
Bump lb_access_logs_enabled::modernisation-platform-terraform-loadbalancer from 3.1.0 to 3.1.2 in /terraform/environments/example #3438

Conversation

dependabot[bot]
Contributor

@dependabot dependabot bot commented on behalf of github Sep 21, 2023

Bumps lb_access_logs_enabled::modernisation-platform-terraform-loadbalancer from 3.1.0 to 3.1.2.

Release notes

Sourced from lb_access_logs_enabled::modernisation-platform-terraform-loadbalancer's releases.

v3.1.2

What's Changed

Full Changelog: ministryofjustice/modernisation-platform-terraform-loadbalancer@v3.1.1...v3.1.2

v3.1.1

Create Athena query under the correct workgroup

What's Changed

New Contributors

Full Changelog: ministryofjustice/modernisation-platform-terraform-loadbalancer@v3.1.0...v3.1.1

Commits
  • 4f7370d Merge pull request #228 from ministryofjustice/dependabot/github_actions/acti...
  • 381a088 Merge pull request #243 from ministryofjustice/DSOS-2150-loadbalancer-logging...
  • bd9247b ensure table is created in correct database
  • 6d6a27d fix location of S3 logs for athena query
  • 44b8f3d Merge pull request #242 from ministryofjustice/dependabot/github_actions/brid...
  • 6269298 Merge pull request #241 from ministryofjustice/DSOS-2150-loadbalancer-logging...
  • 3c69224 Bump bridgecrewio/checkov-action from 12.2502.0 to 12.2503.0
  • b3eb56f fix athena query
  • 3684f80 Merge pull request #240 from ministryofjustice/dependabot/github_actions/brid...
  • 676cbb2 Bump bridgecrewio/checkov-action from 12.2494.0 to 12.2502.0
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot dependabot bot requested a review from a team as a code owner September 21, 2023 00:34
@dependabot dependabot bot added dependencies Pull requests that update a dependency file terraform Pull requests that update Terraform code labels Sep 21, 2023
@github-actions github-actions bot added the environments-repository Used to exclude PRs from this repo in our Slack PR update label Sep 21, 2023
@github-actions
Contributor

TFSEC Scan Failed

*****************************

TFSEC will check the following folders:
terraform/environments/delius-iaps

*****************************

Running TFSEC in terraform/environments/delius-iaps
Excluding the following checks: AWS095

======================================================
tfsec is joining the Trivy family

tfsec will continue to remain available 
for the time being, although our engineering 
attention will be directed at Trivy going forward.

You can read more here: 
https://github.com/aquasecurity/tfsec/discussions/1994
======================================================

Result #1 HIGH Topic does not have encryption enabled. 
────────────────────────────────────────────────────────────────────────────────
  cloudwatch-alarms.tf:2-4
────────────────────────────────────────────────────────────────────────────────
    2    resource "aws_sns_topic" "iaps_alerting" {
    3      name = "${local.application_name}-alerting"
    4    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-sns-enable-topic-encryption
      Impact The SNS topic messages could be read if compromised
  Resolution Turn on SNS Topic encryption

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/sns/enable-topic-encryption/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic#example-with-server-side-encryption-sse
────────────────────────────────────────────────────────────────────────────────


Result #2 MEDIUM Instance does not have Deletion Protection enabled 
────────────────────────────────────────────────────────────────────────────────
  rds.tf:40
────────────────────────────────────────────────────────────────────────────────
   40      deletion_protection      = local.is-production ? true : false
────────────────────────────────────────────────────────────────────────────────
  Rego Package builtin.aws.rds.aws0177
     Rego Rule deny
────────────────────────────────────────────────────────────────────────────────


Result #3 LOW Log group is not encrypted. 
────────────────────────────────────────────────────────────────────────────────
  ad.tf:47-50
────────────────────────────────────────────────────────────────────────────────
   47    resource "aws_cloudwatch_log_group" "active_directory" {
   48      name              = "/aws/directoryservice/${aws_directory_service_directory.active_directory.id}"
   49      retention_in_days = 14
   50    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-cloudwatch-log-group-customer-key
      Impact Log data may be leaked if the logs are compromised. No auditing of who have viewed the logs.
  Resolution Enable CMK encryption of CloudWatch Log Groups

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/cloudwatch/log-group-customer-key/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group#kms_key_id
────────────────────────────────────────────────────────────────────────────────


Results #4-11 LOW Log group is not encrypted. (8 similar results)
────────────────────────────────────────────────────────────────────────────────
  ec2-iaps-server.tf:273-282
────────────────────────────────────────────────────────────────────────────────
  273    resource "aws_cloudwatch_log_group" "cloudwatch_agent_log_groups" {
  274      for_each          = toset(local.cloudwatch_agent_log_group_names)
  275      name              = "/iaps/${each.key}"
  276      retention_in_days = local.application_data.accounts[local.environment].cloudwatch_agent_log_group_retention_period
  277      tags = merge(
  278        local.ec2_tags,
  279        {
  280          "Name" = "iaps/${each.key}"
  281      })
  282    }
────────────────────────────────────────────────────────────────────────────────
  Individual Causes
  - ec2-iaps-server.tf:273-282 (aws_cloudwatch_log_group.cloudwatch_agent_log_groups["iminterface/imiapsif.log"])
  - ec2-iaps-server.tf:273-282 (aws_cloudwatch_log_group.cloudwatch_agent_log_groups["system-events"])
  - ec2-iaps-server.tf:273-282 (aws_cloudwatch_log_group.cloudwatch_agent_log_groups["ndinterface/xmltransfer.log"])
  - ec2-iaps-server.tf:273-282 (aws_cloudwatch_log_group.cloudwatch_agent_log_groups["access.log"])
  - ec2-iaps-server.tf:273-282 (aws_cloudwatch_log_group.cloudwatch_agent_log_groups["amazon-cloudwatch-agent.log"])
  - ec2-iaps-server.tf:273-282 (aws_cloudwatch_log_group.cloudwatch_agent_log_groups["application-events"])
  - ec2-iaps-server.tf:273-282 (aws_cloudwatch_log_group.cloudwatch_agent_log_groups["error.log"])
  - ec2-iaps-server.tf:273-282 (aws_cloudwatch_log_group.cloudwatch_agent_log_groups["ndinterface/daysummary.log"])
────────────────────────────────────────────────────────────────────────────────
          ID aws-cloudwatch-log-group-customer-key
      Impact Log data may be leaked if the logs are compromised. No auditing of who have viewed the logs.
  Resolution Enable CMK encryption of CloudWatch Log Groups

