Chaps certificate #4292

Merged
merged 3 commits into from
Dec 12, 2023
Conversation

@vertism vertism commented Dec 11, 2023

No description provided.

@github-actions github-actions bot added the environments-repository Used to exclude PRs from this repo in our Slack PR update label Dec 11, 2023
@vertism vertism had a problem deploying to cdpt-chaps-development December 11, 2023 17:04 — with GitHub Actions Failure
TFSEC Scan Failed

*****************************

TFSEC will check the following folders:
terraform/environments/cdpt-chaps

*****************************

Running TFSEC in terraform/environments/cdpt-chaps
Excluding the following checks: AWS095

======================================================
tfsec is joining the Trivy family

tfsec will continue to remain available 
for the time being, although our engineering 
attention will be directed at Trivy going forward.

You can read more here: 
https://github.com/aquasecurity/tfsec/discussions/1994
======================================================

Result #1 CRITICAL Security group rule allows egress to multiple public internet addresses. 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:204
────────────────────────────────────────────────────────────────────────────────
  188    resource "aws_security_group" "ecs_service" {
  ...  
  204  [     cidr_blocks = ["0.0.0.0/0"]
  ...  
  206    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-no-public-egress-sgr
      Impact Your port is egressing data to the internet
  Resolution Set a more restrictive cidr range

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/no-public-egress-sgr/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
────────────────────────────────────────────────────────────────────────────────


Result #2 CRITICAL Security group rule allows ingress from public internet. 
────────────────────────────────────────────────────────────────────────────────
  loadbalancer.tf:11
────────────────────────────────────────────────────────────────────────────────
    1    resource "aws_security_group" "chaps_lb_sc" {
    .  
   11  [     cidr_blocks = ["0.0.0.0/0"]
   ..  
   29    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-no-public-ingress-sgr
      Impact Your port exposed to the internet
  Resolution Set a more restrictive cidr range

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/no-public-ingress-sgr/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule#cidr_blocks
────────────────────────────────────────────────────────────────────────────────


Result #3 CRITICAL Security group rule allows ingress from public internet. 
────────────────────────────────────────────────────────────────────────────────
  loadbalancer.tf:19
────────────────────────────────────────────────────────────────────────────────
    1    resource "aws_security_group" "chaps_lb_sc" {
    .  
   19  [     cidr_blocks = ["0.0.0.0/0"]
   ..  
   29    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-no-public-ingress-sgr
      Impact Your port exposed to the internet
  Resolution Set a more restrictive cidr range

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/no-public-ingress-sgr/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule#cidr_blocks
────────────────────────────────────────────────────────────────────────────────


Result #4 CRITICAL Security group rule allows egress to multiple public internet addresses. 
────────────────────────────────────────────────────────────────────────────────
  loadbalancer.tf:27
────────────────────────────────────────────────────────────────────────────────
    1    resource "aws_security_group" "chaps_lb_sc" {
    .  
   27  [     cidr_blocks = ["0.0.0.0/0"]
   ..  
   29    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-no-public-egress-sgr
      Impact Your port is egressing data to the internet
  Resolution Set a more restrictive cidr range

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/no-public-egress-sgr/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
────────────────────────────────────────────────────────────────────────────────


Result #5 CRITICAL Listener for application load balancer does not use HTTPS. 
────────────────────────────────────────────────────────────────────────────────
  loadbalancer.tf:68
────────────────────────────────────────────────────────────────────────────────
   65    resource "aws_lb_listener" "listener" {
   66      load_balancer_arn = aws_lb.chaps_lb.arn
   67      port              = 80
   68  [   protocol          = "HTTP" ("HTTP")
   69    
   70      default_action {
   71        target_group_arn = aws_lb_target_group.chaps_target_group.id
   72        type             = "forward"
   73      }
   74    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-elb-http-not-used
      Impact Your traffic is not protected
  Resolution Switch to HTTPS to benefit from TLS security features

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/elb/http-not-used/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_listener
────────────────────────────────────────────────────────────────────────────────


Result #6 HIGH IAM policy document uses wildcarded action 'ecr:*' 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:121-128
────────────────────────────────────────────────────────────────────────────────
  112    resource "aws_iam_role_policy" "app_execution" {
  ...  
  121  ┌            "Action": [
  122  │              "ecr:*",
  123  │              "logs:CreateLogGroup",
  124  │              "logs:CreateLogStream",
  125  │              "logs:PutLogEvents",
  126  │              "logs:DescribeLogStreams",
  127  └              "secretsmanager:GetSecretValue"
  ...  
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #7 HIGH IAM policy document uses sensitive action 'ecr:*' on wildcarded resource '*' 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:129
────────────────────────────────────────────────────────────────────────────────
  112    resource "aws_iam_role_policy" "app_execution" {
  ...  
  129  [            "Resource": "*",
  ...  
  135    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Results #8-10 HIGH IAM policy document uses wildcarded action 'logs:CreateLogStream' (3 similar results)
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:174-180
────────────────────────────────────────────────────────────────────────────────
  164    resource "aws_iam_role_policy" "app_task" {
  ...  
  174  ┌         "Action": [
  175  │           "logs:CreateLogStream",
  176  │           "logs:PutLogEvents",
  177  │           "ecr:*",
  178  │           "iam:*",
  179  │           "ec2:*"
  180  └         ],
  ...  
────────────────────────────────────────────────────────────────────────────────
  Individual Causes
  - ecs.tf:164-186 (aws_iam_role_policy.app_task) 3 instances
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #11 HIGH IAM policy document uses sensitive action 'logs:CreateLogStream' on wildcarded resource '*' 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:181
────────────────────────────────────────────────────────────────────────────────
  164    resource "aws_iam_role_policy" "app_task" {
  ...  
  181  [        "Resource": "*"
  ...  
  186    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #12 HIGH Application load balancer is not set to drop invalid headers. 
────────────────────────────────────────────────────────────────────────────────
  loadbalancer.tf:31-39
────────────────────────────────────────────────────────────────────────────────
   31    resource "aws_lb" "chaps_lb" {
   32      name                       = "chaps-load-balancer"
   33      load_balancer_type         = "application"
   34      security_groups            = [aws_security_group.chaps_lb_sc.id]
   35      subnets                    = data.aws_subnets.shared-public.ids
   36      enable_deletion_protection = false
   37      internal                   = false
   38      depends_on                 = [aws_security_group.chaps_lb_sc]
   39    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-elb-drop-invalid-headers
      Impact Invalid headers being passed through to the target of the load balance may exploit vulnerabilities
  Resolution Set drop_invalid_header_fields to true

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/elb/drop-invalid-headers/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb#drop_invalid_header_fields
────────────────────────────────────────────────────────────────────────────────


Result #13 HIGH Load balancer is exposed publicly. 
────────────────────────────────────────────────────────────────────────────────
  loadbalancer.tf:37
────────────────────────────────────────────────────────────────────────────────
   31    resource "aws_lb" "chaps_lb" {
   32      name                       = "chaps-load-balancer"
   33      load_balancer_type         = "application"
   34      security_groups            = [aws_security_group.chaps_lb_sc.id]
   35      subnets                    = data.aws_subnets.shared-public.ids
   36      enable_deletion_protection = false
   37  [   internal                   = false (false)
   38      depends_on                 = [aws_security_group.chaps_lb_sc]
   39    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-elb-alb-not-public
      Impact The load balancer is exposed on the internet
  Resolution Switch to an internal load balancer or add a tfsec ignore

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/elb/alb-not-public/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb
────────────────────────────────────────────────────────────────────────────────


Result #14 LOW Log group is not encrypted. 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:14-17
────────────────────────────────────────────────────────────────────────────────
   14    resource "aws_cloudwatch_log_group" "deployment_logs" {
   15      name              = "/aws/events/deploymentLogs"
   16      retention_in_days = "7"
   17    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-cloudwatch-log-group-customer-key
      Impact Log data may be leaked if the logs are compromised. No auditing of who have viewed the logs.
  Resolution Enable CMK encryption of CloudWatch Log Groups

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/cloudwatch/log-group-customer-key/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group#kms_key_id
────────────────────────────────────────────────────────────────────────────────


Result #15 LOW Security group explicitly uses the default description. 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:188-206
────────────────────────────────────────────────────────────────────────────────
  188  ┌ resource "aws_security_group" "ecs_service" {
  189  │   name_prefix = "ecs-service-sg-"
  190  │   vpc_id      = data.aws_vpc.shared.id
  191  │ 
  192  │   ingress {
  193  │     from_port       = 80
  194  │     to_port         = 80
  195  │     protocol        = "tcp"
  196  └     description     = "Allow traffic on port 80 from load balancer"
  ...  
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-add-description-to-security-group
      Impact Descriptions provide context for the firewall rule reasons
  Resolution Add descriptions for all security groups

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/add-description-to-security-group/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule
────────────────────────────────────────────────────────────────────────────────


Result #16 LOW Security group rule does not have a description. 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:200-205
────────────────────────────────────────────────────────────────────────────────
  188    resource "aws_security_group" "ecs_service" {
  ...  
  200  ┌   egress {
  201  │     from_port   = 0
  202  │     to_port     = 0
  203  │     protocol    = "-1"
  204  │     cidr_blocks = ["0.0.0.0/0"]
  205  └   }
  206    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-add-description-to-security-group-rule
      Impact Descriptions provide context for the firewall rule reasons
  Resolution Add descriptions for all security groups rules

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/add-description-to-security-group-rule/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule
────────────────────────────────────────────────────────────────────────────────


Result #17 LOW Log group is not encrypted. 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:251-254
────────────────────────────────────────────────────────────────────────────────
  251    resource "aws_cloudwatch_log_group" "cloudwatch_group" {
  252      name              = "${local.application_name}-ecs"
  253      retention_in_days = 30
  254    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-cloudwatch-log-group-customer-key
      Impact Log data may be leaked if the logs are compromised. No auditing of who have viewed the logs.
  Resolution Enable CMK encryption of CloudWatch Log Groups

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/cloudwatch/log-group-customer-key/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group#kms_key_id
────────────────────────────────────────────────────────────────────────────────


  timings
  ──────────────────────────────────────────
  disk i/o             465.82µs
  parsing              3.13302098s
  adaptation           1.287861ms
  checks               10.693708ms
  total                3.145468369s

  counts
  ──────────────────────────────────────────
  modules downloaded   2
  modules processed    3
  blocks processed     164
  files read           23

  results
  ──────────────────────────────────────────
  passed               39
  ignored              28
  critical             5
  high                 8
  medium               0
  low                  4

  39 passed, 28 ignored, 17 potential problem(s) detected.

tfsec_exitcode=1

Checkov Scan Failed

*****************************

Checkov will check the following folders:
terraform/environments/cdpt-chaps

*****************************

Running Checkov in terraform/environments/cdpt-chaps
2023-12-11 17:05:19,077 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.0.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 45, Failed checks: 27, Skipped checks: 0

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: bastion_linux
	File: /bastion_linux.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		5  | module "bastion_linux" {
		6  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.0.0"
		7  | 
		8  |   providers = {
		9  |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		10 |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		11 |   }
		12 | 
		13 |   # s3 - used for logs and user ssh public keys
		14 |   bucket_name          = "bastion"
		15 |   bucket_versioning    = true
		16 |   bucket_force_destroy = true
		17 |   # public keys
		18 |   public_key_data = local.public_key_data.keys[local.environment]
		19 |   # logs
		20 |   log_auto_clean       = "Enabled"
		21 |   log_standard_ia_days = 30  # days before moving to IA storage
		22 |   log_glacier_days     = 60  # days before moving to Glacier
		23 |   log_expiry_days      = 180 # days before log expiration
		24 |   # bastion
		25 |   allow_ssh_commands = false
		26 | 
		27 |   app_name      = var.networking[0].application
		28 |   business_unit = local.vpc_name
		29 |   subnet_set    = local.subnet_set
		30 |   environment   = local.environment
		31 |   region        = "eu-west-2"
		32 | 
		33 |   extra_user_data_content = "yum install -y openldap-clients"
		34 | 
		35 |   # Tags
		36 |   tags_common = local.tags
		37 |   tags_prefix = terraform.workspace
		38 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.deployment_logs
	File: /ecs.tf:14-17
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		14 | resource "aws_cloudwatch_log_group" "deployment_logs" {
		15 |   name              = "/aws/events/deploymentLogs"
		16 |   retention_in_days = "7"
		17 | }

