
CC-2254: Added a swap volume to EBS DB in the Upgrade environment. #4259

Merged
merged 2 commits into from
Dec 7, 2023

Conversation


@mmgovuk mmgovuk commented Dec 7, 2023

Added a swap volume to EBS DB in the Upgrade environment.

@mmgovuk mmgovuk requested a review from SahidKhan89 December 7, 2023 11:11
@mmgovuk mmgovuk self-assigned this Dec 7, 2023
@github-actions github-actions bot added the environments-repository Used to exclude PRs from this repo in our Slack PR update label Dec 7, 2023

github-actions bot commented Dec 7, 2023

TFSEC Scan Failed

*****************************

TFSEC will check the following folders:
terraform/environments/cdpt-chaps

*****************************

Running TFSEC in terraform/environments/cdpt-chaps
Excluding the following checks: AWS095

======================================================
tfsec is joining the Trivy family

tfsec will continue to remain available 
for the time being, although our engineering 
attention will be directed at Trivy going forward.

You can read more here: 
https://github.com/aquasecurity/tfsec/discussions/1994
======================================================

Result #1 CRITICAL Security group rule allows egress to multiple public internet addresses. 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:200
────────────────────────────────────────────────────────────────────────────────
  184    resource "aws_security_group" "ecs_service" {
  ...  
  200  [     cidr_blocks = ["0.0.0.0/0"]
  ...  
  202    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-no-public-egress-sgr
      Impact Your port is egressing data to the internet
  Resolution Set a more restrictive cidr range

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/no-public-egress-sgr/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
────────────────────────────────────────────────────────────────────────────────


Result #2 CRITICAL Security group rule allows ingress from public internet. 
────────────────────────────────────────────────────────────────────────────────
  loadbalancer.tf:11
────────────────────────────────────────────────────────────────────────────────
    1    resource "aws_security_group" "chaps_lb_sc" {
    .  
   11  [     cidr_blocks = ["0.0.0.0/0"]
   ..  
   37    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-no-public-ingress-sgr
      Impact Your port exposed to the internet
  Resolution Set a more restrictive cidr range

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/no-public-ingress-sgr/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule#cidr_blocks
────────────────────────────────────────────────────────────────────────────────


Result #3 CRITICAL Security group rule allows ingress from public internet. 
────────────────────────────────────────────────────────────────────────────────
  loadbalancer.tf:19
────────────────────────────────────────────────────────────────────────────────
    1    resource "aws_security_group" "chaps_lb_sc" {
    .  
   19  [     cidr_blocks = ["0.0.0.0/0"]
   ..  
   37    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-no-public-ingress-sgr
      Impact Your port exposed to the internet
  Resolution Set a more restrictive cidr range

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/no-public-ingress-sgr/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule#cidr_blocks
────────────────────────────────────────────────────────────────────────────────


Result #4 CRITICAL Security group rule allows egress to multiple public internet addresses. 
────────────────────────────────────────────────────────────────────────────────
  loadbalancer.tf:27
────────────────────────────────────────────────────────────────────────────────
    1    resource "aws_security_group" "chaps_lb_sc" {
    .  
   27  [     cidr_blocks = ["0.0.0.0/0"]
   ..  
   37    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-no-public-egress-sgr
      Impact Your port is egressing data to the internet
  Resolution Set a more restrictive cidr range

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/no-public-egress-sgr/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
────────────────────────────────────────────────────────────────────────────────


Result #5 CRITICAL Security group rule allows egress to multiple public internet addresses. 
────────────────────────────────────────────────────────────────────────────────
  loadbalancer.tf:35
────────────────────────────────────────────────────────────────────────────────
    1    resource "aws_security_group" "chaps_lb_sc" {
    .  
   35  [     cidr_blocks = ["0.0.0.0/0"]
   ..  
   37    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-no-public-egress-sgr
      Impact Your port is egressing data to the internet
  Resolution Set a more restrictive cidr range

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/no-public-egress-sgr/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
────────────────────────────────────────────────────────────────────────────────


Result #6 CRITICAL Listener for application load balancer does not use HTTPS. 
────────────────────────────────────────────────────────────────────────────────
  loadbalancer.tf:76
────────────────────────────────────────────────────────────────────────────────
   73    resource "aws_lb_listener" "listener" {
   74      load_balancer_arn = aws_lb.chaps_lb.arn
   75      port              = 80
   76  [   protocol          = "HTTP" ("HTTP")
   77    
   78      default_action {
   79        target_group_arn = aws_lb_target_group.chaps_target_group.id
   80        type             = "forward"
   81      }
   82    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-elb-http-not-used
      Impact Your traffic is not protected
  Resolution Switch to HTTPS to benefit from TLS security features

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/elb/http-not-used/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_listener
────────────────────────────────────────────────────────────────────────────────


Result #7 HIGH IAM policy document uses wildcarded action 'ecr:*' 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:117-124
────────────────────────────────────────────────────────────────────────────────
  108    resource "aws_iam_role_policy" "app_execution" {
  ...  
  117              "Action": [
  118                 "ecr:*",
  119                 "logs:CreateLogGroup",
  120                 "logs:CreateLogStream",
  121                 "logs:PutLogEvents",
  122                 "logs:DescribeLogStreams",
  123                 "secretsmanager:GetSecretValue"
  ...  
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #8 HIGH IAM policy document uses sensitive action 'ecr:*' on wildcarded resource '*' 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:125
────────────────────────────────────────────────────────────────────────────────
  108    resource "aws_iam_role_policy" "app_execution" {
  ...  
  125  [            "Resource": "*",
  ...  
  131    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Results #9-11 HIGH IAM policy document uses wildcarded action 'logs:CreateLogStream' (3 similar results)
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:170-176
────────────────────────────────────────────────────────────────────────────────
  160    resource "aws_iam_role_policy" "app_task" {
  ...  
  170            "Action": [
  171              "logs:CreateLogStream",
  172              "logs:PutLogEvents",
  173              "ecr:*",
  174              "iam:*",
  175              "ec2:*"
  176  └         ],
  ...  
────────────────────────────────────────────────────────────────────────────────
  Individual Causes
  - ecs.tf:160-182 (aws_iam_role_policy.app_task) 3 instances
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #12 HIGH IAM policy document uses sensitive action 'logs:CreateLogStream' on wildcarded resource '*' 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:177
────────────────────────────────────────────────────────────────────────────────
  160    resource "aws_iam_role_policy" "app_task" {
  ...  
  177  [        "Resource": "*"
  ...  
  182    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #13 HIGH Application load balancer is not set to drop invalid headers. 
────────────────────────────────────────────────────────────────────────────────
  loadbalancer.tf:39-47
────────────────────────────────────────────────────────────────────────────────
   39    resource "aws_lb" "chaps_lb" {
   40      name                       = "chaps-load-balancer"
   41      load_balancer_type         = "application"
   42      security_groups            = [aws_security_group.chaps_lb_sc.id]
   43      subnets                    = data.aws_subnets.shared-public.ids
   44      enable_deletion_protection = false
   45      internal                   = false
   46      depends_on                 = [aws_security_group.chaps_lb_sc]
   47    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-elb-drop-invalid-headers
      Impact Invalid headers being passed through to the target of the load balance may exploit vulnerabilities
  Resolution Set drop_invalid_header_fields to true

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/elb/drop-invalid-headers/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb#drop_invalid_header_fields
────────────────────────────────────────────────────────────────────────────────


