Test_Instance_120923_2 #3341

Merged
merged 1 commit into from
Sep 12, 2023

Conversation

nbuckingham72
Collaborator

No description provided.

@nbuckingham72 nbuckingham72 requested review from a team as code owners September 12, 2023 08:36
@github-actions github-actions bot added the environments-repository Used to exclude PRs from this repo in our Slack PR update label Sep 12, 2023
@github-actions
Contributor

TFSEC Scan Failed

*****************************

TFSEC will check the following folders:
terraform/environments/delius-core/modules/environment_all_components

*****************************

Running TFSEC in terraform/environments/delius-core/modules/environment_all_components
Excluding the following checks: AWS095

======================================================
tfsec is joining the Trivy family

tfsec will continue to remain available 
for the time being, although our engineering 
attention will be directed at Trivy going forward.

You can read more here: 
https://github.com/aquasecurity/tfsec/discussions/1994
======================================================

Result #1 CRITICAL Security group rule allows egress to multiple public internet addresses. 
────────────────────────────────────────────────────────────────────────────────
  ldap_ecs.tf:89
────────────────────────────────────────────────────────────────────────────────
   83    resource "aws_security_group_rule" "allow_all_egress" {
   84      description       = "Allow all outbound traffic to any IPv4 address"
   85      type              = "egress"
   86      from_port         = 0
   87      to_port           = 0
   88      protocol          = "-1"
   89  [   cidr_blocks       = ["0.0.0.0/0"]
   90      security_group_id = aws_security_group.ldap.id
   91    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-no-public-egress-sgr
      Impact Your port is egressing data to the internet
  Resolution Set a more restrictive cidr range

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/no-public-egress-sgr/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
────────────────────────────────────────────────────────────────────────────────


Result #2 CRITICAL Security group rule allows egress to multiple public internet addresses. 
────────────────────────────────────────────────────────────────────────────────
  weblogic_service.tf:197
────────────────────────────────────────────────────────────────────────────────
  191    resource "aws_security_group_rule" "weblogic_allow_all_egress" {
  192      description       = "Allow all outbound traffic to any IPv4 address"
  193      type              = "egress"
  194      from_port         = 0
  195      to_port           = 0
  196      protocol          = "-1"
  197  [   cidr_blocks       = ["0.0.0.0/0"]
  198      security_group_id = aws_security_group.weblogic.id
  199    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-no-public-egress-sgr
      Impact Your port is egressing data to the internet
  Resolution Set a more restrictive cidr range

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/no-public-egress-sgr/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
────────────────────────────────────────────────────────────────────────────────


Results #3-5 HIGH IAM policy document uses sensitive action 'ssm:GetParameters' on wildcarded resource '*' (3 similar results)
────────────────────────────────────────────────────────────────────────────────
  ../ecs_policies/main.tf:107
   via ldap_ecs.tf:1-14 (module.ldap_ecs_policies)
────────────────────────────────────────────────────────────────────────────────
  104    data "aws_iam_policy_document" "task_exec" {
  ...  
  107  [     resources = ["*"]
  ...  
  121    }
────────────────────────────────────────────────────────────────────────────────
  Individual Causes
  - ../ecs_policies/main.tf:1-14 (module.ldap_ecs_policies) 3 instances
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Results #6-8 HIGH IAM policy document uses sensitive action 'elasticloadbalancing:Describe*' on wildcarded resource '*' (3 similar results)
────────────────────────────────────────────────────────────────────────────────
  ../ecs_policies/main.tf:46
   via ldap_ecs.tf:1-14 (module.ldap_ecs_policies)
────────────────────────────────────────────────────────────────────────────────
   43    data "aws_iam_policy_document" "service_policy" {
   ..  
   46  [     resources = ["*"]
   ..  
   58    }
────────────────────────────────────────────────────────────────────────────────
  Individual Causes
  - ../ecs_policies/main.tf:1-14 (module.ldap_ecs_policies) 3 instances
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Results #9-14 HIGH IAM policy document uses wildcarded action 'elasticloadbalancing:Describe*' (6 similar results)
────────────────────────────────────────────────────────────────────────────────
  ../ecs_policies/main.tf:48-56
   via ldap_ecs.tf:1-14 (module.ldap_ecs_policies)
────────────────────────────────────────────────────────────────────────────────
   43    data "aws_iam_policy_document" "service_policy" {
   44      statement {
   45        effect    = "Allow"
   46        resources = ["*"]
   47    
   48  ┌     actions = concat([
   49  │       "elasticloadbalancing:Describe*",
   50  │       "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
   51  │       "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
   ..  
────────────────────────────────────────────────────────────────────────────────
  Individual Causes
  - ../ecs_policies/main.tf:1-14 (module.ldap_ecs_policies) 6 instances
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Results #15-16 HIGH IAM policy document uses sensitive action 's3:ListBucket' on wildcarded resource 'arn:aws:s3:::mod-platform-image-artefact-bucket*/*' (2 similar results)
────────────────────────────────────────────────────────────────────────────────
  db_ec2.tf:105-108
────────────────────────────────────────────────────────────────────────────────
   98    data "aws_iam_policy_document" "core_shared_services_bucket_access" {
   99      statement {
  100        effect = "Allow"
  101        actions = [
  102          "s3:ListBucket",
  103          "s3:GetObject"
  104        ]
  105  ┌     resources = [
  106  │       "arn:aws:s3:::mod-platform-image-artefact-bucket*/*",
  ...  
────────────────────────────────────────────────────────────────────────────────
  Individual Causes
  - db_ec2.tf:98-110 (data.aws_iam_policy_document.core_shared_services_bucket_access) 2 instances
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Results #17-20 HIGH IAM policy document uses wildcarded action 'kms:Encrypt' (4 similar results)
────────────────────────────────────────────────────────────────────────────────
  db_ec2.tf:73-82
────────────────────────────────────────────────────────────────────────────────
   70    data "aws_iam_policy_document" "business_unit_kms_key_access" {
   71      statement {
   72        effect = "Allow"
   73  ┌     actions = [
   74  │       "kms:Encrypt",
   75  │       "kms:Decrypt",
   76  │       "kms:ReEncrypt*",
   77  │       "kms:GenerateDataKey*",
   78  │       "kms:DescribeKey",
   ..  
────────────────────────────────────────────────────────────────────────────────
  Individual Causes
  - db_ec2.tf:70-87 (data.aws_iam_policy_document.business_unit_kms_key_access) 4 instances
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #21 HIGH IAM policy document uses sensitive action 'efs:DescribeFileSystems' on wildcarded resource '*' 
────────────────────────────────────────────────────────────────────────────────
  ldap_backups.tf:100
────────────────────────────────────────────────────────────────────────────────
   97    data "aws_iam_policy_document" "efs_backup_policy" {
   ..  
  100  [     resources = ["*"]
  ...  
  134    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #22 HIGH IAM policy document uses sensitive action 'backup:CreateBackupPlan' on wildcarded resource '*' 
────────────────────────────────────────────────────────────────────────────────
  ldap_backups.tf:72
────────────────────────────────────────────────────────────────────────────────
   69    data "aws_iam_policy_document" "delius_core_backup_policy" {
   ..  
   72  [     resources = ["*"]
   ..  
   89    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #23 HIGH IAM policy document uses sensitive action 'elasticloadbalancing:Describe*' on wildcarded resource '*' 
────────────────────────────────────────────────────────────────────────────────
  ldap_ecs.tf:170
────────────────────────────────────────────────────────────────────────────────
  167    data "aws_iam_policy_document" "ecs_service_policy" {
  ...  
  170  [     resources = ["*"]
  ...  
  182    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Results #24-25 HIGH IAM policy document uses wildcarded action 'elasticloadbalancing:Describe*' (2 similar results)
────────────────────────────────────────────────────────────────────────────────
  ldap_ecs.tf:172-180
────────────────────────────────────────────────────────────────────────────────
  167    data "aws_iam_policy_document" "ecs_service_policy" {
  168      statement {
  169        effect    = "Allow"
  170        resources = ["*"]
  171    
  172  ┌     actions = [
  173  │       "elasticloadbalancing:Describe*",
  174  │       "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
  175  │       "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
  ...  
────────────────────────────────────────────────────────────────────────────────
  Individual Causes
  - ldap_ecs.tf:167-182 (data.aws_iam_policy_document.ecs_service_policy) 2 instances
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #26 HIGH IAM policy document uses wildcarded action 's3:*' 
────────────────────────────────────────────────────────────────────────────────
  ldap_ecs.tf:209-211
────────────────────────────────────────────────────────────────────────────────
  204    data "aws_iam_policy_document" "ecs_s3" {
  205      statement {
  206        effect    = "Allow"
  207        resources = [module.s3_bucket_migration.bucket.arn]
  208    
  209  ┌     actions = [
  210  │       "s3:*"
  211  └     ]
  212      }
  213    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #27 HIGH IAM policy document uses sensitive action 'ssm:GetParameters' on wildcarded resource '*' 
────────────────────────────────────────────────────────────────────────────────
  ldap_ecs.tf:248
────────────────────────────────────────────────────────────────────────────────
  245    data "aws_iam_policy_document" "ecs_exec" {
  ...  
  248  [     resources = ["*"]
  ...  
  262    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #28 LOW Log group is not encrypted. 
────────────────────────────────────────────────────────────────────────────────
  db_service.tf:114-118
────────────────────────────────────────────────────────────────────────────────
  114    resource "aws_cloudwatch_log_group" "delius_core_testing_db_log_group" {
  115      name              = format("%s-%s", var.env_name, var.delius_db_container_config.fully_qualified_name)
  116      retention_in_days = 7
  117      tags              = local.tags
  118    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-cloudwatch-log-group-customer-key
      Impact Log data may be leaked if the logs are compromised. No auditing of who have viewed the logs.
  Resolution Enable CMK encryption of CloudWatch Log Groups

