Trivy will check the following folders:
terraform/environments/laa-stabilisation-cdc-poc
Running Trivy in terraform/environments/laa-stabilisation-cdc-poc
2025-01-07T13:37:38Z INFO [vulndb] Need to update DB
2025-01-07T13:37:38Z INFO [vulndb] Downloading vulnerability DB...
2025-01-07T13:37:38Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-01-07T13:37:40Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-01-07T13:37:40Z INFO [vuln] Vulnerability scanning is enabled
2025-01-07T13:37:40Z INFO [misconfig] Misconfiguration scanning is enabled
2025-01-07T13:37:40Z INFO [misconfig] Need to update the built-in checks
2025-01-07T13:37:40Z INFO [misconfig] Downloading the built-in checks...
160.80 KiB / 160.80 KiB [------------------------------------------------------] 100.00% ? p/s 100ms
2025-01-07T13:37:40Z INFO [secret] Secret scanning is enabled
2025-01-07T13:37:40Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-01-07T13:37:40Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2025-01-07T13:37:41Z INFO [terraform scanner] Scanning root module file_path="."
2025-01-07T13:37:41Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2025-01-07T13:37:41Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2025-01-07T13:37:41Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2025-01-07T13:37:41Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T13:37:41Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T13:37:42Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2025-01-07T13:37:42Z INFO Number of language-specific files num=0
2025-01-07T13:37:42Z INFO Detected config files num=4
AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.
By default aws_instance resource sets IMDS session auth tokens to be optional.
To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.
See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
database.tf:157
via database.tf:156-158 (metadata_options)
via database.tf:145-174 (aws_instance.database)
────────────────────────────────────────
145 resource "aws_instance" "database" {
...
157 [ http_tokens = "optional"
...
174 }
────────────────────────────────────────
AVD-AWS-0131 (HIGH): Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.
AVD-AWS-0088 (HIGH): Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.
AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.
</details>

#### `Checkov Scan` Failed
<details><summary>Show Output</summary>
```hcl
*****************************
Checkov will check the following folders:
terraform/environments/laa-stabilisation-cdc-poc
*****************************
Running Checkov in terraform/environments/laa-stabilisation-cdc-poc
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2025-01-07 13:37:45,309 [MainThread ] [WARNI] Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:
Passed checks: 110, Failed checks: 13, Skipped checks: 0
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
FAILED for resource: bastion_linux
File: /bastion.tf:5-32
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision
5 | module "bastion_linux" {
6 | source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0"
7 |
8 | providers = {
9 | aws.share-host = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
10 | aws.share-tenant = aws # The default provider (unaliased, `aws`) is the tenant
11 | }
12 | # s3 - used for logs and user ssh public keys
13 | bucket_name = "bastion-${local.application_name_short}"
14 | # public keys
15 | public_key_data = local.public_key_data.keys[local.environment]
16 | # logs
17 | log_auto_clean = "Enabled"
18 | log_standard_ia_days = 30 # days before moving to IA storage
19 | log_glacier_days = 60 # days before moving to Glacier
20 | log_expiry_days = 180 # days before log expiration
21 | # bastion
22 | allow_ssh_commands = false
23 | app_name = var.networking[0].application
24 | business_unit = local.vpc_name
25 | subnet_set = local.subnet_set
26 | environment = local.environment
27 | region = "eu-west-2"
28 |
29 | # Tags
30 | tags_common = local.tags
31 | tags_prefix = terraform.workspace
32 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.database
File: /database.tf:145-174
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31
145 | resource "aws_instance" "database" {
146 | ami = local.application_data.accounts[local.environment].db_ami_id
147 | availability_zone = "eu-west-2a"
148 | instance_type = local.application_data.accounts[local.environment].db_instance_type
149 | monitoring = true
150 | vpc_security_group_ids = [aws_security_group.database.id]
151 | subnet_id = data.aws_subnet.data_subnets_a.id
152 | iam_instance_profile = aws_iam_instance_profile.cwa.id
153 | key_name = aws_key_pair.cwa.key_name
154 | user_data_base64 = base64encode(local.db_userdata)
155 | user_data_replace_on_change = true
156 | metadata_options {
157 | http_tokens = "optional"
158 | }
159 |
160 | root_block_device {
161 | tags = merge(
162 | { "instance-scheduling" = "skip-scheduling" },
163 | local.tags,
164 | { "Name" = "${local.application_name_short}-database-root" }
165 | )
166 | }
167 |
168 | tags = merge(
169 | { "instance-scheduling" = "skip-scheduling" },
170 | local.tags,
171 | { "Name" = local.database_ec2_name }
172 | )
173 | depends_on = [time_sleep.wait_db_userdata_scripts]
174 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.database
File: /database.tf:145-174
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized
145 | resource "aws_instance" "database" {
146 | ami = local.application_data.accounts[local.environment].db_ami_id
147 | availability_zone = "eu-west-2a"
148 | instance_type = local.application_data.accounts[local.environment].db_instance_type
149 | monitoring = true
150 | vpc_security_group_ids = [aws_security_group.database.id]
151 | subnet_id = data.aws_subnet.data_subnets_a.id
152 | iam_instance_profile = aws_iam_instance_profile.cwa.id
153 | key_name = aws_key_pair.cwa.key_name
154 | user_data_base64 = base64encode(local.db_userdata)
155 | user_data_replace_on_change = true
156 | metadata_options {
157 | http_tokens = "optional"
158 | }
159 |
160 | root_block_device {
161 | tags = merge(
162 | { "instance-scheduling" = "skip-scheduling" },
163 | local.tags,
164 | { "Name" = "${local.application_name_short}-database-root" }
165 | )
166 | }
167 |
168 | tags = merge(
169 | { "instance-scheduling" = "skip-scheduling" },
170 | local.tags,
171 | { "Name" = local.database_ec2_name }
172 | )
173 | depends_on = [time_sleep.wait_db_userdata_scripts]
174 | }
Check: CKV_AWS_23: "Ensure every security group and rule has a description"
FAILED for resource: aws_vpc_security_group_egress_rule.db_outbound
File: /database.tf:197-201
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31
197 | resource "aws_vpc_security_group_egress_rule" "db_outbound" {
198 | security_group_id = aws_security_group.database.id
199 | cidr_ipv4 = "0.0.0.0/0"
200 | ip_protocol = "-1"
201 | }
Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
FAILED for resource: aws_vpc_security_group_ingress_rule.db_bastion_ssh
File: /database.tf:203-210
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security
203 | resource "aws_vpc_security_group_ingress_rule" "db_bastion_ssh" {
204 | security_group_id = aws_security_group.database.id
205 | description = "SSH from the Bastion"
206 | referenced_security_group_id = module.bastion_linux.bastion_security_group
207 | from_port = 22
208 | ip_protocol = "tcp"
209 | to_port = 22
210 | }
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
FAILED for resource: aws_iam_policy.cwa
File: /ec2_iam_profile.tf:44-108
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: aws_iam_policy.cwa
File: /ec2_iam_profile.tf:44-108
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
FAILED for resource: aws_s3_bucket.scripts
File: /s3.tf:5-11
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled
5 | resource "aws_s3_bucket" "scripts" {
6 | bucket = "${local.application_name_short}-${local.environment}-scripts"
7 | tags = merge(
8 | local.tags,
9 | { Name = "${local.application_name_short}-${local.environment}-scripts" }
10 | )
11 | }
Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
FAILED for resource: aws_s3_bucket.scripts
File: /s3.tf:5-11
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61
5 | resource "aws_s3_bucket" "scripts" {
6 | bucket = "${local.application_name_short}-${local.environment}-scripts"
7 | tags = merge(
8 | local.tags,
9 | { Name = "${local.application_name_short}-${local.environment}-scripts" }
10 | )
11 | }
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
FAILED for resource: aws_s3_bucket.scripts
File: /s3.tf:5-11
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62
5 | resource "aws_s3_bucket" "scripts" {
6 | bucket = "${local.application_name_short}-${local.environment}-scripts"
7 | tags = merge(
8 | local.tags,
9 | { Name = "${local.application_name_short}-${local.environment}-scripts" }
10 | )
11 | }
Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
FAILED for resource: aws_s3_bucket.scripts
File: /s3.tf:5-11
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default
5 | resource "aws_s3_bucket" "scripts" {
6 | bucket = "${local.application_name_short}-${local.environment}-scripts"
7 | tags = merge(
8 | local.tags,
9 | { Name = "${local.application_name_short}-${local.environment}-scripts" }
10 | )
11 | }
Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
FAILED for resource: aws_s3_bucket.scripts
File: /s3.tf:5-11
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging
5 | resource "aws_s3_bucket" "scripts" {
6 | bucket = "${local.application_name_short}-${local.environment}-scripts"
7 | tags = merge(
8 | local.tags,
9 | { Name = "${local.application_name_short}-${local.environment}-scripts" }
10 | )
11 | }
Check: CKV2_AWS_65: "Ensure access control lists for S3 buckets are disabled"
FAILED for resource: aws_s3_bucket_ownership_controls.scripts
File: /s3.tf:21-26
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-112
21 | resource "aws_s3_bucket_ownership_controls" "scripts" {
22 | bucket = aws_s3_bucket.scripts.id
23 | rule {
24 | object_ownership = "ObjectWriter"
25 | }
26 | }
checkov_exitcode=1
#### `TFLint Scan` Failed
Show Output
*****************************
Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version:0.9.1)
tflint will check the following folders:
terraform/environments/laa-stabilisation-cdc-poc
*****************************
Running tflint in terraform/environments/laa-stabilisation-cdc-poc
Excluding the following checks: terraform_unused_declarations
1 issue(s) found:
Warning: Missing version constraint for provider "time" in `required_providers` (terraform_required_providers)
on terraform/environments/laa-stabilisation-cdc-poc/database.tf line 136:
136: resource "time_sleep" "wait_db_userdata_scripts" {
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md
tflint_exitcode=2
#### `Trivy Scan` Failed
Show Output
*****************************
Trivy will check the following folders:
terraform/environments/laa-stabilisation-cdc-poc
*****************************
Running Trivy in terraform/environments/laa-stabilisation-cdc-poc
2025-01-07T13:37:38Z INFO [vulndb] Need to update DB
2025-01-07T13:37:38Z INFO [vulndb] Downloading vulnerability DB...
