
Cooker - Test PR to confirm issues with local plan still persist. #5026

Closed
wants to merge 12 commits into from

Conversation

mikereiddigital
Contributor

Fully self-contained example of ec2 module use - #1

@mikereiddigital mikereiddigital requested a review from a team as a code owner February 13, 2024 12:56
@github-actions github-actions bot added the environments-repository Used to exclude PRs from this repo in our Slack PR update label Feb 13, 2024
TFSEC Scan Failed

```hcl

TFSEC will check the following folders:
terraform/environments/electronic-monitoring-data


Running TFSEC in terraform/environments/electronic-monitoring-data
Excluding the following checks: AWS095

======================================================
tfsec is joining the Trivy family

tfsec will continue to remain available
for the time being, although our engineering
attention will be directed at Trivy going forward.

You can read more here:
aquasecurity/tfsec#1994

Results #1-19 HIGH IAM policy document uses sensitive action 's3:PutObject' on wildcarded resource '132a874f-7632-45f3-afb8-d52dc9522a1d/*' (19 similar results)
────────────────────────────────────────────────────────────────────────────────
modules/landing_zone/landing_zone_user/main.tf:57
via modules/landing_zone/main.tf:352-362 (module.landing_zone_users["0"])
via main.tf:1-25 (module.capita)
────────────────────────────────────────────────────────────────────────────────
46 data "aws_iam_policy_document" "this_transfer_user" {
..
57 [ resources = ["${var.landing_bucket.arn}/*"]
..
59 }
────────────────────────────────────────────────────────────────────────────────
Individual Causes

  • modules/landing_zone/landing_zone_user/main.tf:1-25 (module.capita) 19 instances
    ────────────────────────────────────────────────────────────────────────────────
    ID aws-iam-no-policy-wildcards
    Impact Overly permissive policies may grant access to sensitive resources
    Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

More Information

Results #20-22 HIGH IAM policy document uses sensitive action 's3:GetObject' on wildcarded resource '132a874f-7632-45f3-afb8-d52dc9522a1d/*' (3 similar results)
────────────────────────────────────────────────────────────────────────────────
modules/landing_zone/main.tf:294
via main.tf:1-25 (module.capita)
────────────────────────────────────────────────────────────────────────────────
286 data "aws_iam_policy_document" "this_transfer_workflow" {
...
294 [ resources = ["${aws_s3_bucket.landing_bucket.arn}/*"]
...
338 }
────────────────────────────────────────────────────────────────────────────────
Individual Causes

  • modules/landing_zone/main.tf:1-25 (module.capita) 3 instances
    ────────────────────────────────────────────────────────────────────────────────
    ID aws-iam-no-policy-wildcards
    Impact Overly permissive policies may grant access to sensitive resources
    Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

More Information

Results #23-25 HIGH IAM policy document uses sensitive action 's3:PutObject' on wildcarded resource 'db620b2b-4270-43a3-a3cb-e85c39e5c46f/*' (3 similar results)
────────────────────────────────────────────────────────────────────────────────
modules/landing_zone/main.tf:303
via main.tf:1-25 (module.capita)
────────────────────────────────────────────────────────────────────────────────
286 data "aws_iam_policy_document" "this_transfer_workflow" {
...
303 [ resources = ["${var.data_store_bucket.arn}/*"]
...
338 }
────────────────────────────────────────────────────────────────────────────────
Individual Causes

  • modules/landing_zone/main.tf:1-25 (module.capita) 3 instances
    ────────────────────────────────────────────────────────────────────────────────
    ID aws-iam-no-policy-wildcards
    Impact Overly permissive policies may grant access to sensitive resources
    Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

More Information

Results #26-31 HIGH IAM policy document uses sensitive action 's3:PutObjectTagging' on wildcarded resource 'db620b2b-4270-43a3-a3cb-e85c39e5c46f/*' (6 similar results)
────────────────────────────────────────────────────────────────────────────────
modules/landing_zone/main.tf:323-326
via main.tf:1-25 (module.capita)
────────────────────────────────────────────────────────────────────────────────
286 data "aws_iam_policy_document" "this_transfer_workflow" {
...
323 ┌ resources = [
324 │ "${var.data_store_bucket.arn}/*",
325 │ "${aws_s3_bucket.landing_bucket.arn}/*",
326 └ ]
...
338 }
────────────────────────────────────────────────────────────────────────────────
Individual Causes

  • modules/landing_zone/main.tf:1-25 (module.capita) 6 instances
    ────────────────────────────────────────────────────────────────────────────────
    ID aws-iam-no-policy-wildcards
    Impact Overly permissive policies may grant access to sensitive resources
    Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

More Information

Results #32-34 HIGH IAM policy document uses sensitive action 's3:DeleteObject' on wildcarded resource '132a874f-7632-45f3-afb8-d52dc9522a1d/*' (3 similar results)
────────────────────────────────────────────────────────────────────────────────
modules/landing_zone/main.tf:336
via main.tf:1-25 (module.capita)
────────────────────────────────────────────────────────────────────────────────
286 data "aws_iam_policy_document" "this_transfer_workflow" {
...
336 [ resources = ["${aws_s3_bucket.landing_bucket.arn}/*"]
...
338 }
────────────────────────────────────────────────────────────────────────────────
Individual Causes

  • modules/landing_zone/main.tf:1-25 (module.capita) 3 instances