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/cloudwatch/log-group-customer-key/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group#kms_key_id
────────────────────────────────────────────────────────────────────────────────


Result #29 LOW Security group rule does not have a description. 
────────────────────────────────────────────────────────────────────────────────
  ldap_ecs.tf:113-120
────────────────────────────────────────────────────────────────────────────────
  113    resource "aws_security_group_rule" "efs_ingress_ldap" {
  114      type                     = "ingress"
  115      from_port                = 2049
  116      to_port                  = 2049
  117      protocol                 = "tcp"
  118      source_security_group_id = aws_security_group.ldap_efs.id
  119      security_group_id        = aws_security_group.ldap.id
  120    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-add-description-to-security-group-rule
      Impact Descriptions provide context for the firewall rule reasons
  Resolution Add descriptions for all security groups rules

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/add-description-to-security-group-rule/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule
────────────────────────────────────────────────────────────────────────────────


Result #30 LOW Log group is not encrypted. 
────────────────────────────────────────────────────────────────────────────────
  ldap_ecs.tf:122-125
────────────────────────────────────────────────────────────────────────────────
  122    resource "aws_cloudwatch_log_group" "ldap" {
  123      name              = "${var.env_name}-ldap-ecs"
  124      retention_in_days = 30
  125    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-cloudwatch-log-group-customer-key
      Impact Log data may be leaked if the logs are compromised. No auditing of who have viewed the logs.
  Resolution Enable CMK encryption of CloudWatch Log Groups

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/cloudwatch/log-group-customer-key/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group#kms_key_id
────────────────────────────────────────────────────────────────────────────────


Result #31 LOW Log group is not encrypted. 
────────────────────────────────────────────────────────────────────────────────
  ldap_ecs.tf:271-274
────────────────────────────────────────────────────────────────────────────────
  271    resource "aws_cloudwatch_log_group" "ldap_test" {
  272      name              = "/ecs/ldap_${var.env_name}"
  273      retention_in_days = 7
  274    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-cloudwatch-log-group-customer-key
      Impact Log data may be leaked if the logs are compromised. No auditing of who have viewed the logs.
  Resolution Enable CMK encryption of CloudWatch Log Groups

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/cloudwatch/log-group-customer-key/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group#kms_key_id
────────────────────────────────────────────────────────────────────────────────


Result #32 LOW Security group rule does not have a description. 
────────────────────────────────────────────────────────────────────────────────
  ldap_efs.tf:44-51
────────────────────────────────────────────────────────────────────────────────
   44    resource "aws_security_group_rule" "efs_ingress" {
   45      type                     = "ingress"
   46      from_port                = 2049
   47      to_port                  = 2049
   48      protocol                 = "tcp"
   49      source_security_group_id = aws_security_group.ldap.id
   50      security_group_id        = aws_security_group.ldap_efs.id
   51    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-add-description-to-security-group-rule
      Impact Descriptions provide context for the firewall rule reasons
  Resolution Add descriptions for all security groups rules

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/add-description-to-security-group-rule/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule
────────────────────────────────────────────────────────────────────────────────


Result #33 LOW Security group rule does not have a description. 
────────────────────────────────────────────────────────────────────────────────
  ldap_efs.tf:53-60
────────────────────────────────────────────────────────────────────────────────
   53    resource "aws_security_group_rule" "efs_egress" {
   54      type              = "egress"
   55      from_port         = 0
   56      to_port           = 0
   57      protocol          = "all"
   58      cidr_blocks       = [var.account_config.shared_vpc_cidr]
   59      security_group_id = aws_security_group.ldap_efs.id
   60    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-add-description-to-security-group-rule
      Impact Descriptions provide context for the firewall rule reasons
  Resolution Add descriptions for all security groups rules

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/add-description-to-security-group-rule/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule
────────────────────────────────────────────────────────────────────────────────


Result #34 LOW Log group is not encrypted. 
────────────────────────────────────────────────────────────────────────────────
  weblogic_service.tf:211-215
────────────────────────────────────────────────────────────────────────────────
  211    resource "aws_cloudwatch_log_group" "delius_core_frontend_log_group" {
  212      name              = format("%s-%s", var.env_name, var.weblogic_config.frontend_fully_qualified_name)
  213      retention_in_days = 7
  214      tags              = local.tags
  215    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-cloudwatch-log-group-customer-key
      Impact Log data may be leaked if the logs are compromised. No auditing of who have viewed the logs.
  Resolution Enable CMK encryption of CloudWatch Log Groups

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/cloudwatch/log-group-customer-key/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group#kms_key_id
────────────────────────────────────────────────────────────────────────────────


  timings
  ──────────────────────────────────────────
  disk i/o             1.6311ms
  parsing              3.468701057s
  adaptation           8.364102ms
  checks               19.023005ms
  total                3.497719264s

  counts
  ──────────────────────────────────────────
  modules downloaded   4
  modules processed    12
  blocks processed     552
  files read           63

  results
  ──────────────────────────────────────────
  passed               214
  ignored              14
  critical             2
  high                 25
  medium               0
  low                  7

  214 passed, 14 ignored, 34 potential problem(s) detected.

tfsec_exitcode=1

Checkov Scan Failed

*****************************

Checkov will check the following folders:
terraform/environments/delius-core/modules/environment_all_components

*****************************

Running Checkov in terraform/environments/delius-core/modules/environment_all_components
2023-09-12 08:39:44,818 [MainThread  ] [WARNI]  Failed to download module git::https://github.com/cloudposse/terraform-aws-ecs-container-definition.git?ref=tags/0.59.0:None (for external modules, the --download-external-modules flag is required)
2023-09-12 08:39:44,818 [MainThread  ] [WARNI]  Failed to download module git::https://github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//service?ref=c195026bcf0a1958fa4d3cc2efefc56ed876507e:None (for external modules, the --download-external-modules flag is required)
2023-09-12 08:39:44,818 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//cluster?ref=c195026bcf0a1958fa4d3cc2efefc56ed876507e:None (for external modules, the --download-external-modules flag is required)
2023-09-12 08:39:44,818 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 613, Failed checks: 72, Skipped checks: 4

