Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Chaps - restore preproduction certificate config #4717

Merged
merged 4 commits into from
Jan 29, 2024
Merged

Chaps - restore preproduction certificate config #4717

merged 4 commits into from
Jan 29, 2024

Conversation

vertism
Copy link
Contributor

@vertism vertism commented Jan 29, 2024
edited
Loading

No description provided.

@vertism vertism requested review from a team as code owners January 29, 2024 11:07
@github-actions github-actions bot added the environments-repository Used to exclude PRs from this repo in our Slack PR update label Jan 29, 2024
@github-actions GitHub Actions
Copy link
Contributor

TFSEC Scan Failed

Show Output ```hcl

TFSEC will check the following folders:
terraform/environments/data-platform-apps-and-tools

Running TFSEC in terraform/environments/data-platform-apps-and-tools
Excluding the following checks: AWS095

======================================================
tfsec is joining the Trivy family

tfsec will continue to remain available
for the time being, although our engineering
attention will be directed at Trivy going forward.

You can read more here:
aquasecurity/tfsec#1994

Result #1 CRITICAL Security group rule allows egress to multiple public internet addresses.
────────────────────────────────────────────────────────────────────────────────
powerbi-gateway-security-group.tf:12
────────────────────────────────────────────────────────────────────────────────
2 resource "aws_security_group" "powerbi_gateway" {
.
12 [ cidr_blocks = ["0.0.0.0/0"]
..
30 }
────────────────────────────────────────────────────────────────────────────────
ID aws-ec2-no-public-egress-sgr
Impact Your port is egressing data to the internet
Resolution Set a more restrictive cidr range

More Information

Result #2 CRITICAL Security group rule allows egress to multiple public internet addresses.
────────────────────────────────────────────────────────────────────────────────
powerbi-gateway-security-group.tf:19
────────────────────────────────────────────────────────────────────────────────
2 resource "aws_security_group" "powerbi_gateway" {
.
19 [ cidr_blocks = ["0.0.0.0/0"]
..
30 }
────────────────────────────────────────────────────────────────────────────────
ID aws-ec2-no-public-egress-sgr
Impact Your port is egressing data to the internet
Resolution Set a more restrictive cidr range

More Information

Result #3 CRITICAL Security group rule allows egress to multiple public internet addresses.
────────────────────────────────────────────────────────────────────────────────
powerbi-gateway-security-group.tf:26
────────────────────────────────────────────────────────────────────────────────
2 resource "aws_security_group" "powerbi_gateway" {
.
26 [ cidr_blocks = ["0.0.0.0/0"]
..
30 }
────────────────────────────────────────────────────────────────────────────────
ID aws-ec2-no-public-egress-sgr
Impact Your port is egressing data to the internet
Resolution Set a more restrictive cidr range

More Information

Result #4 HIGH Instance does not require IMDS access to require a token
────────────────────────────────────────────────────────────────────────────────
git::https:/github.com/terraform-aws-modules/terraform-aws-ec2-instance?ref=f3c6436589eba5c0bcac1cf1a81403ed4f3fcaf8/main.tf:125
via powerbi-gateway-server.tf:14-59 (module.powerbi_gateway)
────────────────────────────────────────────────────────────────────────────────
21 resource "aws_instance" "this" {
..
125 [ http_tokens = try(metadata_options.value.http_tokens, "optional") ("optional")
...
193 }
────────────────────────────────────────────────────────────────────────────────
ID aws-ec2-enforce-http-token-imds
Impact Instance metadata service can be interacted with freely
Resolution Enable HTTP token requirement for IMDS

More Information

Result #5 MEDIUM Instance does not have IAM Authentication enabled
────────────────────────────────────────────────────────────────────────────────
../../../../../git::https:/github.com/terraform-aws-modules/terraform-aws-rds?ref=ec9c2e37ccca2a41aeb89ba78f858270a9ac9381/modules/db_instance/main.tf:50
────────────────────────────────────────────────────────────────────────────────
Failed to render code: failed to read file from result filesystem ("/tmp/.aqua/cache/1b3efecb3344a208e0ae01a1156bf6c3"): open /tmp/.aqua/cache/1b3efecb3344a208e0ae01a1156bf6c3/git::https:/github.com/terraform-aws-modules/terraform-aws-rds?ref=ec9c2e37ccca2a41aeb89ba78f858270a9ac9381/modules/db_instance/main.tf: no such file or directory────────────────────────────────────────────────────────────────────────────────
Rego Package builtin.aws.rds.aws0176
Rego Rule deny
────────────────────────────────────────────────────────────────────────────────

Result #6 MEDIUM Instance does not have IAM Authentication enabled
────────────────────────────────────────────────────────────────────────────────
../../../../../terraform-aws-modules/rds/aws/modules/db_instance/main.tf:50
────────────────────────────────────────────────────────────────────────────────
Failed to render code: failed to read file from result filesystem ("/tmp/.aqua/cache/1b3efecb3344a208e0ae01a1156bf6c3"): open /tmp/.aqua/cache/1b3efecb3344a208e0ae01a1156bf6c3/terraform-aws-modules/rds/aws/modules/db_instance/main.tf: no such file or directory────────────────────────────────────────────────────────────────────────────────
Rego Package builtin.aws.rds.aws0176
Rego Rule deny
────────────────────────────────────────────────────────────────────────────────

Result #7 LOW Security group rule does not have a description.
────────────────────────────────────────────────────────────────────────────────
powerbi-gateway-security-group.tf:15-20
────────────────────────────────────────────────────────────────────────────────
2 resource "aws_security_group" "powerbi_gateway" {
.
15 ┌ egress {
16 │ from_port = 5671
17 │ to_port = 5672
18 │ protocol = "tcp"
19 │ cidr_blocks = ["0.0.0.0/0"]
20 └ }
..
30 }
────────────────────────────────────────────────────────────────────────────────
ID aws-ec2-add-description-to-security-group-rule
Impact Descriptions provide context for the firewall rule reasons
Resolution Add descriptions for all security groups rules

More Information

Result #8 LOW Security group rule does not have a description.
────────────────────────────────────────────────────────────────────────────────
powerbi-gateway-security-group.tf:22-27
────────────────────────────────────────────────────────────────────────────────
2 resource "aws_security_group" "powerbi_gateway" {
.
22 ┌ egress {
23 │ from_port = 9352
24 │ to_port = 9354
25 │ protocol = "tcp"
26 │ cidr_blocks = ["0.0.0.0/0"]
27 └ }
..
30 }
────────────────────────────────────────────────────────────────────────────────
ID aws-ec2-add-description-to-security-group-rule
Impact Descriptions provide context for the firewall rule reasons
Resolution Add descriptions for all security groups rules

