Bump actions/checkout from 4.1.0 to 4.1.1 #3710

dependabot · 2023-10-18T00:22:37Z

Bumps actions/checkout from 4.1.0 to 4.1.1.

Release notes

Sourced from actions/checkout's releases.

v4.1.1

What's Changed

Update CODEOWNERS to Launch team by @joshmgross in actions/checkout#1510

Correct link to GitHub Docs by @peterbe in actions/checkout#1511

Link to release page from what's new section by @cory-miller in actions/checkout#1514

New Contributors

@joshmgross made their first contribution in actions/checkout#1510

@peterbe made their first contribution in actions/checkout#1511

Full Changelog: actions/checkout@v4...v4.1.1

Commits

b4ffde6 Link to release page from what's new section (#1514)
8530928 Correct link to GitHub Docs (#1511)
7cdaf2f Update CODEOWNERS to Launch team (#1510)
See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot merge will merge this PR after your CI passes on it
@dependabot squash and merge will squash and merge this PR after your CI passes on it
@dependabot cancel merge will cancel a previously requested merge and block automerging
@dependabot reopen will reopen this PR if it is closed
@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [actions/checkout](https://github.com/actions/checkout) from 4.1.0 to 4.1.1. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](actions/checkout@8ade135...b4ffde6) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]>

github-actions · 2023-10-18T00:26:22Z

`TFSEC Scan` Failed

Show Output

*****************************

TFSEC will check the following folders:
terraform/environments/pra-register

*****************************

Running TFSEC in terraform/environments/pra-register
Excluding the following checks: AWS095

======================================================
tfsec is joining the Trivy family

tfsec will continue to remain available 
for the time being, although our engineering 
attention will be directed at Trivy going forward.

You can read more here: 
https://github.com/aquasecurity/tfsec/discussions/1994
======================================================

Result #1 CRITICAL Security group rule allows egress to multiple public internet addresses. 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:227
────────────────────────────────────────────────────────────────────────────────
  211    resource "aws_security_group" "ecs_service" {
  ...  
  227  [     cidr_blocks = ["0.0.0.0/0"]
  ...  
  229    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-no-public-egress-sgr
      Impact Your port is egressing data to the internet
  Resolution Set a more restrictive cidr range

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/no-public-egress-sgr/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
────────────────────────────────────────────────────────────────────────────────


Results #2-7 CRITICAL Security group rule allows ingress from public internet. (6 similar results)
────────────────────────────────────────────────────────────────────────────────
  load_balancer.tf:35-51
────────────────────────────────────────────────────────────────────────────────
    1    resource "aws_security_group" "pra_lb_sc" {
    .  
   35  ┌     cidr_blocks = [
   36  │       "201.33.21.5/32",
   37  │       "213.121.161.124/32",
   38  │       "157.203.176.0/25",
   39  │       "194.33.196.0/25",
   40  │       "93.56.171.15/32",
   41  └       "195.59.75.0/24",
   ..  
────────────────────────────────────────────────────────────────────────────────
  Individual Causes
  - load_balancer.tf:1-69 (aws_security_group.pra_lb_sc) 6 instances
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-no-public-ingress-sgr
      Impact Your port exposed to the internet
  Resolution Set a more restrictive cidr range

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/no-public-ingress-sgr/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule#cidr_blocks
────────────────────────────────────────────────────────────────────────────────


Result #8 CRITICAL Security group rule allows egress to multiple public internet addresses. 
────────────────────────────────────────────────────────────────────────────────
  load_balancer.tf:59
────────────────────────────────────────────────────────────────────────────────
    1    resource "aws_security_group" "pra_lb_sc" {
    .  
   59  [     cidr_blocks = ["0.0.0.0/0"]
   ..  
   69    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-no-public-egress-sgr
      Impact Your port is egressing data to the internet
  Resolution Set a more restrictive cidr range

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/no-public-egress-sgr/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
────────────────────────────────────────────────────────────────────────────────


Result #9 CRITICAL Security group rule allows egress to multiple public internet addresses. 
────────────────────────────────────────────────────────────────────────────────
  load_balancer.tf:67
────────────────────────────────────────────────────────────────────────────────
    1    resource "aws_security_group" "pra_lb_sc" {
    .  
   67  [     cidr_blocks = ["0.0.0.0/0"]
   ..  
   69    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-no-public-egress-sgr
      Impact Your port is egressing data to the internet
  Resolution Set a more restrictive cidr range

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/no-public-egress-sgr/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
────────────────────────────────────────────────────────────────────────────────


Result #10 CRITICAL Instance is exposed publicly. 
────────────────────────────────────────────────────────────────────────────────
  rds.tf:12
────────────────────────────────────────────────────────────────────────────────
    1    resource "aws_db_instance" "pra_db" {
    .  
   12  [   publicly_accessible         = true (true)
   ..  
   16    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-rds-no-public-db-access
      Impact The database instance is publicly accessible
  Resolution Set the database to not be publicly accessible

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/rds/no-public-db-access/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance
────────────────────────────────────────────────────────────────────────────────


Result #11 CRITICAL Security group rule allows egress to multiple public internet addresses. 
────────────────────────────────────────────────────────────────────────────────
  rds.tf:41
────────────────────────────────────────────────────────────────────────────────
   24    resource "aws_security_group" "modernisation_pra_access" {
   ..  
   41  [     cidr_blocks = ["0.0.0.0/0"]
   ..  
   43    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-no-public-egress-sgr
      Impact Your port is egressing data to the internet
  Resolution Set a more restrictive cidr range

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/no-public-egress-sgr/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
────────────────────────────────────────────────────────────────────────────────


Result #12 CRITICAL Security group rule allows egress to multiple public internet addresses. 
────────────────────────────────────────────────────────────────────────────────
  rds.tf:76
────────────────────────────────────────────────────────────────────────────────
   45    resource "aws_security_group" "postgresql_db_sc" {
   ..  
   76  [     cidr_blocks = ["0.0.0.0/0"]
   ..  
   79    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-no-public-egress-sgr
      Impact Your port is egressing data to the internet
  Resolution Set a more restrictive cidr range

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/no-public-egress-sgr/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
────────────────────────────────────────────────────────────────────────────────