Check: CKV_AWS_108: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: module.db_ecs_policies.aws_iam_policy_document.task_exec
	File: /../ecs_policies/main.tf:104-121
	Calling File: /db_service.tf:27-33
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-data-exfiltration.html

		104 | data "aws_iam_policy_document" "task_exec" {
		105 |   statement {
		106 |     effect    = "Allow"
		107 |     resources = ["*"]
		108 | 
		109 |     actions = concat([
		110 |       "ssm:GetParameters",
		111 |       "ecr:GetAuthorizationToken",
		112 |       "ecr:BatchCheckLayerAvailability",
		113 |       "ecr:GetDownloadUrlForLayer",
		114 |       "ecr:BatchGetImage",
		115 |       "logs:CreateLogGroup",
		116 |       "logs:CreateLogStream",
		117 |       "logs:PutLogEvents",
		118 |       "secretsmanager:GetSecretValue"
		119 |     ], var.extra_exec_role_allow_statements)
		120 |   }
		121 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.db_ecs_policies.aws_iam_policy_document.task_exec
	File: /../ecs_policies/main.tf:104-121
	Calling File: /db_service.tf:27-33

		104 | data "aws_iam_policy_document" "task_exec" {
		105 |   statement {
		106 |     effect    = "Allow"
		107 |     resources = ["*"]
		108 | 
		109 |     actions = concat([
		110 |       "ssm:GetParameters",
		111 |       "ecr:GetAuthorizationToken",
		112 |       "ecr:BatchCheckLayerAvailability",
		113 |       "ecr:GetDownloadUrlForLayer",
		114 |       "ecr:BatchGetImage",
		115 |       "logs:CreateLogGroup",
		116 |       "logs:CreateLogStream",
		117 |       "logs:PutLogEvents",
		118 |       "secretsmanager:GetSecretValue"
		119 |     ], var.extra_exec_role_allow_statements)
		120 |   }
		121 | }

Check: CKV_AWS_108: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: module.ldap_ecs_policies.aws_iam_policy_document.task_exec
	File: /../ecs_policies/main.tf:104-121
	Calling File: /ldap_ecs.tf:1-14
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-data-exfiltration.html

		104 | data "aws_iam_policy_document" "task_exec" {
		105 |   statement {
		106 |     effect    = "Allow"
		107 |     resources = ["*"]
		108 | 
		109 |     actions = concat([
		110 |       "ssm:GetParameters",
		111 |       "ecr:GetAuthorizationToken",
		112 |       "ecr:BatchCheckLayerAvailability",
		113 |       "ecr:GetDownloadUrlForLayer",
		114 |       "ecr:BatchGetImage",
		115 |       "logs:CreateLogGroup",
		116 |       "logs:CreateLogStream",
		117 |       "logs:PutLogEvents",
		118 |       "secretsmanager:GetSecretValue"
		119 |     ], var.extra_exec_role_allow_statements)
		120 |   }
		121 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.ldap_ecs_policies.aws_iam_policy_document.task_exec
	File: /../ecs_policies/main.tf:104-121
	Calling File: /ldap_ecs.tf:1-14

		104 | data "aws_iam_policy_document" "task_exec" {
		105 |   statement {
		106 |     effect    = "Allow"
		107 |     resources = ["*"]
		108 | 
		109 |     actions = concat([
		110 |       "ssm:GetParameters",
		111 |       "ecr:GetAuthorizationToken",
		112 |       "ecr:BatchCheckLayerAvailability",
		113 |       "ecr:GetDownloadUrlForLayer",
		114 |       "ecr:BatchGetImage",
		115 |       "logs:CreateLogGroup",
		116 |       "logs:CreateLogStream",
		117 |       "logs:PutLogEvents",
		118 |       "secretsmanager:GetSecretValue"
		119 |     ], var.extra_exec_role_allow_statements)
		120 |   }
		121 | }

Check: CKV_AWS_108: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: module.weblogic_ecs_policies.aws_iam_policy_document.task_exec
	File: /../ecs_policies/main.tf:104-121
	Calling File: /weblogic_service.tf:61-66
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-data-exfiltration.html

		104 | data "aws_iam_policy_document" "task_exec" {
		105 |   statement {
		106 |     effect    = "Allow"
		107 |     resources = ["*"]
		108 | 
		109 |     actions = concat([
		110 |       "ssm:GetParameters",
		111 |       "ecr:GetAuthorizationToken",
		112 |       "ecr:BatchCheckLayerAvailability",
		113 |       "ecr:GetDownloadUrlForLayer",
		114 |       "ecr:BatchGetImage",
		115 |       "logs:CreateLogGroup",
		116 |       "logs:CreateLogStream",
		117 |       "logs:PutLogEvents",
		118 |       "secretsmanager:GetSecretValue"
		119 |     ], var.extra_exec_role_allow_statements)
		120 |   }
		121 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.weblogic_ecs_policies.aws_iam_policy_document.task_exec
	File: /../ecs_policies/main.tf:104-121
	Calling File: /weblogic_service.tf:61-66

		104 | data "aws_iam_policy_document" "task_exec" {
		105 |   statement {
		106 |     effect    = "Allow"
		107 |     resources = ["*"]
		108 | 
		109 |     actions = concat([
		110 |       "ssm:GetParameters",
		111 |       "ecr:GetAuthorizationToken",
		112 |       "ecr:BatchCheckLayerAvailability",
		113 |       "ecr:GetDownloadUrlForLayer",
		114 |       "ecr:BatchGetImage",
		115 |       "logs:CreateLogGroup",
		116 |       "logs:CreateLogStream",
		117 |       "logs:PutLogEvents",
		118 |       "secretsmanager:GetSecretValue"
		119 |     ], var.extra_exec_role_allow_statements)
		120 |   }
		121 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: testing_db_container
	File: /db_service.tf:1-25

		1  | module "testing_db_container" {
		2  |   count                    = var.env_name == "dev" ? 1 : 0
		3  |   source                   = "git::https://github.com/cloudposse/terraform-aws-ecs-container-definition.git?ref=tags/0.59.0"
		4  |   container_name           = "${var.env_name}-${var.delius_db_container_config.fully_qualified_name}"
		5  |   container_image          = "${var.platform_vars.environment_management.account_ids["core-shared-services-production"]}.dkr.ecr.eu-west-2.amazonaws.com/${var.delius_db_container_config.image_name}-ecr-repo:${var.delius_db_container_config.image_tag}"
		6  |   container_memory         = 4096
		7  |   container_cpu            = 1024
		8  |   essential                = true
		9  |   readonly_root_filesystem = false
		10 |   port_mappings = [
		11 |     {
		12 |       containerPort = var.delius_db_container_config.port
		13 |       hostPort      = var.delius_db_container_config.port
		14 |       protocol      = "tcp"
		15 |     },
		16 |   ]
		17 |   log_configuration = {
		18 |     logDriver = "awslogs"
		19 |     options = {
		20 |       "awslogs-group"         = aws_cloudwatch_log_group.delius_core_testing_db_log_group.name
		21 |       "awslogs-region"        = "eu-west-2"
		22 |       "awslogs-stream-prefix" = var.delius_db_container_config.fully_qualified_name
		23 |     }
		24 |   }
		25 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.delius_core_testing_db_log_group
	File: /db_service.tf:114-118
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html

		114 | resource "aws_cloudwatch_log_group" "delius_core_testing_db_log_group" {
		115 |   name              = format("%s-%s", var.env_name, var.delius_db_container_config.fully_qualified_name)
		116 |   retention_in_days = 7
		117 |   tags              = local.tags
		118 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.delius_core_testing_db_log_group
	File: /db_service.tf:114-118

		114 | resource "aws_cloudwatch_log_group" "delius_core_testing_db_log_group" {
		115 |   name              = format("%s-%s", var.env_name, var.delius_db_container_config.fully_qualified_name)
		116 |   retention_in_days = 7
		117 |   tags              = local.tags
		118 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.delius_core_backup_policy
	File: /ldap_backups.tf:69-89

