Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

📌 APC Patching #9235

Merged
merged 15 commits into from
Jan 8, 2025
Merged

📌 APC Patching #9235

merged 15 commits into from
Jan 8, 2025

Conversation

jacobwoffenden
Copy link
Member

@jacobwoffenden jacobwoffenden commented Jan 7, 2025
edited
Loading

This pull request:

  • Resolves 📥 Maintenance - Analytical Platform Compute analytical-platform#6496
  • Removes TGW debugging instance and security group
  • Updates Terraform modules to latest versions
  • Updates Bottlerocket to 1.29.0
  • Updates EKS addons (see files changed for versions)
  • Updates Self-hosted Actions Runners to 2.321.0
  • Updates Kyverno to 3.3.4
  • Updates Kubernetes Prometheus Stack to 67.8.0
  • Updates Cluster Autoscaler to 9.45.0
  • Updates Karpenter to 1.1.1
  • Updates Karpenter manifests to v1 structure of CRD
  • Updates Cert Manager to 1.16.2
  • Updates Ingress NGINX to 4.12.0
  • Updates External Secrets to 0.12.1
  • Updates KEDA to 2.16.1

Note:

I would get the following when trying to in-place upgrade our internal Karpenter configuration

Error: UPGRADE FAILED: unable to build kubernetes objects from current release manifest: [resource mapping not found for name: "bottlerocket-general" namespace: "" from "": no matches for kind "EC2NodeClass" in version "karpenter.k8s.aws/v1beta1"

To work around this I ran

helm delete --namespace karpenter karpenter-configuration

kubectl --namespace karpenter delete secrets $(kubectl --namespace karpenter get secrets | grep karpenter-configuration | awk '{print $1}')

I am not 100% sure why this was happening

Signed-off-by: Jacob Woffenden jacob.woffenden@justice.gov.uk

@jacobwoffenden
Patching
439e42a 
Signed-off-by: GitHub <noreply@github.com>
@jacobwoffenden jacobwoffenden self-assigned this Jan 7, 2025
@jacobwoffenden jacobwoffenden requested review from a team as code owners January 7, 2025 11:29
@github-actions github-actions bot added the environments-repository Used to exclude PRs from this repo in our Slack PR update label Jan 7, 2025
@jacobwoffenden jacobwoffenden had a problem deploying to analytical-platform-compute-development January 7, 2025 11:31 — with GitHub Actions Failure
@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Jan 7, 2025

Trivy Scan Success

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/analytical-platform-compute

Running Trivy in terraform/environments/analytical-platform-compute
2025-01-07T11:31:21Z INFO [vulndb] Need to update DB
2025-01-07T11:31:21Z INFO [vulndb] Downloading vulnerability DB...
2025-01-07T11:31:21Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-01-07T11:31:24Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-01-07T11:31:24Z INFO [vuln] Vulnerability scanning is enabled
2025-01-07T11:31:24Z INFO [misconfig] Misconfiguration scanning is enabled
2025-01-07T11:31:24Z INFO [misconfig] Need to update the built-in checks
2025-01-07T11:31:24Z INFO [misconfig] Downloading the built-in checks...
160.80 KiB / 160.80 KiB [------------------------------------------------------] 100.00% ? p/s 100ms2025-01-07T11:31:24Z INFO [secret] Secret scanning is enabled
2025-01-07T11:31:24Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-01-07T11:31:24Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2025-01-07T11:31:27Z INFO [terraform scanner] Scanning root module file_path="."
2025-01-07T11:31:27Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2025-01-07T11:31:27Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.transit_gateway_routes" value="cty.NilVal"
2025-01-07T11:31:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.eks.aws_ec2_tag.cluster_primary_security_group" value="cty.NilVal"
2025-01-07T11:31:32Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.eks.module.kms.data.aws_iam_policy_document.this[0]" err="1 error occurred:\n\t* invalid for-each in data.aws_iam_policy_document.this[0].dynamic.statement block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T11:31:32Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.eks.module.kms.data.aws_iam_policy_document.this[0]" err="1 error occurred:\n\t* invalid for-each in data.aws_iam_policy_document.this[0].dynamic.statement block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T11:31:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.eks.module.eks_managed_node_group["airflow-high-memory"].aws_iam_role_policy_attachment.this" value="cty.NilVal"
2025-01-07T11:31:32Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.eks.module.eks_managed_node_group["airflow-high-memory"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T11:31:32Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.eks.module.eks_managed_node_group["airflow-high-memory"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T11:31:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.eks.module.eks_managed_node_group["general"].aws_iam_role_policy_attachment.this" value="cty.NilVal"
2025-01-07T11:31:32Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.eks.module.eks_managed_node_group["general"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T11:31:32Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.eks.module.eks_managed_node_group["general"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T11:31:33Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.eks_cluster_logs_kms.data.aws_iam_policy_document.this[0]" err="1 error occurred:\n\t* invalid for-each in data.aws_iam_policy_document.this[0].dynamic.statement.content.dynamic.condition block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T11:31:33Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.eks_cluster_logs_kms.data.aws_iam_policy_document.this[0]" err="1 error occurred:\n\t* invalid for-each in data.aws_iam_policy_document.this[0].dynamic.statement.content.dynamic.condition block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T11:31:33Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.eks.module.eks_managed_node_group["airflow-high-memory"].aws_iam_role_policy_attachment.this" value="cty.NilVal"
2025-01-07T11:31:33Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.eks.module.eks_managed_node_group["airflow-high-memory"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T11:31:33Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.eks.module.eks_managed_node_group["airflow-high-memory"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T11:31:33Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.eks.module.eks_managed_node_group["general"].aws_iam_role_policy_attachment.this" value="cty.NilVal"
2025-01-07T11:31:33Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.eks.module.eks_managed_node_group["general"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T11:31:33Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.eks.module.eks_managed_node_group["general"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T11:31:34Z INFO [terraform executor] Ignore finding rule="aws-eks-no-public-cluster-access" range="git::https:/github.com/terraform-aws-modules/terraform-aws-eks?ref=a713f6f464eb579a39918f60f130a5fbb77a6b30/main.tf:69"
2025-01-07T11:31:34Z INFO [terraform executor] Ignore finding rule="aws-ec2-no-public-egress-sgr" range="git::https:/github.com/terraform-aws-modules/terraform-aws-eks?ref=a713f6f464eb579a39918f60f130a5fbb77a6b30/node_groups.tf:247"
2025-01-07T11:31:34Z INFO [terraform executor] Ignore finding rule="aws-eks-no-public-cluster-access-to-cidr" range="git::https:/github.com/terraform-aws-modules/terraform-aws-eks?ref=a713f6f464eb579a39918f60f130a5fbb77a6b30/main.tf:70"
2025-01-07T11:31:34Z INFO Number of language-specific files num=0
2025-01-07T11:31:34Z INFO Detected config files num=14
trivy_exitcode=0

</details> #### `Checkov Scan` Success
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/analytical-platform-compute

*****************************

Running Checkov in terraform/environments/analytical-platform-compute
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2025-01-07 11:31:36,640 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-policy:5.52.1 (for external modules, the --download-external-modules flag is required)
2025-01-07 11:31:36,640 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks:5.52.1 (for external modules, the --download-external-modules flag is required)
2025-01-07 11:31:36,640 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-github-oidc-role:5.52.1 (for external modules, the --download-external-modules flag is required)
2025-01-07 11:31:36,641 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-assumable-role:5.52.1 (for external modules, the --download-external-modules flag is required)
2025-01-07 11:31:36,641 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/cloudwatch/aws//modules/log-group:5.7.0 (for external modules, the --download-external-modules flag is required)
2025-01-07 11:31:36,641 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/kms/aws:3.1.1 (for external modules, the --download-external-modules flag is required)
2025-01-07 11:31:36,641 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/eks-pod-identity/aws:1.9.0 (for external modules, the --download-external-modules flag is required)
2025-01-07 11:31:36,641 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/s3-bucket/aws:4.3.0 (for external modules, the --download-external-modules flag is required)
2025-01-07 11:31:36,641 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/rds/aws:6.10.0 (for external modules, the --download-external-modules flag is required)
2025-01-07 11:31:36,641 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/security-group/aws:5.2.0 (for external modules, the --download-external-modules flag is required)
2025-01-07 11:31:36,641 [MainThread  ] [WARNI]  Failed to download module ministryofjustice/observability-platform-tenant/aws:1.2.0 (for external modules, the --download-external-modules flag is required)
2025-01-07 11:31:36,644 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/vpc/aws//modules/vpc-endpoints:5.17.0 (for external modules, the --download-external-modules flag is required)
2025-01-07 11:31:36,644 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/secrets-manager/aws:1.3.1 (for external modules, the --download-external-modules flag is required)
2025-01-07 11:31:36,644 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/eks/aws:20.31.6 (for external modules, the --download-external-modules flag is required)
2025-01-07 11:31:36,644 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/eks/aws//modules/karpenter:20.31.6 (for external modules, the --download-external-modules flag is required)
2025-01-07 11:31:36,644 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/route53/aws//modules/zones:4.1.0 (for external modules, the --download-external-modules flag is required)
2025-01-07 11:31:36,645 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/vpc/aws:5.17.0 (for external modules, the --download-external-modules flag is required)
2025-01-07 11:31:36,645 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/managed-service-prometheus/aws:3.0.0 (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 154, Failed checks: 0, Skipped checks: 153


checkov_exitcode=0

CTFLint Scan Success

Show Output 
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/analytical-platform-compute

*****************************

Running tflint in terraform/environments/analytical-platform-compute
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

Trivy Scan Success

Show Output 
*****************************

Trivy will check the following folders:
terraform/environments/analytical-platform-compute

*****************************

Running Trivy in terraform/environments/analytical-platform-compute
2025-01-07T11:31:21Z	INFO	[vulndb] Need to update DB
2025-01-07T11:31:21Z	INFO	[vulndb] Downloading vulnerability DB...
2025-01-07T11:31:21Z	INFO	[vulndb] Downloading artifact...	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-01-07T11:31:24Z	INFO	[vulndb] Artifact successfully downloaded	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-01-07T11:31:24Z	INFO	[vuln] Vulnerability scanning is enabled
2025-01-07T11:31:24Z	INFO	[misconfig] Misconfiguration scanning is enabled
2025-01-07T11:31:24Z	INFO	[misconfig] Need to update the built-in checks
2025-01-07T11:31:24Z	INFO	[misconfig] Downloading the built-in checks...
160.80 KiB / 160.80 KiB [------------------------------------------------------] 100.00% ? p/s 100ms2025-01-07T11:31:24Z	INFO	[secret] Secret scanning is enabled
2025-01-07T11:31:24Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-01-07T11:31:24Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2025-01-07T11:31:27Z	INFO	[terraform scanner] Scanning root module	file_path="."
2025-01-07T11:31:27Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2025-01-07T11:31:27Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.transit_gateway_routes" value="cty.NilVal"
2025-01-07T11:31:32Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.eks.aws_ec2_tag.cluster_primary_security_group" value="cty.NilVal"
2025-01-07T11:31:32Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.eks.module.kms.data.aws_iam_policy_document.this[0]" err="1 error occurred:\n\t* invalid for-each in data.aws_iam_policy_document.this[0].dynamic.statement block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T11:31:32Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.eks.module.kms.data.aws_iam_policy_document.this[0]" err="1 error occurred:\n\t* invalid for-each in data.aws_iam_policy_document.this[0].dynamic.statement block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T11:31:32Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.eks.module.eks_managed_node_group[\"airflow-high-memory\"].aws_iam_role_policy_attachment.this" value="cty.NilVal"
2025-01-07T11:31:32Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.eks.module.eks_managed_node_group[\"airflow-high-memory\"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T11:31:32Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.eks.module.eks_managed_node_group[\"airflow-high-memory\"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T11:31:32Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.eks.module.eks_managed_node_group[\"general\"].aws_iam_role_policy_attachment.this" value="cty.NilVal"
2025-01-07T11:31:32Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.eks.module.eks_managed_node_group[\"general\"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T11:31:32Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.eks.module.eks_managed_node_group[\"general\"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T11:31:33Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.eks_cluster_logs_kms.data.aws_iam_policy_document.this[0]" err="1 error occurred:\n\t* invalid for-each in data.aws_iam_policy_document.this[0].dynamic.statement.content.dynamic.condition block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T11:31:33Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.eks_cluster_logs_kms.data.aws_iam_policy_document.this[0]" err="1 error occurred:\n\t* invalid for-each in data.aws_iam_policy_document.this[0].dynamic.statement.content.dynamic.condition block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T11:31:33Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.eks.module.eks_managed_node_group[\"airflow-high-memory\"].aws_iam_role_policy_attachment.this" value="cty.NilVal"
2025-01-07T11:31:33Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.eks.module.eks_managed_node_group[\"airflow-high-memory\"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T11:31:33Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.eks.module.eks_managed_node_group[\"airflow-high-memory\"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T11:31:33Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.eks.module.eks_managed_node_group[\"general\"].aws_iam_role_policy_attachment.this" value="cty.NilVal"
2025-01-07T11:31:33Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.eks.module.eks_managed_node_group[\"general\"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T11:31:33Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.eks.module.eks_managed_node_group[\"general\"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T11:31:34Z	INFO	[terraform executor] Ignore finding	rule="aws-eks-no-public-cluster-access" range="git::https:/github.com/terraform-aws-modules/terraform-aws-eks?ref=a713f6f464eb579a39918f60f130a5fbb77a6b30/main.tf:69"
2025-01-07T11:31:34Z	INFO	[terraform executor] Ignore finding	rule="aws-ec2-no-public-egress-sgr" range="git::https:/github.com/terraform-aws-modules/terraform-aws-eks?ref=a713f6f464eb579a39918f60f130a5fbb77a6b30/node_groups.tf:247"
2025-01-07T11:31:34Z	INFO	[terraform executor] Ignore finding	rule="aws-eks-no-public-cluster-access-to-cidr" range="git::https:/github.com/terraform-aws-modules/terraform-aws-eks?ref=a713f6f464eb579a39918f60f130a5fbb77a6b30/main.tf:70"
2025-01-07T11:31:34Z	INFO	Number of language-specific files	num=0
2025-01-07T11:31:34Z	INFO	Detected config files	num=14
trivy_exitcode=0

@jacobwoffenden jacobwoffenden had a problem deploying to analytical-platform-compute-test January 7, 2025 11:31 — with GitHub Actions Failure
@jacobwoffenden
promote karpenter to v1
e587acc 
Signed-off-by: GitHub <noreply@github.com>
@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Jan 7, 2025

Trivy Scan Success

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/analytical-platform-compute

Running Trivy in terraform/environments/analytical-platform-compute
2025-01-07T12:53:30Z INFO [vulndb] Need to update DB
2025-01-07T12:53:30Z INFO [vulndb] Downloading vulnerability DB...
2025-01-07T12:53:30Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-01-07T12:53:33Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-01-07T12:53:33Z INFO [vuln] Vulnerability scanning is enabled
2025-01-07T12:53:33Z INFO [misconfig] Misconfiguration scanning is enabled
2025-01-07T12:53:33Z INFO [misconfig] Need to update the built-in checks
2025-01-07T12:53:33Z INFO [misconfig] Downloading the built-in checks...
160.80 KiB / 160.80 KiB [------------------------------------------------------] 100.00% ? p/s 100ms2025-01-07T12:53:33Z INFO [secret] Secret scanning is enabled
2025-01-07T12:53:33Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-01-07T12:53:33Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2025-01-07T12:53:35Z INFO [terraform scanner] Scanning root module file_path="."
2025-01-07T12:53:35Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2025-01-07T12:53:36Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.transit_gateway_routes" value="cty.NilVal"
2025-01-07T12:53:42Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.eks.aws_ec2_tag.cluster_primary_security_group" value="cty.NilVal"
2025-01-07T12:53:42Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.eks.module.kms.data.aws_iam_policy_document.this[0]" err="1 error occurred:\n\t* invalid for-each in data.aws_iam_policy_document.this[0].dynamic.statement block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T12:53:42Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.eks.module.kms.data.aws_iam_policy_document.this[0]" err="1 error occurred:\n\t* invalid for-each in data.aws_iam_policy_document.this[0].dynamic.statement block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T12:53:42Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.eks.module.eks_managed_node_group["airflow-high-memory"].aws_iam_role_policy_attachment.this" value="cty.NilVal"
2025-01-07T12:53:42Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.eks.module.eks_managed_node_group["airflow-high-memory"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T12:53:42Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.eks.module.eks_managed_node_group["airflow-high-memory"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T12:53:42Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.eks.module.eks_managed_node_group["general"].aws_iam_role_policy_attachment.this" value="cty.NilVal"
2025-01-07T12:53:42Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.eks.module.eks_managed_node_group["general"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T12:53:42Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.eks.module.eks_managed_node_group["general"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T12:53:43Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.eks_cluster_logs_kms.data.aws_iam_policy_document.this[0]" err="1 error occurred:\n\t* invalid for-each in data.aws_iam_policy_document.this[0].dynamic.statement.content.dynamic.condition block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T12:53:43Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.eks_cluster_logs_kms.data.aws_iam_policy_document.this[0]" err="1 error occurred:\n\t* invalid for-each in data.aws_iam_policy_document.this[0].dynamic.statement.content.dynamic.condition block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T12:53:43Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.eks.module.eks_managed_node_group["airflow-high-memory"].aws_iam_role_policy_attachment.this" value="cty.NilVal"
2025-01-07T12:53:43Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.eks.module.eks_managed_node_group["airflow-high-memory"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T12:53:43Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.eks.module.eks_managed_node_group["airflow-high-memory"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T12:53:43Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.eks.module.eks_managed_node_group["general"].aws_iam_role_policy_attachment.this" value="cty.NilVal"
2025-01-07T12:53:43Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.eks.module.eks_managed_node_group["general"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T12:53:43Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.eks.module.eks_managed_node_group["general"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T12:53:44Z INFO [terraform executor] Ignore finding rule="aws-ec2-no-public-egress-sgr" range="git::https:/github.com/terraform-aws-modules/terraform-aws-eks?ref=a713f6f464eb579a39918f60f130a5fbb77a6b30/node_groups.tf:247"
2025-01-07T12:53:44Z INFO [terraform executor] Ignore finding rule="aws-eks-no-public-cluster-access" range="git::https:/github.com/terraform-aws-modules/terraform-aws-eks?ref=a713f6f464eb579a39918f60f130a5fbb77a6b30/main.tf:69"
2025-01-07T12:53:44Z INFO [terraform executor] Ignore finding rule="aws-eks-no-public-cluster-access-to-cidr" range="git::https:/github.com/terraform-aws-modules/terraform-aws-eks?ref=a713f6f464eb579a39918f60f130a5fbb77a6b30/main.tf:70"
2025-01-07T12:53:44Z INFO Number of language-specific files num=0
2025-01-07T12:53:44Z INFO Detected config files num=14
trivy_exitcode=0

</details> #### `Checkov Scan` Success
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/analytical-platform-compute

*****************************

Running Checkov in terraform/environments/analytical-platform-compute
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2025-01-07 12:53:46,811 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-policy:5.52.1 (for external modules, the --download-external-modules flag is required)
2025-01-07 12:53:46,811 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks:5.52.1 (for external modules, the --download-external-modules flag is required)
2025-01-07 12:53:46,811 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-github-oidc-role:5.52.1 (for external modules, the --download-external-modules flag is required)
2025-01-07 12:53:46,811 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-assumable-role:5.52.1 (for external modules, the --download-external-modules flag is required)
2025-01-07 12:53:46,811 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/cloudwatch/aws//modules/log-group:5.7.0 (for external modules, the --download-external-modules flag is required)
2025-01-07 12:53:46,811 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/kms/aws:3.1.1 (for external modules, the --download-external-modules flag is required)
2025-01-07 12:53:46,812 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/eks-pod-identity/aws:1.9.0 (for external modules, the --download-external-modules flag is required)
2025-01-07 12:53:46,812 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/s3-bucket/aws:4.3.0 (for external modules, the --download-external-modules flag is required)
2025-01-07 12:53:46,812 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/rds/aws:6.10.0 (for external modules, the --download-external-modules flag is required)
2025-01-07 12:53:46,812 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/security-group/aws:5.2.0 (for external modules, the --download-external-modules flag is required)
2025-01-07 12:53:46,812 [MainThread  ] [WARNI]  Failed to download module ministryofjustice/observability-platform-tenant/aws:1.2.0 (for external modules, the --download-external-modules flag is required)
2025-01-07 12:53:46,812 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/vpc/aws//modules/vpc-endpoints:5.17.0 (for external modules, the --download-external-modules flag is required)
2025-01-07 12:53:46,813 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/secrets-manager/aws:1.3.1 (for external modules, the --download-external-modules flag is required)
2025-01-07 12:53:46,813 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/eks/aws:20.31.6 (for external modules, the --download-external-modules flag is required)
2025-01-07 12:53:46,813 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/eks/aws//modules/karpenter:20.31.6 (for external modules, the --download-external-modules flag is required)
2025-01-07 12:53:46,813 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/route53/aws//modules/zones:4.1.0 (for external modules, the --download-external-modules flag is required)
2025-01-07 12:53:46,813 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/vpc/aws:5.17.0 (for external modules, the --download-external-modules flag is required)
2025-01-07 12:53:46,813 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/managed-service-prometheus/aws:3.0.0 (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 154, Failed checks: 0, Skipped checks: 153


checkov_exitcode=0

CTFLint Scan Success

Show Output 
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/analytical-platform-compute

*****************************

Running tflint in terraform/environments/analytical-platform-compute
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

Trivy Scan Success

Show Output 
*****************************

Trivy will check the following folders:
terraform/environments/analytical-platform-compute