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/cloudwatch/log-group-customer-key/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group#kms_key_id
────────────────────────────────────────────────────────────────────────────────


  timings
  ──────────────────────────────────────────
  disk i/o             1.021624ms
  parsing              2.170674069s
  adaptation           1.040527ms
  checks               39.365224ms
  total                2.212101444s

  counts
  ──────────────────────────────────────────
  modules downloaded   2
  modules processed    3
  blocks processed     173
  files read           29

  results
  ──────────────────────────────────────────
  passed               41
  ignored              3
  critical             0
  high                 1
  medium               1
  low                  9

  41 passed, 3 ignored, 11 potential problem(s) detected.

tfsec_exitcode=1

Checkov Scan Failed

*****************************

Checkov will check the following folders:
terraform/environments/delius-iaps

*****************************

Running Checkov in terraform/environments/delius-iaps
2023-09-21 00:38:11,984 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-ec2-autoscaling-group?ref=v2.0.0:None (for external modules, the --download-external-modules flag is required)
2023-09-21 00:38:11,984 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0:None (for external modules, the --download-external-modules flag is required)
2023-09-21 00:38:11,985 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 186, Failed checks: 41, Skipped checks: 7

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.active_directory
	File: /ad.tf:47-50

		47 | resource "aws_cloudwatch_log_group" "active_directory" {
		48 |   name              = "/aws/directoryservice/${aws_directory_service_directory.active_directory.id}"
		49 |   retention_in_days = 14
		50 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.active_directory
	File: /ad.tf:47-50
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html

		47 | resource "aws_cloudwatch_log_group" "active_directory" {
		48 |   name              = "/aws/directoryservice/${aws_directory_service_directory.active_directory.id}"
		49 |   retention_in_days = 14
		50 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.iaps_alerting
	File: /cloudwatch-alarms.tf:2-4
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-15.html

		2 | resource "aws_sns_topic" "iaps_alerting" {
		3 |   name = "${local.application_name}-alerting"
		4 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: pagerduty_core_alerts
	File: /cloudwatch-alarms.tf:198-205

		198 | module "pagerduty_core_alerts" {
		199 |   depends_on = [
		200 |     aws_sns_topic.iaps_alerting
		201 |   ]
		202 |   source                    = "github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0"
		203 |   sns_topics                = [aws_sns_topic.iaps_alerting.name]
		204 |   pagerduty_integration_key = local.pagerduty_integration_keys[local.integration_key_lookup]
		205 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.cloudwatch_agent_log_groups["application-events"]
	File: /ec2-iaps-server.tf:273-282
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html

		273 | resource "aws_cloudwatch_log_group" "cloudwatch_agent_log_groups" {
		274 |   for_each          = toset(local.cloudwatch_agent_log_group_names)
		275 |   name              = "/iaps/${each.key}"
		276 |   retention_in_days = local.application_data.accounts[local.environment].cloudwatch_agent_log_group_retention_period
		277 |   tags = merge(
		278 |     local.ec2_tags,
		279 |     {
		280 |       "Name" = "iaps/${each.key}"
		281 |   })
		282 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.cloudwatch_agent_log_groups["access.log"]
	File: /ec2-iaps-server.tf:273-282
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html

		273 | resource "aws_cloudwatch_log_group" "cloudwatch_agent_log_groups" {
		274 |   for_each          = toset(local.cloudwatch_agent_log_group_names)
		275 |   name              = "/iaps/${each.key}"
		276 |   retention_in_days = local.application_data.accounts[local.environment].cloudwatch_agent_log_group_retention_period
		277 |   tags = merge(
		278 |     local.ec2_tags,
		279 |     {
		280 |       "Name" = "iaps/${each.key}"
		281 |   })
		282 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.cloudwatch_agent_log_groups["error.log"]
	File: /ec2-iaps-server.tf:273-282
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html

		273 | resource "aws_cloudwatch_log_group" "cloudwatch_agent_log_groups" {
		274 |   for_each          = toset(local.cloudwatch_agent_log_group_names)
		275 |   name              = "/iaps/${each.key}"
		276 |   retention_in_days = local.application_data.accounts[local.environment].cloudwatch_agent_log_group_retention_period
		277 |   tags = merge(
		278 |     local.ec2_tags,
		279 |     {
		280 |       "Name" = "iaps/${each.key}"
		281 |   })
		282 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.cloudwatch_agent_log_groups["system-events"]
	File: /ec2-iaps-server.tf:273-282
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html

		273 | resource "aws_cloudwatch_log_group" "cloudwatch_agent_log_groups" {
		274 |   for_each          = toset(local.cloudwatch_agent_log_group_names)
		275 |   name              = "/iaps/${each.key}"
		276 |   retention_in_days = local.application_data.accounts[local.environment].cloudwatch_agent_log_group_retention_period
		277 |   tags = merge(
		278 |     local.ec2_tags,
		279 |     {
		280 |       "Name" = "iaps/${each.key}"
		281 |   })
		282 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.cloudwatch_agent_log_groups["amazon-cloudwatch-agent.log"]
	File: /ec2-iaps-server.tf:273-282
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html