		69 | data "aws_iam_policy_document" "delius_core_backup_policy" {
		70 |   statement {
		71 |     effect    = "Allow"
		72 |     resources = ["*"]
		73 | 
		74 |     actions = [
		75 |       "backup:CreateBackupPlan",
		76 |       "backup:CreateBackupSelection",
		77 |       "backup:StartBackupJob",
		78 |       "backup:DescribeBackupJob",
		79 |       "backup:ListBackupJobs",
		80 |       "backup:ListBackupVaults",
		81 |       "backup:ListRecoveryPointsByBackupVault",
		82 |       "backup:ListBackupPlanTemplates",
		83 |       "backup:DescribeRestoreJob",
		84 |       "backup:GetRecoveryPointRestoreMetadata",
		85 |       "backup:ListRestoreJobs",
		86 |       "backup:StartRestoreJob"
		87 |     ]
		88 |   }
		89 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.delius_core_backup_policy
	File: /ldap_backups.tf:69-89
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint.html

		69 | data "aws_iam_policy_document" "delius_core_backup_policy" {
		70 |   statement {
		71 |     effect    = "Allow"
		72 |     resources = ["*"]
		73 | 
		74 |     actions = [
		75 |       "backup:CreateBackupPlan",
		76 |       "backup:CreateBackupSelection",
		77 |       "backup:StartBackupJob",
		78 |       "backup:DescribeBackupJob",
		79 |       "backup:ListBackupJobs",
		80 |       "backup:ListBackupVaults",
		81 |       "backup:ListRecoveryPointsByBackupVault",
		82 |       "backup:ListBackupPlanTemplates",
		83 |       "backup:DescribeRestoreJob",
		84 |       "backup:GetRecoveryPointRestoreMetadata",
		85 |       "backup:ListRestoreJobs",
		86 |       "backup:StartRestoreJob"
		87 |     ]
		88 |   }
		89 | }

Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy_document.efs_backup_policy
	File: /ldap_backups.tf:97-134
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint.html

		97  | data "aws_iam_policy_document" "efs_backup_policy" {
		98  |   statement {
		99  |     effect    = "Allow"
		100 |     resources = ["*"]
		101 | 
		102 |     actions = [
		103 |       "efs:DescribeFileSystems",
		104 |       "efs:CreateBackup",
		105 |       "efs:DeleteBackup",
		106 |       "efs:DescribeBackups",
		107 |       "efs:CreateTags",
		108 |       "efs:UntagResource",
		109 |       "efs:TagResource",
		110 |       "efs:DescribeTags",
		111 |       "elasticfilesystem:Backup",
		112 |       "elasticfilesystem:DescribeTags",
		113 |       "elasticfilesystem:CreateAccessPoint",
		114 |       "elasticfilesystem:CreateFileSystem",
		115 |       "elasticfilesystem:CreateMountTarget",
		116 |       "elasticfilesystem:DeleteAccessPoint",
		117 |       "elasticfilesystem:DeleteFileSystem",
		118 |       "elasticfilesystem:DeleteMountTarget",
		119 |       "elasticfilesystem:DescribeAccessPoints",
		120 |       "elasticfilesystem:DescribeFileSystemPolicy",
		121 |       "elasticfilesystem:DescribeFileSystems",
		122 |       "elasticfilesystem:DescribeLifecycleConfiguration",
		123 |       "elasticfilesystem:DescribeMountTargets",
		124 |       "elasticfilesystem:DescribeMountTargetSecurityGroups",
		125 |       "elasticfilesystem:PutBackupPolicy",
		126 |       "elasticfilesystem:PutFileSystemPolicy",
		127 |       "elasticfilesystem:PutLifecycleConfiguration",
		128 |       "elasticfilesystem:Restore",
		129 |       "elasticfilesystem:TagResource",
		130 |       "elasticfilesystem:UntagResource",
		131 |       "elasticfilesystem:UpdateFileSystem"
		132 |     ]
		133 |   }
		134 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.efs_backup_policy
	File: /ldap_backups.tf:97-134

		97  | data "aws_iam_policy_document" "efs_backup_policy" {
		98  |   statement {
		99  |     effect    = "Allow"
		100 |     resources = ["*"]
		101 | 
		102 |     actions = [
		103 |       "efs:DescribeFileSystems",
		104 |       "efs:CreateBackup",
		105 |       "efs:DeleteBackup",
		106 |       "efs:DescribeBackups",
		107 |       "efs:CreateTags",
		108 |       "efs:UntagResource",
		109 |       "efs:TagResource",
		110 |       "efs:DescribeTags",
		111 |       "elasticfilesystem:Backup",
		112 |       "elasticfilesystem:DescribeTags",
		113 |       "elasticfilesystem:CreateAccessPoint",
		114 |       "elasticfilesystem:CreateFileSystem",
		115 |       "elasticfilesystem:CreateMountTarget",
		116 |       "elasticfilesystem:DeleteAccessPoint",
		117 |       "elasticfilesystem:DeleteFileSystem",
		118 |       "elasticfilesystem:DeleteMountTarget",
		119 |       "elasticfilesystem:DescribeAccessPoints",
		120 |       "elasticfilesystem:DescribeFileSystemPolicy",
		121 |       "elasticfilesystem:DescribeFileSystems",
		122 |       "elasticfilesystem:DescribeLifecycleConfiguration",
		123 |       "elasticfilesystem:DescribeMountTargets",
		124 |       "elasticfilesystem:DescribeMountTargetSecurityGroups",
		125 |       "elasticfilesystem:PutBackupPolicy",
		126 |       "elasticfilesystem:PutFileSystemPolicy",
		127 |       "elasticfilesystem:PutLifecycleConfiguration",
		128 |       "elasticfilesystem:Restore",
		129 |       "elasticfilesystem:TagResource",
		130 |       "elasticfilesystem:UntagResource",
		131 |       "elasticfilesystem:UpdateFileSystem"
		132 |     ]
		133 |   }
		134 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.efs_backup_policy
	File: /ldap_backups.tf:97-134
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint.html

		97  | data "aws_iam_policy_document" "efs_backup_policy" {
		98  |   statement {
		99  |     effect    = "Allow"
		100 |     resources = ["*"]
		101 | 
		102 |     actions = [
		103 |       "efs:DescribeFileSystems",
		104 |       "efs:CreateBackup",
		105 |       "efs:DeleteBackup",
		106 |       "efs:DescribeBackups",
		107 |       "efs:CreateTags",
		108 |       "efs:UntagResource",
		109 |       "efs:TagResource",
		110 |       "efs:DescribeTags",
		111 |       "elasticfilesystem:Backup",
		112 |       "elasticfilesystem:DescribeTags",
		113 |       "elasticfilesystem:CreateAccessPoint",
		114 |       "elasticfilesystem:CreateFileSystem",
		115 |       "elasticfilesystem:CreateMountTarget",
		116 |       "elasticfilesystem:DeleteAccessPoint",
		117 |       "elasticfilesystem:DeleteFileSystem",
		118 |       "elasticfilesystem:DeleteMountTarget",
		119 |       "elasticfilesystem:DescribeAccessPoints",
		120 |       "elasticfilesystem:DescribeFileSystemPolicy",
		121 |       "elasticfilesystem:DescribeFileSystems",
		122 |       "elasticfilesystem:DescribeLifecycleConfiguration",
		123 |       "elasticfilesystem:DescribeMountTargets",
		124 |       "elasticfilesystem:DescribeMountTargetSecurityGroups",
		125 |       "elasticfilesystem:PutBackupPolicy",
		126 |       "elasticfilesystem:PutFileSystemPolicy",
		127 |       "elasticfilesystem:PutLifecycleConfiguration",
		128 |       "elasticfilesystem:Restore",
		129 |       "elasticfilesystem:TagResource",
		130 |       "elasticfilesystem:UntagResource",
		131 |       "elasticfilesystem:UpdateFileSystem"
		132 |     ]
		133 |   }
		134 | }