*****************************

Running Trivy in terraform/environments/analytical-platform-compute
2025-01-07T12:53:30Z	INFO	[vulndb] Need to update DB
2025-01-07T12:53:30Z	INFO	[vulndb] Downloading vulnerability DB...
2025-01-07T12:53:30Z	INFO	[vulndb] Downloading artifact...	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-01-07T12:53:33Z	INFO	[vulndb] Artifact successfully downloaded	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-01-07T12:53:33Z	INFO	[vuln] Vulnerability scanning is enabled
2025-01-07T12:53:33Z	INFO	[misconfig] Misconfiguration scanning is enabled
2025-01-07T12:53:33Z	INFO	[misconfig] Need to update the built-in checks
2025-01-07T12:53:33Z	INFO	[misconfig] Downloading the built-in checks...
160.80 KiB / 160.80 KiB [------------------------------------------------------] 100.00% ? p/s 100ms2025-01-07T12:53:33Z	INFO	[secret] Secret scanning is enabled
2025-01-07T12:53:33Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-01-07T12:53:33Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2025-01-07T12:53:35Z	INFO	[terraform scanner] Scanning root module	file_path="."
2025-01-07T12:53:35Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2025-01-07T12:53:36Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.transit_gateway_routes" value="cty.NilVal"
2025-01-07T12:53:42Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.eks.aws_ec2_tag.cluster_primary_security_group" value="cty.NilVal"
2025-01-07T12:53:42Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.eks.module.kms.data.aws_iam_policy_document.this[0]" err="1 error occurred:\n\t* invalid for-each in data.aws_iam_policy_document.this[0].dynamic.statement block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T12:53:42Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.eks.module.kms.data.aws_iam_policy_document.this[0]" err="1 error occurred:\n\t* invalid for-each in data.aws_iam_policy_document.this[0].dynamic.statement block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T12:53:42Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.eks.module.eks_managed_node_group[\"airflow-high-memory\"].aws_iam_role_policy_attachment.this" value="cty.NilVal"
2025-01-07T12:53:42Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.eks.module.eks_managed_node_group[\"airflow-high-memory\"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T12:53:42Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.eks.module.eks_managed_node_group[\"airflow-high-memory\"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T12:53:42Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.eks.module.eks_managed_node_group[\"general\"].aws_iam_role_policy_attachment.this" value="cty.NilVal"
2025-01-07T12:53:42Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.eks.module.eks_managed_node_group[\"general\"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T12:53:42Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.eks.module.eks_managed_node_group[\"general\"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T12:53:43Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.eks_cluster_logs_kms.data.aws_iam_policy_document.this[0]" err="1 error occurred:\n\t* invalid for-each in data.aws_iam_policy_document.this[0].dynamic.statement.content.dynamic.condition block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T12:53:43Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.eks_cluster_logs_kms.data.aws_iam_policy_document.this[0]" err="1 error occurred:\n\t* invalid for-each in data.aws_iam_policy_document.this[0].dynamic.statement.content.dynamic.condition block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T12:53:43Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.eks.module.eks_managed_node_group[\"airflow-high-memory\"].aws_iam_role_policy_attachment.this" value="cty.NilVal"
2025-01-07T12:53:43Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.eks.module.eks_managed_node_group[\"airflow-high-memory\"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T12:53:43Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.eks.module.eks_managed_node_group[\"airflow-high-memory\"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T12:53:43Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.eks.module.eks_managed_node_group[\"general\"].aws_iam_role_policy_attachment.this" value="cty.NilVal"
2025-01-07T12:53:43Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.eks.module.eks_managed_node_group[\"general\"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T12:53:43Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.eks.module.eks_managed_node_group[\"general\"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T12:53:44Z	INFO	[terraform executor] Ignore finding	rule="aws-ec2-no-public-egress-sgr" range="git::https:/github.com/terraform-aws-modules/terraform-aws-eks?ref=a713f6f464eb579a39918f60f130a5fbb77a6b30/node_groups.tf:247"
2025-01-07T12:53:44Z	INFO	[terraform executor] Ignore finding	rule="aws-eks-no-public-cluster-access" range="git::https:/github.com/terraform-aws-modules/terraform-aws-eks?ref=a713f6f464eb579a39918f60f130a5fbb77a6b30/main.tf:69"
2025-01-07T12:53:44Z	INFO	[terraform executor] Ignore finding	rule="aws-eks-no-public-cluster-access-to-cidr" range="git::https:/github.com/terraform-aws-modules/terraform-aws-eks?ref=a713f6f464eb579a39918f60f130a5fbb77a6b30/main.tf:70"
2025-01-07T12:53:44Z	INFO	Number of language-specific files	num=0
2025-01-07T12:53:44Z	INFO	Detected config files	num=14
trivy_exitcode=0

@jacobwoffenden jacobwoffenden had a problem deploying to analytical-platform-compute-test January 7, 2025 12:53 — with GitHub Actions Failure
@jacobwoffenden jacobwoffenden had a problem deploying to analytical-platform-compute-development January 7, 2025 12:53 — with GitHub Actions Failure
@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Jan 7, 2025

Trivy Scan Success

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/analytical-platform-compute

Running Trivy in terraform/environments/analytical-platform-compute
2025-01-07T12:56:48Z INFO [vulndb] Need to update DB
2025-01-07T12:56:48Z INFO [vulndb] Downloading vulnerability DB...
2025-01-07T12:56:48Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-01-07T12:56:51Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-01-07T12:56:51Z INFO [vuln] Vulnerability scanning is enabled
2025-01-07T12:56:51Z INFO [misconfig] Misconfiguration scanning is enabled
2025-01-07T12:56:51Z INFO [misconfig] Need to update the built-in checks
2025-01-07T12:56:51Z INFO [misconfig] Downloading the built-in checks...
160.80 KiB / 160.80 KiB [---------------------------------------------------------] 100.00% ? p/s 0s2025-01-07T12:56:51Z INFO [secret] Secret scanning is enabled
2025-01-07T12:56:51Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-01-07T12:56:51Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2025-01-07T12:56:53Z INFO [terraform scanner] Scanning root module file_path="."
2025-01-07T12:56:53Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2025-01-07T12:56:53Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.transit_gateway_routes" value="cty.NilVal"
2025-01-07T12:57:03Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.eks.aws_ec2_tag.cluster_primary_security_group" value="cty.NilVal"
2025-01-07T12:57:04Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.eks.module.kms.data.aws_iam_policy_document.this[0]" err="1 error occurred:\n\t* invalid for-each in data.aws_iam_policy_document.this[0].dynamic.statement block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T12:57:04Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.eks.module.kms.data.aws_iam_policy_document.this[0]" err="1 error occurred:\n\t* invalid for-each in data.aws_iam_policy_document.this[0].dynamic.statement block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T12:57:04Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.eks.module.eks_managed_node_group["airflow-high-memory"].aws_iam_role_policy_attachment.this" value="cty.NilVal"
2025-01-07T12:57:04Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.eks.module.eks_managed_node_group["airflow-high-memory"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T12:57:04Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.eks.module.eks_managed_node_group["airflow-high-memory"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T12:57:04Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.eks.module.eks_managed_node_group["general"].aws_iam_role_policy_attachment.this" value="cty.NilVal"
2025-01-07T12:57:04Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.eks.module.eks_managed_node_group["general"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T12:57:04Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.eks.module.eks_managed_node_group["general"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T12:57:04Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.eks_cluster_logs_kms.data.aws_iam_policy_document.this[0]" err="1 error occurred:\n\t* invalid for-each in data.aws_iam_policy_document.this[0].dynamic.statement.content.dynamic.condition block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T12:57:04Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.eks_cluster_logs_kms.data.aws_iam_policy_document.this[0]" err="1 error occurred:\n\t* invalid for-each in data.aws_iam_policy_document.this[0].dynamic.statement.content.dynamic.condition block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T12:57:04Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.eks.module.eks_managed_node_group["airflow-high-memory"].aws_iam_role_policy_attachment.this" value="cty.NilVal"
2025-01-07T12:57:04Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.eks.module.eks_managed_node_group["airflow-high-memory"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T12:57:04Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.eks.module.eks_managed_node_group["airflow-high-memory"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T12:57:04Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.eks.module.eks_managed_node_group["general"].aws_iam_role_policy_attachment.this" value="cty.NilVal"
2025-01-07T12:57:04Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.eks.module.eks_managed_node_group["general"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T12:57:04Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.eks.module.eks_managed_node_group["general"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T12:57:05Z INFO [terraform executor] Ignore finding rule="aws-eks-no-public-cluster-access-to-cidr" range="git::https:/github.com/terraform-aws-modules/terraform-aws-eks?ref=a713f6f464eb579a39918f60f130a5fbb77a6b30/main.tf:70"
2025-01-07T12:57:05Z INFO [terraform executor] Ignore finding rule="aws-eks-no-public-cluster-access" range="git::https:/github.com/terraform-aws-modules/terraform-aws-eks?ref=a713f6f464eb579a39918f60f130a5fbb77a6b30/main.tf:69"
2025-01-07T12:57:05Z INFO [terraform executor] Ignore finding rule="aws-ec2-no-public-egress-sgr" range="git::https:/github.com/terraform-aws-modules/terraform-aws-eks?ref=a713f6f464eb579a39918f60f130a5fbb77a6b30/node_groups.tf:247"
2025-01-07T12:57:05Z INFO Number of language-specific files num=0
2025-01-07T12:57:05Z INFO Detected config files num=14
trivy_exitcode=0

</details> #### `Checkov Scan` Success
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/analytical-platform-compute

*****************************

Running Checkov in terraform/environments/analytical-platform-compute
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2025-01-07 12:57:08,898 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-policy:5.52.1 (for external modules, the --download-external-modules flag is required)
2025-01-07 12:57:08,898 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks:5.52.1 (for external modules, the --download-external-modules flag is required)
2025-01-07 12:57:08,899 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-github-oidc-role:5.52.1 (for external modules, the --download-external-modules flag is required)
2025-01-07 12:57:08,899 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-assumable-role:5.52.1 (for external modules, the --download-external-modules flag is required)
2025-01-07 12:57:08,899 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/cloudwatch/aws//modules/log-group:5.7.0 (for external modules, the --download-external-modules flag is required)
2025-01-07 12:57:08,899 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/kms/aws:3.1.1 (for external modules, the --download-external-modules flag is required)
2025-01-07 12:57:08,899 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/eks-pod-identity/aws:1.9.0 (for external modules, the --download-external-modules flag is required)
2025-01-07 12:57:08,899 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/s3-bucket/aws:4.3.0 (for external modules, the --download-external-modules flag is required)
2025-01-07 12:57:08,899 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/rds/aws:6.10.0 (for external modules, the --download-external-modules flag is required)
2025-01-07 12:57:08,899 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/security-group/aws:5.2.0 (for external modules, the --download-external-modules flag is required)
2025-01-07 12:57:08,900 [MainThread  ] [WARNI]  Failed to download module ministryofjustice/observability-platform-tenant/aws:1.2.0 (for external modules, the --download-external-modules flag is required)
2025-01-07 12:57:08,900 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/vpc/aws//modules/vpc-endpoints:5.17.0 (for external modules, the --download-external-modules flag is required)
2025-01-07 12:57:08,900 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/secrets-manager/aws:1.3.1 (for external modules, the --download-external-modules flag is required)
2025-01-07 12:57:08,900 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/eks/aws:20.31.6 (for external modules, the --download-external-modules flag is required)
2025-01-07 12:57:08,900 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/eks/aws//modules/karpenter:20.31.6 (for external modules, the --download-external-modules flag is required)
2025-01-07 12:57:08,900 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/route53/aws//modules/zones:4.1.0 (for external modules, the --download-external-modules flag is required)
2025-01-07 12:57:08,901 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/vpc/aws:5.17.0 (for external modules, the --download-external-modules flag is required)
2025-01-07 12:57:08,901 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/managed-service-prometheus/aws:3.0.0 (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 154, Failed checks: 0, Skipped checks: 153


checkov_exitcode=0

CTFLint Scan Success

Show Output 
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/analytical-platform-compute

*****************************

Running tflint in terraform/environments/analytical-platform-compute
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

Trivy Scan Success

Show Output 
*****************************

Trivy will check the following folders:
terraform/environments/analytical-platform-compute

*****************************

Running Trivy in terraform/environments/analytical-platform-compute
2025-01-07T12:56:48Z	INFO	[vulndb] Need to update DB
2025-01-07T12:56:48Z	INFO	[vulndb] Downloading vulnerability DB...
2025-01-07T12:56:48Z	INFO	[vulndb] Downloading artifact...	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-01-07T12:56:51Z	INFO	[vulndb] Artifact successfully downloaded	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-01-07T12:56:51Z	INFO	[vuln] Vulnerability scanning is enabled
2025-01-07T12:56:51Z	INFO	[misconfig] Misconfiguration scanning is enabled
2025-01-07T12:56:51Z	INFO	[misconfig] Need to update the built-in checks
2025-01-07T12:56:51Z	INFO	[misconfig] Downloading the built-in checks...
160.80 KiB / 160.80 KiB [---------------------------------------------------------] 100.00% ? p/s 0s2025-01-07T12:56:51Z	INFO	[secret] Secret scanning is enabled
2025-01-07T12:56:51Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-01-07T12:56:51Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2025-01-07T12:56:53Z	INFO	[terraform scanner] Scanning root module	file_path="."
2025-01-07T12:56:53Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2025-01-07T12:56:53Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.transit_gateway_routes" value="cty.NilVal"
2025-01-07T12:57:03Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.eks.aws_ec2_tag.cluster_primary_security_group" value="cty.NilVal"
2025-01-07T12:57:04Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.eks.module.kms.data.aws_iam_policy_document.this[0]" err="1 error occurred:\n\t* invalid for-each in data.aws_iam_policy_document.this[0].dynamic.statement block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T12:57:04Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.eks.module.kms.data.aws_iam_policy_document.this[0]" err="1 error occurred:\n\t* invalid for-each in data.aws_iam_policy_document.this[0].dynamic.statement block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T12:57:04Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.eks.module.eks_managed_node_group[\"airflow-high-memory\"].aws_iam_role_policy_attachment.this" value="cty.NilVal"
2025-01-07T12:57:04Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.eks.module.eks_managed_node_group[\"airflow-high-memory\"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T12:57:04Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.eks.module.eks_managed_node_group[\"airflow-high-memory\"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T12:57:04Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.eks.module.eks_managed_node_group[\"general\"].aws_iam_role_policy_attachment.this" value="cty.NilVal"
2025-01-07T12:57:04Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.eks.module.eks_managed_node_group[\"general\"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T12:57:04Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.eks.module.eks_managed_node_group[\"general\"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T12:57:04Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.eks_cluster_logs_kms.data.aws_iam_policy_document.this[0]" err="1 error occurred:\n\t* invalid for-each in data.aws_iam_policy_document.this[0].dynamic.statement.content.dynamic.condition block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T12:57:04Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.eks_cluster_logs_kms.data.aws_iam_policy_document.this[0]" err="1 error occurred:\n\t* invalid for-each in data.aws_iam_policy_document.this[0].dynamic.statement.content.dynamic.condition block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T12:57:04Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.eks.module.eks_managed_node_group[\"airflow-high-memory\"].aws_iam_role_policy_attachment.this" value="cty.NilVal"
2025-01-07T12:57:04Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.eks.module.eks_managed_node_group[\"airflow-high-memory\"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T12:57:04Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.eks.module.eks_managed_node_group[\"airflow-high-memory\"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T12:57:04Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.eks.module.eks_managed_node_group[\"general\"].aws_iam_role_policy_attachment.this" value="cty.NilVal"
2025-01-07T12:57:04Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.eks.module.eks_managed_node_group[\"general\"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T12:57:04Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.eks.module.eks_managed_node_group[\"general\"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T12:57:05Z	INFO	[terraform executor] Ignore finding	rule="aws-eks-no-public-cluster-access-to-cidr" range="git::https:/github.com/terraform-aws-modules/terraform-aws-eks?ref=a713f6f464eb579a39918f60f130a5fbb77a6b30/main.tf:70"
2025-01-07T12:57:05Z	INFO	[terraform executor] Ignore finding	rule="aws-eks-no-public-cluster-access" range="git::https:/github.com/terraform-aws-modules/terraform-aws-eks?ref=a713f6f464eb579a39918f60f130a5fbb77a6b30/main.tf:69"
2025-01-07T12:57:05Z	INFO	[terraform executor] Ignore finding	rule="aws-ec2-no-public-egress-sgr" range="git::https:/github.com/terraform-aws-modules/terraform-aws-eks?ref=a713f6f464eb579a39918f60f130a5fbb77a6b30/node_groups.tf:247"
2025-01-07T12:57:05Z	INFO	Number of language-specific files	num=0
2025-01-07T12:57:05Z	INFO	Detected config files	num=14
trivy_exitcode=0

@jacobwoffenden jacobwoffenden had a problem deploying to analytical-platform-compute-development January 7, 2025 12:57 — with GitHub Actions Failure
@jacobwoffenden jacobwoffenden had a problem deploying to analytical-platform-compute-test January 7, 2025 12:57 — with GitHub Actions Failure
@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Jan 7, 2025

Trivy Scan Success

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/analytical-platform-compute

Running Trivy in terraform/environments/analytical-platform-compute
2025-01-07T13:25:32Z INFO [vulndb] Need to update DB
2025-01-07T13:25:32Z INFO [vulndb] Downloading vulnerability DB...
2025-01-07T13:25:32Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-01-07T13:25:34Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-01-07T13:25:34Z INFO [vuln] Vulnerability scanning is enabled
2025-01-07T13:25:34Z INFO [misconfig] Misconfiguration scanning is enabled
2025-01-07T13:25:34Z INFO [misconfig] Need to update the built-in checks
2025-01-07T13:25:34Z INFO [misconfig] Downloading the built-in checks...
160.80 KiB / 160.80 KiB [---------------------------------------------------------] 100.00% ? p/s 0s2025-01-07T13:25:34Z INFO [secret] Secret scanning is enabled
2025-01-07T13:25:34Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-01-07T13:25:34Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2025-01-07T13:25:37Z INFO [terraform scanner] Scanning root module file_path="."
2025-01-07T13:25:37Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2025-01-07T13:25:37Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.transit_gateway_routes" value="cty.NilVal"
2025-01-07T13:25:41Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.eks.aws_ec2_tag.cluster_primary_security_group" value="cty.NilVal"
2025-01-07T13:25:42Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.eks.module.kms.data.aws_iam_policy_document.this[0]" err="1 error occurred:\n\t* invalid for-each in data.aws_iam_policy_document.this[0].dynamic.statement block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T13:25:42Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.eks.module.kms.data.aws_iam_policy_document.this[0]" err="1 error occurred:\n\t* invalid for-each in data.aws_iam_policy_document.this[0].dynamic.statement block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T13:25:42Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.eks.module.eks_managed_node_group["airflow-high-memory"].aws_iam_role_policy_attachment.this" value="cty.NilVal"
2025-01-07T13:25:42Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.eks.module.eks_managed_node_group["airflow-high-memory"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T13:25:42Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.eks.module.eks_managed_node_group["airflow-high-memory"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T13:25:42Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.eks.module.eks_managed_node_group["general"].aws_iam_role_policy_attachment.this" value="cty.NilVal"
2025-01-07T13:25:42Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.eks.module.eks_managed_node_group["general"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T13:25:42Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.eks.module.eks_managed_node_group["general"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T13:25:42Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.eks_cluster_logs_kms.data.aws_iam_policy_document.this[0]" err="1 error occurred:\n\t* invalid for-each in data.aws_iam_policy_document.this[0].dynamic.statement.content.dynamic.condition block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T13:25:42Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.eks_cluster_logs_kms.data.aws_iam_policy_document.this[0]" err="1 error occurred:\n\t* invalid for-each in data.aws_iam_policy_document.this[0].dynamic.statement.content.dynamic.condition block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T13:25:42Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.eks.module.eks_managed_node_group["airflow-high-memory"].aws_iam_role_policy_attachment.this" value="cty.NilVal"
2025-01-07T13:25:42Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.eks.module.eks_managed_node_group["airflow-high-memory"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T13:25:42Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.eks.module.eks_managed_node_group["airflow-high-memory"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T13:25:42Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.eks.module.eks_managed_node_group["general"].aws_iam_role_policy_attachment.this" value="cty.NilVal"
2025-01-07T13:25:42Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.eks.module.eks_managed_node_group["general"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T13:25:42Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.eks.module.eks_managed_node_group["general"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T13:25:43Z INFO [terraform executor] Ignore finding rule="aws-eks-no-public-cluster-access" range="git::https:/github.com/terraform-aws-modules/terraform-aws-eks?ref=a713f6f464eb579a39918f60f130a5fbb77a6b30/main.tf:69"
2025-01-07T13:25:43Z INFO [terraform executor] Ignore finding rule="aws-eks-no-public-cluster-access-to-cidr" range="git::https:/github.com/terraform-aws-modules/terraform-aws-eks?ref=a713f6f464eb579a39918f60f130a5fbb77a6b30/main.tf:70"
2025-01-07T13:25:43Z INFO [terraform executor] Ignore finding rule="aws-ec2-no-public-egress-sgr" range="git::https:/github.com/terraform-aws-modules/terraform-aws-eks?ref=a713f6f464eb579a39918f60f130a5fbb77a6b30/node_groups.tf:247"
2025-01-07T13:25:43Z INFO Number of language-specific files num=0
2025-01-07T13:25:43Z INFO Detected config files num=14
trivy_exitcode=0

</details> #### `Checkov Scan` Success
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/analytical-platform-compute

*****************************

Running Checkov in terraform/environments/analytical-platform-compute
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2025-01-07 13:25:46,211 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-policy:5.52.1 (for external modules, the --download-external-modules flag is required)
2025-01-07 13:25:46,211 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks:5.52.1 (for external modules, the --download-external-modules flag is required)
2025-01-07 13:25:46,211 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-github-oidc-role:5.52.1 (for external modules, the --download-external-modules flag is required)
2025-01-07 13:25:46,211 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-assumable-role:5.52.1 (for external modules, the --download-external-modules flag is required)
2025-01-07 13:25:46,211 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/cloudwatch/aws//modules/log-group:5.7.0 (for external modules, the --download-external-modules flag is required)
2025-01-07 13:25:46,211 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/kms/aws:3.1.1 (for external modules, the --download-external-modules flag is required)
2025-01-07 13:25:46,211 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/eks-pod-identity/aws:1.9.0 (for external modules, the --download-external-modules flag is required)
2025-01-07 13:25:46,212 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/s3-bucket/aws:4.3.0 (for external modules, the --download-external-modules flag is required)
2025-01-07 13:25:46,212 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/rds/aws:6.10.0 (for external modules, the --download-external-modules flag is required)
2025-01-07 13:25:46,212 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/security-group/aws:5.2.0 (for external modules, the --download-external-modules flag is required)
2025-01-07 13:25:46,212 [MainThread  ] [WARNI]  Failed to download module ministryofjustice/observability-platform-tenant/aws:1.2.0 (for external modules, the --download-external-modules flag is required)
2025-01-07 13:25:46,212 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/vpc/aws//modules/vpc-endpoints:5.17.0 (for external modules, the --download-external-modules flag is required)
2025-01-07 13:25:46,212 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/secrets-manager/aws:1.3.1 (for external modules, the --download-external-modules flag is required)
2025-01-07 13:25:46,212 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/eks/aws:20.31.6 (for external modules, the --download-external-modules flag is required)
2025-01-07 13:25:46,213 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/eks/aws//modules/karpenter:20.31.6 (for external modules, the --download-external-modules flag is required)
2025-01-07 13:25:46,213 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/route53/aws//modules/zones:4.1.0 (for external modules, the --download-external-modules flag is required)
2025-01-07 13:25:46,213 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/vpc/aws:5.17.0 (for external modules, the --download-external-modules flag is required)
2025-01-07 13:25:46,213 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/managed-service-prometheus/aws:3.0.0 (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 154, Failed checks: 0, Skipped checks: 153


checkov_exitcode=0

CTFLint Scan Success

Show Output 
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/analytical-platform-compute

*****************************

Running tflint in terraform/environments/analytical-platform-compute
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

Trivy Scan Success

Show Output 
*****************************

Trivy will check the following folders:
terraform/environments/analytical-platform-compute