Result #13 HIGH IAM policy document uses wildcarded action 'ecr:*' 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:144-151
────────────────────────────────────────────────────────────────────────────────
  135    resource "aws_iam_role_policy" "app_execution" {
  ...  
  144  ┌            "Action": [
  145  │               "ecr:*",
  146  │               "logs:CreateLogGroup",
  147  │               "logs:CreateLogStream",
  148  │               "logs:PutLogEvents",
  149  │               "logs:DescribeLogStreams",
  150  └               "secretsmanager:GetSecretValue"
  ...  
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #14 HIGH IAM policy document uses sensitive action 'ecr:*' on wildcarded resource '*' 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:152
────────────────────────────────────────────────────────────────────────────────
  135    resource "aws_iam_role_policy" "app_execution" {
  ...  
  152  [            "Resource": "*",
  ...  
  158    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Results #15-17 HIGH IAM policy document uses wildcarded action 'logs:CreateLogStream' (3 similar results)
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:197-203
────────────────────────────────────────────────────────────────────────────────
  187    resource "aws_iam_role_policy" "app_task" {
  ...  
  197  ┌         "Action": [
  198  │           "logs:CreateLogStream",
  199  │           "logs:PutLogEvents",
  200  │           "ecr:*",
  201  │           "iam:*",
  202  │           "ec2:*"
  203  └         ],
  ...  
────────────────────────────────────────────────────────────────────────────────
  Individual Causes
  - ecs.tf:187-209 (aws_iam_role_policy.app_task) 3 instances
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #18 HIGH IAM policy document uses sensitive action 'logs:CreateLogStream' on wildcarded resource '*' 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:204
────────────────────────────────────────────────────────────────────────────────
  187    resource "aws_iam_role_policy" "app_task" {
  ...  
  204  [        "Resource": "*"
  ...  
  209    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #19 HIGH Image scanning is not enabled. 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:231-234
────────────────────────────────────────────────────────────────────────────────
  231    resource "aws_ecr_repository" "pra_ecr_repo" {
  232      name         = "pra-ecr-repo"
  233      force_delete = true
  234    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ecr-enable-image-scans
      Impact The ability to scan images is not being used and vulnerabilities will not be highlighted
  Resolution Enable ECR image scanning

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ecr/enable-image-scans/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository#image_scanning_configuration
────────────────────────────────────────────────────────────────────────────────


Result #20 HIGH Repository tags are mutable. 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:231-234
────────────────────────────────────────────────────────────────────────────────
  231    resource "aws_ecr_repository" "pra_ecr_repo" {
  232      name         = "pra-ecr-repo"
  233      force_delete = true
  234    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ecr-enforce-immutable-repository
      Impact Image tags could be overwritten with compromised images
  Resolution Only use immutable images in ECR

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ecr/enforce-immutable-repository/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository
────────────────────────────────────────────────────────────────────────────────


Result #21 HIGH Application load balancer is not set to drop invalid headers. 
────────────────────────────────────────────────────────────────────────────────
  load_balancer.tf:126-134
────────────────────────────────────────────────────────────────────────────────
  126    resource "aws_lb" "pra_lb" {
  127      name                       = "pra-load-balancer"
  128      load_balancer_type         = "application"
  129      security_groups            = [aws_security_group.pra_lb_sc.id, aws_security_group.lb_sc_pingdom.id]
  130      subnets                    = data.aws_subnets.shared-public.ids
  131      enable_deletion_protection = false
  132      internal                   = false
  133      depends_on                 = [aws_security_group.pra_lb_sc, aws_security_group.lb_sc_pingdom]
  134    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-elb-drop-invalid-headers
      Impact Invalid headers being passed through to the target of the load balance may exploit vulnerabilities
  Resolution Set drop_invalid_header_fields to true

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/elb/drop-invalid-headers/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb#drop_invalid_header_fields
────────────────────────────────────────────────────────────────────────────────


Result #22 HIGH Load balancer is exposed publicly. 
────────────────────────────────────────────────────────────────────────────────
  load_balancer.tf:132
────────────────────────────────────────────────────────────────────────────────
  126    resource "aws_lb" "pra_lb" {
  127      name                       = "pra-load-balancer"
  128      load_balancer_type         = "application"
  129      security_groups            = [aws_security_group.pra_lb_sc.id, aws_security_group.lb_sc_pingdom.id]
  130      subnets                    = data.aws_subnets.shared-public.ids
  131      enable_deletion_protection = false
  132  [   internal                   = false (false)
  133      depends_on                 = [aws_security_group.pra_lb_sc, aws_security_group.lb_sc_pingdom]
  134    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-elb-alb-not-public
      Impact The load balancer is exposed on the internet
  Resolution Switch to an internal load balancer or add a tfsec ignore

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/elb/alb-not-public/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb
────────────────────────────────────────────────────────────────────────────────


Result #23 HIGH Instance does not have storage encryption enabled. 
────────────────────────────────────────────────────────────────────────────────
  rds.tf:1-16
────────────────────────────────────────────────────────────────────────────────
    1  ┌ resource "aws_db_instance" "pra_db" {
    2  │   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
    3  │   db_name                     = local.application_data.accounts[local.environment].db_name
    4  │   storage_type                = local.application_data.accounts[local.environment].storage_type
    5  │   engine                      = local.application_data.accounts[local.environment].engine
    6  │   identifier                  = local.application_data.accounts[local.environment].identifier
    7  │   engine_version              = local.application_data.accounts[local.environment].engine_version
    8  │   instance_class              = local.application_data.accounts[local.environment].instance_class
    9  └   username                    = local.application_data.accounts[local.environment].db_username
   ..  
────────────────────────────────────────────────────────────────────────────────
          ID aws-rds-encrypt-instance-storage-data
      Impact Data can be read from RDS instances if compromised
  Resolution Enable encryption for RDS instances

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/rds/encrypt-instance-storage-data/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance
────────────────────────────────────────────────────────────────────────────────


Result #24 HIGH Instance has Public Access enabled 
────────────────────────────────────────────────────────────────────────────────
  rds.tf:12
────────────────────────────────────────────────────────────────────────────────
   12      publicly_accessible         = true
────────────────────────────────────────────────────────────────────────────────
  Rego Package builtin.aws.rds.aws0180
     Rego Rule deny
────────────────────────────────────────────────────────────────────────────────