Result #14 HIGH Load balancer is exposed publicly. 
────────────────────────────────────────────────────────────────────────────────
  loadbalancer.tf:45
────────────────────────────────────────────────────────────────────────────────
   39    resource "aws_lb" "chaps_lb" {
   40      name                       = "chaps-load-balancer"
   41      load_balancer_type         = "application"
   42      security_groups            = [aws_security_group.chaps_lb_sc.id]
   43      subnets                    = data.aws_subnets.shared-public.ids
   44      enable_deletion_protection = false
   45  [   internal                   = false (false)
   46      depends_on                 = [aws_security_group.chaps_lb_sc]
   47    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-elb-alb-not-public
      Impact The load balancer is exposed on the internet
  Resolution Switch to an internal load balancer or add a tfsec ignore

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/elb/alb-not-public/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb
────────────────────────────────────────────────────────────────────────────────


Result #15 LOW Log group is not encrypted. 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:14-17
────────────────────────────────────────────────────────────────────────────────
   14    resource "aws_cloudwatch_log_group" "deployment_logs" {
   15      name              = "/aws/events/deploymentLogs"
   16      retention_in_days = "7"
   17    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-cloudwatch-log-group-customer-key
      Impact Log data may be leaked if the logs are compromised. No auditing of who have viewed the logs.
  Resolution Enable CMK encryption of CloudWatch Log Groups

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/cloudwatch/log-group-customer-key/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group#kms_key_id
────────────────────────────────────────────────────────────────────────────────


Result #16 LOW Security group explicitly uses the default description. 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:184-202
────────────────────────────────────────────────────────────────────────────────
  184  ┌ resource "aws_security_group" "ecs_service" {
  185  │   name_prefix = "ecs-service-sg-"
  186  │   vpc_id      = data.aws_vpc.shared.id
  187  │
  188  │   ingress {
  189  │     from_port       = 80
  190  │     to_port         = 80
  191  │     protocol        = "tcp"
  192  └     description     = "Allow traffic on port 80 from load balancer"
  ...  
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-add-description-to-security-group
      Impact Descriptions provide context for the firewall rule reasons
  Resolution Add descriptions for all security groups

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/add-description-to-security-group/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule
────────────────────────────────────────────────────────────────────────────────


Result #17 LOW Security group rule does not have a description. 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:196-201
────────────────────────────────────────────────────────────────────────────────
  184    resource "aws_security_group" "ecs_service" {
  ...  
  196  ┌   egress {
  197  │     from_port   = 0
  198  │     to_port     = 0
  199  │     protocol    = "-1"
  200  │     cidr_blocks = ["0.0.0.0/0"]
  201  └   }
  202    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-add-description-to-security-group-rule
      Impact Descriptions provide context for the firewall rule reasons
  Resolution Add descriptions for all security groups rules

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/add-description-to-security-group-rule/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule
────────────────────────────────────────────────────────────────────────────────


  timings
  ──────────────────────────────────────────
  disk i/o             322.692µs
  parsing              7.009583ms
  adaptation           368.447µs
  checks               3.760453ms
  total                11.461175ms

  counts
  ──────────────────────────────────────────
  modules downloaded   0
  modules processed    1
  blocks processed     65
  files read           14

  results
  ──────────────────────────────────────────
  passed               19
  ignored              0
  critical             6
  high                 8
  medium               0
  low                  3

  19 passed, 17 potential problem(s) detected.

tfsec_exitcode=1

Checkov Scan Failed

*****************************

Checkov will check the following folders:
terraform/environments/cdpt-chaps

*****************************

Running Checkov in terraform/environments/cdpt-chaps
terraform scan results:

Passed checks: 43, Failed checks: 23, Skipped checks: 0

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.deployment_logs
	File: /ecs.tf:14-17
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		14 | resource "aws_cloudwatch_log_group" "deployment_logs" {
		15 |   name              = "/aws/events/deploymentLogs"
		16 |   retention_in_days = "7"
		17 | }

Check: CKV_AWS_336: "Ensure ECS containers are limited to read-only access to root filesystems"
	FAILED for resource: aws_ecs_task_definition.chaps_task_definition
	File: /ecs.tf:19-49

		19 | resource "aws_ecs_task_definition" "chaps_task_definition" {
		20 |   family                   = "chapsFamily"
		21 |   requires_compatibilities = ["FARGATE"]
		22 |   network_mode             = "awsvpc"
		23 |   execution_role_arn       = aws_iam_role.app_execution.arn
		24 |   task_role_arn            = aws_iam_role.app_task.arn
		25 |   cpu                      = 1024
		26 |   memory                   = 2048
		27 |   container_definitions = jsonencode([
		28 |     {
		29 |       name      = local.application_name
		30 |       image     = "${local.ecr_url}:${local.application_data.accounts[local.environment].docker_image_tag}"
		31 |       cpu       = 1024
		32 |       memory    = 2048
		33 |       essential = true
		34 |       portMappings = [
		35 |         {
		36 |           containerPort = 80
		37 |           protocol      = "tcp"
		38 |           hostPort      = 80
		39 |         }
		40 |       ]
		41 |       environment = [
		42 |       ]
		43 |     }
		44 |   ])
		45 |   runtime_platform {
		46 |     operating_system_family = "WINDOWS_SERVER_2019_CORE"
		47 |     cpu_architecture        = "X86_64"
		48 |   }
		49 | }

Check: CKV_AWS_333: "Ensure ECS services do not have public IP addresses assigned to them automatically"
	FAILED for resource: aws_ecs_service.ecs_service
	File: /ecs.tf:51-79

		51 | resource "aws_ecs_service" "ecs_service" {
		52 |   depends_on = [
		53 |     aws_lb_listener.listener
		54 |   ]
		55 | 
		56 |   name                              = var.networking[0].application
		57 |   cluster                           = aws_ecs_cluster.ecs_cluster.id
		58 |   task_definition                   = aws_ecs_task_definition.chaps_task_definition.arn
		59 |   launch_type                       = "FARGATE"
		60 |   enable_execute_command            = true
		61 |   desired_count                     = 2
		62 |   health_check_grace_period_seconds = 180
		63 | 
		64 |   network_configuration {
		65 |     subnets          = data.aws_subnets.shared-public.ids
		66 |     security_groups  = [aws_security_group.ecs_service.id]
		67 |     assign_public_ip = true
		68 |   }
		69 | 
		70 |   load_balancer {
		71 |     target_group_arn = aws_lb_target_group.chaps_target_group.arn
		72 |     container_name   = local.application_name
		73 |     container_port   = 80
		74 |   }
		75 | 
		76 |   deployment_controller {
		77 |     type = "ECS"
		78 |   }
		79 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:108-131

		108 | resource "aws_iam_role_policy" "app_execution" {
		109 |   name = "execution-${var.networking[0].application}"
		110 |   role = aws_iam_role.app_execution.id
		111 | 
		112 |   policy = <<-EOF
		113 |   {
		114 |     "Version": "2012-10-17",
		115 |     "Statement": [
		116 |       {
		117 |            "Action": [
		118 |               "ecr:*",
		119 |               "logs:CreateLogGroup",
		120 |               "logs:CreateLogStream",
		121 |               "logs:PutLogEvents",
		122 |               "logs:DescribeLogStreams",
		123 |               "secretsmanager:GetSecretValue"
		124 |            ],
		125 |            "Resource": "*",
		126 |            "Effect": "Allow"
		127 |       }
		128 |     ]
		129 |   }
		130 |   EOF
		131 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:108-131