		273 | resource "aws_cloudwatch_log_group" "cloudwatch_agent_log_groups" {
		274 |   for_each          = toset(local.cloudwatch_agent_log_group_names)
		275 |   name              = "/iaps/${each.key}"
		276 |   retention_in_days = local.application_data.accounts[local.environment].cloudwatch_agent_log_group_retention_period
		277 |   tags = merge(
		278 |     local.ec2_tags,
		279 |     {
		280 |       "Name" = "iaps/${each.key}"
		281 |   })
		282 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.cloudwatch_agent_log_groups["iminterface/imiapsif.log"]
	File: /ec2-iaps-server.tf:273-282
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html

		273 | resource "aws_cloudwatch_log_group" "cloudwatch_agent_log_groups" {
		274 |   for_each          = toset(local.cloudwatch_agent_log_group_names)
		275 |   name              = "/iaps/${each.key}"
		276 |   retention_in_days = local.application_data.accounts[local.environment].cloudwatch_agent_log_group_retention_period
		277 |   tags = merge(
		278 |     local.ec2_tags,
		279 |     {
		280 |       "Name" = "iaps/${each.key}"
		281 |   })
		282 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.cloudwatch_agent_log_groups["ndinterface/daysummary.log"]
	File: /ec2-iaps-server.tf:273-282
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html

		273 | resource "aws_cloudwatch_log_group" "cloudwatch_agent_log_groups" {
		274 |   for_each          = toset(local.cloudwatch_agent_log_group_names)
		275 |   name              = "/iaps/${each.key}"
		276 |   retention_in_days = local.application_data.accounts[local.environment].cloudwatch_agent_log_group_retention_period
		277 |   tags = merge(
		278 |     local.ec2_tags,
		279 |     {
		280 |       "Name" = "iaps/${each.key}"
		281 |   })
		282 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.cloudwatch_agent_log_groups["ndinterface/xmltransfer.log"]
	File: /ec2-iaps-server.tf:273-282
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html

		273 | resource "aws_cloudwatch_log_group" "cloudwatch_agent_log_groups" {
		274 |   for_each          = toset(local.cloudwatch_agent_log_group_names)
		275 |   name              = "/iaps/${each.key}"
		276 |   retention_in_days = local.application_data.accounts[local.environment].cloudwatch_agent_log_group_retention_period
		277 |   tags = merge(
		278 |     local.ec2_tags,
		279 |     {
		280 |       "Name" = "iaps/${each.key}"
		281 |   })
		282 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: ec2_iaps_server
	File: /ec2-iaps-server.tf:241-268

		241 | module "ec2_iaps_server" {
		242 |   source = "github.com/ministryofjustice/modernisation-platform-terraform-ec2-autoscaling-group?ref=v2.0.0"
		243 | 
		244 |   providers = {
		245 |     aws.core-vpc = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		246 |   }
		247 | 
		248 |   name                          = local.application_data.ec2_iaps_instance_label
		249 |   ami_name                      = local.iaps_server.ami_name
		250 |   ami_owner                     = local.application_data.ec2_iaps_instance_ami_owner
		251 |   instance                      = local.iaps_server.instance
		252 |   user_data_raw                 = local.iaps_server.user_data_raw
		253 |   ebs_volumes_copy_all_from_ami = local.iaps_server.ebs_volumes_copy_all_from_ami
		254 |   ebs_volume_config             = {}
		255 |   ebs_volumes                   = local.iaps_server.ebs_volumes
		256 |   ssm_parameters                = null
		257 |   autoscaling_group             = local.iaps_server.autoscaling_group
		258 |   autoscaling_schedules         = {}
		259 | 
		260 |   instance_profile_policies = local.iaps_server.iam_policies
		261 |   application_name          = local.application_name
		262 |   region                    = data.aws_region.current.name
		263 |   subnet_ids                = data.aws_subnets.shared-private.ids
		264 |   tags                      = local.ec2_tags
		265 |   account_ids_lookup        = local.environment_management.account_ids
		266 | 
		267 |   depends_on = [aws_kms_grant.image-builder-shared-hmpps-ebs-cmk-grant]
		268 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.ssm_least_privilege_policy
	File: /ec2-iaps-server.tf:186-223

		186 | data "aws_iam_policy_document" "ssm_least_privilege_policy" {
		187 |   statement {
		188 |     sid    = "CustomSsmPolicy"
		189 |     effect = "Allow"
		190 |     actions = [
		191 |       "ssm:DescribeAssociation",
		192 |       "ssm:DescribeDocument",
		193 |       "ssm:GetDeployablePatchSnapshotForInstance",
		194 |       "ssm:GetDocument",
		195 |       "ssm:GetManifest",
		196 |       "ssm:GetParameter",
		197 |       "ssm:GetParameters",
		198 |       "ssm:ListAssociations",
		199 |       "ssm:ListInstanceAssociations",
		200 |       "ssm:PutInventory",
		201 |       "ssm:PutComplianceItems",
		202 |       "ssm:PutConfigurePackageResult",
		203 |       "ssm:UpdateAssociationStatus",
		204 |       "ssm:UpdateInstanceAssociationStatus",
		205 |       "ssm:UpdateInstanceInformation",
		206 |       "ssmmessages:CreateControlChannel",
		207 |       "ssmmessages:CreateDataChannel",
		208 |       "ssmmessages:OpenControlChannel",
		209 |       "ssmmessages:OpenDataChannel",
		210 |       "ec2messages:AcknowledgeMessage",
		211 |       "ec2messages:DeleteMessage",
		212 |       "ec2messages:FailMessage",
		213 |       "ec2messages:GetEndpoint",
		214 |       "ec2messages:GetMessages",
		215 |       "ec2messages:SendReply"
		216 |     ]
		217 |     # skipping these as policy is a scoped down version of Amazon provided AmazonSSMManagedInstanceCore managed policy.  Permissions required for SSM function
		218 | 
		219 |     #checkov:skip=CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
		220 |     #checkov:skip=CKV_AWS_108: "Ensure IAM policies does not allow data exfiltration"
		221 |     resources = ["*"] #tfsec:ignore:aws-iam-no-policy-wildcards
		222 |   }
		223 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.ci_secrets_rotator
	File: /iam.tf:39-64

