health_check_script_update_20230814 #3080

Merged
merged 1 commit into from
Aug 14, 2023

Conversation

nbuckingham72
Collaborator

No description provided.

@nbuckingham72 nbuckingham72 requested review from a team as code owners August 14, 2023 11:10
@github-actions github-actions bot added the environments-repository label (Used to exclude PRs from this repo in our Slack PR update) Aug 14, 2023
@github-actions
Contributor

TFSEC Scan Failed

*****************************

TFSEC will check the following folders:
terraform/environments/delius-iaps

*****************************

Running TFSEC in terraform/environments/delius-iaps
Excluding the following checks: AWS095

Result #1 HIGH Topic does not have encryption enabled. 
────────────────────────────────────────────────────────────────────────────────
  cloudwatch-alarms.tf:2-4
────────────────────────────────────────────────────────────────────────────────
    2    resource "aws_sns_topic" "iaps_alerting" {
    3      name = "${local.application_name}-alerting"
    4    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-sns-enable-topic-encryption
      Impact The SNS topic messages could be read if compromised
  Resolution Turn on SNS Topic encryption

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/sns/enable-topic-encryption/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic#example-with-server-side-encryption-sse
────────────────────────────────────────────────────────────────────────────────


Result #2 MEDIUM Instance does not have Deletion Protection enabled 
────────────────────────────────────────────────────────────────────────────────
  rds.tf:159
────────────────────────────────────────────────────────────────────────────────
  159      deletion_protection      = local.is-production ? true : false
────────────────────────────────────────────────────────────────────────────────
  Rego Package builtin.aws.rds.aws0177
     Rego Rule deny
────────────────────────────────────────────────────────────────────────────────


Result #3 MEDIUM Instance does not have Deletion Protection enabled 
────────────────────────────────────────────────────────────────────────────────
  rds.tf:40
────────────────────────────────────────────────────────────────────────────────
   40      deletion_protection      = local.is-production ? true : false
────────────────────────────────────────────────────────────────────────────────
  Rego Package builtin.aws.rds.aws0177
     Rego Rule deny
────────────────────────────────────────────────────────────────────────────────


Result #4 LOW Log group is not encrypted. 
────────────────────────────────────────────────────────────────────────────────
  ad.tf:47-50
────────────────────────────────────────────────────────────────────────────────
   47    resource "aws_cloudwatch_log_group" "active_directory" {
   48      name              = "/aws/directoryservice/${aws_directory_service_directory.active_directory.id}"
   49      retention_in_days = 14
   50    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-cloudwatch-log-group-customer-key
      Impact Log data may be leaked if the logs are compromised. No auditing of who have viewed the logs.
  Resolution Enable CMK encryption of CloudWatch Log Groups

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/cloudwatch/log-group-customer-key/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group#kms_key_id
────────────────────────────────────────────────────────────────────────────────


Results #5-12 LOW Log group is not encrypted. (8 similar results)
────────────────────────────────────────────────────────────────────────────────
  ec2-iaps-server.tf:273-282
────────────────────────────────────────────────────────────────────────────────
  273    resource "aws_cloudwatch_log_group" "cloudwatch_agent_log_groups" {
  274      for_each          = toset(local.cloudwatch_agent_log_group_names)
  275      name              = "/iaps/${each.key}"
  276      retention_in_days = local.application_data.accounts[local.environment].cloudwatch_agent_log_group_retention_period
  277      tags = merge(
  278        local.ec2_tags,
  279        {
  280          "Name" = "iaps/${each.key}"
  281      })
  282    }
────────────────────────────────────────────────────────────────────────────────
  Individual Causes
  - ec2-iaps-server.tf:273-282 (aws_cloudwatch_log_group.cloudwatch_agent_log_groups["ndinterface/xmltransfer.log"])
  - ec2-iaps-server.tf:273-282 (aws_cloudwatch_log_group.cloudwatch_agent_log_groups["system-events"])
  - ec2-iaps-server.tf:273-282 (aws_cloudwatch_log_group.cloudwatch_agent_log_groups["access.log"])
  - ec2-iaps-server.tf:273-282 (aws_cloudwatch_log_group.cloudwatch_agent_log_groups["amazon-cloudwatch-agent.log"])
  - ec2-iaps-server.tf:273-282 (aws_cloudwatch_log_group.cloudwatch_agent_log_groups["application-events"])
  - ec2-iaps-server.tf:273-282 (aws_cloudwatch_log_group.cloudwatch_agent_log_groups["error.log"])
  - ec2-iaps-server.tf:273-282 (aws_cloudwatch_log_group.cloudwatch_agent_log_groups["iminterface/imiapsif.log"])
  - ec2-iaps-server.tf:273-282 (aws_cloudwatch_log_group.cloudwatch_agent_log_groups["ndinterface/daysummary.log"])
────────────────────────────────────────────────────────────────────────────────
          ID aws-cloudwatch-log-group-customer-key
      Impact Log data may be leaked if the logs are compromised. No auditing of who have viewed the logs.
  Resolution Enable CMK encryption of CloudWatch Log Groups

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/cloudwatch/log-group-customer-key/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group#kms_key_id
────────────────────────────────────────────────────────────────────────────────


  timings
  ──────────────────────────────────────────
  disk i/o             676.8µs
  parsing              1.165317964s
  adaptation           573.4µs
  checks               23.472428ms
  total                1.190040592s

  counts
  ──────────────────────────────────────────
  modules downloaded   2
  modules processed    3
  blocks processed     175
  files read           29

  results
  ──────────────────────────────────────────
  passed               44
  ignored              4
  critical             0
  high                 1
  medium               2
  low                  9

  44 passed, 4 ignored, 12 potential problem(s) detected.

tfsec_exitcode=1

Checkov Scan Failed

*****************************

Checkov will check the following folders:
terraform/environments/delius-iaps

*****************************

Running Checkov in terraform/environments/delius-iaps
2023-08-14 11:12:51,453 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-ec2-autoscaling-group?ref=v2.0.0:None (for external modules, the --download-external-modules flag is required)
2023-08-14 11:12:51,453 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0:None (for external modules, the --download-external-modules flag is required)
2023-08-14 11:12:51,453 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 190, Failed checks: 44, Skipped checks: 11

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.active_directory
	File: /ad.tf:47-50

