		206 |       prefix  = ""
		207 | 
		208 |       tags = {
		209 |         rule      = "log"
		210 |         autoclean = "true"
		211 |       }
		212 | 
		213 |       transition = [
		214 |         {
		215 |           days          = 90
		216 |           storage_class = "STANDARD_IA"
		217 |         }
		218 |       ]
		219 | 
		220 |       expiration = {
		221 |         days = 365
		222 |       }
		223 |     }
		224 |   ]
		225 | 
		226 |   tags = var.tags
		227 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.ad_admin_password
	File: /directory_service.tf:29-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		29 | resource "aws_secretsmanager_secret" "ad_admin_password" {
		30 |   name                    = "${var.app_name}-${var.env_name}-ad-admin-password"
		31 |   recovery_window_in_days = 0
		32 | 
		33 |   tags = merge(
		34 |     var.tags,
		35 |     {
		36 |       Name = "${var.app_name}-${var.env_name}-ad-admin-password"
		37 |     }
		38 |   )
		39 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.ad_username
	File: /secrets.tf:3-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		3 | resource "aws_secretsmanager_secret" "ad_username" {
		4 |   #checkov:skip=CKV_AWS_149 "ignore"
		5 |   name                    = "${var.env_name}-legacy-ad-username"
		6 |   recovery_window_in_days = 0
		7 | 
		8 |   tags = var.tags
		9 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.ad_password
	File: /secrets.tf:12-18
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		12 | resource "aws_secretsmanager_secret" "ad_password" {
		13 |   #checkov:skip=CKV_AWS_149 "ignore"
		14 |   name                    = "${var.env_name}-legacy-ad-password"
		15 |   recovery_window_in_days = 0
		16 | 
		17 |   tags = var.tags
		18 | }


checkov_exitcode=2

TFLint Scan Failed

*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/delius-core/modules/components/oracle_db_shared
terraform/environments/delius-mis/modules/mis_environment

*****************************

Running tflint in terraform/environments/delius-core/modules/components/oracle_db_shared
Excluding the following checks: terraform_unused_declarations
7 issue(s) found:

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/delius-core/modules/components/oracle_db_shared/s3.tf line 10:
  10:       "${module.s3_bucket_oracledb_backups.bucket.arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/delius-core/modules/components/oracle_db_shared/s3.tf line 74:
  74:       "${module.s3_bucket_oracledb_backups.bucket.arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/delius-core/modules/components/oracle_db_shared/s3.tf line 87:
  87:       "${module.s3_bucket_oracledb_backups_inventory.bucket.arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/delius-core/modules/components/oracle_db_shared/s3.tf line 126:
 126:         "${module.s3_bucket_oracle_statistics[0].bucket.arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/delius-core/modules/components/oracle_db_shared/s3.tf line 241:
 241:       values   = ["${var.account_info.id}"]

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/delius-core/modules/components/oracle_db_shared/s3.tf line 253:
 253:       values   = ["${module.s3_bucket_oracledb_backups.bucket.arn}"]

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/delius-core/modules/components/oracle_db_shared/s3.tf line 294:
 294:     resources = ["${module.s3_bucket_oracle_statistics[0].bucket.arn}"]

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

tflint_exitcode=2

*****************************

Running tflint in terraform/environments/delius-mis/modules/mis_environment
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=2

Trivy Scan Failed

*****************************

Trivy will check the following folders:
terraform/environments/delius-core/modules/components/oracle_db_shared
terraform/environments/delius-mis/modules/mis_environment

*****************************

Running Trivy in terraform/environments/delius-core/modules/components/oracle_db_shared
2024-12-20T16:35:00Z	INFO	[vulndb] Need to update DB
2024-12-20T16:35:00Z	INFO	[vulndb] Downloading vulnerability DB...
2024-12-20T16:35:00Z	INFO	[vulndb] Downloading artifact...	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-20T16:35:03Z	INFO	[vulndb] Artifact successfully downloaded	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-20T16:35:03Z	INFO	[vuln] Vulnerability scanning is enabled
2024-12-20T16:35:03Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-12-20T16:35:03Z	INFO	[misconfig] Need to update the built-in checks
2024-12-20T16:35:03Z	INFO	[misconfig] Downloading the built-in checks...
160.80 KiB / 160.80 KiB [---------------------------------------------------------] 100.00% ? p/s 0s2024-12-20T16:35:03Z	INFO	[secret] Secret scanning is enabled
2024-12-20T16:35:03Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-12-20T16:35:03Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-12-20T16:35:04Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-12-20T16:35:04Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="account_config, account_info, bastion_sg_id, env_name, environment_config, instance_roles, platform_vars, public_keys, tags"
2024-12-20T16:35:04Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_s3_object.user_public_keys" value="cty.NilVal"
2024-12-20T16:35:06Z	INFO	[terraform executor] Ignore finding	rule="aws-ec2-no-public-egress-sgr" range="sg.tf:16"
2024-12-20T16:35:06Z	INFO	Number of language-specific files	num=0
2024-12-20T16:35:06Z	INFO	Detected config files	num=4
trivy_exitcode=0

*****************************

Running Trivy in terraform/environments/delius-mis/modules/mis_environment
2024-12-20T16:35:06Z	INFO	[vuln] Vulnerability scanning is enabled
2024-12-20T16:35:06Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-12-20T16:35:06Z	INFO	[secret] Secret scanning is enabled
2024-12-20T16:35:06Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-12-20T16:35:06Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-12-20T16:35:07Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-12-20T16:35:07Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="account_config, account_info, app_name, bastion_config, bcs_config, boe_db_config, bps_config, bws_config, dis_config, domain_join_ports, dsd_db_config, env_name, environment_config, fsx_config, mis_db_config, platform_vars, tags"
2024-12-20T16:35:07Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_vpc_security_group_egress_rule.domain_join" value="cty.NilVal"
2024-12-20T16:35:07Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="aws_route53_resolver_endpoint.resolve_local_entries_using_ad_dns" err="1 error occurred:\n\t* invalid for-each in aws_route53_resolver_endpoint.resolve_local_entries_using_ad_dns.dynamic.ip_address block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-20T16:35:07Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="aws_route53_resolver_rule.r53_fwd_to_ad" err="1 error occurred:\n\t* invalid for-each in aws_route53_resolver_rule.r53_fwd_to_ad.dynamic.target_ip block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-20T16:35:07Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="aws_route53_resolver_endpoint.resolve_local_entries_using_ad_dns" err="1 error occurred:\n\t* invalid for-each in aws_route53_resolver_endpoint.resolve_local_entries_using_ad_dns.dynamic.ip_address block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-20T16:35:07Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="aws_route53_resolver_rule.r53_fwd_to_ad" err="1 error occurred:\n\t* invalid for-each in aws_route53_resolver_rule.r53_fwd_to_ad.dynamic.target_ip block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-20T16:35:08Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2024-12-20T16:35:08Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2024-12-20T16:35:08Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-20T16:35:08Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-20T16:35:09Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.pagerduty_core_alerts.data.aws_sns_topic.alarm_topics" value="cty.NilVal"
2024-12-20T16:35:09Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bcs_instance[0].aws_ebs_volume.this" value="cty.NilVal"
2024-12-20T16:35:09Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.bcs_instance[0].aws_instance.this" err="3 errors occurred:\n\t* invalid for-each in aws_instance.this.dynamic.ephemeral_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.ebs_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.private_dns_name_options block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-20T16:35:09Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.bcs_instance[0].aws_instance.this" err="3 errors occurred:\n\t* invalid for-each in aws_instance.this.dynamic.ephemeral_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.ebs_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.private_dns_name_options block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-20T16:35:09Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bps_instance[0].aws_ebs_volume.this" value="cty.NilVal"
2024-12-20T16:35:09Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.bps_instance[0].aws_instance.this" err="3 errors occurred:\n\t* invalid for-each in aws_instance.this.dynamic.ephemeral_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.ebs_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.private_dns_name_options block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-20T16:35:09Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.bps_instance[0].aws_instance.this" err="3 errors occurred:\n\t* invalid for-each in aws_instance.this.dynamic.ephemeral_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.ebs_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.private_dns_name_options block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-20T16:35:09Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bws_instance[0].aws_ebs_volume.this" value="cty.NilVal"
2024-12-20T16:35:09Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.bws_instance[0].aws_instance.this" err="3 errors occurred:\n\t* invalid for-each in aws_instance.this.dynamic.ephemeral_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.ebs_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.private_dns_name_options block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-20T16:35:09Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.bws_instance[0].aws_instance.this" err="3 errors occurred:\n\t* invalid for-each in aws_instance.this.dynamic.ephemeral_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.ebs_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.private_dns_name_options block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-20T16:35:09Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.dis_instance[0].aws_ebs_volume.this" value="cty.NilVal"
2024-12-20T16:35:09Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.dis_instance[0].aws_instance.this" err="3 errors occurred:\n\t* invalid for-each in aws_instance.this.dynamic.ephemeral_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.ebs_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.private_dns_name_options block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-20T16:35:09Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.dis_instance[0].aws_instance.this" err="3 errors occurred:\n\t* invalid for-each in aws_instance.this.dynamic.ephemeral_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.ebs_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.private_dns_name_options block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-20T16:35:09Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_boe[0].module.instance.aws_ebs_volume.this" value="cty.NilVal"
2024-12-20T16:35:09Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.oracle_db_boe[0].module.instance.aws_instance.this" err="2 errors occurred:\n\t* invalid for-each in aws_instance.this.dynamic.ephemeral_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.ebs_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-20T16:35:09Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.oracle_db_boe[0].module.instance.aws_instance.this" err="2 errors occurred:\n\t* invalid for-each in aws_instance.this.dynamic.ephemeral_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.ebs_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-20T16:35:09Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_dsd[0].module.instance.aws_ebs_volume.this" value="cty.NilVal"
2024-12-20T16:35:09Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.oracle_db_dsd[0].module.instance.aws_instance.this" err="2 errors occurred:\n\t* invalid for-each in aws_instance.this.dynamic.ephemeral_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.ebs_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-20T16:35:09Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.oracle_db_dsd[0].module.instance.aws_instance.this" err="2 errors occurred:\n\t* invalid for-each in aws_instance.this.dynamic.ephemeral_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.ebs_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-20T16:35:09Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_mis[0].module.instance.aws_ebs_volume.this" value="cty.NilVal"
2024-12-20T16:35:09Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.oracle_db_mis[0].module.instance.aws_instance.this" err="2 errors occurred:\n\t* invalid for-each in aws_instance.this.dynamic.ephemeral_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.ebs_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-20T16:35:09Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.oracle_db_mis[0].module.instance.aws_instance.this" err="2 errors occurred:\n\t* invalid for-each in aws_instance.this.dynamic.ephemeral_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.ebs_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-20T16:35:09Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_shared[\"boe-db\"].aws_s3_object.user_public_keys" value="cty.NilVal"
2024-12-20T16:35:09Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_shared[\"dsd-db\"].aws_s3_object.user_public_keys" value="cty.NilVal"
2024-12-20T16:35:09Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_shared[\"mis-db\"].aws_s3_object.user_public_keys" value="cty.NilVal"
2024-12-20T16:35:09Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.schedule_alarms[0].aws_cloudwatch_event_rule.alarm_scheduler" value="cty.NilVal"
2024-12-20T16:35:09Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.schedule_alarms[0].aws_cloudwatch_event_target.alarm_scheduler" value="cty.NilVal"
2024-12-20T16:35:09Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.schedule_alarms[0].aws_lambda_permission.allow_cloudwatch" value="cty.NilVal"
2024-12-20T16:35:15Z	INFO	[terraform executor] Ignore finding	rule="aws-ssm-secret-use-customer-key" range="secrets.tf:3-9"
2024-12-20T16:35:15Z	INFO	[terraform executor] Ignore finding	rule="aws-ssm-secret-use-customer-key" range="secrets.tf:12-18"
2024-12-20T16:35:15Z	INFO	[terraform executor] Ignore finding	rule="aws-ec2-enforce-http-token-imds" range="github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance?ref=20622418aa13871c279c12d9ae5e98f29c9a46f0/main.tf:22"
2024-12-20T16:35:15Z	INFO	[terraform executor] Ignore finding	rule="aws-ec2-enforce-http-token-imds" range="github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance?ref=20622418aa13871c279c12d9ae5e98f29c9a46f0/main.tf:22"
2024-12-20T16:35:15Z	INFO	[terraform executor] Ignore finding	rule="aws-ec2-enforce-http-token-imds" range="github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance?ref=20622418aa13871c279c12d9ae5e98f29c9a46f0/main.tf:22"
2024-12-20T16:35:15Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=c918b2189d9f81d224e07e98fa1bc9ff38e4ba12/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2024-12-20T16:35:15Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0/main.tf:171-179"
2024-12-20T16:35:15Z	INFO	[terraform executor] Ignore finding	rule="aws-ec2-no-public-egress-sgr" range="../../../delius-core/modules/components/oracle_db_shared/sg.tf:16"
2024-12-20T16:35:15Z	INFO	[terraform executor] Ignore finding	rule="aws-ec2-no-public-egress-sgr" range="../../../delius-core/modules/components/oracle_db_shared/sg.tf:16"
2024-12-20T16:35:15Z	INFO	[terraform executor] Ignore finding	rule="aws-ec2-no-public-egress-sgr" range="../../../delius-core/modules/components/oracle_db_shared/sg.tf:16"
2024-12-20T16:35:15Z	INFO	Number of language-specific files	num=0
2024-12-20T16:35:15Z	INFO	Detected config files	num=15

sg_shared.tf (terraform)
========================
Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0107 (HIGH): Security group rule allows ingress from public internet.
════════════════════════════════════════
Security groups provide stateful filtering of ingress and egress network traffic to AWS
resources. It is recommended that no security group allows unrestricted ingress access to
remote server administration ports, such as SSH to port 22 and RDP to port 3389.


See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
 sg_shared.tf:29
   via sg_shared.tf:27-33 (aws_vpc_security_group_ingress_rule.fleet_manager)
────────────────────────────────────────
  27   resource "aws_vpc_security_group_ingress_rule" "fleet_manager" {
  28     security_group_id = aws_security_group.mis_ec2_shared.id
  29 [   cidr_ipv4         = "0.0.0.0/0"
  30     ip_protocol       = "tcp"
  31     from_port         = 3389
  32     to_port           = 3389
  33   }
────────────────────────────────────────


trivy_exitcode=1

@bill-buchan bill-buchan had a problem deploying to delius-mis-development December 20, 2024 16:41 — with GitHub Actions Failure
@bill-buchan bill-buchan had a problem deploying to delius-mis-development December 20, 2024 16:55 — with GitHub Actions Failure
@bill-buchan bill-buchan had a problem deploying to delius-mis-development December 20, 2024 17:02 — with GitHub Actions Failure

Trivy Scan Failed

```hcl

Trivy will check the following folders:
terraform/environments/delius-core/modules/components/oracle_db_shared
terraform/environments/delius-mis/modules/mis_environment


Running Trivy in terraform/environments/delius-core/modules/components/oracle_db_shared
2024-12-20T17:02:46Z INFO [vulndb] Need to update DB
2024-12-20T17:02:46Z INFO [vulndb] Downloading vulnerability DB...
2024-12-20T17:02:46Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-20T17:02:48Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-20T17:02:48Z INFO [vuln] Vulnerability scanning is enabled
2024-12-20T17:02:48Z INFO [misconfig] Misconfiguration scanning is enabled
2024-12-20T17:02:48Z INFO [misconfig] Need to update the built-in checks
2024-12-20T17:02:48Z INFO [misconfig] Downloading the built-in checks...
160.80 KiB / 160.80 KiB [------------------------------------------------------] 100.00% ? p/s 100ms2024-12-20T17:02:49Z INFO [secret] Secret scanning is enabled
2024-12-20T17:02:49Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-12-20T17:02:49Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-12-20T17:02:50Z INFO [terraform scanner] Scanning root module file_path="."
2024-12-20T17:02:50Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="account_config, account_info, bastion_sg_id, env_name, environment_config, instance_roles, platform_vars, public_keys, tags"
2024-12-20T17:02:50Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_s3_object.user_public_keys" value="cty.NilVal"
2024-12-20T17:02:51Z INFO [terraform executor] Ignore finding rule="aws-ec2-no-public-egress-sgr" range="sg.tf:16"
2024-12-20T17:02:51Z INFO Number of language-specific files num=0
2024-12-20T17:02:51Z INFO Detected config files num=4
trivy_exitcode=0


Running Trivy in terraform/environments/delius-mis/modules/mis_environment
2024-12-20T17:02:51Z INFO [vuln] Vulnerability scanning is enabled
2024-12-20T17:02:51Z INFO [misconfig] Misconfiguration scanning is enabled
2024-12-20T17:02:51Z INFO [secret] Secret scanning is enabled
2024-12-20T17:02:51Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-12-20T17:02:51Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-12-20T17:02:52Z INFO [terraform scanner] Scanning root module file_path="."
2024-12-20T17:02:52Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="account_config, account_info, app_name, bastion_config, bcs_config, boe_db_config, bps_config, bws_config, dis_config, domain_join_ports, dsd_db_config, env_name, environment_config, fsx_config, mis_db_config, platform_vars, tags"
2024-12-20T17:02:52Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_vpc_security_group_egress_rule.domain_join" value="cty.NilVal"
2024-12-20T17:02:52Z ERROR [terraform evaluator] Failed to expand dynamic block. block="aws_route53_resolver_endpoint.resolve_local_entries_using_ad_dns" err="1 error occurred:\n\t* invalid for-each in aws_route53_resolver_endpoint.resolve_local_entries_using_ad_dns.dynamic.ip_address block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-20T17:02:52Z ERROR [terraform evaluator] Failed to expand dynamic block. block="aws_route53_resolver_rule.r53_fwd_to_ad" err="1 error occurred:\n\t* invalid for-each in aws_route53_resolver_rule.r53_fwd_to_ad.dynamic.target_ip block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-20T17:02:52Z ERROR [terraform evaluator] Failed to expand dynamic block. block="aws_route53_resolver_endpoint.resolve_local_entries_using_ad_dns" err="1 error occurred:\n\t* invalid for-each in aws_route53_resolver_endpoint.resolve_local_entries_using_ad_dns.dynamic.ip_address block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-20T17:02:52Z ERROR [terraform evaluator] Failed to expand dynamic block. block="aws_route53_resolver_rule.r53_fwd_to_ad" err="1 error occurred:\n\t* invalid for-each in aws_route53_resolver_rule.r53_fwd_to_ad.dynamic.target_ip block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-20T17:02:53Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2024-12-20T17:02:53Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2024-12-20T17:02:53Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-20T17:02:53Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-20T17:02:53Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.pagerduty_core_alerts.data.aws_sns_topic.alarm_topics" value="cty.NilVal"
2024-12-20T17:02:53Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bcs_instance[0].aws_ebs_volume.this" value="cty.NilVal"
2024-12-20T17:02:53Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.bcs_instance[0].aws_instance.this" err="3 errors occurred:\n\t* invalid for-each in aws_instance.this.dynamic.ephemeral_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.ebs_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.private_dns_name_options block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-20T17:02:53Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.bcs_instance[0].aws_instance.this" err="3 errors occurred:\n\t* invalid for-each in aws_instance.this.dynamic.ephemeral_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.ebs_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.private_dns_name_options block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-20T17:02:53Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bps_instance[0].aws_ebs_volume.this" value="cty.NilVal"
2024-12-20T17:02:53Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.bps_instance[0].aws_instance.this" err="3 errors occurred:\n\t* invalid for-each in aws_instance.this.dynamic.ephemeral_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.ebs_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.private_dns_name_options block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-20T17:02:53Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.bps_instance[0].aws_instance.this" err="3 errors occurred:\n\t* invalid for-each in aws_instance.this.dynamic.ephemeral_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.ebs_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.private_dns_name_options block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-20T17:02:53Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bws_instance[0].aws_ebs_volume.this" value="cty.NilVal"
2024-12-20T17:02:53Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.bws_instance[0].aws_instance.this" err="3 errors occurred:\n\t* invalid for-each in aws_instance.this.dynamic.ephemeral_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.ebs_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.private_dns_name_options block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-20T17:02:53Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.bws_instance[0].aws_instance.this" err="3 errors occurred:\n\t* invalid for-each in aws_instance.this.dynamic.ephemeral_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.ebs_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.private_dns_name_options block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-20T17:02:53Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.dis_instance[0].aws_ebs_volume.this" value="cty.NilVal"
2024-12-20T17:02:53Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.dis_instance[0].aws_instance.this" err="3 errors occurred:\n\t* invalid for-each in aws_instance.this.dynamic.ephemeral_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.ebs_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.private_dns_name_options block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-20T17:02:53Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.dis_instance[0].aws_instance.this" err="3 errors occurred:\n\t* invalid for-each in aws_instance.this.dynamic.ephemeral_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.ebs_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.private_dns_name_options block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-20T17:02:54Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_boe[0].module.instance.aws_ebs_volume.this" value="cty.NilVal"
2024-12-20T17:02:54Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.oracle_db_boe[0].module.instance.aws_instance.this" err="2 errors occurred:\n\t* invalid for-each in aws_instance.this.dynamic.ephemeral_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.ebs_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-20T17:02:54Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.oracle_db_boe[0].module.instance.aws_instance.this" err="2 errors occurred:\n\t* invalid for-each in aws_instance.this.dynamic.ephemeral_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.ebs_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-20T17:02:54Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_dsd[0].module.instance.aws_ebs_volume.this" value="cty.NilVal"
2024-12-20T17:02:54Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.oracle_db_dsd[0].module.instance.aws_instance.this" err="2 errors occurred:\n\t* invalid for-each in aws_instance.this.dynamic.ephemeral_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.ebs_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-20T17:02:54Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.oracle_db_dsd[0].module.instance.aws_instance.this" err="2 errors occurred:\n\t* invalid for-each in aws_instance.this.dynamic.ephemeral_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.ebs_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-20T17:02:54Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_mis[0].module.instance.aws_ebs_volume.this" value="cty.NilVal"
2024-12-20T17:02:54Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.oracle_db_mis[0].module.instance.aws_instance.this" err="2 errors occurred:\n\t* invalid for-each in aws_instance.this.dynamic.ephemeral_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.ebs_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-20T17:02:54Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.oracle_db_mis[0].module.instance.aws_instance.this" err="2 errors occurred:\n\t* invalid for-each in aws_instance.this.dynamic.ephemeral_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.ebs_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-20T17:02:54Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["boe-db"].aws_s3_object.user_public_keys" value="cty.NilVal"
2024-12-20T17:02:54Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["dsd-db"].aws_s3_object.user_public_keys" value="cty.NilVal"
2024-12-20T17:02:54Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["mis-db"].aws_s3_object.user_public_keys" value="cty.NilVal"
2024-12-20T17:02:54Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.schedule_alarms[0].aws_cloudwatch_event_rule.alarm_scheduler" value="cty.NilVal"
2024-12-20T17:02:54Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.schedule_alarms[0].aws_cloudwatch_event_target.alarm_scheduler" value="cty.NilVal"
2024-12-20T17:02:54Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.schedule_alarms[0].aws_lambda_permission.allow_cloudwatch" value="cty.NilVal"
2024-12-20T17:02:59Z INFO [terraform executor] Ignore finding rule="aws-ec2-no-public-egress-sgr" range="../../../delius-core/modules/components/oracle_db_shared/sg.tf:16"
2024-12-20T17:02:59Z INFO [terraform executor] Ignore finding rule="aws-ec2-no-public-egress-sgr" range="../../../delius-core/modules/components/oracle_db_shared/sg.tf:16"
2024-12-20T17:02:59Z INFO [terraform executor] Ignore finding rule="aws-ec2-no-public-egress-sgr" range="../../../delius-core/modules/components/oracle_db_shared/sg.tf:16"
2024-12-20T17:02:59Z INFO [terraform executor] Ignore finding rule="aws-ec2-enforce-http-token-imds" range="github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance?ref=20622418aa13871c279c12d9ae5e98f29c9a46f0/main.tf:22"
2024-12-20T17:02:59Z INFO [terraform executor] Ignore finding rule="aws-ec2-enforce-http-token-imds" range="github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance?ref=20622418aa13871c279c12d9ae5e98f29c9a46f0/main.tf:22"
2024-12-20T17:02:59Z INFO [terraform executor] Ignore finding rule="aws-ec2-enforce-http-token-imds" range="github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance?ref=20622418aa13871c279c12d9ae5e98f29c9a46f0/main.tf:22"
2024-12-20T17:02:59Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=c918b2189d9f81d224e07e98fa1bc9ff38e4ba12/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2024-12-20T17:02:59Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0/main.tf:171-179"
2024-12-20T17:02:59Z INFO [terraform executor] Ignore finding rule="aws-ssm-secret-use-customer-key" range="secrets.tf:3-9"
2024-12-20T17:02:59Z INFO [terraform executor] Ignore finding rule="aws-ssm-secret-use-customer-key" range="secrets.tf:12-18"
2024-12-20T17:02:59Z INFO Number of language-specific files num=0
2024-12-20T17:02:59Z INFO Detected config files num=15

sg_shared.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0107 (HIGH): Security group rule allows ingress from public internet.
════════════════════════════════════════
Security groups provide stateful filtering of ingress and egress network traffic to AWS
resources. It is recommended that no security group allows unrestricted ingress access to
remote server administration ports, such as SSH to port 22 and RDP to port 3389.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
sg_shared.tf:29
via sg_shared.tf:27-33 (aws_vpc_security_group_ingress_rule.fleet_manager)
────────────────────────────────────────
27 resource "aws_vpc_security_group_ingress_rule" "fleet_manager" {
28 security_group_id = aws_security_group.mis_ec2_shared.id
29 [ cidr_ipv4 = "0.0.0.0/0"
30 ip_protocol = "tcp"
31 from_port = 3389
32 to_port = 3389
33 }
────────────────────────────────────────

trivy_exitcode=1

```

</details>

#### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/delius-core/modules/components/oracle_db_shared
terraform/environments/delius-mis/modules/mis_environment

*****************************

Running Checkov in terraform/environments/delius-core/modules/components/oracle_db_shared
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-12-20 17:03:02,187 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0:None (for external modules, the --download-external-modules flag is required)
2024-12-20 17:03:02,187 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 247, Failed checks: 3, Skipped checks: 19

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.oracle_ec2_snapshot_backup_role_policy
	File: /backup_vault.tf:18-40
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		18 | resource "aws_iam_policy" "oracle_ec2_snapshot_backup_role_policy" {
		19 |   name = "${var.env_name}-${var.db_suffix}-oracle-ec2-snapshot-backup-role-policy"
		20 |   description = "Allow iam:PassRole for AWSBackupDefaultServiceRole"
		21 | 
		22 |   policy = jsonencode({
		23 |     Version = "2012-10-17",
		24 |     Statement = [
		25 |       {
		26 |         Effect   = "Allow",
		27 |         Action   = "iam:PassRole",
		28 |         Resource = "arn:aws:iam::${var.account_info.id}:role/service-role/AWSBackupDefaultServiceRole"
		29 |       },
		30 |       {
		31 |         Effect  = "Allow"
		32 |         Action  = ["backup:ListBackupVaults",
		33 |                    "backup:StartBackupJob",
		34 |                    "backup:DescribeBackupJob",
		35 |                    "ec2:DescribeSnapshots"],
		36 |         Resource = "*"
		37 |       }
		38 |     ]
		39 |   })
		40 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.oracle_ec2_snapshot_backup_role_policy
	File: /backup_vault.tf:18-40
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		18 | resource "aws_iam_policy" "oracle_ec2_snapshot_backup_role_policy" {
		19 |   name = "${var.env_name}-${var.db_suffix}-oracle-ec2-snapshot-backup-role-policy"
		20 |   description = "Allow iam:PassRole for AWSBackupDefaultServiceRole"
		21 | 
		22 |   policy = jsonencode({
		23 |     Version = "2012-10-17",
		24 |     Statement = [
		25 |       {
		26 |         Effect   = "Allow",
		27 |         Action   = "iam:PassRole",
		28 |         Resource = "arn:aws:iam::${var.account_info.id}:role/service-role/AWSBackupDefaultServiceRole"
		29 |       },
		30 |       {
		31 |         Effect  = "Allow"
		32 |         Action  = ["backup:ListBackupVaults",
		33 |                    "backup:StartBackupJob",
		34 |                    "backup:DescribeBackupJob",
		35 |                    "ec2:DescribeSnapshots"],
		36 |         Resource = "*"
		37 |       }
		38 |     ]
		39 |   })
		40 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3_bucket_oracledb_backups_inventory
	File: /s3.tf:189-227
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		189 | module "s3_bucket_oracledb_backups_inventory" {
		190 |   source              = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0"
		191 |   bucket_name         = "${local.oracle_backup_bucket_prefix}-inventory"
		192 |   versioning_enabled  = false
		193 |   ownership_controls  = "BucketOwnerEnforced"
		194 |   replication_enabled = false
		195 |   custom_kms_key      = var.account_config.kms_keys.general_shared
		196 |   bucket_policy       = [data.aws_iam_policy_document.oracledb_backups_inventory.json]
		197 | 
		198 |   providers = {
		199 |     aws.bucket-replication = aws.bucket-replication
		200 |   }
		201 | 
		202 |   lifecycle_rule = [
		203 |     {
		204 |       id      = "main"
		205 |       enabled = "Enabled"
		206 |       prefix  = ""
		207 | 
		208 |       tags = {
		209 |         rule      = "log"
		210 |         autoclean = "true"
		211 |       }
		212 | 
		213 |       transition = [
		214 |         {
		215 |           days          = 90
		216 |           storage_class = "STANDARD_IA"
		217 |         }
		218 |       ]
		219 | 
		220 |       expiration = {
		221 |         days = 365
		222 |       }
		223 |     }
		224 |   ]
		225 | 
		226 |   tags = var.tags
		227 | }


checkov_exitcode=1

*****************************

Running Checkov in terraform/environments/delius-mis/modules/mis_environment
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-12-20 17:03:04,927 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=c918b2189d9f81d224e07e98fa1bc9ff38e4ba12:None (for external modules, the --download-external-modules flag is required)
2024-12-20 17:03:04,927 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0:None (for external modules, the --download-external-modules flag is required)
2024-12-20 17:03:04,927 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance?ref=49e289239aec2845924f00fc5969f35ae76122e2:None (for external modules, the --download-external-modules flag is required)
2024-12-20 17:03:04,927 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 977, Failed checks: 30, Skipped checks: 80