		39 | data "aws_iam_policy_document" "ci_secrets_rotator" {
		40 |   statement {
		41 |     sid    = "RotateSecrets"
		42 |     effect = "Allow"
		43 |     actions = [
		44 |       "secretsmanager:RotateSecret",
		45 |       "secretsmanager:DescribeSecret",
		46 |       "secretsmanager:PutSecretValue",
		47 |       "secretsmanager:UpdateSecretVersionStage",
		48 |     ]
		49 |     resources = [
		50 |       local.iaps_ds_admin_secret_arn
		51 |     ]
		52 |   }
		53 |   statement {
		54 |     sid    = "ResetDSUserPassword"
		55 |     effect = "Allow"
		56 |     actions = [
		57 |       "ds:ResetUserPassword",
		58 |       "ds:DescribeDirectories"
		59 |     ]
		60 |     resources = [
		61 |       "*"
		62 |     ]
		63 |   }
		64 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.ci_secrets_rotator
	File: /iam.tf:39-64
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint.html

		39 | data "aws_iam_policy_document" "ci_secrets_rotator" {
		40 |   statement {
		41 |     sid    = "RotateSecrets"
		42 |     effect = "Allow"
		43 |     actions = [
		44 |       "secretsmanager:RotateSecret",
		45 |       "secretsmanager:DescribeSecret",
		46 |       "secretsmanager:PutSecretValue",
		47 |       "secretsmanager:UpdateSecretVersionStage",
		48 |     ]
		49 |     resources = [
		50 |       local.iaps_ds_admin_secret_arn
		51 |     ]
		52 |   }
		53 |   statement {
		54 |     sid    = "ResetDSUserPassword"
		55 |     effect = "Allow"
		56 |     actions = [
		57 |       "ds:ResetUserPassword",
		58 |       "ds:DescribeDirectories"
		59 |     ]
		60 |     resources = [
		61 |       "*"
		62 |     ]
		63 |   }
		64 | }

Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy_document.snapshot_sharer
	File: /iam.tf:117-158
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint.html

		117 | data "aws_iam_policy_document" "snapshot_sharer" {
		118 |   statement {
		119 |     sid    = "CopyAndShareSnapshots"
		120 |     effect = "Allow"
		121 |     actions = [
		122 |       "rds:CopyDBSnapshot",
		123 |       "rds:DescribeDBSnapshots",
		124 |       "rds:ModifyDBSnapshotAttribute"
		125 |     ]
		126 |     resources = [
		127 |       local.iaps_rds_snapshot_arn_pattern_preprod,
		128 |       local.iaps_rds_snapshot_arn_pattern_prod,
		129 |       aws_db_instance.iaps.arn
		130 |     ]
		131 |   }
		132 | 
		133 |   statement {
		134 |     sid    = "AllowSSMUsage"
		135 |     effect = "Allow"
		136 |     actions = [
		137 |       "ssm:PutParameter",
		138 |       "ssm:DescribeParameters"
		139 |     ]
		140 |     resources = [
		141 |       aws_ssm_parameter.iaps_snapshot_data_refresh_id.arn
		142 |     ]
		143 |   }
		144 | 
		145 |   statement {
		146 |     sid    = "AllowKMSUsage"
		147 |     effect = "Allow"
		148 |     actions = [
		149 |       "kms:DescribeKey",
		150 |       "kms:Decrypt",
		151 |       "kms:GenerateDataKey",
		152 |       "kms:CreateGrant"
		153 |     ]
		154 |     resources = [
		155 |       "*"
		156 |     ]
		157 |   }
		158 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.snapshot_sharer
	File: /iam.tf:117-158

		117 | data "aws_iam_policy_document" "snapshot_sharer" {
		118 |   statement {
		119 |     sid    = "CopyAndShareSnapshots"
		120 |     effect = "Allow"
		121 |     actions = [
		122 |       "rds:CopyDBSnapshot",
		123 |       "rds:DescribeDBSnapshots",
		124 |       "rds:ModifyDBSnapshotAttribute"
		125 |     ]
		126 |     resources = [
		127 |       local.iaps_rds_snapshot_arn_pattern_preprod,
		128 |       local.iaps_rds_snapshot_arn_pattern_prod,
		129 |       aws_db_instance.iaps.arn
		130 |     ]
		131 |   }
		132 | 
		133 |   statement {
		134 |     sid    = "AllowSSMUsage"
		135 |     effect = "Allow"
		136 |     actions = [
		137 |       "ssm:PutParameter",
		138 |       "ssm:DescribeParameters"
		139 |     ]
		140 |     resources = [
		141 |       aws_ssm_parameter.iaps_snapshot_data_refresh_id.arn
		142 |     ]
		143 |   }
		144 | 
		145 |   statement {
		146 |     sid    = "AllowKMSUsage"
		147 |     effect = "Allow"
		148 |     actions = [
		149 |       "kms:DescribeKey",
		150 |       "kms:Decrypt",
		151 |       "kms:GenerateDataKey",
		152 |       "kms:CreateGrant"
		153 |     ]
		154 |     resources = [
		155 |       "*"
		156 |     ]
		157 |   }
		158 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.snapshot_sharer
	File: /iam.tf:117-158
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint.html

