Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

TM-865 Adding in build for TST and PRE #9375

Open
wants to merge 7 commits into
base: main
Choose a base branch
from
Open

TM-865 Adding in build for TST and PRE #9375

wants to merge 7 commits into from

Conversation

vc13837
Copy link
Contributor

@vc13837 vc13837 commented Jan 16, 2025

No description provided.

@vc13837 vc13837 requested review from a team as code owners January 16, 2025 15:59
@github-actions github-actions bot added the environments-repository Used to exclude PRs from this repo in our Slack PR update label Jan 16, 2025
Copy link
Contributor

@modernisation-platform-ci modernisation-platform-ci left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Terraform plan evaluation detected changes to resources that require approval from @ministryofjustice/modernsation-platform - please contact #ask-modernisation-platform for assistance

@modernisation-platform-ci
Copy link
Contributor

@vc13837 Terraform plan evaluation detected changes to resources that require approval from a member of @ministryofjustice/modernisation-platform - please contact #ask-modernisation-platform for assistance

Guidance on approving these PRs is available at https://user-guide.modernisation-platform.service.justice.gov.uk/runbooks/reviewing-mp-environments-prs.html#process-for-approving-prs

Copy link
Contributor

@modernisation-platform-ci modernisation-platform-ci left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Terraform plan evaluation detected changes to resources that require approval from @ministryofjustice/modernsation-platform - please contact #ask-modernisation-platform for assistance

@modernisation-platform-ci
Copy link
Contributor

@vc13837 Terraform plan evaluation detected changes to resources that require approval from a member of @ministryofjustice/modernisation-platform - please contact #ask-modernisation-platform for assistance

Guidance on approving these PRs is available at https://user-guide.modernisation-platform.service.justice.gov.uk/runbooks/reviewing-mp-environments-prs.html#process-for-approving-prs

Copy link
Contributor

Trivy Scan Success

Show Output ```hcl

Trivy will check the following folders:

</details> #### `Checkov Scan` Success
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:

CTFLint Scan Success

Show Output
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:

Trivy Scan Success

Show Output
*****************************

Trivy will check the following folders:

@Khatraf Khatraf requested a review from a team January 16, 2025 16:17
Khatraf
Khatraf previously approved these changes Jan 16, 2025
@vc13837 vc13837 temporarily deployed to laa-mail-relay-test January 16, 2025 16:20 — with GitHub Actions Inactive
Copy link
Contributor

@modernisation-platform-ci modernisation-platform-ci left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Terraform plan evaluation detected changes to resources that require approval from @ministryofjustice/modernsation-platform - please contact #ask-modernisation-platform for assistance

Copy link
Contributor

@modernisation-platform-ci modernisation-platform-ci left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Terraform plan evaluation detected changes to resources that require approval from @ministryofjustice/modernsation-platform - please contact #ask-modernisation-platform for assistance

@modernisation-platform-ci
Copy link
Contributor

@vc13837 Terraform plan evaluation detected changes to resources that require approval from a member of @ministryofjustice/modernisation-platform - please contact #ask-modernisation-platform for assistance

Guidance on approving these PRs is available at https://user-guide.modernisation-platform.service.justice.gov.uk/runbooks/reviewing-mp-environments-prs.html#process-for-approving-prs

1 similar comment
@modernisation-platform-ci
Copy link
Contributor

@vc13837 Terraform plan evaluation detected changes to resources that require approval from a member of @ministryofjustice/modernisation-platform - please contact #ask-modernisation-platform for assistance

Guidance on approving these PRs is available at https://user-guide.modernisation-platform.service.justice.gov.uk/runbooks/reviewing-mp-environments-prs.html#process-for-approving-prs

@vc13837 vc13837 temporarily deployed to laa-mail-relay-test January 16, 2025 17:11 — with GitHub Actions Inactive
Copy link
Contributor

@modernisation-platform-ci modernisation-platform-ci left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Terraform plan evaluation detected changes to resources that require approval from @ministryofjustice/modernsation-platform - please contact #ask-modernisation-platform for assistance

@modernisation-platform-ci
Copy link
Contributor

@vc13837 Terraform plan evaluation detected changes to resources that require approval from a member of @ministryofjustice/modernisation-platform - please contact #ask-modernisation-platform for assistance

Guidance on approving these PRs is available at https://user-guide.modernisation-platform.service.justice.gov.uk/runbooks/reviewing-mp-environments-prs.html#process-for-approving-prs

Copy link
Contributor

Trivy Scan Failed

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/laa-mail-relay


Running Trivy in terraform/environments/laa-mail-relay
2025-01-16T17:12:50Z INFO [vulndb] Need to update DB
2025-01-16T17:12:50Z INFO [vulndb] Downloading vulnerability DB...
2025-01-16T17:12:50Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-01-16T17:12:52Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-01-16T17:12:52Z INFO [vuln] Vulnerability scanning is enabled
2025-01-16T17:12:52Z INFO [misconfig] Misconfiguration scanning is enabled
2025-01-16T17:12:52Z INFO [misconfig] Need to update the built-in checks
2025-01-16T17:12:52Z INFO [misconfig] Downloading the built-in checks...
160.80 KiB / 160.80 KiB [------------------------------------------------------] 100.00% ? p/s 100ms2025-01-16T17:12:53Z INFO [secret] Secret scanning is enabled
2025-01-16T17:12:53Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-01-16T17:12:53Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2025-01-16T17:12:54Z INFO [terraform scanner] Scanning root module file_path="."
2025-01-16T17:12:54Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2025-01-16T17:12:54Z INFO Number of language-specific files num=0
2025-01-16T17:12:54Z INFO Detected config files num=3

smtp.tf (terraform)

Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
smtp.tf:57
via smtp.tf:56-58 (metadata_options)
via smtp.tf:46-69 (aws_instance.smtp)
────────────────────────────────────────
46 resource "aws_instance" "smtp" {
..
57 [ http_tokens = "optional"
..
69 }
────────────────────────────────────────

AVD-AWS-0131 (HIGH): Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.

See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
smtp.tf:46-69
────────────────────────────────────────
46 ┌ resource "aws_instance" "smtp" {
47 │ ami = local.application_data.accounts[local.environment].smtp_ami_id
48 │ availability_zone = "eu-west-2a"
49 │ instance_type = local.application_data.accounts[local.environment].smtp_instance_type
50 │ monitoring = true
51 │ vpc_security_group_ids = [aws_security_group.smtp.id]
52 │ subnet_id = data.aws_subnet.data_subnets_a.id
53 │ iam_instance_profile = aws_iam_instance_profile.smtp.id
54 └ user_data_base64 = base64encode(local.smtp_userdata)
..
────────────────────────────────────────

trivy_exitcode=1

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/laa-mail-relay

*****************************

Running Checkov in terraform/environments/laa-mail-relay
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
terraform scan results:

Passed checks: 52, Failed checks: 18, Skipped checks: 0

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.smtp
	File: /ec2_iam_profile.tf:43-79
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		43 | resource "aws_iam_policy" "smtp" {
		44 |   name = "${local.application_name}-iam-policy"
		45 |   tags = merge(
		46 |     local.tags,
		47 |     {
		48 |       Name = "${local.application_name}-iam-policy"
		49 |     }
		50 |   )
		51 |   policy = <<EOF
		52 | {
		53 |     "Version" : "2012-10-17",
		54 |     "Statement": [
		55 |         {
		56 |             "Action": [
		57 |                 "logs:CreateLogGroup",
		58 |                 "logs:CreateLogStream",
		59 |                 "logs:DescribeLogStreams",
		60 |                 "logs:PutRetentionPolicy",
		61 |                 "logs:PutLogEvents",
		62 |                 "ec2:DescribeInstances"
		63 |             ],
		64 |             "Resource": "*",
		65 |             "Effect": "Allow"
		66 |         },
		67 |         {
		68 |             "Action": [
		69 |                 "secretsmanager:GetSecretValue"
		70 |             ],
		71 |             "Resource": [
		72 |                 "arn:aws:secretsmanager:eu-west-2:${data.aws_caller_identity.current.account_id}:secret:postfix/app/*"
		73 |             ],
		74 |             "Effect": "Allow"
		75 |         }
		76 |     ]
		77 | }
		78 | EOF
		79 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.smtp
	File: /ec2_iam_profile.tf:43-79
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		43 | resource "aws_iam_policy" "smtp" {
		44 |   name = "${local.application_name}-iam-policy"
		45 |   tags = merge(
		46 |     local.tags,
		47 |     {
		48 |       Name = "${local.application_name}-iam-policy"
		49 |     }
		50 |   )
		51 |   policy = <<EOF
		52 | {
		53 |     "Version" : "2012-10-17",
		54 |     "Statement": [
		55 |         {
		56 |             "Action": [
		57 |                 "logs:CreateLogGroup",
		58 |                 "logs:CreateLogStream",
		59 |                 "logs:DescribeLogStreams",
		60 |                 "logs:PutRetentionPolicy",
		61 |                 "logs:PutLogEvents",
		62 |                 "ec2:DescribeInstances"
		63 |             ],
		64 |             "Resource": "*",
		65 |             "Effect": "Allow"
		66 |         },
		67 |         {
		68 |             "Action": [
		69 |                 "secretsmanager:GetSecretValue"
		70 |             ],
		71 |             "Resource": [
		72 |                 "arn:aws:secretsmanager:eu-west-2:${data.aws_caller_identity.current.account_id}:secret:postfix/app/*"
		73 |             ],
		74 |             "Effect": "Allow"
		75 |         }
		76 |     ]
		77 | }
		78 | EOF
		79 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.smtp_user
	File: /ses.tf:66-72
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		66 | data "aws_iam_policy_document" "smtp_user" {
		67 |   statement {
		68 |     effect    = "Allow"
		69 |     actions   = ["ses:SendRawEmail"]
		70 |     resources = ["*"]
		71 |   }
		72 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.smtp_user
	File: /ses.tf:66-72
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		66 | data "aws_iam_policy_document" "smtp_user" {
		67 |   statement {
		68 |     effect    = "Allow"
		69 |     actions   = ["ses:SendRawEmail"]
		70 |     resources = ["*"]
		71 |   }
		72 | }

Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
	FAILED for resource: aws_iam_user.smtp
	File: /ses.tf:57-60
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-273

		57 | resource "aws_iam_user" "smtp" {
		58 |   name = "${local.application_name}-${local.application_data.accounts[local.environment].env_short}-user"
		59 |   tags = local.tags
		60 | }

Check: CKV_AWS_40: "Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.)"
	FAILED for resource: aws_iam_user_policy.smtp_user
	File: /ses.tf:74-78
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/iam-16-iam-policy-privileges-1

		74 | resource "aws_iam_user_policy" "smtp_user" {
		75 |   name   = "AmazonSesSendingAccess"
		76 |   user   = aws_iam_user.smtp.name
		77 |   policy = data.aws_iam_policy_document.smtp_user.json
		78 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.smtp_user
	File: /ses.tf:82-89
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		82 | resource "aws_secretsmanager_secret" "smtp_user" {
		83 |   name        = "postfix/app/APP_DATA_MIGRATION_SMTP_USER"
		84 |   description = "IAM user access key for SMTP"
		85 |   tags = merge(
		86 |     local.tags,
		87 |     { "Name" = "postfix/app/APP_DATA_MIGRATION_SMTP_USER" }
		88 |   )
		89 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.smtp_password
	File: /ses.tf:96-103
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		96  | resource "aws_secretsmanager_secret" "smtp_password" {
		97  |   name        = "postfix/app/APP_DATA_MIGRATION_SMTP_PASSWORD"
		98  |   description = "IAM user access secret for SMTP"
		99  |   tags = merge(
		100 |     local.tags,
		101 |     { "Name" = "postfix/app/APP_DATA_MIGRATION_SMTP_PASSWORD" }
		102 |   )
		103 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.smtp_sesrsap
	File: /ses.tf:119-126
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		119 | resource "aws_secretsmanager_secret" "smtp_sesrsap" {
		120 |   name        = "postfix/app/SESRSAP"
		121 |   description = ""
		122 |   tags = merge(
		123 |     local.tags,
		124 |     { "Name" = "postfix/app/SESRSAP" }
		125 |   )
		126 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.smtp_sesrsa
	File: /ses.tf:128-135
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		128 | resource "aws_secretsmanager_secret" "smtp_sesrsa" {
		129 |   name        = "postfix/app/SESRSA"
		130 |   description = ""
		131 |   tags = merge(
		132 |     local.tags,
		133 |     { "Name" = "postfix/app/SESRSA" }
		134 |   )
		135 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.smtp
	File: /smtp.tf:46-69
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		46 | resource "aws_instance" "smtp" {
		47 |   ami                         = local.application_data.accounts[local.environment].smtp_ami_id
		48 |   availability_zone           = "eu-west-2a"
		49 |   instance_type               = local.application_data.accounts[local.environment].smtp_instance_type
		50 |   monitoring                  = true
		51 |   vpc_security_group_ids      = [aws_security_group.smtp.id]
		52 |   subnet_id                   = data.aws_subnet.data_subnets_a.id
		53 |   iam_instance_profile        = aws_iam_instance_profile.smtp.id
		54 |   user_data_base64            = base64encode(local.smtp_userdata)
		55 |   user_data_replace_on_change = true
		56 |   metadata_options {
		57 |     http_tokens = "optional"
		58 |   }
		59 | 
		60 |   tags = merge(
		61 |     { "instance-scheduling" = "skip-scheduling" },
		62 |     local.tags,
		63 |     { "Name" = "${local.application_name}-${local.environment}" }
		64 |   )
		65 | 
		66 |   depends_on = [
		67 |     aws_secretsmanager_secret_version.smtp_user, aws_secretsmanager_secret_version.smtp_password
		68 |   ]
		69 | }

Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
	FAILED for resource: aws_instance.smtp
	File: /smtp.tf:46-69
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-13

		46 | resource "aws_instance" "smtp" {
		47 |   ami                         = local.application_data.accounts[local.environment].smtp_ami_id
		48 |   availability_zone           = "eu-west-2a"
		49 |   instance_type               = local.application_data.accounts[local.environment].smtp_instance_type
		50 |   monitoring                  = true
		51 |   vpc_security_group_ids      = [aws_security_group.smtp.id]
		52 |   subnet_id                   = data.aws_subnet.data_subnets_a.id
		53 |   iam_instance_profile        = aws_iam_instance_profile.smtp.id
		54 |   user_data_base64            = base64encode(local.smtp_userdata)
		55 |   user_data_replace_on_change = true
		56 |   metadata_options {
		57 |     http_tokens = "optional"
		58 |   }
		59 | 
		60 |   tags = merge(
		61 |     { "instance-scheduling" = "skip-scheduling" },
		62 |     local.tags,
		63 |     { "Name" = "${local.application_name}-${local.environment}" }
		64 |   )
		65 | 
		66 |   depends_on = [
		67 |     aws_secretsmanager_secret_version.smtp_user, aws_secretsmanager_secret_version.smtp_password
		68 |   ]
		69 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.smtp
	File: /smtp.tf:46-69
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		46 | resource "aws_instance" "smtp" {
		47 |   ami                         = local.application_data.accounts[local.environment].smtp_ami_id
		48 |   availability_zone           = "eu-west-2a"
		49 |   instance_type               = local.application_data.accounts[local.environment].smtp_instance_type
		50 |   monitoring                  = true
		51 |   vpc_security_group_ids      = [aws_security_group.smtp.id]
		52 |   subnet_id                   = data.aws_subnet.data_subnets_a.id
		53 |   iam_instance_profile        = aws_iam_instance_profile.smtp.id
		54 |   user_data_base64            = base64encode(local.smtp_userdata)
		55 |   user_data_replace_on_change = true
		56 |   metadata_options {
		57 |     http_tokens = "optional"
		58 |   }
		59 | 
		60 |   tags = merge(
		61 |     { "instance-scheduling" = "skip-scheduling" },
		62 |     local.tags,
		63 |     { "Name" = "${local.application_name}-${local.environment}" }
		64 |   )
		65 | 
		66 |   depends_on = [
		67 |     aws_secretsmanager_secret_version.smtp_user, aws_secretsmanager_secret_version.smtp_password
		68 |   ]
		69 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.smtp_outbound
	File: /smtp.tf:87-91
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		87 | resource "aws_vpc_security_group_egress_rule" "smtp_outbound" {
		88 |   security_group_id = aws_security_group.smtp.id
		89 |   cidr_ipv4         = "0.0.0.0/0"
		90 |   ip_protocol       = "-1"
		91 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.smtp_user
	File: /ses.tf:82-89
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		82 | resource "aws_secretsmanager_secret" "smtp_user" {
		83 |   name        = "postfix/app/APP_DATA_MIGRATION_SMTP_USER"
		84 |   description = "IAM user access key for SMTP"
		85 |   tags = merge(
		86 |     local.tags,
		87 |     { "Name" = "postfix/app/APP_DATA_MIGRATION_SMTP_USER" }
		88 |   )
		89 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.smtp_password
	File: /ses.tf:96-103
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		96  | resource "aws_secretsmanager_secret" "smtp_password" {
		97  |   name        = "postfix/app/APP_DATA_MIGRATION_SMTP_PASSWORD"
		98  |   description = "IAM user access secret for SMTP"
		99  |   tags = merge(
		100 |     local.tags,
		101 |     { "Name" = "postfix/app/APP_DATA_MIGRATION_SMTP_PASSWORD" }
		102 |   )
		103 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.smtp_sesrsap
	File: /ses.tf:119-126
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		119 | resource "aws_secretsmanager_secret" "smtp_sesrsap" {
		120 |   name        = "postfix/app/SESRSAP"
		121 |   description = ""
		122 |   tags = merge(
		123 |     local.tags,
		124 |     { "Name" = "postfix/app/SESRSAP" }
		125 |   )
		126 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.smtp_sesrsa
	File: /ses.tf:128-135
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		128 | resource "aws_secretsmanager_secret" "smtp_sesrsa" {
		129 |   name        = "postfix/app/SESRSA"
		130 |   description = ""
		131 |   tags = merge(
		132 |     local.tags,
		133 |     { "Name" = "postfix/app/SESRSA" }
		134 |   )
		135 | }


checkov_exitcode=1

CTFLint Scan Success

Show Output
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/laa-mail-relay

*****************************

Running tflint in terraform/environments/laa-mail-relay
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

Trivy Scan Failed

Show Output
*****************************

Trivy will check the following folders:
terraform/environments/laa-mail-relay

*****************************

Running Trivy in terraform/environments/laa-mail-relay
2025-01-16T17:12:50Z	INFO	[vulndb] Need to update DB
2025-01-16T17:12:50Z	INFO	[vulndb] Downloading vulnerability DB...
2025-01-16T17:12:50Z	INFO	[vulndb] Downloading artifact...	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-01-16T17:12:52Z	INFO	[vulndb] Artifact successfully downloaded	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-01-16T17:12:52Z	INFO	[vuln] Vulnerability scanning is enabled
2025-01-16T17:12:52Z	INFO	[misconfig] Misconfiguration scanning is enabled
2025-01-16T17:12:52Z	INFO	[misconfig] Need to update the built-in checks
2025-01-16T17:12:52Z	INFO	[misconfig] Downloading the built-in checks...
160.80 KiB / 160.80 KiB [------------------------------------------------------] 100.00% ? p/s 100ms2025-01-16T17:12:53Z	INFO	[secret] Secret scanning is enabled
2025-01-16T17:12:53Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-01-16T17:12:53Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2025-01-16T17:12:54Z	INFO	[terraform scanner] Scanning root module	file_path="."
2025-01-16T17:12:54Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2025-01-16T17:12:54Z	INFO	Number of language-specific files	num=0
2025-01-16T17:12:54Z	INFO	Detected config files	num=3

smtp.tf (terraform)
===================
Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 smtp.tf:57
   via smtp.tf:56-58 (metadata_options)
    via smtp.tf:46-69 (aws_instance.smtp)
────────────────────────────────────────
  46   resource "aws_instance" "smtp" {
  ..   
  57 [     http_tokens = "optional"
  ..   
  69   }
────────────────────────────────────────


AVD-AWS-0131 (HIGH): Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.