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: module.oracle_db_shared["mis-db"].aws_iam_policy.oracle_ec2_snapshot_backup_role_policy
	File: /../../../delius-core/modules/components/oracle_db_shared/backup_vault.tf:18-40
	Calling File: /databases.tf:13-42
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		18 | resource "aws_iam_policy" "oracle_ec2_snapshot_backup_role_policy" {
		19 |   name = "${var.env_name}-${var.db_suffix}-oracle-ec2-snapshot-backup-role-policy"
		20 |   description = "Allow iam:PassRole for AWSBackupDefaultServiceRole"
		21 | 
		22 |   policy = jsonencode({
		23 |     Version = "2012-10-17",
		24 |     Statement = [
		25 |       {
		26 |         Effect   = "Allow",
		27 |         Action   = "iam:PassRole",
		28 |         Resource = "arn:aws:iam::${var.account_info.id}:role/service-role/AWSBackupDefaultServiceRole"
		29 |       },
		30 |       {
		31 |         Effect  = "Allow"
		32 |         Action  = ["backup:ListBackupVaults",
		33 |                    "backup:StartBackupJob",
		34 |                    "backup:DescribeBackupJob",
		35 |                    "ec2:DescribeSnapshots"],
		36 |         Resource = "*"
		37 |       }
		38 |     ]
		39 |   })
		40 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.oracle_db_shared["mis-db"].aws_iam_policy.oracle_ec2_snapshot_backup_role_policy
	File: /../../../delius-core/modules/components/oracle_db_shared/backup_vault.tf:18-40
	Calling File: /databases.tf:13-42
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		18 | resource "aws_iam_policy" "oracle_ec2_snapshot_backup_role_policy" {
		19 |   name = "${var.env_name}-${var.db_suffix}-oracle-ec2-snapshot-backup-role-policy"
		20 |   description = "Allow iam:PassRole for AWSBackupDefaultServiceRole"
		21 | 
		22 |   policy = jsonencode({
		23 |     Version = "2012-10-17",
		24 |     Statement = [
		25 |       {
		26 |         Effect   = "Allow",
		27 |         Action   = "iam:PassRole",
		28 |         Resource = "arn:aws:iam::${var.account_info.id}:role/service-role/AWSBackupDefaultServiceRole"
		29 |       },
		30 |       {
		31 |         Effect  = "Allow"
		32 |         Action  = ["backup:ListBackupVaults",
		33 |                    "backup:StartBackupJob",
		34 |                    "backup:DescribeBackupJob",
		35 |                    "ec2:DescribeSnapshots"],
		36 |         Resource = "*"
		37 |       }
		38 |     ]
		39 |   })
		40 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.oracle_db_shared["mis-db"].s3_bucket_oracledb_backups_inventory
	File: /../../../delius-core/modules/components/oracle_db_shared/s3.tf:189-227
	Calling File: /databases.tf:13-42
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		189 | module "s3_bucket_oracledb_backups_inventory" {
		190 |   source              = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0"
		191 |   bucket_name         = "${local.oracle_backup_bucket_prefix}-inventory"
		192 |   versioning_enabled  = false
		193 |   ownership_controls  = "BucketOwnerEnforced"
		194 |   replication_enabled = false
		195 |   custom_kms_key      = var.account_config.kms_keys.general_shared
		196 |   bucket_policy       = [data.aws_iam_policy_document.oracledb_backups_inventory.json]
		197 | 
		198 |   providers = {
		199 |     aws.bucket-replication = aws.bucket-replication
		200 |   }
		201 | 
		202 |   lifecycle_rule = [
		203 |     {
		204 |       id      = "main"
		205 |       enabled = "Enabled"
		206 |       prefix  = ""
		207 | 
		208 |       tags = {
		209 |         rule      = "log"
		210 |         autoclean = "true"
		211 |       }
		212 | 
		213 |       transition = [
		214 |         {
		215 |           days          = 90
		216 |           storage_class = "STANDARD_IA"
		217 |         }
		218 |       ]
		219 | 
		220 |       expiration = {
		221 |         days = 365
		222 |       }
		223 |     }
		224 |   ]
		225 | 
		226 |   tags = var.tags
		227 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.bcs
	File: /bcs.tf:1-5
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		1 | resource "aws_security_group" "bcs" {
		2 |   #checkov:skip=CKV2_AWS_5 "ignore"
		3 |   name_prefix = "${var.env_name}-bcs"
		4 |   vpc_id      = var.account_info.vpc_id
		5 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.bps
	File: /bps.tf:1-5
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		1 | resource "aws_security_group" "bps" {
		2 |   #checkov:skip=CKV2_AWS_5 "ignore"
		3 |   name_prefix = "${var.env_name}-bps"
		4 |   vpc_id      = var.account_info.vpc_id
		5 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.bws
	File: /bws.tf:1-5
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		1 | resource "aws_security_group" "bws" {
		2 |   #checkov:skip=CKV2_AWS_5 "ignore"
		3 |   name_prefix = "${var.env_name}-bws"
		4 |   vpc_id      = var.account_info.vpc_id
		5 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.ad_admin_password
	File: /directory_service.tf:29-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		29 | resource "aws_secretsmanager_secret" "ad_admin_password" {
		30 |   name                    = "${var.app_name}-${var.env_name}-ad-admin-password"
		31 |   recovery_window_in_days = 0
		32 | 
		33 |   tags = merge(
		34 |     var.tags,
		35 |     {
		36 |       Name = "${var.app_name}-${var.env_name}-ad-admin-password"
		37 |     }
		38 |   )
		39 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.active_directory
	File: /directory_service.tf:49-52
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		49 | resource "aws_cloudwatch_log_group" "active_directory" {
		50 |   name              = "/aws/directoryservice/${aws_directory_service_directory.mis_ad.id}"
		51 |   retention_in_days = 14
		52 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.active_directory
	File: /directory_service.tf:49-52
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		49 | resource "aws_cloudwatch_log_group" "active_directory" {
		50 |   name              = "/aws/directoryservice/${aws_directory_service_directory.mis_ad.id}"
		51 |   retention_in_days = 14
		52 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.dis
	File: /dis.tf:1-5
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		1 | resource "aws_security_group" "dis" {
		2 |   #checkov:skip=CKV2_AWS_5 "ignore"
		3 |   name_prefix = "${var.env_name}-dis"
		4 |   vpc_id      = var.account_info.vpc_id
		5 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.delius_mis_alarms
	File: /pagerduty.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		1  | resource "aws_sns_topic" "delius_mis_alarms" {
		2  |   name = "${var.app_name}-${var.env_name}-sns-topic"
		3  | 
		4  |   tags = merge(
		5  |     var.tags,
		6  |     {
		7  |       Name = "${var.app_name}-${var.env_name}-sns-topic"
		8  |     }
		9  |   )
		10 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: pagerduty_core_alerts
	File: /pagerduty.tf:12-21
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		12 | module "pagerduty_core_alerts" {
		13 | 
		14 |   depends_on = [
		15 |     aws_sns_topic.delius_mis_alarms
		16 |   ]
		17 | 
		18 |   source                    = "github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0"
		19 |   sns_topics                = [aws_sns_topic.delius_mis_alarms.name]
		20 |   pagerduty_integration_key = var.pagerduty_integration_key
		21 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_ingress_rule.icmp
	File: /sg_legacy.tf:9-15
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		9  | resource "aws_vpc_security_group_ingress_rule" "icmp" {
		10 |   security_group_id = aws_security_group.legacy.id
		11 |   cidr_ipv4         = var.environment_config.legacy_counterpart_vpc_cidr
		12 |   ip_protocol       = "icmp"
		13 |   from_port         = -1
		14 |   to_port           = -1
		15 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.icmp
	File: /sg_legacy.tf:17-23
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		17 | resource "aws_vpc_security_group_egress_rule" "icmp" {
		18 |   security_group_id = aws_security_group.legacy.id
		19 |   cidr_ipv4         = var.environment_config.legacy_counterpart_vpc_cidr
		20 |   ip_protocol       = "icmp"
		21 |   from_port         = -1
		22 |   to_port           = -1
		23 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.http_s["80"]
	File: /sg_shared.tf:9-17
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		9  | resource "aws_vpc_security_group_egress_rule" "http_s" {
		10 |   for_each = toset(["80", "443"])
		11 | 
		12 |   security_group_id = aws_security_group.mis_ec2_shared.id
		13 |   cidr_ipv4         = "0.0.0.0/0"
		14 |   ip_protocol       = "tcp"
		15 |   from_port         = each.key
		16 |   to_port           = each.key
		17 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.fleet_manager
	File: /sg_shared.tf:19-25
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		19 | resource "aws_vpc_security_group_egress_rule" "fleet_manager" {
		20 |   security_group_id = aws_security_group.mis_ec2_shared.id
		21 |   cidr_ipv4         = "0.0.0.0/0"
		22 |   ip_protocol       = "tcp"
		23 |   from_port         = 3389
		24 |   to_port           = 3389
		25 | }

Check: CKV_AWS_25: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389"
	FAILED for resource: aws_vpc_security_group_ingress_rule.fleet_manager
	File: /sg_shared.tf:27-33
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-2

		27 | resource "aws_vpc_security_group_ingress_rule" "fleet_manager" {
		28 |   security_group_id = aws_security_group.mis_ec2_shared.id
		29 |   cidr_ipv4         = "0.0.0.0/0"
		30 |   ip_protocol       = "tcp"
		31 |   from_port         = 3389
		32 |   to_port           = 3389
		33 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_ingress_rule.fleet_manager
	File: /sg_shared.tf:27-33
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		27 | resource "aws_vpc_security_group_ingress_rule" "fleet_manager" {
		28 |   security_group_id = aws_security_group.mis_ec2_shared.id
		29 |   cidr_ipv4         = "0.0.0.0/0"
		30 |   ip_protocol       = "tcp"
		31 |   from_port         = 3389
		32 |   to_port           = 3389
		33 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.domain_join
	File: /sg_shared.tf:35-42
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		35 | resource "aws_vpc_security_group_egress_rule" "domain_join" {
		36 |   for_each                     = { for port in var.domain_join_ports : "${port.protocol}_${port.from_port}" => port }
		37 |   from_port                    = each.value.from_port
		38 |   to_port                      = each.value.to_port
		39 |   ip_protocol                  = each.value.protocol
		40 |   security_group_id            = aws_security_group.mis_ec2_shared.id
		41 |   referenced_security_group_id = aws_directory_service_directory.mis_ad.security_group_id
		42 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.http_s["443"]
	File: /sg_shared.tf:9-17
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		9  | resource "aws_vpc_security_group_egress_rule" "http_s" {
		10 |   for_each = toset(["80", "443"])
		11 | 
		12 |   security_group_id = aws_security_group.mis_ec2_shared.id
		13 |   cidr_ipv4         = "0.0.0.0/0"
		14 |   ip_protocol       = "tcp"
		15 |   from_port         = each.key
		16 |   to_port           = each.key
		17 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3_bucket_ssm_sessions
	File: /ssm.tf:4-16
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		4  | module "s3_bucket_ssm_sessions" {
		5  | 
		6  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0"
		7  | 
		8  |   bucket_prefix      = "${var.account_info.application_name}-${var.env_name}-ssm-sessions"
		9  |   versioning_enabled = false
		10 | 
		11 |   providers = {
		12 |     aws.bucket-replication = aws
		13 |   }
		14 | 
		15 |   tags = var.tags
		16 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: module.oracle_db_shared["dsd-db"].aws_iam_policy.oracle_ec2_snapshot_backup_role_policy
	File: /../../../delius-core/modules/components/oracle_db_shared/backup_vault.tf:18-40
	Calling File: /databases.tf:13-42
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		18 | resource "aws_iam_policy" "oracle_ec2_snapshot_backup_role_policy" {
		19 |   name = "${var.env_name}-${var.db_suffix}-oracle-ec2-snapshot-backup-role-policy"
		20 |   description = "Allow iam:PassRole for AWSBackupDefaultServiceRole"
		21 | 
		22 |   policy = jsonencode({
		23 |     Version = "2012-10-17",
		24 |     Statement = [
		25 |       {
		26 |         Effect   = "Allow",
		27 |         Action   = "iam:PassRole",
		28 |         Resource = "arn:aws:iam::${var.account_info.id}:role/service-role/AWSBackupDefaultServiceRole"
		29 |       },
		30 |       {
		31 |         Effect  = "Allow"
		32 |         Action  = ["backup:ListBackupVaults",
		33 |                    "backup:StartBackupJob",
		34 |                    "backup:DescribeBackupJob",
		35 |                    "ec2:DescribeSnapshots"],
		36 |         Resource = "*"
		37 |       }
		38 |     ]
		39 |   })
		40 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.oracle_db_shared["dsd-db"].aws_iam_policy.oracle_ec2_snapshot_backup_role_policy
	File: /../../../delius-core/modules/components/oracle_db_shared/backup_vault.tf:18-40
	Calling File: /databases.tf:13-42
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		18 | resource "aws_iam_policy" "oracle_ec2_snapshot_backup_role_policy" {
		19 |   name = "${var.env_name}-${var.db_suffix}-oracle-ec2-snapshot-backup-role-policy"
		20 |   description = "Allow iam:PassRole for AWSBackupDefaultServiceRole"
		21 | 
		22 |   policy = jsonencode({
		23 |     Version = "2012-10-17",
		24 |     Statement = [
		25 |       {
		26 |         Effect   = "Allow",
		27 |         Action   = "iam:PassRole",
		28 |         Resource = "arn:aws:iam::${var.account_info.id}:role/service-role/AWSBackupDefaultServiceRole"
		29 |       },
		30 |       {
		31 |         Effect  = "Allow"
		32 |         Action  = ["backup:ListBackupVaults",
		33 |                    "backup:StartBackupJob",
		34 |                    "backup:DescribeBackupJob",
		35 |                    "ec2:DescribeSnapshots"],
		36 |         Resource = "*"
		37 |       }
		38 |     ]
		39 |   })
		40 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.oracle_db_shared["dsd-db"].s3_bucket_oracledb_backups_inventory
	File: /../../../delius-core/modules/components/oracle_db_shared/s3.tf:189-227
	Calling File: /databases.tf:13-42
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		189 | module "s3_bucket_oracledb_backups_inventory" {
		190 |   source              = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0"
		191 |   bucket_name         = "${local.oracle_backup_bucket_prefix}-inventory"
		192 |   versioning_enabled  = false
		193 |   ownership_controls  = "BucketOwnerEnforced"
		194 |   replication_enabled = false
		195 |   custom_kms_key      = var.account_config.kms_keys.general_shared
		196 |   bucket_policy       = [data.aws_iam_policy_document.oracledb_backups_inventory.json]
		197 | 
		198 |   providers = {
		199 |     aws.bucket-replication = aws.bucket-replication
		200 |   }
		201 | 
		202 |   lifecycle_rule = [
		203 |     {
		204 |       id      = "main"
		205 |       enabled = "Enabled"
		206 |       prefix  = ""
		207 | 
		208 |       tags = {
		209 |         rule      = "log"
		210 |         autoclean = "true"
		211 |       }
		212 | 
		213 |       transition = [
		214 |         {
		215 |           days          = 90
		216 |           storage_class = "STANDARD_IA"
		217 |         }
		218 |       ]
		219 | 
		220 |       expiration = {
		221 |         days = 365
		222 |       }
		223 |     }
		224 |   ]
		225 | 
		226 |   tags = var.tags
		227 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: module.oracle_db_shared["boe-db"].aws_iam_policy.oracle_ec2_snapshot_backup_role_policy
	File: /../../../delius-core/modules/components/oracle_db_shared/backup_vault.tf:18-40
	Calling File: /databases.tf:13-42
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		18 | resource "aws_iam_policy" "oracle_ec2_snapshot_backup_role_policy" {
		19 |   name = "${var.env_name}-${var.db_suffix}-oracle-ec2-snapshot-backup-role-policy"
		20 |   description = "Allow iam:PassRole for AWSBackupDefaultServiceRole"
		21 | 
		22 |   policy = jsonencode({
		23 |     Version = "2012-10-17",
		24 |     Statement = [
		25 |       {
		26 |         Effect   = "Allow",
		27 |         Action   = "iam:PassRole",
		28 |         Resource = "arn:aws:iam::${var.account_info.id}:role/service-role/AWSBackupDefaultServiceRole"
		29 |       },
		30 |       {
		31 |         Effect  = "Allow"
		32 |         Action  = ["backup:ListBackupVaults",
		33 |                    "backup:StartBackupJob",
		34 |                    "backup:DescribeBackupJob",
		35 |                    "ec2:DescribeSnapshots"],
		36 |         Resource = "*"
		37 |       }
		38 |     ]
		39 |   })
		40 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.oracle_db_shared["boe-db"].aws_iam_policy.oracle_ec2_snapshot_backup_role_policy
	File: /../../../delius-core/modules/components/oracle_db_shared/backup_vault.tf:18-40
	Calling File: /databases.tf:13-42
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		18 | resource "aws_iam_policy" "oracle_ec2_snapshot_backup_role_policy" {
		19 |   name = "${var.env_name}-${var.db_suffix}-oracle-ec2-snapshot-backup-role-policy"
		20 |   description = "Allow iam:PassRole for AWSBackupDefaultServiceRole"
		21 | 
		22 |   policy = jsonencode({
		23 |     Version = "2012-10-17",
		24 |     Statement = [
		25 |       {
		26 |         Effect   = "Allow",
		27 |         Action   = "iam:PassRole",
		28 |         Resource = "arn:aws:iam::${var.account_info.id}:role/service-role/AWSBackupDefaultServiceRole"
		29 |       },
		30 |       {
		31 |         Effect  = "Allow"
		32 |         Action  = ["backup:ListBackupVaults",
		33 |                    "backup:StartBackupJob",
		34 |                    "backup:DescribeBackupJob",
		35 |                    "ec2:DescribeSnapshots"],
		36 |         Resource = "*"
		37 |       }
		38 |     ]
		39 |   })
		40 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.oracle_db_shared["boe-db"].s3_bucket_oracledb_backups_inventory
	File: /../../../delius-core/modules/components/oracle_db_shared/s3.tf:189-227
	Calling File: /databases.tf:13-42
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		189 | module "s3_bucket_oracledb_backups_inventory" {
		190 |   source              = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0"
		191 |   bucket_name         = "${local.oracle_backup_bucket_prefix}-inventory"
		192 |   versioning_enabled  = false
		193 |   ownership_controls  = "BucketOwnerEnforced"
		194 |   replication_enabled = false
		195 |   custom_kms_key      = var.account_config.kms_keys.general_shared
		196 |   bucket_policy       = [data.aws_iam_policy_document.oracledb_backups_inventory.json]
		197 | 
		198 |   providers = {
		199 |     aws.bucket-replication = aws.bucket-replication
		200 |   }
		201 | 
		202 |   lifecycle_rule = [
		203 |     {
		204 |       id      = "main"
		205 |       enabled = "Enabled"
		206 |       prefix  = ""
		207 | 
		208 |       tags = {
		209 |         rule      = "log"
		210 |         autoclean = "true"
		211 |       }
		212 | 
		213 |       transition = [
		214 |         {
		215 |           days          = 90
		216 |           storage_class = "STANDARD_IA"
		217 |         }
		218 |       ]
		219 | 
		220 |       expiration = {
		221 |         days = 365
		222 |       }
		223 |     }
		224 |   ]
		225 | 
		226 |   tags = var.tags
		227 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.ad_admin_password
	File: /directory_service.tf:29-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		29 | resource "aws_secretsmanager_secret" "ad_admin_password" {
		30 |   name                    = "${var.app_name}-${var.env_name}-ad-admin-password"
		31 |   recovery_window_in_days = 0
		32 | 
		33 |   tags = merge(
		34 |     var.tags,
		35 |     {
		36 |       Name = "${var.app_name}-${var.env_name}-ad-admin-password"
		37 |     }
		38 |   )
		39 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.ad_username
	File: /secrets.tf:3-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		3 | resource "aws_secretsmanager_secret" "ad_username" {
		4 |   #checkov:skip=CKV_AWS_149 "ignore"
		5 |   name                    = "${var.env_name}-legacy-ad-username"
		6 |   recovery_window_in_days = 0
		7 | 
		8 |   tags = var.tags
		9 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.ad_password
	File: /secrets.tf:12-18
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		12 | resource "aws_secretsmanager_secret" "ad_password" {
		13 |   #checkov:skip=CKV_AWS_149 "ignore"
		14 |   name                    = "${var.env_name}-legacy-ad-password"
		15 |   recovery_window_in_days = 0
		16 | 
		17 |   tags = var.tags
		18 | }


checkov_exitcode=2

TFLint Scan Failed

*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/delius-core/modules/components/oracle_db_shared
terraform/environments/delius-mis/modules/mis_environment

*****************************

Running tflint in terraform/environments/delius-core/modules/components/oracle_db_shared
Excluding the following checks: terraform_unused_declarations
7 issue(s) found:

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/delius-core/modules/components/oracle_db_shared/s3.tf line 10:
  10:       "${module.s3_bucket_oracledb_backups.bucket.arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/delius-core/modules/components/oracle_db_shared/s3.tf line 74:
  74:       "${module.s3_bucket_oracledb_backups.bucket.arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/delius-core/modules/components/oracle_db_shared/s3.tf line 87:
  87:       "${module.s3_bucket_oracledb_backups_inventory.bucket.arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/delius-core/modules/components/oracle_db_shared/s3.tf line 126:
 126:         "${module.s3_bucket_oracle_statistics[0].bucket.arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/delius-core/modules/components/oracle_db_shared/s3.tf line 241:
 241:       values   = ["${var.account_info.id}"]

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/delius-core/modules/components/oracle_db_shared/s3.tf line 253:
 253:       values   = ["${module.s3_bucket_oracledb_backups.bucket.arn}"]

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/delius-core/modules/components/oracle_db_shared/s3.tf line 294:
 294:     resources = ["${module.s3_bucket_oracle_statistics[0].bucket.arn}"]

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

tflint_exitcode=2

*****************************

Running tflint in terraform/environments/delius-mis/modules/mis_environment
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=2

Trivy Scan Failed

*****************************

Trivy will check the following folders:
terraform/environments/delius-core/modules/components/oracle_db_shared
terraform/environments/delius-mis/modules/mis_environment

*****************************

Running Trivy in terraform/environments/delius-core/modules/components/oracle_db_shared
2024-12-20T17:02:46Z	INFO	[vulndb] Need to update DB
2024-12-20T17:02:46Z	INFO	[vulndb] Downloading vulnerability DB...
2024-12-20T17:02:46Z	INFO	[vulndb] Downloading artifact...	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-20T17:02:48Z	INFO	[vulndb] Artifact successfully downloaded	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-20T17:02:48Z	INFO	[vuln] Vulnerability scanning is enabled
2024-12-20T17:02:48Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-12-20T17:02:48Z	INFO	[misconfig] Need to update the built-in checks
2024-12-20T17:02:48Z	INFO	[misconfig] Downloading the built-in checks...
160.80 KiB / 160.80 KiB [------------------------------------------------------] 100.00% ? p/s 100ms2024-12-20T17:02:49Z	INFO	[secret] Secret scanning is enabled
2024-12-20T17:02:49Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-12-20T17:02:49Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-12-20T17:02:50Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-12-20T17:02:50Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="account_config, account_info, bastion_sg_id, env_name, environment_config, instance_roles, platform_vars, public_keys, tags"
2024-12-20T17:02:50Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_s3_object.user_public_keys" value="cty.NilVal"
2024-12-20T17:02:51Z	INFO	[terraform executor] Ignore finding	rule="aws-ec2-no-public-egress-sgr" range="sg.tf:16"
2024-12-20T17:02:51Z	INFO	Number of language-specific files	num=0
2024-12-20T17:02:51Z	INFO	Detected config files	num=4
trivy_exitcode=0

*****************************

Running Trivy in terraform/environments/delius-mis/modules/mis_environment
2024-12-20T17:02:51Z	INFO	[vuln] Vulnerability scanning is enabled
2024-12-20T17:02:51Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-12-20T17:02:51Z	INFO	[secret] Secret scanning is enabled
2024-12-20T17:02:51Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-12-20T17:02:51Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-12-20T17:02:52Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-12-20T17:02:52Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="account_config, account_info, app_name, bastion_config, bcs_config, boe_db_config, bps_config, bws_config, dis_config, domain_join_ports, dsd_db_config, env_name, environment_config, fsx_config, mis_db_config, platform_vars, tags"
2024-12-20T17:02:52Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_vpc_security_group_egress_rule.domain_join" value="cty.NilVal"
2024-12-20T17:02:52Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="aws_route53_resolver_endpoint.resolve_local_entries_using_ad_dns" err="1 error occurred:\n\t* invalid for-each in aws_route53_resolver_endpoint.resolve_local_entries_using_ad_dns.dynamic.ip_address block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-20T17:02:52Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="aws_route53_resolver_rule.r53_fwd_to_ad" err="1 error occurred:\n\t* invalid for-each in aws_route53_resolver_rule.r53_fwd_to_ad.dynamic.target_ip block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-20T17:02:52Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="aws_route53_resolver_endpoint.resolve_local_entries_using_ad_dns" err="1 error occurred:\n\t* invalid for-each in aws_route53_resolver_endpoint.resolve_local_entries_using_ad_dns.dynamic.ip_address block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-20T17:02:52Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="aws_route53_resolver_rule.r53_fwd_to_ad" err="1 error occurred:\n\t* invalid for-each in aws_route53_resolver_rule.r53_fwd_to_ad.dynamic.target_ip block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-20T17:02:53Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2024-12-20T17:02:53Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2024-12-20T17:02:53Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-20T17:02:53Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-20T17:02:53Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.pagerduty_core_alerts.data.aws_sns_topic.alarm_topics" value="cty.NilVal"
2024-12-20T17:02:53Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bcs_instance[0].aws_ebs_volume.this" value="cty.NilVal"
2024-12-20T17:02:53Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.bcs_instance[0].aws_instance.this" err="3 errors occurred:\n\t* invalid for-each in aws_instance.this.dynamic.ephemeral_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.ebs_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.private_dns_name_options block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-20T17:02:53Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.bcs_instance[0].aws_instance.this" err="3 errors occurred:\n\t* invalid for-each in aws_instance.this.dynamic.ephemeral_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.ebs_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.private_dns_name_options block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-20T17:02:53Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bps_instance[0].aws_ebs_volume.this" value="cty.NilVal"
2024-12-20T17:02:53Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.bps_instance[0].aws_instance.this" err="3 errors occurred:\n\t* invalid for-each in aws_instance.this.dynamic.ephemeral_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.ebs_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.private_dns_name_options block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-20T17:02:53Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.bps_instance[0].aws_instance.this" err="3 errors occurred:\n\t* invalid for-each in aws_instance.this.dynamic.ephemeral_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.ebs_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.private_dns_name_options block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-20T17:02:53Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bws_instance[0].aws_ebs_volume.this" value="cty.NilVal"
2024-12-20T17:02:53Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.bws_instance[0].aws_instance.this" err="3 errors occurred:\n\t* invalid for-each in aws_instance.this.dynamic.ephemeral_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.ebs_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.private_dns_name_options block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-20T17:02:53Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.bws_instance[0].aws_instance.this" err="3 errors occurred:\n\t* invalid for-each in aws_instance.this.dynamic.ephemeral_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.ebs_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.private_dns_name_options block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-20T17:02:53Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.dis_instance[0].aws_ebs_volume.this" value="cty.NilVal"
2024-12-20T17:02:53Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.dis_instance[0].aws_instance.this" err="3 errors occurred:\n\t* invalid for-each in aws_instance.this.dynamic.ephemeral_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.ebs_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.private_dns_name_options block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-20T17:02:53Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.dis_instance[0].aws_instance.this" err="3 errors occurred:\n\t* invalid for-each in aws_instance.this.dynamic.ephemeral_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.ebs_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.private_dns_name_options block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-20T17:02:54Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_boe[0].module.instance.aws_ebs_volume.this" value="cty.NilVal"
2024-12-20T17:02:54Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.oracle_db_boe[0].module.instance.aws_instance.this" err="2 errors occurred:\n\t* invalid for-each in aws_instance.this.dynamic.ephemeral_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.ebs_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-20T17:02:54Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.oracle_db_boe[0].module.instance.aws_instance.this" err="2 errors occurred:\n\t* invalid for-each in aws_instance.this.dynamic.ephemeral_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.ebs_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-20T17:02:54Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_dsd[0].module.instance.aws_ebs_volume.this" value="cty.NilVal"
2024-12-20T17:02:54Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.oracle_db_dsd[0].module.instance.aws_instance.this" err="2 errors occurred:\n\t* invalid for-each in aws_instance.this.dynamic.ephemeral_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.ebs_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-20T17:02:54Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.oracle_db_dsd[0].module.instance.aws_instance.this" err="2 errors occurred:\n\t* invalid for-each in aws_instance.this.dynamic.ephemeral_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.ebs_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-20T17:02:54Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_mis[0].module.instance.aws_ebs_volume.this" value="cty.NilVal"
2024-12-20T17:02:54Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.oracle_db_mis[0].module.instance.aws_instance.this" err="2 errors occurred:\n\t* invalid for-each in aws_instance.this.dynamic.ephemeral_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.ebs_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-20T17:02:54Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.oracle_db_mis[0].module.instance.aws_instance.this" err="2 errors occurred:\n\t* invalid for-each in aws_instance.this.dynamic.ephemeral_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.ebs_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-20T17:02:54Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_shared[\"boe-db\"].aws_s3_object.user_public_keys" value="cty.NilVal"
2024-12-20T17:02:54Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_shared[\"dsd-db\"].aws_s3_object.user_public_keys" value="cty.NilVal"
2024-12-20T17:02:54Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_shared[\"mis-db\"].aws_s3_object.user_public_keys" value="cty.NilVal"
2024-12-20T17:02:54Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.schedule_alarms[0].aws_cloudwatch_event_rule.alarm_scheduler" value="cty.NilVal"
2024-12-20T17:02:54Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.schedule_alarms[0].aws_cloudwatch_event_target.alarm_scheduler" value="cty.NilVal"
2024-12-20T17:02:54Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.schedule_alarms[0].aws_lambda_permission.allow_cloudwatch" value="cty.NilVal"
2024-12-20T17:02:59Z	INFO	[terraform executor] Ignore finding	rule="aws-ec2-no-public-egress-sgr" range="../../../delius-core/modules/components/oracle_db_shared/sg.tf:16"
2024-12-20T17:02:59Z	INFO	[terraform executor] Ignore finding	rule="aws-ec2-no-public-egress-sgr" range="../../../delius-core/modules/components/oracle_db_shared/sg.tf:16"
2024-12-20T17:02:59Z	INFO	[terraform executor] Ignore finding	rule="aws-ec2-no-public-egress-sgr" range="../../../delius-core/modules/components/oracle_db_shared/sg.tf:16"
2024-12-20T17:02:59Z	INFO	[terraform executor] Ignore finding	rule="aws-ec2-enforce-http-token-imds" range="github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance?ref=20622418aa13871c279c12d9ae5e98f29c9a46f0/main.tf:22"
2024-12-20T17:02:59Z	INFO	[terraform executor] Ignore finding	rule="aws-ec2-enforce-http-token-imds" range="github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance?ref=20622418aa13871c279c12d9ae5e98f29c9a46f0/main.tf:22"
2024-12-20T17:02:59Z	INFO	[terraform executor] Ignore finding	rule="aws-ec2-enforce-http-token-imds" range="github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance?ref=20622418aa13871c279c12d9ae5e98f29c9a46f0/main.tf:22"
2024-12-20T17:02:59Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=c918b2189d9f81d224e07e98fa1bc9ff38e4ba12/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2024-12-20T17:02:59Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0/main.tf:171-179"
2024-12-20T17:02:59Z	INFO	[terraform executor] Ignore finding	rule="aws-ssm-secret-use-customer-key" range="secrets.tf:3-9"
2024-12-20T17:02:59Z	INFO	[terraform executor] Ignore finding	rule="aws-ssm-secret-use-customer-key" range="secrets.tf:12-18"
2024-12-20T17:02:59Z	INFO	Number of language-specific files	num=0
2024-12-20T17:02:59Z	INFO	Detected config files	num=15

sg_shared.tf (terraform)
========================
Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0107 (HIGH): Security group rule allows ingress from public internet.
════════════════════════════════════════
Security groups provide stateful filtering of ingress and egress network traffic to AWS
resources. It is recommended that no security group allows unrestricted ingress access to
remote server administration ports, such as SSH to port 22 and RDP to port 3389.