		47 | resource "aws_cloudwatch_log_group" "active_directory" {
		48 |   name              = "/aws/directoryservice/${aws_directory_service_directory.active_directory.id}"
		49 |   retention_in_days = 14
		50 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.active_directory
	File: /ad.tf:47-50
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html

		47 | resource "aws_cloudwatch_log_group" "active_directory" {
		48 |   name              = "/aws/directoryservice/${aws_directory_service_directory.active_directory.id}"
		49 |   retention_in_days = 14
		50 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.iaps_alerting
	File: /cloudwatch-alarms.tf:2-4
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-15.html

		2 | resource "aws_sns_topic" "iaps_alerting" {
		3 |   name = "${local.application_name}-alerting"
		4 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: pagerduty_core_alerts
	File: /cloudwatch-alarms.tf:180-187

		180 | module "pagerduty_core_alerts" {
		181 |   depends_on = [
		182 |     aws_sns_topic.iaps_alerting
		183 |   ]
		184 |   source                    = "github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0"
		185 |   sns_topics                = [aws_sns_topic.iaps_alerting.name]
		186 |   pagerduty_integration_key = local.pagerduty_integration_keys[local.integration_key_lookup]
		187 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.cloudwatch_agent_log_groups["amazon-cloudwatch-agent.log"]
	File: /ec2-iaps-server.tf:273-282
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html

		273 | resource "aws_cloudwatch_log_group" "cloudwatch_agent_log_groups" {
		274 |   for_each          = toset(local.cloudwatch_agent_log_group_names)
		275 |   name              = "/iaps/${each.key}"
		276 |   retention_in_days = local.application_data.accounts[local.environment].cloudwatch_agent_log_group_retention_period
		277 |   tags = merge(
		278 |     local.ec2_tags,
		279 |     {
		280 |       "Name" = "iaps/${each.key}"
		281 |   })
		282 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.cloudwatch_agent_log_groups["application-events"]
	File: /ec2-iaps-server.tf:273-282
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html

		273 | resource "aws_cloudwatch_log_group" "cloudwatch_agent_log_groups" {
		274 |   for_each          = toset(local.cloudwatch_agent_log_group_names)
		275 |   name              = "/iaps/${each.key}"
		276 |   retention_in_days = local.application_data.accounts[local.environment].cloudwatch_agent_log_group_retention_period
		277 |   tags = merge(
		278 |     local.ec2_tags,
		279 |     {
		280 |       "Name" = "iaps/${each.key}"
		281 |   })
		282 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.cloudwatch_agent_log_groups["error.log"]
	File: /ec2-iaps-server.tf:273-282
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html

		273 | resource "aws_cloudwatch_log_group" "cloudwatch_agent_log_groups" {
		274 |   for_each          = toset(local.cloudwatch_agent_log_group_names)
		275 |   name              = "/iaps/${each.key}"
		276 |   retention_in_days = local.application_data.accounts[local.environment].cloudwatch_agent_log_group_retention_period
		277 |   tags = merge(
		278 |     local.ec2_tags,
		279 |     {
		280 |       "Name" = "iaps/${each.key}"
		281 |   })
		282 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.cloudwatch_agent_log_groups["ndinterface/daysummary.log"]
	File: /ec2-iaps-server.tf:273-282
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html

		273 | resource "aws_cloudwatch_log_group" "cloudwatch_agent_log_groups" {
		274 |   for_each          = toset(local.cloudwatch_agent_log_group_names)
		275 |   name              = "/iaps/${each.key}"
		276 |   retention_in_days = local.application_data.accounts[local.environment].cloudwatch_agent_log_group_retention_period
		277 |   tags = merge(
		278 |     local.ec2_tags,
		279 |     {
		280 |       "Name" = "iaps/${each.key}"
		281 |   })
		282 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.cloudwatch_agent_log_groups["iminterface/imiapsif.log"]
	File: /ec2-iaps-server.tf:273-282
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html

		273 | resource "aws_cloudwatch_log_group" "cloudwatch_agent_log_groups" {
		274 |   for_each          = toset(local.cloudwatch_agent_log_group_names)
		275 |   name              = "/iaps/${each.key}"
		276 |   retention_in_days = local.application_data.accounts[local.environment].cloudwatch_agent_log_group_retention_period
		277 |   tags = merge(
		278 |     local.ec2_tags,
		279 |     {
		280 |       "Name" = "iaps/${each.key}"
		281 |   })
		282 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.cloudwatch_agent_log_groups["system-events"]
	File: /ec2-iaps-server.tf:273-282
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html

		273 | resource "aws_cloudwatch_log_group" "cloudwatch_agent_log_groups" {
		274 |   for_each          = toset(local.cloudwatch_agent_log_group_names)
		275 |   name              = "/iaps/${each.key}"
		276 |   retention_in_days = local.application_data.accounts[local.environment].cloudwatch_agent_log_group_retention_period
		277 |   tags = merge(
		278 |     local.ec2_tags,
		279 |     {
		280 |       "Name" = "iaps/${each.key}"
		281 |   })
		282 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.cloudwatch_agent_log_groups["access.log"]
	File: /ec2-iaps-server.tf:273-282
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html

		273 | resource "aws_cloudwatch_log_group" "cloudwatch_agent_log_groups" {
		274 |   for_each          = toset(local.cloudwatch_agent_log_group_names)
		275 |   name              = "/iaps/${each.key}"
		276 |   retention_in_days = local.application_data.accounts[local.environment].cloudwatch_agent_log_group_retention_period
		277 |   tags = merge(
		278 |     local.ec2_tags,
		279 |     {
		280 |       "Name" = "iaps/${each.key}"
		281 |   })
		282 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.cloudwatch_agent_log_groups["ndinterface/xmltransfer.log"]
	File: /ec2-iaps-server.tf:273-282
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html

		273 | resource "aws_cloudwatch_log_group" "cloudwatch_agent_log_groups" {
		274 |   for_each          = toset(local.cloudwatch_agent_log_group_names)
		275 |   name              = "/iaps/${each.key}"
		276 |   retention_in_days = local.application_data.accounts[local.environment].cloudwatch_agent_log_group_retention_period
		277 |   tags = merge(
		278 |     local.ec2_tags,
		279 |     {
		280 |       "Name" = "iaps/${each.key}"
		281 |   })
		282 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: ec2_iaps_server
	File: /ec2-iaps-server.tf:241-268