Result #25 MEDIUM Instance has very low backup retention period. 
────────────────────────────────────────────────────────────────────────────────
  rds.tf:1-16
────────────────────────────────────────────────────────────────────────────────
    1  ┌ resource "aws_db_instance" "pra_db" {
    2  │   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
    3  │   db_name                     = local.application_data.accounts[local.environment].db_name
    4  │   storage_type                = local.application_data.accounts[local.environment].storage_type
    5  │   engine                      = local.application_data.accounts[local.environment].engine
    6  │   identifier                  = local.application_data.accounts[local.environment].identifier
    7  │   engine_version              = local.application_data.accounts[local.environment].engine_version
    8  │   instance_class              = local.application_data.accounts[local.environment].instance_class
    9  └   username                    = local.application_data.accounts[local.environment].db_username
   ..  
────────────────────────────────────────────────────────────────────────────────
          ID aws-rds-specify-backup-retention
      Impact Potential loss of data and short opportunity for recovery
  Resolution Explicitly set the retention period to greater than the default

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/rds/specify-backup-retention/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster#backup_retention_period
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance#backup_retention_period
────────────────────────────────────────────────────────────────────────────────


Result #26 MEDIUM Instance does not have Deletion Protection enabled 
────────────────────────────────────────────────────────────────────────────────
  rds.tf:1-16
────────────────────────────────────────────────────────────────────────────────
    1  ┌ resource "aws_db_instance" "pra_db" {
    2  │   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
    3  │   db_name                     = local.application_data.accounts[local.environment].db_name
    4  │   storage_type                = local.application_data.accounts[local.environment].storage_type
    5  │   engine                      = local.application_data.accounts[local.environment].engine
    6  │   identifier                  = local.application_data.accounts[local.environment].identifier
    7  │   engine_version              = local.application_data.accounts[local.environment].engine_version
    8  │   instance_class              = local.application_data.accounts[local.environment].instance_class
    9  └   username                    = local.application_data.accounts[local.environment].db_username
   ..  
────────────────────────────────────────────────────────────────────────────────
  Rego Package builtin.aws.rds.aws0177
     Rego Rule deny
────────────────────────────────────────────────────────────────────────────────


Result #27 LOW Security group explicitly uses the default description. 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:211-229
────────────────────────────────────────────────────────────────────────────────
  211  ┌ resource "aws_security_group" "ecs_service" {
  212  │   name_prefix = "ecs-service-sg-"
  213  │   vpc_id      = data.aws_vpc.shared.id
  214  │ 
  215  │   ingress {
  216  │     from_port       = 80
  217  │     to_port         = 80
  218  │     protocol        = "tcp"
  219  └     description     = "Allow traffic on port 80 from load balancer"
  ...  
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-add-description-to-security-group
      Impact Descriptions provide context for the firewall rule reasons
  Resolution Add descriptions for all security groups

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/add-description-to-security-group/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule
────────────────────────────────────────────────────────────────────────────────


Result #28 LOW Security group rule does not have a description. 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:223-228
────────────────────────────────────────────────────────────────────────────────
  211    resource "aws_security_group" "ecs_service" {
  ...  
  223  ┌   egress {
  224  │     from_port   = 0
  225  │     to_port     = 0
  226  │     protocol    = "-1"
  227  │     cidr_blocks = ["0.0.0.0/0"]
  228  └   }
  229    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-add-description-to-security-group-rule
      Impact Descriptions provide context for the firewall rule reasons
  Resolution Add descriptions for all security groups rules

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/add-description-to-security-group-rule/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule
────────────────────────────────────────────────────────────────────────────────


Result #29 LOW Repository is not encrypted using KMS. 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:231-234
────────────────────────────────────────────────────────────────────────────────
  231    resource "aws_ecr_repository" "pra_ecr_repo" {
  232      name         = "pra-ecr-repo"
  233      force_delete = true
  234    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ecr-repository-customer-key
      Impact Using AWS managed keys does not allow for fine grained control
  Resolution Use customer managed keys

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ecr/repository-customer-key/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository#encryption_configuration
────────────────────────────────────────────────────────────────────────────────


Result #30 LOW Log group is not encrypted. 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:9-12
────────────────────────────────────────────────────────────────────────────────
    9    resource "aws_cloudwatch_log_group" "deployment_logs" {
   10      name              = "/aws/events/deploymentLogs"
   11      retention_in_days = "7"
   12    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-cloudwatch-log-group-customer-key
      Impact Log data may be leaked if the logs are compromised. No auditing of who have viewed the logs.
  Resolution Enable CMK encryption of CloudWatch Log Groups

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/cloudwatch/log-group-customer-key/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group#kms_key_id
────────────────────────────────────────────────────────────────────────────────


Result #31 LOW Security group rule does not have a description. 
────────────────────────────────────────────────────────────────────────────────
  load_balancer.tf:31-52
────────────────────────────────────────────────────────────────────────────────
    1    resource "aws_security_group" "pra_lb_sc" {
    .  
   31  ┌   ingress {
   32  │     from_port = 443
   33  │     to_port   = 443
   34  │     protocol  = "tcp"
   35  │     cidr_blocks = [
   36  │       "201.33.21.5/32",
   37  └       "213.121.161.124/32",
   ..  
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-add-description-to-security-group-rule
      Impact Descriptions provide context for the firewall rule reasons
  Resolution Add descriptions for all security groups rules

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/add-description-to-security-group-rule/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule
────────────────────────────────────────────────────────────────────────────────


Result #32 LOW Security group rule does not have a description. 
────────────────────────────────────────────────────────────────────────────────
  load_balancer.tf:77-122
────────────────────────────────────────────────────────────────────────────────
   71    resource "aws_security_group" "lb_sc_pingdom" {
   72      name        = "load balancer Pingdom security group"
   73      description = "control Pingdom access to the load balancer"
   74      vpc_id      = data.aws_vpc.shared.id
   75    
   76      // Allow all European Pingdom IP addresses
   77  ┌   ingress {
   78  │     from_port = 443
   79  └     to_port   = 443
   ..  
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-add-description-to-security-group-rule
      Impact Descriptions provide context for the firewall rule reasons
  Resolution Add descriptions for all security groups rules

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/add-description-to-security-group-rule/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule
────────────────────────────────────────────────────────────────────────────────