See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
 sg_shared.tf:29
   via sg_shared.tf:27-33 (aws_vpc_security_group_ingress_rule.fleet_manager)
────────────────────────────────────────
  27   resource "aws_vpc_security_group_ingress_rule" "fleet_manager" {
  28     security_group_id = aws_security_group.mis_ec2_shared.id
  29 [   cidr_ipv4         = "0.0.0.0/0"
  30     ip_protocol       = "tcp"
  31     from_port         = 3389
  32     to_port           = 3389
  33   }
────────────────────────────────────────


trivy_exitcode=1

@bill-buchan bill-buchan temporarily deployed to delius-core-development December 20, 2024 17:11 — with GitHub Actions Inactive
georgepstaylor
georgepstaylor previously approved these changes Dec 20, 2024
@bill-buchan bill-buchan had a problem deploying to delius-mis-development December 24, 2024 09:53 — with GitHub Actions Failure
@bill-buchan bill-buchan requested a deployment to delius-mis-development December 24, 2024 16:04 — with GitHub Actions Waiting
@bill-buchan bill-buchan requested a deployment to delius-core-development December 24, 2024 16:04 — with GitHub Actions Waiting
Contributor

Trivy Scan Failed

Show Output

```hcl

Trivy will check the following folders:
terraform/environments/delius-core/modules/components/oracle_db_shared
terraform/environments/delius-core/modules/delius_environment
terraform/environments/delius-mis/modules/mis_environment


Running Trivy in terraform/environments/delius-core/modules/components/oracle_db_shared
2024-12-24T16:05:00Z INFO [vulndb] Need to update DB
2024-12-24T16:05:00Z INFO [vulndb] Downloading vulnerability DB...
2024-12-24T16:05:00Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-24T16:05:02Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-24T16:05:02Z INFO [vuln] Vulnerability scanning is enabled
2024-12-24T16:05:02Z INFO [misconfig] Misconfiguration scanning is enabled
2024-12-24T16:05:02Z INFO [misconfig] Need to update the built-in checks
2024-12-24T16:05:02Z INFO [misconfig] Downloading the built-in checks...
160.80 KiB / 160.80 KiB [---------------------------------------------------------] 100.00% ? p/s 0s
2024-12-24T16:05:03Z INFO [secret] Secret scanning is enabled
2024-12-24T16:05:03Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-12-24T16:05:03Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-12-24T16:05:04Z INFO [terraform scanner] Scanning root module file_path="."
2024-12-24T16:05:04Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="account_config, account_info, bastion_sg_id, env_name, environment_config, platform_vars, public_keys, tags"
2024-12-24T16:05:04Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_s3_object.user_public_keys" value="cty.NilVal"
2024-12-24T16:05:05Z INFO [terraform executor] Ignore finding rule="aws-ec2-no-public-egress-sgr" range="sg.tf:16"
2024-12-24T16:05:05Z INFO Number of language-specific files num=0
2024-12-24T16:05:05Z INFO Detected config files num=5
trivy_exitcode=0


Running Trivy in terraform/environments/delius-core/modules/delius_environment
2024-12-24T16:05:05Z INFO [vuln] Vulnerability scanning is enabled
2024-12-24T16:05:05Z INFO [misconfig] Misconfiguration scanning is enabled
2024-12-24T16:05:05Z INFO [secret] Secret scanning is enabled
2024-12-24T16:05:05Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-12-24T16:05:05Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-12-24T16:05:07Z INFO [terraform scanner] Scanning root module file_path="."
2024-12-24T16:05:07Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="account_config, account_info, app_name, bastion_config, db_config, delius_microservice_configs, dms_config, env_name, env_name_to_dms_config_map, environment_config, platform_vars, tags"
2024-12-24T16:05:07Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_vpc_security_group_ingress_rule.alfresco_sfs_alb" value="cty.NilVal"
2024-12-24T16:05:07Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_vpc_security_group_ingress_rule.ancillary_alb_ingress_https_global_protect_allowlist" value="cty.NilVal"
2024-12-24T16:05:07Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_vpc_security_group_ingress_rule.delius_core_frontend_alb_ingress_https_global_protect_allowlist" value="cty.NilVal"
2024-12-24T16:05:08Z ERROR [terraform evaluator] Failed to load module. Maybe try 'terraform init'? err="open cluster: no such file or directory"
2024-12-24T16:05:08Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.alfresco_efs.aws_efs_mount_target.this" value="cty.NilVal"
2024-12-24T16:05:09Z ERROR [terraform evaluator] Failed to load module. Maybe try 'terraform init'? err="open container: no such file or directory"
2024-12-24T16:05:09Z ERROR [terraform evaluator] Failed to load module. Maybe try 'terraform init'? err="open service: no such file or directory"
2024-12-24T16:05:09Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2024-12-24T16:05:09Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2024-12-24T16:05:09Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-24T16:05:09Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-24T16:05:09Z ERROR [terraform evaluator] Failed to load module. Maybe try 'terraform init'? err="open container: no such file or directory"
2024-12-24T16:05:09Z ERROR [terraform evaluator] Failed to load module. Maybe try 'terraform init'? err="open service: no such file or directory"
2024-12-24T16:05:09Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.ldap.module.efs.aws_efs_mount_target.this" value="cty.NilVal"
2024-12-24T16:05:09Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.ldap.module.s3_bucket_ldap_data_refresh.data.aws_iam_policy_document.bucket_policy_v2" err="1 error occurred:\n\t* invalid for-each in data.aws_iam_policy_document.bucket_policy_v2.dynamic.statement block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-24T16:05:09Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.ldap.module.s3_bucket_ldap_data_refresh.data.aws_iam_policy_document.bucket_policy_v2" err="1 error occurred:\n\t* invalid for-each in data.aws_iam_policy_document.bucket_policy_v2.dynamic.statement block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-24T16:05:09Z ERROR [terraform evaluator] Failed to load module. Maybe try 'terraform init'? err="open container: no such file or directory"
2024-12-24T16:05:09Z ERROR [terraform evaluator] Failed to load module. Maybe try 'terraform init'? err="open service: no such file or directory"
2024-12-24T16:05:09Z ERROR [terraform evaluator] Failed to load module. Maybe try 'terraform init'? err="open container: no such file or directory"
2024-12-24T16:05:09Z ERROR [terraform evaluator] Failed to load module. Maybe try 'terraform init'? err="open service: no such file or directory"
2024-12-24T16:05:09Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared.aws_s3_object.user_public_keys" value="cty.NilVal"
2024-12-24T16:05:10Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.pagerduty_core_alerts.data.aws_sns_topic.alarm_topics" value="cty.NilVal"
2024-12-24T16:05:10Z ERROR [terraform evaluator] Failed to load module. Maybe try 'terraform init'? err="open container: no such file or directory"
2024-12-24T16:05:10Z ERROR [terraform evaluator] Failed to load module. Maybe try 'terraform init'? err="open service: no such file or directory"
2024-12-24T16:05:10Z ERROR [terraform evaluator] Failed to load module. Maybe try 'terraform init'? err="open container: no such file or directory"
2024-12-24T16:05:10Z ERROR [terraform evaluator] Failed to load module. Maybe try 'terraform init'? err="open service: no such file or directory"
2024-12-24T16:05:10Z ERROR [terraform evaluator] Failed to load module. Maybe try 'terraform init'? err="open container: no such file or directory"
2024-12-24T16:05:10Z ERROR [terraform evaluator] Failed to load module. Maybe try 'terraform init'? err="open service: no such file or directory"
2024-12-24T16:05:10Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.dms[0].aws_cloudwatch_metric_alarm.dms_cdc_latency_source" value="cty.NilVal"
2024-12-24T16:05:10Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.dms[0].aws_cloudwatch_metric_alarm.dms_cdc_latency_target" value="cty.NilVal"
2024-12-24T16:05:10Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.dms[0].aws_dms_replication_task.audited_interaction_checksum_inbound_replication" value="cty.NilVal"
2024-12-24T16:05:10Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.dms[0].aws_dms_replication_task.audited_interaction_inbound_replication" value="cty.NilVal"
2024-12-24T16:05:10Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.dms[0].aws_dms_replication_task.business_interaction_inbound_replication" value="cty.NilVal"
2024-12-24T16:05:10Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.dms[0].aws_dms_replication_task.user_outbound_replication" value="cty.NilVal"
2024-12-24T16:05:10Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.dms[0].aws_dms_s3_endpoint.dms_audit_source_endpoint_s3" value="cty.NilVal"
2024-12-24T16:05:10Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.dms[0].aws_dms_s3_endpoint.dms_user_target_endpoint_s3" value="cty.NilVal"
2024-12-24T16:05:10Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_primary[0].module.instance.aws_ebs_volume.this" value="cty.NilVal"
2024-12-24T16:05:10Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.oracle_db_primary[0].module.instance.aws_instance.this" err="2 errors occurred:\n\t* invalid for-each in aws_instance.this.dynamic.ephemeral_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.ebs_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-24T16:05:10Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.oracle_db_primary[0].module.instance.aws_instance.this" err="2 errors occurred:\n\t* invalid for-each in aws_instance.this.dynamic.ephemeral_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.ebs_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-24T16:05:10Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_standby[0].module.instance.aws_ebs_volume.this" value="cty.NilVal"
2024-12-24T16:05:10Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.oracle_db_standby[0].module.instance.aws_instance.this" err="2 errors occurred:\n\t* invalid for-each in aws_instance.this.dynamic.ephemeral_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.ebs_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-24T16:05:10Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.oracle_db_standby[0].module.instance.aws_instance.this" err="2 errors occurred:\n\t* invalid for-each in aws_instance.this.dynamic.ephemeral_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.ebs_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-24T16:05:20Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=c918b2189d9f81d224e07e98fa1bc9ff38e4ba12/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2024-12-24T16:05:20Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0/main.tf:171-179"
2024-12-24T16:05:20Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0/main.tf:171-179"
2024-12-24T16:05:20Z INFO [terraform executor] Ignore finding rule="aws-elb-alb-not-public" range="alb_frontend.tf:43"
2024-12-24T16:05:20Z INFO [terraform executor] Ignore finding rule="aws-elb-alb-not-public" range="alb_ancillary.tf:45"
2024-12-24T16:05:20Z INFO [terraform executor] Ignore finding rule="aws-ec2-no-public-egress-sgr" range="../components/oracle_db_shared/sg.tf:16"
2024-12-24T16:05:20Z INFO [terraform executor] Ignore finding rule="aws-ec2-enforce-http-token-imds" range="github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance?ref=20622418aa13871c279c12d9ae5e98f29c9a46f0/main.tf:22"
2024-12-24T16:05:20Z INFO [terraform executor] Ignore finding rule="aws-ec2-enforce-http-token-imds" range="github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance?ref=20622418aa13871c279c12d9ae5e98f29c9a46f0/main.tf:22"
2024-12-24T16:05:20Z INFO Number of language-specific files num=0
2024-12-24T16:05:20Z INFO Detected config files num=18

(terraform)

Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0052 (HIGH): Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.

See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────

AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────

trivy_exitcode=1


Running Trivy in terraform/environments/delius-mis/modules/mis_environment
2024-12-24T16:05:20Z INFO [vuln] Vulnerability scanning is enabled
2024-12-24T16:05:20Z INFO [misconfig] Misconfiguration scanning is enabled
2024-12-24T16:05:20Z INFO [secret] Secret scanning is enabled
2024-12-24T16:05:20Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-12-24T16:05:20Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-12-24T16:05:21Z INFO [terraform scanner] Scanning root module file_path="."
2024-12-24T16:05:21Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="account_config, account_info, app_name, bastion_config, bcs_config, boe_db_config, bps_config, bws_config, dis_config, domain_join_ports, dsd_db_config, env_name, environment_config, fsx_config, mis_db_config, platform_vars, tags"
2024-12-24T16:05:21Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_vpc_security_group_egress_rule.domain_join" value="cty.NilVal"
2024-12-24T16:05:21Z ERROR [terraform evaluator] Failed to expand dynamic block. block="aws_route53_resolver_endpoint.resolve_local_entries_using_ad_dns" err="1 error occurred:\n\t* invalid for-each in aws_route53_resolver_endpoint.resolve_local_entries_using_ad_dns.dynamic.ip_address block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-24T16:05:21Z ERROR [terraform evaluator] Failed to expand dynamic block. block="aws_route53_resolver_rule.r53_fwd_to_ad" err="1 error occurred:\n\t* invalid for-each in aws_route53_resolver_rule.r53_fwd_to_ad.dynamic.target_ip block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-24T16:05:21Z ERROR [terraform evaluator] Failed to expand dynamic block. block="aws_route53_resolver_endpoint.resolve_local_entries_using_ad_dns" err="1 error occurred:\n\t* invalid for-each in aws_route53_resolver_endpoint.resolve_local_entries_using_ad_dns.dynamic.ip_address block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-24T16:05:21Z ERROR [terraform evaluator] Failed to expand dynamic block. block="aws_route53_resolver_rule.r53_fwd_to_ad" err="1 error occurred:\n\t* invalid for-each in aws_route53_resolver_rule.r53_fwd_to_ad.dynamic.target_ip block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-24T16:05:21Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2024-12-24T16:05:21Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2024-12-24T16:05:21Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-24T16:05:21Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-24T16:05:21Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.pagerduty_core_alerts.data.aws_sns_topic.alarm_topics" value="cty.NilVal"
2024-12-24T16:05:22Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bcs_instance[0].aws_ebs_volume.this" value="cty.NilVal"
2024-12-24T16:05:22Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.bcs_instance[0].aws_instance.this" err="3 errors occurred:\n\t* invalid for-each in aws_instance.this.dynamic.ephemeral_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.ebs_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.private_dns_name_options block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-24T16:05:22Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.bcs_instance[0].aws_instance.this" err="3 errors occurred:\n\t* invalid for-each in aws_instance.this.dynamic.ephemeral_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.ebs_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.private_dns_name_options block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-24T16:05:22Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bps_instance[0].aws_ebs_volume.this" value="cty.NilVal"
2024-12-24T16:05:22Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.bps_instance[0].aws_instance.this" err="3 errors occurred:\n\t* invalid for-each in aws_instance.this.dynamic.ephemeral_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.ebs_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.private_dns_name_options block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-24T16:05:22Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.bps_instance[0].aws_instance.this" err="3 errors occurred:\n\t* invalid for-each in aws_instance.this.dynamic.ephemeral_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.ebs_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.private_dns_name_options block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-24T16:05:22Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bws_instance[0].aws_ebs_volume.this" value="cty.NilVal"
2024-12-24T16:05:22Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.bws_instance[0].aws_instance.this" err="3 errors occurred:\n\t* invalid for-each in aws_instance.this.dynamic.ephemeral_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.ebs_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.private_dns_name_options block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-24T16:05:22Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.bws_instance[0].aws_instance.this" err="3 errors occurred:\n\t* invalid for-each in aws_instance.this.dynamic.ephemeral_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.ebs_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.private_dns_name_options block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-24T16:05:22Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.dis_instance[0].aws_ebs_volume.this" value="cty.NilVal"
2024-12-24T16:05:22Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.dis_instance[0].aws_instance.this" err="3 errors occurred:\n\t* invalid for-each in aws_instance.this.dynamic.ephemeral_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.ebs_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.private_dns_name_options block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-24T16:05:22Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.dis_instance[0].aws_instance.this" err="3 errors occurred:\n\t* invalid for-each in aws_instance.this.dynamic.ephemeral_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.ebs_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.private_dns_name_options block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-24T16:05:22Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_boe[0].module.instance.aws_ebs_volume.this" value="cty.NilVal"
2024-12-24T16:05:22Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.oracle_db_boe[0].module.instance.aws_instance.this" err="2 errors occurred:\n\t* invalid for-each in aws_instance.this.dynamic.ephemeral_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.ebs_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-24T16:05:22Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.oracle_db_boe[0].module.instance.aws_instance.this" err="2 errors occurred:\n\t* invalid for-each in aws_instance.this.dynamic.ephemeral_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.ebs_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-24T16:05:22Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_dsd[0].module.instance.aws_ebs_volume.this" value="cty.NilVal"
2024-12-24T16:05:22Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.oracle_db_dsd[0].module.instance.aws_instance.this" err="2 errors occurred:\n\t* invalid for-each in aws_instance.this.dynamic.ephemeral_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.ebs_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-24T16:05:22Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.oracle_db_dsd[0].module.instance.aws_instance.this" err="2 errors occurred:\n\t* invalid for-each in aws_instance.this.dynamic.ephemeral_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.ebs_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-24T16:05:22Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_mis[0].module.instance.aws_ebs_volume.this" value="cty.NilVal"
2024-12-24T16:05:22Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.oracle_db_mis[0].module.instance.aws_instance.this" err="2 errors occurred:\n\t* invalid for-each in aws_instance.this.dynamic.ephemeral_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.ebs_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-24T16:05:22Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.oracle_db_mis[0].module.instance.aws_instance.this" err="2 errors occurred:\n\t* invalid for-each in aws_instance.this.dynamic.ephemeral_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.ebs_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-24T16:05:22Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["boe-db"].aws_s3_object.user_public_keys" value="cty.NilVal"
2024-12-24T16:05:22Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["dsd-db"].aws_s3_object.user_public_keys" value="cty.NilVal"
2024-12-24T16:05:22Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["mis-db"].aws_s3_object.user_public_keys" value="cty.NilVal"
2024-12-24T16:05:22Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.schedule_alarms[0].aws_cloudwatch_event_rule.alarm_scheduler" value="cty.NilVal"
2024-12-24T16:05:22Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.schedule_alarms[0].aws_cloudwatch_event_target.alarm_scheduler" value="cty.NilVal"
2024-12-24T16:05:22Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.schedule_alarms[0].aws_lambda_permission.allow_cloudwatch" value="cty.NilVal"
2024-12-24T16:05:27Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=c918b2189d9f81d224e07e98fa1bc9ff38e4ba12/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2024-12-24T16:05:27Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0/main.tf:171-179"
2024-12-24T16:05:27Z INFO [terraform executor] Ignore finding rule="aws-ec2-no-public-egress-sgr" range="../../../delius-core/modules/components/oracle_db_shared/sg.tf:16"
2024-12-24T16:05:27Z INFO [terraform executor] Ignore finding rule="aws-ec2-no-public-egress-sgr" range="../../../delius-core/modules/components/oracle_db_shared/sg.tf:16"
2024-12-24T16:05:27Z INFO [terraform executor] Ignore finding rule="aws-ec2-no-public-egress-sgr" range="../../../delius-core/modules/components/oracle_db_shared/sg.tf:16"
2024-12-24T16:05:27Z INFO [terraform executor] Ignore finding rule="aws-ssm-secret-use-customer-key" range="secrets.tf:3-9"
2024-12-24T16:05:27Z INFO [terraform executor] Ignore finding rule="aws-ssm-secret-use-customer-key" range="secrets.tf:12-18"
2024-12-24T16:05:27Z INFO [terraform executor] Ignore finding rule="aws-ec2-enforce-http-token-imds" range="github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance?ref=20622418aa13871c279c12d9ae5e98f29c9a46f0/main.tf:22"
2024-12-24T16:05:27Z INFO [terraform executor] Ignore finding rule="aws-ec2-enforce-http-token-imds" range="github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance?ref=20622418aa13871c279c12d9ae5e98f29c9a46f0/main.tf:22"
2024-12-24T16:05:27Z INFO [terraform executor] Ignore finding rule="aws-ec2-enforce-http-token-imds" range="github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance?ref=20622418aa13871c279c12d9ae5e98f29c9a46f0/main.tf:22"
2024-12-24T16:05:27Z INFO Number of language-specific files num=0
2024-12-24T16:05:27Z INFO Detected config files num=16

sg_shared.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0107 (HIGH): Security group rule allows ingress from public internet.
════════════════════════════════════════
Security groups provide stateful filtering of ingress and egress network traffic to AWS
resources. It is recommended that no security group allows unrestricted ingress access to
remote server administration ports, such as SSH to port 22 and RDP to port 3389.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
sg_shared.tf:29
via sg_shared.tf:27-33 (aws_vpc_security_group_ingress_rule.fleet_manager)
────────────────────────────────────────
27 resource "aws_vpc_security_group_ingress_rule" "fleet_manager" {
28 security_group_id = aws_security_group.mis_ec2_shared.id
29 [ cidr_ipv4 = "0.0.0.0/0"
30 ip_protocol = "tcp"
31 from_port = 3389
32 to_port = 3389
33 }
────────────────────────────────────────

trivy_exitcode=2

</details>

#### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/delius-core/modules/components/oracle_db_shared
terraform/environments/delius-core/modules/delius_environment
terraform/environments/delius-mis/modules/mis_environment

*****************************

Running Checkov in terraform/environments/delius-core/modules/components/oracle_db_shared
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-12-24 16:05:29,748 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0:None (for external modules, the --download-external-modules flag is required)
2024-12-24 16:05:29,749 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 250, Failed checks: 3, Skipped checks: 19

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.oracle_ec2_snapshot_backup_role_policy_document
	File: /backup_vault.tf:18-32
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		18 | data "aws_iam_policy_document" "oracle_ec2_snapshot_backup_role_policy_document" {
		19 |    statement {
		20 |        effect    = "Allow"
		21 |        actions   = ["iam:PassRole"]
		22 |        resources = ["arn:aws:iam::${var.account_info.id}:role/service-role/AWSBackupDefaultServiceRole"]
		23 |    }
		24 |    statement {
		25 |        effect    = "Allow"
		26 |        actions   = ["backup:ListBackupVaults",
		27 |                    "backup:StartBackupJob",
		28 |                    "backup:DescribeBackupJob",
		29 |                    "ec2:DescribeSnapshots"]
		30 |        resources = ["*"]
		31 |    }
		32 | }
Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.oracle_ec2_snapshot_backup_role_policy_document
	File: /backup_vault.tf:18-32
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		18 | data "aws_iam_policy_document" "oracle_ec2_snapshot_backup_role_policy_document" {
		19 |    statement {
		20 |        effect    = "Allow"
		21 |        actions   = ["iam:PassRole"]
		22 |        resources = ["arn:aws:iam::${var.account_info.id}:role/service-role/AWSBackupDefaultServiceRole"]
		23 |    }
		24 |    statement {
		25 |        effect    = "Allow"
		26 |        actions   = ["backup:ListBackupVaults",
		27 |                    "backup:StartBackupJob",
		28 |                    "backup:DescribeBackupJob",
		29 |                    "ec2:DescribeSnapshots"]
		30 |        resources = ["*"]
		31 |    }
		32 | }
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3_bucket_oracledb_backups_inventory
	File: /s3.tf:189-227
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		189 | module "s3_bucket_oracledb_backups_inventory" {
		190 |   source              = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0"
		191 |   bucket_name         = "${local.oracle_backup_bucket_prefix}-inventory"
		192 |   versioning_enabled  = false
		193 |   ownership_controls  = "BucketOwnerEnforced"
		194 |   replication_enabled = false
		195 |   custom_kms_key      = var.account_config.kms_keys.general_shared
		196 |   bucket_policy       = [data.aws_iam_policy_document.oracledb_backups_inventory.json]
		197 | 
		198 |   providers = {
		199 |     aws.bucket-replication = aws.bucket-replication
		200 |   }
		201 | 
		202 |   lifecycle_rule = [
		203 |     {
		204 |       id      = "main"
		205 |       enabled = "Enabled"
		206 |       prefix  = ""
		207 | 
		208 |       tags = {
		209 |         rule      = "log"
		210 |         autoclean = "true"
		211 |       }
		212 | 
		213 |       transition = [
		214 |         {
		215 |           days          = 90
		216 |           storage_class = "STANDARD_IA"
		217 |         }
		218 |       ]
		219 | 
		220 |       expiration = {
		221 |         days = 365
		222 |       }
		223 |     }
		224 |   ]
		225 | 
		226 |   tags = var.tags
		227 | }


checkov_exitcode=1

*****************************

Running Checkov in terraform/environments/delius-core/modules/delius_environment
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-12-24 16:05:32,612 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=c918b2189d9f81d224e07e98fa1bc9ff38e4ba12:None (for external modules, the --download-external-modules flag is required)
2024-12-24 16:05:32,612 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//cluster?ref=v4.3.0:None (for external modules, the --download-external-modules flag is required)
2024-12-24 16:05:32,613 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0:None (for external modules, the --download-external-modules flag is required)
2024-12-24 16:05:32,613 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 1536, Failed checks: 147, Skipped checks: 62

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: module.dms.aws_lambda_function.dms_replication_metric_publisher
	File: /../components/dms/cloudwatch-alarms.tf:238-254
	Calling File: /dms.tf:1-24
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		238 | resource "aws_lambda_function" "dms_replication_metric_publisher" {
		239 |   function_name    = "dms-replication-metric-publisher"
		240 |   role             = aws_iam_role.lambda_put_metric_data_role.arn
		241 |   handler          = "dms_replication_metric.lambda_handler"
		242 |   runtime          = "python3.8"
		243 |   filename         = data.archive_file.lambda_dms_replication_metric_zip.output_path
		244 |   source_code_hash = data.archive_file.lambda_dms_replication_metric_zip.output_base64sha256
		245 |   environment {
		246 |     variables = {
		247 |       METRIC_NAMESPACE = "CustomDMSMetrics",
		248 |       METRIC_NAME      = "DMSReplicationFailure"
		249 |       TZ               = "Europe/London"
		250 |     }
		251 |   }
		252 | 
		253 |   depends_on = [data.archive_file.lambda_dms_replication_metric_zip]
		254 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: module.dms.aws_lambda_function.dms_replication_metric_publisher
	File: /../components/dms/cloudwatch-alarms.tf:238-254
	Calling File: /dms.tf:1-24
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		238 | resource "aws_lambda_function" "dms_replication_metric_publisher" {
		239 |   function_name    = "dms-replication-metric-publisher"
		240 |   role             = aws_iam_role.lambda_put_metric_data_role.arn
		241 |   handler          = "dms_replication_metric.lambda_handler"
		242 |   runtime          = "python3.8"
		243 |   filename         = data.archive_file.lambda_dms_replication_metric_zip.output_path
		244 |   source_code_hash = data.archive_file.lambda_dms_replication_metric_zip.output_base64sha256
		245 |   environment {
		246 |     variables = {
		247 |       METRIC_NAMESPACE = "CustomDMSMetrics",
		248 |       METRIC_NAME      = "DMSReplicationFailure"
		249 |       TZ               = "Europe/London"
		250 |     }
		251 |   }
		252 | 
		253 |   depends_on = [data.archive_file.lambda_dms_replication_metric_zip]
		254 | }

Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
	FAILED for resource: module.dms.aws_lambda_function.dms_replication_metric_publisher
	File: /../components/dms/cloudwatch-alarms.tf:238-254
	Calling File: /dms.tf:1-24
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1

		238 | resource "aws_lambda_function" "dms_replication_metric_publisher" {
		239 |   function_name    = "dms-replication-metric-publisher"
		240 |   role             = aws_iam_role.lambda_put_metric_data_role.arn
		241 |   handler          = "dms_replication_metric.lambda_handler"
		242 |   runtime          = "python3.8"
		243 |   filename         = data.archive_file.lambda_dms_replication_metric_zip.output_path
		244 |   source_code_hash = data.archive_file.lambda_dms_replication_metric_zip.output_base64sha256
		245 |   environment {
		246 |     variables = {
		247 |       METRIC_NAMESPACE = "CustomDMSMetrics",
		248 |       METRIC_NAME      = "DMSReplicationFailure"
		249 |       TZ               = "Europe/London"
		250 |     }
		251 |   }
		252 | 
		253 |   depends_on = [data.archive_file.lambda_dms_replication_metric_zip]
		254 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: module.dms.aws_lambda_function.dms_replication_metric_publisher
	File: /../components/dms/cloudwatch-alarms.tf:238-254
	Calling File: /dms.tf:1-24
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		238 | resource "aws_lambda_function" "dms_replication_metric_publisher" {
		239 |   function_name    = "dms-replication-metric-publisher"
		240 |   role             = aws_iam_role.lambda_put_metric_data_role.arn
		241 |   handler          = "dms_replication_metric.lambda_handler"
		242 |   runtime          = "python3.8"
		243 |   filename         = data.archive_file.lambda_dms_replication_metric_zip.output_path
