Performance hub - s3 landing bucket for AP #3650

Merged
merged 7 commits into from
Oct 13, 2023

Conversation

jemnery
Contributor

@jemnery jemnery commented Oct 13, 2023

Part of migrating and closing a legacy AWS account for performance hub.

@jemnery jemnery requested review from a team as code owners October 13, 2023 06:28
@github-actions github-actions bot added the environments-repository Used to exclude PRs from this repo in our Slack PR update label Oct 13, 2023
@github-actions
Contributor

TFSEC Scan Failed

*****************************

TFSEC will check the following folders:
terraform/environments/delius-core/modules/environment_all_components

*****************************

Running TFSEC in terraform/environments/delius-core/modules/environment_all_components
Excluding the following checks: AWS095

======================================================
tfsec is joining the Trivy family

tfsec will continue to remain available 
for the time being, although our engineering 
attention will be directed at Trivy going forward.

You can read more here: 
https://github.com/aquasecurity/tfsec/discussions/1994
======================================================

Result #1 CRITICAL Security group rule allows egress to multiple public internet addresses. 
────────────────────────────────────────────────────────────────────────────────
  ldap_ecs.tf:89
────────────────────────────────────────────────────────────────────────────────
   83    resource "aws_security_group_rule" "allow_all_egress" {
   84      description       = "Allow all outbound traffic to any IPv4 address"
   85      type              = "egress"
   86      from_port         = 0
   87      to_port           = 0
   88      protocol          = "-1"
   89  [   cidr_blocks       = ["0.0.0.0/0"]
   90      security_group_id = aws_security_group.ldap.id
   91    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-no-public-egress-sgr
      Impact Your port is egressing data to the internet
  Resolution Set a more restrictive cidr range

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/no-public-egress-sgr/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
────────────────────────────────────────────────────────────────────────────────


Result #2 CRITICAL Security group rule allows egress to multiple public internet addresses. 
────────────────────────────────────────────────────────────────────────────────
  weblogic_service.tf:185
────────────────────────────────────────────────────────────────────────────────
  179    resource "aws_security_group_rule" "weblogic_allow_all_egress" {
  180      description       = "Allow all outbound traffic to any IPv4 address on 443"
  181      type              = "egress"
  182      from_port         = 443
  183      to_port           = 443
  184      protocol          = "tcp"
  185  [   cidr_blocks       = ["0.0.0.0/0"]
  186      security_group_id = aws_security_group.weblogic_service.id
  187    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-no-public-egress-sgr
      Impact Your port is egressing data to the internet
  Resolution Set a more restrictive cidr range

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/no-public-egress-sgr/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
────────────────────────────────────────────────────────────────────────────────


Results #3-5 HIGH IAM policy document uses sensitive action 'ssm:GetParameters' on wildcarded resource '*' (3 similar results)
────────────────────────────────────────────────────────────────────────────────
  ../ecs_policies/main.tf:107
   via ldap_ecs.tf:1-14 (module.ldap_ecs_policies)
────────────────────────────────────────────────────────────────────────────────
  104    data "aws_iam_policy_document" "task_exec" {
  ...  
  107  [     resources = ["*"]
  ...  
  121    }
────────────────────────────────────────────────────────────────────────────────
  Individual Causes
  - ../ecs_policies/main.tf:1-14 (module.ldap_ecs_policies) 3 instances
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Results #6-8 HIGH IAM policy document uses sensitive action 'elasticloadbalancing:Describe*' on wildcarded resource '*' (3 similar results)
────────────────────────────────────────────────────────────────────────────────
  ../ecs_policies/main.tf:46
   via ldap_ecs.tf:1-14 (module.ldap_ecs_policies)
────────────────────────────────────────────────────────────────────────────────
   43    data "aws_iam_policy_document" "service_policy" {
   ..  
   46  [     resources = ["*"]
   ..  
   58    }
────────────────────────────────────────────────────────────────────────────────
  Individual Causes
  - ../ecs_policies/main.tf:1-14 (module.ldap_ecs_policies) 3 instances
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Results #9-14 HIGH IAM policy document uses wildcarded action 'elasticloadbalancing:Describe*' (6 similar results)
────────────────────────────────────────────────────────────────────────────────
  ../ecs_policies/main.tf:48-56
   via ldap_ecs.tf:1-14 (module.ldap_ecs_policies)
────────────────────────────────────────────────────────────────────────────────
   43    data "aws_iam_policy_document" "service_policy" {
   44      statement {
   45        effect    = "Allow"
   46        resources = ["*"]
   47    
   48  ┌     actions = concat([
   49"elasticloadbalancing:Describe*",
   50"elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
   51"elasticloadbalancing:RegisterInstancesWithLoadBalancer",
   ..  
────────────────────────────────────────────────────────────────────────────────
  Individual Causes
  - ../ecs_policies/main.tf:1-14 (module.ldap_ecs_policies) 6 instances
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #15 HIGH Instance does not require IMDS access to require a token 
────────────────────────────────────────────────────────────────────────────────
  db_ec2.tf:69
────────────────────────────────────────────────────────────────────────────────
   54    resource "aws_instance" "db_ec2_primary_instance" {
   ..  
   69  [     http_tokens   = "optional" ("optional")
   ..  
   94    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-enforce-http-token-imds
      Impact Instance metadata service can be interacted with freely
  Resolution Enable HTTP token requirement for IMDS

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/enforce-http-token-imds/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance#metadata-options
────────────────────────────────────────────────────────────────────────────────


Results #16-19 HIGH IAM policy document uses wildcarded action 'kms:Encrypt' (4 similar results)
────────────────────────────────────────────────────────────────────────────────
  db_iam.tf:27-36
────────────────────────────────────────────────────────────────────────────────
   24    data "aws_iam_policy_document" "business_unit_kms_key_access" {
   25      statement {
   26        effect = "Allow"
   27  ┌     actions = [
   28"kms:Encrypt",
   29"kms:Decrypt",
   30"kms:ReEncrypt*",
   31"kms:GenerateDataKey*",
   32"kms:DescribeKey",
   ..  
────────────────────────────────────────────────────────────────────────────────
  Individual Causes
  - db_iam.tf:24-41 (data.aws_iam_policy_document.business_unit_kms_key_access) 4 instances
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #20 HIGH IAM policy document uses wildcarded action 's3:*' 
────────────────────────────────────────────────────────────────────────────────
  db_s3.tf:44-46
────────────────────────────────────────────────────────────────────────────────
   40    data "aws_iam_policy_document" "oracledb_backup_bucket_access" {
   41      statement {
   42        sid    = "allowAccessToOracleDbBackupBucket"
   43        effect = "Allow"
   44  ┌     actions = [
   45"s3:*"
   46  └     ]
   47        resources = [
   48          "${module.s3_bucket_oracledb_backups.bucket.arn}",
   ..  
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #21 HIGH IAM policy document uses sensitive action 's3:*' on wildcarded resource '8129c935-fd30-486a-b3e3-85ffd9006f55' 
────────────────────────────────────────────────────────────────────────────────
  db_s3.tf:47-50
────────────────────────────────────────────────────────────────────────────────
   40    data "aws_iam_policy_document" "oracledb_backup_bucket_access" {
   41      statement {
   42        sid    = "allowAccessToOracleDbBackupBucket"
   43        effect = "Allow"
   44        actions = [
   45          "s3:*"
   46        ]
   47  ┌     resources = [
   48"${module.s3_bucket_oracledb_backups.bucket.arn}",
   ..  
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #22 HIGH IAM policy document uses sensitive action 'efs:DescribeFileSystems' on wildcarded resource '*' 
────────────────────────────────────────────────────────────────────────────────
  ldap_backups.tf:100
────────────────────────────────────────────────────────────────────────────────
   97    data "aws_iam_policy_document" "efs_backup_policy" {
   ..  
  100  [     resources = ["*"]
  ...  
  134    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #23 HIGH IAM policy document uses sensitive action 'backup:CreateBackupPlan' on wildcarded resource '*' 
────────────────────────────────────────────────────────────────────────────────
  ldap_backups.tf:72
────────────────────────────────────────────────────────────────────────────────
   69    data "aws_iam_policy_document" "delius_core_backup_policy" {
   ..  
   72  [     resources = ["*"]
   ..  
   89    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Results #24-26 HIGH IAM policy document uses wildcarded action 'backup:*' (3 similar results)
────────────────────────────────────────────────────────────────────────────────
  ldap_datasync.tf:51-55
────────────────────────────────────────────────────────────────────────────────
   48    data "aws_iam_policy_document" "ldap_datasync_role_access" {
   ..  
   51  ┌     actions = [
   52"backup:*",
   53"datasync:*",
   54"elasticfilesystem:*",
   55  └     ]
   ..  
   67    }
────────────────────────────────────────────────────────────────────────────────
  Individual Causes
  - ldap_datasync.tf:48-67 (data.aws_iam_policy_document.ldap_datasync_role_access) 3 instances
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #27 HIGH IAM policy document uses sensitive action 'backup:*' on wildcarded resource '*' 
────────────────────────────────────────────────────────────────────────────────
  ldap_datasync.tf:56
────────────────────────────────────────────────────────────────────────────────
   48    data "aws_iam_policy_document" "ldap_datasync_role_access" {
   ..  
   56  [     resources = ["*"]
   ..  
   67    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #28 HIGH IAM policy document uses wildcarded action 's3:*' 
────────────────────────────────────────────────────────────────────────────────
  ldap_datasync.tf:61
────────────────────────────────────────────────────────────────────────────────
   48    data "aws_iam_policy_document" "ldap_datasync_role_access" {
   ..  
   61  [     actions = ["s3:*"]
   ..  
   67    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #29 HIGH IAM policy document uses sensitive action 's3:*' on wildcarded resource '883cb70c-d77e-4776-8cd7-c6f02fc5ba94' 
────────────────────────────────────────────────────────────────────────────────
  ldap_datasync.tf:62-65
────────────────────────────────────────────────────────────────────────────────
   48    data "aws_iam_policy_document" "ldap_datasync_role_access" {
   ..  
   62  ┌     resources = [
   63"${module.s3_bucket_ldap_data_refresh.bucket.arn}",
   64"${module.s3_bucket_ldap_data_refresh.bucket.arn}/*",
   65  └     ]
   ..  
   67    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #30 HIGH IAM policy document uses sensitive action 'elasticloadbalancing:Describe*' on wildcarded resource '*' 
────────────────────────────────────────────────────────────────────────────────
  ldap_ecs.tf:170
────────────────────────────────────────────────────────────────────────────────
  167    data "aws_iam_policy_document" "ecs_service_policy" {
  ...  
  170  [     resources = ["*"]
  ...  
  182    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Results #31-32 HIGH IAM policy document uses wildcarded action 'elasticloadbalancing:Describe*' (2 similar results)
────────────────────────────────────────────────────────────────────────────────
  ldap_ecs.tf:172-180
────────────────────────────────────────────────────────────────────────────────
  167    data "aws_iam_policy_document" "ecs_service_policy" {
  168      statement {
  169        effect    = "Allow"
  170        resources = ["*"]
  171    
  172  ┌     actions = [
  173"elasticloadbalancing:Describe*",
  174"elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
  175"elasticloadbalancing:RegisterInstancesWithLoadBalancer",
  ...  
────────────────────────────────────────────────────────────────────────────────
  Individual Causes
  - ldap_ecs.tf:167-182 (data.aws_iam_policy_document.ecs_service_policy) 2 instances
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #33 HIGH IAM policy document uses wildcarded action 's3:*' 
────────────────────────────────────────────────────────────────────────────────
  ldap_ecs.tf:209-211
────────────────────────────────────────────────────────────────────────────────
  204    data "aws_iam_policy_document" "ecs_s3" {
  205      statement {
  206        effect    = "Allow"
  207        resources = [module.s3_bucket_migration.bucket.arn]
  208    
  209  ┌     actions = [
  210"s3:*"
  211  └     ]
  212      }
  213    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #34 HIGH IAM policy document uses sensitive action 'ssm:GetParameters' on wildcarded resource '*' 
────────────────────────────────────────────────────────────────────────────────
  ldap_ecs.tf:248
────────────────────────────────────────────────────────────────────────────────
  245    data "aws_iam_policy_document" "ecs_exec" {
  ...  
  248  [     resources = ["*"]
  ...  
  262    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Results #35-36 MEDIUM Bucket does not have versioning enabled (2 similar results)
────────────────────────────────────────────────────────────────────────────────
  github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0/main.tf:170
   via ldap_datasync.tf:96-110 (module.s3_bucket_ldap_data_refresh)
────────────────────────────────────────────────────────────────────────────────
  167    resource "aws_s3_bucket_versioning" "default" {
  168      bucket = aws_s3_bucket.default.id
  169      versioning_configuration {
  170  [     status = (var.versioning_enabled != true) ? "Suspended" : "Enabled"
  171      }
  172    }
────────────────────────────────────────────────────────────────────────────────
  Individual Causes
  - github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0/main.tf:96-110 (module.s3_bucket_ldap_data_refresh)
  - github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0/main.tf:1-38 (module.s3_bucket_oracledb_backups)
────────────────────────────────────────────────────────────────────────────────
          ID aws-s3-enable-versioning
      Impact Deleted or modified data would not be recoverable
  Resolution Enable versioning to protect against accidental/malicious removal or modification

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/s3/enable-versioning/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#versioning
────────────────────────────────────────────────────────────────────────────────


Result #37 LOW Log group is not encrypted. 
────────────────────────────────────────────────────────────────────────────────
  db_service.tf:114-118
────────────────────────────────────────────────────────────────────────────────
  114    resource "aws_cloudwatch_log_group" "delius_core_testing_db_log_group" {
  115      name              = format("%s-%s", var.env_name, var.delius_db_container_config.fully_qualified_name)
  116      retention_in_days = 7
  117      tags              = local.tags
  118    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-cloudwatch-log-group-customer-key
      Impact Log data may be leaked if the logs are compromised. No auditing of who have viewed the logs.
  Resolution Enable CMK encryption of CloudWatch Log Groups

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/cloudwatch/log-group-customer-key/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group#kms_key_id
────────────────────────────────────────────────────────────────────────────────


Result #38 LOW Security group rule does not have a description. 
────────────────────────────────────────────────────────────────────────────────
  ldap_ecs.tf:113-120
────────────────────────────────────────────────────────────────────────────────
  113    resource "aws_security_group_rule" "efs_ingress_ldap" {
  114      type                     = "ingress"
  115      from_port                = 2049
  116      to_port                  = 2049
  117      protocol                 = "tcp"
  118      source_security_group_id = aws_security_group.ldap_efs.id
  119      security_group_id        = aws_security_group.ldap.id
  120    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-add-description-to-security-group-rule
      Impact Descriptions provide context for the firewall rule reasons
  Resolution Add descriptions for all security groups rules

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/add-description-to-security-group-rule/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule
────────────────────────────────────────────────────────────────────────────────


Result #39 LOW Log group is not encrypted. 
────────────────────────────────────────────────────────────────────────────────
  ldap_ecs.tf:122-125
────────────────────────────────────────────────────────────────────────────────
  122    resource "aws_cloudwatch_log_group" "ldap" {
  123      name              = "${var.env_name}-ldap-ecs"
  124      retention_in_days = 30
  125    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-cloudwatch-log-group-customer-key
      Impact Log data may be leaked if the logs are compromised. No auditing of who have viewed the logs.
  Resolution Enable CMK encryption of CloudWatch Log Groups

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/cloudwatch/log-group-customer-key/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group#kms_key_id
────────────────────────────────────────────────────────────────────────────────


Result #40 LOW Log group is not encrypted. 
────────────────────────────────────────────────────────────────────────────────
  ldap_ecs.tf:271-274
────────────────────────────────────────────────────────────────────────────────
  271    resource "aws_cloudwatch_log_group" "ldap_test" {
  272      name              = "/ecs/ldap_${var.env_name}"
  273      retention_in_days = 5
  274    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-cloudwatch-log-group-customer-key
      Impact Log data may be leaked if the logs are compromised. No auditing of who have viewed the logs.
  Resolution Enable CMK encryption of CloudWatch Log Groups

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/cloudwatch/log-group-customer-key/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group#kms_key_id
────────────────────────────────────────────────────────────────────────────────


Result #41 LOW Security group rule does not have a description. 
────────────────────────────────────────────────────────────────────────────────
  ldap_efs.tf:55-62
────────────────────────────────────────────────────────────────────────────────
   55    resource "aws_security_group_rule" "efs_ingress" {
   56      type                     = "ingress"
   57      from_port                = 2049
   58      to_port                  = 2049
   59      protocol                 = "tcp"
   60      source_security_group_id = aws_security_group.ldap.id
   61      security_group_id        = aws_security_group.ldap_efs.id
   62    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-add-description-to-security-group-rule
      Impact Descriptions provide context for the firewall rule reasons
  Resolution Add descriptions for all security groups rules

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/add-description-to-security-group-rule/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule
────────────────────────────────────────────────────────────────────────────────


Result #42 LOW Security group rule does not have a description. 
────────────────────────────────────────────────────────────────────────────────
  ldap_efs.tf:64-71
────────────────────────────────────────────────────────────────────────────────
   64    resource "aws_security_group_rule" "efs_egress" {
   65      type              = "egress"
   66      from_port         = 0
   67      to_port           = 0
   68      protocol          = "all"
   69      cidr_blocks       = [var.account_config.shared_vpc_cidr]
   70      security_group_id = aws_security_group.ldap_efs.id
   71    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-add-description-to-security-group-rule
      Impact Descriptions provide context for the firewall rule reasons
  Resolution Add descriptions for all security groups rules

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/add-description-to-security-group-rule/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule
────────────────────────────────────────────────────────────────────────────────


Result #43 LOW Log group is not encrypted. 
────────────────────────────────────────────────────────────────────────────────
  weblogic_service.tf:199-203
────────────────────────────────────────────────────────────────────────────────
  199    resource "aws_cloudwatch_log_group" "delius_core_frontend_log_group" {
  200      name              = var.weblogic_config.frontend_fully_qualified_name
  201      retention_in_days = 7
  202      tags              = local.tags
  203    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-cloudwatch-log-group-customer-key
      Impact Log data may be leaked if the logs are compromised. No auditing of who have viewed the logs.
  Resolution Enable CMK encryption of CloudWatch Log Groups

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/cloudwatch/log-group-customer-key/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group#kms_key_id
────────────────────────────────────────────────────────────────────────────────


  timings
  ──────────────────────────────────────────
  disk i/o             2.452135ms
  parsing              2.855236061s
  adaptation           22.165896ms
  checks               11.815258ms
  total                2.89166935s

  counts
  ──────────────────────────────────────────
  modules downloaded   4
  modules processed    14
  blocks processed     649
  files read           74

  results
  ──────────────────────────────────────────
  passed               223
  ignored              20
  critical             2
  high                 32
  medium               2
  low                  7

  223 passed, 20 ignored, 43 potential problem(s) detected.

tfsec_exitcode=1

Checkov Scan Failed

*****************************

Checkov will check the following folders:
terraform/environments/delius-core/modules/environment_all_components

*****************************

Running Checkov in terraform/environments/delius-core/modules/environment_all_components
2023-10-13 06:31:42,166 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0:None (for external modules, the --download-external-modules flag is required)
2023-10-13 06:31:42,166 [MainThread  ] [WARNI]  Failed to download module git::https://github.com/cloudposse/terraform-aws-ecs-container-definition.git?ref=tags/0.59.0:None (for external modules, the --download-external-modules flag is required)
2023-10-13 06:31:42,166 [MainThread  ] [WARNI]  Failed to download module git::https://github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//service?ref=c195026bcf0a1958fa4d3cc2efefc56ed876507e:None (for external modules, the --download-external-modules flag is required)
2023-10-13 06:31:42,166 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//cluster?ref=c195026bcf0a1958fa4d3cc2efefc56ed876507e:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 643, Failed checks: 77, Skipped checks: 4

Check: CKV_AWS_108: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: module.db_ecs_policies.aws_iam_policy_document.task_exec
	File: /../ecs_policies/main.tf:104-121
	Calling File: /db_service.tf:27-33
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-data-exfiltration.html

		104 | data "aws_iam_policy_document" "task_exec" {
		105 |   statement {
		106 |     effect    = "Allow"
		107 |     resources = ["*"]
		108 | 
		109 |     actions = concat([
		110 |       "ssm:GetParameters",
		111 |       "ecr:GetAuthorizationToken",
		112 |       "ecr:BatchCheckLayerAvailability",
		113 |       "ecr:GetDownloadUrlForLayer",
		114 |       "ecr:BatchGetImage",
		115 |       "logs:CreateLogGroup",
		116 |       "logs:CreateLogStream",
		117 |       "logs:PutLogEvents",
		118 |       "secretsmanager:GetSecretValue"
		119 |     ], var.extra_exec_role_allow_statements)
		120 |   }
		121 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.db_ecs_policies.aws_iam_policy_document.task_exec
	File: /../ecs_policies/main.tf:104-121
	Calling File: /db_service.tf:27-33

		104 | data "aws_iam_policy_document" "task_exec" {
		105 |   statement {
		106 |     effect    = "Allow"
		107 |     resources = ["*"]
		108 | 
		109 |     actions = concat([
		110 |       "ssm:GetParameters",
		111 |       "ecr:GetAuthorizationToken",
		112 |       "ecr:BatchCheckLayerAvailability",
		113 |       "ecr:GetDownloadUrlForLayer",
		114 |       "ecr:BatchGetImage",
		115 |       "logs:CreateLogGroup",
		116 |       "logs:CreateLogStream",
		117 |       "logs:PutLogEvents",
		118 |       "secretsmanager:GetSecretValue"
		119 |     ], var.extra_exec_role_allow_statements)
		120 |   }
		121 | }

Check: CKV_AWS_108: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: module.ldap_ecs_policies.aws_iam_policy_document.task_exec
	File: /../ecs_policies/main.tf:104-121
	Calling File: /ldap_ecs.tf:1-14
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-data-exfiltration.html

		104 | data "aws_iam_policy_document" "task_exec" {
		105 |   statement {
		106 |     effect    = "Allow"
		107 |     resources = ["*"]
		108 | 
		109 |     actions = concat([
		110 |       "ssm:GetParameters",
		111 |       "ecr:GetAuthorizationToken",
		112 |       "ecr:BatchCheckLayerAvailability",
		113 |       "ecr:GetDownloadUrlForLayer",
		114 |       "ecr:BatchGetImage",
		115 |       "logs:CreateLogGroup",
		116 |       "logs:CreateLogStream",
		117 |       "logs:PutLogEvents",
		118 |       "secretsmanager:GetSecretValue"
		119 |     ], var.extra_exec_role_allow_statements)
		120 |   }
		121 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.ldap_ecs_policies.aws_iam_policy_document.task_exec
	File: /../ecs_policies/main.tf:104-121
	Calling File: /ldap_ecs.tf:1-14

		104 | data "aws_iam_policy_document" "task_exec" {
		105 |   statement {
		106 |     effect    = "Allow"
		107 |     resources = ["*"]
		108 | 
		109 |     actions = concat([
		110 |       "ssm:GetParameters",
		111 |       "ecr:GetAuthorizationToken",
		112 |       "ecr:BatchCheckLayerAvailability",
		113 |       "ecr:GetDownloadUrlForLayer",
		114 |       "ecr:BatchGetImage",
		115 |       "logs:CreateLogGroup",
		116 |       "logs:CreateLogStream",
		117 |       "logs:PutLogEvents",
		118 |       "secretsmanager:GetSecretValue"
		119 |     ], var.extra_exec_role_allow_statements)
		120 |   }
		121 | }

Check: CKV_AWS_108: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: module.weblogic_ecs_policies.aws_iam_policy_document.task_exec
	File: /../ecs_policies/main.tf:104-121
	Calling File: /weblogic_service.tf:65-70
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-data-exfiltration.html

		104 | data "aws_iam_policy_document" "task_exec" {
		105 |   statement {
		106 |     effect    = "Allow"
		107 |     resources = ["*"]
		108 | 
		109 |     actions = concat([
		110 |       "ssm:GetParameters",
		111 |       "ecr:GetAuthorizationToken",
		112 |       "ecr:BatchCheckLayerAvailability",
		113 |       "ecr:GetDownloadUrlForLayer",
		114 |       "ecr:BatchGetImage",
		115 |       "logs:CreateLogGroup",
		116 |       "logs:CreateLogStream",
		117 |       "logs:PutLogEvents",
		118 |       "secretsmanager:GetSecretValue"
		119 |     ], var.extra_exec_role_allow_statements)
		120 |   }
		121 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.weblogic_ecs_policies.aws_iam_policy_document.task_exec
	File: /../ecs_policies/main.tf:104-121
	Calling File: /weblogic_service.tf:65-70

		104 | data "aws_iam_policy_document" "task_exec" {
		105 |   statement {
		106 |     effect    = "Allow"
		107 |     resources = ["*"]
		108 | 
		109 |     actions = concat([
		110 |       "ssm:GetParameters",
		111 |       "ecr:GetAuthorizationToken",
		112 |       "ecr:BatchCheckLayerAvailability",
		113 |       "ecr:GetDownloadUrlForLayer",
		114 |       "ecr:BatchGetImage",
		115 |       "logs:CreateLogGroup",
		116 |       "logs:CreateLogStream",
		117 |       "logs:PutLogEvents",
		118 |       "secretsmanager:GetSecretValue"
		119 |     ], var.extra_exec_role_allow_statements)
		120 |   }
		121 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.db_ec2_primary_instance
	File: /db_ec2.tf:54-94
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html

		54 | resource "aws_instance" "db_ec2_primary_instance" {
		55 |   #checkov:skip=CKV2_AWS_41:"IAM role is not implemented for this example EC2. SSH/AWS keys are not used either."
		56 |   instance_type               = var.db_config.instance.instance_type
		57 |   ami                         = data.aws_ami.oracle_db_ami.id
		58 |   vpc_security_group_ids      = [aws_security_group.db_ec2_instance_sg.id]
		59 |   subnet_id                   = var.account_config.data_subnet_a_id
		60 |   iam_instance_profile        = aws_iam_instance_profile.db_ec2_instanceprofile.name
		61 |   associate_public_ip_address = false
		62 |   monitoring                  = var.db_config.instance.monitoring
		63 |   ebs_optimized               = true
		64 |   key_name                    = aws_key_pair.environment_ec2_user_key_pair.key_name
		65 |   user_data_base64            = var.db_config.user_data_raw
		66 | 
		67 |   metadata_options {
		68 |     http_endpoint = "enabled"
		69 |     http_tokens   = "optional"
		70 |   }
		71 | 
		72 |   root_block_device {
		73 |     volume_type = var.db_config.ebs_volumes.root_volume.volume_type
		74 |     volume_size = var.db_config.ebs_volumes.root_volume.volume_size
		75 |     iops        = var.db_config.ebs_volumes.iops
		76 |     throughput  = var.db_config.ebs_volumes.throughput
		77 |     encrypted   = true
		78 |     kms_key_id  = var.db_config.ebs_volumes.kms_key_id
		79 |     tags        = local.tags
		80 |   }
		81 | 
		82 |   dynamic "ephemeral_block_device" {
		83 |     for_each = { for k, v in var.db_config.ebs_volumes.ebs_non_root_volumes : k => v if v.no_device == true }
		84 |     content {
		85 |       device_name = ephemeral_block_device.key
		86 |       no_device   = true
		87 |     }
		88 |   }
		89 |   tags = merge(local.tags,
		90 |     { Name = lower(format("%s-%s-1", var.env_name, var.db_config.name)) },
		91 |     { server-type = "delius_core_db" },
		92 |     { database = "delius_primarydb" }
		93 |   )
		94 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3_bucket_oracledb_backups
	File: /db_s3.tf:1-38
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision.html

		1  | module "s3_bucket_oracledb_backups" {
		2  |   source              = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0"
		3  |   bucket_name         = "${var.env_name}-oracle-database-backups"
		4  |   versioning_enabled  = false
		5  |   ownership_controls  = "BucketOwnerEnforced"
		6  |   replication_enabled = false
		7  |   custom_kms_key      = var.account_config.general_shared_kms_key_arn
		8  | 
		9  |   providers = {
		10 |     aws.bucket-replication = aws.bucket-replication
		11 |   }
		12 | 
		13 |   lifecycle_rule = [
		14 |     {
		15 |       id      = "main"
		16 |       enabled = "Enabled"
		17 |       prefix  = ""
		18 | 
		19 |       tags = {
		20 |         rule      = "log"
		21 |         autoclean = "true"
		22 |       }
		23 | 
		24 |       transition = [
		25 |         {
		26 |           days          = 90
		27 |           storage_class = "STANDARD_IA"
		28 |         }
		29 |       ]
		30 | 
		31 |       expiration = {
		32 |         days = 365
		33 |       }
		34 |     }
		35 |   ]
		36 | 
		37 |   tags = local.tags
		38 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.delius_core_testing_db_log_group
	File: /db_service.tf:114-118

		114 | resource "aws_cloudwatch_log_group" "delius_core_testing_db_log_group" {
		115 |   name              = format("%s-%s", var.env_name, var.delius_db_container_config.fully_qualified_name)
		116 |   retention_in_days = 7
		117 |   tags              = local.tags
		118 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.delius_core_testing_db_log_group
	File: /db_service.tf:114-118
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html

		114 | resource "aws_cloudwatch_log_group" "delius_core_testing_db_log_group" {
		115 |   name              = format("%s-%s", var.env_name, var.delius_db_container_config.fully_qualified_name)
		116 |   retention_in_days = 7
		117 |   tags              = local.tags
		118 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: testing_db_container
	File: /db_service.tf:1-25
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision.html

		1  | module "testing_db_container" {
		2  |   count                    = var.env_name == "dev" ? 1 : 0
		3  |   source                   = "git::https://github.com/cloudposse/terraform-aws-ecs-container-definition.git?ref=tags/0.59.0"
		4  |   container_name           = "${var.env_name}-${var.delius_db_container_config.fully_qualified_name}"
		5  |   container_image          = "${var.platform_vars.environment_management.account_ids["core-shared-services-production"]}.dkr.ecr.eu-west-2.amazonaws.com/${var.delius_db_container_config.image_name}-ecr-repo:${var.delius_db_container_config.image_tag}"
		6  |   container_memory         = 4096
		7  |   container_cpu            = 1024
		8  |   essential                = true
		9  |   readonly_root_filesystem = false
		10 |   port_mappings = [
		11 |     {
		12 |       containerPort = var.delius_db_container_config.port
		13 |       hostPort      = var.delius_db_container_config.port
		14 |       protocol      = "tcp"
		15 |     },
		16 |   ]
		17 |   log_configuration = {
		18 |     logDriver = "awslogs"
		19 |     options = {
		20 |       "awslogs-group"         = aws_cloudwatch_log_group.delius_core_testing_db_log_group.name
		21 |       "awslogs-region"        = "eu-west-2"
		22 |       "awslogs-stream-prefix" = var.delius_db_container_config.fully_qualified_name
		23 |     }
		24 |   }
		25 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.delius_core_backup_policy
	File: /ldap_backups.tf:69-89
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint.html

		69 | data "aws_iam_policy_document" "delius_core_backup_policy" {
		70 |   statement {
		71 |     effect    = "Allow"
		72 |     resources = ["*"]
		73 | 
		74 |     actions = [
		75 |       "backup:CreateBackupPlan",
		76 |       "backup:CreateBackupSelection",
		77 |       "backup:StartBackupJob",
		78 |       "backup:DescribeBackupJob",
		79 |       "backup:ListBackupJobs",
		80 |       "backup:ListBackupVaults",
		81 |       "backup:ListRecoveryPointsByBackupVault",
		82 |       "backup:ListBackupPlanTemplates",
		83 |       "backup:DescribeRestoreJob",
		84 |       "backup:GetRecoveryPointRestoreMetadata",
		85 |       "backup:ListRestoreJobs",
		86 |       "backup:StartRestoreJob"
		87 |     ]
		88 |   }
		89 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.delius_core_backup_policy
	File: /ldap_backups.tf:69-89

		69 | data "aws_iam_policy_document" "delius_core_backup_policy" {
		70 |   statement {
		71 |     effect    = "Allow"
		72 |     resources = ["*"]
		73 | 
		74 |     actions = [
		75 |       "backup:CreateBackupPlan",
		76 |       "backup:CreateBackupSelection",
		77 |       "backup:StartBackupJob",
		78 |       "backup:DescribeBackupJob",
		79 |       "backup:ListBackupJobs",
		80 |       "backup:ListBackupVaults",
		81 |       "backup:ListRecoveryPointsByBackupVault",
		82 |       "backup:ListBackupPlanTemplates",
		83 |       "backup:DescribeRestoreJob",
		84 |       "backup:GetRecoveryPointRestoreMetadata",
		85 |       "backup:ListRestoreJobs",
		86 |       "backup:StartRestoreJob"
		87 |     ]
		88 |   }
		89 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.efs_backup_policy
	File: /ldap_backups.tf:97-134
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint.html

		97  | data "aws_iam_policy_document" "efs_backup_policy" {
		98  |   statement {
		99  |     effect    = "Allow"
		100 |     resources = ["*"]
		101 | 
		102 |     actions = [
		103 |       "efs:DescribeFileSystems",
		104 |       "efs:CreateBackup",
		105 |       "efs:DeleteBackup",
		106 |       "efs:DescribeBackups",
		107 |       "efs:CreateTags",
		108 |       "efs:UntagResource",
		109 |       "efs:TagResource",
		110 |       "efs:DescribeTags",
		111 |       "elasticfilesystem:Backup",
		112 |       "elasticfilesystem:DescribeTags",
		113 |       "elasticfilesystem:CreateAccessPoint",
		114 |       "elasticfilesystem:CreateFileSystem",
		115 |       "elasticfilesystem:CreateMountTarget",
		116 |       "elasticfilesystem:DeleteAccessPoint",
		117 |       "elasticfilesystem:DeleteFileSystem",
		118 |       "elasticfilesystem:DeleteMountTarget",
		119 |       "elasticfilesystem:DescribeAccessPoints",
		120 |       "elasticfilesystem:DescribeFileSystemPolicy",
		121 |       "elasticfilesystem:DescribeFileSystems",
		122 |       "elasticfilesystem:DescribeLifecycleConfiguration",
		123 |       "elasticfilesystem:DescribeMountTargets",
		124 |       "elasticfilesystem:DescribeMountTargetSecurityGroups",
		125 |       "elasticfilesystem:PutBackupPolicy",
		126 |       "elasticfilesystem:PutFileSystemPolicy",
		127 |       "elasticfilesystem:PutLifecycleConfiguration",
		128 |       "elasticfilesystem:Restore",
		129 |       "elasticfilesystem:TagResource",
		130 |       "elasticfilesystem:UntagResource",
		131 |       "elasticfilesystem:UpdateFileSystem"
		132 |     ]
		133 |   }
		134 | }

Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy_document.efs_backup_policy
	File: /ldap_backups.tf:97-134
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint.html

		97  | data "aws_iam_policy_document" "efs_backup_policy" {
		98  |   statement {
		99  |     effect    = "Allow"
		100 |     resources = ["*"]
		101 | 
		102 |     actions = [
		103 |       "efs:DescribeFileSystems",
		104 |       "efs:CreateBackup",
		105 |       "efs:DeleteBackup",
		106 |       "efs:DescribeBackups",
		107 |       "efs:CreateTags",
		108 |       "efs:UntagResource",
		109 |       "efs:TagResource",
		110 |       "efs:DescribeTags",
		111 |       "elasticfilesystem:Backup",
		112 |       "elasticfilesystem:DescribeTags",
		113 |       "elasticfilesystem:CreateAccessPoint",
		114 |       "elasticfilesystem:CreateFileSystem",
		115 |       "elasticfilesystem:CreateMountTarget",
		116 |       "elasticfilesystem:DeleteAccessPoint",
		117 |       "elasticfilesystem:DeleteFileSystem",
		118 |       "elasticfilesystem:DeleteMountTarget",
		119 |       "elasticfilesystem:DescribeAccessPoints",
		120 |       "elasticfilesystem:DescribeFileSystemPolicy",
		121 |       "elasticfilesystem:DescribeFileSystems",
		122 |       "elasticfilesystem:DescribeLifecycleConfiguration",
		123 |       "elasticfilesystem:DescribeMountTargets",
		124 |       "elasticfilesystem:DescribeMountTargetSecurityGroups",
		125 |       "elasticfilesystem:PutBackupPolicy",
		126 |       "elasticfilesystem:PutFileSystemPolicy",
		127 |       "elasticfilesystem:PutLifecycleConfiguration",
		128 |       "elasticfilesystem:Restore",
		129 |       "elasticfilesystem:TagResource",
		130 |       "elasticfilesystem:UntagResource",
		131 |       "elasticfilesystem:UpdateFileSystem"
		132 |     ]
		133 |   }
		134 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.efs_backup_policy
	File: /ldap_backups.tf:97-134

		97  | data "aws_iam_policy_document" "efs_backup_policy" {
		98  |   statement {
		99  |     effect    = "Allow"
		100 |     resources = ["*"]
		101 | 
		102 |     actions = [
		103 |       "efs:DescribeFileSystems",
		104 |       "efs:CreateBackup",
		105 |       "efs:DeleteBackup",
		106 |       "efs:DescribeBackups",
		107 |       "efs:CreateTags",
		108 |       "efs:UntagResource",
		109 |       "efs:TagResource",
		110 |       "efs:DescribeTags",
		111 |       "elasticfilesystem:Backup",
		112 |       "elasticfilesystem:DescribeTags",
		113 |       "elasticfilesystem:CreateAccessPoint",
		114 |       "elasticfilesystem:CreateFileSystem",
		115 |       "elasticfilesystem:CreateMountTarget",
		116 |       "elasticfilesystem:DeleteAccessPoint",
		117 |       "elasticfilesystem:DeleteFileSystem",
		118 |       "elasticfilesystem:DeleteMountTarget",
		119 |       "elasticfilesystem:DescribeAccessPoints",
		120 |       "elasticfilesystem:DescribeFileSystemPolicy",
		121 |       "elasticfilesystem:DescribeFileSystems",
		122 |       "elasticfilesystem:DescribeLifecycleConfiguration",
		123 |       "elasticfilesystem:DescribeMountTargets",
		124 |       "elasticfilesystem:DescribeMountTargetSecurityGroups",
		125 |       "elasticfilesystem:PutBackupPolicy",
		126 |       "elasticfilesystem:PutFileSystemPolicy",
		127 |       "elasticfilesystem:PutLifecycleConfiguration",
		128 |       "elasticfilesystem:Restore",
		129 |       "elasticfilesystem:TagResource",
		130 |       "elasticfilesystem:UntagResource",
		131 |       "elasticfilesystem:UpdateFileSystem"
		132 |     ]
		133 |   }
		134 | }

Check: CKV_AWS_166: "Ensure Backup Vault is encrypted at rest using KMS CMK"
	FAILED for resource: aws_backup_vault.ldap_backup_vault
	File: /ldap_backups.tf:1-9
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-backup-vault-is-encrypted-at-rest-using-kms-cmk.html

		1 | resource "aws_backup_vault" "ldap_backup_vault" {
		2 |   name = "${var.env_name}-ldap-efs-backup-vault"
		3 |   tags = merge(
		4 |     local.tags,
		5 |     {
		6 |       Name = "${var.env_name}-ldap-efs-backup-vault"
		7 |     },
		8 |   )
		9 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.ldap_datasync_role_access
	File: /ldap_datasync.tf:48-67
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint.html

		48 | data "aws_iam_policy_document" "ldap_datasync_role_access" {
		49 |   statement {
		50 |     effect = "Allow"
		51 |     actions = [
		52 |       "backup:*",
		53 |       "datasync:*",
		54 |       "elasticfilesystem:*",
		55 |     ]
		56 |     resources = ["*"]
		57 |   }
		58 |   statement {
		59 |     sid     = "allowAccessForDataSync"
		60 |     effect  = "Allow"
		61 |     actions = ["s3:*"]
		62 |     resources = [
		63 |       "${module.s3_bucket_ldap_data_refresh.bucket.arn}",
		64 |       "${module.s3_bucket_ldap_data_refresh.bucket.arn}/*",
		65 |     ]
		66 |   }
		67 | }

Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy_document.ldap_datasync_role_access
	File: /ldap_datasync.tf:48-67
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint.html

		48 | data "aws_iam_policy_document" "ldap_datasync_role_access" {
		49 |   statement {
		50 |     effect = "Allow"
		51 |     actions = [
		52 |       "backup:*",
		53 |       "datasync:*",
		54 |       "elasticfilesystem:*",
		55 |     ]
		56 |     resources = ["*"]
		57 |   }
		58 |   statement {
		59 |     sid     = "allowAccessForDataSync"
		60 |     effect  = "Allow"
		61 |     actions = ["s3:*"]
		62 |     resources = [
		63 |       "${module.s3_bucket_ldap_data_refresh.bucket.arn}",
		64 |       "${module.s3_bucket_ldap_data_refresh.bucket.arn}/*",
		65 |     ]
		66 |   }
		67 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.ldap_datasync_role_access
	File: /ldap_datasync.tf:48-67

		48 | data "aws_iam_policy_document" "ldap_datasync_role_access" {
		49 |   statement {
		50 |     effect = "Allow"
		51 |     actions = [
		52 |       "backup:*",
		53 |       "datasync:*",
		54 |       "elasticfilesystem:*",
		55 |     ]
		56 |     resources = ["*"]
		57 |   }
		58 |   statement {
		59 |     sid     = "allowAccessForDataSync"
		60 |     effect  = "Allow"
		61 |     actions = ["s3:*"]
		62 |     resources = [
		63 |       "${module.s3_bucket_ldap_data_refresh.bucket.arn}",
		64 |       "${module.s3_bucket_ldap_data_refresh.bucket.arn}/*",
		65 |     ]
		66 |   }
		67 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3_bucket_ldap_data_refresh
	File: /ldap_datasync.tf:96-110
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision.html

		96  | module "s3_bucket_ldap_data_refresh" {
		97  |   source              = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0"
		98  |   bucket_name         = "${var.env_name}-ldap-data-refresh-incoming"
		99  |   versioning_enabled  = false
		100 |   ownership_controls  = "BucketOwnerEnforced"
		101 |   replication_enabled = false
		102 |   custom_kms_key      = var.account_config.general_shared_kms_key_arn
		103 |   bucket_policy_v2    = local.ldap_refresh_bucket_policies
		104 | 
		105 |   providers = {
		106 |     aws.bucket-replication = aws.bucket-replication
		107 |   }
		108 | 
		109 |   tags = local.tags
		110 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.ecs_service_policy
	File: /ldap_ecs.tf:167-182
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint.html

		167 | data "aws_iam_policy_document" "ecs_service_policy" {
		168 |   statement {
		169 |     effect    = "Allow"
		170 |     resources = ["*"]
		171 | 
		172 |     actions = [
		173 |       "elasticloadbalancing:Describe*",
		174 |       "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
		175 |       "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
		176 |       "ec2:Describe*",
		177 |       "ec2:AuthorizeSecurityGroupIngress",
		178 |       "elasticloadbalancing:RegisterTargets",
		179 |       "elasticloadbalancing:DeregisterTargets"
		180 |     ]
		181 |   }
		182 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.ecs_service_policy
	File: /ldap_ecs.tf:167-182

		167 | data "aws_iam_policy_document" "ecs_service_policy" {
		168 |   statement {
		169 |     effect    = "Allow"
		170 |     resources = ["*"]
		171 | 
		172 |     actions = [
		173 |       "elasticloadbalancing:Describe*",
		174 |       "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
		175 |       "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
		176 |       "ec2:Describe*",
		177 |       "ec2:AuthorizeSecurityGroupIngress",
		178 |       "elasticloadbalancing:RegisterTargets",
		179 |       "elasticloadbalancing:DeregisterTargets"
		180 |     ]
		181 |   }
		182 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.ecs_exec
	File: /ldap_ecs.tf:245-262
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint.html

		245 | data "aws_iam_policy_document" "ecs_exec" {
		246 |   statement {
		247 |     effect    = "Allow"
		248 |     resources = ["*"]
		249 | 
		250 |     actions = [
		251 |       "ssm:GetParameters",
		252 |       "ecr:GetAuthorizationToken",
		253 |       "ecr:BatchCheckLayerAvailability",
		254 |       "ecr:GetDownloadUrlForLayer",
		255 |       "ecr:BatchGetImage",
		256 |       "logs:CreateLogGroup",
		257 |       "logs:CreateLogStream",
		258 |       "logs:PutLogEvents",
		259 |       "secretsmanager:GetSecretValue"
		260 |     ]
		261 |   }
		262 | }

Check: CKV_AWS_108: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_policy_document.ecs_exec
	File: /ldap_ecs.tf:245-262
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-data-exfiltration.html

		245 | data "aws_iam_policy_document" "ecs_exec" {
		246 |   statement {
		247 |     effect    = "Allow"
		248 |     resources = ["*"]
		249 | 
		250 |     actions = [
		251 |       "ssm:GetParameters",
		252 |       "ecr:GetAuthorizationToken",
		253 |       "ecr:BatchCheckLayerAvailability",
		254 |       "ecr:GetDownloadUrlForLayer",
		255 |       "ecr:BatchGetImage",
		256 |       "logs:CreateLogGroup",
		257 |       "logs:CreateLogStream",
		258 |       "logs:PutLogEvents",
		259 |       "secretsmanager:GetSecretValue"
		260 |     ]
		261 |   }
		262 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.ecs_exec
	File: /ldap_ecs.tf:245-262