More Information

Result #9 LOW Security group rule does not have a description.
────────────────────────────────────────────────────────────────────────────────
powerbi-gateway-security-group.tf:8-13
────────────────────────────────────────────────────────────────────────────────
2 resource "aws_security_group" "powerbi_gateway" {
.
8 ┌ egress {
9 │ from_port = 443
10 │ to_port = 443
11 │ protocol = "tcp"
12 │ cidr_blocks = ["0.0.0.0/0"]
13 └ }
..
30 }
────────────────────────────────────────────────────────────────────────────────
ID aws-ec2-add-description-to-security-group-rule
Impact Descriptions provide context for the firewall rule reasons
Resolution Add descriptions for all security groups rules

More Information

timings
──────────────────────────────────────────
disk i/o 7.684597ms
parsing 11.919457953s
adaptation 37.259873ms
checks 41.219931ms
total 12.005622354s

counts
──────────────────────────────────────────
modules downloaded 32
modules processed 58
blocks processed 4123
files read 300

results
──────────────────────────────────────────
passed 113
ignored 24
critical 3
high 1
medium 2
low 3

113 passed, 24 ignored, 9 potential problem(s) detected.

tfsec_exitcode=1

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/data-platform-apps-and-tools

*****************************

Running Checkov in terraform/environments/data-platform-apps-and-tools
2024-01-29 11:10:06,127 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/kms/aws:~> 2.0 (for external modules, the --download-external-modules flag is required)
2024-01-29 11:10:06,127 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-assumable-role:~> 5.0 (for external modules, the --download-external-modules flag is required)
2024-01-29 11:10:06,128 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-user:~> 5 (for external modules, the --download-external-modules flag is required)
2024-01-29 11:10:06,128 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/lambda/aws:~> 6.0 (for external modules, the --download-external-modules flag is required)
2024-01-29 11:10:06,128 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/rds/aws:~> 6.0 (for external modules, the --download-external-modules flag is required)
2024-01-29 11:10:06,128 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks:~> 5.0 (for external modules, the --download-external-modules flag is required)
2024-01-29 11:10:06,128 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/vpc/aws:~> 5.0 (for external modules, the --download-external-modules flag is required)
2024-01-29 11:10:06,128 [MainThread  ] [WARNI]  Failed to download module ministryofjustice/observability-platform-tenant/aws:1.0.0 (for external modules, the --download-external-modules flag is required)
2024-01-29 11:10:06,129 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-policy:~> 5.0 (for external modules, the --download-external-modules flag is required)
2024-01-29 11:10:06,129 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/vpc/aws//modules/vpc-endpoints:~> 5.0 (for external modules, the --download-external-modules flag is required)
2024-01-29 11:10:06,129 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/eks/aws:19.21.0 (for external modules, the --download-external-modules flag is required)
2024-01-29 11:10:06,129 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/ec2-instance/aws:None (for external modules, the --download-external-modules flag is required)
2024-01-29 11:10:06,129 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/efs/aws:~> 1.0 (for external modules, the --download-external-modules flag is required)
2024-01-29 11:10:06,129 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0:None (for external modules, the --download-external-modules flag is required)
2024-01-29 11:10:06,130 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0:None (for external modules, the --download-external-modules flag is required)
2024-01-29 11:10:06,130 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/security-group/aws:~> 5.0 (for external modules, the --download-external-modules flag is required)
2024-01-29 11:10:06,130 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/cloudwatch/aws//modules/log-group:~> 5.0 (for external modules, the --download-external-modules flag is required)
2024-01-29 11:10:06,130 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/kms/aws:2.1.0 (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 146, Failed checks: 22, Skipped checks: 44

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.powerbi_gateway_reg_credentials
	File: /powerbi-gateway-secret.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		1 | resource "aws_secretsmanager_secret" "powerbi_gateway_reg_credentials" {
		2 |   name = "${local.environment_configuration.powerbi_gateway_ec2.instance_name}-credentials"
		3 | }

