
Tests created for module #9

Merged
merged 24 commits into from
Mar 8, 2023

Conversation

ep-93
Contributor

@ep-93 ep-93 commented Feb 27, 2023

The code works, and I have it working locally with a plan utilising it in example. I need to merge this so I can reference it and push a PR to mod-plat-env so it can be built in example via the pipeline rather than me applying anything locally.

The tests do not currently work.

Update.

Tests working, hardcoded subnet ID which needs to change.

@ep-93 ep-93 requested a review from a team as a code owner February 27, 2023 17:45
@ep-93 ep-93 marked this pull request as draft February 27, 2023 17:45
@github-actions
Contributor

TFSEC Scan Success

Show Output
*****************************

TFSEC will check the following folders:
.

*****************************

Running TFSEC in .
Excluding the following checks: AWS089, AWS099, AWS009, AWS097, AWS018
  timings
  ──────────────────────────────────────────
  disk i/o             172.603µs
  parsing              22.955362ms
  adaptation           133.402µs
  checks               8.951981ms
  total                32.213348ms

  counts
  ──────────────────────────────────────────
  modules downloaded   0
  modules processed    1
  blocks processed     48
  files read           6

  results
  ──────────────────────────────────────────
  passed               4
  ignored              1
  critical             0
  high                 0
  medium               0
  low                  0


No problems detected!

tfsec_exitcode=0

Checkov Scan Failed

Show Output
*****************************

Checkov will check the following folders:
.

*****************************

Running Checkov in .
Excluding the following checks: CKV_GIT_1
terraform scan results:

Passed checks: 32, Failed checks: 5, Skipped checks: 3

Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
	FAILED for resource: module.module_test.aws_instance.this
	File: /main.tf:5-93
	Calling File: /test/unit-test/main.tf:1-28
	Guide: https://docs.bridgecrew.io/docs/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
	FAILED for resource: aws_security_group.test
	File: /test/unit-test/security-groups.tf:1-24
	Guide: https://docs.bridgecrew.io/docs/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80

		1  | resource "aws_security_group" "test" {
		2  |   name        = "Terratest"
		3  |   description = "Test SG for Terratest"
		4  |   vpc_id      = data.aws_vpc.shared.id
		5  |   ingress {
		6  |     from_port        = 0
		7  |     to_port          = 6000
		8  |     protocol         = "tcp"
		9  |     cidr_blocks      = ["0.0.0.0/0"]
		10 |     ipv6_cidr_blocks = ["::/0"]
		11 |   }
		12 | 
		13 |   egress {
		14 |     from_port        = 0
		15 |     to_port          = 0
		16 |     protocol         = "-1"
		17 |     cidr_blocks      = ["0.0.0.0/0"]
		18 |     ipv6_cidr_blocks = ["::/0"]
		19 |   }
		20 | 
		21 |   tags = {
		22 |     Name = "test"
		23 |   }
		24 | }
Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_security_group.test
	File: /test/unit-test/security-groups.tf:1-24
	Guide: https://docs.bridgecrew.io/docs/networking_1-port-security

		1  | resource "aws_security_group" "test" {
		2  |   name        = "Terratest"
		3  |   description = "Test SG for Terratest"
		4  |   vpc_id      = data.aws_vpc.shared.id
		5  |   ingress {
		6  |     from_port        = 0
		7  |     to_port          = 6000
		8  |     protocol         = "tcp"
		9  |     cidr_blocks      = ["0.0.0.0/0"]
		10 |     ipv6_cidr_blocks = ["::/0"]
		11 |   }
		12 | 
		13 |   egress {
		14 |     from_port        = 0
		15 |     to_port          = 0
		16 |     protocol         = "-1"
		17 |     cidr_blocks      = ["0.0.0.0/0"]
		18 |     ipv6_cidr_blocks = ["::/0"]
		19 |   }
		20 | 
		21 |   tags = {
		22 |     Name = "test"
		23 |   }
		24 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
	FAILED for resource: aws_security_group.test
	File: /test/unit-test/security-groups.tf:1-24
	Guide: https://docs.bridgecrew.io/docs/networking_31

		1  | resource "aws_security_group" "test" {
		2  |   name        = "Terratest"
		3  |   description = "Test SG for Terratest"
		4  |   vpc_id      = data.aws_vpc.shared.id
		5  |   ingress {
		6  |     from_port        = 0
		7  |     to_port          = 6000
		8  |     protocol         = "tcp"
		9  |     cidr_blocks      = ["0.0.0.0/0"]
		10 |     ipv6_cidr_blocks = ["::/0"]
		11 |   }
		12 | 
		13 |   egress {
		14 |     from_port        = 0
		15 |     to_port          = 0
		16 |     protocol         = "-1"
		17 |     cidr_blocks      = ["0.0.0.0/0"]
		18 |     ipv6_cidr_blocks = ["::/0"]
		19 |   }
		20 | 
		21 |   tags = {
		22 |     Name = "test"
		23 |   }
		24 | }
Check: CKV_AWS_25: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389"
	FAILED for resource: aws_security_group.test
	File: /test/unit-test/security-groups.tf:1-24
	Guide: https://docs.bridgecrew.io/docs/networking_2