		245 | data "aws_iam_policy_document" "ecs_exec" {
		246 |   statement {
		247 |     effect    = "Allow"
		248 |     resources = ["*"]
		249 | 
		250 |     actions = [
		251 |       "ssm:GetParameters",
		252 |       "ecr:GetAuthorizationToken",
		253 |       "ecr:BatchCheckLayerAvailability",
		254 |       "ecr:GetDownloadUrlForLayer",
		255 |       "ecr:BatchGetImage",
		256 |       "logs:CreateLogGroup",
		257 |       "logs:CreateLogStream",
		258 |       "logs:PutLogEvents",
		259 |       "secretsmanager:GetSecretValue"
		260 |     ]
		261 |   }
		262 | }

Check: CKV_AWS_23: "Ensure every security groups rule has a description"
	FAILED for resource: aws_security_group_rule.efs_ingress_ldap
	File: /ldap_ecs.tf:113-120
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html

		113 | resource "aws_security_group_rule" "efs_ingress_ldap" {
		114 |   type                     = "ingress"
		115 |   from_port                = 2049
		116 |   to_port                  = 2049
		117 |   protocol                 = "tcp"
		118 |   source_security_group_id = aws_security_group.ldap_efs.id
		119 |   security_group_id        = aws_security_group.ldap.id
		120 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.ldap
	File: /ldap_ecs.tf:122-125

		122 | resource "aws_cloudwatch_log_group" "ldap" {
		123 |   name              = "${var.env_name}-ldap-ecs"
		124 |   retention_in_days = 30
		125 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.ldap
	File: /ldap_ecs.tf:122-125
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html

		122 | resource "aws_cloudwatch_log_group" "ldap" {
		123 |   name              = "${var.env_name}-ldap-ecs"
		124 |   retention_in_days = 30
		125 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.ldap_test
	File: /ldap_ecs.tf:271-274

		271 | resource "aws_cloudwatch_log_group" "ldap_test" {
		272 |   name              = "/ecs/ldap_${var.env_name}"
		273 |   retention_in_days = 5
		274 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.ldap_test
	File: /ldap_ecs.tf:271-274
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html

		271 | resource "aws_cloudwatch_log_group" "ldap_test" {
		272 |   name              = "/ecs/ldap_${var.env_name}"
		273 |   retention_in_days = 5
		274 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3_bucket_ldap_deployment
	File: /ldap_ecs.tf:33-71
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision.html

		33 | module "s3_bucket_ldap_deployment" {
		34 | 
		35 |   source = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0"
		36 | 
		37 |   providers = {
		38 |     aws.bucket-replication = aws.bucket-replication
		39 |   }
		40 |   bucket_prefix      = "${var.env_name}-ldap-deployment-"
		41 |   versioning_enabled = true
		42 | 
		43 |   lifecycle_rule = [
		44 |     {
		45 |       id      = "main"
		46 |       enabled = "Enabled"
		47 |       prefix  = ""
		48 | 
		49 |       tags = {
		50 |         rule      = "log"
		51 |         autoclean = "true"
		52 |       }
		53 | 
		54 |       noncurrent_version_transition = [
		55 |         {
		56 |           days          = 90
		57 |           storage_class = "STANDARD_IA"
		58 |           }, {
		59 |           days          = 365
		60 |           storage_class = "GLACIER"
		61 |         }
		62 |       ]
		63 | 
		64 |       noncurrent_version_expiration = {
		65 |         days = 730
		66 |       }
		67 |     }
		68 |   ]
		69 | 
		70 |   tags = local.tags
		71 | }

Check: CKV_AWS_329: "EFS access points should enforce a root directory"
	FAILED for resource: aws_efs_access_point.ldap
	File: /ldap_efs.tf:24-35

		24 | resource "aws_efs_access_point" "ldap" {
		25 |   file_system_id = aws_efs_file_system.ldap.id
		26 |   root_directory {
		27 |     path = "/"
		28 |   }
		29 |   tags = merge(
		30 |     local.tags,
		31 |     {
		32 |       Name = "${var.env_name}-ldap-efs-access-point"
		33 |     }
		34 |   )
		35 | }

Check: CKV_AWS_330: "EFS access points should enforce a user identity"
	FAILED for resource: aws_efs_access_point.ldap
	File: /ldap_efs.tf:24-35

		24 | resource "aws_efs_access_point" "ldap" {
		25 |   file_system_id = aws_efs_file_system.ldap.id
		26 |   root_directory {
		27 |     path = "/"
		28 |   }
		29 |   tags = merge(
		30 |     local.tags,
		31 |     {
		32 |       Name = "${var.env_name}-ldap-efs-access-point"
		33 |     }
		34 |   )
		35 | }

Check: CKV_AWS_23: "Ensure every security groups rule has a description"
	FAILED for resource: aws_security_group_rule.efs_ingress
	File: /ldap_efs.tf:55-62
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html

		55 | resource "aws_security_group_rule" "efs_ingress" {
		56 |   type                     = "ingress"
		57 |   from_port                = 2049
		58 |   to_port                  = 2049
		59 |   protocol                 = "tcp"
		60 |   source_security_group_id = aws_security_group.ldap.id
		61 |   security_group_id        = aws_security_group.ldap_efs.id
		62 | }

Check: CKV_AWS_23: "Ensure every security groups rule has a description"
	FAILED for resource: aws_security_group_rule.efs_egress
	File: /ldap_efs.tf:64-71
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html

		64 | resource "aws_security_group_rule" "efs_egress" {
		65 |   type              = "egress"
		66 |   from_port         = 0
		67 |   to_port           = 0
		68 |   protocol          = "all"
		69 |   cidr_blocks       = [var.account_config.shared_vpc_cidr]
		70 |   security_group_id = aws_security_group.ldap_efs.id
		71 | }

Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
	FAILED for resource: aws_lb.ldap
	File: /ldap_nlb.tf:14-23
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22.html

		14 | resource "aws_lb" "ldap" {
		15 |   name                       = local.ldap_nlb_name
		16 |   internal                   = true
		17 |   load_balancer_type         = "network"
		18 |   subnets                    = var.account_config.private_subnet_ids
		19 |   drop_invalid_header_fields = true
		20 |   enable_deletion_protection = false
		21 | 
		22 |   tags = local.ldap_nlb_tags
		23 | }

Check: CKV_AWS_152: "Ensure that Load Balancer (Network/Gateway) has cross-zone load balancing enabled"
	FAILED for resource: aws_lb.ldap
	File: /ldap_nlb.tf:14-23
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-load-balancer-networkgateway-has-cross-zone-load-balancing-enabled.html

		14 | resource "aws_lb" "ldap" {
		15 |   name                       = local.ldap_nlb_name
		16 |   internal                   = true
		17 |   load_balancer_type         = "network"
		18 |   subnets                    = var.account_config.private_subnet_ids
		19 |   drop_invalid_header_fields = true
		20 |   enable_deletion_protection = false
		21 | 
		22 |   tags = local.ldap_nlb_tags
		23 | }

Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
	FAILED for resource: aws_lb.ldap
	File: /ldap_nlb.tf:14-23
	Guide: https://docs.bridgecrew.io/docs/bc_aws_networking_62

		14 | resource "aws_lb" "ldap" {
		15 |   name                       = local.ldap_nlb_name
		16 |   internal                   = true
		17 |   load_balancer_type         = "network"
		18 |   subnets                    = var.account_config.private_subnet_ids
		19 |   drop_invalid_header_fields = true
		20 |   enable_deletion_protection = false
		21 | 
		22 |   tags = local.ldap_nlb_tags
		23 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.delius_core_ldap_credential
	File: /ldap_params.tf:2-4
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms.html

		2 | resource "aws_secretsmanager_secret" "delius_core_ldap_credential" {
		3 |   name = "${var.account_info.application_name}-${var.env_name}-openldap-bind-password"
		4 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_ldap_host
	File: /ldap_params.tf:20-30

		20 | resource "aws_ssm_parameter" "delius_core_ldap_host" {
		21 |   name  = format("/%s-%s/LDAP_HOST", var.account_info.application_name, var.env_name)
		22 |   type  = "SecureString"
		23 |   value = "INITIAL_VALUE_OVERRIDDEN"
		24 |   lifecycle {
		25 |     ignore_changes = [
		26 |       value
		27 |     ]
		28 |   }
		29 |   tags = local.tags
		30 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_ldap_principal
	File: /ldap_params.tf:32-42

		32 | resource "aws_ssm_parameter" "delius_core_ldap_principal" {
		33 |   name  = format("/%s-%s/LDAP_PRINCIPAL", var.account_info.application_name, var.env_name)
		34 |   type  = "SecureString"
		35 |   value = "INITIAL_VALUE_OVERRIDDEN"
		36 |   lifecycle {
		37 |     ignore_changes = [
		38 |       value
		39 |     ]
		40 |   }
		41 |   tags = local.tags
		42 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3_bucket_migration
	File: /ldap_s3.tf:1-91
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision.html

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3_bucket_app_deployment
	File: /ldap_s3.tf:94-133
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision.html

		94  | module "s3_bucket_app_deployment" {
		95  | 
		96  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0"
		97  | 
		98  |   bucket_name        = "${var.app_name}-${var.env_name}-openldap-deployment"
		99  |   versioning_enabled = true
		100 | 
		101 |   providers = {
		102 |     aws.bucket-replication = aws.bucket-replication
		103 |   }
		104 | 
		105 |   lifecycle_rule = [
		106 |     {
		107 |       id      = "main"
		108 |       enabled = "Enabled"
		109 |       prefix  = ""
		110 | 
		111 |       tags = {
		112 |         rule      = "log"
		113 |         autoclean = "true"
		114 |       }
		115 | 
		116 |       noncurrent_version_transition = [
		117 |         {
		118 |           days          = 90
		119 |           storage_class = "STANDARD_IA"
		120 |           }, {
		121 |           days          = 365
		122 |           storage_class = "GLACIER"
		123 |         }
		124 |       ]
		125 | 
		126 |       noncurrent_version_expiration = {
		127 |         days = 730
		128 |       }
		129 |     }
		130 |   ]
		131 | 
		132 |   tags = local.tags
		133 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.ldap_bind_password
	File: /ssm.tf:17-28

		17 | resource "aws_ssm_parameter" "ldap_bind_password" {
		18 |   name  = format("/%s-%s/LDAP_BIND_PASSWORD", var.account_info.application_name, var.env_name)
		19 |   type  = "SecureString"
		20 |   value = "INITIAL_VALUE_OVERRIDDEN"
		21 |   lifecycle {
		22 |     ignore_changes = [
		23 |       value
		24 |     ]
		25 |   }
		26 |   tags = local.tags
		27 | 
		28 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.ldap_admin_password
	File: /ssm.tf:30-41

		30 | resource "aws_ssm_parameter" "ldap_admin_password" {
		31 |   name  = format("/%s-%s/LDAP_ADMIN_PASSWORD", var.account_info.application_name, var.env_name)
		32 |   type  = "SecureString"
		33 |   value = "INITIAL_VALUE_OVERRIDDEN"
		34 |   lifecycle {
		35 |     ignore_changes = [
		36 |       value
		37 |     ]
		38 |   }
		39 |   tags = local.tags
		40 | 
		41 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.oasys_user
	File: /ssm.tf:43-54

		43 | resource "aws_ssm_parameter" "oasys_user" {
		44 |   name  = format("/%s-%s/oasys_user", var.account_info.application_name, var.env_name)
		45 |   type  = "SecureString"
		46 |   value = "INITIAL_VALUE_OVERRIDDEN"
		47 |   lifecycle {
		48 |     ignore_changes = [
		49 |       value
		50 |     ]
		51 |   }
		52 |   tags = local.tags
		53 | 
		54 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.oasys_password
	File: /ssm.tf:56-67

		56 | resource "aws_ssm_parameter" "oasys_password" {
		57 |   name  = format("/%s-%s/oasys_password", var.account_info.application_name, var.env_name)
		58 |   type  = "SecureString"
		59 |   value = "INITIAL_VALUE_OVERRIDDEN"
		60 |   lifecycle {
		61 |     ignore_changes = [
		62 |       value
		63 |     ]
		64 |   }
		65 |   tags = local.tags
		66 | 
		67 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.iaps_user
	File: /ssm.tf:69-80

		69 | resource "aws_ssm_parameter" "iaps_user" {
		70 |   name  = format("/%s-%s/iaps_user", var.account_info.application_name, var.env_name)
		71 |   type  = "SecureString"
		72 |   value = "INITIAL_VALUE_OVERRIDDEN"
		73 |   lifecycle {
		74 |     ignore_changes = [
		75 |       value
		76 |     ]
		77 |   }
		78 |   tags = local.tags
		79 | 
		80 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.iaps_user_password
	File: /ssm.tf:82-93

		82 | resource "aws_ssm_parameter" "iaps_user_password" {
		83 |   name  = format("/%s-%s/iaps_user_password", var.account_info.application_name, var.env_name)
		84 |   type  = "SecureString"
		85 |   value = "INITIAL_VALUE_OVERRIDDEN"
		86 |   lifecycle {
		87 |     ignore_changes = [
		88 |       value
		89 |     ]
		90 |   }
		91 |   tags = local.tags
		92 | 
		93 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.dss_user
	File: /ssm.tf:95-106

		95  | resource "aws_ssm_parameter" "dss_user" {
		96  |   name  = format("/%s-%s/dss_user", var.account_info.application_name, var.env_name)
		97  |   type  = "SecureString"
		98  |   value = "INITIAL_VALUE_OVERRIDDEN"
		99  |   lifecycle {
		100 |     ignore_changes = [
		101 |       value
		102 |     ]
		103 |   }
		104 |   tags = local.tags
		105 | 
		106 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.dss_user_password
	File: /ssm.tf:108-119

		108 | resource "aws_ssm_parameter" "dss_user_password" {
		109 |   name  = format("/%s-%s/dss_user_password", var.account_info.application_name, var.env_name)
		110 |   type  = "SecureString"
		111 |   value = "INITIAL_VALUE_OVERRIDDEN"
		112 |   lifecycle {
		113 |     ignore_changes = [
		114 |       value
		115 |     ]
		116 |   }
		117 |   tags = local.tags
		118 | 
		119 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.casenotes_user
	File: /ssm.tf:121-132

		121 | resource "aws_ssm_parameter" "casenotes_user" {
		122 |   name  = format("/%s-%s/casenotes_user", var.account_info.application_name, var.env_name)
		123 |   type  = "SecureString"
		124 |   value = "INITIAL_VALUE_OVERRIDDEN"
		125 |   lifecycle {
		126 |     ignore_changes = [
		127 |       value
		128 |     ]
		129 |   }
		130 |   tags = local.tags
		131 | 
		132 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.casenotes_user_password
	File: /ssm.tf:134-144

		134 | resource "aws_ssm_parameter" "casenotes_user_password" {
		135 |   name  = format("/%s-%s/casenotes_user_password", var.account_info.application_name, var.env_name)
		136 |   type  = "SecureString"
		137 |   value = "INITIAL_VALUE_OVERRIDDEN"
		138 |   lifecycle {
		139 |     ignore_changes = [
		140 |       value
		141 |     ]
		142 |   }
		143 |   tags = local.tags
		144 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.test_user_password
	File: /ssm.tf:146-157

		146 | resource "aws_ssm_parameter" "test_user_password" {
		147 |   name  = format("/%s-%s/test_user_password", var.account_info.application_name, var.env_name)
		148 |   type  = "SecureString"
		149 |   value = "INITIAL_VALUE_OVERRIDDEN"
		150 |   lifecycle {
		151 |     ignore_changes = [
		152 |       value
		153 |     ]
		154 |   }
		155 | 
		156 |   tags = local.tags
		157 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_gdpr_api_client_secret
	File: /ssm.tf:159-171

		159 | resource "aws_ssm_parameter" "delius_core_gdpr_api_client_secret" {
		160 |   name  = format("/%s-%s/gdpr/api/client_secret", var.account_info.application_name, var.env_name)
		161 |   type  = "SecureString"
		162 |   value = "INITIAL_VALUE_OVERRIDDEN"
		163 | 
		164 |   lifecycle {
		165 |     ignore_changes = [
		166 |       value
		167 |     ]
		168 |   }
		169 | 
		170 |   tags = local.tags
		171 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_pwm_config_password
	File: /ssm.tf:173-185

		173 | resource "aws_ssm_parameter" "delius_core_pwm_config_password" {
		174 |   name  = format("/%s-%s/pwm/pwm/config_password", var.account_info.application_name, var.env_name)
		175 |   type  = "SecureString"
		176 |   value = "INITIAL_VALUE_OVERRIDDEN"
		177 | 
		178 |   lifecycle {
		179 |     ignore_changes = [
		180 |       value
		181 |     ]
		182 |   }
		183 | 
		184 |   tags = local.tags
		185 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_merge_api_client_secret
	File: /ssm.tf:187-199

		187 | resource "aws_ssm_parameter" "delius_core_merge_api_client_secret" {
		188 |   name  = format("/%s-%s/merge/api/client_secret", var.account_info.application_name, var.env_name)
		189 |   type  = "SecureString"
		190 |   value = "INITIAL_VALUE_OVERRIDDEN"
		191 | 
		192 |   lifecycle {
		193 |     ignore_changes = [
		194 |       value
		195 |     ]
		196 |   }
		197 | 
		198 |   tags = local.tags
		199 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_weblogic_ndelius_domain_umt_client_secret
	File: /ssm.tf:201-213

		201 | resource "aws_ssm_parameter" "delius_core_weblogic_ndelius_domain_umt_client_secret" {
		202 |   name  = format("/%s-%s/weblogic/ndelius-domain/umt_client_secret", var.account_info.application_name, var.env_name)
		203 |   type  = "SecureString"
		204 |   value = "INITIAL_VALUE_OVERRIDDEN"
		205 | 
		206 |   lifecycle {
		207 |     ignore_changes = [
		208 |       value
		209 |     ]
		210 |   }
		211 | 
		212 |   tags = local.tags
		213 | }

Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
	FAILED for resource: aws_lb.delius_core_frontend
	File: /weblogic_alb.tf:39-51
	Guide: https://docs.bridgecrew.io/docs/bc_aws_networking_62

		39 | resource "aws_lb" "delius_core_frontend" {
		40 |   # checkov:skip=CKV_AWS_91
		41 |   # checkov:skip=CKV2_AWS_28
		42 | 
		43 |   name               = "${var.app_name}-${var.env_name}-weblogic-alb"
		44 |   internal           = false
		45 |   load_balancer_type = "application"
		46 |   security_groups    = [aws_security_group.delius_frontend_alb_security_group.id]
		47 |   subnets            = var.account_config.public_subnet_ids
		48 | 
		49 |   enable_deletion_protection = false
		50 |   drop_invalid_header_fields = true
		51 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_frontend_env_var_jdbc_url
	File: /weblogic_params.tf:6-16

		6  | resource "aws_ssm_parameter" "delius_core_frontend_env_var_jdbc_url" {
		7  |   name  = format("/%s-%s/JDBC_URL", var.account_info.application_name, var.env_name)
		8  |   type  = "SecureString"
		9  |   value = format("jdbc:oracle:thin:@//INITIAL_HOSTNAME_OVERRIDEN:INITIAL_PORT_OVERRIDDEN/%s", var.weblogic_config.db_name)
		10 |   tags  = local.tags
		11 |   lifecycle {
		12 |     ignore_changes = [
		13 |       value
		14 |     ]
		15 |   }
		16 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_frontend_env_var_jdbc_password
	File: /weblogic_params.tf:18-28

		18 | resource "aws_ssm_parameter" "delius_core_frontend_env_var_jdbc_password" {
		19 |   name  = format("/%s-%s/JDBC_PASSWORD", var.account_info.application_name, var.env_name)
		20 |   type  = "SecureString"
		21 |   value = "INITIAL_VALUE_OVERRIDDEN"
		22 |   tags  = local.tags
		23 |   lifecycle {
		24 |     ignore_changes = [
		25 |       value
		26 |     ]
		27 |   }
		28 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_frontend_env_var_test_mode
	File: /weblogic_params.tf:30-35

		30 | resource "aws_ssm_parameter" "delius_core_frontend_env_var_test_mode" {
		31 |   name  = format("/%s/%s/TEST_MODE", var.account_info.application_name, var.env_name)
		32 |   type  = "String"
		33 |   value = "true"
		34 |   tags  = local.tags
		35 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_frontend_env_var_dev_username
	File: /weblogic_params.tf:37-47

		37 | resource "aws_ssm_parameter" "delius_core_frontend_env_var_dev_username" {
		38 |   name  = format("/%s/%s/DEV_USERNAME", var.account_info.application_name, var.env_name)
		39 |   type  = "SecureString"
		40 |   value = "INITIAL_VALUE_OVERRIDDEN"
		41 |   lifecycle {
		42 |     ignore_changes = [
		43 |       value
		44 |     ]
		45 |   }
		46 |   tags = local.tags
		47 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_frontend_env_var_dev_password
	File: /weblogic_params.tf:49-59

		49 | resource "aws_ssm_parameter" "delius_core_frontend_env_var_dev_password" {
		50 |   name  = format("/%s/%s/DEV_PASSWORD", var.account_info.application_name, var.env_name)
		51 |   type  = "SecureString"
		52 |   value = "INITIAL_VALUE_OVERRIDDEN"
		53 |   lifecycle {
		54 |     ignore_changes = [
		55 |       value
		56 |     ]
		57 |   }
		58 |   tags = local.tags
		59 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_frontend_env_var_eis_user_context
	File: /weblogic_params.tf:61-71

		61 | resource "aws_ssm_parameter" "delius_core_frontend_env_var_eis_user_context" {
		62 |   name  = format("/%s/%s/EIS_USER_CONTEXT", var.account_info.application_name, var.env_name)
		63 |   type  = "SecureString"
		64 |   value = "INITIAL_VALUE_OVERRIDDEN"
		65 |   lifecycle {
		66 |     ignore_changes = [
		67 |       value
		68 |     ]
		69 |   }
		70 |   tags = local.tags
		71 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_frontend_env_var_user_context
	File: /weblogic_params.tf:73-83

		73 | resource "aws_ssm_parameter" "delius_core_frontend_env_var_user_context" {
		74 |   name  = format("/%s/%s/USER_CONTEXT", var.account_info.application_name, var.env_name)
		75 |   type  = "SecureString"
		76 |   value = "INITIAL_VALUE_OVERRIDDEN"
		77 |   lifecycle {
		78 |     ignore_changes = [
		79 |       value
		80 |     ]
		81 |   }
		82 |   tags = local.tags
		83 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.delius_core_frontend_log_group
	File: /weblogic_service.tf:199-203

		199 | resource "aws_cloudwatch_log_group" "delius_core_frontend_log_group" {
		200 |   name              = var.weblogic_config.frontend_fully_qualified_name
		201 |   retention_in_days = 7
		202 |   tags              = local.tags
		203 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.delius_core_frontend_log_group
	File: /weblogic_service.tf:199-203
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html

		199 | resource "aws_cloudwatch_log_group" "delius_core_frontend_log_group" {
		200 |   name              = var.weblogic_config.frontend_fully_qualified_name
		201 |   retention_in_days = 7
		202 |   tags              = local.tags
		203 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: weblogic_container
	File: /weblogic_service.tf:1-63
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision.html

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
	FAILED for resource: aws_ssm_parameter.delius_core_frontend_env_var_test_mode
	File: /weblogic_params.tf:30-35
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html

		30 | resource "aws_ssm_parameter" "delius_core_frontend_env_var_test_mode" {
		31 |   name  = format("/%s/%s/TEST_MODE", var.account_info.application_name, var.env_name)
		32 |   type  = "String"
		33 |   value = "true"
		34 |   tags  = local.tags
		35 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: module.ebs_volume.aws_ebs_volume.this
	File: /../ebs_volume/main.tf:1-10
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup.html

		1  | resource "aws_ebs_volume" "this" {
		2  |   availability_zone = var.availability_zone
		3  |   type              = var.type
		4  |   iops              = var.iops
		5  |   throughput        = var.throughput
		6  |   size              = var.size
		7  |   encrypted         = true
		8  |   kms_key_id        = var.kms_key_id
		9  |   tags              = var.tags
		10 | }

Check: CKV2_AWS_23: "Route53 A Record has Attached Resource"
	FAILED for resource: aws_route53_record.delius-core-db
	File: /db_service.tf:70-78
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-route53-a-record-has-an-attached-resource.html

		70 | resource "aws_route53_record" "delius-core-db" {
		71 |   count    = var.env_name == "dev" ? 1 : 0
		72 |   provider = aws.core-vpc
		73 |   zone_id  = var.account_config.route53_inner_zone_info.zone_id
		74 |   name     = "${var.app_name}-${var.env_name}-${var.delius_db_container_config.fully_qualified_name}.${var.account_config.route53_inner_zone_info.name}"
		75 |   type     = "A"
		76 |   ttl      = 300
		77 |   records  = ["10.26.26.95"]
		78 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.delius_core_ldap_credential
	File: /ldap_params.tf:2-4

		2 | resource "aws_secretsmanager_secret" "delius_core_ldap_credential" {
		3 |   name = "${var.account_info.application_name}-${var.env_name}-openldap-bind-password"
		4 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.delius_db_security_group
	File: /db_service.tf:80-85
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis.html

		80 | resource "aws_security_group" "delius_db_security_group" {
		81 |   name        = format("%s - Delius Core DB", var.env_name)
		82 |   description = "Rules for the delius testing db ecs service"
		83 |   vpc_id      = var.account_config.shared_vpc_id
		84 |   tags        = local.tags
		85 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.ldap
	File: /ldap_ecs.tf:73-81
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis.html

		73 | resource "aws_security_group" "ldap" {
		74 |   name        = "${var.env_name}-ldap-sg"
		75 |   description = "Security group for the ${var.env_name} ldap service"
		76 |   vpc_id      = var.account_info.vpc_id
		77 |   tags        = local.tags
		78 |   lifecycle {
		79 |     create_before_destroy = true
		80 |   }
		81 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.weblogic_service
	File: /weblogic_service.tf:114-122
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis.html

		114 | resource "aws_security_group" "weblogic_service" {
		115 |   name        = format("%s - Delius Core Weblogic service", var.env_name)
		116 |   description = "Security group for the ${var.env_name} weblogic service"
		117 |   vpc_id      = var.account_info.vpc_id
		118 |   tags        = local.tags
		119 |   lifecycle {
		120 |     create_before_destroy = true
		121 |   }
		122 | }


checkov_exitcode=1

CTFLint Scan Failed

*****************************

Setting default tflint config...
Running tflint --init...
Installing `terraform` plugin...
Installed `terraform` (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.2.1)
tflint will check the following folders:
terraform/environments/delius-core/modules/environment_all_components

*****************************

Running tflint in terraform/environments/delius-core/modules/environment_all_components
Excluding the following checks: terraform_unused_declarations
3 issue(s) found:

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/delius-core/modules/environment_all_components/db_s3.tf line 48:
  48:       "${module.s3_bucket_oracledb_backups.bucket.arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/delius-core/modules/environment_all_components/ldap_datasync.tf line 63:
  63:       "${module.s3_bucket_ldap_data_refresh.bucket.arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/delius-core/modules/environment_all_components/ldap_datasync.tf line 76:
  76:         "${module.s3_bucket_ldap_data_refresh.bucket.arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

tflint_exitcode=2

@github-actions
Contributor

TFSEC Scan Failed

*****************************

TFSEC will check the following folders:
terraform/environments/delius-core/modules/environment_all_components

*****************************

Running TFSEC in terraform/environments/delius-core/modules/environment_all_components
Excluding the following checks: AWS095

======================================================
tfsec is joining the Trivy family

tfsec will continue to remain available 
for the time being, although our engineering 
attention will be directed at Trivy going forward.

You can read more here: 
https://github.com/aquasecurity/tfsec/discussions/1994
======================================================

Result #1 CRITICAL Security group rule allows egress to multiple public internet addresses. 
────────────────────────────────────────────────────────────────────────────────
  ldap_ecs.tf:89
────────────────────────────────────────────────────────────────────────────────
   83    resource "aws_security_group_rule" "allow_all_egress" {
   84      description       = "Allow all outbound traffic to any IPv4 address"
   85      type              = "egress"
   86      from_port         = 0
   87      to_port           = 0
   88      protocol          = "-1"
   89  [   cidr_blocks       = ["0.0.0.0/0"]
   90      security_group_id = aws_security_group.ldap.id
   91    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-no-public-egress-sgr
      Impact Your port is egressing data to the internet
  Resolution Set a more restrictive cidr range

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/no-public-egress-sgr/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
────────────────────────────────────────────────────────────────────────────────


Result #2 CRITICAL Security group rule allows egress to multiple public internet addresses. 
────────────────────────────────────────────────────────────────────────────────
  weblogic_service.tf:185
────────────────────────────────────────────────────────────────────────────────
  179    resource "aws_security_group_rule" "weblogic_allow_all_egress" {
  180      description       = "Allow all outbound traffic to any IPv4 address on 443"
  181      type              = "egress"
  182      from_port         = 443
  183      to_port           = 443
  184      protocol          = "tcp"
  185  [   cidr_blocks       = ["0.0.0.0/0"]
  186      security_group_id = aws_security_group.weblogic_service.id
  187    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-no-public-egress-sgr
      Impact Your port is egressing data to the internet
  Resolution Set a more restrictive cidr range

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/no-public-egress-sgr/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
────────────────────────────────────────────────────────────────────────────────


Results #3-5 HIGH IAM policy document uses sensitive action 'ssm:GetParameters' on wildcarded resource '*' (3 similar results)
────────────────────────────────────────────────────────────────────────────────
  ../ecs_policies/main.tf:107
   via ldap_ecs.tf:1-14 (module.ldap_ecs_policies)
────────────────────────────────────────────────────────────────────────────────
  104    data "aws_iam_policy_document" "task_exec" {
  ...  
  107  [     resources = ["*"]
  ...  
  121    }
────────────────────────────────────────────────────────────────────────────────
  Individual Causes
  - ../ecs_policies/main.tf:1-14 (module.ldap_ecs_policies) 3 instances
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Results #6-8 HIGH IAM policy document uses sensitive action 'elasticloadbalancing:Describe*' on wildcarded resource '*' (3 similar results)
────────────────────────────────────────────────────────────────────────────────
  ../ecs_policies/main.tf:46
   via ldap_ecs.tf:1-14 (module.ldap_ecs_policies)
────────────────────────────────────────────────────────────────────────────────
   43    data "aws_iam_policy_document" "service_policy" {
   ..  
   46  [     resources = ["*"]
   ..  
   58    }
────────────────────────────────────────────────────────────────────────────────
  Individual Causes
  - ../ecs_policies/main.tf:1-14 (module.ldap_ecs_policies) 3 instances
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Results #9-14 HIGH IAM policy document uses wildcarded action 'elasticloadbalancing:Describe*' (6 similar results)
────────────────────────────────────────────────────────────────────────────────
  ../ecs_policies/main.tf:48-56
   via ldap_ecs.tf:1-14 (module.ldap_ecs_policies)
────────────────────────────────────────────────────────────────────────────────
   43    data "aws_iam_policy_document" "service_policy" {
   44      statement {
   45        effect    = "Allow"
   46        resources = ["*"]
   47    
   48  ┌     actions = concat([
   49  │       "elasticloadbalancing:Describe*",
   50  │       "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
   51  │       "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
   ..  
────────────────────────────────────────────────────────────────────────────────
  Individual Causes
  - ../ecs_policies/main.tf:1-14 (module.ldap_ecs_policies) 6 instances
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #15 HIGH Instance does not require IMDS access to require a token 
────────────────────────────────────────────────────────────────────────────────
  db_ec2.tf:69
────────────────────────────────────────────────────────────────────────────────
   54    resource "aws_instance" "db_ec2_primary_instance" {
   ..  
   69  [     http_tokens   = "optional" ("optional")
   ..  
   94    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-enforce-http-token-imds
      Impact Instance metadata service can be interacted with freely
  Resolution Enable HTTP token requirement for IMDS

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/enforce-http-token-imds/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance#metadata-options
────────────────────────────────────────────────────────────────────────────────


Results #16-19 HIGH IAM policy document uses wildcarded action 'kms:Encrypt' (4 similar results)
────────────────────────────────────────────────────────────────────────────────
  db_iam.tf:27-36
────────────────────────────────────────────────────────────────────────────────
   24    data "aws_iam_policy_document" "business_unit_kms_key_access" {
   25      statement {
   26        effect = "Allow"
   27  ┌     actions = [
   28  │       "kms:Encrypt",
   29  │       "kms:Decrypt",
   30  │       "kms:ReEncrypt*",
   31  │       "kms:GenerateDataKey*",
   32  │       "kms:DescribeKey",
   ..  
────────────────────────────────────────────────────────────────────────────────
  Individual Causes
  - db_iam.tf:24-41 (data.aws_iam_policy_document.business_unit_kms_key_access) 4 instances
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #20 HIGH IAM policy document uses wildcarded action 's3:*' 
────────────────────────────────────────────────────────────────────────────────
  db_s3.tf:44-46
────────────────────────────────────────────────────────────────────────────────
   40    data "aws_iam_policy_document" "oracledb_backup_bucket_access" {
   41      statement {
   42        sid    = "allowAccessToOracleDbBackupBucket"
   43        effect = "Allow"
   44  ┌     actions = [
   45  │       "s3:*"
   46  └     ]
   47        resources = [
   48          "${module.s3_bucket_oracledb_backups.bucket.arn}",
   ..  
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #21 HIGH IAM policy document uses sensitive action 's3:*' on wildcarded resource 'd617d3b6-4744-4e1e-b010-0a12fe6006c7' 
────────────────────────────────────────────────────────────────────────────────
  db_s3.tf:47-50
────────────────────────────────────────────────────────────────────────────────
   40    data "aws_iam_policy_document" "oracledb_backup_bucket_access" {
   41      statement {
   42        sid    = "allowAccessToOracleDbBackupBucket"
   43        effect = "Allow"
   44        actions = [
   45          "s3:*"
   46        ]
   47  ┌     resources = [
   48  │       "${module.s3_bucket_oracledb_backups.bucket.arn}",
   ..  
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #22 HIGH IAM policy document uses sensitive action 'efs:DescribeFileSystems' on wildcarded resource '*' 
────────────────────────────────────────────────────────────────────────────────
  ldap_backups.tf:100
────────────────────────────────────────────────────────────────────────────────
   97    data "aws_iam_policy_document" "efs_backup_policy" {
   ..  
  100  [     resources = ["*"]
  ...  
  134    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #23 HIGH IAM policy document uses sensitive action 'backup:CreateBackupPlan' on wildcarded resource '*' 
────────────────────────────────────────────────────────────────────────────────
  ldap_backups.tf:72
────────────────────────────────────────────────────────────────────────────────
   69    data "aws_iam_policy_document" "delius_core_backup_policy" {
   ..  
   72  [     resources = ["*"]
   ..  
   89    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Results #24-26 HIGH IAM policy document uses wildcarded action 'backup:*' (3 similar results)
────────────────────────────────────────────────────────────────────────────────
  ldap_datasync.tf:51-55
────────────────────────────────────────────────────────────────────────────────
   48    data "aws_iam_policy_document" "ldap_datasync_role_access" {
   ..  
   51  ┌     actions = [
   52  │       "backup:*",
   53  │       "datasync:*",
   54  │       "elasticfilesystem:*",
   55  └     ]
   ..  
   67    }
────────────────────────────────────────────────────────────────────────────────
  Individual Causes
  - ldap_datasync.tf:48-67 (data.aws_iam_policy_document.ldap_datasync_role_access) 3 instances
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #27 HIGH IAM policy document uses sensitive action 'backup:*' on wildcarded resource '*' 
────────────────────────────────────────────────────────────────────────────────
  ldap_datasync.tf:56
────────────────────────────────────────────────────────────────────────────────
   48    data "aws_iam_policy_document" "ldap_datasync_role_access" {
   ..  
   56  [     resources = ["*"]
   ..  
   67    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #28 HIGH IAM policy document uses wildcarded action 's3:*' 
────────────────────────────────────────────────────────────────────────────────
  ldap_datasync.tf:61
────────────────────────────────────────────────────────────────────────────────
   48    data "aws_iam_policy_document" "ldap_datasync_role_access" {
   ..  
   61  [     actions = ["s3:*"]
   ..  
   67    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #29 HIGH IAM policy document uses sensitive action 's3:*' on wildcarded resource '70ea50ac-2371-47e2-9439-41bef2b34b18' 
────────────────────────────────────────────────────────────────────────────────
  ldap_datasync.tf:62-65
────────────────────────────────────────────────────────────────────────────────
   48    data "aws_iam_policy_document" "ldap_datasync_role_access" {
   ..  
   62  ┌     resources = [
   63  │       "${module.s3_bucket_ldap_data_refresh.bucket.arn}",
   64  │       "${module.s3_bucket_ldap_data_refresh.bucket.arn}/*",
   65  └     ]
   ..  
   67    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #30 HIGH IAM policy document uses sensitive action 'elasticloadbalancing:Describe*' on wildcarded resource '*' 
────────────────────────────────────────────────────────────────────────────────
  ldap_ecs.tf:170
────────────────────────────────────────────────────────────────────────────────
  167    data "aws_iam_policy_document" "ecs_service_policy" {
  ...  
  170  [     resources = ["*"]
  ...  
  182    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Results #31-32 HIGH IAM policy document uses wildcarded action 'elasticloadbalancing:Describe*' (2 similar results)
────────────────────────────────────────────────────────────────────────────────
  ldap_ecs.tf:172-180
────────────────────────────────────────────────────────────────────────────────
  167    data "aws_iam_policy_document" "ecs_service_policy" {
  168      statement {
  169        effect    = "Allow"
  170        resources = ["*"]
  171    
  172  ┌     actions = [
  173  │       "elasticloadbalancing:Describe*",
  174  │       "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
  175  │       "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
  ...  
────────────────────────────────────────────────────────────────────────────────
  Individual Causes
  - ldap_ecs.tf:167-182 (data.aws_iam_policy_document.ecs_service_policy) 2 instances
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #33 HIGH IAM policy document uses wildcarded action 's3:*' 
────────────────────────────────────────────────────────────────────────────────
  ldap_ecs.tf:209-211
────────────────────────────────────────────────────────────────────────────────
  204    data "aws_iam_policy_document" "ecs_s3" {
  205      statement {
  206        effect    = "Allow"
  207        resources = [module.s3_bucket_migration.bucket.arn]
  208    
  209  ┌     actions = [
  210  │       "s3:*"
  211  └     ]
  212      }
  213    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #34 HIGH IAM policy document uses sensitive action 'ssm:GetParameters' on wildcarded resource '*' 
────────────────────────────────────────────────────────────────────────────────
  ldap_ecs.tf:248
────────────────────────────────────────────────────────────────────────────────
  245    data "aws_iam_policy_document" "ecs_exec" {
  ...  
  248  [     resources = ["*"]
  ...  
  262    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Results #35-36 MEDIUM Bucket does not have versioning enabled (2 similar results)
────────────────────────────────────────────────────────────────────────────────
  github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0/main.tf:170
   via ldap_datasync.tf:96-110 (module.s3_bucket_ldap_data_refresh)
────────────────────────────────────────────────────────────────────────────────
  167    resource "aws_s3_bucket_versioning" "default" {
  168      bucket = aws_s3_bucket.default.id
  169      versioning_configuration {
  170  [     status = (var.versioning_enabled != true) ? "Suspended" : "Enabled"
  171      }
  172    }
────────────────────────────────────────────────────────────────────────────────
  Individual Causes
  - github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0/main.tf:1-38 (module.s3_bucket_oracledb_backups)
  - github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0/main.tf:96-110 (module.s3_bucket_ldap_data_refresh)
────────────────────────────────────────────────────────────────────────────────
          ID aws-s3-enable-versioning
      Impact Deleted or modified data would not be recoverable
  Resolution Enable versioning to protect against accidental/malicious removal or modification

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/s3/enable-versioning/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#versioning
────────────────────────────────────────────────────────────────────────────────


Result #37 LOW Log group is not encrypted. 
────────────────────────────────────────────────────────────────────────────────
  db_service.tf:114-118
────────────────────────────────────────────────────────────────────────────────
  114    resource "aws_cloudwatch_log_group" "delius_core_testing_db_log_group" {
  115      name              = format("%s-%s", var.env_name, var.delius_db_container_config.fully_qualified_name)
  116      retention_in_days = 7
  117      tags              = local.tags
  118    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-cloudwatch-log-group-customer-key
      Impact Log data may be leaked if the logs are compromised. No auditing of who have viewed the logs.
  Resolution Enable CMK encryption of CloudWatch Log Groups

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/cloudwatch/log-group-customer-key/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group#kms_key_id
────────────────────────────────────────────────────────────────────────────────


Result #38 LOW Security group rule does not have a description. 
────────────────────────────────────────────────────────────────────────────────
  ldap_ecs.tf:113-120
────────────────────────────────────────────────────────────────────────────────
  113    resource "aws_security_group_rule" "efs_ingress_ldap" {
  114      type                     = "ingress"
  115      from_port                = 2049
  116      to_port                  = 2049
  117      protocol                 = "tcp"
  118      source_security_group_id = aws_security_group.ldap_efs.id
  119      security_group_id        = aws_security_group.ldap.id
  120    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-add-description-to-security-group-rule
      Impact Descriptions provide context for the firewall rule reasons
  Resolution Add descriptions for all security groups rules

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/add-description-to-security-group-rule/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule
────────────────────────────────────────────────────────────────────────────────


Result #39 LOW Log group is not encrypted. 
────────────────────────────────────────────────────────────────────────────────
  ldap_ecs.tf:122-125
────────────────────────────────────────────────────────────────────────────────
  122    resource "aws_cloudwatch_log_group" "ldap" {
  123      name              = "${var.env_name}-ldap-ecs"
  124      retention_in_days = 30
  125    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-cloudwatch-log-group-customer-key
      Impact Log data may be leaked if the logs are compromised. No auditing of who have viewed the logs.
  Resolution Enable CMK encryption of CloudWatch Log Groups

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/cloudwatch/log-group-customer-key/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group#kms_key_id
────────────────────────────────────────────────────────────────────────────────


Result #40 LOW Log group is not encrypted. 
────────────────────────────────────────────────────────────────────────────────
  ldap_ecs.tf:271-274
────────────────────────────────────────────────────────────────────────────────
  271    resource "aws_cloudwatch_log_group" "ldap_test" {
  272      name              = "/ecs/ldap_${var.env_name}"
  273      retention_in_days = 5
  274    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-cloudwatch-log-group-customer-key
      Impact Log data may be leaked if the logs are compromised. No auditing of who have viewed the logs.
  Resolution Enable CMK encryption of CloudWatch Log Groups

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/cloudwatch/log-group-customer-key/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group#kms_key_id
────────────────────────────────────────────────────────────────────────────────


Result #41 LOW Security group rule does not have a description. 
────────────────────────────────────────────────────────────────────────────────
  ldap_efs.tf:55-62
────────────────────────────────────────────────────────────────────────────────
   55    resource "aws_security_group_rule" "efs_ingress" {
   56      type                     = "ingress"
   57      from_port                = 2049
   58      to_port                  = 2049
   59      protocol                 = "tcp"
   60      source_security_group_id = aws_security_group.ldap.id
   61      security_group_id        = aws_security_group.ldap_efs.id
   62    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-add-description-to-security-group-rule
      Impact Descriptions provide context for the firewall rule reasons
  Resolution Add descriptions for all security groups rules

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/add-description-to-security-group-rule/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule
────────────────────────────────────────────────────────────────────────────────


Result #42 LOW Security group rule does not have a description. 
────────────────────────────────────────────────────────────────────────────────
  ldap_efs.tf:64-71
────────────────────────────────────────────────────────────────────────────────
   64    resource "aws_security_group_rule" "efs_egress" {
   65      type              = "egress"
   66      from_port         = 0
   67      to_port           = 0
   68      protocol          = "all"
   69      cidr_blocks       = [var.account_config.shared_vpc_cidr]
   70      security_group_id = aws_security_group.ldap_efs.id
   71    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-add-description-to-security-group-rule
      Impact Descriptions provide context for the firewall rule reasons
  Resolution Add descriptions for all security groups rules

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/add-description-to-security-group-rule/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule
────────────────────────────────────────────────────────────────────────────────


Result #43 LOW Log group is not encrypted. 
────────────────────────────────────────────────────────────────────────────────
  weblogic_service.tf:199-203
────────────────────────────────────────────────────────────────────────────────
  199    resource "aws_cloudwatch_log_group" "delius_core_frontend_log_group" {
  200      name              = var.weblogic_config.frontend_fully_qualified_name
  201      retention_in_days = 7
  202      tags              = local.tags
  203    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-cloudwatch-log-group-customer-key
      Impact Log data may be leaked if the logs are compromised. No auditing of who have viewed the logs.
  Resolution Enable CMK encryption of CloudWatch Log Groups