		241 | module "ec2_iaps_server" {
		242 |   source = "github.com/ministryofjustice/modernisation-platform-terraform-ec2-autoscaling-group?ref=v2.0.0"
		243 | 
		244 |   providers = {
		245 |     aws.core-vpc = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		246 |   }
		247 | 
		248 |   name                          = local.application_data.ec2_iaps_instance_label
		249 |   ami_name                      = local.iaps_server.ami_name
		250 |   ami_owner                     = local.application_data.ec2_iaps_instance_ami_owner
		251 |   instance                      = local.iaps_server.instance
		252 |   user_data_raw                 = local.iaps_server.user_data_raw
		253 |   ebs_volumes_copy_all_from_ami = local.iaps_server.ebs_volumes_copy_all_from_ami
		254 |   ebs_volume_config             = {}
		255 |   ebs_volumes                   = local.iaps_server.ebs_volumes
		256 |   ssm_parameters                = null
		257 |   autoscaling_group             = local.iaps_server.autoscaling_group
		258 |   autoscaling_schedules         = {}
		259 | 
		260 |   instance_profile_policies = local.iaps_server.iam_policies
		261 |   application_name          = local.application_name
		262 |   region                    = data.aws_region.current.name
		263 |   subnet_ids                = data.aws_subnets.shared-private.ids
		264 |   tags                      = local.ec2_tags
		265 |   account_ids_lookup        = local.environment_management.account_ids
		266 | 
		267 |   depends_on = [aws_kms_grant.image-builder-shared-hmpps-ebs-cmk-grant]
		268 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.ssm_least_privilege_policy
	File: /ec2-iaps-server.tf:186-223

		186 | data "aws_iam_policy_document" "ssm_least_privilege_policy" {
		187 |   statement {
		188 |     sid    = "CustomSsmPolicy"
		189 |     effect = "Allow"
		190 |     actions = [
		191 |       "ssm:DescribeAssociation",
		192 |       "ssm:DescribeDocument",
		193 |       "ssm:GetDeployablePatchSnapshotForInstance",
		194 |       "ssm:GetDocument",
		195 |       "ssm:GetManifest",
		196 |       "ssm:GetParameter",
		197 |       "ssm:GetParameters",
		198 |       "ssm:ListAssociations",
		199 |       "ssm:ListInstanceAssociations",
		200 |       "ssm:PutInventory",
		201 |       "ssm:PutComplianceItems",
		202 |       "ssm:PutConfigurePackageResult",
		203 |       "ssm:UpdateAssociationStatus",
		204 |       "ssm:UpdateInstanceAssociationStatus",
		205 |       "ssm:UpdateInstanceInformation",
		206 |       "ssmmessages:CreateControlChannel",
		207 |       "ssmmessages:CreateDataChannel",
		208 |       "ssmmessages:OpenControlChannel",
		209 |       "ssmmessages:OpenDataChannel",
		210 |       "ec2messages:AcknowledgeMessage",
		211 |       "ec2messages:DeleteMessage",
		212 |       "ec2messages:FailMessage",
		213 |       "ec2messages:GetEndpoint",
		214 |       "ec2messages:GetMessages",
		215 |       "ec2messages:SendReply"
		216 |     ]
		217 |     # skipping these as policy is a scoped down version of Amazon provided AmazonSSMManagedInstanceCore managed policy.  Permissions required for SSM function
		218 | 
		219 |     #checkov:skip=CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
		220 |     #checkov:skip=CKV_AWS_108: "Ensure IAM policies does not allow data exfiltration"
		221 |     resources = ["*"] #tfsec:ignore:aws-iam-no-policy-wildcards
		222 |   }
		223 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.ci_secrets_rotator
	File: /iam.tf:39-64
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint.html

		39 | data "aws_iam_policy_document" "ci_secrets_rotator" {
		40 |   statement {
		41 |     sid    = "RotateSecrets"
		42 |     effect = "Allow"
		43 |     actions = [
		44 |       "secretsmanager:RotateSecret",
		45 |       "secretsmanager:DescribeSecret",
		46 |       "secretsmanager:PutSecretValue",
		47 |       "secretsmanager:UpdateSecretVersionStage",
		48 |     ]
		49 |     resources = [
		50 |       local.iaps_ds_admin_secret_arn
		51 |     ]
		52 |   }
		53 |   statement {
		54 |     sid    = "ResetDSUserPassword"
		55 |     effect = "Allow"
		56 |     actions = [
		57 |       "ds:ResetUserPassword",
		58 |       "ds:DescribeDirectories"
		59 |     ]
		60 |     resources = [
		61 |       "*"
		62 |     ]
		63 |   }
		64 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.ci_secrets_rotator
	File: /iam.tf:39-64

		39 | data "aws_iam_policy_document" "ci_secrets_rotator" {
		40 |   statement {
		41 |     sid    = "RotateSecrets"
		42 |     effect = "Allow"
		43 |     actions = [
		44 |       "secretsmanager:RotateSecret",
		45 |       "secretsmanager:DescribeSecret",
		46 |       "secretsmanager:PutSecretValue",
		47 |       "secretsmanager:UpdateSecretVersionStage",
		48 |     ]
		49 |     resources = [
		50 |       local.iaps_ds_admin_secret_arn
		51 |     ]
		52 |   }
		53 |   statement {
		54 |     sid    = "ResetDSUserPassword"
		55 |     effect = "Allow"
		56 |     actions = [
		57 |       "ds:ResetUserPassword",
		58 |       "ds:DescribeDirectories"
		59 |     ]
		60 |     resources = [
		61 |       "*"
		62 |     ]
		63 |   }
		64 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.snapshot_sharer
	File: /iam.tf:117-158
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint.html