Check: CKV_AWS_336: "Ensure ECS containers are limited to read-only access to root filesystems"
	FAILED for resource: aws_ecs_task_definition.chaps_task_definition
	File: /ecs.tf:19-57

		19 | resource "aws_ecs_task_definition" "chaps_task_definition" {
		20 |   family                   = "chapsFamily"
		21 |   requires_compatibilities = ["FARGATE"]
		22 |   network_mode             = "awsvpc"
		23 |   execution_role_arn       = aws_iam_role.app_execution.arn
		24 |   task_role_arn            = aws_iam_role.app_task.arn
		25 |   cpu                      = 1024
		26 |   memory                   = 2048
		27 |   container_definitions = jsonencode([
		28 |     {
		29 |       name      = "${local.application_name}-container"
		30 |       image     = "${local.ecr_url}:${local.application_data.accounts[local.environment].docker_image_tag}"
		31 |       cpu       = 1024
		32 |       memory    = 2048
		33 |       essential = true
		34 |       portMappings = [
		35 |         {
		36 |           containerPort = 80
		37 |           protocol      = "tcp"
		38 |           hostPort      = 80
		39 |         }
		40 |       ]
		41 |       logConfiguration = {
		42 |         logDriver = "awslogs",
		43 |         options = {
		44 |           awslogs-group = "${local.application_name}-ecs",
		45 |           awslogs-region = "eu-west-2",
		46 |           awslogs-stream-prefix = local.application_name
		47 |         }
		48 |       }
		49 |       environment = [
		50 |       ]
		51 |     }
		52 |   ])
		53 |   runtime_platform {
		54 |     operating_system_family = "WINDOWS_SERVER_2019_CORE"
		55 |     cpu_architecture        = "X86_64"
		56 |   }
		57 | }

Check: CKV_AWS_333: "Ensure ECS services do not have public IP addresses assigned to them automatically"
	FAILED for resource: aws_ecs_service.ecs_service
	File: /ecs.tf:59-83

		59 | resource "aws_ecs_service" "ecs_service" {
		60 |   depends_on = [
		61 |     aws_lb_listener.listener
		62 |   ]
		63 | 
		64 |   name                              = var.networking[0].application
		65 |   cluster                           = aws_ecs_cluster.ecs_cluster.id
		66 |   task_definition                   = aws_ecs_task_definition.chaps_task_definition.arn
		67 |   launch_type                       = "FARGATE"
		68 |   enable_execute_command            = true
		69 |   desired_count                     = 2
		70 |   health_check_grace_period_seconds = 180
		71 | 
		72 |   network_configuration {
		73 |     subnets          = data.aws_subnets.shared-public.ids
		74 |     security_groups  = [aws_security_group.ecs_service.id]
		75 |     assign_public_ip = true
		76 |   }
		77 | 
		78 |   load_balancer {
		79 |     target_group_arn = aws_lb_target_group.chaps_target_group.arn
		80 |     container_name   = "${local.application_name}-container"
		81 |     container_port   = 80
		82 |   }
		83 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:112-135

		112 | resource "aws_iam_role_policy" "app_execution" {
		113 |   name = "execution-${var.networking[0].application}"
		114 |   role = aws_iam_role.app_execution.id
		115 | 
		116 |   policy = <<-EOF
		117 |   {
		118 |     "Version": "2012-10-17",
		119 |     "Statement": [
		120 |       {
		121 |            "Action": [
		122 |               "ecr:*",
		123 |               "logs:CreateLogGroup",
		124 |               "logs:CreateLogStream",
		125 |               "logs:PutLogEvents",
		126 |               "logs:DescribeLogStreams",
		127 |               "secretsmanager:GetSecretValue"
		128 |            ],
		129 |            "Resource": "*",
		130 |            "Effect": "Allow"
		131 |       }
		132 |     ]
		133 |   }
		134 |   EOF
		135 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:112-135

		112 | resource "aws_iam_role_policy" "app_execution" {
		113 |   name = "execution-${var.networking[0].application}"
		114 |   role = aws_iam_role.app_execution.id
		115 | 
		116 |   policy = <<-EOF
		117 |   {
		118 |     "Version": "2012-10-17",
		119 |     "Statement": [
		120 |       {
		121 |            "Action": [
		122 |               "ecr:*",
		123 |               "logs:CreateLogGroup",
		124 |               "logs:CreateLogStream",
		125 |               "logs:PutLogEvents",
		126 |               "logs:DescribeLogStreams",
		127 |               "secretsmanager:GetSecretValue"
		128 |            ],
		129 |            "Resource": "*",
		130 |            "Effect": "Allow"
		131 |       }
		132 |     ]
		133 |   }
		134 |   EOF
		135 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:112-135

		112 | resource "aws_iam_role_policy" "app_execution" {
		113 |   name = "execution-${var.networking[0].application}"
		114 |   role = aws_iam_role.app_execution.id
		115 | 
		116 |   policy = <<-EOF
		117 |   {
		118 |     "Version": "2012-10-17",
		119 |     "Statement": [
		120 |       {
		121 |            "Action": [
		122 |               "ecr:*",
		123 |               "logs:CreateLogGroup",
		124 |               "logs:CreateLogStream",
		125 |               "logs:PutLogEvents",
		126 |               "logs:DescribeLogStreams",
		127 |               "secretsmanager:GetSecretValue"
		128 |            ],
		129 |            "Resource": "*",
		130 |            "Effect": "Allow"
		131 |       }
		132 |     ]
		133 |   }
		134 |   EOF
		135 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:112-135

		112 | resource "aws_iam_role_policy" "app_execution" {
		113 |   name = "execution-${var.networking[0].application}"
		114 |   role = aws_iam_role.app_execution.id
		115 | 
		116 |   policy = <<-EOF
		117 |   {
		118 |     "Version": "2012-10-17",
		119 |     "Statement": [
		120 |       {
		121 |            "Action": [
		122 |               "ecr:*",
		123 |               "logs:CreateLogGroup",
		124 |               "logs:CreateLogStream",
		125 |               "logs:PutLogEvents",
		126 |               "logs:DescribeLogStreams",
		127 |               "secretsmanager:GetSecretValue"
		128 |            ],
		129 |            "Resource": "*",
		130 |            "Effect": "Allow"
		131 |       }
		132 |     ]
		133 |   }
		134 |   EOF
		135 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:164-186

		164 | resource "aws_iam_role_policy" "app_task" {
		165 |   name = "task-${var.networking[0].application}"
		166 |   role = aws_iam_role.app_task.id
		167 | 
		168 |   policy = <<-EOF
		169 |   {
		170 |    "Version": "2012-10-17",
		171 |    "Statement": [
		172 |      {
		173 |        "Effect": "Allow",
		174 |         "Action": [
		175 |           "logs:CreateLogStream",
		176 |           "logs:PutLogEvents",
		177 |           "ecr:*",
		178 |           "iam:*",
		179 |           "ec2:*"
		180 |         ],
		181 |        "Resource": "*"
		182 |      }
		183 |    ]
		184 |   }
		185 |   EOF
		186 | }

Check: CKV_AWS_287: "Ensure IAM policies does not allow credentials exposure"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:164-186

		164 | resource "aws_iam_role_policy" "app_task" {
		165 |   name = "task-${var.networking[0].application}"
		166 |   role = aws_iam_role.app_task.id
		167 | 
		168 |   policy = <<-EOF
		169 |   {
		170 |    "Version": "2012-10-17",
		171 |    "Statement": [
		172 |      {
		173 |        "Effect": "Allow",
		174 |         "Action": [
		175 |           "logs:CreateLogStream",
		176 |           "logs:PutLogEvents",
		177 |           "ecr:*",
		178 |           "iam:*",
		179 |           "ec2:*"
		180 |         ],
		181 |        "Resource": "*"
		182 |      }
		183 |    ]
		184 |   }
		185 |   EOF
		186 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:164-186

		164 | resource "aws_iam_role_policy" "app_task" {
		165 |   name = "task-${var.networking[0].application}"
		166 |   role = aws_iam_role.app_task.id
		167 | 
		168 |   policy = <<-EOF
		169 |   {
		170 |    "Version": "2012-10-17",
		171 |    "Statement": [
		172 |      {
		173 |        "Effect": "Allow",
		174 |         "Action": [
		175 |           "logs:CreateLogStream",
		176 |           "logs:PutLogEvents",
		177 |           "ecr:*",
		178 |           "iam:*",
		179 |           "ec2:*"
		180 |         ],
		181 |        "Resource": "*"
		182 |      }
		183 |    ]
		184 |   }
		185 |   EOF
		186 | }

Check: CKV_AWS_286: "Ensure IAM policies does not allow privilege escalation"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:164-186

		164 | resource "aws_iam_role_policy" "app_task" {
		165 |   name = "task-${var.networking[0].application}"
		166 |   role = aws_iam_role.app_task.id
		167 | 
		168 |   policy = <<-EOF
		169 |   {
		170 |    "Version": "2012-10-17",
		171 |    "Statement": [
		172 |      {
		173 |        "Effect": "Allow",
		174 |         "Action": [
		175 |           "logs:CreateLogStream",
		176 |           "logs:PutLogEvents",
		177 |           "ecr:*",
		178 |           "iam:*",
		179 |           "ec2:*"
		180 |         ],
		181 |        "Resource": "*"
		182 |      }
		183 |    ]
		184 |   }
		185 |   EOF
		186 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:164-186

		164 | resource "aws_iam_role_policy" "app_task" {
		165 |   name = "task-${var.networking[0].application}"
		166 |   role = aws_iam_role.app_task.id
		167 | 
		168 |   policy = <<-EOF
		169 |   {
		170 |    "Version": "2012-10-17",
		171 |    "Statement": [
		172 |      {
		173 |        "Effect": "Allow",
		174 |         "Action": [
		175 |           "logs:CreateLogStream",
		176 |           "logs:PutLogEvents",
		177 |           "ecr:*",
		178 |           "iam:*",
		179 |           "ec2:*"
		180 |         ],
		181 |        "Resource": "*"
		182 |      }
		183 |    ]
		184 |   }
		185 |   EOF
		186 | }

Check: CKV_AWS_23: "Ensure every security groups rule has a description"
	FAILED for resource: aws_security_group.ecs_service
	File: /ecs.tf:188-206
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		188 | resource "aws_security_group" "ecs_service" {
		189 |   name_prefix = "ecs-service-sg-"
		190 |   vpc_id      = data.aws_vpc.shared.id
		191 | 
		192 |   ingress {
		193 |     from_port       = 80
		194 |     to_port         = 80
		195 |     protocol        = "tcp"
		196 |     description     = "Allow traffic on port 80 from load balancer"
		197 |     security_groups = [aws_security_group.chaps_lb_sc.id]
		198 |   }
		199 | 
		200 |   egress {
		201 |     from_port   = 0
		202 |     to_port     = 0
		203 |     protocol    = "-1"
		204 |     cidr_blocks = ["0.0.0.0/0"]
		205 |   }
		206 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.cloudwatch_group
	File: /ecs.tf:251-254

		251 | resource "aws_cloudwatch_log_group" "cloudwatch_group" {
		252 |   name              = "${local.application_name}-ecs"
		253 |   retention_in_days = 30
		254 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.cloudwatch_group
	File: /ecs.tf:251-254
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		251 | resource "aws_cloudwatch_log_group" "cloudwatch_group" {
		252 |   name              = "${local.application_name}-ecs"
		253 |   retention_in_days = 30
		254 | }

Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
	FAILED for resource: aws_security_group.chaps_lb_sc
	File: /loadbalancer.tf:1-29
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80

		1  | resource "aws_security_group" "chaps_lb_sc" {
		2  |   name        = "load balancer security group"
		3  |   description = "control access to the load balancer"
		4  |   vpc_id      = data.aws_vpc.shared.id
		5  | 
		6  |   ingress {
		7  |     description = "allow access on HTTP"
		8  |     from_port   = 80
		9  |     to_port     = 80
		10 |     protocol    = "tcp"
		11 |     cidr_blocks = ["0.0.0.0/0"]
		12 |   }
		13 | 
		14 |   ingress {
		15 |     description = "allow access on HTTPS"
		16 |     from_port   = 443
		17 |     to_port     = 443
		18 |     protocol    = "tcp"
		19 |     cidr_blocks = ["0.0.0.0/0"]
		20 |   }
		21 | 
		22 |   egress {
		23 |     description = "allow all outbound traffic for port 80"
		24 |     from_port   = 80
		25 |     to_port     = 80
		26 |     protocol    = "tcp"
		27 |     cidr_blocks = ["0.0.0.0/0"]
		28 |   }
		29 | }

Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
	FAILED for resource: aws_lb.chaps_lb
	File: /loadbalancer.tf:31-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers

		31 | resource "aws_lb" "chaps_lb" {
		32 |   name                       = "chaps-load-balancer"
		33 |   load_balancer_type         = "application"
		34 |   security_groups            = [aws_security_group.chaps_lb_sc.id]
		35 |   subnets                    = data.aws_subnets.shared-public.ids
		36 |   enable_deletion_protection = false
		37 |   internal                   = false
		38 |   depends_on                 = [aws_security_group.chaps_lb_sc]
		39 | }

Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
	FAILED for resource: aws_lb.chaps_lb
	File: /loadbalancer.tf:31-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22

		31 | resource "aws_lb" "chaps_lb" {
		32 |   name                       = "chaps-load-balancer"
		33 |   load_balancer_type         = "application"
		34 |   security_groups            = [aws_security_group.chaps_lb_sc.id]
		35 |   subnets                    = data.aws_subnets.shared-public.ids
		36 |   enable_deletion_protection = false
		37 |   internal                   = false
		38 |   depends_on                 = [aws_security_group.chaps_lb_sc]
		39 | }

Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
	FAILED for resource: aws_lb.chaps_lb
	File: /loadbalancer.tf:31-39
	Guide: https://docs.bridgecrew.io/docs/bc_aws_networking_62

		31 | resource "aws_lb" "chaps_lb" {
		32 |   name                       = "chaps-load-balancer"
		33 |   load_balancer_type         = "application"
		34 |   security_groups            = [aws_security_group.chaps_lb_sc.id]
		35 |   subnets                    = data.aws_subnets.shared-public.ids
		36 |   enable_deletion_protection = false
		37 |   internal                   = false
		38 |   depends_on                 = [aws_security_group.chaps_lb_sc]
		39 | }

Check: CKV_AWS_261: "Ensure HTTP HTTPS Target group defines Healthcheck"
	FAILED for resource: aws_lb_target_group.chaps_target_group
	File: /loadbalancer.tf:41-63
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-kendra-index-server-side-encryption-uses-customer-managed-keys-cmks

		41 | resource "aws_lb_target_group" "chaps_target_group" {
		42 |   name                 = "chaps-target-group"
		43 |   port                 = 80
		44 |   protocol             = "HTTP"
		45 |   vpc_id               = data.aws_vpc.shared.id
		46 |   target_type          = "ip"
		47 |   deregistration_delay = 30
		48 | 
		49 |   stickiness {
		50 |     type = "lb_cookie"
		51 |   }
		52 | 
		53 |   health_check {
		54 |     healthy_threshold   = "3"
		55 |     interval            = "30"
		56 |     protocol            = "HTTP"
		57 |     port                = "80"
		58 |     unhealthy_threshold = "5"
		59 |     matcher             = "200-499"
		60 |     timeout             = "10"
		61 |   }
		62 | 
		63 | }

Check: CKV_AWS_2: "Ensure ALB protocol is HTTPS"
	FAILED for resource: aws_lb_listener.listener
	File: /loadbalancer.tf:65-74
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-29

		65 | resource "aws_lb_listener" "listener" {
		66 |   load_balancer_arn = aws_lb.chaps_lb.arn
		67 |   port              = 80
		68 |   protocol          = "HTTP"
		69 | 
		70 |   default_action {
		71 |     target_group_arn = aws_lb_target_group.chaps_target_group.id
		72 |     type             = "forward"
		73 |   }
		74 | }

Check: CKV_AWS_103: "Ensure that load balancer is using at least TLS 1.2"
	FAILED for resource: aws_lb_listener.listener
	File: /loadbalancer.tf:65-74
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-43

		65 | resource "aws_lb_listener" "listener" {
		66 |   load_balancer_arn = aws_lb.chaps_lb.arn
		67 |   port              = 80
		68 |   protocol          = "HTTP"
		69 | 
		70 |   default_action {
		71 |     target_group_arn = aws_lb_target_group.chaps_target_group.id
		72 |     type             = "forward"
		73 |   }
		74 | }

Check: CKV_AWS_103: "Ensure that load balancer is using at least TLS 1.2"
	FAILED for resource: aws_lb_listener.https_listener
	File: /loadbalancer.tf:76-88
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-43

		76 | resource "aws_lb_listener" "https_listener" {
		77 |   depends_on = [aws_acm_certificate_validation.external]
		78 | 
		79 |   load_balancer_arn = aws_lb.chaps_lb.arn
		80 |   port              = "443"
		81 |   protocol          = "HTTPS"
		82 |   certificate_arn   = aws_acm_certificate.external.arn
		83 | 
		84 |   default_action {
		85 |     target_group_arn = aws_lb_target_group.chaps_target_group.id
		86 |     type             = "forward"
		87 |   }
		88 | }

Check: CKV2_AWS_20: "Ensure that ALB redirects HTTP requests into HTTPS ones"
	FAILED for resource: aws_lb.chaps_lb
	File: /loadbalancer.tf:31-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-redirects-http-requests-into-https-ones

		31 | resource "aws_lb" "chaps_lb" {
		32 |   name                       = "chaps-load-balancer"
		33 |   load_balancer_type         = "application"
		34 |   security_groups            = [aws_security_group.chaps_lb_sc.id]
		35 |   subnets                    = data.aws_subnets.shared-public.ids
		36 |   enable_deletion_protection = false
		37 |   internal                   = false
		38 |   depends_on                 = [aws_security_group.chaps_lb_sc]
		39 | }

Check: CKV2_AWS_28: "Ensure public facing ALB are protected by WAF"
	FAILED for resource: aws_lb.chaps_lb
	File: /loadbalancer.tf:31-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-public-facing-alb-are-protected-by-waf

		31 | resource "aws_lb" "chaps_lb" {
		32 |   name                       = "chaps-load-balancer"
		33 |   load_balancer_type         = "application"
		34 |   security_groups            = [aws_security_group.chaps_lb_sc.id]
		35 |   subnets                    = data.aws_subnets.shared-public.ids
		36 |   enable_deletion_protection = false
		37 |   internal                   = false
		38 |   depends_on                 = [aws_security_group.chaps_lb_sc]
		39 | }

Check: CKV2_AWS_40: "Ensure AWS IAM policy does not allow full IAM privileges"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:164-186

		164 | resource "aws_iam_role_policy" "app_task" {
		165 |   name = "task-${var.networking[0].application}"
		166 |   role = aws_iam_role.app_task.id
		167 | 
		168 |   policy = <<-EOF
		169 |   {
		170 |    "Version": "2012-10-17",
		171 |    "Statement": [
		172 |      {
		173 |        "Effect": "Allow",
		174 |         "Action": [
		175 |           "logs:CreateLogStream",
		176 |           "logs:PutLogEvents",
		177 |           "ecr:*",
		178 |           "iam:*",
		179 |           "ec2:*"
		180 |         ],
		181 |        "Resource": "*"
		182 |      }
		183 |    ]
		184 |   }
		185 |   EOF
		186 | }


checkov_exitcode=1

CTFLint Scan Success

*****************************

Setting default tflint config...
Running tflint --init...
Installing `terraform` plugin...
Installed `terraform` (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.2.1)
tflint will check the following folders:
terraform/environments/cdpt-chaps

*****************************

Running tflint in terraform/environments/cdpt-chaps
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

TFSEC Scan Failed

*****************************

TFSEC will check the following folders:
terraform/environments/cdpt-chaps

*****************************

Running TFSEC in terraform/environments/cdpt-chaps
Excluding the following checks: AWS095

======================================================
tfsec is joining the Trivy family

tfsec will continue to remain available 
for the time being, although our engineering 
attention will be directed at Trivy going forward.

You can read more here: 
https://github.com/aquasecurity/tfsec/discussions/1994
======================================================

Result #1 CRITICAL Security group rule allows egress to multiple public internet addresses. 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:204
────────────────────────────────────────────────────────────────────────────────
  188    resource "aws_security_group" "ecs_service" {
  ...  
  204  [     cidr_blocks = ["0.0.0.0/0"]
  ...  
  206    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-no-public-egress-sgr
      Impact Your port is egressing data to the internet
  Resolution Set a more restrictive cidr range

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/no-public-egress-sgr/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
────────────────────────────────────────────────────────────────────────────────


Result #2 CRITICAL Security group rule allows ingress from public internet. 
────────────────────────────────────────────────────────────────────────────────
  loadbalancer.tf:11
────────────────────────────────────────────────────────────────────────────────
    1    resource "aws_security_group" "chaps_lb_sc" {
    .  
   11  [     cidr_blocks = ["0.0.0.0/0"]
   ..  
   29    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-no-public-ingress-sgr
      Impact Your port exposed to the internet
  Resolution Set a more restrictive cidr range

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/no-public-ingress-sgr/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule#cidr_blocks
────────────────────────────────────────────────────────────────────────────────


Result #3 CRITICAL Security group rule allows ingress from public internet. 
────────────────────────────────────────────────────────────────────────────────
  loadbalancer.tf:19
────────────────────────────────────────────────────────────────────────────────
    1    resource "aws_security_group" "chaps_lb_sc" {
    .  
   19  [     cidr_blocks = ["0.0.0.0/0"]
   ..  
   29    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-no-public-ingress-sgr
      Impact Your port exposed to the internet
  Resolution Set a more restrictive cidr range

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/no-public-ingress-sgr/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule#cidr_blocks
────────────────────────────────────────────────────────────────────────────────


Result #4 CRITICAL Security group rule allows egress to multiple public internet addresses. 
────────────────────────────────────────────────────────────────────────────────
  loadbalancer.tf:27
────────────────────────────────────────────────────────────────────────────────
    1    resource "aws_security_group" "chaps_lb_sc" {
    .  
   27  [     cidr_blocks = ["0.0.0.0/0"]
   ..  
   29    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-no-public-egress-sgr
      Impact Your port is egressing data to the internet
  Resolution Set a more restrictive cidr range

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/no-public-egress-sgr/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
────────────────────────────────────────────────────────────────────────────────


Result #5 CRITICAL Listener for application load balancer does not use HTTPS. 
────────────────────────────────────────────────────────────────────────────────
  loadbalancer.tf:68
────────────────────────────────────────────────────────────────────────────────
   65    resource "aws_lb_listener" "listener" {
   66      load_balancer_arn = aws_lb.chaps_lb.arn
   67      port              = 80
   68  [   protocol          = "HTTP" ("HTTP")
   69    
   70      default_action {
   71        target_group_arn = aws_lb_target_group.chaps_target_group.id
   72        type             = "forward"
   73      }
   74    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-elb-http-not-used
      Impact Your traffic is not protected
  Resolution Switch to HTTPS to benefit from TLS security features

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/elb/http-not-used/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_listener
────────────────────────────────────────────────────────────────────────────────