Check: CKV_AWS_166: "Ensure Backup Vault is encrypted at rest using KMS CMK"
	FAILED for resource: aws_backup_vault.ldap_backup_vault
	File: /ldap_backups.tf:1-9
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-backup-vault-is-encrypted-at-rest-using-kms-cmk.html

		1 | resource "aws_backup_vault" "ldap_backup_vault" {
		2 |   name = "${var.env_name}-ldap-efs-backup-vault"
		3 |   tags = merge(
		4 |     local.tags,
		5 |     {
		6 |       Name = "${var.env_name}-ldap-efs-backup-vault"
		7 |     },
		8 |   )
		9 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.ecs_service_policy
	File: /ldap_ecs.tf:167-182

		167 | data "aws_iam_policy_document" "ecs_service_policy" {
		168 |   statement {
		169 |     effect    = "Allow"
		170 |     resources = ["*"]
		171 | 
		172 |     actions = [
		173 |       "elasticloadbalancing:Describe*",
		174 |       "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
		175 |       "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
		176 |       "ec2:Describe*",
		177 |       "ec2:AuthorizeSecurityGroupIngress",
		178 |       "elasticloadbalancing:RegisterTargets",
		179 |       "elasticloadbalancing:DeregisterTargets"
		180 |     ]
		181 |   }
		182 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.ecs_service_policy
	File: /ldap_ecs.tf:167-182
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint.html

		167 | data "aws_iam_policy_document" "ecs_service_policy" {
		168 |   statement {
		169 |     effect    = "Allow"
		170 |     resources = ["*"]
		171 | 
		172 |     actions = [
		173 |       "elasticloadbalancing:Describe*",
		174 |       "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
		175 |       "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
		176 |       "ec2:Describe*",
		177 |       "ec2:AuthorizeSecurityGroupIngress",
		178 |       "elasticloadbalancing:RegisterTargets",
		179 |       "elasticloadbalancing:DeregisterTargets"
		180 |     ]
		181 |   }
		182 | }

Check: CKV_AWS_108: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_policy_document.ecs_exec
	File: /ldap_ecs.tf:245-262
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-data-exfiltration.html

		245 | data "aws_iam_policy_document" "ecs_exec" {
		246 |   statement {
		247 |     effect    = "Allow"
		248 |     resources = ["*"]
		249 | 
		250 |     actions = [
		251 |       "ssm:GetParameters",
		252 |       "ecr:GetAuthorizationToken",
		253 |       "ecr:BatchCheckLayerAvailability",
		254 |       "ecr:GetDownloadUrlForLayer",
		255 |       "ecr:BatchGetImage",
		256 |       "logs:CreateLogGroup",
		257 |       "logs:CreateLogStream",
		258 |       "logs:PutLogEvents",
		259 |       "secretsmanager:GetSecretValue"
		260 |     ]
		261 |   }
		262 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.ecs_exec
	File: /ldap_ecs.tf:245-262

		245 | data "aws_iam_policy_document" "ecs_exec" {
		246 |   statement {
		247 |     effect    = "Allow"
		248 |     resources = ["*"]
		249 | 
		250 |     actions = [
		251 |       "ssm:GetParameters",
		252 |       "ecr:GetAuthorizationToken",
		253 |       "ecr:BatchCheckLayerAvailability",
		254 |       "ecr:GetDownloadUrlForLayer",
		255 |       "ecr:BatchGetImage",
		256 |       "logs:CreateLogGroup",
		257 |       "logs:CreateLogStream",
		258 |       "logs:PutLogEvents",
		259 |       "secretsmanager:GetSecretValue"
		260 |     ]
		261 |   }
		262 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.ecs_exec
	File: /ldap_ecs.tf:245-262
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint.html

		245 | data "aws_iam_policy_document" "ecs_exec" {
		246 |   statement {
		247 |     effect    = "Allow"
		248 |     resources = ["*"]
		249 | 
		250 |     actions = [
		251 |       "ssm:GetParameters",
		252 |       "ecr:GetAuthorizationToken",
		253 |       "ecr:BatchCheckLayerAvailability",
		254 |       "ecr:GetDownloadUrlForLayer",
		255 |       "ecr:BatchGetImage",
		256 |       "logs:CreateLogGroup",
		257 |       "logs:CreateLogStream",
		258 |       "logs:PutLogEvents",
		259 |       "secretsmanager:GetSecretValue"
		260 |     ]
		261 |   }
		262 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3_bucket_ldap_deployment
	File: /ldap_ecs.tf:33-71

		33 | module "s3_bucket_ldap_deployment" {
		34 | 
		35 |   source = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0"
		36 | 
		37 |   providers = {
		38 |     aws.bucket-replication = aws.bucket-replication
		39 |   }
		40 |   bucket_prefix      = "${var.env_name}-ldap-deployment-"
		41 |   versioning_enabled = true
		42 | 
		43 |   lifecycle_rule = [
		44 |     {
		45 |       id      = "main"
		46 |       enabled = "Enabled"
		47 |       prefix  = ""
		48 | 
		49 |       tags = {
		50 |         rule      = "log"
		51 |         autoclean = "true"
		52 |       }
		53 | 
		54 |       noncurrent_version_transition = [
		55 |         {
		56 |           days          = 90
		57 |           storage_class = "STANDARD_IA"
		58 |           }, {
		59 |           days          = 365
		60 |           storage_class = "GLACIER"
		61 |         }
		62 |       ]
		63 | 
		64 |       noncurrent_version_expiration = {
		65 |         days = 730
		66 |       }
		67 |     }
		68 |   ]
		69 | 
		70 |   tags = local.tags
		71 | }

Check: CKV_AWS_23: "Ensure every security groups rule has a description"
	FAILED for resource: aws_security_group_rule.efs_ingress_ldap
	File: /ldap_ecs.tf:113-120
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html

		113 | resource "aws_security_group_rule" "efs_ingress_ldap" {
		114 |   type                     = "ingress"
		115 |   from_port                = 2049
		116 |   to_port                  = 2049
		117 |   protocol                 = "tcp"
		118 |   source_security_group_id = aws_security_group.ldap_efs.id
		119 |   security_group_id        = aws_security_group.ldap.id
		120 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.ldap
	File: /ldap_ecs.tf:122-125
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html

		122 | resource "aws_cloudwatch_log_group" "ldap" {
		123 |   name              = "${var.env_name}-ldap-ecs"
		124 |   retention_in_days = 30
		125 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.ldap
	File: /ldap_ecs.tf:122-125

		122 | resource "aws_cloudwatch_log_group" "ldap" {
		123 |   name              = "${var.env_name}-ldap-ecs"
		124 |   retention_in_days = 30
		125 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.ldap_test
	File: /ldap_ecs.tf:271-274
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html

		271 | resource "aws_cloudwatch_log_group" "ldap_test" {
		272 |   name              = "/ecs/ldap_${var.env_name}"
		273 |   retention_in_days = 7
		274 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.ldap_test
	File: /ldap_ecs.tf:271-274

		271 | resource "aws_cloudwatch_log_group" "ldap_test" {
		272 |   name              = "/ecs/ldap_${var.env_name}"
		273 |   retention_in_days = 7
		274 | }

Check: CKV_AWS_329: "EFS access points should enforce a root directory"
	FAILED for resource: aws_efs_access_point.ldap
	File: /ldap_efs.tf:24-35

		24 | resource "aws_efs_access_point" "ldap" {
		25 |   file_system_id = aws_efs_file_system.ldap.id
		26 |   root_directory {
		27 |     path = "/"
		28 |   }
		29 |   tags = merge(
		30 |     local.tags,
		31 |     {
		32 |       Name = "${var.env_name}-ldap-efs-access-point"
		33 |     }
		34 |   )
		35 | }

Check: CKV_AWS_330: "EFS access points should enforce a user identity"
	FAILED for resource: aws_efs_access_point.ldap
	File: /ldap_efs.tf:24-35