		117 | data "aws_iam_policy_document" "snapshot_sharer" {
		118 |   statement {
		119 |     sid    = "CopyAndShareSnapshots"
		120 |     effect = "Allow"
		121 |     actions = [
		122 |       "rds:CopyDBSnapshot",
		123 |       "rds:DescribeDBSnapshots",
		124 |       "rds:ModifyDBSnapshotAttribute"
		125 |     ]
		126 |     resources = [
		127 |       local.iaps_rds_snapshot_arn_pattern_preprod,
		128 |       local.iaps_rds_snapshot_arn_pattern_prod,
		129 |       aws_db_instance.iaps.arn
		130 |     ]
		131 |   }
		132 | 
		133 |   statement {
		134 |     sid    = "AllowSSMUsage"
		135 |     effect = "Allow"
		136 |     actions = [
		137 |       "ssm:PutParameter",
		138 |       "ssm:DescribeParameters"
		139 |     ]
		140 |     resources = [
		141 |       aws_ssm_parameter.iaps_snapshot_data_refresh_id.arn
		142 |     ]
		143 |   }
		144 | 
		145 |   statement {
		146 |     sid    = "AllowKMSUsage"
		147 |     effect = "Allow"
		148 |     actions = [
		149 |       "kms:DescribeKey",
		150 |       "kms:Decrypt",
		151 |       "kms:GenerateDataKey",
		152 |       "kms:CreateGrant"
		153 |     ]
		154 |     resources = [
		155 |       "*"
		156 |     ]
		157 |   }
		158 | }

Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy_document.snapshot_sharer
	File: /iam.tf:117-158
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint.html

		117 | data "aws_iam_policy_document" "snapshot_sharer" {
		118 |   statement {
		119 |     sid    = "CopyAndShareSnapshots"
		120 |     effect = "Allow"
		121 |     actions = [
		122 |       "rds:CopyDBSnapshot",
		123 |       "rds:DescribeDBSnapshots",
		124 |       "rds:ModifyDBSnapshotAttribute"
		125 |     ]
		126 |     resources = [
		127 |       local.iaps_rds_snapshot_arn_pattern_preprod,
		128 |       local.iaps_rds_snapshot_arn_pattern_prod,
		129 |       aws_db_instance.iaps.arn
		130 |     ]
		131 |   }
		132 | 
		133 |   statement {
		134 |     sid    = "AllowSSMUsage"
		135 |     effect = "Allow"
		136 |     actions = [
		137 |       "ssm:PutParameter",
		138 |       "ssm:DescribeParameters"
		139 |     ]
		140 |     resources = [
		141 |       aws_ssm_parameter.iaps_snapshot_data_refresh_id.arn
		142 |     ]
		143 |   }
		144 | 
		145 |   statement {
		146 |     sid    = "AllowKMSUsage"
		147 |     effect = "Allow"
		148 |     actions = [
		149 |       "kms:DescribeKey",
		150 |       "kms:Decrypt",
		151 |       "kms:GenerateDataKey",
		152 |       "kms:CreateGrant"
		153 |     ]
		154 |     resources = [
		155 |       "*"
		156 |     ]
		157 |   }
		158 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.snapshot_sharer
	File: /iam.tf:117-158

		117 | data "aws_iam_policy_document" "snapshot_sharer" {
		118 |   statement {
		119 |     sid    = "CopyAndShareSnapshots"
		120 |     effect = "Allow"
		121 |     actions = [
		122 |       "rds:CopyDBSnapshot",
		123 |       "rds:DescribeDBSnapshots",
		124 |       "rds:ModifyDBSnapshotAttribute"
		125 |     ]
		126 |     resources = [
		127 |       local.iaps_rds_snapshot_arn_pattern_preprod,
		128 |       local.iaps_rds_snapshot_arn_pattern_prod,
		129 |       aws_db_instance.iaps.arn
		130 |     ]
		131 |   }
		132 | 
		133 |   statement {
		134 |     sid    = "AllowSSMUsage"
		135 |     effect = "Allow"
		136 |     actions = [
		137 |       "ssm:PutParameter",
		138 |       "ssm:DescribeParameters"
		139 |     ]
		140 |     resources = [
		141 |       aws_ssm_parameter.iaps_snapshot_data_refresh_id.arn
		142 |     ]
		143 |   }
		144 | 
		145 |   statement {
		146 |     sid    = "AllowKMSUsage"
		147 |     effect = "Allow"
		148 |     actions = [
		149 |       "kms:DescribeKey",
		150 |       "kms:Decrypt",
		151 |       "kms:GenerateDataKey",
		152 |       "kms:CreateGrant"
		153 |     ]
		154 |     resources = [
		155 |       "*"
		156 |     ]
		157 |   }
		158 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: aws_db_instance.iaps
	File: /rds.tf:1-46

		1  | resource "aws_db_instance" "iaps" {
		2  |   engine         = "oracle-ee"
		3  |   engine_version = "19"
		4  |   license_model  = "bring-your-own-license"
		5  |   instance_class = local.application_data.accounts[local.environment].db_instance_class
		6  |   db_name        = "IAPS"
		7  |   identifier     = "iaps"
		8  | 
		9  |   username                    = local.application_data.accounts[local.environment].db_user
		10 |   manage_master_user_password = true
		11 |   snapshot_identifier         = length(data.aws_ssm_parameter.iaps_snapshot_data_refresh_id.value) > 0 ? data.aws_ssm_parameter.iaps_snapshot_data_refresh_id.value : null
		12 |   db_subnet_group_name        = aws_db_subnet_group.iaps.id
		13 |   vpc_security_group_ids      = [aws_security_group.iaps_db.id]
		14 | 
		15 |   # tflint-ignore: aws_db_instance_default_parameter_group
		16 |   parameter_group_name        = "default.oracle-ee-19"
		17 |   skip_final_snapshot         = local.application_data.accounts[local.environment].db_skip_final_snapshot
		18 |   allocated_storage           = local.application_data.accounts[local.environment].db_allocated_storage
		19 |   max_allocated_storage       = local.application_data.accounts[local.environment].db_max_allocated_storage
		20 |   apply_immediately           = local.application_data.accounts[local.environment].db_apply_immediately
		21 |   maintenance_window          = local.application_data.accounts[local.environment].db_maintenance_window
		22 |   auto_minor_version_upgrade  = local.application_data.accounts[local.environment].db_auto_minor_version_upgrade
		23 |   allow_major_version_upgrade = local.application_data.accounts[local.environment].db_allow_major_version_upgrade
		24 |   backup_window               = local.application_data.accounts[local.environment].db_backup_window
		25 |   backup_retention_period     = local.application_data.accounts[local.environment].db_backup_retention_period
		26 |   #checkov:skip=CKV_AWS_133: "backup_retention enabled, can be edited it application_variables.json"
		27 |   iam_database_authentication_enabled = local.application_data.accounts[local.environment].db_iam_database_authentication_enabled
		28 |   #checkov:skip=CKV_AWS_161: "iam auth enabled, but optional"
		29 |   multi_az = local.application_data.accounts[local.environment].db_multi_az
		30 |   #checkov:skip=CKV_AWS_157: "multi-az enabled, but optional"
		31 |   monitoring_interval = local.application_data.accounts[local.environment].db_monitoring_interval
		32 |   monitoring_role_arn = local.application_data.accounts[local.environment].db_monitoring_interval == 0 ? "" : aws_iam_role.rds_enhanced_monitoring[0].arn
		33 |   #checkov:skip=CKV_AWS_118: "enhanced monitoring is enabled, but optional"
		34 |   kms_key_id                      = data.aws_kms_key.rds_shared.arn
		35 |   storage_encrypted               = true
		36 |   performance_insights_enabled    = local.application_data.accounts[local.environment].db_performance_insights_enabled
		37 |   performance_insights_kms_key_id = "" #tfsec:ignore:aws-rds-enable-performance-insights-encryption Left empty so that it will run, however should be populated with real key in scenario.
		38 |   enabled_cloudwatch_logs_exports = local.application_data.accounts[local.environment].db_enabled_cloudwatch_logs_exports
		39 | 
		40 |   deletion_protection      = local.is-production ? true : false
		41 |   delete_automated_backups = false
		42 | 
		43 |   tags = merge(local.tags,
		44 |     { Name = lower(format("%s-%s-database", local.application_name, local.environment)) }
		45 |   )
		46 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.iaps_snapshot_data_refresh_id
	File: /rds.tf:48-61