Result #6 HIGH IAM policy document uses wildcarded action 'ecr:*' 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:121-128
────────────────────────────────────────────────────────────────────────────────
  112    resource "aws_iam_role_policy" "app_execution" {
  ...  
  121  ┌           "Action": [
  122  │             "ecr:*",
  123  │             "logs:CreateLogGroup",
  124  │             "logs:CreateLogStream",
  125  │             "logs:PutLogEvents",
  126  │             "logs:DescribeLogStreams",
  127  │             "secretsmanager:GetSecretValue"
  ...  
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #7 HIGH IAM policy document uses sensitive action 'ecr:*' on wildcarded resource '*' 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:129
────────────────────────────────────────────────────────────────────────────────
  112    resource "aws_iam_role_policy" "app_execution" {
  ...  
  129  [            "Resource": "*",
  ...  
  135    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Results #8-10 HIGH IAM policy document uses wildcarded action 'logs:CreateLogStream' (3 similar results)
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:174-180
────────────────────────────────────────────────────────────────────────────────
  164    resource "aws_iam_role_policy" "app_task" {
  ...  
  174  ┌         "Action": [
  175  │           "logs:CreateLogStream",
  176  │           "logs:PutLogEvents",
  177  │           "ecr:*",
  178  │           "iam:*",
  179  │           "ec2:*"
  180  └         ],
  ...  
────────────────────────────────────────────────────────────────────────────────
  Individual Causes
  - ecs.tf:164-186 (aws_iam_role_policy.app_task) 3 instances
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #11 HIGH IAM policy document uses sensitive action 'logs:CreateLogStream' on wildcarded resource '*' 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:181
────────────────────────────────────────────────────────────────────────────────
  164    resource "aws_iam_role_policy" "app_task" {
  ...  
  181  [        "Resource": "*"
  ...  
  186    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #12 HIGH Application load balancer is not set to drop invalid headers. 
────────────────────────────────────────────────────────────────────────────────
  loadbalancer.tf:31-39
────────────────────────────────────────────────────────────────────────────────
   31    resource "aws_lb" "chaps_lb" {
   32      name                       = "chaps-load-balancer"
   33      load_balancer_type         = "application"
   34      security_groups            = [aws_security_group.chaps_lb_sc.id]
   35      subnets                    = data.aws_subnets.shared-public.ids
   36      enable_deletion_protection = false
   37      internal                   = false
   38      depends_on                 = [aws_security_group.chaps_lb_sc]
   39    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-elb-drop-invalid-headers
      Impact Invalid headers being passed through to the target of the load balance may exploit vulnerabilities
  Resolution Set drop_invalid_header_fields to true

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/elb/drop-invalid-headers/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb#drop_invalid_header_fields
────────────────────────────────────────────────────────────────────────────────


Result #13 HIGH Load balancer is exposed publicly. 
────────────────────────────────────────────────────────────────────────────────
  loadbalancer.tf:37
────────────────────────────────────────────────────────────────────────────────
   31    resource "aws_lb" "chaps_lb" {
   32      name                       = "chaps-load-balancer"
   33      load_balancer_type         = "application"
   34      security_groups            = [aws_security_group.chaps_lb_sc.id]
   35      subnets                    = data.aws_subnets.shared-public.ids
   36      enable_deletion_protection = false
   37  [   internal                   = false (false)
   38      depends_on                 = [aws_security_group.chaps_lb_sc]
   39    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-elb-alb-not-public
      Impact The load balancer is exposed on the internet
  Resolution Switch to an internal load balancer or add a tfsec ignore

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/elb/alb-not-public/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb
────────────────────────────────────────────────────────────────────────────────


Result #14 LOW Log group is not encrypted. 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:14-17
────────────────────────────────────────────────────────────────────────────────
   14    resource "aws_cloudwatch_log_group" "deployment_logs" {
   15      name              = "/aws/events/deploymentLogs"
   16      retention_in_days = "7"
   17    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-cloudwatch-log-group-customer-key
      Impact Log data may be leaked if the logs are compromised. No auditing of who have viewed the logs.
  Resolution Enable CMK encryption of CloudWatch Log Groups

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/cloudwatch/log-group-customer-key/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group#kms_key_id
────────────────────────────────────────────────────────────────────────────────


Result #15 LOW Security group explicitly uses the default description. 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:188-206
────────────────────────────────────────────────────────────────────────────────
  188  ┌ resource "aws_security_group" "ecs_service" {
  189  │   name_prefix = "ecs-service-sg-"
  190  │   vpc_id      = data.aws_vpc.shared.id
  191  │ 
  192  │   ingress {
  193  │     from_port       = 80
  194  │     to_port         = 80
  195  │     protocol        = "tcp"
  196  └     description     = "Allow traffic on port 80 from load balancer"
  ...  
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-add-description-to-security-group
      Impact Descriptions provide context for the firewall rule reasons
  Resolution Add descriptions for all security groups

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/add-description-to-security-group/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule
────────────────────────────────────────────────────────────────────────────────


Result #16 LOW Security group rule does not have a description. 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:200-205
────────────────────────────────────────────────────────────────────────────────
  188    resource "aws_security_group" "ecs_service" {
  ...  
  200  ┌   egress {
  201  │     from_port   = 0
  202  │     to_port     = 0
  203  │     protocol    = "-1"
  204  │     cidr_blocks = ["0.0.0.0/0"]
  205  └   }
  206    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-add-description-to-security-group-rule
      Impact Descriptions provide context for the firewall rule reasons
  Resolution Add descriptions for all security groups rules

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/add-description-to-security-group-rule/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule
────────────────────────────────────────────────────────────────────────────────


Result #17 LOW Log group is not encrypted. 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:251-254
────────────────────────────────────────────────────────────────────────────────
  251    resource "aws_cloudwatch_log_group" "cloudwatch_group" {
  252      name              = "${local.application_name}-ecs"
  253      retention_in_days = 30
  254    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-cloudwatch-log-group-customer-key
      Impact Log data may be leaked if the logs are compromised. No auditing of who have viewed the logs.
  Resolution Enable CMK encryption of CloudWatch Log Groups

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/cloudwatch/log-group-customer-key/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group#kms_key_id
────────────────────────────────────────────────────────────────────────────────


  timings
  ──────────────────────────────────────────
  disk i/o             549.088µs
  parsing              1.834564474s
  adaptation           1.075806ms
  checks               4.20541ms
  total                1.840394778s

  counts
  ──────────────────────────────────────────
  modules downloaded   2
  modules processed    3
  blocks processed     164
  files read           23

  results
  ──────────────────────────────────────────
  passed               39
  ignored              28
  critical             5
  high                 8
  medium               0
  low                  4

  39 passed, 28 ignored, 17 potential problem(s) detected.

tfsec_exitcode=1

Checkov Scan Failed

*****************************

Checkov will check the following folders:
terraform/environments/cdpt-chaps

*****************************

Running Checkov in terraform/environments/cdpt-chaps
2023-12-11 17:13:27,797 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.0.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 45, Failed checks: 27, Skipped checks: 0

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: bastion_linux
	File: /bastion_linux.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		5  | module "bastion_linux" {
		6  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.0.0"
		7  | 
		8  |   providers = {
		9  |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		10 |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		11 |   }
		12 | 
		13 |   # s3 - used for logs and user ssh public keys
		14 |   bucket_name          = "bastion"
		15 |   bucket_versioning    = true
		16 |   bucket_force_destroy = true
		17 |   # public keys
		18 |   public_key_data = local.public_key_data.keys[local.environment]
		19 |   # logs
		20 |   log_auto_clean       = "Enabled"
		21 |   log_standard_ia_days = 30  # days before moving to IA storage
		22 |   log_glacier_days     = 60  # days before moving to Glacier
		23 |   log_expiry_days      = 180 # days before log expiration
		24 |   # bastion
		25 |   allow_ssh_commands = false
		26 | 
		27 |   app_name      = var.networking[0].application
		28 |   business_unit = local.vpc_name
		29 |   subnet_set    = local.subnet_set
		30 |   environment   = local.environment
		31 |   region        = "eu-west-2"
		32 | 
		33 |   extra_user_data_content = "yum install -y openldap-clients"
		34 | 
		35 |   # Tags
		36 |   tags_common = local.tags
		37 |   tags_prefix = terraform.workspace
		38 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.deployment_logs
	File: /ecs.tf:14-17
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		14 | resource "aws_cloudwatch_log_group" "deployment_logs" {
		15 |   name              = "/aws/events/deploymentLogs"
		16 |   retention_in_days = "7"
		17 | }

Check: CKV_AWS_336: "Ensure ECS containers are limited to read-only access to root filesystems"
	FAILED for resource: aws_ecs_task_definition.chaps_task_definition
	File: /ecs.tf:19-57

		19 | resource "aws_ecs_task_definition" "chaps_task_definition" {
		20 |   family                   = "chapsFamily"
		21 |   requires_compatibilities = ["FARGATE"]
		22 |   network_mode             = "awsvpc"
		23 |   execution_role_arn       = aws_iam_role.app_execution.arn
		24 |   task_role_arn            = aws_iam_role.app_task.arn
		25 |   cpu                      = 1024
		26 |   memory                   = 2048
		27 |   container_definitions = jsonencode([
		28 |     {
		29 |       name      = "${local.application_name}-container"
		30 |       image     = "${local.ecr_url}:${local.application_data.accounts[local.environment].docker_image_tag}"
		31 |       cpu       = 1024
		32 |       memory    = 2048
		33 |       essential = true
		34 |       portMappings = [
		35 |         {
		36 |           containerPort = 80
		37 |           protocol      = "tcp"
		38 |           hostPort      = 80
		39 |         }
		40 |       ]
		41 |       logConfiguration = {
		42 |         logDriver = "awslogs",
		43 |         options = {
		44 |           awslogs-group = "${local.application_name}-ecs",
		45 |           awslogs-region = "eu-west-2",
		46 |           awslogs-stream-prefix = local.application_name
		47 |         }
		48 |       }
		49 |       environment = [
		50 |       ]
		51 |     }
		52 |   ])
		53 |   runtime_platform {
		54 |     operating_system_family = "WINDOWS_SERVER_2019_CORE"
		55 |     cpu_architecture        = "X86_64"
		56 |   }
		57 | }

Check: CKV_AWS_333: "Ensure ECS services do not have public IP addresses assigned to them automatically"
	FAILED for resource: aws_ecs_service.ecs_service
	File: /ecs.tf:59-83

		59 | resource "aws_ecs_service" "ecs_service" {
		60 |   depends_on = [
		61 |     aws_lb_listener.listener
		62 |   ]
		63 | 
		64 |   name                              = var.networking[0].application
		65 |   cluster                           = aws_ecs_cluster.ecs_cluster.id
		66 |   task_definition                   = aws_ecs_task_definition.chaps_task_definition.arn
		67 |   launch_type                       = "FARGATE"
		68 |   enable_execute_command            = true
		69 |   desired_count                     = 2
		70 |   health_check_grace_period_seconds = 180
		71 | 
		72 |   network_configuration {
		73 |     subnets          = data.aws_subnets.shared-public.ids
		74 |     security_groups  = [aws_security_group.ecs_service.id]
		75 |     assign_public_ip = true
		76 |   }
		77 | 
		78 |   load_balancer {
		79 |     target_group_arn = aws_lb_target_group.chaps_target_group.arn
		80 |     container_name   = "${local.application_name}-container"
		81 |     container_port   = 80
		82 |   }
		83 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:112-135

		112 | resource "aws_iam_role_policy" "app_execution" {
		113 |   name = "execution-${var.networking[0].application}"
		114 |   role = aws_iam_role.app_execution.id
		115 | 
		116 |   policy = <<-EOF
		117 |   {
		118 |     "Version": "2012-10-17",
		119 |     "Statement": [
		120 |       {
		121 |            "Action": [
		122 |               "ecr:*",
		123 |               "logs:CreateLogGroup",
		124 |               "logs:CreateLogStream",
		125 |               "logs:PutLogEvents",
		126 |               "logs:DescribeLogStreams",
		127 |               "secretsmanager:GetSecretValue"
		128 |            ],
		129 |            "Resource": "*",
		130 |            "Effect": "Allow"
		131 |       }
		132 |     ]
		133 |   }
		134 |   EOF
		135 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:112-135