		117 | data "aws_iam_policy_document" "snapshot_sharer" {
		118 |   statement {
		119 |     sid    = "CopyAndShareSnapshots"
		120 |     effect = "Allow"
		121 |     actions = [
		122 |       "rds:CopyDBSnapshot",
		123 |       "rds:DescribeDBSnapshots",
		124 |       "rds:ModifyDBSnapshotAttribute"
		125 |     ]
		126 |     resources = [
		127 |       local.iaps_rds_snapshot_arn_pattern_preprod,
		128 |       local.iaps_rds_snapshot_arn_pattern_prod,
		129 |       aws_db_instance.iaps.arn
		130 |     ]
		131 |   }
		132 | 
		133 |   statement {
		134 |     sid    = "AllowSSMUsage"
		135 |     effect = "Allow"
		136 |     actions = [
		137 |       "ssm:PutParameter",
		138 |       "ssm:DescribeParameters"
		139 |     ]
		140 |     resources = [
		141 |       aws_ssm_parameter.iaps_snapshot_data_refresh_id.arn
		142 |     ]
		143 |   }
		144 | 
		145 |   statement {
		146 |     sid    = "AllowKMSUsage"
		147 |     effect = "Allow"
		148 |     actions = [
		149 |       "kms:DescribeKey",
		150 |       "kms:Decrypt",
		151 |       "kms:GenerateDataKey",
		152 |       "kms:CreateGrant"
		153 |     ]
		154 |     resources = [
		155 |       "*"
		156 |     ]
		157 |   }
		158 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: aws_db_instance.iaps
	File: /rds.tf:1-46

		1  | resource "aws_db_instance" "iaps" {
		2  |   engine         = "oracle-ee"
		3  |   engine_version = local.application_data.accounts[local.environment].db_engine_version
		4  |   license_model  = "bring-your-own-license"
		5  |   instance_class = local.application_data.accounts[local.environment].db_instance_class
		6  |   db_name        = "IAPS"
		7  |   identifier     = "iaps"
		8  | 
		9  |   username                    = local.application_data.accounts[local.environment].db_user
		10 |   manage_master_user_password = true
		11 |   snapshot_identifier         = length(data.aws_ssm_parameter.iaps_snapshot_data_refresh_id.value) > 0 ? data.aws_ssm_parameter.iaps_snapshot_data_refresh_id.value : null
		12 |   db_subnet_group_name        = aws_db_subnet_group.iaps.id
		13 |   vpc_security_group_ids      = [aws_security_group.iaps_db.id]
		14 | 
		15 |   # tflint-ignore: aws_db_instance_default_parameter_group
		16 |   parameter_group_name        = "default.oracle-ee-19"
		17 |   skip_final_snapshot         = local.application_data.accounts[local.environment].db_skip_final_snapshot
		18 |   allocated_storage           = local.application_data.accounts[local.environment].db_allocated_storage
		19 |   max_allocated_storage       = local.application_data.accounts[local.environment].db_max_allocated_storage
		20 |   apply_immediately           = local.application_data.accounts[local.environment].db_apply_immediately
		21 |   maintenance_window          = local.application_data.accounts[local.environment].db_maintenance_window
		22 |   auto_minor_version_upgrade  = local.application_data.accounts[local.environment].db_auto_minor_version_upgrade
		23 |   allow_major_version_upgrade = local.application_data.accounts[local.environment].db_allow_major_version_upgrade
		24 |   backup_window               = local.application_data.accounts[local.environment].db_backup_window
		25 |   backup_retention_period     = local.application_data.accounts[local.environment].db_backup_retention_period
		26 |   #checkov:skip=CKV_AWS_133: "backup_retention enabled, can be edited it application_variables.json"
		27 |   iam_database_authentication_enabled = local.application_data.accounts[local.environment].db_iam_database_authentication_enabled
		28 |   #checkov:skip=CKV_AWS_161: "iam auth enabled, but optional"
		29 |   multi_az = local.application_data.accounts[local.environment].db_multi_az
		30 |   #checkov:skip=CKV_AWS_157: "multi-az enabled, but optional"
		31 |   monitoring_interval = local.application_data.accounts[local.environment].db_monitoring_interval
		32 |   monitoring_role_arn = local.application_data.accounts[local.environment].db_monitoring_interval == 0 ? "" : aws_iam_role.rds_enhanced_monitoring[0].arn
		33 |   #checkov:skip=CKV_AWS_118: "enhanced monitoring is enabled, but optional"
		34 |   kms_key_id                      = data.aws_kms_key.rds_shared.arn
		35 |   storage_encrypted               = true
		36 |   performance_insights_enabled    = local.application_data.accounts[local.environment].db_performance_insights_enabled
		37 |   performance_insights_kms_key_id = "" #tfsec:ignore:aws-rds-enable-performance-insights-encryption Left empty so that it will run, however should be populated with real key in scenario.
		38 |   enabled_cloudwatch_logs_exports = local.application_data.accounts[local.environment].db_enabled_cloudwatch_logs_exports
		39 | 
		40 |   deletion_protection      = local.is-production ? true : false
		41 |   delete_automated_backups = false
		42 | 
		43 |   tags = merge(local.tags,
		44 |     { Name = lower(format("%s-%s-database", local.application_name, local.environment)) }
		45 |   )
		46 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.iaps_snapshot_data_refresh_id
	File: /rds.tf:48-61

		48 | resource "aws_ssm_parameter" "iaps_snapshot_data_refresh_id" {
		49 |   name        = "/iaps/snapshot_id"
		50 |   description = "The ID of the RDS snapshot used for the IAPS database data refresh"
		51 |   type        = "String"
		52 |   value       = try(local.application_data.accounts[local.environment].db_snapshot_identifier, "")
		53 | 
		54 |   tags = {
		55 |     environment = "production"
		56 |   }
		57 | 
		58 |   lifecycle {
		59 |     ignore_changes = [value]
		60 |   }
		61 | }