Check: CKV_AWS_23: "Ensure every security groups rule has a description"
	FAILED for resource: aws_security_group.powerbi_gateway
	File: /powerbi-gateway-security-group.tf:2-30
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		2  | resource "aws_security_group" "powerbi_gateway" {
		3  |   name        = local.environment_configuration.powerbi_gateway_ec2.instance_name
		4  |   description = local.environment_configuration.powerbi_gateway_ec2.instance_name
		5  |   vpc_id      = data.aws_vpc.shared.id
		6  | 
		7  |   # https://learn.microsoft.com/en-us/data-integration/gateway/service-gateway-communication#ports
		8  |   egress {
		9  |     from_port   = 443
		10 |     to_port     = 443
		11 |     protocol    = "tcp"
		12 |     cidr_blocks = ["0.0.0.0/0"]
		13 |   }
		14 | 
		15 |   egress {
		16 |     from_port   = 5671
		17 |     to_port     = 5672
		18 |     protocol    = "tcp"
		19 |     cidr_blocks = ["0.0.0.0/0"]
		20 |   }
		21 | 
		22 |   egress {
		23 |     from_port   = 9352
		24 |     to_port     = 9354
		25 |     protocol    = "tcp"
		26 |     cidr_blocks = ["0.0.0.0/0"]
		27 |   }
		28 | 
		29 |   tags = local.tags
		30 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: powerbi_gateway
	File: /powerbi-gateway-server.tf:14-59
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		14 | module "powerbi_gateway" {
		15 |   source  = "terraform-aws-modules/ec2-instance/aws"
		16 |   version = "v5.6.0"
		17 | 
		18 |   name = local.environment_configuration.powerbi_gateway_ec2.instance_name
		19 |   # ami                         = data.aws_ami.windows_server_2022.id
		20 |   ami                         = "ami-00ffeb610527f540b" # Hardcoded AMI ID for Windows Server 2022
		21 |   instance_type               = local.environment_configuration.powerbi_gateway_ec2.instance_type
		22 |   key_name                    = aws_key_pair.powerbi_gateway_keypair.key_name
		23 |   monitoring                  = true
		24 |   create_iam_instance_profile = true
		25 |   iam_role_description        = "IAM role for PowerBI Gateway Instance"
		26 |   ignore_ami_changes          = false
		27 |   enable_volume_tags          = false
		28 |   associate_public_ip_address = false
		29 |   iam_role_policies = {
		30 |     SSMCore            = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
		31 |     PowerBI_DataAccess = aws_iam_policy.powerbi_gateway_data_access.arn
		32 |   }
		33 |   root_block_device = [
		34 |     {
		35 |       encrypted   = true
		36 |       volume_type = "gp3"
		37 |       volume_size = 100
		38 |       tags = merge({
		39 |         Name = "${local.environment_configuration.powerbi_gateway_ec2.instance_name}-root-volume"
		40 |       }, local.tags)
		41 |     },
		42 |   ]
		43 | 
		44 |   ebs_block_device = [
		45 |     {
		46 |       volume_type = "gp3"
		47 |       device_name = "/dev/sdf"
		48 |       volume_size = 300
		49 |       encrypted   = true
		50 |       tags = merge({
		51 |         Name = "${local.environment_configuration.powerbi_gateway_ec2.instance_name}-data-volume"
		52 |       }, local.tags)
		53 |     }
		54 |   ]
		55 |   vpc_security_group_ids = [aws_security_group.powerbi_gateway.id]
		56 |   subnet_id              = data.aws_subnet.private_subnets_a.id
		57 | 
		58 |   tags = local.tags
		59 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: airflow_s3_bucket
	File: /s3.tf:5-15
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		5  | module "airflow_s3_bucket" {
		6  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0"
		7  | 
		8  |   providers = {
		9  |     aws.bucket-replication = aws
		10 |   }
		11 | 
		12 |   bucket_prefix = "moj-data-platform-airflow-${local.environment}"
		13 | 
		14 |   tags = local.tags
		15 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.openmetadata_entra_id_client_id
	File: /secrets.tf:7-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		7  | resource "aws_secretsmanager_secret" "openmetadata_entra_id_client_id" {
		8  |   count = terraform.workspace == "data-platform-apps-and-tools-production" ? 1 : 0
		9  | 
		10 |   name = "openmetadata/entra-id/client-id"
		11 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.openmetadata_entra_id_tenant_id
	File: /secrets.tf:13-17
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		13 | resource "aws_secretsmanager_secret" "openmetadata_entra_id_tenant_id" {
		14 |   count = terraform.workspace == "data-platform-apps-and-tools-production" ? 1 : 0
		15 | 
		16 |   name = "openmetadata/entra-id/tenant-id"
		17 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.github_app_arc_app_id
	File: /secrets.tf:19-23
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		19 | resource "aws_secretsmanager_secret" "github_app_arc_app_id" {
		20 |   count = terraform.workspace == "data-platform-apps-and-tools-production" ? 1 : 0
		21 | 
		22 |   name = "github/arc/app-id"
		23 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.github_app_arc_install_id
	File: /secrets.tf:25-29
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		25 | resource "aws_secretsmanager_secret" "github_app_arc_install_id" {
		26 |   count = terraform.workspace == "data-platform-apps-and-tools-production" ? 1 : 0
		27 | 
		28 |   name = "github/arc/install-id"
		29 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.github_app_arc_private_key
	File: /secrets.tf:31-35
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		31 | resource "aws_secretsmanager_secret" "github_app_arc_private_key" {
		32 |   count = terraform.workspace == "data-platform-apps-and-tools-production" ? 1 : 0
		33 | 
		34 |   name = "github/arc/private-key"
		35 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.govuk_notify_api_key
	File: /secrets.tf:38-42
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		38 | resource "aws_secretsmanager_secret" "govuk_notify_api_key" {
		39 |   count = terraform.workspace == "data-platform-apps-and-tools-production" ? 1 : 0
		40 | 
		41 |   name = "gov-uk-notify/production/api-key"
		42 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.jml_email
	File: /secrets.tf:45-49
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		45 | resource "aws_secretsmanager_secret" "jml_email" {
		46 |   count = terraform.workspace == "data-platform-apps-and-tools-production" ? 1 : 0
		47 | 
		48 |   name = "jml/email"
		49 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.powerbi_gateway
	File: /powerbi-gateway-security-group.tf:2-30
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		2  | resource "aws_security_group" "powerbi_gateway" {
		3  |   name        = local.environment_configuration.powerbi_gateway_ec2.instance_name
		4  |   description = local.environment_configuration.powerbi_gateway_ec2.instance_name
		5  |   vpc_id      = data.aws_vpc.shared.id
		6  | 
		7  |   # https://learn.microsoft.com/en-us/data-integration/gateway/service-gateway-communication#ports
		8  |   egress {
		9  |     from_port   = 443
		10 |     to_port     = 443
		11 |     protocol    = "tcp"
		12 |     cidr_blocks = ["0.0.0.0/0"]
		13 |   }
		14 | 
		15 |   egress {
		16 |     from_port   = 5671
		17 |     to_port     = 5672
		18 |     protocol    = "tcp"
		19 |     cidr_blocks = ["0.0.0.0/0"]
		20 |   }
		21 | 
		22 |   egress {
		23 |     from_port   = 9352
		24 |     to_port     = 9354
		25 |     protocol    = "tcp"
		26 |     cidr_blocks = ["0.0.0.0/0"]
		27 |   }
		28 | 
		29 |   tags = local.tags
		30 | }

Check: CKV2_AWS_39: "Ensure Domain Name System (DNS) query logging is enabled for Amazon Route 53 hosted zones"
	FAILED for resource: aws_route53_zone.apps_tools
	File: /route53.tf:1-3

		1 | resource "aws_route53_zone" "apps_tools" {
		2 |   name = local.environment_configuration.route53_zone
		3 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.powerbi_gateway_reg_credentials
	File: /powerbi-gateway-secret.tf:1-3

		1 | resource "aws_secretsmanager_secret" "powerbi_gateway_reg_credentials" {
		2 |   name = "${local.environment_configuration.powerbi_gateway_ec2.instance_name}-credentials"
		3 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.openmetadata_entra_id_client_id
	File: /secrets.tf:7-11

		7  | resource "aws_secretsmanager_secret" "openmetadata_entra_id_client_id" {
		8  |   count = terraform.workspace == "data-platform-apps-and-tools-production" ? 1 : 0
		9  | 
		10 |   name = "openmetadata/entra-id/client-id"
		11 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.openmetadata_entra_id_tenant_id
	File: /secrets.tf:13-17