		48 | resource "aws_ssm_parameter" "iaps_snapshot_data_refresh_id" {
		49 |   name        = "/iaps/snapshot_id"
		50 |   description = "The ID of the RDS snapshot used for the IAPS database data refresh"
		51 |   type        = "String"
		52 |   value       = try(local.application_data.accounts[local.environment].db_snapshot_identifier, "")
		53 | 
		54 |   tags = {
		55 |     environment = "production"
		56 |   }
		57 | 
		58 |   lifecycle {
		59 |     ignore_changes = [value]
		60 |   }
		61 | }

Check: CKV_AWS_23: "Ensure every security groups rule has a description"
	FAILED for resource: aws_vpc_security_group_ingress_rule.allow_db_in
	File: /rds.tf:82-89
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html

		82 | resource "aws_vpc_security_group_ingress_rule" "allow_db_in" {
		83 |   security_group_id = aws_security_group.iaps_db.id
		84 | 
		85 |   referenced_security_group_id = aws_security_group.iaps.id
		86 |   ip_protocol                  = "tcp"
		87 |   from_port                    = 1521
		88 |   to_port                      = 1521
		89 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: aws_db_instance.iaps_test
	File: /rds.tf:120-165

		120 | resource "aws_db_instance" "iaps_test" {
		121 |   engine         = "oracle-ee"
		122 |   engine_version = "19"
		123 |   license_model  = "bring-your-own-license"
		124 |   instance_class = local.application_data.accounts[local.environment].db_instance_class
		125 |   db_name        = "IAPS"
		126 |   identifier     = "iaps-test"
		127 | 
		128 |   username                    = local.application_data.accounts[local.environment].db_user
		129 |   manage_master_user_password = true
		130 |   snapshot_identifier         = length(data.aws_ssm_parameter.iaps_snapshot_data_refresh_id_test.value) > 0 ? data.aws_ssm_parameter.iaps_snapshot_data_refresh_id_test.value : null
		131 |   db_subnet_group_name        = aws_db_subnet_group.iaps.id
		132 |   vpc_security_group_ids      = [aws_security_group.iaps_db.id]
		133 | 
		134 |   # tflint-ignore: aws_db_instance_default_parameter_group
		135 |   parameter_group_name        = "default.oracle-ee-19"
		136 |   skip_final_snapshot         = local.application_data.accounts[local.environment].db_skip_final_snapshot
		137 |   allocated_storage           = local.application_data.accounts[local.environment].db_allocated_storage
		138 |   max_allocated_storage       = local.application_data.accounts[local.environment].db_max_allocated_storage
		139 |   apply_immediately           = local.application_data.accounts[local.environment].db_apply_immediately
		140 |   maintenance_window          = local.application_data.accounts[local.environment].db_maintenance_window
		141 |   auto_minor_version_upgrade  = local.application_data.accounts[local.environment].db_auto_minor_version_upgrade
		142 |   allow_major_version_upgrade = local.application_data.accounts[local.environment].db_allow_major_version_upgrade
		143 |   backup_window               = local.application_data.accounts[local.environment].db_backup_window
		144 |   backup_retention_period     = local.application_data.accounts[local.environment].db_backup_retention_period
		145 |   #checkov:skip=CKV_AWS_133: "backup_retention enabled, can be edited it application_variables.json"
		146 |   iam_database_authentication_enabled = local.application_data.accounts[local.environment].db_iam_database_authentication_enabled
		147 |   #checkov:skip=CKV_AWS_161: "iam auth enabled, but optional"
		148 |   multi_az = local.application_data.accounts[local.environment].db_multi_az
		149 |   #checkov:skip=CKV_AWS_157: "multi-az enabled, but optional"
		150 |   monitoring_interval = local.application_data.accounts[local.environment].db_monitoring_interval
		151 |   monitoring_role_arn = local.application_data.accounts[local.environment].db_monitoring_interval == 0 ? "" : aws_iam_role.rds_enhanced_monitoring[0].arn
		152 |   #checkov:skip=CKV_AWS_118: "enhanced monitoring is enabled, but optional"
		153 |   kms_key_id                      = data.aws_kms_key.rds_shared.arn
		154 |   storage_encrypted               = true
		155 |   performance_insights_enabled    = local.application_data.accounts[local.environment].db_performance_insights_enabled
		156 |   performance_insights_kms_key_id = "" #tfsec:ignore:aws-rds-enable-performance-insights-encryption Left empty so that it will run, however should be populated with real key in scenario.
		157 |   enabled_cloudwatch_logs_exports = local.application_data.accounts[local.environment].db_enabled_cloudwatch_logs_exports
		158 | 
		159 |   deletion_protection      = local.is-production ? true : false
		160 |   delete_automated_backups = false
		161 | 
		162 |   tags = merge(local.tags,
		163 |     { Name = lower(format("%s-%s-database", local.application_name, local.environment)) }
		164 |   )
		165 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.iaps_snapshot_data_refresh_id_test
	File: /rds.tf:167-180