Result #33 LOW Instance does not have performance insights enabled. 
────────────────────────────────────────────────────────────────────────────────
  rds.tf:1-16
────────────────────────────────────────────────────────────────────────────────
    1  ┌ resource "aws_db_instance" "pra_db" {
    2  │   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
    3  │   db_name                     = local.application_data.accounts[local.environment].db_name
    4  │   storage_type                = local.application_data.accounts[local.environment].storage_type
    5  │   engine                      = local.application_data.accounts[local.environment].engine
    6  │   identifier                  = local.application_data.accounts[local.environment].identifier
    7  │   engine_version              = local.application_data.accounts[local.environment].engine_version
    8  │   instance_class              = local.application_data.accounts[local.environment].instance_class
    9  └   username                    = local.application_data.accounts[local.environment].db_username
   ..  
────────────────────────────────────────────────────────────────────────────────
          ID aws-rds-enable-performance-insights
      Impact Without adequate monitoring, performance related issues may go unreported and potentially lead to compromise.
  Resolution Enable performance insights

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/rds/enable-performance-insights/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster_instance#performance_insights_kms_key_id
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance#performance_insights_kms_key_id
────────────────────────────────────────────────────────────────────────────────


Result #34 LOW Security group rule does not have a description. 
────────────────────────────────────────────────────────────────────────────────
  rds.tf:37-42
────────────────────────────────────────────────────────────────────────────────
   24    resource "aws_security_group" "modernisation_pra_access" {
   ..  
   37  ┌   egress {
   38  │     from_port   = 0
   39  │     to_port     = 0
   40  │     protocol    = "-1"
   41  │     cidr_blocks = ["0.0.0.0/0"]
   42  └   }
   43    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-add-description-to-security-group-rule
      Impact Descriptions provide context for the firewall rule reasons
  Resolution Add descriptions for all security groups rules

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/add-description-to-security-group-rule/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule
────────────────────────────────────────────────────────────────────────────────


  timings
  ──────────────────────────────────────────
  disk i/o             1.065708ms
  parsing              25.554011ms
  adaptation           1.339406ms
  checks               63.186076ms
  total                91.145201ms

  counts
  ──────────────────────────────────────────
  modules downloaded   0
  modules processed    1
  blocks processed     85
  files read           15

  results
  ──────────────────────────────────────────
  passed               38
  ignored              1
  critical             12
  high                 12
  medium               2
  low                  8

  38 passed, 1 ignored, 34 potential problem(s) detected.

tfsec_exitcode=1

`Checkov Scan` Failed

Show Output

*****************************

Checkov will check the following folders:
terraform/environments/pra-register

*****************************

Running Checkov in terraform/environments/pra-register
terraform scan results:

Passed checks: 65, Failed checks: 38, Skipped checks: 0

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.deployment_logs
	File: /ecs.tf:9-12
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html

		9  | resource "aws_cloudwatch_log_group" "deployment_logs" {
		10 |   name              = "/aws/events/deploymentLogs"
		11 |   retention_in_days = "7"
		12 | }

Check: CKV_AWS_336: "Ensure ECS containers are limited to read-only access to root filesystems"
	FAILED for resource: aws_ecs_task_definition.pra_task_definition
	File: /ecs.tf:14-76

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_333: "Ensure ECS services do not have public IP addresses assigned to them automatically"
	FAILED for resource: aws_ecs_service.pra_ecs_service
	File: /ecs.tf:78-106

		78  | resource "aws_ecs_service" "pra_ecs_service" {
		79  |   depends_on = [
		80  |     aws_lb_listener.pra_lb
		81  |   ]
		82  | 
		83  |   name                              = var.networking[0].application
		84  |   cluster                           = aws_ecs_cluster.pra_cluster.id
		85  |   task_definition                   = aws_ecs_task_definition.pra_task_definition.arn
		86  |   launch_type                       = "FARGATE"
		87  |   enable_execute_command            = true
		88  |   desired_count                     = 2
		89  |   health_check_grace_period_seconds = 180
		90  | 
		91  |   network_configuration {
		92  |     subnets          = data.aws_subnets.shared-public.ids
		93  |     security_groups  = [aws_security_group.ecs_service.id]
		94  |     assign_public_ip = true
		95  |   }
		96  | 
		97  |   load_balancer {
		98  |     target_group_arn = aws_lb_target_group.pra_target_group.arn
		99  |     container_name   = "pra-container"
		100 |     container_port   = 80
		101 |   }
		102 | 
		103 |   deployment_controller {
		104 |     type = "ECS"
		105 |   }
		106 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:135-158

		135 | resource "aws_iam_role_policy" "app_execution" {
		136 |   name = "execution-${var.networking[0].application}"
		137 |   role = aws_iam_role.app_execution.id
		138 | 
		139 |   policy = <<-EOF
		140 |   {
		141 |     "Version": "2012-10-17",
		142 |     "Statement": [
		143 |       {
		144 |            "Action": [
		145 |               "ecr:*",
		146 |               "logs:CreateLogGroup",
		147 |               "logs:CreateLogStream",
		148 |               "logs:PutLogEvents",
		149 |               "logs:DescribeLogStreams",
		150 |               "secretsmanager:GetSecretValue"
		151 |            ],
		152 |            "Resource": "*",
		153 |            "Effect": "Allow"
		154 |       }
		155 |     ]
		156 |   }
		157 |   EOF
		158 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:135-158

		135 | resource "aws_iam_role_policy" "app_execution" {
		136 |   name = "execution-${var.networking[0].application}"
		137 |   role = aws_iam_role.app_execution.id
		138 | 
		139 |   policy = <<-EOF
		140 |   {
		141 |     "Version": "2012-10-17",
		142 |     "Statement": [
		143 |       {
		144 |            "Action": [
		145 |               "ecr:*",
		146 |               "logs:CreateLogGroup",
		147 |               "logs:CreateLogStream",
		148 |               "logs:PutLogEvents",
		149 |               "logs:DescribeLogStreams",
		150 |               "secretsmanager:GetSecretValue"
		151 |            ],
		152 |            "Resource": "*",
		153 |            "Effect": "Allow"
		154 |       }
		155 |     ]
		156 |   }
		157 |   EOF
		158 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:135-158