		13 | resource "aws_secretsmanager_secret" "openmetadata_entra_id_tenant_id" {
		14 |   count = terraform.workspace == "data-platform-apps-and-tools-production" ? 1 : 0
		15 | 
		16 |   name = "openmetadata/entra-id/tenant-id"
		17 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.github_app_arc_app_id
	File: /secrets.tf:19-23

		19 | resource "aws_secretsmanager_secret" "github_app_arc_app_id" {
		20 |   count = terraform.workspace == "data-platform-apps-and-tools-production" ? 1 : 0
		21 | 
		22 |   name = "github/arc/app-id"
		23 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.github_app_arc_install_id
	File: /secrets.tf:25-29

		25 | resource "aws_secretsmanager_secret" "github_app_arc_install_id" {
		26 |   count = terraform.workspace == "data-platform-apps-and-tools-production" ? 1 : 0
		27 | 
		28 |   name = "github/arc/install-id"
		29 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.github_app_arc_private_key
	File: /secrets.tf:31-35

		31 | resource "aws_secretsmanager_secret" "github_app_arc_private_key" {
		32 |   count = terraform.workspace == "data-platform-apps-and-tools-production" ? 1 : 0
		33 | 
		34 |   name = "github/arc/private-key"
		35 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.govuk_notify_api_key
	File: /secrets.tf:38-42

		38 | resource "aws_secretsmanager_secret" "govuk_notify_api_key" {
		39 |   count = terraform.workspace == "data-platform-apps-and-tools-production" ? 1 : 0
		40 | 
		41 |   name = "gov-uk-notify/production/api-key"
		42 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.jml_email
	File: /secrets.tf:45-49

		45 | resource "aws_secretsmanager_secret" "jml_email" {
		46 |   count = terraform.workspace == "data-platform-apps-and-tools-production" ? 1 : 0
		47 | 
		48 |   name = "jml/email"
		49 | }

Check: CKV2_AWS_38: "Ensure Domain Name System Security Extensions (DNSSEC) signing is enabled for Amazon Route 53 public hosted zones"
	FAILED for resource: aws_route53_zone.apps_tools
	File: /route53.tf:1-3

		1 | resource "aws_route53_zone" "apps_tools" {
		2 |   name = local.environment_configuration.route53_zone
		3 | }


checkov_exitcode=1

CTFLint Scan Failed

Show Output 
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
terraform/environments/data-platform-apps-and-tools

*****************************

Running tflint in terraform/environments/data-platform-apps-and-tools
Excluding the following checks: terraform_unused_declarations
1 issue(s) found:

Warning: Missing version constraint for provider "random" in `required_providers` (terraform_required_providers)

  on terraform/environments/data-platform-apps-and-tools/random.tf line 24:
  24: resource "random_password" "datahub_rds" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

tflint_exitcode=2

Trivy Scan

Show Output 



      		
    

  





        


            

            

              
            

        

      


      

            
  

    
  
    
    

  

  



    












      

  
        





      

  
          

  

  
  

  
      @vertism
  vertism


            had a problem deploying
      to
        cdpt-chaps-development



    January 29, 2024 11:13      — with 
GitHub Actions

                
    Failure


    










      

  
      



  

  @github-actions

    
      GitHub Actions
    




  


    

      

  

    

        
    
    

  


      
          
  
      
            Copy link

  

      
    

  


  

      

  
    Contributor


      

  


  

    

  





      


        


  
    

      
          