		24 | resource "aws_efs_access_point" "ldap" {
		25 |   file_system_id = aws_efs_file_system.ldap.id
		26 |   root_directory {
		27 |     path = "/"
		28 |   }
		29 |   tags = merge(
		30 |     local.tags,
		31 |     {
		32 |       Name = "${var.env_name}-ldap-efs-access-point"
		33 |     }
		34 |   )
		35 | }

Check: CKV_AWS_23: "Ensure every security groups rule has a description"
	FAILED for resource: aws_security_group_rule.efs_ingress
	File: /ldap_efs.tf:44-51
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html

		44 | resource "aws_security_group_rule" "efs_ingress" {
		45 |   type                     = "ingress"
		46 |   from_port                = 2049
		47 |   to_port                  = 2049
		48 |   protocol                 = "tcp"
		49 |   source_security_group_id = aws_security_group.ldap.id
		50 |   security_group_id        = aws_security_group.ldap_efs.id
		51 | }

Check: CKV_AWS_23: "Ensure every security groups rule has a description"
	FAILED for resource: aws_security_group_rule.efs_egress
	File: /ldap_efs.tf:53-60
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html

		53 | resource "aws_security_group_rule" "efs_egress" {
		54 |   type              = "egress"
		55 |   from_port         = 0
		56 |   to_port           = 0
		57 |   protocol          = "all"
		58 |   cidr_blocks       = [var.account_config.shared_vpc_cidr]
		59 |   security_group_id = aws_security_group.ldap_efs.id
		60 | }

Check: CKV_AWS_152: "Ensure that Load Balancer (Network/Gateway) has cross-zone load balancing enabled"
	FAILED for resource: aws_lb.ldap
	File: /ldap_nlb.tf:14-23
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-load-balancer-networkgateway-has-cross-zone-load-balancing-enabled.html

		14 | resource "aws_lb" "ldap" {
		15 |   name                       = local.ldap_nlb_name
		16 |   internal                   = true
		17 |   load_balancer_type         = "network"
		18 |   subnets                    = var.account_config.private_subnet_ids
		19 |   drop_invalid_header_fields = true
		20 |   enable_deletion_protection = false
		21 | 
		22 |   tags = local.ldap_nlb_tags
		23 | }

Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
	FAILED for resource: aws_lb.ldap
	File: /ldap_nlb.tf:14-23
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22.html

		14 | resource "aws_lb" "ldap" {
		15 |   name                       = local.ldap_nlb_name
		16 |   internal                   = true
		17 |   load_balancer_type         = "network"
		18 |   subnets                    = var.account_config.private_subnet_ids
		19 |   drop_invalid_header_fields = true
		20 |   enable_deletion_protection = false
		21 | 
		22 |   tags = local.ldap_nlb_tags
		23 | }

Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
	FAILED for resource: aws_lb.ldap
	File: /ldap_nlb.tf:14-23
	Guide: https://docs.bridgecrew.io/docs/bc_aws_networking_62

		14 | resource "aws_lb" "ldap" {
		15 |   name                       = local.ldap_nlb_name
		16 |   internal                   = true
		17 |   load_balancer_type         = "network"
		18 |   subnets                    = var.account_config.private_subnet_ids
		19 |   drop_invalid_header_fields = true
		20 |   enable_deletion_protection = false
		21 | 
		22 |   tags = local.ldap_nlb_tags
		23 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.delius_core_ldap_credential
	File: /ldap_params.tf:2-4
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms.html

		2 | resource "aws_secretsmanager_secret" "delius_core_ldap_credential" {
		3 |   name = "${var.account_info.application_name}-${var.env_name}-openldap-bind-password"
		4 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_ldap_host
	File: /ldap_params.tf:20-30

		20 | resource "aws_ssm_parameter" "delius_core_ldap_host" {
		21 |   name  = format("/%s-%s/LDAP_HOST", var.account_info.application_name, var.env_name)
		22 |   type  = "SecureString"
		23 |   value = "INITIAL_VALUE_OVERRIDDEN"
		24 |   lifecycle {
		25 |     ignore_changes = [
		26 |       value
		27 |     ]
		28 |   }
		29 |   tags = local.tags
		30 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_ldap_principal
	File: /ldap_params.tf:32-42

		32 | resource "aws_ssm_parameter" "delius_core_ldap_principal" {
		33 |   name  = format("/%s-%s/LDAP_PRINCIPAL", var.account_info.application_name, var.env_name)
		34 |   type  = "SecureString"
		35 |   value = "INITIAL_VALUE_OVERRIDDEN"
		36 |   lifecycle {
		37 |     ignore_changes = [
		38 |       value
		39 |     ]
		40 |   }
		41 |   tags = local.tags
		42 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3_bucket_migration
	File: /ldap_s3.tf:1-91

		Code lines for this resource are too many. Please use IDE of your choice to review the file.

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3_bucket_app_deployment
	File: /ldap_s3.tf:94-133

		94  | module "s3_bucket_app_deployment" {
		95  | 
		96  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0"
		97  | 
		98  |   bucket_name        = "${var.app_name}-${var.env_name}-openldap-deployment"
		99  |   versioning_enabled = true
		100 | 
		101 |   providers = {
		102 |     aws.bucket-replication = aws.bucket-replication
		103 |   }
		104 | 
		105 |   lifecycle_rule = [
		106 |     {
		107 |       id      = "main"
		108 |       enabled = "Enabled"
		109 |       prefix  = ""
		110 | 
		111 |       tags = {
		112 |         rule      = "log"
		113 |         autoclean = "true"
		114 |       }
		115 | 
		116 |       noncurrent_version_transition = [
		117 |         {
		118 |           days          = 90
		119 |           storage_class = "STANDARD_IA"
		120 |           }, {
		121 |           days          = 365
		122 |           storage_class = "GLACIER"
		123 |         }
		124 |       ]
		125 | 
		126 |       noncurrent_version_expiration = {
		127 |         days = 730
		128 |       }
		129 |     }
		130 |   ]
		131 | 
		132 |   tags = local.tags
		133 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.ldap_bind_password
	File: /ssm.tf:17-28

		17 | resource "aws_ssm_parameter" "ldap_bind_password" {
		18 |   name  = format("/%s-%s/LDAP_BIND_PASSWORD", var.account_info.application_name, var.env_name)
		19 |   type  = "SecureString"
		20 |   value = "INITIAL_VALUE_OVERRIDDEN"
		21 |   lifecycle {
		22 |     ignore_changes = [
		23 |       value
		24 |     ]
		25 |   }
		26 |   tags = local.tags
		27 | 
		28 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.ldap_admin_password
	File: /ssm.tf:30-41

		30 | resource "aws_ssm_parameter" "ldap_admin_password" {
		31 |   name  = format("/%s-%s/LDAP_ADMIN_PASSWORD", var.account_info.application_name, var.env_name)
		32 |   type  = "SecureString"
		33 |   value = "INITIAL_VALUE_OVERRIDDEN"
		34 |   lifecycle {
		35 |     ignore_changes = [
		36 |       value
		37 |     ]
		38 |   }
		39 |   tags = local.tags
		40 | 
		41 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.oasys_user
	File: /ssm.tf:43-54

		43 | resource "aws_ssm_parameter" "oasys_user" {
		44 |   name  = format("/%s-%s/oasys_user", var.account_info.application_name, var.env_name)
		45 |   type  = "SecureString"
		46 |   value = "INITIAL_VALUE_OVERRIDDEN"
		47 |   lifecycle {
		48 |     ignore_changes = [
		49 |       value
		50 |     ]
		51 |   }
		52 |   tags = local.tags
		53 | 
		54 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.oasys_password
	File: /ssm.tf:56-67

		56 | resource "aws_ssm_parameter" "oasys_password" {
		57 |   name  = format("/%s-%s/oasys_password", var.account_info.application_name, var.env_name)
		58 |   type  = "SecureString"
		59 |   value = "INITIAL_VALUE_OVERRIDDEN"
		60 |   lifecycle {
		61 |     ignore_changes = [
		62 |       value
		63 |     ]
		64 |   }
		65 |   tags = local.tags
		66 | 
		67 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.iaps_user
	File: /ssm.tf:69-80