		135 | resource "aws_iam_role_policy" "app_execution" {
		136 |   name = "execution-${var.networking[0].application}"
		137 |   role = aws_iam_role.app_execution.id
		138 | 
		139 |   policy = <<-EOF
		140 |   {
		141 |     "Version": "2012-10-17",
		142 |     "Statement": [
		143 |       {
		144 |            "Action": [
		145 |               "ecr:*",
		146 |               "logs:CreateLogGroup",
		147 |               "logs:CreateLogStream",
		148 |               "logs:PutLogEvents",
		149 |               "logs:DescribeLogStreams",
		150 |               "secretsmanager:GetSecretValue"
		151 |            ],
		152 |            "Resource": "*",
		153 |            "Effect": "Allow"
		154 |       }
		155 |     ]
		156 |   }
		157 |   EOF
		158 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:135-158

		135 | resource "aws_iam_role_policy" "app_execution" {
		136 |   name = "execution-${var.networking[0].application}"
		137 |   role = aws_iam_role.app_execution.id
		138 | 
		139 |   policy = <<-EOF
		140 |   {
		141 |     "Version": "2012-10-17",
		142 |     "Statement": [
		143 |       {
		144 |            "Action": [
		145 |               "ecr:*",
		146 |               "logs:CreateLogGroup",
		147 |               "logs:CreateLogStream",
		148 |               "logs:PutLogEvents",
		149 |               "logs:DescribeLogStreams",
		150 |               "secretsmanager:GetSecretValue"
		151 |            ],
		152 |            "Resource": "*",
		153 |            "Effect": "Allow"
		154 |       }
		155 |     ]
		156 |   }
		157 |   EOF
		158 | }

Check: CKV_AWS_286: "Ensure IAM policies does not allow privilege escalation"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:187-209

		187 | resource "aws_iam_role_policy" "app_task" {
		188 |   name = "task-${var.networking[0].application}"
		189 |   role = aws_iam_role.app_task.id
		190 | 
		191 |   policy = <<-EOF
		192 |   {
		193 |    "Version": "2012-10-17",
		194 |    "Statement": [
		195 |      {
		196 |        "Effect": "Allow",
		197 |         "Action": [
		198 |           "logs:CreateLogStream",
		199 |           "logs:PutLogEvents",
		200 |           "ecr:*",
		201 |           "iam:*",
		202 |           "ec2:*"
		203 |         ],
		204 |        "Resource": "*"
		205 |      }
		206 |    ]
		207 |   }
		208 |   EOF
		209 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:187-209

		187 | resource "aws_iam_role_policy" "app_task" {
		188 |   name = "task-${var.networking[0].application}"
		189 |   role = aws_iam_role.app_task.id
		190 | 
		191 |   policy = <<-EOF
		192 |   {
		193 |    "Version": "2012-10-17",
		194 |    "Statement": [
		195 |      {
		196 |        "Effect": "Allow",
		197 |         "Action": [
		198 |           "logs:CreateLogStream",
		199 |           "logs:PutLogEvents",
		200 |           "ecr:*",
		201 |           "iam:*",
		202 |           "ec2:*"
		203 |         ],
		204 |        "Resource": "*"
		205 |      }
		206 |    ]
		207 |   }
		208 |   EOF
		209 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:187-209

		187 | resource "aws_iam_role_policy" "app_task" {
		188 |   name = "task-${var.networking[0].application}"
		189 |   role = aws_iam_role.app_task.id
		190 | 
		191 |   policy = <<-EOF
		192 |   {
		193 |    "Version": "2012-10-17",
		194 |    "Statement": [
		195 |      {
		196 |        "Effect": "Allow",
		197 |         "Action": [
		198 |           "logs:CreateLogStream",
		199 |           "logs:PutLogEvents",
		200 |           "ecr:*",
		201 |           "iam:*",
		202 |           "ec2:*"
		203 |         ],
		204 |        "Resource": "*"
		205 |      }
		206 |    ]
		207 |   }
		208 |   EOF
		209 | }

Check: CKV_AWS_287: "Ensure IAM policies does not allow credentials exposure"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:187-209

		187 | resource "aws_iam_role_policy" "app_task" {
		188 |   name = "task-${var.networking[0].application}"
		189 |   role = aws_iam_role.app_task.id
		190 | 
		191 |   policy = <<-EOF
		192 |   {
		193 |    "Version": "2012-10-17",
		194 |    "Statement": [
		195 |      {
		196 |        "Effect": "Allow",
		197 |         "Action": [
		198 |           "logs:CreateLogStream",
		199 |           "logs:PutLogEvents",
		200 |           "ecr:*",
		201 |           "iam:*",
		202 |           "ec2:*"
		203 |         ],
		204 |        "Resource": "*"
		205 |      }
		206 |    ]
		207 |   }
		208 |   EOF
		209 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:187-209

		187 | resource "aws_iam_role_policy" "app_task" {
		188 |   name = "task-${var.networking[0].application}"
		189 |   role = aws_iam_role.app_task.id
		190 | 
		191 |   policy = <<-EOF
		192 |   {
		193 |    "Version": "2012-10-17",
		194 |    "Statement": [
		195 |      {
		196 |        "Effect": "Allow",
		197 |         "Action": [
		198 |           "logs:CreateLogStream",
		199 |           "logs:PutLogEvents",
		200 |           "ecr:*",
		201 |           "iam:*",
		202 |           "ec2:*"
		203 |         ],
		204 |        "Resource": "*"
		205 |      }
		206 |    ]
		207 |   }
		208 |   EOF
		209 | }

Check: CKV_AWS_23: "Ensure every security groups rule has a description"
	FAILED for resource: aws_security_group.ecs_service
	File: /ecs.tf:211-229
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html

		211 | resource "aws_security_group" "ecs_service" {
		212 |   name_prefix = "ecs-service-sg-"
		213 |   vpc_id      = data.aws_vpc.shared.id
		214 | 
		215 |   ingress {
		216 |     from_port       = 80
		217 |     to_port         = 80
		218 |     protocol        = "tcp"
		219 |     description     = "Allow traffic on port 80 from load balancer"
		220 |     security_groups = [aws_security_group.pra_lb_sc.id]
		221 |   }
		222 | 
		223 |   egress {
		224 |     from_port   = 0
		225 |     to_port     = 0
		226 |     protocol    = "-1"
		227 |     cidr_blocks = ["0.0.0.0/0"]
		228 |   }
		229 | }

Check: CKV_AWS_51: "Ensure ECR Image Tags are immutable"
	FAILED for resource: aws_ecr_repository.pra_ecr_repo
	File: /ecs.tf:231-234
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-24.html