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/cloudwatch/log-group-customer-key/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group#kms_key_id
────────────────────────────────────────────────────────────────────────────────


  timings
  ──────────────────────────────────────────
  disk i/o             2.418443ms
  parsing              1.70856503s
  adaptation           22.374539ms
  checks               12.765694ms
  total                1.746123706s

  counts
  ──────────────────────────────────────────
  modules downloaded   4
  modules processed    14
  blocks processed     649
  files read           74

  results
  ──────────────────────────────────────────
  passed               223
  ignored              20
  critical             2
  high                 32
  medium               2
  low                  7

  223 passed, 20 ignored, 43 potential problem(s) detected.

tfsec_exitcode=1

Checkov Scan Failed

*****************************

Checkov will check the following folders:
terraform/environments/delius-core/modules/environment_all_components

*****************************

Running Checkov in terraform/environments/delius-core/modules/environment_all_components
2023-10-13 06:34:16,716 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0:None (for external modules, the --download-external-modules flag is required)
2023-10-13 06:34:16,716 [MainThread  ] [WARNI]  Failed to download module git::https://github.com/cloudposse/terraform-aws-ecs-container-definition.git?ref=tags/0.59.0:None (for external modules, the --download-external-modules flag is required)
2023-10-13 06:34:16,717 [MainThread  ] [WARNI]  Failed to download module git::https://github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//service?ref=c195026bcf0a1958fa4d3cc2efefc56ed876507e:None (for external modules, the --download-external-modules flag is required)
2023-10-13 06:34:16,717 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//cluster?ref=c195026bcf0a1958fa4d3cc2efefc56ed876507e:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 643, Failed checks: 77, Skipped checks: 4

Check: CKV_AWS_108: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: module.db_ecs_policies.aws_iam_policy_document.task_exec
	File: /../ecs_policies/main.tf:104-121
	Calling File: /db_service.tf:27-33
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-data-exfiltration.html

		104 | data "aws_iam_policy_document" "task_exec" {
		105 |   statement {
		106 |     effect    = "Allow"
		107 |     resources = ["*"]
		108 | 
		109 |     actions = concat([
		110 |       "ssm:GetParameters",
		111 |       "ecr:GetAuthorizationToken",
		112 |       "ecr:BatchCheckLayerAvailability",
		113 |       "ecr:GetDownloadUrlForLayer",
		114 |       "ecr:BatchGetImage",
		115 |       "logs:CreateLogGroup",
		116 |       "logs:CreateLogStream",
		117 |       "logs:PutLogEvents",
		118 |       "secretsmanager:GetSecretValue"
		119 |     ], var.extra_exec_role_allow_statements)
		120 |   }
		121 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.db_ecs_policies.aws_iam_policy_document.task_exec
	File: /../ecs_policies/main.tf:104-121
	Calling File: /db_service.tf:27-33

		104 | data "aws_iam_policy_document" "task_exec" {
		105 |   statement {
		106 |     effect    = "Allow"
		107 |     resources = ["*"]
		108 | 
		109 |     actions = concat([
		110 |       "ssm:GetParameters",
		111 |       "ecr:GetAuthorizationToken",
		112 |       "ecr:BatchCheckLayerAvailability",
		113 |       "ecr:GetDownloadUrlForLayer",
		114 |       "ecr:BatchGetImage",
		115 |       "logs:CreateLogGroup",
		116 |       "logs:CreateLogStream",
		117 |       "logs:PutLogEvents",
		118 |       "secretsmanager:GetSecretValue"
		119 |     ], var.extra_exec_role_allow_statements)
		120 |   }
		121 | }

Check: CKV_AWS_108: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: module.ldap_ecs_policies.aws_iam_policy_document.task_exec
	File: /../ecs_policies/main.tf:104-121
	Calling File: /ldap_ecs.tf:1-14
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-data-exfiltration.html

		104 | data "aws_iam_policy_document" "task_exec" {
		105 |   statement {
		106 |     effect    = "Allow"
		107 |     resources = ["*"]
		108 | 
		109 |     actions = concat([
		110 |       "ssm:GetParameters",
		111 |       "ecr:GetAuthorizationToken",
		112 |       "ecr:BatchCheckLayerAvailability",
		113 |       "ecr:GetDownloadUrlForLayer",
		114 |       "ecr:BatchGetImage",
		115 |       "logs:CreateLogGroup",
		116 |       "logs:CreateLogStream",
		117 |       "logs:PutLogEvents",
		118 |       "secretsmanager:GetSecretValue"
		119 |     ], var.extra_exec_role_allow_statements)
		120 |   }
		121 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.ldap_ecs_policies.aws_iam_policy_document.task_exec
	File: /../ecs_policies/main.tf:104-121
	Calling File: /ldap_ecs.tf:1-14

		104 | data "aws_iam_policy_document" "task_exec" {
		105 |   statement {
		106 |     effect    = "Allow"
		107 |     resources = ["*"]
		108 | 
		109 |     actions = concat([
		110 |       "ssm:GetParameters",
		111 |       "ecr:GetAuthorizationToken",
		112 |       "ecr:BatchCheckLayerAvailability",
		113 |       "ecr:GetDownloadUrlForLayer",
		114 |       "ecr:BatchGetImage",
		115 |       "logs:CreateLogGroup",
		116 |       "logs:CreateLogStream",
		117 |       "logs:PutLogEvents",
		118 |       "secretsmanager:GetSecretValue"
		119 |     ], var.extra_exec_role_allow_statements)
		120 |   }
		121 | }

Check: CKV_AWS_108: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: module.weblogic_ecs_policies.aws_iam_policy_document.task_exec
	File: /../ecs_policies/main.tf:104-121
	Calling File: /weblogic_service.tf:65-70
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-data-exfiltration.html

		104 | data "aws_iam_policy_document" "task_exec" {
		105 |   statement {
		106 |     effect    = "Allow"
		107 |     resources = ["*"]
		108 | 
		109 |     actions = concat([
		110 |       "ssm:GetParameters",
		111 |       "ecr:GetAuthorizationToken",
		112 |       "ecr:BatchCheckLayerAvailability",
		113 |       "ecr:GetDownloadUrlForLayer",
		114 |       "ecr:BatchGetImage",
		115 |       "logs:CreateLogGroup",
		116 |       "logs:CreateLogStream",
		117 |       "logs:PutLogEvents",
		118 |       "secretsmanager:GetSecretValue"
		119 |     ], var.extra_exec_role_allow_statements)
		120 |   }
		121 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.weblogic_ecs_policies.aws_iam_policy_document.task_exec
	File: /../ecs_policies/main.tf:104-121
	Calling File: /weblogic_service.tf:65-70

		104 | data "aws_iam_policy_document" "task_exec" {
		105 |   statement {
		106 |     effect    = "Allow"
		107 |     resources = ["*"]
		108 | 
		109 |     actions = concat([
		110 |       "ssm:GetParameters",
		111 |       "ecr:GetAuthorizationToken",
		112 |       "ecr:BatchCheckLayerAvailability",
		113 |       "ecr:GetDownloadUrlForLayer",
		114 |       "ecr:BatchGetImage",
		115 |       "logs:CreateLogGroup",
		116 |       "logs:CreateLogStream",
		117 |       "logs:PutLogEvents",
		118 |       "secretsmanager:GetSecretValue"
		119 |     ], var.extra_exec_role_allow_statements)
		120 |   }
		121 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.db_ec2_primary_instance
	File: /db_ec2.tf:54-94
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html

		54 | resource "aws_instance" "db_ec2_primary_instance" {
		55 |   #checkov:skip=CKV2_AWS_41:"IAM role is not implemented for this example EC2. SSH/AWS keys are not used either."
		56 |   instance_type               = var.db_config.instance.instance_type
		57 |   ami                         = data.aws_ami.oracle_db_ami.id
		58 |   vpc_security_group_ids      = [aws_security_group.db_ec2_instance_sg.id]
		59 |   subnet_id                   = var.account_config.data_subnet_a_id
		60 |   iam_instance_profile        = aws_iam_instance_profile.db_ec2_instanceprofile.name
		61 |   associate_public_ip_address = false
		62 |   monitoring                  = var.db_config.instance.monitoring
		63 |   ebs_optimized               = true
		64 |   key_name                    = aws_key_pair.environment_ec2_user_key_pair.key_name
		65 |   user_data_base64            = var.db_config.user_data_raw
		66 | 
		67 |   metadata_options {
		68 |     http_endpoint = "enabled"
		69 |     http_tokens   = "optional"
		70 |   }
		71 | 
		72 |   root_block_device {
		73 |     volume_type = var.db_config.ebs_volumes.root_volume.volume_type
		74 |     volume_size = var.db_config.ebs_volumes.root_volume.volume_size
		75 |     iops        = var.db_config.ebs_volumes.iops
		76 |     throughput  = var.db_config.ebs_volumes.throughput
		77 |     encrypted   = true
		78 |     kms_key_id  = var.db_config.ebs_volumes.kms_key_id
		79 |     tags        = local.tags
		80 |   }
		81 | 
		82 |   dynamic "ephemeral_block_device" {
		83 |     for_each = { for k, v in var.db_config.ebs_volumes.ebs_non_root_volumes : k => v if v.no_device == true }
		84 |     content {
		85 |       device_name = ephemeral_block_device.key
		86 |       no_device   = true
		87 |     }
		88 |   }
		89 |   tags = merge(local.tags,
		90 |     { Name = lower(format("%s-%s-1", var.env_name, var.db_config.name)) },
		91 |     { server-type = "delius_core_db" },
		92 |     { database = "delius_primarydb" }
		93 |   )
		94 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3_bucket_oracledb_backups
	File: /db_s3.tf:1-38
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision.html

		1  | module "s3_bucket_oracledb_backups" {
		2  |   source              = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0"
		3  |   bucket_name         = "${var.env_name}-oracle-database-backups"
		4  |   versioning_enabled  = false
		5  |   ownership_controls  = "BucketOwnerEnforced"
		6  |   replication_enabled = false
		7  |   custom_kms_key      = var.account_config.general_shared_kms_key_arn
		8  | 
		9  |   providers = {
		10 |     aws.bucket-replication = aws.bucket-replication
		11 |   }
		12 | 
		13 |   lifecycle_rule = [
		14 |     {
		15 |       id      = "main"
		16 |       enabled = "Enabled"
		17 |       prefix  = ""
		18 | 
		19 |       tags = {
		20 |         rule      = "log"
		21 |         autoclean = "true"
		22 |       }
		23 | 
		24 |       transition = [
		25 |         {
		26 |           days          = 90
		27 |           storage_class = "STANDARD_IA"
		28 |         }
		29 |       ]
		30 | 
		31 |       expiration = {
		32 |         days = 365
		33 |       }
		34 |     }
		35 |   ]
		36 | 
		37 |   tags = local.tags
		38 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: testing_db_container
	File: /db_service.tf:1-25
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision.html

		1  | module "testing_db_container" {
		2  |   count                    = var.env_name == "dev" ? 1 : 0
		3  |   source                   = "git::https://github.com/cloudposse/terraform-aws-ecs-container-definition.git?ref=tags/0.59.0"
		4  |   container_name           = "${var.env_name}-${var.delius_db_container_config.fully_qualified_name}"
		5  |   container_image          = "${var.platform_vars.environment_management.account_ids["core-shared-services-production"]}.dkr.ecr.eu-west-2.amazonaws.com/${var.delius_db_container_config.image_name}-ecr-repo:${var.delius_db_container_config.image_tag}"
		6  |   container_memory         = 4096
		7  |   container_cpu            = 1024
		8  |   essential                = true
		9  |   readonly_root_filesystem = false
		10 |   port_mappings = [
		11 |     {
		12 |       containerPort = var.delius_db_container_config.port
		13 |       hostPort      = var.delius_db_container_config.port
		14 |       protocol      = "tcp"
		15 |     },
		16 |   ]
		17 |   log_configuration = {
		18 |     logDriver = "awslogs"
		19 |     options = {
		20 |       "awslogs-group"         = aws_cloudwatch_log_group.delius_core_testing_db_log_group.name
		21 |       "awslogs-region"        = "eu-west-2"
		22 |       "awslogs-stream-prefix" = var.delius_db_container_config.fully_qualified_name
		23 |     }
		24 |   }
		25 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.delius_core_testing_db_log_group
	File: /db_service.tf:114-118

		114 | resource "aws_cloudwatch_log_group" "delius_core_testing_db_log_group" {
		115 |   name              = format("%s-%s", var.env_name, var.delius_db_container_config.fully_qualified_name)
		116 |   retention_in_days = 7
		117 |   tags              = local.tags
		118 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.delius_core_testing_db_log_group
	File: /db_service.tf:114-118
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html

		114 | resource "aws_cloudwatch_log_group" "delius_core_testing_db_log_group" {
		115 |   name              = format("%s-%s", var.env_name, var.delius_db_container_config.fully_qualified_name)
		116 |   retention_in_days = 7
		117 |   tags              = local.tags
		118 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.delius_core_backup_policy
	File: /ldap_backups.tf:69-89
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint.html

		69 | data "aws_iam_policy_document" "delius_core_backup_policy" {
		70 |   statement {
		71 |     effect    = "Allow"
		72 |     resources = ["*"]
		73 | 
		74 |     actions = [
		75 |       "backup:CreateBackupPlan",
		76 |       "backup:CreateBackupSelection",
		77 |       "backup:StartBackupJob",
		78 |       "backup:DescribeBackupJob",
		79 |       "backup:ListBackupJobs",
		80 |       "backup:ListBackupVaults",
		81 |       "backup:ListRecoveryPointsByBackupVault",
		82 |       "backup:ListBackupPlanTemplates",
		83 |       "backup:DescribeRestoreJob",
		84 |       "backup:GetRecoveryPointRestoreMetadata",
		85 |       "backup:ListRestoreJobs",
		86 |       "backup:StartRestoreJob"
		87 |     ]
		88 |   }
		89 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.delius_core_backup_policy
	File: /ldap_backups.tf:69-89

		69 | data "aws_iam_policy_document" "delius_core_backup_policy" {
		70 |   statement {
		71 |     effect    = "Allow"
		72 |     resources = ["*"]
		73 | 
		74 |     actions = [
		75 |       "backup:CreateBackupPlan",
		76 |       "backup:CreateBackupSelection",
		77 |       "backup:StartBackupJob",
		78 |       "backup:DescribeBackupJob",
		79 |       "backup:ListBackupJobs",
		80 |       "backup:ListBackupVaults",
		81 |       "backup:ListRecoveryPointsByBackupVault",
		82 |       "backup:ListBackupPlanTemplates",
		83 |       "backup:DescribeRestoreJob",
		84 |       "backup:GetRecoveryPointRestoreMetadata",
		85 |       "backup:ListRestoreJobs",
		86 |       "backup:StartRestoreJob"
		87 |     ]
		88 |   }
		89 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.efs_backup_policy
	File: /ldap_backups.tf:97-134
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint.html

		97  | data "aws_iam_policy_document" "efs_backup_policy" {
		98  |   statement {
		99  |     effect    = "Allow"
		100 |     resources = ["*"]
		101 | 
		102 |     actions = [
		103 |       "efs:DescribeFileSystems",
		104 |       "efs:CreateBackup",
		105 |       "efs:DeleteBackup",
		106 |       "efs:DescribeBackups",
		107 |       "efs:CreateTags",
		108 |       "efs:UntagResource",
		109 |       "efs:TagResource",
		110 |       "efs:DescribeTags",
		111 |       "elasticfilesystem:Backup",
		112 |       "elasticfilesystem:DescribeTags",
		113 |       "elasticfilesystem:CreateAccessPoint",
		114 |       "elasticfilesystem:CreateFileSystem",
		115 |       "elasticfilesystem:CreateMountTarget",
		116 |       "elasticfilesystem:DeleteAccessPoint",
		117 |       "elasticfilesystem:DeleteFileSystem",
		118 |       "elasticfilesystem:DeleteMountTarget",
		119 |       "elasticfilesystem:DescribeAccessPoints",
		120 |       "elasticfilesystem:DescribeFileSystemPolicy",
		121 |       "elasticfilesystem:DescribeFileSystems",
		122 |       "elasticfilesystem:DescribeLifecycleConfiguration",
		123 |       "elasticfilesystem:DescribeMountTargets",
		124 |       "elasticfilesystem:DescribeMountTargetSecurityGroups",
		125 |       "elasticfilesystem:PutBackupPolicy",
		126 |       "elasticfilesystem:PutFileSystemPolicy",
		127 |       "elasticfilesystem:PutLifecycleConfiguration",
		128 |       "elasticfilesystem:Restore",
		129 |       "elasticfilesystem:TagResource",
		130 |       "elasticfilesystem:UntagResource",
		131 |       "elasticfilesystem:UpdateFileSystem"
		132 |     ]
		133 |   }
		134 | }

Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy_document.efs_backup_policy
	File: /ldap_backups.tf:97-134
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint.html

		97  | data "aws_iam_policy_document" "efs_backup_policy" {
		98  |   statement {
		99  |     effect    = "Allow"
		100 |     resources = ["*"]
		101 | 
		102 |     actions = [
		103 |       "efs:DescribeFileSystems",
		104 |       "efs:CreateBackup",
		105 |       "efs:DeleteBackup",
		106 |       "efs:DescribeBackups",
		107 |       "efs:CreateTags",
		108 |       "efs:UntagResource",
		109 |       "efs:TagResource",
		110 |       "efs:DescribeTags",
		111 |       "elasticfilesystem:Backup",
		112 |       "elasticfilesystem:DescribeTags",
		113 |       "elasticfilesystem:CreateAccessPoint",
		114 |       "elasticfilesystem:CreateFileSystem",
		115 |       "elasticfilesystem:CreateMountTarget",
		116 |       "elasticfilesystem:DeleteAccessPoint",
		117 |       "elasticfilesystem:DeleteFileSystem",
		118 |       "elasticfilesystem:DeleteMountTarget",
		119 |       "elasticfilesystem:DescribeAccessPoints",
		120 |       "elasticfilesystem:DescribeFileSystemPolicy",
		121 |       "elasticfilesystem:DescribeFileSystems",
		122 |       "elasticfilesystem:DescribeLifecycleConfiguration",
		123 |       "elasticfilesystem:DescribeMountTargets",
		124 |       "elasticfilesystem:DescribeMountTargetSecurityGroups",
		125 |       "elasticfilesystem:PutBackupPolicy",
		126 |       "elasticfilesystem:PutFileSystemPolicy",
		127 |       "elasticfilesystem:PutLifecycleConfiguration",
		128 |       "elasticfilesystem:Restore",
		129 |       "elasticfilesystem:TagResource",
		130 |       "elasticfilesystem:UntagResource",
		131 |       "elasticfilesystem:UpdateFileSystem"
		132 |     ]
		133 |   }
		134 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.efs_backup_policy
	File: /ldap_backups.tf:97-134

		97  | data "aws_iam_policy_document" "efs_backup_policy" {
		98  |   statement {
		99  |     effect    = "Allow"
		100 |     resources = ["*"]
		101 | 
		102 |     actions = [
		103 |       "efs:DescribeFileSystems",
		104 |       "efs:CreateBackup",
		105 |       "efs:DeleteBackup",
		106 |       "efs:DescribeBackups",
		107 |       "efs:CreateTags",
		108 |       "efs:UntagResource",
		109 |       "efs:TagResource",
		110 |       "efs:DescribeTags",
		111 |       "elasticfilesystem:Backup",
		112 |       "elasticfilesystem:DescribeTags",
		113 |       "elasticfilesystem:CreateAccessPoint",
		114 |       "elasticfilesystem:CreateFileSystem",
		115 |       "elasticfilesystem:CreateMountTarget",
		116 |       "elasticfilesystem:DeleteAccessPoint",
		117 |       "elasticfilesystem:DeleteFileSystem",
		118 |       "elasticfilesystem:DeleteMountTarget",
		119 |       "elasticfilesystem:DescribeAccessPoints",
		120 |       "elasticfilesystem:DescribeFileSystemPolicy",
		121 |       "elasticfilesystem:DescribeFileSystems",
		122 |       "elasticfilesystem:DescribeLifecycleConfiguration",
		123 |       "elasticfilesystem:DescribeMountTargets",
		124 |       "elasticfilesystem:DescribeMountTargetSecurityGroups",
		125 |       "elasticfilesystem:PutBackupPolicy",
		126 |       "elasticfilesystem:PutFileSystemPolicy",
		127 |       "elasticfilesystem:PutLifecycleConfiguration",
		128 |       "elasticfilesystem:Restore",
		129 |       "elasticfilesystem:TagResource",
		130 |       "elasticfilesystem:UntagResource",
		131 |       "elasticfilesystem:UpdateFileSystem"
		132 |     ]
		133 |   }
		134 | }

Check: CKV_AWS_166: "Ensure Backup Vault is encrypted at rest using KMS CMK"
	FAILED for resource: aws_backup_vault.ldap_backup_vault
	File: /ldap_backups.tf:1-9
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-backup-vault-is-encrypted-at-rest-using-kms-cmk.html

		1 | resource "aws_backup_vault" "ldap_backup_vault" {
		2 |   name = "${var.env_name}-ldap-efs-backup-vault"
		3 |   tags = merge(
		4 |     local.tags,
		5 |     {
		6 |       Name = "${var.env_name}-ldap-efs-backup-vault"
		7 |     },
		8 |   )
		9 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.ldap_datasync_role_access
	File: /ldap_datasync.tf:48-67
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint.html

		48 | data "aws_iam_policy_document" "ldap_datasync_role_access" {
		49 |   statement {
		50 |     effect = "Allow"
		51 |     actions = [
		52 |       "backup:*",
		53 |       "datasync:*",
		54 |       "elasticfilesystem:*",
		55 |     ]
		56 |     resources = ["*"]
		57 |   }
		58 |   statement {
		59 |     sid     = "allowAccessForDataSync"
		60 |     effect  = "Allow"
		61 |     actions = ["s3:*"]
		62 |     resources = [
		63 |       "${module.s3_bucket_ldap_data_refresh.bucket.arn}",
		64 |       "${module.s3_bucket_ldap_data_refresh.bucket.arn}/*",
		65 |     ]
		66 |   }
		67 | }

Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy_document.ldap_datasync_role_access
	File: /ldap_datasync.tf:48-67
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint.html

		48 | data "aws_iam_policy_document" "ldap_datasync_role_access" {
		49 |   statement {
		50 |     effect = "Allow"
		51 |     actions = [
		52 |       "backup:*",
		53 |       "datasync:*",
		54 |       "elasticfilesystem:*",
		55 |     ]
		56 |     resources = ["*"]
		57 |   }
		58 |   statement {
		59 |     sid     = "allowAccessForDataSync"
		60 |     effect  = "Allow"
		61 |     actions = ["s3:*"]
		62 |     resources = [
		63 |       "${module.s3_bucket_ldap_data_refresh.bucket.arn}",
		64 |       "${module.s3_bucket_ldap_data_refresh.bucket.arn}/*",
		65 |     ]
		66 |   }
		67 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.ldap_datasync_role_access
	File: /ldap_datasync.tf:48-67

		48 | data "aws_iam_policy_document" "ldap_datasync_role_access" {
		49 |   statement {
		50 |     effect = "Allow"
		51 |     actions = [
		52 |       "backup:*",
		53 |       "datasync:*",
		54 |       "elasticfilesystem:*",
		55 |     ]
		56 |     resources = ["*"]
		57 |   }
		58 |   statement {
		59 |     sid     = "allowAccessForDataSync"
		60 |     effect  = "Allow"
		61 |     actions = ["s3:*"]
		62 |     resources = [
		63 |       "${module.s3_bucket_ldap_data_refresh.bucket.arn}",
		64 |       "${module.s3_bucket_ldap_data_refresh.bucket.arn}/*",
		65 |     ]
		66 |   }
		67 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3_bucket_ldap_data_refresh
	File: /ldap_datasync.tf:96-110
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision.html

		96  | module "s3_bucket_ldap_data_refresh" {
		97  |   source              = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0"
		98  |   bucket_name         = "${var.env_name}-ldap-data-refresh-incoming"
		99  |   versioning_enabled  = false
		100 |   ownership_controls  = "BucketOwnerEnforced"
		101 |   replication_enabled = false
		102 |   custom_kms_key      = var.account_config.general_shared_kms_key_arn
		103 |   bucket_policy_v2    = local.ldap_refresh_bucket_policies
		104 | 
		105 |   providers = {
		106 |     aws.bucket-replication = aws.bucket-replication
		107 |   }
		108 | 
		109 |   tags = local.tags
		110 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.ecs_service_policy
	File: /ldap_ecs.tf:167-182
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint.html

		167 | data "aws_iam_policy_document" "ecs_service_policy" {
		168 |   statement {
		169 |     effect    = "Allow"
		170 |     resources = ["*"]
		171 | 
		172 |     actions = [
		173 |       "elasticloadbalancing:Describe*",
		174 |       "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
		175 |       "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
		176 |       "ec2:Describe*",
		177 |       "ec2:AuthorizeSecurityGroupIngress",
		178 |       "elasticloadbalancing:RegisterTargets",
		179 |       "elasticloadbalancing:DeregisterTargets"
		180 |     ]
		181 |   }
		182 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.ecs_service_policy
	File: /ldap_ecs.tf:167-182

		167 | data "aws_iam_policy_document" "ecs_service_policy" {
		168 |   statement {
		169 |     effect    = "Allow"
		170 |     resources = ["*"]
		171 | 
		172 |     actions = [
		173 |       "elasticloadbalancing:Describe*",
		174 |       "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
		175 |       "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
		176 |       "ec2:Describe*",
		177 |       "ec2:AuthorizeSecurityGroupIngress",
		178 |       "elasticloadbalancing:RegisterTargets",
		179 |       "elasticloadbalancing:DeregisterTargets"
		180 |     ]
		181 |   }
		182 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.ecs_exec
	File: /ldap_ecs.tf:245-262
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint.html

		245 | data "aws_iam_policy_document" "ecs_exec" {
		246 |   statement {
		247 |     effect    = "Allow"
		248 |     resources = ["*"]
		249 | 
		250 |     actions = [
		251 |       "ssm:GetParameters",
		252 |       "ecr:GetAuthorizationToken",
		253 |       "ecr:BatchCheckLayerAvailability",
		254 |       "ecr:GetDownloadUrlForLayer",
		255 |       "ecr:BatchGetImage",
		256 |       "logs:CreateLogGroup",
		257 |       "logs:CreateLogStream",
		258 |       "logs:PutLogEvents",
		259 |       "secretsmanager:GetSecretValue"
		260 |     ]
		261 |   }
		262 | }

Check: CKV_AWS_108: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_policy_document.ecs_exec
	File: /ldap_ecs.tf:245-262
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-data-exfiltration.html

		245 | data "aws_iam_policy_document" "ecs_exec" {
		246 |   statement {
		247 |     effect    = "Allow"
		248 |     resources = ["*"]
		249 | 
		250 |     actions = [
		251 |       "ssm:GetParameters",
		252 |       "ecr:GetAuthorizationToken",
		253 |       "ecr:BatchCheckLayerAvailability",
		254 |       "ecr:GetDownloadUrlForLayer",
		255 |       "ecr:BatchGetImage",
		256 |       "logs:CreateLogGroup",
		257 |       "logs:CreateLogStream",
		258 |       "logs:PutLogEvents",
		259 |       "secretsmanager:GetSecretValue"
		260 |     ]
		261 |   }
		262 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.ecs_exec
	File: /ldap_ecs.tf:245-262

		245 | data "aws_iam_policy_document" "ecs_exec" {
		246 |   statement {
		247 |     effect    = "Allow"
		248 |     resources = ["*"]
		249 | 
		250 |     actions = [
		251 |       "ssm:GetParameters",
		252 |       "ecr:GetAuthorizationToken",
		253 |       "ecr:BatchCheckLayerAvailability",
		254 |       "ecr:GetDownloadUrlForLayer",
		255 |       "ecr:BatchGetImage",
		256 |       "logs:CreateLogGroup",
		257 |       "logs:CreateLogStream",
		258 |       "logs:PutLogEvents",
		259 |       "secretsmanager:GetSecretValue"
		260 |     ]
		261 |   }
		262 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3_bucket_ldap_deployment
	File: /ldap_ecs.tf:33-71
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision.html

		33 | module "s3_bucket_ldap_deployment" {
		34 | 
		35 |   source = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0"
		36 | 
		37 |   providers = {
		38 |     aws.bucket-replication = aws.bucket-replication
		39 |   }
		40 |   bucket_prefix      = "${var.env_name}-ldap-deployment-"
		41 |   versioning_enabled = true
		42 | 
		43 |   lifecycle_rule = [
		44 |     {
		45 |       id      = "main"
		46 |       enabled = "Enabled"
		47 |       prefix  = ""
		48 | 
		49 |       tags = {
		50 |         rule      = "log"
		51 |         autoclean = "true"
		52 |       }
		53 | 
		54 |       noncurrent_version_transition = [
		55 |         {
		56 |           days          = 90
		57 |           storage_class = "STANDARD_IA"
		58 |           }, {
		59 |           days          = 365
		60 |           storage_class = "GLACIER"
		61 |         }
		62 |       ]
		63 | 
		64 |       noncurrent_version_expiration = {
		65 |         days = 730
		66 |       }
		67 |     }
		68 |   ]
		69 | 
		70 |   tags = local.tags
		71 | }

Check: CKV_AWS_23: "Ensure every security groups rule has a description"
	FAILED for resource: aws_security_group_rule.efs_ingress_ldap
	File: /ldap_ecs.tf:113-120
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html

		113 | resource "aws_security_group_rule" "efs_ingress_ldap" {
		114 |   type                     = "ingress"
		115 |   from_port                = 2049
		116 |   to_port                  = 2049
		117 |   protocol                 = "tcp"
		118 |   source_security_group_id = aws_security_group.ldap_efs.id
		119 |   security_group_id        = aws_security_group.ldap.id
		120 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.ldap
	File: /ldap_ecs.tf:122-125

		122 | resource "aws_cloudwatch_log_group" "ldap" {
		123 |   name              = "${var.env_name}-ldap-ecs"
		124 |   retention_in_days = 30
		125 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.ldap
	File: /ldap_ecs.tf:122-125
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html

		122 | resource "aws_cloudwatch_log_group" "ldap" {
		123 |   name              = "${var.env_name}-ldap-ecs"
		124 |   retention_in_days = 30
		125 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.ldap_test
	File: /ldap_ecs.tf:271-274

		271 | resource "aws_cloudwatch_log_group" "ldap_test" {
		272 |   name              = "/ecs/ldap_${var.env_name}"
		273 |   retention_in_days = 5
		274 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.ldap_test
	File: /ldap_ecs.tf:271-274
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html

		271 | resource "aws_cloudwatch_log_group" "ldap_test" {
		272 |   name              = "/ecs/ldap_${var.env_name}"
		273 |   retention_in_days = 5
		274 | }

Check: CKV_AWS_329: "EFS access points should enforce a root directory"
	FAILED for resource: aws_efs_access_point.ldap
	File: /ldap_efs.tf:24-35

		24 | resource "aws_efs_access_point" "ldap" {
		25 |   file_system_id = aws_efs_file_system.ldap.id
		26 |   root_directory {
		27 |     path = "/"
		28 |   }
		29 |   tags = merge(
		30 |     local.tags,
		31 |     {
		32 |       Name = "${var.env_name}-ldap-efs-access-point"
		33 |     }
		34 |   )
		35 | }

Check: CKV_AWS_330: "EFS access points should enforce a user identity"
	FAILED for resource: aws_efs_access_point.ldap
	File: /ldap_efs.tf:24-35

		24 | resource "aws_efs_access_point" "ldap" {
		25 |   file_system_id = aws_efs_file_system.ldap.id
		26 |   root_directory {
		27 |     path = "/"
		28 |   }
		29 |   tags = merge(
		30 |     local.tags,
		31 |     {
		32 |       Name = "${var.env_name}-ldap-efs-access-point"
		33 |     }
		34 |   )
		35 | }

Check: CKV_AWS_23: "Ensure every security groups rule has a description"
	FAILED for resource: aws_security_group_rule.efs_ingress
	File: /ldap_efs.tf:55-62
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html

		55 | resource "aws_security_group_rule" "efs_ingress" {
		56 |   type                     = "ingress"
		57 |   from_port                = 2049
		58 |   to_port                  = 2049
		59 |   protocol                 = "tcp"
		60 |   source_security_group_id = aws_security_group.ldap.id
		61 |   security_group_id        = aws_security_group.ldap_efs.id
		62 | }

Check: CKV_AWS_23: "Ensure every security groups rule has a description"
	FAILED for resource: aws_security_group_rule.efs_egress
	File: /ldap_efs.tf:64-71
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html

		64 | resource "aws_security_group_rule" "efs_egress" {
		65 |   type              = "egress"
		66 |   from_port         = 0
		67 |   to_port           = 0
		68 |   protocol          = "all"
		69 |   cidr_blocks       = [var.account_config.shared_vpc_cidr]
		70 |   security_group_id = aws_security_group.ldap_efs.id
		71 | }

Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
	FAILED for resource: aws_lb.ldap
	File: /ldap_nlb.tf:14-23
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22.html

		14 | resource "aws_lb" "ldap" {
		15 |   name                       = local.ldap_nlb_name
		16 |   internal                   = true
		17 |   load_balancer_type         = "network"
		18 |   subnets                    = var.account_config.private_subnet_ids
		19 |   drop_invalid_header_fields = true
		20 |   enable_deletion_protection = false
		21 | 
		22 |   tags = local.ldap_nlb_tags
		23 | }

Check: CKV_AWS_152: "Ensure that Load Balancer (Network/Gateway) has cross-zone load balancing enabled"
	FAILED for resource: aws_lb.ldap
	File: /ldap_nlb.tf:14-23
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-load-balancer-networkgateway-has-cross-zone-load-balancing-enabled.html

		14 | resource "aws_lb" "ldap" {
		15 |   name                       = local.ldap_nlb_name
		16 |   internal                   = true
		17 |   load_balancer_type         = "network"
		18 |   subnets                    = var.account_config.private_subnet_ids
		19 |   drop_invalid_header_fields = true
		20 |   enable_deletion_protection = false
		21 | 
		22 |   tags = local.ldap_nlb_tags
		23 | }

Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
	FAILED for resource: aws_lb.ldap
	File: /ldap_nlb.tf:14-23
	Guide: https://docs.bridgecrew.io/docs/bc_aws_networking_62

		14 | resource "aws_lb" "ldap" {
		15 |   name                       = local.ldap_nlb_name
		16 |   internal                   = true
		17 |   load_balancer_type         = "network"
		18 |   subnets                    = var.account_config.private_subnet_ids
		19 |   drop_invalid_header_fields = true
		20 |   enable_deletion_protection = false
		21 | 
		22 |   tags = local.ldap_nlb_tags
		23 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.delius_core_ldap_credential
	File: /ldap_params.tf:2-4
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms.html

		2 | resource "aws_secretsmanager_secret" "delius_core_ldap_credential" {
		3 |   name = "${var.account_info.application_name}-${var.env_name}-openldap-bind-password"
		4 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_ldap_host
	File: /ldap_params.tf:20-30

		20 | resource "aws_ssm_parameter" "delius_core_ldap_host" {
		21 |   name  = format("/%s-%s/LDAP_HOST", var.account_info.application_name, var.env_name)
		22 |   type  = "SecureString"
		23 |   value = "INITIAL_VALUE_OVERRIDDEN"
		24 |   lifecycle {
		25 |     ignore_changes = [
		26 |       value
		27 |     ]
		28 |   }
		29 |   tags = local.tags
		30 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_ldap_principal
	File: /ldap_params.tf:32-42

		32 | resource "aws_ssm_parameter" "delius_core_ldap_principal" {
		33 |   name  = format("/%s-%s/LDAP_PRINCIPAL", var.account_info.application_name, var.env_name)
		34 |   type  = "SecureString"
		35 |   value = "INITIAL_VALUE_OVERRIDDEN"
		36 |   lifecycle {
		37 |     ignore_changes = [
		38 |       value
		39 |     ]
		40 |   }
		41 |   tags = local.tags
		42 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3_bucket_migration
	File: /ldap_s3.tf:1-91
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision.html

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3_bucket_app_deployment
	File: /ldap_s3.tf:94-133
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision.html

		94  | module "s3_bucket_app_deployment" {
		95  | 
		96  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0"
		97  | 
		98  |   bucket_name        = "${var.app_name}-${var.env_name}-openldap-deployment"
		99  |   versioning_enabled = true
		100 | 
		101 |   providers = {
		102 |     aws.bucket-replication = aws.bucket-replication
		103 |   }
		104 | 
		105 |   lifecycle_rule = [
		106 |     {
		107 |       id      = "main"
		108 |       enabled = "Enabled"
		109 |       prefix  = ""
		110 | 
		111 |       tags = {
		112 |         rule      = "log"
		113 |         autoclean = "true"
		114 |       }
		115 | 
		116 |       noncurrent_version_transition = [
		117 |         {
		118 |           days          = 90
		119 |           storage_class = "STANDARD_IA"
		120 |           }, {
		121 |           days          = 365
		122 |           storage_class = "GLACIER"
		123 |         }
		124 |       ]
		125 | 
		126 |       noncurrent_version_expiration = {
		127 |         days = 730
		128 |       }
		129 |     }
		130 |   ]
		131 | 
		132 |   tags = local.tags
		133 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.ldap_bind_password
	File: /ssm.tf:17-28

		17 | resource "aws_ssm_parameter" "ldap_bind_password" {
		18 |   name  = format("/%s-%s/LDAP_BIND_PASSWORD", var.account_info.application_name, var.env_name)
		19 |   type  = "SecureString"
		20 |   value = "INITIAL_VALUE_OVERRIDDEN"
		21 |   lifecycle {
		22 |     ignore_changes = [
		23 |       value
		24 |     ]
		25 |   }
		26 |   tags = local.tags
		27 | 
		28 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.ldap_admin_password
	File: /ssm.tf:30-41

		30 | resource "aws_ssm_parameter" "ldap_admin_password" {
		31 |   name  = format("/%s-%s/LDAP_ADMIN_PASSWORD", var.account_info.application_name, var.env_name)
		32 |   type  = "SecureString"
		33 |   value = "INITIAL_VALUE_OVERRIDDEN"
		34 |   lifecycle {
		35 |     ignore_changes = [
		36 |       value
		37 |     ]
		38 |   }
		39 |   tags = local.tags
		40 | 
		41 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.oasys_user
	File: /ssm.tf:43-54

		43 | resource "aws_ssm_parameter" "oasys_user" {
		44 |   name  = format("/%s-%s/oasys_user", var.account_info.application_name, var.env_name)
		45 |   type  = "SecureString"
		46 |   value = "INITIAL_VALUE_OVERRIDDEN"
		47 |   lifecycle {
		48 |     ignore_changes = [
		49 |       value
		50 |     ]
		51 |   }
		52 |   tags = local.tags
		53 | 
		54 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.oasys_password
	File: /ssm.tf:56-67

		56 | resource "aws_ssm_parameter" "oasys_password" {
		57 |   name  = format("/%s-%s/oasys_password", var.account_info.application_name, var.env_name)
		58 |   type  = "SecureString"
		59 |   value = "INITIAL_VALUE_OVERRIDDEN"
		60 |   lifecycle {
		61 |     ignore_changes = [
		62 |       value
		63 |     ]
		64 |   }
		65 |   tags = local.tags
		66 | 
		67 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.iaps_user
	File: /ssm.tf:69-80

		69 | resource "aws_ssm_parameter" "iaps_user" {
		70 |   name  = format("/%s-%s/iaps_user", var.account_info.application_name, var.env_name)
		71 |   type  = "SecureString"
		72 |   value = "INITIAL_VALUE_OVERRIDDEN"
		73 |   lifecycle {
		74 |     ignore_changes = [
		75 |       value
		76 |     ]
		77 |   }
		78 |   tags = local.tags
		79 | 
		80 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.iaps_user_password
	File: /ssm.tf:82-93

		82 | resource "aws_ssm_parameter" "iaps_user_password" {
		83 |   name  = format("/%s-%s/iaps_user_password", var.account_info.application_name, var.env_name)
		84 |   type  = "SecureString"
		85 |   value = "INITIAL_VALUE_OVERRIDDEN"
		86 |   lifecycle {
		87 |     ignore_changes = [
		88 |       value
		89 |     ]
		90 |   }
		91 |   tags = local.tags
		92 | 
		93 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.dss_user
	File: /ssm.tf:95-106

		95  | resource "aws_ssm_parameter" "dss_user" {
		96  |   name  = format("/%s-%s/dss_user", var.account_info.application_name, var.env_name)
		97  |   type  = "SecureString"
		98  |   value = "INITIAL_VALUE_OVERRIDDEN"
		99  |   lifecycle {
		100 |     ignore_changes = [
		101 |       value
		102 |     ]
		103 |   }
		104 |   tags = local.tags
		105 | 
		106 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.dss_user_password
	File: /ssm.tf:108-119

		108 | resource "aws_ssm_parameter" "dss_user_password" {
		109 |   name  = format("/%s-%s/dss_user_password", var.account_info.application_name, var.env_name)
		110 |   type  = "SecureString"
		111 |   value = "INITIAL_VALUE_OVERRIDDEN"
		112 |   lifecycle {
		113 |     ignore_changes = [
		114 |       value
		115 |     ]
		116 |   }
		117 |   tags = local.tags
		118 | 
		119 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.casenotes_user
	File: /ssm.tf:121-132

		121 | resource "aws_ssm_parameter" "casenotes_user" {
		122 |   name  = format("/%s-%s/casenotes_user", var.account_info.application_name, var.env_name)
		123 |   type  = "SecureString"
		124 |   value = "INITIAL_VALUE_OVERRIDDEN"
		125 |   lifecycle {
		126 |     ignore_changes = [
		127 |       value
		128 |     ]
		129 |   }
		130 |   tags = local.tags
		131 | 
		132 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.casenotes_user_password
	File: /ssm.tf:134-144

		134 | resource "aws_ssm_parameter" "casenotes_user_password" {
		135 |   name  = format("/%s-%s/casenotes_user_password", var.account_info.application_name, var.env_name)
		136 |   type  = "SecureString"
		137 |   value = "INITIAL_VALUE_OVERRIDDEN"
		138 |   lifecycle {
		139 |     ignore_changes = [
		140 |       value
		141 |     ]
		142 |   }
		143 |   tags = local.tags
		144 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.test_user_password
	File: /ssm.tf:146-157

		146 | resource "aws_ssm_parameter" "test_user_password" {
		147 |   name  = format("/%s-%s/test_user_password", var.account_info.application_name, var.env_name)
		148 |   type  = "SecureString"
		149 |   value = "INITIAL_VALUE_OVERRIDDEN"
		150 |   lifecycle {
		151 |     ignore_changes = [
		152 |       value
		153 |     ]
		154 |   }
		155 | 
		156 |   tags = local.tags
		157 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_gdpr_api_client_secret
	File: /ssm.tf:159-171

		159 | resource "aws_ssm_parameter" "delius_core_gdpr_api_client_secret" {
		160 |   name  = format("/%s-%s/gdpr/api/client_secret", var.account_info.application_name, var.env_name)
		161 |   type  = "SecureString"
		162 |   value = "INITIAL_VALUE_OVERRIDDEN"
		163 | 
		164 |   lifecycle {
		165 |     ignore_changes = [
		166 |       value
		167 |     ]
		168 |   }
		169 | 
		170 |   tags = local.tags
		171 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_pwm_config_password
	File: /ssm.tf:173-185

		173 | resource "aws_ssm_parameter" "delius_core_pwm_config_password" {
		174 |   name  = format("/%s-%s/pwm/pwm/config_password", var.account_info.application_name, var.env_name)
		175 |   type  = "SecureString"
		176 |   value = "INITIAL_VALUE_OVERRIDDEN"
		177 | 
		178 |   lifecycle {
		179 |     ignore_changes = [
		180 |       value
		181 |     ]
		182 |   }
		183 | 
		184 |   tags = local.tags
		185 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_merge_api_client_secret
	File: /ssm.tf:187-199

		187 | resource "aws_ssm_parameter" "delius_core_merge_api_client_secret" {
		188 |   name  = format("/%s-%s/merge/api/client_secret", var.account_info.application_name, var.env_name)
		189 |   type  = "SecureString"
		190 |   value = "INITIAL_VALUE_OVERRIDDEN"
		191 | 
		192 |   lifecycle {
		193 |     ignore_changes = [
		194 |       value
		195 |     ]
		196 |   }
		197 | 
		198 |   tags = local.tags
		199 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_weblogic_ndelius_domain_umt_client_secret
	File: /ssm.tf:201-213

		201 | resource "aws_ssm_parameter" "delius_core_weblogic_ndelius_domain_umt_client_secret" {
		202 |   name  = format("/%s-%s/weblogic/ndelius-domain/umt_client_secret", var.account_info.application_name, var.env_name)
		203 |   type  = "SecureString"
		204 |   value = "INITIAL_VALUE_OVERRIDDEN"
		205 | 
		206 |   lifecycle {
		207 |     ignore_changes = [
		208 |       value
		209 |     ]
		210 |   }
		211 | 
		212 |   tags = local.tags
		213 | }

Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
	FAILED for resource: aws_lb.delius_core_frontend
	File: /weblogic_alb.tf:39-51
	Guide: https://docs.bridgecrew.io/docs/bc_aws_networking_62