*****************************

Running Trivy in terraform/environments/analytical-platform-compute
2025-01-07T13:25:32Z	INFO	[vulndb] Need to update DB
2025-01-07T13:25:32Z	INFO	[vulndb] Downloading vulnerability DB...
2025-01-07T13:25:32Z	INFO	[vulndb] Downloading artifact...	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-01-07T13:25:34Z	INFO	[vulndb] Artifact successfully downloaded	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-01-07T13:25:34Z	INFO	[vuln] Vulnerability scanning is enabled
2025-01-07T13:25:34Z	INFO	[misconfig] Misconfiguration scanning is enabled
2025-01-07T13:25:34Z	INFO	[misconfig] Need to update the built-in checks
2025-01-07T13:25:34Z	INFO	[misconfig] Downloading the built-in checks...
160.80 KiB / 160.80 KiB [---------------------------------------------------------] 100.00% ? p/s 0s2025-01-07T13:25:34Z	INFO	[secret] Secret scanning is enabled
2025-01-07T13:25:34Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-01-07T13:25:34Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2025-01-07T13:25:37Z	INFO	[terraform scanner] Scanning root module	file_path="."
2025-01-07T13:25:37Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2025-01-07T13:25:37Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.transit_gateway_routes" value="cty.NilVal"
2025-01-07T13:25:41Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.eks.aws_ec2_tag.cluster_primary_security_group" value="cty.NilVal"
2025-01-07T13:25:42Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.eks.module.kms.data.aws_iam_policy_document.this[0]" err="1 error occurred:\n\t* invalid for-each in data.aws_iam_policy_document.this[0].dynamic.statement block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T13:25:42Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.eks.module.kms.data.aws_iam_policy_document.this[0]" err="1 error occurred:\n\t* invalid for-each in data.aws_iam_policy_document.this[0].dynamic.statement block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T13:25:42Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.eks.module.eks_managed_node_group[\"airflow-high-memory\"].aws_iam_role_policy_attachment.this" value="cty.NilVal"
2025-01-07T13:25:42Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.eks.module.eks_managed_node_group[\"airflow-high-memory\"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T13:25:42Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.eks.module.eks_managed_node_group[\"airflow-high-memory\"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T13:25:42Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.eks.module.eks_managed_node_group[\"general\"].aws_iam_role_policy_attachment.this" value="cty.NilVal"
2025-01-07T13:25:42Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.eks.module.eks_managed_node_group[\"general\"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T13:25:42Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.eks.module.eks_managed_node_group[\"general\"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T13:25:42Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.eks_cluster_logs_kms.data.aws_iam_policy_document.this[0]" err="1 error occurred:\n\t* invalid for-each in data.aws_iam_policy_document.this[0].dynamic.statement.content.dynamic.condition block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T13:25:42Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.eks_cluster_logs_kms.data.aws_iam_policy_document.this[0]" err="1 error occurred:\n\t* invalid for-each in data.aws_iam_policy_document.this[0].dynamic.statement.content.dynamic.condition block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T13:25:42Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.eks.module.eks_managed_node_group[\"airflow-high-memory\"].aws_iam_role_policy_attachment.this" value="cty.NilVal"
2025-01-07T13:25:42Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.eks.module.eks_managed_node_group[\"airflow-high-memory\"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T13:25:42Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.eks.module.eks_managed_node_group[\"airflow-high-memory\"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T13:25:42Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.eks.module.eks_managed_node_group[\"general\"].aws_iam_role_policy_attachment.this" value="cty.NilVal"
2025-01-07T13:25:42Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.eks.module.eks_managed_node_group[\"general\"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T13:25:42Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.eks.module.eks_managed_node_group[\"general\"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T13:25:43Z	INFO	[terraform executor] Ignore finding	rule="aws-eks-no-public-cluster-access" range="git::https:/github.com/terraform-aws-modules/terraform-aws-eks?ref=a713f6f464eb579a39918f60f130a5fbb77a6b30/main.tf:69"
2025-01-07T13:25:43Z	INFO	[terraform executor] Ignore finding	rule="aws-eks-no-public-cluster-access-to-cidr" range="git::https:/github.com/terraform-aws-modules/terraform-aws-eks?ref=a713f6f464eb579a39918f60f130a5fbb77a6b30/main.tf:70"
2025-01-07T13:25:43Z	INFO	[terraform executor] Ignore finding	rule="aws-ec2-no-public-egress-sgr" range="git::https:/github.com/terraform-aws-modules/terraform-aws-eks?ref=a713f6f464eb579a39918f60f130a5fbb77a6b30/node_groups.tf:247"
2025-01-07T13:25:43Z	INFO	Number of language-specific files	num=0
2025-01-07T13:25:43Z	INFO	Detected config files	num=14
trivy_exitcode=0

@jacobwoffenden jacobwoffenden had a problem deploying to analytical-platform-compute-development January 7, 2025 13:25 — with GitHub Actions Failure
@jacobwoffenden jacobwoffenden had a problem deploying to analytical-platform-compute-test January 7, 2025 13:26 — with GitHub Actions Failure
@jacobwoffenden
bump chart
5542f8a 
Signed-off-by: GitHub <noreply@github.com>
@jacobwoffenden jacobwoffenden had a problem deploying to analytical-platform-compute-development January 7, 2025 13:49 — with GitHub Actions Failure
@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Jan 7, 2025

Trivy Scan Success

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/analytical-platform-compute

Running Trivy in terraform/environments/analytical-platform-compute
2025-01-07T13:49:39Z INFO [vulndb] Need to update DB
2025-01-07T13:49:39Z INFO [vulndb] Downloading vulnerability DB...
2025-01-07T13:49:39Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-01-07T13:49:41Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-01-07T13:49:41Z INFO [vuln] Vulnerability scanning is enabled
2025-01-07T13:49:41Z INFO [misconfig] Misconfiguration scanning is enabled
2025-01-07T13:49:41Z INFO [misconfig] Need to update the built-in checks
2025-01-07T13:49:41Z INFO [misconfig] Downloading the built-in checks...
160.80 KiB / 160.80 KiB [---------------------------------------------------------] 100.00% ? p/s 0s2025-01-07T13:49:42Z INFO [secret] Secret scanning is enabled
2025-01-07T13:49:42Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-01-07T13:49:42Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2025-01-07T13:49:43Z INFO [terraform scanner] Scanning root module file_path="."
2025-01-07T13:49:43Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2025-01-07T13:49:43Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.transit_gateway_routes" value="cty.NilVal"
2025-01-07T13:49:53Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.eks.aws_ec2_tag.cluster_primary_security_group" value="cty.NilVal"
2025-01-07T13:49:53Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.eks.module.kms.data.aws_iam_policy_document.this[0]" err="1 error occurred:\n\t* invalid for-each in data.aws_iam_policy_document.this[0].dynamic.statement block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T13:49:53Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.eks.module.kms.data.aws_iam_policy_document.this[0]" err="1 error occurred:\n\t* invalid for-each in data.aws_iam_policy_document.this[0].dynamic.statement block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T13:49:53Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.eks.module.eks_managed_node_group["airflow-high-memory"].aws_iam_role_policy_attachment.this" value="cty.NilVal"
2025-01-07T13:49:53Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.eks.module.eks_managed_node_group["airflow-high-memory"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T13:49:53Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.eks.module.eks_managed_node_group["airflow-high-memory"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T13:49:53Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.eks.module.eks_managed_node_group["general"].aws_iam_role_policy_attachment.this" value="cty.NilVal"
2025-01-07T13:49:53Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.eks.module.eks_managed_node_group["general"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T13:49:53Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.eks.module.eks_managed_node_group["general"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T13:49:54Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.eks_cluster_logs_kms.data.aws_iam_policy_document.this[0]" err="1 error occurred:\n\t* invalid for-each in data.aws_iam_policy_document.this[0].dynamic.statement.content.dynamic.condition block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T13:49:54Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.eks_cluster_logs_kms.data.aws_iam_policy_document.this[0]" err="1 error occurred:\n\t* invalid for-each in data.aws_iam_policy_document.this[0].dynamic.statement.content.dynamic.condition block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T13:49:54Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.eks.module.eks_managed_node_group["airflow-high-memory"].aws_iam_role_policy_attachment.this" value="cty.NilVal"
2025-01-07T13:49:54Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.eks.module.eks_managed_node_group["airflow-high-memory"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T13:49:54Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.eks.module.eks_managed_node_group["airflow-high-memory"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T13:49:54Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.eks.module.eks_managed_node_group["general"].aws_iam_role_policy_attachment.this" value="cty.NilVal"
2025-01-07T13:49:54Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.eks.module.eks_managed_node_group["general"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T13:49:54Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.eks.module.eks_managed_node_group["general"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T13:49:55Z INFO [terraform executor] Ignore finding rule="aws-ec2-no-public-egress-sgr" range="git::https:/github.com/terraform-aws-modules/terraform-aws-eks?ref=a713f6f464eb579a39918f60f130a5fbb77a6b30/node_groups.tf:247"
2025-01-07T13:49:55Z INFO [terraform executor] Ignore finding rule="aws-eks-no-public-cluster-access-to-cidr" range="git::https:/github.com/terraform-aws-modules/terraform-aws-eks?ref=a713f6f464eb579a39918f60f130a5fbb77a6b30/main.tf:70"
2025-01-07T13:49:55Z INFO [terraform executor] Ignore finding rule="aws-eks-no-public-cluster-access" range="git::https:/github.com/terraform-aws-modules/terraform-aws-eks?ref=a713f6f464eb579a39918f60f130a5fbb77a6b30/main.tf:69"
2025-01-07T13:49:56Z INFO Number of language-specific files num=0
2025-01-07T13:49:56Z INFO Detected config files num=14
trivy_exitcode=0

</details> #### `Checkov Scan` Success
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/analytical-platform-compute

*****************************

Running Checkov in terraform/environments/analytical-platform-compute
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2025-01-07 13:49:59,489 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-policy:5.52.1 (for external modules, the --download-external-modules flag is required)
2025-01-07 13:49:59,489 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks:5.52.1 (for external modules, the --download-external-modules flag is required)
2025-01-07 13:49:59,490 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-github-oidc-role:5.52.1 (for external modules, the --download-external-modules flag is required)
2025-01-07 13:49:59,490 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-assumable-role:5.52.1 (for external modules, the --download-external-modules flag is required)
2025-01-07 13:49:59,490 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/cloudwatch/aws//modules/log-group:5.7.0 (for external modules, the --download-external-modules flag is required)
2025-01-07 13:49:59,490 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/kms/aws:3.1.1 (for external modules, the --download-external-modules flag is required)
2025-01-07 13:49:59,490 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/eks-pod-identity/aws:1.9.0 (for external modules, the --download-external-modules flag is required)
2025-01-07 13:49:59,490 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/s3-bucket/aws:4.3.0 (for external modules, the --download-external-modules flag is required)
2025-01-07 13:49:59,490 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/rds/aws:6.10.0 (for external modules, the --download-external-modules flag is required)
2025-01-07 13:49:59,490 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/security-group/aws:5.2.0 (for external modules, the --download-external-modules flag is required)
2025-01-07 13:49:59,491 [MainThread  ] [WARNI]  Failed to download module ministryofjustice/observability-platform-tenant/aws:1.2.0 (for external modules, the --download-external-modules flag is required)
2025-01-07 13:49:59,491 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/vpc/aws//modules/vpc-endpoints:5.17.0 (for external modules, the --download-external-modules flag is required)
2025-01-07 13:49:59,492 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/secrets-manager/aws:1.3.1 (for external modules, the --download-external-modules flag is required)
2025-01-07 13:49:59,492 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/eks/aws:20.31.6 (for external modules, the --download-external-modules flag is required)
2025-01-07 13:49:59,492 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/eks/aws//modules/karpenter:20.31.6 (for external modules, the --download-external-modules flag is required)
2025-01-07 13:49:59,492 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/route53/aws//modules/zones:4.1.0 (for external modules, the --download-external-modules flag is required)
2025-01-07 13:49:59,492 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/vpc/aws:5.17.0 (for external modules, the --download-external-modules flag is required)
2025-01-07 13:49:59,495 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/managed-service-prometheus/aws:3.0.0 (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 154, Failed checks: 0, Skipped checks: 153


checkov_exitcode=0

CTFLint Scan Success

Show Output 
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/analytical-platform-compute

*****************************

Running tflint in terraform/environments/analytical-platform-compute
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

Trivy Scan Success

Show Output 
*****************************

Trivy will check the following folders:
terraform/environments/analytical-platform-compute

*****************************

Running Trivy in terraform/environments/analytical-platform-compute
2025-01-07T13:49:39Z	INFO	[vulndb] Need to update DB
2025-01-07T13:49:39Z	INFO	[vulndb] Downloading vulnerability DB...
2025-01-07T13:49:39Z	INFO	[vulndb] Downloading artifact...	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-01-07T13:49:41Z	INFO	[vulndb] Artifact successfully downloaded	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-01-07T13:49:41Z	INFO	[vuln] Vulnerability scanning is enabled
2025-01-07T13:49:41Z	INFO	[misconfig] Misconfiguration scanning is enabled
2025-01-07T13:49:41Z	INFO	[misconfig] Need to update the built-in checks
2025-01-07T13:49:41Z	INFO	[misconfig] Downloading the built-in checks...
160.80 KiB / 160.80 KiB [---------------------------------------------------------] 100.00% ? p/s 0s2025-01-07T13:49:42Z	INFO	[secret] Secret scanning is enabled
2025-01-07T13:49:42Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-01-07T13:49:42Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2025-01-07T13:49:43Z	INFO	[terraform scanner] Scanning root module	file_path="."
2025-01-07T13:49:43Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2025-01-07T13:49:43Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.transit_gateway_routes" value="cty.NilVal"
2025-01-07T13:49:53Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.eks.aws_ec2_tag.cluster_primary_security_group" value="cty.NilVal"
2025-01-07T13:49:53Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.eks.module.kms.data.aws_iam_policy_document.this[0]" err="1 error occurred:\n\t* invalid for-each in data.aws_iam_policy_document.this[0].dynamic.statement block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T13:49:53Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.eks.module.kms.data.aws_iam_policy_document.this[0]" err="1 error occurred:\n\t* invalid for-each in data.aws_iam_policy_document.this[0].dynamic.statement block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T13:49:53Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.eks.module.eks_managed_node_group[\"airflow-high-memory\"].aws_iam_role_policy_attachment.this" value="cty.NilVal"
2025-01-07T13:49:53Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.eks.module.eks_managed_node_group[\"airflow-high-memory\"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T13:49:53Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.eks.module.eks_managed_node_group[\"airflow-high-memory\"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T13:49:53Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.eks.module.eks_managed_node_group[\"general\"].aws_iam_role_policy_attachment.this" value="cty.NilVal"
2025-01-07T13:49:53Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.eks.module.eks_managed_node_group[\"general\"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T13:49:53Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.eks.module.eks_managed_node_group[\"general\"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T13:49:54Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.eks_cluster_logs_kms.data.aws_iam_policy_document.this[0]" err="1 error occurred:\n\t* invalid for-each in data.aws_iam_policy_document.this[0].dynamic.statement.content.dynamic.condition block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T13:49:54Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.eks_cluster_logs_kms.data.aws_iam_policy_document.this[0]" err="1 error occurred:\n\t* invalid for-each in data.aws_iam_policy_document.this[0].dynamic.statement.content.dynamic.condition block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T13:49:54Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.eks.module.eks_managed_node_group[\"airflow-high-memory\"].aws_iam_role_policy_attachment.this" value="cty.NilVal"
2025-01-07T13:49:54Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.eks.module.eks_managed_node_group[\"airflow-high-memory\"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T13:49:54Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.eks.module.eks_managed_node_group[\"airflow-high-memory\"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T13:49:54Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.eks.module.eks_managed_node_group[\"general\"].aws_iam_role_policy_attachment.this" value="cty.NilVal"
2025-01-07T13:49:54Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.eks.module.eks_managed_node_group[\"general\"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T13:49:54Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.eks.module.eks_managed_node_group[\"general\"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T13:49:55Z	INFO	[terraform executor] Ignore finding	rule="aws-ec2-no-public-egress-sgr" range="git::https:/github.com/terraform-aws-modules/terraform-aws-eks?ref=a713f6f464eb579a39918f60f130a5fbb77a6b30/node_groups.tf:247"
2025-01-07T13:49:55Z	INFO	[terraform executor] Ignore finding	rule="aws-eks-no-public-cluster-access-to-cidr" range="git::https:/github.com/terraform-aws-modules/terraform-aws-eks?ref=a713f6f464eb579a39918f60f130a5fbb77a6b30/main.tf:70"
2025-01-07T13:49:55Z	INFO	[terraform executor] Ignore finding	rule="aws-eks-no-public-cluster-access" range="git::https:/github.com/terraform-aws-modules/terraform-aws-eks?ref=a713f6f464eb579a39918f60f130a5fbb77a6b30/main.tf:69"
2025-01-07T13:49:56Z	INFO	Number of language-specific files	num=0
2025-01-07T13:49:56Z	INFO	Detected config files	num=14
trivy_exitcode=0

@jacobwoffenden jacobwoffenden had a problem deploying to analytical-platform-compute-test January 7, 2025 13:55 — with GitHub Actions Failure
@jacobwoffenden
Update to node pools
ac5958b 
Signed-off-by: GitHub <noreply@github.com>
@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Jan 7, 2025

Trivy Scan Success

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/analytical-platform-compute

Running Trivy in terraform/environments/analytical-platform-compute
2025-01-07T14:03:53Z INFO [vulndb] Need to update DB
2025-01-07T14:03:53Z INFO [vulndb] Downloading vulnerability DB...
2025-01-07T14:03:53Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-01-07T14:03:55Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-01-07T14:03:55Z INFO [vuln] Vulnerability scanning is enabled
2025-01-07T14:03:55Z INFO [misconfig] Misconfiguration scanning is enabled
2025-01-07T14:03:55Z INFO [misconfig] Need to update the built-in checks
2025-01-07T14:03:55Z INFO [misconfig] Downloading the built-in checks...
160.80 KiB / 160.80 KiB [------------------------------------------------------] 100.00% ? p/s 100ms2025-01-07T14:03:55Z INFO [secret] Secret scanning is enabled
2025-01-07T14:03:55Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-01-07T14:03:55Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2025-01-07T14:03:57Z INFO [terraform scanner] Scanning root module file_path="."
2025-01-07T14:03:57Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2025-01-07T14:03:57Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.transit_gateway_routes" value="cty.NilVal"
2025-01-07T14:04:03Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.eks.aws_ec2_tag.cluster_primary_security_group" value="cty.NilVal"
2025-01-07T14:04:03Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.eks.module.kms.data.aws_iam_policy_document.this[0]" err="1 error occurred:\n\t* invalid for-each in data.aws_iam_policy_document.this[0].dynamic.statement block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T14:04:03Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.eks.module.kms.data.aws_iam_policy_document.this[0]" err="1 error occurred:\n\t* invalid for-each in data.aws_iam_policy_document.this[0].dynamic.statement block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T14:04:03Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.eks.module.eks_managed_node_group["airflow-high-memory"].aws_iam_role_policy_attachment.this" value="cty.NilVal"
2025-01-07T14:04:03Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.eks.module.eks_managed_node_group["airflow-high-memory"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T14:04:03Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.eks.module.eks_managed_node_group["airflow-high-memory"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T14:04:03Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.eks.module.eks_managed_node_group["general"].aws_iam_role_policy_attachment.this" value="cty.NilVal"
2025-01-07T14:04:03Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.eks.module.eks_managed_node_group["general"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T14:04:03Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.eks.module.eks_managed_node_group["general"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T14:04:03Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.eks_cluster_logs_kms.data.aws_iam_policy_document.this[0]" err="1 error occurred:\n\t* invalid for-each in data.aws_iam_policy_document.this[0].dynamic.statement.content.dynamic.condition block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T14:04:03Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.eks_cluster_logs_kms.data.aws_iam_policy_document.this[0]" err="1 error occurred:\n\t* invalid for-each in data.aws_iam_policy_document.this[0].dynamic.statement.content.dynamic.condition block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T14:04:03Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.eks.module.eks_managed_node_group["airflow-high-memory"].aws_iam_role_policy_attachment.this" value="cty.NilVal"
2025-01-07T14:04:03Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.eks.module.eks_managed_node_group["airflow-high-memory"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T14:04:03Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.eks.module.eks_managed_node_group["airflow-high-memory"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T14:04:03Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.eks.module.eks_managed_node_group["general"].aws_iam_role_policy_attachment.this" value="cty.NilVal"
2025-01-07T14:04:03Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.eks.module.eks_managed_node_group["general"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T14:04:03Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.eks.module.eks_managed_node_group["general"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T14:04:04Z INFO [terraform executor] Ignore finding rule="aws-ec2-no-public-egress-sgr" range="git::https:/github.com/terraform-aws-modules/terraform-aws-eks?ref=a713f6f464eb579a39918f60f130a5fbb77a6b30/node_groups.tf:247"
2025-01-07T14:04:04Z INFO [terraform executor] Ignore finding rule="aws-eks-no-public-cluster-access" range="git::https:/github.com/terraform-aws-modules/terraform-aws-eks?ref=a713f6f464eb579a39918f60f130a5fbb77a6b30/main.tf:69"
2025-01-07T14:04:04Z INFO [terraform executor] Ignore finding rule="aws-eks-no-public-cluster-access-to-cidr" range="git::https:/github.com/terraform-aws-modules/terraform-aws-eks?ref=a713f6f464eb579a39918f60f130a5fbb77a6b30/main.tf:70"
2025-01-07T14:04:05Z INFO Number of language-specific files num=0
2025-01-07T14:04:05Z INFO Detected config files num=14
trivy_exitcode=0

</details> #### `Checkov Scan` Success
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/analytical-platform-compute

*****************************

Running Checkov in terraform/environments/analytical-platform-compute
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2025-01-07 14:04:08,292 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-policy:5.52.1 (for external modules, the --download-external-modules flag is required)
2025-01-07 14:04:08,292 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks:5.52.1 (for external modules, the --download-external-modules flag is required)
2025-01-07 14:04:08,292 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-github-oidc-role:5.52.1 (for external modules, the --download-external-modules flag is required)
2025-01-07 14:04:08,292 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-assumable-role:5.52.1 (for external modules, the --download-external-modules flag is required)
2025-01-07 14:04:08,292 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/cloudwatch/aws//modules/log-group:5.7.0 (for external modules, the --download-external-modules flag is required)
2025-01-07 14:04:08,293 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/kms/aws:3.1.1 (for external modules, the --download-external-modules flag is required)
2025-01-07 14:04:08,293 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/eks-pod-identity/aws:1.9.0 (for external modules, the --download-external-modules flag is required)
2025-01-07 14:04:08,293 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/s3-bucket/aws:4.3.0 (for external modules, the --download-external-modules flag is required)
2025-01-07 14:04:08,293 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/rds/aws:6.10.0 (for external modules, the --download-external-modules flag is required)
2025-01-07 14:04:08,293 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/security-group/aws:5.2.0 (for external modules, the --download-external-modules flag is required)
2025-01-07 14:04:08,293 [MainThread  ] [WARNI]  Failed to download module ministryofjustice/observability-platform-tenant/aws:1.2.0 (for external modules, the --download-external-modules flag is required)
2025-01-07 14:04:08,293 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/vpc/aws//modules/vpc-endpoints:5.17.0 (for external modules, the --download-external-modules flag is required)
2025-01-07 14:04:08,294 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/secrets-manager/aws:1.3.1 (for external modules, the --download-external-modules flag is required)
2025-01-07 14:04:08,294 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/eks/aws:20.31.6 (for external modules, the --download-external-modules flag is required)
2025-01-07 14:04:08,294 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/eks/aws//modules/karpenter:20.31.6 (for external modules, the --download-external-modules flag is required)
2025-01-07 14:04:08,294 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/route53/aws//modules/zones:4.1.0 (for external modules, the --download-external-modules flag is required)
2025-01-07 14:04:08,294 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/vpc/aws:5.17.0 (for external modules, the --download-external-modules flag is required)
2025-01-07 14:04:08,294 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/managed-service-prometheus/aws:3.0.0 (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 154, Failed checks: 0, Skipped checks: 153


checkov_exitcode=0

CTFLint Scan Success

Show Output 
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/analytical-platform-compute