		108 | resource "aws_iam_role_policy" "app_execution" {
		109 |   name = "execution-${var.networking[0].application}"
		110 |   role = aws_iam_role.app_execution.id
		111 | 
		112 |   policy = <<-EOF
		113 |   {
		114 |     "Version": "2012-10-17",
		115 |     "Statement": [
		116 |       {
		117 |            "Action": [
		118 |               "ecr:*",
		119 |               "logs:CreateLogGroup",
		120 |               "logs:CreateLogStream",
		121 |               "logs:PutLogEvents",
		122 |               "logs:DescribeLogStreams",
		123 |               "secretsmanager:GetSecretValue"
		124 |            ],
		125 |            "Resource": "*",
		126 |            "Effect": "Allow"
		127 |       }
		128 |     ]
		129 |   }
		130 |   EOF
		131 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:108-131

		108 | resource "aws_iam_role_policy" "app_execution" {
		109 |   name = "execution-${var.networking[0].application}"
		110 |   role = aws_iam_role.app_execution.id
		111 | 
		112 |   policy = <<-EOF
		113 |   {
		114 |     "Version": "2012-10-17",
		115 |     "Statement": [
		116 |       {
		117 |            "Action": [
		118 |               "ecr:*",
		119 |               "logs:CreateLogGroup",
		120 |               "logs:CreateLogStream",
		121 |               "logs:PutLogEvents",
		122 |               "logs:DescribeLogStreams",
		123 |               "secretsmanager:GetSecretValue"
		124 |            ],
		125 |            "Resource": "*",
		126 |            "Effect": "Allow"
		127 |       }
		128 |     ]
		129 |   }
		130 |   EOF
		131 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:108-131

		108 | resource "aws_iam_role_policy" "app_execution" {
		109 |   name = "execution-${var.networking[0].application}"
		110 |   role = aws_iam_role.app_execution.id
		111 | 
		112 |   policy = <<-EOF
		113 |   {
		114 |     "Version": "2012-10-17",
		115 |     "Statement": [
		116 |       {
		117 |            "Action": [
		118 |               "ecr:*",
		119 |               "logs:CreateLogGroup",
		120 |               "logs:CreateLogStream",
		121 |               "logs:PutLogEvents",
		122 |               "logs:DescribeLogStreams",
		123 |               "secretsmanager:GetSecretValue"
		124 |            ],
		125 |            "Resource": "*",
		126 |            "Effect": "Allow"
		127 |       }
		128 |     ]
		129 |   }
		130 |   EOF
		131 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:160-182

		160 | resource "aws_iam_role_policy" "app_task" {
		161 |   name = "task-${var.networking[0].application}"
		162 |   role = aws_iam_role.app_task.id
		163 | 
		164 |   policy = <<-EOF
		165 |   {
		166 |    "Version": "2012-10-17",
		167 |    "Statement": [
		168 |      {
		169 |        "Effect": "Allow",
		170 |         "Action": [
		171 |           "logs:CreateLogStream",
		172 |           "logs:PutLogEvents",
		173 |           "ecr:*",
		174 |           "iam:*",
		175 |           "ec2:*"
		176 |         ],
		177 |        "Resource": "*"
		178 |      }
		179 |    ]
		180 |   }
		181 |   EOF
		182 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:160-182

		160 | resource "aws_iam_role_policy" "app_task" {
		161 |   name = "task-${var.networking[0].application}"
		162 |   role = aws_iam_role.app_task.id
		163 | 
		164 |   policy = <<-EOF
		165 |   {
		166 |    "Version": "2012-10-17",
		167 |    "Statement": [
		168 |      {
		169 |        "Effect": "Allow",
		170 |         "Action": [
		171 |           "logs:CreateLogStream",
		172 |           "logs:PutLogEvents",
		173 |           "ecr:*",
		174 |           "iam:*",
		175 |           "ec2:*"
		176 |         ],
		177 |        "Resource": "*"
		178 |      }
		179 |    ]
		180 |   }
		181 |   EOF
		182 | }

Check: CKV_AWS_286: "Ensure IAM policies does not allow privilege escalation"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:160-182

		160 | resource "aws_iam_role_policy" "app_task" {
		161 |   name = "task-${var.networking[0].application}"
		162 |   role = aws_iam_role.app_task.id
		163 | 
		164 |   policy = <<-EOF
		165 |   {
		166 |    "Version": "2012-10-17",
		167 |    "Statement": [
		168 |      {
		169 |        "Effect": "Allow",
		170 |         "Action": [
		171 |           "logs:CreateLogStream",
		172 |           "logs:PutLogEvents",
		173 |           "ecr:*",
		174 |           "iam:*",
		175 |           "ec2:*"
		176 |         ],
		177 |        "Resource": "*"
		178 |      }
		179 |    ]
		180 |   }
		181 |   EOF
		182 | }

Check: CKV_AWS_287: "Ensure IAM policies does not allow credentials exposure"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:160-182

		160 | resource "aws_iam_role_policy" "app_task" {
		161 |   name = "task-${var.networking[0].application}"
		162 |   role = aws_iam_role.app_task.id
		163 | 
		164 |   policy = <<-EOF
		165 |   {
		166 |    "Version": "2012-10-17",
		167 |    "Statement": [
		168 |      {
		169 |        "Effect": "Allow",
		170 |         "Action": [
		171 |           "logs:CreateLogStream",
		172 |           "logs:PutLogEvents",
		173 |           "ecr:*",
		174 |           "iam:*",
		175 |           "ec2:*"
		176 |         ],
		177 |        "Resource": "*"
		178 |      }
		179 |    ]
		180 |   }
		181 |   EOF
		182 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:160-182

		160 | resource "aws_iam_role_policy" "app_task" {
		161 |   name = "task-${var.networking[0].application}"
		162 |   role = aws_iam_role.app_task.id
		163 | 
		164 |   policy = <<-EOF
		165 |   {
		166 |    "Version": "2012-10-17",
		167 |    "Statement": [
		168 |      {
		169 |        "Effect": "Allow",
		170 |         "Action": [
		171 |           "logs:CreateLogStream",
		172 |           "logs:PutLogEvents",
		173 |           "ecr:*",
		174 |           "iam:*",
		175 |           "ec2:*"
		176 |         ],
		177 |        "Resource": "*"
		178 |      }
		179 |    ]
		180 |   }
		181 |   EOF
		182 | }

Check: CKV_AWS_23: "Ensure every security groups rule has a description"
	FAILED for resource: aws_security_group.ecs_service
	File: /ecs.tf:184-202
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		184 | resource "aws_security_group" "ecs_service" {
		185 |   name_prefix = "ecs-service-sg-"
		186 |   vpc_id      = data.aws_vpc.shared.id
		187 | 
		188 |   ingress {
		189 |     from_port       = 80
		190 |     to_port         = 80
		191 |     protocol        = "tcp"
		192 |     description     = "Allow traffic on port 80 from load balancer"
		193 |     security_groups = [aws_security_group.chaps_lb_sc.id]
		194 |   }
		195 | 
		196 |   egress {
		197 |     from_port   = 0
		198 |     to_port     = 0
		199 |     protocol    = "-1"
		200 |     cidr_blocks = ["0.0.0.0/0"]
		201 |   }
		202 | }

Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
	FAILED for resource: aws_security_group.chaps_lb_sc
	File: /loadbalancer.tf:1-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80