		244 |   source_code_hash = data.archive_file.lambda_dms_replication_metric_zip.output_base64sha256
		245 |   environment {
		246 |     variables = {
		247 |       METRIC_NAMESPACE = "CustomDMSMetrics",
		248 |       METRIC_NAME      = "DMSReplicationFailure"
		249 |       TZ               = "Europe/London"
		250 |     }
		251 |   }
		252 | 
		253 |   depends_on = [data.archive_file.lambda_dms_replication_metric_zip]
		254 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: module.dms.aws_lambda_function.dms_replication_metric_publisher
	File: /../components/dms/cloudwatch-alarms.tf:238-254
	Calling File: /dms.tf:1-24
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		238 | resource "aws_lambda_function" "dms_replication_metric_publisher" {
		239 |   function_name    = "dms-replication-metric-publisher"
		240 |   role             = aws_iam_role.lambda_put_metric_data_role.arn
		241 |   handler          = "dms_replication_metric.lambda_handler"
		242 |   runtime          = "python3.8"
		243 |   filename         = data.archive_file.lambda_dms_replication_metric_zip.output_path
		244 |   source_code_hash = data.archive_file.lambda_dms_replication_metric_zip.output_base64sha256
		245 |   environment {
		246 |     variables = {
		247 |       METRIC_NAMESPACE = "CustomDMSMetrics",
		248 |       METRIC_NAME      = "DMSReplicationFailure"
		249 |       TZ               = "Europe/London"
		250 |     }
		251 |   }
		252 | 
		253 |   depends_on = [data.archive_file.lambda_dms_replication_metric_zip]
		254 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: module.dms.aws_lambda_function.dms_replication_metric_publisher
	File: /../components/dms/cloudwatch-alarms.tf:238-254
	Calling File: /dms.tf:1-24
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		238 | resource "aws_lambda_function" "dms_replication_metric_publisher" {
		239 |   function_name    = "dms-replication-metric-publisher"
		240 |   role             = aws_iam_role.lambda_put_metric_data_role.arn
		241 |   handler          = "dms_replication_metric.lambda_handler"
		242 |   runtime          = "python3.8"
		243 |   filename         = data.archive_file.lambda_dms_replication_metric_zip.output_path
		244 |   source_code_hash = data.archive_file.lambda_dms_replication_metric_zip.output_base64sha256
		245 |   environment {
		246 |     variables = {
		247 |       METRIC_NAMESPACE = "CustomDMSMetrics",
		248 |       METRIC_NAME      = "DMSReplicationFailure"
		249 |       TZ               = "Europe/London"
		250 |     }
		251 |   }
		252 | 
		253 |   depends_on = [data.archive_file.lambda_dms_replication_metric_zip]
		254 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: module.dms.aws_sns_topic.dms_events_topic
	File: /../components/dms/cloudwatch-alarms.tf:294-300
	Calling File: /dms.tf:1-24
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		294 | resource "aws_sns_topic" "dms_events_topic" {
		295 |   name = "delius-dms-events-topic"
		296 | 
		297 |   lambda_success_feedback_role_arn    = aws_iam_role.sns_logging_role.arn
		298 |   lambda_success_feedback_sample_rate = 100
		299 |   lambda_failure_feedback_role_arn    = aws_iam_role.sns_logging_role.arn
		300 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.oracle_db_shared.aws_iam_policy_document.oracle_ec2_snapshot_backup_role_policy_document
	File: /../components/oracle_db_shared/backup_vault.tf:18-32
	Calling File: /database.tf:11-28
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		18 | data "aws_iam_policy_document" "oracle_ec2_snapshot_backup_role_policy_document" {
		19 |    statement {
		20 |        effect    = "Allow"
		21 |        actions   = ["iam:PassRole"]
		22 |        resources = ["arn:aws:iam::${var.account_info.id}:role/service-role/AWSBackupDefaultServiceRole"]
		23 |    }
		24 |    statement {
		25 |        effect    = "Allow"
		26 |        actions   = ["backup:ListBackupVaults",
		27 |                    "backup:StartBackupJob",
		28 |                    "backup:DescribeBackupJob",
		29 |                    "ec2:DescribeSnapshots"]
		30 |        resources = ["*"]
		31 |    }
		32 | }
Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: module.oracle_db_shared.aws_iam_policy_document.oracle_ec2_snapshot_backup_role_policy_document
	File: /../components/oracle_db_shared/backup_vault.tf:18-32
	Calling File: /database.tf:11-28
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		18 | data "aws_iam_policy_document" "oracle_ec2_snapshot_backup_role_policy_document" {
		19 |    statement {
		20 |        effect    = "Allow"
		21 |        actions   = ["iam:PassRole"]
		22 |        resources = ["arn:aws:iam::${var.account_info.id}:role/service-role/AWSBackupDefaultServiceRole"]
		23 |    }
		24 |    statement {
		25 |        effect    = "Allow"
		26 |        actions   = ["backup:ListBackupVaults",
		27 |                    "backup:StartBackupJob",
		28 |                    "backup:DescribeBackupJob",
		29 |                    "ec2:DescribeSnapshots"]
		30 |        resources = ["*"]
		31 |    }
		32 | }
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.oracle_db_shared.s3_bucket_oracledb_backups_inventory
	File: /../components/oracle_db_shared/s3.tf:189-227
	Calling File: /database.tf:11-28
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		189 | module "s3_bucket_oracledb_backups_inventory" {
		190 |   source              = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0"
		191 |   bucket_name         = "${local.oracle_backup_bucket_prefix}-inventory"
		192 |   versioning_enabled  = false
		193 |   ownership_controls  = "BucketOwnerEnforced"
		194 |   replication_enabled = false
		195 |   custom_kms_key      = var.account_config.kms_keys.general_shared
		196 |   bucket_policy       = [data.aws_iam_policy_document.oracledb_backups_inventory.json]
		197 | 
		198 |   providers = {
		199 |     aws.bucket-replication = aws.bucket-replication
		200 |   }
		201 | 
		202 |   lifecycle_rule = [
		203 |     {
		204 |       id      = "main"
		205 |       enabled = "Enabled"
		206 |       prefix  = ""
		207 | 
		208 |       tags = {
		209 |         rule      = "log"
		210 |         autoclean = "true"
		211 |       }
		212 | 
		213 |       transition = [
		214 |         {
		215 |           days          = 90
		216 |           storage_class = "STANDARD_IA"
		217 |         }
		218 |       ]
		219 | 
		220 |       expiration = {
		221 |         days = 365
		222 |       }
		223 |     }
		224 |   ]
		225 | 
		226 |   tags = var.tags
		227 | }

Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
	FAILED for resource: aws_lb.delius_core_frontend
	File: /alb_frontend.tf:38-50
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-150

		38 | resource "aws_lb" "delius_core_frontend" {
		39 |   #checkov:skip=CKV_AWS_91 "ignore"
		40 |   #checkov:skip=CKV2_AWS_28 "ignore"
		41 | 
		42 |   name               = "${var.app_name}-${var.env_name}-weblogic-alb"
		43 |   internal           = false
		44 |   load_balancer_type = "application"
		45 |   security_groups    = [aws_security_group.delius_frontend_alb_security_group.id]
		46 |   subnets            = var.account_config.public_subnet_ids
		47 | 
		48 |   enable_deletion_protection = false
		49 |   drop_invalid_header_fields = true
		50 | }

Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
	FAILED for resource: aws_lb.alfresco_sfs
	File: /alfresco.tf:238-247
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-150

		238 | resource "aws_lb" "alfresco_sfs" {
		239 |   name               = "${var.app_name}-${var.env_name}-alf-sfs-alb"
		240 |   internal           = true
		241 |   load_balancer_type = "application"
		242 |   security_groups    = [aws_security_group.alfresco_sfs_alb.id]
		243 |   subnets            = var.account_config.private_subnet_ids
		244 | 
		245 |   enable_deletion_protection = false
		246 |   drop_invalid_header_fields = true
		247 | }

Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
	FAILED for resource: aws_lb.alfresco_sfs
	File: /alfresco.tf:238-247
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22

		238 | resource "aws_lb" "alfresco_sfs" {
		239 |   name               = "${var.app_name}-${var.env_name}-alf-sfs-alb"
		240 |   internal           = true
		241 |   load_balancer_type = "application"
		242 |   security_groups    = [aws_security_group.alfresco_sfs_alb.id]
		243 |   subnets            = var.account_config.private_subnet_ids
		244 | 
		245 |   enable_deletion_protection = false
		246 |   drop_invalid_header_fields = true
		247 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: ecs
	File: /common_ecs.tf:1-7
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		1 | module "ecs" {
		2 |   source = "github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//cluster?ref=v4.3.0"
		3 | 
		4 |   name = "delius-core-${var.env_name}-cluster"
		5 | 
		6 |   tags = local.tags
		7 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.cluster
	File: /common_ecs.tf:9-15
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		9  | resource "aws_security_group" "cluster" {
		10 |   name_prefix = "ecs-cluster-${var.env_name}"
		11 |   vpc_id      = var.account_config.shared_vpc_id
		12 |   lifecycle {
		13 |     create_before_destroy = true
		14 |   }
		15 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.ldap_automation
	File: /ldap_ecs.tf:356-360
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		356 | resource "aws_cloudwatch_log_group" "ldap_automation" {
		357 |   name              = "/ecs/ldap-automation-${var.env_name}"
		358 |   retention_in_days = 7
		359 |   tags              = var.tags
		360 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.ldap_automation
	File: /ldap_ecs.tf:356-360
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		356 | resource "aws_cloudwatch_log_group" "ldap_automation" {
		357 |   name              = "/ecs/ldap-automation-${var.env_name}"
		358 |   retention_in_days = 7
		359 |   tags              = var.tags
		360 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.pdfcreation_secret
	File: /newtech.tf:53-60
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		53 | resource "aws_ssm_parameter" "pdfcreation_secret" {
		54 |   name  = "/${var.env_name}/delius/newtech/web/params_secret_key"
		55 |   type  = "SecureString"
		56 |   value = "DEFAULT"
		57 |   lifecycle {
		58 |     ignore_changes = [value]
		59 |   }
		60 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: pagerduty_core_alerts
	File: /pagerduty.tf:8-17
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		8  | module "pagerduty_core_alerts" {
		9  | 
		10 |   depends_on = [
		11 |     aws_sns_topic.delius_core_alarms
		12 |   ]
		13 | 
		14 |   source                    = "github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0"
		15 |   sns_topics                = [aws_sns_topic.delius_core_alarms.name]
		16 |   pagerduty_integration_key = var.pagerduty_integration_key
		17 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.delius_core_alarms
	File: /pagerduty.tf:2-5
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		2 | resource "aws_sns_topic" "delius_core_alarms" {
		3 |   name = "delius-core-${var.env_name}-alarms-topic"
		4 |   tags = var.tags
		5 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.security_key
	File: /pwm.tf:130-134
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		130 | resource "aws_ssm_parameter" "security_key" {
		131 |   name  = "/${var.env_name}/pwm/security_key"
		132 |   type  = "SecureString"
		133 |   value = random_id.security_key.hex
		134 | }

Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
	FAILED for resource: aws_iam_user.pwm_ses_smtp_user
	File: /pwm.tf:197-199
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-273

		197 | resource "aws_iam_user" "pwm_ses_smtp_user" {
		198 |   name = "${var.env_name}-pwm-smtp-user"
		199 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_user_policy.pwm_ses_smtp_user
	File: /pwm.tf:205-222
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		205 | resource "aws_iam_user_policy" "pwm_ses_smtp_user" {
		206 |   name = "${var.env_name}-pwm-ses-smtp-user-policy"
		207 |   user = aws_iam_user.pwm_ses_smtp_user.name
		208 | 
		209 |   policy = jsonencode({
		210 |     Version = "2012-10-17",
		211 |     Statement = [
		212 |       {
		213 |         Effect = "Allow",
		214 |         Action = [
		215 |           "ses:SendRawEmail",
		216 |           "ses:SendEmail"
		217 |         ],
		218 |         Resource = "*"
		219 |       }
		220 |     ]
		221 |   })
		222 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_user_policy.pwm_ses_smtp_user
	File: /pwm.tf:205-222
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		205 | resource "aws_iam_user_policy" "pwm_ses_smtp_user" {
		206 |   name = "${var.env_name}-pwm-ses-smtp-user-policy"
		207 |   user = aws_iam_user.pwm_ses_smtp_user.name
		208 | 
		209 |   policy = jsonencode({
		210 |     Version = "2012-10-17",
		211 |     Statement = [
		212 |       {
		213 |         Effect = "Allow",
		214 |         Action = [
		215 |           "ses:SendRawEmail",
		216 |           "ses:SendEmail"
		217 |         ],
		218 |         Resource = "*"
		219 |       }
		220 |     ]
		221 |   })
		222 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.pwm_ses_smtp_user
	File: /pwm.tf:224-234
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		224 | resource "aws_ssm_parameter" "pwm_ses_smtp_user" {
		225 |   name = "/${var.env_name}/pwm/ses_smtp"
		226 |   type = "SecureString"
		227 |   value = jsonencode({
		228 |     user              = aws_iam_user.pwm_ses_smtp_user.name,
		229 |     key               = aws_iam_access_key.pwm_ses_smtp_user.id,
		230 |     secret            = aws_iam_access_key.pwm_ses_smtp_user.secret
		231 |     ses_smtp_user     = aws_iam_access_key.pwm_ses_smtp_user.id
		232 |     ses_smtp_password = aws_iam_access_key.pwm_ses_smtp_user.ses_smtp_password_v4
		233 |   })
		234 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3_bucket_ssm_sessions
	File: /ssm.tf:358-370
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		358 | module "s3_bucket_ssm_sessions" {
		359 | 
		360 |   source = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0"
		361 | 
		362 |   bucket_prefix      = "${var.account_info.application_name}-${var.env_name}-ssm-sessions"
		363 |   versioning_enabled = false
		364 | 
		365 |   providers = {
		366 |     aws.bucket-replication = aws
		367 |   }
		368 | 
		369 |   tags = var.tags
		370 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.ldap_bind_password
	File: /ssm.tf:17-27
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		17 | resource "aws_ssm_parameter" "ldap_bind_password" {
		18 |   name  = format("/%s-%s/LDAP_BIND_PASSWORD", var.account_info.application_name, var.env_name)
		19 |   type  = "SecureString"
		20 |   value = "INITIAL_VALUE_OVERRIDDEN"
		21 |   lifecycle {
		22 |     ignore_changes = [
		23 |       value
		24 |     ]
		25 |   }
		26 |   tags = local.tags
		27 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.ldap_host
	File: /ssm.tf:29-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		29 | resource "aws_ssm_parameter" "ldap_host" {
		30 |   name  = format("/%s-%s/LDAP_HOST", var.account_info.application_name, var.env_name)
		31 |   type  = "SecureString"
		32 |   value = module.ldap_ecs.nlb_dns_name
		33 |   lifecycle {
		34 |     ignore_changes = [
		35 |       value
		36 |     ]
		37 |   }
		38 |   tags = var.tags
		39 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.ldap_admin_password
	File: /ssm.tf:41-51
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		41 | resource "aws_ssm_parameter" "ldap_admin_password" {
		42 |   name  = format("/%s-%s/LDAP_ADMIN_PASSWORD", var.account_info.application_name, var.env_name)
		43 |   type  = "SecureString"
		44 |   value = "INITIAL_VALUE_OVERRIDDEN"
		45 |   lifecycle {
		46 |     ignore_changes = [
		47 |       value
		48 |     ]
		49 |   }
		50 |   tags = local.tags
		51 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.ldap_seed_uri
	File: /ssm.tf:53-63
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		53 | resource "aws_ssm_parameter" "ldap_seed_uri" {
		54 |   name  = format("/%s-%s/LDAP_SEED_URI", var.account_info.application_name, var.env_name)
		55 |   type  = "SecureString"
		56 |   value = "INITIAL_VALUE_OVERRIDDEN"
		57 |   lifecycle {
		58 |     ignore_changes = [
		59 |       value
		60 |     ]
		61 |   }
		62 |   tags = var.tags
		63 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.ldap_principal
	File: /ssm.tf:65-75
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		65 | resource "aws_ssm_parameter" "ldap_principal" {
		66 |   name  = format("/%s-%s/LDAP_PRINCIPAL", var.account_info.application_name, var.env_name)
		67 |   type  = "SecureString"
		68 |   value = "INITIAL_VALUE_OVERRIDDEN"
		69 |   lifecycle {
		70 |     ignore_changes = [
		71 |       value
		72 |     ]
		73 |   }
		74 |   tags = var.tags
		75 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.ldap_rbac_version
	File: /ssm.tf:77-87
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		77 | resource "aws_ssm_parameter" "ldap_rbac_version" {
		78 |   name  = format("/%s-%s/LDAP_RBAC_VERSION", var.account_info.application_name, var.env_name)
		79 |   type  = "SecureString"
		80 |   value = "INITIAL_VALUE_OVERRIDDEN"
		81 |   lifecycle {
		82 |     ignore_changes = [
		83 |       value
		84 |     ]
		85 |   }
		86 |   tags = var.tags
		87 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.oasys_user
	File: /ssm.tf:89-100
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		89  | resource "aws_ssm_parameter" "oasys_user" {
		90  |   name  = format("/%s-%s/oasys_user", var.account_info.application_name, var.env_name)
		91  |   type  = "SecureString"
		92  |   value = "INITIAL_VALUE_OVERRIDDEN"
		93  |   lifecycle {
		94  |     ignore_changes = [
		95  |       value
		96  |     ]
		97  |   }
		98  |   tags = local.tags
		99  | 
		100 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.oasys_password
	File: /ssm.tf:102-113
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		102 | resource "aws_ssm_parameter" "oasys_password" {
		103 |   name  = format("/%s-%s/oasys_password", var.account_info.application_name, var.env_name)
		104 |   type  = "SecureString"
		105 |   value = "INITIAL_VALUE_OVERRIDDEN"
		106 |   lifecycle {
		107 |     ignore_changes = [
		108 |       value
		109 |     ]
		110 |   }
		111 |   tags = local.tags
		112 | 
		113 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.iaps_user
	File: /ssm.tf:115-126
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		115 | resource "aws_ssm_parameter" "iaps_user" {
		116 |   name  = format("/%s-%s/iaps_user", var.account_info.application_name, var.env_name)
		117 |   type  = "SecureString"
		118 |   value = "INITIAL_VALUE_OVERRIDDEN"
		119 |   lifecycle {
		120 |     ignore_changes = [
		121 |       value
		122 |     ]
		123 |   }
		124 |   tags = local.tags
		125 | 
		126 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.iaps_user_password
	File: /ssm.tf:128-139
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		128 | resource "aws_ssm_parameter" "iaps_user_password" {
		129 |   name  = format("/%s-%s/iaps_user_password", var.account_info.application_name, var.env_name)
		130 |   type  = "SecureString"
		131 |   value = "INITIAL_VALUE_OVERRIDDEN"
		132 |   lifecycle {
		133 |     ignore_changes = [
		134 |       value
		135 |     ]
		136 |   }
		137 |   tags = local.tags
		138 | 
		139 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.dss_user
	File: /ssm.tf:141-152
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		141 | resource "aws_ssm_parameter" "dss_user" {
		142 |   name  = format("/%s-%s/dss_user", var.account_info.application_name, var.env_name)
		143 |   type  = "SecureString"
		144 |   value = "INITIAL_VALUE_OVERRIDDEN"
		145 |   lifecycle {
		146 |     ignore_changes = [
		147 |       value
		148 |     ]
		149 |   }
		150 |   tags = local.tags
		151 | 
		152 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.dss_user_password
	File: /ssm.tf:154-165
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		154 | resource "aws_ssm_parameter" "dss_user_password" {
		155 |   name  = format("/%s-%s/dss_user_password", var.account_info.application_name, var.env_name)
		156 |   type  = "SecureString"
		157 |   value = "INITIAL_VALUE_OVERRIDDEN"
		158 |   lifecycle {
		159 |     ignore_changes = [
		160 |       value
		161 |     ]
		162 |   }
		163 |   tags = local.tags
		164 | 
		165 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.casenotes_user
	File: /ssm.tf:167-178
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		167 | resource "aws_ssm_parameter" "casenotes_user" {
		168 |   name  = format("/%s-%s/casenotes_user", var.account_info.application_name, var.env_name)
		169 |   type  = "SecureString"
		170 |   value = "INITIAL_VALUE_OVERRIDDEN"
		171 |   lifecycle {
		172 |     ignore_changes = [
		173 |       value
		174 |     ]
		175 |   }
		176 |   tags = local.tags
		177 | 
		178 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.casenotes_user_password
	File: /ssm.tf:180-190
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		180 | resource "aws_ssm_parameter" "casenotes_user_password" {
		181 |   name  = format("/%s-%s/casenotes_user_password", var.account_info.application_name, var.env_name)
		182 |   type  = "SecureString"
		183 |   value = "INITIAL_VALUE_OVERRIDDEN"
		184 |   lifecycle {
		185 |     ignore_changes = [
		186 |       value
		187 |     ]
		188 |   }
		189 |   tags = local.tags
		190 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.test_user_password
	File: /ssm.tf:192-203
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		192 | resource "aws_ssm_parameter" "test_user_password" {
		193 |   name  = format("/%s-%s/test_user_password", var.account_info.application_name, var.env_name)
		194 |   type  = "SecureString"
		195 |   value = "INITIAL_VALUE_OVERRIDDEN"
		196 |   lifecycle {
		197 |     ignore_changes = [
		198 |       value
		199 |     ]
		200 |   }
		201 | 
		202 |   tags = local.tags
		203 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.performance_test_user_password
	File: /ssm.tf:205-216
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		205 | resource "aws_ssm_parameter" "performance_test_user_password" {
		206 |   name  = format("/%s-%s/performance_test_user_password", var.account_info.application_name, var.env_name)
		207 |   type  = "SecureString"
		208 |   value = "INITIAL_VALUE_OVERRIDDEN"
		209 |   lifecycle {
		210 |     ignore_changes = [
		211 |       value
		212 |     ]
		213 |   }
		214 | 
		215 |   tags = local.tags
		216 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_gdpr_api_client_secret
	File: /ssm.tf:218-230
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		218 | resource "aws_ssm_parameter" "delius_core_gdpr_api_client_secret" {
		219 |   name  = format("/%s-%s/gdpr_api_client_secret", var.account_info.application_name, var.env_name)
		220 |   type  = "SecureString"
		221 |   value = "INITIAL_VALUE_OVERRIDDEN"
		222 | 
		223 |   lifecycle {
		224 |     ignore_changes = [
		225 |       value
		226 |     ]
		227 |   }
		228 | 
		229 |   tags = local.tags
		230 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_pwm_config_password
	File: /ssm.tf:232-244
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		232 | resource "aws_ssm_parameter" "delius_core_pwm_config_password" {
		233 |   name  = format("/%s-%s/pwm_config_password", var.account_info.application_name, var.env_name)
		234 |   type  = "SecureString"
		235 |   value = "INITIAL_VALUE_OVERRIDDEN"
		236 | 
		237 |   lifecycle {
		238 |     ignore_changes = [
		239 |       value
		240 |     ]
		241 |   }
		242 | 
		243 |   tags = local.tags
		244 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_merge_api_client_secret
	File: /ssm.tf:246-258
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		246 | resource "aws_ssm_parameter" "delius_core_merge_api_client_secret" {
		247 |   name  = format("/%s-%s/merge_api_client_secret", var.account_info.application_name, var.env_name)
		248 |   type  = "SecureString"
		249 |   value = "INITIAL_VALUE_OVERRIDDEN"
		250 | 
		251 |   lifecycle {
		252 |     ignore_changes = [
		253 |       value
		254 |     ]
		255 |   }
		256 | 
		257 |   tags = local.tags
		258 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_weblogic_ndelius_domain_umt_client_secret
	File: /ssm.tf:264-276
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		264 | resource "aws_ssm_parameter" "delius_core_weblogic_ndelius_domain_umt_client_secret" {
		265 |   name  = format("/%s-%s/umt_client_secret", var.account_info.application_name, var.env_name)
		266 |   type  = "SecureString"
		267 |   value = "INITIAL_VALUE_OVERRIDDEN"
		268 | 
		269 |   lifecycle {
		270 |     ignore_changes = [
		271 |       value
		272 |     ]
		273 |   }
		274 | 
		275 |   tags = local.tags
		276 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_umt_jwt_secret
	File: /ssm.tf:278-290
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		278 | resource "aws_ssm_parameter" "delius_core_umt_jwt_secret" {
		279 |   name  = format("/%s-%s/umt_jwt_secret", var.account_info.application_name, var.env_name)
		280 |   type  = "SecureString"
		281 |   value = "INITIAL_VALUE_OVERRIDDEN"
		282 | 
		283 |   lifecycle {
		284 |     ignore_changes = [
		285 |       value
		286 |     ]
		287 |   }
		288 | 
		289 |   tags = local.tags
		290 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_umt_delius_secret
	File: /ssm.tf:292-304
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		292 | resource "aws_ssm_parameter" "delius_core_umt_delius_secret" {
		293 |   name  = format("/%s-%s/umt_delius_secret", var.account_info.application_name, var.env_name)
		294 |   type  = "SecureString"
		295 |   value = "INITIAL_VALUE_OVERRIDDEN"
		296 | 
		297 |   lifecycle {
		298 |     ignore_changes = [
		299 |       value
		300 |     ]
		301 |   }
		302 | 
		303 |   tags = local.tags
		304 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_gdpr_db_admin_password
	File: /ssm.tf:306-316
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		306 | resource "aws_ssm_parameter" "delius_core_gdpr_db_admin_password" {
		307 |   name  = format("/%s-%s/gdpr/api/db_admin_password", var.account_info.application_name, var.env_name)
		308 |   type  = "SecureString"
		309 |   value = "INITIAL_VALUE_OVERRIDDEN"
		310 |   lifecycle {
		311 |     ignore_changes = [
		312 |       value
		313 |     ]
		314 |   }
		315 |   tags = local.tags
		316 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_gdpr_db_pool_password
	File: /ssm.tf:318-328
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		318 | resource "aws_ssm_parameter" "delius_core_gdpr_db_pool_password" {
		319 |   name  = format("/%s-%s/gdpr/api/db_pool_password", var.account_info.application_name, var.env_name)
		320 |   type  = "SecureString"
		321 |   value = "INITIAL_VALUE_OVERRIDDEN"
		322 |   lifecycle {
		323 |     ignore_changes = [
		324 |       value
		325 |     ]
		326 |   }
		327 |   tags = local.tags
		328 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_merge_db_admin_password
	File: /ssm.tf:330-340
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		330 | resource "aws_ssm_parameter" "delius_core_merge_db_admin_password" {
		331 |   name  = format("/%s-%s/merge/api/db_admin_password", var.account_info.application_name, var.env_name)
		332 |   type  = "SecureString"
		333 |   value = "INITIAL_VALUE_OVERRIDDEN"
		334 |   lifecycle {
		335 |     ignore_changes = [
		336 |       value
		337 |     ]
		338 |   }
		339 |   tags = local.tags
		340 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_merge_db_pool_password
	File: /ssm.tf:342-352
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		342 | resource "aws_ssm_parameter" "delius_core_merge_db_pool_password" {
		343 |   name  = format("/%s-%s/merge/api/db_pool_password", var.account_info.application_name, var.env_name)
		344 |   type  = "SecureString"
		345 |   value = "INITIAL_VALUE_OVERRIDDEN"
		346 |   lifecycle {
		347 |     ignore_changes = [
		348 |       value
		349 |     ]
		350 |   }
		351 |   tags = local.tags
		352 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.usermanagement_secret
	File: /weblogic_eis.tf:131-138
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		131 | resource "aws_ssm_parameter" "usermanagement_secret" {
		132 |   name  = "/${var.env_name}/delius/umt/umt/delius_secret"
		133 |   type  = "SecureString"
		134 |   value = "DEFAULT"
		135 |   lifecycle {
		136 |     ignore_changes = [value]
		137 |   }
		138 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.jdbc_url
	File: /weblogic_params.tf:6-16
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		6  | resource "aws_ssm_parameter" "jdbc_url" {
		7  |   name  = format("/%s-%s/JDBC_URL", var.account_info.application_name, var.env_name)
		8  |   type  = "SecureString"
		9  |   value = "jdbc:oracle:thin:@//INITIAL_HOSTNAME_OVERRIDEN:INITIAL_PORT_OVERRIDDEN"
		10 |   tags  = local.tags
		11 |   lifecycle {
		12 |     ignore_changes = [
		13 |       value
		14 |     ]
		15 |   }
		16 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.jdbc_password
	File: /weblogic_params.tf:23-33
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		23 | resource "aws_ssm_parameter" "jdbc_password" {
		24 |   name  = format("/%s-%s/JDBC_PASSWORD", var.account_info.application_name, var.env_name)
		25 |   type  = "SecureString"
		26 |   value = "INITIAL_VALUE_OVERRIDDEN"
		27 |   tags  = local.tags
		28 |   lifecycle {
		29 |     ignore_changes = [
		30 |       value
		31 |     ]
		32 |   }
		33 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.weblogic_admin_username
	File: /weblogic_params.tf:40-50
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		40 | resource "aws_ssm_parameter" "weblogic_admin_username" {
		41 |   name  = format("/%s/%s/DEV_USERNAME", var.account_info.application_name, var.env_name)
		42 |   type  = "SecureString"
		43 |   value = "INITIAL_VALUE_OVERRIDDEN"
		44 |   lifecycle {
		45 |     ignore_changes = [
		46 |       value
		47 |     ]
		48 |   }
		49 |   tags = local.tags
		50 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.weblogic_admin_password
	File: /weblogic_params.tf:56-66
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		56 | resource "aws_ssm_parameter" "weblogic_admin_password" {
		57 |   name  = format("/%s/%s/DEV_PASSWORD", var.account_info.application_name, var.env_name)
		58 |   type  = "SecureString"
		59 |   value = "INITIAL_VALUE_OVERRIDDEN"
		60 |   lifecycle {
		61 |     ignore_changes = [
		62 |       value
		63 |     ]
		64 |   }
		65 |   tags = local.tags
		66 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: module.alfresco_sfs_ecs.aws_cloudwatch_log_group.ecs
	File: /../helpers/delius_microservice/cloudwatch.tf:1-5
	Calling File: /alfresco.tf:21-194
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		1 | resource "aws_cloudwatch_log_group" "ecs" {
		2 |   name              = "${var.env_name}-${var.name}"
		3 |   retention_in_days = 7
		4 |   tags              = var.tags
		5 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: module.alfresco_sfs_ecs.aws_cloudwatch_log_group.ecs
	File: /../helpers/delius_microservice/cloudwatch.tf:1-5
	Calling File: /alfresco.tf:21-194
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		1 | resource "aws_cloudwatch_log_group" "ecs" {
		2 |   name              = "${var.env_name}-${var.name}"
		3 |   retention_in_days = 7
		4 |   tags              = var.tags
		5 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: module.ldap_ecs.aws_cloudwatch_log_group.ecs
	File: /../helpers/delius_microservice/cloudwatch.tf:1-5
	Calling File: /ldap_ecs.tf:1-252
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		1 | resource "aws_cloudwatch_log_group" "ecs" {
		2 |   name              = "${var.env_name}-${var.name}"
		3 |   retention_in_days = 7
		4 |   tags              = var.tags
		5 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: module.ldap_ecs.aws_cloudwatch_log_group.ecs
	File: /../helpers/delius_microservice/cloudwatch.tf:1-5
	Calling File: /ldap_ecs.tf:1-252
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		1 | resource "aws_cloudwatch_log_group" "ecs" {
		2 |   name              = "${var.env_name}-${var.name}"
		3 |   retention_in_days = 7
		4 |   tags              = var.tags
		5 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: module.pwm.aws_cloudwatch_log_group.ecs
	File: /../helpers/delius_microservice/cloudwatch.tf:1-5
	Calling File: /pwm.tf:1-128
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		1 | resource "aws_cloudwatch_log_group" "ecs" {