		39 | resource "aws_lb" "delius_core_frontend" {
		40 |   # checkov:skip=CKV_AWS_91
		41 |   # checkov:skip=CKV2_AWS_28
		42 | 
		43 |   name               = "${var.app_name}-${var.env_name}-weblogic-alb"
		44 |   internal           = false
		45 |   load_balancer_type = "application"
		46 |   security_groups    = [aws_security_group.delius_frontend_alb_security_group.id]
		47 |   subnets            = var.account_config.public_subnet_ids
		48 | 
		49 |   enable_deletion_protection = false
		50 |   drop_invalid_header_fields = true
		51 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_frontend_env_var_jdbc_url
	File: /weblogic_params.tf:6-16

		6  | resource "aws_ssm_parameter" "delius_core_frontend_env_var_jdbc_url" {
		7  |   name  = format("/%s-%s/JDBC_URL", var.account_info.application_name, var.env_name)
		8  |   type  = "SecureString"
		9  |   value = format("jdbc:oracle:thin:@//INITIAL_HOSTNAME_OVERRIDEN:INITIAL_PORT_OVERRIDDEN/%s", var.weblogic_config.db_name)
		10 |   tags  = local.tags
		11 |   lifecycle {
		12 |     ignore_changes = [
		13 |       value
		14 |     ]
		15 |   }
		16 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_frontend_env_var_jdbc_password
	File: /weblogic_params.tf:18-28

		18 | resource "aws_ssm_parameter" "delius_core_frontend_env_var_jdbc_password" {
		19 |   name  = format("/%s-%s/JDBC_PASSWORD", var.account_info.application_name, var.env_name)
		20 |   type  = "SecureString"
		21 |   value = "INITIAL_VALUE_OVERRIDDEN"
		22 |   tags  = local.tags
		23 |   lifecycle {
		24 |     ignore_changes = [
		25 |       value
		26 |     ]
		27 |   }
		28 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_frontend_env_var_test_mode
	File: /weblogic_params.tf:30-35

		30 | resource "aws_ssm_parameter" "delius_core_frontend_env_var_test_mode" {
		31 |   name  = format("/%s/%s/TEST_MODE", var.account_info.application_name, var.env_name)
		32 |   type  = "String"
		33 |   value = "true"
		34 |   tags  = local.tags
		35 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_frontend_env_var_dev_username
	File: /weblogic_params.tf:37-47

		37 | resource "aws_ssm_parameter" "delius_core_frontend_env_var_dev_username" {
		38 |   name  = format("/%s/%s/DEV_USERNAME", var.account_info.application_name, var.env_name)
		39 |   type  = "SecureString"
		40 |   value = "INITIAL_VALUE_OVERRIDDEN"
		41 |   lifecycle {
		42 |     ignore_changes = [
		43 |       value
		44 |     ]
		45 |   }
		46 |   tags = local.tags
		47 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_frontend_env_var_dev_password
	File: /weblogic_params.tf:49-59

		49 | resource "aws_ssm_parameter" "delius_core_frontend_env_var_dev_password" {
		50 |   name  = format("/%s/%s/DEV_PASSWORD", var.account_info.application_name, var.env_name)
		51 |   type  = "SecureString"
		52 |   value = "INITIAL_VALUE_OVERRIDDEN"
		53 |   lifecycle {
		54 |     ignore_changes = [
		55 |       value
		56 |     ]
		57 |   }
		58 |   tags = local.tags
		59 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_frontend_env_var_eis_user_context
	File: /weblogic_params.tf:61-71

		61 | resource "aws_ssm_parameter" "delius_core_frontend_env_var_eis_user_context" {
		62 |   name  = format("/%s/%s/EIS_USER_CONTEXT", var.account_info.application_name, var.env_name)
		63 |   type  = "SecureString"
		64 |   value = "INITIAL_VALUE_OVERRIDDEN"
		65 |   lifecycle {
		66 |     ignore_changes = [
		67 |       value
		68 |     ]
		69 |   }
		70 |   tags = local.tags
		71 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_frontend_env_var_user_context
	File: /weblogic_params.tf:73-83

		73 | resource "aws_ssm_parameter" "delius_core_frontend_env_var_user_context" {
		74 |   name  = format("/%s/%s/USER_CONTEXT", var.account_info.application_name, var.env_name)
		75 |   type  = "SecureString"
		76 |   value = "INITIAL_VALUE_OVERRIDDEN"
		77 |   lifecycle {
		78 |     ignore_changes = [
		79 |       value
		80 |     ]
		81 |   }
		82 |   tags = local.tags
		83 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: weblogic_container
	File: /weblogic_service.tf:1-63
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision.html

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.delius_core_frontend_log_group
	File: /weblogic_service.tf:199-203

		199 | resource "aws_cloudwatch_log_group" "delius_core_frontend_log_group" {
		200 |   name              = var.weblogic_config.frontend_fully_qualified_name
		201 |   retention_in_days = 7
		202 |   tags              = local.tags
		203 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.delius_core_frontend_log_group
	File: /weblogic_service.tf:199-203
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html

		199 | resource "aws_cloudwatch_log_group" "delius_core_frontend_log_group" {
		200 |   name              = var.weblogic_config.frontend_fully_qualified_name
		201 |   retention_in_days = 7
		202 |   tags              = local.tags
		203 | }

Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
	FAILED for resource: aws_ssm_parameter.delius_core_frontend_env_var_test_mode
	File: /weblogic_params.tf:30-35
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html

		30 | resource "aws_ssm_parameter" "delius_core_frontend_env_var_test_mode" {
		31 |   name  = format("/%s/%s/TEST_MODE", var.account_info.application_name, var.env_name)
		32 |   type  = "String"
		33 |   value = "true"
		34 |   tags  = local.tags
		35 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: module.ebs_volume.aws_ebs_volume.this
	File: /../ebs_volume/main.tf:1-10
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup.html

		1  | resource "aws_ebs_volume" "this" {
		2  |   availability_zone = var.availability_zone
		3  |   type              = var.type
		4  |   iops              = var.iops
		5  |   throughput        = var.throughput
		6  |   size              = var.size
		7  |   encrypted         = true
		8  |   kms_key_id        = var.kms_key_id
		9  |   tags              = var.tags
		10 | }

Check: CKV2_AWS_23: "Route53 A Record has Attached Resource"
	FAILED for resource: aws_route53_record.delius-core-db
	File: /db_service.tf:70-78
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-route53-a-record-has-an-attached-resource.html

		70 | resource "aws_route53_record" "delius-core-db" {
		71 |   count    = var.env_name == "dev" ? 1 : 0
		72 |   provider = aws.core-vpc
		73 |   zone_id  = var.account_config.route53_inner_zone_info.zone_id
		74 |   name     = "${var.app_name}-${var.env_name}-${var.delius_db_container_config.fully_qualified_name}.${var.account_config.route53_inner_zone_info.name}"
		75 |   type     = "A"
		76 |   ttl      = 300
		77 |   records  = ["10.26.26.95"]
		78 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.delius_core_ldap_credential
	File: /ldap_params.tf:2-4

		2 | resource "aws_secretsmanager_secret" "delius_core_ldap_credential" {
		3 |   name = "${var.account_info.application_name}-${var.env_name}-openldap-bind-password"
		4 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.delius_db_security_group
	File: /db_service.tf:80-85
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis.html

		80 | resource "aws_security_group" "delius_db_security_group" {
		81 |   name        = format("%s - Delius Core DB", var.env_name)
		82 |   description = "Rules for the delius testing db ecs service"
		83 |   vpc_id      = var.account_config.shared_vpc_id
		84 |   tags        = local.tags
		85 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.ldap
	File: /ldap_ecs.tf:73-81
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis.html

		73 | resource "aws_security_group" "ldap" {
		74 |   name        = "${var.env_name}-ldap-sg"
		75 |   description = "Security group for the ${var.env_name} ldap service"
		76 |   vpc_id      = var.account_info.vpc_id
		77 |   tags        = local.tags
		78 |   lifecycle {
		79 |     create_before_destroy = true
		80 |   }
		81 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.weblogic_service
	File: /weblogic_service.tf:114-122
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis.html

		114 | resource "aws_security_group" "weblogic_service" {
		115 |   name        = format("%s - Delius Core Weblogic service", var.env_name)
		116 |   description = "Security group for the ${var.env_name} weblogic service"
		117 |   vpc_id      = var.account_info.vpc_id
		118 |   tags        = local.tags
		119 |   lifecycle {
		120 |     create_before_destroy = true
		121 |   }
		122 | }


checkov_exitcode=1

CTFLint Scan Failed

Show Output
*****************************

Setting default tflint config...
Running tflint --init...
Installing `terraform` plugin...
Installed `terraform` (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.2.1)
tflint will check the following folders:
terraform/environments/delius-core/modules/environment_all_components

*****************************

Running tflint in terraform/environments/delius-core/modules/environment_all_components
Excluding the following checks: terraform_unused_declarations
3 issue(s) found:

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/delius-core/modules/environment_all_components/db_s3.tf line 48:
  48:       "${module.s3_bucket_oracledb_backups.bucket.arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/delius-core/modules/environment_all_components/ldap_datasync.tf line 63:
  63:       "${module.s3_bucket_ldap_data_refresh.bucket.arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/delius-core/modules/environment_all_components/ldap_datasync.tf line 76:
  76:         "${module.s3_bucket_ldap_data_refresh.bucket.arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

tflint_exitcode=2

@github-actions
Contributor

TFSEC Scan Failed

Show Output
*****************************

TFSEC will check the following folders:
terraform/environments/delius-core/modules/environment_all_components

*****************************

Running TFSEC in terraform/environments/delius-core/modules/environment_all_components
Excluding the following checks: AWS095

======================================================
tfsec is joining the Trivy family

tfsec will continue to remain available 
for the time being, although our engineering 
attention will be directed at Trivy going forward.

You can read more here: 
https://github.com/aquasecurity/tfsec/discussions/1994
======================================================

Result #1 CRITICAL Security group rule allows egress to multiple public internet addresses. 
────────────────────────────────────────────────────────────────────────────────
  ldap_ecs.tf:89
────────────────────────────────────────────────────────────────────────────────
   83    resource "aws_security_group_rule" "allow_all_egress" {
   84      description       = "Allow all outbound traffic to any IPv4 address"
   85      type              = "egress"
   86      from_port         = 0
   87      to_port           = 0
   88      protocol          = "-1"
   89  [   cidr_blocks       = ["0.0.0.0/0"]
   90      security_group_id = aws_security_group.ldap.id
   91    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-no-public-egress-sgr
      Impact Your port is egressing data to the internet
  Resolution Set a more restrictive cidr range

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/no-public-egress-sgr/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
────────────────────────────────────────────────────────────────────────────────


Result #2 CRITICAL Security group rule allows egress to multiple public internet addresses. 
────────────────────────────────────────────────────────────────────────────────
  weblogic_service.tf:185
────────────────────────────────────────────────────────────────────────────────
  179    resource "aws_security_group_rule" "weblogic_allow_all_egress" {
  180      description       = "Allow all outbound traffic to any IPv4 address on 443"
  181      type              = "egress"
  182      from_port         = 443
  183      to_port           = 443
  184      protocol          = "tcp"
  185  [   cidr_blocks       = ["0.0.0.0/0"]
  186      security_group_id = aws_security_group.weblogic_service.id
  187    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-no-public-egress-sgr
      Impact Your port is egressing data to the internet
  Resolution Set a more restrictive cidr range

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/no-public-egress-sgr/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
────────────────────────────────────────────────────────────────────────────────


Results #3-5 HIGH IAM policy document uses sensitive action 'ssm:GetParameters' on wildcarded resource '*' (3 similar results)
────────────────────────────────────────────────────────────────────────────────
  ../ecs_policies/main.tf:107
   via ldap_ecs.tf:1-14 (module.ldap_ecs_policies)
────────────────────────────────────────────────────────────────────────────────
  104    data "aws_iam_policy_document" "task_exec" {
  ...  
  107  [     resources = ["*"]
  ...  
  121    }
────────────────────────────────────────────────────────────────────────────────
  Individual Causes
  - ../ecs_policies/main.tf:1-14 (module.ldap_ecs_policies) 3 instances
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Results #6-8 HIGH IAM policy document uses sensitive action 'elasticloadbalancing:Describe*' on wildcarded resource '*' (3 similar results)
────────────────────────────────────────────────────────────────────────────────
  ../ecs_policies/main.tf:46
   via ldap_ecs.tf:1-14 (module.ldap_ecs_policies)
────────────────────────────────────────────────────────────────────────────────
   43    data "aws_iam_policy_document" "service_policy" {
   ..  
   46  [     resources = ["*"]
   ..  
   58    }
────────────────────────────────────────────────────────────────────────────────
  Individual Causes
  - ../ecs_policies/main.tf:1-14 (module.ldap_ecs_policies) 3 instances
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Results #9-14 HIGH IAM policy document uses wildcarded action 'elasticloadbalancing:Describe*' (6 similar results)
────────────────────────────────────────────────────────────────────────────────
  ../ecs_policies/main.tf:48-56
   via ldap_ecs.tf:1-14 (module.ldap_ecs_policies)
────────────────────────────────────────────────────────────────────────────────
   43    data "aws_iam_policy_document" "service_policy" {
   44      statement {
   45        effect    = "Allow"
   46        resources = ["*"]
   47    
   48  ┌     actions = concat([
   49  │       "elasticloadbalancing:Describe*",
   50  │       "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
   51  │       "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
   ..  
────────────────────────────────────────────────────────────────────────────────
  Individual Causes
  - ../ecs_policies/main.tf:1-14 (module.ldap_ecs_policies) 6 instances
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #15 HIGH Instance does not require IMDS access to require a token 
────────────────────────────────────────────────────────────────────────────────
  db_ec2.tf:69
────────────────────────────────────────────────────────────────────────────────
   54    resource "aws_instance" "db_ec2_primary_instance" {
   ..  
   69  [     http_tokens   = "optional" ("optional")
   ..  
   94    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-enforce-http-token-imds
      Impact Instance metadata service can be interacted with freely
  Resolution Enable HTTP token requirement for IMDS

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/enforce-http-token-imds/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance#metadata-options
────────────────────────────────────────────────────────────────────────────────


Results #16-19 HIGH IAM policy document uses wildcarded action 'kms:Encrypt' (4 similar results)
────────────────────────────────────────────────────────────────────────────────
  db_iam.tf:27-36
────────────────────────────────────────────────────────────────────────────────
   24    data "aws_iam_policy_document" "business_unit_kms_key_access" {
   25      statement {
   26        effect = "Allow"
   27  ┌     actions = [
   28  │       "kms:Encrypt",
   29  │       "kms:Decrypt",
   30  │       "kms:ReEncrypt*",
   31  │       "kms:GenerateDataKey*",
   32  │       "kms:DescribeKey",
   ..  
────────────────────────────────────────────────────────────────────────────────
  Individual Causes
  - db_iam.tf:24-41 (data.aws_iam_policy_document.business_unit_kms_key_access) 4 instances
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #20 HIGH IAM policy document uses wildcarded action 's3:*' 
────────────────────────────────────────────────────────────────────────────────
  db_s3.tf:44-46
────────────────────────────────────────────────────────────────────────────────
   40    data "aws_iam_policy_document" "oracledb_backup_bucket_access" {
   41      statement {
   42        sid    = "allowAccessToOracleDbBackupBucket"
   43        effect = "Allow"
   44  ┌     actions = [
   45  │       "s3:*"
   46  └     ]
   47        resources = [
   48          "${module.s3_bucket_oracledb_backups.bucket.arn}",
   ..  
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #21 HIGH IAM policy document uses sensitive action 's3:*' on wildcarded resource 'd755f795-0455-4206-b9b8-f202c2dbaf3b' 
────────────────────────────────────────────────────────────────────────────────
  db_s3.tf:47-50
────────────────────────────────────────────────────────────────────────────────
   40    data "aws_iam_policy_document" "oracledb_backup_bucket_access" {
   41      statement {
   42        sid    = "allowAccessToOracleDbBackupBucket"
   43        effect = "Allow"
   44        actions = [
   45          "s3:*"
   46        ]
   47  ┌     resources = [
   48  │       "${module.s3_bucket_oracledb_backups.bucket.arn}",
   ..  
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #22 HIGH IAM policy document uses sensitive action 'efs:DescribeFileSystems' on wildcarded resource '*' 
────────────────────────────────────────────────────────────────────────────────
  ldap_backups.tf:100
────────────────────────────────────────────────────────────────────────────────
   97    data "aws_iam_policy_document" "efs_backup_policy" {
   ..  
  100  [     resources = ["*"]
  ...  
  134    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #23 HIGH IAM policy document uses sensitive action 'backup:CreateBackupPlan' on wildcarded resource '*' 
────────────────────────────────────────────────────────────────────────────────
  ldap_backups.tf:72
────────────────────────────────────────────────────────────────────────────────
   69    data "aws_iam_policy_document" "delius_core_backup_policy" {
   ..  
   72  [     resources = ["*"]
   ..  
   89    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Results #24-26 HIGH IAM policy document uses wildcarded action 'backup:*' (3 similar results)
────────────────────────────────────────────────────────────────────────────────
  ldap_datasync.tf:51-55
────────────────────────────────────────────────────────────────────────────────
   48    data "aws_iam_policy_document" "ldap_datasync_role_access" {
   ..  
   51  ┌     actions = [
   52  │       "backup:*",
   53  │       "datasync:*",
   54  │       "elasticfilesystem:*",
   55  └     ]
   ..  
   67    }
────────────────────────────────────────────────────────────────────────────────
  Individual Causes
  - ldap_datasync.tf:48-67 (data.aws_iam_policy_document.ldap_datasync_role_access) 3 instances
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #27 HIGH IAM policy document uses sensitive action 'backup:*' on wildcarded resource '*' 
────────────────────────────────────────────────────────────────────────────────
  ldap_datasync.tf:56
────────────────────────────────────────────────────────────────────────────────
   48    data "aws_iam_policy_document" "ldap_datasync_role_access" {
   ..  
   56  [     resources = ["*"]
   ..  
   67    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #28 HIGH IAM policy document uses wildcarded action 's3:*' 
────────────────────────────────────────────────────────────────────────────────
  ldap_datasync.tf:61
────────────────────────────────────────────────────────────────────────────────
   48    data "aws_iam_policy_document" "ldap_datasync_role_access" {
   ..  
   61  [     actions = ["s3:*"]
   ..  
   67    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #29 HIGH IAM policy document uses sensitive action 's3:*' on wildcarded resource 'd54c51d7-448f-4d5e-8b27-134d71e62995' 
────────────────────────────────────────────────────────────────────────────────
  ldap_datasync.tf:62-65
────────────────────────────────────────────────────────────────────────────────
   48    data "aws_iam_policy_document" "ldap_datasync_role_access" {
   ..  
   62  ┌     resources = [
   63  │       "${module.s3_bucket_ldap_data_refresh.bucket.arn}",
   64  │       "${module.s3_bucket_ldap_data_refresh.bucket.arn}/*",
   65  └     ]
   ..  
   67    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #30 HIGH IAM policy document uses sensitive action 'elasticloadbalancing:Describe*' on wildcarded resource '*' 
────────────────────────────────────────────────────────────────────────────────
  ldap_ecs.tf:170
────────────────────────────────────────────────────────────────────────────────
  167    data "aws_iam_policy_document" "ecs_service_policy" {
  ...  
  170  [     resources = ["*"]
  ...  
  182    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Results #31-32 HIGH IAM policy document uses wildcarded action 'elasticloadbalancing:Describe*' (2 similar results)
────────────────────────────────────────────────────────────────────────────────
  ldap_ecs.tf:172-180
────────────────────────────────────────────────────────────────────────────────
  167    data "aws_iam_policy_document" "ecs_service_policy" {
  168      statement {
  169        effect    = "Allow"
  170        resources = ["*"]
  171    
  172  ┌     actions = [
  173  │       "elasticloadbalancing:Describe*",
  174  │       "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
  175  │       "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
  ...  
────────────────────────────────────────────────────────────────────────────────
  Individual Causes
  - ldap_ecs.tf:167-182 (data.aws_iam_policy_document.ecs_service_policy) 2 instances
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #33 HIGH IAM policy document uses wildcarded action 's3:*' 
────────────────────────────────────────────────────────────────────────────────
  ldap_ecs.tf:209-211
────────────────────────────────────────────────────────────────────────────────
  204    data "aws_iam_policy_document" "ecs_s3" {
  205      statement {
  206        effect    = "Allow"
  207        resources = [module.s3_bucket_migration.bucket.arn]
  208    
  209  ┌     actions = [
  210  │       "s3:*"
  211  └     ]
  212      }
  213    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #34 HIGH IAM policy document uses sensitive action 'ssm:GetParameters' on wildcarded resource '*' 
────────────────────────────────────────────────────────────────────────────────
  ldap_ecs.tf:248
────────────────────────────────────────────────────────────────────────────────
  245    data "aws_iam_policy_document" "ecs_exec" {
  ...  
  248  [     resources = ["*"]
  ...  
  262    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Results #35-36 MEDIUM Bucket does not have versioning enabled (2 similar results)
────────────────────────────────────────────────────────────────────────────────
  github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0/main.tf:170
   via ldap_datasync.tf:96-110 (module.s3_bucket_ldap_data_refresh)
────────────────────────────────────────────────────────────────────────────────
  167    resource "aws_s3_bucket_versioning" "default" {
  168      bucket = aws_s3_bucket.default.id
  169      versioning_configuration {
  170  [     status = (var.versioning_enabled != true) ? "Suspended" : "Enabled"
  171      }
  172    }
────────────────────────────────────────────────────────────────────────────────
  Individual Causes
  - github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0/main.tf:96-110 (module.s3_bucket_ldap_data_refresh)
  - github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0/main.tf:1-38 (module.s3_bucket_oracledb_backups)
────────────────────────────────────────────────────────────────────────────────
          ID aws-s3-enable-versioning
      Impact Deleted or modified data would not be recoverable
  Resolution Enable versioning to protect against accidental/malicious removal or modification

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/s3/enable-versioning/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#versioning
────────────────────────────────────────────────────────────────────────────────


Result #37 LOW Log group is not encrypted. 
────────────────────────────────────────────────────────────────────────────────
  db_service.tf:114-118
────────────────────────────────────────────────────────────────────────────────
  114    resource "aws_cloudwatch_log_group" "delius_core_testing_db_log_group" {
  115      name              = format("%s-%s", var.env_name, var.delius_db_container_config.fully_qualified_name)
  116      retention_in_days = 7
  117      tags              = local.tags
  118    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-cloudwatch-log-group-customer-key
      Impact Log data may be leaked if the logs are compromised. No auditing of who have viewed the logs.
  Resolution Enable CMK encryption of CloudWatch Log Groups

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/cloudwatch/log-group-customer-key/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group#kms_key_id
────────────────────────────────────────────────────────────────────────────────


Result #38 LOW Security group rule does not have a description. 
────────────────────────────────────────────────────────────────────────────────
  ldap_ecs.tf:113-120
────────────────────────────────────────────────────────────────────────────────
  113    resource "aws_security_group_rule" "efs_ingress_ldap" {
  114      type                     = "ingress"
  115      from_port                = 2049
  116      to_port                  = 2049
  117      protocol                 = "tcp"
  118      source_security_group_id = aws_security_group.ldap_efs.id
  119      security_group_id        = aws_security_group.ldap.id
  120    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-add-description-to-security-group-rule
      Impact Descriptions provide context for the firewall rule reasons
  Resolution Add descriptions for all security groups rules

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/add-description-to-security-group-rule/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule
────────────────────────────────────────────────────────────────────────────────


Result #39 LOW Log group is not encrypted. 
────────────────────────────────────────────────────────────────────────────────
  ldap_ecs.tf:122-125
────────────────────────────────────────────────────────────────────────────────
  122    resource "aws_cloudwatch_log_group" "ldap" {
  123      name              = "${var.env_name}-ldap-ecs"
  124      retention_in_days = 30
  125    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-cloudwatch-log-group-customer-key
      Impact Log data may be leaked if the logs are compromised. No auditing of who have viewed the logs.
  Resolution Enable CMK encryption of CloudWatch Log Groups

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/cloudwatch/log-group-customer-key/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group#kms_key_id
────────────────────────────────────────────────────────────────────────────────


Result #40 LOW Log group is not encrypted. 
────────────────────────────────────────────────────────────────────────────────
  ldap_ecs.tf:271-274
────────────────────────────────────────────────────────────────────────────────
  271    resource "aws_cloudwatch_log_group" "ldap_test" {
  272      name              = "/ecs/ldap_${var.env_name}"
  273      retention_in_days = 5
  274    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-cloudwatch-log-group-customer-key
      Impact Log data may be leaked if the logs are compromised. No auditing of who has viewed the logs.
  Resolution Enable CMK encryption of CloudWatch Log Groups

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/cloudwatch/log-group-customer-key/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group#kms_key_id
────────────────────────────────────────────────────────────────────────────────


Result #41 LOW Security group rule does not have a description. 
────────────────────────────────────────────────────────────────────────────────
  ldap_efs.tf:55-62
────────────────────────────────────────────────────────────────────────────────
   55    resource "aws_security_group_rule" "efs_ingress" {
   56      type                     = "ingress"
   57      from_port                = 2049
   58      to_port                  = 2049
   59      protocol                 = "tcp"
   60      source_security_group_id = aws_security_group.ldap.id
   61      security_group_id        = aws_security_group.ldap_efs.id
   62    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-add-description-to-security-group-rule
      Impact Descriptions provide context for the firewall rule reasons
  Resolution Add descriptions for all security group rules

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/add-description-to-security-group-rule/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule
────────────────────────────────────────────────────────────────────────────────


Result #42 LOW Security group rule does not have a description. 
────────────────────────────────────────────────────────────────────────────────
  ldap_efs.tf:64-71
────────────────────────────────────────────────────────────────────────────────
   64    resource "aws_security_group_rule" "efs_egress" {
   65      type              = "egress"
   66      from_port         = 0
   67      to_port           = 0
   68      protocol          = "all"
   69      cidr_blocks       = [var.account_config.shared_vpc_cidr]
   70      security_group_id = aws_security_group.ldap_efs.id
   71    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-add-description-to-security-group-rule
      Impact Descriptions provide context for the firewall rule reasons
  Resolution Add descriptions for all security group rules

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/add-description-to-security-group-rule/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule
────────────────────────────────────────────────────────────────────────────────


Result #43 LOW Log group is not encrypted. 
────────────────────────────────────────────────────────────────────────────────
  weblogic_service.tf:199-203
────────────────────────────────────────────────────────────────────────────────
  199    resource "aws_cloudwatch_log_group" "delius_core_frontend_log_group" {
  200      name              = var.weblogic_config.frontend_fully_qualified_name
  201      retention_in_days = 7
  202      tags              = local.tags
  203    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-cloudwatch-log-group-customer-key
      Impact Log data may be leaked if the logs are compromised. No auditing of who has viewed the logs.
  Resolution Enable CMK encryption of CloudWatch Log Groups

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/cloudwatch/log-group-customer-key/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group#kms_key_id
────────────────────────────────────────────────────────────────────────────────


  timings
  ──────────────────────────────────────────
  disk i/o             2.299312ms
  parsing              1.662331077s
  adaptation           18.221387ms
  checks               17.182581ms
  total                1.700034357s

  counts
  ──────────────────────────────────────────
  modules downloaded   4
  modules processed    14
  blocks processed     649
  files read           74

  results
  ──────────────────────────────────────────
  passed               223
  ignored              20
  critical             2
  high                 32
  medium               2
  low                  7

  223 passed, 20 ignored, 43 potential problem(s) detected.

tfsec_exitcode=1

Checkov Scan Failed

*****************************

Checkov will check the following folders:
terraform/environments/delius-core/modules/environment_all_components

*****************************

Running Checkov in terraform/environments/delius-core/modules/environment_all_components
2023-10-13 06:37:41,648 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0:None (for external modules, the --download-external-modules flag is required)
2023-10-13 06:37:41,648 [MainThread  ] [WARNI]  Failed to download module git::https://github.com/cloudposse/terraform-aws-ecs-container-definition.git?ref=tags/0.59.0:None (for external modules, the --download-external-modules flag is required)
2023-10-13 06:37:41,649 [MainThread  ] [WARNI]  Failed to download module git::https://github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//service?ref=c195026bcf0a1958fa4d3cc2efefc56ed876507e:None (for external modules, the --download-external-modules flag is required)
2023-10-13 06:37:41,649 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//cluster?ref=c195026bcf0a1958fa4d3cc2efefc56ed876507e:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 643, Failed checks: 77, Skipped checks: 4

Check: CKV_AWS_108: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: module.db_ecs_policies.aws_iam_policy_document.task_exec
	File: /../ecs_policies/main.tf:104-121
	Calling File: /db_service.tf:27-33
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-data-exfiltration.html

		104 | data "aws_iam_policy_document" "task_exec" {
		105 |   statement {
		106 |     effect    = "Allow"
		107 |     resources = ["*"]
		108 | 
		109 |     actions = concat([
		110 |       "ssm:GetParameters",
		111 |       "ecr:GetAuthorizationToken",
		112 |       "ecr:BatchCheckLayerAvailability",
		113 |       "ecr:GetDownloadUrlForLayer",
		114 |       "ecr:BatchGetImage",
		115 |       "logs:CreateLogGroup",
		116 |       "logs:CreateLogStream",
		117 |       "logs:PutLogEvents",
		118 |       "secretsmanager:GetSecretValue"
		119 |     ], var.extra_exec_role_allow_statements)
		120 |   }
		121 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.db_ecs_policies.aws_iam_policy_document.task_exec
	File: /../ecs_policies/main.tf:104-121
	Calling File: /db_service.tf:27-33

		104 | data "aws_iam_policy_document" "task_exec" {
		105 |   statement {
		106 |     effect    = "Allow"
		107 |     resources = ["*"]
		108 | 
		109 |     actions = concat([
		110 |       "ssm:GetParameters",
		111 |       "ecr:GetAuthorizationToken",
		112 |       "ecr:BatchCheckLayerAvailability",
		113 |       "ecr:GetDownloadUrlForLayer",
		114 |       "ecr:BatchGetImage",
		115 |       "logs:CreateLogGroup",
		116 |       "logs:CreateLogStream",
		117 |       "logs:PutLogEvents",
		118 |       "secretsmanager:GetSecretValue"
		119 |     ], var.extra_exec_role_allow_statements)
		120 |   }
		121 | }

Check: CKV_AWS_108: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: module.ldap_ecs_policies.aws_iam_policy_document.task_exec
	File: /../ecs_policies/main.tf:104-121
	Calling File: /ldap_ecs.tf:1-14
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-data-exfiltration.html

		104 | data "aws_iam_policy_document" "task_exec" {
		105 |   statement {
		106 |     effect    = "Allow"
		107 |     resources = ["*"]
		108 | 
		109 |     actions = concat([
		110 |       "ssm:GetParameters",
		111 |       "ecr:GetAuthorizationToken",
		112 |       "ecr:BatchCheckLayerAvailability",
		113 |       "ecr:GetDownloadUrlForLayer",
		114 |       "ecr:BatchGetImage",
		115 |       "logs:CreateLogGroup",
		116 |       "logs:CreateLogStream",
		117 |       "logs:PutLogEvents",
		118 |       "secretsmanager:GetSecretValue"
		119 |     ], var.extra_exec_role_allow_statements)
		120 |   }
		121 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.ldap_ecs_policies.aws_iam_policy_document.task_exec
	File: /../ecs_policies/main.tf:104-121
	Calling File: /ldap_ecs.tf:1-14

		104 | data "aws_iam_policy_document" "task_exec" {
		105 |   statement {
		106 |     effect    = "Allow"
		107 |     resources = ["*"]
		108 | 
		109 |     actions = concat([
		110 |       "ssm:GetParameters",
		111 |       "ecr:GetAuthorizationToken",
		112 |       "ecr:BatchCheckLayerAvailability",
		113 |       "ecr:GetDownloadUrlForLayer",
		114 |       "ecr:BatchGetImage",
		115 |       "logs:CreateLogGroup",
		116 |       "logs:CreateLogStream",
		117 |       "logs:PutLogEvents",
		118 |       "secretsmanager:GetSecretValue"
		119 |     ], var.extra_exec_role_allow_statements)
		120 |   }
		121 | }

Check: CKV_AWS_108: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: module.weblogic_ecs_policies.aws_iam_policy_document.task_exec
	File: /../ecs_policies/main.tf:104-121
	Calling File: /weblogic_service.tf:65-70
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-data-exfiltration.html

		104 | data "aws_iam_policy_document" "task_exec" {
		105 |   statement {
		106 |     effect    = "Allow"
		107 |     resources = ["*"]
		108 | 
		109 |     actions = concat([
		110 |       "ssm:GetParameters",
		111 |       "ecr:GetAuthorizationToken",
		112 |       "ecr:BatchCheckLayerAvailability",
		113 |       "ecr:GetDownloadUrlForLayer",
		114 |       "ecr:BatchGetImage",
		115 |       "logs:CreateLogGroup",
		116 |       "logs:CreateLogStream",
		117 |       "logs:PutLogEvents",
		118 |       "secretsmanager:GetSecretValue"
		119 |     ], var.extra_exec_role_allow_statements)
		120 |   }
		121 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.weblogic_ecs_policies.aws_iam_policy_document.task_exec
	File: /../ecs_policies/main.tf:104-121
	Calling File: /weblogic_service.tf:65-70

		104 | data "aws_iam_policy_document" "task_exec" {
		105 |   statement {
		106 |     effect    = "Allow"
		107 |     resources = ["*"]
		108 | 
		109 |     actions = concat([
		110 |       "ssm:GetParameters",
		111 |       "ecr:GetAuthorizationToken",
		112 |       "ecr:BatchCheckLayerAvailability",
		113 |       "ecr:GetDownloadUrlForLayer",
		114 |       "ecr:BatchGetImage",
		115 |       "logs:CreateLogGroup",
		116 |       "logs:CreateLogStream",
		117 |       "logs:PutLogEvents",
		118 |       "secretsmanager:GetSecretValue"
		119 |     ], var.extra_exec_role_allow_statements)
		120 |   }
		121 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.db_ec2_primary_instance
	File: /db_ec2.tf:54-94
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html

		54 | resource "aws_instance" "db_ec2_primary_instance" {
		55 |   #checkov:skip=CKV2_AWS_41:"IAM role is not implemented for this example EC2. SSH/AWS keys are not used either."
		56 |   instance_type               = var.db_config.instance.instance_type
		57 |   ami                         = data.aws_ami.oracle_db_ami.id
		58 |   vpc_security_group_ids      = [aws_security_group.db_ec2_instance_sg.id]
		59 |   subnet_id                   = var.account_config.data_subnet_a_id
		60 |   iam_instance_profile        = aws_iam_instance_profile.db_ec2_instanceprofile.name
		61 |   associate_public_ip_address = false
		62 |   monitoring                  = var.db_config.instance.monitoring
		63 |   ebs_optimized               = true
		64 |   key_name                    = aws_key_pair.environment_ec2_user_key_pair.key_name
		65 |   user_data_base64            = var.db_config.user_data_raw
		66 | 
		67 |   metadata_options {
		68 |     http_endpoint = "enabled"
		69 |     http_tokens   = "optional"
		70 |   }
		71 | 
		72 |   root_block_device {
		73 |     volume_type = var.db_config.ebs_volumes.root_volume.volume_type
		74 |     volume_size = var.db_config.ebs_volumes.root_volume.volume_size
		75 |     iops        = var.db_config.ebs_volumes.iops
		76 |     throughput  = var.db_config.ebs_volumes.throughput
		77 |     encrypted   = true
		78 |     kms_key_id  = var.db_config.ebs_volumes.kms_key_id
		79 |     tags        = local.tags
		80 |   }
		81 | 
		82 |   dynamic "ephemeral_block_device" {
		83 |     for_each = { for k, v in var.db_config.ebs_volumes.ebs_non_root_volumes : k => v if v.no_device == true }
		84 |     content {
		85 |       device_name = ephemeral_block_device.key
		86 |       no_device   = true
		87 |     }
		88 |   }
		89 |   tags = merge(local.tags,
		90 |     { Name = lower(format("%s-%s-1", var.env_name, var.db_config.name)) },
		91 |     { server-type = "delius_core_db" },
		92 |     { database = "delius_primarydb" }
		93 |   )
		94 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3_bucket_oracledb_backups
	File: /db_s3.tf:1-38
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision.html

		1  | module "s3_bucket_oracledb_backups" {
		2  |   source              = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0"
		3  |   bucket_name         = "${var.env_name}-oracle-database-backups"
		4  |   versioning_enabled  = false
		5  |   ownership_controls  = "BucketOwnerEnforced"
		6  |   replication_enabled = false
		7  |   custom_kms_key      = var.account_config.general_shared_kms_key_arn
		8  | 
		9  |   providers = {
		10 |     aws.bucket-replication = aws.bucket-replication
		11 |   }
		12 | 
		13 |   lifecycle_rule = [
		14 |     {
		15 |       id      = "main"
		16 |       enabled = "Enabled"
		17 |       prefix  = ""
		18 | 
		19 |       tags = {
		20 |         rule      = "log"
		21 |         autoclean = "true"
		22 |       }
		23 | 
		24 |       transition = [
		25 |         {
		26 |           days          = 90
		27 |           storage_class = "STANDARD_IA"
		28 |         }
		29 |       ]
		30 | 
		31 |       expiration = {
		32 |         days = 365
		33 |       }
		34 |     }
		35 |   ]
		36 | 
		37 |   tags = local.tags
		38 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: testing_db_container
	File: /db_service.tf:1-25
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision.html

		1  | module "testing_db_container" {
		2  |   count                    = var.env_name == "dev" ? 1 : 0
		3  |   source                   = "git::https://github.com/cloudposse/terraform-aws-ecs-container-definition.git?ref=tags/0.59.0"
		4  |   container_name           = "${var.env_name}-${var.delius_db_container_config.fully_qualified_name}"
		5  |   container_image          = "${var.platform_vars.environment_management.account_ids["core-shared-services-production"]}.dkr.ecr.eu-west-2.amazonaws.com/${var.delius_db_container_config.image_name}-ecr-repo:${var.delius_db_container_config.image_tag}"
		6  |   container_memory         = 4096
		7  |   container_cpu            = 1024
		8  |   essential                = true
		9  |   readonly_root_filesystem = false
		10 |   port_mappings = [
		11 |     {
		12 |       containerPort = var.delius_db_container_config.port
		13 |       hostPort      = var.delius_db_container_config.port
		14 |       protocol      = "tcp"
		15 |     },
		16 |   ]
		17 |   log_configuration = {
		18 |     logDriver = "awslogs"
		19 |     options = {
		20 |       "awslogs-group"         = aws_cloudwatch_log_group.delius_core_testing_db_log_group.name
		21 |       "awslogs-region"        = "eu-west-2"
		22 |       "awslogs-stream-prefix" = var.delius_db_container_config.fully_qualified_name
		23 |     }
		24 |   }
		25 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.delius_core_testing_db_log_group
	File: /db_service.tf:114-118

		114 | resource "aws_cloudwatch_log_group" "delius_core_testing_db_log_group" {
		115 |   name              = format("%s-%s", var.env_name, var.delius_db_container_config.fully_qualified_name)
		116 |   retention_in_days = 7
		117 |   tags              = local.tags
		118 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.delius_core_testing_db_log_group
	File: /db_service.tf:114-118
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html

		114 | resource "aws_cloudwatch_log_group" "delius_core_testing_db_log_group" {
		115 |   name              = format("%s-%s", var.env_name, var.delius_db_container_config.fully_qualified_name)
		116 |   retention_in_days = 7
		117 |   tags              = local.tags
		118 | }

Check: CKV_AWS_166: "Ensure Backup Vault is encrypted at rest using KMS CMK"
	FAILED for resource: aws_backup_vault.ldap_backup_vault
	File: /ldap_backups.tf:1-9
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-backup-vault-is-encrypted-at-rest-using-kms-cmk.html

		1 | resource "aws_backup_vault" "ldap_backup_vault" {
		2 |   name = "${var.env_name}-ldap-efs-backup-vault"
		3 |   tags = merge(
		4 |     local.tags,
		5 |     {
		6 |       Name = "${var.env_name}-ldap-efs-backup-vault"
		7 |     },
		8 |   )
		9 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.delius_core_backup_policy
	File: /ldap_backups.tf:69-89
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint.html

		69 | data "aws_iam_policy_document" "delius_core_backup_policy" {
		70 |   statement {
		71 |     effect    = "Allow"
		72 |     resources = ["*"]
		73 | 
		74 |     actions = [
		75 |       "backup:CreateBackupPlan",
		76 |       "backup:CreateBackupSelection",
		77 |       "backup:StartBackupJob",
		78 |       "backup:DescribeBackupJob",
		79 |       "backup:ListBackupJobs",
		80 |       "backup:ListBackupVaults",
		81 |       "backup:ListRecoveryPointsByBackupVault",
		82 |       "backup:ListBackupPlanTemplates",
		83 |       "backup:DescribeRestoreJob",
		84 |       "backup:GetRecoveryPointRestoreMetadata",
		85 |       "backup:ListRestoreJobs",
		86 |       "backup:StartRestoreJob"
		87 |     ]
		88 |   }
		89 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.delius_core_backup_policy
	File: /ldap_backups.tf:69-89

		69 | data "aws_iam_policy_document" "delius_core_backup_policy" {
		70 |   statement {
		71 |     effect    = "Allow"
		72 |     resources = ["*"]
		73 | 
		74 |     actions = [
		75 |       "backup:CreateBackupPlan",
		76 |       "backup:CreateBackupSelection",
		77 |       "backup:StartBackupJob",
		78 |       "backup:DescribeBackupJob",
		79 |       "backup:ListBackupJobs",
		80 |       "backup:ListBackupVaults",
		81 |       "backup:ListRecoveryPointsByBackupVault",
		82 |       "backup:ListBackupPlanTemplates",
		83 |       "backup:DescribeRestoreJob",
		84 |       "backup:GetRecoveryPointRestoreMetadata",
		85 |       "backup:ListRestoreJobs",
		86 |       "backup:StartRestoreJob"
		87 |     ]
		88 |   }
		89 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.efs_backup_policy
	File: /ldap_backups.tf:97-134
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint.html

		97  | data "aws_iam_policy_document" "efs_backup_policy" {
		98  |   statement {
		99  |     effect    = "Allow"
		100 |     resources = ["*"]
		101 | 
		102 |     actions = [
		103 |       "efs:DescribeFileSystems",
		104 |       "efs:CreateBackup",
		105 |       "efs:DeleteBackup",
		106 |       "efs:DescribeBackups",
		107 |       "efs:CreateTags",
		108 |       "efs:UntagResource",
		109 |       "efs:TagResource",
		110 |       "efs:DescribeTags",
		111 |       "elasticfilesystem:Backup",
		112 |       "elasticfilesystem:DescribeTags",
		113 |       "elasticfilesystem:CreateAccessPoint",
		114 |       "elasticfilesystem:CreateFileSystem",
		115 |       "elasticfilesystem:CreateMountTarget",
		116 |       "elasticfilesystem:DeleteAccessPoint",
		117 |       "elasticfilesystem:DeleteFileSystem",
		118 |       "elasticfilesystem:DeleteMountTarget",
		119 |       "elasticfilesystem:DescribeAccessPoints",
		120 |       "elasticfilesystem:DescribeFileSystemPolicy",
		121 |       "elasticfilesystem:DescribeFileSystems",
		122 |       "elasticfilesystem:DescribeLifecycleConfiguration",
		123 |       "elasticfilesystem:DescribeMountTargets",
		124 |       "elasticfilesystem:DescribeMountTargetSecurityGroups",
		125 |       "elasticfilesystem:PutBackupPolicy",
		126 |       "elasticfilesystem:PutFileSystemPolicy",
		127 |       "elasticfilesystem:PutLifecycleConfiguration",
		128 |       "elasticfilesystem:Restore",
		129 |       "elasticfilesystem:TagResource",
		130 |       "elasticfilesystem:UntagResource",
		131 |       "elasticfilesystem:UpdateFileSystem"
		132 |     ]
		133 |   }
		134 | }

Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy_document.efs_backup_policy
	File: /ldap_backups.tf:97-134
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint.html

		97  | data "aws_iam_policy_document" "efs_backup_policy" {
		98  |   statement {
		99  |     effect    = "Allow"
		100 |     resources = ["*"]
		101 | 
		102 |     actions = [
		103 |       "efs:DescribeFileSystems",
		104 |       "efs:CreateBackup",
		105 |       "efs:DeleteBackup",
		106 |       "efs:DescribeBackups",
		107 |       "efs:CreateTags",
		108 |       "efs:UntagResource",
		109 |       "efs:TagResource",
		110 |       "efs:DescribeTags",
		111 |       "elasticfilesystem:Backup",
		112 |       "elasticfilesystem:DescribeTags",
		113 |       "elasticfilesystem:CreateAccessPoint",
		114 |       "elasticfilesystem:CreateFileSystem",
		115 |       "elasticfilesystem:CreateMountTarget",
		116 |       "elasticfilesystem:DeleteAccessPoint",
		117 |       "elasticfilesystem:DeleteFileSystem",
		118 |       "elasticfilesystem:DeleteMountTarget",
		119 |       "elasticfilesystem:DescribeAccessPoints",
		120 |       "elasticfilesystem:DescribeFileSystemPolicy",
		121 |       "elasticfilesystem:DescribeFileSystems",
		122 |       "elasticfilesystem:DescribeLifecycleConfiguration",
		123 |       "elasticfilesystem:DescribeMountTargets",
		124 |       "elasticfilesystem:DescribeMountTargetSecurityGroups",
		125 |       "elasticfilesystem:PutBackupPolicy",
		126 |       "elasticfilesystem:PutFileSystemPolicy",
		127 |       "elasticfilesystem:PutLifecycleConfiguration",
		128 |       "elasticfilesystem:Restore",
		129 |       "elasticfilesystem:TagResource",
		130 |       "elasticfilesystem:UntagResource",
		131 |       "elasticfilesystem:UpdateFileSystem"
		132 |     ]
		133 |   }
		134 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.efs_backup_policy
	File: /ldap_backups.tf:97-134