		1  | resource "aws_security_group" "chaps_lb_sc" {
		2  |   name        = "load balancer security group"
		3  |   description = "control access to the load balancer"
		4  |   vpc_id      = data.aws_vpc.shared.id
		5  | 
		6  |   ingress {
		7  |     description = "allow access on HTTP"
		8  |     from_port   = 80
		9  |     to_port     = 80
		10 |     protocol    = "tcp"
		11 |     cidr_blocks = ["0.0.0.0/0"]
		12 |   }
		13 | 
		14 |   ingress {
		15 |     description = "allow access on HTTPS"
		16 |     from_port   = 443
		17 |     to_port     = 443
		18 |     protocol    = "tcp"
		19 |     cidr_blocks = ["0.0.0.0/0"]
		20 |   }
		21 | 
		22 |   egress {
		23 |     description = "allow all outbound traffic for port 80"
		24 |     from_port   = 80
		25 |     to_port     = 80
		26 |     protocol    = "tcp"
		27 |     cidr_blocks = ["0.0.0.0/0"]
		28 |   }
		29 | 
		30 |   egress {
		31 |     description = "allow all outbound traffic for port 443"
		32 |     from_port   = 443
		33 |     to_port     = 443
		34 |     protocol    = "tcp"
		35 |     cidr_blocks = ["0.0.0.0/0"]
		36 |   }
		37 | }

Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
	FAILED for resource: aws_lb.chaps_lb
	File: /loadbalancer.tf:39-47
	Guide: https://docs.bridgecrew.io/docs/bc_aws_networking_62

		39 | resource "aws_lb" "chaps_lb" {
		40 |   name                       = "chaps-load-balancer"
		41 |   load_balancer_type         = "application"
		42 |   security_groups            = [aws_security_group.chaps_lb_sc.id]
		43 |   subnets                    = data.aws_subnets.shared-public.ids
		44 |   enable_deletion_protection = false
		45 |   internal                   = false
		46 |   depends_on                 = [aws_security_group.chaps_lb_sc]
		47 | }

Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
	FAILED for resource: aws_lb.chaps_lb
	File: /loadbalancer.tf:39-47
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22

		39 | resource "aws_lb" "chaps_lb" {
		40 |   name                       = "chaps-load-balancer"
		41 |   load_balancer_type         = "application"
		42 |   security_groups            = [aws_security_group.chaps_lb_sc.id]
		43 |   subnets                    = data.aws_subnets.shared-public.ids
		44 |   enable_deletion_protection = false
		45 |   internal                   = false
		46 |   depends_on                 = [aws_security_group.chaps_lb_sc]
		47 | }

Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
	FAILED for resource: aws_lb.chaps_lb
	File: /loadbalancer.tf:39-47
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers

		39 | resource "aws_lb" "chaps_lb" {
		40 |   name                       = "chaps-load-balancer"
		41 |   load_balancer_type         = "application"
		42 |   security_groups            = [aws_security_group.chaps_lb_sc.id]
		43 |   subnets                    = data.aws_subnets.shared-public.ids
		44 |   enable_deletion_protection = false
		45 |   internal                   = false
		46 |   depends_on                 = [aws_security_group.chaps_lb_sc]
		47 | }

Check: CKV_AWS_261: "Ensure HTTP HTTPS Target group defines Healthcheck"
	FAILED for resource: aws_lb_target_group.chaps_target_group
	File: /loadbalancer.tf:49-71
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-kendra-index-server-side-encryption-uses-customer-managed-keys-cmks

		49 | resource "aws_lb_target_group" "chaps_target_group" {
		50 |   name                 = "chaps-target-group"
		51 |   port                 = 80
		52 |   protocol             = "HTTP"
		53 |   vpc_id               = data.aws_vpc.shared.id
		54 |   target_type          = "ip"
		55 |   deregistration_delay = 30
		56 | 
		57 |   stickiness {
		58 |     type = "lb_cookie"
		59 |   }
		60 | 
		61 |   health_check {
		62 |     healthy_threshold   = "3"
		63 |     interval            = "30"
		64 |     protocol            = "HTTP"
		65 |     port                = "80"
		66 |     unhealthy_threshold = "5"
		67 |     matcher             = "200-302"
		68 |     timeout             = "10"
		69 |   }
		70 | 
		71 | }

Check: CKV_AWS_2: "Ensure ALB protocol is HTTPS"
	FAILED for resource: aws_lb_listener.listener
	File: /loadbalancer.tf:73-82
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-29

		73 | resource "aws_lb_listener" "listener" {
		74 |   load_balancer_arn = aws_lb.chaps_lb.arn
		75 |   port              = 80
		76 |   protocol          = "HTTP"
		77 | 
		78 |   default_action {
		79 |     target_group_arn = aws_lb_target_group.chaps_target_group.id
		80 |     type             = "forward"
		81 |   }
		82 | }

Check: CKV_AWS_103: "Ensure that load balancer is using at least TLS 1.2"
	FAILED for resource: aws_lb_listener.listener
	File: /loadbalancer.tf:73-82
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-43

		73 | resource "aws_lb_listener" "listener" {
		74 |   load_balancer_arn = aws_lb.chaps_lb.arn
		75 |   port              = 80
		76 |   protocol          = "HTTP"
		77 | 
		78 |   default_action {
		79 |     target_group_arn = aws_lb_target_group.chaps_target_group.id
		80 |     type             = "forward"
		81 |   }
		82 | }

Check: CKV2_AWS_28: "Ensure public facing ALB are protected by WAF"
	FAILED for resource: aws_lb.chaps_lb
	File: /loadbalancer.tf:39-47
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-public-facing-alb-are-protected-by-waf

		39 | resource "aws_lb" "chaps_lb" {
		40 |   name                       = "chaps-load-balancer"
		41 |   load_balancer_type         = "application"
		42 |   security_groups            = [aws_security_group.chaps_lb_sc.id]
		43 |   subnets                    = data.aws_subnets.shared-public.ids
		44 |   enable_deletion_protection = false
		45 |   internal                   = false
		46 |   depends_on                 = [aws_security_group.chaps_lb_sc]
		47 | }

Check: CKV2_AWS_20: "Ensure that ALB redirects HTTP requests into HTTPS ones"
	FAILED for resource: aws_lb.chaps_lb
	File: /loadbalancer.tf:39-47
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-redirects-http-requests-into-https-ones

		39 | resource "aws_lb" "chaps_lb" {
		40 |   name                       = "chaps-load-balancer"
		41 |   load_balancer_type         = "application"
		42 |   security_groups            = [aws_security_group.chaps_lb_sc.id]
		43 |   subnets                    = data.aws_subnets.shared-public.ids
		44 |   enable_deletion_protection = false
		45 |   internal                   = false
		46 |   depends_on                 = [aws_security_group.chaps_lb_sc]
		47 | }

Check: CKV2_AWS_40: "Ensure AWS IAM policy does not allow full IAM privileges"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:160-182

		160 | resource "aws_iam_role_policy" "app_task" {
		161 |   name = "task-${var.networking[0].application}"
		162 |   role = aws_iam_role.app_task.id
		163 | 
		164 |   policy = <<-EOF
		165 |   {
		166 |    "Version": "2012-10-17",
		167 |    "Statement": [
		168 |      {
		169 |        "Effect": "Allow",
		170 |         "Action": [
		171 |           "logs:CreateLogStream",
		172 |           "logs:PutLogEvents",
		173 |           "ecr:*",
		174 |           "iam:*",
		175 |           "ec2:*"
		176 |         ],
		177 |        "Resource": "*"
		178 |      }
		179 |    ]
		180 |   }
		181 |   EOF
		182 | }


checkov_exitcode=1

CTFLint Scan Success

*****************************

Setting default tflint config...
Running tflint --init...
Installing `terraform` plugin...
Installed `terraform` (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.2.1)
tflint will check the following folders:
terraform/environments/cdpt-chaps

*****************************

Running tflint in terraform/environments/cdpt-chaps
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

@mmgovuk mmgovuk temporarily deployed to ccms-ebs-upgrade-development December 7, 2023 11:17 — with GitHub Actions

github-actions bot commented Dec 7, 2023

TFSEC Scan Failed

*****************************

TFSEC will check the following folders:
terraform/environments/cdpt-chaps

*****************************

Running TFSEC in terraform/environments/cdpt-chaps
Excluding the following checks: AWS095

======================================================
tfsec is joining the Trivy family

tfsec will continue to remain available 
for the time being, although our engineering 
attention will be directed at Trivy going forward.