2025-01-07T13:37:38Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-01-07T13:37:40Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-01-07T13:37:40Z INFO [vuln] Vulnerability scanning is enabled
2025-01-07T13:37:40Z INFO [misconfig] Misconfiguration scanning is enabled
2025-01-07T13:37:40Z INFO [misconfig] Need to update the built-in checks
2025-01-07T13:37:40Z INFO [misconfig] Downloading the built-in checks...
160.80 KiB / 160.80 KiB [------------------------------------------------------] 100.00% ? p/s 100ms
2025-01-07T13:37:40Z INFO [secret] Secret scanning is enabled
2025-01-07T13:37:40Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-01-07T13:37:40Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2025-01-07T13:37:41Z INFO [terraform scanner] Scanning root module file_path="."
2025-01-07T13:37:41Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2025-01-07T13:37:41Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2025-01-07T13:37:41Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2025-01-07T13:37:41Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T13:37:41Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T13:37:42Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2025-01-07T13:37:42Z INFO Number of language-specific files num=0
2025-01-07T13:37:42Z INFO Detected config files num=4
database.tf (terraform)
=======================
Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)
AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.
By default aws_instance resource sets IMDS session auth tokens to be optional.
To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.
See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
database.tf:157
via database.tf:156-158 (metadata_options)
via database.tf:145-174 (aws_instance.database)
────────────────────────────────────────
145 resource "aws_instance" "database" {
...
157 [ http_tokens = "optional"
...
174 }
────────────────────────────────────────
AVD-AWS-0131 (HIGH): Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.
See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
database.tf:145-174
────────────────────────────────────────
145 ┌ resource "aws_instance" "database" {
146 │ ami = local.application_data.accounts[local.environment].db_ami_id
147 │ availability_zone = "eu-west-2a"
148 │ instance_type = local.application_data.accounts[local.environment].db_instance_type
149 │ monitoring = true
150 │ vpc_security_group_ids = [aws_security_group.database.id]
151 │ subnet_id = data.aws_subnet.data_subnets_a.id
152 │ iam_instance_profile = aws_iam_instance_profile.cwa.id
153 └ key_name = aws_key_pair.cwa.key_name
...
────────────────────────────────────────
s3.tf (terraform)
=================
Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)
AVD-AWS-0088 (HIGH): Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.
See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
s3.tf:5-11
────────────────────────────────────────
5 ┌ resource "aws_s3_bucket" "scripts" {
6 │ bucket = "${local.application_name_short}-${local.environment}-scripts"
7 │ tags = merge(
8 │ local.tags,
9 │ { Name ="${local.application_name_short}-${local.environment}-scripts" }
10 │ )
11 └ }
────────────────────────────────────────
AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.
See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
s3.tf:5-11
────────────────────────────────────────
5 ┌ resource "aws_s3_bucket" "scripts" {
6 │ bucket = "${local.application_name_short}-${local.environment}-scripts"
7 │ tags = merge(
8 │ local.tags,
9 │ { Name ="${local.application_name_short}-${local.environment}-scripts" }
10 │ )
11 └ }
────────────────────────────────────────
trivy_exitcode=1
Trivy will check the following folders:
terraform/environments/laa-stabilisation-cdc-poc
Running Trivy in terraform/environments/laa-stabilisation-cdc-poc
2025-01-07T13:42:31Z INFO [vulndb] Need to update DB
2025-01-07T13:42:31Z INFO [vulndb] Downloading vulnerability DB...
2025-01-07T13:42:31Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-01-07T13:42:34Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-01-07T13:42:34Z INFO [vuln] Vulnerability scanning is enabled
2025-01-07T13:42:34Z INFO [misconfig] Misconfiguration scanning is enabled
2025-01-07T13:42:34Z INFO [misconfig] Need to update the built-in checks
2025-01-07T13:42:34Z INFO [misconfig] Downloading the built-in checks...
160.80 KiB / 160.80 KiB [------------------------------------------------------] 100.00% ? p/s 100ms
2025-01-07T13:42:34Z INFO [secret] Secret scanning is enabled
2025-01-07T13:42:34Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-01-07T13:42:34Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2025-01-07T13:42:35Z INFO [terraform scanner] Scanning root module file_path="."
2025-01-07T13:42:35Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2025-01-07T13:42:35Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2025-01-07T13:42:35Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2025-01-07T13:42:35Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T13:42:35Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T13:42:36Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2025-01-07T13:42:36Z INFO Number of language-specific files num=0
2025-01-07T13:42:36Z INFO Detected config files num=4
AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.
By default aws_instance resource sets IMDS session auth tokens to be optional.
To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.
See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
database.tf:157
via database.tf:156-158 (metadata_options)
via database.tf:145-174 (aws_instance.database)
────────────────────────────────────────
145 resource "aws_instance" "database" {
...
157 [ http_tokens = "optional"
...
174 }
────────────────────────────────────────
AVD-AWS-0131 (HIGH): Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.
AVD-AWS-0088 (HIGH): Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.
AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.