    ────────────────────────────────────────────────────────────────────────────────
    ID aws-iam-no-policy-wildcards
    Impact Overly permissive policies may grant access to sensitive resources
    Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

More Information

Results #35-37 HIGH Bucket does not encrypt data with a customer managed key. (3 similar results)
────────────────────────────────────────────────────────────────────────────────
modules/landing_zone/main.tf:37-45
via main.tf:51-81 (module.g4s)
────────────────────────────────────────────────────────────────────────────────
37 resource "aws_s3_bucket_server_side_encryption_configuration" "landing_bucket" {
38 bucket = aws_s3_bucket.landing_bucket.id
39
40 rule {
41 apply_server_side_encryption_by_default {
42 sse_algorithm = "AES256"
43 }
44 }
45 }
────────────────────────────────────────────────────────────────────────────────
Individual Causes

  • modules/landing_zone/main.tf:51-81 (module.g4s)
  • modules/landing_zone/main.tf:27-49 (module.civica)
  • modules/landing_zone/main.tf:1-25 (module.capita)
    ────────────────────────────────────────────────────────────────────────────────
    ID aws-s3-encryption-customer-key
    Impact Using AWS managed keys does not allow for fine grained control
    Resolution Enable encryption using customer managed keys

More Information

Results #38-41 HIGH Bucket does not encrypt data with a customer managed key. (4 similar results)
────────────────────────────────────────────────────────────────────────────────
modules/s3_log_bucket/main.tf:17-25
via modules/landing_zone/main.tf:105-113 (module.log_bucket)
via main.tf:1-25 (module.capita)
────────────────────────────────────────────────────────────────────────────────
17 resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
18 bucket = aws_s3_bucket.this.id
19
20 rule {
21 apply_server_side_encryption_by_default {
22 sse_algorithm = "AES256"
23 }
24 }
25 }
────────────────────────────────────────────────────────────────────────────────
Individual Causes

  • modules/s3_log_bucket/main.tf:5-10 (module.data_store_log_bucket)
  • modules/s3_log_bucket/main.tf:1-25 (module.capita) 3 instances
    ────────────────────────────────────────────────────────────────────────────────
    ID aws-s3-encryption-customer-key
    Impact Using AWS managed keys does not allow for fine grained control
    Resolution Enable encryption using customer managed keys

More Information

Result #42 HIGH Bucket does not encrypt data with a customer managed key.
────────────────────────────────────────────────────────────────────────────────
s3.tf:20-28
────────────────────────────────────────────────────────────────────────────────
20 resource "aws_s3_bucket_server_side_encryption_configuration" "data_store" {
21 bucket = aws_s3_bucket.data_store.id
22
23 rule {
24 apply_server_side_encryption_by_default {
25 sse_algorithm = "AES256"
26 }
27 }
28 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-encryption-customer-key
Impact Using AWS managed keys does not allow for fine grained control
Resolution Enable encryption using customer managed keys

More Information

Results #43-45 MEDIUM Bucket does not have versioning enabled (3 similar results)
────────────────────────────────────────────────────────────────────────────────
modules/landing_zone/main.tf:84
via main.tf:51-81 (module.g4s)
────────────────────────────────────────────────────────────────────────────────
81 resource "aws_s3_bucket_versioning" "landing_bucket" {
82 bucket = aws_s3_bucket.landing_bucket.id
83 versioning_configuration {
84 [ status = "Disabled"
85 }
86 }
────────────────────────────────────────────────────────────────────────────────
Individual Causes

  • modules/landing_zone/main.tf:51-81 (module.g4s)
  • modules/landing_zone/main.tf:1-25 (module.capita)
  • modules/landing_zone/main.tf:27-49 (module.civica)
    ────────────────────────────────────────────────────────────────────────────────
    ID aws-s3-enable-versioning
    Impact Deleted or modified data would not be recoverable
    Resolution Enable versioning to protect against accidental/malicious removal or modification

More Information

Results #46-49 MEDIUM Bucket does not have logging enabled (4 similar results)
────────────────────────────────────────────────────────────────────────────────
modules/s3_log_bucket/main.tf:2-8
via modules/landing_zone/main.tf:105-113 (module.log_bucket)
via main.tf:27-49 (module.civica)
────────────────────────────────────────────────────────────────────────────────
2 resource "aws_s3_bucket" "this" {
3 bucket = "${var.source_bucket.id}-logs"
4
5 force_destroy = true
6
7 tags = var.tags
8 }
────────────────────────────────────────────────────────────────────────────────
Individual Causes

  • modules/s3_log_bucket/main.tf:1-25 (module.capita)
  • modules/s3_log_bucket/main.tf:5-10 (module.data_store_log_bucket)
  • modules/s3_log_bucket/main.tf:51-81 (module.g4s)
  • modules/s3_log_bucket/main.tf:27-49 (module.civica)
    ────────────────────────────────────────────────────────────────────────────────
    ID aws-s3-enable-bucket-logging
    Impact There is no way to determine the access to this bucket
    Resolution Add a logging block to the resource to enable access logging

More Information

timings
──────────────────────────────────────────
disk i/o 1.853582ms
parsing 155.422566ms
adaptation 28.628617ms
checks 10.461519ms
total 196.366284ms

counts
──────────────────────────────────────────
modules downloaded 0
modules processed 46
blocks processed 562
files read 125

results
──────────────────────────────────────────
passed 180
ignored 0
critical 0
high 42
medium 7
low 0

180 passed, 49 potential problem(s) detected.

tfsec_exitcode=1
```

Checkov Scan Failed

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/electronic-monitoring-data

*****************************

Running Checkov in terraform/environments/electronic-monitoring-data
terraform scan results:

Passed checks: 450, Failed checks: 40, Skipped checks: 0

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.capita.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-35
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = {
		33 |     supplier = var.supplier
		34 |   }
		35 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.civica.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-35
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = {
		33 |     supplier = var.supplier
		34 |   }
		35 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.g4s.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-35
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = {
		33 |     supplier = var.supplier
		34 |   }
		35 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.capita.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		2 | resource "aws_s3_bucket" "this" {
		3 |   bucket = "${var.source_bucket.id}-logs"
		4 | 
		5 |   force_destroy = true
		6 | 
		7 |   tags = var.tags
		8 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.civica.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		2 | resource "aws_s3_bucket" "this" {
		3 |   bucket = "${var.source_bucket.id}-logs"
		4 | 
		5 |   force_destroy = true
		6 | 
		7 |   tags = var.tags
		8 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.g4s.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		2 | resource "aws_s3_bucket" "this" {
		3 |   bucket = "${var.source_bucket.id}-logs"
		4 | 
		5 |   force_destroy = true
		6 | 
		7 |   tags = var.tags
		8 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.data_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		2 | resource "aws_s3_bucket" "this" {
		3 |   bucket = "${var.source_bucket.id}-logs"
		4 | 
		5 |   force_destroy = true
		6 | 
		7 |   tags = var.tags
		8 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.data_store
	File: /s3.tf:16-18
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		16 | resource "aws_s3_bucket" "data_store" {
		17 |   bucket_prefix = "em-data-store-"
		18 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: module.capita.module.landing_zone_security_groups.aws_security_group.this
	File: /modules/landing_zone/server_security_group/main.tf:7-19
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		7  | resource "aws_security_group" "this" {
		8  |   name        = "${var.supplier}-${var.user_name}-inbound-ips"
		9  |   description = "Allowed IP addresses for ${var.user_name} on ${var.supplier} server"
		10 |   vpc_id      = var.vpc_id
		11 |   
		12 |   lifecycle {
		13 |     create_before_destroy = true
		14 |   }
		15 | 
		16 |   tags = {
		17 |     supplier = var.user_name
		18 |   }
		19 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: module.civica.module.landing_zone_security_groups.aws_security_group.this
	File: /modules/landing_zone/server_security_group/main.tf:7-19
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		7  | resource "aws_security_group" "this" {
		8  |   name        = "${var.supplier}-${var.user_name}-inbound-ips"
		9  |   description = "Allowed IP addresses for ${var.user_name} on ${var.supplier} server"
		10 |   vpc_id      = var.vpc_id
		11 |   
		12 |   lifecycle {
		13 |     create_before_destroy = true
		14 |   }
		15 | 
		16 |   tags = {
		17 |     supplier = var.user_name
		18 |   }
		19 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: module.g4s.module.landing_zone_security_groups.aws_security_group.this
	File: /modules/landing_zone/server_security_group/main.tf:7-19
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		7  | resource "aws_security_group" "this" {
		8  |   name        = "${var.supplier}-${var.user_name}-inbound-ips"
		9  |   description = "Allowed IP addresses for ${var.user_name} on ${var.supplier} server"
		10 |   vpc_id      = var.vpc_id
		11 |   
		12 |   lifecycle {
		13 |     create_before_destroy = true
		14 |   }
		15 | 
		16 |   tags = {
		17 |     supplier = var.user_name
		18 |   }
		19 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.capita.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-35
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = {
		33 |     supplier = var.supplier
		34 |   }
		35 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.civica.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-35
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = {
		33 |     supplier = var.supplier
		34 |   }
		35 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.g4s.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-35
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = {
		33 |     supplier = var.supplier
		34 |   }
		35 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.capita.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		2 | resource "aws_s3_bucket" "this" {
		3 |   bucket = "${var.source_bucket.id}-logs"
		4 | 
		5 |   force_destroy = true
		6 | 
		7 |   tags = var.tags
		8 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.civica.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		2 | resource "aws_s3_bucket" "this" {
		3 |   bucket = "${var.source_bucket.id}-logs"
		4 | 
		5 |   force_destroy = true
		6 | 
		7 |   tags = var.tags
		8 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.g4s.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		2 | resource "aws_s3_bucket" "this" {
		3 |   bucket = "${var.source_bucket.id}-logs"
		4 | 
		5 |   force_destroy = true
		6 | 
		7 |   tags = var.tags
		8 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.data_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		2 | resource "aws_s3_bucket" "this" {
		3 |   bucket = "${var.source_bucket.id}-logs"
		4 | 
		5 |   force_destroy = true
		6 | 
		7 |   tags = var.tags
		8 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.data_store
	File: /s3.tf:16-18
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		16 | resource "aws_s3_bucket" "data_store" {
		17 |   bucket_prefix = "em-data-store-"
		18 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: module.civica.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		2 | resource "aws_s3_bucket" "this" {
		3 |   bucket = "${var.source_bucket.id}-logs"
		4 | 
		5 |   force_destroy = true
		6 | 
		7 |   tags = var.tags
		8 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: module.g4s.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		2 | resource "aws_s3_bucket" "this" {
		3 |   bucket = "${var.source_bucket.id}-logs"
		4 | 
		5 |   force_destroy = true
		6 | 
		7 |   tags = var.tags
		8 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: module.capita.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-35
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = {
		33 |     supplier = var.supplier
		34 |   }
		35 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: module.civica.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-35
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = {
		33 |     supplier = var.supplier
		34 |   }
		35 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: module.g4s.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-35
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = {
		33 |     supplier = var.supplier
		34 |   }
		35 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.capita.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-35
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = {
		33 |     supplier = var.supplier
		34 |   }
		35 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.civica.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-35
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = {
		33 |     supplier = var.supplier
		34 |   }
		35 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.g4s.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-35
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = {
		33 |     supplier = var.supplier
		34 |   }
		35 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.capita.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		2 | resource "aws_s3_bucket" "this" {
		3 |   bucket = "${var.source_bucket.id}-logs"
		4 | 
		5 |   force_destroy = true
		6 | 
		7 |   tags = var.tags
		8 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.civica.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		2 | resource "aws_s3_bucket" "this" {
		3 |   bucket = "${var.source_bucket.id}-logs"
		4 | 
		5 |   force_destroy = true
		6 | 
		7 |   tags = var.tags
		8 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.g4s.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		2 | resource "aws_s3_bucket" "this" {
		3 |   bucket = "${var.source_bucket.id}-logs"
		4 | 
		5 |   force_destroy = true
		6 | 
		7 |   tags = var.tags
		8 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.data_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		2 | resource "aws_s3_bucket" "this" {
		3 |   bucket = "${var.source_bucket.id}-logs"
		4 | 
		5 |   force_destroy = true
		6 | 
		7 |   tags = var.tags
		8 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.data_store
	File: /s3.tf:16-18
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		16 | resource "aws_s3_bucket" "data_store" {
		17 |   bucket_prefix = "em-data-store-"
		18 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.capita.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-35
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = {
		33 |     supplier = var.supplier
		34 |   }
		35 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.civica.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-35
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = {
		33 |     supplier = var.supplier
		34 |   }
		35 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.g4s.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-35
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = {
		33 |     supplier = var.supplier
		34 |   }
		35 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.capita.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		2 | resource "aws_s3_bucket" "this" {
		3 |   bucket = "${var.source_bucket.id}-logs"
		4 | 
		5 |   force_destroy = true
		6 | 
		7 |   tags = var.tags
		8 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.civica.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		2 | resource "aws_s3_bucket" "this" {
		3 |   bucket = "${var.source_bucket.id}-logs"
		4 | 
		5 |   force_destroy = true
		6 | 
		7 |   tags = var.tags
		8 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.g4s.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		2 | resource "aws_s3_bucket" "this" {
		3 |   bucket = "${var.source_bucket.id}-logs"
		4 | 
		5 |   force_destroy = true
		6 | 
		7 |   tags = var.tags
		8 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.data_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		2 | resource "aws_s3_bucket" "this" {
		3 |   bucket = "${var.source_bucket.id}-logs"
		4 | 
		5 |   force_destroy = true
		6 | 
		7 |   tags = var.tags
		8 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.data_store
	File: /s3.tf:16-18
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		16 | resource "aws_s3_bucket" "data_store" {
		17 |   bucket_prefix = "em-data-store-"
		18 | }


checkov_exitcode=1

CTFLint Scan Success

Show Output
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
terraform/environments/electronic-monitoring-data

*****************************

Running tflint in terraform/environments/electronic-monitoring-data
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

Trivy Scan

Show Output


TFSEC Scan Success

Show Output ```hcl

TFSEC will check the following folders:

</details> #### `Checkov Scan` Success
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:

CTFLint Scan Success

Show Output
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:

Trivy Scan

Show Output


TFSEC Scan Failed

Show Output ```hcl

TFSEC will check the following folders:
terraform/environments/electronic-monitoring-data


Running TFSEC in terraform/environments/electronic-monitoring-data
Excluding the following checks: AWS095

======================================================
tfsec is joining the Trivy family

tfsec will continue to remain available
for the time being, although our engineering
attention will be directed at Trivy going forward.

You can read more here:
aquasecurity/tfsec#1994

Result #1 HIGH IAM policy document uses sensitive action 's3:PutObject' on wildcarded resource 'e3166581-e50b-4749-998c-fa08c4bc4108/*'
────────────────────────────────────────────────────────────────────────────────
data_store.tf:164
────────────────────────────────────────────────────────────────────────────────
148 data "aws_iam_policy_document" "calculate_checksum_lambda" {
...
164 [ resources = ["${aws_s3_bucket.data_store.arn}/*"]
...
166 }
────────────────────────────────────────────────────────────────────────────────
ID aws-iam-no-policy-wildcards
Impact Overly permissive policies may grant access to sensitive resources
Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

More Information

Result #2 HIGH Bucket does not encrypt data with a customer managed key.
────────────────────────────────────────────────────────────────────────────────
data_store.tf:20-28
────────────────────────────────────────────────────────────────────────────────
20 resource "aws_s3_bucket_server_side_encryption_configuration" "data_store" {
21 bucket = aws_s3_bucket.data_store.id
22
23 rule {
24 apply_server_side_encryption_by_default {
25 sse_algorithm = "AES256"
26 }
27 }
28 }
────────────────────────────────────────────────────────────────────────────────
ID aws-s3-encryption-customer-key
Impact Using AWS managed keys does not allow for fine grained control
Resolution Enable encryption using customer managed keys

More Information

Result #3 HIGH IAM policy document uses sensitive action 's3:GetObject' on wildcarded resource 'e3166581-e50b-4749-998c-fa08c4bc4108/*'
────────────────────────────────────────────────────────────────────────────────
data_store.tf:216
────────────────────────────────────────────────────────────────────────────────
207 data "aws_iam_policy_document" "summarise_zip_lambda" {
...
216 [ resources = ["${aws_s3_bucket.data_store.arn}/*"]
...
218 }
────────────────────────────────────────────────────────────────────────────────
ID aws-iam-no-policy-wildcards
Impact Overly permissive policies may grant access to sensitive resources
Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

More Information

Results #4-15 HIGH IAM policy document uses sensitive action 's3:PutObject' on wildcarded resource 'e1ace58f-1453-4603-8cbc-c0e5dcab7f8b/*' (12 similar results)
────────────────────────────────────────────────────────────────────────────────
modules/landing_zone/landing_zone_user/main.tf:57
via modules/landing_zone/main.tf:352-362 (module.landing_zone_users["0"])
via main.tf:1-25 (module.capita)
────────────────────────────────────────────────────────────────────────────────
46 data "aws_iam_policy_document" "this_transfer_user" {
..
57 [ resources = ["${var.landing_bucket.arn}/*"]
..
59 }
────────────────────────────────────────────────────────────────────────────────
Individual Causes

  • modules/landing_zone/landing_zone_user/main.tf:1-25 (module.capita) 12 instances
    ────────────────────────────────────────────────────────────────────────────────
    ID aws-iam-no-policy-wildcards
    Impact Overly permissive policies may grant access to sensitive resources
    Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

More Information

Results #16-18 HIGH IAM policy document uses sensitive action 's3:GetObject' on wildcarded resource 'e1ace58f-1453-4603-8cbc-c0e5dcab7f8b/*' (3 similar results)
────────────────────────────────────────────────────────────────────────────────
modules/landing_zone/main.tf:294
via main.tf:1-25 (module.capita)
────────────────────────────────────────────────────────────────────────────────
286 data "aws_iam_policy_document" "this_transfer_workflow" {
...
294 [ resources = ["${aws_s3_bucket.landing_bucket.arn}/*"]
...
338 }
────────────────────────────────────────────────────────────────────────────────
Individual Causes

  • modules/landing_zone/main.tf:1-25 (module.capita) 3 instances
    ────────────────────────────────────────────────────────────────────────────────
    ID aws-iam-no-policy-wildcards
    Impact Overly permissive policies may grant access to sensitive resources
    Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

More Information

Results #19-21 HIGH IAM policy document uses sensitive action 's3:PutObject' on wildcarded resource 'e3166581-e50b-4749-998c-fa08c4bc4108/*' (3 similar results)
────────────────────────────────────────────────────────────────────────────────
modules/landing_zone/main.tf:303
via main.tf:1-25 (module.capita)
────────────────────────────────────────────────────────────────────────────────
286 data "aws_iam_policy_document" "this_transfer_workflow" {
...
303 [ resources = ["${var.data_store_bucket.arn}/*"]
...
338 }
────────────────────────────────────────────────────────────────────────────────
Individual Causes

  • modules/landing_zone/main.tf:1-25 (module.capita) 3 instances
    ────────────────────────────────────────────────────────────────────────────────
    ID aws-iam-no-policy-wildcards
    Impact Overly permissive policies may grant access to sensitive resources
    Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

More Information

Results #22-27 HIGH IAM policy document uses sensitive action 's3:PutObjectTagging' on wildcarded resource 'e3166581-e50b-4749-998c-fa08c4bc4108/*' (6 similar results)
────────────────────────────────────────────────────────────────────────────────
modules/landing_zone/main.tf:323-326
via main.tf:1-25 (module.capita)
────────────────────────────────────────────────────────────────────────────────
286 data "aws_iam_policy_document" "this_transfer_workflow" {
...
323 ┌ resources = [
324 │ "${var.data_store_bucket.arn}/*",
325 │ "${aws_s3_bucket.landing_bucket.arn}/*",
326 └ ]
...
338 }
────────────────────────────────────────────────────────────────────────────────
Individual Causes

  • modules/landing_zone/main.tf:1-25 (module.capita) 6 instances
    ────────────────────────────────────────────────────────────────────────────────
    ID aws-iam-no-policy-wildcards
    Impact Overly permissive policies may grant access to sensitive resources
    Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

More Information

Results #28-30 HIGH IAM policy document uses sensitive action 's3:DeleteObject' on wildcarded resource 'e1ace58f-1453-4603-8cbc-c0e5dcab7f8b/*' (3 similar results)
────────────────────────────────────────────────────────────────────────────────
modules/landing_zone/main.tf:336
via main.tf:1-25 (module.capita)
────────────────────────────────────────────────────────────────────────────────
286 data "aws_iam_policy_document" "this_transfer_workflow" {
...
336 [ resources = ["${aws_s3_bucket.landing_bucket.arn}/*"]
...
338 }
────────────────────────────────────────────────────────────────────────────────
Individual Causes

  • modules/landing_zone/main.tf:1-25 (module.capita) 3 instances
    ────────────────────────────────────────────────────────────────────────────────
    ID aws-iam-no-policy-wildcards
    Impact Overly permissive policies may grant access to sensitive resources
    Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

More Information

Results #31-33 HIGH Bucket does not encrypt data with a customer managed key. (3 similar results)
────────────────────────────────────────────────────────────────────────────────
modules/landing_zone/main.tf:37-45
via main.tf:51-81 (module.g4s)
────────────────────────────────────────────────────────────────────────────────
37 resource "aws_s3_bucket_server_side_encryption_configuration" "landing_bucket" {
38 bucket = aws_s3_bucket.landing_bucket.id
39
40 rule {
41 apply_server_side_encryption_by_default {
42 sse_algorithm = "AES256"
43 }
44 }
45 }
────────────────────────────────────────────────────────────────────────────────
Individual Causes

  • modules/landing_zone/main.tf:51-81 (module.g4s)
  • modules/landing_zone/main.tf:27-49 (module.civica)
  • modules/landing_zone/main.tf:1-25 (module.capita)
    ────────────────────────────────────────────────────────────────────────────────
    ID aws-s3-encryption-customer-key
    Impact Using AWS managed keys does not allow for fine grained control
    Resolution Enable encryption using customer managed keys

More Information

Results #34-37 HIGH Bucket does not encrypt data with a customer managed key. (4 similar results)
────────────────────────────────────────────────────────────────────────────────
modules/s3_log_bucket/main.tf:17-25
via modules/landing_zone/main.tf:105-113 (module.log_bucket)
via main.tf:1-25 (module.capita)
────────────────────────────────────────────────────────────────────────────────
17 resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
18 bucket = aws_s3_bucket.this.id
19
20 rule {
21 apply_server_side_encryption_by_default {
22 sse_algorithm = "AES256"
23 }
24 }
25 }
────────────────────────────────────────────────────────────────────────────────
Individual Causes

  • modules/s3_log_bucket/main.tf:1-25 (module.capita) 3 instances
  • modules/s3_log_bucket/main.tf:5-10 (module.data_store_log_bucket)
    ────────────────────────────────────────────────────────────────────────────────
    ID aws-s3-encryption-customer-key
    Impact Using AWS managed keys does not allow for fine grained control
    Resolution Enable encryption using customer managed keys

More Information

Results #38-40 MEDIUM Bucket does not have versioning enabled (3 similar results)
────────────────────────────────────────────────────────────────────────────────
modules/landing_zone/main.tf:84
via main.tf:27-49 (module.civica)
────────────────────────────────────────────────────────────────────────────────
81 resource "aws_s3_bucket_versioning" "landing_bucket" {
82 bucket = aws_s3_bucket.landing_bucket.id
83 versioning_configuration {
84 [ status = "Disabled"
85 }
86 }
────────────────────────────────────────────────────────────────────────────────
Individual Causes

  • modules/landing_zone/main.tf:27-49 (module.civica)
  • modules/landing_zone/main.tf:1-25 (module.capita)
  • modules/landing_zone/main.tf:51-81 (module.g4s)
    ────────────────────────────────────────────────────────────────────────────────
    ID aws-s3-enable-versioning
    Impact Deleted or modified data would not be recoverable
    Resolution Enable versioning to protect against accidental/malicious removal or modification

More Information

Results #41-44 MEDIUM Bucket does not have logging enabled (4 similar results)
────────────────────────────────────────────────────────────────────────────────
modules/s3_log_bucket/main.tf:2-8
via modules/landing_zone/main.tf:105-113 (module.log_bucket)
via main.tf:1-25 (module.capita)
────────────────────────────────────────────────────────────────────────────────
2 resource "aws_s3_bucket" "this" {
3 bucket = "${var.source_bucket.id}-logs"
4
5 force_destroy = true
6
7 tags = var.tags
8 }
────────────────────────────────────────────────────────────────────────────────
Individual Causes

  • modules/s3_log_bucket/main.tf:1-25 (module.capita)
  • modules/s3_log_bucket/main.tf:27-49 (module.civica)
  • modules/s3_log_bucket/main.tf:51-81 (module.g4s)
  • modules/s3_log_bucket/main.tf:5-10 (module.data_store_log_bucket)
    ────────────────────────────────────────────────────────────────────────────────
    ID aws-s3-enable-bucket-logging
    Impact There is no way to determine the access to this bucket
    Resolution Add a logging block to the resource to enable access logging

More Information

Result #45 LOW Function does not have tracing enabled.
────────────────────────────────────────────────────────────────────────────────
data_store.tf:126-140
────────────────────────────────────────────────────────────────────────────────
126 ┌ resource "aws_lambda_function" "calculate_checksum_lambda" {
127 │ filename = "calculate_checksum_lambda.zip"
128 │ function_name = "calculate-checksum-lambda"
129 │ role = aws_iam_role.calculate_checksum_lambda.arn
130 │ handler = "calculate_checksum_lambda.handler"
131 │ runtime = "python3.12"
132 │ memory_size = 1024
133 │ timeout = 900
134 └
...
────────────────────────────────────────────────────────────────────────────────
ID aws-lambda-enable-tracing
Impact Without full tracing enabled it is difficult to trace the flow of logs
Resolution Enable tracing

More Information

Result #46 LOW Function does not have tracing enabled.
────────────────────────────────────────────────────────────────────────────────
data_store.tf:192-199
────────────────────────────────────────────────────────────────────────────────
192 resource "aws_lambda_function" "summarise_zip_lambda" {
193 filename = "summarise_zip_lambda.zip"
194 function_name = "summarise-zip-lambda"
195 role = aws_iam_role.summarise_zip_lambda.arn
196 handler = "summarise_zip_lambda.handler"
197 runtime = "python3.12"
198 timeout = 600
199 }
────────────────────────────────────────────────────────────────────────────────
ID aws-lambda-enable-tracing
Impact Without full tracing enabled it is difficult to trace the flow of logs
Resolution Enable tracing

More Information

timings
──────────────────────────────────────────
disk i/o 1.434696ms
parsing 111.618927ms
adaptation 19.000865ms
checks 5.42289ms
total 137.477378ms

counts
──────────────────────────────────────────
modules downloaded 0
modules processed 32
blocks processed 437
files read 90

results
──────────────────────────────────────────
passed 167
ignored 0
critical 0
high 37
medium 7
low 2

167 passed, 46 potential problem(s) detected.

tfsec_exitcode=1

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/electronic-monitoring-data

*****************************

Running Checkov in terraform/environments/electronic-monitoring-data
terraform scan results:

Passed checks: 504, Failed checks: 50, Skipped checks: 0

Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:126-140
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1

		126 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		127 |   filename      = "calculate_checksum_lambda.zip"
		128 |   function_name = "calculate-checksum-lambda"
		129 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		130 |   handler       = "calculate_checksum_lambda.handler"
		131 |   runtime       = "python3.12"
		132 |   memory_size   = 1024
		133 |   timeout       = 900
		134 | 
		135 |   environment {
		136 |     variables = {
		137 |       Checksum = var.checksum_algorithm
		138 |     }
		139 |   }
		140 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:126-140
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		126 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		127 |   filename      = "calculate_checksum_lambda.zip"
		128 |   function_name = "calculate-checksum-lambda"
		129 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		130 |   handler       = "calculate_checksum_lambda.handler"
		131 |   runtime       = "python3.12"
		132 |   memory_size   = 1024
		133 |   timeout       = 900
		134 | 
		135 |   environment {
		136 |     variables = {
		137 |       Checksum = var.checksum_algorithm
		138 |     }
		139 |   }
		140 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:126-140
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		126 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		127 |   filename      = "calculate_checksum_lambda.zip"
		128 |   function_name = "calculate-checksum-lambda"
		129 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		130 |   handler       = "calculate_checksum_lambda.handler"
		131 |   runtime       = "python3.12"
		132 |   memory_size   = 1024
		133 |   timeout       = 900
		134 | 
		135 |   environment {
		136 |     variables = {
		137 |       Checksum = var.checksum_algorithm
		138 |     }
		139 |   }
		140 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:126-140
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		126 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		127 |   filename      = "calculate_checksum_lambda.zip"
		128 |   function_name = "calculate-checksum-lambda"
		129 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		130 |   handler       = "calculate_checksum_lambda.handler"
		131 |   runtime       = "python3.12"
		132 |   memory_size   = 1024
		133 |   timeout       = 900
		134 | 
		135 |   environment {
		136 |     variables = {
		137 |       Checksum = var.checksum_algorithm
		138 |     }
		139 |   }
		140 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:126-140
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		126 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		127 |   filename      = "calculate_checksum_lambda.zip"
		128 |   function_name = "calculate-checksum-lambda"
		129 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		130 |   handler       = "calculate_checksum_lambda.handler"
		131 |   runtime       = "python3.12"
		132 |   memory_size   = 1024
		133 |   timeout       = 900
		134 | 
		135 |   environment {
		136 |     variables = {
		137 |       Checksum = var.checksum_algorithm
		138 |     }
		139 |   }
		140 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:126-140
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		126 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		127 |   filename      = "calculate_checksum_lambda.zip"
		128 |   function_name = "calculate-checksum-lambda"
		129 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		130 |   handler       = "calculate_checksum_lambda.handler"
		131 |   runtime       = "python3.12"
		132 |   memory_size   = 1024
		133 |   timeout       = 900
		134 | 
		135 |   environment {
		136 |     variables = {
		137 |       Checksum = var.checksum_algorithm
		138 |     }
		139 |   }
		140 | }

Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:192-199
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1

		192 | resource "aws_lambda_function" "summarise_zip_lambda" {
		193 |   filename      = "summarise_zip_lambda.zip"
		194 |   function_name = "summarise-zip-lambda"
		195 |   role          = aws_iam_role.summarise_zip_lambda.arn
		196 |   handler       = "summarise_zip_lambda.handler"
		197 |   runtime       = "python3.12"
		198 |   timeout       = 600
		199 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:192-199
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		192 | resource "aws_lambda_function" "summarise_zip_lambda" {
		193 |   filename      = "summarise_zip_lambda.zip"
		194 |   function_name = "summarise-zip-lambda"
		195 |   role          = aws_iam_role.summarise_zip_lambda.arn
		196 |   handler       = "summarise_zip_lambda.handler"
		197 |   runtime       = "python3.12"
		198 |   timeout       = 600
		199 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:192-199
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		192 | resource "aws_lambda_function" "summarise_zip_lambda" {
		193 |   filename      = "summarise_zip_lambda.zip"
		194 |   function_name = "summarise-zip-lambda"
		195 |   role          = aws_iam_role.summarise_zip_lambda.arn
		196 |   handler       = "summarise_zip_lambda.handler"
		197 |   runtime       = "python3.12"
		198 |   timeout       = 600
		199 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:192-199
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		192 | resource "aws_lambda_function" "summarise_zip_lambda" {
		193 |   filename      = "summarise_zip_lambda.zip"
		194 |   function_name = "summarise-zip-lambda"
		195 |   role          = aws_iam_role.summarise_zip_lambda.arn
		196 |   handler       = "summarise_zip_lambda.handler"
		197 |   runtime       = "python3.12"
		198 |   timeout       = 600
		199 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:192-199
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		192 | resource "aws_lambda_function" "summarise_zip_lambda" {
		193 |   filename      = "summarise_zip_lambda.zip"
		194 |   function_name = "summarise-zip-lambda"
		195 |   role          = aws_iam_role.summarise_zip_lambda.arn
		196 |   handler       = "summarise_zip_lambda.handler"
		197 |   runtime       = "python3.12"
		198 |   timeout       = 600
		199 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.capita.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-35
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = {
		33 |     supplier = var.supplier
		34 |   }
		35 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.civica.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-35
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = {
		33 |     supplier = var.supplier
		34 |   }
		35 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.g4s.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-35
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = {
		33 |     supplier = var.supplier
		34 |   }
		35 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.data_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		2 | resource "aws_s3_bucket" "this" {
		3 |   bucket = "${var.source_bucket.id}-logs"
		4 | 
		5 |   force_destroy = true
		6 | 
		7 |   tags = var.tags
		8 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.capita.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		2 | resource "aws_s3_bucket" "this" {
		3 |   bucket = "${var.source_bucket.id}-logs"
		4 | 
		5 |   force_destroy = true
		6 | 
		7 |   tags = var.tags
		8 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.civica.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		2 | resource "aws_s3_bucket" "this" {
		3 |   bucket = "${var.source_bucket.id}-logs"
		4 | 
		5 |   force_destroy = true
		6 | 
		7 |   tags = var.tags
		8 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.g4s.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		2 | resource "aws_s3_bucket" "this" {
		3 |   bucket = "${var.source_bucket.id}-logs"
		4 | 
		5 |   force_destroy = true
		6 | 
		7 |   tags = var.tags
		8 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: module.capita.module.landing_zone_security_groups.aws_security_group.this
	File: /modules/landing_zone/server_security_group/main.tf:7-19
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		7  | resource "aws_security_group" "this" {
		8  |   name        = "${var.supplier}-${var.user_name}-inbound-ips"
		9  |   description = "Allowed IP addresses for ${var.user_name} on ${var.supplier} server"
		10 |   vpc_id      = var.vpc_id
		11 |   
		12 |   lifecycle {
		13 |     create_before_destroy = true
		14 |   }
		15 | 
		16 |   tags = {
		17 |     supplier = var.user_name
		18 |   }
		19 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: module.civica.module.landing_zone_security_groups.aws_security_group.this
	File: /modules/landing_zone/server_security_group/main.tf:7-19
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		7  | resource "aws_security_group" "this" {
		8  |   name        = "${var.supplier}-${var.user_name}-inbound-ips"
		9  |   description = "Allowed IP addresses for ${var.user_name} on ${var.supplier} server"
		10 |   vpc_id      = var.vpc_id
		11 |   
		12 |   lifecycle {
		13 |     create_before_destroy = true
		14 |   }
		15 | 
		16 |   tags = {
		17 |     supplier = var.user_name
		18 |   }
		19 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: module.g4s.module.landing_zone_security_groups.aws_security_group.this
	File: /modules/landing_zone/server_security_group/main.tf:7-19
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		7  | resource "aws_security_group" "this" {
		8  |   name        = "${var.supplier}-${var.user_name}-inbound-ips"
		9  |   description = "Allowed IP addresses for ${var.user_name} on ${var.supplier} server"
		10 |   vpc_id      = var.vpc_id
		11 |   
		12 |   lifecycle {
		13 |     create_before_destroy = true
		14 |   }
		15 | 
		16 |   tags = {
		17 |     supplier = var.user_name
		18 |   }
		19 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.data_store
	File: /data_store.tf:16-18
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		16 | resource "aws_s3_bucket" "data_store" {
		17 |   bucket_prefix = "em-data-store-"
		18 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.capita.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-35
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = {
		33 |     supplier = var.supplier
		34 |   }
		35 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.civica.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-35
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = {
		33 |     supplier = var.supplier
		34 |   }
		35 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.g4s.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-35
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = {
		33 |     supplier = var.supplier
		34 |   }
		35 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.data_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		2 | resource "aws_s3_bucket" "this" {
		3 |   bucket = "${var.source_bucket.id}-logs"
		4 | 
		5 |   force_destroy = true
		6 | 
		7 |   tags = var.tags
		8 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.capita.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		2 | resource "aws_s3_bucket" "this" {
		3 |   bucket = "${var.source_bucket.id}-logs"
		4 | 
		5 |   force_destroy = true
		6 | 
		7 |   tags = var.tags
		8 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.civica.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		2 | resource "aws_s3_bucket" "this" {
		3 |   bucket = "${var.source_bucket.id}-logs"
		4 | 
		5 |   force_destroy = true
		6 | 
		7 |   tags = var.tags
		8 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.g4s.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		2 | resource "aws_s3_bucket" "this" {
		3 |   bucket = "${var.source_bucket.id}-logs"
		4 | 
		5 |   force_destroy = true
		6 | 
		7 |   tags = var.tags
		8 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: module.civica.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		2 | resource "aws_s3_bucket" "this" {
		3 |   bucket = "${var.source_bucket.id}-logs"
		4 | 
		5 |   force_destroy = true
		6 | 
		7 |   tags = var.tags
		8 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: module.g4s.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		2 | resource "aws_s3_bucket" "this" {
		3 |   bucket = "${var.source_bucket.id}-logs"
		4 | 
		5 |   force_destroy = true
		6 | 
		7 |   tags = var.tags
		8 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: module.capita.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-35
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = {
		33 |     supplier = var.supplier
		34 |   }
		35 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: module.civica.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-35
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = {
		33 |     supplier = var.supplier
		34 |   }
		35 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: module.g4s.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-35
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = {
		33 |     supplier = var.supplier
		34 |   }
		35 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.data_store
	File: /data_store.tf:16-18
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		16 | resource "aws_s3_bucket" "data_store" {
		17 |   bucket_prefix = "em-data-store-"
		18 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.capita.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-35
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = {
		33 |     supplier = var.supplier
		34 |   }
		35 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.civica.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-35
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = {
		33 |     supplier = var.supplier
		34 |   }
		35 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.g4s.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-35
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = {
		33 |     supplier = var.supplier
		34 |   }
		35 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.data_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		2 | resource "aws_s3_bucket" "this" {
		3 |   bucket = "${var.source_bucket.id}-logs"
		4 | 
		5 |   force_destroy = true
		6 | 
		7 |   tags = var.tags
		8 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.capita.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		2 | resource "aws_s3_bucket" "this" {
		3 |   bucket = "${var.source_bucket.id}-logs"
		4 | 
		5 |   force_destroy = true
		6 | 
		7 |   tags = var.tags
		8 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.civica.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		2 | resource "aws_s3_bucket" "this" {
		3 |   bucket = "${var.source_bucket.id}-logs"
		4 | 
		5 |   force_destroy = true
		6 | 
		7 |   tags = var.tags
		8 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.g4s.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		2 | resource "aws_s3_bucket" "this" {
		3 |   bucket = "${var.source_bucket.id}-logs"
		4 | 
		5 |   force_destroy = true
		6 | 
		7 |   tags = var.tags
		8 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.data_store
	File: /data_store.tf:16-18
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		16 | resource "aws_s3_bucket" "data_store" {
		17 |   bucket_prefix = "em-data-store-"
		18 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.capita.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-35
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = {
		33 |     supplier = var.supplier
		34 |   }
		35 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.civica.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-35
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = {
		33 |     supplier = var.supplier
		34 |   }
		35 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.g4s.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-35
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = {
		33 |     supplier = var.supplier
		34 |   }
		35 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.data_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		2 | resource "aws_s3_bucket" "this" {
		3 |   bucket = "${var.source_bucket.id}-logs"
		4 | 
		5 |   force_destroy = true
		6 | 
		7 |   tags = var.tags
		8 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.capita.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		2 | resource "aws_s3_bucket" "this" {
		3 |   bucket = "${var.source_bucket.id}-logs"
		4 | 
		5 |   force_destroy = true
		6 | 
		7 |   tags = var.tags
		8 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.civica.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		2 | resource "aws_s3_bucket" "this" {
		3 |   bucket = "${var.source_bucket.id}-logs"
		4 | 
		5 |   force_destroy = true
		6 | 
		7 |   tags = var.tags
		8 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.g4s.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		2 | resource "aws_s3_bucket" "this" {
		3 |   bucket = "${var.source_bucket.id}-logs"
		4 | 
		5 |   force_destroy = true
		6 | 
		7 |   tags = var.tags
		8 | }


checkov_exitcode=1

CTFLint Scan Failed

*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
terraform/environments/electronic-monitoring-data

*****************************

Running tflint in terraform/environments/electronic-monitoring-data
Excluding the following checks: terraform_unused_declarations
4 issue(s) found:

Warning: `checksum_algorithm` variable has no type (terraform_typed_variables)

  on terraform/environments/electronic-monitoring-data/data_store.tf line 115:
 115: variable "checksum_algorithm" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_typed_variables.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/data_store.tf line 179:
 179:   source_arn    = "${aws_s3_bucket.data_store.arn}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "archive" in `required_providers` (terraform_required_providers)

  on terraform/environments/electronic-monitoring-data/data_store.tf line 186:
 186: data "archive_file" "summarise_zip_lambda" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/data_store.tf line 231:
 231:   source_arn    = "${aws_s3_bucket.data_store.arn}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

tflint_exitcode=2

Trivy Scan

TFSEC Scan Success

Checkov Scan Success

CTFLint Scan Success

Trivy Scan
TFSEC Scan Success


TFSEC will check the following folders:
terraform/environments/hmpps-domain-services


Running TFSEC in terraform/environments/hmpps-domain-services
Excluding the following checks: AWS095

======================================================
tfsec is joining the Trivy family

tfsec will continue to remain available
for the time being, although our engineering
attention will be directed at Trivy going forward.

You can read more here:
aquasecurity/tfsec#1994

timings
──────────────────────────────────────────
disk i/o 1.757704ms
parsing 165.870392ms
adaptation 127.479µs
checks 10.263109ms
total 178.018684ms

counts
──────────────────────────────────────────
modules downloaded 0
modules processed 5
blocks processed 293
files read 77

results
──────────────────────────────────────────
passed 1
ignored 0
critical 0
high 0
medium 0
low 0

No problems detected!

tfsec_exitcode=0

Checkov Scan Failed

*****************************

Checkov will check the following folders:
terraform/environments/hmpps-domain-services

*****************************

Running Checkov in terraform/environments/hmpps-domain-services
2024-02-16 15:18:48,165 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-lambda-function:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 131, Failed checks: 1, Skipped checks: 20

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: ad-clean-up-lambda
	File: /lambda.tf:7-33
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		7  | module "ad-clean-up-lambda" {
		8  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-lambda-function" # ref for V3.1
		9  |   count  = local.environment == "development" ? 1 : 0   # temporary
		10 | 
		11 | 
		12 |   application_name = local.lambda_ad_object_cleanup.function_name
		13 |   function_name    = local.lambda_ad_object_cleanup.function_name
		14 |   description      = "Lambda to remove corresponding computer object from Active Directory upon server termination"
		15 |   package_type     = "Zip"
		16 |   filename         = data.archive_file.ad-cleanup-lambda.output_path
		17 |   source_code_hash = data.archive_file.ad-cleanup-lambda.output_base64sha256
		18 |   handler          = "lambda_function.lambda_handler"
		19 |   runtime          = "python3.8"
		20 | 
		21 |   create_role = false
		22 |   lambda_role = aws_iam_role.lambda-ad-role[count.index].arn
		23 | 
		24 |   vpc_subnet_ids         = tolist(data.aws_subnets.shared-private.ids)
		25 |   vpc_security_group_ids = [module.baseline.security_groups["domain"].id]
		26 | 
		27 |   tags = merge(
		28 |     local.tags,
		29 |     {
		30 |       Name = "ad-clean-up-lambda"
		31 |     },
		32 |   )
		33 | }


checkov_exitcode=1

CTFLint Scan Failed

*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
terraform/environments/hmpps-domain-services

*****************************

Running tflint in terraform/environments/hmpps-domain-services
Excluding the following checks: terraform_unused_declarations
2 issue(s) found:

Warning: Module source "github.com/ministryofjustice/modernisation-platform-terraform-lambda-function" is not pinned (terraform_module_pinned_source)

  on terraform/environments/hmpps-domain-services/lambda.tf line 8:
   8:   source = "github.com/ministryofjustice/modernisation-platform-terraform-lambda-function" # ref for V3.1

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_module_pinned_source.md

Warning: Missing version constraint for provider "archive" in `required_providers` (terraform_required_providers)

  on terraform/environments/hmpps-domain-services/lambda.tf line 35:
  35: data "archive_file" "ad-cleanup-lambda" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

tflint_exitcode=2

Trivy Scan

TFSEC Scan Success

Checkov Scan Success

CTFLint Scan Success

Trivy Scan

TFSEC Scan Success

Checkov Scan Success

CTFLint Scan Success

Trivy Scan