		1  | resource "aws_security_group" "test" {
		2  |   name        = "Terratest"
		3  |   description = "Test SG for Terratest"
		4  |   vpc_id      = data.aws_vpc.shared.id
		5  |   ingress {
		6  |     from_port        = 0
		7  |     to_port          = 6000
		8  |     protocol         = "tcp"
		9  |     cidr_blocks      = ["0.0.0.0/0"]
		10 |     ipv6_cidr_blocks = ["::/0"]
		11 |   }
		12 | 
		13 |   egress {
		14 |     from_port        = 0
		15 |     to_port          = 0
		16 |     protocol         = "-1"
		17 |     cidr_blocks      = ["0.0.0.0/0"]
		18 |     ipv6_cidr_blocks = ["::/0"]
		19 |   }
		20 | 
		21 |   tags = {
		22 |     Name = "test"
		23 |   }
		24 | }
github_actions scan results:

Passed checks: 174, Failed checks: 2, Skipped checks: 0

Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
	FAILED for resource: on(Generate Terraform README docs)
	File: /.github/workflows/documentation.yml:0-1
Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
	FAILED for resource: on
	File: /.github/workflows/go-terratest.yml:0-1

checkov_exitcode=1

CTFLint Scan Success

Show Output
*****************************

Setting default tflint config...
Running tflint --init...
Installing `terraform` plugin...
Installed `terraform` (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.2.1)
tflint will check the following folders:
.

*****************************

Running tflint in .
tflint_exitcode=0

… I hard code it, it impacts the rest of the module, however it's finding no AMIs, and it's getting frustrating.
@ep-93 ep-93 force-pushed the feature/adding-tests branch from 8d3bc2a to b6fcfa0 Compare March 1, 2023 16:06
@github-actions
Contributor

github-actions bot commented Mar 1, 2023

TFSEC Scan Success

Show Output
*****************************

TFSEC will check the following folders:
.

*****************************

Running TFSEC in .
Excluding the following checks: AWS089, AWS099, AWS009, AWS097, AWS018
  timings
  ──────────────────────────────────────────
  disk i/o             216.91µs
  parsing              22.010576ms
  adaptation           190.308µs
  checks               13.660544ms
  total                36.078338ms

  counts
  ──────────────────────────────────────────
  modules downloaded   0
  modules processed    1
  blocks processed     48
  files read           6

  results
  ──────────────────────────────────────────
  passed               4
  ignored              1
  critical             0
  high                 0
  medium               0
  low                  0


No problems detected!

tfsec_exitcode=0

Checkov Scan Failed

Show Output
*****************************

Checkov will check the following folders:
.

*****************************

Running Checkov in .
Excluding the following checks: CKV_GIT_1
terraform scan results:

Passed checks: 32, Failed checks: 5, Skipped checks: 3

Check: CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
	FAILED for resource: module.module_test.aws_instance.this
	File: /main.tf:5-93
	Calling File: /test/unit-test/main.tf:1-28
	Guide: https://docs.bridgecrew.io/docs/ensure-that-detailed-monitoring-is-enabled-for-ec2-instances

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
	FAILED for resource: aws_security_group.test
	File: /test/unit-test/security-groups.tf:1-24
	Guide: https://docs.bridgecrew.io/docs/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80

		1  | resource "aws_security_group" "test" {
		2  |   name        = "Terratest"
		3  |   description = "Test SG for Terratest"
		4  |   vpc_id      = data.aws_vpc.shared.id
		5  |   ingress {
		6  |     from_port        = 0
		7  |     to_port          = 6000
		8  |     protocol         = "tcp"
		9  |     cidr_blocks      = ["0.0.0.0/0"]
		10 |     ipv6_cidr_blocks = ["::/0"]
		11 |   }
		12 | 
		13 |   egress {
		14 |     from_port        = 0
		15 |     to_port          = 0
		16 |     protocol         = "-1"
		17 |     cidr_blocks      = ["0.0.0.0/0"]
		18 |     ipv6_cidr_blocks = ["::/0"]
		19 |   }
		20 | 
		21 |   tags = {
		22 |     Name = "test"
		23 |   }
		24 | }
Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_security_group.test
	File: /test/unit-test/security-groups.tf:1-24
	Guide: https://docs.bridgecrew.io/docs/networking_1-port-security

		1  | resource "aws_security_group" "test" {
		2  |   name        = "Terratest"
		3  |   description = "Test SG for Terratest"
		4  |   vpc_id      = data.aws_vpc.shared.id
		5  |   ingress {
		6  |     from_port        = 0
		7  |     to_port          = 6000
		8  |     protocol         = "tcp"
		9  |     cidr_blocks      = ["0.0.0.0/0"]
		10 |     ipv6_cidr_blocks = ["::/0"]
		11 |   }
		12 | 
		13 |   egress {
		14 |     from_port        = 0
		15 |     to_port          = 0
		16 |     protocol         = "-1"
		17 |     cidr_blocks      = ["0.0.0.0/0"]
		18 |     ipv6_cidr_blocks = ["::/0"]
		19 |   }
		20 | 
		21 |   tags = {
		22 |     Name = "test"
		23 |   }
		24 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
	FAILED for resource: aws_security_group.test
	File: /test/unit-test/security-groups.tf:1-24
	Guide: https://docs.bridgecrew.io/docs/networking_31