See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
 smtp.tf:46-69
────────────────────────────────────────
  46resource "aws_instance" "smtp" {
  47 │   ami                         = local.application_data.accounts[local.environment].smtp_ami_id
  48 │   availability_zone           = "eu-west-2a"
  49 │   instance_type               = local.application_data.accounts[local.environment].smtp_instance_type
  50 │   monitoring                  = true
  51 │   vpc_security_group_ids      = [aws_security_group.smtp.id]
  52 │   subnet_id                   = data.aws_subnet.data_subnets_a.id
  53 │   iam_instance_profile        = aws_iam_instance_profile.smtp.id
  54 └   user_data_base64            = base64encode(local.smtp_userdata)
  ..   
────────────────────────────────────────


trivy_exitcode=1

@vc13837 vc13837 deployed to laa-mail-relay-development January 16, 2025 17:25 — with GitHub Actions Active
Copy link
Contributor

@modernisation-platform-ci modernisation-platform-ci left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Terraform plan evaluation detected changes to resources that require approval from @ministryofjustice/modernsation-platform - please contact #ask-modernisation-platform for assistance

@modernisation-platform-ci
Copy link
Contributor

@vc13837 Terraform plan evaluation detected changes to resources that require approval from a member of @ministryofjustice/modernisation-platform - please contact #ask-modernisation-platform for assistance

Guidance on approving these PRs is available at https://user-guide.modernisation-platform.service.justice.gov.uk/runbooks/reviewing-mp-environments-prs.html#process-for-approving-prs

Copy link
Contributor

@modernisation-platform-ci modernisation-platform-ci left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Terraform plan evaluation detected changes to resources that require approval from @ministryofjustice/modernsation-platform - please contact #ask-modernisation-platform for assistance

@vc13837 vc13837 temporarily deployed to laa-mail-relay-test January 16, 2025 17:38 — with GitHub Actions Inactive
@modernisation-platform-ci
Copy link
Contributor

@vc13837 Terraform plan evaluation detected changes to resources that require approval from a member of @ministryofjustice/modernisation-platform - please contact #ask-modernisation-platform for assistance

Guidance on approving these PRs is available at https://user-guide.modernisation-platform.service.justice.gov.uk/runbooks/reviewing-mp-environments-prs.html#process-for-approving-prs

@modernisation-platform-ci
Copy link
Contributor

@vc13837 Terraform plan evaluation detected changes to resources that require approval from a member of @ministryofjustice/modernisation-platform - please contact #ask-modernisation-platform for assistance

Guidance on approving these PRs is available at https://user-guide.modernisation-platform.service.justice.gov.uk/runbooks/reviewing-mp-environments-prs.html#process-for-approving-prs

Copy link
Contributor

@modernisation-platform-ci modernisation-platform-ci left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Terraform plan evaluation detected changes to resources that require approval from @ministryofjustice/modernsation-platform - please contact #ask-modernisation-platform for assistance

@modernisation-platform-ci
Copy link
Contributor

@vc13837 Terraform plan evaluation detected changes to resources that require approval from a member of @ministryofjustice/modernisation-platform - please contact #ask-modernisation-platform for assistance

Guidance on approving these PRs is available at https://user-guide.modernisation-platform.service.justice.gov.uk/runbooks/reviewing-mp-environments-prs.html#process-for-approving-prs

1 similar comment
@modernisation-platform-ci
Copy link
Contributor

@vc13837 Terraform plan evaluation detected changes to resources that require approval from a member of @ministryofjustice/modernisation-platform - please contact #ask-modernisation-platform for assistance

Guidance on approving these PRs is available at https://user-guide.modernisation-platform.service.justice.gov.uk/runbooks/reviewing-mp-environments-prs.html#process-for-approving-prs

Copy link
Contributor

@modernisation-platform-ci modernisation-platform-ci left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Terraform plan evaluation detected changes to resources that require approval from @ministryofjustice/modernsation-platform - please contact #ask-modernisation-platform for assistance

Copy link
Contributor

@modernisation-platform-ci modernisation-platform-ci left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Terraform plan evaluation detected changes to resources that require approval from @ministryofjustice/modernsation-platform - please contact #ask-modernisation-platform for assistance

@modernisation-platform-ci
Copy link
Contributor

@vc13837 Terraform plan evaluation detected changes to resources that require approval from a member of @ministryofjustice/modernisation-platform - please contact #ask-modernisation-platform for assistance

Guidance on approving these PRs is available at https://user-guide.modernisation-platform.service.justice.gov.uk/runbooks/reviewing-mp-environments-prs.html#process-for-approving-prs

Copy link
Contributor

Trivy Scan Failed

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/laa-mail-relay


Running Trivy in terraform/environments/laa-mail-relay
2025-01-16T17:58:07Z INFO [vulndb] Need to update DB
2025-01-16T17:58:07Z INFO [vulndb] Downloading vulnerability DB...
2025-01-16T17:58:07Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-01-16T17:58:09Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-01-16T17:58:09Z INFO [vuln] Vulnerability scanning is enabled
2025-01-16T17:58:09Z INFO [misconfig] Misconfiguration scanning is enabled
2025-01-16T17:58:09Z INFO [misconfig] Need to update the built-in checks
2025-01-16T17:58:09Z INFO [misconfig] Downloading the built-in checks...
160.80 KiB / 160.80 KiB [------------------------------------------------------] 100.00% ? p/s 100ms2025-01-16T17:58:10Z INFO [secret] Secret scanning is enabled
2025-01-16T17:58:10Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-01-16T17:58:10Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2025-01-16T17:58:11Z INFO [terraform scanner] Scanning root module file_path="."
2025-01-16T17:58:11Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2025-01-16T17:58:11Z INFO Number of language-specific files num=0
2025-01-16T17:58:11Z INFO Detected config files num=3

smtp.tf (terraform)

Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
smtp.tf:57
via smtp.tf:56-58 (metadata_options)
via smtp.tf:46-69 (aws_instance.smtp)
────────────────────────────────────────
46 resource "aws_instance" "smtp" {
..
57 [ http_tokens = "optional"
..
69 }
────────────────────────────────────────

AVD-AWS-0131 (HIGH): Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.

See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
smtp.tf:46-69
────────────────────────────────────────
46 ┌ resource "aws_instance" "smtp" {
47 │ ami = local.application_data.accounts[local.environment].smtp_ami_id
48 │ availability_zone = "eu-west-2a"
49 │ instance_type = local.application_data.accounts[local.environment].smtp_instance_type
50 │ monitoring = true
51 │ vpc_security_group_ids = [aws_security_group.smtp.id]
52 │ subnet_id = data.aws_subnet.data_subnets_a.id
53 │ iam_instance_profile = aws_iam_instance_profile.smtp.id
54 └ user_data_base64 = base64encode(local.smtp_userdata)
..
────────────────────────────────────────

trivy_exitcode=1

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/laa-mail-relay

*****************************

Running Checkov in terraform/environments/laa-mail-relay
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
terraform scan results:

Passed checks: 51, Failed checks: 20, Skipped checks: 0

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.smtp
	File: /ec2_iam_profile.tf:43-79
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		43 | resource "aws_iam_policy" "smtp" {
		44 |   name = "${local.application_name}-iam-policy"
		45 |   tags = merge(
		46 |     local.tags,
		47 |     {
		48 |       Name = "${local.application_name}-iam-policy"
		49 |     }
		50 |   )
		51 |   policy = <<EOF
		52 | {
		53 |     "Version" : "2012-10-17",
		54 |     "Statement": [
		55 |         {
		56 |             "Action": [
		57 |                 "logs:CreateLogGroup",
		58 |                 "logs:CreateLogStream",
		59 |                 "logs:DescribeLogStreams",
		60 |                 "logs:PutRetentionPolicy",
		61 |                 "logs:PutLogEvents",
		62 |                 "ec2:DescribeInstances"
		63 |             ],
		64 |             "Resource": "*",
		65 |             "Effect": "Allow"
		66 |         },
		67 |         {
		68 |             "Action": [
		69 |                 "secretsmanager:GetSecretValue"
		70 |             ],
		71 |             "Resource": [
		72 |                 "arn:aws:secretsmanager:eu-west-2:${data.aws_caller_identity.current.account_id}:secret:postfix/app/*"
		73 |             ],
		74 |             "Effect": "Allow"
		75 |         }
		76 |     ]
		77 | }
		78 | EOF
		79 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.smtp
	File: /ec2_iam_profile.tf:43-79
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		43 | resource "aws_iam_policy" "smtp" {
		44 |   name = "${local.application_name}-iam-policy"
		45 |   tags = merge(
		46 |     local.tags,
		47 |     {
		48 |       Name = "${local.application_name}-iam-policy"
		49 |     }
		50 |   )
		51 |   policy = <<EOF
		52 | {
		53 |     "Version" : "2012-10-17",
		54 |     "Statement": [
		55 |         {
		56 |             "Action": [
		57 |                 "logs:CreateLogGroup",
		58 |                 "logs:CreateLogStream",
		59 |                 "logs:DescribeLogStreams",
		60 |                 "logs:PutRetentionPolicy",
		61 |                 "logs:PutLogEvents",
		62 |                 "ec2:DescribeInstances"
		63 |             ],
		64 |             "Resource": "*",
		65 |             "Effect": "Allow"
		66 |         },
		67 |         {
		68 |             "Action": [
		69 |                 "secretsmanager:GetSecretValue"
		70 |             ],
		71 |             "Resource": [
		72 |                 "arn:aws:secretsmanager:eu-west-2:${data.aws_caller_identity.current.account_id}:secret:postfix/app/*"
		73 |             ],
		74 |             "Effect": "Allow"
		75 |         }
		76 |     ]
		77 | }
		78 | EOF
		79 | }

Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
	FAILED for resource: aws_iam_user.smtp
	File: /ses.tf:57-60
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-273

		57 | resource "aws_iam_user" "smtp" {
		58 |   name = "${local.application_name}-${local.application_data.accounts[local.environment].env_short}-user"
		59 |   tags = local.tags
		60 | }

Check: CKV_AWS_40: "Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.)"
	FAILED for resource: aws_iam_user_policy.smtp_user
	File: /ses.tf:74-78
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/iam-16-iam-policy-privileges-1

