
🛂 Airflow repository access to APC #6558

Merged
merged 3 commits into from
Jun 13, 2024

jacobwoffenden
Member

@jacobwoffenden jacobwoffenden commented Jun 12, 2024

This pull request:

Signed-off-by: Jacob Woffenden <[email protected]>
@jacobwoffenden jacobwoffenden self-assigned this Jun 12, 2024
@jacobwoffenden jacobwoffenden requested review from a team as code owners June 12, 2024 16:09
@github-actions github-actions bot added the environments-repository Used to exclude PRs from this repo in our Slack PR update label Jun 12, 2024
@jacobwoffenden jacobwoffenden temporarily deployed to analytical-platform-compute-test June 12, 2024 16:11 — with GitHub Actions Inactive
@jacobwoffenden jacobwoffenden temporarily deployed to analytical-platform-compute-development June 12, 2024 16:11 — with GitHub Actions Inactive
Contributor

#### `Trivy Scan` Failed
<details><summary>Show Output</summary>

```hcl

Trivy will check the following folders:
terraform/environments/analytical-platform-compute terraform/environments/tipstaff


Running Trivy in terraform/environments/analytical-platform-compute
2024-06-12T16:11:10Z INFO Need to update DB
2024-06-12T16:11:10Z INFO Downloading DB... repository="ghcr.io/aquasecurity/trivy-db:2"
2024-06-12T16:11:12Z INFO Vulnerability scanning is enabled
2024-06-12T16:11:12Z INFO Misconfiguration scanning is enabled
2024-06-12T16:11:12Z INFO Need to update the built-in policies
2024-06-12T16:11:12Z INFO Downloading the built-in policies...
53.79 KiB / 53.79 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s
2024-06-12T16:11:12Z INFO Secret scanning is enabled
2024-06-12T16:11:12Z INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-12T16:11:12Z INFO Please see also https://aquasecurity.github.io/trivy/v0.52/docs/scanner/secret/#recommendation for faster secret detection
2024-06-12T16:11:29Z INFO Number of language-specific files num=0
2024-06-12T16:11:29Z INFO Detected config files num=13

git::https:/github.com/terraform-aws-modules/terraform-aws-eks?ref=098c6a86ca716dae74bd98974accc29f66178c43/main.tf (terraform)

Tests: 5 (SUCCESSES: 1, FAILURES: 0, EXCEPTIONS: 4)
Failures: 0 (HIGH: 0, CRITICAL: 0)

git::https:/github.com/terraform-aws-modules/terraform-aws-iam?ref=de95e21a3bc51cd3a44b3b95a4c2f61000649ebb/modules/iam-role-for-service-accounts-eks/policies.tf (terraform)

Tests: 22 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 22)
Failures: 0 (HIGH: 0, CRITICAL: 0)

iam-policies.tf (terraform)

Tests: 6 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 6)
Failures: 0 (HIGH: 0, CRITICAL: 0)

trivy_exitcode=0


Running Trivy in terraform/environments/tipstaff
2024-06-12T16:11:29Z INFO Vulnerability scanning is enabled
2024-06-12T16:11:29Z INFO Misconfiguration scanning is enabled
2024-06-12T16:11:29Z INFO Secret scanning is enabled
2024-06-12T16:11:29Z INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-12T16:11:29Z INFO Please see also https://aquasecurity.github.io/trivy/v0.52/docs/scanner/secret/#recommendation for faster secret detection
2024-06-12T16:11:36Z INFO Number of language-specific files num=0
2024-06-12T16:11:36Z INFO Detected config files num=7

ecs.tf (terraform)

Tests: 13 (SUCCESSES: 3, FAILURES: 4, EXCEPTIONS: 6)
Failures: 4 (HIGH: 3, CRITICAL: 1)

HIGH: Image scanning is not enabled.
════════════════════════════════════════
Repository image scans should be enabled to ensure vulnerable software can be discovered and remediated as soon as possible.

See https://avd.aquasec.com/misconfig/avd-aws-0030
────────────────────────────────────────
ecs.tf:355-358
────────────────────────────────────────
355 ┌ resource "aws_ecr_repository" "tipstaff_ecr_repo" {
356 │ name = "tipstaff-ecr-repo"
357 │ force_delete = true
358 └ }
────────────────────────────────────────

HIGH: Topic does not have encryption enabled.
════════════════════════════════════════
Topics should be encrypted to protect their contents.

See https://avd.aquasec.com/misconfig/avd-aws-0095
────────────────────────────────────────
ecs.tf:454-457
────────────────────────────────────────
454 ┌ resource "aws_sns_topic" "ddos_alarm" {
455 │ count = local.is-development ? 0 : 1
456 │ name = "tipstaff_ddos_alarm"
457 └ }
────────────────────────────────────────

HIGH: Topic does not have encryption enabled.
════════════════════════════════════════
Topics should be encrypted to protect their contents.

See https://avd.aquasec.com/misconfig/avd-aws-0095
────────────────────────────────────────
ecs.tf:459-462
────────────────────────────────────────
459 ┌ resource "aws_sns_topic" "tipstaff_utilisation_alarm" {
