Network Load Balancer Security Group #3365

Merged
merged 9 commits into from
Sep 18, 2023

Conversation

@gwionap gwionap commented Sep 15, 2023

Attempting to associate a security group with the load balancer and allow connection via redshift security group.

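The PR description above gives the intent but not the code, so here is the pattern written out as an added example (this is not the PR's own Terraform). Assumptions made here: the load balancer is an internal NLB fronting a Redshift cluster on TCP 5439, and `var.redshift_security_group_id`, `var.client_cidrs`, `local.private_subnet_ids` and `data.aws_vpc.shared` are inputs the surrounding module is expected to define. The security-relevant part is that the NLB gets its own security group, so the Redshift security group can admit the NLB by security-group reference instead of by subnet or client CIDR, and the NLB itself has no `0.0.0.0/0` egress:

```hcl
# Added example, not the PR's code. Assumptions: the NLB fronts a Redshift
# cluster on TCP 5439; var.redshift_security_group_id, var.client_cidrs,
# local.private_subnet_ids and data.aws_vpc.shared are defined by the caller.

# Security group owned by the NLB itself. AWS added security-group support
# for Network Load Balancers in August 2023; it can only be attached when the
# NLB is created, an existing NLB without one has to be recreated.
resource "aws_security_group" "nlb" {
  name        = "redshift-nlb"
  description = "Security group for the Redshift-facing Network Load Balancer"
  vpc_id      = data.aws_vpc.shared.id
}

# Inbound to the NLB: only the listener port, only from approved client ranges.
resource "aws_vpc_security_group_ingress_rule" "nlb_clients" {
  for_each          = toset(var.client_cidrs)
  security_group_id = aws_security_group.nlb.id
  description       = "Redshift clients"
  cidr_ipv4         = each.value
  ip_protocol       = "tcp"
  from_port         = 5439
  to_port           = 5439
}

# Outbound from the NLB: only to members of the Redshift security group on
# 5439. No catch-all egress, which is what aws-ec2-no-public-egress-sgr flags.
resource "aws_vpc_security_group_egress_rule" "nlb_to_redshift" {
  security_group_id            = aws_security_group.nlb.id
  description                  = "NLB to Redshift"
  referenced_security_group_id = var.redshift_security_group_id
  ip_protocol                  = "tcp"
  from_port                    = 5439
  to_port                      = 5439
}

# Redshift side: trust the NLB's security group by reference. Without a
# security group on the NLB, client IP preservation would force this rule
# to list the client CIDRs instead.
resource "aws_vpc_security_group_ingress_rule" "redshift_from_nlb" {
  security_group_id            = var.redshift_security_group_id
  description                  = "Redshift from NLB"
  referenced_security_group_id = aws_security_group.nlb.id
  ip_protocol                  = "tcp"
  from_port                    = 5439
  to_port                      = 5439
}

resource "aws_lb" "redshift" {
  name               = "redshift-nlb"
  load_balancer_type = "network"
  internal           = true
  subnets            = local.private_subnet_ids
  security_groups    = [aws_security_group.nlb.id]

  # Also apply the inbound rules to traffic arriving over PrivateLink.
  enforce_security_group_inbound_rules_on_private_link_traffic = "on"
}

resource "aws_lb_target_group" "redshift" {
  name        = "redshift-nlb-tg"
  port        = 5439
  protocol    = "TCP"
  target_type = "ip"
  vpc_id      = data.aws_vpc.shared.id
}

resource "aws_lb_listener" "redshift" {
  load_balancer_arn = aws_lb.redshift.arn
  port              = 5439
  protocol          = "TCP"

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.redshift.arn
  }
}
```

Registering the cluster's private IP as a target (`aws_lb_target_group_attachment`) is left out because it depends on how the Redshift address is looked up. Two things to check after applying: `terraform plan` on an NLB that already exists without a security group will show a replacement, not an in-place update; and tfsec will still report the client CIDR rules as "ingress from public internet" whenever the ranges are public addresses, as the scan output below shows for the delius-jitbit load balancer, so those are the rules to review and, if accepted, annotate rather than widen.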
@gwionap gwionap requested review from a team as code owners September 15, 2023 08:26
@github-actions github-actions bot added the environments-repository Used to exclude PRs from this repo in our Slack PR update label Sep 15, 2023
@gwionap gwionap had a problem deploying to data-and-insights-wepi-development September 15, 2023 08:28 — with GitHub Actions Failure
@github-actions

TFSEC Scan Success

*****************************

TFSEC will check the following folders:

Checkov Scan Success

*****************************

Checkov will check the following folders:

CTFLint Scan Success

*****************************

Setting default tflint config...
Running tflint --init...
Installing `terraform` plugin...
Installed `terraform` (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.2.1)
tflint will check the following folders:

@gwionap gwionap deployed to data-and-insights-wepi-development September 15, 2023 08:43 — with GitHub Actions Active
@gwionap gwionap deployed to data-and-insights-wepi-development September 15, 2023 09:25 — with GitHub Actions Active
@gwionap gwionap deployed to data-and-insights-wepi-development September 15, 2023 12:30 — with GitHub Actions Active
@gwionap gwionap deployed to data-and-insights-wepi-development September 15, 2023 13:43 — with GitHub Actions Active
@gwionap gwionap deployed to data-and-insights-wepi-development September 15, 2023 13:55 — with GitHub Actions Active
@gwionap gwionap deployed to data-and-insights-wepi-development September 15, 2023 16:25 — with GitHub Actions Active
@github-actions

TFSEC Scan Failed

*****************************

TFSEC will check the following folders:
terraform/environments/delius-jitbit

*****************************

Running TFSEC in terraform/environments/delius-jitbit
Excluding the following checks: AWS095

======================================================
tfsec is joining the Trivy family

tfsec will continue to remain available 
for the time being, although our engineering 
attention will be directed at Trivy going forward.

You can read more here: 
https://github.com/aquasecurity/tfsec/discussions/1994
======================================================

Result #1 CRITICAL Security group rule allows egress to multiple public internet addresses. 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:70
────────────────────────────────────────────────────────────────────────────────
   64    resource "aws_security_group_rule" "allow_all_egress" {
   65      description       = "Allow all outbound traffic to any IPv4 address"
   66      type              = "egress"
   67      from_port         = 0
   68      to_port           = 0
   69      protocol          = "-1"
   70  [   cidr_blocks       = ["0.0.0.0/0"]
   71      security_group_id = aws_security_group.jitbit.id
   72    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-no-public-egress-sgr
      Impact Your port is egressing data to the internet
  Resolution Set a more restrictive cidr range

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/no-public-egress-sgr/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
────────────────────────────────────────────────────────────────────────────────


Results #2-13 CRITICAL Security group rule allows ingress from public internet. (12 similar results)
────────────────────────────────────────────────────────────────────────────────
  lb.tf:36-54
────────────────────────────────────────────────────────────────────────────────
   26    resource "aws_security_group" "load_balancer_security_group" {
   ..  
   36  ┌     cidr_blocks = [
   37  │       "81.134.202.29/32",  # MoJ Digital VPN
   38  │       "217.33.148.210/32", # Digital studio
   39  │       "195.59.75.0/24",    # ARK internet (DOM1)
   40  │       "194.33.192.0/25",   # ARK internet (DOM1)
   41  │       "194.33.193.0/25",   # ARK internet (DOM1)
   42  │       "194.33.196.0/25",   # ARK internet (DOM1)
   ..  
────────────────────────────────────────────────────────────────────────────────
  Individual Causes
  - lb.tf:26-81 (aws_security_group.load_balancer_security_group) 12 instances
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-no-public-ingress-sgr
      Impact Your port exposed to the internet
  Resolution Set a more restrictive cidr range

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/no-public-ingress-sgr/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule#cidr_blocks
────────────────────────────────────────────────────────────────────────────────


Results #14-19 CRITICAL Security group rule allows ingress from public internet. (6 similar results)
────────────────────────────────────────────────────────────────────────────────
  lb.tf:56-64
────────────────────────────────────────────────────────────────────────────────
   26    resource "aws_security_group" "load_balancer_security_group" {
   ..  
   56  ┌     ipv6_cidr_blocks = [
   57  │       # Route53 Healthcheck Access Cidrs IPv6
   58  │       "2406:da18:7ff:f800::/53",  # ap-southeast-1 Region
   59  │       "2406:da18:fff:f800::/53",  # ap-southeast-1 Region
   60  │       "2a05:d018:fff:f800::/53",  # eu-west-1 Region
   61  │       "2a05:d018:7ff:f800::/53",  # eu-west-1 Region
   62  │       "2600:1f18:7fff:f800::/53", # us-east-1 Region
   ..  
────────────────────────────────────────────────────────────────────────────────
  Individual Causes
  - lb.tf:26-81 (aws_security_group.load_balancer_security_group) 6 instances
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-no-public-ingress-sgr
      Impact Your port exposed to the internet
  Resolution Set a more restrictive cidr range

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/no-public-ingress-sgr/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule#cidr_blocks
────────────────────────────────────────────────────────────────────────────────


Result #20 HIGH IAM policy document uses sensitive action 'ssm:GetParameters' on wildcarded resource '*' 
────────────────────────────────────────────────────────────────────────────────
  iam.tf:101
────────────────────────────────────────────────────────────────────────────────
   98    data "aws_iam_policy_document" "ecs_exec" {
   ..  
  101  [     resources = ["*"]
  ...  
  114    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #21 HIGH IAM policy document uses sensitive action 'elasticloadbalancing:Describe*' on wildcarded resource '*' 
────────────────────────────────────────────────────────────────────────────────
  iam.tf:40
────────────────────────────────────────────────────────────────────────────────
   37    data "aws_iam_policy_document" "ecs_service_policy" {
   ..  
   40  [     resources = ["*"]
   ..  
   52    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Results #22-23 HIGH IAM policy document uses wildcarded action 'elasticloadbalancing:Describe*' (2 similar results)
────────────────────────────────────────────────────────────────────────────────
  iam.tf:42-50
────────────────────────────────────────────────────────────────────────────────
   37    data "aws_iam_policy_document" "ecs_service_policy" {
   38      statement {
   39        effect    = "Allow"
   40        resources = ["*"]
   41    
   42  ┌     actions = [
   43  │       "elasticloadbalancing:Describe*",
   44  │       "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
   45  │       "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
   ..  
────────────────────────────────────────────────────────────────────────────────
  Individual Causes
  - iam.tf:37-52 (data.aws_iam_policy_document.ecs_service_policy) 2 instances
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #24 HIGH Topic does not have encryption enabled. 
────────────────────────────────────────────────────────────────────────────────
  monitoring.tf:6-8
────────────────────────────────────────────────────────────────────────────────
    6    resource "aws_sns_topic" "jitbit_alerting" {
    7      name = "jitbit_alerting"
    8    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-sns-enable-topic-encryption
      Impact The SNS topic messages could be read if compromised
  Resolution Turn on SNS Topic encryption

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/sns/enable-topic-encryption/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic#example-with-server-side-encryption-sse
────────────────────────────────────────────────────────────────────────────────


Result #25 MEDIUM Instance does not have Deletion Protection enabled 
────────────────────────────────────────────────────────────────────────────────
  rds.tf:50
────────────────────────────────────────────────────────────────────────────────
   50      deletion_protection         = local.application_data.accounts[local.environment].db_deletion_protection
────────────────────────────────────────────────────────────────────────────────
  Rego Package builtin.aws.rds.aws0177
     Rego Rule deny
────────────────────────────────────────────────────────────────────────────────


Result #26 LOW Log group is not encrypted. 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:84-87
────────────────────────────────────────────────────────────────────────────────
   84    resource "aws_cloudwatch_log_group" "jitbit" {
   85      name              = format("%s-ecs", local.application_name)
   86      retention_in_days = 30
   87    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-cloudwatch-log-group-customer-key
      Impact Log data may be leaked if the logs are compromised. No auditing of who have viewed the logs.
  Resolution Enable CMK encryption of CloudWatch Log Groups

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/cloudwatch/log-group-customer-key/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group#kms_key_id
────────────────────────────────────────────────────────────────────────────────


Result #27 LOW Log group is not encrypted. 
────────────────────────────────────────────────────────────────────────────────
  monitoring_app.tf:1-6
────────────────────────────────────────────────────────────────────────────────
    1    resource "aws_cloudwatch_log_group" "app_logs" {
    2      name              = "delius-jitbit-app"
    3      retention_in_days = 30
    4    
    5      tags = local.tags
    6    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-cloudwatch-log-group-customer-key
      Impact Log data may be leaked if the logs are compromised. No auditing of who have viewed the logs.
  Resolution Enable CMK encryption of CloudWatch Log Groups

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/cloudwatch/log-group-customer-key/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group#kms_key_id
────────────────────────────────────────────────────────────────────────────────


Result #28 LOW Log group is not encrypted. 
────────────────────────────────────────────────────────────────────────────────
  waf.tf:59-63
────────────────────────────────────────────────────────────────────────────────
   59    resource "aws_cloudwatch_log_group" "waf" {
   60      name              = "aws-waf-logs-${local.application_name}"
   61      retention_in_days = 60
   62      tags              = local.tags
   63    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-cloudwatch-log-group-customer-key
      Impact Log data may be leaked if the logs are compromised. No auditing of who have viewed the logs.
  Resolution Enable CMK encryption of CloudWatch Log Groups

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/cloudwatch/log-group-customer-key/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group#kms_key_id
────────────────────────────────────────────────────────────────────────────────


  timings
  ──────────────────────────────────────────
  disk i/o             1.240228ms
  parsing              3.41743945s
  adaptation           5.578619ms
  checks               49.243953ms
  total                3.47350225s

  counts
  ──────────────────────────────────────────
  modules downloaded   4
  modules processed    7
  blocks processed     315
  files read           51

  results
  ──────────────────────────────────────────
  passed               70
  ignored              39
  critical             19
  high                 5
  medium               1
  low                  3

  70 passed, 39 ignored, 28 potential problem(s) detected.

tfsec_exitcode=1

Checkov Scan Failed

*****************************

Checkov will check the following folders:
terraform/environments/delius-jitbit

*****************************

Running Checkov in terraform/environments/delius-jitbit
2023-09-15 16:26:37,611 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//cluster?ref=v2.0.1:None (for external modules, the --download-external-modules flag is required)
2023-09-15 16:26:37,612 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0:None (for external modules, the --download-external-modules flag is required)
2023-09-15 16:26:37,612 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0:None (for external modules, the --download-external-modules flag is required)
2023-09-15 16:26:37,612 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.0.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 167, Failed checks: 23, Skipped checks: 8

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: bastion_linux
	File: /bastion_linux.tf:6-37

		6  | module "bastion_linux" {
		7  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.0.0"
		8  | 
		9  |   providers = {
		10 |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		11 |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		12 |   }
		13 | 
		14 |   # s3 - used for logs and user ssh public keys
		15 |   bucket_name          = "bastion"
		16 |   bucket_versioning    = true
		17 |   bucket_force_destroy = true
		18 |   # public keys
		19 |   public_key_data = local.public_key_data.keys[local.environment]
		20 |   # logs
		21 |   log_auto_clean       = "Enabled"
		22 |   log_standard_ia_days = 30  # days before moving to IA storage
		23 |   log_glacier_days     = 60  # days before moving to Glacier
		24 |   log_expiry_days      = 180 # days before log expiration
		25 |   # bastion
		26 |   allow_ssh_commands = false
		27 | 
		28 |   app_name      = var.networking[0].application
		29 |   business_unit = local.vpc_name
		30 |   subnet_set    = local.subnet_set
		31 |   environment   = local.environment
		32 |   region        = "eu-west-2"
		33 | 
		34 |   # Tags
		35 |   tags_common = local.tags
		36 |   tags_prefix = terraform.workspace
		37 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: ecs
	File: /ecs.tf:1-8

		1 | module "ecs" {
		2 |   source = "github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//cluster?ref=v2.0.1"
		3 | 
		4 |   environment = local.environment
		5 |   name        = local.application_name
		6 | 
		7 |   tags = local.tags
		8 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3_bucket_app_deployment
	File: /ecs.tf:11-51

		11 | module "s3_bucket_app_deployment" {
		12 | 
		13 |   source = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0"
		14 | 
		15 |   providers = {
		16 |     aws.bucket-replication = aws
		17 |   }
		18 |   bucket_name        = "${local.application_name}-${local.environment}-deployment"
		19 |   versioning_enabled = true
		20 | 
		21 |   ownership_controls = "BucketOwnerEnforced"
		22 | 
		23 |   lifecycle_rule = [
		24 |     {
		25 |       id      = "main"
		26 |       enabled = "Enabled"
		27 |       prefix  = ""
		28 | 
		29 |       tags = {
		30 |         rule      = "log"
		31 |         autoclean = "true"
		32 |       }
		33 | 
		34 |       noncurrent_version_transition = [
		35 |         {
		36 |           days          = 90
		37 |           storage_class = "STANDARD_IA"
		38 |           }, {
		39 |           days          = 365
		40 |           storage_class = "GLACIER"
		41 |         }
		42 |       ]
		43 | 
		44 |       noncurrent_version_expiration = {
		45 |         days = 730
		46 |       }
		47 |     }
		48 |   ]
		49 | 
		50 |   tags = local.tags
		51 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.jitbit
	File: /ecs.tf:84-87

		84 | resource "aws_cloudwatch_log_group" "jitbit" {
		85 |   name              = format("%s-ecs", local.application_name)
		86 |   retention_in_days = 30
		87 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.jitbit
	File: /ecs.tf:84-87
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html

		84 | resource "aws_cloudwatch_log_group" "jitbit" {
		85 |   name              = format("%s-ecs", local.application_name)
		86 |   retention_in_days = 30
		87 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.ecs_service_policy
	File: /iam.tf:37-52

		37 | data "aws_iam_policy_document" "ecs_service_policy" {
		38 |   statement {
		39 |     effect    = "Allow"
		40 |     resources = ["*"]
		41 | 
		42 |     actions = [
		43 |       "elasticloadbalancing:Describe*",
		44 |       "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
		45 |       "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
		46 |       "ec2:Describe*",
		47 |       "ec2:AuthorizeSecurityGroupIngress",
		48 |       "elasticloadbalancing:RegisterTargets",
		49 |       "elasticloadbalancing:DeregisterTargets"
		50 |     ]
		51 |   }
		52 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.ecs_service_policy
	File: /iam.tf:37-52
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint.html

		37 | data "aws_iam_policy_document" "ecs_service_policy" {
		38 |   statement {
		39 |     effect    = "Allow"
		40 |     resources = ["*"]
		41 | 
		42 |     actions = [
		43 |       "elasticloadbalancing:Describe*",
		44 |       "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
		45 |       "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
		46 |       "ec2:Describe*",
		47 |       "ec2:AuthorizeSecurityGroupIngress",
		48 |       "elasticloadbalancing:RegisterTargets",
		49 |       "elasticloadbalancing:DeregisterTargets"
		50 |     ]
		51 |   }
		52 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.ecs_exec
	File: /iam.tf:98-114

		98  | data "aws_iam_policy_document" "ecs_exec" {
		99  |   statement {
		100 |     effect    = "Allow"
		101 |     resources = ["*"]
		102 | 
		103 |     actions = [
		104 |       "ssm:GetParameters",
		105 |       "ecr:GetAuthorizationToken",
		106 |       "ecr:BatchCheckLayerAvailability",
		107 |       "ecr:GetDownloadUrlForLayer",
		108 |       "ecr:BatchGetImage",
		109 |       "logs:CreateLogGroup",
		110 |       "logs:CreateLogStream",
		111 |       "logs:PutLogEvents"
		112 |     ]
		113 |   }
		114 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.ecs_exec
	File: /iam.tf:98-114
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint.html

		98  | data "aws_iam_policy_document" "ecs_exec" {
		99  |   statement {
		100 |     effect    = "Allow"
		101 |     resources = ["*"]
		102 | 
		103 |     actions = [
		104 |       "ssm:GetParameters",
		105 |       "ecr:GetAuthorizationToken",
		106 |       "ecr:BatchCheckLayerAvailability",
		107 |       "ecr:GetDownloadUrlForLayer",
		108 |       "ecr:BatchGetImage",
		109 |       "logs:CreateLogGroup",
		110 |       "logs:CreateLogStream",
		111 |       "logs:PutLogEvents"
		112 |     ]
		113 |   }
		114 | }

Check: CKV_AWS_108: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_policy_document.ecs_exec
	File: /iam.tf:98-114
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-data-exfiltration.html

		98  | data "aws_iam_policy_document" "ecs_exec" {
		99  |   statement {
		100 |     effect    = "Allow"
		101 |     resources = ["*"]
		102 | 
		103 |     actions = [
		104 |       "ssm:GetParameters",
		105 |       "ecr:GetAuthorizationToken",
		106 |       "ecr:BatchCheckLayerAvailability",
		107 |       "ecr:GetDownloadUrlForLayer",
		108 |       "ecr:BatchGetImage",
		109 |       "logs:CreateLogGroup",
		110 |       "logs:CreateLogStream",
		111 |       "logs:PutLogEvents"
		112 |     ]
		113 |   }
		114 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: pagerduty_core_alerts
	File: /monitoring.tf:37-44

		37 | module "pagerduty_core_alerts" {
		38 |   depends_on = [
		39 |     aws_sns_topic.jitbit_alerting
		40 |   ]
		41 |   source                    = "github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0"
		42 |   sns_topics                = [aws_sns_topic.jitbit_alerting.name]
		43 |   pagerduty_integration_key = local.pagerduty_integration_key
		44 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.jitbit_alerting
	File: /monitoring.tf:6-8
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-15.html

		6 | resource "aws_sns_topic" "jitbit_alerting" {
		7 |   name = "jitbit_alerting"
		8 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.app_logs
	File: /monitoring_app.tf:1-6

		1 | resource "aws_cloudwatch_log_group" "app_logs" {
		2 |   name              = "delius-jitbit-app"
		3 |   retention_in_days = 30
		4 | 
		5 |   tags = local.tags
		6 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.app_logs
	File: /monitoring_app.tf:1-6
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html

		1 | resource "aws_cloudwatch_log_group" "app_logs" {
		2 |   name              = "delius-jitbit-app"
		3 |   retention_in_days = 30
		4 | 
		5 |   tags = local.tags
		6 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: aws_db_instance.jitbit
	File: /rds.tf:36-79

		36 | resource "aws_db_instance" "jitbit" {
		37 |   engine         = "sqlserver-se"
		38 |   license_model  = "license-included"
		39 |   engine_version = local.application_data.accounts[local.environment].db_engine_version
		40 |   instance_class = local.application_data.accounts[local.environment].db_instance_class
		41 |   identifier     = "${local.application_name}-${local.environment}-database"
		42 |   username       = local.application_data.accounts[local.environment].db_user
		43 | 
		44 |   manage_master_user_password = true
		45 | 
		46 |   snapshot_identifier = try(local.application_data.accounts[local.environment].db_snapshot_identifier, null)
		47 | 
		48 |   # tflint-ignore: aws_db_instance_default_parameter_group
		49 |   parameter_group_name        = "default.sqlserver-se-15.0"
		50 |   deletion_protection         = local.application_data.accounts[local.environment].db_deletion_protection
		51 |   delete_automated_backups    = local.application_data.accounts[local.environment].db_delete_automated_backups
		52 |   skip_final_snapshot         = local.application_data.accounts[local.environment].db_skip_final_snapshot
		53 |   final_snapshot_identifier   = try(local.application_data.accounts[local.environment].db_final_snapshot_identifier, null)
		54 |   allocated_storage           = local.application_data.accounts[local.environment].db_allocated_storage
		55 |   max_allocated_storage       = local.application_data.accounts[local.environment].db_max_allocated_storage
		56 |   storage_type                = local.application_data.accounts[local.environment].db_storage_type
		57 |   maintenance_window          = local.application_data.accounts[local.environment].db_maintenance_window
		58 |   auto_minor_version_upgrade  = local.application_data.accounts[local.environment].db_auto_minor_version_upgrade
		59 |   allow_major_version_upgrade = local.application_data.accounts[local.environment].db_allow_major_version_upgrade
		60 |   backup_window               = local.application_data.accounts[local.environment].db_backup_window
		61 |   backup_retention_period     = local.application_data.accounts[local.environment].db_retention_period
		62 |   #checkov:skip=CKV_AWS_133: "backup_retention enabled, can be edited it application_variables.json"
		63 |   iam_database_authentication_enabled = local.application_data.accounts[local.environment].db_iam_database_authentication_enabled
		64 |   #checkov:skip=CKV_AWS_161: "iam auth enabled, but optional"
		65 |   db_subnet_group_name   = aws_db_subnet_group.jitbit.id
		66 |   vpc_security_group_ids = [aws_security_group.database_security_group.id]
		67 |   multi_az               = local.application_data.accounts[local.environment].db_multi_az
		68 |   #checkov:skip=CKV_AWS_157: "multi-az enabled, but optional"
		69 |   monitoring_interval = local.application_data.accounts[local.environment].db_monitoring_interval
		70 |   monitoring_role_arn = local.application_data.accounts[local.environment].db_monitoring_interval == 0 ? "" : aws_iam_role.rds_enhanced_monitoring[0].arn
		71 |   #checkov:skip=CKV_AWS_118: "enhanced monitoring is enabled, but optional"
		72 |   storage_encrypted               = true
		73 |   performance_insights_enabled    = local.application_data.accounts[local.environment].db_performance_insights_enabled
		74 |   performance_insights_kms_key_id = "" #tfsec:ignore:aws-rds-enable-performance-insights-encryption Left empty so that it will run, however should be populated with real key in scenario.
		75 |   enabled_cloudwatch_logs_exports = local.application_data.accounts[local.environment].db_enabled_cloudwatch_logs_exports
		76 |   tags = merge(local.tags,
		77 |     { Name = lower(format("%s-%s-database", local.application_name, local.environment)) }
		78 |   )
		79 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: jitbit_bucket
	File: /s3.tf:1-84

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.app_url
	File: /ssm.tf:2-6

		2 | resource "aws_ssm_parameter" "app_url" {
		3 |   name  = "/${var.networking[0].application}/environment/app-url"
		4 |   type  = "String"
		5 |   value = "https://${local.app_url}/"
		6 | }

Check: CKV_AWS_192: "Ensure WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell"
	FAILED for resource: aws_wafv2_web_acl.this
	File: /waf.tf:1-53
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-waf-prevents-message-lookup-in-log4j2.html

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.waf
	File: /waf.tf:59-63

		59 | resource "aws_cloudwatch_log_group" "waf" {
		60 |   name              = "aws-waf-logs-${local.application_name}"
		61 |   retention_in_days = 60
		62 |   tags              = local.tags
		63 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.waf
	File: /waf.tf:59-63
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html

		59 | resource "aws_cloudwatch_log_group" "waf" {
		60 |   name              = "aws-waf-logs-${local.application_name}"
		61 |   retention_in_days = 60
		62 |   tags              = local.tags
		63 | }

Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
	FAILED for resource: aws_ssm_parameter.app_url
	File: /ssm.tf:2-6
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html

		2 | resource "aws_ssm_parameter" "app_url" {
		3 |   name  = "/${var.networking[0].application}/environment/app-url"
		4 |   type  = "String"
		5 |   value = "https://${local.app_url}/"
		6 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.db_app_connection_string
	File: /secrets.tf:5-15

		5  | resource "aws_secretsmanager_secret" "db_app_connection_string" {
		6  |   #checkov:skip=CKV_AWS_149
		7  |   name                    = "${var.networking[0].application}-app-connection-string"
		8  |   recovery_window_in_days = 0
		9  |   tags = merge(
		10 |     local.tags,
		11 |     {
		12 |       Name = "${var.networking[0].application}-app-connection-string"
		13 |     },
		14 |   )
		15 | }

Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
	FAILED for resource: aws_db_instance.jitbit
	File: /rds.tf:36-79

		36 | resource "aws_db_instance" "jitbit" {
		37 |   engine         = "sqlserver-se"
		38 |   license_model  = "license-included"
		39 |   engine_version = local.application_data.accounts[local.environment].db_engine_version
		40 |   instance_class = local.application_data.accounts[local.environment].db_instance_class
		41 |   identifier     = "${local.application_name}-${local.environment}-database"
		42 |   username       = local.application_data.accounts[local.environment].db_user
		43 | 
		44 |   manage_master_user_password = true
		45 | 
		46 |   snapshot_identifier = try(local.application_data.accounts[local.environment].db_snapshot_identifier, null)
		47 | 
		48 |   # tflint-ignore: aws_db_instance_default_parameter_group
		49 |   parameter_group_name        = "default.sqlserver-se-15.0"
		50 |   deletion_protection         = local.application_data.accounts[local.environment].db_deletion_protection
		51 |   delete_automated_backups    = local.application_data.accounts[local.environment].db_delete_automated_backups
		52 |   skip_final_snapshot         = local.application_data.accounts[local.environment].db_skip_final_snapshot
		53 |   final_snapshot_identifier   = try(local.application_data.accounts[local.environment].db_final_snapshot_identifier, null)
		54 |   allocated_storage           = local.application_data.accounts[local.environment].db_allocated_storage
		55 |   max_allocated_storage       = local.application_data.accounts[local.environment].db_max_allocated_storage
		56 |   storage_type                = local.application_data.accounts[local.environment].db_storage_type
		57 |   maintenance_window          = local.application_data.accounts[local.environment].db_maintenance_window
		58 |   auto_minor_version_upgrade  = local.application_data.accounts[local.environment].db_auto_minor_version_upgrade
		59 |   allow_major_version_upgrade = local.application_data.accounts[local.environment].db_allow_major_version_upgrade
		60 |   backup_window               = local.application_data.accounts[local.environment].db_backup_window
		61 |   backup_retention_period     = local.application_data.accounts[local.environment].db_retention_period
		62 |   #checkov:skip=CKV_AWS_133: "backup_retention enabled, can be edited it application_variables.json"
		63 |   iam_database_authentication_enabled = local.application_data.accounts[local.environment].db_iam_database_authentication_enabled
		64 |   #checkov:skip=CKV_AWS_161: "iam auth enabled, but optional"
		65 |   db_subnet_group_name   = aws_db_subnet_group.jitbit.id
		66 |   vpc_security_group_ids = [aws_security_group.database_security_group.id]
		67 |   multi_az               = local.application_data.accounts[local.environment].db_multi_az
		68 |   #checkov:skip=CKV_AWS_157: "multi-az enabled, but optional"
		69 |   monitoring_interval = local.application_data.accounts[local.environment].db_monitoring_interval
		70 |   monitoring_role_arn = local.application_data.accounts[local.environment].db_monitoring_interval == 0 ? "" : aws_iam_role.rds_enhanced_monitoring[0].arn
		71 |   #checkov:skip=CKV_AWS_118: "enhanced monitoring is enabled, but optional"
		72 |   storage_encrypted               = true
		73 |   performance_insights_enabled    = local.application_data.accounts[local.environment].db_performance_insights_enabled
		74 |   performance_insights_kms_key_id = "" #tfsec:ignore:aws-rds-enable-performance-insights-encryption Left empty so that it will run, however should be populated with real key in scenario.
		75 |   enabled_cloudwatch_logs_exports = local.application_data.accounts[local.environment].db_enabled_cloudwatch_logs_exports
		76 |   tags = merge(local.tags,
		77 |     { Name = lower(format("%s-%s-database", local.application_name, local.environment)) }
		78 |   )
		79 | }


checkov_exitcode=1

CTFLint Scan Success

Show Output
*****************************

Setting default tflint config...
Running tflint --init...
Installing `terraform` plugin...
Installed `terraform` (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.2.1)
tflint will check the following folders:
terraform/environments/delius-jitbit

*****************************

Running tflint in terraform/environments/delius-jitbit
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0
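
The Checkov findings in the scan above each map onto a small argument change. The block below is an added worked example of the remediated Terraform, written for this page and not taken from the PR or the delius-jitbit code. It assumes a CMK named `aws_kms_key.jitbit` (one key is shared across log groups, SSM and Performance Insights for brevity; separate keys per data class are preferable), a `var.rotation_lambda_arn` pointing at a rotation function you deploy yourself, a `<commit-sha>` placeholder for the real module pin, and a WAF rule priority of 1. Arguments not shown are left exactly as they appear in the scan output.

```hcl
# Assumed CMK. The key policy must grant the CloudWatch Logs service principal
# use of the key, otherwise creating a KMS-encrypted log group fails with
# AccessDeniedException. The encryption-context condition keeps that grant
# scoped to log groups in this account and region.
data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

resource "aws_kms_key" "jitbit" {
  description         = "CMK for delius-jitbit logs, parameters and RDS Performance Insights"
  enable_key_rotation = true
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid       = "AccountAdmin"
        Effect    = "Allow"
        Principal = { AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root" }
        Action    = "kms:*"
        Resource  = "*"
      },
      {
        Sid       = "CloudWatchLogs"
        Effect    = "Allow"
        Principal = { Service = "logs.${data.aws_region.current.name}.amazonaws.com" }
        Action    = ["kms:Encrypt*", "kms:Decrypt*", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:Describe*"]
        Resource  = "*"
        Condition = {
          ArnLike = {
            "kms:EncryptionContext:aws:logs:arn" = "arn:aws:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:log-group:*"
          }
        }
      }
    ]
  })
}

# CKV_AWS_338 and CKV_AWS_158: retain for at least a year, encrypt with the CMK.
# The same two arguments fix aws_cloudwatch_log_group.waf.
resource "aws_cloudwatch_log_group" "app_logs" {
  name              = "delius-jitbit-app"
  retention_in_days = 365
  kms_key_id        = aws_kms_key.jitbit.arn
  tags              = local.tags
}

# CKV_AWS_337 and CKV2_AWS_34: both checks fire on any non-SecureString parameter,
# even a public URL, so the only way to clear them is a SecureString under a CMK.
resource "aws_ssm_parameter" "app_url" {
  name   = "/${var.networking[0].application}/environment/app-url"
  type   = "SecureString"
  key_id = aws_kms_key.jitbit.arn
  value  = "https://${local.app_url}/"
}

# CKV2_AWS_60 and CKV_AWS_354: tag snapshots and give Performance Insights a real key
# instead of the empty string carried in the scanned rds.tf.
resource "aws_db_instance" "jitbit" {
  # ... all other arguments unchanged from the scanned resource ...
  copy_tags_to_snapshot           = true
  performance_insights_enabled    = local.application_data.accounts[local.environment].db_performance_insights_enabled
  performance_insights_kms_key_id = aws_kms_key.jitbit.arn
}

# CKV2_AWS_57: rotation is a separate resource attached to the existing secret.
# var.rotation_lambda_arn is assumed; Secrets Manager needs a function that
# implements the createSecret/setSecret/testSecret/finishSecret steps.
resource "aws_secretsmanager_secret_rotation" "db_app_connection_string" {
  secret_id           = aws_secretsmanager_secret.db_app_connection_string.id
  rotation_lambda_arn = var.rotation_lambda_arn
  rotation_rules {
    automatically_after_days = 30
  }
}

# CKV_TF_1: pin the module to a full commit hash, not a branch or tag, so the
# source cannot move underneath you. <org>/<module-repo>/<commit-sha> are placeholders.
module "jitbit_bucket" {
  source = "github.com/<org>/<module-repo>?ref=<commit-sha>"
  # ... existing module inputs unchanged ...
}

# CKV_AWS_192: the check looks for AWSManagedRulesKnownBadInputsRuleSet (which carries
# the Log4JRCE rule) with override_action none. Priority 1 is an assumption.
resource "aws_wafv2_web_acl" "this" {
  # ... existing name, scope, default_action, visibility_config and rules unchanged ...
  rule {
    name     = "known-bad-inputs"
    priority = 1
    override_action {
      none {}
    }
    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesKnownBadInputsRuleSet"
        vendor_name = "AWS"
      }
    }
    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "known-bad-inputs"
      sampled_requests_enabled   = true
    }
  }
}
```

Two caveats the scanner does not raise. The scanned secret sets `recovery_window_in_days = 0`, which makes deletion immediate and irrecoverable; that is convenient for ephemeral environments but worth a conscious decision elsewhere. And the inline `#checkov:skip` annotations on the RDS resource document why a check is accepted, which is the right pattern; the empty `performance_insights_kms_key_id` with a `#tfsec:ignore` is not, because it silences one tool while still failing the other.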

@gwionap gwionap merged commit c4d2ff1 into main Sep 18, 2023
10 of 13 checks passed
@gwionap gwionap deleted the data-and-insights-lb-security-group branch September 18, 2023 13:48