		69 | resource "aws_ssm_parameter" "iaps_user" {
		70 |   name  = format("/%s-%s/iaps_user", var.account_info.application_name, var.env_name)
		71 |   type  = "SecureString"
		72 |   value = "INITIAL_VALUE_OVERRIDDEN"
		73 |   lifecycle {
		74 |     ignore_changes = [
		75 |       value
		76 |     ]
		77 |   }
		78 |   tags = local.tags
		79 | 
		80 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.iaps_user_password
	File: /ssm.tf:82-93

		82 | resource "aws_ssm_parameter" "iaps_user_password" {
		83 |   name  = format("/%s-%s/iaps_user_password", var.account_info.application_name, var.env_name)
		84 |   type  = "SecureString"
		85 |   value = "INITIAL_VALUE_OVERRIDDEN"
		86 |   lifecycle {
		87 |     ignore_changes = [
		88 |       value
		89 |     ]
		90 |   }
		91 |   tags = local.tags
		92 | 
		93 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.dss_user
	File: /ssm.tf:95-106

		95  | resource "aws_ssm_parameter" "dss_user" {
		96  |   name  = format("/%s-%s/dss_user", var.account_info.application_name, var.env_name)
		97  |   type  = "SecureString"
		98  |   value = "INITIAL_VALUE_OVERRIDDEN"
		99  |   lifecycle {
		100 |     ignore_changes = [
		101 |       value
		102 |     ]
		103 |   }
		104 |   tags = local.tags
		105 | 
		106 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.dss_user_password
	File: /ssm.tf:108-119

		108 | resource "aws_ssm_parameter" "dss_user_password" {
		109 |   name  = format("/%s-%s/dss_user_password", var.account_info.application_name, var.env_name)
		110 |   type  = "SecureString"
		111 |   value = "INITIAL_VALUE_OVERRIDDEN"
		112 |   lifecycle {
		113 |     ignore_changes = [
		114 |       value
		115 |     ]
		116 |   }
		117 |   tags = local.tags
		118 | 
		119 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.casenotes_user
	File: /ssm.tf:121-132

		121 | resource "aws_ssm_parameter" "casenotes_user" {
		122 |   name  = format("/%s-%s/casenotes_user", var.account_info.application_name, var.env_name)
		123 |   type  = "SecureString"
		124 |   value = "INITIAL_VALUE_OVERRIDDEN"
		125 |   lifecycle {
		126 |     ignore_changes = [
		127 |       value
		128 |     ]
		129 |   }
		130 |   tags = local.tags
		131 | 
		132 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.casenotes_user_password
	File: /ssm.tf:134-144

		134 | resource "aws_ssm_parameter" "casenotes_user_password" {
		135 |   name  = format("/%s-%s/casenotes_user_password", var.account_info.application_name, var.env_name)
		136 |   type  = "SecureString"
		137 |   value = "INITIAL_VALUE_OVERRIDDEN"
		138 |   lifecycle {
		139 |     ignore_changes = [
		140 |       value
		141 |     ]
		142 |   }
		143 |   tags = local.tags
		144 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.test_user_password
	File: /ssm.tf:146-157

		146 | resource "aws_ssm_parameter" "test_user_password" {
		147 |   name  = format("/%s-%s/test_user_password", var.account_info.application_name, var.env_name)
		148 |   type  = "SecureString"
		149 |   value = "INITIAL_VALUE_OVERRIDDEN"
		150 |   lifecycle {
		151 |     ignore_changes = [
		152 |       value
		153 |     ]
		154 |   }
		155 | 
		156 |   tags = local.tags
		157 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_gdpr_api_client_secret
	File: /ssm.tf:159-171

		159 | resource "aws_ssm_parameter" "delius_core_gdpr_api_client_secret" {
		160 |   name  = format("/%s-%s/gdpr/api/client_secret", var.account_info.application_name, var.env_name)
		161 |   type  = "SecureString"
		162 |   value = "INITIAL_VALUE_OVERRIDDEN"
		163 | 
		164 |   lifecycle {
		165 |     ignore_changes = [
		166 |       value
		167 |     ]
		168 |   }
		169 | 
		170 |   tags = local.tags
		171 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_pwm_config_password
	File: /ssm.tf:173-185

		173 | resource "aws_ssm_parameter" "delius_core_pwm_config_password" {
		174 |   name  = format("/%s-%s/pwm/pwm/config_password", var.account_info.application_name, var.env_name)
		175 |   type  = "SecureString"
		176 |   value = "INITIAL_VALUE_OVERRIDDEN"
		177 | 
		178 |   lifecycle {
		179 |     ignore_changes = [
		180 |       value
		181 |     ]
		182 |   }
		183 | 
		184 |   tags = local.tags
		185 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_merge_api_client_secret
	File: /ssm.tf:187-199

		187 | resource "aws_ssm_parameter" "delius_core_merge_api_client_secret" {
		188 |   name  = format("/%s-%s/merge/api/client_secret", var.account_info.application_name, var.env_name)
		189 |   type  = "SecureString"
		190 |   value = "INITIAL_VALUE_OVERRIDDEN"
		191 | 
		192 |   lifecycle {
		193 |     ignore_changes = [
		194 |       value
		195 |     ]
		196 |   }
		197 | 
		198 |   tags = local.tags
		199 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_weblogic_ndelius_domain_umt_client_secret
	File: /ssm.tf:201-213

		201 | resource "aws_ssm_parameter" "delius_core_weblogic_ndelius_domain_umt_client_secret" {
		202 |   name  = format("/%s-%s/weblogic/ndelius-domain/umt_client_secret", var.account_info.application_name, var.env_name)
		203 |   type  = "SecureString"
		204 |   value = "INITIAL_VALUE_OVERRIDDEN"
		205 | 
		206 |   lifecycle {
		207 |     ignore_changes = [
		208 |       value
		209 |     ]
		210 |   }
		211 | 
		212 |   tags = local.tags
		213 | }

Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
	FAILED for resource: aws_lb.delius_core_frontend
	File: /weblogic_alb.tf:39-51
	Guide: https://docs.bridgecrew.io/docs/bc_aws_networking_62

		39 | resource "aws_lb" "delius_core_frontend" {
		40 |   # checkov:skip=CKV_AWS_91
		41 |   # checkov:skip=CKV2_AWS_28
		42 | 
		43 |   name               = "${var.app_name}-${var.env_name}-weblogic-alb"
		44 |   internal           = false
		45 |   load_balancer_type = "application"
		46 |   security_groups    = [aws_security_group.delius_frontend_alb_security_group.id]
		47 |   subnets            = var.account_config.private_subnet_ids
		48 | 
		49 |   enable_deletion_protection = false
		50 |   drop_invalid_header_fields = true
		51 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_frontend_env_var_jdbc_url
	File: /weblogic_params.tf:6-16

		6  | resource "aws_ssm_parameter" "delius_core_frontend_env_var_jdbc_url" {
		7  |   name  = format("/%s/%s/JCBC_URL", var.account_info.application_name, var.env_name)
		8  |   type  = "SecureString"
		9  |   value = format("jdbc:oracle:thin:@//INITIAL_HOSTNAME_OVERRIDEN:INITIAL_PORT_OVERRIDDEN/%s", var.weblogic_config.db_name)
		10 |   tags  = local.tags
		11 |   lifecycle {
		12 |     ignore_changes = [
		13 |       value
		14 |     ]
		15 |   }
		16 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_frontend_env_var_jdbc_password
	File: /weblogic_params.tf:18-28