		112 | resource "aws_iam_role_policy" "app_execution" {
		113 |   name = "execution-${var.networking[0].application}"
		114 |   role = aws_iam_role.app_execution.id
		115 | 
		116 |   policy = <<-EOF
		117 |   {
		118 |     "Version": "2012-10-17",
		119 |     "Statement": [
		120 |       {
		121 |            "Action": [
		122 |               "ecr:*",
		123 |               "logs:CreateLogGroup",
		124 |               "logs:CreateLogStream",
		125 |               "logs:PutLogEvents",
		126 |               "logs:DescribeLogStreams",
		127 |               "secretsmanager:GetSecretValue"
		128 |            ],
		129 |            "Resource": "*",
		130 |            "Effect": "Allow"
		131 |       }
		132 |     ]
		133 |   }
		134 |   EOF
		135 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:112-135

		112 | resource "aws_iam_role_policy" "app_execution" {
		113 |   name = "execution-${var.networking[0].application}"
		114 |   role = aws_iam_role.app_execution.id
		115 | 
		116 |   policy = <<-EOF
		117 |   {
		118 |     "Version": "2012-10-17",
		119 |     "Statement": [
		120 |       {
		121 |            "Action": [
		122 |               "ecr:*",
		123 |               "logs:CreateLogGroup",
		124 |               "logs:CreateLogStream",
		125 |               "logs:PutLogEvents",
		126 |               "logs:DescribeLogStreams",
		127 |               "secretsmanager:GetSecretValue"
		128 |            ],
		129 |            "Resource": "*",
		130 |            "Effect": "Allow"
		131 |       }
		132 |     ]
		133 |   }
		134 |   EOF
		135 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:112-135

		112 | resource "aws_iam_role_policy" "app_execution" {
		113 |   name = "execution-${var.networking[0].application}"
		114 |   role = aws_iam_role.app_execution.id
		115 | 
		116 |   policy = <<-EOF
		117 |   {
		118 |     "Version": "2012-10-17",
		119 |     "Statement": [
		120 |       {
		121 |            "Action": [
		122 |               "ecr:*",
		123 |               "logs:CreateLogGroup",
		124 |               "logs:CreateLogStream",
		125 |               "logs:PutLogEvents",
		126 |               "logs:DescribeLogStreams",
		127 |               "secretsmanager:GetSecretValue"
		128 |            ],
		129 |            "Resource": "*",
		130 |            "Effect": "Allow"
		131 |       }
		132 |     ]
		133 |   }
		134 |   EOF
		135 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:164-186

		164 | resource "aws_iam_role_policy" "app_task" {
		165 |   name = "task-${var.networking[0].application}"
		166 |   role = aws_iam_role.app_task.id
		167 | 
		168 |   policy = <<-EOF
		169 |   {
		170 |    "Version": "2012-10-17",
		171 |    "Statement": [
		172 |      {
		173 |        "Effect": "Allow",
		174 |         "Action": [
		175 |           "logs:CreateLogStream",
		176 |           "logs:PutLogEvents",
		177 |           "ecr:*",
		178 |           "iam:*",
		179 |           "ec2:*"
		180 |         ],
		181 |        "Resource": "*"
		182 |      }
		183 |    ]
		184 |   }
		185 |   EOF
		186 | }

Check: CKV_AWS_287: "Ensure IAM policies does not allow credentials exposure"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:164-186

		164 | resource "aws_iam_role_policy" "app_task" {
		165 |   name = "task-${var.networking[0].application}"
		166 |   role = aws_iam_role.app_task.id
		167 | 
		168 |   policy = <<-EOF
		169 |   {
		170 |    "Version": "2012-10-17",
		171 |    "Statement": [
		172 |      {
		173 |        "Effect": "Allow",
		174 |         "Action": [
		175 |           "logs:CreateLogStream",
		176 |           "logs:PutLogEvents",
		177 |           "ecr:*",
		178 |           "iam:*",
		179 |           "ec2:*"
		180 |         ],
		181 |        "Resource": "*"
		182 |      }
		183 |    ]
		184 |   }
		185 |   EOF
		186 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:164-186

		164 | resource "aws_iam_role_policy" "app_task" {
		165 |   name = "task-${var.networking[0].application}"
		166 |   role = aws_iam_role.app_task.id
		167 | 
		168 |   policy = <<-EOF
		169 |   {
		170 |    "Version": "2012-10-17",
		171 |    "Statement": [
		172 |      {
		173 |        "Effect": "Allow",
		174 |         "Action": [
		175 |           "logs:CreateLogStream",
		176 |           "logs:PutLogEvents",
		177 |           "ecr:*",
		178 |           "iam:*",
		179 |           "ec2:*"
		180 |         ],
		181 |        "Resource": "*"
		182 |      }
		183 |    ]
		184 |   }
		185 |   EOF
		186 | }

Check: CKV_AWS_286: "Ensure IAM policies does not allow privilege escalation"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:164-186

		164 | resource "aws_iam_role_policy" "app_task" {
		165 |   name = "task-${var.networking[0].application}"
		166 |   role = aws_iam_role.app_task.id
		167 | 
		168 |   policy = <<-EOF
		169 |   {
		170 |    "Version": "2012-10-17",
		171 |    "Statement": [
		172 |      {
		173 |        "Effect": "Allow",
		174 |         "Action": [
		175 |           "logs:CreateLogStream",
		176 |           "logs:PutLogEvents",
		177 |           "ecr:*",
		178 |           "iam:*",
		179 |           "ec2:*"
		180 |         ],
		181 |        "Resource": "*"
		182 |      }
		183 |    ]
		184 |   }
		185 |   EOF
		186 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:164-186

		164 | resource "aws_iam_role_policy" "app_task" {
		165 |   name = "task-${var.networking[0].application}"
		166 |   role = aws_iam_role.app_task.id
		167 | 
		168 |   policy = <<-EOF
		169 |   {
		170 |    "Version": "2012-10-17",
		171 |    "Statement": [
		172 |      {
		173 |        "Effect": "Allow",
		174 |         "Action": [
		175 |           "logs:CreateLogStream",
		176 |           "logs:PutLogEvents",
		177 |           "ecr:*",
		178 |           "iam:*",
		179 |           "ec2:*"
		180 |         ],
		181 |        "Resource": "*"
		182 |      }
		183 |    ]
		184 |   }
		185 |   EOF
		186 | }

Check: CKV_AWS_23: "Ensure every security groups rule has a description"
	FAILED for resource: aws_security_group.ecs_service
	File: /ecs.tf:188-206
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		188 | resource "aws_security_group" "ecs_service" {
		189 |   name_prefix = "ecs-service-sg-"
		190 |   vpc_id      = data.aws_vpc.shared.id
		191 | 
		192 |   ingress {
		193 |     from_port       = 80
		194 |     to_port         = 80
		195 |     protocol        = "tcp"
		196 |     description     = "Allow traffic on port 80 from load balancer"
		197 |     security_groups = [aws_security_group.chaps_lb_sc.id]
		198 |   }
		199 | 
		200 |   egress {
		201 |     from_port   = 0
		202 |     to_port     = 0
		203 |     protocol    = "-1"
		204 |     cidr_blocks = ["0.0.0.0/0"]
		205 |   }
		206 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.cloudwatch_group
	File: /ecs.tf:251-254

		251 | resource "aws_cloudwatch_log_group" "cloudwatch_group" {
		252 |   name              = "${local.application_name}-ecs"
		253 |   retention_in_days = 30
		254 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.cloudwatch_group
	File: /ecs.tf:251-254
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		251 | resource "aws_cloudwatch_log_group" "cloudwatch_group" {
		252 |   name              = "${local.application_name}-ecs"
		253 |   retention_in_days = 30
		254 | }

Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
	FAILED for resource: aws_security_group.chaps_lb_sc
	File: /loadbalancer.tf:1-29
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80

		1  | resource "aws_security_group" "chaps_lb_sc" {
		2  |   name        = "load balancer security group"
		3  |   description = "control access to the load balancer"
		4  |   vpc_id      = data.aws_vpc.shared.id
		5  | 
		6  |   ingress {
		7  |     description = "allow access on HTTP"
		8  |     from_port   = 80
		9  |     to_port     = 80
		10 |     protocol    = "tcp"
		11 |     cidr_blocks = ["0.0.0.0/0"]
		12 |   }
		13 | 
		14 |   ingress {
		15 |     description = "allow access on HTTPS"
		16 |     from_port   = 443
		17 |     to_port     = 443
		18 |     protocol    = "tcp"
		19 |     cidr_blocks = ["0.0.0.0/0"]
		20 |   }
		21 | 
		22 |   egress {
		23 |     description = "allow all outbound traffic for port 80"
		24 |     from_port   = 80
		25 |     to_port     = 80
		26 |     protocol    = "tcp"
		27 |     cidr_blocks = ["0.0.0.0/0"]
		28 |   }
		29 | }

Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
	FAILED for resource: aws_lb.chaps_lb
	File: /loadbalancer.tf:31-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers

		31 | resource "aws_lb" "chaps_lb" {
		32 |   name                       = "chaps-load-balancer"
		33 |   load_balancer_type         = "application"
		34 |   security_groups            = [aws_security_group.chaps_lb_sc.id]
		35 |   subnets                    = data.aws_subnets.shared-public.ids
		36 |   enable_deletion_protection = false
		37 |   internal                   = false
		38 |   depends_on                 = [aws_security_group.chaps_lb_sc]
		39 | }

Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
	FAILED for resource: aws_lb.chaps_lb
	File: /loadbalancer.tf:31-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22

		31 | resource "aws_lb" "chaps_lb" {
		32 |   name                       = "chaps-load-balancer"
		33 |   load_balancer_type         = "application"
		34 |   security_groups            = [aws_security_group.chaps_lb_sc.id]
		35 |   subnets                    = data.aws_subnets.shared-public.ids
		36 |   enable_deletion_protection = false
		37 |   internal                   = false
		38 |   depends_on                 = [aws_security_group.chaps_lb_sc]
		39 | }

Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
	FAILED for resource: aws_lb.chaps_lb
	File: /loadbalancer.tf:31-39
	Guide: https://docs.bridgecrew.io/docs/bc_aws_networking_62

		31 | resource "aws_lb" "chaps_lb" {
		32 |   name                       = "chaps-load-balancer"
		33 |   load_balancer_type         = "application"
		34 |   security_groups            = [aws_security_group.chaps_lb_sc.id]
		35 |   subnets                    = data.aws_subnets.shared-public.ids
		36 |   enable_deletion_protection = false
		37 |   internal                   = false
		38 |   depends_on                 = [aws_security_group.chaps_lb_sc]
		39 | }

Check: CKV_AWS_261: "Ensure HTTP HTTPS Target group defines Healthcheck"
	FAILED for resource: aws_lb_target_group.chaps_target_group
	File: /loadbalancer.tf:41-63
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-kendra-index-server-side-encryption-uses-customer-managed-keys-cmks

		41 | resource "aws_lb_target_group" "chaps_target_group" {
		42 |   name                 = "chaps-target-group"
		43 |   port                 = 80
		44 |   protocol             = "HTTP"
		45 |   vpc_id               = data.aws_vpc.shared.id
		46 |   target_type          = "ip"
		47 |   deregistration_delay = 30
		48 | 
		49 |   stickiness {
		50 |     type = "lb_cookie"
		51 |   }
		52 | 
		53 |   health_check {
		54 |     healthy_threshold   = "3"
		55 |     interval            = "30"
		56 |     protocol            = "HTTP"
		57 |     port                = "80"
		58 |     unhealthy_threshold = "5"
		59 |     matcher             = "200-499"
		60 |     timeout             = "10"
		61 |   }
		62 | 
		63 | }