You can read more here: 
https://github.com/aquasecurity/tfsec/discussions/1994
======================================================

Result #1 CRITICAL Security group rule allows egress to multiple public internet addresses. 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:200
────────────────────────────────────────────────────────────────────────────────
  184    resource "aws_security_group" "ecs_service" {
  ...  
  200  [     cidr_blocks = ["0.0.0.0/0"]
  ...  
  202    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-no-public-egress-sgr
      Impact Your port is egressing data to the internet
  Resolution Set a more restrictive cidr range

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/no-public-egress-sgr/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
────────────────────────────────────────────────────────────────────────────────


Result #2 CRITICAL Security group rule allows ingress from public internet. 
────────────────────────────────────────────────────────────────────────────────
  loadbalancer.tf:11
────────────────────────────────────────────────────────────────────────────────
    1    resource "aws_security_group" "chaps_lb_sc" {
    .  
   11  [     cidr_blocks = ["0.0.0.0/0"]
   ..  
   37    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-no-public-ingress-sgr
      Impact Your port exposed to the internet
  Resolution Set a more restrictive cidr range

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/no-public-ingress-sgr/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule#cidr_blocks
────────────────────────────────────────────────────────────────────────────────


Result #3 CRITICAL Security group rule allows ingress from public internet. 
────────────────────────────────────────────────────────────────────────────────
  loadbalancer.tf:19
────────────────────────────────────────────────────────────────────────────────
    1    resource "aws_security_group" "chaps_lb_sc" {
    .  
   19  [     cidr_blocks = ["0.0.0.0/0"]
   ..  
   37    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-no-public-ingress-sgr
      Impact Your port exposed to the internet
  Resolution Set a more restrictive cidr range

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/no-public-ingress-sgr/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule#cidr_blocks
────────────────────────────────────────────────────────────────────────────────


Result #4 CRITICAL Security group rule allows egress to multiple public internet addresses. 
────────────────────────────────────────────────────────────────────────────────
  loadbalancer.tf:27
────────────────────────────────────────────────────────────────────────────────
    1    resource "aws_security_group" "chaps_lb_sc" {
    .  
   27  [     cidr_blocks = ["0.0.0.0/0"]
   ..  
   37    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-no-public-egress-sgr
      Impact Your port is egressing data to the internet
  Resolution Set a more restrictive cidr range

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/no-public-egress-sgr/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
────────────────────────────────────────────────────────────────────────────────


Result #5 CRITICAL Security group rule allows egress to multiple public internet addresses. 
────────────────────────────────────────────────────────────────────────────────
  loadbalancer.tf:35
────────────────────────────────────────────────────────────────────────────────
    1    resource "aws_security_group" "chaps_lb_sc" {
    .  
   35  [     cidr_blocks = ["0.0.0.0/0"]
   ..  
   37    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-no-public-egress-sgr
      Impact Your port is egressing data to the internet
  Resolution Set a more restrictive cidr range

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/no-public-egress-sgr/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
────────────────────────────────────────────────────────────────────────────────


Result #6 CRITICAL Listener for application load balancer does not use HTTPS. 
────────────────────────────────────────────────────────────────────────────────
  loadbalancer.tf:76
────────────────────────────────────────────────────────────────────────────────
   73    resource "aws_lb_listener" "listener" {
   74      load_balancer_arn = aws_lb.chaps_lb.arn
   75      port              = 80
   76  [   protocol          = "HTTP" ("HTTP")
   77    
   78      default_action {
   79        target_group_arn = aws_lb_target_group.chaps_target_group.id
   80        type             = "forward"
   81      }
   82    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-elb-http-not-used
      Impact Your traffic is not protected
  Resolution Switch to HTTPS to benefit from TLS security features

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/elb/http-not-used/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_listener
────────────────────────────────────────────────────────────────────────────────


Result #7 HIGH IAM policy document uses wildcarded action 'ecr:*' 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:117-124
────────────────────────────────────────────────────────────────────────────────
  108    resource "aws_iam_role_policy" "app_execution" {
  ...  
  117  ┌            "Action": [
  118  │               "ecr:*",
  119  │               "logs:CreateLogGroup",
  120  │               "logs:CreateLogStream",
  121  │               "logs:PutLogEvents",
  122  │               "logs:DescribeLogStreams",
  123  │               "secretsmanager:GetSecretValue"
  ...  
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #8 HIGH IAM policy document uses sensitive action 'ecr:*' on wildcarded resource '*' 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:125
────────────────────────────────────────────────────────────────────────────────
  108    resource "aws_iam_role_policy" "app_execution" {
  ...  
  125  [            "Resource": "*",
  ...  
  131    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Results #9-11 HIGH IAM policy document uses wildcarded action 'logs:CreateLogStream' (3 similar results)
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:170-176
────────────────────────────────────────────────────────────────────────────────
  160    resource "aws_iam_role_policy" "app_task" {
  ...  
  170  ┌         "Action": [
  171  │           "logs:CreateLogStream",
  172  │           "logs:PutLogEvents",
  173  │           "ecr:*",
  174  │           "iam:*",
  175  │           "ec2:*"
  176  └         ],
  ...  
────────────────────────────────────────────────────────────────────────────────
  Individual Causes
  - ecs.tf:160-182 (aws_iam_role_policy.app_task) 3 instances
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #12 HIGH IAM policy document uses sensitive action 'logs:CreateLogStream' on wildcarded resource '*' 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:177
────────────────────────────────────────────────────────────────────────────────
  160    resource "aws_iam_role_policy" "app_task" {
  ...  
  177  [        "Resource": "*"
  ...  
  182    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #13 HIGH Application load balancer is not set to drop invalid headers. 
────────────────────────────────────────────────────────────────────────────────
  loadbalancer.tf:39-47
────────────────────────────────────────────────────────────────────────────────
   39    resource "aws_lb" "chaps_lb" {
   40      name                       = "chaps-load-balancer"
   41      load_balancer_type         = "application"
   42      security_groups            = [aws_security_group.chaps_lb_sc.id]
   43      subnets                    = data.aws_subnets.shared-public.ids
   44      enable_deletion_protection = false
   45      internal                   = false
   46      depends_on                 = [aws_security_group.chaps_lb_sc]
   47    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-elb-drop-invalid-headers
      Impact Invalid headers being passed through to the target of the load balance may exploit vulnerabilities
  Resolution Set drop_invalid_header_fields to true

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/elb/drop-invalid-headers/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb#drop_invalid_header_fields
────────────────────────────────────────────────────────────────────────────────


Result #14 HIGH Load balancer is exposed publicly. 
────────────────────────────────────────────────────────────────────────────────
  loadbalancer.tf:45
────────────────────────────────────────────────────────────────────────────────
   39    resource "aws_lb" "chaps_lb" {
   40      name                       = "chaps-load-balancer"
   41      load_balancer_type         = "application"
   42      security_groups            = [aws_security_group.chaps_lb_sc.id]
   43      subnets                    = data.aws_subnets.shared-public.ids
   44      enable_deletion_protection = false
   45  [   internal                   = false (false)
   46      depends_on                 = [aws_security_group.chaps_lb_sc]
   47    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-elb-alb-not-public
      Impact The load balancer is exposed on the internet
  Resolution Switch to an internal load balancer or add a tfsec ignore