		18 | resource "aws_ssm_parameter" "delius_core_frontend_env_var_jdbc_password" {
		19 |   name  = format("/%s/%s/JCBC_PASSWORD", var.account_info.application_name, var.env_name)
		20 |   type  = "SecureString"
		21 |   value = "INITIAL_VALUE_OVERRIDDEN"
		22 |   tags  = local.tags
		23 |   lifecycle {
		24 |     ignore_changes = [
		25 |       value
		26 |     ]
		27 |   }
		28 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_frontend_env_var_test_mode
	File: /weblogic_params.tf:30-35

		30 | resource "aws_ssm_parameter" "delius_core_frontend_env_var_test_mode" {
		31 |   name  = format("/%s/%s/TEST_MODE", var.account_info.application_name, var.env_name)
		32 |   type  = "String"
		33 |   value = "true"
		34 |   tags  = local.tags
		35 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_frontend_env_var_dev_username
	File: /weblogic_params.tf:37-47

		37 | resource "aws_ssm_parameter" "delius_core_frontend_env_var_dev_username" {
		38 |   name  = format("/%s/%s/DEV_USERNAME", var.account_info.application_name, var.env_name)
		39 |   type  = "SecureString"
		40 |   value = "INITIAL_VALUE_OVERRIDDEN"
		41 |   lifecycle {
		42 |     ignore_changes = [
		43 |       value
		44 |     ]
		45 |   }
		46 |   tags = local.tags
		47 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_frontend_env_var_dev_password
	File: /weblogic_params.tf:49-59

		49 | resource "aws_ssm_parameter" "delius_core_frontend_env_var_dev_password" {
		50 |   name  = format("/%s/%s/DEV_PASSWORD", var.account_info.application_name, var.env_name)
		51 |   type  = "SecureString"
		52 |   value = "INITIAL_VALUE_OVERRIDDEN"
		53 |   lifecycle {
		54 |     ignore_changes = [
		55 |       value
		56 |     ]
		57 |   }
		58 |   tags = local.tags
		59 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_frontend_env_var_eis_user_context
	File: /weblogic_params.tf:61-71

		61 | resource "aws_ssm_parameter" "delius_core_frontend_env_var_eis_user_context" {
		62 |   name  = format("/%s/%s/EIS_USER_CONTEXT", var.account_info.application_name, var.env_name)
		63 |   type  = "SecureString"
		64 |   value = "INITIAL_VALUE_OVERRIDDEN"
		65 |   lifecycle {
		66 |     ignore_changes = [
		67 |       value
		68 |     ]
		69 |   }
		70 |   tags = local.tags
		71 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_frontend_env_var_user_context
	File: /weblogic_params.tf:73-83

		73 | resource "aws_ssm_parameter" "delius_core_frontend_env_var_user_context" {
		74 |   name  = format("/%s/%s/USER_CONTEXT", var.account_info.application_name, var.env_name)
		75 |   type  = "SecureString"
		76 |   value = "INITIAL_VALUE_OVERRIDDEN"
		77 |   lifecycle {
		78 |     ignore_changes = [
		79 |       value
		80 |     ]
		81 |   }
		82 |   tags = local.tags
		83 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: weblogic_container
	File: /weblogic_service.tf:1-59

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.delius_core_frontend_log_group
	File: /weblogic_service.tf:211-215
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html

		211 | resource "aws_cloudwatch_log_group" "delius_core_frontend_log_group" {
		212 |   name              = format("%s-%s", var.env_name, var.weblogic_config.frontend_fully_qualified_name)
		213 |   retention_in_days = 7
		214 |   tags              = local.tags
		215 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.delius_core_frontend_log_group
	File: /weblogic_service.tf:211-215

		211 | resource "aws_cloudwatch_log_group" "delius_core_frontend_log_group" {
		212 |   name              = format("%s-%s", var.env_name, var.weblogic_config.frontend_fully_qualified_name)
		213 |   retention_in_days = 7
		214 |   tags              = local.tags
		215 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: module.ebs_volume.aws_ebs_volume.this
	File: /../ebs_volume/main.tf:1-10
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup.html

		1  | resource "aws_ebs_volume" "this" {
		2  |   availability_zone = var.availability_zone
		3  |   type              = var.type
		4  |   iops              = var.iops
		5  |   throughput        = var.throughput
		6  |   size              = var.size
		7  |   encrypted         = true
		8  |   kms_key_id        = var.kms_key_id
		9  |   tags              = var.tags
		10 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.delius_db_security_group
	File: /db_service.tf:80-85
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis.html

		80 | resource "aws_security_group" "delius_db_security_group" {
		81 |   name        = "Delius Core DB"
		82 |   description = "Rules for the delius testing db ecs service"
		83 |   vpc_id      = var.account_config.shared_vpc_id
		84 |   tags        = local.tags
		85 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.ldap
	File: /ldap_ecs.tf:73-81
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis.html

		73 | resource "aws_security_group" "ldap" {
		74 |   name        = "${var.env_name}-ldap-sg"
		75 |   description = "Security group for the ${var.env_name} ldap service"
		76 |   vpc_id      = var.account_info.vpc_id
		77 |   tags        = local.tags
		78 |   lifecycle {
		79 |     create_before_destroy = true
		80 |   }
		81 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.delius_core_frontend_security_group
	File: /weblogic_service.tf:111-116
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis.html

		111 | resource "aws_security_group" "delius_core_frontend_security_group" {
		112 |   name        = "Delius Core Frontend Weblogic"
		113 |   description = "Rules for the delius testing frontend ecs service"
		114 |   vpc_id      = var.account_config.shared_vpc_id
		115 |   tags        = local.tags
		116 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.weblogic
	File: /weblogic_service.tf:181-189
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis.html

		181 | resource "aws_security_group" "weblogic" {
		182 |   name        = "${var.env_name}-weblogic-sg"
		183 |   description = "Security group for the ${var.env_name} weblogic service"
		184 |   vpc_id      = var.account_info.vpc_id
		185 |   tags        = local.tags
		186 |   lifecycle {
		187 |     create_before_destroy = true
		188 |   }
		189 | }

Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
	FAILED for resource: aws_ssm_parameter.delius_core_frontend_env_var_test_mode
	File: /weblogic_params.tf:30-35
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html

		30 | resource "aws_ssm_parameter" "delius_core_frontend_env_var_test_mode" {
		31 |   name  = format("/%s/%s/TEST_MODE", var.account_info.application_name, var.env_name)
		32 |   type  = "String"
		33 |   value = "true"
		34 |   tags  = local.tags
		35 | }

Check: CKV2_AWS_23: "Route53 A Record has Attached Resource"
	FAILED for resource: aws_route53_record.delius-core-db
	File: /db_service.tf:70-78
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-route53-a-record-has-an-attached-resource.html

		70 | resource "aws_route53_record" "delius-core-db" {
		71 |   count    = var.env_name == "dev" ? 1 : 0
		72 |   provider = aws.core-vpc
		73 |   zone_id  = var.account_config.route53_inner_zone_info.zone_id
		74 |   name     = "${var.app_name}-${var.env_name}-${var.delius_db_container_config.fully_qualified_name}.${var.account_config.route53_inner_zone_info.name}"
		75 |   type     = "A"
		76 |   ttl      = 300
		77 |   records  = ["10.26.25.202"]
		78 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.delius_core_ldap_credential
	File: /ldap_params.tf:2-4

		2 | resource "aws_secretsmanager_secret" "delius_core_ldap_credential" {
		3 |   name = "${var.account_info.application_name}-${var.env_name}-openldap-bind-password"
		4 | }


checkov_exitcode=1

CTFLint Scan Success

*****************************

Setting default tflint config...
Running tflint --init...
Installing `terraform` plugin...
Installed `terraform` (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.2.1)
tflint will check the following folders:
terraform/environments/delius-core/modules/environment_all_components

*****************************

Running tflint in terraform/environments/delius-core/modules/environment_all_components
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

@ep-93 ep-93 merged commit eccbab9 into main Sep 12, 2023
12 of 13 checks passed
@ep-93 ep-93 deleted the Test_Instance_120923_2 branch September 12, 2023 08:53
vladimir-kovalyov pushed a commit that referenced this pull request Sep 14, 2023