*****************************

Running tflint in terraform/environments/analytical-platform-compute
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

Trivy Scan Success

Show Output 
*****************************

Trivy will check the following folders:
terraform/environments/analytical-platform-compute

*****************************

Running Trivy in terraform/environments/analytical-platform-compute
2025-01-07T14:03:53Z	INFO	[vulndb] Need to update DB
2025-01-07T14:03:53Z	INFO	[vulndb] Downloading vulnerability DB...
2025-01-07T14:03:53Z	INFO	[vulndb] Downloading artifact...	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-01-07T14:03:55Z	INFO	[vulndb] Artifact successfully downloaded	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-01-07T14:03:55Z	INFO	[vuln] Vulnerability scanning is enabled
2025-01-07T14:03:55Z	INFO	[misconfig] Misconfiguration scanning is enabled
2025-01-07T14:03:55Z	INFO	[misconfig] Need to update the built-in checks
2025-01-07T14:03:55Z	INFO	[misconfig] Downloading the built-in checks...
160.80 KiB / 160.80 KiB [------------------------------------------------------] 100.00% ? p/s 100ms2025-01-07T14:03:55Z	INFO	[secret] Secret scanning is enabled
2025-01-07T14:03:55Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-01-07T14:03:55Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2025-01-07T14:03:57Z	INFO	[terraform scanner] Scanning root module	file_path="."
2025-01-07T14:03:57Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2025-01-07T14:03:57Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.transit_gateway_routes" value="cty.NilVal"
2025-01-07T14:04:03Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.eks.aws_ec2_tag.cluster_primary_security_group" value="cty.NilVal"
2025-01-07T14:04:03Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.eks.module.kms.data.aws_iam_policy_document.this[0]" err="1 error occurred:\n\t* invalid for-each in data.aws_iam_policy_document.this[0].dynamic.statement block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T14:04:03Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.eks.module.kms.data.aws_iam_policy_document.this[0]" err="1 error occurred:\n\t* invalid for-each in data.aws_iam_policy_document.this[0].dynamic.statement block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T14:04:03Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.eks.module.eks_managed_node_group[\"airflow-high-memory\"].aws_iam_role_policy_attachment.this" value="cty.NilVal"
2025-01-07T14:04:03Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.eks.module.eks_managed_node_group[\"airflow-high-memory\"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T14:04:03Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.eks.module.eks_managed_node_group[\"airflow-high-memory\"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T14:04:03Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.eks.module.eks_managed_node_group[\"general\"].aws_iam_role_policy_attachment.this" value="cty.NilVal"
2025-01-07T14:04:03Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.eks.module.eks_managed_node_group[\"general\"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T14:04:03Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.eks.module.eks_managed_node_group[\"general\"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T14:04:03Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.eks_cluster_logs_kms.data.aws_iam_policy_document.this[0]" err="1 error occurred:\n\t* invalid for-each in data.aws_iam_policy_document.this[0].dynamic.statement.content.dynamic.condition block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T14:04:03Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.eks_cluster_logs_kms.data.aws_iam_policy_document.this[0]" err="1 error occurred:\n\t* invalid for-each in data.aws_iam_policy_document.this[0].dynamic.statement.content.dynamic.condition block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T14:04:03Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.eks.module.eks_managed_node_group[\"airflow-high-memory\"].aws_iam_role_policy_attachment.this" value="cty.NilVal"
2025-01-07T14:04:03Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.eks.module.eks_managed_node_group[\"airflow-high-memory\"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T14:04:03Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.eks.module.eks_managed_node_group[\"airflow-high-memory\"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T14:04:03Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.eks.module.eks_managed_node_group[\"general\"].aws_iam_role_policy_attachment.this" value="cty.NilVal"
2025-01-07T14:04:03Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.eks.module.eks_managed_node_group[\"general\"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T14:04:03Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.eks.module.eks_managed_node_group[\"general\"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T14:04:04Z	INFO	[terraform executor] Ignore finding	rule="aws-ec2-no-public-egress-sgr" range="git::https:/github.com/terraform-aws-modules/terraform-aws-eks?ref=a713f6f464eb579a39918f60f130a5fbb77a6b30/node_groups.tf:247"
2025-01-07T14:04:04Z	INFO	[terraform executor] Ignore finding	rule="aws-eks-no-public-cluster-access" range="git::https:/github.com/terraform-aws-modules/terraform-aws-eks?ref=a713f6f464eb579a39918f60f130a5fbb77a6b30/main.tf:69"
2025-01-07T14:04:04Z	INFO	[terraform executor] Ignore finding	rule="aws-eks-no-public-cluster-access-to-cidr" range="git::https:/github.com/terraform-aws-modules/terraform-aws-eks?ref=a713f6f464eb579a39918f60f130a5fbb77a6b30/main.tf:70"
2025-01-07T14:04:05Z	INFO	Number of language-specific files	num=0
2025-01-07T14:04:05Z	INFO	Detected config files	num=14
trivy_exitcode=0

@jacobwoffenden jacobwoffenden had a problem deploying to analytical-platform-compute-test January 7, 2025 14:04 — with GitHub Actions Failure
@jacobwoffenden jacobwoffenden had a problem deploying to analytical-platform-compute-development January 7, 2025 14:04 — with GitHub Actions Failure
@jacobwoffenden jacobwoffenden temporarily deployed to analytical-platform-compute-development January 7, 2025 14:45 — with GitHub Actions Inactive
@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Jan 7, 2025

Trivy Scan Success

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/analytical-platform-compute

Running Trivy in terraform/environments/analytical-platform-compute
2025-01-07T16:04:46Z INFO [vulndb] Need to update DB
2025-01-07T16:04:46Z INFO [vulndb] Downloading vulnerability DB...
2025-01-07T16:04:46Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-01-07T16:04:48Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-01-07T16:04:48Z INFO [vuln] Vulnerability scanning is enabled
2025-01-07T16:04:48Z INFO [misconfig] Misconfiguration scanning is enabled
2025-01-07T16:04:48Z INFO [misconfig] Need to update the built-in checks
2025-01-07T16:04:48Z INFO [misconfig] Downloading the built-in checks...
160.80 KiB / 160.80 KiB [---------------------------------------------------------] 100.00% ? p/s 0s2025-01-07T16:04:48Z INFO [secret] Secret scanning is enabled
2025-01-07T16:04:48Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-01-07T16:04:48Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2025-01-07T16:04:51Z INFO [terraform scanner] Scanning root module file_path="."
2025-01-07T16:04:51Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2025-01-07T16:04:51Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.transit_gateway_routes" value="cty.NilVal"
2025-01-07T16:04:55Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.eks.aws_ec2_tag.cluster_primary_security_group" value="cty.NilVal"
2025-01-07T16:04:56Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.eks.module.kms.data.aws_iam_policy_document.this[0]" err="1 error occurred:\n\t* invalid for-each in data.aws_iam_policy_document.this[0].dynamic.statement block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T16:04:56Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.eks.module.kms.data.aws_iam_policy_document.this[0]" err="1 error occurred:\n\t* invalid for-each in data.aws_iam_policy_document.this[0].dynamic.statement block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T16:04:56Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.eks.module.eks_managed_node_group["airflow-high-memory"].aws_iam_role_policy_attachment.this" value="cty.NilVal"
2025-01-07T16:04:56Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.eks.module.eks_managed_node_group["airflow-high-memory"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T16:04:56Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.eks.module.eks_managed_node_group["airflow-high-memory"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T16:04:56Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.eks.module.eks_managed_node_group["general"].aws_iam_role_policy_attachment.this" value="cty.NilVal"
2025-01-07T16:04:56Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.eks.module.eks_managed_node_group["general"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T16:04:56Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.eks.module.eks_managed_node_group["general"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T16:04:56Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.eks_cluster_logs_kms.data.aws_iam_policy_document.this[0]" err="1 error occurred:\n\t* invalid for-each in data.aws_iam_policy_document.this[0].dynamic.statement.content.dynamic.condition block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T16:04:56Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.eks_cluster_logs_kms.data.aws_iam_policy_document.this[0]" err="1 error occurred:\n\t* invalid for-each in data.aws_iam_policy_document.this[0].dynamic.statement.content.dynamic.condition block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T16:04:56Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.eks.module.eks_managed_node_group["airflow-high-memory"].aws_iam_role_policy_attachment.this" value="cty.NilVal"
2025-01-07T16:04:56Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.eks.module.eks_managed_node_group["airflow-high-memory"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T16:04:56Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.eks.module.eks_managed_node_group["airflow-high-memory"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T16:04:56Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.eks.module.eks_managed_node_group["general"].aws_iam_role_policy_attachment.this" value="cty.NilVal"
2025-01-07T16:04:56Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.eks.module.eks_managed_node_group["general"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T16:04:56Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.eks.module.eks_managed_node_group["general"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T16:04:57Z INFO [terraform executor] Ignore finding rule="aws-eks-no-public-cluster-access-to-cidr" range="git::https:/github.com/terraform-aws-modules/terraform-aws-eks?ref=a713f6f464eb579a39918f60f130a5fbb77a6b30/main.tf:70"
2025-01-07T16:04:57Z INFO [terraform executor] Ignore finding rule="aws-ec2-no-public-egress-sgr" range="git::https:/github.com/terraform-aws-modules/terraform-aws-eks?ref=a713f6f464eb579a39918f60f130a5fbb77a6b30/node_groups.tf:247"
2025-01-07T16:04:57Z INFO [terraform executor] Ignore finding rule="aws-eks-no-public-cluster-access" range="git::https:/github.com/terraform-aws-modules/terraform-aws-eks?ref=a713f6f464eb579a39918f60f130a5fbb77a6b30/main.tf:69"
2025-01-07T16:04:57Z INFO Number of language-specific files num=0
2025-01-07T16:04:57Z INFO Detected config files num=14
trivy_exitcode=0

</details> #### `Checkov Scan` Success
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/analytical-platform-compute

*****************************

Running Checkov in terraform/environments/analytical-platform-compute
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2025-01-07 16:04:59,785 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-policy:5.52.1 (for external modules, the --download-external-modules flag is required)
2025-01-07 16:04:59,785 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks:5.52.1 (for external modules, the --download-external-modules flag is required)
2025-01-07 16:04:59,785 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-github-oidc-role:5.52.1 (for external modules, the --download-external-modules flag is required)
2025-01-07 16:04:59,785 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-assumable-role:5.52.1 (for external modules, the --download-external-modules flag is required)
2025-01-07 16:04:59,785 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/cloudwatch/aws//modules/log-group:5.7.0 (for external modules, the --download-external-modules flag is required)
2025-01-07 16:04:59,785 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/kms/aws:3.1.1 (for external modules, the --download-external-modules flag is required)
2025-01-07 16:04:59,786 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/eks-pod-identity/aws:1.9.0 (for external modules, the --download-external-modules flag is required)
2025-01-07 16:04:59,786 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/s3-bucket/aws:4.3.0 (for external modules, the --download-external-modules flag is required)
2025-01-07 16:04:59,786 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/rds/aws:6.10.0 (for external modules, the --download-external-modules flag is required)
2025-01-07 16:04:59,786 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/security-group/aws:5.2.0 (for external modules, the --download-external-modules flag is required)
2025-01-07 16:04:59,786 [MainThread  ] [WARNI]  Failed to download module ministryofjustice/observability-platform-tenant/aws:1.2.0 (for external modules, the --download-external-modules flag is required)
2025-01-07 16:04:59,786 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/vpc/aws//modules/vpc-endpoints:5.17.0 (for external modules, the --download-external-modules flag is required)
2025-01-07 16:04:59,786 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/secrets-manager/aws:1.3.1 (for external modules, the --download-external-modules flag is required)
2025-01-07 16:04:59,786 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/eks/aws:20.31.6 (for external modules, the --download-external-modules flag is required)
2025-01-07 16:04:59,787 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/eks/aws//modules/karpenter:20.31.6 (for external modules, the --download-external-modules flag is required)
2025-01-07 16:04:59,787 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/route53/aws//modules/zones:4.1.0 (for external modules, the --download-external-modules flag is required)
2025-01-07 16:04:59,787 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/vpc/aws:5.17.0 (for external modules, the --download-external-modules flag is required)
2025-01-07 16:04:59,796 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/managed-service-prometheus/aws:3.0.0 (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 154, Failed checks: 0, Skipped checks: 153


checkov_exitcode=0

CTFLint Scan Success

Show Output 
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/analytical-platform-compute

*****************************

Running tflint in terraform/environments/analytical-platform-compute
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

Trivy Scan Success

Show Output 
*****************************

Trivy will check the following folders:
terraform/environments/analytical-platform-compute

*****************************

Running Trivy in terraform/environments/analytical-platform-compute
2025-01-07T16:04:46Z	INFO	[vulndb] Need to update DB
2025-01-07T16:04:46Z	INFO	[vulndb] Downloading vulnerability DB...
2025-01-07T16:04:46Z	INFO	[vulndb] Downloading artifact...	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-01-07T16:04:48Z	INFO	[vulndb] Artifact successfully downloaded	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-01-07T16:04:48Z	INFO	[vuln] Vulnerability scanning is enabled
2025-01-07T16:04:48Z	INFO	[misconfig] Misconfiguration scanning is enabled
2025-01-07T16:04:48Z	INFO	[misconfig] Need to update the built-in checks
2025-01-07T16:04:48Z	INFO	[misconfig] Downloading the built-in checks...
160.80 KiB / 160.80 KiB [---------------------------------------------------------] 100.00% ? p/s 0s2025-01-07T16:04:48Z	INFO	[secret] Secret scanning is enabled
2025-01-07T16:04:48Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-01-07T16:04:48Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2025-01-07T16:04:51Z	INFO	[terraform scanner] Scanning root module	file_path="."
2025-01-07T16:04:51Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2025-01-07T16:04:51Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.transit_gateway_routes" value="cty.NilVal"
2025-01-07T16:04:55Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.eks.aws_ec2_tag.cluster_primary_security_group" value="cty.NilVal"
2025-01-07T16:04:56Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.eks.module.kms.data.aws_iam_policy_document.this[0]" err="1 error occurred:\n\t* invalid for-each in data.aws_iam_policy_document.this[0].dynamic.statement block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T16:04:56Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.eks.module.kms.data.aws_iam_policy_document.this[0]" err="1 error occurred:\n\t* invalid for-each in data.aws_iam_policy_document.this[0].dynamic.statement block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T16:04:56Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.eks.module.eks_managed_node_group[\"airflow-high-memory\"].aws_iam_role_policy_attachment.this" value="cty.NilVal"
2025-01-07T16:04:56Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.eks.module.eks_managed_node_group[\"airflow-high-memory\"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T16:04:56Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.eks.module.eks_managed_node_group[\"airflow-high-memory\"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T16:04:56Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.eks.module.eks_managed_node_group[\"general\"].aws_iam_role_policy_attachment.this" value="cty.NilVal"
2025-01-07T16:04:56Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.eks.module.eks_managed_node_group[\"general\"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T16:04:56Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.eks.module.eks_managed_node_group[\"general\"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T16:04:56Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.eks_cluster_logs_kms.data.aws_iam_policy_document.this[0]" err="1 error occurred:\n\t* invalid for-each in data.aws_iam_policy_document.this[0].dynamic.statement.content.dynamic.condition block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T16:04:56Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.eks_cluster_logs_kms.data.aws_iam_policy_document.this[0]" err="1 error occurred:\n\t* invalid for-each in data.aws_iam_policy_document.this[0].dynamic.statement.content.dynamic.condition block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T16:04:56Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.eks.module.eks_managed_node_group[\"airflow-high-memory\"].aws_iam_role_policy_attachment.this" value="cty.NilVal"
2025-01-07T16:04:56Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.eks.module.eks_managed_node_group[\"airflow-high-memory\"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T16:04:56Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.eks.module.eks_managed_node_group[\"airflow-high-memory\"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T16:04:56Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.eks.module.eks_managed_node_group[\"general\"].aws_iam_role_policy_attachment.this" value="cty.NilVal"
2025-01-07T16:04:56Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.eks.module.eks_managed_node_group[\"general\"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T16:04:56Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.eks.module.eks_managed_node_group[\"general\"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T16:04:57Z	INFO	[terraform executor] Ignore finding	rule="aws-eks-no-public-cluster-access-to-cidr" range="git::https:/github.com/terraform-aws-modules/terraform-aws-eks?ref=a713f6f464eb579a39918f60f130a5fbb77a6b30/main.tf:70"
2025-01-07T16:04:57Z	INFO	[terraform executor] Ignore finding	rule="aws-ec2-no-public-egress-sgr" range="git::https:/github.com/terraform-aws-modules/terraform-aws-eks?ref=a713f6f464eb579a39918f60f130a5fbb77a6b30/node_groups.tf:247"
2025-01-07T16:04:57Z	INFO	[terraform executor] Ignore finding	rule="aws-eks-no-public-cluster-access" range="git::https:/github.com/terraform-aws-modules/terraform-aws-eks?ref=a713f6f464eb579a39918f60f130a5fbb77a6b30/main.tf:69"
2025-01-07T16:04:57Z	INFO	Number of language-specific files	num=0
2025-01-07T16:04:57Z	INFO	Detected config files	num=14
trivy_exitcode=0

@jacobwoffenden jacobwoffenden had a problem deploying to analytical-platform-compute-test January 7, 2025 16:05 — with GitHub Actions Failure
@jacobwoffenden jacobwoffenden temporarily deployed to analytical-platform-compute-test January 7, 2025 16:21 — with GitHub Actions Inactive
@jacobwoffenden jacobwoffenden temporarily deployed to analytical-platform-compute-test January 7, 2025 16:30 — with GitHub Actions Inactive
@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Jan 7, 2025

Trivy Scan Success

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/analytical-platform-compute

Running Trivy in terraform/environments/analytical-platform-compute
2025-01-07T16:30:03Z INFO [vulndb] Need to update DB
2025-01-07T16:30:03Z INFO [vulndb] Downloading vulnerability DB...
2025-01-07T16:30:03Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-01-07T16:30:05Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-01-07T16:30:05Z INFO [vuln] Vulnerability scanning is enabled
2025-01-07T16:30:05Z INFO [misconfig] Misconfiguration scanning is enabled
2025-01-07T16:30:05Z INFO [misconfig] Need to update the built-in checks
2025-01-07T16:30:05Z INFO [misconfig] Downloading the built-in checks...
160.80 KiB / 160.80 KiB [---------------------------------------------------------] 100.00% ? p/s 0s2025-01-07T16:30:06Z INFO [secret] Secret scanning is enabled
2025-01-07T16:30:06Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-01-07T16:30:06Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2025-01-07T16:30:08Z INFO [terraform scanner] Scanning root module file_path="."
2025-01-07T16:30:08Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2025-01-07T16:30:08Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.transit_gateway_routes" value="cty.NilVal"
2025-01-07T16:30:17Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.eks.aws_ec2_tag.cluster_primary_security_group" value="cty.NilVal"
2025-01-07T16:30:18Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.eks.module.kms.data.aws_iam_policy_document.this[0]" err="1 error occurred:\n\t* invalid for-each in data.aws_iam_policy_document.this[0].dynamic.statement block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T16:30:18Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.eks.module.kms.data.aws_iam_policy_document.this[0]" err="1 error occurred:\n\t* invalid for-each in data.aws_iam_policy_document.this[0].dynamic.statement block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T16:30:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.eks.module.eks_managed_node_group["airflow-high-memory"].aws_iam_role_policy_attachment.this" value="cty.NilVal"
2025-01-07T16:30:18Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.eks.module.eks_managed_node_group["airflow-high-memory"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T16:30:18Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.eks.module.eks_managed_node_group["airflow-high-memory"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T16:30:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.eks.module.eks_managed_node_group["general"].aws_iam_role_policy_attachment.this" value="cty.NilVal"
2025-01-07T16:30:18Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.eks.module.eks_managed_node_group["general"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T16:30:18Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.eks.module.eks_managed_node_group["general"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T16:30:18Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.eks_cluster_logs_kms.data.aws_iam_policy_document.this[0]" err="1 error occurred:\n\t* invalid for-each in data.aws_iam_policy_document.this[0].dynamic.statement.content.dynamic.condition block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T16:30:18Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.eks_cluster_logs_kms.data.aws_iam_policy_document.this[0]" err="1 error occurred:\n\t* invalid for-each in data.aws_iam_policy_document.this[0].dynamic.statement.content.dynamic.condition block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T16:30:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.eks.module.eks_managed_node_group["airflow-high-memory"].aws_iam_role_policy_attachment.this" value="cty.NilVal"
2025-01-07T16:30:18Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.eks.module.eks_managed_node_group["airflow-high-memory"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T16:30:18Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.eks.module.eks_managed_node_group["airflow-high-memory"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T16:30:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.eks.module.eks_managed_node_group["general"].aws_iam_role_policy_attachment.this" value="cty.NilVal"
2025-01-07T16:30:18Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.eks.module.eks_managed_node_group["general"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T16:30:18Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.eks.module.eks_managed_node_group["general"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T16:30:19Z INFO [terraform executor] Ignore finding rule="aws-ec2-no-public-egress-sgr" range="git::https:/github.com/terraform-aws-modules/terraform-aws-eks?ref=a713f6f464eb579a39918f60f130a5fbb77a6b30/node_groups.tf:247"
2025-01-07T16:30:19Z INFO [terraform executor] Ignore finding rule="aws-eks-no-public-cluster-access" range="git::https:/github.com/terraform-aws-modules/terraform-aws-eks?ref=a713f6f464eb579a39918f60f130a5fbb77a6b30/main.tf:69"
2025-01-07T16:30:19Z INFO [terraform executor] Ignore finding rule="aws-eks-no-public-cluster-access-to-cidr" range="git::https:/github.com/terraform-aws-modules/terraform-aws-eks?ref=a713f6f464eb579a39918f60f130a5fbb77a6b30/main.tf:70"
2025-01-07T16:30:20Z INFO Number of language-specific files num=0
2025-01-07T16:30:20Z INFO Detected config files num=14
trivy_exitcode=0

</details> #### `Checkov Scan` Success
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/analytical-platform-compute