		167 | resource "aws_ssm_parameter" "iaps_snapshot_data_refresh_id_test" {
		168 |   name        = "/iaps/snapshot_id_test"
		169 |   description = "The ID of the RDS snapshot used for the IAPS database data refresh"
		170 |   type        = "SecureString"
		171 |   value       = try(local.application_data.accounts[local.environment].db_snapshot_identifier, "")
		172 | 
		173 |   tags = {
		174 |     environment = "production"
		175 |   }
		176 | 
		177 |   lifecycle {
		178 |     ignore_changes = [value]
		179 |   }
		180 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3-log-archive-bucket
	File: /s3.tf:3-53

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.im-interface-oracle-user
	File: /ssm.tf:2-13

		2  | resource "aws_ssm_parameter" "im-interface-oracle-user" {
		3  |   name      = "/IMInterface/IAPSOracle/user"
		4  |   type      = "String"
		5  |   value     = "dev-placeholder-iapsoracle-user"
		6  |   overwrite = true
		7  | 
		8  |   lifecycle {
		9  |     ignore_changes = [
		10 |       value
		11 |     ]
		12 |   }
		13 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.im-interface-oracle-password
	File: /ssm.tf:15-26

		15 | resource "aws_ssm_parameter" "im-interface-oracle-password" {
		16 |   name      = "/IMInterface/IAPSOracle/password"
		17 |   type      = "SecureString"
		18 |   value     = "dev-placeholder-iapsoracle-password"
		19 |   overwrite = true
		20 | 
		21 |   lifecycle {
		22 |     ignore_changes = [
		23 |       value
		24 |     ]
		25 |   }
		26 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.im-interface-soap-odbc-dsn
	File: /ssm.tf:28-39

		28 | resource "aws_ssm_parameter" "im-interface-soap-odbc-dsn" {
		29 |   name      = "/IMInterface/SOAPServer/ODBC/dsn"
		30 |   type      = "String"
		31 |   value     = "dev-placeholder-soapserver-odbc-dsn"
		32 |   overwrite = true
		33 | 
		34 |   lifecycle {
		35 |     ignore_changes = [
		36 |       value
		37 |     ]
		38 |   }
		39 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.im-interface-soap-odbc-server
	File: /ssm.tf:41-52

		41 | resource "aws_ssm_parameter" "im-interface-soap-odbc-server" {
		42 |   name      = "/IMInterface/SOAPServer/ODBC/server"
		43 |   type      = "String"
		44 |   value     = "dev-placeholder-soapserver-odbc-server"
		45 |   overwrite = true
		46 | 
		47 |   lifecycle {
		48 |     ignore_changes = [
		49 |       value
		50 |     ]
		51 |   }
		52 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.im-interface-soap-odbc-database
	File: /ssm.tf:54-65

		54 | resource "aws_ssm_parameter" "im-interface-soap-odbc-database" {
		55 |   name      = "/IMInterface/SOAPServer/ODBC/database"
		56 |   type      = "String"
		57 |   value     = "dev-placeholder-soapserver-odbc-database"
		58 |   overwrite = true
		59 | 
		60 |   lifecycle {
		61 |     ignore_changes = [
		62 |       value
		63 |     ]
		64 |   }
		65 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.im-interface-soap-odbc-uid
	File: /ssm.tf:67-78

		67 | resource "aws_ssm_parameter" "im-interface-soap-odbc-uid" {
		68 |   name      = "/IMInterface/SOAPServer/ODBC/uid"
		69 |   type      = "String"
		70 |   value     = "dev-placeholder-soapserver-odbc-uid"
		71 |   overwrite = true
		72 | 
		73 |   lifecycle {
		74 |     ignore_changes = [
		75 |       value
		76 |     ]
		77 |   }
		78 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.im-interface-soap-odbc-pwd
	File: /ssm.tf:80-91

		80 | resource "aws_ssm_parameter" "im-interface-soap-odbc-pwd" {
		81 |   name      = "/IMInterface/SOAPServer/ODBC/pwd"
		82 |   type      = "SecureString"
		83 |   value     = "dev-placeholder-soapserver-odbc-pwd"
		84 |   overwrite = true
		85 | 
		86 |   lifecycle {
		87 |     ignore_changes = [
		88 |       value
		89 |     ]
		90 |   }
		91 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.ndelius-interface-ssm-param
	File: /ssm.tf:93-105

		93  | resource "aws_ssm_parameter" "ndelius-interface-ssm-param" {
		94  |   for_each  = local.ndelius_interface_params.parameter
		95  |   name      = each.value.name
		96  |   type      = each.value.type
		97  |   value     = each.value.value
		98  |   overwrite = each.value.overwrite
		99  | 
		100 |   lifecycle {
		101 |     ignore_changes = [
		102 |       value
		103 |     ]
		104 |   }
		105 | }

Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
	FAILED for resource: aws_db_instance.iaps
	File: /rds.tf:1-46