</details>

#### `Checkov Scan` Failed
<details><summary>Show Output</summary>
```hcl
*****************************
Checkov will check the following folders:
terraform/environments/laa-stabilisation-cdc-poc
*****************************
Running Checkov in terraform/environments/laa-stabilisation-cdc-poc
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2025-01-07 13:42:39,212 [MainThread ] [WARNI] Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:
Passed checks: 110, Failed checks: 13, Skipped checks: 0
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
FAILED for resource: bastion_linux
File: /bastion.tf:5-32
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision
5 | module "bastion_linux" {
6 | source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0"
7 |
8 | providers = {
9 | aws.share-host = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
10 | aws.share-tenant = aws # The default provider (unaliased, `aws`) is the tenant
11 | }
12 | # s3 - used for logs and user ssh public keys
13 | bucket_name = "bastion-${local.application_name_short}"
14 | # public keys
15 | public_key_data = local.public_key_data.keys[local.environment]
16 | # logs
17 | log_auto_clean = "Enabled"
18 | log_standard_ia_days = 30 # days before moving to IA storage
19 | log_glacier_days = 60 # days before moving to Glacier
20 | log_expiry_days = 180 # days before log expiration
21 | # bastion
22 | allow_ssh_commands = false
23 | app_name = var.networking[0].application
24 | business_unit = local.vpc_name
25 | subnet_set = local.subnet_set
26 | environment = local.environment
27 | region = "eu-west-2"
28 |
29 | # Tags
30 | tags_common = local.tags
31 | tags_prefix = terraform.workspace
32 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.database
File: /database.tf:145-174
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31
145 | resource "aws_instance" "database" {
146 | ami = local.application_data.accounts[local.environment].db_ami_id
147 | availability_zone = "eu-west-2a"
148 | instance_type = local.application_data.accounts[local.environment].db_instance_type
149 | monitoring = true
150 | vpc_security_group_ids = [aws_security_group.database.id]
151 | subnet_id = data.aws_subnet.data_subnets_a.id
152 | iam_instance_profile = aws_iam_instance_profile.cwa.id
153 | key_name = aws_key_pair.cwa.key_name
154 | user_data_base64 = base64encode(local.db_userdata)
155 | user_data_replace_on_change = true
156 | metadata_options {
157 | http_tokens = "optional"
158 | }
159 |
160 | root_block_device {
161 | tags = merge(
162 | { "instance-scheduling" = "skip-scheduling" },
163 | local.tags,
164 | { "Name" = "${local.application_name_short}-database-root" }
165 | )
166 | }
167 |
168 | tags = merge(
169 | { "instance-scheduling" = "skip-scheduling" },
170 | local.tags,
171 | { "Name" = local.database_ec2_name }
172 | )
173 | depends_on = [time_sleep.wait_db_userdata_scripts]
174 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.database
File: /database.tf:145-174
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized
145 | resource "aws_instance" "database" {
146 | ami = local.application_data.accounts[local.environment].db_ami_id
147 | availability_zone = "eu-west-2a"
148 | instance_type = local.application_data.accounts[local.environment].db_instance_type
149 | monitoring = true
150 | vpc_security_group_ids = [aws_security_group.database.id]
151 | subnet_id = data.aws_subnet.data_subnets_a.id
152 | iam_instance_profile = aws_iam_instance_profile.cwa.id
153 | key_name = aws_key_pair.cwa.key_name
154 | user_data_base64 = base64encode(local.db_userdata)
155 | user_data_replace_on_change = true
156 | metadata_options {
157 | http_tokens = "optional"
158 | }
159 |
160 | root_block_device {
161 | tags = merge(
162 | { "instance-scheduling" = "skip-scheduling" },
163 | local.tags,
164 | { "Name" = "${local.application_name_short}-database-root" }
165 | )
166 | }
167 |
168 | tags = merge(
169 | { "instance-scheduling" = "skip-scheduling" },
170 | local.tags,
171 | { "Name" = local.database_ec2_name }
172 | )
173 | depends_on = [time_sleep.wait_db_userdata_scripts]
174 | }
Check: CKV_AWS_23: "Ensure every security group and rule has a description"
FAILED for resource: aws_vpc_security_group_egress_rule.db_outbound
File: /database.tf:197-201
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31
197 | resource "aws_vpc_security_group_egress_rule" "db_outbound" {
198 | security_group_id = aws_security_group.database.id
199 | cidr_ipv4 = "0.0.0.0/0"
200 | ip_protocol = "-1"
201 | }
Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
FAILED for resource: aws_vpc_security_group_ingress_rule.db_bastion_ssh
File: /database.tf:203-210
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security
203 | resource "aws_vpc_security_group_ingress_rule" "db_bastion_ssh" {
204 | security_group_id = aws_security_group.database.id
205 | description = "SSH from the Bastion"
206 | referenced_security_group_id = module.bastion_linux.bastion_security_group
207 | from_port = 22
208 | ip_protocol = "tcp"
209 | to_port = 22
210 | }
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
FAILED for resource: aws_iam_policy.cwa
File: /ec2_iam_profile.tf:44-108
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: aws_iam_policy.cwa
File: /ec2_iam_profile.tf:44-108
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
FAILED for resource: aws_s3_bucket.scripts
File: /s3.tf:5-11
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled
5 | resource "aws_s3_bucket" "scripts" {
6 | bucket = "${local.application_name_short}-${local.environment}-scripts"
7 | tags = merge(
8 | local.tags,
9 | { Name = "${local.application_name_short}-${local.environment}-scripts" }
10 | )
11 | }
Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
FAILED for resource: aws_s3_bucket.scripts
File: /s3.tf:5-11
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61
5 | resource "aws_s3_bucket" "scripts" {
6 | bucket = "${local.application_name_short}-${local.environment}-scripts"
7 | tags = merge(
8 | local.tags,
9 | { Name = "${local.application_name_short}-${local.environment}-scripts" }
10 | )
11 | }
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
FAILED for resource: aws_s3_bucket.scripts
File: /s3.tf:5-11
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62
5 | resource "aws_s3_bucket" "scripts" {
6 | bucket = "${local.application_name_short}-${local.environment}-scripts"
7 | tags = merge(
8 | local.tags,
9 | { Name = "${local.application_name_short}-${local.environment}-scripts" }
10 | )
11 | }
Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
FAILED for resource: aws_s3_bucket.scripts
File: /s3.tf:5-11
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default
5 | resource "aws_s3_bucket" "scripts" {
6 | bucket = "${local.application_name_short}-${local.environment}-scripts"
7 | tags = merge(
8 | local.tags,
9 | { Name = "${local.application_name_short}-${local.environment}-scripts" }
10 | )
11 | }
Check: CKV2_AWS_65: "Ensure access control lists for S3 buckets are disabled"
FAILED for resource: aws_s3_bucket_ownership_controls.scripts
File: /s3.tf:21-26
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-112
21 | resource "aws_s3_bucket_ownership_controls" "scripts" {
22 | bucket = aws_s3_bucket.scripts.id
23 | rule {
24 | object_ownership = "ObjectWriter"
25 | }
26 | }
Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
FAILED for resource: aws_s3_bucket.scripts
File: /s3.tf:5-11
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging
5 | resource "aws_s3_bucket" "scripts" {
6 | bucket = "${local.application_name_short}-${local.environment}-scripts"
7 | tags = merge(
8 | local.tags,
9 | { Name = "${local.application_name_short}-${local.environment}-scripts" }
10 | )
11 | }
checkov_exitcode=1
TFLint Scan Failed
Show Output
*****************************
Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version:0.9.1)
tflint will check the following folders:
terraform/environments/laa-stabilisation-cdc-poc
*****************************
Running tflint in terraform/environments/laa-stabilisation-cdc-poc
Excluding the following checks: terraform_unused_declarations
1 issue(s) found:
Warning: Missing version constraint for provider "time" in `required_providers` (terraform_required_providers)
on terraform/environments/laa-stabilisation-cdc-poc/database.tf line 136:
136: resource "time_sleep" "wait_db_userdata_scripts" {
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md
tflint_exitcode=2
Trivy Scan Failed
Show Output
*****************************
Trivy will check the following folders:
terraform/environments/laa-stabilisation-cdc-poc
*****************************
Running Trivy in terraform/environments/laa-stabilisation-cdc-poc
2025-01-07T13:42:31Z INFO [vulndb] Need to update DB
2025-01-07T13:42:31Z INFO [vulndb] Downloading vulnerability DB...
2025-01-07T13:42:31Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-01-07T13:42:34Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-01-07T13:42:34Z INFO [vuln] Vulnerability scanning is enabled
2025-01-07T13:42:34Z INFO [misconfig] Misconfiguration scanning is enabled
2025-01-07T13:42:34Z INFO [misconfig] Need to update the built-in checks
2025-01-07T13:42:34Z INFO [misconfig] Downloading the built-in checks...
160.80 KiB / 160.80 KiB [------------------------------------------------------] 100.00% ? p/s 100ms
2025-01-07T13:42:34Z INFO [secret] Secret scanning is enabled
2025-01-07T13:42:34Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-01-07T13:42:34Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2025-01-07T13:42:35Z INFO [terraform scanner] Scanning root module file_path="."
2025-01-07T13:42:35Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2025-01-07T13:42:35Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2025-01-07T13:42:35Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2025-01-07T13:42:35Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T13:42:35Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T13:42:36Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2025-01-07T13:42:36Z INFO Number of language-specific files num=0
2025-01-07T13:42:36Z INFO Detected config files num=4
database.tf (terraform)
=======================
Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)
AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.
By default aws_instance resource sets IMDS session auth tokens to be optional.
To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.
See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
database.tf:157
via database.tf:156-158 (metadata_options)
via database.tf:145-174 (aws_instance.database)
────────────────────────────────────────
145 resource "aws_instance" "database" {
...
157 [ http_tokens = "optional"
...
174 }
────────────────────────────────────────
AVD-AWS-0131 (HIGH): Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.