		97  | data "aws_iam_policy_document" "efs_backup_policy" {
		98  |   statement {
		99  |     effect    = "Allow"
		100 |     resources = ["*"]
		101 | 
		102 |     actions = [
		103 |       "efs:DescribeFileSystems",
		104 |       "efs:CreateBackup",
		105 |       "efs:DeleteBackup",
		106 |       "efs:DescribeBackups",
		107 |       "efs:CreateTags",
		108 |       "efs:UntagResource",
		109 |       "efs:TagResource",
		110 |       "efs:DescribeTags",
		111 |       "elasticfilesystem:Backup",
		112 |       "elasticfilesystem:DescribeTags",
		113 |       "elasticfilesystem:CreateAccessPoint",
		114 |       "elasticfilesystem:CreateFileSystem",
		115 |       "elasticfilesystem:CreateMountTarget",
		116 |       "elasticfilesystem:DeleteAccessPoint",
		117 |       "elasticfilesystem:DeleteFileSystem",
		118 |       "elasticfilesystem:DeleteMountTarget",
		119 |       "elasticfilesystem:DescribeAccessPoints",
		120 |       "elasticfilesystem:DescribeFileSystemPolicy",
		121 |       "elasticfilesystem:DescribeFileSystems",
		122 |       "elasticfilesystem:DescribeLifecycleConfiguration",
		123 |       "elasticfilesystem:DescribeMountTargets",
		124 |       "elasticfilesystem:DescribeMountTargetSecurityGroups",
		125 |       "elasticfilesystem:PutBackupPolicy",
		126 |       "elasticfilesystem:PutFileSystemPolicy",
		127 |       "elasticfilesystem:PutLifecycleConfiguration",
		128 |       "elasticfilesystem:Restore",
		129 |       "elasticfilesystem:TagResource",
		130 |       "elasticfilesystem:UntagResource",
		131 |       "elasticfilesystem:UpdateFileSystem"
		132 |     ]
		133 |   }
		134 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3_bucket_ldap_data_refresh
	File: /ldap_datasync.tf:96-110
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision.html

		96  | module "s3_bucket_ldap_data_refresh" {
		97  |   source              = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0"
		98  |   bucket_name         = "${var.env_name}-ldap-data-refresh-incoming"
		99  |   versioning_enabled  = false
		100 |   ownership_controls  = "BucketOwnerEnforced"
		101 |   replication_enabled = false
		102 |   custom_kms_key      = var.account_config.general_shared_kms_key_arn
		103 |   bucket_policy_v2    = local.ldap_refresh_bucket_policies
		104 | 
		105 |   providers = {
		106 |     aws.bucket-replication = aws.bucket-replication
		107 |   }
		108 | 
		109 |   tags = local.tags
		110 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.ldap_datasync_role_access
	File: /ldap_datasync.tf:48-67
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint.html

		48 | data "aws_iam_policy_document" "ldap_datasync_role_access" {
		49 |   statement {
		50 |     effect = "Allow"
		51 |     actions = [
		52 |       "backup:*",
		53 |       "datasync:*",
		54 |       "elasticfilesystem:*",
		55 |     ]
		56 |     resources = ["*"]
		57 |   }
		58 |   statement {
		59 |     sid     = "allowAccessForDataSync"
		60 |     effect  = "Allow"
		61 |     actions = ["s3:*"]
		62 |     resources = [
		63 |       "${module.s3_bucket_ldap_data_refresh.bucket.arn}",
		64 |       "${module.s3_bucket_ldap_data_refresh.bucket.arn}/*",
		65 |     ]
		66 |   }
		67 | }

Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy_document.ldap_datasync_role_access
	File: /ldap_datasync.tf:48-67
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint.html

		48 | data "aws_iam_policy_document" "ldap_datasync_role_access" {
		49 |   statement {
		50 |     effect = "Allow"
		51 |     actions = [
		52 |       "backup:*",
		53 |       "datasync:*",
		54 |       "elasticfilesystem:*",
		55 |     ]
		56 |     resources = ["*"]
		57 |   }
		58 |   statement {
		59 |     sid     = "allowAccessForDataSync"
		60 |     effect  = "Allow"
		61 |     actions = ["s3:*"]
		62 |     resources = [
		63 |       "${module.s3_bucket_ldap_data_refresh.bucket.arn}",
		64 |       "${module.s3_bucket_ldap_data_refresh.bucket.arn}/*",
		65 |     ]
		66 |   }
		67 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.ldap_datasync_role_access
	File: /ldap_datasync.tf:48-67

		48 | data "aws_iam_policy_document" "ldap_datasync_role_access" {
		49 |   statement {
		50 |     effect = "Allow"
		51 |     actions = [
		52 |       "backup:*",
		53 |       "datasync:*",
		54 |       "elasticfilesystem:*",
		55 |     ]
		56 |     resources = ["*"]
		57 |   }
		58 |   statement {
		59 |     sid     = "allowAccessForDataSync"
		60 |     effect  = "Allow"
		61 |     actions = ["s3:*"]
		62 |     resources = [
		63 |       "${module.s3_bucket_ldap_data_refresh.bucket.arn}",
		64 |       "${module.s3_bucket_ldap_data_refresh.bucket.arn}/*",
		65 |     ]
		66 |   }
		67 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3_bucket_ldap_deployment
	File: /ldap_ecs.tf:33-71
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision.html

		33 | module "s3_bucket_ldap_deployment" {
		34 | 
		35 |   source = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0"
		36 | 
		37 |   providers = {
		38 |     aws.bucket-replication = aws.bucket-replication
		39 |   }
		40 |   bucket_prefix      = "${var.env_name}-ldap-deployment-"
		41 |   versioning_enabled = true
		42 | 
		43 |   lifecycle_rule = [
		44 |     {
		45 |       id      = "main"
		46 |       enabled = "Enabled"
		47 |       prefix  = ""
		48 | 
		49 |       tags = {
		50 |         rule      = "log"
		51 |         autoclean = "true"
		52 |       }
		53 | 
		54 |       noncurrent_version_transition = [
		55 |         {
		56 |           days          = 90
		57 |           storage_class = "STANDARD_IA"
		58 |           }, {
		59 |           days          = 365
		60 |           storage_class = "GLACIER"
		61 |         }
		62 |       ]
		63 | 
		64 |       noncurrent_version_expiration = {
		65 |         days = 730
		66 |       }
		67 |     }
		68 |   ]
		69 | 
		70 |   tags = local.tags
		71 | }

Check: CKV_AWS_23: "Ensure every security groups rule has a description"
	FAILED for resource: aws_security_group_rule.efs_ingress_ldap
	File: /ldap_ecs.tf:113-120
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html

		113 | resource "aws_security_group_rule" "efs_ingress_ldap" {
		114 |   type                     = "ingress"
		115 |   from_port                = 2049
		116 |   to_port                  = 2049
		117 |   protocol                 = "tcp"
		118 |   source_security_group_id = aws_security_group.ldap_efs.id
		119 |   security_group_id        = aws_security_group.ldap.id
		120 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.ldap
	File: /ldap_ecs.tf:122-125

		122 | resource "aws_cloudwatch_log_group" "ldap" {
		123 |   name              = "${var.env_name}-ldap-ecs"
		124 |   retention_in_days = 30
		125 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.ldap
	File: /ldap_ecs.tf:122-125
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html

		122 | resource "aws_cloudwatch_log_group" "ldap" {
		123 |   name              = "${var.env_name}-ldap-ecs"
		124 |   retention_in_days = 30
		125 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.ldap_test
	File: /ldap_ecs.tf:271-274

		271 | resource "aws_cloudwatch_log_group" "ldap_test" {
		272 |   name              = "/ecs/ldap_${var.env_name}"
		273 |   retention_in_days = 5
		274 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.ldap_test
	File: /ldap_ecs.tf:271-274
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html

		271 | resource "aws_cloudwatch_log_group" "ldap_test" {
		272 |   name              = "/ecs/ldap_${var.env_name}"
		273 |   retention_in_days = 5
		274 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.ecs_service_policy
	File: /ldap_ecs.tf:167-182
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint.html

		167 | data "aws_iam_policy_document" "ecs_service_policy" {
		168 |   statement {
		169 |     effect    = "Allow"
		170 |     resources = ["*"]
		171 | 
		172 |     actions = [
		173 |       "elasticloadbalancing:Describe*",
		174 |       "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
		175 |       "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
		176 |       "ec2:Describe*",
		177 |       "ec2:AuthorizeSecurityGroupIngress",
		178 |       "elasticloadbalancing:RegisterTargets",
		179 |       "elasticloadbalancing:DeregisterTargets"
		180 |     ]
		181 |   }
		182 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.ecs_service_policy
	File: /ldap_ecs.tf:167-182

		167 | data "aws_iam_policy_document" "ecs_service_policy" {
		168 |   statement {
		169 |     effect    = "Allow"
		170 |     resources = ["*"]
		171 | 
		172 |     actions = [
		173 |       "elasticloadbalancing:Describe*",
		174 |       "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
		175 |       "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
		176 |       "ec2:Describe*",
		177 |       "ec2:AuthorizeSecurityGroupIngress",
		178 |       "elasticloadbalancing:RegisterTargets",
		179 |       "elasticloadbalancing:DeregisterTargets"
		180 |     ]
		181 |   }
		182 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.ecs_exec
	File: /ldap_ecs.tf:245-262
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint.html

		245 | data "aws_iam_policy_document" "ecs_exec" {
		246 |   statement {
		247 |     effect    = "Allow"
		248 |     resources = ["*"]
		249 | 
		250 |     actions = [
		251 |       "ssm:GetParameters",
		252 |       "ecr:GetAuthorizationToken",
		253 |       "ecr:BatchCheckLayerAvailability",
		254 |       "ecr:GetDownloadUrlForLayer",
		255 |       "ecr:BatchGetImage",
		256 |       "logs:CreateLogGroup",
		257 |       "logs:CreateLogStream",
		258 |       "logs:PutLogEvents",
		259 |       "secretsmanager:GetSecretValue"
		260 |     ]
		261 |   }
		262 | }

Check: CKV_AWS_108: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_policy_document.ecs_exec
	File: /ldap_ecs.tf:245-262
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-data-exfiltration.html

		245 | data "aws_iam_policy_document" "ecs_exec" {
		246 |   statement {
		247 |     effect    = "Allow"
		248 |     resources = ["*"]
		249 | 
		250 |     actions = [
		251 |       "ssm:GetParameters",
		252 |       "ecr:GetAuthorizationToken",
		253 |       "ecr:BatchCheckLayerAvailability",
		254 |       "ecr:GetDownloadUrlForLayer",
		255 |       "ecr:BatchGetImage",
		256 |       "logs:CreateLogGroup",
		257 |       "logs:CreateLogStream",
		258 |       "logs:PutLogEvents",
		259 |       "secretsmanager:GetSecretValue"
		260 |     ]
		261 |   }
		262 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.ecs_exec
	File: /ldap_ecs.tf:245-262

		245 | data "aws_iam_policy_document" "ecs_exec" {
		246 |   statement {
		247 |     effect    = "Allow"
		248 |     resources = ["*"]
		249 | 
		250 |     actions = [
		251 |       "ssm:GetParameters",
		252 |       "ecr:GetAuthorizationToken",
		253 |       "ecr:BatchCheckLayerAvailability",
		254 |       "ecr:GetDownloadUrlForLayer",
		255 |       "ecr:BatchGetImage",
		256 |       "logs:CreateLogGroup",
		257 |       "logs:CreateLogStream",
		258 |       "logs:PutLogEvents",
		259 |       "secretsmanager:GetSecretValue"
		260 |     ]
		261 |   }
		262 | }

Check: CKV_AWS_329: "EFS access points should enforce a root directory"
	FAILED for resource: aws_efs_access_point.ldap
	File: /ldap_efs.tf:24-35

		24 | resource "aws_efs_access_point" "ldap" {
		25 |   file_system_id = aws_efs_file_system.ldap.id
		26 |   root_directory {
		27 |     path = "/"
		28 |   }
		29 |   tags = merge(
		30 |     local.tags,
		31 |     {
		32 |       Name = "${var.env_name}-ldap-efs-access-point"
		33 |     }
		34 |   )
		35 | }

Check: CKV_AWS_330: "EFS access points should enforce a user identity"
	FAILED for resource: aws_efs_access_point.ldap
	File: /ldap_efs.tf:24-35

		24 | resource "aws_efs_access_point" "ldap" {
		25 |   file_system_id = aws_efs_file_system.ldap.id
		26 |   root_directory {
		27 |     path = "/"
		28 |   }
		29 |   tags = merge(
		30 |     local.tags,
		31 |     {
		32 |       Name = "${var.env_name}-ldap-efs-access-point"
		33 |     }
		34 |   )
		35 | }

Check: CKV_AWS_23: "Ensure every security groups rule has a description"
	FAILED for resource: aws_security_group_rule.efs_ingress
	File: /ldap_efs.tf:55-62
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html

		55 | resource "aws_security_group_rule" "efs_ingress" {
		56 |   type                     = "ingress"
		57 |   from_port                = 2049
		58 |   to_port                  = 2049
		59 |   protocol                 = "tcp"
		60 |   source_security_group_id = aws_security_group.ldap.id
		61 |   security_group_id        = aws_security_group.ldap_efs.id
		62 | }

Check: CKV_AWS_23: "Ensure every security groups rule has a description"
	FAILED for resource: aws_security_group_rule.efs_egress
	File: /ldap_efs.tf:64-71
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html

		64 | resource "aws_security_group_rule" "efs_egress" {
		65 |   type              = "egress"
		66 |   from_port         = 0
		67 |   to_port           = 0
		68 |   protocol          = "all"
		69 |   cidr_blocks       = [var.account_config.shared_vpc_cidr]
		70 |   security_group_id = aws_security_group.ldap_efs.id
		71 | }

Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
	FAILED for resource: aws_lb.ldap
	File: /ldap_nlb.tf:14-23
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22.html

		14 | resource "aws_lb" "ldap" {
		15 |   name                       = local.ldap_nlb_name
		16 |   internal                   = true
		17 |   load_balancer_type         = "network"
		18 |   subnets                    = var.account_config.private_subnet_ids
		19 |   drop_invalid_header_fields = true
		20 |   enable_deletion_protection = false
		21 | 
		22 |   tags = local.ldap_nlb_tags
		23 | }

Check: CKV_AWS_152: "Ensure that Load Balancer (Network/Gateway) has cross-zone load balancing enabled"
	FAILED for resource: aws_lb.ldap
	File: /ldap_nlb.tf:14-23
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-load-balancer-networkgateway-has-cross-zone-load-balancing-enabled.html

		14 | resource "aws_lb" "ldap" {
		15 |   name                       = local.ldap_nlb_name
		16 |   internal                   = true
		17 |   load_balancer_type         = "network"
		18 |   subnets                    = var.account_config.private_subnet_ids
		19 |   drop_invalid_header_fields = true
		20 |   enable_deletion_protection = false
		21 | 
		22 |   tags = local.ldap_nlb_tags
		23 | }

Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
	FAILED for resource: aws_lb.ldap
	File: /ldap_nlb.tf:14-23
	Guide: https://docs.bridgecrew.io/docs/bc_aws_networking_62

		14 | resource "aws_lb" "ldap" {
		15 |   name                       = local.ldap_nlb_name
		16 |   internal                   = true
		17 |   load_balancer_type         = "network"
		18 |   subnets                    = var.account_config.private_subnet_ids
		19 |   drop_invalid_header_fields = true
		20 |   enable_deletion_protection = false
		21 | 
		22 |   tags = local.ldap_nlb_tags
		23 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.delius_core_ldap_credential
	File: /ldap_params.tf:2-4
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms.html

		2 | resource "aws_secretsmanager_secret" "delius_core_ldap_credential" {
		3 |   name = "${var.account_info.application_name}-${var.env_name}-openldap-bind-password"
		4 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_ldap_host
	File: /ldap_params.tf:20-30

		20 | resource "aws_ssm_parameter" "delius_core_ldap_host" {
		21 |   name  = format("/%s-%s/LDAP_HOST", var.account_info.application_name, var.env_name)
		22 |   type  = "SecureString"
		23 |   value = "INITIAL_VALUE_OVERRIDDEN"
		24 |   lifecycle {
		25 |     ignore_changes = [
		26 |       value
		27 |     ]
		28 |   }
		29 |   tags = local.tags
		30 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_ldap_principal
	File: /ldap_params.tf:32-42

		32 | resource "aws_ssm_parameter" "delius_core_ldap_principal" {
		33 |   name  = format("/%s-%s/LDAP_PRINCIPAL", var.account_info.application_name, var.env_name)
		34 |   type  = "SecureString"
		35 |   value = "INITIAL_VALUE_OVERRIDDEN"
		36 |   lifecycle {
		37 |     ignore_changes = [
		38 |       value
		39 |     ]
		40 |   }
		41 |   tags = local.tags
		42 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3_bucket_migration
	File: /ldap_s3.tf:1-91
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision.html

		Code lines for this resource are too many. Please use IDE of your choice to review the file.

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3_bucket_app_deployment
	File: /ldap_s3.tf:94-133
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision.html

		94  | module "s3_bucket_app_deployment" {
		95  | 
		96  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0"
		97  | 
		98  |   bucket_name        = "${var.app_name}-${var.env_name}-openldap-deployment"
		99  |   versioning_enabled = true
		100 | 
		101 |   providers = {
		102 |     aws.bucket-replication = aws.bucket-replication
		103 |   }
		104 | 
		105 |   lifecycle_rule = [
		106 |     {
		107 |       id      = "main"
		108 |       enabled = "Enabled"
		109 |       prefix  = ""
		110 | 
		111 |       tags = {
		112 |         rule      = "log"
		113 |         autoclean = "true"
		114 |       }
		115 | 
		116 |       noncurrent_version_transition = [
		117 |         {
		118 |           days          = 90
		119 |           storage_class = "STANDARD_IA"
		120 |           }, {
		121 |           days          = 365
		122 |           storage_class = "GLACIER"
		123 |         }
		124 |       ]
		125 | 
		126 |       noncurrent_version_expiration = {
		127 |         days = 730
		128 |       }
		129 |     }
		130 |   ]
		131 | 
		132 |   tags = local.tags
		133 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.ldap_bind_password
	File: /ssm.tf:17-28

		17 | resource "aws_ssm_parameter" "ldap_bind_password" {
		18 |   name  = format("/%s-%s/LDAP_BIND_PASSWORD", var.account_info.application_name, var.env_name)
		19 |   type  = "SecureString"
		20 |   value = "INITIAL_VALUE_OVERRIDDEN"
		21 |   lifecycle {
		22 |     ignore_changes = [
		23 |       value
		24 |     ]
		25 |   }
		26 |   tags = local.tags
		27 | 
		28 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.ldap_admin_password
	File: /ssm.tf:30-41

		30 | resource "aws_ssm_parameter" "ldap_admin_password" {
		31 |   name  = format("/%s-%s/LDAP_ADMIN_PASSWORD", var.account_info.application_name, var.env_name)
		32 |   type  = "SecureString"
		33 |   value = "INITIAL_VALUE_OVERRIDDEN"
		34 |   lifecycle {
		35 |     ignore_changes = [
		36 |       value
		37 |     ]
		38 |   }
		39 |   tags = local.tags
		40 | 
		41 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.oasys_user
	File: /ssm.tf:43-54

		43 | resource "aws_ssm_parameter" "oasys_user" {
		44 |   name  = format("/%s-%s/oasys_user", var.account_info.application_name, var.env_name)
		45 |   type  = "SecureString"
		46 |   value = "INITIAL_VALUE_OVERRIDDEN"
		47 |   lifecycle {
		48 |     ignore_changes = [
		49 |       value
		50 |     ]
		51 |   }
		52 |   tags = local.tags
		53 | 
		54 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.oasys_password
	File: /ssm.tf:56-67

		56 | resource "aws_ssm_parameter" "oasys_password" {
		57 |   name  = format("/%s-%s/oasys_password", var.account_info.application_name, var.env_name)
		58 |   type  = "SecureString"
		59 |   value = "INITIAL_VALUE_OVERRIDDEN"
		60 |   lifecycle {
		61 |     ignore_changes = [
		62 |       value
		63 |     ]
		64 |   }
		65 |   tags = local.tags
		66 | 
		67 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.iaps_user
	File: /ssm.tf:69-80

		69 | resource "aws_ssm_parameter" "iaps_user" {
		70 |   name  = format("/%s-%s/iaps_user", var.account_info.application_name, var.env_name)
		71 |   type  = "SecureString"
		72 |   value = "INITIAL_VALUE_OVERRIDDEN"
		73 |   lifecycle {
		74 |     ignore_changes = [
		75 |       value
		76 |     ]
		77 |   }
		78 |   tags = local.tags
		79 | 
		80 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.iaps_user_password
	File: /ssm.tf:82-93

		82 | resource "aws_ssm_parameter" "iaps_user_password" {
		83 |   name  = format("/%s-%s/iaps_user_password", var.account_info.application_name, var.env_name)
		84 |   type  = "SecureString"
		85 |   value = "INITIAL_VALUE_OVERRIDDEN"
		86 |   lifecycle {
		87 |     ignore_changes = [
		88 |       value
		89 |     ]
		90 |   }
		91 |   tags = local.tags
		92 | 
		93 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.dss_user
	File: /ssm.tf:95-106

		95  | resource "aws_ssm_parameter" "dss_user" {
		96  |   name  = format("/%s-%s/dss_user", var.account_info.application_name, var.env_name)
		97  |   type  = "SecureString"
		98  |   value = "INITIAL_VALUE_OVERRIDDEN"
		99  |   lifecycle {
		100 |     ignore_changes = [
		101 |       value
		102 |     ]
		103 |   }
		104 |   tags = local.tags
		105 | 
		106 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.dss_user_password
	File: /ssm.tf:108-119

		108 | resource "aws_ssm_parameter" "dss_user_password" {
		109 |   name  = format("/%s-%s/dss_user_password", var.account_info.application_name, var.env_name)
		110 |   type  = "SecureString"
		111 |   value = "INITIAL_VALUE_OVERRIDDEN"
		112 |   lifecycle {
		113 |     ignore_changes = [
		114 |       value
		115 |     ]
		116 |   }
		117 |   tags = local.tags
		118 | 
		119 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.casenotes_user
	File: /ssm.tf:121-132

		121 | resource "aws_ssm_parameter" "casenotes_user" {
		122 |   name  = format("/%s-%s/casenotes_user", var.account_info.application_name, var.env_name)
		123 |   type  = "SecureString"
		124 |   value = "INITIAL_VALUE_OVERRIDDEN"
		125 |   lifecycle {
		126 |     ignore_changes = [
		127 |       value
		128 |     ]
		129 |   }
		130 |   tags = local.tags
		131 | 
		132 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.casenotes_user_password
	File: /ssm.tf:134-144

		134 | resource "aws_ssm_parameter" "casenotes_user_password" {
		135 |   name  = format("/%s-%s/casenotes_user_password", var.account_info.application_name, var.env_name)
		136 |   type  = "SecureString"
		137 |   value = "INITIAL_VALUE_OVERRIDDEN"
		138 |   lifecycle {
		139 |     ignore_changes = [
		140 |       value
		141 |     ]
		142 |   }
		143 |   tags = local.tags
		144 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.test_user_password
	File: /ssm.tf:146-157

		146 | resource "aws_ssm_parameter" "test_user_password" {
		147 |   name  = format("/%s-%s/test_user_password", var.account_info.application_name, var.env_name)
		148 |   type  = "SecureString"
		149 |   value = "INITIAL_VALUE_OVERRIDDEN"
		150 |   lifecycle {
		151 |     ignore_changes = [
		152 |       value
		153 |     ]
		154 |   }
		155 | 
		156 |   tags = local.tags
		157 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_gdpr_api_client_secret
	File: /ssm.tf:159-171

		159 | resource "aws_ssm_parameter" "delius_core_gdpr_api_client_secret" {
		160 |   name  = format("/%s-%s/gdpr/api/client_secret", var.account_info.application_name, var.env_name)
		161 |   type  = "SecureString"
		162 |   value = "INITIAL_VALUE_OVERRIDDEN"
		163 | 
		164 |   lifecycle {
		165 |     ignore_changes = [
		166 |       value
		167 |     ]
		168 |   }
		169 | 
		170 |   tags = local.tags
		171 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_pwm_config_password
	File: /ssm.tf:173-185

		173 | resource "aws_ssm_parameter" "delius_core_pwm_config_password" {
		174 |   name  = format("/%s-%s/pwm/pwm/config_password", var.account_info.application_name, var.env_name)
		175 |   type  = "SecureString"
		176 |   value = "INITIAL_VALUE_OVERRIDDEN"
		177 | 
		178 |   lifecycle {
		179 |     ignore_changes = [
		180 |       value
		181 |     ]
		182 |   }
		183 | 
		184 |   tags = local.tags
		185 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_merge_api_client_secret
	File: /ssm.tf:187-199

		187 | resource "aws_ssm_parameter" "delius_core_merge_api_client_secret" {
		188 |   name  = format("/%s-%s/merge/api/client_secret", var.account_info.application_name, var.env_name)
		189 |   type  = "SecureString"
		190 |   value = "INITIAL_VALUE_OVERRIDDEN"
		191 | 
		192 |   lifecycle {
		193 |     ignore_changes = [
		194 |       value
		195 |     ]
		196 |   }
		197 | 
		198 |   tags = local.tags
		199 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_weblogic_ndelius_domain_umt_client_secret
	File: /ssm.tf:201-213

		201 | resource "aws_ssm_parameter" "delius_core_weblogic_ndelius_domain_umt_client_secret" {
		202 |   name  = format("/%s-%s/weblogic/ndelius-domain/umt_client_secret", var.account_info.application_name, var.env_name)
		203 |   type  = "SecureString"
		204 |   value = "INITIAL_VALUE_OVERRIDDEN"
		205 | 
		206 |   lifecycle {
		207 |     ignore_changes = [
		208 |       value
		209 |     ]
		210 |   }
		211 | 
		212 |   tags = local.tags
		213 | }

Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
	FAILED for resource: aws_lb.delius_core_frontend
	File: /weblogic_alb.tf:39-51
	Guide: https://docs.bridgecrew.io/docs/bc_aws_networking_62

		39 | resource "aws_lb" "delius_core_frontend" {
		40 |   # checkov:skip=CKV_AWS_91
		41 |   # checkov:skip=CKV2_AWS_28
		42 | 
		43 |   name               = "${var.app_name}-${var.env_name}-weblogic-alb"
		44 |   internal           = false
		45 |   load_balancer_type = "application"
		46 |   security_groups    = [aws_security_group.delius_frontend_alb_security_group.id]
		47 |   subnets            = var.account_config.public_subnet_ids
		48 | 
		49 |   enable_deletion_protection = false
		50 |   drop_invalid_header_fields = true
		51 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_frontend_env_var_jdbc_url
	File: /weblogic_params.tf:6-16

		6  | resource "aws_ssm_parameter" "delius_core_frontend_env_var_jdbc_url" {
		7  |   name  = format("/%s-%s/JDBC_URL", var.account_info.application_name, var.env_name)
		8  |   type  = "SecureString"
		9  |   value = format("jdbc:oracle:thin:@//INITIAL_HOSTNAME_OVERRIDEN:INITIAL_PORT_OVERRIDDEN/%s", var.weblogic_config.db_name)
		10 |   tags  = local.tags
		11 |   lifecycle {
		12 |     ignore_changes = [
		13 |       value
		14 |     ]
		15 |   }
		16 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_frontend_env_var_jdbc_password
	File: /weblogic_params.tf:18-28

		18 | resource "aws_ssm_parameter" "delius_core_frontend_env_var_jdbc_password" {
		19 |   name  = format("/%s-%s/JDBC_PASSWORD", var.account_info.application_name, var.env_name)
		20 |   type  = "SecureString"
		21 |   value = "INITIAL_VALUE_OVERRIDDEN"
		22 |   tags  = local.tags
		23 |   lifecycle {
		24 |     ignore_changes = [
		25 |       value
		26 |     ]
		27 |   }
		28 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_frontend_env_var_test_mode
	File: /weblogic_params.tf:30-35

		30 | resource "aws_ssm_parameter" "delius_core_frontend_env_var_test_mode" {
		31 |   name  = format("/%s/%s/TEST_MODE", var.account_info.application_name, var.env_name)
		32 |   type  = "String"
		33 |   value = "true"
		34 |   tags  = local.tags
		35 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_frontend_env_var_dev_username
	File: /weblogic_params.tf:37-47

		37 | resource "aws_ssm_parameter" "delius_core_frontend_env_var_dev_username" {
		38 |   name  = format("/%s/%s/DEV_USERNAME", var.account_info.application_name, var.env_name)
		39 |   type  = "SecureString"
		40 |   value = "INITIAL_VALUE_OVERRIDDEN"
		41 |   lifecycle {
		42 |     ignore_changes = [
		43 |       value
		44 |     ]
		45 |   }
		46 |   tags = local.tags
		47 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_frontend_env_var_dev_password
	File: /weblogic_params.tf:49-59

		49 | resource "aws_ssm_parameter" "delius_core_frontend_env_var_dev_password" {
		50 |   name  = format("/%s/%s/DEV_PASSWORD", var.account_info.application_name, var.env_name)
		51 |   type  = "SecureString"
		52 |   value = "INITIAL_VALUE_OVERRIDDEN"
		53 |   lifecycle {
		54 |     ignore_changes = [
		55 |       value
		56 |     ]
		57 |   }
		58 |   tags = local.tags
		59 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_frontend_env_var_eis_user_context
	File: /weblogic_params.tf:61-71

		61 | resource "aws_ssm_parameter" "delius_core_frontend_env_var_eis_user_context" {
		62 |   name  = format("/%s/%s/EIS_USER_CONTEXT", var.account_info.application_name, var.env_name)
		63 |   type  = "SecureString"
		64 |   value = "INITIAL_VALUE_OVERRIDDEN"
		65 |   lifecycle {
		66 |     ignore_changes = [
		67 |       value
		68 |     ]
		69 |   }
		70 |   tags = local.tags
		71 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_frontend_env_var_user_context
	File: /weblogic_params.tf:73-83

		73 | resource "aws_ssm_parameter" "delius_core_frontend_env_var_user_context" {
		74 |   name  = format("/%s/%s/USER_CONTEXT", var.account_info.application_name, var.env_name)
		75 |   type  = "SecureString"
		76 |   value = "INITIAL_VALUE_OVERRIDDEN"
		77 |   lifecycle {
		78 |     ignore_changes = [
		79 |       value
		80 |     ]
		81 |   }
		82 |   tags = local.tags
		83 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: weblogic_container
	File: /weblogic_service.tf:1-63
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision.html

		Code lines for this resource are too many. Please use IDE of your choice to review the file.

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.delius_core_frontend_log_group
	File: /weblogic_service.tf:199-203

		199 | resource "aws_cloudwatch_log_group" "delius_core_frontend_log_group" {
		200 |   name              = var.weblogic_config.frontend_fully_qualified_name
		201 |   retention_in_days = 7
		202 |   tags              = local.tags
		203 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.delius_core_frontend_log_group
	File: /weblogic_service.tf:199-203
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html

		199 | resource "aws_cloudwatch_log_group" "delius_core_frontend_log_group" {
		200 |   name              = var.weblogic_config.frontend_fully_qualified_name
		201 |   retention_in_days = 7
		202 |   tags              = local.tags
		203 | }

Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
	FAILED for resource: aws_ssm_parameter.delius_core_frontend_env_var_test_mode
	File: /weblogic_params.tf:30-35
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html

		30 | resource "aws_ssm_parameter" "delius_core_frontend_env_var_test_mode" {
		31 |   name  = format("/%s/%s/TEST_MODE", var.account_info.application_name, var.env_name)
		32 |   type  = "String"
		33 |   value = "true"
		34 |   tags  = local.tags
		35 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: module.ebs_volume.aws_ebs_volume.this
	File: /../ebs_volume/main.tf:1-10
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup.html

		1  | resource "aws_ebs_volume" "this" {
		2  |   availability_zone = var.availability_zone
		3  |   type              = var.type
		4  |   iops              = var.iops
		5  |   throughput        = var.throughput
		6  |   size              = var.size
		7  |   encrypted         = true
		8  |   kms_key_id        = var.kms_key_id
		9  |   tags              = var.tags
		10 | }

Check: CKV2_AWS_23: "Route53 A Record has Attached Resource"
	FAILED for resource: aws_route53_record.delius-core-db
	File: /db_service.tf:70-78
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-route53-a-record-has-an-attached-resource.html

		70 | resource "aws_route53_record" "delius-core-db" {
		71 |   count    = var.env_name == "dev" ? 1 : 0
		72 |   provider = aws.core-vpc
		73 |   zone_id  = var.account_config.route53_inner_zone_info.zone_id
		74 |   name     = "${var.app_name}-${var.env_name}-${var.delius_db_container_config.fully_qualified_name}.${var.account_config.route53_inner_zone_info.name}"
		75 |   type     = "A"
		76 |   ttl      = 300
		77 |   records  = ["10.26.26.95"]
		78 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.delius_core_ldap_credential
	File: /ldap_params.tf:2-4

		2 | resource "aws_secretsmanager_secret" "delius_core_ldap_credential" {
		3 |   name = "${var.account_info.application_name}-${var.env_name}-openldap-bind-password"
		4 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.delius_db_security_group
	File: /db_service.tf:80-85
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis.html

		80 | resource "aws_security_group" "delius_db_security_group" {
		81 |   name        = format("%s - Delius Core DB", var.env_name)
		82 |   description = "Rules for the delius testing db ecs service"
		83 |   vpc_id      = var.account_config.shared_vpc_id
		84 |   tags        = local.tags
		85 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.ldap
	File: /ldap_ecs.tf:73-81
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis.html

		73 | resource "aws_security_group" "ldap" {
		74 |   name        = "${var.env_name}-ldap-sg"
		75 |   description = "Security group for the ${var.env_name} ldap service"
		76 |   vpc_id      = var.account_info.vpc_id
		77 |   tags        = local.tags
		78 |   lifecycle {
		79 |     create_before_destroy = true
		80 |   }
		81 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.weblogic_service
	File: /weblogic_service.tf:114-122
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis.html

		114 | resource "aws_security_group" "weblogic_service" {
		115 |   name        = format("%s - Delius Core Weblogic service", var.env_name)
		116 |   description = "Security group for the ${var.env_name} weblogic service"
		117 |   vpc_id      = var.account_info.vpc_id
		118 |   tags        = local.tags
		119 |   lifecycle {
		120 |     create_before_destroy = true
		121 |   }
		122 | }


checkov_exitcode=1

CTFLint Scan Failed

*****************************

Setting default tflint config...
Running tflint --init...
Installing `terraform` plugin...
Installed `terraform` (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.2.1)
tflint will check the following folders:
terraform/environments/delius-core/modules/environment_all_components

*****************************

Running tflint in terraform/environments/delius-core/modules/environment_all_components
Excluding the following checks: terraform_unused_declarations
3 issue(s) found:

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/delius-core/modules/environment_all_components/db_s3.tf line 48:
  48:       "${module.s3_bucket_oracledb_backups.bucket.arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/delius-core/modules/environment_all_components/ldap_datasync.tf line 63:
  63:       "${module.s3_bucket_ldap_data_refresh.bucket.arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/delius-core/modules/environment_all_components/ldap_datasync.tf line 76:
  76:         "${module.s3_bucket_ldap_data_refresh.bucket.arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

tflint_exitcode=2

@jemnery jemnery had a problem deploying to performance-hub-development October 13, 2023 06:43 — with GitHub Actions Failure
@github-actions

TFSEC Scan Failed

*****************************

TFSEC will check the following folders:
terraform/environments/delius-core/modules/environment_all_components

*****************************

Running TFSEC in terraform/environments/delius-core/modules/environment_all_components
Excluding the following checks: AWS095

======================================================
tfsec is joining the Trivy family

tfsec will continue to remain available 
for the time being, although our engineering 
attention will be directed at Trivy going forward.

You can read more here: 
https://github.com/aquasecurity/tfsec/discussions/1994
======================================================

Result #1 CRITICAL Security group rule allows egress to multiple public internet addresses. 
────────────────────────────────────────────────────────────────────────────────
  ldap_ecs.tf:89
────────────────────────────────────────────────────────────────────────────────
   83    resource "aws_security_group_rule" "allow_all_egress" {
   84      description       = "Allow all outbound traffic to any IPv4 address"
   85      type              = "egress"
   86      from_port         = 0
   87      to_port           = 0
   88      protocol          = "-1"
   89  [   cidr_blocks       = ["0.0.0.0/0"]
   90      security_group_id = aws_security_group.ldap.id
   91    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-no-public-egress-sgr
      Impact Your port is egressing data to the internet
  Resolution Set a more restrictive cidr range

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/no-public-egress-sgr/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
────────────────────────────────────────────────────────────────────────────────


Result #2 CRITICAL Security group rule allows egress to multiple public internet addresses. 
────────────────────────────────────────────────────────────────────────────────
  weblogic_service.tf:185
────────────────────────────────────────────────────────────────────────────────
  179    resource "aws_security_group_rule" "weblogic_allow_all_egress" {
  180      description       = "Allow all outbound traffic to any IPv4 address on 443"
  181      type              = "egress"
  182      from_port         = 443
  183      to_port           = 443
  184      protocol          = "tcp"
  185  [   cidr_blocks       = ["0.0.0.0/0"]
  186      security_group_id = aws_security_group.weblogic_service.id
  187    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-no-public-egress-sgr
      Impact Your port is egressing data to the internet
  Resolution Set a more restrictive cidr range

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/no-public-egress-sgr/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
────────────────────────────────────────────────────────────────────────────────


Results #3-5 HIGH IAM policy document uses sensitive action 'ssm:GetParameters' on wildcarded resource '*' (3 similar results)
────────────────────────────────────────────────────────────────────────────────
  ../ecs_policies/main.tf:107
   via ldap_ecs.tf:1-14 (module.ldap_ecs_policies)
────────────────────────────────────────────────────────────────────────────────
  104    data "aws_iam_policy_document" "task_exec" {
  ...  
  107  [     resources = ["*"]
  ...  
  121    }
────────────────────────────────────────────────────────────────────────────────
  Individual Causes
  - ../ecs_policies/main.tf:1-14 (module.ldap_ecs_policies) 3 instances
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Results #6-8 HIGH IAM policy document uses sensitive action 'elasticloadbalancing:Describe*' on wildcarded resource '*' (3 similar results)
────────────────────────────────────────────────────────────────────────────────
  ../ecs_policies/main.tf:46
   via ldap_ecs.tf:1-14 (module.ldap_ecs_policies)
────────────────────────────────────────────────────────────────────────────────
   43    data "aws_iam_policy_document" "service_policy" {
   ..  
   46  [     resources = ["*"]
   ..  
   58    }
────────────────────────────────────────────────────────────────────────────────
  Individual Causes
  - ../ecs_policies/main.tf:1-14 (module.ldap_ecs_policies) 3 instances
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Results #9-14 HIGH IAM policy document uses wildcarded action 'elasticloadbalancing:Describe*' (6 similar results)
────────────────────────────────────────────────────────────────────────────────
  ../ecs_policies/main.tf:48-56
   via ldap_ecs.tf:1-14 (module.ldap_ecs_policies)
────────────────────────────────────────────────────────────────────────────────
   43    data "aws_iam_policy_document" "service_policy" {
   44      statement {
   45        effect    = "Allow"
   46        resources = ["*"]
   47    
   48  ┌     actions = concat([
   49  │       "elasticloadbalancing:Describe*",
   50  │       "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
   51  │       "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
   ..  
────────────────────────────────────────────────────────────────────────────────
  Individual Causes
  - ../ecs_policies/main.tf:1-14 (module.ldap_ecs_policies) 6 instances
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #15 HIGH Instance does not require IMDS access to require a token 
────────────────────────────────────────────────────────────────────────────────
  db_ec2.tf:69
────────────────────────────────────────────────────────────────────────────────
   54    resource "aws_instance" "db_ec2_primary_instance" {
   ..  
   69  [     http_tokens   = "optional" ("optional")
   ..  
   94    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-enforce-http-token-imds
      Impact Instance metadata service can be interacted with freely
  Resolution Enable HTTP token requirement for IMDS

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/enforce-http-token-imds/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance#metadata-options
────────────────────────────────────────────────────────────────────────────────


Results #16-19 HIGH IAM policy document uses wildcarded action 'kms:Encrypt' (4 similar results)
────────────────────────────────────────────────────────────────────────────────
  db_iam.tf:27-36
────────────────────────────────────────────────────────────────────────────────
   24    data "aws_iam_policy_document" "business_unit_kms_key_access" {
   25      statement {
   26        effect = "Allow"
   27  ┌     actions = [
   28  │       "kms:Encrypt",
   29  │       "kms:Decrypt",
   30  │       "kms:ReEncrypt*",
   31  │       "kms:GenerateDataKey*",
   32  │       "kms:DescribeKey",
   ..  
────────────────────────────────────────────────────────────────────────────────
  Individual Causes
  - db_iam.tf:24-41 (data.aws_iam_policy_document.business_unit_kms_key_access) 4 instances
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #20 HIGH IAM policy document uses wildcarded action 's3:*' 
────────────────────────────────────────────────────────────────────────────────
  db_s3.tf:44-46
────────────────────────────────────────────────────────────────────────────────
   40    data "aws_iam_policy_document" "oracledb_backup_bucket_access" {
   41      statement {
   42        sid    = "allowAccessToOracleDbBackupBucket"
   43        effect = "Allow"
   44  ┌     actions = [
   45  │       "s3:*"
   46  └     ]
   47        resources = [
   48          "${module.s3_bucket_oracledb_backups.bucket.arn}",
   ..  
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #21 HIGH IAM policy document uses sensitive action 's3:*' on wildcarded resource 'e2dfbb75-f7a4-45f9-a4b7-762277fb16c5' 
────────────────────────────────────────────────────────────────────────────────
  db_s3.tf:47-50
────────────────────────────────────────────────────────────────────────────────
   40    data "aws_iam_policy_document" "oracledb_backup_bucket_access" {
   41      statement {
   42        sid    = "allowAccessToOracleDbBackupBucket"
   43        effect = "Allow"
   44        actions = [
   45          "s3:*"
   46        ]
   47  ┌     resources = [
   48  │       "${module.s3_bucket_oracledb_backups.bucket.arn}",
   ..  
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #22 HIGH IAM policy document uses sensitive action 'efs:DescribeFileSystems' on wildcarded resource '*' 
────────────────────────────────────────────────────────────────────────────────
  ldap_backups.tf:100
────────────────────────────────────────────────────────────────────────────────
   97    data "aws_iam_policy_document" "efs_backup_policy" {
   ..  
  100  [     resources = ["*"]
  ...  
  134    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #23 HIGH IAM policy document uses sensitive action 'backup:CreateBackupPlan' on wildcarded resource '*' 
────────────────────────────────────────────────────────────────────────────────
  ldap_backups.tf:72
────────────────────────────────────────────────────────────────────────────────
   69    data "aws_iam_policy_document" "delius_core_backup_policy" {
   ..  
   72  [     resources = ["*"]
   ..  
   89    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Results #24-26 HIGH IAM policy document uses wildcarded action 'backup:*' (3 similar results)
────────────────────────────────────────────────────────────────────────────────
  ldap_datasync.tf:51-55
────────────────────────────────────────────────────────────────────────────────
   48    data "aws_iam_policy_document" "ldap_datasync_role_access" {
   ..  
   51  ┌     actions = [
   52  │       "backup:*",
   53  │       "datasync:*",
   54  │       "elasticfilesystem:*",
   55  └     ]
   ..  
   67    }
────────────────────────────────────────────────────────────────────────────────
  Individual Causes
  - ldap_datasync.tf:48-67 (data.aws_iam_policy_document.ldap_datasync_role_access) 3 instances
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #27 HIGH IAM policy document uses sensitive action 'backup:*' on wildcarded resource '*' 
────────────────────────────────────────────────────────────────────────────────
  ldap_datasync.tf:56
────────────────────────────────────────────────────────────────────────────────
   48    data "aws_iam_policy_document" "ldap_datasync_role_access" {
   ..  
   56  [     resources = ["*"]
   ..  
   67    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #28 HIGH IAM policy document uses wildcarded action 's3:*' 
────────────────────────────────────────────────────────────────────────────────
  ldap_datasync.tf:61
────────────────────────────────────────────────────────────────────────────────
   48    data "aws_iam_policy_document" "ldap_datasync_role_access" {
   ..  
   61  [     actions = ["s3:*"]
   ..  
   67    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #29 HIGH IAM policy document uses sensitive action 's3:*' on wildcarded resource '88f934a8-5a14-4871-9686-c767f8feb7c0' 
────────────────────────────────────────────────────────────────────────────────
  ldap_datasync.tf:62-65
────────────────────────────────────────────────────────────────────────────────
   48    data "aws_iam_policy_document" "ldap_datasync_role_access" {
   ..  
   62  ┌     resources = [
   63  │       "${module.s3_bucket_ldap_data_refresh.bucket.arn}",
   64  │       "${module.s3_bucket_ldap_data_refresh.bucket.arn}/*",
   65  └     ]
   ..  
   67    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #30 HIGH IAM policy document uses sensitive action 'elasticloadbalancing:Describe*' on wildcarded resource '*' 
────────────────────────────────────────────────────────────────────────────────
  ldap_ecs.tf:170
────────────────────────────────────────────────────────────────────────────────
  167    data "aws_iam_policy_document" "ecs_service_policy" {
  ...  
  170  [     resources = ["*"]
  ...  
  182    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Results #31-32 HIGH IAM policy document uses wildcarded action 'elasticloadbalancing:Describe*' (2 similar results)
────────────────────────────────────────────────────────────────────────────────
  ldap_ecs.tf:172-180
────────────────────────────────────────────────────────────────────────────────
  167    data "aws_iam_policy_document" "ecs_service_policy" {
  168      statement {
  169        effect    = "Allow"
  170        resources = ["*"]
  171    
  172  ┌     actions = [
  173  │       "elasticloadbalancing:Describe*",
  174  │       "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
  175  │       "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
  ...  
────────────────────────────────────────────────────────────────────────────────
  Individual Causes
  - ldap_ecs.tf:167-182 (data.aws_iam_policy_document.ecs_service_policy) 2 instances
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #33 HIGH IAM policy document uses wildcarded action 's3:*' 
────────────────────────────────────────────────────────────────────────────────
  ldap_ecs.tf:209-211
────────────────────────────────────────────────────────────────────────────────
  204    data "aws_iam_policy_document" "ecs_s3" {
  205      statement {
  206        effect    = "Allow"
  207        resources = [module.s3_bucket_migration.bucket.arn]
  208    
  209  ┌     actions = [
  210  │       "s3:*"
  211  └     ]
  212      }
  213    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #34 HIGH IAM policy document uses sensitive action 'ssm:GetParameters' on wildcarded resource '*' 
────────────────────────────────────────────────────────────────────────────────
  ldap_ecs.tf:248
────────────────────────────────────────────────────────────────────────────────
  245    data "aws_iam_policy_document" "ecs_exec" {
  ...  
  248  [     resources = ["*"]
  ...  
  262    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Results #35-36 MEDIUM Bucket does not have versioning enabled (2 similar results)
────────────────────────────────────────────────────────────────────────────────
  github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0/main.tf:170
   via db_s3.tf:1-38 (module.s3_bucket_oracledb_backups)
────────────────────────────────────────────────────────────────────────────────
  167    resource "aws_s3_bucket_versioning" "default" {
  168      bucket = aws_s3_bucket.default.id
  169      versioning_configuration {
  170  [     status = (var.versioning_enabled != true) ? "Suspended" : "Enabled"
  171      }
  172    }
────────────────────────────────────────────────────────────────────────────────
  Individual Causes
  - github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0/main.tf:1-38 (module.s3_bucket_oracledb_backups)
  - github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0/main.tf:96-110 (module.s3_bucket_ldap_data_refresh)
────────────────────────────────────────────────────────────────────────────────
          ID aws-s3-enable-versioning
      Impact Deleted or modified data would not be recoverable
  Resolution Enable versioning to protect against accidental/malicious removal or modification