		1  | resource "aws_db_instance" "iaps" {
		2  |   engine         = "oracle-ee"
		3  |   engine_version = "19"
		4  |   license_model  = "bring-your-own-license"
		5  |   instance_class = local.application_data.accounts[local.environment].db_instance_class
		6  |   db_name        = "IAPS"
		7  |   identifier     = "iaps"
		8  | 
		9  |   username                    = local.application_data.accounts[local.environment].db_user
		10 |   manage_master_user_password = true
		11 |   snapshot_identifier         = length(data.aws_ssm_parameter.iaps_snapshot_data_refresh_id.value) > 0 ? data.aws_ssm_parameter.iaps_snapshot_data_refresh_id.value : null
		12 |   db_subnet_group_name        = aws_db_subnet_group.iaps.id
		13 |   vpc_security_group_ids      = [aws_security_group.iaps_db.id]
		14 | 
		15 |   # tflint-ignore: aws_db_instance_default_parameter_group
		16 |   parameter_group_name        = "default.oracle-ee-19"
		17 |   skip_final_snapshot         = local.application_data.accounts[local.environment].db_skip_final_snapshot
		18 |   allocated_storage           = local.application_data.accounts[local.environment].db_allocated_storage
		19 |   max_allocated_storage       = local.application_data.accounts[local.environment].db_max_allocated_storage
		20 |   apply_immediately           = local.application_data.accounts[local.environment].db_apply_immediately
		21 |   maintenance_window          = local.application_data.accounts[local.environment].db_maintenance_window
		22 |   auto_minor_version_upgrade  = local.application_data.accounts[local.environment].db_auto_minor_version_upgrade
		23 |   allow_major_version_upgrade = local.application_data.accounts[local.environment].db_allow_major_version_upgrade
		24 |   backup_window               = local.application_data.accounts[local.environment].db_backup_window
		25 |   backup_retention_period     = local.application_data.accounts[local.environment].db_backup_retention_period
		26 |   #checkov:skip=CKV_AWS_133: "backup_retention enabled, can be edited it application_variables.json"
		27 |   iam_database_authentication_enabled = local.application_data.accounts[local.environment].db_iam_database_authentication_enabled
		28 |   #checkov:skip=CKV_AWS_161: "iam auth enabled, but optional"
		29 |   multi_az = local.application_data.accounts[local.environment].db_multi_az
		30 |   #checkov:skip=CKV_AWS_157: "multi-az enabled, but optional"
		31 |   monitoring_interval = local.application_data.accounts[local.environment].db_monitoring_interval
		32 |   monitoring_role_arn = local.application_data.accounts[local.environment].db_monitoring_interval == 0 ? "" : aws_iam_role.rds_enhanced_monitoring[0].arn
		33 |   #checkov:skip=CKV_AWS_118: "enhanced monitoring is enabled, but optional"
		34 |   kms_key_id                      = data.aws_kms_key.rds_shared.arn
		35 |   storage_encrypted               = true
		36 |   performance_insights_enabled    = local.application_data.accounts[local.environment].db_performance_insights_enabled
		37 |   performance_insights_kms_key_id = "" #tfsec:ignore:aws-rds-enable-performance-insights-encryption Left empty so that it will run, however should be populated with real key in scenario.
		38 |   enabled_cloudwatch_logs_exports = local.application_data.accounts[local.environment].db_enabled_cloudwatch_logs_exports
		39 | 
		40 |   deletion_protection      = local.is-production ? true : false
		41 |   delete_automated_backups = false
		42 | 
		43 |   tags = merge(local.tags,
		44 |     { Name = lower(format("%s-%s-database", local.application_name, local.environment)) }
		45 |   )
		46 | }

Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
	FAILED for resource: aws_db_instance.iaps_test
	File: /rds.tf:120-165

		120 | resource "aws_db_instance" "iaps_test" {
		121 |   engine         = "oracle-ee"
		122 |   engine_version = "19"
		123 |   license_model  = "bring-your-own-license"
		124 |   instance_class = local.application_data.accounts[local.environment].db_instance_class
		125 |   db_name        = "IAPS"
		126 |   identifier     = "iaps-test"
		127 | 
		128 |   username                    = local.application_data.accounts[local.environment].db_user
		129 |   manage_master_user_password = true
		130 |   snapshot_identifier         = length(data.aws_ssm_parameter.iaps_snapshot_data_refresh_id_test.value) > 0 ? data.aws_ssm_parameter.iaps_snapshot_data_refresh_id_test.value : null
		131 |   db_subnet_group_name        = aws_db_subnet_group.iaps.id
		132 |   vpc_security_group_ids      = [aws_security_group.iaps_db.id]
		133 | 
		134 |   # tflint-ignore: aws_db_instance_default_parameter_group
		135 |   parameter_group_name        = "default.oracle-ee-19"
		136 |   skip_final_snapshot         = local.application_data.accounts[local.environment].db_skip_final_snapshot
		137 |   allocated_storage           = local.application_data.accounts[local.environment].db_allocated_storage
		138 |   max_allocated_storage       = local.application_data.accounts[local.environment].db_max_allocated_storage
		139 |   apply_immediately           = local.application_data.accounts[local.environment].db_apply_immediately
		140 |   maintenance_window          = local.application_data.accounts[local.environment].db_maintenance_window
		141 |   auto_minor_version_upgrade  = local.application_data.accounts[local.environment].db_auto_minor_version_upgrade
		142 |   allow_major_version_upgrade = local.application_data.accounts[local.environment].db_allow_major_version_upgrade
		143 |   backup_window               = local.application_data.accounts[local.environment].db_backup_window
		144 |   backup_retention_period     = local.application_data.accounts[local.environment].db_backup_retention_period
		145 |   #checkov:skip=CKV_AWS_133: "backup_retention enabled, can be edited it application_variables.json"
		146 |   iam_database_authentication_enabled = local.application_data.accounts[local.environment].db_iam_database_authentication_enabled
		147 |   #checkov:skip=CKV_AWS_161: "iam auth enabled, but optional"
		148 |   multi_az = local.application_data.accounts[local.environment].db_multi_az
		149 |   #checkov:skip=CKV_AWS_157: "multi-az enabled, but optional"
		150 |   monitoring_interval = local.application_data.accounts[local.environment].db_monitoring_interval
		151 |   monitoring_role_arn = local.application_data.accounts[local.environment].db_monitoring_interval == 0 ? "" : aws_iam_role.rds_enhanced_monitoring[0].arn
		152 |   #checkov:skip=CKV_AWS_118: "enhanced monitoring is enabled, but optional"
		153 |   kms_key_id                      = data.aws_kms_key.rds_shared.arn
		154 |   storage_encrypted               = true
		155 |   performance_insights_enabled    = local.application_data.accounts[local.environment].db_performance_insights_enabled
		156 |   performance_insights_kms_key_id = "" #tfsec:ignore:aws-rds-enable-performance-insights-encryption Left empty so that it will run, however should be populated with real key in scenario.
		157 |   enabled_cloudwatch_logs_exports = local.application_data.accounts[local.environment].db_enabled_cloudwatch_logs_exports
		158 | 
		159 |   deletion_protection      = local.is-production ? true : false
		160 |   delete_automated_backups = false
		161 | 
		162 |   tags = merge(local.tags,
		163 |     { Name = lower(format("%s-%s-database", local.application_name, local.environment)) }
		164 |   )
		165 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.iaps
	File: /ec2-iaps-server.tf:101-106
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis.html