		2 |   name              = "${var.env_name}-${var.name}"
		3 |   retention_in_days = 7
		4 |   tags              = var.tags
		5 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: module.pwm.aws_cloudwatch_log_group.ecs
	File: /../helpers/delius_microservice/cloudwatch.tf:1-5
	Calling File: /pwm.tf:1-128
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		1 | resource "aws_cloudwatch_log_group" "ecs" {
		2 |   name              = "${var.env_name}-${var.name}"
		3 |   retention_in_days = 7
		4 |   tags              = var.tags
		5 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: module.weblogic.aws_cloudwatch_log_group.ecs
	File: /../helpers/delius_microservice/cloudwatch.tf:1-5
	Calling File: /weblogic.tf:1-94
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		1 | resource "aws_cloudwatch_log_group" "ecs" {
		2 |   name              = "${var.env_name}-${var.name}"
		3 |   retention_in_days = 7
		4 |   tags              = var.tags
		5 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: module.weblogic.aws_cloudwatch_log_group.ecs
	File: /../helpers/delius_microservice/cloudwatch.tf:1-5
	Calling File: /weblogic.tf:1-94
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		1 | resource "aws_cloudwatch_log_group" "ecs" {
		2 |   name              = "${var.env_name}-${var.name}"
		3 |   retention_in_days = 7
		4 |   tags              = var.tags
		5 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: module.weblogic_eis.aws_cloudwatch_log_group.ecs
	File: /../helpers/delius_microservice/cloudwatch.tf:1-5
	Calling File: /weblogic_eis.tf:1-109
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		1 | resource "aws_cloudwatch_log_group" "ecs" {
		2 |   name              = "${var.env_name}-${var.name}"
		3 |   retention_in_days = 7
		4 |   tags              = var.tags
		5 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: module.weblogic_eis.aws_cloudwatch_log_group.ecs
	File: /../helpers/delius_microservice/cloudwatch.tf:1-5
	Calling File: /weblogic_eis.tf:1-109
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		1 | resource "aws_cloudwatch_log_group" "ecs" {
		2 |   name              = "${var.env_name}-${var.name}"
		3 |   retention_in_days = 7
		4 |   tags              = var.tags
		5 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.alfresco_sfs_ecs.container_definition
	File: /../helpers/delius_microservice/ecs.tf:1-26
	Calling File: /alfresco.tf:21-194
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		1  | module "container_definition" {
		2  |   source                   = "git::https://github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//container?ref=v5.0.0"
		3  |   name                     = var.name
		4  |   image                    = var.container_image
		5  |   memory                   = var.container_memory
		6  |   cpu                      = var.container_cpu
		7  |   essential                = true
		8  |   readonly_root_filesystem = false
		9  | 
		10 |   environment = local.calculated_container_vars_list
		11 | 
		12 |   health_check = var.container_health_check
		13 | 
		14 |   secrets       = local.calculated_container_secrets_list
		15 |   port_mappings = var.container_port_config
		16 |   mount_points  = var.mount_points
		17 |   log_configuration = {
		18 |     logDriver = "awslogs"
		19 |     options = {
		20 |       "awslogs-group"         = aws_cloudwatch_log_group.ecs.name
		21 |       "awslogs-region"        = "eu-west-2"
		22 |       "awslogs-stream-prefix" = "${var.env_name}-${var.name}"
		23 |     }
		24 |   }
		25 |   system_controls = var.system_controls
		26 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.alfresco_sfs_ecs.ecs_service
	File: /../helpers/delius_microservice/ecs.tf:37-74
	Calling File: /alfresco.tf:21-194
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		37 | module "ecs_service" {
		38 |   source                = "git::https://github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//service?ref=v5.0.0"
		39 |   container_definitions = nonsensitive(module.container_definition.json_encoded_list)
		40 |   cluster_arn           = var.ecs_cluster_arn
		41 |   name                  = "${var.env_name}-${var.name}"
		42 | 
		43 |   task_cpu    = var.container_cpu
		44 |   task_memory = var.container_memory
		45 | 
		46 |   pin_task_definition_revision = var.pin_task_definition_revision
		47 | 
		48 |   desired_count                      = var.desired_count
		49 |   deployment_maximum_percent         = var.deployment_maximum_percent
		50 |   deployment_minimum_healthy_percent = var.deployment_minimum_healthy_percent
		51 | 
		52 |   service_role_arn   = "arn:aws:iam::${var.account_info.id}:role/${module.ecs_policies.service_role.name}"
		53 |   task_role_arn      = "arn:aws:iam::${var.account_info.id}:role/${module.ecs_policies.task_role.name}"
		54 |   task_exec_role_arn = "arn:aws:iam::${var.account_info.id}:role/${module.ecs_policies.task_exec_role.name}"
		55 | 
		56 |   health_check_grace_period_seconds = var.alb_health_check.grace_period_seconds
		57 | 
		58 |   service_load_balancers = var.microservice_lb != null ? concat([{
		59 |     target_group_arn = aws_lb_target_group.frontend[0].arn
		60 |     container_name   = var.name
		61 |     container_port   = var.container_port_config[0].containerPort
		62 |     }],
		63 |   values(local.ecs_nlbs)) : values(local.ecs_nlbs)
		64 | 
		65 |   efs_volumes = var.efs_volumes
		66 | 
		67 |   security_groups = [aws_security_group.ecs_service.id, var.cluster_security_group_id]
		68 | 
		69 |   subnets = var.account_config.private_subnet_ids
		70 | 
		71 |   enable_execute_command = true
		72 | 
		73 |   tags = var.tags
		74 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.ldap_ecs.container_definition
	File: /../helpers/delius_microservice/ecs.tf:1-26
	Calling File: /ldap_ecs.tf:1-252
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		1  | module "container_definition" {
		2  |   source                   = "git::https://github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//container?ref=v5.0.0"
		3  |   name                     = var.name
		4  |   image                    = var.container_image
		5  |   memory                   = var.container_memory
		6  |   cpu                      = var.container_cpu
		7  |   essential                = true
		8  |   readonly_root_filesystem = false
		9  | 
		10 |   environment = local.calculated_container_vars_list
		11 | 
		12 |   health_check = var.container_health_check
		13 | 
		14 |   secrets       = local.calculated_container_secrets_list
		15 |   port_mappings = var.container_port_config
		16 |   mount_points  = var.mount_points
		17 |   log_configuration = {
		18 |     logDriver = "awslogs"
		19 |     options = {
		20 |       "awslogs-group"         = aws_cloudwatch_log_group.ecs.name
		21 |       "awslogs-region"        = "eu-west-2"
		22 |       "awslogs-stream-prefix" = "${var.env_name}-${var.name}"
		23 |     }
		24 |   }
		25 |   system_controls = var.system_controls
		26 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.ldap_ecs.ecs_service
	File: /../helpers/delius_microservice/ecs.tf:37-74
	Calling File: /ldap_ecs.tf:1-252
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		37 | module "ecs_service" {
		38 |   source                = "git::https://github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//service?ref=v5.0.0"
		39 |   container_definitions = nonsensitive(module.container_definition.json_encoded_list)
		40 |   cluster_arn           = var.ecs_cluster_arn
		41 |   name                  = "${var.env_name}-${var.name}"
		42 | 
		43 |   task_cpu    = var.container_cpu
		44 |   task_memory = var.container_memory
		45 | 
		46 |   pin_task_definition_revision = var.pin_task_definition_revision
		47 | 
		48 |   desired_count                      = var.desired_count
		49 |   deployment_maximum_percent         = var.deployment_maximum_percent
		50 |   deployment_minimum_healthy_percent = var.deployment_minimum_healthy_percent
		51 | 
		52 |   service_role_arn   = "arn:aws:iam::${var.account_info.id}:role/${module.ecs_policies.service_role.name}"
		53 |   task_role_arn      = "arn:aws:iam::${var.account_info.id}:role/${module.ecs_policies.task_role.name}"
		54 |   task_exec_role_arn = "arn:aws:iam::${var.account_info.id}:role/${module.ecs_policies.task_exec_role.name}"
		55 | 
		56 |   health_check_grace_period_seconds = var.alb_health_check.grace_period_seconds
		57 | 
		58 |   service_load_balancers = var.microservice_lb != null ? concat([{
		59 |     target_group_arn = aws_lb_target_group.frontend[0].arn
		60 |     container_name   = var.name
		61 |     container_port   = var.container_port_config[0].containerPort
		62 |     }],
		63 |   values(local.ecs_nlbs)) : values(local.ecs_nlbs)
		64 | 
		65 |   efs_volumes = var.efs_volumes
		66 | 
		67 |   security_groups = [aws_security_group.ecs_service.id, var.cluster_security_group_id]
		68 | 
		69 |   subnets = var.account_config.private_subnet_ids
		70 | 
		71 |   enable_execute_command = true
		72 | 
		73 |   tags = var.tags
		74 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.pwm.container_definition
	File: /../helpers/delius_microservice/ecs.tf:1-26
	Calling File: /pwm.tf:1-128
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		1  | module "container_definition" {
		2  |   source                   = "git::https://github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//container?ref=v5.0.0"
		3  |   name                     = var.name
		4  |   image                    = var.container_image
		5  |   memory                   = var.container_memory
		6  |   cpu                      = var.container_cpu
		7  |   essential                = true
		8  |   readonly_root_filesystem = false
		9  | 
		10 |   environment = local.calculated_container_vars_list
		11 | 
		12 |   health_check = var.container_health_check
		13 | 
		14 |   secrets       = local.calculated_container_secrets_list
		15 |   port_mappings = var.container_port_config
		16 |   mount_points  = var.mount_points
		17 |   log_configuration = {
		18 |     logDriver = "awslogs"
		19 |     options = {
		20 |       "awslogs-group"         = aws_cloudwatch_log_group.ecs.name
		21 |       "awslogs-region"        = "eu-west-2"
		22 |       "awslogs-stream-prefix" = "${var.env_name}-${var.name}"
		23 |     }
		24 |   }
		25 |   system_controls = var.system_controls
		26 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.pwm.ecs_service
	File: /../helpers/delius_microservice/ecs.tf:37-74
	Calling File: /pwm.tf:1-128
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		37 | module "ecs_service" {
		38 |   source                = "git::https://github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//service?ref=v5.0.0"
		39 |   container_definitions = nonsensitive(module.container_definition.json_encoded_list)
		40 |   cluster_arn           = var.ecs_cluster_arn
		41 |   name                  = "${var.env_name}-${var.name}"
		42 | 
		43 |   task_cpu    = var.container_cpu
		44 |   task_memory = var.container_memory
		45 | 
		46 |   pin_task_definition_revision = var.pin_task_definition_revision
		47 | 
		48 |   desired_count                      = var.desired_count
		49 |   deployment_maximum_percent         = var.deployment_maximum_percent
		50 |   deployment_minimum_healthy_percent = var.deployment_minimum_healthy_percent
		51 | 
		52 |   service_role_arn   = "arn:aws:iam::${var.account_info.id}:role/${module.ecs_policies.service_role.name}"
		53 |   task_role_arn      = "arn:aws:iam::${var.account_info.id}:role/${module.ecs_policies.task_role.name}"
		54 |   task_exec_role_arn = "arn:aws:iam::${var.account_info.id}:role/${module.ecs_policies.task_exec_role.name}"
		55 | 
		56 |   health_check_grace_period_seconds = var.alb_health_check.grace_period_seconds
		57 | 
		58 |   service_load_balancers = var.microservice_lb != null ? concat([{
		59 |     target_group_arn = aws_lb_target_group.frontend[0].arn
		60 |     container_name   = var.name
		61 |     container_port   = var.container_port_config[0].containerPort
		62 |     }],
		63 |   values(local.ecs_nlbs)) : values(local.ecs_nlbs)
		64 | 
		65 |   efs_volumes = var.efs_volumes
		66 | 
		67 |   security_groups = [aws_security_group.ecs_service.id, var.cluster_security_group_id]
		68 | 
		69 |   subnets = var.account_config.private_subnet_ids
		70 | 
		71 |   enable_execute_command = true
		72 | 
		73 |   tags = var.tags
		74 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.weblogic.container_definition
	File: /../helpers/delius_microservice/ecs.tf:1-26
	Calling File: /weblogic.tf:1-94
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		1  | module "container_definition" {
		2  |   source                   = "git::https://github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//container?ref=v5.0.0"
		3  |   name                     = var.name
		4  |   image                    = var.container_image
		5  |   memory                   = var.container_memory
		6  |   cpu                      = var.container_cpu
		7  |   essential                = true
		8  |   readonly_root_filesystem = false
		9  | 
		10 |   environment = local.calculated_container_vars_list
		11 | 
		12 |   health_check = var.container_health_check
		13 | 
		14 |   secrets       = local.calculated_container_secrets_list
		15 |   port_mappings = var.container_port_config
		16 |   mount_points  = var.mount_points
		17 |   log_configuration = {
		18 |     logDriver = "awslogs"
		19 |     options = {
		20 |       "awslogs-group"         = aws_cloudwatch_log_group.ecs.name
		21 |       "awslogs-region"        = "eu-west-2"
		22 |       "awslogs-stream-prefix" = "${var.env_name}-${var.name}"
		23 |     }
		24 |   }
		25 |   system_controls = var.system_controls
		26 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.weblogic.ecs_service
	File: /../helpers/delius_microservice/ecs.tf:37-74
	Calling File: /weblogic.tf:1-94
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		37 | module "ecs_service" {
		38 |   source                = "git::https://github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//service?ref=v5.0.0"
		39 |   container_definitions = nonsensitive(module.container_definition.json_encoded_list)
		40 |   cluster_arn           = var.ecs_cluster_arn
		41 |   name                  = "${var.env_name}-${var.name}"
		42 | 
		43 |   task_cpu    = var.container_cpu
		44 |   task_memory = var.container_memory
		45 | 
		46 |   pin_task_definition_revision = var.pin_task_definition_revision
		47 | 
		48 |   desired_count                      = var.desired_count
		49 |   deployment_maximum_percent         = var.deployment_maximum_percent
		50 |   deployment_minimum_healthy_percent = var.deployment_minimum_healthy_percent
		51 | 
		52 |   service_role_arn   = "arn:aws:iam::${var.account_info.id}:role/${module.ecs_policies.service_role.name}"
		53 |   task_role_arn      = "arn:aws:iam::${var.account_info.id}:role/${module.ecs_policies.task_role.name}"
		54 |   task_exec_role_arn = "arn:aws:iam::${var.account_info.id}:role/${module.ecs_policies.task_exec_role.name}"
		55 | 
		56 |   health_check_grace_period_seconds = var.alb_health_check.grace_period_seconds
		57 | 
		58 |   service_load_balancers = var.microservice_lb != null ? concat([{
		59 |     target_group_arn = aws_lb_target_group.frontend[0].arn
		60 |     container_name   = var.name
		61 |     container_port   = var.container_port_config[0].containerPort
		62 |     }],
		63 |   values(local.ecs_nlbs)) : values(local.ecs_nlbs)
		64 | 
		65 |   efs_volumes = var.efs_volumes
		66 | 
		67 |   security_groups = [aws_security_group.ecs_service.id, var.cluster_security_group_id]
		68 | 
		69 |   subnets = var.account_config.private_subnet_ids
		70 | 
		71 |   enable_execute_command = true
		72 | 
		73 |   tags = var.tags
		74 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.weblogic_eis.container_definition
	File: /../helpers/delius_microservice/ecs.tf:1-26
	Calling File: /weblogic_eis.tf:1-109
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		1  | module "container_definition" {
		2  |   source                   = "git::https://github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//container?ref=v5.0.0"
		3  |   name                     = var.name
		4  |   image                    = var.container_image
		5  |   memory                   = var.container_memory
		6  |   cpu                      = var.container_cpu
		7  |   essential                = true
		8  |   readonly_root_filesystem = false
		9  | 
		10 |   environment = local.calculated_container_vars_list
		11 | 
		12 |   health_check = var.container_health_check
		13 | 
		14 |   secrets       = local.calculated_container_secrets_list
		15 |   port_mappings = var.container_port_config
		16 |   mount_points  = var.mount_points
		17 |   log_configuration = {
		18 |     logDriver = "awslogs"
		19 |     options = {
		20 |       "awslogs-group"         = aws_cloudwatch_log_group.ecs.name
		21 |       "awslogs-region"        = "eu-west-2"
		22 |       "awslogs-stream-prefix" = "${var.env_name}-${var.name}"
		23 |     }
		24 |   }
		25 |   system_controls = var.system_controls
		26 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.weblogic_eis.ecs_service
	File: /../helpers/delius_microservice/ecs.tf:37-74
	Calling File: /weblogic_eis.tf:1-109
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		37 | module "ecs_service" {
		38 |   source                = "git::https://github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//service?ref=v5.0.0"
		39 |   container_definitions = nonsensitive(module.container_definition.json_encoded_list)
		40 |   cluster_arn           = var.ecs_cluster_arn
		41 |   name                  = "${var.env_name}-${var.name}"
		42 | 
		43 |   task_cpu    = var.container_cpu
		44 |   task_memory = var.container_memory
		45 | 
		46 |   pin_task_definition_revision = var.pin_task_definition_revision
		47 | 
		48 |   desired_count                      = var.desired_count
		49 |   deployment_maximum_percent         = var.deployment_maximum_percent
		50 |   deployment_minimum_healthy_percent = var.deployment_minimum_healthy_percent
		51 | 
		52 |   service_role_arn   = "arn:aws:iam::${var.account_info.id}:role/${module.ecs_policies.service_role.name}"
		53 |   task_role_arn      = "arn:aws:iam::${var.account_info.id}:role/${module.ecs_policies.task_role.name}"
		54 |   task_exec_role_arn = "arn:aws:iam::${var.account_info.id}:role/${module.ecs_policies.task_exec_role.name}"
		55 | 
		56 |   health_check_grace_period_seconds = var.alb_health_check.grace_period_seconds
		57 | 
		58 |   service_load_balancers = var.microservice_lb != null ? concat([{
		59 |     target_group_arn = aws_lb_target_group.frontend[0].arn
		60 |     container_name   = var.name
		61 |     container_port   = var.container_port_config[0].containerPort
		62 |     }],
		63 |   values(local.ecs_nlbs)) : values(local.ecs_nlbs)
		64 | 
		65 |   efs_volumes = var.efs_volumes
		66 | 
		67 |   security_groups = [aws_security_group.ecs_service.id, var.cluster_security_group_id]
		68 | 
		69 |   subnets = var.account_config.private_subnet_ids
		70 | 
		71 |   enable_execute_command = true
		72 | 
		73 |   tags = var.tags
		74 | }

Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
	FAILED for resource: module.alfresco_sfs_ecs.aws_lb.delius_microservices
	File: /../helpers/delius_microservice/load_balancing.tf:90-99
	Calling File: /alfresco.tf:21-194
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-150

		90 | resource "aws_lb" "delius_microservices" {
		91 |   name                       = "${var.name}-${var.env_name}-service-nlb"
		92 |   internal                   = true
		93 |   load_balancer_type         = "network"
		94 |   security_groups            = [aws_security_group.delius_microservices_service_nlb.id]
		95 |   subnets                    = var.account_config.private_subnet_ids
		96 |   enable_deletion_protection = false
		97 |   drop_invalid_header_fields = true
		98 |   tags                       = var.tags
		99 | }

Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
	FAILED for resource: module.alfresco_sfs_ecs.aws_lb.delius_microservices
	File: /../helpers/delius_microservice/load_balancing.tf:90-99
	Calling File: /alfresco.tf:21-194
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22

		90 | resource "aws_lb" "delius_microservices" {
		91 |   name                       = "${var.name}-${var.env_name}-service-nlb"
		92 |   internal                   = true
		93 |   load_balancer_type         = "network"
		94 |   security_groups            = [aws_security_group.delius_microservices_service_nlb.id]
		95 |   subnets                    = var.account_config.private_subnet_ids
		96 |   enable_deletion_protection = false
		97 |   drop_invalid_header_fields = true
		98 |   tags                       = var.tags
		99 | }

Check: CKV_AWS_152: "Ensure that Load Balancer (Network/Gateway) has cross-zone load balancing enabled"
	FAILED for resource: module.alfresco_sfs_ecs.aws_lb.delius_microservices
	File: /../helpers/delius_microservice/load_balancing.tf:90-99
	Calling File: /alfresco.tf:21-194
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-load-balancer-networkgateway-has-cross-zone-load-balancing-enabled

		90 | resource "aws_lb" "delius_microservices" {
		91 |   name                       = "${var.name}-${var.env_name}-service-nlb"
		92 |   internal                   = true
		93 |   load_balancer_type         = "network"
		94 |   security_groups            = [aws_security_group.delius_microservices_service_nlb.id]
		95 |   subnets                    = var.account_config.private_subnet_ids
		96 |   enable_deletion_protection = false
		97 |   drop_invalid_header_fields = true
		98 |   tags                       = var.tags
		99 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: module.alfresco_sfs_ecs.aws_vpc_security_group_ingress_rule.from_vpc
	File: /../helpers/delius_microservice/load_balancing.tf:111-115
	Calling File: /alfresco.tf:21-194
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		111 | resource "aws_vpc_security_group_ingress_rule" "from_vpc" {
		112 |   cidr_ipv4         = var.account_config.shared_vpc_cidr
		113 |   ip_protocol       = "-1"
		114 |   security_group_id = aws_security_group.delius_microservices_service_nlb.id
		115 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: module.alfresco_sfs_ecs.aws_vpc_security_group_egress_rule.nlb_to_ecs_service
	File: /../helpers/delius_microservice/load_balancing.tf:117-124
	Calling File: /alfresco.tf:21-194
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		117 | resource "aws_vpc_security_group_egress_rule" "nlb_to_ecs_service" {
		118 |   for_each                     = toset([for _, v in var.container_port_config : tostring(v.containerPort)])
		119 |   ip_protocol                  = "TCP"
		120 |   from_port                    = each.value
		121 |   to_port                      = each.value
		122 |   security_group_id            = aws_security_group.delius_microservices_service_nlb.id
		123 |   referenced_security_group_id = aws_security_group.ecs_service.id
		124 | }

Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
	FAILED for resource: module.ldap_ecs.aws_lb.delius_microservices
	File: /../helpers/delius_microservice/load_balancing.tf:90-99
	Calling File: /ldap_ecs.tf:1-252
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-150

		90 | resource "aws_lb" "delius_microservices" {
		91 |   name                       = "${var.name}-${var.env_name}-service-nlb"
		92 |   internal                   = true
		93 |   load_balancer_type         = "network"
		94 |   security_groups            = [aws_security_group.delius_microservices_service_nlb.id]
		95 |   subnets                    = var.account_config.private_subnet_ids
		96 |   enable_deletion_protection = false
		97 |   drop_invalid_header_fields = true
		98 |   tags                       = var.tags
		99 | }

Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
	FAILED for resource: module.ldap_ecs.aws_lb.delius_microservices
	File: /../helpers/delius_microservice/load_balancing.tf:90-99
	Calling File: /ldap_ecs.tf:1-252
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22

		90 | resource "aws_lb" "delius_microservices" {
		91 |   name                       = "${var.name}-${var.env_name}-service-nlb"
		92 |   internal                   = true
		93 |   load_balancer_type         = "network"
		94 |   security_groups            = [aws_security_group.delius_microservices_service_nlb.id]
		95 |   subnets                    = var.account_config.private_subnet_ids
		96 |   enable_deletion_protection = false
		97 |   drop_invalid_header_fields = true
		98 |   tags                       = var.tags
		99 | }

Check: CKV_AWS_152: "Ensure that Load Balancer (Network/Gateway) has cross-zone load balancing enabled"
	FAILED for resource: module.ldap_ecs.aws_lb.delius_microservices
	File: /../helpers/delius_microservice/load_balancing.tf:90-99
	Calling File: /ldap_ecs.tf:1-252
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-load-balancer-networkgateway-has-cross-zone-load-balancing-enabled

		90 | resource "aws_lb" "delius_microservices" {
		91 |   name                       = "${var.name}-${var.env_name}-service-nlb"
		92 |   internal                   = true
		93 |   load_balancer_type         = "network"
		94 |   security_groups            = [aws_security_group.delius_microservices_service_nlb.id]
		95 |   subnets                    = var.account_config.private_subnet_ids
		96 |   enable_deletion_protection = false
		97 |   drop_invalid_header_fields = true
		98 |   tags                       = var.tags
		99 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: module.ldap_ecs.aws_vpc_security_group_ingress_rule.from_vpc
	File: /../helpers/delius_microservice/load_balancing.tf:111-115
	Calling File: /ldap_ecs.tf:1-252
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		111 | resource "aws_vpc_security_group_ingress_rule" "from_vpc" {
		112 |   cidr_ipv4         = var.account_config.shared_vpc_cidr
		113 |   ip_protocol       = "-1"
		114 |   security_group_id = aws_security_group.delius_microservices_service_nlb.id
		115 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: module.ldap_ecs.aws_vpc_security_group_egress_rule.nlb_to_ecs_service
	File: /../helpers/delius_microservice/load_balancing.tf:117-124
	Calling File: /ldap_ecs.tf:1-252
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		117 | resource "aws_vpc_security_group_egress_rule" "nlb_to_ecs_service" {
		118 |   for_each                     = toset([for _, v in var.container_port_config : tostring(v.containerPort)])
		119 |   ip_protocol                  = "TCP"
		120 |   from_port                    = each.value
		121 |   to_port                      = each.value
		122 |   security_group_id            = aws_security_group.delius_microservices_service_nlb.id
		123 |   referenced_security_group_id = aws_security_group.ecs_service.id
		124 | }

Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
	FAILED for resource: module.pwm.aws_lb.delius_microservices
	File: /../helpers/delius_microservice/load_balancing.tf:90-99
	Calling File: /pwm.tf:1-128
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-150

		90 | resource "aws_lb" "delius_microservices" {
		91 |   name                       = "${var.name}-${var.env_name}-service-nlb"
		92 |   internal                   = true
		93 |   load_balancer_type         = "network"
		94 |   security_groups            = [aws_security_group.delius_microservices_service_nlb.id]
		95 |   subnets                    = var.account_config.private_subnet_ids
		96 |   enable_deletion_protection = false
		97 |   drop_invalid_header_fields = true
		98 |   tags                       = var.tags
		99 | }

Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
	FAILED for resource: module.pwm.aws_lb.delius_microservices
	File: /../helpers/delius_microservice/load_balancing.tf:90-99
	Calling File: /pwm.tf:1-128
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22

		90 | resource "aws_lb" "delius_microservices" {
		91 |   name                       = "${var.name}-${var.env_name}-service-nlb"
		92 |   internal                   = true
		93 |   load_balancer_type         = "network"
		94 |   security_groups            = [aws_security_group.delius_microservices_service_nlb.id]
		95 |   subnets                    = var.account_config.private_subnet_ids
		96 |   enable_deletion_protection = false
		97 |   drop_invalid_header_fields = true
		98 |   tags                       = var.tags
		99 | }

Check: CKV_AWS_152: "Ensure that Load Balancer (Network/Gateway) has cross-zone load balancing enabled"
	FAILED for resource: module.pwm.aws_lb.delius_microservices
	File: /../helpers/delius_microservice/load_balancing.tf:90-99
	Calling File: /pwm.tf:1-128
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-load-balancer-networkgateway-has-cross-zone-load-balancing-enabled

		90 | resource "aws_lb" "delius_microservices" {
		91 |   name                       = "${var.name}-${var.env_name}-service-nlb"
		92 |   internal                   = true
		93 |   load_balancer_type         = "network"
		94 |   security_groups            = [aws_security_group.delius_microservices_service_nlb.id]
		95 |   subnets                    = var.account_config.private_subnet_ids
		96 |   enable_deletion_protection = false
		97 |   drop_invalid_header_fields = true
		98 |   tags                       = var.tags
		99 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: module.pwm.aws_vpc_security_group_ingress_rule.from_vpc
	File: /../helpers/delius_microservice/load_balancing.tf:111-115
	Calling File: /pwm.tf:1-128
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		111 | resource "aws_vpc_security_group_ingress_rule" "from_vpc" {
		112 |   cidr_ipv4         = var.account_config.shared_vpc_cidr
		113 |   ip_protocol       = "-1"
		114 |   security_group_id = aws_security_group.delius_microservices_service_nlb.id
		115 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: module.pwm.aws_vpc_security_group_egress_rule.nlb_to_ecs_service
	File: /../helpers/delius_microservice/load_balancing.tf:117-124
	Calling File: /pwm.tf:1-128
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		117 | resource "aws_vpc_security_group_egress_rule" "nlb_to_ecs_service" {
		118 |   for_each                     = toset([for _, v in var.container_port_config : tostring(v.containerPort)])
		119 |   ip_protocol                  = "TCP"
		120 |   from_port                    = each.value
		121 |   to_port                      = each.value
		122 |   security_group_id            = aws_security_group.delius_microservices_service_nlb.id
		123 |   referenced_security_group_id = aws_security_group.ecs_service.id
		124 | }

Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
	FAILED for resource: module.weblogic.aws_lb.delius_microservices
	File: /../helpers/delius_microservice/load_balancing.tf:90-99
	Calling File: /weblogic.tf:1-94
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-150

		90 | resource "aws_lb" "delius_microservices" {
		91 |   name                       = "${var.name}-${var.env_name}-service-nlb"
		92 |   internal                   = true
		93 |   load_balancer_type         = "network"
		94 |   security_groups            = [aws_security_group.delius_microservices_service_nlb.id]
		95 |   subnets                    = var.account_config.private_subnet_ids
		96 |   enable_deletion_protection = false
		97 |   drop_invalid_header_fields = true
		98 |   tags                       = var.tags
		99 | }

Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
	FAILED for resource: module.weblogic.aws_lb.delius_microservices
	File: /../helpers/delius_microservice/load_balancing.tf:90-99
	Calling File: /weblogic.tf:1-94
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22

		90 | resource "aws_lb" "delius_microservices" {
		91 |   name                       = "${var.name}-${var.env_name}-service-nlb"
		92 |   internal                   = true
		93 |   load_balancer_type         = "network"
		94 |   security_groups            = [aws_security_group.delius_microservices_service_nlb.id]
		95 |   subnets                    = var.account_config.private_subnet_ids
		96 |   enable_deletion_protection = false
		97 |   drop_invalid_header_fields = true
		98 |   tags                       = var.tags
		99 | }

Check: CKV_AWS_152: "Ensure that Load Balancer (Network/Gateway) has cross-zone load balancing enabled"
	FAILED for resource: module.weblogic.aws_lb.delius_microservices
	File: /../helpers/delius_microservice/load_balancing.tf:90-99
	Calling File: /weblogic.tf:1-94
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-load-balancer-networkgateway-has-cross-zone-load-balancing-enabled