		74 | resource "aws_iam_user_policy" "smtp_user" {
		75 |   name   = "AmazonSesSendingAccess"
		76 |   user   = aws_iam_user.smtp.name
		77 |   policy = data.aws_iam_policy_document.smtp_user.json
		78 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.smtp_user
	File: /ses.tf:82-89
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		82 | resource "aws_secretsmanager_secret" "smtp_user" {
		83 |   name        = "postfix/app/APP_DATA_MIGRATION_SMTP_USER"
		84 |   description = "IAM user access key for SMTP"
		85 |   tags = merge(
		86 |     local.tags,
		87 |     { "Name" = "postfix/app/APP_DATA_MIGRATION_SMTP_USER" }
		88 |   )
		89 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.smtp_password
	File: /ses.tf:96-103
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		96  | resource "aws_secretsmanager_secret" "smtp_password" {
		97  |   name        = "postfix/app/APP_DATA_MIGRATION_SMTP_PASSWORD"
		98  |   description = "IAM user access secret for SMTP"
		99  |   tags = merge(
		100 |     local.tags,
		101 |     { "Name" = "postfix/app/APP_DATA_MIGRATION_SMTP_PASSWORD" }
		102 |   )
		103 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.smtp_sesans
	File: /ses.tf:110-117
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		110 | resource "aws_secretsmanager_secret" "smtp_sesans" {
		111 |   name        = "postfix/app/SESANS_MP"
		112 |   description = "Secret to pull from Ansible code from https://github.com/ministryofjustice/laa-aws-postfix-smtp"
		113 |   tags = merge(
		114 |     local.tags,
		115 |     { "Name" = "postfix/app/SESANS_MP" }
		116 |   )
		117 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.smtp_sesrsap
	File: /ses.tf:119-126
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		119 | resource "aws_secretsmanager_secret" "smtp_sesrsap" {
		120 |   name        = "postfix/app/SESRSAP"
		121 |   description = ""
		122 |   tags = merge(
		123 |     local.tags,
		124 |     { "Name" = "postfix/app/SESRSAP" }
		125 |   )
		126 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.smtp_sesrsa
	File: /ses.tf:128-135
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		128 | resource "aws_secretsmanager_secret" "smtp_sesrsa" {
		129 |   name        = "postfix/app/SESRSA"
		130 |   description = ""
		131 |   tags = merge(
		132 |     local.tags,
		133 |     { "Name" = "postfix/app/SESRSA" }
		134 |   )
		135 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.smtp_user
	File: /ses.tf:66-72
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		66 | data "aws_iam_policy_document" "smtp_user" {
		67 |   statement {
		68 |     effect    = "Allow"
		69 |     actions   = ["ses:SendRawEmail"]
		70 |     resources = ["*"]
		71 |   }
		72 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.smtp_user
	File: /ses.tf:66-72
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		66 | data "aws_iam_policy_document" "smtp_user" {
		67 |   statement {
		68 |     effect    = "Allow"
		69 |     actions   = ["ses:SendRawEmail"]
		70 |     resources = ["*"]
		71 |   }
		72 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.smtp
	File: /smtp.tf:46-69
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		46 | resource "aws_instance" "smtp" {
		47 |   ami                         = local.application_data.accounts[local.environment].smtp_ami_id
		48 |   availability_zone           = "eu-west-2a"
		49 |   instance_type               = local.application_data.accounts[local.environment].smtp_instance_type
		50 |   monitoring                  = true
		51 |   vpc_security_group_ids      = [aws_security_group.smtp.id]
		52 |   subnet_id                   = data.aws_subnet.data_subnets_a.id
		53 |   iam_instance_profile        = aws_iam_instance_profile.smtp.id
		54 |   user_data_base64            = base64encode(local.smtp_userdata)
		55 |   user_data_replace_on_change = true
		56 |   metadata_options {
		57 |     http_tokens = "optional"
		58 |   }
		59 | 
		60 |   tags = merge(
		61 |     { "instance-scheduling" = "skip-scheduling" },
		62 |     local.tags,
		63 |     { "Name" = "${local.application_name}-${local.environment}" }
		64 |   )
		65 | 
		66 |   # depends_on = [
		67 |   #   aws_secretsmanager_secret_version.smtp_user, aws_secretsmanager_secret_version.smtp_password
		68 |   # ]
		69 | }

Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
	FAILED for resource: aws_instance.smtp
	File: /smtp.tf:46-69
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-13

		46 | resource "aws_instance" "smtp" {
		47 |   ami                         = local.application_data.accounts[local.environment].smtp_ami_id
		48 |   availability_zone           = "eu-west-2a"
		49 |   instance_type               = local.application_data.accounts[local.environment].smtp_instance_type
		50 |   monitoring                  = true
		51 |   vpc_security_group_ids      = [aws_security_group.smtp.id]
		52 |   subnet_id                   = data.aws_subnet.data_subnets_a.id
		53 |   iam_instance_profile        = aws_iam_instance_profile.smtp.id
		54 |   user_data_base64            = base64encode(local.smtp_userdata)
		55 |   user_data_replace_on_change = true
		56 |   metadata_options {
		57 |     http_tokens = "optional"
		58 |   }
		59 | 
		60 |   tags = merge(
		61 |     { "instance-scheduling" = "skip-scheduling" },
		62 |     local.tags,
		63 |     { "Name" = "${local.application_name}-${local.environment}" }
		64 |   )
		65 | 
		66 |   # depends_on = [
		67 |   #   aws_secretsmanager_secret_version.smtp_user, aws_secretsmanager_secret_version.smtp_password
		68 |   # ]
		69 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.smtp
	File: /smtp.tf:46-69
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		46 | resource "aws_instance" "smtp" {
		47 |   ami                         = local.application_data.accounts[local.environment].smtp_ami_id
		48 |   availability_zone           = "eu-west-2a"
		49 |   instance_type               = local.application_data.accounts[local.environment].smtp_instance_type
		50 |   monitoring                  = true
		51 |   vpc_security_group_ids      = [aws_security_group.smtp.id]
		52 |   subnet_id                   = data.aws_subnet.data_subnets_a.id
		53 |   iam_instance_profile        = aws_iam_instance_profile.smtp.id
		54 |   user_data_base64            = base64encode(local.smtp_userdata)
		55 |   user_data_replace_on_change = true
		56 |   metadata_options {
		57 |     http_tokens = "optional"
		58 |   }
		59 | 
		60 |   tags = merge(
		61 |     { "instance-scheduling" = "skip-scheduling" },
		62 |     local.tags,
		63 |     { "Name" = "${local.application_name}-${local.environment}" }
		64 |   )
		65 | 
		66 |   # depends_on = [
		67 |   #   aws_secretsmanager_secret_version.smtp_user, aws_secretsmanager_secret_version.smtp_password
		68 |   # ]
		69 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.smtp_outbound
	File: /smtp.tf:87-91
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		87 | resource "aws_vpc_security_group_egress_rule" "smtp_outbound" {
		88 |   security_group_id = aws_security_group.smtp.id
		89 |   cidr_ipv4         = "0.0.0.0/0"
		90 |   ip_protocol       = "-1"
		91 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.smtp_user
	File: /ses.tf:82-89
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		82 | resource "aws_secretsmanager_secret" "smtp_user" {
		83 |   name        = "postfix/app/APP_DATA_MIGRATION_SMTP_USER"
		84 |   description = "IAM user access key for SMTP"
		85 |   tags = merge(
		86 |     local.tags,
		87 |     { "Name" = "postfix/app/APP_DATA_MIGRATION_SMTP_USER" }
		88 |   )
		89 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.smtp_password
	File: /ses.tf:96-103
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		96  | resource "aws_secretsmanager_secret" "smtp_password" {
		97  |   name        = "postfix/app/APP_DATA_MIGRATION_SMTP_PASSWORD"
		98  |   description = "IAM user access secret for SMTP"
		99  |   tags = merge(
		100 |     local.tags,
		101 |     { "Name" = "postfix/app/APP_DATA_MIGRATION_SMTP_PASSWORD" }
		102 |   )
		103 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.smtp_sesans
	File: /ses.tf:110-117
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		110 | resource "aws_secretsmanager_secret" "smtp_sesans" {
		111 |   name        = "postfix/app/SESANS_MP"
		112 |   description = "Secret to pull from Ansible code from https://github.com/ministryofjustice/laa-aws-postfix-smtp"
		113 |   tags = merge(
		114 |     local.tags,
		115 |     { "Name" = "postfix/app/SESANS_MP" }
		116 |   )
		117 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.smtp_sesrsap
	File: /ses.tf:119-126
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		119 | resource "aws_secretsmanager_secret" "smtp_sesrsap" {
		120 |   name        = "postfix/app/SESRSAP"
		121 |   description = ""
		122 |   tags = merge(
		123 |     local.tags,
		124 |     { "Name" = "postfix/app/SESRSAP" }
		125 |   )
		126 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.smtp_sesrsa
	File: /ses.tf:128-135
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		128 | resource "aws_secretsmanager_secret" "smtp_sesrsa" {
		129 |   name        = "postfix/app/SESRSA"
		130 |   description = ""
		131 |   tags = merge(
		132 |     local.tags,
		133 |     { "Name" = "postfix/app/SESRSA" }
		134 |   )
		135 | }


checkov_exitcode=1

CTFLint Scan Success

Show Output
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/laa-mail-relay

*****************************

Running tflint in terraform/environments/laa-mail-relay
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

Trivy Scan Failed

Show Output
*****************************

Trivy will check the following folders:
terraform/environments/laa-mail-relay

*****************************

Running Trivy in terraform/environments/laa-mail-relay
2025-01-16T17:58:07Z	INFO	[vulndb] Need to update DB
2025-01-16T17:58:07Z	INFO	[vulndb] Downloading vulnerability DB...
2025-01-16T17:58:07Z	INFO	[vulndb] Downloading artifact...	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-01-16T17:58:09Z	INFO	[vulndb] Artifact successfully downloaded	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-01-16T17:58:09Z	INFO	[vuln] Vulnerability scanning is enabled
2025-01-16T17:58:09Z	INFO	[misconfig] Misconfiguration scanning is enabled
2025-01-16T17:58:09Z	INFO	[misconfig] Need to update the built-in checks
2025-01-16T17:58:09Z	INFO	[misconfig] Downloading the built-in checks...
160.80 KiB / 160.80 KiB [------------------------------------------------------] 100.00% ? p/s 100ms2025-01-16T17:58:10Z	INFO	[secret] Secret scanning is enabled
2025-01-16T17:58:10Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-01-16T17:58:10Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2025-01-16T17:58:11Z	INFO	[terraform scanner] Scanning root module	file_path="."
2025-01-16T17:58:11Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2025-01-16T17:58:11Z	INFO	Number of language-specific files	num=0
2025-01-16T17:58:11Z	INFO	Detected config files	num=3

smtp.tf (terraform)
===================
Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 smtp.tf:57
   via smtp.tf:56-58 (metadata_options)
    via smtp.tf:46-69 (aws_instance.smtp)
────────────────────────────────────────
  46   resource "aws_instance" "smtp" {
  ..   
  57 [     http_tokens = "optional"
  ..   
  69   }
────────────────────────────────────────


AVD-AWS-0131 (HIGH): Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.