See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
database.tf:145-174
────────────────────────────────────────
145 ┌ resource "aws_instance" "database" {
146 │ ami = local.application_data.accounts[local.environment].db_ami_id
147 │ availability_zone = "eu-west-2a"
148 │ instance_type = local.application_data.accounts[local.environment].db_instance_type
149 │ monitoring = true
150 │ vpc_security_group_ids = [aws_security_group.database.id]
151 │ subnet_id = data.aws_subnet.data_subnets_a.id
152 │ iam_instance_profile = aws_iam_instance_profile.cwa.id
153 └ key_name = aws_key_pair.cwa.key_name
...
────────────────────────────────────────
s3.tf (terraform)
=================
Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)
AVD-AWS-0088 (HIGH): Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.
See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
s3.tf:5-11
────────────────────────────────────────
5 ┌ resource "aws_s3_bucket" "scripts" {
6 │ bucket = "${local.application_name_short}-${local.environment}-scripts"
7 │ tags = merge(
8 │ local.tags,
9 │ { Name ="${local.application_name_short}-${local.environment}-scripts" }
10 │ )
11 └ }
────────────────────────────────────────
AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.
See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
s3.tf:5-11
────────────────────────────────────────
5 ┌ resource "aws_s3_bucket" "scripts" {
6 │ bucket = "${local.application_name_short}-${local.environment}-scripts"
7 │ tags = merge(
8 │ local.tags,
9 │ { Name ="${local.application_name_short}-${local.environment}-scripts" }
10 │ )
11 └ }
────────────────────────────────────────
trivy_exitcode=1
Trivy will check the following folders:
terraform/environments/laa-stabilisation-cdc-poc
Running Trivy in terraform/environments/laa-stabilisation-cdc-poc
2025-01-07T16:12:22Z INFO [vulndb] Need to update DB
2025-01-07T16:12:22Z INFO [vulndb] Downloading vulnerability DB...
2025-01-07T16:12:22Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-01-07T16:12:24Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-01-07T16:12:24Z INFO [vuln] Vulnerability scanning is enabled
2025-01-07T16:12:24Z INFO [misconfig] Misconfiguration scanning is enabled
2025-01-07T16:12:24Z INFO [misconfig] Need to update the built-in checks
2025-01-07T16:12:24Z INFO [misconfig] Downloading the built-in checks...
160.80 KiB / 160.80 KiB [------------------------------------------------------] 100.00% ? p/s 100ms
2025-01-07T16:12:25Z INFO [secret] Secret scanning is enabled
2025-01-07T16:12:25Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-01-07T16:12:25Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2025-01-07T16:12:26Z INFO [terraform scanner] Scanning root module file_path="."
2025-01-07T16:12:26Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2025-01-07T16:12:26Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2025-01-07T16:12:26Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2025-01-07T16:12:26Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T16:12:26Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T16:12:27Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2025-01-07T16:12:27Z INFO Number of language-specific files num=0
2025-01-07T16:12:27Z INFO Detected config files num=4
AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.
By default aws_instance resource sets IMDS session auth tokens to be optional.
To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.
See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
database.tf:157
via database.tf:156-158 (metadata_options)
via database.tf:145-174 (aws_instance.database)
────────────────────────────────────────
145 resource "aws_instance" "database" {
...
157 [ http_tokens = "optional"
...
174 }
────────────────────────────────────────
AVD-AWS-0131 (HIGH): Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.
AVD-AWS-0088 (HIGH): Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.
AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.
</details>
#### `Checkov Scan` Failed
<details><summary>Show Output</summary>
```hcl
*****************************
Checkov will check the following folders:
terraform/environments/laa-stabilisation-cdc-poc
*****************************
Running Checkov in terraform/environments/laa-stabilisation-cdc-poc
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2025-01-07 16:12:29,994 [MainThread ] [WARNI] Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:
Passed checks: 110, Failed checks: 13, Skipped checks: 0
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
FAILED for resource: bastion_linux
File: /bastion.tf:5-32
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision
5 | module "bastion_linux" {
6 | source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0"
7 |
8 | providers = {
9 | aws.share-host = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
10 | aws.share-tenant = aws # The default provider (unaliased, `aws`) is the tenant
11 | }
12 | # s3 - used for logs and user ssh public keys
13 | bucket_name = "bastion-${local.application_name_short}"
14 | # public keys
15 | public_key_data = local.public_key_data.keys[local.environment]
16 | # logs
17 | log_auto_clean = "Enabled"
18 | log_standard_ia_days = 30 # days before moving to IA storage
19 | log_glacier_days = 60 # days before moving to Glacier
20 | log_expiry_days = 180 # days before log expiration
21 | # bastion
22 | allow_ssh_commands = false
23 | app_name = var.networking[0].application
24 | business_unit = local.vpc_name
25 | subnet_set = local.subnet_set
26 | environment = local.environment
27 | region = "eu-west-2"
28 |
29 | # Tags
30 | tags_common = local.tags
31 | tags_prefix = terraform.workspace
32 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.database
File: /database.tf:145-174
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31
145 | resource "aws_instance" "database" {
146 | ami = local.application_data.accounts[local.environment].db_ami_id
147 | availability_zone = "eu-west-2a"
148 | instance_type = local.application_data.accounts[local.environment].db_instance_type
149 | monitoring = true
150 | vpc_security_group_ids = [aws_security_group.database.id]
151 | subnet_id = data.aws_subnet.data_subnets_a.id
152 | iam_instance_profile = aws_iam_instance_profile.cwa.id
153 | key_name = aws_key_pair.cwa.key_name
154 | user_data_base64 = base64encode(local.db_userdata)
155 | user_data_replace_on_change = true
156 | metadata_options {
157 | http_tokens = "optional"
158 | }
159 |
160 | root_block_device {
161 | tags = merge(
162 | { "instance-scheduling" = "skip-scheduling" },
163 | local.tags,
164 | { "Name" = "${local.application_name_short}-database-root" }
165 | )
166 | }
167 |
168 | tags = merge(
169 | { "instance-scheduling" = "skip-scheduling" },
170 | local.tags,
171 | { "Name" = local.database_ec2_name }
172 | )
173 | depends_on = [time_sleep.wait_db_userdata_scripts]
174 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.database
File: /database.tf:145-174
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized
145 | resource "aws_instance" "database" {
146 | ami = local.application_data.accounts[local.environment].db_ami_id
147 | availability_zone = "eu-west-2a"
148 | instance_type = local.application_data.accounts[local.environment].db_instance_type
149 | monitoring = true
150 | vpc_security_group_ids = [aws_security_group.database.id]
151 | subnet_id = data.aws_subnet.data_subnets_a.id
152 | iam_instance_profile = aws_iam_instance_profile.cwa.id
153 | key_name = aws_key_pair.cwa.key_name
154 | user_data_base64 = base64encode(local.db_userdata)
155 | user_data_replace_on_change = true
156 | metadata_options {
157 | http_tokens = "optional"
158 | }
159 |
160 | root_block_device {
161 | tags = merge(
162 | { "instance-scheduling" = "skip-scheduling" },
163 | local.tags,
164 | { "Name" = "${local.application_name_short}-database-root" }
165 | )
166 | }
167 |
168 | tags = merge(
169 | { "instance-scheduling" = "skip-scheduling" },
170 | local.tags,
171 | { "Name" = local.database_ec2_name }
172 | )
173 | depends_on = [time_sleep.wait_db_userdata_scripts]
174 | }
Check: CKV_AWS_23: "Ensure every security group and rule has a description"
FAILED for resource: aws_vpc_security_group_egress_rule.db_outbound
File: /database.tf:197-201
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31
197 | resource "aws_vpc_security_group_egress_rule" "db_outbound" {
198 | security_group_id = aws_security_group.database.id
199 | cidr_ipv4 = "0.0.0.0/0"
200 | ip_protocol = "-1"
201 | }
Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
FAILED for resource: aws_vpc_security_group_ingress_rule.db_bastion_ssh
File: /database.tf:203-210
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security
203 | resource "aws_vpc_security_group_ingress_rule" "db_bastion_ssh" {
204 | security_group_id = aws_security_group.database.id
205 | description = "SSH from the Bastion"
206 | referenced_security_group_id = module.bastion_linux.bastion_security_group
207 | from_port = 22
208 | ip_protocol = "tcp"
209 | to_port = 22
210 | }
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
FAILED for resource: aws_iam_policy.cwa
File: /ec2_iam_profile.tf:44-108
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: aws_iam_policy.cwa
File: /ec2_iam_profile.tf:44-108
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
FAILED for resource: aws_s3_bucket.scripts
File: /s3.tf:5-11
