
Create ACM certificate for DIH #3394

Closed
wants to merge 8 commits into from

Conversation

dms1981 (Contributor) commented Sep 18, 2023

This PR creates an ACM certificate and the necessary validation records that correspond to the name of the DNS record used for the current DIH network LB.

This will allow the use of a custom domain name for the Redshift cluster.
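What a DNS-validated ACM certificate tied to the load balancer's DNS name looks like in Terraform, added here as an illustration; it is not the PR's code. The zone name, the record name `dih.example.gov.uk`, the two input variables and the TLS listener are all assumptions. Two checks the PR title ("internal ACM certificate") makes worth doing: ACM's DNS validation only completes when the validation CNAMEs are publicly resolvable, so a record that exists only in a private hosted zone cannot validate a public ACM certificate (that case needs ACM Private CA), and the certificate has to be issued for the custom name clients resolve, since ACM will not issue for the NLB's own `*.elb.amazonaws.com` hostname.

```hcl
# Added example, not code from the PR. Values marked "assumed" are hypothetical.
locals {
  # assumed: the name clients resolve for the DIH network LB. It has to be a
  # name in a zone the account controls; ACM will not issue for the NLB's own
  # *.elb.amazonaws.com hostname.
  dih_lb_dns_name = "dih.example.gov.uk"
}

# assumed: the zone the LB record lives in. DNS validation only completes if
# the validation CNAMEs are publicly resolvable, so a purely private hosted
# zone cannot validate a public ACM certificate.
data "aws_route53_zone" "dih" {
  name         = "example.gov.uk."
  private_zone = false
}

variable "dih_nlb_arn" {
  type        = string
  description = "assumed: ARN of the existing DIH network load balancer"
}

variable "redshift_target_group_arn" {
  type        = string
  description = "assumed: ARN of the target group in front of the Redshift cluster"
}

resource "aws_acm_certificate" "dih" {
  domain_name       = local.dih_lb_dns_name
  validation_method = "DNS"

  # Listeners reference the ARN; issue the replacement before the old one goes.
  lifecycle {
    create_before_destroy = true
  }
}

# One validation CNAME per name on the certificate (one here; more if SANs are
# added later). allow_overwrite lets a re-issued certificate reuse the record.
resource "aws_route53_record" "dih_cert_validation" {
  for_each = {
    for dvo in aws_acm_certificate.dih.domain_validation_options :
    dvo.domain_name => {
      name   = dvo.resource_record_name
      record = dvo.resource_record_value
      type   = dvo.resource_record_type
    }
  }

  zone_id         = data.aws_route53_zone.dih.zone_id
  name            = each.value.name
  type            = each.value.type
  records         = [each.value.record]
  ttl             = 60
  allow_overwrite = true
}

# Waits until ACM has verified the CNAMEs, so anything that depends on this
# resource gets an ISSUED certificate rather than one still PENDING_VALIDATION.
resource "aws_acm_certificate_validation" "dih" {
  certificate_arn         = aws_acm_certificate.dih.arn
  validation_record_fqdns = [for r in aws_route53_record.dih_cert_validation : r.fqdn]
}

# assumed consumer: a TLS listener on the NLB terminating with the validated
# certificate on the Redshift port. Clients connect to local.dih_lb_dns_name
# and are presented a certificate that matches it.
resource "aws_lb_listener" "redshift_tls" {
  load_balancer_arn = var.dih_nlb_arn
  port              = 5439
  protocol          = "TLS"
  ssl_policy        = "ELBSecurityPolicy-TLS13-1-2-2021-06"
  certificate_arn   = aws_acm_certificate_validation.dih.certificate_arn

  default_action {
    type             = "forward"
    target_group_arn = var.redshift_target_group_arn
  }
}
```

After apply, `aws acm describe-certificate --certificate-arn <arn> --query Certificate.Status` should return `ISSUED`; a certificate still in `PENDING_VALIDATION` after a few minutes almost always means the validation CNAME is not publicly resolvable. The listener above terminates TLS at the NLB: with a TCP target group the hop to the target is plaintext, and only a TLS target group re-encrypts it.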

dms1981 requested review from a team as code owners September 18, 2023 14:34
github-actions bot added the environments-repository label ("Used to exclude PRs from this repo in our Slack PR update") Sep 18, 2023
dms1981 changed the title from "added content for internal ACM certificate" to "Create internal ACM certificate for DIH" Sep 18, 2023
dms1981 had a problem deploying to data-and-insights-wepi-development September 18, 2023 14:35 (GitHub Actions: Failure)
dms1981 had a problem deploying to data-and-insights-wepi-development September 18, 2023 14:36 (GitHub Actions: Failure)
github-actions bot commented:

TFSEC Scan Success

*****************************

TFSEC will check the following folders:
terraform/environments/nomis-data-hub

*****************************

Running TFSEC in terraform/environments/nomis-data-hub
Excluding the following checks: AWS095

======================================================
tfsec is joining the Trivy family

tfsec will continue to remain available 
for the time being, although our engineering 
attention will be directed at Trivy going forward.

You can read more here: 
https://github.com/aquasecurity/tfsec/discussions/1994
======================================================
  timings
  ──────────────────────────────────────────
  disk i/o             1.3718ms
  parsing              213.482553ms
  adaptation           152.1µs
  checks               15.130425ms
  total                230.136878ms

  counts
  ──────────────────────────────────────────
  modules downloaded   0
  modules processed    5
  blocks processed     261
  files read           67

  results
  ──────────────────────────────────────────
  passed               4
  ignored              0
  critical             0
  high                 0
  medium               0
  low                  0


No problems detected!

tfsec_exitcode=0

Checkov Scan Failed

*****************************

Checkov will check the following folders:
terraform/environments/nomis-data-hub

*****************************

Running Checkov in terraform/environments/nomis-data-hub
terraform scan results:

Passed checks: 102, Failed checks: 16, Skipped checks: 15

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.ndh_secrets["ndh_ems_host_b"]
	FAILED for resource: aws_ssm_parameter.ndh_secrets["ndh_harkemsadmin_ssl_pass"]
	FAILED for resource: aws_ssm_parameter.ndh_secrets["ndh_app_host_b"]
	FAILED for resource: aws_ssm_parameter.ndh_secrets["ndh_domain_name"]
	FAILED for resource: aws_ssm_parameter.ndh_secrets["ndh_app_host_a"]
	FAILED for resource: aws_ssm_parameter.ndh_secrets["ndh_admin_user"]
	FAILED for resource: aws_ssm_parameter.ndh_secrets["ndh_ems_port_1"]
	FAILED for resource: aws_ssm_parameter.ndh_secrets["ndh_ems_host_a"]
	FAILED for resource: aws_ssm_parameter.ndh_secrets["ndh_ems_port_2"]
	FAILED for resource: aws_ssm_parameter.ndh_secrets["ndh_host_os"]
	FAILED for resource: aws_ssm_parameter.ndh_secrets["ndh_admin_pass"]
	FAILED for resource: aws_ssm_parameter.ndh_secrets["ndh_host_os_version"]
	File: /main.tf:91-101 (the same block is reported once per for_each instance)

		91  | resource "aws_ssm_parameter" "ndh_secrets" {
		92  |   for_each = toset(local.ndh_secrets)
		93  |   name     = each.value
		94  |   type     = "SecureString"
		95  |   value    = random_password.random_value.result
		96  |   lifecycle {
		97  |     ignore_changes = [
		98  |       value,
		99  |     ]
		100 |   }
		101 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: module.baseline.aws_cloudwatch_log_group.route53
	File: /../../modules/baseline/route53.tf:156-167
	Calling File: /main.tf:43-83
	Guide (CKV_AWS_158): https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html

		156 | resource "aws_cloudwatch_log_group" "route53" {
		157 |   for_each = local.route53_zones_to_create
		158 | 
		159 |   provider = aws.us-east-1
		160 | 
		161 |   name              = "/route53/${each.key}"
		162 |   retention_in_days = 30
		163 | 
		164 |   tags = merge(local.tags, {
		165 |     Name = "aws/route53/${each.key}"
		166 |   })
		167 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: module.baseline.module.db_instance.aws_db_instance.this
	File: /../../modules/rds_instance/main.tf:5-58
	Calling File: /../../modules/baseline/rds_instance.tf:1-34

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
	FAILED for resource: module.baseline.module.db_instance.aws_db_instance.this
	File: /../../modules/rds_instance/main.tf:5-58
	Calling File: /../../modules/baseline/rds_instance.tf:1-34

		Code lines for this resource are too many. Please use IDE of your choice to review the file.

checkov_exitcode=1

CTFLint Scan Failed

*****************************

Setting default tflint config...
Running tflint --init...
Installing `terraform` plugin...
Installed `terraform` (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.2.1)
tflint will check the following folders:
terraform/environments/nomis-data-hub

*****************************

Running tflint in terraform/environments/nomis-data-hub
Excluding the following checks: terraform_unused_declarations
1 issue(s) found:

Warning: Missing version constraint for provider "random" in "required_providers" (terraform_required_providers)

  on terraform/environments/nomis-data-hub/main.tf line 86:
  86: resource "random_password" "random_value" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_required_providers.md

tflint_exitcode=2
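The Checkov and tflint findings above come down to a few attributes. As an added illustration, not the PR's code, here is the flagged `aws_ssm_parameter` and `aws_cloudwatch_log_group` pattern rewritten to satisfy CKV_AWS_337, CKV_AWS_338 and CKV_AWS_158 together with the `terraform_required_providers` warning. The KMS key and its policy, the region, the contents of `ndh_secrets`, the log group name and the provider versions are assumptions. The flagged block also shows something the KMS change does not alter: a single `random_password.random_value` feeds every `for_each` instance, so all twelve SecureString parameters are created with the same placeholder and `ignore_changes = [value]` leaves the real values to be set out of band. The two RDS findings (CKV_AWS_353, CKV_AWS_354) are the same shape on the module's `aws_db_instance`, which is not shown on this page: `performance_insights_enabled = true` plus `performance_insights_kms_key_id`.

```hcl
# Added example, not code from the PR. Values marked "assumed" are hypothetical.
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0" # assumed
    }
    # terraform_required_providers: random_password comes from this provider,
    # so it needs an explicit entry and version constraint here.
    random = {
      source  = "hashicorp/random"
      version = "~> 3.5" # assumed
    }
  }
}

data "aws_caller_identity" "current" {}

locals {
  ndh_secrets = ["ndh_admin_user", "ndh_admin_pass"] # assumed subset of the list
  region      = "eu-west-2"                         # assumed
  account_id  = data.aws_caller_identity.current.account_id
}

# Customer-managed key for both the parameters and the log group. CloudWatch
# Logs can only encrypt with it if the key policy grants the regional Logs
# service principal access; Checkov does not check that, but apply does.
resource "aws_kms_key" "ndh" {
  description         = "NDH SSM parameters and CloudWatch log groups"
  enable_key_rotation = true

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid       = "AccountAdmin"
        Effect    = "Allow"
        Principal = { AWS = "arn:aws:iam::${local.account_id}:root" }
        Action    = "kms:*"
        Resource  = "*"
      },
      {
        Sid       = "CloudWatchLogs"
        Effect    = "Allow"
        Principal = { Service = "logs.${local.region}.amazonaws.com" }
        Action    = ["kms:Encrypt*", "kms:Decrypt*", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:Describe*"]
        Resource  = "*"
        Condition = {
          ArnLike = {
            "kms:EncryptionContext:aws:logs:arn" = "arn:aws:logs:${local.region}:${local.account_id}:log-group:*"
          }
        }
      }
    ]
  })
}

resource "random_password" "random_value" {
  length  = 32
  special = false
}

# CKV_AWS_337: key_id selects the CMK; without it SecureString parameters are
# encrypted with the AWS-managed aws/ssm key. As in the flagged block, every
# instance is created with the same placeholder and ignore_changes leaves the
# real value to be set out of band.
resource "aws_ssm_parameter" "ndh_secrets" {
  for_each = toset(local.ndh_secrets)
  name     = each.value
  type     = "SecureString"
  key_id   = aws_kms_key.ndh.arn
  value    = random_password.random_value.result
  lifecycle {
    ignore_changes = [value]
  }
}

# CKV_AWS_338 and CKV_AWS_158: a year of retention and a CMK. The flagged
# route53 log group is created in us-east-1, and KMS keys are regional, so
# that group needs a key (with this same policy) created in us-east-1.
resource "aws_cloudwatch_log_group" "ndh" {
  name              = "/ndh/example" # assumed
  retention_in_days = 365
  kms_key_id        = aws_kms_key.ndh.arn
}
```

Checkov's CKV_AWS_158 and CKV_AWS_337 are attribute-presence checks: a `kms_key_id` or `key_id` pointing at a key whose policy does not admit the CloudWatch Logs service principal passes the scan and fails at apply time, so the key policy is the part to review by hand.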

gwionap previously approved these changes Sep 18, 2023
dms1981 had a problem deploying to data-and-insights-wepi-development September 18, 2023 14:40 (GitHub Actions: Failure)
github-actions bot commented:

TFSEC Scan Success
Checkov Scan Failed: Passed checks: 102, Failed checks: 16, Skipped checks: 15 (the same findings as the first scan)
CTFLint Scan Failed: the same terraform_required_providers warning as the first scan

@dms1981 dms1981 had a problem deploying to data-and-insights-wepi-development September 18, 2023 14:53 — with GitHub Actions Failure
@github-actions
Copy link
Contributor

TFSEC Scan Success

Show Output
*****************************

TFSEC will check the following folders:
terraform/environments/nomis-data-hub

*****************************

Running TFSEC in terraform/environments/nomis-data-hub
Excluding the following checks: AWS095

======================================================
tfsec is joining the Trivy family

tfsec will continue to remain available 
for the time being, although our engineering 
attention will be directed at Trivy going forward.

You can read more here: 
https://github.com/aquasecurity/tfsec/discussions/1994
======================================================
  timings
  ──────────────────────────────────────────
  disk i/o             2.067907ms
  parsing              294.405226ms
  adaptation           190.701µs
  checks               10.823849ms
  total                307.487683ms

  counts
  ──────────────────────────────────────────
  modules downloaded   0
  modules processed    5
  blocks processed     261
  files read           67

  results
  ──────────────────────────────────────────
  passed               4
  ignored              0
  critical             0
  high                 0
  medium               0
  low                  0


No problems detected!

tfsec_exitcode=0

Checkov Scan Failed

Show Output
*****************************

Checkov will check the following folders:
terraform/environments/nomis-data-hub

*****************************

Running Checkov in terraform/environments/nomis-data-hub
terraform scan results:

Passed checks: 102, Failed checks: 16, Skipped checks: 15

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.ndh_secrets["ndh_app_host_b"]
	File: /main.tf:91-101

		91  | resource "aws_ssm_parameter" "ndh_secrets" {
		92  |   for_each = toset(local.ndh_secrets)
		93  |   name     = each.value
		94  |   type     = "SecureString"
		95  |   value    = random_password.random_value.result
		96  |   lifecycle {
		97  |     ignore_changes = [
		98  |       value,
		99  |     ]
		100 |   }
		101 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.ndh_secrets["ndh_host_os"]
	File: /main.tf:91-101

		91  | resource "aws_ssm_parameter" "ndh_secrets" {
		92  |   for_each = toset(local.ndh_secrets)
		93  |   name     = each.value
		94  |   type     = "SecureString"
		95  |   value    = random_password.random_value.result
		96  |   lifecycle {
		97  |     ignore_changes = [
		98  |       value,
		99  |     ]
		100 |   }
		101 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.ndh_secrets["ndh_app_host_a"]
	File: /main.tf:91-101

		91  | resource "aws_ssm_parameter" "ndh_secrets" {
		92  |   for_each = toset(local.ndh_secrets)
		93  |   name     = each.value
		94  |   type     = "SecureString"
		95  |   value    = random_password.random_value.result
		96  |   lifecycle {
		97  |     ignore_changes = [
		98  |       value,
		99  |     ]
		100 |   }
		101 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.ndh_secrets["ndh_ems_host_b"]
	File: /main.tf:91-101

		91  | resource "aws_ssm_parameter" "ndh_secrets" {
		92  |   for_each = toset(local.ndh_secrets)
		93  |   name     = each.value
		94  |   type     = "SecureString"
		95  |   value    = random_password.random_value.result
		96  |   lifecycle {
		97  |     ignore_changes = [
		98  |       value,
		99  |     ]
		100 |   }
		101 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.ndh_secrets["ndh_ems_port_1"]
	File: /main.tf:91-101

		91  | resource "aws_ssm_parameter" "ndh_secrets" {
		92  |   for_each = toset(local.ndh_secrets)
		93  |   name     = each.value
		94  |   type     = "SecureString"
		95  |   value    = random_password.random_value.result
		96  |   lifecycle {
		97  |     ignore_changes = [
		98  |       value,
		99  |     ]
		100 |   }
		101 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.ndh_secrets["ndh_admin_pass"]
	File: /main.tf:91-101

		91  | resource "aws_ssm_parameter" "ndh_secrets" {
		92  |   for_each = toset(local.ndh_secrets)
		93  |   name     = each.value
		94  |   type     = "SecureString"
		95  |   value    = random_password.random_value.result
		96  |   lifecycle {
		97  |     ignore_changes = [
		98  |       value,
		99  |     ]
		100 |   }
		101 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.ndh_secrets["ndh_ems_port_2"]
	File: /main.tf:91-101

		91  | resource "aws_ssm_parameter" "ndh_secrets" {
		92  |   for_each = toset(local.ndh_secrets)
		93  |   name     = each.value
		94  |   type     = "SecureString"
		95  |   value    = random_password.random_value.result
		96  |   lifecycle {
		97  |     ignore_changes = [
		98  |       value,
		99  |     ]
		100 |   }
		101 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.ndh_secrets["ndh_harkemsadmin_ssl_pass"]
	File: /main.tf:91-101

		91  | resource "aws_ssm_parameter" "ndh_secrets" {
		92  |   for_each = toset(local.ndh_secrets)
		93  |   name     = each.value
		94  |   type     = "SecureString"
		95  |   value    = random_password.random_value.result
		96  |   lifecycle {
		97  |     ignore_changes = [
		98  |       value,
		99  |     ]
		100 |   }
		101 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.ndh_secrets["ndh_host_os_version"]
	File: /main.tf:91-101

		91  | resource "aws_ssm_parameter" "ndh_secrets" {
		92  |   for_each = toset(local.ndh_secrets)
		93  |   name     = each.value
		94  |   type     = "SecureString"
		95  |   value    = random_password.random_value.result
		96  |   lifecycle {
		97  |     ignore_changes = [
		98  |       value,
		99  |     ]
		100 |   }
		101 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.ndh_secrets["ndh_admin_user"]
	File: /main.tf:91-101

		91  | resource "aws_ssm_parameter" "ndh_secrets" {
		92  |   for_each = toset(local.ndh_secrets)
		93  |   name     = each.value
		94  |   type     = "SecureString"
		95  |   value    = random_password.random_value.result
		96  |   lifecycle {
		97  |     ignore_changes = [
		98  |       value,
		99  |     ]
		100 |   }
		101 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.ndh_secrets["ndh_domain_name"]
	File: /main.tf:91-101

		91  | resource "aws_ssm_parameter" "ndh_secrets" {
		92  |   for_each = toset(local.ndh_secrets)
		93  |   name     = each.value
		94  |   type     = "SecureString"
		95  |   value    = random_password.random_value.result
		96  |   lifecycle {
		97  |     ignore_changes = [
		98  |       value,
		99  |     ]
		100 |   }
		101 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.ndh_secrets["ndh_ems_host_a"]
	File: /main.tf:91-101

		91  | resource "aws_ssm_parameter" "ndh_secrets" {
		92  |   for_each = toset(local.ndh_secrets)
		93  |   name     = each.value
		94  |   type     = "SecureString"
		95  |   value    = random_password.random_value.result
		96  |   lifecycle {
		97  |     ignore_changes = [
		98  |       value,
		99  |     ]
		100 |   }
		101 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: module.baseline.aws_cloudwatch_log_group.route53
	File: /../../modules/baseline/route53.tf:156-167
	Calling File: /main.tf:43-83

		156 | resource "aws_cloudwatch_log_group" "route53" {
		157 |   for_each = local.route53_zones_to_create
		158 | 
		159 |   provider = aws.us-east-1
		160 | 
		161 |   name              = "/route53/${each.key}"
		162 |   retention_in_days = 30
		163 | 
		164 |   tags = merge(local.tags, {
		165 |     Name = "aws/route53/${each.key}"
		166 |   })
		167 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: module.baseline.aws_cloudwatch_log_group.route53
	File: /../../modules/baseline/route53.tf:156-167
	Calling File: /main.tf:43-83
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html

		156 | resource "aws_cloudwatch_log_group" "route53" {
		157 |   for_each = local.route53_zones_to_create
		158 | 
		159 |   provider = aws.us-east-1
		160 | 
		161 |   name              = "/route53/${each.key}"
		162 |   retention_in_days = 30
		163 | 
		164 |   tags = merge(local.tags, {
		165 |     Name = "aws/route53/${each.key}"
		166 |   })
		167 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: module.baseline.module.db_instance.aws_db_instance.this
	File: /../../modules/rds_instance/main.tf:5-58
	Calling File: /../../modules/baseline/rds_instance.tf:1-34

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
	FAILED for resource: module.baseline.module.db_instance.aws_db_instance.this
	File: /../../modules/rds_instance/main.tf:5-58
	Calling File: /../../modules/baseline/rds_instance.tf:1-34

		Code lines for this resource are too many. Please use IDE of your choice to review the file.

checkov_exitcode=1

CTFLint Scan Failed

*****************************

Setting default tflint config...
Running tflint --init...
Installing `terraform` plugin...
Installed `terraform` (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.2.1)
tflint will check the following folders:
terraform/environments/nomis-data-hub

*****************************

Running tflint in terraform/environments/nomis-data-hub
Excluding the following checks: terraform_unused_declarations
1 issue(s) found:

Warning: Missing version constraint for provider "random" in "required_providers" (terraform_required_providers)

  on terraform/environments/nomis-data-hub/main.tf line 86:
  86: resource "random_password" "random_value" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_required_providers.md

tflint_exitcode=2

@dms1981 dms1981 had a problem deploying to data-and-insights-wepi-development September 18, 2023 17:44 — with GitHub Actions Failure
@github-actions

TFSEC Scan Success

*****************************

TFSEC will check the following folders:
terraform/environments/nomis-data-hub

*****************************

Running TFSEC in terraform/environments/nomis-data-hub
Excluding the following checks: AWS095

======================================================
tfsec is joining the Trivy family

tfsec will continue to remain available 
for the time being, although our engineering 
attention will be directed at Trivy going forward.

You can read more here: 
https://github.com/aquasecurity/tfsec/discussions/1994
======================================================
  timings
  ──────────────────────────────────────────
  disk i/o             1.584325ms
  parsing              233.58385ms
  adaptation           160.403µs
  checks               8.556041ms
  total                243.884619ms

  counts
  ──────────────────────────────────────────
  modules downloaded   0
  modules processed    5
  blocks processed     261
  files read           67

  results
  ──────────────────────────────────────────
  passed               4
  ignored              0
  critical             0
  high                 0
  medium               0
  low                  0


No problems detected!

tfsec_exitcode=0

Checkov Scan Failed

*****************************

Checkov will check the following folders:
terraform/environments/nomis-data-hub

*****************************

Running Checkov in terraform/environments/nomis-data-hub
terraform scan results:

Passed checks: 102, Failed checks: 16, Skipped checks: 15

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.ndh_secrets["ndh_app_host_b"]
	File: /main.tf:91-101

		91  | resource "aws_ssm_parameter" "ndh_secrets" {
		92  |   for_each = toset(local.ndh_secrets)
		93  |   name     = each.value
		94  |   type     = "SecureString"
		95  |   value    = random_password.random_value.result
		96  |   lifecycle {
		97  |     ignore_changes = [
		98  |       value,
		99  |     ]
		100 |   }
		101 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.ndh_secrets["ndh_host_os_version"]
	File: /main.tf:91-101

		91  | resource "aws_ssm_parameter" "ndh_secrets" {
		92  |   for_each = toset(local.ndh_secrets)
		93  |   name     = each.value
		94  |   type     = "SecureString"
		95  |   value    = random_password.random_value.result
		96  |   lifecycle {
		97  |     ignore_changes = [
		98  |       value,
		99  |     ]
		100 |   }
		101 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.ndh_secrets["ndh_admin_user"]
	File: /main.tf:91-101

		91  | resource "aws_ssm_parameter" "ndh_secrets" {
		92  |   for_each = toset(local.ndh_secrets)
		93  |   name     = each.value
		94  |   type     = "SecureString"
		95  |   value    = random_password.random_value.result
		96  |   lifecycle {
		97  |     ignore_changes = [
		98  |       value,
		99  |     ]
		100 |   }
		101 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.ndh_secrets["ndh_harkemsadmin_ssl_pass"]
	File: /main.tf:91-101

		91  | resource "aws_ssm_parameter" "ndh_secrets" {
		92  |   for_each = toset(local.ndh_secrets)
		93  |   name     = each.value
		94  |   type     = "SecureString"
		95  |   value    = random_password.random_value.result
		96  |   lifecycle {
		97  |     ignore_changes = [
		98  |       value,
		99  |     ]
		100 |   }
		101 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.ndh_secrets["ndh_ems_port_2"]
	File: /main.tf:91-101

		91  | resource "aws_ssm_parameter" "ndh_secrets" {
		92  |   for_each = toset(local.ndh_secrets)
		93  |   name     = each.value
		94  |   type     = "SecureString"
		95  |   value    = random_password.random_value.result
		96  |   lifecycle {
		97  |     ignore_changes = [
		98  |       value,
		99  |     ]
		100 |   }
		101 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.ndh_secrets["ndh_host_os"]
	File: /main.tf:91-101

		91  | resource "aws_ssm_parameter" "ndh_secrets" {
		92  |   for_each = toset(local.ndh_secrets)
		93  |   name     = each.value
		94  |   type     = "SecureString"
		95  |   value    = random_password.random_value.result
		96  |   lifecycle {
		97  |     ignore_changes = [
		98  |       value,
		99  |     ]
		100 |   }
		101 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.ndh_secrets["ndh_ems_port_1"]
	File: /main.tf:91-101

		91  | resource "aws_ssm_parameter" "ndh_secrets" {
		92  |   for_each = toset(local.ndh_secrets)
		93  |   name     = each.value
		94  |   type     = "SecureString"
		95  |   value    = random_password.random_value.result
		96  |   lifecycle {
		97  |     ignore_changes = [
		98  |       value,
		99  |     ]
		100 |   }
		101 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.ndh_secrets["ndh_ems_host_b"]
	File: /main.tf:91-101

		91  | resource "aws_ssm_parameter" "ndh_secrets" {
		92  |   for_each = toset(local.ndh_secrets)
		93  |   name     = each.value
		94  |   type     = "SecureString"
		95  |   value    = random_password.random_value.result
		96  |   lifecycle {
		97  |     ignore_changes = [
		98  |       value,
		99  |     ]
		100 |   }
		101 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.ndh_secrets["ndh_admin_pass"]
	File: /main.tf:91-101

		91  | resource "aws_ssm_parameter" "ndh_secrets" {
		92  |   for_each = toset(local.ndh_secrets)
		93  |   name     = each.value
		94  |   type     = "SecureString"
		95  |   value    = random_password.random_value.result
		96  |   lifecycle {
		97  |     ignore_changes = [
		98  |       value,
		99  |     ]
		100 |   }
		101 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.ndh_secrets["ndh_app_host_a"]
	File: /main.tf:91-101

		91  | resource "aws_ssm_parameter" "ndh_secrets" {
		92  |   for_each = toset(local.ndh_secrets)
		93  |   name     = each.value
		94  |   type     = "SecureString"
		95  |   value    = random_password.random_value.result
		96  |   lifecycle {
		97  |     ignore_changes = [
		98  |       value,
		99  |     ]
		100 |   }
		101 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.ndh_secrets["ndh_ems_host_a"]
	File: /main.tf:91-101

		91  | resource "aws_ssm_parameter" "ndh_secrets" {
		92  |   for_each = toset(local.ndh_secrets)
		93  |   name     = each.value
		94  |   type     = "SecureString"
		95  |   value    = random_password.random_value.result
		96  |   lifecycle {
		97  |     ignore_changes = [
		98  |       value,
		99  |     ]
		100 |   }
		101 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.ndh_secrets["ndh_domain_name"]
	File: /main.tf:91-101

		91  | resource "aws_ssm_parameter" "ndh_secrets" {
		92  |   for_each = toset(local.ndh_secrets)
		93  |   name     = each.value
		94  |   type     = "SecureString"
		95  |   value    = random_password.random_value.result
		96  |   lifecycle {
		97  |     ignore_changes = [
		98  |       value,
		99  |     ]
		100 |   }
		101 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: module.baseline.aws_cloudwatch_log_group.route53
	File: /../../modules/baseline/route53.tf:156-167
	Calling File: /main.tf:43-83

		156 | resource "aws_cloudwatch_log_group" "route53" {
		157 |   for_each = local.route53_zones_to_create
		158 | 
		159 |   provider = aws.us-east-1
		160 | 
		161 |   name              = "/route53/${each.key}"
		162 |   retention_in_days = 30
		163 | 
		164 |   tags = merge(local.tags, {
		165 |     Name = "aws/route53/${each.key}"
		166 |   })
		167 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: module.baseline.aws_cloudwatch_log_group.route53
	File: /../../modules/baseline/route53.tf:156-167
	Calling File: /main.tf:43-83
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html

		156 | resource "aws_cloudwatch_log_group" "route53" {
		157 |   for_each = local.route53_zones_to_create
		158 | 
		159 |   provider = aws.us-east-1
		160 | 
		161 |   name              = "/route53/${each.key}"
		162 |   retention_in_days = 30
		163 | 
		164 |   tags = merge(local.tags, {
		165 |     Name = "aws/route53/${each.key}"
		166 |   })
		167 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: module.baseline.module.db_instance.aws_db_instance.this
	File: /../../modules/rds_instance/main.tf:5-58
	Calling File: /../../modules/baseline/rds_instance.tf:1-34

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
	FAILED for resource: module.baseline.module.db_instance.aws_db_instance.this
	File: /../../modules/rds_instance/main.tf:5-58
	Calling File: /../../modules/baseline/rds_instance.tf:1-34

		Code lines for this resource are too many. Please use IDE of your choice to review the file.

checkov_exitcode=1

CTFLint Scan Failed

*****************************

Setting default tflint config...
Running tflint --init...
Installing `terraform` plugin...
Installed `terraform` (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.2.1)
tflint will check the following folders:
terraform/environments/nomis-data-hub

*****************************

Running tflint in terraform/environments/nomis-data-hub
Excluding the following checks: terraform_unused_declarations
1 issue(s) found:

Warning: Missing version constraint for provider "random" in "required_providers" (terraform_required_providers)

  on terraform/environments/nomis-data-hub/main.tf line 86:
  86: resource "random_password" "random_value" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_required_providers.md

tflint_exitcode=2

@dms1981 dms1981 had a problem deploying to data-and-insights-wepi-development September 18, 2023 19:08 — with GitHub Actions Failure
@dms1981 dms1981 changed the title Create internal ACM certificate for DIH Create ACM certificate for DIH Sep 18, 2023
@github-actions

TFSEC Scan Success

*****************************

TFSEC will check the following folders:
terraform/environments/nomis-data-hub

*****************************

Running TFSEC in terraform/environments/nomis-data-hub
Excluding the following checks: AWS095

======================================================
tfsec is joining the Trivy family

tfsec will continue to remain available 
for the time being, although our engineering 
attention will be directed at Trivy going forward.

You can read more here: 
https://github.com/aquasecurity/tfsec/discussions/1994
======================================================
  timings
  ──────────────────────────────────────────
  disk i/o             1.643831ms
  parsing              240.761611ms
  adaptation           171.603µs
  checks               8.246817ms
  total                250.823862ms

  counts
  ──────────────────────────────────────────
  modules downloaded   0
  modules processed    5
  blocks processed     261
  files read           67

  results
  ──────────────────────────────────────────
  passed               4
  ignored              0
  critical             0
  high                 0
  medium               0
  low                  0


No problems detected!

tfsec_exitcode=0

Checkov Scan Failed

*****************************

Checkov will check the following folders:
terraform/environments/nomis-data-hub

*****************************

Running Checkov in terraform/environments/nomis-data-hub
terraform scan results:

Passed checks: 102, Failed checks: 16, Skipped checks: 15

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.ndh_secrets["ndh_admin_pass"]
	File: /main.tf:91-101

		91  | resource "aws_ssm_parameter" "ndh_secrets" {
		92  |   for_each = toset(local.ndh_secrets)
		93  |   name     = each.value
		94  |   type     = "SecureString"
		95  |   value    = random_password.random_value.result
		96  |   lifecycle {
		97  |     ignore_changes = [
		98  |       value,
		99  |     ]
		100 |   }
		101 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.ndh_secrets["ndh_host_os"]
	File: /main.tf:91-101

		91  | resource "aws_ssm_parameter" "ndh_secrets" {
		92  |   for_each = toset(local.ndh_secrets)
		93  |   name     = each.value
		94  |   type     = "SecureString"
		95  |   value    = random_password.random_value.result
		96  |   lifecycle {
		97  |     ignore_changes = [
		98  |       value,
		99  |     ]
		100 |   }
		101 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.ndh_secrets["ndh_host_os_version"]
	File: /main.tf:91-101

		91  | resource "aws_ssm_parameter" "ndh_secrets" {
		92  |   for_each = toset(local.ndh_secrets)
		93  |   name     = each.value
		94  |   type     = "SecureString"
		95  |   value    = random_password.random_value.result
		96  |   lifecycle {
		97  |     ignore_changes = [
		98  |       value,
		99  |     ]
		100 |   }
		101 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.ndh_secrets["ndh_admin_user"]
	File: /main.tf:91-101

		91  | resource "aws_ssm_parameter" "ndh_secrets" {
		92  |   for_each = toset(local.ndh_secrets)
		93  |   name     = each.value
		94  |   type     = "SecureString"
		95  |   value    = random_password.random_value.result
		96  |   lifecycle {
		97  |     ignore_changes = [
		98  |       value,
		99  |     ]
		100 |   }
		101 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.ndh_secrets["ndh_ems_port_2"]
	File: /main.tf:91-101

		91  | resource "aws_ssm_parameter" "ndh_secrets" {
		92  |   for_each = toset(local.ndh_secrets)
		93  |   name     = each.value
		94  |   type     = "SecureString"
		95  |   value    = random_password.random_value.result
		96  |   lifecycle {
		97  |     ignore_changes = [
		98  |       value,
		99  |     ]
		100 |   }
		101 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.ndh_secrets["ndh_app_host_b"]
	File: /main.tf:91-101

		91  | resource "aws_ssm_parameter" "ndh_secrets" {
		92  |   for_each = toset(local.ndh_secrets)
		93  |   name     = each.value
		94  |   type     = "SecureString"
		95  |   value    = random_password.random_value.result
		96  |   lifecycle {
		97  |     ignore_changes = [
		98  |       value,
		99  |     ]
		100 |   }
		101 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.ndh_secrets["ndh_domain_name"]
	File: /main.tf:91-101

		91  | resource "aws_ssm_parameter" "ndh_secrets" {
		92  |   for_each = toset(local.ndh_secrets)
		93  |   name     = each.value
		94  |   type     = "SecureString"
		95  |   value    = random_password.random_value.result
		96  |   lifecycle {
		97  |     ignore_changes = [
		98  |       value,
		99  |     ]
		100 |   }
		101 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.ndh_secrets["ndh_app_host_a"]
	File: /main.tf:91-101

		91  | resource "aws_ssm_parameter" "ndh_secrets" {
		92  |   for_each = toset(local.ndh_secrets)
		93  |   name     = each.value
		94  |   type     = "SecureString"
		95  |   value    = random_password.random_value.result
		96  |   lifecycle {
		97  |     ignore_changes = [
		98  |       value,
		99  |     ]
		100 |   }
		101 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.ndh_secrets["ndh_ems_host_a"]
	File: /main.tf:91-101

		91  | resource "aws_ssm_parameter" "ndh_secrets" {
		92  |   for_each = toset(local.ndh_secrets)
		93  |   name     = each.value
		94  |   type     = "SecureString"
		95  |   value    = random_password.random_value.result
		96  |   lifecycle {
		97  |     ignore_changes = [
		98  |       value,
		99  |     ]
		100 |   }
		101 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.ndh_secrets["ndh_harkemsadmin_ssl_pass"]
	File: /main.tf:91-101

		91  | resource "aws_ssm_parameter" "ndh_secrets" {
		92  |   for_each = toset(local.ndh_secrets)
		93  |   name     = each.value
		94  |   type     = "SecureString"
		95  |   value    = random_password.random_value.result
		96  |   lifecycle {
		97  |     ignore_changes = [
		98  |       value,
		99  |     ]
		100 |   }
		101 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.ndh_secrets["ndh_ems_host_b"]
	File: /main.tf:91-101

		91  | resource "aws_ssm_parameter" "ndh_secrets" {
		92  |   for_each = toset(local.ndh_secrets)
		93  |   name     = each.value
		94  |   type     = "SecureString"
		95  |   value    = random_password.random_value.result
		96  |   lifecycle {
		97  |     ignore_changes = [
		98  |       value,
		99  |     ]
		100 |   }
		101 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.ndh_secrets["ndh_ems_port_1"]
	File: /main.tf:91-101

		91  | resource "aws_ssm_parameter" "ndh_secrets" {
		92  |   for_each = toset(local.ndh_secrets)
		93  |   name     = each.value
		94  |   type     = "SecureString"
		95  |   value    = random_password.random_value.result
		96  |   lifecycle {
		97  |     ignore_changes = [
		98  |       value,
		99  |     ]
		100 |   }
		101 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: module.baseline.aws_cloudwatch_log_group.route53
	File: /../../modules/baseline/route53.tf:156-167
	Calling File: /main.tf:43-83

		156 | resource "aws_cloudwatch_log_group" "route53" {
		157 |   for_each = local.route53_zones_to_create
		158 | 
		159 |   provider = aws.us-east-1
		160 | 
		161 |   name              = "/route53/${each.key}"
		162 |   retention_in_days = 30
		163 | 
		164 |   tags = merge(local.tags, {
		165 |     Name = "aws/route53/${each.key}"
		166 |   })
		167 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: module.baseline.aws_cloudwatch_log_group.route53
	File: /../../modules/baseline/route53.tf:156-167
	Calling File: /main.tf:43-83
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html

		156 | resource "aws_cloudwatch_log_group" "route53" {
		157 |   for_each = local.route53_zones_to_create
		158 | 
		159 |   provider = aws.us-east-1
		160 | 
		161 |   name              = "/route53/${each.key}"
		162 |   retention_in_days = 30
		163 | 
		164 |   tags = merge(local.tags, {
		165 |     Name = "aws/route53/${each.key}"
		166 |   })
		167 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: module.baseline.module.db_instance.aws_db_instance.this
	File: /../../modules/rds_instance/main.tf:5-58
	Calling File: /../../modules/baseline/rds_instance.tf:1-34

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
	FAILED for resource: module.baseline.module.db_instance.aws_db_instance.this
	File: /../../modules/rds_instance/main.tf:5-58
	Calling File: /../../modules/baseline/rds_instance.tf:1-34

		Code lines for this resource are too many. Please use IDE of your choice to review the file.

checkov_exitcode=1

CTFLint Scan Failed

*****************************

Setting default tflint config...
Running tflint --init...
Installing `terraform` plugin...
Installed `terraform` (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.2.1)
tflint will check the following folders:
terraform/environments/nomis-data-hub

*****************************

Running tflint in terraform/environments/nomis-data-hub
Excluding the following checks: terraform_unused_declarations
1 issue(s) found:

Warning: Missing version constraint for provider "random" in "required_providers" (terraform_required_providers)

  on terraform/environments/nomis-data-hub/main.tf line 86:
  86: resource "random_password" "random_value" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_required_providers.md

tflint_exitcode=2

@dms1981 dms1981 had a problem deploying to data-and-insights-wepi-development September 18, 2023 19:10 — with GitHub Actions Failure
@dms1981 dms1981 had a problem deploying to data-and-insights-wepi-development September 19, 2023 07:14 — with GitHub Actions Failure
@github-actions

TFSEC Scan Success

*****************************

TFSEC will check the following folders:
terraform/environments/nomis-data-hub

*****************************

Running TFSEC in terraform/environments/nomis-data-hub
Excluding the following checks: AWS095

======================================================
tfsec is joining the Trivy family

tfsec will continue to remain available 
for the time being, although our engineering 
attention will be directed at Trivy going forward.

You can read more here: 
https://github.com/aquasecurity/tfsec/discussions/1994
======================================================
  timings
  ──────────────────────────────────────────
  disk i/o             1.760838ms
  parsing              313.616198ms
  adaptation           171.803µs
  checks               11.414629ms
  total                326.963468ms

  counts
  ──────────────────────────────────────────
  modules downloaded   0
  modules processed    5
  blocks processed     261
  files read           67

  results
  ──────────────────────────────────────────
  passed               4
  ignored              0
  critical             0
  high                 0
  medium               0
  low                  0


No problems detected!

tfsec_exitcode=0

Checkov Scan Failed

*****************************

Checkov will check the following folders:
terraform/environments/nomis-data-hub

*****************************

Running Checkov in terraform/environments/nomis-data-hub
terraform scan results:

Passed checks: 102, Failed checks: 16, Skipped checks: 15

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.ndh_secrets["ndh_ems_host_a"]
	File: /main.tf:91-101

		91  | resource "aws_ssm_parameter" "ndh_secrets" {
		92  |   for_each = toset(local.ndh_secrets)
		93  |   name     = each.value
		94  |   type     = "SecureString"
		95  |   value    = random_password.random_value.result
		96  |   lifecycle {
		97  |     ignore_changes = [
		98  |       value,
		99  |     ]
		100 |   }
		101 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.ndh_secrets["ndh_admin_user"]
	File: /main.tf:91-101

		91  | resource "aws_ssm_parameter" "ndh_secrets" {
		92  |   for_each = toset(local.ndh_secrets)
		93  |   name     = each.value
		94  |   type     = "SecureString"
		95  |   value    = random_password.random_value.result
		96  |   lifecycle {
		97  |     ignore_changes = [
		98  |       value,
		99  |     ]
		100 |   }
		101 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.ndh_secrets["ndh_ems_port_2"]
	File: /main.tf:91-101

		91  | resource "aws_ssm_parameter" "ndh_secrets" {
		92  |   for_each = toset(local.ndh_secrets)
		93  |   name     = each.value
		94  |   type     = "SecureString"
		95  |   value    = random_password.random_value.result
		96  |   lifecycle {
		97  |     ignore_changes = [
		98  |       value,
		99  |     ]
		100 |   }
		101 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.ndh_secrets["ndh_ems_port_1"]
	File: /main.tf:91-101

		91  | resource "aws_ssm_parameter" "ndh_secrets" {
		92  |   for_each = toset(local.ndh_secrets)
		93  |   name     = each.value
		94  |   type     = "SecureString"
		95  |   value    = random_password.random_value.result
		96  |   lifecycle {
		97  |     ignore_changes = [
		98  |       value,
		99  |     ]
		100 |   }
		101 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.ndh_secrets["ndh_ems_host_b"]
	File: /main.tf:91-101

		91  | resource "aws_ssm_parameter" "ndh_secrets" {
		92  |   for_each = toset(local.ndh_secrets)
		93  |   name     = each.value
		94  |   type     = "SecureString"
		95  |   value    = random_password.random_value.result
		96  |   lifecycle {
		97  |     ignore_changes = [
		98  |       value,
		99  |     ]
		100 |   }
		101 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.ndh_secrets["ndh_host_os"]
	File: /main.tf:91-101

		91  | resource "aws_ssm_parameter" "ndh_secrets" {
		92  |   for_each = toset(local.ndh_secrets)
		93  |   name     = each.value
		94  |   type     = "SecureString"
		95  |   value    = random_password.random_value.result
		96  |   lifecycle {
		97  |     ignore_changes = [
		98  |       value,
		99  |     ]
		100 |   }
		101 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.ndh_secrets["ndh_app_host_b"]
	File: /main.tf:91-101

		91  | resource "aws_ssm_parameter" "ndh_secrets" {
		92  |   for_each = toset(local.ndh_secrets)
		93  |   name     = each.value
		94  |   type     = "SecureString"
		95  |   value    = random_password.random_value.result
		96  |   lifecycle {
		97  |     ignore_changes = [
		98  |       value,
		99  |     ]
		100 |   }
		101 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.ndh_secrets["ndh_host_os_version"]
	File: /main.tf:91-101

		91  | resource "aws_ssm_parameter" "ndh_secrets" {
		92  |   for_each = toset(local.ndh_secrets)
		93  |   name     = each.value
		94  |   type     = "SecureString"
		95  |   value    = random_password.random_value.result
		96  |   lifecycle {
		97  |     ignore_changes = [
		98  |       value,
		99  |     ]
		100 |   }
		101 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.ndh_secrets["ndh_admin_pass"]
	File: /main.tf:91-101

		91  | resource "aws_ssm_parameter" "ndh_secrets" {
		92  |   for_each = toset(local.ndh_secrets)
		93  |   name     = each.value
		94  |   type     = "SecureString"
		95  |   value    = random_password.random_value.result
		96  |   lifecycle {
		97  |     ignore_changes = [
		98  |       value,
		99  |     ]
		100 |   }
		101 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.ndh_secrets["ndh_harkemsadmin_ssl_pass"]
	File: /main.tf:91-101

		91  | resource "aws_ssm_parameter" "ndh_secrets" {
		92  |   for_each = toset(local.ndh_secrets)
		93  |   name     = each.value
		94  |   type     = "SecureString"
		95  |   value    = random_password.random_value.result
		96  |   lifecycle {
		97  |     ignore_changes = [
		98  |       value,
		99  |     ]
		100 |   }
		101 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.ndh_secrets["ndh_app_host_a"]
	File: /main.tf:91-101

		91  | resource "aws_ssm_parameter" "ndh_secrets" {
		92  |   for_each = toset(local.ndh_secrets)
		93  |   name     = each.value
		94  |   type     = "SecureString"
		95  |   value    = random_password.random_value.result
		96  |   lifecycle {
		97  |     ignore_changes = [
		98  |       value,
		99  |     ]
		100 |   }
		101 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.ndh_secrets["ndh_domain_name"]
	File: /main.tf:91-101

		91  | resource "aws_ssm_parameter" "ndh_secrets" {
		92  |   for_each = toset(local.ndh_secrets)
		93  |   name     = each.value
		94  |   type     = "SecureString"
		95  |   value    = random_password.random_value.result
		96  |   lifecycle {
		97  |     ignore_changes = [
		98  |       value,
		99  |     ]
		100 |   }
		101 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: module.baseline.aws_cloudwatch_log_group.route53
	File: /../../modules/baseline/route53.tf:156-167
	Calling File: /main.tf:43-83

		156 | resource "aws_cloudwatch_log_group" "route53" {
		157 |   for_each = local.route53_zones_to_create
		158 | 
		159 |   provider = aws.us-east-1
		160 | 
		161 |   name              = "/route53/${each.key}"
		162 |   retention_in_days = 30
		163 | 
		164 |   tags = merge(local.tags, {
		165 |     Name = "aws/route53/${each.key}"
		166 |   })
		167 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: module.baseline.aws_cloudwatch_log_group.route53
	File: /../../modules/baseline/route53.tf:156-167
	Calling File: /main.tf:43-83
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html

		156 | resource "aws_cloudwatch_log_group" "route53" {
		157 |   for_each = local.route53_zones_to_create
		158 | 
		159 |   provider = aws.us-east-1
		160 | 
		161 |   name              = "/route53/${each.key}"
		162 |   retention_in_days = 30
		163 | 
		164 |   tags = merge(local.tags, {
		165 |     Name = "aws/route53/${each.key}"
		166 |   })
		167 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: module.baseline.module.db_instance.aws_db_instance.this
	File: /../../modules/rds_instance/main.tf:5-58
	Calling File: /../../modules/baseline/rds_instance.tf:1-34

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
	FAILED for resource: module.baseline.module.db_instance.aws_db_instance.this
	File: /../../modules/rds_instance/main.tf:5-58
	Calling File: /../../modules/baseline/rds_instance.tf:1-34

		Code lines for this resource are too many. Please use IDE of your choice to review the file.

checkov_exitcode=1

CTFLint Scan Failed

*****************************

Setting default tflint config...
Running tflint --init...
Installing `terraform` plugin...
Installed `terraform` (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.2.1)
tflint will check the following folders:
terraform/environments/nomis-data-hub

*****************************

Running tflint in terraform/environments/nomis-data-hub
Excluding the following checks: terraform_unused_declarations
1 issue(s) found:

Warning: Missing version constraint for provider "random" in "required_providers" (terraform_required_providers)

  on terraform/environments/nomis-data-hub/main.tf line 86:
  86: resource "random_password" "random_value" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_required_providers.md

tflint_exitcode=2

@dms1981 dms1981 had a problem deploying to data-and-insights-wepi-development September 19, 2023 11:32 — with GitHub Actions Failure
@github-actions
Contributor

TFSEC Scan Success

*****************************

TFSEC will check the following folders:
terraform/modules/baseline

*****************************

Running TFSEC in terraform/modules/baseline
Excluding the following checks: AWS095

======================================================
tfsec is joining the Trivy family

tfsec will continue to remain available 
for the time being, although our engineering 
attention will be directed at Trivy going forward.

You can read more here: 
https://github.com/aquasecurity/tfsec/discussions/1994
======================================================
  timings
  ──────────────────────────────────────────
  disk i/o             708.004µs
  parsing              44.647342ms
  adaptation           85.401µs
  checks               7.872642ms
  total                53.313389ms

  counts
  ──────────────────────────────────────────
  modules downloaded   0
  modules processed    1
  blocks processed     109
  files read           23

  results
  ──────────────────────────────────────────
  passed               0
  ignored              0
  critical             0
  high                 0
  medium               0
  low                  0


No problems detected!

tfsec_exitcode=0

Checkov Scan Failed

*****************************

Checkov will check the following folders:
terraform/modules/baseline

*****************************

Running Checkov in terraform/modules/baseline
2023-09-19 11:34:01,622 [MainThread  ] [WARNI]  Failed to download module git::https://github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer.git?ref=v3.1.1:None (for external modules, the --download-external-modules flag is required)
2023-09-19 11:34:01,622 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance?ref=v2.1.1:None (for external modules, the --download-external-modules flag is required)
2023-09-19 11:34:01,622 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-ec2-autoscaling-group?ref=v2.1.1:None (for external modules, the --download-external-modules flag is required)
2023-09-19 11:34:01,623 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.0.0:None (for external modules, the --download-external-modules flag is required)
2023-09-19 11:34:01,623 [MainThread  ] [WARNI]  Failed to download module git::https://github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 83, Failed checks: 5, Skipped checks: 15

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.route53
	File: /route53.tf:156-167

		156 | resource "aws_cloudwatch_log_group" "route53" {
		157 |   for_each = local.route53_zones_to_create
		158 | 
		159 |   provider = aws.us-east-1
		160 | 
		161 |   name              = "/route53/${each.key}"
		162 |   retention_in_days = 30
		163 | 
		164 |   tags = merge(local.tags, {
		165 |     Name = "aws/route53/${each.key}"
		166 |   })
		167 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.route53
	File: /route53.tf:156-167
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html

		156 | resource "aws_cloudwatch_log_group" "route53" {
		157 |   for_each = local.route53_zones_to_create
		158 | 
		159 |   provider = aws.us-east-1
		160 | 
		161 |   name              = "/route53/${each.key}"
		162 |   retention_in_days = 30
		163 | 
		164 |   tags = merge(local.tags, {
		165 |     Name = "aws/route53/${each.key}"
		166 |   })
		167 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: module.db_instance.aws_db_instance.this
	File: /../rds_instance/main.tf:5-58
	Calling File: /rds_instance.tf:1-34

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
	FAILED for resource: module.db_instance.aws_db_instance.this
	File: /../rds_instance/main.tf:5-58
	Calling File: /rds_instance.tf:1-34

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_103: "Ensure that load balancer is using at least TLS 1.2"
	FAILED for resource: module.lb_listener.aws_lb_listener.this
	File: /../lb_listener/main.tf:1-61
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-43.html

		Code lines for this resource are too many. Please use IDE of your choice to review the file.

checkov_exitcode=1

CTFLint Scan Failed

*****************************

Setting default tflint config...
Running tflint --init...
Installing `terraform` plugin...
Installed `terraform` (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.2.1)
tflint will check the following folders:
terraform/modules/baseline

*****************************

Running tflint in terraform/modules/baseline
Excluding the following checks: terraform_unused_declarations
1 issue(s) found:

Warning: `environment` variable has no type (terraform_typed_variables)

  on terraform/modules/baseline/variables.tf line 476:
 476: variable "environment" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_typed_variables.md

tflint_exitcode=2

@github-actions
Contributor

TFSEC Scan Success

*****************************

TFSEC will check the following folders:
terraform/modules/baseline

*****************************

Running TFSEC in terraform/modules/baseline
Excluding the following checks: AWS095

======================================================
tfsec is joining the Trivy family

tfsec will continue to remain available 
for the time being, although our engineering 
attention will be directed at Trivy going forward.

You can read more here: 
https://github.com/aquasecurity/tfsec/discussions/1994
======================================================
  timings
  ──────────────────────────────────────────
  disk i/o             666.11µs
  parsing              36.856428ms
  adaptation           92.702µs
  checks               17.324895ms
  total                54.940135ms

  counts
  ──────────────────────────────────────────
  modules downloaded   0
  modules processed    1
  blocks processed     109
  files read           23

  results
  ──────────────────────────────────────────
  passed               0
  ignored              0
  critical             0
  high                 0
  medium               0
  low                  0


No problems detected!

tfsec_exitcode=0

Checkov Scan Failed

*****************************

Checkov will check the following folders:
terraform/modules/baseline

*****************************

Running Checkov in terraform/modules/baseline
2023-09-19 12:45:46,308 [MainThread  ] [WARNI]  Failed to download module git::https://github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer.git?ref=v3.1.1:None (for external modules, the --download-external-modules flag is required)
2023-09-19 12:45:46,309 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance?ref=v2.1.1:None (for external modules, the --download-external-modules flag is required)
2023-09-19 12:45:46,309 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-ec2-autoscaling-group?ref=v2.1.1:None (for external modules, the --download-external-modules flag is required)
2023-09-19 12:45:46,309 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.0.0:None (for external modules, the --download-external-modules flag is required)
2023-09-19 12:45:46,309 [MainThread  ] [WARNI]  Failed to download module git::https://github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 83, Failed checks: 5, Skipped checks: 15

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.route53
	File: /route53.tf:156-167

		156 | resource "aws_cloudwatch_log_group" "route53" {
		157 |   for_each = local.route53_zones_to_create
		158 | 
		159 |   provider = aws.us-east-1
		160 | 
		161 |   name              = "/route53/${each.key}"
		162 |   retention_in_days = 30
		163 | 
		164 |   tags = merge(local.tags, {
		165 |     Name = "aws/route53/${each.key}"
		166 |   })
		167 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.route53
	File: /route53.tf:156-167
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html

		156 | resource "aws_cloudwatch_log_group" "route53" {
		157 |   for_each = local.route53_zones_to_create
		158 | 
		159 |   provider = aws.us-east-1
		160 | 
		161 |   name              = "/route53/${each.key}"
		162 |   retention_in_days = 30
		163 | 
		164 |   tags = merge(local.tags, {
		165 |     Name = "aws/route53/${each.key}"
		166 |   })
		167 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: module.db_instance.aws_db_instance.this
	File: /../rds_instance/main.tf:5-58
	Calling File: /rds_instance.tf:1-34

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
	FAILED for resource: module.db_instance.aws_db_instance.this
	File: /../rds_instance/main.tf:5-58
	Calling File: /rds_instance.tf:1-34

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_103: "Ensure that load balancer is using at least TLS 1.2"
	FAILED for resource: module.lb_listener.aws_lb_listener.this
	File: /../lb_listener/main.tf:1-61
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-43.html

		Code lines for this resource are too many. Please use IDE of your choice to review the file.

checkov_exitcode=1

CTFLint Scan Failed

*****************************

Setting default tflint config...
Running tflint --init...
Installing `terraform` plugin...
Installed `terraform` (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.2.1)
tflint will check the following folders:
terraform/modules/baseline

*****************************

Running tflint in terraform/modules/baseline
Excluding the following checks: terraform_unused_declarations
1 issue(s) found:

Warning: `environment` variable has no type (terraform_typed_variables)

  on terraform/modules/baseline/variables.tf line 476:
 476: variable "environment" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_typed_variables.md

tflint_exitcode=2

@dms1981
Contributor Author

dms1981 commented Sep 21, 2023

Further investigation reveals that there's a limit to custom domain sizes for Redshift Clusters that makes a custom certificate with a long name an inappropriate approach.

@dms1981 dms1981 closed this Sep 21, 2023
@dms1981 dms1981 deleted the feature/dih-cluster-certificate branch September 21, 2023 09:14