
DRAFT - Allow creation of Wafv2 ACL resources through CloudFormation #7162

Closed
wants to merge 43 commits into from

Conversation

mikereiddigital
Contributor

@mikereiddigital mikereiddigital commented Jun 4, 2024

Note - this is pending advice from AWS on issues arising from this proposed change.

Amends the aws_iam_policy_document "member-access" and adds permissions that allow only the creation of wafv2:acl resources via an aws_cloudformation_stack. Note that the permissions are limited to stack-level operations only and do not include those actions for StackSets or the creation/execution of change sets.

A reference to the issue / Description of it

See issue 6991 - #6991

How does this PR fix the problem?

This change has been requested by the LAA Ops team due to limitations with Terraform implementing wafv2:acl rules nested beyond 3 levels. The identified solution is to create the ACL via an aws_cloudformation_stack resource. The added statement has been written to only allow the creation of resources of type AWS:WAFv2:ACL via CloudFormation, so as to avoid the potential for this approach to be used more generally.

How has this been tested?

Please describe the tests that you ran and provide instructions to reproduce.

This change will be tested in sprinkler first, where I will attempt to create both a wafv2:acl and other types of resource. If the tests are successful, the ACL will be created via a CloudFormation stack but the others will not.

Deployment Plan / Instructions

Will this deployment impact the platform and / or services on it?

As this is a supplemental change it should not adversely impact existing resources.

Checklist (check x in [ ] of list items)

  • I have performed a self-review of my own code
  • All checks have passed
  • I have made corresponding changes to the documentation
  • Plan and discussed how it should be deployed to PROD (If needed)

Additional comments (if any)

{Please write here}
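The kind of statement the description refers to, as an added illustration rather than the PR's own iam.tf change: a Terraform aws_iam_policy_document that scopes stack-level CloudFormation actions to one template resource type using the cloudformation:ResourceTypes condition key. The document name, the exact action list, and the use of AWS::WAFv2::WebACL as the CloudFormation type behind the PR's "AWS:WAFv2:ACL" are assumptions.

```hcl
# Added illustration (not the PR's own member-access change): allow stack-level
# CloudFormation actions only for templates whose resources are all WAFv2 web ACLs.
data "aws_iam_policy_document" "cloudformation_wafv2_only" {
  # Stack-level actions only, mirroring the scope in the PR description:
  # no StackSet and no ChangeSet actions. The exact list is an assumption.
  statement {
    sid    = "AllowWafv2WebAclStacks"
    effect = "Allow"
    actions = [
      "cloudformation:CreateStack",
      "cloudformation:UpdateStack",
      "cloudformation:DeleteStack",
      "cloudformation:DescribeStacks",
      "cloudformation:DescribeStackEvents",
      "cloudformation:DescribeStackResources",
      "cloudformation:GetTemplate",
    ]
    resources = ["*"]

    # cloudformation:ResourceTypes is multi-valued, so ForAllValues requires
    # every declared type to be in the allow-list. AWS::WAFv2::WebACL is the
    # assumed CloudFormation type name for the "AWS:WAFv2:ACL" in the PR text.
    condition {
      test     = "ForAllValues:StringEquals"
      variable = "cloudformation:ResourceTypes"
      values   = ["AWS::WAFv2::WebACL"]
    }
  }

  # ForAllValues evaluates to true when the key is absent from the request
  # context, so the Allow above is not an allow-list on its own. The key is
  # populated from the ResourceTypes parameter of the CreateStack/UpdateStack
  # call; this Deny makes a call that omits it fail closed instead of
  # silently permitting any resource type.
  statement {
    sid    = "DenyStacksWithoutResourceTypes"
    effect = "Deny"
    actions = [
      "cloudformation:CreateStack",
      "cloudformation:UpdateStack",
    ]
    resources = ["*"]

    condition {
      test     = "Null"
      variable = "cloudformation:ResourceTypes"
      values   = ["true"]
    }
  }
}
```

Whether a given client sets ResourceTypes on CreateStack has to be checked for that client; one that omits it is denied by the second statement, which is the behaviour the sprinkler test of "an ACL and other resource types" should confirm rather than assume.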

…ermissions that allow only the creation of wafv2:acl resources via an aws_cloudformation_stack.
@mikereiddigital mikereiddigital requested a review from a team as a code owner June 4, 2024 13:02
Contributor

github-actions bot commented Jun 4, 2024

Please check the plan carefully before deploying these changes.

⚠️ Making changes to the terraform/environments/bootstrap/member-bootstrap/iam.tf file will alter the IAM permissions for all members on the MP platform. In particular the member-access policy which defines the permissions members have for building IaC in their environments or the github OIDC role that defines the permissions for their application CI/CD pipelines. Please ensure that any permissions changes have been agreed with the wider team.

Contributor

github-actions bot commented Jun 4, 2024

Checkov Scan Success

Show Output

*****************************

Checkov will check the following folders:
terraform/environments/bootstrap/member-bootstrap

*****************************

Running Checkov in terraform/environments/bootstrap/member-bootstrap
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-06-04 13:04:44,995 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=0179859e6fafc567843cd55c0b05d325d5012dc4:None (for external modules, the --download-external-modules flag is required)
2024-06-04 13:04:44,995 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-cross-account-access?ref=6819b090bce6d3068d55c7c7b9b3fd18c9dca648:None (for external modules, the --download-external-modules flag is required)
2024-06-04 13:04:44,995 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-github-oidc-role?ref=c3bde7c787038ff5536bfb1b73781072edbb74da:None (for external modules, the --download-external-modules flag is required)
2024-06-04 13:04:44,995 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-github-oidc-provider?ref=82f546bd5f002674138a2ccdade7d7618c6758b3:None (for external modules, the --download-external-modules flag is required)
2024-06-04 13:04:44,995 [MainThread  ] [WARNI]  Failed to download module github.com/terraform-aws-modules/terraform-aws-iam//modules/iam-assumable-role?ref=de95e21a3bc51cd3a44b3b95a4c2f61000649ebb:None (for external modules, the --download-external-modules flag is required)
2024-06-04 13:04:44,995 [MainThread  ] [WARNI]  Failed to download module github.com/terraform-aws-modules/terraform-aws-iam//modules/iam-assumable-roles?ref=de95e21a3bc51cd3a44b3b95a4c2f61000649ebb:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 147, Failed checks: 0, Skipped checks: 51


checkov_exitcode=0

TFLint Scan Success

Show Output
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
terraform/environments/bootstrap/member-bootstrap

*****************************

Running tflint in terraform/environments/bootstrap/member-bootstrap
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

Trivy Scan Success

Show Output
*****************************

Trivy will check the following folders:
terraform/environments/bootstrap/member-bootstrap

*****************************

Running Trivy in terraform/environments/bootstrap/member-bootstrap
2024-06-04T13:04:36Z	INFO	Need to update DB
2024-06-04T13:04:36Z	INFO	Downloading DB...	repository="ghcr.io/aquasecurity/trivy-db:2"
2024-06-04T13:04:38Z	INFO	Vulnerability scanning is enabled
2024-06-04T13:04:38Z	INFO	Misconfiguration scanning is enabled
2024-06-04T13:04:38Z	INFO	Need to update the built-in policies
2024-06-04T13:04:38Z	INFO	Downloading the built-in policies...
49.76 KiB / 49.76 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-06-04T13:04:38Z	INFO	Secret scanning is enabled
2024-06-04T13:04:38Z	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-04T13:04:38Z	INFO	Please see also https://aquasecurity.github.io/trivy/v0.52/docs/scanner/secret/#recommendation for faster secret detection
2024-06-04T13:04:42Z	INFO	Number of language-specific files	num=0
2024-06-04T13:04:42Z	INFO	Detected config files	num=5

github.com/ministryofjustice/modernisation-platform-github-oidc-role?ref=c3bde7c787038ff5536bfb1b73781072edbb74da/main.tf (terraform)
=====================================================================================================================================
Tests: 3 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 3)
Failures: 0 (HIGH: 0, CRITICAL: 0)


iam.tf (terraform)
==================
Tests: 174 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 174)
Failures: 0 (HIGH: 0, CRITICAL: 0)


instance-scheduler.tf (terraform)
=================================
Tests: 13 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 13)
Failures: 0 (HIGH: 0, CRITICAL: 0)


ssm.tf (terraform)
==================
Tests: 8 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 8)
Failures: 0 (HIGH: 0, CRITICAL: 0)

trivy_exitcode=0

@mikereiddigital
Contributor Author

Change applied to sprinkler for testing.

…owing the stack creation with the required resource type.
Contributor

github-actions bot commented Jun 4, 2024

Please check the plan carefully before deploying these changes.

⚠️ Making changes to the terraform/environments/bootstrap/member-bootstrap/iam.tf file will alter the IAM permissions for all members on the MP platform. In particular the member-access policy which defines the permissions members have for building IaC in their environments or the github OIDC role that defines the permissions for their application CI/CD pipelines. Please ensure that any permissions changes have been agreed with the wider team.

Contributor

github-actions bot commented Jun 4, 2024

Checkov Scan Success

Show Output

*****************************

Checkov will check the following folders:
terraform/environments/bootstrap/member-bootstrap

*****************************

Running Checkov in terraform/environments/bootstrap/member-bootstrap
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-06-04 15:03:18,015 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=0179859e6fafc567843cd55c0b05d325d5012dc4:None (for external modules, the --download-external-modules flag is required)
2024-06-04 15:03:18,015 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-cross-account-access?ref=6819b090bce6d3068d55c7c7b9b3fd18c9dca648:None (for external modules, the --download-external-modules flag is required)
2024-06-04 15:03:18,015 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-github-oidc-role?ref=c3bde7c787038ff5536bfb1b73781072edbb74da:None (for external modules, the --download-external-modules flag is required)
2024-06-04 15:03:18,015 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-github-oidc-provider?ref=82f546bd5f002674138a2ccdade7d7618c6758b3:None (for external modules, the --download-external-modules flag is required)
2024-06-04 15:03:18,015 [MainThread  ] [WARNI]  Failed to download module github.com/terraform-aws-modules/terraform-aws-iam//modules/iam-assumable-role?ref=de95e21a3bc51cd3a44b3b95a4c2f61000649ebb:None (for external modules, the --download-external-modules flag is required)
2024-06-04 15:03:18,015 [MainThread  ] [WARNI]  Failed to download module github.com/terraform-aws-modules/terraform-aws-iam//modules/iam-assumable-roles?ref=de95e21a3bc51cd3a44b3b95a4c2f61000649ebb:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 147, Failed checks: 0, Skipped checks: 51


checkov_exitcode=0

TFLint Scan Success

Show Output
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
terraform/environments/bootstrap/member-bootstrap

*****************************

Running tflint in terraform/environments/bootstrap/member-bootstrap
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

Trivy Scan Success

Show Output
*****************************

Trivy will check the following folders:
terraform/environments/bootstrap/member-bootstrap

*****************************

Running Trivy in terraform/environments/bootstrap/member-bootstrap
2024-06-04T15:03:09Z	INFO	Need to update DB
2024-06-04T15:03:09Z	INFO	Downloading DB...	repository="ghcr.io/aquasecurity/trivy-db:2"
2024-06-04T15:03:11Z	INFO	Vulnerability scanning is enabled
2024-06-04T15:03:11Z	INFO	Misconfiguration scanning is enabled
2024-06-04T15:03:11Z	INFO	Need to update the built-in policies
2024-06-04T15:03:11Z	INFO	Downloading the built-in policies...
49.76 KiB / 49.76 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-06-04T15:03:12Z	INFO	Secret scanning is enabled
2024-06-04T15:03:12Z	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-04T15:03:12Z	INFO	Please see also https://aquasecurity.github.io/trivy/v0.52/docs/scanner/secret/#recommendation for faster secret detection
2024-06-04T15:03:15Z	INFO	Number of language-specific files	num=0
2024-06-04T15:03:15Z	INFO	Detected config files	num=5

github.com/ministryofjustice/modernisation-platform-github-oidc-role?ref=c3bde7c787038ff5536bfb1b73781072edbb74da/main.tf (terraform)
=====================================================================================================================================
Tests: 3 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 3)
Failures: 0 (HIGH: 0, CRITICAL: 0)


iam.tf (terraform)
==================
Tests: 174 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 174)
Failures: 0 (HIGH: 0, CRITICAL: 0)


instance-scheduler.tf (terraform)
=================================
Tests: 13 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 13)
Failures: 0 (HIGH: 0, CRITICAL: 0)


ssm.tf (terraform)
==================
Tests: 8 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 8)
Failures: 0 (HIGH: 0, CRITICAL: 0)

trivy_exitcode=0

Contributor

github-actions bot commented Jun 5, 2024

Please check the plan carefully before deploying these changes.

⚠️ Making changes to the terraform/environments/bootstrap/member-bootstrap/iam.tf file will alter the IAM permissions for all members on the MP platform. In particular the member-access policy which defines the permissions members have for building IaC in their environments or the github OIDC role that defines the permissions for their application CI/CD pipelines. Please ensure that any permissions changes have been agreed with the wider team.

Contributor

github-actions bot commented Jun 5, 2024

Checkov Scan Success

Show Output

*****************************

Checkov will check the following folders:
terraform/environments/bootstrap/member-bootstrap

*****************************

Running Checkov in terraform/environments/bootstrap/member-bootstrap
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-06-05 07:48:25,733 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=0179859e6fafc567843cd55c0b05d325d5012dc4:None (for external modules, the --download-external-modules flag is required)
2024-06-05 07:48:25,733 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-cross-account-access?ref=6819b090bce6d3068d55c7c7b9b3fd18c9dca648:None (for external modules, the --download-external-modules flag is required)
2024-06-05 07:48:25,733 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-github-oidc-role?ref=c3bde7c787038ff5536bfb1b73781072edbb74da:None (for external modules, the --download-external-modules flag is required)
2024-06-05 07:48:25,733 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-github-oidc-provider?ref=82f546bd5f002674138a2ccdade7d7618c6758b3:None (for external modules, the --download-external-modules flag is required)
2024-06-05 07:48:25,733 [MainThread  ] [WARNI]  Failed to download module github.com/terraform-aws-modules/terraform-aws-iam//modules/iam-assumable-role?ref=de95e21a3bc51cd3a44b3b95a4c2f61000649ebb:None (for external modules, the --download-external-modules flag is required)
2024-06-05 07:48:25,733 [MainThread  ] [WARNI]  Failed to download module github.com/terraform-aws-modules/terraform-aws-iam//modules/iam-assumable-roles?ref=de95e21a3bc51cd3a44b3b95a4c2f61000649ebb:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 147, Failed checks: 0, Skipped checks: 51


checkov_exitcode=0

TFLint Scan Success

Show Output
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
terraform/environments/bootstrap/member-bootstrap

*****************************

Running tflint in terraform/environments/bootstrap/member-bootstrap
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

Trivy Scan Success

Show Output
*****************************

Trivy will check the following folders:
terraform/environments/bootstrap/member-bootstrap

*****************************

Running Trivy in terraform/environments/bootstrap/member-bootstrap
2024-06-05T07:48:17Z	INFO	Need to update DB
2024-06-05T07:48:17Z	INFO	Downloading DB...	repository="ghcr.io/aquasecurity/trivy-db:2"
2024-06-05T07:48:19Z	INFO	Vulnerability scanning is enabled
2024-06-05T07:48:19Z	INFO	Misconfiguration scanning is enabled
2024-06-05T07:48:19Z	INFO	Need to update the built-in policies
2024-06-05T07:48:19Z	INFO	Downloading the built-in policies...
49.76 KiB / 49.76 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-06-05T07:48:19Z	INFO	Secret scanning is enabled
2024-06-05T07:48:19Z	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-05T07:48:19Z	INFO	Please see also https://aquasecurity.github.io/trivy/v0.52/docs/scanner/secret/#recommendation for faster secret detection
2024-06-05T07:48:23Z	INFO	Number of language-specific files	num=0
2024-06-05T07:48:23Z	INFO	Detected config files	num=5

github.com/ministryofjustice/modernisation-platform-github-oidc-role?ref=c3bde7c787038ff5536bfb1b73781072edbb74da/main.tf (terraform)
=====================================================================================================================================
Tests: 3 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 3)
Failures: 0 (HIGH: 0, CRITICAL: 0)


iam.tf (terraform)
==================
Tests: 175 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 175)
Failures: 0 (HIGH: 0, CRITICAL: 0)


instance-scheduler.tf (terraform)
=================================
Tests: 13 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 13)
Failures: 0 (HIGH: 0, CRITICAL: 0)


ssm.tf (terraform)
==================
Tests: 8 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 8)
Failures: 0 (HIGH: 0, CRITICAL: 0)

trivy_exitcode=0

Contributor

github-actions bot commented Jun 5, 2024

Please check the plan carefully before deploying these changes.

⚠️ Making changes to the terraform/environments/bootstrap/member-bootstrap/iam.tf file will alter the IAM permissions for all members on the MP platform. In particular the member-access policy which defines the permissions members have for building IaC in their environments or the github OIDC role that defines the permissions for their application CI/CD pipelines. Please ensure that any permissions changes have been agreed with the wider team.

Contributor

github-actions bot commented Jun 5, 2024

Checkov Scan Success

Show Output

*****************************

Checkov will check the following folders:
terraform/environments/bootstrap/member-bootstrap

*****************************

Running Checkov in terraform/environments/bootstrap/member-bootstrap
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-06-05 08:43:27,908 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=0179859e6fafc567843cd55c0b05d325d5012dc4:None (for external modules, the --download-external-modules flag is required)
2024-06-05 08:43:27,908 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-cross-account-access?ref=6819b090bce6d3068d55c7c7b9b3fd18c9dca648:None (for external modules, the --download-external-modules flag is required)
2024-06-05 08:43:27,908 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-github-oidc-role?ref=c3bde7c787038ff5536bfb1b73781072edbb74da:None (for external modules, the --download-external-modules flag is required)
2024-06-05 08:43:27,909 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-github-oidc-provider?ref=82f546bd5f002674138a2ccdade7d7618c6758b3:None (for external modules, the --download-external-modules flag is required)
2024-06-05 08:43:27,909 [MainThread  ] [WARNI]  Failed to download module github.com/terraform-aws-modules/terraform-aws-iam//modules/iam-assumable-role?ref=de95e21a3bc51cd3a44b3b95a4c2f61000649ebb:None (for external modules, the --download-external-modules flag is required)
2024-06-05 08:43:27,909 [MainThread  ] [WARNI]  Failed to download module github.com/terraform-aws-modules/terraform-aws-iam//modules/iam-assumable-roles?ref=de95e21a3bc51cd3a44b3b95a4c2f61000649ebb:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 147, Failed checks: 0, Skipped checks: 51


checkov_exitcode=0

TFLint Scan Success

Show Output
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
terraform/environments/bootstrap/member-bootstrap

*****************************

Running tflint in terraform/environments/bootstrap/member-bootstrap
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

Trivy Scan Success

Show Output
*****************************

Trivy will check the following folders:
terraform/environments/bootstrap/member-bootstrap

*****************************

Running Trivy in terraform/environments/bootstrap/member-bootstrap
2024-06-05T08:43:19Z	INFO	Need to update DB
2024-06-05T08:43:19Z	INFO	Downloading DB...	repository="ghcr.io/aquasecurity/trivy-db:2"
2024-06-05T08:43:21Z	INFO	Vulnerability scanning is enabled
2024-06-05T08:43:21Z	INFO	Misconfiguration scanning is enabled
2024-06-05T08:43:21Z	INFO	Need to update the built-in policies
2024-06-05T08:43:21Z	INFO	Downloading the built-in policies...
49.76 KiB / 49.76 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-06-05T08:43:21Z	INFO	Secret scanning is enabled
2024-06-05T08:43:21Z	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-05T08:43:21Z	INFO	Please see also https://aquasecurity.github.io/trivy/v0.52/docs/scanner/secret/#recommendation for faster secret detection
2024-06-05T08:43:25Z	INFO	Number of language-specific files	num=0
2024-06-05T08:43:25Z	INFO	Detected config files	num=5

github.com/ministryofjustice/modernisation-platform-github-oidc-role?ref=c3bde7c787038ff5536bfb1b73781072edbb74da/main.tf (terraform)
=====================================================================================================================================
Tests: 3 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 3)
Failures: 0 (HIGH: 0, CRITICAL: 0)


iam.tf (terraform)
==================
Tests: 175 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 175)
Failures: 0 (HIGH: 0, CRITICAL: 0)


instance-scheduler.tf (terraform)
=================================
Tests: 13 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 13)
Failures: 0 (HIGH: 0, CRITICAL: 0)


ssm.tf (terraform)
==================
Tests: 8 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 8)
Failures: 0 (HIGH: 0, CRITICAL: 0)

trivy_exitcode=0

Contributor

Trivy Scan Success

Show Output

Trivy will check the following folders:
terraform/environments/bootstrap/member-bootstrap


Running Trivy in terraform/environments/bootstrap/member-bootstrap
2024-06-11T13:09:49Z INFO Need to update DB
2024-06-11T13:09:49Z INFO Downloading DB... repository="ghcr.io/aquasecurity/trivy-db:2"
2024-06-11T13:09:51Z INFO Vulnerability scanning is enabled
2024-06-11T13:09:51Z INFO Misconfiguration scanning is enabled
2024-06-11T13:09:51Z INFO Need to update the built-in policies
2024-06-11T13:09:51Z INFO Downloading the built-in policies...
53.79 KiB / 53.79 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-06-11T13:09:52Z INFO Secret scanning is enabled
2024-06-11T13:09:52Z INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-11T13:09:52Z INFO Please see also https://aquasecurity.github.io/trivy/v0.52/docs/scanner/secret/#recommendation for faster secret detection
2024-06-11T13:09:58Z INFO Number of language-specific files num=0
2024-06-11T13:09:58Z INFO Detected config files num=5

github.com/ministryofjustice/modernisation-platform-github-oidc-role?ref=c3bde7c787038ff5536bfb1b73781072edbb74da/main.tf (terraform)

Tests: 3 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 3)
Failures: 0 (HIGH: 0, CRITICAL: 0)

iam.tf (terraform)

Tests: 182 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 182)
Failures: 0 (HIGH: 0, CRITICAL: 0)

instance-scheduler.tf (terraform)

Tests: 13 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 13)
Failures: 0 (HIGH: 0, CRITICAL: 0)

ssm.tf (terraform)

Tests: 8 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 8)
Failures: 0 (HIGH: 0, CRITICAL: 0)

trivy_exitcode=0

Checkov Scan Success

Show Output

*****************************

Checkov will check the following folders:
terraform/environments/bootstrap/member-bootstrap

*****************************

Running Checkov in terraform/environments/bootstrap/member-bootstrap
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-06-11 13:10:01,655 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=0179859e6fafc567843cd55c0b05d325d5012dc4:None (for external modules, the --download-external-modules flag is required)
2024-06-11 13:10:01,655 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-cross-account-access?ref=6819b090bce6d3068d55c7c7b9b3fd18c9dca648" #v3.0.0:None (for external modules, the --download-external-modules flag is required)
2024-06-11 13:10:01,655 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-cross-account-access?ref=6819b090bce6d3068d55c7c7b9b3fd18c9dca648:None (for external modules, the --download-external-modules flag is required)
2024-06-11 13:10:01,655 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-github-oidc-role?ref=c3bde7c787038ff5536bfb1b73781072edbb74da:None (for external modules, the --download-external-modules flag is required)
2024-06-11 13:10:01,655 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-github-oidc-provider?ref=82f546bd5f002674138a2ccdade7d7618c6758b3:None (for external modules, the --download-external-modules flag is required)
2024-06-11 13:10:01,656 [MainThread  ] [WARNI]  Failed to download module github.com/terraform-aws-modules/terraform-aws-iam//modules/iam-assumable-role?ref=de95e21a3bc51cd3a44b3b95a4c2f61000649ebb:None (for external modules, the --download-external-modules flag is required)
2024-06-11 13:10:01,656 [MainThread  ] [WARNI]  Failed to download module github.com/terraform-aws-modules/terraform-aws-iam//modules/iam-assumable-roles?ref=de95e21a3bc51cd3a44b3b95a4c2f61000649ebb:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 147, Failed checks: 0, Skipped checks: 51


checkov_exitcode=0

CTFLint Scan Success

Show Output
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
terraform/environments/bootstrap/member-bootstrap

*****************************

Running tflint in terraform/environments/bootstrap/member-bootstrap
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

Trivy Scan Success

Show Output
*****************************

Trivy will check the following folders:
terraform/environments/bootstrap/member-bootstrap

*****************************

Running Trivy in terraform/environments/bootstrap/member-bootstrap
2024-06-11T13:09:49Z	INFO	Need to update DB
2024-06-11T13:09:49Z	INFO	Downloading DB...	repository="ghcr.io/aquasecurity/trivy-db:2"
2024-06-11T13:09:51Z	INFO	Vulnerability scanning is enabled
2024-06-11T13:09:51Z	INFO	Misconfiguration scanning is enabled
2024-06-11T13:09:51Z	INFO	Need to update the built-in policies
2024-06-11T13:09:51Z	INFO	Downloading the built-in policies...
53.79 KiB / 53.79 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-06-11T13:09:52Z	INFO	Secret scanning is enabled
2024-06-11T13:09:52Z	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-11T13:09:52Z	INFO	Please see also https://aquasecurity.github.io/trivy/v0.52/docs/scanner/secret/#recommendation for faster secret detection
2024-06-11T13:09:58Z	INFO	Number of language-specific files	num=0
2024-06-11T13:09:58Z	INFO	Detected config files	num=5

github.com/ministryofjustice/modernisation-platform-github-oidc-role?ref=c3bde7c787038ff5536bfb1b73781072edbb74da/main.tf (terraform)
=====================================================================================================================================
Tests: 3 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 3)
Failures: 0 (HIGH: 0, CRITICAL: 0)


iam.tf (terraform)
==================
Tests: 182 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 182)
Failures: 0 (HIGH: 0, CRITICAL: 0)


instance-scheduler.tf (terraform)
=================================
Tests: 13 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 13)
Failures: 0 (HIGH: 0, CRITICAL: 0)


ssm.tf (terraform)
==================
Tests: 8 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 8)
Failures: 0 (HIGH: 0, CRITICAL: 0)

trivy_exitcode=0

Contributor

Please check the plan carefully before deploying these changes.

⚠️ Making changes to the terraform/environments/bootstrap/member-bootstrap/iam.tf file will alter the IAM permissions for all members on the MP platform. In particular the member-access policy which defines the permissions members have for building IaC in their environments or the github OIDC role that defines the permissions for their application CI/CD pipelines. Please ensure that any permissions changes have been agreed with the wider team.

Contributor

Checkov Scan Success

Show Output

*****************************

Checkov will check the following folders:
terraform/environments/bootstrap/member-bootstrap

*****************************

Running Checkov in terraform/environments/bootstrap/member-bootstrap
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-06-11 13:21:15,900 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=0179859e6fafc567843cd55c0b05d325d5012dc4:None (for external modules, the --download-external-modules flag is required)
2024-06-11 13:21:15,900 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-cross-account-access?ref=6819b090bce6d3068d55c7c7b9b3fd18c9dca648" #v3.0.0:None (for external modules, the --download-external-modules flag is required)
2024-06-11 13:21:15,900 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-cross-account-access?ref=6819b090bce6d3068d55c7c7b9b3fd18c9dca648:None (for external modules, the --download-external-modules flag is required)
2024-06-11 13:21:15,901 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-github-oidc-role?ref=c3bde7c787038ff5536bfb1b73781072edbb74da:None (for external modules, the --download-external-modules flag is required)
2024-06-11 13:21:15,901 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-github-oidc-provider?ref=82f546bd5f002674138a2ccdade7d7618c6758b3:None (for external modules, the --download-external-modules flag is required)
2024-06-11 13:21:15,901 [MainThread  ] [WARNI]  Failed to download module github.com/terraform-aws-modules/terraform-aws-iam//modules/iam-assumable-role?ref=de95e21a3bc51cd3a44b3b95a4c2f61000649ebb:None (for external modules, the --download-external-modules flag is required)
2024-06-11 13:21:15,901 [MainThread  ] [WARNI]  Failed to download module github.com/terraform-aws-modules/terraform-aws-iam//modules/iam-assumable-roles?ref=de95e21a3bc51cd3a44b3b95a4c2f61000649ebb:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 147, Failed checks: 0, Skipped checks: 51


checkov_exitcode=0

CTFLint Scan Success

Show Output
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
terraform/environments/bootstrap/member-bootstrap

*****************************

Running tflint in terraform/environments/bootstrap/member-bootstrap
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

Trivy Scan Success

Show Output
*****************************

Trivy will check the following folders:
terraform/environments/bootstrap/member-bootstrap

*****************************

Running Trivy in terraform/environments/bootstrap/member-bootstrap
2024-06-11T13:21:04Z	INFO	Need to update DB
2024-06-11T13:21:04Z	INFO	Downloading DB...	repository="ghcr.io/aquasecurity/trivy-db:2"
2024-06-11T13:21:07Z	INFO	Vulnerability scanning is enabled
2024-06-11T13:21:07Z	INFO	Misconfiguration scanning is enabled
2024-06-11T13:21:07Z	INFO	Need to update the built-in policies
2024-06-11T13:21:07Z	INFO	Downloading the built-in policies...
53.79 KiB / 53.79 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-06-11T13:21:07Z	INFO	Secret scanning is enabled
2024-06-11T13:21:07Z	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-11T13:21:07Z	INFO	Please see also https://aquasecurity.github.io/trivy/v0.52/docs/scanner/secret/#recommendation for faster secret detection
2024-06-11T13:21:13Z	INFO	Number of language-specific files	num=0
2024-06-11T13:21:13Z	INFO	Detected config files	num=5

github.com/ministryofjustice/modernisation-platform-github-oidc-role?ref=c3bde7c787038ff5536bfb1b73781072edbb74da/main.tf (terraform)
=====================================================================================================================================
Tests: 3 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 3)
Failures: 0 (HIGH: 0, CRITICAL: 0)


iam.tf (terraform)
==================
Tests: 183 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 183)
Failures: 0 (HIGH: 0, CRITICAL: 0)


instance-scheduler.tf (terraform)
=================================
Tests: 13 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 13)
Failures: 0 (HIGH: 0, CRITICAL: 0)


ssm.tf (terraform)
==================
Tests: 8 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 8)
Failures: 0 (HIGH: 0, CRITICAL: 0)

trivy_exitcode=0

Contributor

Checkov Scan Success

Show Output

*****************************

Checkov will check the following folders:
terraform/environments/bootstrap/member-bootstrap

*****************************

Running Checkov in terraform/environments/bootstrap/member-bootstrap
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-06-11 13:28:59,736 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=0179859e6fafc567843cd55c0b05d325d5012dc4:None (for external modules, the --download-external-modules flag is required)
2024-06-11 13:28:59,736 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-cross-account-access?ref=6819b090bce6d3068d55c7c7b9b3fd18c9dca648" #v3.0.0:None (for external modules, the --download-external-modules flag is required)
2024-06-11 13:28:59,736 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-cross-account-access?ref=6819b090bce6d3068d55c7c7b9b3fd18c9dca648:None (for external modules, the --download-external-modules flag is required)
2024-06-11 13:28:59,736 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-github-oidc-role?ref=c3bde7c787038ff5536bfb1b73781072edbb74da:None (for external modules, the --download-external-modules flag is required)
2024-06-11 13:28:59,736 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-github-oidc-provider?ref=82f546bd5f002674138a2ccdade7d7618c6758b3:None (for external modules, the --download-external-modules flag is required)
2024-06-11 13:28:59,736 [MainThread  ] [WARNI]  Failed to download module github.com/terraform-aws-modules/terraform-aws-iam//modules/iam-assumable-role?ref=de95e21a3bc51cd3a44b3b95a4c2f61000649ebb:None (for external modules, the --download-external-modules flag is required)
2024-06-11 13:28:59,737 [MainThread  ] [WARNI]  Failed to download module github.com/terraform-aws-modules/terraform-aws-iam//modules/iam-assumable-roles?ref=de95e21a3bc51cd3a44b3b95a4c2f61000649ebb:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 147, Failed checks: 0, Skipped checks: 51


checkov_exitcode=0

CTFLint Scan Success

Show Output
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
terraform/environments/bootstrap/member-bootstrap

*****************************

Running tflint in terraform/environments/bootstrap/member-bootstrap
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

Trivy Scan Success

Show Output
*****************************

Trivy will check the following folders:
terraform/environments/bootstrap/member-bootstrap

*****************************

Running Trivy in terraform/environments/bootstrap/member-bootstrap
2024-06-11T13:28:50Z	INFO	Need to update DB
2024-06-11T13:28:50Z	INFO	Downloading DB...	repository="ghcr.io/aquasecurity/trivy-db:2"
2024-06-11T13:28:52Z	INFO	Vulnerability scanning is enabled
2024-06-11T13:28:52Z	INFO	Misconfiguration scanning is enabled
2024-06-11T13:28:52Z	INFO	Need to update the built-in policies
2024-06-11T13:28:52Z	INFO	Downloading the built-in policies...
53.79 KiB / 53.79 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-06-11T13:28:52Z	INFO	Secret scanning is enabled
2024-06-11T13:28:52Z	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-11T13:28:52Z	INFO	Please see also https://aquasecurity.github.io/trivy/v0.52/docs/scanner/secret/#recommendation for faster secret detection
2024-06-11T13:28:57Z	INFO	Number of language-specific files	num=0
2024-06-11T13:28:57Z	INFO	Detected config files	num=5

github.com/ministryofjustice/modernisation-platform-github-oidc-role?ref=c3bde7c787038ff5536bfb1b73781072edbb74da/main.tf (terraform)
=====================================================================================================================================
Tests: 3 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 3)
Failures: 0 (HIGH: 0, CRITICAL: 0)


iam.tf (terraform)
==================
Tests: 183 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 183)
Failures: 0 (HIGH: 0, CRITICAL: 0)


instance-scheduler.tf (terraform)
=================================
Tests: 13 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 13)
Failures: 0 (HIGH: 0, CRITICAL: 0)


ssm.tf (terraform)
==================
Tests: 8 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 8)
Failures: 0 (HIGH: 0, CRITICAL: 0)

trivy_exitcode=0

Contributor

Checkov Scan Success

Show Output

*****************************

Checkov will check the following folders:
terraform/environments/bootstrap/member-bootstrap

*****************************

Running Checkov in terraform/environments/bootstrap/member-bootstrap
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-06-11 13:42:44,904 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=0179859e6fafc567843cd55c0b05d325d5012dc4:None (for external modules, the --download-external-modules flag is required)
2024-06-11 13:42:44,904 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-cross-account-access?ref=6819b090bce6d3068d55c7c7b9b3fd18c9dca648" #v3.0.0:None (for external modules, the --download-external-modules flag is required)
2024-06-11 13:42:44,904 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-cross-account-access?ref=6819b090bce6d3068d55c7c7b9b3fd18c9dca648:None (for external modules, the --download-external-modules flag is required)
2024-06-11 13:42:44,904 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-github-oidc-role?ref=c3bde7c787038ff5536bfb1b73781072edbb74da:None (for external modules, the --download-external-modules flag is required)
2024-06-11 13:42:44,905 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-github-oidc-provider?ref=82f546bd5f002674138a2ccdade7d7618c6758b3:None (for external modules, the --download-external-modules flag is required)
2024-06-11 13:42:44,905 [MainThread  ] [WARNI]  Failed to download module github.com/terraform-aws-modules/terraform-aws-iam//modules/iam-assumable-role?ref=de95e21a3bc51cd3a44b3b95a4c2f61000649ebb:None (for external modules, the --download-external-modules flag is required)
2024-06-11 13:42:44,905 [MainThread  ] [WARNI]  Failed to download module github.com/terraform-aws-modules/terraform-aws-iam//modules/iam-assumable-roles?ref=de95e21a3bc51cd3a44b3b95a4c2f61000649ebb:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 147, Failed checks: 0, Skipped checks: 51


checkov_exitcode=0

CTFLint Scan Success

Show Output
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
terraform/environments/bootstrap/member-bootstrap

*****************************

Running tflint in terraform/environments/bootstrap/member-bootstrap
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

Trivy Scan Success

Show Output
*****************************

Trivy will check the following folders:
terraform/environments/bootstrap/member-bootstrap

*****************************

Running Trivy in terraform/environments/bootstrap/member-bootstrap
2024-06-11T13:42:37Z	INFO	Need to update DB
2024-06-11T13:42:37Z	INFO	Downloading DB...	repository="ghcr.io/aquasecurity/trivy-db:2"
2024-06-11T13:42:38Z	INFO	Vulnerability scanning is enabled
2024-06-11T13:42:38Z	INFO	Misconfiguration scanning is enabled
2024-06-11T13:42:38Z	INFO	Need to update the built-in policies
2024-06-11T13:42:38Z	INFO	Downloading the built-in policies...
53.79 KiB / 53.79 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-06-11T13:42:39Z	INFO	Secret scanning is enabled
2024-06-11T13:42:39Z	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-11T13:42:39Z	INFO	Please see also https://aquasecurity.github.io/trivy/v0.52/docs/scanner/secret/#recommendation for faster secret detection
2024-06-11T13:42:42Z	INFO	Number of language-specific files	num=0
2024-06-11T13:42:42Z	INFO	Detected config files	num=5

github.com/ministryofjustice/modernisation-platform-github-oidc-role?ref=c3bde7c787038ff5536bfb1b73781072edbb74da/main.tf (terraform)
=====================================================================================================================================
Tests: 3 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 3)
Failures: 0 (HIGH: 0, CRITICAL: 0)


iam.tf (terraform)
==================
Tests: 183 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 183)
Failures: 0 (HIGH: 0, CRITICAL: 0)


instance-scheduler.tf (terraform)
=================================
Tests: 13 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 13)
Failures: 0 (HIGH: 0, CRITICAL: 0)


ssm.tf (terraform)
==================
Tests: 8 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 8)
Failures: 0 (HIGH: 0, CRITICAL: 0)

trivy_exitcode=0

@mikereiddigital mikereiddigital changed the title Allow creation of Wafv2 ACL resources through CloudFormation DRAFT - Allow creation of Wafv2 ACL resources through CloudFormation Jun 13, 2024
@dms1981 dms1981 marked this pull request as draft June 13, 2024 14:40
@mikereiddigital
Contributor Author

New solution offered by AWS so testing that first before any new PR.

@mikereiddigital mikereiddigital deleted the issue/6991 branch June 18, 2024 08:35