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/elb/alb-not-public/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb
────────────────────────────────────────────────────────────────────────────────


Result #15 LOW Log group is not encrypted. 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:14-17
────────────────────────────────────────────────────────────────────────────────
   14    resource "aws_cloudwatch_log_group" "deployment_logs" {
   15      name              = "/aws/events/deploymentLogs"
   16      retention_in_days = "7"
   17    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-cloudwatch-log-group-customer-key
      Impact Log data may be leaked if the logs are compromised. No auditing of who have viewed the logs.
  Resolution Enable CMK encryption of CloudWatch Log Groups

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/cloudwatch/log-group-customer-key/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group#kms_key_id
────────────────────────────────────────────────────────────────────────────────


Result #16 LOW Security group explicitly uses the default description. 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:184-202
────────────────────────────────────────────────────────────────────────────────
  184  ┌ resource "aws_security_group" "ecs_service" {
  185  │   name_prefix = "ecs-service-sg-"
  186  │   vpc_id      = data.aws_vpc.shared.id
  187  │ 
  188  │   ingress {
  189  │     from_port       = 80
  190  │     to_port         = 80
  191  │     protocol        = "tcp"
  192  └     description     = "Allow traffic on port 80 from load balancer"
  ...  
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-add-description-to-security-group
      Impact Descriptions provide context for the firewall rule reasons
  Resolution Add descriptions for all security groups

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/add-description-to-security-group/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule
────────────────────────────────────────────────────────────────────────────────


Result #17 LOW Security group rule does not have a description. 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:196-201
────────────────────────────────────────────────────────────────────────────────
  184    resource "aws_security_group" "ecs_service" {
  ...  
  196  ┌   egress {
  197  │     from_port   = 0
  198  │     to_port     = 0
  199  │     protocol    = "-1"
  200  │     cidr_blocks = ["0.0.0.0/0"]
  201  └   }
  202    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-add-description-to-security-group-rule
      Impact Descriptions provide context for the firewall rule reasons
  Resolution Add descriptions for all security groups rules

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/add-description-to-security-group-rule/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule
────────────────────────────────────────────────────────────────────────────────


  timings
  ──────────────────────────────────────────
  disk i/o             2.05087ms
  parsing              11.251127ms
  adaptation           564.56µs
  checks               10.728186ms
  total                24.594743ms

  counts
  ──────────────────────────────────────────
  modules downloaded   0
  modules processed    1
  blocks processed     65
  files read           14

  results
  ──────────────────────────────────────────
  passed               19
  ignored              0
  critical             6
  high                 8
  medium               0
  low                  3

  19 passed, 17 potential problem(s) detected.

tfsec_exitcode=1

Checkov Scan Failed

*****************************

Checkov will check the following folders:
terraform/environments/cdpt-chaps

*****************************

Running Checkov in terraform/environments/cdpt-chaps
terraform scan results:

Passed checks: 43, Failed checks: 23, Skipped checks: 0

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.deployment_logs
	File: /ecs.tf:14-17
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		14 | resource "aws_cloudwatch_log_group" "deployment_logs" {
		15 |   name              = "/aws/events/deploymentLogs"
		16 |   retention_in_days = "7"
		17 | }

Check: CKV_AWS_336: "Ensure ECS containers are limited to read-only access to root filesystems"
	FAILED for resource: aws_ecs_task_definition.chaps_task_definition
	File: /ecs.tf:19-49

		19 | resource "aws_ecs_task_definition" "chaps_task_definition" {
		20 |   family                   = "chapsFamily"
		21 |   requires_compatibilities = ["FARGATE"]
		22 |   network_mode             = "awsvpc"
		23 |   execution_role_arn       = aws_iam_role.app_execution.arn
		24 |   task_role_arn            = aws_iam_role.app_task.arn
		25 |   cpu                      = 1024
		26 |   memory                   = 2048
		27 |   container_definitions = jsonencode([
		28 |     {
		29 |       name      = local.application_name
		30 |       image     = "${local.ecr_url}:${local.application_data.accounts[local.environment].docker_image_tag}"
		31 |       cpu       = 1024
		32 |       memory    = 2048
		33 |       essential = true
		34 |       portMappings = [
		35 |         {
		36 |           containerPort = 80
		37 |           protocol      = "tcp"
		38 |           hostPort      = 80
		39 |         }
		40 |       ]
		41 |       environment = [
		42 |       ]
		43 |     }
		44 |   ])
		45 |   runtime_platform {
		46 |     operating_system_family = "WINDOWS_SERVER_2019_CORE"
		47 |     cpu_architecture        = "X86_64"
		48 |   }
		49 | }

Check: CKV_AWS_333: "Ensure ECS services do not have public IP addresses assigned to them automatically"
	FAILED for resource: aws_ecs_service.ecs_service
	File: /ecs.tf:51-79

		51 | resource "aws_ecs_service" "ecs_service" {
		52 |   depends_on = [
		53 |     aws_lb_listener.listener
		54 |   ]
		55 | 
		56 |   name                              = var.networking[0].application
		57 |   cluster                           = aws_ecs_cluster.ecs_cluster.id
		58 |   task_definition                   = aws_ecs_task_definition.chaps_task_definition.arn
		59 |   launch_type                       = "FARGATE"
		60 |   enable_execute_command            = true
		61 |   desired_count                     = 2
		62 |   health_check_grace_period_seconds = 180
		63 | 
		64 |   network_configuration {
		65 |     subnets          = data.aws_subnets.shared-public.ids
		66 |     security_groups  = [aws_security_group.ecs_service.id]
		67 |     assign_public_ip = true
		68 |   }
		69 | 
		70 |   load_balancer {
		71 |     target_group_arn = aws_lb_target_group.chaps_target_group.arn
		72 |     container_name   = local.application_name
		73 |     container_port   = 80
		74 |   }
		75 | 
		76 |   deployment_controller {
		77 |     type = "ECS"
		78 |   }
		79 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:108-131

		108 | resource "aws_iam_role_policy" "app_execution" {
		109 |   name = "execution-${var.networking[0].application}"
		110 |   role = aws_iam_role.app_execution.id
		111 | 
		112 |   policy = <<-EOF
		113 |   {
		114 |     "Version": "2012-10-17",
		115 |     "Statement": [
		116 |       {
		117 |            "Action": [
		118 |               "ecr:*",
		119 |               "logs:CreateLogGroup",
		120 |               "logs:CreateLogStream",
		121 |               "logs:PutLogEvents",
		122 |               "logs:DescribeLogStreams",
		123 |               "secretsmanager:GetSecretValue"
		124 |            ],
		125 |            "Resource": "*",
		126 |            "Effect": "Allow"
		127 |       }
		128 |     ]
		129 |   }
		130 |   EOF
		131 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:108-131

		108 | resource "aws_iam_role_policy" "app_execution" {
		109 |   name = "execution-${var.networking[0].application}"
		110 |   role = aws_iam_role.app_execution.id
		111 | 
		112 |   policy = <<-EOF
		113 |   {
		114 |     "Version": "2012-10-17",
		115 |     "Statement": [
		116 |       {
		117 |            "Action": [
		118 |               "ecr:*",
		119 |               "logs:CreateLogGroup",
		120 |               "logs:CreateLogStream",
		121 |               "logs:PutLogEvents",
		122 |               "logs:DescribeLogStreams",
		123 |               "secretsmanager:GetSecretValue"
		124 |            ],
		125 |            "Resource": "*",
		126 |            "Effect": "Allow"
		127 |       }
		128 |     ]
		129 |   }
		130 |   EOF
		131 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:108-131