*****************************

Running Checkov in terraform/environments/analytical-platform-compute
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2025-01-07 16:30:23,379 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-policy:5.52.1 (for external modules, the --download-external-modules flag is required)
2025-01-07 16:30:23,379 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks:5.52.1 (for external modules, the --download-external-modules flag is required)
2025-01-07 16:30:23,379 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-github-oidc-role:5.52.1 (for external modules, the --download-external-modules flag is required)
2025-01-07 16:30:23,379 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-assumable-role:5.52.1 (for external modules, the --download-external-modules flag is required)
2025-01-07 16:30:23,379 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/cloudwatch/aws//modules/log-group:5.7.0 (for external modules, the --download-external-modules flag is required)
2025-01-07 16:30:23,380 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/kms/aws:3.1.1 (for external modules, the --download-external-modules flag is required)
2025-01-07 16:30:23,380 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/eks-pod-identity/aws:1.9.0 (for external modules, the --download-external-modules flag is required)
2025-01-07 16:30:23,380 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/s3-bucket/aws:4.3.0 (for external modules, the --download-external-modules flag is required)
2025-01-07 16:30:23,380 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/rds/aws:6.10.0 (for external modules, the --download-external-modules flag is required)
2025-01-07 16:30:23,380 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/security-group/aws:5.2.0 (for external modules, the --download-external-modules flag is required)
2025-01-07 16:30:23,380 [MainThread  ] [WARNI]  Failed to download module ministryofjustice/observability-platform-tenant/aws:1.2.0 (for external modules, the --download-external-modules flag is required)
2025-01-07 16:30:23,381 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/vpc/aws//modules/vpc-endpoints:5.17.0 (for external modules, the --download-external-modules flag is required)
2025-01-07 16:30:23,381 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/secrets-manager/aws:1.3.1 (for external modules, the --download-external-modules flag is required)
2025-01-07 16:30:23,381 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/eks/aws:20.31.6 (for external modules, the --download-external-modules flag is required)
2025-01-07 16:30:23,381 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/eks/aws//modules/karpenter:20.31.6 (for external modules, the --download-external-modules flag is required)
2025-01-07 16:30:23,381 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/route53/aws//modules/zones:4.1.0 (for external modules, the --download-external-modules flag is required)
2025-01-07 16:30:23,381 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/vpc/aws:5.17.0 (for external modules, the --download-external-modules flag is required)
2025-01-07 16:30:23,382 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/managed-service-prometheus/aws:3.0.0 (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 154, Failed checks: 0, Skipped checks: 153


checkov_exitcode=0

CTFLint Scan Success

Show Output 
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/analytical-platform-compute

*****************************

Running tflint in terraform/environments/analytical-platform-compute
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

Trivy Scan Success

Show Output 
*****************************

Trivy will check the following folders:
terraform/environments/analytical-platform-compute

*****************************

Running Trivy in terraform/environments/analytical-platform-compute
2025-01-07T16:30:03Z	INFO	[vulndb] Need to update DB
2025-01-07T16:30:03Z	INFO	[vulndb] Downloading vulnerability DB...
2025-01-07T16:30:03Z	INFO	[vulndb] Downloading artifact...	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-01-07T16:30:05Z	INFO	[vulndb] Artifact successfully downloaded	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-01-07T16:30:05Z	INFO	[vuln] Vulnerability scanning is enabled
2025-01-07T16:30:05Z	INFO	[misconfig] Misconfiguration scanning is enabled
2025-01-07T16:30:05Z	INFO	[misconfig] Need to update the built-in checks
2025-01-07T16:30:05Z	INFO	[misconfig] Downloading the built-in checks...
160.80 KiB / 160.80 KiB [---------------------------------------------------------] 100.00% ? p/s 0s2025-01-07T16:30:06Z	INFO	[secret] Secret scanning is enabled
2025-01-07T16:30:06Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-01-07T16:30:06Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2025-01-07T16:30:08Z	INFO	[terraform scanner] Scanning root module	file_path="."
2025-01-07T16:30:08Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2025-01-07T16:30:08Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.transit_gateway_routes" value="cty.NilVal"
2025-01-07T16:30:17Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.eks.aws_ec2_tag.cluster_primary_security_group" value="cty.NilVal"
2025-01-07T16:30:18Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.eks.module.kms.data.aws_iam_policy_document.this[0]" err="1 error occurred:\n\t* invalid for-each in data.aws_iam_policy_document.this[0].dynamic.statement block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T16:30:18Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.eks.module.kms.data.aws_iam_policy_document.this[0]" err="1 error occurred:\n\t* invalid for-each in data.aws_iam_policy_document.this[0].dynamic.statement block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T16:30:18Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.eks.module.eks_managed_node_group[\"airflow-high-memory\"].aws_iam_role_policy_attachment.this" value="cty.NilVal"
2025-01-07T16:30:18Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.eks.module.eks_managed_node_group[\"airflow-high-memory\"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T16:30:18Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.eks.module.eks_managed_node_group[\"airflow-high-memory\"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T16:30:18Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.eks.module.eks_managed_node_group[\"general\"].aws_iam_role_policy_attachment.this" value="cty.NilVal"
2025-01-07T16:30:18Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.eks.module.eks_managed_node_group[\"general\"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T16:30:18Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.eks.module.eks_managed_node_group[\"general\"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T16:30:18Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.eks_cluster_logs_kms.data.aws_iam_policy_document.this[0]" err="1 error occurred:\n\t* invalid for-each in data.aws_iam_policy_document.this[0].dynamic.statement.content.dynamic.condition block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T16:30:18Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.eks_cluster_logs_kms.data.aws_iam_policy_document.this[0]" err="1 error occurred:\n\t* invalid for-each in data.aws_iam_policy_document.this[0].dynamic.statement.content.dynamic.condition block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T16:30:18Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.eks.module.eks_managed_node_group[\"airflow-high-memory\"].aws_iam_role_policy_attachment.this" value="cty.NilVal"
2025-01-07T16:30:18Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.eks.module.eks_managed_node_group[\"airflow-high-memory\"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T16:30:18Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.eks.module.eks_managed_node_group[\"airflow-high-memory\"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T16:30:18Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.eks.module.eks_managed_node_group[\"general\"].aws_iam_role_policy_attachment.this" value="cty.NilVal"
2025-01-07T16:30:18Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.eks.module.eks_managed_node_group[\"general\"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T16:30:18Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.eks.module.eks_managed_node_group[\"general\"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T16:30:19Z	INFO	[terraform executor] Ignore finding	rule="aws-ec2-no-public-egress-sgr" range="git::https:/github.com/terraform-aws-modules/terraform-aws-eks?ref=a713f6f464eb579a39918f60f130a5fbb77a6b30/node_groups.tf:247"
2025-01-07T16:30:19Z	INFO	[terraform executor] Ignore finding	rule="aws-eks-no-public-cluster-access" range="git::https:/github.com/terraform-aws-modules/terraform-aws-eks?ref=a713f6f464eb579a39918f60f130a5fbb77a6b30/main.tf:69"
2025-01-07T16:30:19Z	INFO	[terraform executor] Ignore finding	rule="aws-eks-no-public-cluster-access-to-cidr" range="git::https:/github.com/terraform-aws-modules/terraform-aws-eks?ref=a713f6f464eb579a39918f60f130a5fbb77a6b30/main.tf:70"
2025-01-07T16:30:20Z	INFO	Number of language-specific files	num=0
2025-01-07T16:30:20Z	INFO	Detected config files	num=14
trivy_exitcode=0

@jacobwoffenden
Adding smoke test
770fafd 
Signed-off-by: GitHub <noreply@github.com>
@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Jan 7, 2025

Trivy Scan Failed

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/analytical-platform-compute

Running Trivy in terraform/environments/analytical-platform-compute
2025-01-07T17:22:22Z INFO [vulndb] Need to update DB
2025-01-07T17:22:22Z INFO [vulndb] Downloading vulnerability DB...
2025-01-07T17:22:22Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-01-07T17:22:25Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-01-07T17:22:25Z INFO [vuln] Vulnerability scanning is enabled
2025-01-07T17:22:25Z INFO [misconfig] Misconfiguration scanning is enabled
2025-01-07T17:22:25Z INFO [misconfig] Need to update the built-in checks
2025-01-07T17:22:25Z INFO [misconfig] Downloading the built-in checks...
160.80 KiB / 160.80 KiB [---------------------------------------------------------] 100.00% ? p/s 0s2025-01-07T17:22:25Z INFO [secret] Secret scanning is enabled
2025-01-07T17:22:25Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-01-07T17:22:25Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2025-01-07T17:22:28Z INFO [terraform scanner] Scanning root module file_path="."
2025-01-07T17:22:28Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2025-01-07T17:22:28Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.transit_gateway_routes" value="cty.NilVal"
2025-01-07T17:22:35Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.eks.aws_ec2_tag.cluster_primary_security_group" value="cty.NilVal"
2025-01-07T17:22:36Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.eks.module.kms.data.aws_iam_policy_document.this[0]" err="1 error occurred:\n\t* invalid for-each in data.aws_iam_policy_document.this[0].dynamic.statement block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T17:22:36Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.eks.module.kms.data.aws_iam_policy_document.this[0]" err="1 error occurred:\n\t* invalid for-each in data.aws_iam_policy_document.this[0].dynamic.statement block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T17:22:36Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.eks.module.eks_managed_node_group["airflow-high-memory"].aws_iam_role_policy_attachment.this" value="cty.NilVal"
2025-01-07T17:22:36Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.eks.module.eks_managed_node_group["airflow-high-memory"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T17:22:36Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.eks.module.eks_managed_node_group["airflow-high-memory"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T17:22:36Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.eks.module.eks_managed_node_group["general"].aws_iam_role_policy_attachment.this" value="cty.NilVal"
2025-01-07T17:22:36Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.eks.module.eks_managed_node_group["general"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T17:22:36Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.eks.module.eks_managed_node_group["general"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T17:22:36Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.eks_cluster_logs_kms.data.aws_iam_policy_document.this[0]" err="1 error occurred:\n\t* invalid for-each in data.aws_iam_policy_document.this[0].dynamic.statement.content.dynamic.condition block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T17:22:36Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.eks_cluster_logs_kms.data.aws_iam_policy_document.this[0]" err="1 error occurred:\n\t* invalid for-each in data.aws_iam_policy_document.this[0].dynamic.statement.content.dynamic.condition block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T17:22:36Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.eks.module.eks_managed_node_group["airflow-high-memory"].aws_iam_role_policy_attachment.this" value="cty.NilVal"
2025-01-07T17:22:36Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.eks.module.eks_managed_node_group["airflow-high-memory"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T17:22:36Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.eks.module.eks_managed_node_group["airflow-high-memory"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T17:22:36Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.eks.module.eks_managed_node_group["general"].aws_iam_role_policy_attachment.this" value="cty.NilVal"
2025-01-07T17:22:36Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.eks.module.eks_managed_node_group["general"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T17:22:36Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.eks.module.eks_managed_node_group["general"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T17:22:37Z INFO [terraform executor] Ignore finding rule="aws-eks-no-public-cluster-access" range="git::https:/github.com/terraform-aws-modules/terraform-aws-eks?ref=a713f6f464eb579a39918f60f130a5fbb77a6b30/main.tf:69"
2025-01-07T17:22:37Z INFO [terraform executor] Ignore finding rule="aws-eks-no-public-cluster-access-to-cidr" range="git::https:/github.com/terraform-aws-modules/terraform-aws-eks?ref=a713f6f464eb579a39918f60f130a5fbb77a6b30/main.tf:70"
2025-01-07T17:22:37Z INFO [terraform executor] Ignore finding rule="aws-ec2-no-public-egress-sgr" range="git::https:/github.com/terraform-aws-modules/terraform-aws-eks?ref=a713f6f464eb579a39918f60f130a5fbb77a6b30/node_groups.tf:247"
2025-01-07T17:22:37Z INFO Number of language-specific files num=0
2025-01-07T17:22:37Z INFO Detected config files num=15

contrib/airflow-kubernetes-smoke-test/pod.yaml (kubernetes)

Tests: 20 (SUCCESSES: 19, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-KSV-0014 (HIGH): Container 'main' of Pod 'airflow-kubernetes-smoke-test' should set 'securityContext.readOnlyRootFilesystem' to true
════════════════════════════════════════
An immutable root file system prevents applications from writing to their local disk. This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.

See https://avd.aquasec.com/misconfig/ksv014
────────────────────────────────────────
contrib/airflow-kubernetes-smoke-test/pod.yaml:27-36
────────────────────────────────────────
27 ┌ - name: main
28 │ image: ghcr.io/ministryofjustice/analytical-platform-airflow-python-base:1.4.0
29 │ command: ["/bin/sh", "-c", "date && cat /etc/os-release && sleep 120"]
30 │ resources:
31 │ requests:
32 │ memory: 64Mi
33 │ cpu: 100m
34 │ limits:
35 │ memory: 128Mi
36 └ cpu: 200m
────────────────────────────────────────

trivy_exitcode=1

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/analytical-platform-compute

*****************************

Running Checkov in terraform/environments/analytical-platform-compute
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2025-01-07 17:22:40,093 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-policy:5.52.1 (for external modules, the --download-external-modules flag is required)
2025-01-07 17:22:40,093 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks:5.52.1 (for external modules, the --download-external-modules flag is required)
2025-01-07 17:22:40,093 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-github-oidc-role:5.52.1 (for external modules, the --download-external-modules flag is required)
2025-01-07 17:22:40,094 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-assumable-role:5.52.1 (for external modules, the --download-external-modules flag is required)
2025-01-07 17:22:40,094 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/cloudwatch/aws//modules/log-group:5.7.0 (for external modules, the --download-external-modules flag is required)
2025-01-07 17:22:40,094 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/kms/aws:3.1.1 (for external modules, the --download-external-modules flag is required)
2025-01-07 17:22:40,094 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/eks-pod-identity/aws:1.9.0 (for external modules, the --download-external-modules flag is required)
2025-01-07 17:22:40,094 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/s3-bucket/aws:4.3.0 (for external modules, the --download-external-modules flag is required)
2025-01-07 17:22:40,094 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/rds/aws:6.10.0 (for external modules, the --download-external-modules flag is required)
2025-01-07 17:22:40,095 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/security-group/aws:5.2.0 (for external modules, the --download-external-modules flag is required)
2025-01-07 17:22:40,095 [MainThread  ] [WARNI]  Failed to download module ministryofjustice/observability-platform-tenant/aws:1.2.0 (for external modules, the --download-external-modules flag is required)
2025-01-07 17:22:40,095 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/vpc/aws//modules/vpc-endpoints:5.17.0 (for external modules, the --download-external-modules flag is required)
2025-01-07 17:22:40,095 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/secrets-manager/aws:1.3.1 (for external modules, the --download-external-modules flag is required)
2025-01-07 17:22:40,095 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/eks/aws:20.31.6 (for external modules, the --download-external-modules flag is required)
2025-01-07 17:22:40,095 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/eks/aws//modules/karpenter:20.31.6 (for external modules, the --download-external-modules flag is required)
2025-01-07 17:22:40,095 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/route53/aws//modules/zones:4.1.0 (for external modules, the --download-external-modules flag is required)
2025-01-07 17:22:40,096 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/vpc/aws:5.17.0 (for external modules, the --download-external-modules flag is required)
2025-01-07 17:22:40,096 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/managed-service-prometheus/aws:3.0.0 (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 154, Failed checks: 0, Skipped checks: 153

kubernetes scan results:

Passed checks: 76, Failed checks: 13, Skipped checks: 0

Check: CKV_K8S_43: "Image should use digest"
	FAILED for resource: Pod.airflow.airflow-kubernetes-smoke-test
	File: /contrib/airflow-kubernetes-smoke-test/pod.yaml:2-36
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39

		2  | apiVersion: v1
		3  | kind: Pod
		4  | metadata:
		5  |   name: airflow-kubernetes-smoke-test
		6  |   namespace: airflow
		7  | spec:
		8  |   securityContext:
		9  |     runAsNonRoot: true
		10 |     runAsUser: 1000
		11 |   affinity:
		12 |     nodeAffinity:
		13 |       requiredDuringSchedulingIgnoredDuringExecution:
		14 |         nodeSelectorTerms:
		15 |           - matchExpressions:
		16 |               - key: compute.analytical-platform.service.justice.gov.uk/karpenter-node-pool
		17 |                 operator: In
		18 |                 values:
		19 |                   - general-spot
		20 |   tolerations:
		21 |     - key: compute.analytical-platform.service.justice.gov.uk/karpenter-node-pool
		22 |       operator: Equal
		23 |       value: general-spot
		24 |       effect: NoSchedule
		25 |   restartPolicy: Never
		26 |   containers:
		27 |     - name: main
		28 |       image: ghcr.io/ministryofjustice/analytical-platform-airflow-python-base:1.4.0
		29 |       command: ["/bin/sh", "-c", "date && cat /etc/os-release && sleep 120"]
		30 |       resources:
		31 |         requests:
		32 |           memory: 64Mi
		33 |           cpu: 100m
		34 |         limits:
		35 |           memory: 128Mi
		36 |           cpu: 200m

Check: CKV_K8S_9: "Readiness Probe Should be Configured"
	FAILED for resource: Pod.airflow.airflow-kubernetes-smoke-test
	File: /contrib/airflow-kubernetes-smoke-test/pod.yaml:2-36
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8

		2  | apiVersion: v1
		3  | kind: Pod
		4  | metadata:
		5  |   name: airflow-kubernetes-smoke-test
		6  |   namespace: airflow
		7  | spec:
		8  |   securityContext:
		9  |     runAsNonRoot: true
		10 |     runAsUser: 1000
		11 |   affinity:
		12 |     nodeAffinity:
		13 |       requiredDuringSchedulingIgnoredDuringExecution:
		14 |         nodeSelectorTerms:
		15 |           - matchExpressions:
		16 |               - key: compute.analytical-platform.service.justice.gov.uk/karpenter-node-pool
		17 |                 operator: In
		18 |                 values:
		19 |                   - general-spot
		20 |   tolerations:
		21 |     - key: compute.analytical-platform.service.justice.gov.uk/karpenter-node-pool
		22 |       operator: Equal
		23 |       value: general-spot
		24 |       effect: NoSchedule
		25 |   restartPolicy: Never
		26 |   containers:
		27 |     - name: main
		28 |       image: ghcr.io/ministryofjustice/analytical-platform-airflow-python-base:1.4.0
		29 |       command: ["/bin/sh", "-c", "date && cat /etc/os-release && sleep 120"]
		30 |       resources:
		31 |         requests:
		32 |           memory: 64Mi
		33 |           cpu: 100m
		34 |         limits:
		35 |           memory: 128Mi
		36 |           cpu: 200m

Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
	FAILED for resource: Pod.airflow.airflow-kubernetes-smoke-test
	File: /contrib/airflow-kubernetes-smoke-test/pod.yaml:2-36
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29

		2  | apiVersion: v1
		3  | kind: Pod
		4  | metadata:
		5  |   name: airflow-kubernetes-smoke-test
		6  |   namespace: airflow
		7  | spec:
		8  |   securityContext:
		9  |     runAsNonRoot: true
		10 |     runAsUser: 1000
		11 |   affinity:
		12 |     nodeAffinity:
		13 |       requiredDuringSchedulingIgnoredDuringExecution:
		14 |         nodeSelectorTerms:
		15 |           - matchExpressions:
		16 |               - key: compute.analytical-platform.service.justice.gov.uk/karpenter-node-pool
		17 |                 operator: In
		18 |                 values:
		19 |                   - general-spot
		20 |   tolerations:
		21 |     - key: compute.analytical-platform.service.justice.gov.uk/karpenter-node-pool
		22 |       operator: Equal
		23 |       value: general-spot
		24 |       effect: NoSchedule
		25 |   restartPolicy: Never
		26 |   containers:
		27 |     - name: main
		28 |       image: ghcr.io/ministryofjustice/analytical-platform-airflow-python-base:1.4.0
		29 |       command: ["/bin/sh", "-c", "date && cat /etc/os-release && sleep 120"]
		30 |       resources:
		31 |         requests:
		32 |           memory: 64Mi
		33 |           cpu: 100m
		34 |         limits:
		35 |           memory: 128Mi
		36 |           cpu: 200m

Check: CKV_K8S_15: "Image Pull Policy should be Always"
	FAILED for resource: Pod.airflow.airflow-kubernetes-smoke-test
	File: /contrib/airflow-kubernetes-smoke-test/pod.yaml:2-36
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14

		2  | apiVersion: v1
		3  | kind: Pod
		4  | metadata:
		5  |   name: airflow-kubernetes-smoke-test
		6  |   namespace: airflow
		7  | spec:
		8  |   securityContext:
		9  |     runAsNonRoot: true
		10 |     runAsUser: 1000
		11 |   affinity:
		12 |     nodeAffinity:
		13 |       requiredDuringSchedulingIgnoredDuringExecution:
		14 |         nodeSelectorTerms:
		15 |           - matchExpressions:
		16 |               - key: compute.analytical-platform.service.justice.gov.uk/karpenter-node-pool
		17 |                 operator: In
		18 |                 values:
		19 |                   - general-spot
		20 |   tolerations:
		21 |     - key: compute.analytical-platform.service.justice.gov.uk/karpenter-node-pool
		22 |       operator: Equal
		23 |       value: general-spot
		24 |       effect: NoSchedule
		25 |   restartPolicy: Never
		26 |   containers:
		27 |     - name: main
		28 |       image: ghcr.io/ministryofjustice/analytical-platform-airflow-python-base:1.4.0
		29 |       command: ["/bin/sh", "-c", "date && cat /etc/os-release && sleep 120"]
		30 |       resources:
		31 |         requests:
		32 |           memory: 64Mi
		33 |           cpu: 100m
		34 |         limits:
		35 |           memory: 128Mi
		36 |           cpu: 200m

Check: CKV_K8S_8: "Liveness Probe Should be Configured"
	FAILED for resource: Pod.airflow.airflow-kubernetes-smoke-test
	File: /contrib/airflow-kubernetes-smoke-test/pod.yaml:2-36
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7

		2  | apiVersion: v1
		3  | kind: Pod
		4  | metadata:
		5  |   name: airflow-kubernetes-smoke-test
		6  |   namespace: airflow
		7  | spec:
		8  |   securityContext:
		9  |     runAsNonRoot: true
		10 |     runAsUser: 1000
		11 |   affinity:
		12 |     nodeAffinity:
		13 |       requiredDuringSchedulingIgnoredDuringExecution:
		14 |         nodeSelectorTerms:
		15 |           - matchExpressions:
		16 |               - key: compute.analytical-platform.service.justice.gov.uk/karpenter-node-pool
		17 |                 operator: In
		18 |                 values:
		19 |                   - general-spot
		20 |   tolerations:
		21 |     - key: compute.analytical-platform.service.justice.gov.uk/karpenter-node-pool
		22 |       operator: Equal
		23 |       value: general-spot
		24 |       effect: NoSchedule
		25 |   restartPolicy: Never
		26 |   containers:
		27 |     - name: main
		28 |       image: ghcr.io/ministryofjustice/analytical-platform-airflow-python-base:1.4.0
		29 |       command: ["/bin/sh", "-c", "date && cat /etc/os-release && sleep 120"]
		30 |       resources:
		31 |         requests:
		32 |           memory: 64Mi
		33 |           cpu: 100m
		34 |         limits:
		35 |           memory: 128Mi
		36 |           cpu: 200m

Check: CKV_K8S_30: "Apply security context to your containers"
	FAILED for resource: Pod.airflow.airflow-kubernetes-smoke-test
	File: /contrib/airflow-kubernetes-smoke-test/pod.yaml:2-36
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28

		2  | apiVersion: v1
		3  | kind: Pod
		4  | metadata:
		5  |   name: airflow-kubernetes-smoke-test
		6  |   namespace: airflow
		7  | spec:
		8  |   securityContext:
		9  |     runAsNonRoot: true
		10 |     runAsUser: 1000
		11 |   affinity:
		12 |     nodeAffinity:
		13 |       requiredDuringSchedulingIgnoredDuringExecution:
		14 |         nodeSelectorTerms:
		15 |           - matchExpressions:
		16 |               - key: compute.analytical-platform.service.justice.gov.uk/karpenter-node-pool
		17 |                 operator: In
		18 |                 values:
		19 |                   - general-spot
		20 |   tolerations:
		21 |     - key: compute.analytical-platform.service.justice.gov.uk/karpenter-node-pool
		22 |       operator: Equal
		23 |       value: general-spot
		24 |       effect: NoSchedule
		25 |   restartPolicy: Never
		26 |   containers:
		27 |     - name: main
		28 |       image: ghcr.io/ministryofjustice/analytical-platform-airflow-python-base:1.4.0
		29 |       command: ["/bin/sh", "-c", "date && cat /etc/os-release && sleep 120"]
		30 |       resources:
		31 |         requests:
		32 |           memory: 64Mi
		33 |           cpu: 100m
		34 |         limits:
		35 |           memory: 128Mi
		36 |           cpu: 200m

Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
	FAILED for resource: Pod.airflow.airflow-kubernetes-smoke-test
	File: /contrib/airflow-kubernetes-smoke-test/pod.yaml:2-36
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34

		2  | apiVersion: v1
		3  | kind: Pod
		4  | metadata:
		5  |   name: airflow-kubernetes-smoke-test
		6  |   namespace: airflow
		7  | spec:
		8  |   securityContext:
		9  |     runAsNonRoot: true
		10 |     runAsUser: 1000
		11 |   affinity:
		12 |     nodeAffinity:
		13 |       requiredDuringSchedulingIgnoredDuringExecution:
		14 |         nodeSelectorTerms:
		15 |           - matchExpressions:
		16 |               - key: compute.analytical-platform.service.justice.gov.uk/karpenter-node-pool
		17 |                 operator: In
		18 |                 values:
		19 |                   - general-spot
		20 |   tolerations:
		21 |     - key: compute.analytical-platform.service.justice.gov.uk/karpenter-node-pool
		22 |       operator: Equal
		23 |       value: general-spot
		24 |       effect: NoSchedule
		25 |   restartPolicy: Never
		26 |   containers:
		27 |     - name: main
		28 |       image: ghcr.io/ministryofjustice/analytical-platform-airflow-python-base:1.4.0
		29 |       command: ["/bin/sh", "-c", "date && cat /etc/os-release && sleep 120"]
		30 |       resources:
		31 |         requests:
		32 |           memory: 64Mi
		33 |           cpu: 100m
		34 |         limits:
		35 |           memory: 128Mi
		36 |           cpu: 200m

Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
	FAILED for resource: Pod.airflow.airflow-kubernetes-smoke-test
	File: /contrib/airflow-kubernetes-smoke-test/pod.yaml:2-36
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37

		2  | apiVersion: v1
		3  | kind: Pod
		4  | metadata:
		5  |   name: airflow-kubernetes-smoke-test
		6  |   namespace: airflow
		7  | spec:
		8  |   securityContext:
		9  |     runAsNonRoot: true
		10 |     runAsUser: 1000
		11 |   affinity:
		12 |     nodeAffinity:
		13 |       requiredDuringSchedulingIgnoredDuringExecution:
		14 |         nodeSelectorTerms:
		15 |           - matchExpressions:
		16 |               - key: compute.analytical-platform.service.justice.gov.uk/karpenter-node-pool
		17 |                 operator: In
		18 |                 values:
		19 |                   - general-spot
		20 |   tolerations:
		21 |     - key: compute.analytical-platform.service.justice.gov.uk/karpenter-node-pool
		22 |       operator: Equal
		23 |       value: general-spot
		24 |       effect: NoSchedule
		25 |   restartPolicy: Never
		26 |   containers:
		27 |     - name: main
		28 |       image: ghcr.io/ministryofjustice/analytical-platform-airflow-python-base:1.4.0
		29 |       command: ["/bin/sh", "-c", "date && cat /etc/os-release && sleep 120"]
		30 |       resources:
		31 |         requests:
		32 |           memory: 64Mi
		33 |           cpu: 100m
		34 |         limits:
		35 |           memory: 128Mi
		36 |           cpu: 200m

Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
	FAILED for resource: Pod.airflow.airflow-kubernetes-smoke-test
	File: /contrib/airflow-kubernetes-smoke-test/pod.yaml:2-36
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19

		2  | apiVersion: v1
		3  | kind: Pod
		4  | metadata:
		5  |   name: airflow-kubernetes-smoke-test
		6  |   namespace: airflow
		7  | spec:
		8  |   securityContext:
		9  |     runAsNonRoot: true
		10 |     runAsUser: 1000
		11 |   affinity:
		12 |     nodeAffinity:
		13 |       requiredDuringSchedulingIgnoredDuringExecution:
		14 |         nodeSelectorTerms:
		15 |           - matchExpressions:
		16 |               - key: compute.analytical-platform.service.justice.gov.uk/karpenter-node-pool
		17 |                 operator: In
		18 |                 values:
		19 |                   - general-spot
		20 |   tolerations:
		21 |     - key: compute.analytical-platform.service.justice.gov.uk/karpenter-node-pool
		22 |       operator: Equal
		23 |       value: general-spot
		24 |       effect: NoSchedule
		25 |   restartPolicy: Never
		26 |   containers:
		27 |     - name: main
		28 |       image: ghcr.io/ministryofjustice/analytical-platform-airflow-python-base:1.4.0
		29 |       command: ["/bin/sh", "-c", "date && cat /etc/os-release && sleep 120"]
		30 |       resources:
		31 |         requests:
		32 |           memory: 64Mi
		33 |           cpu: 100m
		34 |         limits:
		35 |           memory: 128Mi
		36 |           cpu: 200m

Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
	FAILED for resource: Pod.airflow.airflow-kubernetes-smoke-test
	File: /contrib/airflow-kubernetes-smoke-test/pod.yaml:2-36
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27

		2  | apiVersion: v1
		3  | kind: Pod
		4  | metadata:
		5  |   name: airflow-kubernetes-smoke-test
		6  |   namespace: airflow
		7  | spec:
		8  |   securityContext:
		9  |     runAsNonRoot: true
		10 |     runAsUser: 1000
		11 |   affinity:
		12 |     nodeAffinity:
		13 |       requiredDuringSchedulingIgnoredDuringExecution:
		14 |         nodeSelectorTerms:
		15 |           - matchExpressions:
		16 |               - key: compute.analytical-platform.service.justice.gov.uk/karpenter-node-pool
		17 |                 operator: In
		18 |                 values:
		19 |                   - general-spot
		20 |   tolerations:
		21 |     - key: compute.analytical-platform.service.justice.gov.uk/karpenter-node-pool
		22 |       operator: Equal
		23 |       value: general-spot
		24 |       effect: NoSchedule
		25 |   restartPolicy: Never
		26 |   containers:
		27 |     - name: main
		28 |       image: ghcr.io/ministryofjustice/analytical-platform-airflow-python-base:1.4.0
		29 |       command: ["/bin/sh", "-c", "date && cat /etc/os-release && sleep 120"]
		30 |       resources:
		31 |         requests:
		32 |           memory: 64Mi
		33 |           cpu: 100m
		34 |         limits:
		35 |           memory: 128Mi
		36 |           cpu: 200m

Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
	FAILED for resource: Pod.airflow.airflow-kubernetes-smoke-test
	File: /contrib/airflow-kubernetes-smoke-test/pod.yaml:2-36
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21

		2  | apiVersion: v1
		3  | kind: Pod
		4  | metadata:
		5  |   name: airflow-kubernetes-smoke-test
		6  |   namespace: airflow
		7  | spec:
		8  |   securityContext:
		9  |     runAsNonRoot: true
		10 |     runAsUser: 1000
		11 |   affinity:
		12 |     nodeAffinity:
		13 |       requiredDuringSchedulingIgnoredDuringExecution:
		14 |         nodeSelectorTerms:
		15 |           - matchExpressions:
		16 |               - key: compute.analytical-platform.service.justice.gov.uk/karpenter-node-pool
		17 |                 operator: In
		18 |                 values:
		19 |                   - general-spot
		20 |   tolerations:
		21 |     - key: compute.analytical-platform.service.justice.gov.uk/karpenter-node-pool
		22 |       operator: Equal
		23 |       value: general-spot
		24 |       effect: NoSchedule
		25 |   restartPolicy: Never
		26 |   containers:
		27 |     - name: main
		28 |       image: ghcr.io/ministryofjustice/analytical-platform-airflow-python-base:1.4.0
		29 |       command: ["/bin/sh", "-c", "date && cat /etc/os-release && sleep 120"]
		30 |       resources:
		31 |         requests:
		32 |           memory: 64Mi
		33 |           cpu: 100m
		34 |         limits:
		35 |           memory: 128Mi
		36 |           cpu: 200m

Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
	FAILED for resource: Pod.airflow.airflow-kubernetes-smoke-test
	File: /contrib/airflow-kubernetes-smoke-test/pod.yaml:2-36
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35

		2  | apiVersion: v1
		3  | kind: Pod
		4  | metadata:
		5  |   name: airflow-kubernetes-smoke-test
		6  |   namespace: airflow
		7  | spec:
		8  |   securityContext:
		9  |     runAsNonRoot: true
		10 |     runAsUser: 1000
		11 |   affinity:
		12 |     nodeAffinity:
		13 |       requiredDuringSchedulingIgnoredDuringExecution:
		14 |         nodeSelectorTerms:
		15 |           - matchExpressions:
		16 |               - key: compute.analytical-platform.service.justice.gov.uk/karpenter-node-pool
		17 |                 operator: In
		18 |                 values:
		19 |                   - general-spot
		20 |   tolerations:
		21 |     - key: compute.analytical-platform.service.justice.gov.uk/karpenter-node-pool
		22 |       operator: Equal
		23 |       value: general-spot
		24 |       effect: NoSchedule
		25 |   restartPolicy: Never
		26 |   containers:
		27 |     - name: main
		28 |       image: ghcr.io/ministryofjustice/analytical-platform-airflow-python-base:1.4.0
		29 |       command: ["/bin/sh", "-c", "date && cat /etc/os-release && sleep 120"]
		30 |       resources:
		31 |         requests:
		32 |           memory: 64Mi
		33 |           cpu: 100m
		34 |         limits:
		35 |           memory: 128Mi
		36 |           cpu: 200m

Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
	FAILED for resource: Pod.airflow.airflow-kubernetes-smoke-test
	File: /contrib/airflow-kubernetes-smoke-test/pod.yaml:2-36

		2  | apiVersion: v1
		3  | kind: Pod
		4  | metadata:
		5  |   name: airflow-kubernetes-smoke-test
		6  |   namespace: airflow
		7  | spec:
		8  |   securityContext:
		9  |     runAsNonRoot: true
		10 |     runAsUser: 1000
		11 |   affinity:
		12 |     nodeAffinity:
		13 |       requiredDuringSchedulingIgnoredDuringExecution:
		14 |         nodeSelectorTerms:
		15 |           - matchExpressions:
		16 |               - key: compute.analytical-platform.service.justice.gov.uk/karpenter-node-pool
		17 |                 operator: In
		18 |                 values:
		19 |                   - general-spot
		20 |   tolerations:
		21 |     - key: compute.analytical-platform.service.justice.gov.uk/karpenter-node-pool
		22 |       operator: Equal
		23 |       value: general-spot
		24 |       effect: NoSchedule
		25 |   restartPolicy: Never
		26 |   containers:
		27 |     - name: main
		28 |       image: ghcr.io/ministryofjustice/analytical-platform-airflow-python-base:1.4.0
		29 |       command: ["/bin/sh", "-c", "date && cat /etc/os-release && sleep 120"]
		30 |       resources:
		31 |         requests:
		32 |           memory: 64Mi
		33 |           cpu: 100m
		34 |         limits:
		35 |           memory: 128Mi
		36 |           cpu: 200m


checkov_exitcode=1

CTFLint Scan Success

Show Output 
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/analytical-platform-compute

*****************************

Running tflint in terraform/environments/analytical-platform-compute
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

Trivy Scan Failed

Show Output 
*****************************

Trivy will check the following folders:
terraform/environments/analytical-platform-compute

*****************************

Running Trivy in terraform/environments/analytical-platform-compute
2025-01-07T17:22:22Z	INFO	[vulndb] Need to update DB
2025-01-07T17:22:22Z	INFO	[vulndb] Downloading vulnerability DB...
2025-01-07T17:22:22Z	INFO	[vulndb] Downloading artifact...	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-01-07T17:22:25Z	INFO	[vulndb] Artifact successfully downloaded	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-01-07T17:22:25Z	INFO	[vuln] Vulnerability scanning is enabled
2025-01-07T17:22:25Z	INFO	[misconfig] Misconfiguration scanning is enabled
2025-01-07T17:22:25Z	INFO	[misconfig] Need to update the built-in checks
2025-01-07T17:22:25Z	INFO	[misconfig] Downloading the built-in checks...
160.80 KiB / 160.80 KiB [---------------------------------------------------------] 100.00% ? p/s 0s2025-01-07T17:22:25Z	INFO	[secret] Secret scanning is enabled
2025-01-07T17:22:25Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-01-07T17:22:25Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2025-01-07T17:22:28Z	INFO	[terraform scanner] Scanning root module	file_path="."
2025-01-07T17:22:28Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2025-01-07T17:22:28Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.transit_gateway_routes" value="cty.NilVal"
2025-01-07T17:22:35Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.eks.aws_ec2_tag.cluster_primary_security_group" value="cty.NilVal"
2025-01-07T17:22:36Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.eks.module.kms.data.aws_iam_policy_document.this[0]" err="1 error occurred:\n\t* invalid for-each in data.aws_iam_policy_document.this[0].dynamic.statement block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T17:22:36Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.eks.module.kms.data.aws_iam_policy_document.this[0]" err="1 error occurred:\n\t* invalid for-each in data.aws_iam_policy_document.this[0].dynamic.statement block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T17:22:36Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.eks.module.eks_managed_node_group[\"airflow-high-memory\"].aws_iam_role_policy_attachment.this" value="cty.NilVal"
2025-01-07T17:22:36Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.eks.module.eks_managed_node_group[\"airflow-high-memory\"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T17:22:36Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.eks.module.eks_managed_node_group[\"airflow-high-memory\"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T17:22:36Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.eks.module.eks_managed_node_group[\"general\"].aws_iam_role_policy_attachment.this" value="cty.NilVal"
2025-01-07T17:22:36Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.eks.module.eks_managed_node_group[\"general\"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T17:22:36Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.eks.module.eks_managed_node_group[\"general\"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T17:22:36Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.eks_cluster_logs_kms.data.aws_iam_policy_document.this[0]" err="1 error occurred:\n\t* invalid for-each in data.aws_iam_policy_document.this[0].dynamic.statement.content.dynamic.condition block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T17:22:36Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.eks_cluster_logs_kms.data.aws_iam_policy_document.this[0]" err="1 error occurred:\n\t* invalid for-each in data.aws_iam_policy_document.this[0].dynamic.statement.content.dynamic.condition block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T17:22:36Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.eks.module.eks_managed_node_group[\"airflow-high-memory\"].aws_iam_role_policy_attachment.this" value="cty.NilVal"
2025-01-07T17:22:36Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.eks.module.eks_managed_node_group[\"airflow-high-memory\"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T17:22:36Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.eks.module.eks_managed_node_group[\"airflow-high-memory\"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T17:22:36Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.eks.module.eks_managed_node_group[\"general\"].aws_iam_role_policy_attachment.this" value="cty.NilVal"
2025-01-07T17:22:36Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.eks.module.eks_managed_node_group[\"general\"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T17:22:36Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.eks.module.eks_managed_node_group[\"general\"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T17:22:37Z	INFO	[terraform executor] Ignore finding	rule="aws-eks-no-public-cluster-access" range="git::https:/github.com/terraform-aws-modules/terraform-aws-eks?ref=a713f6f464eb579a39918f60f130a5fbb77a6b30/main.tf:69"
2025-01-07T17:22:37Z	INFO	[terraform executor] Ignore finding	rule="aws-eks-no-public-cluster-access-to-cidr" range="git::https:/github.com/terraform-aws-modules/terraform-aws-eks?ref=a713f6f464eb579a39918f60f130a5fbb77a6b30/main.tf:70"
2025-01-07T17:22:37Z	INFO	[terraform executor] Ignore finding	rule="aws-ec2-no-public-egress-sgr" range="git::https:/github.com/terraform-aws-modules/terraform-aws-eks?ref=a713f6f464eb579a39918f60f130a5fbb77a6b30/node_groups.tf:247"
2025-01-07T17:22:37Z	INFO	Number of language-specific files	num=0
2025-01-07T17:22:37Z	INFO	Detected config files	num=15

contrib/airflow-kubernetes-smoke-test/pod.yaml (kubernetes)
===========================================================
Tests: 20 (SUCCESSES: 19, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-KSV-0014 (HIGH): Container 'main' of Pod 'airflow-kubernetes-smoke-test' should set 'securityContext.readOnlyRootFilesystem' to true
════════════════════════════════════════
An immutable root file system prevents applications from writing to their local disk. This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.

See https://avd.aquasec.com/misconfig/ksv014
────────────────────────────────────────
 contrib/airflow-kubernetes-smoke-test/pod.yaml:27-36
────────────────────────────────────────
  27- name: main
  28 │       image: ghcr.io/ministryofjustice/analytical-platform-airflow-python-base:1.4.0
  29 │       command: ["/bin/sh", "-c", "date && cat /etc/os-release && sleep 120"]
  30 │       resources:
  31 │         requests:
  32 │           memory: 64Mi
  33 │           cpu: 100m
  34 │         limits:
  35 │           memory: 128Mi
  36 └           cpu: 200m
────────────────────────────────────────


trivy_exitcode=1

@jacobwoffenden
checkov skips
dd2aedb 
Signed-off-by: GitHub <noreply@github.com>
@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Jan 7, 2025

Trivy Scan Failed

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/analytical-platform-compute

Running Trivy in terraform/environments/analytical-platform-compute
2025-01-07T17:42:31Z INFO [vulndb] Need to update DB
2025-01-07T17:42:31Z INFO [vulndb] Downloading vulnerability DB...
2025-01-07T17:42:31Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-01-07T17:42:34Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-01-07T17:42:34Z INFO [vuln] Vulnerability scanning is enabled
2025-01-07T17:42:34Z INFO [misconfig] Misconfiguration scanning is enabled
2025-01-07T17:42:34Z INFO [misconfig] Need to update the built-in checks
2025-01-07T17:42:34Z INFO [misconfig] Downloading the built-in checks...
160.80 KiB / 160.80 KiB [------------------------------------------------------] 100.00% ? p/s 100ms2025-01-07T17:42:34Z INFO [secret] Secret scanning is enabled
2025-01-07T17:42:34Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-01-07T17:42:34Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2025-01-07T17:42:35Z INFO [terraform scanner] Scanning root module file_path="."
2025-01-07T17:42:35Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2025-01-07T17:42:35Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.transit_gateway_routes" value="cty.NilVal"
2025-01-07T17:42:46Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.eks.aws_ec2_tag.cluster_primary_security_group" value="cty.NilVal"
2025-01-07T17:42:47Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.eks.module.kms.data.aws_iam_policy_document.this[0]" err="1 error occurred:\n\t* invalid for-each in data.aws_iam_policy_document.this[0].dynamic.statement block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T17:42:47Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.eks.module.kms.data.aws_iam_policy_document.this[0]" err="1 error occurred:\n\t* invalid for-each in data.aws_iam_policy_document.this[0].dynamic.statement block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T17:42:47Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.eks.module.eks_managed_node_group["airflow-high-memory"].aws_iam_role_policy_attachment.this" value="cty.NilVal"
2025-01-07T17:42:47Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.eks.module.eks_managed_node_group["airflow-high-memory"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T17:42:47Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.eks.module.eks_managed_node_group["airflow-high-memory"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T17:42:47Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.eks.module.eks_managed_node_group["general"].aws_iam_role_policy_attachment.this" value="cty.NilVal"
2025-01-07T17:42:47Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.eks.module.eks_managed_node_group["general"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T17:42:47Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.eks.module.eks_managed_node_group["general"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T17:42:47Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.eks_cluster_logs_kms.data.aws_iam_policy_document.this[0]" err="1 error occurred:\n\t* invalid for-each in data.aws_iam_policy_document.this[0].dynamic.statement.content.dynamic.condition block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T17:42:47Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.eks_cluster_logs_kms.data.aws_iam_policy_document.this[0]" err="1 error occurred:\n\t* invalid for-each in data.aws_iam_policy_document.this[0].dynamic.statement.content.dynamic.condition block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T17:42:47Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.eks.module.eks_managed_node_group["airflow-high-memory"].aws_iam_role_policy_attachment.this" value="cty.NilVal"
2025-01-07T17:42:47Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.eks.module.eks_managed_node_group["airflow-high-memory"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T17:42:47Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.eks.module.eks_managed_node_group["airflow-high-memory"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T17:42:47Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.eks.module.eks_managed_node_group["general"].aws_iam_role_policy_attachment.this" value="cty.NilVal"
2025-01-07T17:42:47Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.eks.module.eks_managed_node_group["general"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T17:42:47Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.eks.module.eks_managed_node_group["general"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T17:42:48Z INFO [terraform executor] Ignore finding rule="aws-eks-no-public-cluster-access-to-cidr" range="git::https:/github.com/terraform-aws-modules/terraform-aws-eks?ref=a713f6f464eb579a39918f60f130a5fbb77a6b30/main.tf:70"
2025-01-07T17:42:48Z INFO [terraform executor] Ignore finding rule="aws-ec2-no-public-egress-sgr" range="git::https:/github.com/terraform-aws-modules/terraform-aws-eks?ref=a713f6f464eb579a39918f60f130a5fbb77a6b30/node_groups.tf:247"
2025-01-07T17:42:48Z INFO [terraform executor] Ignore finding rule="aws-eks-no-public-cluster-access" range="git::https:/github.com/terraform-aws-modules/terraform-aws-eks?ref=a713f6f464eb579a39918f60f130a5fbb77a6b30/main.tf:69"
2025-01-07T17:42:50Z INFO Number of language-specific files num=0
2025-01-07T17:42:50Z INFO Detected config files num=15

contrib/airflow-kubernetes-smoke-test/pod.yaml (kubernetes)

Tests: 20 (SUCCESSES: 19, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-KSV-0014 (HIGH): Container 'main' of Pod 'airflow-kubernetes-smoke-test' should set 'securityContext.readOnlyRootFilesystem' to true
════════════════════════════════════════
An immutable root file system prevents applications from writing to their local disk. This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.