460 │ count = local.is-development ? 0 : 1
461 │ name = "tipstaff_utilisation_alarm"
462 └ }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ecs.tf:351
via ecs.tf:347-352 (egress)
via ecs.tf:335-353 (aws_security_group.ecs_service)
────────────────────────────────────────
335 resource "aws_security_group" "ecs_service" {
...
351 [ cidr_blocks = ["0.0.0.0/0"]
...
353 }
────────────────────────────────────────

github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf (terraform)

Tests: 7 (SUCCESSES: 5, FAILURES: 0, EXCEPTIONS: 2)
Failures: 0 (HIGH: 0, CRITICAL: 0)

load_balancer.tf (terraform)

Tests: 12 (SUCCESSES: 7, FAILURES: 5, EXCEPTIONS: 0)
Failures: 5 (HIGH: 2, CRITICAL: 3)

HIGH: Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.

By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.

See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
load_balancer.tf:238-246
────────────────────────────────────────
238 ┌ resource "aws_lb" "tipstaff_lb" {
239 │ name = "tipstaff-load-balancer"
240 │ load_balancer_type = "application"
241 │ security_groups = [aws_security_group.tipstaff_lb_sc.id, aws_security_group.tipstaff_lb_sc_pingdom.id, aws_security_group.tipstaff_lb_sc_pingdom_2.id]
242 │ subnets = data.aws_subnets.shared-public.ids
243 │ enable_deletion_protection = false
244 │ internal = false
245 │ depends_on = [aws_security_group.tipstaff_lb_sc]
246 └ }
────────────────────────────────────────

HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
load_balancer.tf:244
via load_balancer.tf:238-246 (aws_lb.tipstaff_lb)
────────────────────────────────────────
238 resource "aws_lb" "tipstaff_lb" {
239 name = "tipstaff-load-balancer"
240 load_balancer_type = "application"
241 security_groups = [aws_security_group.tipstaff_lb_sc.id, aws_security_group.tipstaff_lb_sc_pingdom.id, aws_security_group.tipstaff_lb_sc_pingdom_2.id]
242 subnets = data.aws_subnets.shared-public.ids
243 enable_deletion_protection = false
244 [ internal = false
245 depends_on = [aws_security_group.tipstaff_lb_sc]
246 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
load_balancer.tf:88
via load_balancer.tf:83-89 (egress)
via load_balancer.tf:1-90 (aws_security_group.tipstaff_lb_sc)
────────────────────────────────────────
1 resource "aws_security_group" "tipstaff_lb_sc" {
.
88 [ cidr_blocks = ["0.0.0.0/0"]
..
90 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
load_balancer.tf:80
via load_balancer.tf:75-81 (egress)
via load_balancer.tf:1-90 (aws_security_group.tipstaff_lb_sc)
────────────────────────────────────────
1 resource "aws_security_group" "tipstaff_lb_sc" {
.
80 [ cidr_blocks = ["0.0.0.0/0"]
..
90 }
────────────────────────────────────────

CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
load_balancer.tf:27-56
via load_balancer.tf:23-57 (ingress)
via load_balancer.tf:1-90 (aws_security_group.tipstaff_lb_sc)
────────────────────────────────────────
1 resource "aws_security_group" "tipstaff_lb_sc" {
.
27 ┌ cidr_blocks = [
28 │ "178.248.34.44/32",
29 │ "194.33.192.0/25",
30 │ "195.59.75.0/24",
31 │ "178.248.34.45/32",
32 │ "201.33.21.5/32",
33 └ "178.248.34.46/32",
..
────────────────────────────────────────

rds.tf (terraform)

Tests: 5 (SUCCESSES: 3, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 1, CRITICAL: 1)

HIGH: Instance does not have storage encryption enabled.
════════════════════════════════════════
Encryption should be enabled for RDS database instances.

When enabling encryption by setting the kms_key_id.

See https://avd.aquasec.com/misconfig/avd-aws-0080
────────────────────────────────────────
rds.tf:1-17
────────────────────────────────────────
1 ┌ resource "aws_db_instance" "tipstaff_db" {
2 │ count = local.is-development ? 0 : 1
3 │ allocated_storage = local.application_data.accounts[local.environment].allocated_storage
4 │ db_name = local.application_data.accounts[local.environment].db_name
5 │ storage_type = local.application_data.accounts[local.environment].storage_type
6 │ engine = local.application_data.accounts[local.environment].engine
7 │ identifier = local.application_data.accounts[local.environment].identifier
8 │ engine_version = local.application_data.accounts[local.environment].engine_version
9 └ instance_class = local.application_data.accounts[local.environment].instance_class
..
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
rds.tf:57
via rds.tf:52-58 (egress)
via rds.tf:24-59 (aws_security_group.postgresql_db_sc[0])
────────────────────────────────────────
24 resource "aws_security_group" "postgresql_db_sc" {
..
57 [ cidr_blocks = ["0.0.0.0/0"]
..
59 }
────────────────────────────────────────

trivy_exitcode=1