		90 | resource "aws_lb" "delius_microservices" {
		91 |   name                       = "${var.name}-${var.env_name}-service-nlb"
		92 |   internal                   = true
		93 |   load_balancer_type         = "network"
		94 |   security_groups            = [aws_security_group.delius_microservices_service_nlb.id]
		95 |   subnets                    = var.account_config.private_subnet_ids
		96 |   enable_deletion_protection = false
		97 |   drop_invalid_header_fields = true
		98 |   tags                       = var.tags
		99 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: module.weblogic.aws_vpc_security_group_ingress_rule.from_vpc
	File: /../helpers/delius_microservice/load_balancing.tf:111-115
	Calling File: /weblogic.tf:1-94
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		111 | resource "aws_vpc_security_group_ingress_rule" "from_vpc" {
		112 |   cidr_ipv4         = var.account_config.shared_vpc_cidr
		113 |   ip_protocol       = "-1"
		114 |   security_group_id = aws_security_group.delius_microservices_service_nlb.id
		115 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: module.weblogic.aws_vpc_security_group_egress_rule.nlb_to_ecs_service
	File: /../helpers/delius_microservice/load_balancing.tf:117-124
	Calling File: /weblogic.tf:1-94
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		117 | resource "aws_vpc_security_group_egress_rule" "nlb_to_ecs_service" {
		118 |   for_each                     = toset([for _, v in var.container_port_config : tostring(v.containerPort)])
		119 |   ip_protocol                  = "TCP"
		120 |   from_port                    = each.value
		121 |   to_port                      = each.value
		122 |   security_group_id            = aws_security_group.delius_microservices_service_nlb.id
		123 |   referenced_security_group_id = aws_security_group.ecs_service.id
		124 | }

Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
	FAILED for resource: module.weblogic_eis.aws_lb.delius_microservices
	File: /../helpers/delius_microservice/load_balancing.tf:90-99
	Calling File: /weblogic_eis.tf:1-109
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-150

		90 | resource "aws_lb" "delius_microservices" {
		91 |   name                       = "${var.name}-${var.env_name}-service-nlb"
		92 |   internal                   = true
		93 |   load_balancer_type         = "network"
		94 |   security_groups            = [aws_security_group.delius_microservices_service_nlb.id]
		95 |   subnets                    = var.account_config.private_subnet_ids
		96 |   enable_deletion_protection = false
		97 |   drop_invalid_header_fields = true
		98 |   tags                       = var.tags
		99 | }

Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
	FAILED for resource: module.weblogic_eis.aws_lb.delius_microservices
	File: /../helpers/delius_microservice/load_balancing.tf:90-99
	Calling File: /weblogic_eis.tf:1-109
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22

		90 | resource "aws_lb" "delius_microservices" {
		91 |   name                       = "${var.name}-${var.env_name}-service-nlb"
		92 |   internal                   = true
		93 |   load_balancer_type         = "network"
		94 |   security_groups            = [aws_security_group.delius_microservices_service_nlb.id]
		95 |   subnets                    = var.account_config.private_subnet_ids
		96 |   enable_deletion_protection = false
		97 |   drop_invalid_header_fields = true
		98 |   tags                       = var.tags
		99 | }

Check: CKV_AWS_152: "Ensure that Load Balancer (Network/Gateway) has cross-zone load balancing enabled"
	FAILED for resource: module.weblogic_eis.aws_lb.delius_microservices
	File: /../helpers/delius_microservice/load_balancing.tf:90-99
	Calling File: /weblogic_eis.tf:1-109
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-load-balancer-networkgateway-has-cross-zone-load-balancing-enabled

		90 | resource "aws_lb" "delius_microservices" {
		91 |   name                       = "${var.name}-${var.env_name}-service-nlb"
		92 |   internal                   = true
		93 |   load_balancer_type         = "network"
		94 |   security_groups            = [aws_security_group.delius_microservices_service_nlb.id]
		95 |   subnets                    = var.account_config.private_subnet_ids
		96 |   enable_deletion_protection = false
		97 |   drop_invalid_header_fields = true
		98 |   tags                       = var.tags
		99 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: module.weblogic_eis.aws_vpc_security_group_ingress_rule.from_vpc
	File: /../helpers/delius_microservice/load_balancing.tf:111-115
	Calling File: /weblogic_eis.tf:1-109
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		111 | resource "aws_vpc_security_group_ingress_rule" "from_vpc" {
		112 |   cidr_ipv4         = var.account_config.shared_vpc_cidr
		113 |   ip_protocol       = "-1"
		114 |   security_group_id = aws_security_group.delius_microservices_service_nlb.id
		115 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: module.weblogic_eis.aws_vpc_security_group_egress_rule.nlb_to_ecs_service
	File: /../helpers/delius_microservice/load_balancing.tf:117-124
	Calling File: /weblogic_eis.tf:1-109
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		117 | resource "aws_vpc_security_group_egress_rule" "nlb_to_ecs_service" {
		118 |   for_each                     = toset([for _, v in var.container_port_config : tostring(v.containerPort)])
		119 |   ip_protocol                  = "TCP"
		120 |   from_port                    = each.value
		121 |   to_port                      = each.value
		122 |   security_group_id            = aws_security_group.delius_microservices_service_nlb.id
		123 |   referenced_security_group_id = aws_security_group.ecs_service.id
		124 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: module.alfresco_sfs_ecs.aws_security_group_rule.all_cluster_to_ecs_service_tcp
	File: /../helpers/delius_microservice/sg.tf:52-60
	Calling File: /alfresco.tf:21-194
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		52 | resource "aws_security_group_rule" "all_cluster_to_ecs_service_tcp" {
		53 |   for_each                 = toset([for _, v in var.container_port_config : tostring(v.containerPort)])
		54 |   security_group_id        = aws_security_group.ecs_service.id
		55 |   type                     = "ingress"
		56 |   from_port                = each.value
		57 |   to_port                  = each.value
		58 |   protocol                 = "tcp"
		59 |   source_security_group_id = var.cluster_security_group_id
		60 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: module.alfresco_sfs_ecs.aws_security_group_rule.bastion_to_ecs_service_tcp
	File: /../helpers/delius_microservice/sg.tf:62-70
	Calling File: /alfresco.tf:21-194
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		62 | resource "aws_security_group_rule" "bastion_to_ecs_service_tcp" {
		63 |   for_each                 = toset([for _, v in var.container_port_config : tostring(v.containerPort)])
		64 |   security_group_id        = aws_security_group.ecs_service.id
		65 |   type                     = "ingress"
		66 |   from_port                = each.value
		67 |   to_port                  = each.value
		68 |   protocol                 = "tcp"
		69 |   source_security_group_id = var.bastion_sg_id
		70 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: module.ldap_ecs.aws_security_group_rule.all_cluster_to_ecs_service_tcp
	File: /../helpers/delius_microservice/sg.tf:52-60
	Calling File: /ldap_ecs.tf:1-252
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		52 | resource "aws_security_group_rule" "all_cluster_to_ecs_service_tcp" {
		53 |   for_each                 = toset([for _, v in var.container_port_config : tostring(v.containerPort)])
		54 |   security_group_id        = aws_security_group.ecs_service.id
		55 |   type                     = "ingress"
		56 |   from_port                = each.value
		57 |   to_port                  = each.value
		58 |   protocol                 = "tcp"
		59 |   source_security_group_id = var.cluster_security_group_id
		60 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: module.ldap_ecs.aws_security_group_rule.bastion_to_ecs_service_tcp
	File: /../helpers/delius_microservice/sg.tf:62-70
	Calling File: /ldap_ecs.tf:1-252
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		62 | resource "aws_security_group_rule" "bastion_to_ecs_service_tcp" {
		63 |   for_each                 = toset([for _, v in var.container_port_config : tostring(v.containerPort)])
		64 |   security_group_id        = aws_security_group.ecs_service.id
		65 |   type                     = "ingress"
		66 |   from_port                = each.value
		67 |   to_port                  = each.value
		68 |   protocol                 = "tcp"
		69 |   source_security_group_id = var.bastion_sg_id
		70 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: module.pwm.aws_security_group_rule.all_cluster_to_ecs_service_tcp
	File: /../helpers/delius_microservice/sg.tf:52-60
	Calling File: /pwm.tf:1-128
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		52 | resource "aws_security_group_rule" "all_cluster_to_ecs_service_tcp" {
		53 |   for_each                 = toset([for _, v in var.container_port_config : tostring(v.containerPort)])
		54 |   security_group_id        = aws_security_group.ecs_service.id
		55 |   type                     = "ingress"
		56 |   from_port                = each.value
		57 |   to_port                  = each.value
		58 |   protocol                 = "tcp"
		59 |   source_security_group_id = var.cluster_security_group_id
		60 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: module.pwm.aws_security_group_rule.bastion_to_ecs_service_tcp
	File: /../helpers/delius_microservice/sg.tf:62-70
	Calling File: /pwm.tf:1-128
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		62 | resource "aws_security_group_rule" "bastion_to_ecs_service_tcp" {
		63 |   for_each                 = toset([for _, v in var.container_port_config : tostring(v.containerPort)])
		64 |   security_group_id        = aws_security_group.ecs_service.id
		65 |   type                     = "ingress"
		66 |   from_port                = each.value
		67 |   to_port                  = each.value
		68 |   protocol                 = "tcp"
		69 |   source_security_group_id = var.bastion_sg_id
		70 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: module.weblogic.aws_security_group_rule.all_cluster_to_ecs_service_tcp
	File: /../helpers/delius_microservice/sg.tf:52-60
	Calling File: /weblogic.tf:1-94
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		52 | resource "aws_security_group_rule" "all_cluster_to_ecs_service_tcp" {
		53 |   for_each                 = toset([for _, v in var.container_port_config : tostring(v.containerPort)])
		54 |   security_group_id        = aws_security_group.ecs_service.id
		55 |   type                     = "ingress"
		56 |   from_port                = each.value
		57 |   to_port                  = each.value
		58 |   protocol                 = "tcp"
		59 |   source_security_group_id = var.cluster_security_group_id
		60 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: module.weblogic.aws_security_group_rule.bastion_to_ecs_service_tcp
	File: /../helpers/delius_microservice/sg.tf:62-70
	Calling File: /weblogic.tf:1-94
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		62 | resource "aws_security_group_rule" "bastion_to_ecs_service_tcp" {
		63 |   for_each                 = toset([for _, v in var.container_port_config : tostring(v.containerPort)])
		64 |   security_group_id        = aws_security_group.ecs_service.id
		65 |   type                     = "ingress"
		66 |   from_port                = each.value
		67 |   to_port                  = each.value
		68 |   protocol                 = "tcp"
		69 |   source_security_group_id = var.bastion_sg_id
		70 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: module.weblogic_eis.aws_security_group_rule.all_cluster_to_ecs_service_tcp
	File: /../helpers/delius_microservice/sg.tf:52-60
	Calling File: /weblogic_eis.tf:1-109
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		52 | resource "aws_security_group_rule" "all_cluster_to_ecs_service_tcp" {
		53 |   for_each                 = toset([for _, v in var.container_port_config : tostring(v.containerPort)])
		54 |   security_group_id        = aws_security_group.ecs_service.id
		55 |   type                     = "ingress"
		56 |   from_port                = each.value
		57 |   to_port                  = each.value
		58 |   protocol                 = "tcp"
		59 |   source_security_group_id = var.cluster_security_group_id
		60 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: module.weblogic_eis.aws_security_group_rule.bastion_to_ecs_service_tcp
	File: /../helpers/delius_microservice/sg.tf:62-70
	Calling File: /weblogic_eis.tf:1-109
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		62 | resource "aws_security_group_rule" "bastion_to_ecs_service_tcp" {
		63 |   for_each                 = toset([for _, v in var.container_port_config : tostring(v.containerPort)])
		64 |   security_group_id        = aws_security_group.ecs_service.id
		65 |   type                     = "ingress"
		66 |   from_port                = each.value
		67 |   to_port                  = each.value
		68 |   protocol                 = "tcp"
		69 |   source_security_group_id = var.bastion_sg_id
		70 | }

Check: CKV_AWS_108: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: module.alfresco_sfs_ecs.module.ecs_policies.aws_iam_policy_document.task_exec
	File: /../helpers/ecs_policies/main.tf:104-122
	Calling File: /../helpers/delius_microservice/ecs.tf:28-35
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-data-exfiltration

		104 | data "aws_iam_policy_document" "task_exec" {
		105 |   statement {
		106 |     effect    = "Allow"
		107 |     resources = ["*"]
		108 | 
		109 |     actions = [
		110 |       "ssm:GetParameters",
		111 |       "ecr:GetAuthorizationToken",
		112 |       "ecr:BatchCheckLayerAvailability",
		113 |       "ecr:GetDownloadUrlForLayer",
		114 |       "ecr:BatchGetImage",
		115 |       "logs:CreateLogGroup",
		116 |       "logs:CreateLogStream",
		117 |       "logs:PutLogEvents",
		118 |       "secretsmanager:GetSecretValue",
		119 |       "kms:Decrypt",
		120 |     ]
		121 |   }
		122 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.alfresco_sfs_ecs.module.ecs_policies.aws_iam_policy_document.task_exec
	File: /../helpers/ecs_policies/main.tf:104-122
	Calling File: /../helpers/delius_microservice/ecs.tf:28-35
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		104 | data "aws_iam_policy_document" "task_exec" {
		105 |   statement {
		106 |     effect    = "Allow"
		107 |     resources = ["*"]
		108 | 
		109 |     actions = [
		110 |       "ssm:GetParameters",
		111 |       "ecr:GetAuthorizationToken",
		112 |       "ecr:BatchCheckLayerAvailability",
		113 |       "ecr:GetDownloadUrlForLayer",
		114 |       "ecr:BatchGetImage",
		115 |       "logs:CreateLogGroup",
		116 |       "logs:CreateLogStream",
		117 |       "logs:PutLogEvents",
		118 |       "secretsmanager:GetSecretValue",
		119 |       "kms:Decrypt",
		120 |     ]
		121 |   }
		122 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: module.alfresco_sfs_ecs.module.ecs_policies.aws_iam_policy_document.task_exec
	File: /../helpers/ecs_policies/main.tf:104-122
	Calling File: /../helpers/delius_microservice/ecs.tf:28-35
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		104 | data "aws_iam_policy_document" "task_exec" {
		105 |   statement {
		106 |     effect    = "Allow"
		107 |     resources = ["*"]
		108 | 
		109 |     actions = [
		110 |       "ssm:GetParameters",
		111 |       "ecr:GetAuthorizationToken",
		112 |       "ecr:BatchCheckLayerAvailability",
		113 |       "ecr:GetDownloadUrlForLayer",
		114 |       "ecr:BatchGetImage",
		115 |       "logs:CreateLogGroup",
		116 |       "logs:CreateLogStream",
		117 |       "logs:PutLogEvents",
		118 |       "secretsmanager:GetSecretValue",
		119 |       "kms:Decrypt",
		120 |     ]
		121 |   }
		122 | }

Check: CKV_AWS_108: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: module.ldap_ecs.module.ecs_policies.aws_iam_policy_document.task_exec
	File: /../helpers/ecs_policies/main.tf:104-122
	Calling File: /../helpers/delius_microservice/ecs.tf:28-35
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-data-exfiltration

		104 | data "aws_iam_policy_document" "task_exec" {
		105 |   statement {
		106 |     effect    = "Allow"
		107 |     resources = ["*"]
		108 | 
		109 |     actions = [
		110 |       "ssm:GetParameters",
		111 |       "ecr:GetAuthorizationToken",
		112 |       "ecr:BatchCheckLayerAvailability",
		113 |       "ecr:GetDownloadUrlForLayer",
		114 |       "ecr:BatchGetImage",
		115 |       "logs:CreateLogGroup",
		116 |       "logs:CreateLogStream",
		117 |       "logs:PutLogEvents",
		118 |       "secretsmanager:GetSecretValue",
		119 |       "kms:Decrypt",
		120 |     ]
		121 |   }
		122 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.ldap_ecs.module.ecs_policies.aws_iam_policy_document.task_exec
	File: /../helpers/ecs_policies/main.tf:104-122
	Calling File: /../helpers/delius_microservice/ecs.tf:28-35
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		104 | data "aws_iam_policy_document" "task_exec" {
		105 |   statement {
		106 |     effect    = "Allow"
		107 |     resources = ["*"]
		108 | 
		109 |     actions = [
		110 |       "ssm:GetParameters",
		111 |       "ecr:GetAuthorizationToken",
		112 |       "ecr:BatchCheckLayerAvailability",
		113 |       "ecr:GetDownloadUrlForLayer",
		114 |       "ecr:BatchGetImage",
		115 |       "logs:CreateLogGroup",
		116 |       "logs:CreateLogStream",
		117 |       "logs:PutLogEvents",
		118 |       "secretsmanager:GetSecretValue",
		119 |       "kms:Decrypt",
		120 |     ]
		121 |   }
		122 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: module.ldap_ecs.module.ecs_policies.aws_iam_policy_document.task_exec
	File: /../helpers/ecs_policies/main.tf:104-122
	Calling File: /../helpers/delius_microservice/ecs.tf:28-35
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		104 | data "aws_iam_policy_document" "task_exec" {
		105 |   statement {
		106 |     effect    = "Allow"
		107 |     resources = ["*"]
		108 | 
		109 |     actions = [
		110 |       "ssm:GetParameters",
		111 |       "ecr:GetAuthorizationToken",
		112 |       "ecr:BatchCheckLayerAvailability",
		113 |       "ecr:GetDownloadUrlForLayer",
		114 |       "ecr:BatchGetImage",
		115 |       "logs:CreateLogGroup",
		116 |       "logs:CreateLogStream",
		117 |       "logs:PutLogEvents",
		118 |       "secretsmanager:GetSecretValue",
		119 |       "kms:Decrypt",
		120 |     ]
		121 |   }
		122 | }

Check: CKV_AWS_108: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: module.pwm.module.ecs_policies.aws_iam_policy_document.task_exec
	File: /../helpers/ecs_policies/main.tf:104-122
	Calling File: /../helpers/delius_microservice/ecs.tf:28-35
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-data-exfiltration

		104 | data "aws_iam_policy_document" "task_exec" {
		105 |   statement {
		106 |     effect    = "Allow"
		107 |     resources = ["*"]
		108 | 
		109 |     actions = [
		110 |       "ssm:GetParameters",
		111 |       "ecr:GetAuthorizationToken",
		112 |       "ecr:BatchCheckLayerAvailability",
		113 |       "ecr:GetDownloadUrlForLayer",
		114 |       "ecr:BatchGetImage",
		115 |       "logs:CreateLogGroup",
		116 |       "logs:CreateLogStream",
		117 |       "logs:PutLogEvents",
		118 |       "secretsmanager:GetSecretValue",
		119 |       "kms:Decrypt",
		120 |     ]
		121 |   }
		122 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.pwm.module.ecs_policies.aws_iam_policy_document.task_exec
	File: /../helpers/ecs_policies/main.tf:104-122
	Calling File: /../helpers/delius_microservice/ecs.tf:28-35
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		104 | data "aws_iam_policy_document" "task_exec" {
		105 |   statement {
		106 |     effect    = "Allow"
		107 |     resources = ["*"]
		108 | 
		109 |     actions = [
		110 |       "ssm:GetParameters",
		111 |       "ecr:GetAuthorizationToken",
		112 |       "ecr:BatchCheckLayerAvailability",
		113 |       "ecr:GetDownloadUrlForLayer",
		114 |       "ecr:BatchGetImage",
		115 |       "logs:CreateLogGroup",
		116 |       "logs:CreateLogStream",
		117 |       "logs:PutLogEvents",
		118 |       "secretsmanager:GetSecretValue",
		119 |       "kms:Decrypt",
		120 |     ]
		121 |   }
		122 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: module.pwm.module.ecs_policies.aws_iam_policy_document.task_exec
	File: /../helpers/ecs_policies/main.tf:104-122
	Calling File: /../helpers/delius_microservice/ecs.tf:28-35
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		104 | data "aws_iam_policy_document" "task_exec" {
		105 |   statement {
		106 |     effect    = "Allow"
		107 |     resources = ["*"]
		108 | 
		109 |     actions = [
		110 |       "ssm:GetParameters",
		111 |       "ecr:GetAuthorizationToken",
		112 |       "ecr:BatchCheckLayerAvailability",
		113 |       "ecr:GetDownloadUrlForLayer",
		114 |       "ecr:BatchGetImage",
		115 |       "logs:CreateLogGroup",
		116 |       "logs:CreateLogStream",
		117 |       "logs:PutLogEvents",
		118 |       "secretsmanager:GetSecretValue",
		119 |       "kms:Decrypt",
		120 |     ]
		121 |   }
		122 | }

Check: CKV_AWS_108: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: module.weblogic.module.ecs_policies.aws_iam_policy_document.task_exec
	File: /../helpers/ecs_policies/main.tf:104-122
	Calling File: /../helpers/delius_microservice/ecs.tf:28-35
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-data-exfiltration

		104 | data "aws_iam_policy_document" "task_exec" {
		105 |   statement {
		106 |     effect    = "Allow"
		107 |     resources = ["*"]
		108 | 
		109 |     actions = [
		110 |       "ssm:GetParameters",
		111 |       "ecr:GetAuthorizationToken",
		112 |       "ecr:BatchCheckLayerAvailability",
		113 |       "ecr:GetDownloadUrlForLayer",
		114 |       "ecr:BatchGetImage",
		115 |       "logs:CreateLogGroup",
		116 |       "logs:CreateLogStream",
		117 |       "logs:PutLogEvents",
		118 |       "secretsmanager:GetSecretValue",
		119 |       "kms:Decrypt",
		120 |     ]
		121 |   }
		122 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.weblogic.module.ecs_policies.aws_iam_policy_document.task_exec
	File: /../helpers/ecs_policies/main.tf:104-122
	Calling File: /../helpers/delius_microservice/ecs.tf:28-35
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		104 | data "aws_iam_policy_document" "task_exec" {
		105 |   statement {
		106 |     effect    = "Allow"
		107 |     resources = ["*"]
		108 | 
		109 |     actions = [
		110 |       "ssm:GetParameters",
		111 |       "ecr:GetAuthorizationToken",
		112 |       "ecr:BatchCheckLayerAvailability",
		113 |       "ecr:GetDownloadUrlForLayer",
		114 |       "ecr:BatchGetImage",
		115 |       "logs:CreateLogGroup",
		116 |       "logs:CreateLogStream",
		117 |       "logs:PutLogEvents",
		118 |       "secretsmanager:GetSecretValue",
		119 |       "kms:Decrypt",
		120 |     ]
		121 |   }
		122 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: module.weblogic.module.ecs_policies.aws_iam_policy_document.task_exec
	File: /../helpers/ecs_policies/main.tf:104-122
	Calling File: /../helpers/delius_microservice/ecs.tf:28-35
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		104 | data "aws_iam_policy_document" "task_exec" {
		105 |   statement {
		106 |     effect    = "Allow"
		107 |     resources = ["*"]
		108 | 
		109 |     actions = [
		110 |       "ssm:GetParameters",
		111 |       "ecr:GetAuthorizationToken",
		112 |       "ecr:BatchCheckLayerAvailability",
		113 |       "ecr:GetDownloadUrlForLayer",
		114 |       "ecr:BatchGetImage",
		115 |       "logs:CreateLogGroup",
		116 |       "logs:CreateLogStream",
		117 |       "logs:PutLogEvents",
		118 |       "secretsmanager:GetSecretValue",
		119 |       "kms:Decrypt",
		120 |     ]
		121 |   }
		122 | }

Check: CKV_AWS_108: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: module.weblogic_eis.module.ecs_policies.aws_iam_policy_document.task_exec
	File: /../helpers/ecs_policies/main.tf:104-122
	Calling File: /../helpers/delius_microservice/ecs.tf:28-35
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-data-exfiltration

		104 | data "aws_iam_policy_document" "task_exec" {
		105 |   statement {
		106 |     effect    = "Allow"
		107 |     resources = ["*"]
		108 | 
		109 |     actions = [
		110 |       "ssm:GetParameters",
		111 |       "ecr:GetAuthorizationToken",
		112 |       "ecr:BatchCheckLayerAvailability",
		113 |       "ecr:GetDownloadUrlForLayer",
		114 |       "ecr:BatchGetImage",
		115 |       "logs:CreateLogGroup",
		116 |       "logs:CreateLogStream",
		117 |       "logs:PutLogEvents",
		118 |       "secretsmanager:GetSecretValue",
		119 |       "kms:Decrypt",
		120 |     ]
		121 |   }
		122 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.weblogic_eis.module.ecs_policies.aws_iam_policy_document.task_exec
	File: /../helpers/ecs_policies/main.tf:104-122
	Calling File: /../helpers/delius_microservice/ecs.tf:28-35
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		104 | data "aws_iam_policy_document" "task_exec" {
		105 |   statement {
		106 |     effect    = "Allow"
		107 |     resources = ["*"]
		108 | 
		109 |     actions = [
		110 |       "ssm:GetParameters",
		111 |       "ecr:GetAuthorizationToken",
		112 |       "ecr:BatchCheckLayerAvailability",
		113 |       "ecr:GetDownloadUrlForLayer",
		114 |       "ecr:BatchGetImage",
		115 |       "logs:CreateLogGroup",
		116 |       "logs:CreateLogStream",
		117 |       "logs:PutLogEvents",
		118 |       "secretsmanager:GetSecretValue",
		119 |       "kms:Decrypt",
		120 |     ]
		121 |   }
		122 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: module.weblogic_eis.module.ecs_policies.aws_iam_policy_document.task_exec
	File: /../helpers/ecs_policies/main.tf:104-122
	Calling File: /../helpers/delius_microservice/ecs.tf:28-35
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		104 | data "aws_iam_policy_document" "task_exec" {
		105 |   statement {
		106 |     effect    = "Allow"
		107 |     resources = ["*"]
		108 | 
		109 |     actions = [
		110 |       "ssm:GetParameters",
		111 |       "ecr:GetAuthorizationToken",
		112 |       "ecr:BatchCheckLayerAvailability",
		113 |       "ecr:GetDownloadUrlForLayer",
		114 |       "ecr:BatchGetImage",
		115 |       "logs:CreateLogGroup",
		116 |       "logs:CreateLogStream",
		117 |       "logs:PutLogEvents",
		118 |       "secretsmanager:GetSecretValue",
		119 |       "kms:Decrypt",
		120 |     ]
		121 |   }
		122 | }

Check: CKV_AWS_329: "EFS access points should enforce a root directory"
	FAILED for resource: module.ldap.module.efs.aws_efs_access_point.this
	File: /../helpers/efs/main.tf:26-37
	Calling File: /../components/ldap/efs.tf:1-18
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-329

		26 | resource "aws_efs_access_point" "this" {
		27 |   file_system_id = aws_efs_file_system.this.id
		28 |   root_directory {
		29 |     path = "/"
		30 |   }
		31 |   tags = merge(
		32 |     var.tags,
		33 |     {
		34 |       Name = "${var.account_info.application_name}-${var.env_name}-efs-access-point"
		35 |     }
		36 |   )
		37 | }

Check: CKV_AWS_330: "EFS access points should enforce a user identity"
	FAILED for resource: module.ldap.module.efs.aws_efs_access_point.this
	File: /../helpers/efs/main.tf:26-37
	Calling File: /../components/ldap/efs.tf:1-18
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-330

		26 | resource "aws_efs_access_point" "this" {
		27 |   file_system_id = aws_efs_file_system.this.id
		28 |   root_directory {
		29 |     path = "/"
		30 |   }
		31 |   tags = merge(
		32 |     var.tags,
		33 |     {
		34 |       Name = "${var.account_info.application_name}-${var.env_name}-efs-access-point"
		35 |     }
		36 |   )
		37 | }

Check: CKV_AWS_329: "EFS access points should enforce a root directory"
	FAILED for resource: module.alfresco_efs.aws_efs_access_point.this
	File: /../helpers/efs/main.tf:26-37
	Calling File: /alfresco.tf:1-18
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-329

		26 | resource "aws_efs_access_point" "this" {
		27 |   file_system_id = aws_efs_file_system.this.id
		28 |   root_directory {
		29 |     path = "/"
		30 |   }
		31 |   tags = merge(
		32 |     var.tags,
		33 |     {
		34 |       Name = "${var.account_info.application_name}-${var.env_name}-efs-access-point"
		35 |     }
		36 |   )
		37 | }

Check: CKV_AWS_330: "EFS access points should enforce a user identity"
	FAILED for resource: module.alfresco_efs.aws_efs_access_point.this
	File: /../helpers/efs/main.tf:26-37
	Calling File: /alfresco.tf:1-18
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-330

		26 | resource "aws_efs_access_point" "this" {
		27 |   file_system_id = aws_efs_file_system.this.id
		28 |   root_directory {
		29 |     path = "/"
		30 |   }
		31 |   tags = merge(
		32 |     var.tags,
		33 |     {
		34 |       Name = "${var.account_info.application_name}-${var.env_name}-efs-access-point"
		35 |     }
		36 |   )
		37 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: module.weblogic_ssm.aws_ssm_parameter.secure
	File: /../helpers/ssm_params/main.tf:11-19
	Calling File: /weblogic_params.tf:135-141
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		11 | resource "aws_ssm_parameter" "secure" {
		12 |   for_each = toset([for item in var.params_secure : item])
		13 |   name     = "/${var.environment_name}/${var.application_name}/${each.value}"
		14 |   type     = "SecureString"
		15 |   value    = "change_me"
		16 |   lifecycle {
		17 |     ignore_changes = [value]
		18 |   }
		19 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.cluster
	File: /common_ecs.tf:9-15
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		9  | resource "aws_security_group" "cluster" {
		10 |   name_prefix = "ecs-cluster-${var.env_name}"
		11 |   vpc_id      = var.account_config.shared_vpc_id
		12 |   lifecycle {
		13 |     create_before_destroy = true
		14 |   }
		15 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: module.alfresco_sfs_ecs.aws_security_group.ecs_service
	File: /../helpers/delius_microservice/sg.tf:2-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		2  | resource "aws_security_group" "ecs_service" {
		3  |   name        = "ecs-service-${var.name}-${var.env_name}"
		4  |   description = "Security group for the ${var.env_name} ${var.name} service"
		5  |   vpc_id      = var.account_config.shared_vpc_id
		6  |   tags        = var.tags
		7  |   lifecycle {
		8  |     create_before_destroy = true
		9  |   }
		10 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: module.ldap_ecs.aws_security_group.ecs_service
	File: /../helpers/delius_microservice/sg.tf:2-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		2  | resource "aws_security_group" "ecs_service" {
		3  |   name        = "ecs-service-${var.name}-${var.env_name}"
		4  |   description = "Security group for the ${var.env_name} ${var.name} service"
		5  |   vpc_id      = var.account_config.shared_vpc_id
		6  |   tags        = var.tags
		7  |   lifecycle {
		8  |     create_before_destroy = true
		9  |   }
		10 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: module.pwm.aws_security_group.ecs_service
	File: /../helpers/delius_microservice/sg.tf:2-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		2  | resource "aws_security_group" "ecs_service" {
		3  |   name        = "ecs-service-${var.name}-${var.env_name}"
		4  |   description = "Security group for the ${var.env_name} ${var.name} service"
		5  |   vpc_id      = var.account_config.shared_vpc_id
		6  |   tags        = var.tags
		7  |   lifecycle {
		8  |     create_before_destroy = true
		9  |   }
		10 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: module.weblogic.aws_security_group.ecs_service
	File: /../helpers/delius_microservice/sg.tf:2-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		2  | resource "aws_security_group" "ecs_service" {
		3  |   name        = "ecs-service-${var.name}-${var.env_name}"
		4  |   description = "Security group for the ${var.env_name} ${var.name} service"
		5  |   vpc_id      = var.account_config.shared_vpc_id
		6  |   tags        = var.tags
		7  |   lifecycle {
		8  |     create_before_destroy = true
		9  |   }
		10 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: module.weblogic_eis.aws_security_group.ecs_service
	File: /../helpers/delius_microservice/sg.tf:2-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		2  | resource "aws_security_group" "ecs_service" {