		108 | resource "aws_iam_role_policy" "app_execution" {
		109 |   name = "execution-${var.networking[0].application}"
		110 |   role = aws_iam_role.app_execution.id
		111 | 
		112 |   policy = <<-EOF
		113 |   {
		114 |     "Version": "2012-10-17",
		115 |     "Statement": [
		116 |       {
		117 |            "Action": [
		118 |               "ecr:*",
		119 |               "logs:CreateLogGroup",
		120 |               "logs:CreateLogStream",
		121 |               "logs:PutLogEvents",
		122 |               "logs:DescribeLogStreams",
		123 |               "secretsmanager:GetSecretValue"
		124 |            ],
		125 |            "Resource": "*",
		126 |            "Effect": "Allow"
		127 |       }
		128 |     ]
		129 |   }
		130 |   EOF
		131 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:108-131

		108 | resource "aws_iam_role_policy" "app_execution" {
		109 |   name = "execution-${var.networking[0].application}"
		110 |   role = aws_iam_role.app_execution.id
		111 | 
		112 |   policy = <<-EOF
		113 |   {
		114 |     "Version": "2012-10-17",
		115 |     "Statement": [
		116 |       {
		117 |            "Action": [
		118 |               "ecr:*",
		119 |               "logs:CreateLogGroup",
		120 |               "logs:CreateLogStream",
		121 |               "logs:PutLogEvents",
		122 |               "logs:DescribeLogStreams",
		123 |               "secretsmanager:GetSecretValue"
		124 |            ],
		125 |            "Resource": "*",
		126 |            "Effect": "Allow"
		127 |       }
		128 |     ]
		129 |   }
		130 |   EOF
		131 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:160-182

		160 | resource "aws_iam_role_policy" "app_task" {
		161 |   name = "task-${var.networking[0].application}"
		162 |   role = aws_iam_role.app_task.id
		163 | 
		164 |   policy = <<-EOF
		165 |   {
		166 |    "Version": "2012-10-17",
		167 |    "Statement": [
		168 |      {
		169 |        "Effect": "Allow",
		170 |         "Action": [
		171 |           "logs:CreateLogStream",
		172 |           "logs:PutLogEvents",
		173 |           "ecr:*",
		174 |           "iam:*",
		175 |           "ec2:*"
		176 |         ],
		177 |        "Resource": "*"
		178 |      }
		179 |    ]
		180 |   }
		181 |   EOF
		182 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:160-182

		160 | resource "aws_iam_role_policy" "app_task" {
		161 |   name = "task-${var.networking[0].application}"
		162 |   role = aws_iam_role.app_task.id
		163 | 
		164 |   policy = <<-EOF
		165 |   {
		166 |    "Version": "2012-10-17",
		167 |    "Statement": [
		168 |      {
		169 |        "Effect": "Allow",
		170 |         "Action": [
		171 |           "logs:CreateLogStream",
		172 |           "logs:PutLogEvents",
		173 |           "ecr:*",
		174 |           "iam:*",
		175 |           "ec2:*"
		176 |         ],
		177 |        "Resource": "*"
		178 |      }
		179 |    ]
		180 |   }
		181 |   EOF
		182 | }

Check: CKV_AWS_286: "Ensure IAM policies does not allow privilege escalation"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:160-182

		160 | resource "aws_iam_role_policy" "app_task" {
		161 |   name = "task-${var.networking[0].application}"
		162 |   role = aws_iam_role.app_task.id
		163 | 
		164 |   policy = <<-EOF
		165 |   {
		166 |    "Version": "2012-10-17",
		167 |    "Statement": [
		168 |      {
		169 |        "Effect": "Allow",
		170 |         "Action": [
		171 |           "logs:CreateLogStream",
		172 |           "logs:PutLogEvents",
		173 |           "ecr:*",
		174 |           "iam:*",
		175 |           "ec2:*"
		176 |         ],
		177 |        "Resource": "*"
		178 |      }
		179 |    ]
		180 |   }
		181 |   EOF
		182 | }

Check: CKV_AWS_287: "Ensure IAM policies does not allow credentials exposure"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:160-182

		160 | resource "aws_iam_role_policy" "app_task" {
		161 |   name = "task-${var.networking[0].application}"
		162 |   role = aws_iam_role.app_task.id
		163 | 
		164 |   policy = <<-EOF
		165 |   {
		166 |    "Version": "2012-10-17",
		167 |    "Statement": [
		168 |      {
		169 |        "Effect": "Allow",
		170 |         "Action": [
		171 |           "logs:CreateLogStream",
		172 |           "logs:PutLogEvents",
		173 |           "ecr:*",
		174 |           "iam:*",
		175 |           "ec2:*"
		176 |         ],
		177 |        "Resource": "*"
		178 |      }
		179 |    ]
		180 |   }
		181 |   EOF
		182 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:160-182

		160 | resource "aws_iam_role_policy" "app_task" {
		161 |   name = "task-${var.networking[0].application}"
		162 |   role = aws_iam_role.app_task.id
		163 | 
		164 |   policy = <<-EOF
		165 |   {
		166 |    "Version": "2012-10-17",
		167 |    "Statement": [
		168 |      {
		169 |        "Effect": "Allow",
		170 |         "Action": [
		171 |           "logs:CreateLogStream",
		172 |           "logs:PutLogEvents",
		173 |           "ecr:*",
		174 |           "iam:*",
		175 |           "ec2:*"
		176 |         ],
		177 |        "Resource": "*"
		178 |      }
		179 |    ]
		180 |   }
		181 |   EOF
		182 | }

Check: CKV_AWS_23: "Ensure every security groups rule has a description"
	FAILED for resource: aws_security_group.ecs_service
	File: /ecs.tf:184-202
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		184 | resource "aws_security_group" "ecs_service" {
		185 |   name_prefix = "ecs-service-sg-"
		186 |   vpc_id      = data.aws_vpc.shared.id
		187 | 
		188 |   ingress {
		189 |     from_port       = 80
		190 |     to_port         = 80
		191 |     protocol        = "tcp"
		192 |     description     = "Allow traffic on port 80 from load balancer"
		193 |     security_groups = [aws_security_group.chaps_lb_sc.id]
		194 |   }
		195 | 
		196 |   egress {
		197 |     from_port   = 0
		198 |     to_port     = 0
		199 |     protocol    = "-1"
		200 |     cidr_blocks = ["0.0.0.0/0"]
		201 |   }
		202 | }

Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
	FAILED for resource: aws_security_group.chaps_lb_sc
	File: /loadbalancer.tf:1-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80

		1  | resource "aws_security_group" "chaps_lb_sc" {
		2  |   name        = "load balancer security group"
		3  |   description = "control access to the load balancer"
		4  |   vpc_id      = data.aws_vpc.shared.id
		5  | 
		6  |   ingress {
		7  |     description = "allow access on HTTP"
		8  |     from_port   = 80
		9  |     to_port     = 80
		10 |     protocol    = "tcp"
		11 |     cidr_blocks = ["0.0.0.0/0"]
		12 |   }
		13 | 
		14 |   ingress {
		15 |     description = "allow access on HTTPS"
		16 |     from_port   = 443
		17 |     to_port     = 443
		18 |     protocol    = "tcp"
		19 |     cidr_blocks = ["0.0.0.0/0"]
		20 |   }
		21 | 
		22 |   egress {
		23 |     description = "allow all outbound traffic for port 80"
		24 |     from_port   = 80
		25 |     to_port     = 80
		26 |     protocol    = "tcp"
		27 |     cidr_blocks = ["0.0.0.0/0"]
		28 |   }
		29 | 
		30 |   egress {
		31 |     description = "allow all outbound traffic for port 443"
		32 |     from_port   = 443
		33 |     to_port     = 443
		34 |     protocol    = "tcp"
		35 |     cidr_blocks = ["0.0.0.0/0"]
		36 |   }
		37 | }

Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
	FAILED for resource: aws_lb.chaps_lb
	File: /loadbalancer.tf:39-47
	Guide: https://docs.bridgecrew.io/docs/bc_aws_networking_62

		39 | resource "aws_lb" "chaps_lb" {
		40 |   name                       = "chaps-load-balancer"
		41 |   load_balancer_type         = "application"
		42 |   security_groups            = [aws_security_group.chaps_lb_sc.id]
		43 |   subnets                    = data.aws_subnets.shared-public.ids
		44 |   enable_deletion_protection = false
		45 |   internal                   = false
		46 |   depends_on                 = [aws_security_group.chaps_lb_sc]
		47 | }

Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
	FAILED for resource: aws_lb.chaps_lb
	File: /loadbalancer.tf:39-47
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22

		39 | resource "aws_lb" "chaps_lb" {
		40 |   name                       = "chaps-load-balancer"
		41 |   load_balancer_type         = "application"
		42 |   security_groups            = [aws_security_group.chaps_lb_sc.id]
		43 |   subnets                    = data.aws_subnets.shared-public.ids
		44 |   enable_deletion_protection = false
		45 |   internal                   = false
		46 |   depends_on                 = [aws_security_group.chaps_lb_sc]
		47 | }

Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
	FAILED for resource: aws_lb.chaps_lb
	File: /loadbalancer.tf:39-47
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers

		39 | resource "aws_lb" "chaps_lb" {
		40 |   name                       = "chaps-load-balancer"
		41 |   load_balancer_type         = "application"
		42 |   security_groups            = [aws_security_group.chaps_lb_sc.id]
		43 |   subnets                    = data.aws_subnets.shared-public.ids
		44 |   enable_deletion_protection = false
		45 |   internal                   = false
		46 |   depends_on                 = [aws_security_group.chaps_lb_sc]
		47 | }

Check: CKV_AWS_261: "Ensure HTTP HTTPS Target group defines Healthcheck"
	FAILED for resource: aws_lb_target_group.chaps_target_group
	File: /loadbalancer.tf:49-71
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-kendra-index-server-side-encryption-uses-customer-managed-keys-cmks

		49 | resource "aws_lb_target_group" "chaps_target_group" {
		50 |   name                 = "chaps-target-group"
		51 |   port                 = 80
		52 |   protocol             = "HTTP"
		53 |   vpc_id               = data.aws_vpc.shared.id
		54 |   target_type          = "ip"
		55 |   deregistration_delay = 30
		56 | 
		57 |   stickiness {
		58 |     type = "lb_cookie"
		59 |   }
		60 | 
		61 |   health_check {
		62 |     healthy_threshold   = "3"
		63 |     interval            = "30"
		64 |     protocol            = "HTTP"
		65 |     port                = "80"
		66 |     unhealthy_threshold = "5"
		67 |     matcher             = "200-302"
		68 |     timeout             = "10"
		69 |   }
		70 | 
		71 | }

Check: CKV_AWS_2: "Ensure ALB protocol is HTTPS"
	FAILED for resource: aws_lb_listener.listener
	File: /loadbalancer.tf:73-82
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-29

		73 | resource "aws_lb_listener" "listener" {
		74 |   load_balancer_arn = aws_lb.chaps_lb.arn
		75 |   port              = 80
		76 |   protocol          = "HTTP"
		77 | 
		78 |   default_action {
		79 |     target_group_arn = aws_lb_target_group.chaps_target_group.id
		80 |     type             = "forward"
		81 |   }
		82 | }

Check: CKV_AWS_103: "Ensure that load balancer is using at least TLS 1.2"
	FAILED for resource: aws_lb_listener.listener
	File: /loadbalancer.tf:73-82
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-43

		73 | resource "aws_lb_listener" "listener" {
		74 |   load_balancer_arn = aws_lb.chaps_lb.arn
		75 |   port              = 80
		76 |   protocol          = "HTTP"
		77 | 
		78 |   default_action {
		79 |     target_group_arn = aws_lb_target_group.chaps_target_group.id
		80 |     type             = "forward"
		81 |   }
		82 | }

Check: CKV2_AWS_28: "Ensure public facing ALB are protected by WAF"
	FAILED for resource: aws_lb.chaps_lb
	File: /loadbalancer.tf:39-47
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-public-facing-alb-are-protected-by-waf

		39 | resource "aws_lb" "chaps_lb" {
		40 |   name                       = "chaps-load-balancer"
		41 |   load_balancer_type         = "application"
		42 |   security_groups            = [aws_security_group.chaps_lb_sc.id]
		43 |   subnets                    = data.aws_subnets.shared-public.ids
		44 |   enable_deletion_protection = false
		45 |   internal                   = false
		46 |   depends_on                 = [aws_security_group.chaps_lb_sc]
		47 | }

Check: CKV2_AWS_20: "Ensure that ALB redirects HTTP requests into HTTPS ones"
	FAILED for resource: aws_lb.chaps_lb
	File: /loadbalancer.tf:39-47
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-redirects-http-requests-into-https-ones

		39 | resource "aws_lb" "chaps_lb" {
		40 |   name                       = "chaps-load-balancer"
		41 |   load_balancer_type         = "application"
		42 |   security_groups            = [aws_security_group.chaps_lb_sc.id]
		43 |   subnets                    = data.aws_subnets.shared-public.ids
		44 |   enable_deletion_protection = false
		45 |   internal                   = false
		46 |   depends_on                 = [aws_security_group.chaps_lb_sc]
		47 | }

Check: CKV2_AWS_40: "Ensure AWS IAM policy does not allow full IAM privileges"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:160-182

		160 | resource "aws_iam_role_policy" "app_task" {
		161 |   name = "task-${var.networking[0].application}"
		162 |   role = aws_iam_role.app_task.id
		163 | 
		164 |   policy = <<-EOF
		165 |   {
		166 |    "Version": "2012-10-17",
		167 |    "Statement": [
		168 |      {
		169 |        "Effect": "Allow",
		170 |         "Action": [
		171 |           "logs:CreateLogStream",
		172 |           "logs:PutLogEvents",
		173 |           "ecr:*",
		174 |           "iam:*",
		175 |           "ec2:*"
		176 |         ],
		177 |        "Resource": "*"
		178 |      }
		179 |    ]
		180 |   }
		181 |   EOF
		182 | }


checkov_exitcode=1

TFLint Scan Success

*****************************

Setting default tflint config...
Running tflint --init...
Installing `terraform` plugin...
Installed `terraform` (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.2.1)
tflint will check the following folders:
terraform/environments/cdpt-chaps

*****************************

Running tflint in terraform/environments/cdpt-chaps
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

@mmgovuk mmgovuk marked this pull request as ready for review December 7, 2023 11:23
@mmgovuk mmgovuk requested review from a team as code owners December 7, 2023 11:23
@mmgovuk mmgovuk merged commit af70cb6 into main Dec 7, 2023
9 of 10 checks passed
@mmgovuk mmgovuk deleted the CC-2254/EBS-DB-swap branch December 7, 2023 11:27