		1  | resource "aws_security_group" "test" {
		2  |   name        = "Terratest"
		3  |   description = "Test SG for Terratest"
		4  |   vpc_id      = data.aws_vpc.shared.id
		5  |   ingress {
		6  |     from_port        = 0
		7  |     to_port          = 6000
		8  |     protocol         = "tcp"
		9  |     cidr_blocks      = ["0.0.0.0/0"]
		10 |     ipv6_cidr_blocks = ["::/0"]
		11 |   }
		12 | 
		13 |   egress {
		14 |     from_port        = 0
		15 |     to_port          = 0
		16 |     protocol         = "-1"
		17 |     cidr_blocks      = ["0.0.0.0/0"]
		18 |     ipv6_cidr_blocks = ["::/0"]
		19 |   }
		20 | 
		21 |   tags = {
		22 |     Name = "test"
		23 |   }
		24 | }
Check: CKV_AWS_25: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389"
	FAILED for resource: aws_security_group.test
	File: /test/unit-test/security-groups.tf:1-24
	Guide: https://docs.bridgecrew.io/docs/networking_2

		1  | resource "aws_security_group" "test" {
		2  |   name        = "Terratest"
		3  |   description = "Test SG for Terratest"
		4  |   vpc_id      = data.aws_vpc.shared.id
		5  |   ingress {
		6  |     from_port        = 0
		7  |     to_port          = 6000
		8  |     protocol         = "tcp"
		9  |     cidr_blocks      = ["0.0.0.0/0"]
		10 |     ipv6_cidr_blocks = ["::/0"]
		11 |   }
		12 | 
		13 |   egress {
		14 |     from_port        = 0
		15 |     to_port          = 0
		16 |     protocol         = "-1"
		17 |     cidr_blocks      = ["0.0.0.0/0"]
		18 |     ipv6_cidr_blocks = ["::/0"]
		19 |   }
		20 | 
		21 |   tags = {
		22 |     Name = "test"
		23 |   }
		24 | }
github_actions scan results:

Passed checks: 174, Failed checks: 2, Skipped checks: 0

Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
	FAILED for resource: on(Generate Terraform README docs)
	File: /.github/workflows/documentation.yml:0-1
Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
	FAILED for resource: on
	File: /.github/workflows/go-terratest.yml:0-1

checkov_exitcode=1

CTFLint Scan Failed

Show Output
*****************************

Setting default tflint config...
Running tflint --init...
Installing `terraform` plugin...
Installed `terraform` (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.2.1)
tflint will check the following folders:
.

*****************************

Running tflint in .
1 issue(s) found:

Warning: local.ami_info is declared but not used (terraform_unused_declarations)

  on github/workspace/locals.tf line 108:
 108:   ami_info = {
 109:     tags = {
 110:       description = "For testing official RedHat RHEL7.9 image"
 111:       monitored   = false
 112:       os-type     = "Linux"
 113:       component   = "test"
 114:     }
 115:     ami_name  = "RHEL-7.9_HVM-*"
 116:     ami_owner = "309956199498"
 117:   }

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_unused_declarations.md

tflint_exitcode=2

@github-actions
Contributor

github-actions bot commented Mar 1, 2023

TFSEC Scan Success

Checkov Scan Failed

CTFLint Scan Failed

@github-actions
Contributor

github-actions bot commented Mar 3, 2023

TFSEC Scan Success

Checkov Scan Failed

CTFLint Scan Failed

@ep-93 ep-93 changed the title Created tests, but struggling getting a basic ec2 instance working wi… Working Module, tests WIP. Mar 3, 2023
@github-actions
Contributor

github-actions bot commented Mar 3, 2023

TFSEC Scan Success

Checkov Scan Failed

CTFLint Scan Failed

*****************************

Setting default tflint config...
Running tflint --init...
Installing `terraform` plugin...
Installed `terraform` (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.2.1)
tflint will check the following folders:
.

*****************************

Running tflint in .
1 issue(s) found:

Warning: local.ami_info is declared but not used (terraform_unused_declarations)

  on github/workspace/locals.tf line 108:
 108:   ami_info = {
 109:     tags = {
 110:       description = "For testing official RedHat RHEL7.9 image"
 111:       monitored   = false
 112:       os-type     = "Linux"
 113:       component   = "test"
 114:     }
 115:     ami_name  = "RHEL-7.9_HVM-*"
 116:     ami_owner = "309956199498"
 117:   }

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_unused_declarations.md

tflint_exitcode=2

@ep-93 ep-93 marked this pull request as ready for review March 3, 2023 09:03
@ep-93 ep-93 changed the title Working Module, tests WIP. Test created for module. - Hardcoded subnet Mar 6, 2023
github-actions bot commented Mar 6, 2023

TFSEC Scan Success

*****************************

TFSEC will check the following folders:
.

*****************************

Running TFSEC in .
Excluding the following checks: AWS089, AWS099, AWS009, AWS097, AWS018
  timings
  ──────────────────────────────────────────
  disk i/o             203.306µs
  parsing              12.125466ms
  adaptation           126.003µs
  checks               8.691191ms
  total                21.145966ms

  counts
  ──────────────────────────────────────────
  modules downloaded   0
  modules processed    1
  blocks processed     48
  files read           6

  results
  ──────────────────────────────────────────
  passed               4
  ignored              1
  critical             0
  high                 0
  medium               0
  low                  0


No problems detected!

tfsec_exitcode=0

Checkov Scan Failed

*****************************

Checkov will check the following folders:
.