		101 | resource "aws_security_group" "iaps" {
		102 |   name        = lower(format("%s-%s", local.application_name, local.environment))
		103 |   description = "Controls access to IAPS EC2 instance"
		104 |   vpc_id      = data.aws_vpc.shared.id
		105 |   tags        = local.ec2_tags
		106 | }

Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
	FAILED for resource: aws_ssm_parameter.iaps_snapshot_data_refresh_id
	File: /rds.tf:48-61
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html

		48 | resource "aws_ssm_parameter" "iaps_snapshot_data_refresh_id" {
		49 |   name        = "/iaps/snapshot_id"
		50 |   description = "The ID of the RDS snapshot used for the IAPS database data refresh"
		51 |   type        = "String"
		52 |   value       = try(local.application_data.accounts[local.environment].db_snapshot_identifier, "")
		53 | 
		54 |   tags = {
		55 |     environment = "production"
		56 |   }
		57 | 
		58 |   lifecycle {
		59 |     ignore_changes = [value]
		60 |   }
		61 | }

Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
	FAILED for resource: aws_ssm_parameter.im-interface-oracle-user
	File: /ssm.tf:2-13
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html

		2  | resource "aws_ssm_parameter" "im-interface-oracle-user" {
		3  |   name      = "/IMInterface/IAPSOracle/user"
		4  |   type      = "String"
		5  |   value     = "dev-placeholder-iapsoracle-user"
		6  |   overwrite = true
		7  | 
		8  |   lifecycle {
		9  |     ignore_changes = [
		10 |       value
		11 |     ]
		12 |   }
		13 | }

Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
	FAILED for resource: aws_ssm_parameter.im-interface-soap-odbc-dsn
	File: /ssm.tf:28-39
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html

		28 | resource "aws_ssm_parameter" "im-interface-soap-odbc-dsn" {
		29 |   name      = "/IMInterface/SOAPServer/ODBC/dsn"
		30 |   type      = "String"
		31 |   value     = "dev-placeholder-soapserver-odbc-dsn"
		32 |   overwrite = true
		33 | 
		34 |   lifecycle {
		35 |     ignore_changes = [
		36 |       value
		37 |     ]
		38 |   }
		39 | }

Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
	FAILED for resource: aws_ssm_parameter.im-interface-soap-odbc-server
	File: /ssm.tf:41-52
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html

		41 | resource "aws_ssm_parameter" "im-interface-soap-odbc-server" {
		42 |   name      = "/IMInterface/SOAPServer/ODBC/server"
		43 |   type      = "String"
		44 |   value     = "dev-placeholder-soapserver-odbc-server"
		45 |   overwrite = true
		46 | 
		47 |   lifecycle {
		48 |     ignore_changes = [
		49 |       value
		50 |     ]
		51 |   }
		52 | }

Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
	FAILED for resource: aws_ssm_parameter.im-interface-soap-odbc-database
	File: /ssm.tf:54-65
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html

		54 | resource "aws_ssm_parameter" "im-interface-soap-odbc-database" {
		55 |   name      = "/IMInterface/SOAPServer/ODBC/database"
		56 |   type      = "String"
		57 |   value     = "dev-placeholder-soapserver-odbc-database"
		58 |   overwrite = true
		59 | 
		60 |   lifecycle {
		61 |     ignore_changes = [
		62 |       value
		63 |     ]
		64 |   }
		65 | }

Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
	FAILED for resource: aws_ssm_parameter.im-interface-soap-odbc-uid
	File: /ssm.tf:67-78
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html

		67 | resource "aws_ssm_parameter" "im-interface-soap-odbc-uid" {
		68 |   name      = "/IMInterface/SOAPServer/ODBC/uid"
		69 |   type      = "String"
		70 |   value     = "dev-placeholder-soapserver-odbc-uid"
		71 |   overwrite = true
		72 | 
		73 |   lifecycle {
		74 |     ignore_changes = [
		75 |       value
		76 |     ]
		77 |   }
		78 | }

Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
	FAILED for resource: aws_ssm_parameter.ndelius-interface-ssm-param
	File: /ssm.tf:93-105
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html

		93  | resource "aws_ssm_parameter" "ndelius-interface-ssm-param" {
		94  |   for_each  = local.ndelius_interface_params.parameter
		95  |   name      = each.value.name
		96  |   type      = each.value.type
		97  |   value     = each.value.value
		98  |   overwrite = each.value.overwrite
		99  | 
		100 |   lifecycle {
		101 |     ignore_changes = [
		102 |       value
		103 |     ]
		104 |   }
		105 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.ad_password
	File: /secrets.tf:13-23

		13 | resource "aws_secretsmanager_secret" "ad_password" {
		14 |   #checkov:skip=CKV_AWS_149
		15 |   name                    = "${var.networking[0].application}-ad-password"
		16 |   recovery_window_in_days = 0
		17 |   tags = merge(
		18 |     local.tags,
		19 |     {
		20 |       Name = "${var.networking[0].application}-ad-password"
		21 |     },
		22 |   )
		23 | }


checkov_exitcode=1

TFLint Scan Failed

*****************************

Setting default tflint config...
Running tflint --init...
Installing `terraform` plugin...
Installed `terraform` (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.2.1)
tflint will check the following folders:
terraform/environments/delius-iaps

*****************************

Running tflint in terraform/environments/delius-iaps
Excluding the following checks: terraform_unused_declarations
1 issue(s) found:

Warning: Missing version constraint for provider "random" in "required_providers" (terraform_required_providers)

  on terraform/environments/delius-iaps/secrets.tf line 4:
   4: resource "random_password" "ad_password" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_required_providers.md

tflint_exitcode=2

@nbuckingham72 nbuckingham72 merged commit aa37f37 into main Aug 14, 2023
7 of 8 checks passed
@nbuckingham72 nbuckingham72 deleted the health_check_script_update_20230814 branch August 14, 2023 12:15