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/s3/enable-versioning/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#versioning
────────────────────────────────────────────────────────────────────────────────


Result #37 LOW Log group is not encrypted. 
────────────────────────────────────────────────────────────────────────────────
  db_service.tf:114-118
────────────────────────────────────────────────────────────────────────────────
  114    resource "aws_cloudwatch_log_group" "delius_core_testing_db_log_group" {
  115      name              = format("%s-%s", var.env_name, var.delius_db_container_config.fully_qualified_name)
  116      retention_in_days = 7
  117      tags              = local.tags
  118    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-cloudwatch-log-group-customer-key
      Impact Log data may be leaked if the logs are compromised. No auditing of who have viewed the logs.
  Resolution Enable CMK encryption of CloudWatch Log Groups

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/cloudwatch/log-group-customer-key/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group#kms_key_id
────────────────────────────────────────────────────────────────────────────────


Result #38 LOW Security group rule does not have a description. 
────────────────────────────────────────────────────────────────────────────────
  ldap_ecs.tf:113-120
────────────────────────────────────────────────────────────────────────────────
  113    resource "aws_security_group_rule" "efs_ingress_ldap" {
  114      type                     = "ingress"
  115      from_port                = 2049
  116      to_port                  = 2049
  117      protocol                 = "tcp"
  118      source_security_group_id = aws_security_group.ldap_efs.id
  119      security_group_id        = aws_security_group.ldap.id
  120    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-add-description-to-security-group-rule
      Impact Descriptions provide context for the firewall rule reasons
  Resolution Add descriptions for all security groups rules

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/add-description-to-security-group-rule/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule
────────────────────────────────────────────────────────────────────────────────


Result #39 LOW Log group is not encrypted. 
────────────────────────────────────────────────────────────────────────────────
  ldap_ecs.tf:122-125
────────────────────────────────────────────────────────────────────────────────
  122    resource "aws_cloudwatch_log_group" "ldap" {
  123      name              = "${var.env_name}-ldap-ecs"
  124      retention_in_days = 30
  125    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-cloudwatch-log-group-customer-key
      Impact Log data may be leaked if the logs are compromised. No auditing of who have viewed the logs.
  Resolution Enable CMK encryption of CloudWatch Log Groups

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/cloudwatch/log-group-customer-key/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group#kms_key_id
────────────────────────────────────────────────────────────────────────────────


Result #40 LOW Log group is not encrypted. 
────────────────────────────────────────────────────────────────────────────────
  ldap_ecs.tf:271-274
────────────────────────────────────────────────────────────────────────────────
  271    resource "aws_cloudwatch_log_group" "ldap_test" {
  272      name              = "/ecs/ldap_${var.env_name}"
  273      retention_in_days = 5
  274    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-cloudwatch-log-group-customer-key
      Impact Log data may be leaked if the logs are compromised. No auditing of who have viewed the logs.
  Resolution Enable CMK encryption of CloudWatch Log Groups

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/cloudwatch/log-group-customer-key/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group#kms_key_id
────────────────────────────────────────────────────────────────────────────────


Result #41 LOW Security group rule does not have a description. 
────────────────────────────────────────────────────────────────────────────────
  ldap_efs.tf:55-62
────────────────────────────────────────────────────────────────────────────────
   55    resource "aws_security_group_rule" "efs_ingress" {
   56      type                     = "ingress"
   57      from_port                = 2049
   58      to_port                  = 2049
   59      protocol                 = "tcp"
   60      source_security_group_id = aws_security_group.ldap.id
   61      security_group_id        = aws_security_group.ldap_efs.id
   62    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-add-description-to-security-group-rule
      Impact Descriptions provide context for the firewall rule reasons
  Resolution Add descriptions for all security groups rules

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/add-description-to-security-group-rule/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule
────────────────────────────────────────────────────────────────────────────────


Result #42 LOW Security group rule does not have a description. 
────────────────────────────────────────────────────────────────────────────────
  ldap_efs.tf:64-71
────────────────────────────────────────────────────────────────────────────────
   64    resource "aws_security_group_rule" "efs_egress" {
   65      type              = "egress"
   66      from_port         = 0
   67      to_port           = 0
   68      protocol          = "all"
   69      cidr_blocks       = [var.account_config.shared_vpc_cidr]
   70      security_group_id = aws_security_group.ldap_efs.id
   71    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-add-description-to-security-group-rule
      Impact Descriptions provide context for the firewall rule reasons
  Resolution Add descriptions for all security groups rules

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/add-description-to-security-group-rule/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule
────────────────────────────────────────────────────────────────────────────────


Result #43 LOW Log group is not encrypted. 
────────────────────────────────────────────────────────────────────────────────
  weblogic_service.tf:199-203
────────────────────────────────────────────────────────────────────────────────
  199    resource "aws_cloudwatch_log_group" "delius_core_frontend_log_group" {
  200      name              = var.weblogic_config.frontend_fully_qualified_name
  201      retention_in_days = 7
  202      tags              = local.tags
  203    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-cloudwatch-log-group-customer-key
      Impact Log data may be leaked if the logs are compromised. No auditing of who have viewed the logs.
  Resolution Enable CMK encryption of CloudWatch Log Groups

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/cloudwatch/log-group-customer-key/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group#kms_key_id
────────────────────────────────────────────────────────────────────────────────


  timings
  ──────────────────────────────────────────
  disk i/o             1.801508ms
  parsing              1.676810304s
  adaptation           25.612565ms
  checks               11.127529ms
  total                1.715351906s

  counts
  ──────────────────────────────────────────
  modules downloaded   4
  modules processed    14
  blocks processed     649
  files read           74

  results
  ──────────────────────────────────────────
  passed               223
  ignored              20
  critical             2
  high                 32
  medium               2
  low                  7

  223 passed, 20 ignored, 43 potential problem(s) detected.

tfsec_exitcode=1

Checkov Scan Failed

*****************************

Checkov will check the following folders:
terraform/environments/delius-core/modules/environment_all_components

*****************************

Running Checkov in terraform/environments/delius-core/modules/environment_all_components
2023-10-13 06:44:01,808 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0:None (for external modules, the --download-external-modules flag is required)
2023-10-13 06:44:01,808 [MainThread  ] [WARNI]  Failed to download module git::https://github.com/cloudposse/terraform-aws-ecs-container-definition.git?ref=tags/0.59.0:None (for external modules, the --download-external-modules flag is required)
2023-10-13 06:44:01,808 [MainThread  ] [WARNI]  Failed to download module git::https://github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//service?ref=c195026bcf0a1958fa4d3cc2efefc56ed876507e:None (for external modules, the --download-external-modules flag is required)
2023-10-13 06:44:01,809 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//cluster?ref=c195026bcf0a1958fa4d3cc2efefc56ed876507e:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 643, Failed checks: 77, Skipped checks: 4

Check: CKV_AWS_108: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: module.db_ecs_policies.aws_iam_policy_document.task_exec
	File: /../ecs_policies/main.tf:104-121
	Calling File: /db_service.tf:27-33
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-data-exfiltration.html

		104 | data "aws_iam_policy_document" "task_exec" {
		105 |   statement {
		106 |     effect    = "Allow"
		107 |     resources = ["*"]
		108 | 
		109 |     actions = concat([
		110 |       "ssm:GetParameters",
		111 |       "ecr:GetAuthorizationToken",
		112 |       "ecr:BatchCheckLayerAvailability",
		113 |       "ecr:GetDownloadUrlForLayer",
		114 |       "ecr:BatchGetImage",
		115 |       "logs:CreateLogGroup",
		116 |       "logs:CreateLogStream",
		117 |       "logs:PutLogEvents",
		118 |       "secretsmanager:GetSecretValue"
		119 |     ], var.extra_exec_role_allow_statements)
		120 |   }
		121 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.db_ecs_policies.aws_iam_policy_document.task_exec
	File: /../ecs_policies/main.tf:104-121
	Calling File: /db_service.tf:27-33

		104 | data "aws_iam_policy_document" "task_exec" {
		105 |   statement {
		106 |     effect    = "Allow"
		107 |     resources = ["*"]
		108 | 
		109 |     actions = concat([
		110 |       "ssm:GetParameters",
		111 |       "ecr:GetAuthorizationToken",
		112 |       "ecr:BatchCheckLayerAvailability",
		113 |       "ecr:GetDownloadUrlForLayer",
		114 |       "ecr:BatchGetImage",
		115 |       "logs:CreateLogGroup",
		116 |       "logs:CreateLogStream",
		117 |       "logs:PutLogEvents",
		118 |       "secretsmanager:GetSecretValue"
		119 |     ], var.extra_exec_role_allow_statements)
		120 |   }
		121 | }

Check: CKV_AWS_108: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: module.ldap_ecs_policies.aws_iam_policy_document.task_exec
	File: /../ecs_policies/main.tf:104-121
	Calling File: /ldap_ecs.tf:1-14
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-data-exfiltration.html

		104 | data "aws_iam_policy_document" "task_exec" {
		105 |   statement {
		106 |     effect    = "Allow"
		107 |     resources = ["*"]
		108 | 
		109 |     actions = concat([
		110 |       "ssm:GetParameters",
		111 |       "ecr:GetAuthorizationToken",
		112 |       "ecr:BatchCheckLayerAvailability",
		113 |       "ecr:GetDownloadUrlForLayer",
		114 |       "ecr:BatchGetImage",
		115 |       "logs:CreateLogGroup",
		116 |       "logs:CreateLogStream",
		117 |       "logs:PutLogEvents",
		118 |       "secretsmanager:GetSecretValue"
		119 |     ], var.extra_exec_role_allow_statements)
		120 |   }
		121 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.ldap_ecs_policies.aws_iam_policy_document.task_exec
	File: /../ecs_policies/main.tf:104-121
	Calling File: /ldap_ecs.tf:1-14

		104 | data "aws_iam_policy_document" "task_exec" {
		105 |   statement {
		106 |     effect    = "Allow"
		107 |     resources = ["*"]
		108 | 
		109 |     actions = concat([
		110 |       "ssm:GetParameters",
		111 |       "ecr:GetAuthorizationToken",
		112 |       "ecr:BatchCheckLayerAvailability",
		113 |       "ecr:GetDownloadUrlForLayer",
		114 |       "ecr:BatchGetImage",
		115 |       "logs:CreateLogGroup",
		116 |       "logs:CreateLogStream",
		117 |       "logs:PutLogEvents",
		118 |       "secretsmanager:GetSecretValue"
		119 |     ], var.extra_exec_role_allow_statements)
		120 |   }
		121 | }

Check: CKV_AWS_108: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: module.weblogic_ecs_policies.aws_iam_policy_document.task_exec
	File: /../ecs_policies/main.tf:104-121
	Calling File: /weblogic_service.tf:65-70
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-data-exfiltration.html

		104 | data "aws_iam_policy_document" "task_exec" {
		105 |   statement {
		106 |     effect    = "Allow"
		107 |     resources = ["*"]
		108 | 
		109 |     actions = concat([
		110 |       "ssm:GetParameters",
		111 |       "ecr:GetAuthorizationToken",
		112 |       "ecr:BatchCheckLayerAvailability",
		113 |       "ecr:GetDownloadUrlForLayer",
		114 |       "ecr:BatchGetImage",
		115 |       "logs:CreateLogGroup",
		116 |       "logs:CreateLogStream",
		117 |       "logs:PutLogEvents",
		118 |       "secretsmanager:GetSecretValue"
		119 |     ], var.extra_exec_role_allow_statements)
		120 |   }
		121 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.weblogic_ecs_policies.aws_iam_policy_document.task_exec
	File: /../ecs_policies/main.tf:104-121
	Calling File: /weblogic_service.tf:65-70

		104 | data "aws_iam_policy_document" "task_exec" {
		105 |   statement {
		106 |     effect    = "Allow"
		107 |     resources = ["*"]
		108 | 
		109 |     actions = concat([
		110 |       "ssm:GetParameters",
		111 |       "ecr:GetAuthorizationToken",
		112 |       "ecr:BatchCheckLayerAvailability",
		113 |       "ecr:GetDownloadUrlForLayer",
		114 |       "ecr:BatchGetImage",
		115 |       "logs:CreateLogGroup",
		116 |       "logs:CreateLogStream",
		117 |       "logs:PutLogEvents",
		118 |       "secretsmanager:GetSecretValue"
		119 |     ], var.extra_exec_role_allow_statements)
		120 |   }
		121 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.db_ec2_primary_instance
	File: /db_ec2.tf:54-94
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html

		54 | resource "aws_instance" "db_ec2_primary_instance" {
		55 |   #checkov:skip=CKV2_AWS_41:"IAM role is not implemented for this example EC2. SSH/AWS keys are not used either."
		56 |   instance_type               = var.db_config.instance.instance_type
		57 |   ami                         = data.aws_ami.oracle_db_ami.id
		58 |   vpc_security_group_ids      = [aws_security_group.db_ec2_instance_sg.id]
		59 |   subnet_id                   = var.account_config.data_subnet_a_id
		60 |   iam_instance_profile        = aws_iam_instance_profile.db_ec2_instanceprofile.name
		61 |   associate_public_ip_address = false
		62 |   monitoring                  = var.db_config.instance.monitoring
		63 |   ebs_optimized               = true
		64 |   key_name                    = aws_key_pair.environment_ec2_user_key_pair.key_name
		65 |   user_data_base64            = var.db_config.user_data_raw
		66 | 
		67 |   metadata_options {
		68 |     http_endpoint = "enabled"
		69 |     http_tokens   = "optional"
		70 |   }
		71 | 
		72 |   root_block_device {
		73 |     volume_type = var.db_config.ebs_volumes.root_volume.volume_type
		74 |     volume_size = var.db_config.ebs_volumes.root_volume.volume_size
		75 |     iops        = var.db_config.ebs_volumes.iops
		76 |     throughput  = var.db_config.ebs_volumes.throughput
		77 |     encrypted   = true
		78 |     kms_key_id  = var.db_config.ebs_volumes.kms_key_id
		79 |     tags        = local.tags
		80 |   }
		81 | 
		82 |   dynamic "ephemeral_block_device" {
		83 |     for_each = { for k, v in var.db_config.ebs_volumes.ebs_non_root_volumes : k => v if v.no_device == true }
		84 |     content {
		85 |       device_name = ephemeral_block_device.key
		86 |       no_device   = true
		87 |     }
		88 |   }
		89 |   tags = merge(local.tags,
		90 |     { Name = lower(format("%s-%s-1", var.env_name, var.db_config.name)) },
		91 |     { server-type = "delius_core_db" },
		92 |     { database = "delius_primarydb" }
		93 |   )
		94 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3_bucket_oracledb_backups
	File: /db_s3.tf:1-38
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision.html

		1  | module "s3_bucket_oracledb_backups" {
		2  |   source              = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0"
		3  |   bucket_name         = "${var.env_name}-oracle-database-backups"
		4  |   versioning_enabled  = false
		5  |   ownership_controls  = "BucketOwnerEnforced"
		6  |   replication_enabled = false
		7  |   custom_kms_key      = var.account_config.general_shared_kms_key_arn
		8  | 
		9  |   providers = {
		10 |     aws.bucket-replication = aws.bucket-replication
		11 |   }
		12 | 
		13 |   lifecycle_rule = [
		14 |     {
		15 |       id      = "main"
		16 |       enabled = "Enabled"
		17 |       prefix  = ""
		18 | 
		19 |       tags = {
		20 |         rule      = "log"
		21 |         autoclean = "true"
		22 |       }
		23 | 
		24 |       transition = [
		25 |         {
		26 |           days          = 90
		27 |           storage_class = "STANDARD_IA"
		28 |         }
		29 |       ]
		30 | 
		31 |       expiration = {
		32 |         days = 365
		33 |       }
		34 |     }
		35 |   ]
		36 | 
		37 |   tags = local.tags
		38 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: testing_db_container
	File: /db_service.tf:1-25
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision.html

		1  | module "testing_db_container" {
		2  |   count                    = var.env_name == "dev" ? 1 : 0
		3  |   source                   = "git::https://github.com/cloudposse/terraform-aws-ecs-container-definition.git?ref=tags/0.59.0"
		4  |   container_name           = "${var.env_name}-${var.delius_db_container_config.fully_qualified_name}"
		5  |   container_image          = "${var.platform_vars.environment_management.account_ids["core-shared-services-production"]}.dkr.ecr.eu-west-2.amazonaws.com/${var.delius_db_container_config.image_name}-ecr-repo:${var.delius_db_container_config.image_tag}"
		6  |   container_memory         = 4096
		7  |   container_cpu            = 1024
		8  |   essential                = true
		9  |   readonly_root_filesystem = false
		10 |   port_mappings = [
		11 |     {
		12 |       containerPort = var.delius_db_container_config.port
		13 |       hostPort      = var.delius_db_container_config.port
		14 |       protocol      = "tcp"
		15 |     },
		16 |   ]
		17 |   log_configuration = {
		18 |     logDriver = "awslogs"
		19 |     options = {
		20 |       "awslogs-group"         = aws_cloudwatch_log_group.delius_core_testing_db_log_group.name
		21 |       "awslogs-region"        = "eu-west-2"
		22 |       "awslogs-stream-prefix" = var.delius_db_container_config.fully_qualified_name
		23 |     }
		24 |   }
		25 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.delius_core_testing_db_log_group
	File: /db_service.tf:114-118

		114 | resource "aws_cloudwatch_log_group" "delius_core_testing_db_log_group" {
		115 |   name              = format("%s-%s", var.env_name, var.delius_db_container_config.fully_qualified_name)
		116 |   retention_in_days = 7
		117 |   tags              = local.tags
		118 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.delius_core_testing_db_log_group
	File: /db_service.tf:114-118
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html

		114 | resource "aws_cloudwatch_log_group" "delius_core_testing_db_log_group" {
		115 |   name              = format("%s-%s", var.env_name, var.delius_db_container_config.fully_qualified_name)
		116 |   retention_in_days = 7
		117 |   tags              = local.tags
		118 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.delius_core_backup_policy
	File: /ldap_backups.tf:69-89
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint.html

		69 | data "aws_iam_policy_document" "delius_core_backup_policy" {
		70 |   statement {
		71 |     effect    = "Allow"
		72 |     resources = ["*"]
		73 | 
		74 |     actions = [
		75 |       "backup:CreateBackupPlan",
		76 |       "backup:CreateBackupSelection",
		77 |       "backup:StartBackupJob",
		78 |       "backup:DescribeBackupJob",
		79 |       "backup:ListBackupJobs",
		80 |       "backup:ListBackupVaults",
		81 |       "backup:ListRecoveryPointsByBackupVault",
		82 |       "backup:ListBackupPlanTemplates",
		83 |       "backup:DescribeRestoreJob",
		84 |       "backup:GetRecoveryPointRestoreMetadata",
		85 |       "backup:ListRestoreJobs",
		86 |       "backup:StartRestoreJob"
		87 |     ]
		88 |   }
		89 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.delius_core_backup_policy
	File: /ldap_backups.tf:69-89

		69 | data "aws_iam_policy_document" "delius_core_backup_policy" {
		70 |   statement {
		71 |     effect    = "Allow"
		72 |     resources = ["*"]
		73 | 
		74 |     actions = [
		75 |       "backup:CreateBackupPlan",
		76 |       "backup:CreateBackupSelection",
		77 |       "backup:StartBackupJob",
		78 |       "backup:DescribeBackupJob",
		79 |       "backup:ListBackupJobs",
		80 |       "backup:ListBackupVaults",
		81 |       "backup:ListRecoveryPointsByBackupVault",
		82 |       "backup:ListBackupPlanTemplates",
		83 |       "backup:DescribeRestoreJob",
		84 |       "backup:GetRecoveryPointRestoreMetadata",
		85 |       "backup:ListRestoreJobs",
		86 |       "backup:StartRestoreJob"
		87 |     ]
		88 |   }
		89 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.efs_backup_policy
	File: /ldap_backups.tf:97-134
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint.html

		97  | data "aws_iam_policy_document" "efs_backup_policy" {
		98  |   statement {
		99  |     effect    = "Allow"
		100 |     resources = ["*"]
		101 | 
		102 |     actions = [
		103 |       "efs:DescribeFileSystems",
		104 |       "efs:CreateBackup",
		105 |       "efs:DeleteBackup",
		106 |       "efs:DescribeBackups",
		107 |       "efs:CreateTags",
		108 |       "efs:UntagResource",
		109 |       "efs:TagResource",
		110 |       "efs:DescribeTags",
		111 |       "elasticfilesystem:Backup",
		112 |       "elasticfilesystem:DescribeTags",
		113 |       "elasticfilesystem:CreateAccessPoint",
		114 |       "elasticfilesystem:CreateFileSystem",
		115 |       "elasticfilesystem:CreateMountTarget",
		116 |       "elasticfilesystem:DeleteAccessPoint",
		117 |       "elasticfilesystem:DeleteFileSystem",
		118 |       "elasticfilesystem:DeleteMountTarget",
		119 |       "elasticfilesystem:DescribeAccessPoints",
		120 |       "elasticfilesystem:DescribeFileSystemPolicy",
		121 |       "elasticfilesystem:DescribeFileSystems",
		122 |       "elasticfilesystem:DescribeLifecycleConfiguration",
		123 |       "elasticfilesystem:DescribeMountTargets",
		124 |       "elasticfilesystem:DescribeMountTargetSecurityGroups",
		125 |       "elasticfilesystem:PutBackupPolicy",
		126 |       "elasticfilesystem:PutFileSystemPolicy",
		127 |       "elasticfilesystem:PutLifecycleConfiguration",
		128 |       "elasticfilesystem:Restore",
		129 |       "elasticfilesystem:TagResource",
		130 |       "elasticfilesystem:UntagResource",
		131 |       "elasticfilesystem:UpdateFileSystem"
		132 |     ]
		133 |   }
		134 | }

Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy_document.efs_backup_policy
	File: /ldap_backups.tf:97-134
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint.html

		97  | data "aws_iam_policy_document" "efs_backup_policy" {
		98  |   statement {
		99  |     effect    = "Allow"
		100 |     resources = ["*"]
		101 | 
		102 |     actions = [
		103 |       "efs:DescribeFileSystems",
		104 |       "efs:CreateBackup",
		105 |       "efs:DeleteBackup",
		106 |       "efs:DescribeBackups",
		107 |       "efs:CreateTags",
		108 |       "efs:UntagResource",
		109 |       "efs:TagResource",
		110 |       "efs:DescribeTags",
		111 |       "elasticfilesystem:Backup",
		112 |       "elasticfilesystem:DescribeTags",
		113 |       "elasticfilesystem:CreateAccessPoint",
		114 |       "elasticfilesystem:CreateFileSystem",
		115 |       "elasticfilesystem:CreateMountTarget",
		116 |       "elasticfilesystem:DeleteAccessPoint",
		117 |       "elasticfilesystem:DeleteFileSystem",
		118 |       "elasticfilesystem:DeleteMountTarget",
		119 |       "elasticfilesystem:DescribeAccessPoints",
		120 |       "elasticfilesystem:DescribeFileSystemPolicy",
		121 |       "elasticfilesystem:DescribeFileSystems",
		122 |       "elasticfilesystem:DescribeLifecycleConfiguration",
		123 |       "elasticfilesystem:DescribeMountTargets",
		124 |       "elasticfilesystem:DescribeMountTargetSecurityGroups",
		125 |       "elasticfilesystem:PutBackupPolicy",
		126 |       "elasticfilesystem:PutFileSystemPolicy",
		127 |       "elasticfilesystem:PutLifecycleConfiguration",
		128 |       "elasticfilesystem:Restore",
		129 |       "elasticfilesystem:TagResource",
		130 |       "elasticfilesystem:UntagResource",
		131 |       "elasticfilesystem:UpdateFileSystem"
		132 |     ]
		133 |   }
		134 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.efs_backup_policy
	File: /ldap_backups.tf:97-134

		97  | data "aws_iam_policy_document" "efs_backup_policy" {
		98  |   statement {
		99  |     effect    = "Allow"
		100 |     resources = ["*"]
		101 | 
		102 |     actions = [
		103 |       "efs:DescribeFileSystems",
		104 |       "efs:CreateBackup",
		105 |       "efs:DeleteBackup",
		106 |       "efs:DescribeBackups",
		107 |       "efs:CreateTags",
		108 |       "efs:UntagResource",
		109 |       "efs:TagResource",
		110 |       "efs:DescribeTags",
		111 |       "elasticfilesystem:Backup",
		112 |       "elasticfilesystem:DescribeTags",
		113 |       "elasticfilesystem:CreateAccessPoint",
		114 |       "elasticfilesystem:CreateFileSystem",
		115 |       "elasticfilesystem:CreateMountTarget",
		116 |       "elasticfilesystem:DeleteAccessPoint",
		117 |       "elasticfilesystem:DeleteFileSystem",
		118 |       "elasticfilesystem:DeleteMountTarget",
		119 |       "elasticfilesystem:DescribeAccessPoints",
		120 |       "elasticfilesystem:DescribeFileSystemPolicy",
		121 |       "elasticfilesystem:DescribeFileSystems",
		122 |       "elasticfilesystem:DescribeLifecycleConfiguration",
		123 |       "elasticfilesystem:DescribeMountTargets",
		124 |       "elasticfilesystem:DescribeMountTargetSecurityGroups",
		125 |       "elasticfilesystem:PutBackupPolicy",
		126 |       "elasticfilesystem:PutFileSystemPolicy",
		127 |       "elasticfilesystem:PutLifecycleConfiguration",
		128 |       "elasticfilesystem:Restore",
		129 |       "elasticfilesystem:TagResource",
		130 |       "elasticfilesystem:UntagResource",
		131 |       "elasticfilesystem:UpdateFileSystem"
		132 |     ]
		133 |   }
		134 | }

Check: CKV_AWS_166: "Ensure Backup Vault is encrypted at rest using KMS CMK"
	FAILED for resource: aws_backup_vault.ldap_backup_vault
	File: /ldap_backups.tf:1-9
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-backup-vault-is-encrypted-at-rest-using-kms-cmk.html

		1 | resource "aws_backup_vault" "ldap_backup_vault" {
		2 |   name = "${var.env_name}-ldap-efs-backup-vault"
		3 |   tags = merge(
		4 |     local.tags,
		5 |     {
		6 |       Name = "${var.env_name}-ldap-efs-backup-vault"
		7 |     },
		8 |   )
		9 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.ldap_datasync_role_access
	File: /ldap_datasync.tf:48-67
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint.html

		48 | data "aws_iam_policy_document" "ldap_datasync_role_access" {
		49 |   statement {
		50 |     effect = "Allow"
		51 |     actions = [
		52 |       "backup:*",
		53 |       "datasync:*",
		54 |       "elasticfilesystem:*",
		55 |     ]
		56 |     resources = ["*"]
		57 |   }
		58 |   statement {
		59 |     sid     = "allowAccessForDataSync"
		60 |     effect  = "Allow"
		61 |     actions = ["s3:*"]
		62 |     resources = [
		63 |       "${module.s3_bucket_ldap_data_refresh.bucket.arn}",
		64 |       "${module.s3_bucket_ldap_data_refresh.bucket.arn}/*",
		65 |     ]
		66 |   }
		67 | }

Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy_document.ldap_datasync_role_access
	File: /ldap_datasync.tf:48-67
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint.html

		48 | data "aws_iam_policy_document" "ldap_datasync_role_access" {
		49 |   statement {
		50 |     effect = "Allow"
		51 |     actions = [
		52 |       "backup:*",
		53 |       "datasync:*",
		54 |       "elasticfilesystem:*",
		55 |     ]
		56 |     resources = ["*"]
		57 |   }
		58 |   statement {
		59 |     sid     = "allowAccessForDataSync"
		60 |     effect  = "Allow"
		61 |     actions = ["s3:*"]
		62 |     resources = [
		63 |       "${module.s3_bucket_ldap_data_refresh.bucket.arn}",
		64 |       "${module.s3_bucket_ldap_data_refresh.bucket.arn}/*",
		65 |     ]
		66 |   }
		67 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.ldap_datasync_role_access
	File: /ldap_datasync.tf:48-67

		48 | data "aws_iam_policy_document" "ldap_datasync_role_access" {
		49 |   statement {
		50 |     effect = "Allow"
		51 |     actions = [
		52 |       "backup:*",
		53 |       "datasync:*",
		54 |       "elasticfilesystem:*",
		55 |     ]
		56 |     resources = ["*"]
		57 |   }
		58 |   statement {
		59 |     sid     = "allowAccessForDataSync"
		60 |     effect  = "Allow"
		61 |     actions = ["s3:*"]
		62 |     resources = [
		63 |       "${module.s3_bucket_ldap_data_refresh.bucket.arn}",
		64 |       "${module.s3_bucket_ldap_data_refresh.bucket.arn}/*",
		65 |     ]
		66 |   }
		67 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3_bucket_ldap_data_refresh
	File: /ldap_datasync.tf:96-110
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision.html

		96  | module "s3_bucket_ldap_data_refresh" {
		97  |   source              = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0"
		98  |   bucket_name         = "${var.env_name}-ldap-data-refresh-incoming"
		99  |   versioning_enabled  = false
		100 |   ownership_controls  = "BucketOwnerEnforced"
		101 |   replication_enabled = false
		102 |   custom_kms_key      = var.account_config.general_shared_kms_key_arn
		103 |   bucket_policy_v2    = local.ldap_refresh_bucket_policies
		104 | 
		105 |   providers = {
		106 |     aws.bucket-replication = aws.bucket-replication
		107 |   }
		108 | 
		109 |   tags = local.tags
		110 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.ecs_service_policy
	File: /ldap_ecs.tf:167-182
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint.html

		167 | data "aws_iam_policy_document" "ecs_service_policy" {
		168 |   statement {
		169 |     effect    = "Allow"
		170 |     resources = ["*"]
		171 | 
		172 |     actions = [
		173 |       "elasticloadbalancing:Describe*",
		174 |       "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
		175 |       "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
		176 |       "ec2:Describe*",
		177 |       "ec2:AuthorizeSecurityGroupIngress",
		178 |       "elasticloadbalancing:RegisterTargets",
		179 |       "elasticloadbalancing:DeregisterTargets"
		180 |     ]
		181 |   }
		182 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.ecs_service_policy
	File: /ldap_ecs.tf:167-182

		167 | data "aws_iam_policy_document" "ecs_service_policy" {
		168 |   statement {
		169 |     effect    = "Allow"
		170 |     resources = ["*"]
		171 | 
		172 |     actions = [
		173 |       "elasticloadbalancing:Describe*",
		174 |       "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
		175 |       "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
		176 |       "ec2:Describe*",
		177 |       "ec2:AuthorizeSecurityGroupIngress",
		178 |       "elasticloadbalancing:RegisterTargets",
		179 |       "elasticloadbalancing:DeregisterTargets"
		180 |     ]
		181 |   }
		182 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.ecs_exec
	File: /ldap_ecs.tf:245-262
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint.html

		245 | data "aws_iam_policy_document" "ecs_exec" {
		246 |   statement {
		247 |     effect    = "Allow"
		248 |     resources = ["*"]
		249 | 
		250 |     actions = [
		251 |       "ssm:GetParameters",
		252 |       "ecr:GetAuthorizationToken",
		253 |       "ecr:BatchCheckLayerAvailability",
		254 |       "ecr:GetDownloadUrlForLayer",
		255 |       "ecr:BatchGetImage",
		256 |       "logs:CreateLogGroup",
		257 |       "logs:CreateLogStream",
		258 |       "logs:PutLogEvents",
		259 |       "secretsmanager:GetSecretValue"
		260 |     ]
		261 |   }
		262 | }

Check: CKV_AWS_108: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_policy_document.ecs_exec
	File: /ldap_ecs.tf:245-262
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-data-exfiltration.html

		245 | data "aws_iam_policy_document" "ecs_exec" {
		246 |   statement {
		247 |     effect    = "Allow"
		248 |     resources = ["*"]
		249 | 
		250 |     actions = [
		251 |       "ssm:GetParameters",
		252 |       "ecr:GetAuthorizationToken",
		253 |       "ecr:BatchCheckLayerAvailability",
		254 |       "ecr:GetDownloadUrlForLayer",
		255 |       "ecr:BatchGetImage",
		256 |       "logs:CreateLogGroup",
		257 |       "logs:CreateLogStream",
		258 |       "logs:PutLogEvents",
		259 |       "secretsmanager:GetSecretValue"
		260 |     ]
		261 |   }
		262 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.ecs_exec
	File: /ldap_ecs.tf:245-262

		245 | data "aws_iam_policy_document" "ecs_exec" {
		246 |   statement {
		247 |     effect    = "Allow"
		248 |     resources = ["*"]
		249 | 
		250 |     actions = [
		251 |       "ssm:GetParameters",
		252 |       "ecr:GetAuthorizationToken",
		253 |       "ecr:BatchCheckLayerAvailability",
		254 |       "ecr:GetDownloadUrlForLayer",
		255 |       "ecr:BatchGetImage",
		256 |       "logs:CreateLogGroup",
		257 |       "logs:CreateLogStream",
		258 |       "logs:PutLogEvents",
		259 |       "secretsmanager:GetSecretValue"
		260 |     ]
		261 |   }
		262 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3_bucket_ldap_deployment
	File: /ldap_ecs.tf:33-71
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision.html

		33 | module "s3_bucket_ldap_deployment" {
		34 | 
		35 |   source = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0"
		36 | 
		37 |   providers = {
		38 |     aws.bucket-replication = aws.bucket-replication
		39 |   }
		40 |   bucket_prefix      = "${var.env_name}-ldap-deployment-"
		41 |   versioning_enabled = true
		42 | 
		43 |   lifecycle_rule = [
		44 |     {
		45 |       id      = "main"
		46 |       enabled = "Enabled"
		47 |       prefix  = ""
		48 | 
		49 |       tags = {
		50 |         rule      = "log"
		51 |         autoclean = "true"
		52 |       }
		53 | 
		54 |       noncurrent_version_transition = [
		55 |         {
		56 |           days          = 90
		57 |           storage_class = "STANDARD_IA"
		58 |           }, {
		59 |           days          = 365
		60 |           storage_class = "GLACIER"
		61 |         }
		62 |       ]
		63 | 
		64 |       noncurrent_version_expiration = {
		65 |         days = 730
		66 |       }
		67 |     }
		68 |   ]
		69 | 
		70 |   tags = local.tags
		71 | }

Check: CKV_AWS_23: "Ensure every security groups rule has a description"
	FAILED for resource: aws_security_group_rule.efs_ingress_ldap
	File: /ldap_ecs.tf:113-120
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html

		113 | resource "aws_security_group_rule" "efs_ingress_ldap" {
		114 |   type                     = "ingress"
		115 |   from_port                = 2049
		116 |   to_port                  = 2049
		117 |   protocol                 = "tcp"
		118 |   source_security_group_id = aws_security_group.ldap_efs.id
		119 |   security_group_id        = aws_security_group.ldap.id
		120 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.ldap
	File: /ldap_ecs.tf:122-125

		122 | resource "aws_cloudwatch_log_group" "ldap" {
		123 |   name              = "${var.env_name}-ldap-ecs"
		124 |   retention_in_days = 30
		125 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.ldap
	File: /ldap_ecs.tf:122-125
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html

		122 | resource "aws_cloudwatch_log_group" "ldap" {
		123 |   name              = "${var.env_name}-ldap-ecs"
		124 |   retention_in_days = 30
		125 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.ldap_test
	File: /ldap_ecs.tf:271-274

		271 | resource "aws_cloudwatch_log_group" "ldap_test" {
		272 |   name              = "/ecs/ldap_${var.env_name}"
		273 |   retention_in_days = 5
		274 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.ldap_test
	File: /ldap_ecs.tf:271-274
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html

		271 | resource "aws_cloudwatch_log_group" "ldap_test" {
		272 |   name              = "/ecs/ldap_${var.env_name}"
		273 |   retention_in_days = 5
		274 | }

Check: CKV_AWS_329: "EFS access points should enforce a root directory"
	FAILED for resource: aws_efs_access_point.ldap
	File: /ldap_efs.tf:24-35

		24 | resource "aws_efs_access_point" "ldap" {
		25 |   file_system_id = aws_efs_file_system.ldap.id
		26 |   root_directory {
		27 |     path = "/"
		28 |   }
		29 |   tags = merge(
		30 |     local.tags,
		31 |     {
		32 |       Name = "${var.env_name}-ldap-efs-access-point"
		33 |     }
		34 |   )
		35 | }

Check: CKV_AWS_330: "EFS access points should enforce a user identity"
	FAILED for resource: aws_efs_access_point.ldap
	File: /ldap_efs.tf:24-35

		24 | resource "aws_efs_access_point" "ldap" {
		25 |   file_system_id = aws_efs_file_system.ldap.id
		26 |   root_directory {
		27 |     path = "/"
		28 |   }
		29 |   tags = merge(
		30 |     local.tags,
		31 |     {
		32 |       Name = "${var.env_name}-ldap-efs-access-point"
		33 |     }
		34 |   )
		35 | }

Check: CKV_AWS_23: "Ensure every security groups rule has a description"
	FAILED for resource: aws_security_group_rule.efs_ingress
	File: /ldap_efs.tf:55-62
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html

		55 | resource "aws_security_group_rule" "efs_ingress" {
		56 |   type                     = "ingress"
		57 |   from_port                = 2049
		58 |   to_port                  = 2049
		59 |   protocol                 = "tcp"
		60 |   source_security_group_id = aws_security_group.ldap.id
		61 |   security_group_id        = aws_security_group.ldap_efs.id
		62 | }

Check: CKV_AWS_23: "Ensure every security groups rule has a description"
	FAILED for resource: aws_security_group_rule.efs_egress
	File: /ldap_efs.tf:64-71
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html

		64 | resource "aws_security_group_rule" "efs_egress" {
		65 |   type              = "egress"
		66 |   from_port         = 0
		67 |   to_port           = 0
		68 |   protocol          = "all"
		69 |   cidr_blocks       = [var.account_config.shared_vpc_cidr]
		70 |   security_group_id = aws_security_group.ldap_efs.id
		71 | }

Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
	FAILED for resource: aws_lb.ldap
	File: /ldap_nlb.tf:14-23
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22.html

		14 | resource "aws_lb" "ldap" {
		15 |   name                       = local.ldap_nlb_name
		16 |   internal                   = true
		17 |   load_balancer_type         = "network"
		18 |   subnets                    = var.account_config.private_subnet_ids
		19 |   drop_invalid_header_fields = true
		20 |   enable_deletion_protection = false
		21 | 
		22 |   tags = local.ldap_nlb_tags
		23 | }

Check: CKV_AWS_152: "Ensure that Load Balancer (Network/Gateway) has cross-zone load balancing enabled"
	FAILED for resource: aws_lb.ldap
	File: /ldap_nlb.tf:14-23
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-load-balancer-networkgateway-has-cross-zone-load-balancing-enabled.html

		14 | resource "aws_lb" "ldap" {
		15 |   name                       = local.ldap_nlb_name
		16 |   internal                   = true
		17 |   load_balancer_type         = "network"
		18 |   subnets                    = var.account_config.private_subnet_ids
		19 |   drop_invalid_header_fields = true
		20 |   enable_deletion_protection = false
		21 | 
		22 |   tags = local.ldap_nlb_tags
		23 | }

Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
	FAILED for resource: aws_lb.ldap
	File: /ldap_nlb.tf:14-23
	Guide: https://docs.bridgecrew.io/docs/bc_aws_networking_62

		14 | resource "aws_lb" "ldap" {
		15 |   name                       = local.ldap_nlb_name
		16 |   internal                   = true
		17 |   load_balancer_type         = "network"
		18 |   subnets                    = var.account_config.private_subnet_ids
		19 |   drop_invalid_header_fields = true
		20 |   enable_deletion_protection = false
		21 | 
		22 |   tags = local.ldap_nlb_tags
		23 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.delius_core_ldap_credential
	File: /ldap_params.tf:2-4
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms.html

		2 | resource "aws_secretsmanager_secret" "delius_core_ldap_credential" {
		3 |   name = "${var.account_info.application_name}-${var.env_name}-openldap-bind-password"
		4 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_ldap_host
	File: /ldap_params.tf:20-30

		20 | resource "aws_ssm_parameter" "delius_core_ldap_host" {
		21 |   name  = format("/%s-%s/LDAP_HOST", var.account_info.application_name, var.env_name)
		22 |   type  = "SecureString"
		23 |   value = "INITIAL_VALUE_OVERRIDDEN"
		24 |   lifecycle {
		25 |     ignore_changes = [
		26 |       value
		27 |     ]
		28 |   }
		29 |   tags = local.tags
		30 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_ldap_principal
	File: /ldap_params.tf:32-42

		32 | resource "aws_ssm_parameter" "delius_core_ldap_principal" {
		33 |   name  = format("/%s-%s/LDAP_PRINCIPAL", var.account_info.application_name, var.env_name)
		34 |   type  = "SecureString"
		35 |   value = "INITIAL_VALUE_OVERRIDDEN"
		36 |   lifecycle {
		37 |     ignore_changes = [
		38 |       value
		39 |     ]
		40 |   }
		41 |   tags = local.tags
		42 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3_bucket_migration
	File: /ldap_s3.tf:1-91
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision.html

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3_bucket_app_deployment
	File: /ldap_s3.tf:94-133
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision.html

