rename server instance #3284

Merged 1 commit, Sep 5, 2023

Conversation

@robertsweetman (Contributor) commented Sep 5, 2023

Can't duplicate the server name that the ASG has.

@robertsweetman robertsweetman requested review from a team as code owners September 5, 2023 08:25
@github-actions github-actions bot added the environments-repository Used to exclude PRs from this repo in our Slack PR update label Sep 5, 2023
@robertsweetman robertsweetman had a problem deploying to corporate-staff-rostering-development September 5, 2023 08:27 — with GitHub Actions Failure
@github-actions bot commented Sep 5, 2023

TFSEC Scan Success

*****************************

TFSEC will check the following folders:
terraform/environments/corporate-staff-rostering

*****************************

Running TFSEC in terraform/environments/corporate-staff-rostering
Excluding the following checks: AWS095
  timings
  ──────────────────────────────────────────
  disk i/o             1.697419ms
  parsing              198.577752ms
  adaptation           125.301µs
  checks               16.278193ms
  total                216.678665ms

  counts
  ──────────────────────────────────────────
  modules downloaded   0
  modules processed    5
  blocks processed     262
  files read           69

  results
  ──────────────────────────────────────────
  passed               3
  ignored              0
  critical             0
  high                 0
  medium               0
  low                  0


No problems detected!

tfsec_exitcode=0

Checkov Scan Failed

*****************************

Checkov will check the following folders:
terraform/environments/corporate-staff-rostering

*****************************

Running Checkov in terraform/environments/corporate-staff-rostering
terraform scan results:

Passed checks: 92, Failed checks: 14, Skipped checks: 4

Check: CKV_AWS_166: "Ensure Backup Vault is encrypted at rest using KMS CMK"
	FAILED for resource: module.baseline.aws_backup_vault.this
	File: /../../modules/baseline/backups.tf:35-43
	Calling File: /main.tf:33-134
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-backup-vault-is-encrypted-at-rest-using-kms-cmk.html

		35 | resource "aws_backup_vault" "this" {
		36 |   for_each = local.backup_vaults
		37 | 
		38 |   name = each.key
		39 | 
		40 |   tags = merge(local.tags, each.value.tags, {
		41 |     Name = each.key
		42 |   })
		43 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.baseline.bastion_linux[0]
	File: /../../modules/baseline/bastion_linux.tf:1-36
	Calling File: /main.tf:33-134

		1  | module "bastion_linux" {
		2  |   count = var.bastion_linux != null ? 1 : 0
		3  | 
		4  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.0.0"
		5  | 
		6  |   providers = {
		7  |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		8  |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		9  |   }
		10 | 
		11 |   # s3 - used for logs and user ssh public keys
		12 |   bucket_name          = var.bastion_linux.bucket_name
		13 |   bucket_versioning    = var.bastion_linux.bucket_versioning
		14 |   bucket_force_destroy = var.bastion_linux.bucket_force_destroy
		15 | 
		16 |   # public keys
		17 |   public_key_data = var.bastion_linux.public_key_data
		18 | 
		19 |   # logs
		20 |   log_auto_clean       = var.bastion_linux.log_auto_clean
		21 |   log_standard_ia_days = var.bastion_linux.log_standard_ia_days
		22 |   log_glacier_days     = var.bastion_linux.log_glacier_days
		23 |   log_expiry_days      = var.bastion_linux.log_expiry_days
		24 | 
		25 |   # bastion
		26 |   allow_ssh_commands = var.bastion_linux.allow_ssh_commands
		27 | 
		28 |   app_name                = var.environment.application_name
		29 |   business_unit           = var.environment.business_unit
		30 |   subnet_set              = var.environment.subnet_set
		31 |   environment             = var.environment.environment
		32 |   region                  = var.environment.region
		33 |   extra_user_data_content = var.bastion_linux.extra_user_data_content
		34 |   tags_common             = merge(local.tags, var.bastion_linux.tags)
		35 |   tags_prefix             = terraform.workspace
		36 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.baseline.ec2_autoscaling_group
	File: /../../modules/baseline/ec2_autoscaling_group.tf:13-77
	Calling File: /main.tf:33-134

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.baseline.ec2_instance
	File: /../../modules/baseline/ec2_instance.tf:1-58
	Calling File: /main.tf:33-134

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.baseline.lb
	File: /../../modules/baseline/lb.tf:17-48
	Calling File: /main.tf:33-134

		17 | module "lb" {
		18 |   for_each = var.lbs
		19 | 
		20 |   source = "git::https://github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer.git?ref=v3.0.0"
		21 | 
		22 |   providers = {
		23 |     aws.bucket-replication = aws
		24 |   }
		25 | 
		26 |   account_number             = var.environment.account_id
		27 |   application_name           = each.key
		28 |   enable_deletion_protection = each.value.enable_delete_protection
		29 |   force_destroy_bucket       = each.value.force_destroy_bucket
		30 |   idle_timeout               = each.value.idle_timeout
		31 |   internal_lb                = each.value.internal_lb
		32 |   load_balancer_type         = each.value.load_balancer_type
		33 |   lb_target_groups           = each.value.lb_target_groups
		34 |   access_logs                = lookup(each.value, "access_logs", true)
		35 | 
		36 |   security_groups = [
		37 |     for sg in each.value.security_groups : lookup(aws_security_group.this, sg, null) != null ? aws_security_group.this[sg].id : sg
		38 |   ]
		39 | 
		40 |   public_subnets = each.value.public_subnets
		41 |   region         = var.environment.region
		42 |   vpc_all        = var.environment.vpc_name
		43 |   tags           = merge(local.tags, each.value.tags)
		44 | 
		45 |   depends_on = [
		46 |     module.ec2_autoscaling_group, # ensure ASG target groups are created first
		47 |   ]
		48 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: module.baseline.aws_cloudwatch_log_group.route53
	File: /../../modules/baseline/route53.tf:156-167
	Calling File: /main.tf:33-134
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html

		156 | resource "aws_cloudwatch_log_group" "route53" {
		157 |   for_each = local.route53_zones_to_create
		158 | 
		159 |   provider = aws.us-east-1
		160 | 
		161 |   name              = "/route53/${each.key}"
		162 |   retention_in_days = 30
		163 | 
		164 |   tags = merge(local.tags, {
		165 |     Name = "aws/route53/${each.key}"
		166 |   })
		167 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: module.baseline.aws_cloudwatch_log_group.route53
	File: /../../modules/baseline/route53.tf:156-167
	Calling File: /main.tf:33-134

		156 | resource "aws_cloudwatch_log_group" "route53" {
		157 |   for_each = local.route53_zones_to_create
		158 | 
		159 |   provider = aws.us-east-1
		160 | 
		161 |   name              = "/route53/${each.key}"
		162 |   retention_in_days = 30
		163 | 
		164 |   tags = merge(local.tags, {
		165 |     Name = "aws/route53/${each.key}"
		166 |   })
		167 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.baseline.s3_bucket
	File: /../../modules/baseline/s3_bucket.tf:29-55
	Calling File: /main.tf:33-134

		29 | module "s3_bucket" {
		30 |   for_each = var.s3_buckets
		31 | 
		32 |   source = "git::https://github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0"
		33 | 
		34 |   providers = {
		35 |     aws.bucket-replication = aws
		36 |   }
		37 | 
		38 |   bucket_prefix              = each.key
		39 |   acl                        = each.value.acl
		40 |   versioning_enabled         = each.value.versioning_enabled
		41 |   replication_enabled        = each.value.replication_enabled
		42 |   replication_region         = coalesce(each.value.replication_region, var.environment.region)
		43 |   bucket_policy              = each.value.bucket_policy
		44 |   bucket_policy_v2           = each.value.bucket_policy_v2
		45 |   custom_kms_key             = coalesce(each.value.custom_kms_key, var.environment.kms_keys["general"].arn)
		46 |   custom_replication_kms_key = coalesce(each.value.custom_replication_kms_key, var.environment.kms_keys["general"].arn)
		47 |   lifecycle_rule             = each.value.lifecycle_rule
		48 |   log_bucket                 = each.value.log_bucket
		49 |   log_prefix                 = each.value.log_prefix
		50 |   replication_role_arn       = each.value.replication_role_arn
		51 |   force_destroy              = each.value.force_destroy
		52 |   sse_algorithm              = each.value.sse_algorithm
		53 | 
		54 |   tags = merge(local.tags, each.value.tags)
		55 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: module.baseline.module.db_instance.aws_db_instance.this
	File: /../../modules/rds_instance/main.tf:5-58
	Calling File: /../../modules/baseline/rds_instance.tf:1-34

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
	FAILED for resource: module.baseline.module.db_instance.aws_db_instance.this
	File: /../../modules/rds_instance/main.tf:5-58
	Calling File: /../../modules/baseline/rds_instance.tf:1-34

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: module.baseline.aws_security_group.route53_resolver[0]
	File: /../../modules/baseline/route53.tf:266-278
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis.html

		266 | resource "aws_security_group" "route53_resolver" {
		267 |   count = length(var.route53_resolvers) != 0 ? 1 : 0
		268 | 
		269 |   provider = aws.core-vpc
		270 | 
		271 |   name        = "${var.environment.application_name}-route53-resolver"
		272 |   description = "Route53 resolver security group for ${var.environment.application_name}"
		273 |   vpc_id      = var.environment.vpc.id
		274 | 
		275 |   tags = merge(local.tags, {
		276 |     Name = "${var.environment.application_name}-route53-resolver"
		277 |   })
		278 | }

Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
	FAILED for resource: module.baseline.aws_ssm_parameter.fixed
	File: /../../modules/baseline/ssm.tf:56-72
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html

		56 | resource "aws_ssm_parameter" "fixed" {
		57 |   for_each = merge(
		58 |     local.ssm_parameters_value,
		59 |     local.ssm_parameters_random,
		60 |     local.ssm_parameters_file
		61 |   )
		62 | 
		63 |   name        = each.key
		64 |   description = each.value.description
		65 |   type        = each.value.type
		66 |   key_id      = each.value.kms_key_id != null ? try(var.environment.kms_keys[each.value.kms_key_id].arn, each.value.kms_key_id) : null
		67 |   value       = each.value.value
		68 | 
		69 |   tags = merge(local.tags, {
		70 |     Name = each.key
		71 |   })
		72 | }

Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
	FAILED for resource: module.baseline.aws_ssm_parameter.placeholder
	File: /../../modules/baseline/ssm.tf:74-90
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html

		74 | resource "aws_ssm_parameter" "placeholder" {
		75 |   for_each = local.ssm_parameters_default
		76 | 
		77 |   name        = each.key
		78 |   description = each.value.description
		79 |   type        = each.value.type
		80 |   key_id      = each.value.kms_key_id != null ? try(var.environment.kms_keys[each.value.kms_key_id].arn, each.value.kms_key_id) : null
		81 |   value       = each.value.value
		82 | 
		83 |   tags = merge(local.tags, {
		84 |     Name = each.key
		85 |   })
		86 | 
		87 |   lifecycle {
		88 |     ignore_changes = [value]
		89 |   }
		90 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: module.baseline.aws_secretsmanager_secret.this
	File: /../../modules/baseline/secretsmanager.tf:93-110

		93  | resource "aws_secretsmanager_secret" "this" {
		94  |   for_each = merge(
		95  |     local.secretsmanager_secrets_value,
		96  |     local.secretsmanager_secrets_random,
		97  |     local.secretsmanager_secrets_file,
		98  |     local.secretsmanager_secrets_default
		99  |   )
		100 | 
		101 |   name                    = each.key
		102 |   description             = each.value.description
		103 |   kms_key_id              = each.value.kms_key_id != null ? try(var.environment.kms_keys[each.value.kms_key_id].arn, each.value.kms_key_id) : null
		104 |   policy                  = each.value.policy != null ? data.aws_iam_policy_document.secretsmanager_secret_policy[each.value.policy_key].json : null
		105 |   recovery_window_in_days = each.value.recovery_window_in_days
		106 | 
		107 |   tags = merge(local.tags, {
		108 |     Name = each.key
		109 |   })
		110 | }


checkov_exitcode=1

TFLint Scan Failed

*****************************

Setting default tflint config...
Running tflint --init...
Installing `terraform` plugin...
Installed `terraform` (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.2.1)
tflint will check the following folders:
terraform/environments/corporate-staff-rostering

*****************************

Running tflint in terraform/environments/corporate-staff-rostering
Excluding the following checks: terraform_unused_declarations
4 issue(s) found:

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/corporate-staff-rostering/locals_security_groups.tf line 23:
  23:       "${module.ip_addresses.mp_cidr[module.environment.vpc_name]}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/corporate-staff-rostering/locals_security_groups.tf line 27:
  27:       "${module.ip_addresses.mp_cidr[module.environment.vpc_name]}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/corporate-staff-rostering/locals_security_groups.tf line 52:
  52:       "${module.ip_addresses.mp_cidr[module.environment.vpc_name]}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/corporate-staff-rostering/locals_security_groups.tf line 56:
  56:       "${module.ip_addresses.mp_cidr[module.environment.vpc_name]}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

tflint_exitcode=2
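Of the Checkov findings above, the four CKV_TF_1 hits carry the most supply-chain weight: `?ref=v4.0.0` and `?ref=v3.0.0` are git tags, and a tag can be re-pointed upstream, so a later `terraform init` may fetch different code from what was reviewed in this PR, whereas a full commit hash names one exact tree. The script below is an added example, not code from this PR or from the modernisation-platform repositories. It audits `module` sources in raw HCL for that property: the sample HCL is constructed (its first two sources are the ones Checkov flagged, the 40-hex value is a placeholder rather than a real commit), the classification rules are the editor's own rather than Checkov's, and sources are pulled out with a regex over the text instead of a real HCL parser.

```python
"""Audit Terraform module sources for mutable git refs (the CKV_TF_1 idea).

Added example; not code from this PR or the modernisation-platform repos.
The classification rules below are the editor's own, the sample HCL is
constructed, and sources are pulled out with a regex over raw text rather
than a real HCL parser.
"""
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import parse_qs, urlparse

# Matches `source = "..."` lines; module blocks are the only place it appears.
SOURCE_RE = re.compile(r'^\s*source\s*=\s*"([^"]+)"', re.MULTILINE)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


@dataclass
class Finding:
    source: str
    kind: str            # "local", "registry" or "git"
    ref: Optional[str]   # value of ?ref=, if the source is git-based
    pinned: bool         # True only when the fetched code cannot drift
    reason: str


def _git_ref(source: str) -> Optional[str]:
    """Return the ?ref= value of a git-style source, or None when absent."""
    url = source.split("::", 1)[1] if "::" in source else source
    if "://" not in url:             # github.com/org/repo shorthand has no scheme
        url = "https://" + url
    return parse_qs(urlparse(url).query).get("ref", [None])[0]


def classify(source: str) -> Finding:
    if source.startswith(("./", "../")):
        return Finding(source, "local", None, True,
                       "local path, versioned with the calling repo")
    looks_git = (source.startswith("git::") or source.startswith("github.com/")
                 or ".git" in source)
    if not looks_git:
        return Finding(source, "registry", None, False,
                       "registry source: pin with an exact version constraint "
                       "(.terraform.lock.hcl records providers, not modules)")
    ref = _git_ref(source)
    if ref is None:
        return Finding(source, "git", None, False,
                       "no ref, follows the default branch")
    if FULL_SHA_RE.match(ref):
        return Finding(source, "git", ref, True, "full 40-hex commit hash")
    if re.fullmatch(r"[0-9a-f]{7,39}", ref):
        return Finding(source, "git", ref, False,
                       "abbreviated hash: may become ambiguous, not a pin")
    return Finding(source, "git", ref, False,
                   "tag or branch, can be re-pointed upstream")


def audit(hcl: str) -> List[Finding]:
    return [classify(m.group(1)) for m in SOURCE_RE.finditer(hcl)]


def unpinned(hcl: str) -> List[str]:
    return [f.source for f in audit(hcl) if not f.pinned]


# Constructed sample: the first two sources are the ones Checkov flagged above;
# the 40-hex value is a placeholder, not a real commit in any repository.
SAMPLE_TF = """
module "bastion_linux" {
  source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.0.0"
}
module "lb" {
  source = "git::https://github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer.git?ref=v3.0.0"
}
module "pinned" {
  source = "git::https://github.com/example-org/example-module.git?ref=0123456789abcdef0123456789abcdef01234567"
}
module "short_hash" {
  source = "git::https://github.com/example-org/example-module.git?ref=0123456"
}
module "floating" {
  source = "git::https://github.com/example-org/example-module.git"
}
module "baseline" {
  source = "../../modules/baseline"
}
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_TF):
        print("OK      " if f.pinned else "UNPINNED", f.source, "-", f.reason)
```

Run it over a real tree by reading each `*.tf` file into `audit()`; anything it reports as unpinned is what CKV_TF_1 is objecting to. Pinning to a hash trades convenience for reproducibility: upgrades then arrive only through explicit PRs (dependency-update bots can raise them), and the short-hash case is treated as unpinned on purpose, since an abbreviated prefix can become ambiguous as the repository grows.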

@robertsweetman robertsweetman had a problem deploying to corporate-staff-rostering-development September 5, 2023 08:28 — with GitHub Actions Failure
@robertsweetman robertsweetman merged commit 8df5fc0 into main Sep 5, 2023
18 of 20 checks passed
@robertsweetman robertsweetman deleted the csr/rename-test-server branch September 5, 2023 08:31
2 participants