Enable AWS Backup Vault lock #495

Merged
merged 20 commits into from
Jul 2, 2024
Conversation

@ep-93 (Contributor) commented Jun 24, 2024

Governance mode vs Compliance mode. Will discuss in stand-up. We decided on Governance mode.

A vault locked in Governance mode can be managed or deleted by users who have the appropriate IAM permissions. A vault lock in Compliance mode cannot be altered or deleted by any user or by AWS.

ministryofjustice/modernisation-platform#7265

Enables AWS Backup vault lock. It has been tested in cooker.

I've added a filter so it will only deploy changes in production. This step needs to go in first, before step 2.

ministryofjustice/modernisation-platform#7361

I have added this line so that resources are only built in production, and in eu-west-2:

```hcl
count = (local.is_production && data.aws_region.current.name == "eu-west-2") ? 1 : 0
```

I have also changed the backup notifications to use the correct KMS key, and only build in the correct region.
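The pattern the description outlines, written out as an added example that is not code from this PR or from the backup module: a vault with a Governance-mode lock, gated to production in eu-west-2 with the same `count` expression, plus a KMS-encrypted SNS topic that AWS Backup is allowed to publish to. The `local.is_production` and `local.kms_master_key_id` derivations, the variable names, the event list and the retention bounds are assumptions for illustration; the resource types and arguments are those of the hashicorp/aws provider.

```hcl
# Added example, not code from this PR or the backup module: an AWS Backup vault
# with a Governance-mode lock, built only in production in eu-west-2, and an
# encrypted SNS topic receiving its notifications. The locals, variable names and
# retention bounds are assumptions for illustration.

variable "is_production" { type = bool }
variable "kms_key_arn"   { type = string }   # assumed: a customer-managed key ARN
variable "vault_name"    { type = string }

data "aws_region" "current" {}

locals {
  is_production     = var.is_production   # assumed; the real module derives this itself
  kms_master_key_id = var.kms_key_arn

  # The production / eu-west-2 gate from the PR description.
  build_count = (local.is_production && data.aws_region.current.name == "eu-west-2") ? 1 : 0
}

resource "aws_backup_vault" "this" {
  count       = local.build_count
  name        = var.vault_name
  kms_key_arn = var.kms_key_arn
}

# Governance mode: changeable_for_days is omitted. Setting it (minimum 3) would
# create a Compliance-mode lock, which neither IAM principals nor AWS can remove
# once the cooling-off period has passed.
resource "aws_backup_vault_lock_configuration" "governance" {
  count              = local.build_count
  backup_vault_name  = aws_backup_vault.this[0].name
  min_retention_days = 7     # assumed bounds for illustration
  max_retention_days = 365
}

# Notification topic encrypted with the same key the vault uses.
resource "aws_sns_topic" "backup_vault_topic" {
  count             = local.build_count
  name              = "${var.vault_name}-backup-events"
  kms_master_key_id = local.kms_master_key_id
}

# AWS Backup publishes as a service principal, so the topic policy must allow it.
data "aws_iam_policy_document" "backup_publish" {
  count = local.build_count
  statement {
    actions   = ["SNS:Publish"]
    resources = [aws_sns_topic.backup_vault_topic[0].arn]
    principals {
      type        = "Service"
      identifiers = ["backup.amazonaws.com"]
    }
  }
}

resource "aws_sns_topic_policy" "backup_publish" {
  count  = local.build_count
  arn    = aws_sns_topic.backup_vault_topic[0].arn
  policy = data.aws_iam_policy_document.backup_publish[0].json
}

resource "aws_backup_vault_notifications" "this" {
  count               = local.build_count
  backup_vault_name   = aws_backup_vault.this[0].name
  sns_topic_arn       = aws_sns_topic.backup_vault_topic[0].arn
  backup_vault_events = ["BACKUP_JOB_FAILED", "RESTORE_JOB_FAILED"]
}
```

Two points worth checking when applying this in practice: the topic policy alone is not enough for an encrypted topic, because the key behind `kms_master_key_id` must also grant `kms:GenerateDataKey*` and `kms:Decrypt` to `backup.amazonaws.com` or publishes fail without a notification ever arriving; and the Governance/Compliance choice is made by the presence of `changeable_for_days`, so a later edit that adds that argument converts the lock into the irreversible Compliance mode the description contrasts.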

@ep-93 ep-93 requested a review from a team as a code owner June 24, 2024 14:26
github-actions bot commented:

Checkov Scan Success

Show Output
*****************************

Checkov will check the following folders:
modules/backup

*****************************

Running Checkov in modules/backup
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
terraform scan results:

Passed checks: 1, Failed checks: 0, Skipped checks: 1


checkov_exitcode=0

CTFLint Scan Success

Show Output
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
modules/backup

*****************************

Running tflint in modules/backup
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

Trivy Scan Success

Show Output
*****************************

Trivy will check the following folders:
modules/backup

*****************************

Running Trivy in modules/backup
2024-06-24T14:28:22Z	INFO	Need to update DB
2024-06-24T14:28:22Z	INFO	Downloading DB...	repository="ghcr.io/aquasecurity/trivy-db:2"
2024-06-24T14:28:25Z	INFO	Vulnerability scanning is enabled
2024-06-24T14:28:25Z	INFO	Misconfiguration scanning is enabled
2024-06-24T14:28:25Z	INFO	Need to update the built-in policies
2024-06-24T14:28:25Z	INFO	Downloading the built-in policies...
53.79 KiB / 53.79 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-06-24T14:28:25Z	INFO	Secret scanning is enabled
2024-06-24T14:28:25Z	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-24T14:28:25Z	INFO	Please see also https://aquasecurity.github.io/trivy/v0.52/docs/scanner/secret/#recommendation for faster secret detection
2024-06-24T14:28:26Z	INFO	Number of language-specific files	num=0
2024-06-24T14:28:26Z	INFO	Detected config files	num=2
trivy_exitcode=0

@ASTRobinson ASTRobinson reopened this Jun 24, 2024
github-actions bot commented:

Checkov Scan Success

Show Output
*****************************

Checkov will check the following folders:
modules/backup

*****************************

Running Checkov in modules/backup
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
terraform scan results:

Passed checks: 1, Failed checks: 0, Skipped checks: 1


checkov_exitcode=0

CTFLint Scan Success

Show Output
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
modules/backup

*****************************

Running tflint in modules/backup
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

Trivy Scan Success

Show Output
*****************************

Trivy will check the following folders:
modules/backup

*****************************

Running Trivy in modules/backup
2024-06-24T15:00:31Z	INFO	Need to update DB
2024-06-24T15:00:31Z	INFO	Downloading DB...	repository="ghcr.io/aquasecurity/trivy-db:2"
2024-06-24T15:00:33Z	INFO	Vulnerability scanning is enabled
2024-06-24T15:00:33Z	INFO	Misconfiguration scanning is enabled
2024-06-24T15:00:33Z	INFO	Need to update the built-in policies
2024-06-24T15:00:33Z	INFO	Downloading the built-in policies...
53.79 KiB / 53.79 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-06-24T15:00:34Z	INFO	Secret scanning is enabled
2024-06-24T15:00:34Z	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-24T15:00:34Z	INFO	Please see also https://aquasecurity.github.io/trivy/v0.52/docs/scanner/secret/#recommendation for faster secret detection
2024-06-24T15:00:34Z	INFO	Number of language-specific files	num=0
2024-06-24T15:00:34Z	INFO	Detected config files	num=2
trivy_exitcode=0

@ep-93 ep-93 marked this pull request as draft June 24, 2024 15:32
@ep-93 ep-93 force-pushed the feature/add-vault-lock branch from 0a8c21e to 4405978 Compare June 24, 2024 15:33
github-actions bot commented:

Checkov Scan Success

Show Output
*****************************

Checkov will check the following folders:
modules/backup

*****************************

Running Checkov in modules/backup
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
terraform scan results:

Passed checks: 2, Failed checks: 0, Skipped checks: 1


checkov_exitcode=0

CTFLint Scan Success

Show Output
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
modules/backup

*****************************

Running tflint in modules/backup
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

Trivy Scan Success

Show Output
*****************************

Trivy will check the following folders:
modules/backup

*****************************

Running Trivy in modules/backup
2024-06-24T15:35:19Z	INFO	Need to update DB
2024-06-24T15:35:19Z	INFO	Downloading DB...	repository="ghcr.io/aquasecurity/trivy-db:2"
2024-06-24T15:35:21Z	INFO	Vulnerability scanning is enabled
2024-06-24T15:35:21Z	INFO	Misconfiguration scanning is enabled
2024-06-24T15:35:21Z	INFO	Need to update the built-in policies
2024-06-24T15:35:21Z	INFO	Downloading the built-in policies...
53.79 KiB / 53.79 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-06-24T15:35:21Z	INFO	Secret scanning is enabled
2024-06-24T15:35:21Z	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-24T15:35:21Z	INFO	Please see also https://aquasecurity.github.io/trivy/v0.52/docs/scanner/secret/#recommendation for faster secret detection
2024-06-24T15:35:22Z	INFO	Number of language-specific files	num=0
2024-06-24T15:35:22Z	INFO	Detected config files	num=2
trivy_exitcode=0

github-actions bot commented:

Checkov Scan Success

Show Output
*****************************

Checkov will check the following folders:
modules/backup

*****************************

Running Checkov in modules/backup
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
terraform scan results:

Passed checks: 2, Failed checks: 0, Skipped checks: 1


checkov_exitcode=0

CTFLint Scan Success

Show Output
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
modules/backup

*****************************

Running tflint in modules/backup
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

Trivy Scan Success

Show Output
*****************************

Trivy will check the following folders:
modules/backup

*****************************

Running Trivy in modules/backup
2024-06-26T09:28:01Z	INFO	Need to update DB
2024-06-26T09:28:01Z	INFO	Downloading DB...	repository="ghcr.io/aquasecurity/trivy-db:2"
2024-06-26T09:28:03Z	INFO	Vulnerability scanning is enabled
2024-06-26T09:28:03Z	INFO	Misconfiguration scanning is enabled
2024-06-26T09:28:03Z	INFO	Need to update the built-in policies
2024-06-26T09:28:03Z	INFO	Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-06-26T09:28:04Z	INFO	Secret scanning is enabled
2024-06-26T09:28:04Z	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-26T09:28:04Z	INFO	Please see also https://aquasecurity.github.io/trivy/v0.52/docs/scanner/secret/#recommendation for faster secret detection
2024-06-26T09:28:04Z	INFO	Number of language-specific files	num=0
2024-06-26T09:28:04Z	INFO	Detected config files	num=2
trivy_exitcode=0

github-actions bot commented:

Checkov Scan Success

Show Output
*****************************

Checkov will check the following folders:
modules/backup

*****************************

Running Checkov in modules/backup
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
terraform scan results:

Passed checks: 2, Failed checks: 0, Skipped checks: 1


checkov_exitcode=0

CTFLint Scan Success

Show Output
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
modules/backup

*****************************

Running tflint in modules/backup
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

Trivy Scan Success

Show Output
*****************************

Trivy will check the following folders:
modules/backup

*****************************

Running Trivy in modules/backup
2024-06-26T15:25:54Z	INFO	Need to update DB
2024-06-26T15:25:54Z	INFO	Downloading DB...	repository="ghcr.io/aquasecurity/trivy-db:2"
2024-06-26T15:25:56Z	INFO	Vulnerability scanning is enabled
2024-06-26T15:25:56Z	INFO	Misconfiguration scanning is enabled
2024-06-26T15:25:56Z	INFO	Need to update the built-in policies
2024-06-26T15:25:56Z	INFO	Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-06-26T15:25:57Z	INFO	Secret scanning is enabled
2024-06-26T15:25:57Z	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-26T15:25:57Z	INFO	Please see also https://aquasecurity.github.io/trivy/v0.52/docs/scanner/secret/#recommendation for faster secret detection
2024-06-26T15:25:57Z	INFO	Number of language-specific files	num=0
2024-06-26T15:25:57Z	INFO	Detected config files	num=2
trivy_exitcode=0

github-actions bot commented:

Checkov Scan Success

Show Output
*****************************

Checkov will check the following folders:
modules/backup

*****************************

Running Checkov in modules/backup
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
terraform scan results:

Passed checks: 2, Failed checks: 0, Skipped checks: 1


checkov_exitcode=0

CTFLint Scan Success

Show Output
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
modules/backup

*****************************

Running tflint in modules/backup
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

Trivy Scan Success

Show Output
*****************************

Trivy will check the following folders:
modules/backup

*****************************

Running Trivy in modules/backup
2024-06-27T13:23:35Z	INFO	Need to update DB
2024-06-27T13:23:35Z	INFO	Downloading DB...	repository="ghcr.io/aquasecurity/trivy-db:2"
2024-06-27T13:23:37Z	INFO	Vulnerability scanning is enabled
2024-06-27T13:23:37Z	INFO	Misconfiguration scanning is enabled
2024-06-27T13:23:37Z	INFO	Need to update the built-in policies
2024-06-27T13:23:37Z	INFO	Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-06-27T13:23:37Z	INFO	Secret scanning is enabled
2024-06-27T13:23:37Z	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-27T13:23:37Z	INFO	Please see also https://aquasecurity.github.io/trivy/v0.52/docs/scanner/secret/#recommendation for faster secret detection
2024-06-27T13:23:37Z	INFO	Number of language-specific files	num=0
2024-06-27T13:23:37Z	INFO	Detected config files	num=2
trivy_exitcode=0

@ep-93 ep-93 marked this pull request as ready for review June 27, 2024 13:28
@ep-93 ep-93 closed this Jun 27, 2024
@ep-93 ep-93 reopened this Jun 27, 2024
github-actions bot commented:

Checkov Scan Success

Show Output
*****************************

Checkov will check the following folders:
modules/backup

*****************************

Running Checkov in modules/backup
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
terraform scan results:

Passed checks: 2, Failed checks: 0, Skipped checks: 1


checkov_exitcode=0

CTFLint Scan Success

Show Output
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
modules/backup

*****************************

Running tflint in modules/backup
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

Trivy Scan Success

Show Output
*****************************

Trivy will check the following folders:
modules/backup

*****************************

Running Trivy in modules/backup
2024-06-27T13:29:31Z	INFO	Need to update DB
2024-06-27T13:29:31Z	INFO	Downloading DB...	repository="ghcr.io/aquasecurity/trivy-db:2"
2024-06-27T13:29:33Z	INFO	Vulnerability scanning is enabled
2024-06-27T13:29:33Z	INFO	Misconfiguration scanning is enabled
2024-06-27T13:29:33Z	INFO	Need to update the built-in policies
2024-06-27T13:29:33Z	INFO	Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-06-27T13:29:33Z	INFO	Secret scanning is enabled
2024-06-27T13:29:33Z	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-27T13:29:33Z	INFO	Please see also https://aquasecurity.github.io/trivy/v0.52/docs/scanner/secret/#recommendation for faster secret detection
2024-06-27T13:29:33Z	INFO	Number of language-specific files	num=0
2024-06-27T13:29:33Z	INFO	Detected config files	num=2
trivy_exitcode=0

github-actions bot commented:

Checkov Scan Success

Show Output
*****************************

Checkov will check the following folders:
modules/backup

*****************************

Running Checkov in modules/backup
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
terraform scan results:

Passed checks: 2, Failed checks: 0, Skipped checks: 1


checkov_exitcode=0

CTFLint Scan Success

Show Output
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
modules/backup

*****************************

Running tflint in modules/backup
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

Trivy Scan Success

Show Output
*****************************

Trivy will check the following folders:
modules/backup

*****************************

Running Trivy in modules/backup
2024-06-27T13:31:22Z	INFO	Need to update DB
2024-06-27T13:31:22Z	INFO	Downloading DB...	repository="ghcr.io/aquasecurity/trivy-db:2"
2024-06-27T13:31:24Z	INFO	Vulnerability scanning is enabled
2024-06-27T13:31:24Z	INFO	Misconfiguration scanning is enabled
2024-06-27T13:31:24Z	INFO	Need to update the built-in policies
2024-06-27T13:31:24Z	INFO	Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-06-27T13:31:24Z	INFO	Secret scanning is enabled
2024-06-27T13:31:24Z	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-27T13:31:24Z	INFO	Please see also https://aquasecurity.github.io/trivy/v0.52/docs/scanner/secret/#recommendation for faster secret detection
2024-06-27T13:31:25Z	INFO	Number of language-specific files	num=0
2024-06-27T13:31:25Z	INFO	Detected config files	num=2
trivy_exitcode=0

Review comment on modules/backup/main.tf (outdated):
@ep-93 ep-93 force-pushed the feature/add-vault-lock branch from 4b8ede3 to 4799fe4 Compare June 27, 2024 16:48
ep-93 and others added 3 commits June 27, 2024 17:56
@@ -116,7 +146,7 @@ resource "aws_backup_selection" "non_production" {
# SNS topic
# trivy:ignore:avd-aws-0136
resource "aws_sns_topic" "backup_failure_topic" {
kms_master_key_id = var.sns_backup_topic_key
kms_master_key_id = local.kms_master_key_id
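Review bot: the Checkov run recorded on this PR on Jul 2 reports CKV_AWS_26 ("Ensure all data stored in the SNS topic is encrypted") as FAILED for `aws_sns_topic.backup_failure_topic` (main.tf:148-154) once this line becomes `kms_master_key_id = local.kms_master_key_id`, so the static scan no longer recognises the topic as encrypted even though the argument is set. Before merging, confirm how `local.kms_master_key_id` is derived and that it resolves to a key in every account and region where this topic is created (the `backup_vault_topic` shown in the same output is gated by the production / eu-west-2 `count`, this topic is not, which also does not match the description's "only build in the correct region"); if the finding is only the scanner being unable to evaluate the local, record that as a justified skip next to the resource rather than merging with `checkov_exitcode=1`.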
@ep-93 (Contributor, Author) commented:

Changed, so that we actually get failure notifications now.

@ep-93 ep-93 closed this Jul 2, 2024
@ep-93 ep-93 reopened this Jul 2, 2024
github-actions bot commented Jul 2, 2024

Checkov Scan Failed

Show Output
*****************************

Checkov will check the following folders:
modules/backup test/backup-test

*****************************

Running Checkov in modules/backup
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
terraform scan results:

Passed checks: 0, Failed checks: 2, Skipped checks: 1

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.backup_vault_topic
	File: /main.tf:17-24
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		17 | resource "aws_sns_topic" "backup_vault_topic" {
		18 |   count = (local.is_production && data.aws_region.current.name == "eu-west-2") ? 1 : 0
		19 |   kms_master_key_id = local.kms_master_key_id
		20 |   name              = var.backup_vault_lock_sns_topic_name
		21 |   tags = merge(var.tags, {
		22 |     Description = "This backup topic is so the MP team can subscribe to backup vault lock being turned off and member accounts can create their own subscriptions"
		23 |   })
		24 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.backup_failure_topic
	File: /main.tf:148-154
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		148 | resource "aws_sns_topic" "backup_failure_topic" {
		149 |   kms_master_key_id = local.kms_master_key_id
		150 |   name              = var.backup_aws_sns_topic_name
		151 |   tags = merge(var.tags, {
		152 |     Description = "This backup topic is so the MP team can subscribe to backup notifications from selected accounts and teams using member-unrestricted accounts can create their own subscriptions"
		153 |   })
		154 | }


checkov_exitcode=1

*****************************

Running Checkov in test/backup-test
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
terraform scan results:

Passed checks: 21, Failed checks: 2, Skipped checks: 1

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: module.backup-test.aws_sns_topic.backup_vault_topic
	File: /../../modules/backup/main.tf:17-24
	Calling File: /main.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		17 | resource "aws_sns_topic" "backup_vault_topic" {
		18 |   count = (local.is_production && data.aws_region.current.name == "eu-west-2") ? 1 : 0
		19 |   kms_master_key_id = local.kms_master_key_id
		20 |   name              = var.backup_vault_lock_sns_topic_name
		21 |   tags = merge(var.tags, {
		22 |     Description = "This backup topic is so the MP team can subscribe to backup vault lock being turned off and member accounts can create their own subscriptions"
		23 |   })
		24 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: module.backup-test.aws_sns_topic.backup_failure_topic
	File: /../../modules/backup/main.tf:148-154
	Calling File: /main.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		148 | resource "aws_sns_topic" "backup_failure_topic" {
		149 |   kms_master_key_id = local.kms_master_key_id
		150 |   name              = var.backup_aws_sns_topic_name
		151 |   tags = merge(var.tags, {
		152 |     Description = "This backup topic is so the MP team can subscribe to backup notifications from selected accounts and teams using member-unrestricted accounts can create their own subscriptions"
		153 |   })
		154 | }


checkov_exitcode=2

CTFLint Scan Success

Show Output
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
modules/backup test/backup-test

*****************************

Running tflint in modules/backup
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

*****************************

Running tflint in test/backup-test
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

Trivy Scan Success

Show Output
*****************************

Trivy will check the following folders:
modules/backup test/backup-test

*****************************

Running Trivy in modules/backup
2024-07-02T08:16:07Z	INFO	Need to update DB
2024-07-02T08:16:07Z	INFO	Downloading DB...	repository="ghcr.io/aquasecurity/trivy-db:2"
2024-07-02T08:16:10Z	INFO	Vulnerability scanning is enabled
2024-07-02T08:16:10Z	INFO	Misconfiguration scanning is enabled
2024-07-02T08:16:10Z	INFO	Need to update the built-in policies
2024-07-02T08:16:10Z	INFO	Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-07-02T08:16:10Z	INFO	Secret scanning is enabled
2024-07-02T08:16:10Z	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-07-02T08:16:10Z	INFO	Please see also https://aquasecurity.github.io/trivy/v0.53/docs/scanner/secret#recommendation for faster secret detection
2024-07-02T08:16:11Z	INFO	Number of language-specific files	num=0
2024-07-02T08:16:11Z	INFO	Detected config files	num=2
trivy_exitcode=0

*****************************

Running Trivy in test/backup-test
2024-07-02T08:16:11Z	INFO	Vulnerability scanning is enabled
2024-07-02T08:16:11Z	INFO	Misconfiguration scanning is enabled
2024-07-02T08:16:11Z	INFO	Secret scanning is enabled
2024-07-02T08:16:11Z	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-07-02T08:16:11Z	INFO	Please see also https://aquasecurity.github.io/trivy/v0.53/docs/scanner/secret#recommendation for faster secret detection
2024-07-02T08:16:12Z	INFO	Number of language-specific files	num=0
2024-07-02T08:16:12Z	INFO	Detected config files	num=2
trivy_exitcode=0

github-actions bot commented Jul 2, 2024

Trivy Scan Success

Show Output

Trivy will check the following folders:
modules/backup test/backup-test


Running Trivy in modules/backup
2024-07-02T08:17:19Z INFO Need to update DB
2024-07-02T08:17:19Z INFO Downloading DB... repository="ghcr.io/aquasecurity/trivy-db:2"
2024-07-02T08:17:21Z INFO Vulnerability scanning is enabled
2024-07-02T08:17:21Z INFO Misconfiguration scanning is enabled
2024-07-02T08:17:21Z INFO Need to update the built-in policies
2024-07-02T08:17:21Z INFO Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-07-02T08:17:22Z INFO Secret scanning is enabled
2024-07-02T08:17:22Z INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-07-02T08:17:22Z INFO Please see also https://aquasecurity.github.io/trivy/v0.53/docs/scanner/secret#recommendation for faster secret detection
2024-07-02T08:17:22Z INFO Number of language-specific files num=0
2024-07-02T08:17:22Z INFO Detected config files num=2
trivy_exitcode=0


Running Trivy in test/backup-test
2024-07-02T08:17:23Z INFO Vulnerability scanning is enabled
2024-07-02T08:17:23Z INFO Misconfiguration scanning is enabled
2024-07-02T08:17:23Z INFO Secret scanning is enabled
2024-07-02T08:17:23Z INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-07-02T08:17:23Z INFO Please see also https://aquasecurity.github.io/trivy/v0.53/docs/scanner/secret#recommendation for faster secret detection
2024-07-02T08:17:24Z INFO Number of language-specific files num=0
2024-07-02T08:17:24Z INFO Detected config files num=2
trivy_exitcode=0

Checkov Scan Failed

Show Output

*****************************

Checkov will check the following folders:
modules/backup test/backup-test

*****************************

Running Checkov in modules/backup
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
terraform scan results:

Passed checks: 0, Failed checks: 2, Skipped checks: 1

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.backup_vault_topic
	File: /main.tf:17-24
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		17 | resource "aws_sns_topic" "backup_vault_topic" {
		18 |   count             = (local.is_production && data.aws_region.current.name == "eu-west-2") ? 1 : 0
		19 |   kms_master_key_id = local.kms_master_key_id
		20 |   name              = var.backup_vault_lock_sns_topic_name
		21 |   tags = merge(var.tags, {
		22 |     Description = "This backup topic is so the MP team can subscribe to backup vault lock being turned off and member accounts can create their own subscriptions"
		23 |   })
		24 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.backup_failure_topic
	File: /main.tf:148-154
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		148 | resource "aws_sns_topic" "backup_failure_topic" {
		149 |   kms_master_key_id = local.kms_master_key_id
		150 |   name              = var.backup_aws_sns_topic_name
		151 |   tags = merge(var.tags, {
		152 |     Description = "This backup topic is so the MP team can subscribe to backup notifications from selected accounts and teams using member-unrestricted accounts can create their own subscriptions"
		153 |   })
		154 | }


checkov_exitcode=1

*****************************

Running Checkov in test/backup-test
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
terraform scan results:

Passed checks: 21, Failed checks: 2, Skipped checks: 1

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: module.backup-test.aws_sns_topic.backup_vault_topic
	File: /../../modules/backup/main.tf:17-24
	Calling File: /main.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		17 | resource "aws_sns_topic" "backup_vault_topic" {
		18 |   count             = (local.is_production && data.aws_region.current.name == "eu-west-2") ? 1 : 0
		19 |   kms_master_key_id = local.kms_master_key_id
		20 |   name              = var.backup_vault_lock_sns_topic_name
		21 |   tags = merge(var.tags, {
		22 |     Description = "This backup topic is so the MP team can subscribe to backup vault lock being turned off and member accounts can create their own subscriptions"
		23 |   })
		24 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: module.backup-test.aws_sns_topic.backup_failure_topic
	File: /../../modules/backup/main.tf:148-154
	Calling File: /main.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		148 | resource "aws_sns_topic" "backup_failure_topic" {
		149 |   kms_master_key_id = local.kms_master_key_id
		150 |   name              = var.backup_aws_sns_topic_name
		151 |   tags = merge(var.tags, {
		152 |     Description = "This backup topic is so the MP team can subscribe to backup notifications from selected accounts and teams using member-unrestricted accounts can create their own subscriptions"
		153 |   })
		154 | }


checkov_exitcode=2

CTFLint Scan Success

Show Output
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
modules/backup test/backup-test

*****************************

Running tflint in modules/backup
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

*****************************

Running tflint in test/backup-test
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

github-actions bot commented Jul 2, 2024

Trivy Scan Success

Show Output

Trivy will check the following folders:
modules/backup test/backup-test


Running Trivy in modules/backup
2024-07-02T08:18:36Z INFO Need to update DB
2024-07-02T08:18:36Z INFO Downloading DB... repository="ghcr.io/aquasecurity/trivy-db:2"
2024-07-02T08:18:39Z INFO Vulnerability scanning is enabled
2024-07-02T08:18:39Z INFO Misconfiguration scanning is enabled
2024-07-02T08:18:39Z INFO Need to update the built-in policies
2024-07-02T08:18:39Z INFO Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-07-02T08:18:39Z INFO Secret scanning is enabled
2024-07-02T08:18:39Z INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-07-02T08:18:39Z INFO Please see also https://aquasecurity.github.io/trivy/v0.53/docs/scanner/secret#recommendation for faster secret detection
2024-07-02T08:18:39Z INFO Number of language-specific files num=0
2024-07-02T08:18:39Z INFO Detected config files num=2
trivy_exitcode=0


Running Trivy in test/backup-test
2024-07-02T08:18:40Z INFO Vulnerability scanning is enabled
2024-07-02T08:18:40Z INFO Misconfiguration scanning is enabled
2024-07-02T08:18:40Z INFO Secret scanning is enabled
2024-07-02T08:18:40Z INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-07-02T08:18:40Z INFO Please see also https://aquasecurity.github.io/trivy/v0.53/docs/scanner/secret#recommendation for faster secret detection
2024-07-02T08:18:40Z INFO Number of language-specific files num=0
2024-07-02T08:18:40Z INFO Detected config files num=2
trivy_exitcode=0

Checkov Scan Failed

Show Output

*****************************

Checkov will check the following folders:
modules/backup test/backup-test

*****************************

Running Checkov in modules/backup
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
terraform scan results:

Passed checks: 0, Failed checks: 2, Skipped checks: 1

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.backup_vault_topic
	File: /main.tf:17-24
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		17 | resource "aws_sns_topic" "backup_vault_topic" {
		18 |   count             = (local.is_production && data.aws_region.current.name == "eu-west-2") ? 1 : 0
		19 |   kms_master_key_id = local.kms_master_key_id
		20 |   name              = var.backup_vault_lock_sns_topic_name
		21 |   tags = merge(var.tags, {
		22 |     Description = "This backup topic is so the MP team can subscribe to backup vault lock being turned off and member accounts can create their own subscriptions"
		23 |   })
		24 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.backup_failure_topic
	File: /main.tf:148-154
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		148 | resource "aws_sns_topic" "backup_failure_topic" {
		149 |   kms_master_key_id = local.kms_master_key_id
		150 |   name              = var.backup_aws_sns_topic_name
		151 |   tags = merge(var.tags, {
		152 |     Description = "This backup topic is so the MP team can subscribe to backup notifications from selected accounts and teams using member-unrestricted accounts can create their own subscriptions"
		153 |   })
		154 | }


checkov_exitcode=1

*****************************

Running Checkov in test/backup-test
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
terraform scan results:

Passed checks: 21, Failed checks: 2, Skipped checks: 1

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: module.backup-test.aws_sns_topic.backup_vault_topic
	File: /../../modules/backup/main.tf:17-24
	Calling File: /main.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		17 | resource "aws_sns_topic" "backup_vault_topic" {
		18 |   count             = (local.is_production && data.aws_region.current.name == "eu-west-2") ? 1 : 0
		19 |   kms_master_key_id = local.kms_master_key_id
		20 |   name              = var.backup_vault_lock_sns_topic_name
		21 |   tags = merge(var.tags, {
		22 |     Description = "This backup topic is so the MP team can subscribe to backup vault lock being turned off and member accounts can create their own subscriptions"
		23 |   })
		24 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: module.backup-test.aws_sns_topic.backup_failure_topic
	File: /../../modules/backup/main.tf:148-154
	Calling File: /main.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		148 | resource "aws_sns_topic" "backup_failure_topic" {
		149 |   kms_master_key_id = local.kms_master_key_id
		150 |   name              = var.backup_aws_sns_topic_name
		151 |   tags = merge(var.tags, {
		152 |     Description = "This backup topic is so the MP team can subscribe to backup notifications from selected accounts and teams using member-unrestricted accounts can create their own subscriptions"
		153 |   })
		154 | }


checkov_exitcode=2

CTFLint Scan Success

Show Output
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
modules/backup test/backup-test

*****************************

Running tflint in modules/backup
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

*****************************

Running tflint in test/backup-test
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

ASTRobinson previously approved these changes Jul 2, 2024

github-actions bot commented Jul 2, 2024

Trivy Scan Success

Show Output

Trivy will check the following folders:
modules/backup test/backup-test


Running Trivy in modules/backup
2024-07-02T08:28:35Z INFO Need to update DB
2024-07-02T08:28:35Z INFO Downloading DB... repository="ghcr.io/aquasecurity/trivy-db:2"
2024-07-02T08:28:37Z INFO Vulnerability scanning is enabled
2024-07-02T08:28:37Z INFO Misconfiguration scanning is enabled
2024-07-02T08:28:37Z INFO Need to update the built-in policies
2024-07-02T08:28:37Z INFO Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-07-02T08:28:37Z INFO Secret scanning is enabled
2024-07-02T08:28:37Z INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-07-02T08:28:37Z INFO Please see also https://aquasecurity.github.io/trivy/v0.53/docs/scanner/secret#recommendation for faster secret detection
2024-07-02T08:28:38Z INFO Number of language-specific files num=0
2024-07-02T08:28:38Z INFO Detected config files num=2
trivy_exitcode=0


Running Trivy in test/backup-test
2024-07-02T08:28:38Z INFO Vulnerability scanning is enabled
2024-07-02T08:28:38Z INFO Misconfiguration scanning is enabled
2024-07-02T08:28:38Z INFO Secret scanning is enabled
2024-07-02T08:28:38Z INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-07-02T08:28:38Z INFO Please see also https://aquasecurity.github.io/trivy/v0.53/docs/scanner/secret#recommendation for faster secret detection
2024-07-02T08:28:38Z INFO Number of language-specific files num=0
2024-07-02T08:28:38Z INFO Detected config files num=2
trivy_exitcode=0

Checkov Scan Success

Show Output

*****************************

Checkov will check the following folders:
modules/backup test/backup-test

*****************************

Running Checkov in modules/backup
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
terraform scan results:

Passed checks: 0, Failed checks: 0, Skipped checks: 3


checkov_exitcode=0

*****************************

Running Checkov in test/backup-test
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
terraform scan results:

Passed checks: 21, Failed checks: 0, Skipped checks: 3


checkov_exitcode=0

CTFLint Scan Success

Show Output
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
modules/backup test/backup-test

*****************************

Running tflint in modules/backup
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

*****************************

Running tflint in test/backup-test
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

@ep-93 ep-93 merged commit f0d5172 into main Jul 2, 2024
4 checks passed
@ep-93 ep-93 deleted the feature/add-vault-lock branch July 2, 2024 08:35