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled
5 | resource "aws_s3_bucket" "scripts" {
6 | bucket = "${local.application_name_short}-${local.environment}-scripts"
7 | tags = merge(
8 | local.tags,
9 | { Name = "${local.application_name_short}-${local.environment}-scripts" }
10 | )
11 | }
Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
FAILED for resource: aws_s3_bucket.scripts
File: /s3.tf:5-11
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61
5 | resource "aws_s3_bucket" "scripts" {
6 | bucket = "${local.application_name_short}-${local.environment}-scripts"
7 | tags = merge(
8 | local.tags,
9 | { Name = "${local.application_name_short}-${local.environment}-scripts" }
10 | )
11 | }
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
FAILED for resource: aws_s3_bucket.scripts
File: /s3.tf:5-11
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62
5 | resource "aws_s3_bucket" "scripts" {
6 | bucket = "${local.application_name_short}-${local.environment}-scripts"
7 | tags = merge(
8 | local.tags,
9 | { Name = "${local.application_name_short}-${local.environment}-scripts" }
10 | )
11 | }
Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
FAILED for resource: aws_s3_bucket.scripts
File: /s3.tf:5-11
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default
5 | resource "aws_s3_bucket" "scripts" {
6 | bucket = "${local.application_name_short}-${local.environment}-scripts"
7 | tags = merge(
8 | local.tags,
9 | { Name = "${local.application_name_short}-${local.environment}-scripts" }
10 | )
11 | }
Check: CKV2_AWS_65: "Ensure access control lists for S3 buckets are disabled"
FAILED for resource: aws_s3_bucket_ownership_controls.scripts
File: /s3.tf:21-26
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-112
21 | resource "aws_s3_bucket_ownership_controls" "scripts" {
22 | bucket = aws_s3_bucket.scripts.id
23 | rule {
24 | object_ownership = "ObjectWriter"
25 | }
26 | }
Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
FAILED for resource: aws_s3_bucket.scripts
File: /s3.tf:5-11
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging
5 | resource "aws_s3_bucket" "scripts" {
6 | bucket = "${local.application_name_short}-${local.environment}-scripts"
7 | tags = merge(
8 | local.tags,
9 | { Name = "${local.application_name_short}-${local.environment}-scripts" }
10 | )
11 | }
checkov_exitcode=1
TFLint Scan Failed
Show Output
*****************************
Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version:0.9.1)
tflint will check the following folders:
terraform/environments/laa-stabilisation-cdc-poc
*****************************
Running tflint in terraform/environments/laa-stabilisation-cdc-poc
Excluding the following checks: terraform_unused_declarations
1 issue(s) found:
Warning: Missing version constraint for provider "time" in `required_providers` (terraform_required_providers)
on terraform/environments/laa-stabilisation-cdc-poc/database.tf line 136:
136: resource "time_sleep" "wait_db_userdata_scripts" {
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md
tflint_exitcode=2
Trivy Scan Failed
Show Output
*****************************
Trivy will check the following folders:
terraform/environments/laa-stabilisation-cdc-poc
*****************************
Running Trivy in terraform/environments/laa-stabilisation-cdc-poc
2025-01-07T16:12:22Z INFO [vulndb] Need to update DB
2025-01-07T16:12:22Z INFO [vulndb] Downloading vulnerability DB...
2025-01-07T16:12:22Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-01-07T16:12:24Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-01-07T16:12:24Z INFO [vuln] Vulnerability scanning is enabled
2025-01-07T16:12:24Z INFO [misconfig] Misconfiguration scanning is enabled
2025-01-07T16:12:24Z INFO [misconfig] Need to update the built-in checks
2025-01-07T16:12:24Z INFO [misconfig] Downloading the built-in checks...
160.80 KiB / 160.80 KiB [------------------------------------------------------] 100.00% ? p/s 100ms
2025-01-07T16:12:25Z INFO [secret] Secret scanning is enabled
2025-01-07T16:12:25Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-01-07T16:12:25Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2025-01-07T16:12:26Z INFO [terraform scanner] Scanning root module file_path="."
2025-01-07T16:12:26Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2025-01-07T16:12:26Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2025-01-07T16:12:26Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2025-01-07T16:12:26Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T16:12:26Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T16:12:27Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2025-01-07T16:12:27Z INFO Number of language-specific files num=0
2025-01-07T16:12:27Z INFO Detected config files num=4
database.tf (terraform)
=======================
Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)
AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.
By default aws_instance resource sets IMDS session auth tokens to be optional.
To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.
See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
database.tf:157
via database.tf:156-158 (metadata_options)
via database.tf:145-174 (aws_instance.database)
────────────────────────────────────────
145 resource "aws_instance" "database" {
...
157 [ http_tokens = "optional"
...
174 }
────────────────────────────────────────
AVD-AWS-0131 (HIGH): Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.
See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
database.tf:145-174
────────────────────────────────────────
145 ┌ resource "aws_instance" "database" {
146 │ ami = local.application_data.accounts[local.environment].db_ami_id
147 │ availability_zone = "eu-west-2a"
148 │ instance_type = local.application_data.accounts[local.environment].db_instance_type
149 │ monitoring = true
150 │ vpc_security_group_ids = [aws_security_group.database.id]
151 │ subnet_id = data.aws_subnet.data_subnets_a.id
152 │ iam_instance_profile = aws_iam_instance_profile.cwa.id
153 └ key_name = aws_key_pair.cwa.key_name
...
────────────────────────────────────────
s3.tf (terraform)
=================
Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)
AVD-AWS-0088 (HIGH): Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.
See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
s3.tf:5-11
────────────────────────────────────────
5 ┌ resource "aws_s3_bucket" "scripts" {
6 │ bucket = "${local.application_name_short}-${local.environment}-scripts"
7 │ tags = merge(
8 │ local.tags,
9 │ { Name = "${local.application_name_short}-${local.environment}-scripts" }
10 │ )
11 └ }
────────────────────────────────────────
AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.
See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
s3.tf:5-11
────────────────────────────────────────
5 ┌ resource "aws_s3_bucket" "scripts" {
6 │ bucket = "${local.application_name_short}-${local.environment}-scripts"
7 │ tags = merge(
8 │ local.tags,
9 │ { Name = "${local.application_name_short}-${local.environment}-scripts" }
10 │ )
11 └ }
────────────────────────────────────────
trivy_exitcode=1
Trivy will check the following folders:
terraform/environments/laa-stabilisation-cdc-poc
Running Trivy in terraform/environments/laa-stabilisation-cdc-poc
2025-01-07T16:49:22Z INFO [vulndb] Need to update DB
2025-01-07T16:49:22Z INFO [vulndb] Downloading vulnerability DB...
2025-01-07T16:49:22Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-01-07T16:49:25Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-01-07T16:49:25Z INFO [vuln] Vulnerability scanning is enabled
2025-01-07T16:49:25Z INFO [misconfig] Misconfiguration scanning is enabled
2025-01-07T16:49:25Z INFO [misconfig] Need to update the built-in checks
2025-01-07T16:49:25Z INFO [misconfig] Downloading the built-in checks...
160.80 KiB / 160.80 KiB [------------------------------------------------------] 100.00% ? p/s 100ms
2025-01-07T16:49:25Z INFO [secret] Secret scanning is enabled
2025-01-07T16:49:25Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-01-07T16:49:25Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2025-01-07T16:49:27Z INFO [terraform scanner] Scanning root module file_path="."
2025-01-07T16:49:27Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2025-01-07T16:49:27Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2025-01-07T16:49:27Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2025-01-07T16:49:27Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T16:49:27Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T16:49:29Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2025-01-07T16:49:29Z INFO Number of language-specific files num=0
2025-01-07T16:49:29Z INFO Detected config files num=4
AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.
By default aws_instance resource sets IMDS session auth tokens to be optional.
To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.
See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
database.tf:158
via database.tf:157-159 (metadata_options)
via database.tf:146-175 (aws_instance.database)
────────────────────────────────────────
146 resource "aws_instance" "database" {
...
158 [ http_tokens = "optional"
...
175 }
────────────────────────────────────────
AVD-AWS-0131 (HIGH): Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.
AVD-AWS-0088 (HIGH): Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.
AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.
</details>

#### `Checkov Scan` Failed
<details><summary>Show Output</summary>
```hcl
*****************************
Checkov will check the following folders:
terraform/environments/laa-stabilisation-cdc-poc
*****************************
Running Checkov in terraform/environments/laa-stabilisation-cdc-poc
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2025-01-07 16:49:32,328 [MainThread ] [WARNI] Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:
Passed checks: 110, Failed checks: 13, Skipped checks: 0
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
FAILED for resource: bastion_linux
File: /bastion.tf:5-32
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision
5 | module "bastion_linux" {
6 | source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0"
7 |
8 | providers = {
9 | aws.share-host = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
10 | aws.share-tenant = aws # The default provider (unaliased, `aws`) is the tenant
11 | }
12 | # s3 - used for logs and user ssh public keys
13 | bucket_name = "bastion-${local.application_name_short}"
14 | # public keys
15 | public_key_data = local.public_key_data.keys[local.environment]
16 | # logs
17 | log_auto_clean = "Enabled"
18 | log_standard_ia_days = 30 # days before moving to IA storage
19 | log_glacier_days = 60 # days before moving to Glacier
20 | log_expiry_days = 180 # days before log expiration
21 | # bastion
22 | allow_ssh_commands = false
23 | app_name = var.networking[0].application
24 | business_unit = local.vpc_name
25 | subnet_set = local.subnet_set
26 | environment = local.environment
27 | region = "eu-west-2"
28 |
29 | # Tags
30 | tags_common = local.tags
31 | tags_prefix = terraform.workspace
32 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.database
File: /database.tf:146-175
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31
146 | resource "aws_instance" "database" {
147 | ami = local.application_data.accounts[local.environment].db_ami_id
148 | availability_zone = "eu-west-2a"
149 | instance_type = local.application_data.accounts[local.environment].db_instance_type
150 | monitoring = true
151 | vpc_security_group_ids = [aws_security_group.database.id]
152 | subnet_id = data.aws_subnet.data_subnets_a.id
153 | iam_instance_profile = aws_iam_instance_profile.cwa.id
154 | key_name = aws_key_pair.cwa.key_name
155 | user_data_base64 = base64encode(local.db_userdata)
156 | user_data_replace_on_change = true
157 | metadata_options {
158 | http_tokens = "optional"
159 | }
160 |
161 | root_block_device {
162 | tags = merge(
163 | { "instance-scheduling" = "skip-scheduling" },
164 | local.tags,
165 | { "Name" = "${local.application_name_short}-database-root" }
166 | )
167 | }
168 |
169 | tags = merge(
170 | { "instance-scheduling" = "skip-scheduling" },
171 | local.tags,
172 | { "Name" = local.database_ec2_name }
173 | )
174 | depends_on = [time_sleep.wait_db_userdata_scripts]
175 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.database
File: /database.tf:146-175
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized
146 | resource "aws_instance" "database" {
147 | ami = local.application_data.accounts[local.environment].db_ami_id
148 | availability_zone = "eu-west-2a"
149 | instance_type = local.application_data.accounts[local.environment].db_instance_type
150 | monitoring = true
151 | vpc_security_group_ids = [aws_security_group.database.id]
152 | subnet_id = data.aws_subnet.data_subnets_a.id
153 | iam_instance_profile = aws_iam_instance_profile.cwa.id
154 | key_name = aws_key_pair.cwa.key_name
155 | user_data_base64 = base64encode(local.db_userdata)
156 | user_data_replace_on_change = true
157 | metadata_options {
158 | http_tokens = "optional"
159 | }
160 |
161 | root_block_device {
162 | tags = merge(
163 | { "instance-scheduling" = "skip-scheduling" },
164 | local.tags,
165 | { "Name" = "${local.application_name_short}-database-root" }
166 | )
167 | }
168 |
169 | tags = merge(
170 | { "instance-scheduling" = "skip-scheduling" },
171 | local.tags,
172 | { "Name" = local.database_ec2_name }
173 | )
174 | depends_on = [time_sleep.wait_db_userdata_scripts]
175 | }
Check: CKV_AWS_23: "Ensure every security group and rule has a description"
FAILED for resource: aws_vpc_security_group_egress_rule.db_outbound
File: /database.tf:198-202
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31
198 | resource "aws_vpc_security_group_egress_rule" "db_outbound" {
199 | security_group_id = aws_security_group.database.id
200 | cidr_ipv4 = "0.0.0.0/0"
201 | ip_protocol = "-1"
202 | }
Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
FAILED for resource: aws_vpc_security_group_ingress_rule.db_bastion_ssh
File: /database.tf:204-211
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security
204 | resource "aws_vpc_security_group_ingress_rule" "db_bastion_ssh" {
205 | security_group_id = aws_security_group.database.id
206 | description = "SSH from the Bastion"
207 | referenced_security_group_id = module.bastion_linux.bastion_security_group
208 | from_port = 22
209 | ip_protocol = "tcp"
210 | to_port = 22
211 | }
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
FAILED for resource: aws_iam_policy.cwa
File: /ec2_iam_profile.tf:44-108
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: aws_iam_policy.cwa
File: /ec2_iam_profile.tf:44-108
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
FAILED for resource: aws_s3_bucket.scripts
File: /s3.tf:5-11
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled
5 | resource "aws_s3_bucket" "scripts" {
6 | bucket = "${local.application_name_short}-${local.environment}-scripts"
7 | tags = merge(
8 | local.tags,
9 | { Name = "${local.application_name_short}-${local.environment}-scripts" }
10 | )
11 | }
Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
FAILED for resource: aws_s3_bucket.scripts
File: /s3.tf:5-11
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61
5 | resource "aws_s3_bucket" "scripts" {
6 | bucket = "${local.application_name_short}-${local.environment}-scripts"
7 | tags = merge(
8 | local.tags,
9 | { Name = "${local.application_name_short}-${local.environment}-scripts" }
10 | )
11 | }
Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
FAILED for resource: aws_s3_bucket.scripts
File: /s3.tf:5-11
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default
5 | resource "aws_s3_bucket" "scripts" {
6 | bucket = "${local.application_name_short}-${local.environment}-scripts"
7 | tags = merge(
8 | local.tags,
9 | { Name = "${local.application_name_short}-${local.environment}-scripts" }
10 | )
11 | }
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
FAILED for resource: aws_s3_bucket.scripts
File: /s3.tf:5-11
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62
5 | resource "aws_s3_bucket" "scripts" {
6 | bucket = "${local.application_name_short}-${local.environment}-scripts"
7 | tags = merge(
8 | local.tags,
9 | { Name = "${local.application_name_short}-${local.environment}-scripts" }
10 | )
11 | }
Check: CKV2_AWS_65: "Ensure access control lists for S3 buckets are disabled"
FAILED for resource: aws_s3_bucket_ownership_controls.scripts
File: /s3.tf:21-26
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-112
21 | resource "aws_s3_bucket_ownership_controls" "scripts" {
22 | bucket = aws_s3_bucket.scripts.id
23 | rule {
24 | object_ownership = "ObjectWriter"
25 | }
26 | }
Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
FAILED for resource: aws_s3_bucket.scripts
File: /s3.tf:5-11
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging
5 | resource "aws_s3_bucket" "scripts" {
6 | bucket = "${local.application_name_short}-${local.environment}-scripts"
7 | tags = merge(
8 | local.tags,
9 | { Name = "${local.application_name_short}-${local.environment}-scripts" }
10 | )
11 | }
checkov_exitcode=1
TFLint Scan Failed
Show Output
*****************************
Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version:0.9.1)
tflint will check the following folders:
terraform/environments/laa-stabilisation-cdc-poc
*****************************
Running tflint in terraform/environments/laa-stabilisation-cdc-poc
Excluding the following checks: terraform_unused_declarations
1 issue(s) found:
Warning: Missing version constraint for provider "time" in `required_providers` (terraform_required_providers)
on terraform/environments/laa-stabilisation-cdc-poc/database.tf line 137:
137: resource "time_sleep" "wait_db_userdata_scripts" {
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md
tflint_exitcode=2
Trivy Scan Failed
Show Output
*****************************
Trivy will check the following folders:
terraform/environments/laa-stabilisation-cdc-poc
*****************************
Running Trivy in terraform/environments/laa-stabilisation-cdc-poc
2025-01-07T16:49:22Z INFO [vulndb] Need to update DB
2025-01-07T16:49:22Z INFO [vulndb] Downloading vulnerability DB...