*****************************

Running Checkov in .
Excluding the following checks: CKV_GIT_1
2023-03-06 15:23:17,081 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 46, Failed checks: 8, Skipped checks: 3

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.ec2_policy
	File: /test/unit-test/locals.tf:153-162
	Guide: https://docs.bridgecrew.io/docs/ensure-iam-policies-do-not-allow-write-access-without-constraint

		153 | data "aws_iam_policy_document" "ec2_policy" {
		154 |   statement {
		155 |     sid    = "CustomEc2Policy"
		156 |     effect = "Allow"
		157 |     actions = [
		158 |       "ec2:*"
		159 |     ]
		160 |     resources = ["*"] #tfsec:ignore:aws-iam-no-policy-wildcards
		161 |   }
		162 | }

Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy_document.ec2_policy
	File: /test/unit-test/locals.tf:153-162
	Guide: https://docs.bridgecrew.io/docs/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint

		153 | data "aws_iam_policy_document" "ec2_policy" {
		154 |   statement {
		155 |     sid    = "CustomEc2Policy"
		156 |     effect = "Allow"
		157 |     actions = [
		158 |       "ec2:*"
		159 |     ]
		160 |     resources = ["*"] #tfsec:ignore:aws-iam-no-policy-wildcards
		161 |   }
		162 | }

Check: CKV_AWS_107: "Ensure IAM policies does not allow credentials exposure"
	FAILED for resource: aws_iam_policy_document.ec2_policy
	File: /test/unit-test/locals.tf:153-162
	Guide: https://docs.bridgecrew.io/docs/ensure-iam-policies-do-not-allow-credentials-exposure

		153 | data "aws_iam_policy_document" "ec2_policy" {
		154 |   statement {
		155 |     sid    = "CustomEc2Policy"
		156 |     effect = "Allow"
		157 |     actions = [
		158 |       "ec2:*"
		159 |     ]
		160 |     resources = ["*"] #tfsec:ignore:aws-iam-no-policy-wildcards
		161 |   }
		162 | }

Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
	FAILED for resource: aws_security_group.test
	File: /test/unit-test/security-groups.tf:1-24
	Guide: https://docs.bridgecrew.io/docs/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80

		1  | resource "aws_security_group" "test" {
		2  |   name        = "Terratest"
		3  |   description = "Test SG for Terratest"
		4  |   vpc_id      = data.aws_vpc.shared.id
		5  |   ingress {
		6  |     from_port        = 0
		7  |     to_port          = 6000
		8  |     protocol         = "tcp"
		9  |     cidr_blocks      = ["0.0.0.0/0"]
		10 |     ipv6_cidr_blocks = ["::/0"]
		11 |   }
		12 | 
		13 |   egress {
		14 |     from_port        = 0
		15 |     to_port          = 0
		16 |     protocol         = "-1"
		17 |     cidr_blocks      = ["0.0.0.0/0"]
		18 |     ipv6_cidr_blocks = ["::/0"]
		19 |   }
		20 | 
		21 |   tags = {
		22 |     Name = "test"
		23 |   }
		24 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_security_group.test
	File: /test/unit-test/security-groups.tf:1-24
	Guide: https://docs.bridgecrew.io/docs/networking_1-port-security

		1  | resource "aws_security_group" "test" {
		2  |   name        = "Terratest"
		3  |   description = "Test SG for Terratest"
		4  |   vpc_id      = data.aws_vpc.shared.id
		5  |   ingress {
		6  |     from_port        = 0
		7  |     to_port          = 6000
		8  |     protocol         = "tcp"
		9  |     cidr_blocks      = ["0.0.0.0/0"]
		10 |     ipv6_cidr_blocks = ["::/0"]
		11 |   }
		12 | 
		13 |   egress {
		14 |     from_port        = 0
		15 |     to_port          = 0
		16 |     protocol         = "-1"
		17 |     cidr_blocks      = ["0.0.0.0/0"]
		18 |     ipv6_cidr_blocks = ["::/0"]
		19 |   }
		20 | 
		21 |   tags = {
		22 |     Name = "test"
		23 |   }
		24 | }

Check: CKV_AWS_23: "Ensure every security groups rule has a description"
	FAILED for resource: aws_security_group.test
	File: /test/unit-test/security-groups.tf:1-24
	Guide: https://docs.bridgecrew.io/docs/networking_31

		1  | resource "aws_security_group" "test" {
		2  |   name        = "Terratest"
		3  |   description = "Test SG for Terratest"
		4  |   vpc_id      = data.aws_vpc.shared.id
		5  |   ingress {
		6  |     from_port        = 0
		7  |     to_port          = 6000
		8  |     protocol         = "tcp"
		9  |     cidr_blocks      = ["0.0.0.0/0"]
		10 |     ipv6_cidr_blocks = ["::/0"]
		11 |   }
		12 | 
		13 |   egress {
		14 |     from_port        = 0
		15 |     to_port          = 0
		16 |     protocol         = "-1"
		17 |     cidr_blocks      = ["0.0.0.0/0"]
		18 |     ipv6_cidr_blocks = ["::/0"]
		19 |   }
		20 | 
		21 |   tags = {
		22 |     Name = "test"
		23 |   }
		24 | }