See https://avd.aquasec.com/misconfig/ksv014
────────────────────────────────────────
contrib/airflow-kubernetes-smoke-test/pod.yaml:42-51
────────────────────────────────────────
42 ┌ - name: main
43 │ image: ghcr.io/ministryofjustice/analytical-platform-airflow-python-base:1.4.0
44 │ command: ["/bin/sh", "-c", "date && cat /etc/os-release && sleep 120"]
45 │ resources:
46 │ requests:
47 │ memory: 64Mi
48 │ cpu: 100m
49 │ limits:
50 │ memory: 128Mi
51 └ cpu: 200m
────────────────────────────────────────

trivy_exitcode=1

</details> #### `Checkov Scan` Success
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/analytical-platform-compute

*****************************

Running Checkov in terraform/environments/analytical-platform-compute
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2025-01-07 17:42:53,490 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-policy:5.52.1 (for external modules, the --download-external-modules flag is required)
2025-01-07 17:42:53,490 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks:5.52.1 (for external modules, the --download-external-modules flag is required)
2025-01-07 17:42:53,490 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-github-oidc-role:5.52.1 (for external modules, the --download-external-modules flag is required)
2025-01-07 17:42:53,490 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-assumable-role:5.52.1 (for external modules, the --download-external-modules flag is required)
2025-01-07 17:42:53,490 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/cloudwatch/aws//modules/log-group:5.7.0 (for external modules, the --download-external-modules flag is required)
2025-01-07 17:42:53,490 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/kms/aws:3.1.1 (for external modules, the --download-external-modules flag is required)
2025-01-07 17:42:53,490 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/eks-pod-identity/aws:1.9.0 (for external modules, the --download-external-modules flag is required)
2025-01-07 17:42:53,491 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/s3-bucket/aws:4.3.0 (for external modules, the --download-external-modules flag is required)
2025-01-07 17:42:53,491 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/rds/aws:6.10.0 (for external modules, the --download-external-modules flag is required)
2025-01-07 17:42:53,491 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/security-group/aws:5.2.0 (for external modules, the --download-external-modules flag is required)
2025-01-07 17:42:53,491 [MainThread  ] [WARNI]  Failed to download module ministryofjustice/observability-platform-tenant/aws:1.2.0 (for external modules, the --download-external-modules flag is required)
2025-01-07 17:42:53,491 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/vpc/aws//modules/vpc-endpoints:5.17.0 (for external modules, the --download-external-modules flag is required)
2025-01-07 17:42:53,491 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/secrets-manager/aws:1.3.1 (for external modules, the --download-external-modules flag is required)
2025-01-07 17:42:53,491 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/eks/aws:20.31.6 (for external modules, the --download-external-modules flag is required)
2025-01-07 17:42:53,492 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/eks/aws//modules/karpenter:20.31.6 (for external modules, the --download-external-modules flag is required)
2025-01-07 17:42:53,492 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/route53/aws//modules/zones:4.1.0 (for external modules, the --download-external-modules flag is required)
2025-01-07 17:42:53,492 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/vpc/aws:5.17.0 (for external modules, the --download-external-modules flag is required)
2025-01-07 17:42:53,492 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/managed-service-prometheus/aws:3.0.0 (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 154, Failed checks: 0, Skipped checks: 153

kubernetes scan results:

Passed checks: 76, Failed checks: 0, Skipped checks: 13


checkov_exitcode=0

CTFLint Scan Success

Show Output 
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/analytical-platform-compute

*****************************

Running tflint in terraform/environments/analytical-platform-compute
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

Trivy Scan Failed

Show Output 
*****************************

Trivy will check the following folders:
terraform/environments/analytical-platform-compute

*****************************

Running Trivy in terraform/environments/analytical-platform-compute
2025-01-07T17:42:31Z	INFO	[vulndb] Need to update DB
2025-01-07T17:42:31Z	INFO	[vulndb] Downloading vulnerability DB...
2025-01-07T17:42:31Z	INFO	[vulndb] Downloading artifact...	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-01-07T17:42:34Z	INFO	[vulndb] Artifact successfully downloaded	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-01-07T17:42:34Z	INFO	[vuln] Vulnerability scanning is enabled
2025-01-07T17:42:34Z	INFO	[misconfig] Misconfiguration scanning is enabled
2025-01-07T17:42:34Z	INFO	[misconfig] Need to update the built-in checks
2025-01-07T17:42:34Z	INFO	[misconfig] Downloading the built-in checks...
160.80 KiB / 160.80 KiB [------------------------------------------------------] 100.00% ? p/s 100ms2025-01-07T17:42:34Z	INFO	[secret] Secret scanning is enabled
2025-01-07T17:42:34Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-01-07T17:42:34Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2025-01-07T17:42:35Z	INFO	[terraform scanner] Scanning root module	file_path="."
2025-01-07T17:42:35Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2025-01-07T17:42:35Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.transit_gateway_routes" value="cty.NilVal"
2025-01-07T17:42:46Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.eks.aws_ec2_tag.cluster_primary_security_group" value="cty.NilVal"
2025-01-07T17:42:47Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.eks.module.kms.data.aws_iam_policy_document.this[0]" err="1 error occurred:\n\t* invalid for-each in data.aws_iam_policy_document.this[0].dynamic.statement block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T17:42:47Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.eks.module.kms.data.aws_iam_policy_document.this[0]" err="1 error occurred:\n\t* invalid for-each in data.aws_iam_policy_document.this[0].dynamic.statement block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T17:42:47Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.eks.module.eks_managed_node_group[\"airflow-high-memory\"].aws_iam_role_policy_attachment.this" value="cty.NilVal"
2025-01-07T17:42:47Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.eks.module.eks_managed_node_group[\"airflow-high-memory\"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T17:42:47Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.eks.module.eks_managed_node_group[\"airflow-high-memory\"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T17:42:47Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.eks.module.eks_managed_node_group[\"general\"].aws_iam_role_policy_attachment.this" value="cty.NilVal"
2025-01-07T17:42:47Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.eks.module.eks_managed_node_group[\"general\"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T17:42:47Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.eks.module.eks_managed_node_group[\"general\"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T17:42:47Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.eks_cluster_logs_kms.data.aws_iam_policy_document.this[0]" err="1 error occurred:\n\t* invalid for-each in data.aws_iam_policy_document.this[0].dynamic.statement.content.dynamic.condition block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T17:42:47Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.eks_cluster_logs_kms.data.aws_iam_policy_document.this[0]" err="1 error occurred:\n\t* invalid for-each in data.aws_iam_policy_document.this[0].dynamic.statement.content.dynamic.condition block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T17:42:47Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.eks.module.eks_managed_node_group[\"airflow-high-memory\"].aws_iam_role_policy_attachment.this" value="cty.NilVal"
2025-01-07T17:42:47Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.eks.module.eks_managed_node_group[\"airflow-high-memory\"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T17:42:47Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.eks.module.eks_managed_node_group[\"airflow-high-memory\"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T17:42:47Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.eks.module.eks_managed_node_group[\"general\"].aws_iam_role_policy_attachment.this" value="cty.NilVal"
2025-01-07T17:42:47Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.eks.module.eks_managed_node_group[\"general\"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T17:42:47Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.eks.module.eks_managed_node_group[\"general\"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T17:42:48Z	INFO	[terraform executor] Ignore finding	rule="aws-eks-no-public-cluster-access-to-cidr" range="git::https:/github.com/terraform-aws-modules/terraform-aws-eks?ref=a713f6f464eb579a39918f60f130a5fbb77a6b30/main.tf:70"
2025-01-07T17:42:48Z	INFO	[terraform executor] Ignore finding	rule="aws-ec2-no-public-egress-sgr" range="git::https:/github.com/terraform-aws-modules/terraform-aws-eks?ref=a713f6f464eb579a39918f60f130a5fbb77a6b30/node_groups.tf:247"
2025-01-07T17:42:48Z	INFO	[terraform executor] Ignore finding	rule="aws-eks-no-public-cluster-access" range="git::https:/github.com/terraform-aws-modules/terraform-aws-eks?ref=a713f6f464eb579a39918f60f130a5fbb77a6b30/main.tf:69"
2025-01-07T17:42:50Z	INFO	Number of language-specific files	num=0
2025-01-07T17:42:50Z	INFO	Detected config files	num=15

contrib/airflow-kubernetes-smoke-test/pod.yaml (kubernetes)
===========================================================
Tests: 20 (SUCCESSES: 19, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-KSV-0014 (HIGH): Container 'main' of Pod 'airflow-kubernetes-smoke-test' should set 'securityContext.readOnlyRootFilesystem' to true
════════════════════════════════════════
An immutable root file system prevents applications from writing to their local disk. This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.

See https://avd.aquasec.com/misconfig/ksv014
────────────────────────────────────────
 contrib/airflow-kubernetes-smoke-test/pod.yaml:42-51
────────────────────────────────────────
  42- name: main
  43 │       image: ghcr.io/ministryofjustice/analytical-platform-airflow-python-base:1.4.0
  44 │       command: ["/bin/sh", "-c", "date && cat /etc/os-release && sleep 120"]
  45 │       resources:
  46 │         requests:
  47 │           memory: 64Mi
  48 │           cpu: 100m
  49 │         limits:
  50 │           memory: 128Mi
  51 └           cpu: 200m
────────────────────────────────────────


trivy_exitcode=1

@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Jan 7, 2025

Trivy Scan Failed

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/analytical-platform-compute

Running Trivy in terraform/environments/analytical-platform-compute
2025-01-07T18:04:39Z INFO [vulndb] Need to update DB
2025-01-07T18:04:39Z INFO [vulndb] Downloading vulnerability DB...
2025-01-07T18:04:39Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-01-07T18:04:41Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-01-07T18:04:41Z INFO [vuln] Vulnerability scanning is enabled
2025-01-07T18:04:41Z INFO [misconfig] Misconfiguration scanning is enabled
2025-01-07T18:04:41Z INFO [misconfig] Need to update the built-in checks
2025-01-07T18:04:41Z INFO [misconfig] Downloading the built-in checks...
160.80 KiB / 160.80 KiB [---------------------------------------------------------] 100.00% ? p/s 0s2025-01-07T18:04:42Z INFO [secret] Secret scanning is enabled
2025-01-07T18:04:42Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-01-07T18:04:42Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2025-01-07T18:04:43Z INFO [terraform scanner] Scanning root module file_path="."
2025-01-07T18:04:43Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2025-01-07T18:04:43Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.transit_gateway_routes" value="cty.NilVal"
2025-01-07T18:04:50Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.eks.aws_ec2_tag.cluster_primary_security_group" value="cty.NilVal"
2025-01-07T18:04:50Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.eks.module.kms.data.aws_iam_policy_document.this[0]" err="1 error occurred:\n\t* invalid for-each in data.aws_iam_policy_document.this[0].dynamic.statement block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T18:04:50Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.eks.module.kms.data.aws_iam_policy_document.this[0]" err="1 error occurred:\n\t* invalid for-each in data.aws_iam_policy_document.this[0].dynamic.statement block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T18:04:50Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.eks.module.eks_managed_node_group["airflow-high-memory"].aws_iam_role_policy_attachment.this" value="cty.NilVal"
2025-01-07T18:04:50Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.eks.module.eks_managed_node_group["airflow-high-memory"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T18:04:50Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.eks.module.eks_managed_node_group["airflow-high-memory"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T18:04:50Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.eks.module.eks_managed_node_group["general"].aws_iam_role_policy_attachment.this" value="cty.NilVal"
2025-01-07T18:04:50Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.eks.module.eks_managed_node_group["general"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T18:04:50Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.eks.module.eks_managed_node_group["general"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T18:04:50Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.eks_cluster_logs_kms.data.aws_iam_policy_document.this[0]" err="1 error occurred:\n\t* invalid for-each in data.aws_iam_policy_document.this[0].dynamic.statement.content.dynamic.condition block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T18:04:50Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.eks_cluster_logs_kms.data.aws_iam_policy_document.this[0]" err="1 error occurred:\n\t* invalid for-each in data.aws_iam_policy_document.this[0].dynamic.statement.content.dynamic.condition block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T18:04:51Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.eks.module.eks_managed_node_group["airflow-high-memory"].aws_iam_role_policy_attachment.this" value="cty.NilVal"
2025-01-07T18:04:51Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.eks.module.eks_managed_node_group["airflow-high-memory"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T18:04:51Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.eks.module.eks_managed_node_group["airflow-high-memory"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T18:04:51Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.eks.module.eks_managed_node_group["general"].aws_iam_role_policy_attachment.this" value="cty.NilVal"
2025-01-07T18:04:51Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.eks.module.eks_managed_node_group["general"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T18:04:51Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.eks.module.eks_managed_node_group["general"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T18:04:51Z INFO [terraform executor] Ignore finding rule="aws-eks-no-public-cluster-access-to-cidr" range="git::https:/github.com/terraform-aws-modules/terraform-aws-eks?ref=a713f6f464eb579a39918f60f130a5fbb77a6b30/main.tf:70"
2025-01-07T18:04:51Z INFO [terraform executor] Ignore finding rule="aws-ec2-no-public-egress-sgr" range="git::https:/github.com/terraform-aws-modules/terraform-aws-eks?ref=a713f6f464eb579a39918f60f130a5fbb77a6b30/node_groups.tf:247"
2025-01-07T18:04:51Z INFO [terraform executor] Ignore finding rule="aws-eks-no-public-cluster-access" range="git::https:/github.com/terraform-aws-modules/terraform-aws-eks?ref=a713f6f464eb579a39918f60f130a5fbb77a6b30/main.tf:69"
2025-01-07T18:04:53Z INFO Number of language-specific files num=0
2025-01-07T18:04:53Z INFO Detected config files num=15

contrib/airflow-kubernetes-smoke-test/pod.yaml (kubernetes)

Tests: 20 (SUCCESSES: 19, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-KSV-0014 (HIGH): Container 'main' of Pod 'airflow-kubernetes-smoke-test' should set 'securityContext.readOnlyRootFilesystem' to true
════════════════════════════════════════
An immutable root file system prevents applications from writing to their local disk. This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.

See https://avd.aquasec.com/misconfig/ksv014
────────────────────────────────────────
contrib/airflow-kubernetes-smoke-test/pod.yaml:43-52
────────────────────────────────────────
43 ┌ - name: main
44 │ image: ghcr.io/ministryofjustice/analytical-platform-airflow-python-base:1.4.0
45 │ command: ["/bin/sh", "-c", "date && cat /etc/os-release && sleep 120"]
46 │ resources:
47 │ requests:
48 │ memory: 64Mi
49 │ cpu: 100m
50 │ limits:
51 │ memory: 128Mi
52 └ cpu: 200m
────────────────────────────────────────

trivy_exitcode=1

</details> #### `Checkov Scan` Success
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/analytical-platform-compute

*****************************

Running Checkov in terraform/environments/analytical-platform-compute
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2025-01-07 18:04:56,209 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-policy:5.52.1 (for external modules, the --download-external-modules flag is required)
2025-01-07 18:04:56,209 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks:5.52.1 (for external modules, the --download-external-modules flag is required)
2025-01-07 18:04:56,209 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-github-oidc-role:5.52.1 (for external modules, the --download-external-modules flag is required)
2025-01-07 18:04:56,210 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-assumable-role:5.52.1 (for external modules, the --download-external-modules flag is required)
2025-01-07 18:04:56,210 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/cloudwatch/aws//modules/log-group:5.7.0 (for external modules, the --download-external-modules flag is required)
2025-01-07 18:04:56,210 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/kms/aws:3.1.1 (for external modules, the --download-external-modules flag is required)
2025-01-07 18:04:56,210 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/eks-pod-identity/aws:1.9.0 (for external modules, the --download-external-modules flag is required)
2025-01-07 18:04:56,210 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/s3-bucket/aws:4.3.0 (for external modules, the --download-external-modules flag is required)
2025-01-07 18:04:56,210 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/rds/aws:6.10.0 (for external modules, the --download-external-modules flag is required)
2025-01-07 18:04:56,211 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/security-group/aws:5.2.0 (for external modules, the --download-external-modules flag is required)
2025-01-07 18:04:56,211 [MainThread  ] [WARNI]  Failed to download module ministryofjustice/observability-platform-tenant/aws:1.2.0 (for external modules, the --download-external-modules flag is required)
2025-01-07 18:04:56,211 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/vpc/aws//modules/vpc-endpoints:5.17.0 (for external modules, the --download-external-modules flag is required)
2025-01-07 18:04:56,211 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/secrets-manager/aws:1.3.1 (for external modules, the --download-external-modules flag is required)
2025-01-07 18:04:56,211 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/eks/aws:20.31.6 (for external modules, the --download-external-modules flag is required)
2025-01-07 18:04:56,211 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/eks/aws//modules/karpenter:20.31.6 (for external modules, the --download-external-modules flag is required)
2025-01-07 18:04:56,212 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/route53/aws//modules/zones:4.1.0 (for external modules, the --download-external-modules flag is required)
2025-01-07 18:04:56,212 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/vpc/aws:5.17.0 (for external modules, the --download-external-modules flag is required)
2025-01-07 18:04:56,212 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/managed-service-prometheus/aws:3.0.0 (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 154, Failed checks: 0, Skipped checks: 153

kubernetes scan results:

Passed checks: 76, Failed checks: 0, Skipped checks: 13


checkov_exitcode=0

CTFLint Scan Success

Show Output 
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/analytical-platform-compute

*****************************

Running tflint in terraform/environments/analytical-platform-compute
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

Trivy Scan Failed

Show Output 
*****************************

Trivy will check the following folders:
terraform/environments/analytical-platform-compute

*****************************

Running Trivy in terraform/environments/analytical-platform-compute
2025-01-07T18:04:39Z	INFO	[vulndb] Need to update DB
2025-01-07T18:04:39Z	INFO	[vulndb] Downloading vulnerability DB...
2025-01-07T18:04:39Z	INFO	[vulndb] Downloading artifact...	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-01-07T18:04:41Z	INFO	[vulndb] Artifact successfully downloaded	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-01-07T18:04:41Z	INFO	[vuln] Vulnerability scanning is enabled
2025-01-07T18:04:41Z	INFO	[misconfig] Misconfiguration scanning is enabled
2025-01-07T18:04:41Z	INFO	[misconfig] Need to update the built-in checks
2025-01-07T18:04:41Z	INFO	[misconfig] Downloading the built-in checks...
160.80 KiB / 160.80 KiB [---------------------------------------------------------] 100.00% ? p/s 0s2025-01-07T18:04:42Z	INFO	[secret] Secret scanning is enabled
2025-01-07T18:04:42Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-01-07T18:04:42Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2025-01-07T18:04:43Z	INFO	[terraform scanner] Scanning root module	file_path="."
2025-01-07T18:04:43Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2025-01-07T18:04:43Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.transit_gateway_routes" value="cty.NilVal"
2025-01-07T18:04:50Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.eks.aws_ec2_tag.cluster_primary_security_group" value="cty.NilVal"
2025-01-07T18:04:50Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.eks.module.kms.data.aws_iam_policy_document.this[0]" err="1 error occurred:\n\t* invalid for-each in data.aws_iam_policy_document.this[0].dynamic.statement block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T18:04:50Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.eks.module.kms.data.aws_iam_policy_document.this[0]" err="1 error occurred:\n\t* invalid for-each in data.aws_iam_policy_document.this[0].dynamic.statement block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T18:04:50Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.eks.module.eks_managed_node_group[\"airflow-high-memory\"].aws_iam_role_policy_attachment.this" value="cty.NilVal"
2025-01-07T18:04:50Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.eks.module.eks_managed_node_group[\"airflow-high-memory\"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T18:04:50Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.eks.module.eks_managed_node_group[\"airflow-high-memory\"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T18:04:50Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.eks.module.eks_managed_node_group[\"general\"].aws_iam_role_policy_attachment.this" value="cty.NilVal"
2025-01-07T18:04:50Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.eks.module.eks_managed_node_group[\"general\"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T18:04:50Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.eks.module.eks_managed_node_group[\"general\"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T18:04:50Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.eks_cluster_logs_kms.data.aws_iam_policy_document.this[0]" err="1 error occurred:\n\t* invalid for-each in data.aws_iam_policy_document.this[0].dynamic.statement.content.dynamic.condition block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T18:04:50Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.eks_cluster_logs_kms.data.aws_iam_policy_document.this[0]" err="1 error occurred:\n\t* invalid for-each in data.aws_iam_policy_document.this[0].dynamic.statement.content.dynamic.condition block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T18:04:51Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.eks.module.eks_managed_node_group[\"airflow-high-memory\"].aws_iam_role_policy_attachment.this" value="cty.NilVal"
2025-01-07T18:04:51Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.eks.module.eks_managed_node_group[\"airflow-high-memory\"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T18:04:51Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.eks.module.eks_managed_node_group[\"airflow-high-memory\"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T18:04:51Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.eks.module.eks_managed_node_group[\"general\"].aws_iam_role_policy_attachment.this" value="cty.NilVal"
2025-01-07T18:04:51Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.eks.module.eks_managed_node_group[\"general\"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T18:04:51Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.eks.module.eks_managed_node_group[\"general\"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T18:04:51Z	INFO	[terraform executor] Ignore finding	rule="aws-eks-no-public-cluster-access-to-cidr" range="git::https:/github.com/terraform-aws-modules/terraform-aws-eks?ref=a713f6f464eb579a39918f60f130a5fbb77a6b30/main.tf:70"
2025-01-07T18:04:51Z	INFO	[terraform executor] Ignore finding	rule="aws-ec2-no-public-egress-sgr" range="git::https:/github.com/terraform-aws-modules/terraform-aws-eks?ref=a713f6f464eb579a39918f60f130a5fbb77a6b30/node_groups.tf:247"
2025-01-07T18:04:51Z	INFO	[terraform executor] Ignore finding	rule="aws-eks-no-public-cluster-access" range="git::https:/github.com/terraform-aws-modules/terraform-aws-eks?ref=a713f6f464eb579a39918f60f130a5fbb77a6b30/main.tf:69"
2025-01-07T18:04:53Z	INFO	Number of language-specific files	num=0
2025-01-07T18:04:53Z	INFO	Detected config files	num=15

contrib/airflow-kubernetes-smoke-test/pod.yaml (kubernetes)
===========================================================
Tests: 20 (SUCCESSES: 19, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-KSV-0014 (HIGH): Container 'main' of Pod 'airflow-kubernetes-smoke-test' should set 'securityContext.readOnlyRootFilesystem' to true
════════════════════════════════════════
An immutable root file system prevents applications from writing to their local disk. This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.