See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
 smtp.tf:46-69
────────────────────────────────────────
  46resource "aws_instance" "smtp" {
  47 │   ami                         = local.application_data.accounts[local.environment].smtp_ami_id
  48 │   availability_zone           = "eu-west-2a"
  49 │   instance_type               = local.application_data.accounts[local.environment].smtp_instance_type
  50 │   monitoring                  = true
  51 │   vpc_security_group_ids      = [aws_security_group.smtp.id]
  52 │   subnet_id                   = data.aws_subnet.data_subnets_a.id
  53 │   iam_instance_profile        = aws_iam_instance_profile.smtp.id
  54 └   user_data_base64            = base64encode(local.smtp_userdata)
  ..   
────────────────────────────────────────


trivy_exitcode=1

ASTRobinson
ASTRobinson previously approved these changes Jan 17, 2025
@vc13837 vc13837 had a problem deploying to laa-mail-relay-development January 17, 2025 09:47 — with GitHub Actions Error
@vc13837 vc13837 temporarily deployed to laa-mail-relay-test January 17, 2025 10:03 — with GitHub Actions Inactive
Copy link
Contributor

Trivy Scan Failed

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/laa-mail-relay


Running Trivy in terraform/environments/laa-mail-relay
2025-01-17T10:18:19Z INFO [vulndb] Need to update DB
2025-01-17T10:18:19Z INFO [vulndb] Downloading vulnerability DB...
2025-01-17T10:18:19Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-01-17T10:18:21Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-01-17T10:18:21Z INFO [vuln] Vulnerability scanning is enabled
2025-01-17T10:18:21Z INFO [misconfig] Misconfiguration scanning is enabled
2025-01-17T10:18:21Z INFO [misconfig] Need to update the built-in checks
2025-01-17T10:18:21Z INFO [misconfig] Downloading the built-in checks...
160.80 KiB / 160.80 KiB [------------------------------------------------------] 100.00% ? p/s 100ms2025-01-17T10:18:21Z INFO [secret] Secret scanning is enabled
2025-01-17T10:18:21Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-01-17T10:18:21Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2025-01-17T10:18:22Z INFO [terraform scanner] Scanning root module file_path="."
2025-01-17T10:18:22Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2025-01-17T10:18:22Z INFO Number of language-specific files num=0
2025-01-17T10:18:22Z INFO Detected config files num=3

smtp.tf (terraform)

Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
smtp.tf:57
via smtp.tf:56-58 (metadata_options)
via smtp.tf:46-69 (aws_instance.smtp)
────────────────────────────────────────
46 resource "aws_instance" "smtp" {
..
57 [ http_tokens = "optional"
..
69 }
────────────────────────────────────────

AVD-AWS-0131 (HIGH): Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.

See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
smtp.tf:46-69
────────────────────────────────────────
46 ┌ resource "aws_instance" "smtp" {
47 │ ami = local.application_data.accounts[local.environment].smtp_ami_id
48 │ availability_zone = "eu-west-2a"
49 │ instance_type = local.application_data.accounts[local.environment].smtp_instance_type
50 │ monitoring = true
51 │ vpc_security_group_ids = [aws_security_group.smtp.id]
52 │ subnet_id = data.aws_subnet.data_subnets_a.id
53 │ iam_instance_profile = aws_iam_instance_profile.smtp.id
54 └ user_data_base64 = base64encode(local.smtp_userdata)
..
────────────────────────────────────────

trivy_exitcode=1

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/laa-mail-relay

*****************************

Running Checkov in terraform/environments/laa-mail-relay
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
terraform scan results:

Passed checks: 51, Failed checks: 20, Skipped checks: 0

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.smtp
	File: /ec2_iam_profile.tf:43-79
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		43 | resource "aws_iam_policy" "smtp" {
		44 |   name = "${local.application_name}-iam-policy"
		45 |   tags = merge(
		46 |     local.tags,
		47 |     {
		48 |       Name = "${local.application_name}-iam-policy"
		49 |     }
		50 |   )
		51 |   policy = <<EOF
		52 | {
		53 |     "Version" : "2012-10-17",
		54 |     "Statement": [
		55 |         {
		56 |             "Action": [
		57 |                 "logs:CreateLogGroup",
		58 |                 "logs:CreateLogStream",
		59 |                 "logs:DescribeLogStreams",
		60 |                 "logs:PutRetentionPolicy",
		61 |                 "logs:PutLogEvents",
		62 |                 "ec2:DescribeInstances"
		63 |             ],
		64 |             "Resource": "*",
		65 |             "Effect": "Allow"
		66 |         },
		67 |         {
		68 |             "Action": [
		69 |                 "secretsmanager:GetSecretValue"
		70 |             ],
		71 |             "Resource": [
		72 |                 "arn:aws:secretsmanager:eu-west-2:${data.aws_caller_identity.current.account_id}:secret:postfix/app/*"
		73 |             ],
		74 |             "Effect": "Allow"
		75 |         }
		76 |     ]
		77 | }
		78 | EOF
		79 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.smtp
	File: /ec2_iam_profile.tf:43-79
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		43 | resource "aws_iam_policy" "smtp" {
		44 |   name = "${local.application_name}-iam-policy"
		45 |   tags = merge(
		46 |     local.tags,
		47 |     {
		48 |       Name = "${local.application_name}-iam-policy"
		49 |     }
		50 |   )
		51 |   policy = <<EOF
		52 | {
		53 |     "Version" : "2012-10-17",
		54 |     "Statement": [
		55 |         {
		56 |             "Action": [
		57 |                 "logs:CreateLogGroup",
		58 |                 "logs:CreateLogStream",
		59 |                 "logs:DescribeLogStreams",
		60 |                 "logs:PutRetentionPolicy",
		61 |                 "logs:PutLogEvents",
		62 |                 "ec2:DescribeInstances"
		63 |             ],
		64 |             "Resource": "*",
		65 |             "Effect": "Allow"
		66 |         },
		67 |         {
		68 |             "Action": [
		69 |                 "secretsmanager:GetSecretValue"
		70 |             ],
		71 |             "Resource": [
		72 |                 "arn:aws:secretsmanager:eu-west-2:${data.aws_caller_identity.current.account_id}:secret:postfix/app/*"
		73 |             ],
		74 |             "Effect": "Allow"
		75 |         }
		76 |     ]
		77 | }
		78 | EOF
		79 | }

Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
	FAILED for resource: aws_iam_user.smtp
	File: /ses.tf:57-60
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-273

		57 | resource "aws_iam_user" "smtp" {
		58 |   name = "${local.application_name}-${local.application_data.accounts[local.environment].env_short}-user"
		59 |   tags = local.tags
		60 | }

Check: CKV_AWS_40: "Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.)"
	FAILED for resource: aws_iam_user_policy.smtp_user
	File: /ses.tf:74-78
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/iam-16-iam-policy-privileges-1

		74 | resource "aws_iam_user_policy" "smtp_user" {
		75 |   name   = "AmazonSesSendingAccess"
		76 |   user   = aws_iam_user.smtp.name
		77 |   policy = data.aws_iam_policy_document.smtp_user.json
		78 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.smtp_user
	File: /ses.tf:82-89
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		82 | resource "aws_secretsmanager_secret" "smtp_user" {
		83 |   name        = "postfix/app/APP_DATA_MIGRATION_SMTP_USER"
		84 |   description = "IAM user access key for SMTP"
		85 |   tags = merge(
		86 |     local.tags,
		87 |     { "Name" = "postfix/app/APP_DATA_MIGRATION_SMTP_USER" }
		88 |   )
		89 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.smtp_password
	File: /ses.tf:96-103
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		96  | resource "aws_secretsmanager_secret" "smtp_password" {
		97  |   name        = "postfix/app/APP_DATA_MIGRATION_SMTP_PASSWORD"
		98  |   description = "IAM user access secret for SMTP"
		99  |   tags = merge(
		100 |     local.tags,
		101 |     { "Name" = "postfix/app/APP_DATA_MIGRATION_SMTP_PASSWORD" }
		102 |   )
		103 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.smtp_sesans
	File: /ses.tf:110-117
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		110 | resource "aws_secretsmanager_secret" "smtp_sesans" {
		111 |   name        = "postfix/app/SESANS_MP"
		112 |   description = "Secret to pull from Ansible code from https://github.com/ministryofjustice/laa-aws-postfix-smtp"
		113 |   tags = merge(
		114 |     local.tags,
		115 |     { "Name" = "postfix/app/SESANS_MP" }
		116 |   )
		117 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.smtp_sesrsap
	File: /ses.tf:119-126
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		119 | resource "aws_secretsmanager_secret" "smtp_sesrsap" {
		120 |   name        = "postfix/app/SESRSAP"
		121 |   description = ""
		122 |   tags = merge(
		123 |     local.tags,
		124 |     { "Name" = "postfix/app/SESRSAP" }
		125 |   )
		126 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.smtp_sesrsa
	File: /ses.tf:128-135
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		128 | resource "aws_secretsmanager_secret" "smtp_sesrsa" {
		129 |   name        = "postfix/app/SESRSA"
		130 |   description = ""
		131 |   tags = merge(
		132 |     local.tags,
		133 |     { "Name" = "postfix/app/SESRSA" }
		134 |   )
		135 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.smtp_user
	File: /ses.tf:66-72
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		66 | data "aws_iam_policy_document" "smtp_user" {
		67 |   statement {
		68 |     effect    = "Allow"
		69 |     actions   = ["ses:SendRawEmail"]
		70 |     resources = ["*"]
		71 |   }
		72 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.smtp_user
	File: /ses.tf:66-72
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		66 | data "aws_iam_policy_document" "smtp_user" {
		67 |   statement {
		68 |     effect    = "Allow"
		69 |     actions   = ["ses:SendRawEmail"]
		70 |     resources = ["*"]
		71 |   }
		72 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.smtp
	File: /smtp.tf:46-69
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		46 | resource "aws_instance" "smtp" {
		47 |   ami                         = local.application_data.accounts[local.environment].smtp_ami_id
		48 |   availability_zone           = "eu-west-2a"
		49 |   instance_type               = local.application_data.accounts[local.environment].smtp_instance_type
		50 |   monitoring                  = true
		51 |   vpc_security_group_ids      = [aws_security_group.smtp.id]
		52 |   subnet_id                   = data.aws_subnet.data_subnets_a.id
		53 |   iam_instance_profile        = aws_iam_instance_profile.smtp.id
		54 |   user_data_base64            = base64encode(local.smtp_userdata)
		55 |   user_data_replace_on_change = true
		56 |   metadata_options {
		57 |     http_tokens = "optional"
		58 |   }
		59 | 
		60 |   tags = merge(
		61 |     { "instance-scheduling" = "skip-scheduling" },
		62 |     local.tags,
		63 |     { "Name" = "${local.application_name}-${local.environment}" }
		64 |   )
		65 | 
		66 |   depends_on = [
		67 |     aws_secretsmanager_secret_version.smtp_user, aws_secretsmanager_secret_version.smtp_password
		68 |   ]
		69 | }

Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
	FAILED for resource: aws_instance.smtp
	File: /smtp.tf:46-69
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-13

		46 | resource "aws_instance" "smtp" {
		47 |   ami                         = local.application_data.accounts[local.environment].smtp_ami_id
		48 |   availability_zone           = "eu-west-2a"
		49 |   instance_type               = local.application_data.accounts[local.environment].smtp_instance_type
		50 |   monitoring                  = true
		51 |   vpc_security_group_ids      = [aws_security_group.smtp.id]
		52 |   subnet_id                   = data.aws_subnet.data_subnets_a.id
		53 |   iam_instance_profile        = aws_iam_instance_profile.smtp.id
		54 |   user_data_base64            = base64encode(local.smtp_userdata)
		55 |   user_data_replace_on_change = true
		56 |   metadata_options {
		57 |     http_tokens = "optional"
		58 |   }
		59 | 
		60 |   tags = merge(
		61 |     { "instance-scheduling" = "skip-scheduling" },
		62 |     local.tags,
		63 |     { "Name" = "${local.application_name}-${local.environment}" }
		64 |   )
		65 | 
		66 |   depends_on = [
		67 |     aws_secretsmanager_secret_version.smtp_user, aws_secretsmanager_secret_version.smtp_password
		68 |   ]
		69 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.smtp
	File: /smtp.tf:46-69
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		46 | resource "aws_instance" "smtp" {
		47 |   ami                         = local.application_data.accounts[local.environment].smtp_ami_id
		48 |   availability_zone           = "eu-west-2a"
		49 |   instance_type               = local.application_data.accounts[local.environment].smtp_instance_type
		50 |   monitoring                  = true
		51 |   vpc_security_group_ids      = [aws_security_group.smtp.id]
		52 |   subnet_id                   = data.aws_subnet.data_subnets_a.id
		53 |   iam_instance_profile        = aws_iam_instance_profile.smtp.id
		54 |   user_data_base64            = base64encode(local.smtp_userdata)
		55 |   user_data_replace_on_change = true
		56 |   metadata_options {
		57 |     http_tokens = "optional"
		58 |   }
		59 | 
		60 |   tags = merge(
		61 |     { "instance-scheduling" = "skip-scheduling" },
		62 |     local.tags,
		63 |     { "Name" = "${local.application_name}-${local.environment}" }
		64 |   )
		65 | 
		66 |   depends_on = [
		67 |     aws_secretsmanager_secret_version.smtp_user, aws_secretsmanager_secret_version.smtp_password
		68 |   ]
		69 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.smtp_outbound
	File: /smtp.tf:87-91
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		87 | resource "aws_vpc_security_group_egress_rule" "smtp_outbound" {
		88 |   security_group_id = aws_security_group.smtp.id
		89 |   cidr_ipv4         = "0.0.0.0/0"
		90 |   ip_protocol       = "-1"
		91 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.smtp_user
	File: /ses.tf:82-89
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		82 | resource "aws_secretsmanager_secret" "smtp_user" {
		83 |   name        = "postfix/app/APP_DATA_MIGRATION_SMTP_USER"
		84 |   description = "IAM user access key for SMTP"
		85 |   tags = merge(
		86 |     local.tags,
		87 |     { "Name" = "postfix/app/APP_DATA_MIGRATION_SMTP_USER" }
		88 |   )
		89 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.smtp_password
	File: /ses.tf:96-103
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		96  | resource "aws_secretsmanager_secret" "smtp_password" {
		97  |   name        = "postfix/app/APP_DATA_MIGRATION_SMTP_PASSWORD"
		98  |   description = "IAM user access secret for SMTP"
		99  |   tags = merge(
		100 |     local.tags,
		101 |     { "Name" = "postfix/app/APP_DATA_MIGRATION_SMTP_PASSWORD" }
		102 |   )
		103 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.smtp_sesans
	File: /ses.tf:110-117
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		110 | resource "aws_secretsmanager_secret" "smtp_sesans" {
		111 |   name        = "postfix/app/SESANS_MP"
		112 |   description = "Secret to pull from Ansible code from https://github.com/ministryofjustice/laa-aws-postfix-smtp"
		113 |   tags = merge(
		114 |     local.tags,
		115 |     { "Name" = "postfix/app/SESANS_MP" }
		116 |   )
		117 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.smtp_sesrsap
	File: /ses.tf:119-126
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		119 | resource "aws_secretsmanager_secret" "smtp_sesrsap" {
		120 |   name        = "postfix/app/SESRSAP"
		121 |   description = ""
		122 |   tags = merge(
		123 |     local.tags,
		124 |     { "Name" = "postfix/app/SESRSAP" }
		125 |   )
		126 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.smtp_sesrsa
	File: /ses.tf:128-135
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		128 | resource "aws_secretsmanager_secret" "smtp_sesrsa" {
		129 |   name        = "postfix/app/SESRSA"
		130 |   description = ""
		131 |   tags = merge(
		132 |     local.tags,
		133 |     { "Name" = "postfix/app/SESRSA" }
		134 |   )
		135 | }


checkov_exitcode=1

CTFLint Scan Success

Show Output
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/laa-mail-relay

*****************************

Running tflint in terraform/environments/laa-mail-relay
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

Trivy Scan Failed

Show Output
*****************************

Trivy will check the following folders:
terraform/environments/laa-mail-relay

*****************************

Running Trivy in terraform/environments/laa-mail-relay
2025-01-17T10:18:19Z	INFO	[vulndb] Need to update DB
2025-01-17T10:18:19Z	INFO	[vulndb] Downloading vulnerability DB...
2025-01-17T10:18:19Z	INFO	[vulndb] Downloading artifact...	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-01-17T10:18:21Z	INFO	[vulndb] Artifact successfully downloaded	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-01-17T10:18:21Z	INFO	[vuln] Vulnerability scanning is enabled
2025-01-17T10:18:21Z	INFO	[misconfig] Misconfiguration scanning is enabled
2025-01-17T10:18:21Z	INFO	[misconfig] Need to update the built-in checks
2025-01-17T10:18:21Z	INFO	[misconfig] Downloading the built-in checks...
160.80 KiB / 160.80 KiB [------------------------------------------------------] 100.00% ? p/s 100ms2025-01-17T10:18:21Z	INFO	[secret] Secret scanning is enabled
2025-01-17T10:18:21Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-01-17T10:18:21Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2025-01-17T10:18:22Z	INFO	[terraform scanner] Scanning root module	file_path="."
2025-01-17T10:18:22Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2025-01-17T10:18:22Z	INFO	Number of language-specific files	num=0
2025-01-17T10:18:22Z	INFO	Detected config files	num=3

smtp.tf (terraform)
===================
Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 smtp.tf:57
   via smtp.tf:56-58 (metadata_options)
    via smtp.tf:46-69 (aws_instance.smtp)
────────────────────────────────────────
  46   resource "aws_instance" "smtp" {
  ..   
  57 [     http_tokens = "optional"
  ..   
  69   }
────────────────────────────────────────


AVD-AWS-0131 (HIGH): Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.