Check: CKV_AWS_25: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389"
	FAILED for resource: aws_security_group.test
	File: /test/unit-test/security-groups.tf:1-24
	Guide: https://docs.bridgecrew.io/docs/networking_2

		1  | resource "aws_security_group" "test" {
		2  |   name        = "Terratest"
		3  |   description = "Test SG for Terratest"
		4  |   vpc_id      = data.aws_vpc.shared.id
		5  |   ingress {
		6  |     from_port        = 0
		7  |     to_port          = 6000
		8  |     protocol         = "tcp"
		9  |     cidr_blocks      = ["0.0.0.0/0"]
		10 |     ipv6_cidr_blocks = ["::/0"]
		11 |   }
		12 | 
		13 |   egress {
		14 |     from_port        = 0
		15 |     to_port          = 0
		16 |     protocol         = "-1"
		17 |     cidr_blocks      = ["0.0.0.0/0"]
		18 |     ipv6_cidr_blocks = ["::/0"]
		19 |   }
		20 | 
		21 |   tags = {
		22 |     Name = "test"
		23 |   }
		24 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.test
	File: /test/unit-test/security-groups.tf:1-24
	Guide: https://docs.bridgecrew.io/docs/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		1  | resource "aws_security_group" "test" {
		2  |   name        = "Terratest"
		3  |   description = "Test SG for Terratest"
		4  |   vpc_id      = data.aws_vpc.shared.id
		5  |   ingress {
		6  |     from_port        = 0
		7  |     to_port          = 6000
		8  |     protocol         = "tcp"
		9  |     cidr_blocks      = ["0.0.0.0/0"]
		10 |     ipv6_cidr_blocks = ["::/0"]
		11 |   }
		12 | 
		13 |   egress {
		14 |     from_port        = 0
		15 |     to_port          = 0
		16 |     protocol         = "-1"
		17 |     cidr_blocks      = ["0.0.0.0/0"]
		18 |     ipv6_cidr_blocks = ["::/0"]
		19 |   }
		20 | 
		21 |   tags = {
		22 |     Name = "test"
		23 |   }
		24 | }

github_actions scan results:

Passed checks: 175, Failed checks: 1, Skipped checks: 0

Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
	FAILED for resource: on(Generate Terraform README docs)
	File: /.github/workflows/documentation.yml:0-1

checkov_exitcode=1

CTFLint Scan Failed

*****************************

Setting default tflint config...
Running tflint --init...
Installing `terraform` plugin...
Installed `terraform` (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.2.1)
tflint will check the following folders:
.

*****************************

Running tflint in .
1 issue(s) found:

Warning: local.ami_info is declared but not used (terraform_unused_declarations)

  on github/workspace/locals.tf line 108:
 108:   ami_info = {
 109:     tags = {
 110:       description = "For testing official RedHat RHEL7.9 image"
 111:       monitored   = false
 112:       os-type     = "Linux"
 113:       component   = "test"
 114:     }
 115:     ami_name  = "RHEL-7.9_HVM-*"
 116:     ami_owner = "309956199498"
 117:   }

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_unused_declarations.md

tflint_exitcode=2

github-actions bot commented Mar 7, 2023

TFSEC Scan Success

*****************************

TFSEC will check the following folders:
.

*****************************

Running TFSEC in .
Excluding the following checks: AWS089, AWS099, AWS009, AWS097, AWS018
  timings
  ──────────────────────────────────────────
  disk i/o             144.197µs
  parsing              19.666503ms
  adaptation           115.499µs
  checks               9.090009ms
  total                29.016208ms

  counts
  ──────────────────────────────────────────
  modules downloaded   0
  modules processed    1
  blocks processed     48
  files read           6

  results
  ──────────────────────────────────────────
  passed               4
  ignored              1
  critical             0
  high                 0
  medium               0
  low                  0


No problems detected!

tfsec_exitcode=0

Checkov Scan Failed

*****************************

Checkov will check the following folders:
.

*****************************

Running Checkov in .
Excluding the following checks: CKV_GIT_1
2023-03-07 14:45:56,435 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 46, Failed checks: 8, Skipped checks: 3

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.ec2_policy
	File: /test/unit-test/data.tf:19-28
	Guide: https://docs.bridgecrew.io/docs/ensure-iam-policies-do-not-allow-write-access-without-constraint

		19 | data "aws_iam_policy_document" "ec2_policy" {
		20 |   statement {
		21 |     sid    = "CustomEc2Policy"
		22 |     effect = "Allow"
		23 |     actions = [
		24 |       "ec2:*"
		25 |     ]
		26 |     resources = ["*"] #tfsec:ignore:aws-iam-no-policy-wildcards
		27 |   }
		28 | }

Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy_document.ec2_policy
	File: /test/unit-test/data.tf:19-28
	Guide: https://docs.bridgecrew.io/docs/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint

		19 | data "aws_iam_policy_document" "ec2_policy" {
		20 |   statement {
		21 |     sid    = "CustomEc2Policy"
		22 |     effect = "Allow"
		23 |     actions = [
		24 |       "ec2:*"
		25 |     ]
		26 |     resources = ["*"] #tfsec:ignore:aws-iam-no-policy-wildcards
		27 |   }
		28 | }