TFSEC Scan Failed


Show Output
```hcl



TFSEC will check the following folders:

terraform/environments/data-platform-apps-and-tools




Running TFSEC in terraform/environments/data-platform-apps-and-tools

Excluding the following checks: AWS095


======================================================

tfsec is joining the Trivy family


tfsec will continue to remain available

for the time being, although our engineering

attention will be directed at Trivy going forward.


You can read more here:

aquasecurity/tfsec#1994


Result #1 CRITICAL Security group rule allows egress to multiple public internet addresses.

────────────────────────────────────────────────────────────────────────────────

powerbi-gateway-security-group.tf:12

────────────────────────────────────────────────────────────────────────────────

2    resource "aws_security_group" "powerbi_gateway" {

.

12  [     cidr_blocks = ["0.0.0.0/0"]

..

30    }

────────────────────────────────────────────────────────────────────────────────

ID aws-ec2-no-public-egress-sgr

Impact Your port is egressing data to the internet

Resolution Set a more restrictive cidr range


More Information



Result #2 CRITICAL Security group rule allows egress to multiple public internet addresses.

────────────────────────────────────────────────────────────────────────────────

powerbi-gateway-security-group.tf:19

────────────────────────────────────────────────────────────────────────────────

2    resource "aws_security_group" "powerbi_gateway" {

.

19  [     cidr_blocks = ["0.0.0.0/0"]

..

30    }

────────────────────────────────────────────────────────────────────────────────

ID aws-ec2-no-public-egress-sgr

Impact Your port is egressing data to the internet

Resolution Set a more restrictive cidr range


More Information



Result #3 CRITICAL Security group rule allows egress to multiple public internet addresses.

────────────────────────────────────────────────────────────────────────────────

powerbi-gateway-security-group.tf:26

────────────────────────────────────────────────────────────────────────────────

2    resource "aws_security_group" "powerbi_gateway" {

.

26  [     cidr_blocks = ["0.0.0.0/0"]

..

30    }

────────────────────────────────────────────────────────────────────────────────

ID aws-ec2-no-public-egress-sgr

Impact Your port is egressing data to the internet

Resolution Set a more restrictive cidr range


More Information



Result #4 HIGH Instance does not require IMDS access to require a token

────────────────────────────────────────────────────────────────────────────────

git::https:/github.com/terraform-aws-modules/terraform-aws-ec2-instance?ref=f3c6436589eba5c0bcac1cf1a81403ed4f3fcaf8/main.tf:125

via powerbi-gateway-server.tf:14-59 (module.powerbi_gateway)

────────────────────────────────────────────────────────────────────────────────

21    resource "aws_instance" "this" {

..

125  [       http_tokens                 = try(metadata_options.value.http_tokens, "optional") ("optional")

...

193    }

────────────────────────────────────────────────────────────────────────────────

ID aws-ec2-enforce-http-token-imds

Impact Instance metadata service can be interacted with freely

Resolution Enable HTTP token requirement for IMDS


More Information



Result #5 MEDIUM Instance does not have IAM Authentication enabled

────────────────────────────────────────────────────────────────────────────────

../../../../../git::https:/github.com/terraform-aws-modules/terraform-aws-rds?ref=ec9c2e37ccca2a41aeb89ba78f858270a9ac9381/modules/db_instance/main.tf:50

────────────────────────────────────────────────────────────────────────────────

Failed to render code: failed to read file from result filesystem ("/tmp/.aqua/cache/1b3efecb3344a208e0ae01a1156bf6c3"): open /tmp/.aqua/cache/1b3efecb3344a208e0ae01a1156bf6c3/git::https:/github.com/terraform-aws-modules/terraform-aws-rds?ref=ec9c2e37ccca2a41aeb89ba78f858270a9ac9381/modules/db_instance/main.tf: no such file or directory────────────────────────────────────────────────────────────────────────────────

Rego Package builtin.aws.rds.aws0176

Rego Rule deny

────────────────────────────────────────────────────────────────────────────────


Result #6 MEDIUM Instance does not have IAM Authentication enabled

────────────────────────────────────────────────────────────────────────────────

../../../../../terraform-aws-modules/rds/aws/modules/db_instance/main.tf:50

────────────────────────────────────────────────────────────────────────────────

Failed to render code: failed to read file from result filesystem ("/tmp/.aqua/cache/1b3efecb3344a208e0ae01a1156bf6c3"): open /tmp/.aqua/cache/1b3efecb3344a208e0ae01a1156bf6c3/terraform-aws-modules/rds/aws/modules/db_instance/main.tf: no such file or directory────────────────────────────────────────────────────────────────────────────────

Rego Package builtin.aws.rds.aws0176

Rego Rule deny

────────────────────────────────────────────────────────────────────────────────


Result #7 LOW Security group rule does not have a description.

────────────────────────────────────────────────────────────────────────────────

powerbi-gateway-security-group.tf:15-20

────────────────────────────────────────────────────────────────────────────────

2    resource "aws_security_group" "powerbi_gateway" {

.

15  ┌   egress {

16  │     from_port   = 5671

17  │     to_port     = 5672

18  │     protocol    = "tcp"

19  │     cidr_blocks = ["0.0.0.0/0"]

20  └   }

..

30    }

────────────────────────────────────────────────────────────────────────────────

ID aws-ec2-add-description-to-security-group-rule

Impact Descriptions provide context for the firewall rule reasons

Resolution Add descriptions for all security groups rules


More Information



Result #8 LOW Security group rule does not have a description.

────────────────────────────────────────────────────────────────────────────────

powerbi-gateway-security-group.tf:22-27

────────────────────────────────────────────────────────────────────────────────

2    resource "aws_security_group" "powerbi_gateway" {

.

22  ┌   egress {

23  │     from_port   = 9352

24  │     to_port     = 9354

25  │     protocol    = "tcp"

26  │     cidr_blocks = ["0.0.0.0/0"]

27  └   }

..

30    }

────────────────────────────────────────────────────────────────────────────────

ID aws-ec2-add-description-to-security-group-rule

Impact Descriptions provide context for the firewall rule reasons

Resolution Add descriptions for all security groups rules


More Information



Result #9 LOW Security group rule does not have a description.

────────────────────────────────────────────────────────────────────────────────

powerbi-gateway-security-group.tf:8-13

────────────────────────────────────────────────────────────────────────────────

2    resource "aws_security_group" "powerbi_gateway" {

.

8  ┌   egress {

9  │     from_port   = 443

10  │     to_port     = 443

11  │     protocol    = "tcp"

12  │     cidr_blocks = ["0.0.0.0/0"]

13  └   }

..

30    }

────────────────────────────────────────────────────────────────────────────────

ID aws-ec2-add-description-to-security-group-rule

Impact Descriptions provide context for the firewall rule reasons

Resolution Add descriptions for all security groups rules


More Information



timings

──────────────────────────────────────────

disk i/o             7.684305ms

parsing              17.526752879s

adaptation           23.973356ms

checks               62.0075ms

total                17.62041804s


counts

──────────────────────────────────────────

modules downloaded   32

modules processed    58

blocks processed     4123

files read           300


results

──────────────────────────────────────────

passed               113

ignored              24

critical             3

high                 1

medium               2

low                  3


113 passed, 24 ignored, 9 potential problem(s) detected.


