
Add ECS logging #4286

Merged
merged 13 commits into from
Dec 11, 2023

Conversation


@vertism vertism commented Dec 11, 2023

Also extends acceptable status codes for healthcheck

@github-actions github-actions bot added the environments-repository Used to exclude PRs from this repo in our Slack PR update label Dec 11, 2023
@vertism vertism had a problem deploying to cdpt-chaps-development December 11, 2023 10:47 — with GitHub Actions Failure

TFSEC Scan Success

*****************************

TFSEC will check the following folders:

Checkov Scan Success

*****************************

Checkov will check the following folders:

CTFLint Scan Success

*****************************

Setting default tflint config...
Running tflint --init...
Installing `terraform` plugin...
Installed `terraform` (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.2.1)
tflint will check the following folders:

@vertism vertism had a problem deploying to cdpt-chaps-development December 11, 2023 10:48 — with GitHub Actions Failure

TFSEC Scan Failed

*****************************

TFSEC will check the following folders:
terraform/environments/cdpt-chaps

*****************************

Running TFSEC in terraform/environments/cdpt-chaps
Excluding the following checks: AWS095

======================================================
tfsec is joining the Trivy family

tfsec will continue to remain available 
for the time being, although our engineering 
attention will be directed at Trivy going forward.

You can read more here: 
https://github.com/aquasecurity/tfsec/discussions/1994
======================================================

Result #1 CRITICAL Security group rule allows egress to multiple public internet addresses. 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:208
────────────────────────────────────────────────────────────────────────────────
  192    resource "aws_security_group" "ecs_service" {
  ...  
  208  [     cidr_blocks = ["0.0.0.0/0"]
  ...  
  210    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-no-public-egress-sgr
      Impact Your port is egressing data to the internet
  Resolution Set a more restrictive cidr range

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/no-public-egress-sgr/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
────────────────────────────────────────────────────────────────────────────────


Result #2 CRITICAL Security group rule allows ingress from public internet. 
────────────────────────────────────────────────────────────────────────────────
  loadbalancer.tf:11
────────────────────────────────────────────────────────────────────────────────
    1    resource "aws_security_group" "chaps_lb_sc" {
    .  
   11  [     cidr_blocks = ["0.0.0.0/0"]
   ..  
   37    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-no-public-ingress-sgr
      Impact Your port exposed to the internet
  Resolution Set a more restrictive cidr range

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/no-public-ingress-sgr/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule#cidr_blocks
────────────────────────────────────────────────────────────────────────────────


Result #3 CRITICAL Security group rule allows ingress from public internet. 
────────────────────────────────────────────────────────────────────────────────
  loadbalancer.tf:19
────────────────────────────────────────────────────────────────────────────────
    1    resource "aws_security_group" "chaps_lb_sc" {
    .  
   19  [     cidr_blocks = ["0.0.0.0/0"]
   ..  
   37    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-no-public-ingress-sgr
      Impact Your port exposed to the internet
  Resolution Set a more restrictive cidr range

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/no-public-ingress-sgr/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule#cidr_blocks
────────────────────────────────────────────────────────────────────────────────


Result #4 CRITICAL Security group rule allows egress to multiple public internet addresses. 
────────────────────────────────────────────────────────────────────────────────
  loadbalancer.tf:27
────────────────────────────────────────────────────────────────────────────────
    1    resource "aws_security_group" "chaps_lb_sc" {
    .  
   27  [     cidr_blocks = ["0.0.0.0/0"]
   ..  
   37    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-no-public-egress-sgr
      Impact Your port is egressing data to the internet
  Resolution Set a more restrictive cidr range

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/no-public-egress-sgr/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
────────────────────────────────────────────────────────────────────────────────


Result #5 CRITICAL Security group rule allows egress to multiple public internet addresses. 
────────────────────────────────────────────────────────────────────────────────
  loadbalancer.tf:35
────────────────────────────────────────────────────────────────────────────────
    1    resource "aws_security_group" "chaps_lb_sc" {
    .  
   35  [     cidr_blocks = ["0.0.0.0/0"]
   ..  
   37    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-no-public-egress-sgr
      Impact Your port is egressing data to the internet
  Resolution Set a more restrictive cidr range

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/no-public-egress-sgr/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
────────────────────────────────────────────────────────────────────────────────


Result #6 CRITICAL Listener for application load balancer does not use HTTPS. 
────────────────────────────────────────────────────────────────────────────────
  loadbalancer.tf:76
────────────────────────────────────────────────────────────────────────────────
   73    resource "aws_lb_listener" "listener" {
   74      load_balancer_arn = aws_lb.chaps_lb.arn
   75      port              = 80
   76  [   protocol          = "HTTP" ("HTTP")
   77    
   78      default_action {
   79        target_group_arn = aws_lb_target_group.chaps_target_group.id
   80        type             = "forward"
   81      }
   82    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-elb-http-not-used
      Impact Your traffic is not protected
  Resolution Switch to HTTPS to benefit from TLS security features

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/elb/http-not-used/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_listener
────────────────────────────────────────────────────────────────────────────────


Result #7 HIGH IAM policy document uses wildcarded action 'ecr:*' 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:125-132
────────────────────────────────────────────────────────────────────────────────
  116    resource "aws_iam_role_policy" "app_execution" {
  ...  
  125  ┌            "Action": [
  126  │               "ecr:*",
  127  │               "logs:CreateLogGroup",
  128  │               "logs:CreateLogStream",
  129  │               "logs:PutLogEvents",
  130  │               "logs:DescribeLogStreams",
  131  │               "secretsmanager:GetSecretValue"
  ...  
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #8 HIGH IAM policy document uses sensitive action 'ecr:*' on wildcarded resource '*' 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:133
────────────────────────────────────────────────────────────────────────────────
  116    resource "aws_iam_role_policy" "app_execution" {
  ...  
  133  [            "Resource": "*",
  ...  
  139    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Results #9-11 HIGH IAM policy document uses wildcarded action 'logs:CreateLogStream' (3 similar results)
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:178-184
────────────────────────────────────────────────────────────────────────────────
  168    resource "aws_iam_role_policy" "app_task" {
  ...  
  178  ┌         "Action": [
  179  │           "logs:CreateLogStream",
  180  │           "logs:PutLogEvents",
  181  │           "ecr:*",
  182  │           "iam:*",
  183  │           "ec2:*"
  184  └         ],
  ...  
────────────────────────────────────────────────────────────────────────────────
  Individual Causes
  - ecs.tf:168-190 (aws_iam_role_policy.app_task) 3 instances
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #12 HIGH IAM policy document uses sensitive action 'logs:CreateLogStream' on wildcarded resource '*' 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:185
────────────────────────────────────────────────────────────────────────────────
  168    resource "aws_iam_role_policy" "app_task" {
  ...  
  185  [        "Resource": "*"
  ...  
  190    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #13 HIGH Application load balancer is not set to drop invalid headers. 
────────────────────────────────────────────────────────────────────────────────
  loadbalancer.tf:39-47
────────────────────────────────────────────────────────────────────────────────
   39    resource "aws_lb" "chaps_lb" {
   40      name                       = "chaps-load-balancer"
   41      load_balancer_type         = "application"
   42      security_groups            = [aws_security_group.chaps_lb_sc.id]
   43      subnets                    = data.aws_subnets.shared-public.ids
   44      enable_deletion_protection = false
   45      internal                   = false
   46      depends_on                 = [aws_security_group.chaps_lb_sc]
   47    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-elb-drop-invalid-headers
      Impact Invalid headers being passed through to the target of the load balance may exploit vulnerabilities
  Resolution Set drop_invalid_header_fields to true

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/elb/drop-invalid-headers/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb#drop_invalid_header_fields
────────────────────────────────────────────────────────────────────────────────


Result #14 HIGH Load balancer is exposed publicly. 
────────────────────────────────────────────────────────────────────────────────
  loadbalancer.tf:45
────────────────────────────────────────────────────────────────────────────────
   39    resource "aws_lb" "chaps_lb" {
   40      name                       = "chaps-load-balancer"
   41      load_balancer_type         = "application"
   42      security_groups            = [aws_security_group.chaps_lb_sc.id]
   43      subnets                    = data.aws_subnets.shared-public.ids
   44      enable_deletion_protection = false
   45  [   internal                   = false (false)
   46      depends_on                 = [aws_security_group.chaps_lb_sc]
   47    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-elb-alb-not-public
      Impact The load balancer is exposed on the internet
  Resolution Switch to an internal load balancer or add a tfsec ignore

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/elb/alb-not-public/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb
────────────────────────────────────────────────────────────────────────────────


Result #15 LOW Log group is not encrypted. 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:14-17
────────────────────────────────────────────────────────────────────────────────
   14    resource "aws_cloudwatch_log_group" "deployment_logs" {
   15      name              = "/aws/events/deploymentLogs"
   16      retention_in_days = "7"
   17    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-cloudwatch-log-group-customer-key
      Impact Log data may be leaked if the logs are compromised. No auditing of who have viewed the logs.
  Resolution Enable CMK encryption of CloudWatch Log Groups

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/cloudwatch/log-group-customer-key/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group#kms_key_id
────────────────────────────────────────────────────────────────────────────────


Result #16 LOW Security group explicitly uses the default description. 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:192-210
────────────────────────────────────────────────────────────────────────────────
  192  ┌ resource "aws_security_group" "ecs_service" {
  193  │   name_prefix = "ecs-service-sg-"
  194  │   vpc_id      = data.aws_vpc.shared.id
  195  │ 
  196  │   ingress {
  197  │     from_port       = 80
  198  │     to_port         = 80
  199  │     protocol        = "tcp"
  200  └     description     = "Allow traffic on port 80 from load balancer"
  ...  
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-add-description-to-security-group
      Impact Descriptions provide context for the firewall rule reasons
  Resolution Add descriptions for all security groups

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/add-description-to-security-group/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule
────────────────────────────────────────────────────────────────────────────────


Result #17 LOW Security group rule does not have a description. 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:204-209
────────────────────────────────────────────────────────────────────────────────
  192    resource "aws_security_group" "ecs_service" {
  ...  
  204  ┌   egress {
  205  │     from_port   = 0
  206  │     to_port     = 0
  207  │     protocol    = "-1"
  208  │     cidr_blocks = ["0.0.0.0/0"]
  209  └   }
  210    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-add-description-to-security-group-rule
      Impact Descriptions provide context for the firewall rule reasons
  Resolution Add descriptions for all security groups rules

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/add-description-to-security-group-rule/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule
────────────────────────────────────────────────────────────────────────────────


  timings
  ──────────────────────────────────────────
  disk i/o             455.501µs
  parsing              1.465539032s
  adaptation           1.067922ms
  checks               4.078385ms
  total                1.47114084s

  counts
  ──────────────────────────────────────────
  modules downloaded   2
  modules processed    3
  blocks processed     161
  files read           23

  results
  ──────────────────────────────────────────
  passed               35
  ignored              28
  critical             6
  high                 8
  medium               0
  low                  3

  35 passed, 28 ignored, 17 potential problem(s) detected.

tfsec_exitcode=1

Checkov Scan Failed

*****************************

Checkov will check the following folders:
terraform/environments/cdpt-chaps

*****************************

Running Checkov in terraform/environments/cdpt-chaps
2023-12-11 10:49:26,965 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.0.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 42, Failed checks: 23, Skipped checks: 0

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: bastion_linux
	File: /bastion_linux.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		5  | module "bastion_linux" {
		6  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.0.0"
		7  | 
		8  |   providers = {
		9  |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		10 |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		11 |   }
		12 | 
		13 |   # s3 - used for logs and user ssh public keys
		14 |   bucket_name          = "bastion"
		15 |   bucket_versioning    = true
		16 |   bucket_force_destroy = true
		17 |   # public keys
		18 |   public_key_data = local.public_key_data.keys[local.environment]
		19 |   # logs
		20 |   log_auto_clean       = "Enabled"
		21 |   log_standard_ia_days = 30  # days before moving to IA storage
		22 |   log_glacier_days     = 60  # days before moving to Glacier
		23 |   log_expiry_days      = 180 # days before log expiration
		24 |   # bastion
		25 |   allow_ssh_commands = false
		26 | 
		27 |   app_name      = var.networking[0].application
		28 |   business_unit = local.vpc_name
		29 |   subnet_set    = local.subnet_set
		30 |   environment   = local.environment
		31 |   region        = "eu-west-2"
		32 | 
		33 |   extra_user_data_content = "yum install -y openldap-clients"
		34 | 
		35 |   # Tags
		36 |   tags_common = local.tags
		37 |   tags_prefix = terraform.workspace
		38 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.deployment_logs
	File: /ecs.tf:14-17
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		14 | resource "aws_cloudwatch_log_group" "deployment_logs" {
		15 |   name              = "/aws/events/deploymentLogs"
		16 |   retention_in_days = "7"
		17 | }

Check: CKV_AWS_333: "Ensure ECS services do not have public IP addresses assigned to them automatically"
	FAILED for resource: aws_ecs_service.ecs_service
	File: /ecs.tf:59-87

		59 | resource "aws_ecs_service" "ecs_service" {
		60 |   depends_on = [
		61 |     aws_lb_listener.listener
		62 |   ]
		63 | 
		64 |   name                              = var.networking[0].application
		65 |   cluster                           = aws_ecs_cluster.ecs_cluster.id
		66 |   task_definition                   = aws_ecs_task_definition.chaps_task_definition.arn
		67 |   launch_type                       = "FARGATE"
		68 |   enable_execute_command            = true
		69 |   desired_count                     = 2
		70 |   health_check_grace_period_seconds = 180
		71 | 
		72 |   network_configuration {
		73 |     subnets          = data.aws_subnets.shared-public.ids
		74 |     security_groups  = [aws_security_group.ecs_service.id]
		75 |     assign_public_ip = true
		76 |   }
		77 | 
		78 |   load_balancer {
		79 |     target_group_arn = aws_lb_target_group.chaps_target_group.arn
		80 |     container_name   = local.application_name
		81 |     container_port   = 80
		82 |   }
		83 | 
		84 |   deployment_controller {
		85 |     type = "ECS"
		86 |   }
		87 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:116-139

		116 | resource "aws_iam_role_policy" "app_execution" {
		117 |   name = "execution-${var.networking[0].application}"
		118 |   role = aws_iam_role.app_execution.id
		119 | 
		120 |   policy = <<-EOF
		121 |   {
		122 |     "Version": "2012-10-17",
		123 |     "Statement": [
		124 |       {
		125 |            "Action": [
		126 |               "ecr:*",
		127 |               "logs:CreateLogGroup",
		128 |               "logs:CreateLogStream",
		129 |               "logs:PutLogEvents",
		130 |               "logs:DescribeLogStreams",
		131 |               "secretsmanager:GetSecretValue"
		132 |            ],
		133 |            "Resource": "*",
		134 |            "Effect": "Allow"
		135 |       }
		136 |     ]
		137 |   }
		138 |   EOF
		139 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:116-139

		116 | resource "aws_iam_role_policy" "app_execution" {
		117 |   name = "execution-${var.networking[0].application}"
		118 |   role = aws_iam_role.app_execution.id
		119 | 
		120 |   policy = <<-EOF
		121 |   {
		122 |     "Version": "2012-10-17",
		123 |     "Statement": [
		124 |       {
		125 |            "Action": [
		126 |               "ecr:*",
		127 |               "logs:CreateLogGroup",
		128 |               "logs:CreateLogStream",
		129 |               "logs:PutLogEvents",
		130 |               "logs:DescribeLogStreams",
		131 |               "secretsmanager:GetSecretValue"
		132 |            ],
		133 |            "Resource": "*",
		134 |            "Effect": "Allow"
		135 |       }
		136 |     ]
		137 |   }
		138 |   EOF
		139 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:116-139

		116 | resource "aws_iam_role_policy" "app_execution" {
		117 |   name = "execution-${var.networking[0].application}"
		118 |   role = aws_iam_role.app_execution.id
		119 | 
		120 |   policy = <<-EOF
		121 |   {
		122 |     "Version": "2012-10-17",
		123 |     "Statement": [
		124 |       {
		125 |            "Action": [
		126 |               "ecr:*",
		127 |               "logs:CreateLogGroup",
		128 |               "logs:CreateLogStream",
		129 |               "logs:PutLogEvents",
		130 |               "logs:DescribeLogStreams",
		131 |               "secretsmanager:GetSecretValue"
		132 |            ],
		133 |            "Resource": "*",
		134 |            "Effect": "Allow"
		135 |       }
		136 |     ]
		137 |   }
		138 |   EOF
		139 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:116-139

		116 | resource "aws_iam_role_policy" "app_execution" {
		117 |   name = "execution-${var.networking[0].application}"
		118 |   role = aws_iam_role.app_execution.id
		119 | 
		120 |   policy = <<-EOF
		121 |   {
		122 |     "Version": "2012-10-17",
		123 |     "Statement": [
		124 |       {
		125 |            "Action": [
		126 |               "ecr:*",
		127 |               "logs:CreateLogGroup",
		128 |               "logs:CreateLogStream",
		129 |               "logs:PutLogEvents",
		130 |               "logs:DescribeLogStreams",
		131 |               "secretsmanager:GetSecretValue"
		132 |            ],
		133 |            "Resource": "*",
		134 |            "Effect": "Allow"
		135 |       }
		136 |     ]
		137 |   }
		138 |   EOF
		139 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:168-190

		168 | resource "aws_iam_role_policy" "app_task" {
		169 |   name = "task-${var.networking[0].application}"
		170 |   role = aws_iam_role.app_task.id
		171 | 
		172 |   policy = <<-EOF
		173 |   {
		174 |    "Version": "2012-10-17",
		175 |    "Statement": [
		176 |      {
		177 |        "Effect": "Allow",
		178 |         "Action": [
		179 |           "logs:CreateLogStream",
		180 |           "logs:PutLogEvents",
		181 |           "ecr:*",
		182 |           "iam:*",
		183 |           "ec2:*"
		184 |         ],
		185 |        "Resource": "*"
		186 |      }
		187 |    ]
		188 |   }
		189 |   EOF
		190 | }

Check: CKV_AWS_287: "Ensure IAM policies does not allow credentials exposure"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:168-190

		168 | resource "aws_iam_role_policy" "app_task" {
		169 |   name = "task-${var.networking[0].application}"
		170 |   role = aws_iam_role.app_task.id
		171 | 
		172 |   policy = <<-EOF
		173 |   {
		174 |    "Version": "2012-10-17",
		175 |    "Statement": [
		176 |      {
		177 |        "Effect": "Allow",
		178 |         "Action": [
		179 |           "logs:CreateLogStream",
		180 |           "logs:PutLogEvents",
		181 |           "ecr:*",
		182 |           "iam:*",
		183 |           "ec2:*"
		184 |         ],
		185 |        "Resource": "*"
		186 |      }
		187 |    ]
		188 |   }
		189 |   EOF
		190 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:168-190

		168 | resource "aws_iam_role_policy" "app_task" {
		169 |   name = "task-${var.networking[0].application}"
		170 |   role = aws_iam_role.app_task.id
		171 | 
		172 |   policy = <<-EOF
		173 |   {
		174 |    "Version": "2012-10-17",
		175 |    "Statement": [
		176 |      {
		177 |        "Effect": "Allow",
		178 |         "Action": [
		179 |           "logs:CreateLogStream",
		180 |           "logs:PutLogEvents",
		181 |           "ecr:*",
		182 |           "iam:*",
		183 |           "ec2:*"
		184 |         ],
		185 |        "Resource": "*"
		186 |      }
		187 |    ]
		188 |   }
		189 |   EOF
		190 | }

Check: CKV_AWS_286: "Ensure IAM policies does not allow privilege escalation"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:168-190

		168 | resource "aws_iam_role_policy" "app_task" {
		169 |   name = "task-${var.networking[0].application}"
		170 |   role = aws_iam_role.app_task.id
		171 | 
		172 |   policy = <<-EOF
		173 |   {
		174 |    "Version": "2012-10-17",
		175 |    "Statement": [
		176 |      {
		177 |        "Effect": "Allow",
		178 |         "Action": [
		179 |           "logs:CreateLogStream",
		180 |           "logs:PutLogEvents",
		181 |           "ecr:*",
		182 |           "iam:*",
		183 |           "ec2:*"
		184 |         ],
		185 |        "Resource": "*"
		186 |      }
		187 |    ]
		188 |   }
		189 |   EOF
		190 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:168-190

		168 | resource "aws_iam_role_policy" "app_task" {
		169 |   name = "task-${var.networking[0].application}"
		170 |   role = aws_iam_role.app_task.id
		171 | 
		172 |   policy = <<-EOF
		173 |   {
		174 |    "Version": "2012-10-17",
		175 |    "Statement": [
		176 |      {
		177 |        "Effect": "Allow",
		178 |         "Action": [
		179 |           "logs:CreateLogStream",
		180 |           "logs:PutLogEvents",
		181 |           "ecr:*",
		182 |           "iam:*",
		183 |           "ec2:*"
		184 |         ],
		185 |        "Resource": "*"
		186 |      }
		187 |    ]
		188 |   }
		189 |   EOF
		190 | }

Check: CKV_AWS_23: "Ensure every security groups rule has a description"
	FAILED for resource: aws_security_group.ecs_service
	File: /ecs.tf:192-210
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		192 | resource "aws_security_group" "ecs_service" {
		193 |   name_prefix = "ecs-service-sg-"
		194 |   vpc_id      = data.aws_vpc.shared.id
		195 | 
		196 |   ingress {
		197 |     from_port       = 80
		198 |     to_port         = 80
		199 |     protocol        = "tcp"
		200 |     description     = "Allow traffic on port 80 from load balancer"
		201 |     security_groups = [aws_security_group.chaps_lb_sc.id]
		202 |   }
		203 | 
		204 |   egress {
		205 |     from_port   = 0
		206 |     to_port     = 0
		207 |     protocol    = "-1"
		208 |     cidr_blocks = ["0.0.0.0/0"]
		209 |   }
		210 | }

Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
	FAILED for resource: aws_security_group.chaps_lb_sc
	File: /loadbalancer.tf:1-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80

		1  | resource "aws_security_group" "chaps_lb_sc" {
		2  |   name        = "load balancer security group"
		3  |   description = "control access to the load balancer"
		4  |   vpc_id      = data.aws_vpc.shared.id
		5  | 
		6  |   ingress {
		7  |     description = "allow access on HTTP"
		8  |     from_port   = 80
		9  |     to_port     = 80
		10 |     protocol    = "tcp"
		11 |     cidr_blocks = ["0.0.0.0/0"]
		12 |   }
		13 | 
		14 |   ingress {
		15 |     description = "allow access on HTTPS"
		16 |     from_port   = 443
		17 |     to_port     = 443
		18 |     protocol    = "tcp"
		19 |     cidr_blocks = ["0.0.0.0/0"]
		20 |   }
		21 | 
		22 |   egress {
		23 |     description = "allow all outbound traffic for port 80"
		24 |     from_port   = 80
		25 |     to_port     = 80
		26 |     protocol    = "tcp"
		27 |     cidr_blocks = ["0.0.0.0/0"]
		28 |   }
		29 | 
		30 |   egress {
		31 |     description = "allow all outbound traffic for port 443"
		32 |     from_port   = 443
		33 |     to_port     = 443
		34 |     protocol    = "tcp"
		35 |     cidr_blocks = ["0.0.0.0/0"]
		36 |   }
		37 | }

Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
	FAILED for resource: aws_lb.chaps_lb
	File: /loadbalancer.tf:39-47
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers

		39 | resource "aws_lb" "chaps_lb" {
		40 |   name                       = "chaps-load-balancer"
		41 |   load_balancer_type         = "application"
		42 |   security_groups            = [aws_security_group.chaps_lb_sc.id]
		43 |   subnets                    = data.aws_subnets.shared-public.ids
		44 |   enable_deletion_protection = false
		45 |   internal                   = false
		46 |   depends_on                 = [aws_security_group.chaps_lb_sc]
		47 | }

Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
	FAILED for resource: aws_lb.chaps_lb
	File: /loadbalancer.tf:39-47
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22

		39 | resource "aws_lb" "chaps_lb" {
		40 |   name                       = "chaps-load-balancer"
		41 |   load_balancer_type         = "application"
		42 |   security_groups            = [aws_security_group.chaps_lb_sc.id]
		43 |   subnets                    = data.aws_subnets.shared-public.ids
		44 |   enable_deletion_protection = false
		45 |   internal                   = false
		46 |   depends_on                 = [aws_security_group.chaps_lb_sc]
		47 | }

Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
	FAILED for resource: aws_lb.chaps_lb
	File: /loadbalancer.tf:39-47
	Guide: https://docs.bridgecrew.io/docs/bc_aws_networking_62

		39 | resource "aws_lb" "chaps_lb" {
		40 |   name                       = "chaps-load-balancer"
		41 |   load_balancer_type         = "application"
		42 |   security_groups            = [aws_security_group.chaps_lb_sc.id]
		43 |   subnets                    = data.aws_subnets.shared-public.ids
		44 |   enable_deletion_protection = false
		45 |   internal                   = false
		46 |   depends_on                 = [aws_security_group.chaps_lb_sc]
		47 | }

Check: CKV_AWS_261: "Ensure HTTP HTTPS Target group defines Healthcheck"
	FAILED for resource: aws_lb_target_group.chaps_target_group
	File: /loadbalancer.tf:49-71
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-kendra-index-server-side-encryption-uses-customer-managed-keys-cmks

		49 | resource "aws_lb_target_group" "chaps_target_group" {
		50 |   name                 = "chaps-target-group"
		51 |   port                 = 80
		52 |   protocol             = "HTTP"
		53 |   vpc_id               = data.aws_vpc.shared.id
		54 |   target_type          = "ip"
		55 |   deregistration_delay = 30
		56 | 
		57 |   stickiness {
		58 |     type = "lb_cookie"
		59 |   }
		60 | 
		61 |   health_check {
		62 |     healthy_threshold   = "3"
		63 |     interval            = "30"
		64 |     protocol            = "HTTP"
		65 |     port                = "80"
		66 |     unhealthy_threshold = "5"
		67 |     matcher             = "200-302"
		68 |     timeout             = "10"
		69 |   }
		70 | 
		71 | }

Check: CKV_AWS_2: "Ensure ALB protocol is HTTPS"
	FAILED for resource: aws_lb_listener.listener
	File: /loadbalancer.tf:73-82
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-29

		73 | resource "aws_lb_listener" "listener" {
		74 |   load_balancer_arn = aws_lb.chaps_lb.arn
		75 |   port              = 80
		76 |   protocol          = "HTTP"
		77 | 
		78 |   default_action {
		79 |     target_group_arn = aws_lb_target_group.chaps_target_group.id
		80 |     type             = "forward"
		81 |   }
		82 | }

Check: CKV_AWS_103: "Ensure that load balancer is using at least TLS 1.2"
	FAILED for resource: aws_lb_listener.listener
	File: /loadbalancer.tf:73-82
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-43

		73 | resource "aws_lb_listener" "listener" {
		74 |   load_balancer_arn = aws_lb.chaps_lb.arn
		75 |   port              = 80
		76 |   protocol          = "HTTP"
		77 | 
		78 |   default_action {
		79 |     target_group_arn = aws_lb_target_group.chaps_target_group.id
		80 |     type             = "forward"
		81 |   }
		82 | }

Check: CKV2_AWS_20: "Ensure that ALB redirects HTTP requests into HTTPS ones"
	FAILED for resource: aws_lb.chaps_lb
	File: /loadbalancer.tf:39-47
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-redirects-http-requests-into-https-ones

		39 | resource "aws_lb" "chaps_lb" {
		40 |   name                       = "chaps-load-balancer"
		41 |   load_balancer_type         = "application"
		42 |   security_groups            = [aws_security_group.chaps_lb_sc.id]
		43 |   subnets                    = data.aws_subnets.shared-public.ids
		44 |   enable_deletion_protection = false
		45 |   internal                   = false
		46 |   depends_on                 = [aws_security_group.chaps_lb_sc]
		47 | }

Check: CKV2_AWS_28: "Ensure public facing ALB are protected by WAF"
	FAILED for resource: aws_lb.chaps_lb
	File: /loadbalancer.tf:39-47
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-public-facing-alb-are-protected-by-waf

		39 | resource "aws_lb" "chaps_lb" {
		40 |   name                       = "chaps-load-balancer"
		41 |   load_balancer_type         = "application"
		42 |   security_groups            = [aws_security_group.chaps_lb_sc.id]
		43 |   subnets                    = data.aws_subnets.shared-public.ids
		44 |   enable_deletion_protection = false
		45 |   internal                   = false
		46 |   depends_on                 = [aws_security_group.chaps_lb_sc]
		47 | }

Check: CKV2_AWS_40: "Ensure AWS IAM policy does not allow full IAM privileges"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:168-190

		168 | resource "aws_iam_role_policy" "app_task" {
		169 |   name = "task-${var.networking[0].application}"
		170 |   role = aws_iam_role.app_task.id
		171 | 
		172 |   policy = <<-EOF
		173 |   {
		174 |    "Version": "2012-10-17",
		175 |    "Statement": [
		176 |      {
		177 |        "Effect": "Allow",
		178 |         "Action": [
		179 |           "logs:CreateLogStream",
		180 |           "logs:PutLogEvents",
		181 |           "ecr:*",
		182 |           "iam:*",
		183 |           "ec2:*"
		184 |         ],
		185 |        "Resource": "*"
		186 |      }
		187 |    ]
		188 |   }
		189 |   EOF
		190 | }


checkov_exitcode=1

CTFLint Scan Success

*****************************

Setting default tflint config...
Running tflint --init...
Installing `terraform` plugin...
Installed `terraform` (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.2.1)
tflint will check the following folders:
terraform/environments/cdpt-chaps

*****************************

Running tflint in terraform/environments/cdpt-chaps
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0
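
The Checkov failures in the comment above are all fixable in the same Terraform, and the highest-value one is CKV2_AWS_40: a task role holding `iam:*` on `*` lets any code running in the container mint a new user or attach an administrator policy to its own role, so a single compromised service becomes an account compromise. The block below is an added example written for this page, not code from the repository or from this PR. It reuses the resource names that appear in the scan output and assumes three resources that do not appear on this page: a log group `aws_cloudwatch_log_group.app`, an ACM certificate `aws_acm_certificate.chaps`, and an S3 bucket `aws_s3_bucket.lb_logs` that already carries the ELB log-delivery bucket policy.

```hcl
# Added example for this page, not code from the repository or the PR.
# Resource names from the scan output are reused; anything marked
# "(assumed)" does not appear on this page.

# CKV2_AWS_40: drop "iam:*", "ec2:*" and "ecr:*" on "*". The task only needs to
# write its own log group. Image pulls are made by the ECS execution role
# (assumed to be a separate role), so no ECR permissions belong here.
data "aws_iam_policy_document" "app_task" {
  statement {
    sid     = "WriteApplicationLogs"
    effect  = "Allow"
    actions = ["logs:CreateLogStream", "logs:PutLogEvents"]
    # The log group's own ARN plus ":*" for the streams beneath it.
    resources = ["${aws_cloudwatch_log_group.app.arn}:*"] # log group (assumed)
  }
}

resource "aws_iam_role_policy" "app_task" {
  name   = "task-${var.networking[0].application}"
  role   = aws_iam_role.app_task.id
  policy = data.aws_iam_policy_document.app_task.json
}

# CKV_AWS_131 / CKV_AWS_150 / CKV_AWS_91
resource "aws_lb" "chaps_lb" {
  name                       = "chaps-load-balancer"
  load_balancer_type         = "application"
  security_groups            = [aws_security_group.chaps_lb_sc.id]
  subnets                    = data.aws_subnets.shared-public.ids
  internal                   = false
  enable_deletion_protection = true # CKV_AWS_150
  drop_invalid_header_fields = true # CKV_AWS_131: discard headers with invalid names

  access_logs { # CKV_AWS_91
    bucket  = aws_s3_bucket.lb_logs.bucket # bucket with the ELB log-delivery policy (assumed)
    prefix  = "chaps"
    enabled = true
  }
}

# CKV_AWS_2 / CKV_AWS_103: serve the application only over TLS 1.2 or 1.3.
resource "aws_lb_listener" "https" {
  load_balancer_arn = aws_lb.chaps_lb.arn
  port              = 443
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-TLS13-1-2-2021-06"
  certificate_arn   = aws_acm_certificate.chaps.arn # ACM certificate (assumed)

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.chaps_target_group.arn
  }
}

# CKV2_AWS_20: port 80 stays open on the ALB but only answers with a redirect.
resource "aws_lb_listener" "http_redirect" {
  load_balancer_arn = aws_lb.chaps_lb.arn
  port              = 80
  protocol          = "HTTP"

  default_action {
    type = "redirect"
    redirect {
      port        = "443"
      protocol    = "HTTPS"
      status_code = "HTTP_301"
    }
  }
}

# CKV_AWS_261: the check wants an explicit health-check path on HTTP targets.
resource "aws_lb_target_group" "chaps_target_group" {
  name                 = "chaps-target-group"
  port                 = 80
  protocol             = "HTTP"
  vpc_id               = data.aws_vpc.shared.id
  target_type          = "ip"
  deregistration_delay = 30

  stickiness {
    type = "lb_cookie"
  }

  health_check {
    path                = "/"
    protocol            = "HTTP"
    port                = "80"
    interval            = 30
    timeout             = 10
    healthy_threshold   = 3
    unhealthy_threshold = 5
    matcher             = "200-302" # as widened by this PR; a 200-only endpoint would be stricter
  }
}
```

Two findings survive this rewrite on purpose. CKV_AWS_260 still fires for the `0.0.0.0/0` ingress on port 80 in `chaps_lb_sc`, but that port now reaches only a listener whose sole action is a 301 to HTTPS, which is the usual justification for a `checkov:skip` comment rather than a change. CKV2_AWS_28 needs an `aws_wafv2_web_acl_association` against the ALB and is left out here. If `app_task` is in fact also used as the task definition's execution role, the awslogs driver and the image pull run under it too, and the ECR pull actions (`ecr:GetAuthorizationToken` on `*`, the `BatchGetImage`/`GetDownloadUrlForLayer`/`BatchCheckLayerAvailability` trio scoped to the repository ARN) go back in as their own statements; `iam:*` and `ec2:*` have no place in either role.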

@vertism vertism temporarily deployed to cdpt-chaps-development December 11, 2023 11:27 — with GitHub Actions Inactive
@vertism vertism temporarily deployed to cdpt-chaps-development December 11, 2023 11:59 — with GitHub Actions Inactive
@vertism vertism had a problem deploying to cdpt-chaps-development December 11, 2023 13:44 — with GitHub Actions Failure

TFSEC Scan Success

*****************************

TFSEC will check the following folders:
terraform/environments/planetfm

*****************************

Running TFSEC in terraform/environments/planetfm
Excluding the following checks: AWS095

======================================================
tfsec is joining the Trivy family

tfsec will continue to remain available 
for the time being, although our engineering 
attention will be directed at Trivy going forward.

You can read more here: 
https://github.com/aquasecurity/tfsec/discussions/1994
======================================================
  timings
  ──────────────────────────────────────────
  disk i/o             1.404624ms
  parsing              173.236349ms
  adaptation           109.454µs
  checks               3.938847ms
  total                178.689274ms

  counts
  ──────────────────────────────────────────
  modules downloaded   0
  modules processed    5
  blocks processed     271
  files read           71

  results
  ──────────────────────────────────────────
  passed               1
  ignored              0
  critical             0
  high                 0
  medium               0
  low                  0


No problems detected!

tfsec_exitcode=0

Checkov Scan Success

*****************************

Checkov will check the following folders:
terraform/environments/planetfm

*****************************

Running Checkov in terraform/environments/planetfm
terraform scan results:

Passed checks: 94, Failed checks: 0, Skipped checks: 19


checkov_exitcode=0

CTFLint Scan Success

*****************************

Setting default tflint config...
Running tflint --init...
Installing `terraform` plugin...
Installed `terraform` (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.2.1)
tflint will check the following folders:
terraform/environments/planetfm

*****************************

Running tflint in terraform/environments/planetfm
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

@vertism vertism had a problem deploying to cdpt-chaps-development December 11, 2023 13:48 — with GitHub Actions Failure

@vertism vertism had a problem deploying to cdpt-chaps-development December 11, 2023 14:07 — with GitHub Actions Failure

@vertism vertism had a problem deploying to cdpt-chaps-development December 11, 2023 14:17 — with GitHub Actions Failure

@vertism vertism had a problem deploying to cdpt-chaps-development December 11, 2023 14:29 — with GitHub Actions Failure

@vertism vertism had a problem deploying to cdpt-chaps-development December 11, 2023 14:53 — with GitHub Actions Failure
@vertism vertism had a problem deploying to cdpt-chaps-development December 11, 2023 14:54 — with GitHub Actions Failure
@vertism vertism marked this pull request as ready for review December 11, 2023 15:49
@vertism vertism requested review from a team as code owners December 11, 2023 15:49
@vertism vertism had a problem deploying to cdpt-chaps-development December 11, 2023 15:50 — with GitHub Actions Failure
@vertism vertism merged commit 1623f9c into main Dec 11, 2023
20 of 22 checks passed
@vertism vertism deleted the chaps-add-logging branch December 11, 2023 16:32