Check: CKV_AWS_107: "Ensure IAM policies does not allow credentials exposure"
	FAILED for resource: aws_iam_policy_document.ec2_policy
	File: /test/unit-test/data.tf:19-28
	Guide: https://docs.bridgecrew.io/docs/ensure-iam-policies-do-not-allow-credentials-exposure

		19 | data "aws_iam_policy_document" "ec2_policy" {
		20 |   statement {
		21 |     sid    = "CustomEc2Policy"
		22 |     effect = "Allow"
		23 |     actions = [
		24 |       "ec2:*"
		25 |     ]
		26 |     resources = ["*"] #tfsec:ignore:aws-iam-no-policy-wildcards
		27 |   }
		28 | }

Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
	FAILED for resource: aws_security_group.test
	File: /test/unit-test/security-groups.tf:1-24
	Guide: https://docs.bridgecrew.io/docs/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80

		1  | resource "aws_security_group" "test" {
		2  |   name        = "Terratest"
		3  |   description = "Test SG for Terratest"
		4  |   vpc_id      = data.aws_vpc.shared.id
		5  |   ingress {
		6  |     from_port        = 0
		7  |     to_port          = 6000
		8  |     protocol         = "tcp"
		9  |     cidr_blocks      = ["0.0.0.0/0"]
		10 |     ipv6_cidr_blocks = ["::/0"]
		11 |   }
		12 | 
		13 |   egress {
		14 |     from_port        = 0
		15 |     to_port          = 0
		16 |     protocol         = "-1"
		17 |     cidr_blocks      = ["0.0.0.0/0"]
		18 |     ipv6_cidr_blocks = ["::/0"]
		19 |   }
		20 | 
		21 |   tags = {
		22 |     Name = "test"
		23 |   }
		24 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_security_group.test
	File: /test/unit-test/security-groups.tf:1-24
	Guide: https://docs.bridgecrew.io/docs/networking_1-port-security

		1  | resource "aws_security_group" "test" {
		2  |   name        = "Terratest"
		3  |   description = "Test SG for Terratest"
		4  |   vpc_id      = data.aws_vpc.shared.id
		5  |   ingress {
		6  |     from_port        = 0
		7  |     to_port          = 6000
		8  |     protocol         = "tcp"
		9  |     cidr_blocks      = ["0.0.0.0/0"]
		10 |     ipv6_cidr_blocks = ["::/0"]
		11 |   }
		12 | 
		13 |   egress {
		14 |     from_port        = 0
		15 |     to_port          = 0
		16 |     protocol         = "-1"
		17 |     cidr_blocks      = ["0.0.0.0/0"]
		18 |     ipv6_cidr_blocks = ["::/0"]
		19 |   }
		20 | 
		21 |   tags = {
		22 |     Name = "test"
		23 |   }
		24 | }

Check: CKV_AWS_23: "Ensure every security groups rule has a description"
	FAILED for resource: aws_security_group.test
	File: /test/unit-test/security-groups.tf:1-24
	Guide: https://docs.bridgecrew.io/docs/networking_31

		1  | resource "aws_security_group" "test" {
		2  |   name        = "Terratest"
		3  |   description = "Test SG for Terratest"
		4  |   vpc_id      = data.aws_vpc.shared.id
		5  |   ingress {
		6  |     from_port        = 0
		7  |     to_port          = 6000
		8  |     protocol         = "tcp"
		9  |     cidr_blocks      = ["0.0.0.0/0"]
		10 |     ipv6_cidr_blocks = ["::/0"]
		11 |   }
		12 | 
		13 |   egress {
		14 |     from_port        = 0
		15 |     to_port          = 0
		16 |     protocol         = "-1"
		17 |     cidr_blocks      = ["0.0.0.0/0"]
		18 |     ipv6_cidr_blocks = ["::/0"]
		19 |   }
		20 | 
		21 |   tags = {
		22 |     Name = "test"
		23 |   }
		24 | }

Check: CKV_AWS_25: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389"
	FAILED for resource: aws_security_group.test
	File: /test/unit-test/security-groups.tf:1-24
	Guide: https://docs.bridgecrew.io/docs/networking_2