Check: CKV_AWS_2: "Ensure ALB protocol is HTTPS"
	FAILED for resource: aws_lb_listener.listener
	File: /loadbalancer.tf:65-74
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-29

		65 | resource "aws_lb_listener" "listener" {
		66 |   load_balancer_arn = aws_lb.chaps_lb.arn
		67 |   port              = 80
		68 |   protocol          = "HTTP"
		69 | 
		70 |   default_action {
		71 |     target_group_arn = aws_lb_target_group.chaps_target_group.id
		72 |     type             = "forward"
		73 |   }
		74 | }

Check: CKV_AWS_103: "Ensure that load balancer is using at least TLS 1.2"
	FAILED for resource: aws_lb_listener.listener
	File: /loadbalancer.tf:65-74
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-43

		65 | resource "aws_lb_listener" "listener" {
		66 |   load_balancer_arn = aws_lb.chaps_lb.arn
		67 |   port              = 80
		68 |   protocol          = "HTTP"
		69 | 
		70 |   default_action {
		71 |     target_group_arn = aws_lb_target_group.chaps_target_group.id
		72 |     type             = "forward"
		73 |   }
		74 | }

Check: CKV_AWS_103: "Ensure that load balancer is using at least TLS 1.2"
	FAILED for resource: aws_lb_listener.https_listener
	File: /loadbalancer.tf:76-88
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-43

		76 | resource "aws_lb_listener" "https_listener" {
		77 |   depends_on = [aws_acm_certificate_validation.external]
		78 | 
		79 |   load_balancer_arn = aws_lb.chaps_lb.arn
		80 |   port              = "443"
		81 |   protocol          = "HTTPS"
		82 |   certificate_arn   = aws_acm_certificate.external.arn
		83 | 
		84 |   default_action {
		85 |     target_group_arn = aws_lb_target_group.chaps_target_group.id
		86 |     type             = "forward"
		87 |   }
		88 | }

Check: CKV2_AWS_20: "Ensure that ALB redirects HTTP requests into HTTPS ones"
	FAILED for resource: aws_lb.chaps_lb
	File: /loadbalancer.tf:31-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-redirects-http-requests-into-https-ones

		31 | resource "aws_lb" "chaps_lb" {
		32 |   name                       = "chaps-load-balancer"
		33 |   load_balancer_type         = "application"
		34 |   security_groups            = [aws_security_group.chaps_lb_sc.id]
		35 |   subnets                    = data.aws_subnets.shared-public.ids
		36 |   enable_deletion_protection = false
		37 |   internal                   = false
		38 |   depends_on                 = [aws_security_group.chaps_lb_sc]
		39 | }

Check: CKV2_AWS_28: "Ensure public facing ALB are protected by WAF"
	FAILED for resource: aws_lb.chaps_lb
	File: /loadbalancer.tf:31-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-public-facing-alb-are-protected-by-waf

		31 | resource "aws_lb" "chaps_lb" {
		32 |   name                       = "chaps-load-balancer"
		33 |   load_balancer_type         = "application"
		34 |   security_groups            = [aws_security_group.chaps_lb_sc.id]
		35 |   subnets                    = data.aws_subnets.shared-public.ids
		36 |   enable_deletion_protection = false
		37 |   internal                   = false
		38 |   depends_on                 = [aws_security_group.chaps_lb_sc]
		39 | }

Check: CKV2_AWS_40: "Ensure AWS IAM policy does not allow full IAM privileges"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:164-186

		164 | resource "aws_iam_role_policy" "app_task" {
		165 |   name = "task-${var.networking[0].application}"
		166 |   role = aws_iam_role.app_task.id
		167 | 
		168 |   policy = <<-EOF
		169 |   {
		170 |    "Version": "2012-10-17",
		171 |    "Statement": [
		172 |      {
		173 |        "Effect": "Allow",
		174 |         "Action": [
		175 |           "logs:CreateLogStream",
		176 |           "logs:PutLogEvents",
		177 |           "ecr:*",
		178 |           "iam:*",
		179 |           "ec2:*"
		180 |         ],
		181 |        "Resource": "*"
		182 |      }
		183 |    ]
		184 |   }
		185 |   EOF
		186 | }


checkov_exitcode=1

CTFLint Scan Success

*****************************

Setting default tflint config...
Running tflint --init...
Installing `terraform` plugin...
Installed `terraform` (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.2.1)
tflint will check the following folders:
terraform/environments/cdpt-chaps

*****************************

Running tflint in terraform/environments/cdpt-chaps
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

@vertism vertism had a problem deploying to cdpt-chaps-development December 11, 2023 17:19 — with GitHub Actions Failure

TFSEC Scan Failed

*****************************

TFSEC will check the following folders:
terraform/environments/cdpt-chaps

*****************************

Running TFSEC in terraform/environments/cdpt-chaps
Excluding the following checks: AWS095

======================================================
tfsec is joining the Trivy family

tfsec will continue to remain available 
for the time being, although our engineering 
attention will be directed at Trivy going forward.

You can read more here: 
https://github.com/aquasecurity/tfsec/discussions/1994
======================================================

Result #1 CRITICAL Security group rule allows egress to multiple public internet addresses. 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:204
────────────────────────────────────────────────────────────────────────────────
  188    resource "aws_security_group" "ecs_service" {
  ...  
  204  [     cidr_blocks = ["0.0.0.0/0"]
  ...  
  206    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-no-public-egress-sgr
      Impact Your port is egressing data to the internet
  Resolution Set a more restrictive cidr range

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/no-public-egress-sgr/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
────────────────────────────────────────────────────────────────────────────────


Result #2 CRITICAL Security group rule allows ingress from public internet. 
────────────────────────────────────────────────────────────────────────────────
  loadbalancer.tf:11
────────────────────────────────────────────────────────────────────────────────
    1    resource "aws_security_group" "chaps_lb_sc" {
    .  
   11  [     cidr_blocks = ["0.0.0.0/0"]
   ..  
   29    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-no-public-ingress-sgr
      Impact Your port exposed to the internet
  Resolution Set a more restrictive cidr range

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/no-public-ingress-sgr/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule#cidr_blocks
────────────────────────────────────────────────────────────────────────────────


Result #3 CRITICAL Security group rule allows ingress from public internet. 
────────────────────────────────────────────────────────────────────────────────
  loadbalancer.tf:19
────────────────────────────────────────────────────────────────────────────────
    1    resource "aws_security_group" "chaps_lb_sc" {
    .  
   19  [     cidr_blocks = ["0.0.0.0/0"]
   ..  
   29    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-no-public-ingress-sgr
      Impact Your port exposed to the internet
  Resolution Set a more restrictive cidr range

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/no-public-ingress-sgr/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule#cidr_blocks
────────────────────────────────────────────────────────────────────────────────


Result #4 CRITICAL Security group rule allows egress to multiple public internet addresses. 
────────────────────────────────────────────────────────────────────────────────
  loadbalancer.tf:27
────────────────────────────────────────────────────────────────────────────────
    1    resource "aws_security_group" "chaps_lb_sc" {
    .  
   27  [     cidr_blocks = ["0.0.0.0/0"]
   ..  
   29    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-no-public-egress-sgr
      Impact Your port is egressing data to the internet
  Resolution Set a more restrictive cidr range

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/no-public-egress-sgr/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
────────────────────────────────────────────────────────────────────────────────


Result #5 CRITICAL Listener for application load balancer does not use HTTPS. 
────────────────────────────────────────────────────────────────────────────────
  loadbalancer.tf:69
────────────────────────────────────────────────────────────────────────────────
   65    resource "aws_lb_listener" "listener" {
   66      #checkov:skip=CKV_AWS_103
   67      load_balancer_arn = aws_lb.chaps_lb.arn
   68      port              = 80
   69  [   protocol          = "HTTP" ("HTTP")
   70    
   71      default_action {
   72        target_group_arn = aws_lb_target_group.chaps_target_group.id
   73        type             = "forward"
   ..  
────────────────────────────────────────────────────────────────────────────────
          ID aws-elb-http-not-used
      Impact Your traffic is not protected
  Resolution Switch to HTTPS to benefit from TLS security features

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/elb/http-not-used/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_listener
────────────────────────────────────────────────────────────────────────────────


Result #6 HIGH IAM policy document uses wildcarded action 'ecr:*' 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:121-128
────────────────────────────────────────────────────────────────────────────────
  112    resource "aws_iam_role_policy" "app_execution" {
  ...  
  121  ┌            "Action": [
  122  │               "ecr:*",
  123  │               "logs:CreateLogGroup",
  124  │               "logs:CreateLogStream",
  125  │               "logs:PutLogEvents",
  126  │               "logs:DescribeLogStreams",
  127  └               "secretsmanager:GetSecretValue"
  ...  
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #7 HIGH IAM policy document uses sensitive action 'ecr:*' on wildcarded resource '*' 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:129
────────────────────────────────────────────────────────────────────────────────
  112    resource "aws_iam_role_policy" "app_execution" {
  ...  
  129  [            "Resource": "*",
  ...  
  135    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Results #8-10 HIGH IAM policy document uses wildcarded action 'logs:CreateLogStream' (3 similar results)
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:174-180
────────────────────────────────────────────────────────────────────────────────
  164    resource "aws_iam_role_policy" "app_task" {
  ...  
  174  ┌         "Action": [
  175  │           "logs:CreateLogStream",
  176  │           "logs:PutLogEvents",
  177  │           "ecr:*",
  178  │           "iam:*",
  179  │           "ec2:*"
  180  └         ],
  ...  
────────────────────────────────────────────────────────────────────────────────
  Individual Causes
  - ecs.tf:164-186 (aws_iam_role_policy.app_task) 3 instances
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #11 HIGH IAM policy document uses sensitive action 'logs:CreateLogStream' on wildcarded resource '*' 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:181
────────────────────────────────────────────────────────────────────────────────
  164    resource "aws_iam_role_policy" "app_task" {
  ...  
  181  [        "Resource": "*"
  ...  
  186    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


Result #12 HIGH Application load balancer is not set to drop invalid headers. 
────────────────────────────────────────────────────────────────────────────────
  loadbalancer.tf:31-39
────────────────────────────────────────────────────────────────────────────────
   31    resource "aws_lb" "chaps_lb" {
   32      name                       = "chaps-load-balancer"
   33      load_balancer_type         = "application"
   34      security_groups            = [aws_security_group.chaps_lb_sc.id]
   35      subnets                    = data.aws_subnets.shared-public.ids
   36      enable_deletion_protection = false
   37      internal                   = false
   38      depends_on                 = [aws_security_group.chaps_lb_sc]
   39    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-elb-drop-invalid-headers
      Impact Invalid headers being passed through to the target of the load balance may exploit vulnerabilities
  Resolution Set drop_invalid_header_fields to true

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/elb/drop-invalid-headers/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb#drop_invalid_header_fields
────────────────────────────────────────────────────────────────────────────────


Result #13 HIGH Load balancer is exposed publicly. 
────────────────────────────────────────────────────────────────────────────────
  loadbalancer.tf:37
────────────────────────────────────────────────────────────────────────────────
   31    resource "aws_lb" "chaps_lb" {
   32      name                       = "chaps-load-balancer"
   33      load_balancer_type         = "application"
   34      security_groups            = [aws_security_group.chaps_lb_sc.id]
   35      subnets                    = data.aws_subnets.shared-public.ids
   36      enable_deletion_protection = false
   37  [   internal                   = false (false)
   38      depends_on                 = [aws_security_group.chaps_lb_sc]
   39    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-elb-alb-not-public
      Impact The load balancer is exposed on the internet
  Resolution Switch to an internal load balancer or add a tfsec ignore

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/elb/alb-not-public/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb
────────────────────────────────────────────────────────────────────────────────