tfsec_exitcode=1


</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/data-platform-apps-and-tools

*****************************

Running Checkov in terraform/environments/data-platform-apps-and-tools
2024-01-29 11:13:57,938 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/kms/aws:~> 2.0 (for external modules, the --download-external-modules flag is required)
2024-01-29 11:13:57,938 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-assumable-role:~> 5.0 (for external modules, the --download-external-modules flag is required)
2024-01-29 11:13:57,938 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-user:~> 5 (for external modules, the --download-external-modules flag is required)
2024-01-29 11:13:57,938 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/lambda/aws:~> 6.0 (for external modules, the --download-external-modules flag is required)
2024-01-29 11:13:57,938 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/rds/aws:~> 6.0 (for external modules, the --download-external-modules flag is required)
2024-01-29 11:13:57,939 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks:~> 5.0 (for external modules, the --download-external-modules flag is required)
2024-01-29 11:13:57,939 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/vpc/aws:~> 5.0 (for external modules, the --download-external-modules flag is required)
2024-01-29 11:13:57,939 [MainThread  ] [WARNI]  Failed to download module ministryofjustice/observability-platform-tenant/aws:1.0.0 (for external modules, the --download-external-modules flag is required)
2024-01-29 11:13:57,939 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-policy:~> 5.0 (for external modules, the --download-external-modules flag is required)
2024-01-29 11:13:57,939 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/vpc/aws//modules/vpc-endpoints:~> 5.0 (for external modules, the --download-external-modules flag is required)
2024-01-29 11:13:57,939 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/eks/aws:19.21.0 (for external modules, the --download-external-modules flag is required)
2024-01-29 11:13:57,939 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/ec2-instance/aws:None (for external modules, the --download-external-modules flag is required)
2024-01-29 11:13:57,940 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/efs/aws:~> 1.0 (for external modules, the --download-external-modules flag is required)
2024-01-29 11:13:57,940 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0:None (for external modules, the --download-external-modules flag is required)
2024-01-29 11:13:57,940 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0:None (for external modules, the --download-external-modules flag is required)
2024-01-29 11:13:57,940 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/security-group/aws:~> 5.0 (for external modules, the --download-external-modules flag is required)
2024-01-29 11:13:57,940 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/cloudwatch/aws//modules/log-group:~> 5.0 (for external modules, the --download-external-modules flag is required)
2024-01-29 11:13:57,940 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/kms/aws:2.1.0 (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 146, Failed checks: 22, Skipped checks: 44

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.powerbi_gateway_reg_credentials
	File: /powerbi-gateway-secret.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		1 | resource "aws_secretsmanager_secret" "powerbi_gateway_reg_credentials" {
		2 |   name = "${local.environment_configuration.powerbi_gateway_ec2.instance_name}-credentials"
		3 | }

Check: CKV_AWS_23: "Ensure every security groups rule has a description"
	FAILED for resource: aws_security_group.powerbi_gateway
	File: /powerbi-gateway-security-group.tf:2-30
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		2  | resource "aws_security_group" "powerbi_gateway" {
		3  |   name        = local.environment_configuration.powerbi_gateway_ec2.instance_name
		4  |   description = local.environment_configuration.powerbi_gateway_ec2.instance_name
		5  |   vpc_id      = data.aws_vpc.shared.id
		6  | 
		7  |   # https://learn.microsoft.com/en-us/data-integration/gateway/service-gateway-communication#ports
		8  |   egress {
		9  |     from_port   = 443
		10 |     to_port     = 443
		11 |     protocol    = "tcp"
		12 |     cidr_blocks = ["0.0.0.0/0"]
		13 |   }
		14 | 
		15 |   egress {
		16 |     from_port   = 5671
		17 |     to_port     = 5672
		18 |     protocol    = "tcp"
		19 |     cidr_blocks = ["0.0.0.0/0"]
		20 |   }
		21 | 
		22 |   egress {
		23 |     from_port   = 9352
		24 |     to_port     = 9354
		25 |     protocol    = "tcp"
		26 |     cidr_blocks = ["0.0.0.0/0"]
		27 |   }
		28 | 
		29 |   tags = local.tags
		30 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: powerbi_gateway
	File: /powerbi-gateway-server.tf:14-59
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		14 | module "powerbi_gateway" {
		15 |   source  = "terraform-aws-modules/ec2-instance/aws"
		16 |   version = "v5.6.0"
		17 | 
		18 |   name = local.environment_configuration.powerbi_gateway_ec2.instance_name
		19 |   # ami                         = data.aws_ami.windows_server_2022.id
		20 |   ami                         = "ami-00ffeb610527f540b" # Hardcoded AMI ID for Windows Server 2022
		21 |   instance_type               = local.environment_configuration.powerbi_gateway_ec2.instance_type
		22 |   key_name                    = aws_key_pair.powerbi_gateway_keypair.key_name
		23 |   monitoring                  = true
		24 |   create_iam_instance_profile = true
		25 |   iam_role_description        = "IAM role for PowerBI Gateway Instance"
		26 |   ignore_ami_changes          = false
		27 |   enable_volume_tags          = false
		28 |   associate_public_ip_address = false
		29 |   iam_role_policies = {
		30 |     SSMCore            = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
		31 |     PowerBI_DataAccess = aws_iam_policy.powerbi_gateway_data_access.arn
		32 |   }
		33 |   root_block_device = [
		34 |     {
		35 |       encrypted   = true
		36 |       volume_type = "gp3"
		37 |       volume_size = 100
		38 |       tags = merge({
		39 |         Name = "${local.environment_configuration.powerbi_gateway_ec2.instance_name}-root-volume"
		40 |       }, local.tags)
		41 |     },
		42 |   ]
		43 | 
		44 |   ebs_block_device = [
		45 |     {
		46 |       volume_type = "gp3"
		47 |       device_name = "/dev/sdf"
		48 |       volume_size = 300
		49 |       encrypted   = true
		50 |       tags = merge({
		51 |         Name = "${local.environment_configuration.powerbi_gateway_ec2.instance_name}-data-volume"
		52 |       }, local.tags)
		53 |     }
		54 |   ]
		55 |   vpc_security_group_ids = [aws_security_group.powerbi_gateway.id]
		56 |   subnet_id              = data.aws_subnet.private_subnets_a.id
		57 | 
		58 |   tags = local.tags
		59 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: airflow_s3_bucket
	File: /s3.tf:5-15
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		5  | module "airflow_s3_bucket" {
		6  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0"
		7  | 
		8  |   providers = {
		9  |     aws.bucket-replication = aws
		10 |   }
		11 | 
		12 |   bucket_prefix = "moj-data-platform-airflow-${local.environment}"
		13 | 
		14 |   tags = local.tags
		15 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.openmetadata_entra_id_client_id
	File: /secrets.tf:7-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		7  | resource "aws_secretsmanager_secret" "openmetadata_entra_id_client_id" {
		8  |   count = terraform.workspace == "data-platform-apps-and-tools-production" ? 1 : 0
		9  | 
		10 |   name = "openmetadata/entra-id/client-id"
		11 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.openmetadata_entra_id_tenant_id
	File: /secrets.tf:13-17
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		13 | resource "aws_secretsmanager_secret" "openmetadata_entra_id_tenant_id" {
		14 |   count = terraform.workspace == "data-platform-apps-and-tools-production" ? 1 : 0
		15 | 
		16 |   name = "openmetadata/entra-id/tenant-id"
		17 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.github_app_arc_app_id
	File: /secrets.tf:19-23
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		19 | resource "aws_secretsmanager_secret" "github_app_arc_app_id" {
		20 |   count = terraform.workspace == "data-platform-apps-and-tools-production" ? 1 : 0
		21 | 
		22 |   name = "github/arc/app-id"
		23 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.github_app_arc_install_id
	File: /secrets.tf:25-29
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		25 | resource "aws_secretsmanager_secret" "github_app_arc_install_id" {
		26 |   count = terraform.workspace == "data-platform-apps-and-tools-production" ? 1 : 0
		27 | 
		28 |   name = "github/arc/install-id"
		29 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.github_app_arc_private_key
	File: /secrets.tf:31-35
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		31 | resource "aws_secretsmanager_secret" "github_app_arc_private_key" {
		32 |   count = terraform.workspace == "data-platform-apps-and-tools-production" ? 1 : 0
		33 | 
		34 |   name = "github/arc/private-key"
		35 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.govuk_notify_api_key
	File: /secrets.tf:38-42
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		38 | resource "aws_secretsmanager_secret" "govuk_notify_api_key" {
		39 |   count = terraform.workspace == "data-platform-apps-and-tools-production" ? 1 : 0
		40 | 
		41 |   name = "gov-uk-notify/production/api-key"
		42 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.jml_email
	File: /secrets.tf:45-49
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		45 | resource "aws_secretsmanager_secret" "jml_email" {
		46 |   count = terraform.workspace == "data-platform-apps-and-tools-production" ? 1 : 0
		47 | 
		48 |   name = "jml/email"
		49 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.powerbi_gateway
	File: /powerbi-gateway-security-group.tf:2-30
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		2  | resource "aws_security_group" "powerbi_gateway" {
		3  |   name        = local.environment_configuration.powerbi_gateway_ec2.instance_name
		4  |   description = local.environment_configuration.powerbi_gateway_ec2.instance_name
		5  |   vpc_id      = data.aws_vpc.shared.id
		6  | 
		7  |   # https://learn.microsoft.com/en-us/data-integration/gateway/service-gateway-communication#ports
		8  |   egress {
		9  |     from_port   = 443
		10 |     to_port     = 443
		11 |     protocol    = "tcp"
		12 |     cidr_blocks = ["0.0.0.0/0"]
		13 |   }
		14 | 
		15 |   egress {
		16 |     from_port   = 5671
		17 |     to_port     = 5672
		18 |     protocol    = "tcp"
		19 |     cidr_blocks = ["0.0.0.0/0"]
		20 |   }
		21 | 
		22 |   egress {
		23 |     from_port   = 9352
		24 |     to_port     = 9354
		25 |     protocol    = "tcp"
		26 |     cidr_blocks = ["0.0.0.0/0"]
		27 |   }
		28 | 
		29 |   tags = local.tags
		30 | }

Check: CKV2_AWS_39: "Ensure Domain Name System (DNS) query logging is enabled for Amazon Route 53 hosted zones"
	FAILED for resource: aws_route53_zone.apps_tools
	File: /route53.tf:1-3

		1 | resource "aws_route53_zone" "apps_tools" {
		2 |   name = local.environment_configuration.route53_zone
		3 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.powerbi_gateway_reg_credentials
	File: /powerbi-gateway-secret.tf:1-3

		1 | resource "aws_secretsmanager_secret" "powerbi_gateway_reg_credentials" {
		2 |   name = "${local.environment_configuration.powerbi_gateway_ec2.instance_name}-credentials"
		3 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.openmetadata_entra_id_client_id
	File: /secrets.tf:7-11

		7  | resource "aws_secretsmanager_secret" "openmetadata_entra_id_client_id" {
		8  |   count = terraform.workspace == "data-platform-apps-and-tools-production" ? 1 : 0
		9  | 
		10 |   name = "openmetadata/entra-id/client-id"
		11 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.openmetadata_entra_id_tenant_id
	File: /secrets.tf:13-17

		13 | resource "aws_secretsmanager_secret" "openmetadata_entra_id_tenant_id" {
		14 |   count = terraform.workspace == "data-platform-apps-and-tools-production" ? 1 : 0
		15 | 
		16 |   name = "openmetadata/entra-id/tenant-id"
		17 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.github_app_arc_app_id
	File: /secrets.tf:19-23

		19 | resource "aws_secretsmanager_secret" "github_app_arc_app_id" {
		20 |   count = terraform.workspace == "data-platform-apps-and-tools-production" ? 1 : 0
		21 | 
		22 |   name = "github/arc/app-id"
		23 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.github_app_arc_install_id
	File: /secrets.tf:25-29

		25 | resource "aws_secretsmanager_secret" "github_app_arc_install_id" {
		26 |   count = terraform.workspace == "data-platform-apps-and-tools-production" ? 1 : 0
		27 | 
		28 |   name = "github/arc/install-id"
		29 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.github_app_arc_private_key
	File: /secrets.tf:31-35

		31 | resource "aws_secretsmanager_secret" "github_app_arc_private_key" {
		32 |   count = terraform.workspace == "data-platform-apps-and-tools-production" ? 1 : 0
		33 | 
		34 |   name = "github/arc/private-key"
		35 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.govuk_notify_api_key
	File: /secrets.tf:38-42

		38 | resource "aws_secretsmanager_secret" "govuk_notify_api_key" {
		39 |   count = terraform.workspace == "data-platform-apps-and-tools-production" ? 1 : 0
		40 | 
		41 |   name = "gov-uk-notify/production/api-key"
		42 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.jml_email
	File: /secrets.tf:45-49

		45 | resource "aws_secretsmanager_secret" "jml_email" {
		46 |   count = terraform.workspace == "data-platform-apps-and-tools-production" ? 1 : 0
		47 | 
		48 |   name = "jml/email"
		49 | }

Check: CKV2_AWS_38: "Ensure Domain Name System Security Extensions (DNSSEC) signing is enabled for Amazon Route 53 public hosted zones"
	FAILED for resource: aws_route53_zone.apps_tools
	File: /route53.tf:1-3

		1 | resource "aws_route53_zone" "apps_tools" {
		2 |   name = local.environment_configuration.route53_zone
		3 | }


checkov_exitcode=1





CTFLint Scan Failed


Show Output

*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
terraform/environments/data-platform-apps-and-tools

*****************************

Running tflint in terraform/environments/data-platform-apps-and-tools
Excluding the following checks: terraform_unused_declarations
1 issue(s) found:

Warning: Missing version constraint for provider "random" in `required_providers` (terraform_required_providers)

  on terraform/environments/data-platform-apps-and-tools/random.tf line 24:
  24: resource "random_password" "datahub_rds" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

tflint_exitcode=2




Trivy Scan


Show Output




      		
    

  





        


            

            

              
            

        

      


      

            
  

    
  
    
    

  

  



    












      

  
        





      

  
            

    

      
    

    


      

          @vertism
vertism




        changed the title
Chaps - create new staging cert

Chaps - restore preproduction certificate config


      Jan 29, 2024

    

  



  

  

  
  

  
      @vertism
  vertism


            had a problem deploying
      to
        cdpt-chaps-development



    January 29, 2024 11:32      — with 
GitHub Actions

                
    Failure


    










      

  
      



  

  @github-actions

    
      GitHub Actions
    




  


    

      

  

    

        
    
    

  


      
          
  
      
            Copy link

  

      
    

  


  

      

  
    Contributor


      

  


  

    

  





      


        


  
    

      
          
TFSEC Scan Success


Show Output
```hcl



TFSEC will check the following folders:

terraform/environments/corporate-staff-rostering terraform/environments/nomis terraform/modules/baseline_presets




Running TFSEC in terraform/environments/corporate-staff-rostering

Excluding the following checks: AWS095


======================================================

tfsec is joining the Trivy family


tfsec will continue to remain available

for the time being, although our engineering

attention will be directed at Trivy going forward.


You can read more here:

aquasecurity/tfsec#1994


timings

──────────────────────────────────────────

disk i/o             1.764188ms

parsing              257.642716ms

adaptation           123.772µs

checks               3.413061ms

total                262.943737ms


counts

──────────────────────────────────────────

modules downloaded   0

modules processed    5

blocks processed     282

files read           74


results

──────────────────────────────────────────

passed               1

ignored              0

critical             0

high                 0

medium               0

low                  0


No problems detected!


tfsec_exitcode=0




Running TFSEC in terraform/environments/nomis

Excluding the following checks: AWS095


======================================================

tfsec is joining the Trivy family


tfsec will continue to remain available

for the time being, although our engineering

attention will be directed at Trivy going forward.


You can read more here:

aquasecurity/tfsec#1994


timings

──────────────────────────────────────────

disk i/o             1.807291ms

parsing              239.4849ms

adaptation           386.498µs

checks               4.219518ms

total                245.898207ms


counts

──────────────────────────────────────────

modules downloaded   0

modules processed    6

blocks processed     288

files read           78


results

──────────────────────────────────────────

passed               37

ignored              4

critical             0

high                 0

medium               0

low                  0


No problems detected!


tfsec_exitcode=0




Running TFSEC in terraform/modules/baseline_presets

Excluding the following checks: AWS095


======================================================

tfsec is joining the Trivy family


tfsec will continue to remain available

for the time being, although our engineering

attention will be directed at Trivy going forward.


You can read more here:

aquasecurity/tfsec#1994


timings

──────────────────────────────────────────

disk i/o             397.979µs

parsing              20.01788ms

adaptation           79.951µs

checks               8.586227ms

total                29.082037ms


counts

──────────────────────────────────────────

modules downloaded   0

modules processed    1

blocks processed     45

files read           20


results

──────────────────────────────────────────

passed               0

ignored              0

critical             0

high                 0

medium               0

low                  0


No problems detected!


tfsec_exitcode=0


</details> #### `Checkov Scan` Success
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/corporate-staff-rostering terraform/environments/nomis terraform/modules/baseline_presets

*****************************

Running Checkov in terraform/environments/corporate-staff-rostering
terraform scan results:

Passed checks: 111, Failed checks: 0, Skipped checks: 20


checkov_exitcode=0

*****************************

Running Checkov in terraform/environments/nomis
terraform scan results:

Passed checks: 134, Failed checks: 0, Skipped checks: 23


checkov_exitcode=0

*****************************

Running Checkov in terraform/modules/baseline_presets

checkov_exitcode=0





CTFLint Scan Failed


Show Output

*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
terraform/environments/corporate-staff-rostering terraform/environments/nomis terraform/modules/baseline_presets

*****************************

Running tflint in terraform/environments/corporate-staff-rostering
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

*****************************

Running tflint in terraform/environments/nomis
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

*****************************

Running tflint in terraform/modules/baseline_presets
Excluding the following checks: terraform_unused_declarations
2 issue(s) found:

Warning: `environment` variable has no type (terraform_typed_variables)

  on terraform/modules/baseline_presets/variables.tf line 1:
   1: variable "environment" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_typed_variables.md

Warning: `ip_addresses` variable has no type (terraform_typed_variables)

  on terraform/modules/baseline_presets/variables.tf line 7:
   7: variable "ip_addresses" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_typed_variables.md

tflint_exitcode=2




Trivy Scan


Show Output




      		
    

  





        


            

            

              
            

        

      


      

            
  

    
  
    
    

  

  



    












      

  
          

  

  
  

  
      @vertism
  vertism


            had a problem deploying
      to
        cdpt-chaps-development



    January 29, 2024 14:58      — with 
GitHub Actions

                
    Error


    





  

  

  
  

  
      @vertism
  vertism


            had a problem deploying
      to
        cdpt-chaps-development



    January 29, 2024 14:59      — with 
GitHub Actions

                
    Error


    










      

  
        





      

  
          

  

  
  

  
      @vertism
  vertism


            had a problem deploying
      to
        cdpt-chaps-development



    January 29, 2024 15:03      — with 
GitHub Actions

                
    Failure


    










      

  
      



  

  @github-actions

    
      GitHub Actions
    




  


    

      

  

    

        
    
    

  


      
          
  
      
            Copy link

  

      
    

  


  

      

  
    Contributor


      

  


  

    

  





      


        


  
    

      
          
TFSEC Scan Success


Show Output
```hcl



TFSEC will check the following folders:


</details> #### `Checkov Scan` Success
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:





CTFLint Scan Success


Show Output

*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:




Trivy Scan


Show Output




      		
    

  





        


            

            

              
            

        

      


      

            
  

    
  
    
    

  

  



    












      

  
        





      

  
          

  

    
  

  


        
        @vertism
  vertism



        merged commit 36e28df
      into

      
  
    main
  


    Jan 29, 2024

      

        13 of 14 checks passed
      


      

        
          
  
    
    

        
      

  







  

  
  

  
      @vertism
  vertism


    
    deleted the
    
      
        chaps-fix-staging-certificate
    
    branch

    January 29, 2024 16:27    
    













  
  

    

      

  




    


    

      

              

  
    Sign up for free
    to join this conversation on GitHub.
    Already have an account?
    Sign in to comment


  



      

    

  




  
          




      

  

    
    

    
  

    Reviewers
  


    


        

          

  
      @roncitrus
  
    roncitrus



          
            
              
            
          
          roncitrus approved these changes

        


      






    

  


      
  

    Assignees
  



        

    No one assigned







      


  


  

    Labels
  



    

      

    environments-repository

  Used to exclude PRs from this repo in our Slack PR update








      

  

    

        

    Projects
  


        




    None yet




  



      


  

    
  

    Milestone
  


      No milestone





    
      
          


  

    
      

        
    

    Development
  



          


Successfully merging this pull request may close these issues.



  


    
  




      

    

  
      

  

    

      2 participants
    

    

        
          @vertism 
        
          @roncitrus