2025-01-07T16:49:22Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-01-07T16:49:25Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-01-07T16:49:25Z INFO [vuln] Vulnerability scanning is enabled
2025-01-07T16:49:25Z INFO [misconfig] Misconfiguration scanning is enabled
2025-01-07T16:49:25Z INFO [misconfig] Need to update the built-in checks
2025-01-07T16:49:25Z INFO [misconfig] Downloading the built-in checks...
160.80 KiB / 160.80 KiB [------------------------------------------------------] 100.00% ? p/s 100ms
2025-01-07T16:49:25Z INFO [secret] Secret scanning is enabled
2025-01-07T16:49:25Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-01-07T16:49:25Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2025-01-07T16:49:27Z INFO [terraform scanner] Scanning root module file_path="."
2025-01-07T16:49:27Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2025-01-07T16:49:27Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2025-01-07T16:49:27Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2025-01-07T16:49:27Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T16:49:27Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T16:49:29Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2025-01-07T16:49:29Z INFO Number of language-specific files num=0
2025-01-07T16:49:29Z INFO Detected config files num=4
database.tf (terraform)
=======================
Tests:2 (SUCCESSES:0, FAILURES:2)
Failures:2 (HIGH:2, CRITICAL:0)
AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.
By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.
To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.
See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
database.tf:158
via database.tf:157-159 (metadata_options)
via database.tf:146-175 (aws_instance.database)
────────────────────────────────────────
146 resource "aws_instance" "database" {
...
158 [ http_tokens = "optional"
...
175 }
────────────────────────────────────────
AVD-AWS-0131 (HIGH): Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.
See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
database.tf:146-175
────────────────────────────────────────
146 ┌ resource "aws_instance" "database" {
147 │ ami = local.application_data.accounts[local.environment].db_ami_id
148 │ availability_zone = "eu-west-2a"
149 │ instance_type = local.application_data.accounts[local.environment].db_instance_type
150 │ monitoring = true
151 │ vpc_security_group_ids = [aws_security_group.database.id]
152 │ subnet_id = data.aws_subnet.data_subnets_a.id
153 │ iam_instance_profile = aws_iam_instance_profile.cwa.id
154 └ key_name = aws_key_pair.cwa.key_name
...
────────────────────────────────────────
s3.tf (terraform)
=================
Tests:2 (SUCCESSES:0, FAILURES:2)
Failures:2 (HIGH:2, CRITICAL:0)
AVD-AWS-0088 (HIGH): Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.
See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
s3.tf:5-11
────────────────────────────────────────
5 ┌ resource "aws_s3_bucket" "scripts" {
6 │ bucket = "${local.application_name_short}-${local.environment}-scripts"
7 │ tags = merge(
8 │ local.tags,
9 │ { Name = "${local.application_name_short}-${local.environment}-scripts" }
10 │ )
11 └ }
────────────────────────────────────────
AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.
See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
s3.tf:5-11
────────────────────────────────────────
5 ┌ resource "aws_s3_bucket" "scripts" {
6 │ bucket = "${local.application_name_short}-${local.environment}-scripts"
7 │ tags = merge(
8 │ local.tags,
9 │ { Name = "${local.application_name_short}-${local.environment}-scripts" }
10 │ )
11 └ }
────────────────────────────────────────
trivy_exitcode=1
Trivy will check the following folders:
terraform/environments/laa-stabilisation-cdc-poc
Running Trivy in terraform/environments/laa-stabilisation-cdc-poc
2025-01-08T10:20:56Z INFO [vulndb] Need to update DB
2025-01-08T10:20:56Z INFO [vulndb] Downloading vulnerability DB...
2025-01-08T10:20:56Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-01-08T10:20:59Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-01-08T10:20:59Z INFO [vuln] Vulnerability scanning is enabled
2025-01-08T10:20:59Z INFO [misconfig] Misconfiguration scanning is enabled
2025-01-08T10:20:59Z INFO [misconfig] Need to update the built-in checks
2025-01-08T10:20:59Z INFO [misconfig] Downloading the built-in checks...
160.80 KiB / 160.80 KiB [------------------------------------------------------] 100.00% ? p/s 100ms
2025-01-08T10:20:59Z INFO [secret] Secret scanning is enabled
2025-01-08T10:20:59Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-01-08T10:20:59Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2025-01-08T10:21:00Z INFO [terraform scanner] Scanning root module file_path="."
2025-01-08T10:21:00Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2025-01-08T10:21:02Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2025-01-08T10:21:02Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2025-01-08T10:21:02Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-08T10:21:02Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-08T10:21:03Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2025-01-08T10:21:04Z INFO Number of language-specific files num=0
2025-01-08T10:21:04Z INFO Detected config files num=4
AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.
By default aws_instance resource sets IMDS session auth tokens to be optional.
To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.
See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
database.tf:158
via database.tf:157-159 (metadata_options)
via database.tf:146-175 (aws_instance.database)
────────────────────────────────────────
146 resource "aws_instance" "database" {
...
158 [ http_tokens = "optional"
...
175 }
────────────────────────────────────────
AVD-AWS-0131 (HIGH): Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.
AVD-AWS-0088 (HIGH): Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.
AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.
</details>

#### `Checkov Scan` Failed
<details><summary>Show Output</summary>
```hcl
*****************************
Checkov will check the following folders:
terraform/environments/laa-stabilisation-cdc-poc
*****************************
Running Checkov in terraform/environments/laa-stabilisation-cdc-poc
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2025-01-08 10:21:06,827 [MainThread ] [WARNI] Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:
Passed checks: 110, Failed checks: 13, Skipped checks: 0
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
FAILED for resource: bastion_linux
File: /bastion.tf:5-32
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision
5 | module "bastion_linux" {
6 | source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0"
7 |
8 | providers = {
9 | aws.share-host = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
10 | aws.share-tenant = aws # The default provider (unaliased, `aws`) is the tenant
11 | }
12 | # s3 - used for logs and user ssh public keys
13 | bucket_name = "bastion-${local.application_name_short}"
14 | # public keys
15 | public_key_data = local.public_key_data.keys[local.environment]
16 | # logs
17 | log_auto_clean = "Enabled"
18 | log_standard_ia_days = 30 # days before moving to IA storage
19 | log_glacier_days = 60 # days before moving to Glacier
20 | log_expiry_days = 180 # days before log expiration
21 | # bastion
22 | allow_ssh_commands = false
23 | app_name = var.networking[0].application
24 | business_unit = local.vpc_name
25 | subnet_set = local.subnet_set
26 | environment = local.environment
27 | region = "eu-west-2"
28 |
29 | # Tags
30 | tags_common = local.tags
31 | tags_prefix = terraform.workspace
32 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
FAILED for resource: aws_instance.database
File: /database.tf:146-175
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31
146 | resource "aws_instance" "database" {
147 | ami = local.application_data.accounts[local.environment].db_ami_id
148 | availability_zone = "eu-west-2a"
149 | instance_type = local.application_data.accounts[local.environment].db_instance_type
150 | monitoring = true
151 | vpc_security_group_ids = [aws_security_group.database.id]
152 | subnet_id = data.aws_subnet.data_subnets_a.id
153 | iam_instance_profile = aws_iam_instance_profile.cwa.id
154 | key_name = aws_key_pair.cwa.key_name
155 | user_data_base64 = base64encode(local.db_userdata)
156 | user_data_replace_on_change = false
157 | metadata_options {
158 | http_tokens = "optional"
159 | }
160 |
161 | root_block_device {
162 | tags = merge(
163 | { "instance-scheduling" = "skip-scheduling" },
164 | local.tags,
165 | { "Name" = "${local.application_name_short}-database-root" }
166 | )
167 | }
168 |
169 | tags = merge(
170 | { "instance-scheduling" = "skip-scheduling" },
171 | local.tags,
172 | { "Name" = local.database_ec2_name }
173 | )
174 | depends_on = [time_sleep.wait_db_userdata_scripts]
175 | }
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
FAILED for resource: aws_instance.database
File: /database.tf:146-175
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized
146 | resource "aws_instance" "database" {
147 | ami = local.application_data.accounts[local.environment].db_ami_id
148 | availability_zone = "eu-west-2a"