		231 | resource "aws_ecr_repository" "pra_ecr_repo" {
		232 |   name         = "pra-ecr-repo"
		233 |   force_delete = true
		234 | }

Check: CKV_AWS_163: "Ensure ECR image scanning on push is enabled"
	FAILED for resource: aws_ecr_repository.pra_ecr_repo
	File: /ecs.tf:231-234
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-8.html

		231 | resource "aws_ecr_repository" "pra_ecr_repo" {
		232 |   name         = "pra-ecr-repo"
		233 |   force_delete = true
		234 | }

Check: CKV_AWS_136: "Ensure that ECR repositories are encrypted using KMS"
	FAILED for resource: aws_ecr_repository.pra_ecr_repo
	File: /ecs.tf:231-234
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ecr-repositories-are-encrypted.html

		231 | resource "aws_ecr_repository" "pra_ecr_repo" {
		232 |   name         = "pra-ecr-repo"
		233 |   force_delete = true
		234 | }

Check: CKV_AWS_23: "Ensure every security groups rule has a description"
	FAILED for resource: aws_security_group.pra_lb_sc
	File: /load_balancer.tf:1-69
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
	FAILED for resource: aws_security_group.lb_sc_pingdom
	File: /load_balancer.tf:71-123
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
	FAILED for resource: aws_lb.pra_lb
	File: /load_balancer.tf:126-134
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22.html

		126 | resource "aws_lb" "pra_lb" {
		127 |   name                       = "pra-load-balancer"
		128 |   load_balancer_type         = "application"
		129 |   security_groups            = [aws_security_group.pra_lb_sc.id, aws_security_group.lb_sc_pingdom.id]
		130 |   subnets                    = data.aws_subnets.shared-public.ids
		131 |   enable_deletion_protection = false
		132 |   internal                   = false
		133 |   depends_on                 = [aws_security_group.pra_lb_sc, aws_security_group.lb_sc_pingdom]
		134 | }

Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
	FAILED for resource: aws_lb.pra_lb
	File: /load_balancer.tf:126-134
	Guide: https://docs.bridgecrew.io/docs/bc_aws_networking_62

		126 | resource "aws_lb" "pra_lb" {
		127 |   name                       = "pra-load-balancer"
		128 |   load_balancer_type         = "application"
		129 |   security_groups            = [aws_security_group.pra_lb_sc.id, aws_security_group.lb_sc_pingdom.id]
		130 |   subnets                    = data.aws_subnets.shared-public.ids
		131 |   enable_deletion_protection = false
		132 |   internal                   = false
		133 |   depends_on                 = [aws_security_group.pra_lb_sc, aws_security_group.lb_sc_pingdom]
		134 | }

Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
	FAILED for resource: aws_lb.pra_lb
	File: /load_balancer.tf:126-134
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers.html

		126 | resource "aws_lb" "pra_lb" {
		127 |   name                       = "pra-load-balancer"
		128 |   load_balancer_type         = "application"
		129 |   security_groups            = [aws_security_group.pra_lb_sc.id, aws_security_group.lb_sc_pingdom.id]
		130 |   subnets                    = data.aws_subnets.shared-public.ids
		131 |   enable_deletion_protection = false
		132 |   internal                   = false
		133 |   depends_on                 = [aws_security_group.pra_lb_sc, aws_security_group.lb_sc_pingdom]
		134 | }

Check: CKV_AWS_261: "Ensure HTTP HTTPS Target group defines Healthcheck"
	FAILED for resource: aws_lb_target_group.pra_target_group
	File: /load_balancer.tf:136-158
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-kendra-index-server-side-encryption-uses-customer-managed-keys-cmks.html

		136 | resource "aws_lb_target_group" "pra_target_group" {
		137 |   name                 = "pra-target-group"
		138 |   port                 = 80
		139 |   protocol             = "HTTP"
		140 |   vpc_id               = data.aws_vpc.shared.id
		141 |   target_type          = "ip"
		142 |   deregistration_delay = 30
		143 | 
		144 |   stickiness {
		145 |     type = "lb_cookie"
		146 |   }
		147 | 
		148 |   health_check {
		149 |     healthy_threshold   = "3"
		150 |     interval            = "30"
		151 |     protocol            = "HTTP"
		152 |     port                = "80"
		153 |     unhealthy_threshold = "5"
		154 |     matcher             = "200-302"
		155 |     timeout             = "10"
		156 |   }
		157 | 
		158 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: aws_db_instance.pra_db
	File: /rds.tf:1-16

		1  | resource "aws_db_instance" "pra_db" {
		2  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		3  |   db_name                     = local.application_data.accounts[local.environment].db_name
		4  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		5  |   engine                      = local.application_data.accounts[local.environment].engine
		6  |   identifier                  = local.application_data.accounts[local.environment].identifier
		7  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		8  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		9  |   username                    = local.application_data.accounts[local.environment].db_username
		10 |   password                    = random_password.password.result
		11 |   skip_final_snapshot         = true
		12 |   publicly_accessible         = true
		13 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc.id]
		14 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		15 |   allow_major_version_upgrade = true
		16 | }

Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
	FAILED for resource: aws_db_instance.pra_db
	File: /rds.tf:1-16
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled.html

		1  | resource "aws_db_instance" "pra_db" {
		2  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		3  |   db_name                     = local.application_data.accounts[local.environment].db_name
		4  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		5  |   engine                      = local.application_data.accounts[local.environment].engine
		6  |   identifier                  = local.application_data.accounts[local.environment].identifier
		7  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		8  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		9  |   username                    = local.application_data.accounts[local.environment].db_username
		10 |   password                    = random_password.password.result
		11 |   skip_final_snapshot         = true
		12 |   publicly_accessible         = true
		13 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc.id]
		14 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		15 |   allow_major_version_upgrade = true
		16 | }

Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
	FAILED for resource: aws_db_instance.pra_db
	File: /rds.tf:1-16
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-73.html

		1  | resource "aws_db_instance" "pra_db" {
		2  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		3  |   db_name                     = local.application_data.accounts[local.environment].db_name
		4  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		5  |   engine                      = local.application_data.accounts[local.environment].engine
		6  |   identifier                  = local.application_data.accounts[local.environment].identifier
		7  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		8  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		9  |   username                    = local.application_data.accounts[local.environment].db_username
		10 |   password                    = random_password.password.result
		11 |   skip_final_snapshot         = true
		12 |   publicly_accessible         = true
		13 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc.id]
		14 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		15 |   allow_major_version_upgrade = true
		16 | }

Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
	FAILED for resource: aws_db_instance.pra_db
	File: /rds.tf:1-16
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances.html

		1  | resource "aws_db_instance" "pra_db" {
		2  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		3  |   db_name                     = local.application_data.accounts[local.environment].db_name
		4  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		5  |   engine                      = local.application_data.accounts[local.environment].engine
		6  |   identifier                  = local.application_data.accounts[local.environment].identifier
		7  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		8  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		9  |   username                    = local.application_data.accounts[local.environment].db_username
		10 |   password                    = random_password.password.result
		11 |   skip_final_snapshot         = true
		12 |   publicly_accessible         = true
		13 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc.id]
		14 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		15 |   allow_major_version_upgrade = true
		16 | }

Check: CKV_AWS_17: "Ensure all data stored in RDS is not publicly accessible"
	FAILED for resource: aws_db_instance.pra_db
	File: /rds.tf:1-16
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/public-policies/public-2.html

		1  | resource "aws_db_instance" "pra_db" {
		2  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		3  |   db_name                     = local.application_data.accounts[local.environment].db_name
		4  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		5  |   engine                      = local.application_data.accounts[local.environment].engine
		6  |   identifier                  = local.application_data.accounts[local.environment].identifier
		7  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		8  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		9  |   username                    = local.application_data.accounts[local.environment].db_username
		10 |   password                    = random_password.password.result
		11 |   skip_final_snapshot         = true
		12 |   publicly_accessible         = true
		13 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc.id]
		14 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		15 |   allow_major_version_upgrade = true
		16 | }

Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
	FAILED for resource: aws_db_instance.pra_db
	File: /rds.tf:1-16

		1  | resource "aws_db_instance" "pra_db" {
		2  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		3  |   db_name                     = local.application_data.accounts[local.environment].db_name
		4  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		5  |   engine                      = local.application_data.accounts[local.environment].engine
		6  |   identifier                  = local.application_data.accounts[local.environment].identifier
		7  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		8  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		9  |   username                    = local.application_data.accounts[local.environment].db_username
		10 |   password                    = random_password.password.result
		11 |   skip_final_snapshot         = true
		12 |   publicly_accessible         = true
		13 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc.id]
		14 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		15 |   allow_major_version_upgrade = true
		16 | }

Check: CKV_AWS_16: "Ensure all data stored in the RDS is securely encrypted at rest"
	FAILED for resource: aws_db_instance.pra_db
	File: /rds.tf:1-16
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-4.html

		1  | resource "aws_db_instance" "pra_db" {
		2  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		3  |   db_name                     = local.application_data.accounts[local.environment].db_name
		4  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		5  |   engine                      = local.application_data.accounts[local.environment].engine
		6  |   identifier                  = local.application_data.accounts[local.environment].identifier
		7  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		8  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		9  |   username                    = local.application_data.accounts[local.environment].db_username
		10 |   password                    = random_password.password.result
		11 |   skip_final_snapshot         = true
		12 |   publicly_accessible         = true
		13 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc.id]
		14 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		15 |   allow_major_version_upgrade = true
		16 | }

Check: CKV_AWS_226: "Ensure DB instance gets all minor upgrades automatically"
	FAILED for resource: aws_db_instance.pra_db
	File: /rds.tf:1-16
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-db-instance-gets-all-minor-upgrades-automatically.html

		1  | resource "aws_db_instance" "pra_db" {
		2  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		3  |   db_name                     = local.application_data.accounts[local.environment].db_name
		4  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		5  |   engine                      = local.application_data.accounts[local.environment].engine
		6  |   identifier                  = local.application_data.accounts[local.environment].identifier
		7  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		8  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		9  |   username                    = local.application_data.accounts[local.environment].db_username
		10 |   password                    = random_password.password.result
		11 |   skip_final_snapshot         = true
		12 |   publicly_accessible         = true
		13 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc.id]
		14 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		15 |   allow_major_version_upgrade = true
		16 | }

Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
	FAILED for resource: aws_db_instance.pra_db
	File: /rds.tf:1-16

		1  | resource "aws_db_instance" "pra_db" {
		2  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		3  |   db_name                     = local.application_data.accounts[local.environment].db_name
		4  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		5  |   engine                      = local.application_data.accounts[local.environment].engine
		6  |   identifier                  = local.application_data.accounts[local.environment].identifier
		7  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		8  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		9  |   username                    = local.application_data.accounts[local.environment].db_username
		10 |   password                    = random_password.password.result
		11 |   skip_final_snapshot         = true
		12 |   publicly_accessible         = true
		13 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc.id]
		14 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		15 |   allow_major_version_upgrade = true
		16 | }

Check: CKV_AWS_23: "Ensure every security groups rule has a description"
	FAILED for resource: aws_security_group.modernisation_pra_access
	File: /rds.tf:24-43
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html

		24 | resource "aws_security_group" "modernisation_pra_access" {
		25 |   provider    = aws.tacticalproducts
		26 |   name        = "modernisation_pra_access-${local.environment}"
		27 |   description = "Allow pra on modernisation platform to access the source database"
		28 | 
		29 |   ingress {
		30 |     from_port   = 5432
		31 |     to_port     = 5432
		32 |     protocol    = "tcp"
		33 |     description = "Allow pra on modernisation platform to connect to source database"
		34 |     cidr_blocks = ["${jsondecode(data.http.myip.response_body)["ip"]}/32"]
		35 |   }
		36 | 
		37 |   egress {
		38 |     from_port   = 0
		39 |     to_port     = 0
		40 |     protocol    = "-1"
		41 |     cidr_blocks = ["0.0.0.0/0"]
		42 |   }
		43 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.rds_db_credentials
	File: /secrets.tf:11-14
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms.html

		11 | resource "aws_secretsmanager_secret" "rds_db_credentials" {
		12 |   name                    = "rds-password"
		13 |   recovery_window_in_days = 0
		14 | }

Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
	FAILED for resource: aws_db_instance.pra_db
	File: /rds.tf:1-16