Result #14 LOW Log group is not encrypted. 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:14-17
────────────────────────────────────────────────────────────────────────────────
   14    resource "aws_cloudwatch_log_group" "deployment_logs" {
   15      name              = "/aws/events/deploymentLogs"
   16      retention_in_days = "7"
   17    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-cloudwatch-log-group-customer-key
      Impact Log data may be leaked if the logs are compromised. No auditing of who have viewed the logs.
  Resolution Enable CMK encryption of CloudWatch Log Groups

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/cloudwatch/log-group-customer-key/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group#kms_key_id
────────────────────────────────────────────────────────────────────────────────


Result #15 LOW Security group explicitly uses the default description. 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:188-206
────────────────────────────────────────────────────────────────────────────────
  188  ┌ resource "aws_security_group" "ecs_service" {
  189  │   name_prefix = "ecs-service-sg-"
  190  │   vpc_id      = data.aws_vpc.shared.id
  191  │ 
  192  │   ingress {
  193  │     from_port       = 80
  194  │     to_port         = 80
  195  │     protocol        = "tcp"
  196  └     description     = "Allow traffic on port 80 from load balancer"
  ...  
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-add-description-to-security-group
      Impact Descriptions provide context for the firewall rule reasons
  Resolution Add descriptions for all security groups

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/add-description-to-security-group/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule
────────────────────────────────────────────────────────────────────────────────


Result #16 LOW Security group rule does not have a description. 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:200-205
────────────────────────────────────────────────────────────────────────────────
  188    resource "aws_security_group" "ecs_service" {
  ...  
  200  ┌   egress {
  201  │     from_port   = 0
  202  │     to_port     = 0
  203  │     protocol    = "-1"
  204  │     cidr_blocks = ["0.0.0.0/0"]
  205  └   }
  206    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-add-description-to-security-group-rule
      Impact Descriptions provide context for the firewall rule reasons
  Resolution Add descriptions for all security groups rules

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/ec2/add-description-to-security-group-rule/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule
────────────────────────────────────────────────────────────────────────────────


Result #17 LOW Log group is not encrypted. 
────────────────────────────────────────────────────────────────────────────────
  ecs.tf:251-254
────────────────────────────────────────────────────────────────────────────────
  251    resource "aws_cloudwatch_log_group" "cloudwatch_group" {
  252      name              = "${local.application_name}-ecs"
  253      retention_in_days = 30
  254    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-cloudwatch-log-group-customer-key
      Impact Log data may be leaked if the logs are compromised. No auditing of who have viewed the logs.
  Resolution Enable CMK encryption of CloudWatch Log Groups

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/cloudwatch/log-group-customer-key/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group#kms_key_id
────────────────────────────────────────────────────────────────────────────────


  timings
  ──────────────────────────────────────────
  disk i/o             507.445µs
  parsing              2.264946326s
  adaptation           1.167509ms
  checks               8.682011ms
  total                2.275303291s

  counts
  ──────────────────────────────────────────
  modules downloaded   2
  modules processed    3
  blocks processed     164
  files read           23

  results
  ──────────────────────────────────────────
  passed               39
  ignored              28
  critical             5
  high                 8
  medium               0
  low                  4

  39 passed, 28 ignored, 17 potential problem(s) detected.

tfsec_exitcode=1

Checkov Scan Failed

*****************************

Checkov will check the following folders:
terraform/environments/cdpt-chaps

*****************************

Running Checkov in terraform/environments/cdpt-chaps
2023-12-11 17:20:19,171 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.0.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 45, Failed checks: 25, Skipped checks: 2

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: bastion_linux
	File: /bastion_linux.tf:5-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		5  | module "bastion_linux" {
		6  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.0.0"
		7  | 
		8  |   providers = {
		9  |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		10 |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		11 |   }
		12 | 
		13 |   # s3 - used for logs and user ssh public keys
		14 |   bucket_name          = "bastion"
		15 |   bucket_versioning    = true
		16 |   bucket_force_destroy = true
		17 |   # public keys
		18 |   public_key_data = local.public_key_data.keys[local.environment]
		19 |   # logs
		20 |   log_auto_clean       = "Enabled"
		21 |   log_standard_ia_days = 30  # days before moving to IA storage
		22 |   log_glacier_days     = 60  # days before moving to Glacier
		23 |   log_expiry_days      = 180 # days before log expiration
		24 |   # bastion
		25 |   allow_ssh_commands = false
		26 | 
		27 |   app_name      = var.networking[0].application
		28 |   business_unit = local.vpc_name
		29 |   subnet_set    = local.subnet_set
		30 |   environment   = local.environment
		31 |   region        = "eu-west-2"
		32 | 
		33 |   extra_user_data_content = "yum install -y openldap-clients"
		34 | 
		35 |   # Tags
		36 |   tags_common = local.tags
		37 |   tags_prefix = terraform.workspace
		38 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.deployment_logs
	File: /ecs.tf:14-17
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		14 | resource "aws_cloudwatch_log_group" "deployment_logs" {
		15 |   name              = "/aws/events/deploymentLogs"
		16 |   retention_in_days = "7"
		17 | }

Check: CKV_AWS_336: "Ensure ECS containers are limited to read-only access to root filesystems"
	FAILED for resource: aws_ecs_task_definition.chaps_task_definition
	File: /ecs.tf:19-57

		19 | resource "aws_ecs_task_definition" "chaps_task_definition" {
		20 |   family                   = "chapsFamily"
		21 |   requires_compatibilities = ["FARGATE"]
		22 |   network_mode             = "awsvpc"
		23 |   execution_role_arn       = aws_iam_role.app_execution.arn
		24 |   task_role_arn            = aws_iam_role.app_task.arn
		25 |   cpu                      = 1024
		26 |   memory                   = 2048
		27 |   container_definitions = jsonencode([
		28 |     {
		29 |       name      = "${local.application_name}-container"
		30 |       image     = "${local.ecr_url}:${local.application_data.accounts[local.environment].docker_image_tag}"
		31 |       cpu       = 1024
		32 |       memory    = 2048
		33 |       essential = true
		34 |       portMappings = [
		35 |         {
		36 |           containerPort = 80
		37 |           protocol      = "tcp"
		38 |           hostPort      = 80
		39 |         }
		40 |       ]
		41 |       logConfiguration = {
		42 |         logDriver = "awslogs",
		43 |         options = {
		44 |           awslogs-group = "${local.application_name}-ecs",
		45 |           awslogs-region = "eu-west-2",
		46 |           awslogs-stream-prefix = local.application_name
		47 |         }
		48 |       }
		49 |       environment = [
		50 |       ]
		51 |     }
		52 |   ])
		53 |   runtime_platform {
		54 |     operating_system_family = "WINDOWS_SERVER_2019_CORE"
		55 |     cpu_architecture        = "X86_64"
		56 |   }
		57 | }

Check: CKV_AWS_333: "Ensure ECS services do not have public IP addresses assigned to them automatically"
	FAILED for resource: aws_ecs_service.ecs_service
	File: /ecs.tf:59-83

		59 | resource "aws_ecs_service" "ecs_service" {
		60 |   depends_on = [
		61 |     aws_lb_listener.listener
		62 |   ]
		63 | 
		64 |   name                              = var.networking[0].application
		65 |   cluster                           = aws_ecs_cluster.ecs_cluster.id
		66 |   task_definition                   = aws_ecs_task_definition.chaps_task_definition.arn
		67 |   launch_type                       = "FARGATE"
		68 |   enable_execute_command            = true
		69 |   desired_count                     = 2
		70 |   health_check_grace_period_seconds = 180
		71 | 
		72 |   network_configuration {
		73 |     subnets          = data.aws_subnets.shared-public.ids
		74 |     security_groups  = [aws_security_group.ecs_service.id]
		75 |     assign_public_ip = true
		76 |   }
		77 | 
		78 |   load_balancer {
		79 |     target_group_arn = aws_lb_target_group.chaps_target_group.arn
		80 |     container_name   = "${local.application_name}-container"
		81 |     container_port   = 80
		82 |   }
		83 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:112-135

		112 | resource "aws_iam_role_policy" "app_execution" {
		113 |   name = "execution-${var.networking[0].application}"
		114 |   role = aws_iam_role.app_execution.id
		115 | 
		116 |   policy = <<-EOF
		117 |   {
		118 |     "Version": "2012-10-17",
		119 |     "Statement": [
		120 |       {
		121 |            "Action": [
		122 |               "ecr:*",
		123 |               "logs:CreateLogGroup",
		124 |               "logs:CreateLogStream",
		125 |               "logs:PutLogEvents",
		126 |               "logs:DescribeLogStreams",
		127 |               "secretsmanager:GetSecretValue"
		128 |            ],
		129 |            "Resource": "*",
		130 |            "Effect": "Allow"
		131 |       }
		132 |     ]
		133 |   }
		134 |   EOF
		135 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:112-135

		112 | resource "aws_iam_role_policy" "app_execution" {
		113 |   name = "execution-${var.networking[0].application}"
		114 |   role = aws_iam_role.app_execution.id
		115 | 
		116 |   policy = <<-EOF
		117 |   {
		118 |     "Version": "2012-10-17",
		119 |     "Statement": [
		120 |       {
		121 |            "Action": [
		122 |               "ecr:*",
		123 |               "logs:CreateLogGroup",
		124 |               "logs:CreateLogStream",
		125 |               "logs:PutLogEvents",
		126 |               "logs:DescribeLogStreams",
		127 |               "secretsmanager:GetSecretValue"
		128 |            ],
		129 |            "Resource": "*",
		130 |            "Effect": "Allow"
		131 |       }
		132 |     ]
		133 |   }
		134 |   EOF
		135 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:112-135

		112 | resource "aws_iam_role_policy" "app_execution" {
		113 |   name = "execution-${var.networking[0].application}"
		114 |   role = aws_iam_role.app_execution.id
		115 | 
		116 |   policy = <<-EOF
		117 |   {
		118 |     "Version": "2012-10-17",
		119 |     "Statement": [
		120 |       {
		121 |            "Action": [
		122 |               "ecr:*",
		123 |               "logs:CreateLogGroup",
		124 |               "logs:CreateLogStream",
		125 |               "logs:PutLogEvents",
		126 |               "logs:DescribeLogStreams",
		127 |               "secretsmanager:GetSecretValue"
		128 |            ],
		129 |            "Resource": "*",
		130 |            "Effect": "Allow"
		131 |       }
		132 |     ]
		133 |   }
		134 |   EOF
		135 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:112-135

		112 | resource "aws_iam_role_policy" "app_execution" {
		113 |   name = "execution-${var.networking[0].application}"
		114 |   role = aws_iam_role.app_execution.id
		115 | 
		116 |   policy = <<-EOF
		117 |   {
		118 |     "Version": "2012-10-17",
		119 |     "Statement": [
		120 |       {
		121 |            "Action": [
		122 |               "ecr:*",
		123 |               "logs:CreateLogGroup",
		124 |               "logs:CreateLogStream",
		125 |               "logs:PutLogEvents",
		126 |               "logs:DescribeLogStreams",
		127 |               "secretsmanager:GetSecretValue"
		128 |            ],
		129 |            "Resource": "*",
		130 |            "Effect": "Allow"
		131 |       }
		132 |     ]
		133 |   }
		134 |   EOF
		135 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:164-186

		164 | resource "aws_iam_role_policy" "app_task" {
		165 |   name = "task-${var.networking[0].application}"
		166 |   role = aws_iam_role.app_task.id
		167 | 
		168 |   policy = <<-EOF
		169 |   {
		170 |    "Version": "2012-10-17",
		171 |    "Statement": [
		172 |      {
		173 |        "Effect": "Allow",
		174 |         "Action": [
		175 |           "logs:CreateLogStream",
		176 |           "logs:PutLogEvents",
		177 |           "ecr:*",
		178 |           "iam:*",
		179 |           "ec2:*"
		180 |         ],
		181 |        "Resource": "*"
		182 |      }
		183 |    ]
		184 |   }
		185 |   EOF
		186 | }

Check: CKV_AWS_287: "Ensure IAM policies does not allow credentials exposure"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:164-186

		164 | resource "aws_iam_role_policy" "app_task" {
		165 |   name = "task-${var.networking[0].application}"
		166 |   role = aws_iam_role.app_task.id
		167 | 
		168 |   policy = <<-EOF
		169 |   {
		170 |    "Version": "2012-10-17",
		171 |    "Statement": [
		172 |      {
		173 |        "Effect": "Allow",
		174 |         "Action": [
		175 |           "logs:CreateLogStream",
		176 |           "logs:PutLogEvents",
		177 |           "ecr:*",
		178 |           "iam:*",
		179 |           "ec2:*"
		180 |         ],
		181 |        "Resource": "*"
		182 |      }
		183 |    ]
		184 |   }
		185 |   EOF
		186 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:164-186

		164 | resource "aws_iam_role_policy" "app_task" {
		165 |   name = "task-${var.networking[0].application}"
		166 |   role = aws_iam_role.app_task.id
		167 | 
		168 |   policy = <<-EOF
		169 |   {
		170 |    "Version": "2012-10-17",
		171 |    "Statement": [
		172 |      {
		173 |        "Effect": "Allow",
		174 |         "Action": [
		175 |           "logs:CreateLogStream",
		176 |           "logs:PutLogEvents",
		177 |           "ecr:*",
		178 |           "iam:*",
		179 |           "ec2:*"
		180 |         ],
		181 |        "Resource": "*"
		182 |      }
		183 |    ]
		184 |   }
		185 |   EOF
		186 | }

Check: CKV_AWS_286: "Ensure IAM policies does not allow privilege escalation"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:164-186

		164 | resource "aws_iam_role_policy" "app_task" {
		165 |   name = "task-${var.networking[0].application}"
		166 |   role = aws_iam_role.app_task.id
		167 | 
		168 |   policy = <<-EOF
		169 |   {
		170 |    "Version": "2012-10-17",
		171 |    "Statement": [
		172 |      {
		173 |        "Effect": "Allow",
		174 |         "Action": [
		175 |           "logs:CreateLogStream",
		176 |           "logs:PutLogEvents",
		177 |           "ecr:*",
		178 |           "iam:*",
		179 |           "ec2:*"
		180 |         ],
		181 |        "Resource": "*"
		182 |      }
		183 |    ]
		184 |   }
		185 |   EOF
		186 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:164-186

		164 | resource "aws_iam_role_policy" "app_task" {
		165 |   name = "task-${var.networking[0].application}"
		166 |   role = aws_iam_role.app_task.id
		167 | 
		168 |   policy = <<-EOF
		169 |   {
		170 |    "Version": "2012-10-17",
		171 |    "Statement": [
		172 |      {
		173 |        "Effect": "Allow",
		174 |         "Action": [
		175 |           "logs:CreateLogStream",
		176 |           "logs:PutLogEvents",
		177 |           "ecr:*",
		178 |           "iam:*",
		179 |           "ec2:*"
		180 |         ],
		181 |        "Resource": "*"
		182 |      }
		183 |    ]
		184 |   }
		185 |   EOF
		186 | }

Check: CKV_AWS_23: "Ensure every security groups rule has a description"
	FAILED for resource: aws_security_group.ecs_service
	File: /ecs.tf:188-206
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		188 | resource "aws_security_group" "ecs_service" {
		189 |   name_prefix = "ecs-service-sg-"
		190 |   vpc_id      = data.aws_vpc.shared.id
		191 | 
		192 |   ingress {
		193 |     from_port       = 80
		194 |     to_port         = 80
		195 |     protocol        = "tcp"
		196 |     description     = "Allow traffic on port 80 from load balancer"
		197 |     security_groups = [aws_security_group.chaps_lb_sc.id]
		198 |   }
		199 | 
		200 |   egress {
		201 |     from_port   = 0
		202 |     to_port     = 0
		203 |     protocol    = "-1"
		204 |     cidr_blocks = ["0.0.0.0/0"]
		205 |   }
		206 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.cloudwatch_group
	File: /ecs.tf:251-254

		251 | resource "aws_cloudwatch_log_group" "cloudwatch_group" {
		252 |   name              = "${local.application_name}-ecs"
		253 |   retention_in_days = 30
		254 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.cloudwatch_group
	File: /ecs.tf:251-254
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		251 | resource "aws_cloudwatch_log_group" "cloudwatch_group" {
		252 |   name              = "${local.application_name}-ecs"
		253 |   retention_in_days = 30
		254 | }

Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
	FAILED for resource: aws_security_group.chaps_lb_sc
	File: /loadbalancer.tf:1-29
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80

		1  | resource "aws_security_group" "chaps_lb_sc" {
		2  |   name        = "load balancer security group"
		3  |   description = "control access to the load balancer"
		4  |   vpc_id      = data.aws_vpc.shared.id
		5  | 
		6  |   ingress {
		7  |     description = "allow access on HTTP"
		8  |     from_port   = 80
		9  |     to_port     = 80
		10 |     protocol    = "tcp"
		11 |     cidr_blocks = ["0.0.0.0/0"]
		12 |   }
		13 | 
		14 |   ingress {
		15 |     description = "allow access on HTTPS"
		16 |     from_port   = 443
		17 |     to_port     = 443
		18 |     protocol    = "tcp"
		19 |     cidr_blocks = ["0.0.0.0/0"]
		20 |   }
		21 | 
		22 |   egress {
		23 |     description = "allow all outbound traffic for port 80"
		24 |     from_port   = 80
		25 |     to_port     = 80
		26 |     protocol    = "tcp"
		27 |     cidr_blocks = ["0.0.0.0/0"]
		28 |   }
		29 | }

Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
	FAILED for resource: aws_lb.chaps_lb
	File: /loadbalancer.tf:31-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers

		31 | resource "aws_lb" "chaps_lb" {
		32 |   name                       = "chaps-load-balancer"
		33 |   load_balancer_type         = "application"
		34 |   security_groups            = [aws_security_group.chaps_lb_sc.id]
		35 |   subnets                    = data.aws_subnets.shared-public.ids
		36 |   enable_deletion_protection = false
		37 |   internal                   = false
		38 |   depends_on                 = [aws_security_group.chaps_lb_sc]
		39 | }

Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
	FAILED for resource: aws_lb.chaps_lb
	File: /loadbalancer.tf:31-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22

		31 | resource "aws_lb" "chaps_lb" {
		32 |   name                       = "chaps-load-balancer"
		33 |   load_balancer_type         = "application"
		34 |   security_groups            = [aws_security_group.chaps_lb_sc.id]
		35 |   subnets                    = data.aws_subnets.shared-public.ids
		36 |   enable_deletion_protection = false
		37 |   internal                   = false
		38 |   depends_on                 = [aws_security_group.chaps_lb_sc]
		39 | }

Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
	FAILED for resource: aws_lb.chaps_lb
	File: /loadbalancer.tf:31-39
	Guide: https://docs.bridgecrew.io/docs/bc_aws_networking_62

		31 | resource "aws_lb" "chaps_lb" {
		32 |   name                       = "chaps-load-balancer"
		33 |   load_balancer_type         = "application"
		34 |   security_groups            = [aws_security_group.chaps_lb_sc.id]
		35 |   subnets                    = data.aws_subnets.shared-public.ids
		36 |   enable_deletion_protection = false
		37 |   internal                   = false
		38 |   depends_on                 = [aws_security_group.chaps_lb_sc]
		39 | }

Check: CKV_AWS_261: "Ensure HTTP HTTPS Target group defines Healthcheck"
	FAILED for resource: aws_lb_target_group.chaps_target_group
	File: /loadbalancer.tf:41-63
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-kendra-index-server-side-encryption-uses-customer-managed-keys-cmks

		41 | resource "aws_lb_target_group" "chaps_target_group" {
		42 |   name                 = "chaps-target-group"
		43 |   port                 = 80
		44 |   protocol             = "HTTP"
		45 |   vpc_id               = data.aws_vpc.shared.id
		46 |   target_type          = "ip"
		47 |   deregistration_delay = 30
		48 | 
		49 |   stickiness {
		50 |     type = "lb_cookie"
		51 |   }
		52 | 
		53 |   health_check {
		54 |     healthy_threshold   = "3"
		55 |     interval            = "30"
		56 |     protocol            = "HTTP"
		57 |     port                = "80"
		58 |     unhealthy_threshold = "5"
		59 |     matcher             = "200-499"
		60 |     timeout             = "10"
		61 |   }
		62 | 
		63 | }

Check: CKV_AWS_2: "Ensure ALB protocol is HTTPS"
	FAILED for resource: aws_lb_listener.listener
	File: /loadbalancer.tf:65-75
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-29

		65 | resource "aws_lb_listener" "listener" {
		66 |   #checkov:skip=CKV_AWS_103
		67 |   load_balancer_arn = aws_lb.chaps_lb.arn
		68 |   port              = 80
		69 |   protocol          = "HTTP"
		70 | 
		71 |   default_action {
		72 |     target_group_arn = aws_lb_target_group.chaps_target_group.id
		73 |     type             = "forward"
		74 |   }
		75 | }

Check: CKV2_AWS_20: "Ensure that ALB redirects HTTP requests into HTTPS ones"
	FAILED for resource: aws_lb.chaps_lb
	File: /loadbalancer.tf:31-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-redirects-http-requests-into-https-ones

		31 | resource "aws_lb" "chaps_lb" {
		32 |   name                       = "chaps-load-balancer"
		33 |   load_balancer_type         = "application"
		34 |   security_groups            = [aws_security_group.chaps_lb_sc.id]
		35 |   subnets                    = data.aws_subnets.shared-public.ids
		36 |   enable_deletion_protection = false
		37 |   internal                   = false
		38 |   depends_on                 = [aws_security_group.chaps_lb_sc]
		39 | }

Check: CKV2_AWS_28: "Ensure public facing ALB are protected by WAF"
	FAILED for resource: aws_lb.chaps_lb
	File: /loadbalancer.tf:31-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-public-facing-alb-are-protected-by-waf

		31 | resource "aws_lb" "chaps_lb" {
		32 |   name                       = "chaps-load-balancer"
		33 |   load_balancer_type         = "application"
		34 |   security_groups            = [aws_security_group.chaps_lb_sc.id]
		35 |   subnets                    = data.aws_subnets.shared-public.ids
		36 |   enable_deletion_protection = false
		37 |   internal                   = false
		38 |   depends_on                 = [aws_security_group.chaps_lb_sc]
		39 | }

Check: CKV2_AWS_40: "Ensure AWS IAM policy does not allow full IAM privileges"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:164-186

		164 | resource "aws_iam_role_policy" "app_task" {
		165 |   name = "task-${var.networking[0].application}"
		166 |   role = aws_iam_role.app_task.id
		167 | 
		168 |   policy = <<-EOF
		169 |   {
		170 |    "Version": "2012-10-17",
		171 |    "Statement": [
		172 |      {
		173 |        "Effect": "Allow",
		174 |         "Action": [
		175 |           "logs:CreateLogStream",
		176 |           "logs:PutLogEvents",
		177 |           "ecr:*",
		178 |           "iam:*",
		179 |           "ec2:*"
		180 |         ],
		181 |        "Resource": "*"
		182 |      }
		183 |    ]
		184 |   }
		185 |   EOF
		186 | }


checkov_exitcode=1

CTFLint Scan Success

*****************************

Setting default tflint config...
Running tflint --init...
Installing `terraform` plugin...
Installed `terraform` (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.2.1)
tflint will check the following folders:
terraform/environments/cdpt-chaps

*****************************

Running tflint in terraform/environments/cdpt-chaps
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

@vertism vertism marked this pull request as ready for review December 12, 2023 11:11
@vertism vertism requested review from a team as code owners December 12, 2023 11:11
@vertism vertism merged commit 39510bf into main Dec 12, 2023
12 of 14 checks passed
@vertism vertism deleted the chaps-https branch December 12, 2023 11:26