149 | instance_type = local.application_data.accounts[local.environment].db_instance_type
150 | monitoring = true
151 | vpc_security_group_ids = [aws_security_group.database.id]
152 | subnet_id = data.aws_subnet.data_subnets_a.id
153 | iam_instance_profile = aws_iam_instance_profile.cwa.id
154 | key_name = aws_key_pair.cwa.key_name
155 | user_data_base64 = base64encode(local.db_userdata)
156 | user_data_replace_on_change = false
157 | metadata_options {
158 | http_tokens = "optional"
159 | }
160 |
161 | root_block_device {
162 | tags = merge(
163 | { "instance-scheduling" = "skip-scheduling" },
164 | local.tags,
165 | { "Name" = "${local.application_name_short}-database-root" }
166 | )
167 | }
168 |
169 | tags = merge(
170 | { "instance-scheduling" = "skip-scheduling" },
171 | local.tags,
172 | { "Name" = local.database_ec2_name }
173 | )
174 | depends_on = [time_sleep.wait_db_userdata_scripts]
175 | }
Check: CKV_AWS_23: "Ensure every security group and rule has a description"
FAILED for resource: aws_vpc_security_group_egress_rule.db_outbound
File: /database.tf:198-202
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31
198 | resource "aws_vpc_security_group_egress_rule" "db_outbound" {
199 | security_group_id = aws_security_group.database.id
200 | cidr_ipv4 = "0.0.0.0/0"
201 | ip_protocol = "-1"
202 | }
Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
FAILED for resource: aws_vpc_security_group_ingress_rule.db_bastion_ssh
File: /database.tf:204-211
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security
204 | resource "aws_vpc_security_group_ingress_rule" "db_bastion_ssh" {
205 | security_group_id = aws_security_group.database.id
206 | description = "SSH from the Bastion"
207 | referenced_security_group_id = module.bastion_linux.bastion_security_group
208 | from_port = 22
209 | ip_protocol = "tcp"
210 | to_port = 22
211 | }
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
FAILED for resource: aws_iam_policy.cwa
File: /ec2_iam_profile.tf:44-108
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: aws_iam_policy.cwa
File: /ec2_iam_profile.tf:44-108
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
FAILED for resource: aws_s3_bucket.scripts
File: /s3.tf:5-11
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled
5 | resource "aws_s3_bucket" "scripts" {
6 | bucket = "${local.application_name_short}-${local.environment}-scripts"
7 | tags = merge(
8 | local.tags,
9 | { Name = "${local.application_name_short}-${local.environment}-scripts" }
10 | )
11 | }
Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
FAILED for resource: aws_s3_bucket.scripts
File: /s3.tf:5-11
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61
5 | resource "aws_s3_bucket" "scripts" {
6 | bucket = "${local.application_name_short}-${local.environment}-scripts"
7 | tags = merge(
8 | local.tags,
9 | { Name = "${local.application_name_short}-${local.environment}-scripts" }
10 | )
11 | }
Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
FAILED for resource: aws_s3_bucket.scripts
File: /s3.tf:5-11
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default
5 | resource "aws_s3_bucket" "scripts" {
6 | bucket = "${local.application_name_short}-${local.environment}-scripts"
7 | tags = merge(
8 | local.tags,
9 | { Name = "${local.application_name_short}-${local.environment}-scripts" }
10 | )
11 | }
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
FAILED for resource: aws_s3_bucket.scripts
File: /s3.tf:5-11
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62
5 | resource "aws_s3_bucket" "scripts" {
6 | bucket = "${local.application_name_short}-${local.environment}-scripts"
7 | tags = merge(
8 | local.tags,
9 | { Name = "${local.application_name_short}-${local.environment}-scripts" }
10 | )
11 | }
Check: CKV2_AWS_65: "Ensure access control lists for S3 buckets are disabled"
FAILED for resource: aws_s3_bucket_ownership_controls.scripts
File: /s3.tf:21-26
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-112
21 | resource "aws_s3_bucket_ownership_controls" "scripts" {
22 | bucket = aws_s3_bucket.scripts.id
23 | rule {
24 | object_ownership = "ObjectWriter"
25 | }
26 | }
Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
FAILED for resource: aws_s3_bucket.scripts
File: /s3.tf:5-11
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging
5 | resource "aws_s3_bucket" "scripts" {
6 | bucket = "${local.application_name_short}-${local.environment}-scripts"
7 | tags = merge(
8 | local.tags,
9 | { Name = "${local.application_name_short}-${local.environment}-scripts" }
10 | )
11 | }
checkov_exitcode=1
TFLint Scan Failed
Show Output
*****************************
Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version:0.9.1)
tflint will check the following folders:
terraform/environments/laa-stabilisation-cdc-poc
*****************************
Running tflint in terraform/environments/laa-stabilisation-cdc-poc
Excluding the following checks: terraform_unused_declarations
1 issue(s) found:
Warning: Missing version constraint for provider "time" in `required_providers` (terraform_required_providers)
on terraform/environments/laa-stabilisation-cdc-poc/database.tf line 137:
137: resource "time_sleep" "wait_db_userdata_scripts" {
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md
tflint_exitcode=2
Trivy Scan Failed
Show Output
*****************************
Trivy will check the following folders:
terraform/environments/laa-stabilisation-cdc-poc
*****************************
Running Trivy in terraform/environments/laa-stabilisation-cdc-poc
2025-01-08T10:20:56Z INFO [vulndb] Need to update DB
2025-01-08T10:20:56Z INFO [vulndb] Downloading vulnerability DB...
2025-01-08T10:20:56Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-01-08T10:20:59Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-01-08T10:20:59Z INFO [vuln] Vulnerability scanning is enabled
2025-01-08T10:20:59Z INFO [misconfig] Misconfiguration scanning is enabled
2025-01-08T10:20:59Z INFO [misconfig] Need to update the built-in checks
2025-01-08T10:20:59Z INFO [misconfig] Downloading the built-in checks...
160.80 KiB / 160.80 KiB [------------------------------------------------------] 100.00% ? p/s 100ms
2025-01-08T10:20:59Z INFO [secret] Secret scanning is enabled
2025-01-08T10:20:59Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-01-08T10:20:59Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2025-01-08T10:21:00Z INFO [terraform scanner] Scanning root module file_path="."
2025-01-08T10:21:00Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2025-01-08T10:21:02Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2025-01-08T10:21:02Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2025-01-08T10:21:02Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-08T10:21:02Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-08T10:21:03Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2025-01-08T10:21:04Z INFO Number of language-specific files num=0
2025-01-08T10:21:04Z INFO Detected config files num=4
database.tf (terraform)
=======================
Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)
AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.
By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.
To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.
See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
database.tf:158
via database.tf:157-159 (metadata_options)
via database.tf:146-175 (aws_instance.database)
────────────────────────────────────────
146   resource "aws_instance" "database" {
 ...
158 [   http_tokens = "optional"
 ...
175   }
────────────────────────────────────────
AVD-AWS-0131 (HIGH): Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.
See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
database.tf:146-175
────────────────────────────────────────
146 ┌ resource "aws_instance" "database" {
147 │   ami = local.application_data.accounts[local.environment].db_ami_id
148 │   availability_zone = "eu-west-2a"
149 │   instance_type = local.application_data.accounts[local.environment].db_instance_type
150 │   monitoring = true
151 │   vpc_security_group_ids = [aws_security_group.database.id]
152 │   subnet_id = data.aws_subnet.data_subnets_a.id
153 │   iam_instance_profile = aws_iam_instance_profile.cwa.id
154 └   key_name = aws_key_pair.cwa.key_name
...
────────────────────────────────────────
s3.tf (terraform)
=================
Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)
AVD-AWS-0088 (HIGH): Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.
See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
s3.tf:5-11
────────────────────────────────────────
5  ┌ resource "aws_s3_bucket" "scripts" {
6  │   bucket = "${local.application_name_short}-${local.environment}-scripts"
7  │   tags = merge(
8  │     local.tags,
9  │     { Name = "${local.application_name_short}-${local.environment}-scripts" }
10 │   )
11 └ }
────────────────────────────────────────
AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.
See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
s3.tf:5-11
────────────────────────────────────────
5  ┌ resource "aws_s3_bucket" "scripts" {
6  │   bucket = "${local.application_name_short}-${local.environment}-scripts"
7  │   tags = merge(
8  │     local.tags,
9  │     { Name = "${local.application_name_short}-${local.environment}-scripts" }
10 │   )
11 └ }
────────────────────────────────────────
trivy_exitcode=1
No description provided.