		1  | resource "aws_security_group" "test" {
		2  |   name        = "Terratest"
		3  |   description = "Test SG for Terratest"
		4  |   vpc_id      = data.aws_vpc.shared.id
		5  |   ingress {
		6  |     from_port        = 0
		7  |     to_port          = 6000
		8  |     protocol         = "tcp"
		9  |     cidr_blocks      = ["0.0.0.0/0"]
		10 |     ipv6_cidr_blocks = ["::/0"]
		11 |   }
		12 | 
		13 |   egress {
		14 |     from_port        = 0
		15 |     to_port          = 0
		16 |     protocol         = "-1"
		17 |     cidr_blocks      = ["0.0.0.0/0"]
		18 |     ipv6_cidr_blocks = ["::/0"]
		19 |   }
		20 | 
		21 |   tags = {
		22 |     Name = "test"
		23 |   }
		24 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.test
	File: /test/unit-test/security-groups.tf:1-24
	Guide: https://docs.bridgecrew.io/docs/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		1  | resource "aws_security_group" "test" {
		2  |   name        = "Terratest"
		3  |   description = "Test SG for Terratest"
		4  |   vpc_id      = data.aws_vpc.shared.id
		5  |   ingress {
		6  |     from_port        = 0
		7  |     to_port          = 6000
		8  |     protocol         = "tcp"
		9  |     cidr_blocks      = ["0.0.0.0/0"]
		10 |     ipv6_cidr_blocks = ["::/0"]
		11 |   }
		12 | 
		13 |   egress {
		14 |     from_port        = 0
		15 |     to_port          = 0
		16 |     protocol         = "-1"
		17 |     cidr_blocks      = ["0.0.0.0/0"]
		18 |     ipv6_cidr_blocks = ["::/0"]
		19 |   }
		20 | 
		21 |   tags = {
		22 |     Name = "test"
		23 |   }
		24 | }

github_actions scan results:

Passed checks: 175, Failed checks: 1, Skipped checks: 0

Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
	FAILED for resource: on(Generate Terraform README docs)
	File: /.github/workflows/documentation.yml:0-1

checkov_exitcode=1

CTFLint Scan Failed

*****************************

Setting default tflint config...
Running tflint --init...
Installing `terraform` plugin...
Installed `terraform` (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.2.1)
tflint will check the following folders:
.

*****************************

Running tflint in .
1 issue(s) found:

Warning: local.ami_info is declared but not used (terraform_unused_declarations)

  on github/workspace/locals.tf line 108:
 108:   ami_info = {
 109:     tags = {
 110:       description = "For testing official RedHat RHEL7.9 image"
 111:       monitored   = false
 112:       os-type     = "Linux"
 113:       component   = "test"
 114:     }
 115:     ami_name  = "RHEL-7.9_HVM-*"
 116:     ami_owner = "309956199498"
 117:   }

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_unused_declarations.md

tflint_exitcode=2

davidkelliott previously approved these changes Mar 7, 2023
github-actions bot commented Mar 8, 2023

TFSEC Scan Success

*****************************

TFSEC will check the following folders:
.

*****************************

Running TFSEC in .
Excluding the following checks: AWS089, AWS099, AWS009, AWS097, AWS018
  timings
  ──────────────────────────────────────────
  disk i/o             181.709µs
  parsing              16.866989ms
  adaptation           194.909µs
  checks               13.258221ms
  total                30.501828ms

  counts
  ──────────────────────────────────────────
  modules downloaded   0
  modules processed    1
  blocks processed     48
  files read           6

  results
  ──────────────────────────────────────────
  passed               4
  ignored              1
  critical             0
  high                 0
  medium               0
  low                  0


No problems detected!

tfsec_exitcode=0

Checkov Scan Failed

*****************************

Checkov will check the following folders:
.

*****************************

Running Checkov in .
Excluding the following checks: CKV_GIT_1
2023-03-08 08:00:47,211 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 47, Failed checks: 1, Skipped checks: 9

Check: CKV_AWS_107: "Ensure IAM policies does not allow credentials exposure"
	FAILED for resource: aws_iam_policy_document.ec2_policy
	File: /test/unit-test/data.tf:19-31
	Guide: https://docs.bridgecrew.io/docs/ensure-iam-policies-do-not-allow-credentials-exposure

		19 | data "aws_iam_policy_document" "ec2_policy" {
		20 |   statement {
		21 |     #checkov:skip=CKV_AWS_109:
		22 |     #checkov:skip=CKV_AWS_111:
		23 | 
		24 |     sid    = "CustomEc2Policy"
		25 |     effect = "Allow"
		26 |     actions = [
		27 |       "ec2:*"
		28 |     ]
		29 |     resources = ["*"] #tfsec:ignore:aws-iam-no-policy-wildcards
		30 |   }
		31 | }

github_actions scan results:

Passed checks: 175, Failed checks: 1, Skipped checks: 0

Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
	FAILED for resource: on(Generate Terraform README docs)
	File: /.github/workflows/documentation.yml:0-1

checkov_exitcode=1

CTFLint Scan Success

*****************************

Setting default tflint config...
Running tflint --init...
Installing `terraform` plugin...
Installed `terraform` (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.2.1)
tflint will check the following folders:
.

*****************************

Running tflint in .
tflint_exitcode=0

@ep-93 ep-93 changed the title Test created for module. - Hardcoded subnet Tests created for module Mar 8, 2023
github-actions bot commented Mar 8, 2023

TFSEC Scan Success

*****************************

TFSEC will check the following folders:
.

*****************************

Running TFSEC in .
Excluding the following checks: AWS089, AWS099, AWS009, AWS097, AWS018
  timings
  ──────────────────────────────────────────
  disk i/o             199.5µs
  parsing              21.172775ms
  adaptation           144.3µs
  checks               10.725188ms
  total                32.241763ms

  counts
  ──────────────────────────────────────────
  modules downloaded   0
  modules processed    1
  blocks processed     48
  files read           6

  results
  ──────────────────────────────────────────
  passed               4
  ignored              1
  critical             0
  high                 0
  medium               0
  low                  0


No problems detected!

tfsec_exitcode=0

Checkov Scan Failed

*****************************

Checkov will check the following folders:
.