See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
 smtp.tf:46-69
────────────────────────────────────────
  46resource "aws_instance" "smtp" {
  47 │   ami                         = local.application_data.accounts[local.environment].smtp_ami_id
  48 │   availability_zone           = "eu-west-2a"
  49 │   instance_type               = local.application_data.accounts[local.environment].smtp_instance_type
  50 │   monitoring                  = true
  51 │   vpc_security_group_ids      = [aws_security_group.smtp.id]
  52 │   subnet_id                   = data.aws_subnet.data_subnets_a.id
  53 │   iam_instance_profile        = aws_iam_instance_profile.smtp.id
  54 └   user_data_base64            = base64encode(local.smtp_userdata)
  ..   
────────────────────────────────────────


trivy_exitcode=1

Copy link
Contributor

@modernisation-platform-ci modernisation-platform-ci left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Terraform plan evaluation detected changes to resources that require approval from @ministryofjustice/modernsation-platform - please contact #ask-modernisation-platform for assistance

@modernisation-platform-ci
Copy link
Contributor

@vc13837 Terraform plan evaluation detected changes to resources that require approval from a member of @ministryofjustice/modernisation-platform - please contact #ask-modernisation-platform for assistance

Guidance on approving these PRs is available at https://user-guide.modernisation-platform.service.justice.gov.uk/runbooks/reviewing-mp-environments-prs.html#process-for-approving-prs

Copy link
Contributor

@modernisation-platform-ci modernisation-platform-ci left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Terraform plan evaluation detected changes to resources that require approval from @ministryofjustice/modernsation-platform - please contact #ask-modernisation-platform for assistance

@modernisation-platform-ci
Copy link
Contributor

@vc13837 Terraform plan evaluation detected changes to resources that require approval from a member of @ministryofjustice/modernisation-platform - please contact #ask-modernisation-platform for assistance

Guidance on approving these PRs is available at https://user-guide.modernisation-platform.service.justice.gov.uk/runbooks/reviewing-mp-environments-prs.html#process-for-approving-prs

Copy link
Contributor

@modernisation-platform-ci modernisation-platform-ci left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Terraform plan evaluation detected changes to resources that require approval from @ministryofjustice/modernsation-platform - please contact #ask-modernisation-platform for assistance

@modernisation-platform-ci
Copy link
Contributor

@vc13837 Terraform plan evaluation detected changes to resources that require approval from a member of @ministryofjustice/modernisation-platform - please contact #ask-modernisation-platform for assistance

Guidance on approving these PRs is available at https://user-guide.modernisation-platform.service.justice.gov.uk/runbooks/reviewing-mp-environments-prs.html#process-for-approving-prs

Copy link
Contributor

@modernisation-platform-ci modernisation-platform-ci left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Terraform plan evaluation detected changes to resources that require approval from @ministryofjustice/modernsation-platform - please contact #ask-modernisation-platform for assistance

@modernisation-platform-ci
Copy link
Contributor

@vc13837 Terraform plan evaluation detected changes to resources that require approval from a member of @ministryofjustice/modernisation-platform - please contact #ask-modernisation-platform for assistance

Guidance on approving these PRs is available at https://user-guide.modernisation-platform.service.justice.gov.uk/runbooks/reviewing-mp-environments-prs.html#process-for-approving-prs

Copy link
Contributor

Trivy Scan Failed

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/laa-mail-relay


Running Trivy in terraform/environments/laa-mail-relay
2025-01-17T10:20:39Z INFO [vulndb] Need to update DB
2025-01-17T10:20:39Z INFO [vulndb] Downloading vulnerability DB...
2025-01-17T10:20:39Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-01-17T10:20:42Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-01-17T10:20:42Z INFO [vuln] Vulnerability scanning is enabled
2025-01-17T10:20:42Z INFO [misconfig] Misconfiguration scanning is enabled
2025-01-17T10:20:42Z INFO [misconfig] Need to update the built-in checks
2025-01-17T10:20:42Z INFO [misconfig] Downloading the built-in checks...
160.80 KiB / 160.80 KiB [---------------------------------------------------------] 100.00% ? p/s 0s2025-01-17T10:20:42Z INFO [secret] Secret scanning is enabled
2025-01-17T10:20:42Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-01-17T10:20:42Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2025-01-17T10:20:43Z INFO [terraform scanner] Scanning root module file_path="."
2025-01-17T10:20:43Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2025-01-17T10:20:43Z INFO Number of language-specific files num=0
2025-01-17T10:20:43Z INFO Detected config files num=3

smtp.tf (terraform)

Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
smtp.tf:57
via smtp.tf:56-58 (metadata_options)
via smtp.tf:46-69 (aws_instance.smtp)
────────────────────────────────────────
46 resource "aws_instance" "smtp" {
..
57 [ http_tokens = "optional"
..
69 }
────────────────────────────────────────

AVD-AWS-0131 (HIGH): Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.

See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
smtp.tf:46-69
────────────────────────────────────────
46 ┌ resource "aws_instance" "smtp" {
47 │ ami = local.application_data.accounts[local.environment].smtp_ami_id
48 │ availability_zone = "eu-west-2a"
49 │ instance_type = local.application_data.accounts[local.environment].smtp_instance_type
50 │ monitoring = true
51 │ vpc_security_group_ids = [aws_security_group.smtp.id]
52 │ subnet_id = data.aws_subnet.data_subnets_a.id
53 │ iam_instance_profile = aws_iam_instance_profile.smtp.id
54 └ user_data_base64 = base64encode(local.smtp_userdata)
..
────────────────────────────────────────

trivy_exitcode=1

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/laa-mail-relay

*****************************

Running Checkov in terraform/environments/laa-mail-relay
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
terraform scan results:

Passed checks: 52, Failed checks: 20, Skipped checks: 0

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.smtp
	File: /ec2_iam_profile.tf:43-79
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		43 | resource "aws_iam_policy" "smtp" {
		44 |   name = "${local.application_name}-iam-policy"
		45 |   tags = merge(
		46 |     local.tags,
		47 |     {
		48 |       Name = "${local.application_name}-iam-policy"
		49 |     }
		50 |   )
		51 |   policy = <<EOF
		52 | {
		53 |     "Version" : "2012-10-17",
		54 |     "Statement": [
		55 |         {
		56 |             "Action": [
		57 |                 "logs:CreateLogGroup",
		58 |                 "logs:CreateLogStream",
		59 |                 "logs:DescribeLogStreams",
		60 |                 "logs:PutRetentionPolicy",
		61 |                 "logs:PutLogEvents",
		62 |                 "ec2:DescribeInstances"
		63 |             ],
		64 |             "Resource": "*",
		65 |             "Effect": "Allow"
		66 |         },
		67 |         {
		68 |             "Action": [
		69 |                 "secretsmanager:GetSecretValue"
		70 |             ],
		71 |             "Resource": [
		72 |                 "arn:aws:secretsmanager:eu-west-2:${data.aws_caller_identity.current.account_id}:secret:postfix/app/*"
		73 |             ],
		74 |             "Effect": "Allow"
		75 |         }
		76 |     ]
		77 | }
		78 | EOF
		79 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.smtp
	File: /ec2_iam_profile.tf:43-79
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		43 | resource "aws_iam_policy" "smtp" {
		44 |   name = "${local.application_name}-iam-policy"
		45 |   tags = merge(
		46 |     local.tags,
		47 |     {
		48 |       Name = "${local.application_name}-iam-policy"
		49 |     }
		50 |   )
		51 |   policy = <<EOF
		52 | {
		53 |     "Version" : "2012-10-17",
		54 |     "Statement": [
		55 |         {
		56 |             "Action": [
		57 |                 "logs:CreateLogGroup",
		58 |                 "logs:CreateLogStream",
		59 |                 "logs:DescribeLogStreams",
		60 |                 "logs:PutRetentionPolicy",
		61 |                 "logs:PutLogEvents",
		62 |                 "ec2:DescribeInstances"
		63 |             ],
		64 |             "Resource": "*",
		65 |             "Effect": "Allow"
		66 |         },
		67 |         {
		68 |             "Action": [
		69 |                 "secretsmanager:GetSecretValue"
		70 |             ],
		71 |             "Resource": [
		72 |                 "arn:aws:secretsmanager:eu-west-2:${data.aws_caller_identity.current.account_id}:secret:postfix/app/*"
		73 |             ],
		74 |             "Effect": "Allow"
		75 |         }
		76 |     ]
		77 | }
		78 | EOF
		79 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.smtp_user
	File: /ses.tf:66-72
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		66 | data "aws_iam_policy_document" "smtp_user" {
		67 |   statement {
		68 |     effect    = "Allow"
		69 |     actions   = ["ses:SendRawEmail"]
		70 |     resources = ["*"]
		71 |   }
		72 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.smtp_user
	File: /ses.tf:66-72
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		66 | data "aws_iam_policy_document" "smtp_user" {
		67 |   statement {
		68 |     effect    = "Allow"
		69 |     actions   = ["ses:SendRawEmail"]
		70 |     resources = ["*"]
		71 |   }
		72 | }

Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
	FAILED for resource: aws_iam_user.smtp
	File: /ses.tf:57-60
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-273

		57 | resource "aws_iam_user" "smtp" {
		58 |   name = "${local.application_name}-${local.application_data.accounts[local.environment].env_short}-user"
		59 |   tags = local.tags
		60 | }

Check: CKV_AWS_40: "Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.)"
	FAILED for resource: aws_iam_user_policy.smtp_user
	File: /ses.tf:74-78
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/iam-16-iam-policy-privileges-1