		1  | resource "aws_db_instance" "pra_db" {
		2  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		3  |   db_name                     = local.application_data.accounts[local.environment].db_name
		4  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		5  |   engine                      = local.application_data.accounts[local.environment].engine
		6  |   identifier                  = local.application_data.accounts[local.environment].identifier
		7  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		8  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		9  |   username                    = local.application_data.accounts[local.environment].db_username
		10 |   password                    = random_password.password.result
		11 |   skip_final_snapshot         = true
		12 |   publicly_accessible         = true
		13 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc.id]
		14 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		15 |   allow_major_version_upgrade = true
		16 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.rds_db_credentials
	File: /secrets.tf:11-14

		11 | resource "aws_secretsmanager_secret" "rds_db_credentials" {
		12 |   name                    = "rds-password"
		13 |   recovery_window_in_days = 0
		14 | }

Check: CKV2_AWS_28: "Ensure public facing ALB are protected by WAF"
	FAILED for resource: aws_lb.pra_lb
	File: /load_balancer.tf:126-134
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-public-facing-alb-are-protected-by-waf.html

		126 | resource "aws_lb" "pra_lb" {
		127 |   name                       = "pra-load-balancer"
		128 |   load_balancer_type         = "application"
		129 |   security_groups            = [aws_security_group.pra_lb_sc.id, aws_security_group.lb_sc_pingdom.id]
		130 |   subnets                    = data.aws_subnets.shared-public.ids
		131 |   enable_deletion_protection = false
		132 |   internal                   = false
		133 |   depends_on                 = [aws_security_group.pra_lb_sc, aws_security_group.lb_sc_pingdom]
		134 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.modernisation_pra_access
	File: /rds.tf:24-43
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis.html

		24 | resource "aws_security_group" "modernisation_pra_access" {
		25 |   provider    = aws.tacticalproducts
		26 |   name        = "modernisation_pra_access-${local.environment}"
		27 |   description = "Allow pra on modernisation platform to access the source database"
		28 | 
		29 |   ingress {
		30 |     from_port   = 5432
		31 |     to_port     = 5432
		32 |     protocol    = "tcp"
		33 |     description = "Allow pra on modernisation platform to connect to source database"
		34 |     cidr_blocks = ["${jsondecode(data.http.myip.response_body)["ip"]}/32"]
		35 |   }
		36 | 
		37 |   egress {
		38 |     from_port   = 0
		39 |     to_port     = 0
		40 |     protocol    = "-1"
		41 |     cidr_blocks = ["0.0.0.0/0"]
		42 |   }
		43 | }

Check: CKV2_AWS_40: "Ensure AWS IAM policy does not allow full IAM privileges"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:187-209

		187 | resource "aws_iam_role_policy" "app_task" {
		188 |   name = "task-${var.networking[0].application}"
		189 |   role = aws_iam_role.app_task.id
		190 | 
		191 |   policy = <<-EOF
		192 |   {
		193 |    "Version": "2012-10-17",
		194 |    "Statement": [
		195 |      {
		196 |        "Effect": "Allow",
		197 |         "Action": [
		198 |           "logs:CreateLogStream",
		199 |           "logs:PutLogEvents",
		200 |           "ecr:*",
		201 |           "iam:*",
		202 |           "ec2:*"
		203 |         ],
		204 |        "Resource": "*"
		205 |      }
		206 |    ]
		207 |   }
		208 |   EOF
		209 | }


checkov_exitcode=1

`CTFLint Scan` Failed

Show Output

*****************************

Setting default tflint config...
Running tflint --init...
Installing `terraform` plugin...
Installed `terraform` (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.2.1)
tflint will check the following folders:
terraform/environments/pra-register

*****************************

Running tflint in terraform/environments/pra-register
Excluding the following checks: terraform_unused_declarations
13 issue(s) found:

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/pra-register/ecs.tf line 39:
  39:           value = "${aws_db_instance.pra_db.address}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/pra-register/ecs.tf line 43:
  43:           value = "${local.application_data.accounts[local.environment].rds_port}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/pra-register/ecs.tf line 47:
  47:           value = "${aws_db_instance.pra_db.username}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/pra-register/ecs.tf line 51:
  51:           value = "${aws_db_instance.pra_db.password}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/pra-register/ecs.tf line 55:
  55:           value = "${aws_db_instance.pra_db.db_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/pra-register/ecs.tf line 59:
  59:           value = "${local.application_data.accounts[local.environment].support_email}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/pra-register/ecs.tf line 63:
  63:           value = "${local.application_data.accounts[local.environment].support_team}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/pra-register/ecs.tf line 67:
  67:           value = "${local.application_data.accounts[local.environment].client_id}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/pra-register/rds.tf line 104:
 104:     always_run = "${timestamp()}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "null" in "required_providers" (terraform_required_providers)

  on terraform/environments/pra-register/rds.tf line 109:
 109: resource "null_resource" "setup_source_rds_security_group" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_required_providers.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/pra-register/rds.tf line 122:
 122:     always_run = "${timestamp()}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "random" in "required_providers" (terraform_required_providers)

  on terraform/environments/pra-register/secrets.tf line 2:
   2: resource "random_password" "password" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_required_providers.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/pra-register/secrets.tf line 18:
  18:   secret_string = jsonencode({ "PRA_DB_PASSWORD" : "${random_password.password.result}" })

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

tflint_exitcode=2

dependabot bot requested a review from a team as a code owner October 18, 2023 00:22

dependabot bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels Oct 18, 2023

dms1981 approved these changes Oct 18, 2023

View reviewed changes

dms1981 merged commit c72517c into main Oct 18, 2023
9 of 11 checks passed

dms1981 deleted the dependabot/github_actions/actions/checkout-4.1.1 branch October 18, 2023 08:13

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Bump actions/checkout from 4.1.0 to 4.1.1 #3710

Bump actions/checkout from 4.1.0 to 4.1.1 #3710

dependabot bot commented on behalf of github Oct 18, 2023

github-actions bot commented Oct 18, 2023

Bump actions/checkout from 4.1.0 to 4.1.1 #3710

Bump actions/checkout from 4.1.0 to 4.1.1 #3710

Conversation

dependabot bot commented on behalf of github Oct 18, 2023

v4.1.1

What's Changed

New Contributors

github-actions bot commented Oct 18, 2023

TFSEC Scan Failed

Checkov Scan Failed

CTFLint Scan Failed

`TFSEC Scan` Failed

`Checkov Scan` Failed

`CTFLint Scan` Failed