Check: CKV_AWS_23: "Ensure every security groups rule has a description"
	FAILED for resource: aws_vpc_security_group_ingress_rule.allow_db_in
	File: /rds.tf:82-89
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html

		82 | resource "aws_vpc_security_group_ingress_rule" "allow_db_in" {
		83 |   security_group_id = aws_security_group.iaps_db.id
		84 | 
		85 |   referenced_security_group_id = aws_security_group.iaps.id
		86 |   ip_protocol                  = "tcp"
		87 |   from_port                    = 1521
		88 |   to_port                      = 1521
		89 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3-log-archive-bucket
	File: /s3.tf:3-53

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.im-interface-oracle-user
	File: /ssm.tf:2-13

		2  | resource "aws_ssm_parameter" "im-interface-oracle-user" {
		3  |   name      = "/IMInterface/IAPSOracle/user"
		4  |   type      = "String"
		5  |   value     = "dev-placeholder-iapsoracle-user"
		6  |   overwrite = true
		7  | 
		8  |   lifecycle {
		9  |     ignore_changes = [
		10 |       value
		11 |     ]
		12 |   }
		13 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.im-interface-oracle-password
	File: /ssm.tf:15-26

		15 | resource "aws_ssm_parameter" "im-interface-oracle-password" {
		16 |   name      = "/IMInterface/IAPSOracle/password"
		17 |   type      = "SecureString"
		18 |   value     = "dev-placeholder-iapsoracle-password"
		19 |   overwrite = true
		20 | 
		21 |   lifecycle {
		22 |     ignore_changes = [
		23 |       value
		24 |     ]
		25 |   }
		26 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.im-interface-soap-odbc-dsn
	File: /ssm.tf:28-39

		28 | resource "aws_ssm_parameter" "im-interface-soap-odbc-dsn" {
		29 |   name      = "/IMInterface/SOAPServer/ODBC/dsn"
		30 |   type      = "String"
		31 |   value     = "dev-placeholder-soapserver-odbc-dsn"
		32 |   overwrite = true
		33 | 
		34 |   lifecycle {
		35 |     ignore_changes = [
		36 |       value
		37 |     ]
		38 |   }
		39 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.im-interface-soap-odbc-server
	File: /ssm.tf:41-52

		41 | resource "aws_ssm_parameter" "im-interface-soap-odbc-server" {
		42 |   name      = "/IMInterface/SOAPServer/ODBC/server"
		43 |   type      = "String"
		44 |   value     = "dev-placeholder-soapserver-odbc-server"
		45 |   overwrite = true
		46 | 
		47 |   lifecycle {
		48 |     ignore_changes = [
		49 |       value
		50 |     ]
		51 |   }
		52 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.im-interface-soap-odbc-database
	File: /ssm.tf:54-65

		54 | resource "aws_ssm_parameter" "im-interface-soap-odbc-database" {
		55 |   name      = "/IMInterface/SOAPServer/ODBC/database"
		56 |   type      = "String"
		57 |   value     = "dev-placeholder-soapserver-odbc-database"
		58 |   overwrite = true
		59 | 
		60 |   lifecycle {
		61 |     ignore_changes = [
		62 |       value
		63 |     ]
		64 |   }
		65 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.im-interface-soap-odbc-uid
	File: /ssm.tf:67-78

		67 | resource "aws_ssm_parameter" "im-interface-soap-odbc-uid" {
		68 |   name      = "/IMInterface/SOAPServer/ODBC/uid"
		69 |   type      = "String"
		70 |   value     = "dev-placeholder-soapserver-odbc-uid"
		71 |   overwrite = true
		72 | 
		73 |   lifecycle {
		74 |     ignore_changes = [
		75 |       value
		76 |     ]
		77 |   }
		78 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.im-interface-soap-odbc-pwd
	File: /ssm.tf:80-91

		80 | resource "aws_ssm_parameter" "im-interface-soap-odbc-pwd" {
		81 |   name      = "/IMInterface/SOAPServer/ODBC/pwd"
		82 |   type      = "SecureString"
		83 |   value     = "dev-placeholder-soapserver-odbc-pwd"
		84 |   overwrite = true
		85 | 
		86 |   lifecycle {
		87 |     ignore_changes = [
		88 |       value
		89 |     ]
		90 |   }
		91 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.ndelius-interface-ssm-param
	File: /ssm.tf:93-105

		93  | resource "aws_ssm_parameter" "ndelius-interface-ssm-param" {
		94  |   for_each  = local.ndelius_interface_params.parameter
		95  |   name      = each.value.name
		96  |   type      = each.value.type
		97  |   value     = each.value.value
		98  |   overwrite = each.value.overwrite
		99  | 
		100 |   lifecycle {
		101 |     ignore_changes = [
		102 |       value
		103 |     ]
		104 |   }
		105 | }

Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
	FAILED for resource: aws_ssm_parameter.iaps_snapshot_data_refresh_id
	File: /rds.tf:48-61
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html

		48 | resource "aws_ssm_parameter" "iaps_snapshot_data_refresh_id" {
		49 |   name        = "/iaps/snapshot_id"
		50 |   description = "The ID of the RDS snapshot used for the IAPS database data refresh"
		51 |   type        = "String"
		52 |   value       = try(local.application_data.accounts[local.environment].db_snapshot_identifier, "")
		53 | 
		54 |   tags = {
		55 |     environment = "production"
		56 |   }
		57 | 
		58 |   lifecycle {
		59 |     ignore_changes = [value]
		60 |   }
		61 | }

Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
	FAILED for resource: aws_ssm_parameter.im-interface-oracle-user
	File: /ssm.tf:2-13
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html

		2  | resource "aws_ssm_parameter" "im-interface-oracle-user" {
		3  |   name      = "/IMInterface/IAPSOracle/user"
		4  |   type      = "String"
		5  |   value     = "dev-placeholder-iapsoracle-user"
		6  |   overwrite = true
		7  | 
		8  |   lifecycle {
		9  |     ignore_changes = [
		10 |       value
		11 |     ]
		12 |   }
		13 | }

Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
	FAILED for resource: aws_ssm_parameter.im-interface-soap-odbc-dsn
	File: /ssm.tf:28-39
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html

		28 | resource "aws_ssm_parameter" "im-interface-soap-odbc-dsn" {
		29 |   name      = "/IMInterface/SOAPServer/ODBC/dsn"
		30 |   type      = "String"
		31 |   value     = "dev-placeholder-soapserver-odbc-dsn"
		32 |   overwrite = true
		33 | 
		34 |   lifecycle {
		35 |     ignore_changes = [
		36 |       value
		37 |     ]
		38 |   }
		39 | }

Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
	FAILED for resource: aws_ssm_parameter.im-interface-soap-odbc-server
	File: /ssm.tf:41-52
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html

		41 | resource "aws_ssm_parameter" "im-interface-soap-odbc-server" {
		42 |   name      = "/IMInterface/SOAPServer/ODBC/server"
		43 |   type      = "String"
		44 |   value     = "dev-placeholder-soapserver-odbc-server"
		45 |   overwrite = true
		46 | 
		47 |   lifecycle {
		48 |     ignore_changes = [
		49 |       value
		50 |     ]
		51 |   }
		52 | }

Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
	FAILED for resource: aws_ssm_parameter.im-interface-soap-odbc-database
	File: /ssm.tf:54-65
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html

		54 | resource "aws_ssm_parameter" "im-interface-soap-odbc-database" {
		55 |   name      = "/IMInterface/SOAPServer/ODBC/database"
		56 |   type      = "String"
		57 |   value     = "dev-placeholder-soapserver-odbc-database"
		58 |   overwrite = true
		59 | 
		60 |   lifecycle {
		61 |     ignore_changes = [
		62 |       value
		63 |     ]
		64 |   }
		65 | }

Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
	FAILED for resource: aws_ssm_parameter.im-interface-soap-odbc-uid
	File: /ssm.tf:67-78
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html

		67 | resource "aws_ssm_parameter" "im-interface-soap-odbc-uid" {
		68 |   name      = "/IMInterface/SOAPServer/ODBC/uid"
		69 |   type      = "String"
		70 |   value     = "dev-placeholder-soapserver-odbc-uid"
		71 |   overwrite = true
		72 | 
		73 |   lifecycle {
		74 |     ignore_changes = [
		75 |       value
		76 |     ]
		77 |   }
		78 | }

Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
	FAILED for resource: aws_ssm_parameter.ndelius-interface-ssm-param
	File: /ssm.tf:93-105
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html

		93  | resource "aws_ssm_parameter" "ndelius-interface-ssm-param" {
		94  |   for_each  = local.ndelius_interface_params.parameter
		95  |   name      = each.value.name
		96  |   type      = each.value.type
		97  |   value     = each.value.value
		98  |   overwrite = each.value.overwrite
		99  | 
		100 |   lifecycle {
		101 |     ignore_changes = [
		102 |       value
		103 |     ]
		104 |   }
		105 | }

Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
	FAILED for resource: aws_db_instance.iaps
	File: /rds.tf:1-46

		1  | resource "aws_db_instance" "iaps" {
		2  |   engine         = "oracle-ee"
		3  |   engine_version = local.application_data.accounts[local.environment].db_engine_version
		4  |   license_model  = "bring-your-own-license"
		5  |   instance_class = local.application_data.accounts[local.environment].db_instance_class
		6  |   db_name        = "IAPS"
		7  |   identifier     = "iaps"
		8  | 
		9  |   username                    = local.application_data.accounts[local.environment].db_user
		10 |   manage_master_user_password = true
		11 |   snapshot_identifier         = length(data.aws_ssm_parameter.iaps_snapshot_data_refresh_id.value) > 0 ? data.aws_ssm_parameter.iaps_snapshot_data_refresh_id.value : null
		12 |   db_subnet_group_name        = aws_db_subnet_group.iaps.id
		13 |   vpc_security_group_ids      = [aws_security_group.iaps_db.id]
		14 | 
		15 |   # tflint-ignore: aws_db_instance_default_parameter_group
		16 |   parameter_group_name        = "default.oracle-ee-19"
		17 |   skip_final_snapshot         = local.application_data.accounts[local.environment].db_skip_final_snapshot
		18 |   allocated_storage           = local.application_data.accounts[local.environment].db_allocated_storage
		19 |   max_allocated_storage       = local.application_data.accounts[local.environment].db_max_allocated_storage
		20 |   apply_immediately           = local.application_data.accounts[local.environment].db_apply_immediately
		21 |   maintenance_window          = local.application_data.accounts[local.environment].db_maintenance_window
		22 |   auto_minor_version_upgrade  = local.application_data.accounts[local.environment].db_auto_minor_version_upgrade
		23 |   allow_major_version_upgrade = local.application_data.accounts[local.environment].db_allow_major_version_upgrade
		24 |   backup_window               = local.application_data.accounts[local.environment].db_backup_window
		25 |   backup_retention_period     = local.application_data.accounts[local.environment].db_backup_retention_period
		26 |   #checkov:skip=CKV_AWS_133: "backup_retention enabled, can be edited it application_variables.json"
		27 |   iam_database_authentication_enabled = local.application_data.accounts[local.environment].db_iam_database_authentication_enabled
		28 |   #checkov:skip=CKV_AWS_161: "iam auth enabled, but optional"
		29 |   multi_az = local.application_data.accounts[local.environment].db_multi_az
		30 |   #checkov:skip=CKV_AWS_157: "multi-az enabled, but optional"
		31 |   monitoring_interval = local.application_data.accounts[local.environment].db_monitoring_interval
		32 |   monitoring_role_arn = local.application_data.accounts[local.environment].db_monitoring_interval == 0 ? "" : aws_iam_role.rds_enhanced_monitoring[0].arn
		33 |   #checkov:skip=CKV_AWS_118: "enhanced monitoring is enabled, but optional"
		34 |   kms_key_id                      = data.aws_kms_key.rds_shared.arn
		35 |   storage_encrypted               = true
		36 |   performance_insights_enabled    = local.application_data.accounts[local.environment].db_performance_insights_enabled
		37 |   performance_insights_kms_key_id = "" #tfsec:ignore:aws-rds-enable-performance-insights-encryption Left empty so that it will run, however should be populated with real key in scenario.
		38 |   enabled_cloudwatch_logs_exports = local.application_data.accounts[local.environment].db_enabled_cloudwatch_logs_exports
		39 | 
		40 |   deletion_protection      = local.is-production ? true : false
		41 |   delete_automated_backups = false
		42 | 
		43 |   tags = merge(local.tags,
		44 |     { Name = lower(format("%s-%s-database", local.application_name, local.environment)) }
		45 |   )
		46 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.iaps
	File: /ec2-iaps-server.tf:101-106
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis.html

		101 | resource "aws_security_group" "iaps" {
		102 |   name        = lower(format("%s-%s", local.application_name, local.environment))
		103 |   description = "Controls access to IAPS EC2 instance"
		104 |   vpc_id      = data.aws_vpc.shared.id
		105 |   tags        = local.ec2_tags
		106 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.ad_password
	File: /secrets.tf:13-23

		13 | resource "aws_secretsmanager_secret" "ad_password" {
		14 |   #checkov:skip=CKV_AWS_149
		15 |   name                    = "${var.networking[0].application}-ad-password"
		16 |   recovery_window_in_days = 0
		17 |   tags = merge(
		18 |     local.tags,
		19 |     {
		20 |       Name = "${var.networking[0].application}-ad-password"
		21 |     },
		22 |   )
		23 | }


checkov_exitcode=1

CTFLint Scan Failed

*****************************

Setting default tflint config...
Running tflint --init...
Installing `terraform` plugin...
Installed `terraform` (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.2.1)
tflint will check the following folders:
terraform/environments/delius-iaps

*****************************

Running tflint in terraform/environments/delius-iaps
Excluding the following checks: terraform_unused_declarations
1 issue(s) found:

Warning: Missing version constraint for provider "random" in "required_providers" (terraform_required_providers)

  on terraform/environments/delius-iaps/secrets.tf line 4:
   4: resource "random_password" "ad_password" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_required_providers.md

tflint_exitcode=2

@ASTRobinson

@dependabot rebase

@dependabot dependabot bot force-pushed the dependabot/terraform/terraform/environments/example/lb_access_logs_enabled--github--ministryofjustice/modernisation-platform-terraform-loadbalancer--v3.1.0-3.1.2 branch from 08ef608 to e2052fc Compare September 29, 2023 08:49
@github-actions

TFSEC Scan Success

*****************************

TFSEC will check the following folders:

Checkov Scan Success

*****************************

Checkov will check the following folders:

CTFLint Scan Success

*****************************

Setting default tflint config...
Running tflint --init...
Installing `terraform` plugin...
Installed `terraform` (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.2.1)
tflint will check the following folders:

@dependabot @github

dependabot bot commented on behalf of github Sep 29, 2023

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.

@dependabot dependabot bot deleted the dependabot/terraform/terraform/environments/example/lb_access_logs_enabled--github--ministryofjustice/modernisation-platform-terraform-loadbalancer--v3.1.0-3.1.2 branch September 29, 2023 08:54
@ASTRobinson ASTRobinson restored the dependabot/terraform/terraform/environments/example/lb_access_logs_enabled--github--ministryofjustice/modernisation-platform-terraform-loadbalancer--v3.1.0-3.1.2 branch September 29, 2023 08:55
@ASTRobinson ASTRobinson reopened this Sep 29, 2023
…ancer

Bumps [lb_access_logs_enabled::modernisation-platform-terraform-loadbalancer](https://github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer) from 3.1.0 to 3.1.2.
- [Release notes](https://github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer/releases)
- [Commits](ministryofjustice/modernisation-platform-terraform-loadbalancer@v3.1.0...v3.1.2)

---
updated-dependencies:
- dependency-name: lb_access_logs_enabled::github::ministryofjustice/modernisation-platform-terraform-loadbalancer::v3.1.0
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot dependabot bot force-pushed the dependabot/terraform/terraform/environments/example/lb_access_logs_enabled--github--ministryofjustice/modernisation-platform-terraform-loadbalancer--v3.1.0-3.1.2 branch from e2052fc to 5ba2c5d Compare September 29, 2023 08:56
@dependabot dependabot bot deleted the dependabot/terraform/terraform/environments/example/lb_access_logs_enabled--github--ministryofjustice/modernisation-platform-terraform-loadbalancer--v3.1.0-3.1.2 branch September 29, 2023 08:59
@ASTRobinson ASTRobinson restored the dependabot/terraform/terraform/environments/example/lb_access_logs_enabled--github--ministryofjustice/modernisation-platform-terraform-loadbalancer--v3.1.0-3.1.2 branch September 29, 2023 09:00
@ASTRobinson ASTRobinson reopened this Sep 29, 2023
@ASTRobinson ASTRobinson temporarily deployed to example-development September 29, 2023 09:01 — with GitHub Actions Inactive
@ASTRobinson ASTRobinson merged commit ebb215e into main Sep 29, 2023
15 of 18 checks passed
@ASTRobinson ASTRobinson deleted the dependabot/terraform/terraform/environments/example/lb_access_logs_enabled--github--ministryofjustice/modernisation-platform-terraform-loadbalancer--v3.1.0-3.1.2 branch September 29, 2023 09:09