		94  | module "s3_bucket_app_deployment" {
		95  | 
		96  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0"
		97  | 
		98  |   bucket_name        = "${var.app_name}-${var.env_name}-openldap-deployment"
		99  |   versioning_enabled = true
		100 | 
		101 |   providers = {
		102 |     aws.bucket-replication = aws.bucket-replication
		103 |   }
		104 | 
		105 |   lifecycle_rule = [
		106 |     {
		107 |       id      = "main"
		108 |       enabled = "Enabled"
		109 |       prefix  = ""
		110 | 
		111 |       tags = {
		112 |         rule      = "log"
		113 |         autoclean = "true"
		114 |       }
		115 | 
		116 |       noncurrent_version_transition = [
		117 |         {
		118 |           days          = 90
		119 |           storage_class = "STANDARD_IA"
		120 |           }, {
		121 |           days          = 365
		122 |           storage_class = "GLACIER"
		123 |         }
		124 |       ]
		125 | 
		126 |       noncurrent_version_expiration = {
		127 |         days = 730
		128 |       }
		129 |     }
		130 |   ]
		131 | 
		132 |   tags = local.tags
		133 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.ldap_bind_password
	File: /ssm.tf:17-28

		17 | resource "aws_ssm_parameter" "ldap_bind_password" {
		18 |   name  = format("/%s-%s/LDAP_BIND_PASSWORD", var.account_info.application_name, var.env_name)
		19 |   type  = "SecureString"
		20 |   value = "INITIAL_VALUE_OVERRIDDEN"
		21 |   lifecycle {
		22 |     ignore_changes = [
		23 |       value
		24 |     ]
		25 |   }
		26 |   tags = local.tags
		27 | 
		28 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.ldap_admin_password
	File: /ssm.tf:30-41

		30 | resource "aws_ssm_parameter" "ldap_admin_password" {
		31 |   name  = format("/%s-%s/LDAP_ADMIN_PASSWORD", var.account_info.application_name, var.env_name)
		32 |   type  = "SecureString"
		33 |   value = "INITIAL_VALUE_OVERRIDDEN"
		34 |   lifecycle {
		35 |     ignore_changes = [
		36 |       value
		37 |     ]
		38 |   }
		39 |   tags = local.tags
		40 | 
		41 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.oasys_user
	File: /ssm.tf:43-54

		43 | resource "aws_ssm_parameter" "oasys_user" {
		44 |   name  = format("/%s-%s/oasys_user", var.account_info.application_name, var.env_name)
		45 |   type  = "SecureString"
		46 |   value = "INITIAL_VALUE_OVERRIDDEN"
		47 |   lifecycle {
		48 |     ignore_changes = [
		49 |       value
		50 |     ]
		51 |   }
		52 |   tags = local.tags
		53 | 
		54 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.oasys_password
	File: /ssm.tf:56-67

		56 | resource "aws_ssm_parameter" "oasys_password" {
		57 |   name  = format("/%s-%s/oasys_password", var.account_info.application_name, var.env_name)
		58 |   type  = "SecureString"
		59 |   value = "INITIAL_VALUE_OVERRIDDEN"
		60 |   lifecycle {
		61 |     ignore_changes = [
		62 |       value
		63 |     ]
		64 |   }
		65 |   tags = local.tags
		66 | 
		67 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.iaps_user
	File: /ssm.tf:69-80

		69 | resource "aws_ssm_parameter" "iaps_user" {
		70 |   name  = format("/%s-%s/iaps_user", var.account_info.application_name, var.env_name)
		71 |   type  = "SecureString"
		72 |   value = "INITIAL_VALUE_OVERRIDDEN"
		73 |   lifecycle {
		74 |     ignore_changes = [
		75 |       value
		76 |     ]
		77 |   }
		78 |   tags = local.tags
		79 | 
		80 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.iaps_user_password
	File: /ssm.tf:82-93

		82 | resource "aws_ssm_parameter" "iaps_user_password" {
		83 |   name  = format("/%s-%s/iaps_user_password", var.account_info.application_name, var.env_name)
		84 |   type  = "SecureString"
		85 |   value = "INITIAL_VALUE_OVERRIDDEN"
		86 |   lifecycle {
		87 |     ignore_changes = [
		88 |       value
		89 |     ]
		90 |   }
		91 |   tags = local.tags
		92 | 
		93 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.dss_user
	File: /ssm.tf:95-106

		95  | resource "aws_ssm_parameter" "dss_user" {
		96  |   name  = format("/%s-%s/dss_user", var.account_info.application_name, var.env_name)
		97  |   type  = "SecureString"
		98  |   value = "INITIAL_VALUE_OVERRIDDEN"
		99  |   lifecycle {
		100 |     ignore_changes = [
		101 |       value
		102 |     ]
		103 |   }
		104 |   tags = local.tags
		105 | 
		106 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.dss_user_password
	File: /ssm.tf:108-119

		108 | resource "aws_ssm_parameter" "dss_user_password" {
		109 |   name  = format("/%s-%s/dss_user_password", var.account_info.application_name, var.env_name)
		110 |   type  = "SecureString"
		111 |   value = "INITIAL_VALUE_OVERRIDDEN"
		112 |   lifecycle {
		113 |     ignore_changes = [
		114 |       value
		115 |     ]
		116 |   }
		117 |   tags = local.tags
		118 | 
		119 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.casenotes_user
	File: /ssm.tf:121-132

		121 | resource "aws_ssm_parameter" "casenotes_user" {
		122 |   name  = format("/%s-%s/casenotes_user", var.account_info.application_name, var.env_name)
		123 |   type  = "SecureString"
		124 |   value = "INITIAL_VALUE_OVERRIDDEN"
		125 |   lifecycle {
		126 |     ignore_changes = [
		127 |       value
		128 |     ]
		129 |   }
		130 |   tags = local.tags
		131 | 
		132 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.casenotes_user_password
	File: /ssm.tf:134-144

		134 | resource "aws_ssm_parameter" "casenotes_user_password" {
		135 |   name  = format("/%s-%s/casenotes_user_password", var.account_info.application_name, var.env_name)
		136 |   type  = "SecureString"
		137 |   value = "INITIAL_VALUE_OVERRIDDEN"
		138 |   lifecycle {
		139 |     ignore_changes = [
		140 |       value
		141 |     ]
		142 |   }
		143 |   tags = local.tags
		144 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.test_user_password
	File: /ssm.tf:146-157

		146 | resource "aws_ssm_parameter" "test_user_password" {
		147 |   name  = format("/%s-%s/test_user_password", var.account_info.application_name, var.env_name)
		148 |   type  = "SecureString"
		149 |   value = "INITIAL_VALUE_OVERRIDDEN"
		150 |   lifecycle {
		151 |     ignore_changes = [
		152 |       value
		153 |     ]
		154 |   }
		155 | 
		156 |   tags = local.tags
		157 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_gdpr_api_client_secret
	File: /ssm.tf:159-171

		159 | resource "aws_ssm_parameter" "delius_core_gdpr_api_client_secret" {
		160 |   name  = format("/%s-%s/gdpr/api/client_secret", var.account_info.application_name, var.env_name)
		161 |   type  = "SecureString"
		162 |   value = "INITIAL_VALUE_OVERRIDDEN"
		163 | 
		164 |   lifecycle {
		165 |     ignore_changes = [
		166 |       value
		167 |     ]
		168 |   }
		169 | 
		170 |   tags = local.tags
		171 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_pwm_config_password
	File: /ssm.tf:173-185

		173 | resource "aws_ssm_parameter" "delius_core_pwm_config_password" {
		174 |   name  = format("/%s-%s/pwm/pwm/config_password", var.account_info.application_name, var.env_name)
		175 |   type  = "SecureString"
		176 |   value = "INITIAL_VALUE_OVERRIDDEN"
		177 | 
		178 |   lifecycle {
		179 |     ignore_changes = [
		180 |       value
		181 |     ]
		182 |   }
		183 | 
		184 |   tags = local.tags
		185 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_merge_api_client_secret
	File: /ssm.tf:187-199

		187 | resource "aws_ssm_parameter" "delius_core_merge_api_client_secret" {
		188 |   name  = format("/%s-%s/merge/api/client_secret", var.account_info.application_name, var.env_name)
		189 |   type  = "SecureString"
		190 |   value = "INITIAL_VALUE_OVERRIDDEN"
		191 | 
		192 |   lifecycle {
		193 |     ignore_changes = [
		194 |       value
		195 |     ]
		196 |   }
		197 | 
		198 |   tags = local.tags
		199 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_weblogic_ndelius_domain_umt_client_secret
	File: /ssm.tf:201-213

		201 | resource "aws_ssm_parameter" "delius_core_weblogic_ndelius_domain_umt_client_secret" {
		202 |   name  = format("/%s-%s/weblogic/ndelius-domain/umt_client_secret", var.account_info.application_name, var.env_name)
		203 |   type  = "SecureString"
		204 |   value = "INITIAL_VALUE_OVERRIDDEN"
		205 | 
		206 |   lifecycle {
		207 |     ignore_changes = [
		208 |       value
		209 |     ]
		210 |   }
		211 | 
		212 |   tags = local.tags
		213 | }

Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
	FAILED for resource: aws_lb.delius_core_frontend
	File: /weblogic_alb.tf:39-51
	Guide: https://docs.bridgecrew.io/docs/bc_aws_networking_62

		39 | resource "aws_lb" "delius_core_frontend" {
		40 |   # checkov:skip=CKV_AWS_91
		41 |   # checkov:skip=CKV2_AWS_28
		42 | 
		43 |   name               = "${var.app_name}-${var.env_name}-weblogic-alb"
		44 |   internal           = false
		45 |   load_balancer_type = "application"
		46 |   security_groups    = [aws_security_group.delius_frontend_alb_security_group.id]
		47 |   subnets            = var.account_config.public_subnet_ids
		48 | 
		49 |   enable_deletion_protection = false
		50 |   drop_invalid_header_fields = true
		51 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_frontend_env_var_jdbc_url
	File: /weblogic_params.tf:6-16

		6  | resource "aws_ssm_parameter" "delius_core_frontend_env_var_jdbc_url" {
		7  |   name  = format("/%s-%s/JDBC_URL", var.account_info.application_name, var.env_name)
		8  |   type  = "SecureString"
		9  |   value = format("jdbc:oracle:thin:@//INITIAL_HOSTNAME_OVERRIDEN:INITIAL_PORT_OVERRIDDEN/%s", var.weblogic_config.db_name)
		10 |   tags  = local.tags
		11 |   lifecycle {
		12 |     ignore_changes = [
		13 |       value
		14 |     ]
		15 |   }
		16 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_frontend_env_var_jdbc_password
	File: /weblogic_params.tf:18-28

		18 | resource "aws_ssm_parameter" "delius_core_frontend_env_var_jdbc_password" {
		19 |   name  = format("/%s-%s/JDBC_PASSWORD", var.account_info.application_name, var.env_name)
		20 |   type  = "SecureString"
		21 |   value = "INITIAL_VALUE_OVERRIDDEN"
		22 |   tags  = local.tags
		23 |   lifecycle {
		24 |     ignore_changes = [
		25 |       value
		26 |     ]
		27 |   }
		28 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_frontend_env_var_test_mode
	File: /weblogic_params.tf:30-35

		30 | resource "aws_ssm_parameter" "delius_core_frontend_env_var_test_mode" {
		31 |   name  = format("/%s/%s/TEST_MODE", var.account_info.application_name, var.env_name)
		32 |   type  = "String"
		33 |   value = "true"
		34 |   tags  = local.tags
		35 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_frontend_env_var_dev_username
	File: /weblogic_params.tf:37-47

		37 | resource "aws_ssm_parameter" "delius_core_frontend_env_var_dev_username" {
		38 |   name  = format("/%s/%s/DEV_USERNAME", var.account_info.application_name, var.env_name)
		39 |   type  = "SecureString"
		40 |   value = "INITIAL_VALUE_OVERRIDDEN"
		41 |   lifecycle {
		42 |     ignore_changes = [
		43 |       value
		44 |     ]
		45 |   }
		46 |   tags = local.tags
		47 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_frontend_env_var_dev_password
	File: /weblogic_params.tf:49-59

		49 | resource "aws_ssm_parameter" "delius_core_frontend_env_var_dev_password" {
		50 |   name  = format("/%s/%s/DEV_PASSWORD", var.account_info.application_name, var.env_name)
		51 |   type  = "SecureString"
		52 |   value = "INITIAL_VALUE_OVERRIDDEN"
		53 |   lifecycle {
		54 |     ignore_changes = [
		55 |       value
		56 |     ]
		57 |   }
		58 |   tags = local.tags
		59 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_frontend_env_var_eis_user_context
	File: /weblogic_params.tf:61-71

		61 | resource "aws_ssm_parameter" "delius_core_frontend_env_var_eis_user_context" {
		62 |   name  = format("/%s/%s/EIS_USER_CONTEXT", var.account_info.application_name, var.env_name)
		63 |   type  = "SecureString"
		64 |   value = "INITIAL_VALUE_OVERRIDDEN"
		65 |   lifecycle {
		66 |     ignore_changes = [
		67 |       value
		68 |     ]
		69 |   }
		70 |   tags = local.tags
		71 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_frontend_env_var_user_context
	File: /weblogic_params.tf:73-83

		73 | resource "aws_ssm_parameter" "delius_core_frontend_env_var_user_context" {
		74 |   name  = format("/%s/%s/USER_CONTEXT", var.account_info.application_name, var.env_name)
		75 |   type  = "SecureString"
		76 |   value = "INITIAL_VALUE_OVERRIDDEN"
		77 |   lifecycle {
		78 |     ignore_changes = [
		79 |       value
		80 |     ]
		81 |   }
		82 |   tags = local.tags
		83 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: weblogic_container
	File: /weblogic_service.tf:1-63
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision.html

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.delius_core_frontend_log_group
	File: /weblogic_service.tf:199-203

		199 | resource "aws_cloudwatch_log_group" "delius_core_frontend_log_group" {
		200 |   name              = var.weblogic_config.frontend_fully_qualified_name
		201 |   retention_in_days = 7
		202 |   tags              = local.tags
		203 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.delius_core_frontend_log_group
	File: /weblogic_service.tf:199-203
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html

		199 | resource "aws_cloudwatch_log_group" "delius_core_frontend_log_group" {
		200 |   name              = var.weblogic_config.frontend_fully_qualified_name
		201 |   retention_in_days = 7
		202 |   tags              = local.tags
		203 | }

Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
	FAILED for resource: aws_ssm_parameter.delius_core_frontend_env_var_test_mode
	File: /weblogic_params.tf:30-35
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html

		30 | resource "aws_ssm_parameter" "delius_core_frontend_env_var_test_mode" {
		31 |   name  = format("/%s/%s/TEST_MODE", var.account_info.application_name, var.env_name)
		32 |   type  = "String"
		33 |   value = "true"
		34 |   tags  = local.tags
		35 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: module.ebs_volume.aws_ebs_volume.this
	File: /../ebs_volume/main.tf:1-10
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup.html

		1  | resource "aws_ebs_volume" "this" {
		2  |   availability_zone = var.availability_zone
		3  |   type              = var.type
		4  |   iops              = var.iops
		5  |   throughput        = var.throughput
		6  |   size              = var.size
		7  |   encrypted         = true
		8  |   kms_key_id        = var.kms_key_id
		9  |   tags              = var.tags
		10 | }

Check: CKV2_AWS_23: "Route53 A Record has Attached Resource"
	FAILED for resource: aws_route53_record.delius-core-db
	File: /db_service.tf:70-78
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-route53-a-record-has-an-attached-resource.html

		70 | resource "aws_route53_record" "delius-core-db" {
		71 |   count    = var.env_name == "dev" ? 1 : 0
		72 |   provider = aws.core-vpc
		73 |   zone_id  = var.account_config.route53_inner_zone_info.zone_id
		74 |   name     = "${var.app_name}-${var.env_name}-${var.delius_db_container_config.fully_qualified_name}.${var.account_config.route53_inner_zone_info.name}"
		75 |   type     = "A"
		76 |   ttl      = 300
		77 |   records  = ["10.26.26.95"]
		78 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.delius_core_ldap_credential
	File: /ldap_params.tf:2-4

		2 | resource "aws_secretsmanager_secret" "delius_core_ldap_credential" {
		3 |   name = "${var.account_info.application_name}-${var.env_name}-openldap-bind-password"
		4 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.delius_db_security_group
	File: /db_service.tf:80-85
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis.html

		80 | resource "aws_security_group" "delius_db_security_group" {
		81 |   name        = format("%s - Delius Core DB", var.env_name)
		82 |   description = "Rules for the delius testing db ecs service"
		83 |   vpc_id      = var.account_config.shared_vpc_id
		84 |   tags        = local.tags
		85 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.ldap
	File: /ldap_ecs.tf:73-81
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis.html

		73 | resource "aws_security_group" "ldap" {
		74 |   name        = "${var.env_name}-ldap-sg"
		75 |   description = "Security group for the ${var.env_name} ldap service"
		76 |   vpc_id      = var.account_info.vpc_id
		77 |   tags        = local.tags
		78 |   lifecycle {
		79 |     create_before_destroy = true
		80 |   }
		81 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.weblogic_service
	File: /weblogic_service.tf:114-122
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis.html

		114 | resource "aws_security_group" "weblogic_service" {
		115 |   name        = format("%s - Delius Core Weblogic service", var.env_name)
		116 |   description = "Security group for the ${var.env_name} weblogic service"
		117 |   vpc_id      = var.account_info.vpc_id
		118 |   tags        = local.tags
		119 |   lifecycle {
		120 |     create_before_destroy = true
		121 |   }
		122 | }


checkov_exitcode=1

CTFLint Scan Failed

*****************************

Setting default tflint config...
Running tflint --init...
Installing `terraform` plugin...
Installed `terraform` (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.2.1)
tflint will check the following folders:
terraform/environments/delius-core/modules/environment_all_components

*****************************

Running tflint in terraform/environments/delius-core/modules/environment_all_components
Excluding the following checks: terraform_unused_declarations
3 issue(s) found:

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/delius-core/modules/environment_all_components/db_s3.tf line 48:
  48:       "${module.s3_bucket_oracledb_backups.bucket.arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/delius-core/modules/environment_all_components/ldap_datasync.tf line 63:
  63:       "${module.s3_bucket_ldap_data_refresh.bucket.arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/delius-core/modules/environment_all_components/ldap_datasync.tf line 76:
  76:         "${module.s3_bucket_ldap_data_refresh.bucket.arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

tflint_exitcode=2

@jemnery jemnery temporarily deployed to performance-hub-development October 13, 2023 06:51 — with GitHub Actions Inactive
@github-actions
Contributor

TFSEC Scan Failed

*****************************

TFSEC will check the following folders:
terraform/environments/delius-core/modules/environment_all_components

*****************************

Running TFSEC in terraform/environments/delius-core/modules/environment_all_components
Excluding the following checks: AWS095

======================================================
tfsec is joining the Trivy family

tfsec will continue to remain available 
for the time being, although our engineering 
attention will be directed at Trivy going forward.

You can read more here: 
https://github.com/aquasecurity/tfsec/discussions/1994
======================================================

Result #1 CRITICAL Security group rule allows egress to multiple public internet addresses. 
────────────────────────────────────────────────────────────────────────────────
  ldap_ecs.tf:89
────────────────────────────────────────────────────────────────────────────────
   83    resource "aws_security_group_rule" "allow_all_egress" {
   84      description       = "Allow all outbound traffic to any IPv4 address"
   85      type              = "egress"
   86      from_port         = 0
   87      to_port           = 0
   88      protocol          = "-1"
   89  [   cidr_blocks       = ["0.0.0.0/0"]
   90      security_group_id = aws_security_group.ldap.id
   91    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-no-public-egress-sgr
      Impact Your port is egressing data to the internet
  Resolution Set a more restrictive cidr range

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/no-public-egress-sgr/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
────────────────────────────────────────────────────────────────────────────────


Result #2 CRITICAL Security group rule allows egress to multiple public internet addresses. 
────────────────────────────────────────────────────────────────────────────────
  weblogic_service.tf:185
────────────────────────────────────────────────────────────────────────────────
  179    resource "aws_security_group_rule" "weblogic_allow_all_egress" {
  180      description       = "Allow all outbound traffic to any IPv4 address on 443"
  181      type              = "egress"
  182      from_port         = 443
  183      to_port           = 443
  184      protocol          = "tcp"
  185  [   cidr_blocks       = ["0.0.0.0/0"]
  186      security_group_id = aws_security_group.weblogic_service.id
  187    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-no-public-egress-sgr
      Impact Your port is egressing data to the internet
  Resolution Set a more restrictive cidr range

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/no-public-egress-sgr/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
────────────────────────────────────────────────────────────────────────────────


Results #3-5 HIGH IAM policy document uses sensitive action 'ssm:GetParameters' on wildcarded resource '*' (3 similar results)
────────────────────────────────────────────────────────────────────────────────
  ../ecs_policies/main.tf:107
   via ldap_ecs.tf:1-14 (module.ldap_ecs_policies)
────────────────────────────────────────────────────────────────────────────────
  104    data "aws_iam_policy_document" "task_exec" {
  ...  
  107  [     resources = ["*"]
  ...  
  121    }
────────────────────────────────────────────────────────────────────────────────
  Individual Causes
  - ../ecs_policies/main.tf:1-14 (module.ldap_ecs_policies) 3 instances
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Results #6-8 HIGH IAM policy document uses sensitive action 'elasticloadbalancing:Describe*' on wildcarded resource '*' (3 similar results)
────────────────────────────────────────────────────────────────────────────────
  ../ecs_policies/main.tf:46
   via ldap_ecs.tf:1-14 (module.ldap_ecs_policies)
────────────────────────────────────────────────────────────────────────────────
   43    data "aws_iam_policy_document" "service_policy" {
   ..  
   46  [     resources = ["*"]
   ..  
   58    }
────────────────────────────────────────────────────────────────────────────────
  Individual Causes
  - ../ecs_policies/main.tf:1-14 (module.ldap_ecs_policies) 3 instances
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Results #9-14 HIGH IAM policy document uses wildcarded action 'elasticloadbalancing:Describe*' (6 similar results)
────────────────────────────────────────────────────────────────────────────────
  ../ecs_policies/main.tf:48-56
   via ldap_ecs.tf:1-14 (module.ldap_ecs_policies)
────────────────────────────────────────────────────────────────────────────────
   43    data "aws_iam_policy_document" "service_policy" {
   44      statement {
   45        effect    = "Allow"
   46        resources = ["*"]
   47    
   48  ┌     actions = concat([
   49  │       "elasticloadbalancing:Describe*",
   50  │       "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
   51  │       "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
   ..  
────────────────────────────────────────────────────────────────────────────────
  Individual Causes
  - ../ecs_policies/main.tf:1-14 (module.ldap_ecs_policies) 6 instances
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #15 HIGH Instance does not require IMDS access to require a token 
────────────────────────────────────────────────────────────────────────────────
  db_ec2.tf:69
────────────────────────────────────────────────────────────────────────────────
   54    resource "aws_instance" "db_ec2_primary_instance" {
   ..  
   69  [     http_tokens   = "optional" ("optional")
   ..  
   94    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-enforce-http-token-imds
      Impact Instance metadata service can be interacted with freely
  Resolution Enable HTTP token requirement for IMDS

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/enforce-http-token-imds/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance#metadata-options
────────────────────────────────────────────────────────────────────────────────


Results #16-19 HIGH IAM policy document uses wildcarded action 'kms:Encrypt' (4 similar results)
────────────────────────────────────────────────────────────────────────────────
  db_iam.tf:27-36
────────────────────────────────────────────────────────────────────────────────
   24    data "aws_iam_policy_document" "business_unit_kms_key_access" {
   25      statement {
   26        effect = "Allow"
   27  ┌     actions = [
   28  │       "kms:Encrypt",
   29  │       "kms:Decrypt",
   30  │       "kms:ReEncrypt*",
   31  │       "kms:GenerateDataKey*",
   32  │       "kms:DescribeKey",
   ..  
────────────────────────────────────────────────────────────────────────────────
  Individual Causes
  - db_iam.tf:24-41 (data.aws_iam_policy_document.business_unit_kms_key_access) 4 instances
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #20 HIGH IAM policy document uses wildcarded action 's3:*' 
────────────────────────────────────────────────────────────────────────────────
  db_s3.tf:44-46
────────────────────────────────────────────────────────────────────────────────
   40    data "aws_iam_policy_document" "oracledb_backup_bucket_access" {
   41      statement {
   42        sid    = "allowAccessToOracleDbBackupBucket"
   43        effect = "Allow"
   44  ┌     actions = [
   45  │       "s3:*"
   46  └     ]
   47        resources = [
   48          "${module.s3_bucket_oracledb_backups.bucket.arn}",
   ..  
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #21 HIGH IAM policy document uses sensitive action 's3:*' on wildcarded resource '2b1aae84-8d26-4e54-81a2-5a120bd74ce3' 
────────────────────────────────────────────────────────────────────────────────
  db_s3.tf:47-50
────────────────────────────────────────────────────────────────────────────────
   40    data "aws_iam_policy_document" "oracledb_backup_bucket_access" {
   41      statement {
   42        sid    = "allowAccessToOracleDbBackupBucket"
   43        effect = "Allow"
   44        actions = [
   45          "s3:*"
   46        ]
   47  ┌     resources = [
   48  │       "${module.s3_bucket_oracledb_backups.bucket.arn}",
   ..  
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #22 HIGH IAM policy document uses sensitive action 'efs:DescribeFileSystems' on wildcarded resource '*' 
────────────────────────────────────────────────────────────────────────────────
  ldap_backups.tf:100
────────────────────────────────────────────────────────────────────────────────
   97    data "aws_iam_policy_document" "efs_backup_policy" {
   ..  
  100  [     resources = ["*"]
  ...  
  134    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #23 HIGH IAM policy document uses sensitive action 'backup:CreateBackupPlan' on wildcarded resource '*' 
────────────────────────────────────────────────────────────────────────────────
  ldap_backups.tf:72
────────────────────────────────────────────────────────────────────────────────
   69    data "aws_iam_policy_document" "delius_core_backup_policy" {
   ..  
   72  [     resources = ["*"]
   ..  
   89    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Results #24-26 HIGH IAM policy document uses wildcarded action 'backup:*' (3 similar results)
────────────────────────────────────────────────────────────────────────────────
  ldap_datasync.tf:51-55
────────────────────────────────────────────────────────────────────────────────
   48    data "aws_iam_policy_document" "ldap_datasync_role_access" {
   ..  
   51  ┌     actions = [
   52  │       "backup:*",
   53  │       "datasync:*",
   54  │       "elasticfilesystem:*",
   55  └     ]
   ..  
   67    }
────────────────────────────────────────────────────────────────────────────────
  Individual Causes
  - ldap_datasync.tf:48-67 (data.aws_iam_policy_document.ldap_datasync_role_access) 3 instances
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #27 HIGH IAM policy document uses sensitive action 'backup:*' on wildcarded resource '*' 
────────────────────────────────────────────────────────────────────────────────
  ldap_datasync.tf:56
────────────────────────────────────────────────────────────────────────────────
   48    data "aws_iam_policy_document" "ldap_datasync_role_access" {
   ..  
   56  [     resources = ["*"]
   ..  
   67    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #28 HIGH IAM policy document uses wildcarded action 's3:*' 
────────────────────────────────────────────────────────────────────────────────
  ldap_datasync.tf:61
────────────────────────────────────────────────────────────────────────────────
   48    data "aws_iam_policy_document" "ldap_datasync_role_access" {
   ..  
   61  [     actions = ["s3:*"]
   ..  
   67    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #29 HIGH IAM policy document uses sensitive action 's3:*' on wildcarded resource '089bc0ba-c110-447d-b993-a06a59023cd9' 
────────────────────────────────────────────────────────────────────────────────
  ldap_datasync.tf:62-65
────────────────────────────────────────────────────────────────────────────────
   48    data "aws_iam_policy_document" "ldap_datasync_role_access" {
   ..  
   62  ┌     resources = [
   63  │       "${module.s3_bucket_ldap_data_refresh.bucket.arn}",
   64  │       "${module.s3_bucket_ldap_data_refresh.bucket.arn}/*",
   65  └     ]
   ..  
   67    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #30 HIGH IAM policy document uses sensitive action 'elasticloadbalancing:Describe*' on wildcarded resource '*' 
────────────────────────────────────────────────────────────────────────────────
  ldap_ecs.tf:170
────────────────────────────────────────────────────────────────────────────────
  167    data "aws_iam_policy_document" "ecs_service_policy" {
  ...  
  170  [     resources = ["*"]
  ...  
  182    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Results #31-32 HIGH IAM policy document uses wildcarded action 'elasticloadbalancing:Describe*' (2 similar results)
────────────────────────────────────────────────────────────────────────────────
  ldap_ecs.tf:172-180
────────────────────────────────────────────────────────────────────────────────
  167    data "aws_iam_policy_document" "ecs_service_policy" {
  168      statement {
  169        effect    = "Allow"
  170        resources = ["*"]
  171    
  172  ┌     actions = [
  173  │       "elasticloadbalancing:Describe*",
  174  │       "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
  175  │       "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
  ...  
────────────────────────────────────────────────────────────────────────────────
  Individual Causes
  - ldap_ecs.tf:167-182 (data.aws_iam_policy_document.ecs_service_policy) 2 instances
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #33 HIGH IAM policy document uses wildcarded action 's3:*' 
────────────────────────────────────────────────────────────────────────────────
  ldap_ecs.tf:209-211
────────────────────────────────────────────────────────────────────────────────
  204    data "aws_iam_policy_document" "ecs_s3" {
  205      statement {
  206        effect    = "Allow"
  207        resources = [module.s3_bucket_migration.bucket.arn]
  208    
  209  ┌     actions = [
  210  │       "s3:*"
  211  └     ]
  212      }
  213    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #34 HIGH IAM policy document uses sensitive action 'ssm:GetParameters' on wildcarded resource '*' 
────────────────────────────────────────────────────────────────────────────────
  ldap_ecs.tf:248
────────────────────────────────────────────────────────────────────────────────
  245    data "aws_iam_policy_document" "ecs_exec" {
  ...  
  248  [     resources = ["*"]
  ...  
  262    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Results #35-36 MEDIUM Bucket does not have versioning enabled (2 similar results)
────────────────────────────────────────────────────────────────────────────────
  github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0/main.tf:170
   via db_s3.tf:1-38 (module.s3_bucket_oracledb_backups)
────────────────────────────────────────────────────────────────────────────────
  167    resource "aws_s3_bucket_versioning" "default" {
  168      bucket = aws_s3_bucket.default.id
  169      versioning_configuration {
  170  [     status = (var.versioning_enabled != true) ? "Suspended" : "Enabled"
  171      }
  172    }
────────────────────────────────────────────────────────────────────────────────
  Individual Causes
  - github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0/main.tf:1-38 (module.s3_bucket_oracledb_backups)
  - github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0/main.tf:96-110 (module.s3_bucket_ldap_data_refresh)
────────────────────────────────────────────────────────────────────────────────
          ID aws-s3-enable-versioning
      Impact Deleted or modified data would not be recoverable
  Resolution Enable versioning to protect against accidental/malicious removal or modification

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/s3/enable-versioning/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#versioning
────────────────────────────────────────────────────────────────────────────────


Result #37 LOW Log group is not encrypted. 
────────────────────────────────────────────────────────────────────────────────
  db_service.tf:114-118
────────────────────────────────────────────────────────────────────────────────
  114    resource "aws_cloudwatch_log_group" "delius_core_testing_db_log_group" {
  115      name              = format("%s-%s", var.env_name, var.delius_db_container_config.fully_qualified_name)
  116      retention_in_days = 7
  117      tags              = local.tags
  118    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-cloudwatch-log-group-customer-key
      Impact Log data may be leaked if the logs are compromised. No auditing of who have viewed the logs.
  Resolution Enable CMK encryption of CloudWatch Log Groups

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/cloudwatch/log-group-customer-key/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group#kms_key_id
────────────────────────────────────────────────────────────────────────────────


Result #38 LOW Security group rule does not have a description. 
────────────────────────────────────────────────────────────────────────────────
  ldap_ecs.tf:113-120
────────────────────────────────────────────────────────────────────────────────
  113    resource "aws_security_group_rule" "efs_ingress_ldap" {
  114      type                     = "ingress"
  115      from_port                = 2049
  116      to_port                  = 2049
  117      protocol                 = "tcp"
  118      source_security_group_id = aws_security_group.ldap_efs.id
  119      security_group_id        = aws_security_group.ldap.id
  120    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-add-description-to-security-group-rule
      Impact Descriptions provide context for the firewall rule reasons
  Resolution Add descriptions for all security groups rules

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/add-description-to-security-group-rule/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule
────────────────────────────────────────────────────────────────────────────────


Result #39 LOW Log group is not encrypted. 
────────────────────────────────────────────────────────────────────────────────
  ldap_ecs.tf:122-125
────────────────────────────────────────────────────────────────────────────────
  122    resource "aws_cloudwatch_log_group" "ldap" {
  123      name              = "${var.env_name}-ldap-ecs"
  124      retention_in_days = 30
  125    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-cloudwatch-log-group-customer-key
      Impact Log data may be leaked if the logs are compromised. No auditing of who have viewed the logs.
  Resolution Enable CMK encryption of CloudWatch Log Groups

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/cloudwatch/log-group-customer-key/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group#kms_key_id
────────────────────────────────────────────────────────────────────────────────


Result #40 LOW Log group is not encrypted. 
────────────────────────────────────────────────────────────────────────────────
  ldap_ecs.tf:271-274
────────────────────────────────────────────────────────────────────────────────
  271    resource "aws_cloudwatch_log_group" "ldap_test" {
  272      name              = "/ecs/ldap_${var.env_name}"
  273      retention_in_days = 5
  274    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-cloudwatch-log-group-customer-key
      Impact Log data may be leaked if the logs are compromised. No auditing of who have viewed the logs.
  Resolution Enable CMK encryption of CloudWatch Log Groups

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/cloudwatch/log-group-customer-key/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group#kms_key_id
────────────────────────────────────────────────────────────────────────────────


Result #41 LOW Security group rule does not have a description. 
────────────────────────────────────────────────────────────────────────────────
  ldap_efs.tf:55-62
────────────────────────────────────────────────────────────────────────────────
   55    resource "aws_security_group_rule" "efs_ingress" {
   56      type                     = "ingress"
   57      from_port                = 2049
   58      to_port                  = 2049
   59      protocol                 = "tcp"
   60      source_security_group_id = aws_security_group.ldap.id
   61      security_group_id        = aws_security_group.ldap_efs.id
   62    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-add-description-to-security-group-rule
      Impact Descriptions provide context for the firewall rule reasons
  Resolution Add descriptions for all security groups rules

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/add-description-to-security-group-rule/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule
────────────────────────────────────────────────────────────────────────────────


Result #42 LOW Security group rule does not have a description. 
────────────────────────────────────────────────────────────────────────────────
  ldap_efs.tf:64-71
────────────────────────────────────────────────────────────────────────────────
   64    resource "aws_security_group_rule" "efs_egress" {
   65      type              = "egress"
   66      from_port         = 0
   67      to_port           = 0
   68      protocol          = "all"
   69      cidr_blocks       = [var.account_config.shared_vpc_cidr]
   70      security_group_id = aws_security_group.ldap_efs.id
   71    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-add-description-to-security-group-rule
      Impact Descriptions provide context for the firewall rule reasons
  Resolution Add descriptions for all security groups rules

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/add-description-to-security-group-rule/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule
────────────────────────────────────────────────────────────────────────────────


Result #43 LOW Log group is not encrypted. 
────────────────────────────────────────────────────────────────────────────────
  weblogic_service.tf:199-203
────────────────────────────────────────────────────────────────────────────────
  199    resource "aws_cloudwatch_log_group" "delius_core_frontend_log_group" {
  200      name              = var.weblogic_config.frontend_fully_qualified_name
  201      retention_in_days = 7
  202      tags              = local.tags
  203    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-cloudwatch-log-group-customer-key
      Impact Log data may be leaked if the logs are compromised. No auditing of who have viewed the logs.
  Resolution Enable CMK encryption of CloudWatch Log Groups

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/cloudwatch/log-group-customer-key/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group#kms_key_id
────────────────────────────────────────────────────────────────────────────────


  timings
  ──────────────────────────────────────────
  disk i/o             2.207562ms
  parsing              2.540800465s
  adaptation           28.320567ms
  checks               12.163688ms
  total                2.583492282s

  counts
  ──────────────────────────────────────────
  modules downloaded   4
  modules processed    14
  blocks processed     649
  files read           74

  results
  ──────────────────────────────────────────
  passed               223
  ignored              20
  critical             2
  high                 32
  medium               2
  low                  7

  223 passed, 20 ignored, 43 potential problem(s) detected.

tfsec_exitcode=1

Checkov Scan Failed

*****************************

Checkov will check the following folders:
terraform/environments/delius-core/modules/environment_all_components

*****************************

Running Checkov in terraform/environments/delius-core/modules/environment_all_components
2023-10-13 06:52:47,833 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0:None (for external modules, the --download-external-modules flag is required)
2023-10-13 06:52:47,833 [MainThread  ] [WARNI]  Failed to download module git::https://github.com/cloudposse/terraform-aws-ecs-container-definition.git?ref=tags/0.59.0:None (for external modules, the --download-external-modules flag is required)
2023-10-13 06:52:47,833 [MainThread  ] [WARNI]  Failed to download module git::https://github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//service?ref=c195026bcf0a1958fa4d3cc2efefc56ed876507e:None (for external modules, the --download-external-modules flag is required)
2023-10-13 06:52:47,833 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//cluster?ref=c195026bcf0a1958fa4d3cc2efefc56ed876507e:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 643, Failed checks: 77, Skipped checks: 4

Check: CKV_AWS_108: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: module.db_ecs_policies.aws_iam_policy_document.task_exec
	File: /../ecs_policies/main.tf:104-121
	Calling File: /db_service.tf:27-33
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-data-exfiltration.html

		104 | data "aws_iam_policy_document" "task_exec" {
		105 |   statement {
		106 |     effect    = "Allow"
		107 |     resources = ["*"]
		108 | 
		109 |     actions = concat([
		110 |       "ssm:GetParameters",
		111 |       "ecr:GetAuthorizationToken",
		112 |       "ecr:BatchCheckLayerAvailability",
		113 |       "ecr:GetDownloadUrlForLayer",
		114 |       "ecr:BatchGetImage",
		115 |       "logs:CreateLogGroup",
		116 |       "logs:CreateLogStream",
		117 |       "logs:PutLogEvents",
		118 |       "secretsmanager:GetSecretValue"
		119 |     ], var.extra_exec_role_allow_statements)
		120 |   }
		121 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.db_ecs_policies.aws_iam_policy_document.task_exec
	File: /../ecs_policies/main.tf:104-121
	Calling File: /db_service.tf:27-33

		104 | data "aws_iam_policy_document" "task_exec" {
		105 |   statement {
		106 |     effect    = "Allow"
		107 |     resources = ["*"]
		108 | 
		109 |     actions = concat([
		110 |       "ssm:GetParameters",
		111 |       "ecr:GetAuthorizationToken",
		112 |       "ecr:BatchCheckLayerAvailability",
		113 |       "ecr:GetDownloadUrlForLayer",
		114 |       "ecr:BatchGetImage",
		115 |       "logs:CreateLogGroup",
		116 |       "logs:CreateLogStream",
		117 |       "logs:PutLogEvents",
		118 |       "secretsmanager:GetSecretValue"
		119 |     ], var.extra_exec_role_allow_statements)
		120 |   }
		121 | }

Check: CKV_AWS_108: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: module.ldap_ecs_policies.aws_iam_policy_document.task_exec
	File: /../ecs_policies/main.tf:104-121
	Calling File: /ldap_ecs.tf:1-14
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-data-exfiltration.html

		104 | data "aws_iam_policy_document" "task_exec" {
		105 |   statement {
		106 |     effect    = "Allow"
		107 |     resources = ["*"]
		108 | 
		109 |     actions = concat([
		110 |       "ssm:GetParameters",
		111 |       "ecr:GetAuthorizationToken",
		112 |       "ecr:BatchCheckLayerAvailability",
		113 |       "ecr:GetDownloadUrlForLayer",
		114 |       "ecr:BatchGetImage",
		115 |       "logs:CreateLogGroup",
		116 |       "logs:CreateLogStream",
		117 |       "logs:PutLogEvents",
		118 |       "secretsmanager:GetSecretValue"
		119 |     ], var.extra_exec_role_allow_statements)
		120 |   }
		121 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.ldap_ecs_policies.aws_iam_policy_document.task_exec
	File: /../ecs_policies/main.tf:104-121
	Calling File: /ldap_ecs.tf:1-14

		104 | data "aws_iam_policy_document" "task_exec" {
		105 |   statement {
		106 |     effect    = "Allow"
		107 |     resources = ["*"]
		108 | 
		109 |     actions = concat([
		110 |       "ssm:GetParameters",
		111 |       "ecr:GetAuthorizationToken",
		112 |       "ecr:BatchCheckLayerAvailability",
		113 |       "ecr:GetDownloadUrlForLayer",
		114 |       "ecr:BatchGetImage",
		115 |       "logs:CreateLogGroup",
		116 |       "logs:CreateLogStream",
		117 |       "logs:PutLogEvents",
		118 |       "secretsmanager:GetSecretValue"
		119 |     ], var.extra_exec_role_allow_statements)
		120 |   }
		121 | }

Check: CKV_AWS_108: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: module.weblogic_ecs_policies.aws_iam_policy_document.task_exec
	File: /../ecs_policies/main.tf:104-121
	Calling File: /weblogic_service.tf:65-70
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-data-exfiltration.html

		104 | data "aws_iam_policy_document" "task_exec" {
		105 |   statement {
		106 |     effect    = "Allow"
		107 |     resources = ["*"]
		108 | 
		109 |     actions = concat([
		110 |       "ssm:GetParameters",
		111 |       "ecr:GetAuthorizationToken",
		112 |       "ecr:BatchCheckLayerAvailability",
		113 |       "ecr:GetDownloadUrlForLayer",
		114 |       "ecr:BatchGetImage",
		115 |       "logs:CreateLogGroup",
		116 |       "logs:CreateLogStream",
		117 |       "logs:PutLogEvents",
		118 |       "secretsmanager:GetSecretValue"
		119 |     ], var.extra_exec_role_allow_statements)
		120 |   }
		121 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.weblogic_ecs_policies.aws_iam_policy_document.task_exec
	File: /../ecs_policies/main.tf:104-121
	Calling File: /weblogic_service.tf:65-70

		104 | data "aws_iam_policy_document" "task_exec" {
		105 |   statement {
		106 |     effect    = "Allow"
		107 |     resources = ["*"]
		108 | 
		109 |     actions = concat([
		110 |       "ssm:GetParameters",
		111 |       "ecr:GetAuthorizationToken",
		112 |       "ecr:BatchCheckLayerAvailability",
		113 |       "ecr:GetDownloadUrlForLayer",
		114 |       "ecr:BatchGetImage",
		115 |       "logs:CreateLogGroup",
		116 |       "logs:CreateLogStream",
		117 |       "logs:PutLogEvents",
		118 |       "secretsmanager:GetSecretValue"
		119 |     ], var.extra_exec_role_allow_statements)
		120 |   }
		121 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.db_ec2_primary_instance
	File: /db_ec2.tf:54-94
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-31.html

		54 | resource "aws_instance" "db_ec2_primary_instance" {
		55 |   #checkov:skip=CKV2_AWS_41:"IAM role is not implemented for this example EC2. SSH/AWS keys are not used either."
		56 |   instance_type               = var.db_config.instance.instance_type
		57 |   ami                         = data.aws_ami.oracle_db_ami.id
		58 |   vpc_security_group_ids      = [aws_security_group.db_ec2_instance_sg.id]
		59 |   subnet_id                   = var.account_config.data_subnet_a_id
		60 |   iam_instance_profile        = aws_iam_instance_profile.db_ec2_instanceprofile.name
		61 |   associate_public_ip_address = false
		62 |   monitoring                  = var.db_config.instance.monitoring
		63 |   ebs_optimized               = true
		64 |   key_name                    = aws_key_pair.environment_ec2_user_key_pair.key_name
		65 |   user_data_base64            = var.db_config.user_data_raw
		66 | 
		67 |   metadata_options {
		68 |     http_endpoint = "enabled"
		69 |     http_tokens   = "optional"
		70 |   }
		71 | 
		72 |   root_block_device {
		73 |     volume_type = var.db_config.ebs_volumes.root_volume.volume_type
		74 |     volume_size = var.db_config.ebs_volumes.root_volume.volume_size
		75 |     iops        = var.db_config.ebs_volumes.iops
		76 |     throughput  = var.db_config.ebs_volumes.throughput
		77 |     encrypted   = true
		78 |     kms_key_id  = var.db_config.ebs_volumes.kms_key_id
		79 |     tags        = local.tags
		80 |   }
		81 | 
		82 |   dynamic "ephemeral_block_device" {
		83 |     for_each = { for k, v in var.db_config.ebs_volumes.ebs_non_root_volumes : k => v if v.no_device == true }
		84 |     content {
		85 |       device_name = ephemeral_block_device.key
		86 |       no_device   = true
		87 |     }
		88 |   }
		89 |   tags = merge(local.tags,
		90 |     { Name = lower(format("%s-%s-1", var.env_name, var.db_config.name)) },
		91 |     { server-type = "delius_core_db" },
		92 |     { database = "delius_primarydb" }
		93 |   )
		94 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3_bucket_oracledb_backups
	File: /db_s3.tf:1-38
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision.html