*****************************

Running Checkov in .
Excluding the following checks: CKV_GIT_1
2023-03-08 08:05:21,133 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 47, Failed checks: 0, Skipped checks: 10

github_actions scan results:

Passed checks: 175, Failed checks: 1, Skipped checks: 0

Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
	FAILED for resource: on(Generate Terraform README docs)
	File: /.github/workflows/documentation.yml:0-1

checkov_exitcode=1

CTFLint Scan Success

*****************************

Setting default tflint config...
Running tflint --init...
Installing `terraform` plugin...
Installed `terraform` (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.2.1)
tflint will check the following folders:
.

*****************************

Running tflint in .
tflint_exitcode=0

github-actions bot commented Mar 8, 2023

TFSEC Scan Success

*****************************

TFSEC will check the following folders:
.

*****************************

Running TFSEC in .
Excluding the following checks: AWS089, AWS099, AWS009, AWS097, AWS018
  timings
  ──────────────────────────────────────────
  disk i/o             188.909µs
  parsing              13.977427ms
  adaptation           146.905µs
  checks               26.700807ms
  total                41.014048ms

  counts
  ──────────────────────────────────────────
  modules downloaded   0
  modules processed    1
  blocks processed     48
  files read           6

  results
  ──────────────────────────────────────────
  passed               4
  ignored              1
  critical             0
  high                 0
  medium               0
  low                  0


No problems detected!

tfsec_exitcode=0

Checkov Scan Failed

*****************************

Checkov will check the following folders:
.

*****************************

Running Checkov in .
Excluding the following checks: CKV_GIT_1
2023-03-08 08:33:25,627 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 47, Failed checks: 0, Skipped checks: 10

github_actions scan results:

Passed checks: 175, Failed checks: 1, Skipped checks: 0

Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
	FAILED for resource: on(Generate Terraform README docs)
	File: /.github/workflows/documentation.yml:0-1

checkov_exitcode=1

CTFLint Scan Success

*****************************

Setting default tflint config...
Running tflint --init...
Installing `terraform` plugin...
Installed `terraform` (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.2.1)
tflint will check the following folders:
.

*****************************

Running tflint in .
tflint_exitcode=0

github-actions bot commented Mar 8, 2023

TFSEC Scan Success

*****************************

TFSEC will check the following folders:
.

*****************************

Running TFSEC in .
Excluding the following checks: AWS089, AWS099, AWS009, AWS097, AWS018
  timings
  ──────────────────────────────────────────
  disk i/o             196.1µs
  parsing              19.967578ms
  adaptation           578.103µs
  checks               10.640541ms
  total                31.382322ms

  counts
  ──────────────────────────────────────────
  modules downloaded   0
  modules processed    1
  blocks processed     48
  files read           6

  results
  ──────────────────────────────────────────
  passed               4
  ignored              1
  critical             0
  high                 0
  medium               0
  low                  0


No problems detected!

tfsec_exitcode=0

Checkov Scan Failed

*****************************

Checkov will check the following folders:
.

*****************************

Running Checkov in .
Excluding the following checks: CKV_GIT_1
2023-03-08 08:39:50,726 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 47, Failed checks: 0, Skipped checks: 10

github_actions scan results:

Passed checks: 175, Failed checks: 1, Skipped checks: 0

Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
	FAILED for resource: on(Generate Terraform README docs)
	File: /.github/workflows/documentation.yml:0-1

checkov_exitcode=1

CTFLint Scan Success

*****************************

Setting default tflint config...
Running tflint --init...
Installing `terraform` plugin...
Installed `terraform` (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.2.1)
tflint will check the following folders:
.

*****************************

Running tflint in .
tflint_exitcode=0

github-actions bot commented Mar 8, 2023

TFSEC Scan Success

*****************************

TFSEC will check the following folders:
.

*****************************

Running TFSEC in .
Excluding the following checks: AWS089, AWS099, AWS009, AWS097, AWS018
  timings
  ──────────────────────────────────────────
  disk i/o             153.8µs
  parsing              11.563909ms
  adaptation           145.998µs
  checks               8.378434ms
  total                20.242141ms

  counts
  ──────────────────────────────────────────
  modules downloaded   0
  modules processed    1
  blocks processed     48
  files read           6

  results
  ──────────────────────────────────────────
  passed               4
  ignored              1
  critical             0
  high                 0
  medium               0
  low                  0


No problems detected!

tfsec_exitcode=0

Checkov Scan Success

*****************************

Checkov will check the following folders:
.

*****************************

Running Checkov in .
Excluding the following checks: CKV_GIT_1
2023-03-08 10:29:43,054 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 47, Failed checks: 0, Skipped checks: 10

github_actions scan results:

Passed checks: 176, Failed checks: 0, Skipped checks: 0


checkov_exitcode=0

CTFLint Scan Success

*****************************

Setting default tflint config...
Running tflint --init...
Installing `terraform` plugin...
Installed `terraform` (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.2.1)
tflint will check the following folders:
.

*****************************

Running tflint in .
tflint_exitcode=0

@ep-93 ep-93 merged commit 1d143a5 into main Mar 8, 2023
@ep-93 ep-93 deleted the feature/adding-tests branch March 8, 2023 11:41