		74 | resource "aws_iam_user_policy" "smtp_user" {
		75 |   name   = "AmazonSesSendingAccess"
		76 |   user   = aws_iam_user.smtp.name
		77 |   policy = data.aws_iam_policy_document.smtp_user.json
		78 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.smtp_user
	File: /ses.tf:82-89
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		82 | resource "aws_secretsmanager_secret" "smtp_user" {
		83 |   name        = "postfix/app/APP_DATA_MIGRATION_SMTP_USER"
		84 |   description = "IAM user access key for SMTP"
		85 |   tags = merge(
		86 |     local.tags,
		87 |     { "Name" = "postfix/app/APP_DATA_MIGRATION_SMTP_USER" }
		88 |   )
		89 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.smtp_password
	File: /ses.tf:96-103
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		96  | resource "aws_secretsmanager_secret" "smtp_password" {
		97  |   name        = "postfix/app/APP_DATA_MIGRATION_SMTP_PASSWORD"
		98  |   description = "IAM user access secret for SMTP"
		99  |   tags = merge(
		100 |     local.tags,
		101 |     { "Name" = "postfix/app/APP_DATA_MIGRATION_SMTP_PASSWORD" }
		102 |   )
		103 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.smtp_sesans
	File: /ses.tf:110-117
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		110 | resource "aws_secretsmanager_secret" "smtp_sesans" {
		111 |   name        = "postfix/app/SESANS_MP"
		112 |   description = "Secret to pull from Ansible code from https://github.com/ministryofjustice/laa-aws-postfix-smtp"
		113 |   tags = merge(
		114 |     local.tags,
		115 |     { "Name" = "postfix/app/SESANS_MP" }
		116 |   )
		117 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.smtp_sesrsap
	File: /ses.tf:119-126
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		119 | resource "aws_secretsmanager_secret" "smtp_sesrsap" {
		120 |   name        = "postfix/app/SESRSAP"
		121 |   description = ""
		122 |   tags = merge(
		123 |     local.tags,
		124 |     { "Name" = "postfix/app/SESRSAP" }
		125 |   )
		126 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.smtp_sesrsa
	File: /ses.tf:128-135
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		128 | resource "aws_secretsmanager_secret" "smtp_sesrsa" {
		129 |   name        = "postfix/app/SESRSA"
		130 |   description = ""
		131 |   tags = merge(
		132 |     local.tags,
		133 |     { "Name" = "postfix/app/SESRSA" }
		134 |   )
		135 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.smtp
	File: /smtp.tf:46-69
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		46 | resource "aws_instance" "smtp" {
		47 |   ami                         = local.application_data.accounts[local.environment].smtp_ami_id
		48 |   availability_zone           = "eu-west-2a"
		49 |   instance_type               = local.application_data.accounts[local.environment].smtp_instance_type
		50 |   monitoring                  = true
		51 |   vpc_security_group_ids      = [aws_security_group.smtp.id]
		52 |   subnet_id                   = data.aws_subnet.data_subnets_a.id
		53 |   iam_instance_profile        = aws_iam_instance_profile.smtp.id
		54 |   user_data_base64            = base64encode(local.smtp_userdata)
		55 |   user_data_replace_on_change = true
		56 |   metadata_options {
		57 |     http_tokens = "optional"
		58 |   }
		59 | 
		60 |   tags = merge(
		61 |     { "instance-scheduling" = "skip-scheduling" },
		62 |     local.tags,
		63 |     { "Name" = "${local.application_name}-${local.environment}" }
		64 |   )
		65 | 
		66 |   depends_on = [
		67 |     aws_secretsmanager_secret_version.smtp_user, aws_secretsmanager_secret_version.smtp_password
		68 |   ]
		69 | }

Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
	FAILED for resource: aws_instance.smtp
	File: /smtp.tf:46-69
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-13

		46 | resource "aws_instance" "smtp" {
		47 |   ami                         = local.application_data.accounts[local.environment].smtp_ami_id
		48 |   availability_zone           = "eu-west-2a"
		49 |   instance_type               = local.application_data.accounts[local.environment].smtp_instance_type
		50 |   monitoring                  = true
		51 |   vpc_security_group_ids      = [aws_security_group.smtp.id]
		52 |   subnet_id                   = data.aws_subnet.data_subnets_a.id
		53 |   iam_instance_profile        = aws_iam_instance_profile.smtp.id
		54 |   user_data_base64            = base64encode(local.smtp_userdata)
		55 |   user_data_replace_on_change = true
		56 |   metadata_options {
		57 |     http_tokens = "optional"
		58 |   }
		59 | 
		60 |   tags = merge(
		61 |     { "instance-scheduling" = "skip-scheduling" },
		62 |     local.tags,
		63 |     { "Name" = "${local.application_name}-${local.environment}" }
		64 |   )
		65 | 
		66 |   depends_on = [
		67 |     aws_secretsmanager_secret_version.smtp_user, aws_secretsmanager_secret_version.smtp_password
		68 |   ]
		69 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.smtp
	File: /smtp.tf:46-69
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		46 | resource "aws_instance" "smtp" {
		47 |   ami                         = local.application_data.accounts[local.environment].smtp_ami_id
		48 |   availability_zone           = "eu-west-2a"
		49 |   instance_type               = local.application_data.accounts[local.environment].smtp_instance_type
		50 |   monitoring                  = true
		51 |   vpc_security_group_ids      = [aws_security_group.smtp.id]
		52 |   subnet_id                   = data.aws_subnet.data_subnets_a.id
		53 |   iam_instance_profile        = aws_iam_instance_profile.smtp.id
		54 |   user_data_base64            = base64encode(local.smtp_userdata)
		55 |   user_data_replace_on_change = true
		56 |   metadata_options {
		57 |     http_tokens = "optional"
		58 |   }
		59 | 
		60 |   tags = merge(
		61 |     { "instance-scheduling" = "skip-scheduling" },
		62 |     local.tags,
		63 |     { "Name" = "${local.application_name}-${local.environment}" }
		64 |   )
		65 | 
		66 |   depends_on = [
		67 |     aws_secretsmanager_secret_version.smtp_user, aws_secretsmanager_secret_version.smtp_password
		68 |   ]
		69 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.smtp_outbound
	File: /smtp.tf:87-91
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		87 | resource "aws_vpc_security_group_egress_rule" "smtp_outbound" {
		88 |   security_group_id = aws_security_group.smtp.id
		89 |   cidr_ipv4         = "0.0.0.0/0"
		90 |   ip_protocol       = "-1"
		91 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.smtp_user
	File: /ses.tf:82-89
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		82 | resource "aws_secretsmanager_secret" "smtp_user" {
		83 |   name        = "postfix/app/APP_DATA_MIGRATION_SMTP_USER"
		84 |   description = "IAM user access key for SMTP"
		85 |   tags = merge(
		86 |     local.tags,
		87 |     { "Name" = "postfix/app/APP_DATA_MIGRATION_SMTP_USER" }
		88 |   )
		89 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.smtp_password
	File: /ses.tf:96-103
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		96  | resource "aws_secretsmanager_secret" "smtp_password" {
		97  |   name        = "postfix/app/APP_DATA_MIGRATION_SMTP_PASSWORD"
		98  |   description = "IAM user access secret for SMTP"
		99  |   tags = merge(
		100 |     local.tags,
		101 |     { "Name" = "postfix/app/APP_DATA_MIGRATION_SMTP_PASSWORD" }
		102 |   )
		103 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.smtp_sesans
	File: /ses.tf:110-117
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		110 | resource "aws_secretsmanager_secret" "smtp_sesans" {
		111 |   name        = "postfix/app/SESANS_MP"
		112 |   description = "Secret to pull from Ansible code from https://github.com/ministryofjustice/laa-aws-postfix-smtp"
		113 |   tags = merge(
		114 |     local.tags,
		115 |     { "Name" = "postfix/app/SESANS_MP" }
		116 |   )
		117 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.smtp_sesrsap
	File: /ses.tf:119-126
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		119 | resource "aws_secretsmanager_secret" "smtp_sesrsap" {
		120 |   name        = "postfix/app/SESRSAP"
		121 |   description = ""
		122 |   tags = merge(
		123 |     local.tags,
		124 |     { "Name" = "postfix/app/SESRSAP" }
		125 |   )
		126 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.smtp_sesrsa
	File: /ses.tf:128-135
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		128 | resource "aws_secretsmanager_secret" "smtp_sesrsa" {
		129 |   name        = "postfix/app/SESRSA"
		130 |   description = ""
		131 |   tags = merge(
		132 |     local.tags,
		133 |     { "Name" = "postfix/app/SESRSA" }
		134 |   )
		135 | }


checkov_exitcode=1

CTFLint Scan Success

Show Output
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/laa-mail-relay

*****************************

Running tflint in terraform/environments/laa-mail-relay
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

Trivy Scan Failed

Show Output
*****************************

Trivy will check the following folders:
terraform/environments/laa-mail-relay

*****************************

Running Trivy in terraform/environments/laa-mail-relay
2025-01-17T10:20:39Z	INFO	[vulndb] Need to update DB
2025-01-17T10:20:39Z	INFO	[vulndb] Downloading vulnerability DB...
2025-01-17T10:20:39Z	INFO	[vulndb] Downloading artifact...	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-01-17T10:20:42Z	INFO	[vulndb] Artifact successfully downloaded	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-01-17T10:20:42Z	INFO	[vuln] Vulnerability scanning is enabled
2025-01-17T10:20:42Z	INFO	[misconfig] Misconfiguration scanning is enabled
2025-01-17T10:20:42Z	INFO	[misconfig] Need to update the built-in checks
2025-01-17T10:20:42Z	INFO	[misconfig] Downloading the built-in checks...
160.80 KiB / 160.80 KiB [---------------------------------------------------------] 100.00% ? p/s 0s2025-01-17T10:20:42Z	INFO	[secret] Secret scanning is enabled
2025-01-17T10:20:42Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-01-17T10:20:42Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2025-01-17T10:20:43Z	INFO	[terraform scanner] Scanning root module	file_path="."
2025-01-17T10:20:43Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2025-01-17T10:20:43Z	INFO	Number of language-specific files	num=0
2025-01-17T10:20:43Z	INFO	Detected config files	num=3

smtp.tf (terraform)
===================
Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 smtp.tf:57
   via smtp.tf:56-58 (metadata_options)
    via smtp.tf:46-69 (aws_instance.smtp)
────────────────────────────────────────
  46   resource "aws_instance" "smtp" {
  ..   
  57 [     http_tokens = "optional"
  ..   
  69   }
────────────────────────────────────────


AVD-AWS-0131 (HIGH): Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.


See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
 smtp.tf:46-69
────────────────────────────────────────
  46resource "aws_instance" "smtp" {
  47 │   ami                         = local.application_data.accounts[local.environment].smtp_ami_id
  48 │   availability_zone           = "eu-west-2a"
  49 │   instance_type               = local.application_data.accounts[local.environment].smtp_instance_type
  50 │   monitoring                  = true
  51 │   vpc_security_group_ids      = [aws_security_group.smtp.id]
  52 │   subnet_id                   = data.aws_subnet.data_subnets_a.id
  53 │   iam_instance_profile        = aws_iam_instance_profile.smtp.id
  54 └   user_data_base64            = base64encode(local.smtp_userdata)
  ..   
────────────────────────────────────────


trivy_exitcode=1

@dms1981 dms1981 requested a review from a team January 17, 2025 12:42
@dms1981 dms1981 dismissed modernisation-platform-ci’s stale review January 17, 2025 12:43

Reviewed by MP team member

@vc13837 vc13837 deployed to laa-mail-relay-test January 17, 2025 12:45 — with GitHub Actions Active
@vc13837 vc13837 had a problem deploying to laa-mail-relay-development January 17, 2025 12:50 — with GitHub Actions Failure
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
environments-repository Used to exclude PRs from this repo in our Slack PR update
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants