new acm-cert for dev.legal.service #3083

Merged
merged 13 commits into from
Aug 17, 2023

Conversation

tajewole-moj
Contributor

No description provided.

@tajewole-moj tajewole-moj requested review from a team as code owners August 14, 2023 11:54
@github-actions github-actions bot added the environments-repository label ("Used to exclude PRs from this repo in our Slack PR update") on Aug 14, 2023
@github-actions
Contributor

TFSEC Scan Success

*****************************

TFSEC will check the following folders:
terraform/environments/nomis

*****************************

Running TFSEC in terraform/environments/nomis
Excluding the following checks: AWS095
  timings
  ──────────────────────────────────────────
  disk i/o             2.21509ms
  parsing              515.888501ms
  adaptation           602.851µs
  checks               19.573865ms
  total                538.280307ms

  counts
  ──────────────────────────────────────────
  modules downloaded   0
  modules processed    5
  blocks processed     270
  files read           73

  results
  ──────────────────────────────────────────
  passed               39
  ignored              4
  critical             0
  high                 0
  medium               0
  low                  0


No problems detected!

tfsec_exitcode=0

Checkov Scan Failed

*****************************

Checkov will check the following folders:
terraform/environments/nomis

*****************************

Running Checkov in terraform/environments/nomis
terraform scan results:

Passed checks: 110, Failed checks: 16, Skipped checks: 4

Check: CKV_AWS_112: "Ensure Session Manager data is encrypted in transit"
	FAILED for resource: aws_ssm_document.session_manager_settings
	File: /ec2_common.tf:5-33
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-session-manager-data-is-encrypted-in-transit.html

		5  | resource "aws_ssm_document" "session_manager_settings" {
		6  |   name            = "SSM-SessionManagerRunShell"
		7  |   document_type   = "Session"
		8  |   document_format = "JSON"
		9  | 
		10 |   content = jsonencode(
		11 |     {
		12 |       schemaVersion = "1.0"
		13 |       description   = "Document to hold regional settings for Session Manager"
		14 |       sessionType   = "Standard_Stream",
		15 |       inputs = {
		16 |         cloudWatchLogGroupName      = "session-manager-logs"
		17 |         cloudWatchEncryptionEnabled = false
		18 |         cloudWatchStreamingEnabled  = true
		19 |         s3BucketName                = ""
		20 |         s3KeyPrefix                 = ""
		21 |         s3EncryptionEnabled         = false
		22 |         idleSessionTimeout          = "20"
		23 |         kmsKeyId                    = "" # aws_kms_key.session_manager.arn
		24 |         runAsEnabled                = false
		25 |         runAsDefaultUser            = ""
		26 |         shellProfile = {
		27 |           windows = ""
		28 |           linux   = ""
		29 |         }
		30 |       }
		31 |     }
		32 |   )
		33 | }

Check: CKV_AWS_113: "Ensure Session Manager logs are enabled and encrypted"
	FAILED for resource: aws_ssm_document.session_manager_settings
	File: /ec2_common.tf:5-33
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-networking-62.html

		5  | resource "aws_ssm_document" "session_manager_settings" {
		6  |   name            = "SSM-SessionManagerRunShell"
		7  |   document_type   = "Session"
		8  |   document_format = "JSON"
		9  | 
		10 |   content = jsonencode(
		11 |     {
		12 |       schemaVersion = "1.0"
		13 |       description   = "Document to hold regional settings for Session Manager"
		14 |       sessionType   = "Standard_Stream",
		15 |       inputs = {
		16 |         cloudWatchLogGroupName      = "session-manager-logs"
		17 |         cloudWatchEncryptionEnabled = false
		18 |         cloudWatchStreamingEnabled  = true
		19 |         s3BucketName                = ""
		20 |         s3KeyPrefix                 = ""
		21 |         s3EncryptionEnabled         = false
		22 |         idleSessionTimeout          = "20"
		23 |         kmsKeyId                    = "" # aws_kms_key.session_manager.arn
		24 |         runAsEnabled                = false
		25 |         runAsDefaultUser            = ""
		26 |         shellProfile = {
		27 |           windows = ""
		28 |           linux   = ""
		29 |         }
		30 |       }
		31 |     }
		32 |   )
		33 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.cloudwatch_datasource
	File: /ec2_common.tf:322-370

		322 | data "aws_iam_policy_document" "cloudwatch_datasource" {
		323 |   statement {
		324 |     sid    = "AllowReadingMetricsFromCloudWatch"
		325 |     effect = "Allow"
		326 |     actions = [
		327 |       "cloudwatch:DescribeAlarmsForMetric",
		328 |       "cloudwatch:DescribeAlarmHistory",
		329 |       "cloudwatch:DescribeAlarms",
		330 |       "cloudwatch:ListMetrics",
		331 |       "cloudwatch:GetMetricData",
		332 |       "cloudwatch:GetInsightRuleReport"
		333 |     ]
		334 |     #tfsec:ignore:aws-iam-no-policy-wildcards
		335 |     resources = ["*"]
		336 |   }
		337 |   statement {
		338 |     sid    = "AllowReadingLogsFromCloudWatch"
		339 |     effect = "Allow"
		340 |     actions = [
		341 |       "logs:DescribeLogGroups",
		342 |       "logs:GetLogGroupFields",
		343 |       "logs:StartQuery",
		344 |       "logs:StopQuery",
		345 |       "logs:GetQueryResults",
		346 |       "logs:GetLogEvents"
		347 |     ]
		348 |     #tfsec:ignore:aws-iam-no-policy-wildcards
		349 |     resources = ["*"]
		350 |   }
		351 |   statement {
		352 |     sid    = "AllowReadingTagsInstancesRegionsFromEC2"
		353 |     effect = "Allow"
		354 |     actions = [
		355 |       "ec2:DescribeTags",
		356 |       "ec2:DescribeInstances",
		357 |       "ec2:DescribeRegions"
		358 |     ]
		359 |     resources = ["*"]
		360 |   }
		361 |   statement {
		362 |     sid    = "AllowReadingResourcesForTags"
		363 |     effect = "Allow"
		364 |     actions = [
		365 |       "tag:GetResources"
		366 |     ]
		367 |     resources = ["*"]
		368 |   }
		369 | 
		370 | }

Check: CKV_AWS_166: "Ensure Backup Vault is encrypted at rest using KMS CMK"
	FAILED for resource: module.baseline.aws_backup_vault.this
	File: /../../modules/baseline/backups.tf:35-43
	Calling File: /main.tf:33-164
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-backup-vault-is-encrypted-at-rest-using-kms-cmk.html

		35 | resource "aws_backup_vault" "this" {
		36 |   for_each = local.backup_vaults
		37 | 
		38 |   name = each.key
		39 | 
		40 |   tags = merge(local.tags, each.value.tags, {
		41 |     Name = each.key
		42 |   })
		43 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.baseline.bastion_linux[0]
	File: /../../modules/baseline/bastion_linux.tf:1-36
	Calling File: /main.tf:33-164

		1  | module "bastion_linux" {
		2  |   count = var.bastion_linux != null ? 1 : 0
		3  | 
		4  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.0.0"
		5  | 
		6  |   providers = {
		7  |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		8  |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		9  |   }
		10 | 
		11 |   # s3 - used for logs and user ssh public keys
		12 |   bucket_name          = var.bastion_linux.bucket_name
		13 |   bucket_versioning    = var.bastion_linux.bucket_versioning
		14 |   bucket_force_destroy = var.bastion_linux.bucket_force_destroy
		15 | 
		16 |   # public keys
		17 |   public_key_data = var.bastion_linux.public_key_data
		18 | 
		19 |   # logs
		20 |   log_auto_clean       = var.bastion_linux.log_auto_clean
		21 |   log_standard_ia_days = var.bastion_linux.log_standard_ia_days
		22 |   log_glacier_days     = var.bastion_linux.log_glacier_days
		23 |   log_expiry_days      = var.bastion_linux.log_expiry_days
		24 | 
		25 |   # bastion
		26 |   allow_ssh_commands = var.bastion_linux.allow_ssh_commands
		27 | 
		28 |   app_name                = var.environment.application_name
		29 |   business_unit           = var.environment.business_unit
		30 |   subnet_set              = var.environment.subnet_set
		31 |   environment             = var.environment.environment
		32 |   region                  = var.environment.region
		33 |   extra_user_data_content = var.bastion_linux.extra_user_data_content
		34 |   tags_common             = merge(local.tags, var.bastion_linux.tags)
		35 |   tags_prefix             = terraform.workspace
		36 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.baseline.ec2_autoscaling_group
	File: /../../modules/baseline/ec2_autoscaling_group.tf:13-77
	Calling File: /main.tf:33-164

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.baseline.ec2_instance
	File: /../../modules/baseline/ec2_instance.tf:1-58
	Calling File: /main.tf:33-164

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.baseline.lb
	File: /../../modules/baseline/lb.tf:17-48
	Calling File: /main.tf:33-164

		17 | module "lb" {
		18 |   for_each = var.lbs
		19 | 
		20 |   source = "git::https://github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer.git?ref=v3.0.0"
		21 | 
		22 |   providers = {
		23 |     aws.bucket-replication = aws
		24 |   }
		25 | 
		26 |   account_number             = var.environment.account_id
		27 |   application_name           = each.key
		28 |   enable_deletion_protection = each.value.enable_delete_protection
		29 |   force_destroy_bucket       = each.value.force_destroy_bucket
		30 |   idle_timeout               = each.value.idle_timeout
		31 |   internal_lb                = each.value.internal_lb
		32 |   load_balancer_type         = each.value.load_balancer_type
		33 |   lb_target_groups           = each.value.lb_target_groups
		34 |   access_logs                = lookup(each.value, "access_logs", true)
		35 | 
		36 |   security_groups = [
		37 |     for sg in each.value.security_groups : lookup(aws_security_group.this, sg, null) != null ? aws_security_group.this[sg].id : sg
		38 |   ]
		39 | 
		40 |   public_subnets = each.value.public_subnets
		41 |   region         = var.environment.region
		42 |   vpc_all        = var.environment.vpc_name
		43 |   tags           = merge(local.tags, each.value.tags)
		44 | 
		45 |   depends_on = [
		46 |     module.ec2_autoscaling_group, # ensure ASG target groups are created first
		47 |   ]
		48 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: module.baseline.aws_cloudwatch_log_group.route53
	File: /../../modules/baseline/route53.tf:156-167
	Calling File: /main.tf:33-164

		156 | resource "aws_cloudwatch_log_group" "route53" {
		157 |   for_each = local.route53_zones_to_create
		158 | 
		159 |   provider = aws.us-east-1
		160 | 
		161 |   name              = "/route53/${each.key}"
		162 |   retention_in_days = 30
		163 | 
		164 |   tags = merge(local.tags, {
		165 |     Name = "aws/route53/${each.key}"
		166 |   })
		167 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: module.baseline.aws_cloudwatch_log_group.route53
	File: /../../modules/baseline/route53.tf:156-167
	Calling File: /main.tf:33-164
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html

		156 | resource "aws_cloudwatch_log_group" "route53" {
		157 |   for_each = local.route53_zones_to_create
		158 | 
		159 |   provider = aws.us-east-1
		160 | 
		161 |   name              = "/route53/${each.key}"
		162 |   retention_in_days = 30
		163 | 
		164 |   tags = merge(local.tags, {
		165 |     Name = "aws/route53/${each.key}"
		166 |   })
		167 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.baseline.s3_bucket
	File: /../../modules/baseline/s3_bucket.tf:29-55
	Calling File: /main.tf:33-164

		29 | module "s3_bucket" {
		30 |   for_each = var.s3_buckets
		31 | 
		32 |   source = "git::https://github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0"
		33 | 
		34 |   providers = {
		35 |     aws.bucket-replication = aws
		36 |   }
		37 | 
		38 |   bucket_prefix              = each.key
		39 |   acl                        = each.value.acl
		40 |   versioning_enabled         = each.value.versioning_enabled
		41 |   replication_enabled        = each.value.replication_enabled
		42 |   replication_region         = coalesce(each.value.replication_region, var.environment.region)
		43 |   bucket_policy              = each.value.bucket_policy
		44 |   bucket_policy_v2           = each.value.bucket_policy_v2
		45 |   custom_kms_key             = coalesce(each.value.custom_kms_key, var.environment.kms_keys["general"].arn)
		46 |   custom_replication_kms_key = coalesce(each.value.custom_replication_kms_key, var.environment.kms_keys["general"].arn)
		47 |   lifecycle_rule             = each.value.lifecycle_rule
		48 |   log_bucket                 = each.value.log_bucket
		49 |   log_prefix                 = each.value.log_prefix
		50 |   replication_role_arn       = each.value.replication_role_arn
		51 |   force_destroy              = each.value.force_destroy
		52 |   sse_algorithm              = each.value.sse_algorithm
		53 | 
		54 |   tags = merge(local.tags, each.value.tags)
		55 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: module.baseline.module.db_instance.aws_db_instance.this
	File: /../../modules/rds_instance/main.tf:5-58
	Calling File: /../../modules/baseline/rds_instance.tf:1-34

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
	FAILED for resource: module.baseline.module.db_instance.aws_db_instance.this
	File: /../../modules/rds_instance/main.tf:5-58
	Calling File: /../../modules/baseline/rds_instance.tf:1-34

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
	FAILED for resource: module.baseline.aws_ssm_parameter.fixed
	File: /../../modules/baseline/ssm.tf:51-67
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html

		51 | resource "aws_ssm_parameter" "fixed" {
		52 |   for_each = merge(
		53 |     local.ssm_parameters_value,
		54 |     local.ssm_parameters_random,
		55 |     local.ssm_parameters_file
		56 |   )
		57 | 
		58 |   name        = each.key
		59 |   description = each.value.description
		60 |   type        = each.value.type
		61 |   key_id      = each.value.key_id != null ? try(var.environment.kms_keys[each.value.key_id].arn, each.value.key_id) : null
		62 |   value       = each.value.value
		63 | 
		64 |   tags = merge(local.tags, {
		65 |     Name = each.key
		66 |   })
		67 | }

Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
	FAILED for resource: module.baseline.aws_ssm_parameter.placeholder
	File: /../../modules/baseline/ssm.tf:69-85
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html

		69 | resource "aws_ssm_parameter" "placeholder" {
		70 |   for_each = local.ssm_parameters_default
		71 | 
		72 |   name        = each.key
		73 |   description = each.value.description
		74 |   type        = each.value.type
		75 |   key_id      = each.value.key_id != null ? try(var.environment.kms_keys[each.value.key_id].arn, each.value.key_id) : null
		76 |   value       = each.value.value
		77 | 
		78 |   tags = merge(local.tags, {
		79 |     Name = each.key
		80 |   })
		81 | 
		82 |   lifecycle {
		83 |     ignore_changes = [value]
		84 |   }
		85 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: module.baseline.aws_security_group.route53_resolver[0]
	File: /../../modules/baseline/route53.tf:266-278
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis.html

		266 | resource "aws_security_group" "route53_resolver" {
		267 |   count = length(var.route53_resolvers) != 0 ? 1 : 0
		268 | 
		269 |   provider = aws.core-vpc
		270 | 
		271 |   name        = "${var.environment.application_name}-route53-resolver"
		272 |   description = "Route53 resolver security group for ${var.environment.application_name}"
		273 |   vpc_id      = var.environment.vpc.id
		274 | 
		275 |   tags = merge(local.tags, {
		276 |     Name = "${var.environment.application_name}-route53-resolver"
		277 |   })
		278 | }


checkov_exitcode=1

CTFLint Scan Failed

*****************************

Setting default tflint config...
Running tflint --init...
Installing `terraform` plugin...
Installed `terraform` (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.2.1)
tflint will check the following folders:
terraform/environments/nomis

*****************************

Running tflint in terraform/environments/nomis
Excluding the following checks: terraform_unused_declarations
6 issue(s) found:

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/nomis/locals_security_groups.tf line 22:
  22:       "${module.ip_addresses.mp_cidr[module.environment.vpc_name]}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/nomis/locals_security_groups.tf line 37:
  37:       "${module.ip_addresses.mp_cidr[module.environment.vpc_name]}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/nomis/locals_security_groups.tf line 41:
  41:       "${module.ip_addresses.mp_cidr[module.environment.vpc_name]}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/nomis/locals_security_groups.tf line 50:
  50:       "${module.ip_addresses.mp_cidr[module.environment.vpc_name]}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/nomis/locals_security_groups.tf line 65:
  65:       "${module.ip_addresses.mp_cidr[module.environment.vpc_name]}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/nomis/locals_security_groups.tf line 69:
  69:       "${module.ip_addresses.mp_cidr[module.environment.vpc_name]}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

tflint_exitcode=2

@github-actions
Contributor

TFSEC Scan Success

*****************************

TFSEC will check the following folders:
terraform/environments/nomis

*****************************

Running TFSEC in terraform/environments/nomis
Excluding the following checks: AWS095
  timings
  ──────────────────────────────────────────
  disk i/o             2.288628ms
  parsing              418.975285ms
  adaptation           573.407µs
  checks               12.362959ms
  total                434.200279ms

  counts
  ──────────────────────────────────────────
  modules downloaded   0
  modules processed    5
  blocks processed     270
  files read           73

  results
  ──────────────────────────────────────────
  passed               39
  ignored              4
  critical             0
  high                 0
  medium               0
  low                  0


No problems detected!

tfsec_exitcode=0

Checkov Scan Failed

		40 |   versioning_enabled         = each.value.versioning_enabled
		41 |   replication_enabled        = each.value.replication_enabled
		42 |   replication_region         = coalesce(each.value.replication_region, var.environment.region)
		43 |   bucket_policy              = each.value.bucket_policy
		44 |   bucket_policy_v2           = each.value.bucket_policy_v2
		45 |   custom_kms_key             = coalesce(each.value.custom_kms_key, var.environment.kms_keys["general"].arn)
		46 |   custom_replication_kms_key = coalesce(each.value.custom_replication_kms_key, var.environment.kms_keys["general"].arn)
		47 |   lifecycle_rule             = each.value.lifecycle_rule
		48 |   log_bucket                 = each.value.log_bucket
		49 |   log_prefix                 = each.value.log_prefix
		50 |   replication_role_arn       = each.value.replication_role_arn
		51 |   force_destroy              = each.value.force_destroy
		52 |   sse_algorithm              = each.value.sse_algorithm
		53 | 
		54 |   tags = merge(local.tags, each.value.tags)
		55 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: module.baseline.module.db_instance.aws_db_instance.this
	File: /../../modules/rds_instance/main.tf:5-58
	Calling File: /../../modules/baseline/rds_instance.tf:1-34

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
	FAILED for resource: module.baseline.module.db_instance.aws_db_instance.this
	File: /../../modules/rds_instance/main.tf:5-58
	Calling File: /../../modules/baseline/rds_instance.tf:1-34

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
	FAILED for resource: module.baseline.aws_ssm_parameter.fixed
	File: /../../modules/baseline/ssm.tf:51-67
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html

		51 | resource "aws_ssm_parameter" "fixed" {
		52 |   for_each = merge(
		53 |     local.ssm_parameters_value,
		54 |     local.ssm_parameters_random,
		55 |     local.ssm_parameters_file
		56 |   )
		57 | 
		58 |   name        = each.key
		59 |   description = each.value.description
		60 |   type        = each.value.type
		61 |   key_id      = each.value.key_id != null ? try(var.environment.kms_keys[each.value.key_id].arn, each.value.key_id) : null
		62 |   value       = each.value.value
		63 | 
		64 |   tags = merge(local.tags, {
		65 |     Name = each.key
		66 |   })
		67 | }

Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
	FAILED for resource: module.baseline.aws_ssm_parameter.placeholder
	File: /../../modules/baseline/ssm.tf:69-85
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html

		69 | resource "aws_ssm_parameter" "placeholder" {
		70 |   for_each = local.ssm_parameters_default
		71 | 
		72 |   name        = each.key
		73 |   description = each.value.description
		74 |   type        = each.value.type
		75 |   key_id      = each.value.key_id != null ? try(var.environment.kms_keys[each.value.key_id].arn, each.value.key_id) : null
		76 |   value       = each.value.value
		77 | 
		78 |   tags = merge(local.tags, {
		79 |     Name = each.key
		80 |   })
		81 | 
		82 |   lifecycle {
		83 |     ignore_changes = [value]
		84 |   }
		85 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: module.baseline.aws_security_group.route53_resolver[0]
	File: /../../modules/baseline/route53.tf:266-278
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis.html

		266 | resource "aws_security_group" "route53_resolver" {
		267 |   count = length(var.route53_resolvers) != 0 ? 1 : 0
		268 | 
		269 |   provider = aws.core-vpc
		270 | 
		271 |   name        = "${var.environment.application_name}-route53-resolver"
		272 |   description = "Route53 resolver security group for ${var.environment.application_name}"
		273 |   vpc_id      = var.environment.vpc.id
		274 | 
		275 |   tags = merge(local.tags, {
		276 |     Name = "${var.environment.application_name}-route53-resolver"
		277 |   })
		278 | }


checkov_exitcode=1

CTFLint Scan Failed

*****************************

Setting default tflint config...
Running tflint --init...
Installing `terraform` plugin...
Installed `terraform` (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.2.1)
tflint will check the following folders:
terraform/environments/nomis

*****************************

Running tflint in terraform/environments/nomis
Excluding the following checks: terraform_unused_declarations
6 issue(s) found:

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/nomis/locals_security_groups.tf line 22:
  22:       "${module.ip_addresses.mp_cidr[module.environment.vpc_name]}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/nomis/locals_security_groups.tf line 37:
  37:       "${module.ip_addresses.mp_cidr[module.environment.vpc_name]}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/nomis/locals_security_groups.tf line 41:
  41:       "${module.ip_addresses.mp_cidr[module.environment.vpc_name]}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/nomis/locals_security_groups.tf line 50:
  50:       "${module.ip_addresses.mp_cidr[module.environment.vpc_name]}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/nomis/locals_security_groups.tf line 65:
  65:       "${module.ip_addresses.mp_cidr[module.environment.vpc_name]}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/nomis/locals_security_groups.tf line 69:
  69:       "${module.ip_addresses.mp_cidr[module.environment.vpc_name]}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

tflint_exitcode=2

@github-actions
Contributor

TFSEC Scan Success

*****************************

TFSEC will check the following folders:
terraform/environments/nomis

*****************************

Running TFSEC in terraform/environments/nomis
Excluding the following checks: AWS095
  timings
  ──────────────────────────────────────────
  disk i/o             2.409246ms
  parsing              463.366409ms
  adaptation           762.715µs
  checks               15.488705ms
  total                482.027075ms

  counts
  ──────────────────────────────────────────
  modules downloaded   0
  modules processed    5
  blocks processed     270
  files read           73

  results
  ──────────────────────────────────────────
  passed               39
  ignored              4
  critical             0
  high                 0
  medium               0
  low                  0


No problems detected!

tfsec_exitcode=0

Checkov Scan Failed

*****************************

Checkov will check the following folders:
terraform/environments/nomis

*****************************

Running Checkov in terraform/environments/nomis
terraform scan results:

Passed checks: 110, Failed checks: 16, Skipped checks: 4

Check: CKV_AWS_112: "Ensure Session Manager data is encrypted in transit"
	FAILED for resource: aws_ssm_document.session_manager_settings
	File: /ec2_common.tf:5-33
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-session-manager-data-is-encrypted-in-transit.html

		5  | resource "aws_ssm_document" "session_manager_settings" {
		6  |   name            = "SSM-SessionManagerRunShell"
		7  |   document_type   = "Session"
		8  |   document_format = "JSON"
		9  | 
		10 |   content = jsonencode(
		11 |     {
		12 |       schemaVersion = "1.0"
		13 |       description   = "Document to hold regional settings for Session Manager"
		14 |       sessionType   = "Standard_Stream",
		15 |       inputs = {
		16 |         cloudWatchLogGroupName      = "session-manager-logs"
		17 |         cloudWatchEncryptionEnabled = false
		18 |         cloudWatchStreamingEnabled  = true
		19 |         s3BucketName                = ""
		20 |         s3KeyPrefix                 = ""
		21 |         s3EncryptionEnabled         = false
		22 |         idleSessionTimeout          = "20"
		23 |         kmsKeyId                    = "" # aws_kms_key.session_manager.arn
		24 |         runAsEnabled                = false
		25 |         runAsDefaultUser            = ""
		26 |         shellProfile = {
		27 |           windows = ""
		28 |           linux   = ""
		29 |         }
		30 |       }
		31 |     }
		32 |   )
		33 | }

Check: CKV_AWS_113: "Ensure Session Manager logs are enabled and encrypted"
	FAILED for resource: aws_ssm_document.session_manager_settings
	File: /ec2_common.tf:5-33
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-networking-62.html

		5  | resource "aws_ssm_document" "session_manager_settings" {
		6  |   name            = "SSM-SessionManagerRunShell"
		7  |   document_type   = "Session"
		8  |   document_format = "JSON"
		9  | 
		10 |   content = jsonencode(
		11 |     {
		12 |       schemaVersion = "1.0"
		13 |       description   = "Document to hold regional settings for Session Manager"
		14 |       sessionType   = "Standard_Stream",
		15 |       inputs = {
		16 |         cloudWatchLogGroupName      = "session-manager-logs"
		17 |         cloudWatchEncryptionEnabled = false
		18 |         cloudWatchStreamingEnabled  = true
		19 |         s3BucketName                = ""
		20 |         s3KeyPrefix                 = ""
		21 |         s3EncryptionEnabled         = false
		22 |         idleSessionTimeout          = "20"
		23 |         kmsKeyId                    = "" # aws_kms_key.session_manager.arn
		24 |         runAsEnabled                = false
		25 |         runAsDefaultUser            = ""
		26 |         shellProfile = {
		27 |           windows = ""
		28 |           linux   = ""
		29 |         }
		30 |       }
		31 |     }
		32 |   )
		33 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.cloudwatch_datasource
	File: /ec2_common.tf:322-370

		322 | data "aws_iam_policy_document" "cloudwatch_datasource" {
		323 |   statement {
		324 |     sid    = "AllowReadingMetricsFromCloudWatch"
		325 |     effect = "Allow"
		326 |     actions = [
		327 |       "cloudwatch:DescribeAlarmsForMetric",
		328 |       "cloudwatch:DescribeAlarmHistory",
		329 |       "cloudwatch:DescribeAlarms",
		330 |       "cloudwatch:ListMetrics",
		331 |       "cloudwatch:GetMetricData",
		332 |       "cloudwatch:GetInsightRuleReport"
		333 |     ]
		334 |     #tfsec:ignore:aws-iam-no-policy-wildcards
		335 |     resources = ["*"]
		336 |   }
		337 |   statement {
		338 |     sid    = "AllowReadingLogsFromCloudWatch"
		339 |     effect = "Allow"
		340 |     actions = [
		341 |       "logs:DescribeLogGroups",
		342 |       "logs:GetLogGroupFields",
		343 |       "logs:StartQuery",
		344 |       "logs:StopQuery",
		345 |       "logs:GetQueryResults",
		346 |       "logs:GetLogEvents"
		347 |     ]
		348 |     #tfsec:ignore:aws-iam-no-policy-wildcards
		349 |     resources = ["*"]
		350 |   }
		351 |   statement {
		352 |     sid    = "AllowReadingTagsInstancesRegionsFromEC2"
		353 |     effect = "Allow"
		354 |     actions = [
		355 |       "ec2:DescribeTags",
		356 |       "ec2:DescribeInstances",
		357 |       "ec2:DescribeRegions"
		358 |     ]
		359 |     resources = ["*"]
		360 |   }
		361 |   statement {
		362 |     sid    = "AllowReadingResourcesForTags"
		363 |     effect = "Allow"
		364 |     actions = [
		365 |       "tag:GetResources"
		366 |     ]
		367 |     resources = ["*"]
		368 |   }
		369 | 
		370 | }

Check: CKV_AWS_166: "Ensure Backup Vault is encrypted at rest using KMS CMK"
	FAILED for resource: module.baseline.aws_backup_vault.this
	File: /../../modules/baseline/backups.tf:35-43
	Calling File: /main.tf:33-164
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-backup-vault-is-encrypted-at-rest-using-kms-cmk.html

		35 | resource "aws_backup_vault" "this" {
		36 |   for_each = local.backup_vaults
		37 | 
		38 |   name = each.key
		39 | 
		40 |   tags = merge(local.tags, each.value.tags, {
		41 |     Name = each.key
		42 |   })
		43 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.baseline.bastion_linux[0]
	File: /../../modules/baseline/bastion_linux.tf:1-36
	Calling File: /main.tf:33-164

		1  | module "bastion_linux" {
		2  |   count = var.bastion_linux != null ? 1 : 0
		3  | 
		4  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.0.0"
		5  | 
		6  |   providers = {
		7  |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		8  |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		9  |   }
		10 | 
		11 |   # s3 - used for logs and user ssh public keys
		12 |   bucket_name          = var.bastion_linux.bucket_name
		13 |   bucket_versioning    = var.bastion_linux.bucket_versioning
		14 |   bucket_force_destroy = var.bastion_linux.bucket_force_destroy
		15 | 
		16 |   # public keys
		17 |   public_key_data = var.bastion_linux.public_key_data
		18 | 
		19 |   # logs
		20 |   log_auto_clean       = var.bastion_linux.log_auto_clean
		21 |   log_standard_ia_days = var.bastion_linux.log_standard_ia_days
		22 |   log_glacier_days     = var.bastion_linux.log_glacier_days
		23 |   log_expiry_days      = var.bastion_linux.log_expiry_days
		24 | 
		25 |   # bastion
		26 |   allow_ssh_commands = var.bastion_linux.allow_ssh_commands
		27 | 
		28 |   app_name                = var.environment.application_name
		29 |   business_unit           = var.environment.business_unit
		30 |   subnet_set              = var.environment.subnet_set
		31 |   environment             = var.environment.environment
		32 |   region                  = var.environment.region
		33 |   extra_user_data_content = var.bastion_linux.extra_user_data_content
		34 |   tags_common             = merge(local.tags, var.bastion_linux.tags)
		35 |   tags_prefix             = terraform.workspace
		36 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.baseline.ec2_autoscaling_group
	File: /../../modules/baseline/ec2_autoscaling_group.tf:13-77
	Calling File: /main.tf:33-164

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.baseline.ec2_instance
	File: /../../modules/baseline/ec2_instance.tf:1-58
	Calling File: /main.tf:33-164

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.baseline.lb
	File: /../../modules/baseline/lb.tf:17-48
	Calling File: /main.tf:33-164

		17 | module "lb" {
		18 |   for_each = var.lbs
		19 | 
		20 |   source = "git::https://github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer.git?ref=v3.0.0"
		21 | 
		22 |   providers = {
		23 |     aws.bucket-replication = aws
		24 |   }
		25 | 
		26 |   account_number             = var.environment.account_id
		27 |   application_name           = each.key
		28 |   enable_deletion_protection = each.value.enable_delete_protection
		29 |   force_destroy_bucket       = each.value.force_destroy_bucket
		30 |   idle_timeout               = each.value.idle_timeout
		31 |   internal_lb                = each.value.internal_lb
		32 |   load_balancer_type         = each.value.load_balancer_type
		33 |   lb_target_groups           = each.value.lb_target_groups
		34 |   access_logs                = lookup(each.value, "access_logs", true)
		35 | 
		36 |   security_groups = [
		37 |     for sg in each.value.security_groups : lookup(aws_security_group.this, sg, null) != null ? aws_security_group.this[sg].id : sg
		38 |   ]
		39 | 
		40 |   public_subnets = each.value.public_subnets
		41 |   region         = var.environment.region
		42 |   vpc_all        = var.environment.vpc_name
		43 |   tags           = merge(local.tags, each.value.tags)
		44 | 
		45 |   depends_on = [
		46 |     module.ec2_autoscaling_group, # ensure ASG target groups are created first
		47 |   ]
		48 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: module.baseline.aws_cloudwatch_log_group.route53
	File: /../../modules/baseline/route53.tf:156-167
	Calling File: /main.tf:33-164

		156 | resource "aws_cloudwatch_log_group" "route53" {
		157 |   for_each = local.route53_zones_to_create
		158 | 
		159 |   provider = aws.us-east-1
		160 | 
		161 |   name              = "/route53/${each.key}"
		162 |   retention_in_days = 30
		163 | 
		164 |   tags = merge(local.tags, {
		165 |     Name = "aws/route53/${each.key}"
		166 |   })
		167 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: module.baseline.aws_cloudwatch_log_group.route53
	File: /../../modules/baseline/route53.tf:156-167
	Calling File: /main.tf:33-164
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html

		156 | resource "aws_cloudwatch_log_group" "route53" {
		157 |   for_each = local.route53_zones_to_create
		158 | 
		159 |   provider = aws.us-east-1
		160 | 
		161 |   name              = "/route53/${each.key}"
		162 |   retention_in_days = 30
		163 | 
		164 |   tags = merge(local.tags, {
		165 |     Name = "aws/route53/${each.key}"
		166 |   })
		167 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.baseline.s3_bucket
	File: /../../modules/baseline/s3_bucket.tf:29-55
	Calling File: /main.tf:33-164

		29 | module "s3_bucket" {
		30 |   for_each = var.s3_buckets
		31 | 
		32 |   source = "git::https://github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0"
		33 | 
		34 |   providers = {
		35 |     aws.bucket-replication = aws
		36 |   }
		37 | 
		38 |   bucket_prefix              = each.key
		39 |   acl                        = each.value.acl
		40 |   versioning_enabled         = each.value.versioning_enabled
		41 |   replication_enabled        = each.value.replication_enabled
		42 |   replication_region         = coalesce(each.value.replication_region, var.environment.region)
		43 |   bucket_policy              = each.value.bucket_policy
		44 |   bucket_policy_v2           = each.value.bucket_policy_v2
		45 |   custom_kms_key             = coalesce(each.value.custom_kms_key, var.environment.kms_keys["general"].arn)
		46 |   custom_replication_kms_key = coalesce(each.value.custom_replication_kms_key, var.environment.kms_keys["general"].arn)
		47 |   lifecycle_rule             = each.value.lifecycle_rule
		48 |   log_bucket                 = each.value.log_bucket
		49 |   log_prefix                 = each.value.log_prefix
		50 |   replication_role_arn       = each.value.replication_role_arn
		51 |   force_destroy              = each.value.force_destroy
		52 |   sse_algorithm              = each.value.sse_algorithm
		53 | 
		54 |   tags = merge(local.tags, each.value.tags)
		55 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: module.baseline.module.db_instance.aws_db_instance.this
	File: /../../modules/rds_instance/main.tf:5-58
	Calling File: /../../modules/baseline/rds_instance.tf:1-34

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
	FAILED for resource: module.baseline.module.db_instance.aws_db_instance.this
	File: /../../modules/rds_instance/main.tf:5-58
	Calling File: /../../modules/baseline/rds_instance.tf:1-34

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
	FAILED for resource: module.baseline.aws_ssm_parameter.fixed
	File: /../../modules/baseline/ssm.tf:51-67
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html

		51 | resource "aws_ssm_parameter" "fixed" {
		52 |   for_each = merge(
		53 |     local.ssm_parameters_value,
		54 |     local.ssm_parameters_random,
		55 |     local.ssm_parameters_file
		56 |   )
		57 | 
		58 |   name        = each.key
		59 |   description = each.value.description
		60 |   type        = each.value.type
		61 |   key_id      = each.value.key_id != null ? try(var.environment.kms_keys[each.value.key_id].arn, each.value.key_id) : null
		62 |   value       = each.value.value
		63 | 
		64 |   tags = merge(local.tags, {
		65 |     Name = each.key
		66 |   })
		67 | }

Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
	FAILED for resource: module.baseline.aws_ssm_parameter.placeholder
	File: /../../modules/baseline/ssm.tf:69-85
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html

		69 | resource "aws_ssm_parameter" "placeholder" {
		70 |   for_each = local.ssm_parameters_default
		71 | 
		72 |   name        = each.key
		73 |   description = each.value.description
		74 |   type        = each.value.type
		75 |   key_id      = each.value.key_id != null ? try(var.environment.kms_keys[each.value.key_id].arn, each.value.key_id) : null
		76 |   value       = each.value.value
		77 | 
		78 |   tags = merge(local.tags, {
		79 |     Name = each.key
		80 |   })
		81 | 
		82 |   lifecycle {
		83 |     ignore_changes = [value]
		84 |   }
		85 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: module.baseline.aws_security_group.route53_resolver[0]
	File: /../../modules/baseline/route53.tf:266-278
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis.html

		266 | resource "aws_security_group" "route53_resolver" {
		267 |   count = length(var.route53_resolvers) != 0 ? 1 : 0
		268 | 
		269 |   provider = aws.core-vpc
		270 | 
		271 |   name        = "${var.environment.application_name}-route53-resolver"
		272 |   description = "Route53 resolver security group for ${var.environment.application_name}"
		273 |   vpc_id      = var.environment.vpc.id
		274 | 
		275 |   tags = merge(local.tags, {
		276 |     Name = "${var.environment.application_name}-route53-resolver"
		277 |   })
		278 | }


checkov_exitcode=1

CTFLint Scan Failed

*****************************

Setting default tflint config...
Running tflint --init...
Installing `terraform` plugin...
Installed `terraform` (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.2.1)
tflint will check the following folders:
terraform/environments/nomis

*****************************

Running tflint in terraform/environments/nomis
Excluding the following checks: terraform_unused_declarations
6 issue(s) found:

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/nomis/locals_security_groups.tf line 22:
  22:       "${module.ip_addresses.mp_cidr[module.environment.vpc_name]}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/nomis/locals_security_groups.tf line 37:
  37:       "${module.ip_addresses.mp_cidr[module.environment.vpc_name]}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/nomis/locals_security_groups.tf line 41:
  41:       "${module.ip_addresses.mp_cidr[module.environment.vpc_name]}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/nomis/locals_security_groups.tf line 50:
  50:       "${module.ip_addresses.mp_cidr[module.environment.vpc_name]}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/nomis/locals_security_groups.tf line 65:
  65:       "${module.ip_addresses.mp_cidr[module.environment.vpc_name]}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/nomis/locals_security_groups.tf line 69:
  69:       "${module.ip_addresses.mp_cidr[module.environment.vpc_name]}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

tflint_exitcode=2

@github-actions
Contributor

TFSEC Scan Success

*****************************

TFSEC will check the following folders:
terraform/environments/nomis

*****************************

Running TFSEC in terraform/environments/nomis
Excluding the following checks: AWS095
  timings
  ──────────────────────────────────────────
  disk i/o             3.665823ms
  parsing              605.395225ms
  adaptation           717.805µs
  checks               22.243448ms
  total                632.022301ms

  counts
  ──────────────────────────────────────────
  modules downloaded   0
  modules processed    5
  blocks processed     270
  files read           73

  results
  ──────────────────────────────────────────
  passed               39
  ignored              4
  critical             0
  high                 0
  medium               0
  low                  0


No problems detected!

tfsec_exitcode=0

Checkov Scan Failed

*****************************

Checkov will check the following folders:
terraform/environments/nomis

*****************************

Running Checkov in terraform/environments/nomis
terraform scan results:

Passed checks: 110, Failed checks: 16, Skipped checks: 4

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.cloudwatch_datasource
	File: /ec2_common.tf:322-370

		322 | data "aws_iam_policy_document" "cloudwatch_datasource" {
		323 |   statement {
		324 |     sid    = "AllowReadingMetricsFromCloudWatch"
		325 |     effect = "Allow"
		326 |     actions = [
		327 |       "cloudwatch:DescribeAlarmsForMetric",
		328 |       "cloudwatch:DescribeAlarmHistory",
		329 |       "cloudwatch:DescribeAlarms",
		330 |       "cloudwatch:ListMetrics",
		331 |       "cloudwatch:GetMetricData",
		332 |       "cloudwatch:GetInsightRuleReport"
		333 |     ]
		334 |     #tfsec:ignore:aws-iam-no-policy-wildcards
		335 |     resources = ["*"]
		336 |   }
		337 |   statement {
		338 |     sid    = "AllowReadingLogsFromCloudWatch"
		339 |     effect = "Allow"
		340 |     actions = [
		341 |       "logs:DescribeLogGroups",
		342 |       "logs:GetLogGroupFields",
		343 |       "logs:StartQuery",
		344 |       "logs:StopQuery",
		345 |       "logs:GetQueryResults",
		346 |       "logs:GetLogEvents"
		347 |     ]
		348 |     #tfsec:ignore:aws-iam-no-policy-wildcards
		349 |     resources = ["*"]
		350 |   }
		351 |   statement {
		352 |     sid    = "AllowReadingTagsInstancesRegionsFromEC2"
		353 |     effect = "Allow"
		354 |     actions = [
		355 |       "ec2:DescribeTags",
		356 |       "ec2:DescribeInstances",
		357 |       "ec2:DescribeRegions"
		358 |     ]
		359 |     resources = ["*"]
		360 |   }
		361 |   statement {
		362 |     sid    = "AllowReadingResourcesForTags"
		363 |     effect = "Allow"
		364 |     actions = [
		365 |       "tag:GetResources"
		366 |     ]
		367 |     resources = ["*"]
		368 |   }
		369 | 
		370 | }

Check: CKV_AWS_112: "Ensure Session Manager data is encrypted in transit"
	FAILED for resource: aws_ssm_document.session_manager_settings
	File: /ec2_common.tf:5-33
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-session-manager-data-is-encrypted-in-transit.html

		5  | resource "aws_ssm_document" "session_manager_settings" {
		6  |   name            = "SSM-SessionManagerRunShell"
		7  |   document_type   = "Session"
		8  |   document_format = "JSON"
		9  | 
		10 |   content = jsonencode(
		11 |     {
		12 |       schemaVersion = "1.0"
		13 |       description   = "Document to hold regional settings for Session Manager"
		14 |       sessionType   = "Standard_Stream",
		15 |       inputs = {
		16 |         cloudWatchLogGroupName      = "session-manager-logs"
		17 |         cloudWatchEncryptionEnabled = false
		18 |         cloudWatchStreamingEnabled  = true
		19 |         s3BucketName                = ""
		20 |         s3KeyPrefix                 = ""
		21 |         s3EncryptionEnabled         = false
		22 |         idleSessionTimeout          = "20"
		23 |         kmsKeyId                    = "" # aws_kms_key.session_manager.arn
		24 |         runAsEnabled                = false
		25 |         runAsDefaultUser            = ""
		26 |         shellProfile = {
		27 |           windows = ""
		28 |           linux   = ""
		29 |         }
		30 |       }
		31 |     }
		32 |   )
		33 | }

Check: CKV_AWS_113: "Ensure Session Manager logs are enabled and encrypted"
	FAILED for resource: aws_ssm_document.session_manager_settings
	File: /ec2_common.tf:5-33
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-networking-62.html

		5  | resource "aws_ssm_document" "session_manager_settings" {
		6  |   name            = "SSM-SessionManagerRunShell"
		7  |   document_type   = "Session"
		8  |   document_format = "JSON"
		9  | 
		10 |   content = jsonencode(
		11 |     {
		12 |       schemaVersion = "1.0"
		13 |       description   = "Document to hold regional settings for Session Manager"
		14 |       sessionType   = "Standard_Stream",
		15 |       inputs = {
		16 |         cloudWatchLogGroupName      = "session-manager-logs"
		17 |         cloudWatchEncryptionEnabled = false
		18 |         cloudWatchStreamingEnabled  = true
		19 |         s3BucketName                = ""
		20 |         s3KeyPrefix                 = ""
		21 |         s3EncryptionEnabled         = false
		22 |         idleSessionTimeout          = "20"
		23 |         kmsKeyId                    = "" # aws_kms_key.session_manager.arn
		24 |         runAsEnabled                = false
		25 |         runAsDefaultUser            = ""
		26 |         shellProfile = {
		27 |           windows = ""
		28 |           linux   = ""
		29 |         }
		30 |       }
		31 |     }
		32 |   )
		33 | }

Check: CKV_AWS_166: "Ensure Backup Vault is encrypted at rest using KMS CMK"
	FAILED for resource: module.baseline.aws_backup_vault.this
	File: /../../modules/baseline/backups.tf:35-43
	Calling File: /main.tf:33-164
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-backup-vault-is-encrypted-at-rest-using-kms-cmk.html

		35 | resource "aws_backup_vault" "this" {
		36 |   for_each = local.backup_vaults
		37 | 
		38 |   name = each.key
		39 | 
		40 |   tags = merge(local.tags, each.value.tags, {
		41 |     Name = each.key
		42 |   })
		43 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.baseline.bastion_linux[0]
	File: /../../modules/baseline/bastion_linux.tf:1-36
	Calling File: /main.tf:33-164

		1  | module "bastion_linux" {
		2  |   count = var.bastion_linux != null ? 1 : 0
		3  | 
		4  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.0.0"
		5  | 
		6  |   providers = {
		7  |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		8  |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		9  |   }
		10 | 
		11 |   # s3 - used for logs and user ssh public keys
		12 |   bucket_name          = var.bastion_linux.bucket_name
		13 |   bucket_versioning    = var.bastion_linux.bucket_versioning
		14 |   bucket_force_destroy = var.bastion_linux.bucket_force_destroy
		15 | 
		16 |   # public keys
		17 |   public_key_data = var.bastion_linux.public_key_data
		18 | 
		19 |   # logs
		20 |   log_auto_clean       = var.bastion_linux.log_auto_clean
		21 |   log_standard_ia_days = var.bastion_linux.log_standard_ia_days
		22 |   log_glacier_days     = var.bastion_linux.log_glacier_days
		23 |   log_expiry_days      = var.bastion_linux.log_expiry_days
		24 | 
		25 |   # bastion
		26 |   allow_ssh_commands = var.bastion_linux.allow_ssh_commands
		27 | 
		28 |   app_name                = var.environment.application_name
		29 |   business_unit           = var.environment.business_unit
		30 |   subnet_set              = var.environment.subnet_set
		31 |   environment             = var.environment.environment
		32 |   region                  = var.environment.region
		33 |   extra_user_data_content = var.bastion_linux.extra_user_data_content
		34 |   tags_common             = merge(local.tags, var.bastion_linux.tags)
		35 |   tags_prefix             = terraform.workspace
		36 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.baseline.ec2_autoscaling_group
	File: /../../modules/baseline/ec2_autoscaling_group.tf:13-77
	Calling File: /main.tf:33-164

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.baseline.ec2_instance
	File: /../../modules/baseline/ec2_instance.tf:1-58
	Calling File: /main.tf:33-164

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.baseline.lb
	File: /../../modules/baseline/lb.tf:17-48
	Calling File: /main.tf:33-164

		17 | module "lb" {
		18 |   for_each = var.lbs
		19 | 
		20 |   source = "git::https://github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer.git?ref=v3.0.0"
		21 | 
		22 |   providers = {
		23 |     aws.bucket-replication = aws
		24 |   }
		25 | 
		26 |   account_number             = var.environment.account_id
		27 |   application_name           = each.key
		28 |   enable_deletion_protection = each.value.enable_delete_protection
		29 |   force_destroy_bucket       = each.value.force_destroy_bucket
		30 |   idle_timeout               = each.value.idle_timeout
		31 |   internal_lb                = each.value.internal_lb
		32 |   load_balancer_type         = each.value.load_balancer_type
		33 |   lb_target_groups           = each.value.lb_target_groups
		34 |   access_logs                = lookup(each.value, "access_logs", true)
		35 | 
		36 |   security_groups = [
		37 |     for sg in each.value.security_groups : lookup(aws_security_group.this, sg, null) != null ? aws_security_group.this[sg].id : sg
		38 |   ]
		39 | 
		40 |   public_subnets = each.value.public_subnets
		41 |   region         = var.environment.region
		42 |   vpc_all        = var.environment.vpc_name
		43 |   tags           = merge(local.tags, each.value.tags)
		44 | 
		45 |   depends_on = [
		46 |     module.ec2_autoscaling_group, # ensure ASG target groups are created first
		47 |   ]
		48 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: module.baseline.aws_cloudwatch_log_group.route53
	File: /../../modules/baseline/route53.tf:156-167
	Calling File: /main.tf:33-164

		156 | resource "aws_cloudwatch_log_group" "route53" {
		157 |   for_each = local.route53_zones_to_create
		158 | 
		159 |   provider = aws.us-east-1
		160 | 
		161 |   name              = "/route53/${each.key}"
		162 |   retention_in_days = 30
		163 | 
		164 |   tags = merge(local.tags, {
		165 |     Name = "aws/route53/${each.key}"
		166 |   })
		167 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: module.baseline.aws_cloudwatch_log_group.route53
	File: /../../modules/baseline/route53.tf:156-167
	Calling File: /main.tf:33-164
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html

		156 | resource "aws_cloudwatch_log_group" "route53" {
		157 |   for_each = local.route53_zones_to_create
		158 | 
		159 |   provider = aws.us-east-1
		160 | 
		161 |   name              = "/route53/${each.key}"
		162 |   retention_in_days = 30
		163 | 
		164 |   tags = merge(local.tags, {
		165 |     Name = "aws/route53/${each.key}"
		166 |   })
		167 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.baseline.s3_bucket
	File: /../../modules/baseline/s3_bucket.tf:29-55
	Calling File: /main.tf:33-164

		29 | module "s3_bucket" {
		30 |   for_each = var.s3_buckets
		31 | 
		32 |   source = "git::https://github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0"
		33 | 
		34 |   providers = {
		35 |     aws.bucket-replication = aws
		36 |   }
		37 | 
		38 |   bucket_prefix              = each.key
		39 |   acl                        = each.value.acl
		40 |   versioning_enabled         = each.value.versioning_enabled
		41 |   replication_enabled        = each.value.replication_enabled
		42 |   replication_region         = coalesce(each.value.replication_region, var.environment.region)
		43 |   bucket_policy              = each.value.bucket_policy
		44 |   bucket_policy_v2           = each.value.bucket_policy_v2
		45 |   custom_kms_key             = coalesce(each.value.custom_kms_key, var.environment.kms_keys["general"].arn)
		46 |   custom_replication_kms_key = coalesce(each.value.custom_replication_kms_key, var.environment.kms_keys["general"].arn)
		47 |   lifecycle_rule             = each.value.lifecycle_rule
		48 |   log_bucket                 = each.value.log_bucket
		49 |   log_prefix                 = each.value.log_prefix
		50 |   replication_role_arn       = each.value.replication_role_arn
		51 |   force_destroy              = each.value.force_destroy
		52 |   sse_algorithm              = each.value.sse_algorithm
		53 | 
		54 |   tags = merge(local.tags, each.value.tags)
		55 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: module.baseline.module.db_instance.aws_db_instance.this
	File: /../../modules/rds_instance/main.tf:5-58
	Calling File: /../../modules/baseline/rds_instance.tf:1-34

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
	FAILED for resource: module.baseline.module.db_instance.aws_db_instance.this
	File: /../../modules/rds_instance/main.tf:5-58
	Calling File: /../../modules/baseline/rds_instance.tf:1-34

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: module.baseline.aws_security_group.route53_resolver[0]
	File: /../../modules/baseline/route53.tf:266-278
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis.html

		266 | resource "aws_security_group" "route53_resolver" {
		267 |   count = length(var.route53_resolvers) != 0 ? 1 : 0
		268 | 
		269 |   provider = aws.core-vpc
		270 | 
		271 |   name        = "${var.environment.application_name}-route53-resolver"
		272 |   description = "Route53 resolver security group for ${var.environment.application_name}"
		273 |   vpc_id      = var.environment.vpc.id
		274 | 
		275 |   tags = merge(local.tags, {
		276 |     Name = "${var.environment.application_name}-route53-resolver"
		277 |   })
		278 | }

Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
	FAILED for resource: module.baseline.aws_ssm_parameter.fixed
	File: /../../modules/baseline/ssm.tf:51-67
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html

		51 | resource "aws_ssm_parameter" "fixed" {
		52 |   for_each = merge(
		53 |     local.ssm_parameters_value,
		54 |     local.ssm_parameters_random,
		55 |     local.ssm_parameters_file
		56 |   )
		57 | 
		58 |   name        = each.key
		59 |   description = each.value.description
		60 |   type        = each.value.type
		61 |   key_id      = each.value.key_id != null ? try(var.environment.kms_keys[each.value.key_id].arn, each.value.key_id) : null
		62 |   value       = each.value.value
		63 | 
		64 |   tags = merge(local.tags, {
		65 |     Name = each.key
		66 |   })
		67 | }

Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
	FAILED for resource: module.baseline.aws_ssm_parameter.placeholder
	File: /../../modules/baseline/ssm.tf:69-85
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html

		69 | resource "aws_ssm_parameter" "placeholder" {
		70 |   for_each = local.ssm_parameters_default
		71 | 
		72 |   name        = each.key
		73 |   description = each.value.description
		74 |   type        = each.value.type
		75 |   key_id      = each.value.key_id != null ? try(var.environment.kms_keys[each.value.key_id].arn, each.value.key_id) : null
		76 |   value       = each.value.value
		77 | 
		78 |   tags = merge(local.tags, {
		79 |     Name = each.key
		80 |   })
		81 | 
		82 |   lifecycle {
		83 |     ignore_changes = [value]
		84 |   }
		85 | }


checkov_exitcode=1

CTFLint Scan Failed

*****************************

Setting default tflint config...
Running tflint --init...
Installing `terraform` plugin...
Installed `terraform` (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.2.1)
tflint will check the following folders:
terraform/environments/nomis

*****************************

Running tflint in terraform/environments/nomis
Excluding the following checks: terraform_unused_declarations
6 issue(s) found:

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/nomis/locals_security_groups.tf line 22:
  22:       "${module.ip_addresses.mp_cidr[module.environment.vpc_name]}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/nomis/locals_security_groups.tf line 37:
  37:       "${module.ip_addresses.mp_cidr[module.environment.vpc_name]}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/nomis/locals_security_groups.tf line 41:
  41:       "${module.ip_addresses.mp_cidr[module.environment.vpc_name]}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/nomis/locals_security_groups.tf line 50:
  50:       "${module.ip_addresses.mp_cidr[module.environment.vpc_name]}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/nomis/locals_security_groups.tf line 65:
  65:       "${module.ip_addresses.mp_cidr[module.environment.vpc_name]}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/nomis/locals_security_groups.tf line 69:
  69:       "${module.ip_addresses.mp_cidr[module.environment.vpc_name]}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

tflint_exitcode=2

@github-actions

TFSEC Scan Success

*****************************

TFSEC will check the following folders:

Checkov Scan Success

*****************************

Checkov will check the following folders:

CTFLint Scan Success

*****************************

Setting default tflint config...
Running tflint --init...
Installing `terraform` plugin...
Installed `terraform` (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.2.1)
tflint will check the following folders:

@tajewole-moj tajewole-moj temporarily deployed to portal-development August 15, 2023 11:52 — with GitHub Actions Inactive
@vc13837 vc13837 temporarily deployed to portal-development August 16, 2023 12:20 — with GitHub Actions Inactive
@tajewole-moj tajewole-moj merged commit d16f610 into main Aug 17, 2023
@tajewole-moj tajewole-moj deleted the create-SSL-cert-LAWS-3314 branch August 17, 2023 09:18