		3  |   name        = "ecs-service-${var.name}-${var.env_name}"
		4  |   description = "Security group for the ${var.env_name} ${var.name} service"
		5  |   vpc_id      = var.account_config.shared_vpc_id
		6  |   tags        = var.tags
		7  |   lifecycle {
		8  |     create_before_destroy = true
		9  |   }
		10 | }

Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
	FAILED for resource: aws_ssm_parameter.weblogic_eis_google_analytics_id
	File: /weblogic_eis.tf:116-123
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted

		116 | resource "aws_ssm_parameter" "weblogic_eis_google_analytics_id" {
		117 |   name  = "/${var.env_name}/delius/monitoring/analytics/google_id"
		118 |   type  = "String"
		119 |   value = "DEFAULT"
		120 |   lifecycle {
		121 |     ignore_changes = [value]
		122 |   }
		123 | }

Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
	FAILED for resource: module.weblogic_ssm.aws_ssm_parameter.plain
	File: /../helpers/ssm_params/main.tf:1-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted

		1 | resource "aws_ssm_parameter" "plain" {
		2 |   for_each = toset([for item in var.params_plain : item])
		3 |   name     = "/${var.environment_name}/${var.application_name}/${each.value}"
		4 |   type     = "String"
		5 |   value    = "change_me"
		6 |   lifecycle {
		7 |     ignore_changes = [value]
		8 |   }
		9 | }

Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
	FAILED for resource: module.alfresco_sfs_ecs.aws_db_instance.this
	File: /../helpers/delius_microservice/rds.tf:65-111
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-60

		65  | resource "aws_db_instance" "this" {
		66  |   count          = var.create_rds ? 1 : 0
		67  |   engine         = var.rds_engine
		68  |   license_model  = var.rds_license_model != null ? var.rds_license_model : null
		69  |   engine_version = var.rds_engine_version
		70  |   instance_class = var.rds_instance_class
		71  |   identifier     = "${var.name}-${var.env_name}-db"
		72  |   username       = var.rds_username
		73  | 
		74  |   manage_master_user_password = true
		75  | 
		76  |   snapshot_identifier = var.snapshot_identifier != null ? var.snapshot_identifier : null
		77  | 
		78  |   kms_key_id = var.account_config.kms_keys.rds_shared
		79  | 
		80  |   allow_major_version_upgrade = var.rds_allow_major_version_upgrade
		81  |   apply_immediately           = var.rds_apply_immediately
		82  | 
		83  |   # tflint-ignore: aws_db_instance_default_parameter_group
		84  |   parameter_group_name                = var.rds_parameter_group_name
		85  |   deletion_protection                 = var.rds_deletion_protection
		86  |   delete_automated_backups            = var.rds_delete_automated_backups
		87  |   skip_final_snapshot                 = var.rds_skip_final_snapshot
		88  |   final_snapshot_identifier           = !var.rds_skip_final_snapshot ? "${var.name}-${var.env_name}-db-final-${random_id.rds_suffix.hex}" : null
		89  |   allocated_storage                   = var.rds_allocated_storage
		90  |   max_allocated_storage               = var.rds_max_allocated_storage
		91  |   storage_type                        = var.rds_storage_type
		92  |   maintenance_window                  = var.maintenance_window
		93  |   auto_minor_version_upgrade          = true
		94  |   backup_window                       = var.rds_backup_window
		95  |   backup_retention_period             = var.rds_backup_retention_period
		96  |   iam_database_authentication_enabled = var.rds_iam_database_authentication_enabled
		97  |   db_subnet_group_name                = aws_db_subnet_group.this[0].id
		98  |   vpc_security_group_ids              = [aws_security_group.db[0].id]
		99  |   multi_az                            = var.rds_multi_az
		100 |   monitoring_interval                 = var.rds_monitoring_interval
		101 |   monitoring_role_arn                 = var.rds_monitoring_interval != null || var.rds_monitoring_interval != 0 ? aws_iam_role.rds_enhanced_monitoring[0].arn : null
		102 |   #checkov:skip=CKV_AWS_118: "enhanced monitoring is enabled, but optional"
		103 |   storage_encrypted               = true
		104 |   performance_insights_enabled    = var.rds_performance_insights_enabled
		105 |   performance_insights_kms_key_id = var.rds_performance_insights_enabled ? var.account_config.kms_keys.general_shared : null
		106 |   enabled_cloudwatch_logs_exports = var.rds_enabled_cloudwatch_logs_exports
		107 |   tags = merge(var.tags,
		108 |     { Name = lower(format("%s-%s-database", var.name, var.env_name)) },
		109 |     var.enable_platform_backups != null ? { "backup" = var.enable_platform_backups ? "true" : "false" } : {}
		110 |   )
		111 | }

Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
	FAILED for resource: module.ldap_ecs.aws_db_instance.this
	File: /../helpers/delius_microservice/rds.tf:65-111
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-60

		65  | resource "aws_db_instance" "this" {
		66  |   count          = var.create_rds ? 1 : 0
		67  |   engine         = var.rds_engine
		68  |   license_model  = var.rds_license_model != null ? var.rds_license_model : null
		69  |   engine_version = var.rds_engine_version
		70  |   instance_class = var.rds_instance_class
		71  |   identifier     = "${var.name}-${var.env_name}-db"
		72  |   username       = var.rds_username
		73  | 
		74  |   manage_master_user_password = true
		75  | 
		76  |   snapshot_identifier = var.snapshot_identifier != null ? var.snapshot_identifier : null
		77  | 
		78  |   kms_key_id = var.account_config.kms_keys.rds_shared
		79  | 
		80  |   allow_major_version_upgrade = var.rds_allow_major_version_upgrade
		81  |   apply_immediately           = var.rds_apply_immediately
		82  | 
		83  |   # tflint-ignore: aws_db_instance_default_parameter_group
		84  |   parameter_group_name                = var.rds_parameter_group_name
		85  |   deletion_protection                 = var.rds_deletion_protection
		86  |   delete_automated_backups            = var.rds_delete_automated_backups
		87  |   skip_final_snapshot                 = var.rds_skip_final_snapshot
		88  |   final_snapshot_identifier           = !var.rds_skip_final_snapshot ? "${var.name}-${var.env_name}-db-final-${random_id.rds_suffix.hex}" : null
		89  |   allocated_storage                   = var.rds_allocated_storage
		90  |   max_allocated_storage               = var.rds_max_allocated_storage
		91  |   storage_type                        = var.rds_storage_type
		92  |   maintenance_window                  = var.maintenance_window
		93  |   auto_minor_version_upgrade          = true
		94  |   backup_window                       = var.rds_backup_window
		95  |   backup_retention_period             = var.rds_backup_retention_period
		96  |   iam_database_authentication_enabled = var.rds_iam_database_authentication_enabled
		97  |   db_subnet_group_name                = aws_db_subnet_group.this[0].id
		98  |   vpc_security_group_ids              = [aws_security_group.db[0].id]
		99  |   multi_az                            = var.rds_multi_az
		100 |   monitoring_interval                 = var.rds_monitoring_interval
		101 |   monitoring_role_arn                 = var.rds_monitoring_interval != null || var.rds_monitoring_interval != 0 ? aws_iam_role.rds_enhanced_monitoring[0].arn : null
		102 |   #checkov:skip=CKV_AWS_118: "enhanced monitoring is enabled, but optional"
		103 |   storage_encrypted               = true
		104 |   performance_insights_enabled    = var.rds_performance_insights_enabled
		105 |   performance_insights_kms_key_id = var.rds_performance_insights_enabled ? var.account_config.kms_keys.general_shared : null
		106 |   enabled_cloudwatch_logs_exports = var.rds_enabled_cloudwatch_logs_exports
		107 |   tags = merge(var.tags,
		108 |     { Name = lower(format("%s-%s-database", var.name, var.env_name)) },
		109 |     var.enable_platform_backups != null ? { "backup" = var.enable_platform_backups ? "true" : "false" } : {}
		110 |   )
		111 | }

Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
	FAILED for resource: module.pwm.aws_db_instance.this
	File: /../helpers/delius_microservice/rds.tf:65-111
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-60

		65  | resource "aws_db_instance" "this" {
		66  |   count          = var.create_rds ? 1 : 0
		67  |   engine         = var.rds_engine
		68  |   license_model  = var.rds_license_model != null ? var.rds_license_model : null
		69  |   engine_version = var.rds_engine_version
		70  |   instance_class = var.rds_instance_class
		71  |   identifier     = "${var.name}-${var.env_name}-db"
		72  |   username       = var.rds_username
		73  | 
		74  |   manage_master_user_password = true
		75  | 
		76  |   snapshot_identifier = var.snapshot_identifier != null ? var.snapshot_identifier : null
		77  | 
		78  |   kms_key_id = var.account_config.kms_keys.rds_shared
		79  | 
		80  |   allow_major_version_upgrade = var.rds_allow_major_version_upgrade
		81  |   apply_immediately           = var.rds_apply_immediately
		82  | 
		83  |   # tflint-ignore: aws_db_instance_default_parameter_group
		84  |   parameter_group_name                = var.rds_parameter_group_name
		85  |   deletion_protection                 = var.rds_deletion_protection
		86  |   delete_automated_backups            = var.rds_delete_automated_backups
		87  |   skip_final_snapshot                 = var.rds_skip_final_snapshot
		88  |   final_snapshot_identifier           = !var.rds_skip_final_snapshot ? "${var.name}-${var.env_name}-db-final-${random_id.rds_suffix.hex}" : null
		89  |   allocated_storage                   = var.rds_allocated_storage
		90  |   max_allocated_storage               = var.rds_max_allocated_storage
		91  |   storage_type                        = var.rds_storage_type
		92  |   maintenance_window                  = var.maintenance_window
		93  |   auto_minor_version_upgrade          = true
		94  |   backup_window                       = var.rds_backup_window
		95  |   backup_retention_period             = var.rds_backup_retention_period
		96  |   iam_database_authentication_enabled = var.rds_iam_database_authentication_enabled
		97  |   db_subnet_group_name                = aws_db_subnet_group.this[0].id
		98  |   vpc_security_group_ids              = [aws_security_group.db[0].id]
		99  |   multi_az                            = var.rds_multi_az
		100 |   monitoring_interval                 = var.rds_monitoring_interval
		101 |   monitoring_role_arn                 = var.rds_monitoring_interval != null || var.rds_monitoring_interval != 0 ? aws_iam_role.rds_enhanced_monitoring[0].arn : null
		102 |   #checkov:skip=CKV_AWS_118: "enhanced monitoring is enabled, but optional"
		103 |   storage_encrypted               = true
		104 |   performance_insights_enabled    = var.rds_performance_insights_enabled
		105 |   performance_insights_kms_key_id = var.rds_performance_insights_enabled ? var.account_config.kms_keys.general_shared : null
		106 |   enabled_cloudwatch_logs_exports = var.rds_enabled_cloudwatch_logs_exports
		107 |   tags = merge(var.tags,
		108 |     { Name = lower(format("%s-%s-database", var.name, var.env_name)) },
		109 |     var.enable_platform_backups != null ? { "backup" = var.enable_platform_backups ? "true" : "false" } : {}
		110 |   )
		111 | }

Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
	FAILED for resource: module.weblogic.aws_db_instance.this
	File: /../helpers/delius_microservice/rds.tf:65-111
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-60

		65  | resource "aws_db_instance" "this" {
		66  |   count          = var.create_rds ? 1 : 0
		67  |   engine         = var.rds_engine
		68  |   license_model  = var.rds_license_model != null ? var.rds_license_model : null
		69  |   engine_version = var.rds_engine_version
		70  |   instance_class = var.rds_instance_class
		71  |   identifier     = "${var.name}-${var.env_name}-db"
		72  |   username       = var.rds_username
		73  | 
		74  |   manage_master_user_password = true
		75  | 
		76  |   snapshot_identifier = var.snapshot_identifier != null ? var.snapshot_identifier : null
		77  | 
		78  |   kms_key_id = var.account_config.kms_keys.rds_shared
		79  | 
		80  |   allow_major_version_upgrade = var.rds_allow_major_version_upgrade
		81  |   apply_immediately           = var.rds_apply_immediately
		82  | 
		83  |   # tflint-ignore: aws_db_instance_default_parameter_group
		84  |   parameter_group_name                = var.rds_parameter_group_name
		85  |   deletion_protection                 = var.rds_deletion_protection
		86  |   delete_automated_backups            = var.rds_delete_automated_backups
		87  |   skip_final_snapshot                 = var.rds_skip_final_snapshot
		88  |   final_snapshot_identifier           = !var.rds_skip_final_snapshot ? "${var.name}-${var.env_name}-db-final-${random_id.rds_suffix.hex}" : null
		89  |   allocated_storage                   = var.rds_allocated_storage
		90  |   max_allocated_storage               = var.rds_max_allocated_storage
		91  |   storage_type                        = var.rds_storage_type
		92  |   maintenance_window                  = var.maintenance_window
		93  |   auto_minor_version_upgrade          = true
		94  |   backup_window                       = var.rds_backup_window
		95  |   backup_retention_period             = var.rds_backup_retention_period
		96  |   iam_database_authentication_enabled = var.rds_iam_database_authentication_enabled
		97  |   db_subnet_group_name                = aws_db_subnet_group.this[0].id
		98  |   vpc_security_group_ids              = [aws_security_group.db[0].id]
		99  |   multi_az                            = var.rds_multi_az
		100 |   monitoring_interval                 = var.rds_monitoring_interval
		101 |   monitoring_role_arn                 = var.rds_monitoring_interval != null || var.rds_monitoring_interval != 0 ? aws_iam_role.rds_enhanced_monitoring[0].arn : null
		102 |   #checkov:skip=CKV_AWS_118: "enhanced monitoring is enabled, but optional"
		103 |   storage_encrypted               = true
		104 |   performance_insights_enabled    = var.rds_performance_insights_enabled
		105 |   performance_insights_kms_key_id = var.rds_performance_insights_enabled ? var.account_config.kms_keys.general_shared : null
		106 |   enabled_cloudwatch_logs_exports = var.rds_enabled_cloudwatch_logs_exports
		107 |   tags = merge(var.tags,
		108 |     { Name = lower(format("%s-%s-database", var.name, var.env_name)) },
		109 |     var.enable_platform_backups != null ? { "backup" = var.enable_platform_backups ? "true" : "false" } : {}
		110 |   )
		111 | }

Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
	FAILED for resource: module.weblogic_eis.aws_db_instance.this
	File: /../helpers/delius_microservice/rds.tf:65-111
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-60

		65  | resource "aws_db_instance" "this" {
		66  |   count          = var.create_rds ? 1 : 0
		67  |   engine         = var.rds_engine
		68  |   license_model  = var.rds_license_model != null ? var.rds_license_model : null
		69  |   engine_version = var.rds_engine_version
		70  |   instance_class = var.rds_instance_class
		71  |   identifier     = "${var.name}-${var.env_name}-db"
		72  |   username       = var.rds_username
		73  | 
		74  |   manage_master_user_password = true
		75  | 
		76  |   snapshot_identifier = var.snapshot_identifier != null ? var.snapshot_identifier : null
		77  | 
		78  |   kms_key_id = var.account_config.kms_keys.rds_shared
		79  | 
		80  |   allow_major_version_upgrade = var.rds_allow_major_version_upgrade
		81  |   apply_immediately           = var.rds_apply_immediately
		82  | 
		83  |   # tflint-ignore: aws_db_instance_default_parameter_group
		84  |   parameter_group_name                = var.rds_parameter_group_name
		85  |   deletion_protection                 = var.rds_deletion_protection
		86  |   delete_automated_backups            = var.rds_delete_automated_backups
		87  |   skip_final_snapshot                 = var.rds_skip_final_snapshot
		88  |   final_snapshot_identifier           = !var.rds_skip_final_snapshot ? "${var.name}-${var.env_name}-db-final-${random_id.rds_suffix.hex}" : null
		89  |   allocated_storage                   = var.rds_allocated_storage
		90  |   max_allocated_storage               = var.rds_max_allocated_storage
		91  |   storage_type                        = var.rds_storage_type
		92  |   maintenance_window                  = var.maintenance_window
		93  |   auto_minor_version_upgrade          = true
		94  |   backup_window                       = var.rds_backup_window
		95  |   backup_retention_period             = var.rds_backup_retention_period
		96  |   iam_database_authentication_enabled = var.rds_iam_database_authentication_enabled
		97  |   db_subnet_group_name                = aws_db_subnet_group.this[0].id
		98  |   vpc_security_group_ids              = [aws_security_group.db[0].id]
		99  |   multi_az                            = var.rds_multi_az
		100 |   monitoring_interval                 = var.rds_monitoring_interval
		101 |   monitoring_role_arn                 = var.rds_monitoring_interval != null || var.rds_monitoring_interval != 0 ? aws_iam_role.rds_enhanced_monitoring[0].arn : null
		102 |   #checkov:skip=CKV_AWS_118: "enhanced monitoring is enabled, but optional"
		103 |   storage_encrypted               = true
		104 |   performance_insights_enabled    = var.rds_performance_insights_enabled
		105 |   performance_insights_kms_key_id = var.rds_performance_insights_enabled ? var.account_config.kms_keys.general_shared : null
		106 |   enabled_cloudwatch_logs_exports = var.rds_enabled_cloudwatch_logs_exports
		107 |   tags = merge(var.tags,
		108 |     { Name = lower(format("%s-%s-database", var.name, var.env_name)) },
		109 |     var.enable_platform_backups != null ? { "backup" = var.enable_platform_backups ? "true" : "false" } : {}
		110 |   )
		111 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: module.ldap.module.ldap_admin_password.aws_secretsmanager_secret.this
	File: /../helpers/secret/main.tf:1-6
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		1 | resource "aws_secretsmanager_secret" "this" {
		2 |   name        = var.name
		3 |   description = var.description
		4 |   kms_key_id  = var.kms_key_id
		5 |   tags        = var.tags
		6 | }

Check: CKV2_AWS_18: "Ensure that Elastic File System (Amazon EFS) file systems are added in the backup plans of AWS Backup"
	FAILED for resource: module.alfresco_efs.aws_efs_file_system.this
	File: /../helpers/efs/main.tf:3-15
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-elastic-file-system-amazon-efs-file-systems-are-added-in-the-backup-plans-of-aws-backup

		3  | resource "aws_efs_file_system" "this" {
		4  |   creation_token                  = var.creation_token
		5  |   encrypted                       = var.encrypted
		6  |   kms_key_id                      = var.kms_key_arn
		7  |   throughput_mode                 = var.throughput_mode
		8  |   provisioned_throughput_in_mibps = var.provisioned_throughput_in_mibps
		9  | 
		10 |   tags = merge(
		11 |     var.tags,
		12 |     { Name = "${var.account_info.application_name}-${var.env_name}-${var.name}" },
		13 |     var.enable_platform_backups != null ? { "backup" = var.enable_platform_backups ? "true" : "false" } : {}
		14 |   )
		15 | }


checkov_exitcode=2

*****************************

Running Checkov in terraform/environments/delius-mis/modules/mis_environment
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-12-24 16:05:41,660 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=c918b2189d9f81d224e07e98fa1bc9ff38e4ba12:None (for external modules, the --download-external-modules flag is required)
2024-12-24 16:05:41,660 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0:None (for external modules, the --download-external-modules flag is required)
2024-12-24 16:05:41,660 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance?ref=49e289239aec2845924f00fc5969f35ae76122e2:None (for external modules, the --download-external-modules flag is required)
2024-12-24 16:05:41,660 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 986, Failed checks: 30, Skipped checks: 80

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.oracle_db_shared["boe-db"].aws_iam_policy_document.oracle_ec2_snapshot_backup_role_policy_document
	File: /../../../delius-core/modules/components/oracle_db_shared/backup_vault.tf:18-32
	Calling File: /databases.tf:13-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		18 | data "aws_iam_policy_document" "oracle_ec2_snapshot_backup_role_policy_document" {
		19 |    statement {
		20 |        effect    = "Allow"
		21 |        actions   = ["iam:PassRole"]
		22 |        resources = ["arn:aws:iam::${var.account_info.id}:role/service-role/AWSBackupDefaultServiceRole"]
		23 |    }
		24 |    statement {
		25 |        effect    = "Allow"
		26 |        actions   = ["backup:ListBackupVaults",
		27 |                    "backup:StartBackupJob",
		28 |                    "backup:DescribeBackupJob",
		29 |                    "ec2:DescribeSnapshots"]
		30 |        resources = ["*"]
		31 |    }
		32 | }
Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: module.oracle_db_shared["boe-db"].aws_iam_policy_document.oracle_ec2_snapshot_backup_role_policy_document
	File: /../../../delius-core/modules/components/oracle_db_shared/backup_vault.tf:18-32
	Calling File: /databases.tf:13-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		18 | data "aws_iam_policy_document" "oracle_ec2_snapshot_backup_role_policy_document" {
		19 |    statement {
		20 |        effect    = "Allow"
		21 |        actions   = ["iam:PassRole"]
		22 |        resources = ["arn:aws:iam::${var.account_info.id}:role/service-role/AWSBackupDefaultServiceRole"]
		23 |    }
		24 |    statement {
		25 |        effect    = "Allow"
		26 |        actions   = ["backup:ListBackupVaults",
		27 |                    "backup:StartBackupJob",
		28 |                    "backup:DescribeBackupJob",
		29 |                    "ec2:DescribeSnapshots"]
		30 |        resources = ["*"]
		31 |    }
		32 | }
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.oracle_db_shared["boe-db"].s3_bucket_oracledb_backups_inventory
	File: /../../../delius-core/modules/components/oracle_db_shared/s3.tf:189-227
	Calling File: /databases.tf:13-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		189 | module "s3_bucket_oracledb_backups_inventory" {
		190 |   source              = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0"
		191 |   bucket_name         = "${local.oracle_backup_bucket_prefix}-inventory"
		192 |   versioning_enabled  = false
		193 |   ownership_controls  = "BucketOwnerEnforced"
		194 |   replication_enabled = false
		195 |   custom_kms_key      = var.account_config.kms_keys.general_shared
		196 |   bucket_policy       = [data.aws_iam_policy_document.oracledb_backups_inventory.json]
		197 | 
		198 |   providers = {
		199 |     aws.bucket-replication = aws.bucket-replication
		200 |   }
		201 | 
		202 |   lifecycle_rule = [
		203 |     {
		204 |       id      = "main"
		205 |       enabled = "Enabled"
		206 |       prefix  = ""
		207 | 
		208 |       tags = {
		209 |         rule      = "log"
		210 |         autoclean = "true"
		211 |       }
		212 | 
		213 |       transition = [
		214 |         {
		215 |           days          = 90
		216 |           storage_class = "STANDARD_IA"
		217 |         }
		218 |       ]
		219 | 
		220 |       expiration = {
		221 |         days = 365
		222 |       }
		223 |     }
		224 |   ]
		225 | 
		226 |   tags = var.tags
		227 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.bcs
	File: /bcs.tf:1-5
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		1 | resource "aws_security_group" "bcs" {
		2 |   #checkov:skip=CKV2_AWS_5 "ignore"
		3 |   name_prefix = "${var.env_name}-bcs"
		4 |   vpc_id      = var.account_info.vpc_id
		5 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.bps
	File: /bps.tf:1-5
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		1 | resource "aws_security_group" "bps" {
		2 |   #checkov:skip=CKV2_AWS_5 "ignore"
		3 |   name_prefix = "${var.env_name}-bps"
		4 |   vpc_id      = var.account_info.vpc_id
		5 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.bws
	File: /bws.tf:1-5
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		1 | resource "aws_security_group" "bws" {
		2 |   #checkov:skip=CKV2_AWS_5 "ignore"
		3 |   name_prefix = "${var.env_name}-bws"
		4 |   vpc_id      = var.account_info.vpc_id
		5 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.ad_admin_password
	File: /directory_service.tf:29-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		29 | resource "aws_secretsmanager_secret" "ad_admin_password" {
		30 |   name                    = "${var.app_name}-${var.env_name}-ad-admin-password"
		31 |   recovery_window_in_days = 0
		32 | 
		33 |   tags = merge(
		34 |     var.tags,
		35 |     {
		36 |       Name = "${var.app_name}-${var.env_name}-ad-admin-password"
		37 |     }
		38 |   )
		39 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.active_directory
	File: /directory_service.tf:49-52
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		49 | resource "aws_cloudwatch_log_group" "active_directory" {
		50 |   name              = "/aws/directoryservice/${aws_directory_service_directory.mis_ad.id}"
		51 |   retention_in_days = 14
		52 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.active_directory
	File: /directory_service.tf:49-52
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		49 | resource "aws_cloudwatch_log_group" "active_directory" {
		50 |   name              = "/aws/directoryservice/${aws_directory_service_directory.mis_ad.id}"
		51 |   retention_in_days = 14
		52 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.dis
	File: /dis.tf:1-5
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		1 | resource "aws_security_group" "dis" {
		2 |   #checkov:skip=CKV2_AWS_5 "ignore"
		3 |   name_prefix = "${var.env_name}-dis"
		4 |   vpc_id      = var.account_info.vpc_id
		5 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.delius_mis_alarms
	File: /pagerduty.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		1  | resource "aws_sns_topic" "delius_mis_alarms" {
		2  |   name = "${var.app_name}-${var.env_name}-sns-topic"
		3  | 
		4  |   tags = merge(
		5  |     var.tags,
		6  |     {
		7  |       Name = "${var.app_name}-${var.env_name}-sns-topic"
		8  |     }
		9  |   )
		10 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: pagerduty_core_alerts
	File: /pagerduty.tf:12-21
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		12 | module "pagerduty_core_alerts" {
		13 | 
		14 |   depends_on = [
		15 |     aws_sns_topic.delius_mis_alarms
		16 |   ]
		17 | 
		18 |   source                    = "github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0"
		19 |   sns_topics                = [aws_sns_topic.delius_mis_alarms.name]
		20 |   pagerduty_integration_key = var.pagerduty_integration_key
		21 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_ingress_rule.icmp
	File: /sg_legacy.tf:9-15
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		9  | resource "aws_vpc_security_group_ingress_rule" "icmp" {
		10 |   security_group_id = aws_security_group.legacy.id
		11 |   cidr_ipv4         = var.environment_config.legacy_counterpart_vpc_cidr
		12 |   ip_protocol       = "icmp"
		13 |   from_port         = -1
		14 |   to_port           = -1
		15 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.icmp
	File: /sg_legacy.tf:17-23
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		17 | resource "aws_vpc_security_group_egress_rule" "icmp" {
		18 |   security_group_id = aws_security_group.legacy.id
		19 |   cidr_ipv4         = var.environment_config.legacy_counterpart_vpc_cidr
		20 |   ip_protocol       = "icmp"
		21 |   from_port         = -1
		22 |   to_port           = -1
		23 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.http_s["443"]
	File: /sg_shared.tf:9-17
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		9  | resource "aws_vpc_security_group_egress_rule" "http_s" {
		10 |   for_each = toset(["80", "443"])
		11 | 
		12 |   security_group_id = aws_security_group.mis_ec2_shared.id
		13 |   cidr_ipv4         = "0.0.0.0/0"
		14 |   ip_protocol       = "tcp"
		15 |   from_port         = each.key
		16 |   to_port           = each.key
		17 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.fleet_manager
	File: /sg_shared.tf:19-25
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		19 | resource "aws_vpc_security_group_egress_rule" "fleet_manager" {
		20 |   security_group_id = aws_security_group.mis_ec2_shared.id
		21 |   cidr_ipv4         = "0.0.0.0/0"
		22 |   ip_protocol       = "tcp"
		23 |   from_port         = 3389
		24 |   to_port           = 3389
		25 | }

Check: CKV_AWS_25: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389"
	FAILED for resource: aws_vpc_security_group_ingress_rule.fleet_manager
	File: /sg_shared.tf:27-33
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-2

		27 | resource "aws_vpc_security_group_ingress_rule" "fleet_manager" {
		28 |   security_group_id = aws_security_group.mis_ec2_shared.id
		29 |   cidr_ipv4         = "0.0.0.0/0"
		30 |   ip_protocol       = "tcp"
		31 |   from_port         = 3389
		32 |   to_port           = 3389
		33 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_ingress_rule.fleet_manager
	File: /sg_shared.tf:27-33
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		27 | resource "aws_vpc_security_group_ingress_rule" "fleet_manager" {
		28 |   security_group_id = aws_security_group.mis_ec2_shared.id
		29 |   cidr_ipv4         = "0.0.0.0/0"
		30 |   ip_protocol       = "tcp"
		31 |   from_port         = 3389
		32 |   to_port           = 3389
		33 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.domain_join
	File: /sg_shared.tf:35-42
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		35 | resource "aws_vpc_security_group_egress_rule" "domain_join" {
		36 |   for_each                     = { for port in var.domain_join_ports : "${port.protocol}_${port.from_port}" => port }
		37 |   from_port                    = each.value.from_port
		38 |   to_port                      = each.value.to_port
		39 |   ip_protocol                  = each.value.protocol
		40 |   security_group_id            = aws_security_group.mis_ec2_shared.id
		41 |   referenced_security_group_id = aws_directory_service_directory.mis_ad.security_group_id
		42 | }
Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.http_s["80"]
	File: /sg_shared.tf:9-17
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		9  | resource "aws_vpc_security_group_egress_rule" "http_s" {
		10 |   for_each = toset(["80", "443"])
		11 | 
		12 |   security_group_id = aws_security_group.mis_ec2_shared.id
		13 |   cidr_ipv4         = "0.0.0.0/0"
		14 |   ip_protocol       = "tcp"
		15 |   from_port         = each.key
		16 |   to_port           = each.key
		17 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3_bucket_ssm_sessions
	File: /ssm.tf:4-16
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		4  | module "s3_bucket_ssm_sessions" {
		5  | 
		6  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0"
		7  | 
		8  |   bucket_prefix      = "${var.account_info.application_name}-${var.env_name}-ssm-sessions"
		9  |   versioning_enabled = false
		10 | 
		11 |   providers = {
		12 |     aws.bucket-replication = aws
		13 |   }
		14 | 
		15 |   tags = var.tags
		16 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.oracle_db_shared["mis-db"].aws_iam_policy_document.oracle_ec2_snapshot_backup_role_policy_document
	File: /../../../delius-core/modules/components/oracle_db_shared/backup_vault.tf:18-32
	Calling File: /databases.tf:13-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		18 | data "aws_iam_policy_document" "oracle_ec2_snapshot_backup_role_policy_document" {
		19 |    statement {
		20 |        effect    = "Allow"
		21 |        actions   = ["iam:PassRole"]
		22 |        resources = ["arn:aws:iam::${var.account_info.id}:role/service-role/AWSBackupDefaultServiceRole"]
		23 |    }
		24 |    statement {
		25 |        effect    = "Allow"
		26 |        actions   = ["backup:ListBackupVaults",
		27 |                    "backup:StartBackupJob",
		28 |                    "backup:DescribeBackupJob",
		29 |                    "ec2:DescribeSnapshots"]
		30 |        resources = ["*"]
		31 |    }
		32 | }
Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: module.oracle_db_shared["mis-db"].aws_iam_policy_document.oracle_ec2_snapshot_backup_role_policy_document
	File: /../../../delius-core/modules/components/oracle_db_shared/backup_vault.tf:18-32
	Calling File: /databases.tf:13-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		18 | data "aws_iam_policy_document" "oracle_ec2_snapshot_backup_role_policy_document" {