See https://avd.aquasec.com/misconfig/ksv014
────────────────────────────────────────
 contrib/airflow-kubernetes-smoke-test/pod.yaml:43-52
────────────────────────────────────────
  43- name: main
  44 │       image: ghcr.io/ministryofjustice/analytical-platform-airflow-python-base:1.4.0
  45 │       command: ["/bin/sh", "-c", "date && cat /etc/os-release && sleep 120"]
  46 │       resources:
  47 │         requests:
  48 │           memory: 64Mi
  49 │           cpu: 100m
  50 │         limits:
  51 │           memory: 128Mi
  52 └           cpu: 200m
────────────────────────────────────────


trivy_exitcode=1

@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Jan 7, 2025

Trivy Scan Success

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/analytical-platform-compute

Running Trivy in terraform/environments/analytical-platform-compute
2025-01-07T18:09:39Z INFO [vulndb] Need to update DB
2025-01-07T18:09:39Z INFO [vulndb] Downloading vulnerability DB...
2025-01-07T18:09:39Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-01-07T18:09:41Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-01-07T18:09:41Z INFO [vuln] Vulnerability scanning is enabled
2025-01-07T18:09:41Z INFO [misconfig] Misconfiguration scanning is enabled
2025-01-07T18:09:41Z INFO [misconfig] Need to update the built-in checks
2025-01-07T18:09:41Z INFO [misconfig] Downloading the built-in checks...
160.80 KiB / 160.80 KiB [------------------------------------------------------] 100.00% ? p/s 100ms2025-01-07T18:09:41Z INFO [secret] Secret scanning is enabled
2025-01-07T18:09:41Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-01-07T18:09:41Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2025-01-07T18:09:44Z INFO [terraform scanner] Scanning root module file_path="."
2025-01-07T18:09:44Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2025-01-07T18:09:44Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.transit_gateway_routes" value="cty.NilVal"
2025-01-07T18:09:49Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.eks.aws_ec2_tag.cluster_primary_security_group" value="cty.NilVal"
2025-01-07T18:09:50Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.eks.module.kms.data.aws_iam_policy_document.this[0]" err="1 error occurred:\n\t* invalid for-each in data.aws_iam_policy_document.this[0].dynamic.statement block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T18:09:50Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.eks.module.kms.data.aws_iam_policy_document.this[0]" err="1 error occurred:\n\t* invalid for-each in data.aws_iam_policy_document.this[0].dynamic.statement block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T18:09:50Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.eks.module.eks_managed_node_group["airflow-high-memory"].aws_iam_role_policy_attachment.this" value="cty.NilVal"
2025-01-07T18:09:50Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.eks.module.eks_managed_node_group["airflow-high-memory"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T18:09:50Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.eks.module.eks_managed_node_group["airflow-high-memory"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T18:09:50Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.eks.module.eks_managed_node_group["general"].aws_iam_role_policy_attachment.this" value="cty.NilVal"
2025-01-07T18:09:50Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.eks.module.eks_managed_node_group["general"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T18:09:50Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.eks.module.eks_managed_node_group["general"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T18:09:50Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.eks_cluster_logs_kms.data.aws_iam_policy_document.this[0]" err="1 error occurred:\n\t* invalid for-each in data.aws_iam_policy_document.this[0].dynamic.statement.content.dynamic.condition block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T18:09:50Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.eks_cluster_logs_kms.data.aws_iam_policy_document.this[0]" err="1 error occurred:\n\t* invalid for-each in data.aws_iam_policy_document.this[0].dynamic.statement.content.dynamic.condition block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T18:09:50Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.eks.module.eks_managed_node_group["airflow-high-memory"].aws_iam_role_policy_attachment.this" value="cty.NilVal"
2025-01-07T18:09:50Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.eks.module.eks_managed_node_group["airflow-high-memory"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T18:09:50Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.eks.module.eks_managed_node_group["airflow-high-memory"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T18:09:50Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.eks.module.eks_managed_node_group["general"].aws_iam_role_policy_attachment.this" value="cty.NilVal"
2025-01-07T18:09:50Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.eks.module.eks_managed_node_group["general"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T18:09:50Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.eks.module.eks_managed_node_group["general"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T18:09:51Z INFO [terraform executor] Ignore finding rule="aws-eks-no-public-cluster-access" range="git::https:/github.com/terraform-aws-modules/terraform-aws-eks?ref=a713f6f464eb579a39918f60f130a5fbb77a6b30/main.tf:69"
2025-01-07T18:09:51Z INFO [terraform executor] Ignore finding rule="aws-ec2-no-public-egress-sgr" range="git::https:/github.com/terraform-aws-modules/terraform-aws-eks?ref=a713f6f464eb579a39918f60f130a5fbb77a6b30/node_groups.tf:247"
2025-01-07T18:09:51Z INFO [terraform executor] Ignore finding rule="aws-eks-no-public-cluster-access-to-cidr" range="git::https:/github.com/terraform-aws-modules/terraform-aws-eks?ref=a713f6f464eb579a39918f60f130a5fbb77a6b30/main.tf:70"
2025-01-07T18:09:51Z INFO Number of language-specific files num=0
2025-01-07T18:09:51Z INFO Detected config files num=15
trivy_exitcode=0

</details> #### `Checkov Scan` Success
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/analytical-platform-compute

*****************************

Running Checkov in terraform/environments/analytical-platform-compute
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2025-01-07 18:09:53,844 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-policy:5.52.1 (for external modules, the --download-external-modules flag is required)
2025-01-07 18:09:53,844 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks:5.52.1 (for external modules, the --download-external-modules flag is required)
2025-01-07 18:09:53,844 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-github-oidc-role:5.52.1 (for external modules, the --download-external-modules flag is required)
2025-01-07 18:09:53,844 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-assumable-role:5.52.1 (for external modules, the --download-external-modules flag is required)
2025-01-07 18:09:53,844 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/cloudwatch/aws//modules/log-group:5.7.0 (for external modules, the --download-external-modules flag is required)
2025-01-07 18:09:53,844 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/kms/aws:3.1.1 (for external modules, the --download-external-modules flag is required)
2025-01-07 18:09:53,845 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/eks-pod-identity/aws:1.9.0 (for external modules, the --download-external-modules flag is required)
2025-01-07 18:09:53,845 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/s3-bucket/aws:4.3.0 (for external modules, the --download-external-modules flag is required)
2025-01-07 18:09:53,845 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/rds/aws:6.10.0 (for external modules, the --download-external-modules flag is required)
2025-01-07 18:09:53,845 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/security-group/aws:5.2.0 (for external modules, the --download-external-modules flag is required)
2025-01-07 18:09:53,845 [MainThread  ] [WARNI]  Failed to download module ministryofjustice/observability-platform-tenant/aws:1.2.0 (for external modules, the --download-external-modules flag is required)
2025-01-07 18:09:53,845 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/vpc/aws//modules/vpc-endpoints:5.17.0 (for external modules, the --download-external-modules flag is required)
2025-01-07 18:09:53,848 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/secrets-manager/aws:1.3.1 (for external modules, the --download-external-modules flag is required)
2025-01-07 18:09:53,848 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/eks/aws:20.31.6 (for external modules, the --download-external-modules flag is required)
2025-01-07 18:09:53,849 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/eks/aws//modules/karpenter:20.31.6 (for external modules, the --download-external-modules flag is required)
2025-01-07 18:09:53,849 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/route53/aws//modules/zones:4.1.0 (for external modules, the --download-external-modules flag is required)
2025-01-07 18:09:53,849 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/vpc/aws:5.17.0 (for external modules, the --download-external-modules flag is required)
2025-01-07 18:09:53,849 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/managed-service-prometheus/aws:3.0.0 (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 154, Failed checks: 0, Skipped checks: 153

kubernetes scan results:

Passed checks: 76, Failed checks: 0, Skipped checks: 13


checkov_exitcode=0

CTFLint Scan Success

Show Output 
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/analytical-platform-compute

*****************************

Running tflint in terraform/environments/analytical-platform-compute
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

Trivy Scan Success

Show Output 
*****************************

Trivy will check the following folders:
terraform/environments/analytical-platform-compute

*****************************

Running Trivy in terraform/environments/analytical-platform-compute
2025-01-07T18:09:39Z	INFO	[vulndb] Need to update DB
2025-01-07T18:09:39Z	INFO	[vulndb] Downloading vulnerability DB...
2025-01-07T18:09:39Z	INFO	[vulndb] Downloading artifact...	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-01-07T18:09:41Z	INFO	[vulndb] Artifact successfully downloaded	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-01-07T18:09:41Z	INFO	[vuln] Vulnerability scanning is enabled
2025-01-07T18:09:41Z	INFO	[misconfig] Misconfiguration scanning is enabled
2025-01-07T18:09:41Z	INFO	[misconfig] Need to update the built-in checks
2025-01-07T18:09:41Z	INFO	[misconfig] Downloading the built-in checks...
160.80 KiB / 160.80 KiB [------------------------------------------------------] 100.00% ? p/s 100ms2025-01-07T18:09:41Z	INFO	[secret] Secret scanning is enabled
2025-01-07T18:09:41Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-01-07T18:09:41Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2025-01-07T18:09:44Z	INFO	[terraform scanner] Scanning root module	file_path="."
2025-01-07T18:09:44Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2025-01-07T18:09:44Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.transit_gateway_routes" value="cty.NilVal"
2025-01-07T18:09:49Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.eks.aws_ec2_tag.cluster_primary_security_group" value="cty.NilVal"
2025-01-07T18:09:50Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.eks.module.kms.data.aws_iam_policy_document.this[0]" err="1 error occurred:\n\t* invalid for-each in data.aws_iam_policy_document.this[0].dynamic.statement block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T18:09:50Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.eks.module.kms.data.aws_iam_policy_document.this[0]" err="1 error occurred:\n\t* invalid for-each in data.aws_iam_policy_document.this[0].dynamic.statement block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T18:09:50Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.eks.module.eks_managed_node_group[\"airflow-high-memory\"].aws_iam_role_policy_attachment.this" value="cty.NilVal"
2025-01-07T18:09:50Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.eks.module.eks_managed_node_group[\"airflow-high-memory\"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T18:09:50Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.eks.module.eks_managed_node_group[\"airflow-high-memory\"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T18:09:50Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.eks.module.eks_managed_node_group[\"general\"].aws_iam_role_policy_attachment.this" value="cty.NilVal"
2025-01-07T18:09:50Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.eks.module.eks_managed_node_group[\"general\"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T18:09:50Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.eks.module.eks_managed_node_group[\"general\"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T18:09:50Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.eks_cluster_logs_kms.data.aws_iam_policy_document.this[0]" err="1 error occurred:\n\t* invalid for-each in data.aws_iam_policy_document.this[0].dynamic.statement.content.dynamic.condition block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T18:09:50Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.eks_cluster_logs_kms.data.aws_iam_policy_document.this[0]" err="1 error occurred:\n\t* invalid for-each in data.aws_iam_policy_document.this[0].dynamic.statement.content.dynamic.condition block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T18:09:50Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.eks.module.eks_managed_node_group[\"airflow-high-memory\"].aws_iam_role_policy_attachment.this" value="cty.NilVal"
2025-01-07T18:09:50Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.eks.module.eks_managed_node_group[\"airflow-high-memory\"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T18:09:50Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.eks.module.eks_managed_node_group[\"airflow-high-memory\"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T18:09:50Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.eks.module.eks_managed_node_group[\"general\"].aws_iam_role_policy_attachment.this" value="cty.NilVal"
2025-01-07T18:09:50Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.eks.module.eks_managed_node_group[\"general\"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T18:09:50Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.eks.module.eks_managed_node_group[\"general\"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T18:09:51Z	INFO	[terraform executor] Ignore finding	rule="aws-eks-no-public-cluster-access" range="git::https:/github.com/terraform-aws-modules/terraform-aws-eks?ref=a713f6f464eb579a39918f60f130a5fbb77a6b30/main.tf:69"
2025-01-07T18:09:51Z	INFO	[terraform executor] Ignore finding	rule="aws-ec2-no-public-egress-sgr" range="git::https:/github.com/terraform-aws-modules/terraform-aws-eks?ref=a713f6f464eb579a39918f60f130a5fbb77a6b30/node_groups.tf:247"
2025-01-07T18:09:51Z	INFO	[terraform executor] Ignore finding	rule="aws-eks-no-public-cluster-access-to-cidr" range="git::https:/github.com/terraform-aws-modules/terraform-aws-eks?ref=a713f6f464eb579a39918f60f130a5fbb77a6b30/main.tf:70"
2025-01-07T18:09:51Z	INFO	Number of language-specific files	num=0
2025-01-07T18:09:51Z	INFO	Detected config files	num=15
trivy_exitcode=0

@jacobwoffenden
delete pod
07b8ddf 
Signed-off-by: GitHub <noreply@github.com>
@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Jan 8, 2025

Trivy Scan Success

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/analytical-platform-compute

Running Trivy in terraform/environments/analytical-platform-compute
2025-01-08T09:25:34Z INFO [vulndb] Need to update DB
2025-01-08T09:25:34Z INFO [vulndb] Downloading vulnerability DB...
2025-01-08T09:25:34Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-01-08T09:25:36Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-01-08T09:25:36Z INFO [vuln] Vulnerability scanning is enabled
2025-01-08T09:25:36Z INFO [misconfig] Misconfiguration scanning is enabled
2025-01-08T09:25:36Z INFO [misconfig] Need to update the built-in checks
2025-01-08T09:25:36Z INFO [misconfig] Downloading the built-in checks...
160.80 KiB / 160.80 KiB [---------------------------------------------------------] 100.00% ? p/s 0s2025-01-08T09:25:37Z INFO [secret] Secret scanning is enabled
2025-01-08T09:25:37Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-01-08T09:25:37Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2025-01-08T09:25:38Z INFO [terraform scanner] Scanning root module file_path="."
2025-01-08T09:25:38Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2025-01-08T09:25:38Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.transit_gateway_routes" value="cty.NilVal"
2025-01-08T09:25:44Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.eks.aws_ec2_tag.cluster_primary_security_group" value="cty.NilVal"
2025-01-08T09:25:45Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.eks.module.kms.data.aws_iam_policy_document.this[0]" err="1 error occurred:\n\t* invalid for-each in data.aws_iam_policy_document.this[0].dynamic.statement block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-08T09:25:45Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.eks.module.kms.data.aws_iam_policy_document.this[0]" err="1 error occurred:\n\t* invalid for-each in data.aws_iam_policy_document.this[0].dynamic.statement block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-08T09:25:45Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.eks.module.eks_managed_node_group["airflow-high-memory"].aws_iam_role_policy_attachment.this" value="cty.NilVal"
2025-01-08T09:25:45Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.eks.module.eks_managed_node_group["airflow-high-memory"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-08T09:25:45Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.eks.module.eks_managed_node_group["airflow-high-memory"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-08T09:25:45Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.eks.module.eks_managed_node_group["general"].aws_iam_role_policy_attachment.this" value="cty.NilVal"
2025-01-08T09:25:45Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.eks.module.eks_managed_node_group["general"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-08T09:25:45Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.eks.module.eks_managed_node_group["general"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-08T09:25:45Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.eks_cluster_logs_kms.data.aws_iam_policy_document.this[0]" err="1 error occurred:\n\t* invalid for-each in data.aws_iam_policy_document.this[0].dynamic.statement.content.dynamic.condition block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-08T09:25:45Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.eks_cluster_logs_kms.data.aws_iam_policy_document.this[0]" err="1 error occurred:\n\t* invalid for-each in data.aws_iam_policy_document.this[0].dynamic.statement.content.dynamic.condition block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-08T09:25:45Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.eks.module.eks_managed_node_group["airflow-high-memory"].aws_iam_role_policy_attachment.this" value="cty.NilVal"
2025-01-08T09:25:45Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.eks.module.eks_managed_node_group["airflow-high-memory"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-08T09:25:45Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.eks.module.eks_managed_node_group["airflow-high-memory"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-08T09:25:45Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.eks.module.eks_managed_node_group["general"].aws_iam_role_policy_attachment.this" value="cty.NilVal"
2025-01-08T09:25:45Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.eks.module.eks_managed_node_group["general"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-08T09:25:45Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.eks.module.eks_managed_node_group["general"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-08T09:25:46Z INFO [terraform executor] Ignore finding rule="aws-eks-no-public-cluster-access" range="git::https:/github.com/terraform-aws-modules/terraform-aws-eks?ref=a713f6f464eb579a39918f60f130a5fbb77a6b30/main.tf:69"
2025-01-08T09:25:46Z INFO [terraform executor] Ignore finding rule="aws-ec2-no-public-egress-sgr" range="git::https:/github.com/terraform-aws-modules/terraform-aws-eks?ref=a713f6f464eb579a39918f60f130a5fbb77a6b30/node_groups.tf:247"
2025-01-08T09:25:46Z INFO [terraform executor] Ignore finding rule="aws-eks-no-public-cluster-access-to-cidr" range="git::https:/github.com/terraform-aws-modules/terraform-aws-eks?ref=a713f6f464eb579a39918f60f130a5fbb77a6b30/main.tf:70"
2025-01-08T09:25:48Z INFO Number of language-specific files num=0
2025-01-08T09:25:48Z INFO Detected config files num=14
trivy_exitcode=0

</details> #### `Checkov Scan` Success
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/analytical-platform-compute

*****************************

Running Checkov in terraform/environments/analytical-platform-compute
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2025-01-08 09:25:50,761 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-policy:5.52.1 (for external modules, the --download-external-modules flag is required)
2025-01-08 09:25:50,764 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks:5.52.1 (for external modules, the --download-external-modules flag is required)
2025-01-08 09:25:50,764 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-github-oidc-role:5.52.1 (for external modules, the --download-external-modules flag is required)
2025-01-08 09:25:50,764 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-assumable-role:5.52.1 (for external modules, the --download-external-modules flag is required)
2025-01-08 09:25:50,764 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/cloudwatch/aws//modules/log-group:5.7.0 (for external modules, the --download-external-modules flag is required)
2025-01-08 09:25:50,764 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/kms/aws:3.1.1 (for external modules, the --download-external-modules flag is required)
2025-01-08 09:25:50,765 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/eks-pod-identity/aws:1.9.0 (for external modules, the --download-external-modules flag is required)
2025-01-08 09:25:50,765 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/s3-bucket/aws:4.3.0 (for external modules, the --download-external-modules flag is required)
2025-01-08 09:25:50,765 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/rds/aws:6.10.0 (for external modules, the --download-external-modules flag is required)
2025-01-08 09:25:50,765 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/security-group/aws:5.2.0 (for external modules, the --download-external-modules flag is required)
2025-01-08 09:25:50,765 [MainThread  ] [WARNI]  Failed to download module ministryofjustice/observability-platform-tenant/aws:1.2.0 (for external modules, the --download-external-modules flag is required)
2025-01-08 09:25:50,765 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/vpc/aws//modules/vpc-endpoints:5.17.0 (for external modules, the --download-external-modules flag is required)
2025-01-08 09:25:50,765 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/secrets-manager/aws:1.3.1 (for external modules, the --download-external-modules flag is required)
2025-01-08 09:25:50,766 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/eks/aws:20.31.6 (for external modules, the --download-external-modules flag is required)
2025-01-08 09:25:50,766 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/eks/aws//modules/karpenter:20.31.6 (for external modules, the --download-external-modules flag is required)
2025-01-08 09:25:50,766 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/route53/aws//modules/zones:4.1.0 (for external modules, the --download-external-modules flag is required)
2025-01-08 09:25:50,766 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/vpc/aws:5.17.0 (for external modules, the --download-external-modules flag is required)
2025-01-08 09:25:50,766 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/managed-service-prometheus/aws:3.0.0 (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 154, Failed checks: 0, Skipped checks: 153


checkov_exitcode=0

CTFLint Scan Success

Show Output 
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/analytical-platform-compute

*****************************

Running tflint in terraform/environments/analytical-platform-compute
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

Trivy Scan Success

Show Output 
*****************************

Trivy will check the following folders:
terraform/environments/analytical-platform-compute

*****************************

Running Trivy in terraform/environments/analytical-platform-compute
2025-01-08T09:25:34Z	INFO	[vulndb] Need to update DB
2025-01-08T09:25:34Z	INFO	[vulndb] Downloading vulnerability DB...
2025-01-08T09:25:34Z	INFO	[vulndb] Downloading artifact...	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-01-08T09:25:36Z	INFO	[vulndb] Artifact successfully downloaded	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-01-08T09:25:36Z	INFO	[vuln] Vulnerability scanning is enabled
2025-01-08T09:25:36Z	INFO	[misconfig] Misconfiguration scanning is enabled
2025-01-08T09:25:36Z	INFO	[misconfig] Need to update the built-in checks
2025-01-08T09:25:36Z	INFO	[misconfig] Downloading the built-in checks...
160.80 KiB / 160.80 KiB [---------------------------------------------------------] 100.00% ? p/s 0s2025-01-08T09:25:37Z	INFO	[secret] Secret scanning is enabled
2025-01-08T09:25:37Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-01-08T09:25:37Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2025-01-08T09:25:38Z	INFO	[terraform scanner] Scanning root module	file_path="."
2025-01-08T09:25:38Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2025-01-08T09:25:38Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.transit_gateway_routes" value="cty.NilVal"
2025-01-08T09:25:44Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.eks.aws_ec2_tag.cluster_primary_security_group" value="cty.NilVal"
2025-01-08T09:25:45Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.eks.module.kms.data.aws_iam_policy_document.this[0]" err="1 error occurred:\n\t* invalid for-each in data.aws_iam_policy_document.this[0].dynamic.statement block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-08T09:25:45Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.eks.module.kms.data.aws_iam_policy_document.this[0]" err="1 error occurred:\n\t* invalid for-each in data.aws_iam_policy_document.this[0].dynamic.statement block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-08T09:25:45Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.eks.module.eks_managed_node_group[\"airflow-high-memory\"].aws_iam_role_policy_attachment.this" value="cty.NilVal"
2025-01-08T09:25:45Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.eks.module.eks_managed_node_group[\"airflow-high-memory\"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-08T09:25:45Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.eks.module.eks_managed_node_group[\"airflow-high-memory\"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-08T09:25:45Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.eks.module.eks_managed_node_group[\"general\"].aws_iam_role_policy_attachment.this" value="cty.NilVal"
2025-01-08T09:25:45Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.eks.module.eks_managed_node_group[\"general\"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-08T09:25:45Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.eks.module.eks_managed_node_group[\"general\"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-08T09:25:45Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.eks_cluster_logs_kms.data.aws_iam_policy_document.this[0]" err="1 error occurred:\n\t* invalid for-each in data.aws_iam_policy_document.this[0].dynamic.statement.content.dynamic.condition block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-08T09:25:45Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.eks_cluster_logs_kms.data.aws_iam_policy_document.this[0]" err="1 error occurred:\n\t* invalid for-each in data.aws_iam_policy_document.this[0].dynamic.statement.content.dynamic.condition block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-08T09:25:45Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.eks.module.eks_managed_node_group[\"airflow-high-memory\"].aws_iam_role_policy_attachment.this" value="cty.NilVal"
2025-01-08T09:25:45Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.eks.module.eks_managed_node_group[\"airflow-high-memory\"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-08T09:25:45Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.eks.module.eks_managed_node_group[\"airflow-high-memory\"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-08T09:25:45Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.eks.module.eks_managed_node_group[\"general\"].aws_iam_role_policy_attachment.this" value="cty.NilVal"
2025-01-08T09:25:45Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.eks.module.eks_managed_node_group[\"general\"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-08T09:25:45Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.eks.module.eks_managed_node_group[\"general\"].aws_launch_template.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_launch_template.this[0].dynamic.block_device_mappings block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-08T09:25:46Z	INFO	[terraform executor] Ignore finding	rule="aws-eks-no-public-cluster-access" range="git::https:/github.com/terraform-aws-modules/terraform-aws-eks?ref=a713f6f464eb579a39918f60f130a5fbb77a6b30/main.tf:69"
2025-01-08T09:25:46Z	INFO	[terraform executor] Ignore finding	rule="aws-ec2-no-public-egress-sgr" range="git::https:/github.com/terraform-aws-modules/terraform-aws-eks?ref=a713f6f464eb579a39918f60f130a5fbb77a6b30/node_groups.tf:247"
2025-01-08T09:25:46Z	INFO	[terraform executor] Ignore finding	rule="aws-eks-no-public-cluster-access-to-cidr" range="git::https:/github.com/terraform-aws-modules/terraform-aws-eks?ref=a713f6f464eb579a39918f60f130a5fbb77a6b30/main.tf:70"
2025-01-08T09:25:48Z	INFO	Number of language-specific files	num=0
2025-01-08T09:25:48Z	INFO	Detected config files	num=14
trivy_exitcode=0

Gary-H9
Gary-H9 approved these changes Jan 8, 2025
View reviewed changes
Copy link
Contributor

@Gary-H9 Gary-H9 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@jacobwoffenden jacobwoffenden merged commit 9d6d04a into main Jan 8, 2025
14 checks passed
@jacobwoffenden jacobwoffenden deleted the chore/apc-patching branch January 8, 2025 15:14
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Gary-H9 Gary-H9 Gary-H9 approved these changes

Assignees

@jacobwoffenden jacobwoffenden

Labels
environments-repository Used to exclude PRs from this repo in our Slack PR update
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

📥 Maintenance - Analytical Platform Compute
2 participants
@jacobwoffenden @Gary-H9