		1  | module "s3_bucket_oracledb_backups" {
		2  |   source              = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0"
		3  |   bucket_name         = "${var.env_name}-oracle-database-backups"
		4  |   versioning_enabled  = false
		5  |   ownership_controls  = "BucketOwnerEnforced"
		6  |   replication_enabled = false
		7  |   custom_kms_key      = var.account_config.general_shared_kms_key_arn
		8  | 
		9  |   providers = {
		10 |     aws.bucket-replication = aws.bucket-replication
		11 |   }
		12 | 
		13 |   lifecycle_rule = [
		14 |     {
		15 |       id      = "main"
		16 |       enabled = "Enabled"
		17 |       prefix  = ""
		18 | 
		19 |       tags = {
		20 |         rule      = "log"
		21 |         autoclean = "true"
		22 |       }
		23 | 
		24 |       transition = [
		25 |         {
		26 |           days          = 90
		27 |           storage_class = "STANDARD_IA"
		28 |         }
		29 |       ]
		30 | 
		31 |       expiration = {
		32 |         days = 365
		33 |       }
		34 |     }
		35 |   ]
		36 | 
		37 |   tags = local.tags
		38 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.delius_core_testing_db_log_group
	File: /db_service.tf:114-118

		114 | resource "aws_cloudwatch_log_group" "delius_core_testing_db_log_group" {
		115 |   name              = format("%s-%s", var.env_name, var.delius_db_container_config.fully_qualified_name)
		116 |   retention_in_days = 7
		117 |   tags              = local.tags
		118 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.delius_core_testing_db_log_group
	File: /db_service.tf:114-118
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html

		114 | resource "aws_cloudwatch_log_group" "delius_core_testing_db_log_group" {
		115 |   name              = format("%s-%s", var.env_name, var.delius_db_container_config.fully_qualified_name)
		116 |   retention_in_days = 7
		117 |   tags              = local.tags
		118 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: testing_db_container
	File: /db_service.tf:1-25
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision.html

		1  | module "testing_db_container" {
		2  |   count                    = var.env_name == "dev" ? 1 : 0
		3  |   source                   = "git::https://github.com/cloudposse/terraform-aws-ecs-container-definition.git?ref=tags/0.59.0"
		4  |   container_name           = "${var.env_name}-${var.delius_db_container_config.fully_qualified_name}"
		5  |   container_image          = "${var.platform_vars.environment_management.account_ids["core-shared-services-production"]}.dkr.ecr.eu-west-2.amazonaws.com/${var.delius_db_container_config.image_name}-ecr-repo:${var.delius_db_container_config.image_tag}"
		6  |   container_memory         = 4096
		7  |   container_cpu            = 1024
		8  |   essential                = true
		9  |   readonly_root_filesystem = false
		10 |   port_mappings = [
		11 |     {
		12 |       containerPort = var.delius_db_container_config.port
		13 |       hostPort      = var.delius_db_container_config.port
		14 |       protocol      = "tcp"
		15 |     },
		16 |   ]
		17 |   log_configuration = {
		18 |     logDriver = "awslogs"
		19 |     options = {
		20 |       "awslogs-group"         = aws_cloudwatch_log_group.delius_core_testing_db_log_group.name
		21 |       "awslogs-region"        = "eu-west-2"
		22 |       "awslogs-stream-prefix" = var.delius_db_container_config.fully_qualified_name
		23 |     }
		24 |   }
		25 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.delius_core_backup_policy
	File: /ldap_backups.tf:69-89
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint.html

		69 | data "aws_iam_policy_document" "delius_core_backup_policy" {
		70 |   statement {
		71 |     effect    = "Allow"
		72 |     resources = ["*"]
		73 | 
		74 |     actions = [
		75 |       "backup:CreateBackupPlan",
		76 |       "backup:CreateBackupSelection",
		77 |       "backup:StartBackupJob",
		78 |       "backup:DescribeBackupJob",
		79 |       "backup:ListBackupJobs",
		80 |       "backup:ListBackupVaults",
		81 |       "backup:ListRecoveryPointsByBackupVault",
		82 |       "backup:ListBackupPlanTemplates",
		83 |       "backup:DescribeRestoreJob",
		84 |       "backup:GetRecoveryPointRestoreMetadata",
		85 |       "backup:ListRestoreJobs",
		86 |       "backup:StartRestoreJob"
		87 |     ]
		88 |   }
		89 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.delius_core_backup_policy
	File: /ldap_backups.tf:69-89

		69 | data "aws_iam_policy_document" "delius_core_backup_policy" {
		70 |   statement {
		71 |     effect    = "Allow"
		72 |     resources = ["*"]
		73 | 
		74 |     actions = [
		75 |       "backup:CreateBackupPlan",
		76 |       "backup:CreateBackupSelection",
		77 |       "backup:StartBackupJob",
		78 |       "backup:DescribeBackupJob",
		79 |       "backup:ListBackupJobs",
		80 |       "backup:ListBackupVaults",
		81 |       "backup:ListRecoveryPointsByBackupVault",
		82 |       "backup:ListBackupPlanTemplates",
		83 |       "backup:DescribeRestoreJob",
		84 |       "backup:GetRecoveryPointRestoreMetadata",
		85 |       "backup:ListRestoreJobs",
		86 |       "backup:StartRestoreJob"
		87 |     ]
		88 |   }
		89 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.efs_backup_policy
	File: /ldap_backups.tf:97-134
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint.html

		97  | data "aws_iam_policy_document" "efs_backup_policy" {
		98  |   statement {
		99  |     effect    = "Allow"
		100 |     resources = ["*"]
		101 | 
		102 |     actions = [
		103 |       "efs:DescribeFileSystems",
		104 |       "efs:CreateBackup",
		105 |       "efs:DeleteBackup",
		106 |       "efs:DescribeBackups",
		107 |       "efs:CreateTags",
		108 |       "efs:UntagResource",
		109 |       "efs:TagResource",
		110 |       "efs:DescribeTags",
		111 |       "elasticfilesystem:Backup",
		112 |       "elasticfilesystem:DescribeTags",
		113 |       "elasticfilesystem:CreateAccessPoint",
		114 |       "elasticfilesystem:CreateFileSystem",
		115 |       "elasticfilesystem:CreateMountTarget",
		116 |       "elasticfilesystem:DeleteAccessPoint",
		117 |       "elasticfilesystem:DeleteFileSystem",
		118 |       "elasticfilesystem:DeleteMountTarget",
		119 |       "elasticfilesystem:DescribeAccessPoints",
		120 |       "elasticfilesystem:DescribeFileSystemPolicy",
		121 |       "elasticfilesystem:DescribeFileSystems",
		122 |       "elasticfilesystem:DescribeLifecycleConfiguration",
		123 |       "elasticfilesystem:DescribeMountTargets",
		124 |       "elasticfilesystem:DescribeMountTargetSecurityGroups",
		125 |       "elasticfilesystem:PutBackupPolicy",
		126 |       "elasticfilesystem:PutFileSystemPolicy",
		127 |       "elasticfilesystem:PutLifecycleConfiguration",
		128 |       "elasticfilesystem:Restore",
		129 |       "elasticfilesystem:TagResource",
		130 |       "elasticfilesystem:UntagResource",
		131 |       "elasticfilesystem:UpdateFileSystem"
		132 |     ]
		133 |   }
		134 | }

Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy_document.efs_backup_policy
	File: /ldap_backups.tf:97-134
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint.html

		97  | data "aws_iam_policy_document" "efs_backup_policy" {
		98  |   statement {
		99  |     effect    = "Allow"
		100 |     resources = ["*"]
		101 | 
		102 |     actions = [
		103 |       "efs:DescribeFileSystems",
		104 |       "efs:CreateBackup",
		105 |       "efs:DeleteBackup",
		106 |       "efs:DescribeBackups",
		107 |       "efs:CreateTags",
		108 |       "efs:UntagResource",
		109 |       "efs:TagResource",
		110 |       "efs:DescribeTags",
		111 |       "elasticfilesystem:Backup",
		112 |       "elasticfilesystem:DescribeTags",
		113 |       "elasticfilesystem:CreateAccessPoint",
		114 |       "elasticfilesystem:CreateFileSystem",
		115 |       "elasticfilesystem:CreateMountTarget",
		116 |       "elasticfilesystem:DeleteAccessPoint",
		117 |       "elasticfilesystem:DeleteFileSystem",
		118 |       "elasticfilesystem:DeleteMountTarget",
		119 |       "elasticfilesystem:DescribeAccessPoints",
		120 |       "elasticfilesystem:DescribeFileSystemPolicy",
		121 |       "elasticfilesystem:DescribeFileSystems",
		122 |       "elasticfilesystem:DescribeLifecycleConfiguration",
		123 |       "elasticfilesystem:DescribeMountTargets",
		124 |       "elasticfilesystem:DescribeMountTargetSecurityGroups",
		125 |       "elasticfilesystem:PutBackupPolicy",
		126 |       "elasticfilesystem:PutFileSystemPolicy",
		127 |       "elasticfilesystem:PutLifecycleConfiguration",
		128 |       "elasticfilesystem:Restore",
		129 |       "elasticfilesystem:TagResource",
		130 |       "elasticfilesystem:UntagResource",
		131 |       "elasticfilesystem:UpdateFileSystem"
		132 |     ]
		133 |   }
		134 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.efs_backup_policy
	File: /ldap_backups.tf:97-134

		97  | data "aws_iam_policy_document" "efs_backup_policy" {
		98  |   statement {
		99  |     effect    = "Allow"
		100 |     resources = ["*"]
		101 | 
		102 |     actions = [
		103 |       "efs:DescribeFileSystems",
		104 |       "efs:CreateBackup",
		105 |       "efs:DeleteBackup",
		106 |       "efs:DescribeBackups",
		107 |       "efs:CreateTags",
		108 |       "efs:UntagResource",
		109 |       "efs:TagResource",
		110 |       "efs:DescribeTags",
		111 |       "elasticfilesystem:Backup",
		112 |       "elasticfilesystem:DescribeTags",
		113 |       "elasticfilesystem:CreateAccessPoint",
		114 |       "elasticfilesystem:CreateFileSystem",
		115 |       "elasticfilesystem:CreateMountTarget",
		116 |       "elasticfilesystem:DeleteAccessPoint",
		117 |       "elasticfilesystem:DeleteFileSystem",
		118 |       "elasticfilesystem:DeleteMountTarget",
		119 |       "elasticfilesystem:DescribeAccessPoints",
		120 |       "elasticfilesystem:DescribeFileSystemPolicy",
		121 |       "elasticfilesystem:DescribeFileSystems",
		122 |       "elasticfilesystem:DescribeLifecycleConfiguration",
		123 |       "elasticfilesystem:DescribeMountTargets",
		124 |       "elasticfilesystem:DescribeMountTargetSecurityGroups",
		125 |       "elasticfilesystem:PutBackupPolicy",
		126 |       "elasticfilesystem:PutFileSystemPolicy",
		127 |       "elasticfilesystem:PutLifecycleConfiguration",
		128 |       "elasticfilesystem:Restore",
		129 |       "elasticfilesystem:TagResource",
		130 |       "elasticfilesystem:UntagResource",
		131 |       "elasticfilesystem:UpdateFileSystem"
		132 |     ]
		133 |   }
		134 | }

Check: CKV_AWS_166: "Ensure Backup Vault is encrypted at rest using KMS CMK"
	FAILED for resource: aws_backup_vault.ldap_backup_vault
	File: /ldap_backups.tf:1-9
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-backup-vault-is-encrypted-at-rest-using-kms-cmk.html

		1 | resource "aws_backup_vault" "ldap_backup_vault" {
		2 |   name = "${var.env_name}-ldap-efs-backup-vault"
		3 |   tags = merge(
		4 |     local.tags,
		5 |     {
		6 |       Name = "${var.env_name}-ldap-efs-backup-vault"
		7 |     },
		8 |   )
		9 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.ldap_datasync_role_access
	File: /ldap_datasync.tf:48-67
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint.html

		48 | data "aws_iam_policy_document" "ldap_datasync_role_access" {
		49 |   statement {
		50 |     effect = "Allow"
		51 |     actions = [
		52 |       "backup:*",
		53 |       "datasync:*",
		54 |       "elasticfilesystem:*",
		55 |     ]
		56 |     resources = ["*"]
		57 |   }
		58 |   statement {
		59 |     sid     = "allowAccessForDataSync"
		60 |     effect  = "Allow"
		61 |     actions = ["s3:*"]
		62 |     resources = [
		63 |       "${module.s3_bucket_ldap_data_refresh.bucket.arn}",
		64 |       "${module.s3_bucket_ldap_data_refresh.bucket.arn}/*",
		65 |     ]
		66 |   }
		67 | }

Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy_document.ldap_datasync_role_access
	File: /ldap_datasync.tf:48-67
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint.html

		48 | data "aws_iam_policy_document" "ldap_datasync_role_access" {
		49 |   statement {
		50 |     effect = "Allow"
		51 |     actions = [
		52 |       "backup:*",
		53 |       "datasync:*",
		54 |       "elasticfilesystem:*",
		55 |     ]
		56 |     resources = ["*"]
		57 |   }
		58 |   statement {
		59 |     sid     = "allowAccessForDataSync"
		60 |     effect  = "Allow"
		61 |     actions = ["s3:*"]
		62 |     resources = [
		63 |       "${module.s3_bucket_ldap_data_refresh.bucket.arn}",
		64 |       "${module.s3_bucket_ldap_data_refresh.bucket.arn}/*",
		65 |     ]
		66 |   }
		67 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.ldap_datasync_role_access
	File: /ldap_datasync.tf:48-67

		48 | data "aws_iam_policy_document" "ldap_datasync_role_access" {
		49 |   statement {
		50 |     effect = "Allow"
		51 |     actions = [
		52 |       "backup:*",
		53 |       "datasync:*",
		54 |       "elasticfilesystem:*",
		55 |     ]
		56 |     resources = ["*"]
		57 |   }
		58 |   statement {
		59 |     sid     = "allowAccessForDataSync"
		60 |     effect  = "Allow"
		61 |     actions = ["s3:*"]
		62 |     resources = [
		63 |       "${module.s3_bucket_ldap_data_refresh.bucket.arn}",
		64 |       "${module.s3_bucket_ldap_data_refresh.bucket.arn}/*",
		65 |     ]
		66 |   }
		67 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3_bucket_ldap_data_refresh
	File: /ldap_datasync.tf:96-110
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision.html

		96  | module "s3_bucket_ldap_data_refresh" {
		97  |   source              = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0"
		98  |   bucket_name         = "${var.env_name}-ldap-data-refresh-incoming"
		99  |   versioning_enabled  = false
		100 |   ownership_controls  = "BucketOwnerEnforced"
		101 |   replication_enabled = false
		102 |   custom_kms_key      = var.account_config.general_shared_kms_key_arn
		103 |   bucket_policy_v2    = local.ldap_refresh_bucket_policies
		104 | 
		105 |   providers = {
		106 |     aws.bucket-replication = aws.bucket-replication
		107 |   }
		108 | 
		109 |   tags = local.tags
		110 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.ecs_service_policy
	File: /ldap_ecs.tf:167-182
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint.html

		167 | data "aws_iam_policy_document" "ecs_service_policy" {
		168 |   statement {
		169 |     effect    = "Allow"
		170 |     resources = ["*"]
		171 | 
		172 |     actions = [
		173 |       "elasticloadbalancing:Describe*",
		174 |       "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
		175 |       "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
		176 |       "ec2:Describe*",
		177 |       "ec2:AuthorizeSecurityGroupIngress",
		178 |       "elasticloadbalancing:RegisterTargets",
		179 |       "elasticloadbalancing:DeregisterTargets"
		180 |     ]
		181 |   }
		182 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.ecs_service_policy
	File: /ldap_ecs.tf:167-182

		167 | data "aws_iam_policy_document" "ecs_service_policy" {
		168 |   statement {
		169 |     effect    = "Allow"
		170 |     resources = ["*"]
		171 | 
		172 |     actions = [
		173 |       "elasticloadbalancing:Describe*",
		174 |       "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
		175 |       "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
		176 |       "ec2:Describe*",
		177 |       "ec2:AuthorizeSecurityGroupIngress",
		178 |       "elasticloadbalancing:RegisterTargets",
		179 |       "elasticloadbalancing:DeregisterTargets"
		180 |     ]
		181 |   }
		182 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.ecs_exec
	File: /ldap_ecs.tf:245-262
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint.html

		245 | data "aws_iam_policy_document" "ecs_exec" {
		246 |   statement {
		247 |     effect    = "Allow"
		248 |     resources = ["*"]
		249 | 
		250 |     actions = [
		251 |       "ssm:GetParameters",
		252 |       "ecr:GetAuthorizationToken",
		253 |       "ecr:BatchCheckLayerAvailability",
		254 |       "ecr:GetDownloadUrlForLayer",
		255 |       "ecr:BatchGetImage",
		256 |       "logs:CreateLogGroup",
		257 |       "logs:CreateLogStream",
		258 |       "logs:PutLogEvents",
		259 |       "secretsmanager:GetSecretValue"
		260 |     ]
		261 |   }
		262 | }

Check: CKV_AWS_108: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_policy_document.ecs_exec
	File: /ldap_ecs.tf:245-262
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-data-exfiltration.html

		245 | data "aws_iam_policy_document" "ecs_exec" {
		246 |   statement {
		247 |     effect    = "Allow"
		248 |     resources = ["*"]
		249 | 
		250 |     actions = [
		251 |       "ssm:GetParameters",
		252 |       "ecr:GetAuthorizationToken",
		253 |       "ecr:BatchCheckLayerAvailability",
		254 |       "ecr:GetDownloadUrlForLayer",
		255 |       "ecr:BatchGetImage",
		256 |       "logs:CreateLogGroup",
		257 |       "logs:CreateLogStream",
		258 |       "logs:PutLogEvents",
		259 |       "secretsmanager:GetSecretValue"
		260 |     ]
		261 |   }
		262 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.ecs_exec
	File: /ldap_ecs.tf:245-262

		245 | data "aws_iam_policy_document" "ecs_exec" {
		246 |   statement {
		247 |     effect    = "Allow"
		248 |     resources = ["*"]
		249 | 
		250 |     actions = [
		251 |       "ssm:GetParameters",
		252 |       "ecr:GetAuthorizationToken",
		253 |       "ecr:BatchCheckLayerAvailability",
		254 |       "ecr:GetDownloadUrlForLayer",
		255 |       "ecr:BatchGetImage",
		256 |       "logs:CreateLogGroup",
		257 |       "logs:CreateLogStream",
		258 |       "logs:PutLogEvents",
		259 |       "secretsmanager:GetSecretValue"
		260 |     ]
		261 |   }
		262 | }

Check: CKV_AWS_23: "Ensure every security groups rule has a description"
	FAILED for resource: aws_security_group_rule.efs_ingress_ldap
	File: /ldap_ecs.tf:113-120
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html

		113 | resource "aws_security_group_rule" "efs_ingress_ldap" {
		114 |   type                     = "ingress"
		115 |   from_port                = 2049
		116 |   to_port                  = 2049
		117 |   protocol                 = "tcp"
		118 |   source_security_group_id = aws_security_group.ldap_efs.id
		119 |   security_group_id        = aws_security_group.ldap.id
		120 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.ldap
	File: /ldap_ecs.tf:122-125

		122 | resource "aws_cloudwatch_log_group" "ldap" {
		123 |   name              = "${var.env_name}-ldap-ecs"
		124 |   retention_in_days = 30
		125 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.ldap
	File: /ldap_ecs.tf:122-125
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html

		122 | resource "aws_cloudwatch_log_group" "ldap" {
		123 |   name              = "${var.env_name}-ldap-ecs"
		124 |   retention_in_days = 30
		125 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.ldap_test
	File: /ldap_ecs.tf:271-274

		271 | resource "aws_cloudwatch_log_group" "ldap_test" {
		272 |   name              = "/ecs/ldap_${var.env_name}"
		273 |   retention_in_days = 5
		274 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.ldap_test
	File: /ldap_ecs.tf:271-274
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html

		271 | resource "aws_cloudwatch_log_group" "ldap_test" {
		272 |   name              = "/ecs/ldap_${var.env_name}"
		273 |   retention_in_days = 5
		274 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3_bucket_ldap_deployment
	File: /ldap_ecs.tf:33-71
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision.html

		33 | module "s3_bucket_ldap_deployment" {
		34 | 
		35 |   source = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0"
		36 | 
		37 |   providers = {
		38 |     aws.bucket-replication = aws.bucket-replication
		39 |   }
		40 |   bucket_prefix      = "${var.env_name}-ldap-deployment-"
		41 |   versioning_enabled = true
		42 | 
		43 |   lifecycle_rule = [
		44 |     {
		45 |       id      = "main"
		46 |       enabled = "Enabled"
		47 |       prefix  = ""
		48 | 
		49 |       tags = {
		50 |         rule      = "log"
		51 |         autoclean = "true"
		52 |       }
		53 | 
		54 |       noncurrent_version_transition = [
		55 |         {
		56 |           days          = 90
		57 |           storage_class = "STANDARD_IA"
		58 |           }, {
		59 |           days          = 365
		60 |           storage_class = "GLACIER"
		61 |         }
		62 |       ]
		63 | 
		64 |       noncurrent_version_expiration = {
		65 |         days = 730
		66 |       }
		67 |     }
		68 |   ]
		69 | 
		70 |   tags = local.tags
		71 | }

Check: CKV_AWS_329: "EFS access points should enforce a root directory"
	FAILED for resource: aws_efs_access_point.ldap
	File: /ldap_efs.tf:24-35

		24 | resource "aws_efs_access_point" "ldap" {
		25 |   file_system_id = aws_efs_file_system.ldap.id
		26 |   root_directory {
		27 |     path = "/"
		28 |   }
		29 |   tags = merge(
		30 |     local.tags,
		31 |     {
		32 |       Name = "${var.env_name}-ldap-efs-access-point"
		33 |     }
		34 |   )
		35 | }

Check: CKV_AWS_330: "EFS access points should enforce a user identity"
	FAILED for resource: aws_efs_access_point.ldap
	File: /ldap_efs.tf:24-35

		24 | resource "aws_efs_access_point" "ldap" {
		25 |   file_system_id = aws_efs_file_system.ldap.id
		26 |   root_directory {
		27 |     path = "/"
		28 |   }
		29 |   tags = merge(
		30 |     local.tags,
		31 |     {
		32 |       Name = "${var.env_name}-ldap-efs-access-point"
		33 |     }
		34 |   )
		35 | }

Check: CKV_AWS_23: "Ensure every security groups rule has a description"
	FAILED for resource: aws_security_group_rule.efs_ingress
	File: /ldap_efs.tf:55-62
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html

		55 | resource "aws_security_group_rule" "efs_ingress" {
		56 |   type                     = "ingress"
		57 |   from_port                = 2049
		58 |   to_port                  = 2049
		59 |   protocol                 = "tcp"
		60 |   source_security_group_id = aws_security_group.ldap.id
		61 |   security_group_id        = aws_security_group.ldap_efs.id
		62 | }

Check: CKV_AWS_23: "Ensure every security groups rule has a description"
	FAILED for resource: aws_security_group_rule.efs_egress
	File: /ldap_efs.tf:64-71
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html

		64 | resource "aws_security_group_rule" "efs_egress" {
		65 |   type              = "egress"
		66 |   from_port         = 0
		67 |   to_port           = 0
		68 |   protocol          = "all"
		69 |   cidr_blocks       = [var.account_config.shared_vpc_cidr]
		70 |   security_group_id = aws_security_group.ldap_efs.id
		71 | }

Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
	FAILED for resource: aws_lb.ldap
	File: /ldap_nlb.tf:14-23
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22.html

		14 | resource "aws_lb" "ldap" {
		15 |   name                       = local.ldap_nlb_name
		16 |   internal                   = true
		17 |   load_balancer_type         = "network"
		18 |   subnets                    = var.account_config.private_subnet_ids
		19 |   drop_invalid_header_fields = true
		20 |   enable_deletion_protection = false
		21 | 
		22 |   tags = local.ldap_nlb_tags
		23 | }

Check: CKV_AWS_152: "Ensure that Load Balancer (Network/Gateway) has cross-zone load balancing enabled"
	FAILED for resource: aws_lb.ldap
	File: /ldap_nlb.tf:14-23
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-load-balancer-networkgateway-has-cross-zone-load-balancing-enabled.html

		14 | resource "aws_lb" "ldap" {
		15 |   name                       = local.ldap_nlb_name
		16 |   internal                   = true
		17 |   load_balancer_type         = "network"
		18 |   subnets                    = var.account_config.private_subnet_ids
		19 |   drop_invalid_header_fields = true
		20 |   enable_deletion_protection = false
		21 | 
		22 |   tags = local.ldap_nlb_tags
		23 | }

Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
	FAILED for resource: aws_lb.ldap
	File: /ldap_nlb.tf:14-23
	Guide: https://docs.bridgecrew.io/docs/bc_aws_networking_62

		14 | resource "aws_lb" "ldap" {
		15 |   name                       = local.ldap_nlb_name
		16 |   internal                   = true
		17 |   load_balancer_type         = "network"
		18 |   subnets                    = var.account_config.private_subnet_ids
		19 |   drop_invalid_header_fields = true
		20 |   enable_deletion_protection = false
		21 | 
		22 |   tags = local.ldap_nlb_tags
		23 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.delius_core_ldap_credential
	File: /ldap_params.tf:2-4
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms.html

		2 | resource "aws_secretsmanager_secret" "delius_core_ldap_credential" {
		3 |   name = "${var.account_info.application_name}-${var.env_name}-openldap-bind-password"
		4 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_ldap_host
	File: /ldap_params.tf:20-30

		20 | resource "aws_ssm_parameter" "delius_core_ldap_host" {
		21 |   name  = format("/%s-%s/LDAP_HOST", var.account_info.application_name, var.env_name)
		22 |   type  = "SecureString"
		23 |   value = "INITIAL_VALUE_OVERRIDDEN"
		24 |   lifecycle {
		25 |     ignore_changes = [
		26 |       value
		27 |     ]
		28 |   }
		29 |   tags = local.tags
		30 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_ldap_principal
	File: /ldap_params.tf:32-42

		32 | resource "aws_ssm_parameter" "delius_core_ldap_principal" {
		33 |   name  = format("/%s-%s/LDAP_PRINCIPAL", var.account_info.application_name, var.env_name)
		34 |   type  = "SecureString"
		35 |   value = "INITIAL_VALUE_OVERRIDDEN"
		36 |   lifecycle {
		37 |     ignore_changes = [
		38 |       value
		39 |     ]
		40 |   }
		41 |   tags = local.tags
		42 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3_bucket_migration
	File: /ldap_s3.tf:1-91
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision.html

		Code lines for this resource are too many. Please use IDE of your choice to review the file.

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3_bucket_app_deployment
	File: /ldap_s3.tf:94-133
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision.html

		94  | module "s3_bucket_app_deployment" {
		95  | 
		96  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0"
		97  | 
		98  |   bucket_name        = "${var.app_name}-${var.env_name}-openldap-deployment"
		99  |   versioning_enabled = true
		100 | 
		101 |   providers = {
		102 |     aws.bucket-replication = aws.bucket-replication
		103 |   }
		104 | 
		105 |   lifecycle_rule = [
		106 |     {
		107 |       id      = "main"
		108 |       enabled = "Enabled"
		109 |       prefix  = ""
		110 | 
		111 |       tags = {
		112 |         rule      = "log"
		113 |         autoclean = "true"
		114 |       }
		115 | 
		116 |       noncurrent_version_transition = [
		117 |         {
		118 |           days          = 90
		119 |           storage_class = "STANDARD_IA"
		120 |           }, {
		121 |           days          = 365
		122 |           storage_class = "GLACIER"
		123 |         }
		124 |       ]
		125 | 
		126 |       noncurrent_version_expiration = {
		127 |         days = 730
		128 |       }
		129 |     }
		130 |   ]
		131 | 
		132 |   tags = local.tags
		133 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.ldap_bind_password
	File: /ssm.tf:17-28

		17 | resource "aws_ssm_parameter" "ldap_bind_password" {
		18 |   name  = format("/%s-%s/LDAP_BIND_PASSWORD", var.account_info.application_name, var.env_name)
		19 |   type  = "SecureString"
		20 |   value = "INITIAL_VALUE_OVERRIDDEN"
		21 |   lifecycle {
		22 |     ignore_changes = [
		23 |       value
		24 |     ]
		25 |   }
		26 |   tags = local.tags
		27 | 
		28 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.ldap_admin_password
	File: /ssm.tf:30-41

		30 | resource "aws_ssm_parameter" "ldap_admin_password" {
		31 |   name  = format("/%s-%s/LDAP_ADMIN_PASSWORD", var.account_info.application_name, var.env_name)
		32 |   type  = "SecureString"
		33 |   value = "INITIAL_VALUE_OVERRIDDEN"
		34 |   lifecycle {
		35 |     ignore_changes = [
		36 |       value
		37 |     ]
		38 |   }
		39 |   tags = local.tags
		40 | 
		41 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.oasys_user
	File: /ssm.tf:43-54

		43 | resource "aws_ssm_parameter" "oasys_user" {
		44 |   name  = format("/%s-%s/oasys_user", var.account_info.application_name, var.env_name)
		45 |   type  = "SecureString"
		46 |   value = "INITIAL_VALUE_OVERRIDDEN"
		47 |   lifecycle {
		48 |     ignore_changes = [
		49 |       value
		50 |     ]
		51 |   }
		52 |   tags = local.tags
		53 | 
		54 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.oasys_password
	File: /ssm.tf:56-67

		56 | resource "aws_ssm_parameter" "oasys_password" {
		57 |   name  = format("/%s-%s/oasys_password", var.account_info.application_name, var.env_name)
		58 |   type  = "SecureString"
		59 |   value = "INITIAL_VALUE_OVERRIDDEN"
		60 |   lifecycle {
		61 |     ignore_changes = [
		62 |       value
		63 |     ]
		64 |   }
		65 |   tags = local.tags
		66 | 
		67 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.iaps_user
	File: /ssm.tf:69-80

		69 | resource "aws_ssm_parameter" "iaps_user" {
		70 |   name  = format("/%s-%s/iaps_user", var.account_info.application_name, var.env_name)
		71 |   type  = "SecureString"
		72 |   value = "INITIAL_VALUE_OVERRIDDEN"
		73 |   lifecycle {
		74 |     ignore_changes = [
		75 |       value
		76 |     ]
		77 |   }
		78 |   tags = local.tags
		79 | 
		80 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.iaps_user_password
	File: /ssm.tf:82-93

		82 | resource "aws_ssm_parameter" "iaps_user_password" {
		83 |   name  = format("/%s-%s/iaps_user_password", var.account_info.application_name, var.env_name)
		84 |   type  = "SecureString"
		85 |   value = "INITIAL_VALUE_OVERRIDDEN"
		86 |   lifecycle {
		87 |     ignore_changes = [
		88 |       value
		89 |     ]
		90 |   }
		91 |   tags = local.tags
		92 | 
		93 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.dss_user
	File: /ssm.tf:95-106

		95  | resource "aws_ssm_parameter" "dss_user" {
		96  |   name  = format("/%s-%s/dss_user", var.account_info.application_name, var.env_name)
		97  |   type  = "SecureString"
		98  |   value = "INITIAL_VALUE_OVERRIDDEN"
		99  |   lifecycle {
		100 |     ignore_changes = [
		101 |       value
		102 |     ]
		103 |   }
		104 |   tags = local.tags
		105 | 
		106 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.dss_user_password
	File: /ssm.tf:108-119

		108 | resource "aws_ssm_parameter" "dss_user_password" {
		109 |   name  = format("/%s-%s/dss_user_password", var.account_info.application_name, var.env_name)
		110 |   type  = "SecureString"
		111 |   value = "INITIAL_VALUE_OVERRIDDEN"
		112 |   lifecycle {
		113 |     ignore_changes = [
		114 |       value
		115 |     ]
		116 |   }
		117 |   tags = local.tags
		118 | 
		119 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.casenotes_user
	File: /ssm.tf:121-132

		121 | resource "aws_ssm_parameter" "casenotes_user" {
		122 |   name  = format("/%s-%s/casenotes_user", var.account_info.application_name, var.env_name)
		123 |   type  = "SecureString"
		124 |   value = "INITIAL_VALUE_OVERRIDDEN"
		125 |   lifecycle {
		126 |     ignore_changes = [
		127 |       value
		128 |     ]
		129 |   }
		130 |   tags = local.tags
		131 | 
		132 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.casenotes_user_password
	File: /ssm.tf:134-144

		134 | resource "aws_ssm_parameter" "casenotes_user_password" {
		135 |   name  = format("/%s-%s/casenotes_user_password", var.account_info.application_name, var.env_name)
		136 |   type  = "SecureString"
		137 |   value = "INITIAL_VALUE_OVERRIDDEN"
		138 |   lifecycle {
		139 |     ignore_changes = [
		140 |       value
		141 |     ]
		142 |   }
		143 |   tags = local.tags
		144 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.test_user_password
	File: /ssm.tf:146-157

		146 | resource "aws_ssm_parameter" "test_user_password" {
		147 |   name  = format("/%s-%s/test_user_password", var.account_info.application_name, var.env_name)
		148 |   type  = "SecureString"
		149 |   value = "INITIAL_VALUE_OVERRIDDEN"
		150 |   lifecycle {
		151 |     ignore_changes = [
		152 |       value
		153 |     ]
		154 |   }
		155 | 
		156 |   tags = local.tags
		157 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_gdpr_api_client_secret
	File: /ssm.tf:159-171

		159 | resource "aws_ssm_parameter" "delius_core_gdpr_api_client_secret" {
		160 |   name  = format("/%s-%s/gdpr/api/client_secret", var.account_info.application_name, var.env_name)
		161 |   type  = "SecureString"
		162 |   value = "INITIAL_VALUE_OVERRIDDEN"
		163 | 
		164 |   lifecycle {
		165 |     ignore_changes = [
		166 |       value
		167 |     ]
		168 |   }
		169 | 
		170 |   tags = local.tags
		171 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_pwm_config_password
	File: /ssm.tf:173-185

		173 | resource "aws_ssm_parameter" "delius_core_pwm_config_password" {
		174 |   name  = format("/%s-%s/pwm/pwm/config_password", var.account_info.application_name, var.env_name)
		175 |   type  = "SecureString"
		176 |   value = "INITIAL_VALUE_OVERRIDDEN"
		177 | 
		178 |   lifecycle {
		179 |     ignore_changes = [
		180 |       value
		181 |     ]
		182 |   }
		183 | 
		184 |   tags = local.tags
		185 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_merge_api_client_secret
	File: /ssm.tf:187-199

		187 | resource "aws_ssm_parameter" "delius_core_merge_api_client_secret" {
		188 |   name  = format("/%s-%s/merge/api/client_secret", var.account_info.application_name, var.env_name)
		189 |   type  = "SecureString"
		190 |   value = "INITIAL_VALUE_OVERRIDDEN"
		191 | 
		192 |   lifecycle {
		193 |     ignore_changes = [
		194 |       value
		195 |     ]
		196 |   }
		197 | 
		198 |   tags = local.tags
		199 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_weblogic_ndelius_domain_umt_client_secret
	File: /ssm.tf:201-213

		201 | resource "aws_ssm_parameter" "delius_core_weblogic_ndelius_domain_umt_client_secret" {
		202 |   name  = format("/%s-%s/weblogic/ndelius-domain/umt_client_secret", var.account_info.application_name, var.env_name)
		203 |   type  = "SecureString"
		204 |   value = "INITIAL_VALUE_OVERRIDDEN"
		205 | 
		206 |   lifecycle {
		207 |     ignore_changes = [
		208 |       value
		209 |     ]
		210 |   }
		211 | 
		212 |   tags = local.tags
		213 | }

Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
	FAILED for resource: aws_lb.delius_core_frontend
	File: /weblogic_alb.tf:39-51
	Guide: https://docs.bridgecrew.io/docs/bc_aws_networking_62

		39 | resource "aws_lb" "delius_core_frontend" {
		40 |   # checkov:skip=CKV_AWS_91
		41 |   # checkov:skip=CKV2_AWS_28
		42 | 
		43 |   name               = "${var.app_name}-${var.env_name}-weblogic-alb"
		44 |   internal           = false
		45 |   load_balancer_type = "application"
		46 |   security_groups    = [aws_security_group.delius_frontend_alb_security_group.id]
		47 |   subnets            = var.account_config.public_subnet_ids
		48 | 
		49 |   enable_deletion_protection = false
		50 |   drop_invalid_header_fields = true
		51 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_frontend_env_var_jdbc_url
	File: /weblogic_params.tf:6-16

		6  | resource "aws_ssm_parameter" "delius_core_frontend_env_var_jdbc_url" {
		7  |   name  = format("/%s-%s/JDBC_URL", var.account_info.application_name, var.env_name)
		8  |   type  = "SecureString"
		9  |   value = format("jdbc:oracle:thin:@//INITIAL_HOSTNAME_OVERRIDEN:INITIAL_PORT_OVERRIDDEN/%s", var.weblogic_config.db_name)
		10 |   tags  = local.tags
		11 |   lifecycle {
		12 |     ignore_changes = [
		13 |       value
		14 |     ]
		15 |   }
		16 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_frontend_env_var_jdbc_password
	File: /weblogic_params.tf:18-28

		18 | resource "aws_ssm_parameter" "delius_core_frontend_env_var_jdbc_password" {
		19 |   name  = format("/%s-%s/JDBC_PASSWORD", var.account_info.application_name, var.env_name)
		20 |   type  = "SecureString"
		21 |   value = "INITIAL_VALUE_OVERRIDDEN"
		22 |   tags  = local.tags
		23 |   lifecycle {
		24 |     ignore_changes = [
		25 |       value
		26 |     ]
		27 |   }
		28 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_frontend_env_var_test_mode
	File: /weblogic_params.tf:30-35

		30 | resource "aws_ssm_parameter" "delius_core_frontend_env_var_test_mode" {
		31 |   name  = format("/%s/%s/TEST_MODE", var.account_info.application_name, var.env_name)
		32 |   type  = "String"
		33 |   value = "true"
		34 |   tags  = local.tags
		35 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_frontend_env_var_dev_username
	File: /weblogic_params.tf:37-47

		37 | resource "aws_ssm_parameter" "delius_core_frontend_env_var_dev_username" {
		38 |   name  = format("/%s/%s/DEV_USERNAME", var.account_info.application_name, var.env_name)
		39 |   type  = "SecureString"
		40 |   value = "INITIAL_VALUE_OVERRIDDEN"
		41 |   lifecycle {
		42 |     ignore_changes = [
		43 |       value
		44 |     ]
		45 |   }
		46 |   tags = local.tags
		47 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_frontend_env_var_dev_password
	File: /weblogic_params.tf:49-59

		49 | resource "aws_ssm_parameter" "delius_core_frontend_env_var_dev_password" {
		50 |   name  = format("/%s/%s/DEV_PASSWORD", var.account_info.application_name, var.env_name)
		51 |   type  = "SecureString"
		52 |   value = "INITIAL_VALUE_OVERRIDDEN"
		53 |   lifecycle {
		54 |     ignore_changes = [
		55 |       value
		56 |     ]
		57 |   }
		58 |   tags = local.tags
		59 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_frontend_env_var_eis_user_context
	File: /weblogic_params.tf:61-71

		61 | resource "aws_ssm_parameter" "delius_core_frontend_env_var_eis_user_context" {
		62 |   name  = format("/%s/%s/EIS_USER_CONTEXT", var.account_info.application_name, var.env_name)
		63 |   type  = "SecureString"
		64 |   value = "INITIAL_VALUE_OVERRIDDEN"
		65 |   lifecycle {
		66 |     ignore_changes = [
		67 |       value
		68 |     ]
		69 |   }
		70 |   tags = local.tags
		71 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_frontend_env_var_user_context
	File: /weblogic_params.tf:73-83

		73 | resource "aws_ssm_parameter" "delius_core_frontend_env_var_user_context" {
		74 |   name  = format("/%s/%s/USER_CONTEXT", var.account_info.application_name, var.env_name)
		75 |   type  = "SecureString"
		76 |   value = "INITIAL_VALUE_OVERRIDDEN"
		77 |   lifecycle {
		78 |     ignore_changes = [
		79 |       value
		80 |     ]
		81 |   }
		82 |   tags = local.tags
		83 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.delius_core_frontend_log_group
	File: /weblogic_service.tf:199-203

		199 | resource "aws_cloudwatch_log_group" "delius_core_frontend_log_group" {
		200 |   name              = var.weblogic_config.frontend_fully_qualified_name
		201 |   retention_in_days = 7
		202 |   tags              = local.tags
		203 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.delius_core_frontend_log_group
	File: /weblogic_service.tf:199-203
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html

		199 | resource "aws_cloudwatch_log_group" "delius_core_frontend_log_group" {
		200 |   name              = var.weblogic_config.frontend_fully_qualified_name
		201 |   retention_in_days = 7
		202 |   tags              = local.tags
		203 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: weblogic_container
	File: /weblogic_service.tf:1-63
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision.html

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
	FAILED for resource: aws_ssm_parameter.delius_core_frontend_env_var_test_mode
	File: /weblogic_params.tf:30-35
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html

		30 | resource "aws_ssm_parameter" "delius_core_frontend_env_var_test_mode" {
		31 |   name  = format("/%s/%s/TEST_MODE", var.account_info.application_name, var.env_name)
		32 |   type  = "String"
		33 |   value = "true"
		34 |   tags  = local.tags
		35 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: module.ebs_volume.aws_ebs_volume.this
	File: /../ebs_volume/main.tf:1-10
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup.html

		1  | resource "aws_ebs_volume" "this" {
		2  |   availability_zone = var.availability_zone
		3  |   type              = var.type
		4  |   iops              = var.iops
		5  |   throughput        = var.throughput
		6  |   size              = var.size
		7  |   encrypted         = true
		8  |   kms_key_id        = var.kms_key_id
		9  |   tags              = var.tags
		10 | }

Check: CKV2_AWS_23: "Route53 A Record has Attached Resource"
	FAILED for resource: aws_route53_record.delius-core-db
	File: /db_service.tf:70-78
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-route53-a-record-has-an-attached-resource.html

		70 | resource "aws_route53_record" "delius-core-db" {
		71 |   count    = var.env_name == "dev" ? 1 : 0
		72 |   provider = aws.core-vpc
		73 |   zone_id  = var.account_config.route53_inner_zone_info.zone_id
		74 |   name     = "${var.app_name}-${var.env_name}-${var.delius_db_container_config.fully_qualified_name}.${var.account_config.route53_inner_zone_info.name}"
		75 |   type     = "A"
		76 |   ttl      = 300
		77 |   records  = ["10.26.26.95"]
		78 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.delius_core_ldap_credential
	File: /ldap_params.tf:2-4

		2 | resource "aws_secretsmanager_secret" "delius_core_ldap_credential" {
		3 |   name = "${var.account_info.application_name}-${var.env_name}-openldap-bind-password"
		4 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.delius_db_security_group
	File: /db_service.tf:80-85
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis.html

		80 | resource "aws_security_group" "delius_db_security_group" {
		81 |   name        = format("%s - Delius Core DB", var.env_name)
		82 |   description = "Rules for the delius testing db ecs service"
		83 |   vpc_id      = var.account_config.shared_vpc_id
		84 |   tags        = local.tags
		85 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.ldap
	File: /ldap_ecs.tf:73-81
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis.html

		73 | resource "aws_security_group" "ldap" {
		74 |   name        = "${var.env_name}-ldap-sg"
		75 |   description = "Security group for the ${var.env_name} ldap service"
		76 |   vpc_id      = var.account_info.vpc_id
		77 |   tags        = local.tags
		78 |   lifecycle {
		79 |     create_before_destroy = true
		80 |   }
		81 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.weblogic_service
	File: /weblogic_service.tf:114-122
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis.html

		114 | resource "aws_security_group" "weblogic_service" {
		115 |   name        = format("%s - Delius Core Weblogic service", var.env_name)
		116 |   description = "Security group for the ${var.env_name} weblogic service"
		117 |   vpc_id      = var.account_info.vpc_id
		118 |   tags        = local.tags
		119 |   lifecycle {
		120 |     create_before_destroy = true
		121 |   }
		122 | }


checkov_exitcode=1

TFLint Scan Failed

*****************************

Setting default tflint config...
Running tflint --init...
Installing `terraform` plugin...
Installed `terraform` (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.2.1)
tflint will check the following folders:
terraform/environments/delius-core/modules/environment_all_components

*****************************

Running tflint in terraform/environments/delius-core/modules/environment_all_components
Excluding the following checks: terraform_unused_declarations
3 issue(s) found:

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/delius-core/modules/environment_all_components/db_s3.tf line 48:
  48:       "${module.s3_bucket_oracledb_backups.bucket.arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/delius-core/modules/environment_all_components/ldap_datasync.tf line 63:
  63:       "${module.s3_bucket_ldap_data_refresh.bucket.arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/delius-core/modules/environment_all_components/ldap_datasync.tf line 76:
  76:         "${module.s3_bucket_ldap_data_refresh.bucket.arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

tflint_exitcode=2

@jemnery jemnery merged commit 70a0917 into main Oct 13, 2023
21 of 22 checks passed
@jemnery jemnery deleted the performance-hub/s3-data-land branch October 13, 2023 07:14