		19 |    statement {
		20 |        effect    = "Allow"
		21 |        actions   = ["iam:PassRole"]
		22 |        resources = ["arn:aws:iam::${var.account_info.id}:role/service-role/AWSBackupDefaultServiceRole"]
		23 |    }
		24 |    statement {
		25 |        effect    = "Allow"
		26 |        actions   = ["backup:ListBackupVaults",
		27 |                    "backup:StartBackupJob",
		28 |                    "backup:DescribeBackupJob",
		29 |                    "ec2:DescribeSnapshots"]
		30 |        resources = ["*"]
		31 |    }
		32 | }
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.oracle_db_shared["mis-db"].s3_bucket_oracledb_backups_inventory
	File: /../../../delius-core/modules/components/oracle_db_shared/s3.tf:189-227
	Calling File: /databases.tf:13-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		189 | module "s3_bucket_oracledb_backups_inventory" {
		190 |   source              = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0"
		191 |   bucket_name         = "${local.oracle_backup_bucket_prefix}-inventory"
		192 |   versioning_enabled  = false
		193 |   ownership_controls  = "BucketOwnerEnforced"
		194 |   replication_enabled = false
		195 |   custom_kms_key      = var.account_config.kms_keys.general_shared
		196 |   bucket_policy       = [data.aws_iam_policy_document.oracledb_backups_inventory.json]
		197 | 
		198 |   providers = {
		199 |     aws.bucket-replication = aws.bucket-replication
		200 |   }
		201 | 
		202 |   lifecycle_rule = [
		203 |     {
		204 |       id      = "main"
		205 |       enabled = "Enabled"
		206 |       prefix  = ""
		207 | 
		208 |       tags = {
		209 |         rule      = "log"
		210 |         autoclean = "true"
		211 |       }
		212 | 
		213 |       transition = [
		214 |         {
		215 |           days          = 90
		216 |           storage_class = "STANDARD_IA"
		217 |         }
		218 |       ]
		219 | 
		220 |       expiration = {
		221 |         days = 365
		222 |       }
		223 |     }
		224 |   ]
		225 | 
		226 |   tags = var.tags
		227 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.oracle_db_shared["dsd-db"].aws_iam_policy_document.oracle_ec2_snapshot_backup_role_policy_document
	File: /../../../delius-core/modules/components/oracle_db_shared/backup_vault.tf:18-32
	Calling File: /databases.tf:13-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		18 | data "aws_iam_policy_document" "oracle_ec2_snapshot_backup_role_policy_document" {
		19 |    statement {
		20 |        effect    = "Allow"
		21 |        actions   = ["iam:PassRole"]
		22 |        resources = ["arn:aws:iam::${var.account_info.id}:role/service-role/AWSBackupDefaultServiceRole"]
		23 |    }
		24 |    statement {
		25 |        effect    = "Allow"
		26 |        actions   = ["backup:ListBackupVaults",
		27 |                    "backup:StartBackupJob",
		28 |                    "backup:DescribeBackupJob",
		29 |                    "ec2:DescribeSnapshots"]
		30 |        resources = ["*"]
		31 |    }
		32 | }
Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: module.oracle_db_shared["dsd-db"].aws_iam_policy_document.oracle_ec2_snapshot_backup_role_policy_document
	File: /../../../delius-core/modules/components/oracle_db_shared/backup_vault.tf:18-32
	Calling File: /databases.tf:13-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		18 | data "aws_iam_policy_document" "oracle_ec2_snapshot_backup_role_policy_document" {
		19 |    statement {
		20 |        effect    = "Allow"
		21 |        actions   = ["iam:PassRole"]
		22 |        resources = ["arn:aws:iam::${var.account_info.id}:role/service-role/AWSBackupDefaultServiceRole"]
		23 |    }
		24 |    statement {
		25 |        effect    = "Allow"
		26 |        actions   = ["backup:ListBackupVaults",
		27 |                    "backup:StartBackupJob",
		28 |                    "backup:DescribeBackupJob",
		29 |                    "ec2:DescribeSnapshots"]
		30 |        resources = ["*"]
		31 |    }
		32 | }
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.oracle_db_shared["dsd-db"].s3_bucket_oracledb_backups_inventory
	File: /../../../delius-core/modules/components/oracle_db_shared/s3.tf:189-227
	Calling File: /databases.tf:13-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		189 | module "s3_bucket_oracledb_backups_inventory" {
		190 |   source              = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0"
		191 |   bucket_name         = "${local.oracle_backup_bucket_prefix}-inventory"
		192 |   versioning_enabled  = false
		193 |   ownership_controls  = "BucketOwnerEnforced"
		194 |   replication_enabled = false
		195 |   custom_kms_key      = var.account_config.kms_keys.general_shared
		196 |   bucket_policy       = [data.aws_iam_policy_document.oracledb_backups_inventory.json]
		197 | 
		198 |   providers = {
		199 |     aws.bucket-replication = aws.bucket-replication
		200 |   }
		201 | 
		202 |   lifecycle_rule = [
		203 |     {
		204 |       id      = "main"
		205 |       enabled = "Enabled"
		206 |       prefix  = ""
		207 | 
		208 |       tags = {
		209 |         rule      = "log"
		210 |         autoclean = "true"
		211 |       }
		212 | 
		213 |       transition = [
		214 |         {
		215 |           days          = 90
		216 |           storage_class = "STANDARD_IA"
		217 |         }
		218 |       ]
		219 | 
		220 |       expiration = {
		221 |         days = 365
		222 |       }
		223 |     }
		224 |   ]
		225 | 
		226 |   tags = var.tags
		227 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.ad_admin_password
	File: /directory_service.tf:29-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		29 | resource "aws_secretsmanager_secret" "ad_admin_password" {
		30 |   name                    = "${var.app_name}-${var.env_name}-ad-admin-password"
		31 |   recovery_window_in_days = 0
		32 | 
		33 |   tags = merge(
		34 |     var.tags,
		35 |     {
		36 |       Name = "${var.app_name}-${var.env_name}-ad-admin-password"
		37 |     }
		38 |   )
		39 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.ad_username
	File: /secrets.tf:3-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		3 | resource "aws_secretsmanager_secret" "ad_username" {
		4 |   #checkov:skip=CKV_AWS_149 "ignore"
		5 |   name                    = "${var.env_name}-legacy-ad-username"
		6 |   recovery_window_in_days = 0
		7 | 
		8 |   tags = var.tags
		9 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.ad_password
	File: /secrets.tf:12-18
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		12 | resource "aws_secretsmanager_secret" "ad_password" {
		13 |   #checkov:skip=CKV_AWS_149 "ignore"
		14 |   name                    = "${var.env_name}-legacy-ad-password"
		15 |   recovery_window_in_days = 0
		16 | 
		17 |   tags = var.tags
		18 | }


checkov_exitcode=3

TFLint Scan Failed

*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/delius-core/modules/components/oracle_db_shared
terraform/environments/delius-core/modules/delius_environment
terraform/environments/delius-mis/modules/mis_environment

*****************************

Running tflint in terraform/environments/delius-core/modules/components/oracle_db_shared
Excluding the following checks: terraform_unused_declarations
7 issue(s) found:

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/delius-core/modules/components/oracle_db_shared/s3.tf line 10:
  10:       "${module.s3_bucket_oracledb_backups.bucket.arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/delius-core/modules/components/oracle_db_shared/s3.tf line 74:
  74:       "${module.s3_bucket_oracledb_backups.bucket.arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/delius-core/modules/components/oracle_db_shared/s3.tf line 87:
  87:       "${module.s3_bucket_oracledb_backups_inventory.bucket.arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/delius-core/modules/components/oracle_db_shared/s3.tf line 126:
 126:         "${module.s3_bucket_oracle_statistics[0].bucket.arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/delius-core/modules/components/oracle_db_shared/s3.tf line 241:
 241:       values   = ["${var.account_info.id}"]

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/delius-core/modules/components/oracle_db_shared/s3.tf line 253:
 253:       values   = ["${module.s3_bucket_oracledb_backups.bucket.arn}"]

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/delius-core/modules/components/oracle_db_shared/s3.tf line 294:
 294:     resources = ["${module.s3_bucket_oracle_statistics[0].bucket.arn}"]

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

tflint_exitcode=2

*****************************

Running tflint in terraform/environments/delius-core/modules/delius_environment
Excluding the following checks: terraform_unused_declarations
1 issue(s) found:

Warning: Missing version constraint for provider "random" in `required_providers` (terraform_required_providers)

  on terraform/environments/delius-core/modules/delius_environment/pwm.tf line 136:
 136: resource "random_id" "security_key" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

tflint_exitcode=4

*****************************

Running tflint in terraform/environments/delius-mis/modules/mis_environment
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=4

Trivy Scan Failed

*****************************

Trivy will check the following folders:
terraform/environments/delius-core/modules/components/oracle_db_shared
terraform/environments/delius-core/modules/delius_environment
terraform/environments/delius-mis/modules/mis_environment

*****************************

Running Trivy in terraform/environments/delius-core/modules/components/oracle_db_shared
2024-12-24T16:05:00Z	INFO	[vulndb] Need to update DB
2024-12-24T16:05:00Z	INFO	[vulndb] Downloading vulnerability DB...
2024-12-24T16:05:00Z	INFO	[vulndb] Downloading artifact...	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-24T16:05:02Z	INFO	[vulndb] Artifact successfully downloaded	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-24T16:05:02Z	INFO	[vuln] Vulnerability scanning is enabled
2024-12-24T16:05:02Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-12-24T16:05:02Z	INFO	[misconfig] Need to update the built-in checks
2024-12-24T16:05:02Z	INFO	[misconfig] Downloading the built-in checks...
160.80 KiB / 160.80 KiB [---------------------------------------------------------] 100.00% ? p/s 0s2024-12-24T16:05:03Z	INFO	[secret] Secret scanning is enabled
2024-12-24T16:05:03Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-12-24T16:05:03Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-12-24T16:05:04Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-12-24T16:05:04Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="account_config, account_info, bastion_sg_id, env_name, environment_config, platform_vars, public_keys, tags"
2024-12-24T16:05:04Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_s3_object.user_public_keys" value="cty.NilVal"
2024-12-24T16:05:05Z	INFO	[terraform executor] Ignore finding	rule="aws-ec2-no-public-egress-sgr" range="sg.tf:16"
2024-12-24T16:05:05Z	INFO	Number of language-specific files	num=0
2024-12-24T16:05:05Z	INFO	Detected config files	num=5
trivy_exitcode=0

*****************************

Running Trivy in terraform/environments/delius-core/modules/delius_environment
2024-12-24T16:05:05Z	INFO	[vuln] Vulnerability scanning is enabled
2024-12-24T16:05:05Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-12-24T16:05:05Z	INFO	[secret] Secret scanning is enabled
2024-12-24T16:05:05Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-12-24T16:05:05Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-12-24T16:05:07Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-12-24T16:05:07Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="account_config, account_info, app_name, bastion_config, db_config, delius_microservice_configs, dms_config, env_name, env_name_to_dms_config_map, environment_config, platform_vars, tags"
2024-12-24T16:05:07Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_vpc_security_group_ingress_rule.alfresco_sfs_alb" value="cty.NilVal"
2024-12-24T16:05:07Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_vpc_security_group_ingress_rule.ancillary_alb_ingress_https_global_protect_allowlist" value="cty.NilVal"
2024-12-24T16:05:07Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_vpc_security_group_ingress_rule.delius_core_frontend_alb_ingress_https_global_protect_allowlist" value="cty.NilVal"
2024-12-24T16:05:08Z	ERROR	[terraform evaluator] Failed to load module. Maybe try 'terraform init'?	err="open cluster: no such file or directory"
2024-12-24T16:05:08Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.alfresco_efs.aws_efs_mount_target.this" value="cty.NilVal"
2024-12-24T16:05:09Z	ERROR	[terraform evaluator] Failed to load module. Maybe try 'terraform init'?	err="open container: no such file or directory"
2024-12-24T16:05:09Z	ERROR	[terraform evaluator] Failed to load module. Maybe try 'terraform init'?	err="open service: no such file or directory"
2024-12-24T16:05:09Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2024-12-24T16:05:09Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2024-12-24T16:05:09Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-24T16:05:09Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-24T16:05:09Z	ERROR	[terraform evaluator] Failed to load module. Maybe try 'terraform init'?	err="open container: no such file or directory"
2024-12-24T16:05:09Z	ERROR	[terraform evaluator] Failed to load module. Maybe try 'terraform init'?	err="open service: no such file or directory"
2024-12-24T16:05:09Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.ldap.module.efs.aws_efs_mount_target.this" value="cty.NilVal"
2024-12-24T16:05:09Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.ldap.module.s3_bucket_ldap_data_refresh.data.aws_iam_policy_document.bucket_policy_v2" err="1 error occurred:\n\t* invalid for-each in data.aws_iam_policy_document.bucket_policy_v2.dynamic.statement block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-24T16:05:09Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.ldap.module.s3_bucket_ldap_data_refresh.data.aws_iam_policy_document.bucket_policy_v2" err="1 error occurred:\n\t* invalid for-each in data.aws_iam_policy_document.bucket_policy_v2.dynamic.statement block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-24T16:05:09Z	ERROR	[terraform evaluator] Failed to load module. Maybe try 'terraform init'?	err="open container: no such file or directory"
2024-12-24T16:05:09Z	ERROR	[terraform evaluator] Failed to load module. Maybe try 'terraform init'?	err="open service: no such file or directory"
2024-12-24T16:05:09Z	ERROR	[terraform evaluator] Failed to load module. Maybe try 'terraform init'?	err="open container: no such file or directory"
2024-12-24T16:05:09Z	ERROR	[terraform evaluator] Failed to load module. Maybe try 'terraform init'?	err="open service: no such file or directory"
2024-12-24T16:05:09Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_shared.aws_s3_object.user_public_keys" value="cty.NilVal"
2024-12-24T16:05:10Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.pagerduty_core_alerts.data.aws_sns_topic.alarm_topics" value="cty.NilVal"
2024-12-24T16:05:10Z	ERROR	[terraform evaluator] Failed to load module. Maybe try 'terraform init'?	err="open container: no such file or directory"
2024-12-24T16:05:10Z	ERROR	[terraform evaluator] Failed to load module. Maybe try 'terraform init'?	err="open service: no such file or directory"
2024-12-24T16:05:10Z	ERROR	[terraform evaluator] Failed to load module. Maybe try 'terraform init'?	err="open container: no such file or directory"
2024-12-24T16:05:10Z	ERROR	[terraform evaluator] Failed to load module. Maybe try 'terraform init'?	err="open service: no such file or directory"
2024-12-24T16:05:10Z	ERROR	[terraform evaluator] Failed to load module. Maybe try 'terraform init'?	err="open container: no such file or directory"
2024-12-24T16:05:10Z	ERROR	[terraform evaluator] Failed to load module. Maybe try 'terraform init'?	err="open service: no such file or directory"
2024-12-24T16:05:10Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.dms[0].aws_cloudwatch_metric_alarm.dms_cdc_latency_source" value="cty.NilVal"
2024-12-24T16:05:10Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.dms[0].aws_cloudwatch_metric_alarm.dms_cdc_latency_target" value="cty.NilVal"
2024-12-24T16:05:10Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.dms[0].aws_dms_replication_task.audited_interaction_checksum_inbound_replication" value="cty.NilVal"
2024-12-24T16:05:10Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.dms[0].aws_dms_replication_task.audited_interaction_inbound_replication" value="cty.NilVal"
2024-12-24T16:05:10Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.dms[0].aws_dms_replication_task.business_interaction_inbound_replication" value="cty.NilVal"
2024-12-24T16:05:10Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.dms[0].aws_dms_replication_task.user_outbound_replication" value="cty.NilVal"
2024-12-24T16:05:10Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.dms[0].aws_dms_s3_endpoint.dms_audit_source_endpoint_s3" value="cty.NilVal"
2024-12-24T16:05:10Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.dms[0].aws_dms_s3_endpoint.dms_user_target_endpoint_s3" value="cty.NilVal"
2024-12-24T16:05:10Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_primary[0].module.instance.aws_ebs_volume.this" value="cty.NilVal"
2024-12-24T16:05:10Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.oracle_db_primary[0].module.instance.aws_instance.this" err="2 errors occurred:\n\t* invalid for-each in aws_instance.this.dynamic.ephemeral_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.ebs_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-24T16:05:10Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.oracle_db_primary[0].module.instance.aws_instance.this" err="2 errors occurred:\n\t* invalid for-each in aws_instance.this.dynamic.ephemeral_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.ebs_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-24T16:05:10Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_standby[0].module.instance.aws_ebs_volume.this" value="cty.NilVal"
2024-12-24T16:05:10Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.oracle_db_standby[0].module.instance.aws_instance.this" err="2 errors occurred:\n\t* invalid for-each in aws_instance.this.dynamic.ephemeral_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.ebs_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-24T16:05:10Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.oracle_db_standby[0].module.instance.aws_instance.this" err="2 errors occurred:\n\t* invalid for-each in aws_instance.this.dynamic.ephemeral_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.ebs_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-24T16:05:20Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=c918b2189d9f81d224e07e98fa1bc9ff38e4ba12/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2024-12-24T16:05:20Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0/main.tf:171-179"
2024-12-24T16:05:20Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0/main.tf:171-179"
2024-12-24T16:05:20Z	INFO	[terraform executor] Ignore finding	rule="aws-elb-alb-not-public" range="alb_frontend.tf:43"
2024-12-24T16:05:20Z	INFO	[terraform executor] Ignore finding	rule="aws-elb-alb-not-public" range="alb_ancillary.tf:45"
2024-12-24T16:05:20Z	INFO	[terraform executor] Ignore finding	rule="aws-ec2-no-public-egress-sgr" range="../components/oracle_db_shared/sg.tf:16"
2024-12-24T16:05:20Z	INFO	[terraform executor] Ignore finding	rule="aws-ec2-enforce-http-token-imds" range="github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance?ref=20622418aa13871c279c12d9ae5e98f29c9a46f0/main.tf:22"
2024-12-24T16:05:20Z	INFO	[terraform executor] Ignore finding	rule="aws-ec2-enforce-http-token-imds" range="github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance?ref=20622418aa13871c279c12d9ae5e98f29c9a46f0/main.tf:22"
2024-12-24T16:05:20Z	INFO	Number of language-specific files	num=0
2024-12-24T16:05:20Z	INFO	Detected config files	num=18

 (terraform)
============
Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0052 (HIGH): Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.


See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────


AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.


See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────


trivy_exitcode=1

*****************************

Running Trivy in terraform/environments/delius-mis/modules/mis_environment
2024-12-24T16:05:20Z	INFO	[vuln] Vulnerability scanning is enabled
2024-12-24T16:05:20Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-12-24T16:05:20Z	INFO	[secret] Secret scanning is enabled
2024-12-24T16:05:20Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-12-24T16:05:20Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-12-24T16:05:21Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-12-24T16:05:21Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="account_config, account_info, app_name, bastion_config, bcs_config, boe_db_config, bps_config, bws_config, dis_config, domain_join_ports, dsd_db_config, env_name, environment_config, fsx_config, mis_db_config, platform_vars, tags"
2024-12-24T16:05:21Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_vpc_security_group_egress_rule.domain_join" value="cty.NilVal"
2024-12-24T16:05:21Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="aws_route53_resolver_endpoint.resolve_local_entries_using_ad_dns" err="1 error occurred:\n\t* invalid for-each in aws_route53_resolver_endpoint.resolve_local_entries_using_ad_dns.dynamic.ip_address block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-24T16:05:21Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="aws_route53_resolver_rule.r53_fwd_to_ad" err="1 error occurred:\n\t* invalid for-each in aws_route53_resolver_rule.r53_fwd_to_ad.dynamic.target_ip block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-24T16:05:21Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="aws_route53_resolver_endpoint.resolve_local_entries_using_ad_dns" err="1 error occurred:\n\t* invalid for-each in aws_route53_resolver_endpoint.resolve_local_entries_using_ad_dns.dynamic.ip_address block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-24T16:05:21Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="aws_route53_resolver_rule.r53_fwd_to_ad" err="1 error occurred:\n\t* invalid for-each in aws_route53_resolver_rule.r53_fwd_to_ad.dynamic.target_ip block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-24T16:05:21Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2024-12-24T16:05:21Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2024-12-24T16:05:21Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-24T16:05:21Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-24T16:05:21Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.pagerduty_core_alerts.data.aws_sns_topic.alarm_topics" value="cty.NilVal"
2024-12-24T16:05:22Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bcs_instance[0].aws_ebs_volume.this" value="cty.NilVal"
2024-12-24T16:05:22Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.bcs_instance[0].aws_instance.this" err="3 errors occurred:\n\t* invalid for-each in aws_instance.this.dynamic.ephemeral_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.ebs_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.private_dns_name_options block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-24T16:05:22Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.bcs_instance[0].aws_instance.this" err="3 errors occurred:\n\t* invalid for-each in aws_instance.this.dynamic.ephemeral_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.ebs_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.private_dns_name_options block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-24T16:05:22Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bps_instance[0].aws_ebs_volume.this" value="cty.NilVal"
2024-12-24T16:05:22Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.bps_instance[0].aws_instance.this" err="3 errors occurred:\n\t* invalid for-each in aws_instance.this.dynamic.ephemeral_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.ebs_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.private_dns_name_options block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-24T16:05:22Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.bps_instance[0].aws_instance.this" err="3 errors occurred:\n\t* invalid for-each in aws_instance.this.dynamic.ephemeral_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.ebs_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.private_dns_name_options block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-24T16:05:22Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bws_instance[0].aws_ebs_volume.this" value="cty.NilVal"
2024-12-24T16:05:22Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.bws_instance[0].aws_instance.this" err="3 errors occurred:\n\t* invalid for-each in aws_instance.this.dynamic.ephemeral_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.ebs_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.private_dns_name_options block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-24T16:05:22Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.bws_instance[0].aws_instance.this" err="3 errors occurred:\n\t* invalid for-each in aws_instance.this.dynamic.ephemeral_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.ebs_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.private_dns_name_options block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-24T16:05:22Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.dis_instance[0].aws_ebs_volume.this" value="cty.NilVal"
2024-12-24T16:05:22Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.dis_instance[0].aws_instance.this" err="3 errors occurred:\n\t* invalid for-each in aws_instance.this.dynamic.ephemeral_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.ebs_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.private_dns_name_options block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-24T16:05:22Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.dis_instance[0].aws_instance.this" err="3 errors occurred:\n\t* invalid for-each in aws_instance.this.dynamic.ephemeral_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.ebs_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.private_dns_name_options block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-24T16:05:22Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_boe[0].module.instance.aws_ebs_volume.this" value="cty.NilVal"
2024-12-24T16:05:22Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.oracle_db_boe[0].module.instance.aws_instance.this" err="2 errors occurred:\n\t* invalid for-each in aws_instance.this.dynamic.ephemeral_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.ebs_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-24T16:05:22Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.oracle_db_boe[0].module.instance.aws_instance.this" err="2 errors occurred:\n\t* invalid for-each in aws_instance.this.dynamic.ephemeral_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.ebs_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-24T16:05:22Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_dsd[0].module.instance.aws_ebs_volume.this" value="cty.NilVal"
2024-12-24T16:05:22Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.oracle_db_dsd[0].module.instance.aws_instance.this" err="2 errors occurred:\n\t* invalid for-each in aws_instance.this.dynamic.ephemeral_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.ebs_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-24T16:05:22Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.oracle_db_dsd[0].module.instance.aws_instance.this" err="2 errors occurred:\n\t* invalid for-each in aws_instance.this.dynamic.ephemeral_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.ebs_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-24T16:05:22Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_mis[0].module.instance.aws_ebs_volume.this" value="cty.NilVal"
2024-12-24T16:05:22Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.oracle_db_mis[0].module.instance.aws_instance.this" err="2 errors occurred:\n\t* invalid for-each in aws_instance.this.dynamic.ephemeral_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.ebs_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-24T16:05:22Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.oracle_db_mis[0].module.instance.aws_instance.this" err="2 errors occurred:\n\t* invalid for-each in aws_instance.this.dynamic.ephemeral_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_instance.this.dynamic.ebs_block_device block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-24T16:05:22Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_shared[\"boe-db\"].aws_s3_object.user_public_keys" value="cty.NilVal"
2024-12-24T16:05:22Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_shared[\"dsd-db\"].aws_s3_object.user_public_keys" value="cty.NilVal"
2024-12-24T16:05:22Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_shared[\"mis-db\"].aws_s3_object.user_public_keys" value="cty.NilVal"
2024-12-24T16:05:22Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.schedule_alarms[0].aws_cloudwatch_event_rule.alarm_scheduler" value="cty.NilVal"
2024-12-24T16:05:22Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.schedule_alarms[0].aws_cloudwatch_event_target.alarm_scheduler" value="cty.NilVal"
2024-12-24T16:05:22Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.schedule_alarms[0].aws_lambda_permission.allow_cloudwatch" value="cty.NilVal"
2024-12-24T16:05:27Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=c918b2189d9f81d224e07e98fa1bc9ff38e4ba12/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2024-12-24T16:05:27Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0/main.tf:171-179"
2024-12-24T16:05:27Z	INFO	[terraform executor] Ignore finding	rule="aws-ec2-no-public-egress-sgr" range="../../../delius-core/modules/components/oracle_db_shared/sg.tf:16"
2024-12-24T16:05:27Z	INFO	[terraform executor] Ignore finding	rule="aws-ec2-no-public-egress-sgr" range="../../../delius-core/modules/components/oracle_db_shared/sg.tf:16"
2024-12-24T16:05:27Z	INFO	[terraform executor] Ignore finding	rule="aws-ec2-no-public-egress-sgr" range="../../../delius-core/modules/components/oracle_db_shared/sg.tf:16"
2024-12-24T16:05:27Z	INFO	[terraform executor] Ignore finding	rule="aws-ssm-secret-use-customer-key" range="secrets.tf:3-9"
2024-12-24T16:05:27Z	INFO	[terraform executor] Ignore finding	rule="aws-ssm-secret-use-customer-key" range="secrets.tf:12-18"
2024-12-24T16:05:27Z	INFO	[terraform executor] Ignore finding	rule="aws-ec2-enforce-http-token-imds" range="github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance?ref=20622418aa13871c279c12d9ae5e98f29c9a46f0/main.tf:22"
2024-12-24T16:05:27Z	INFO	[terraform executor] Ignore finding	rule="aws-ec2-enforce-http-token-imds" range="github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance?ref=20622418aa13871c279c12d9ae5e98f29c9a46f0/main.tf:22"
2024-12-24T16:05:27Z	INFO	[terraform executor] Ignore finding	rule="aws-ec2-enforce-http-token-imds" range="github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance?ref=20622418aa13871c279c12d9ae5e98f29c9a46f0/main.tf:22"
2024-12-24T16:05:27Z	INFO	Number of language-specific files	num=0
2024-12-24T16:05:27Z	INFO	Detected config files	num=16

sg_shared.tf (terraform)
========================
Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0107 (HIGH): Security group rule allows ingress from public internet.
════════════════════════════════════════
Security groups provide stateful filtering of ingress and egress network traffic to AWS
resources. It is recommended that no security group allows unrestricted ingress access to
remote server administration ports, such as SSH to port 22 and RDP to port 3389.


See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
 sg_shared.tf:29
   via sg_shared.tf:27-33 (aws_vpc_security_group_ingress_rule.fleet_manager)
────────────────────────────────────────
  27   resource "aws_vpc_security_group_ingress_rule" "fleet_manager" {
  28     security_group_id = aws_security_group.mis_ec2_shared.id
  29 [   cidr_ipv4         = "0.0.0.0/0"
  30     ip_protocol       = "tcp"
  31     from_port         = 3389
  32     to_port           = 3389
  33   }
────────────────────────────────────────


trivy_exitcode=2