```

</details>

#### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/analytical-platform-compute terraform/environments/tipstaff

*****************************

Running Checkov in terraform/environments/analytical-platform-compute
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-06-12 16:11:39,089 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks:5.39.1 (for external modules, the --download-external-modules flag is required)
2024-06-12 16:11:39,089 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-github-oidc-role:5.39.1 (for external modules, the --download-external-modules flag is required)
2024-06-12 16:11:39,089 [MainThread  ] [WARNI]  Failed to download module ministryofjustice/observability-platform-tenant/aws:1.2.0 (for external modules, the --download-external-modules flag is required)
2024-06-12 16:11:39,089 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/secrets-manager/aws:1.1.2 (for external modules, the --download-external-modules flag is required)
2024-06-12 16:11:39,089 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/s3-bucket/aws:4.1.2 (for external modules, the --download-external-modules flag is required)
2024-06-12 16:11:39,089 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/vpc/aws//modules/vpc-endpoints:5.8.1 (for external modules, the --download-external-modules flag is required)
2024-06-12 16:11:39,090 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-policy:5.39.1 (for external modules, the --download-external-modules flag is required)
2024-06-12 16:11:39,090 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/vpc/aws:5.8.1 (for external modules, the --download-external-modules flag is required)
2024-06-12 16:11:39,090 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/security-group/aws:5.1.2 (for external modules, the --download-external-modules flag is required)
2024-06-12 16:11:39,090 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/rds/aws:6.6.0 (for external modules, the --download-external-modules flag is required)
2024-06-12 16:11:39,090 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/eks/aws:20.13.1 (for external modules, the --download-external-modules flag is required)
2024-06-12 16:11:39,090 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/kms/aws:3.0.0 (for external modules, the --download-external-modules flag is required)
2024-06-12 16:11:39,091 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/route53/aws//modules/zones:3.1.0 (for external modules, the --download-external-modules flag is required)
2024-06-12 16:11:39,091 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/cloudwatch/aws//modules/log-group:5.3.1 (for external modules, the --download-external-modules flag is required)
2024-06-12 16:11:39,091 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/eks-pod-identity/aws:1.2.1 (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 69, Failed checks: 0, Skipped checks: 74


checkov_exitcode=0

*****************************

Running Checkov in terraform/environments/tipstaff
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-06-12 16:11:42,331 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0:None (for external modules, the --download-external-modules flag is required)
2024-06-12 16:11:42,332 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 92, Failed checks: 53, Skipped checks: 0

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: bastion_linux
	File: /ec2_bastion_linux.tf:2-29
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		2  | module "bastion_linux" {
		3  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1"
		4  | 
		5  |   providers = {
		6  |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		7  |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		8  |   }
		9  |   # s3 - used for logs and user ssh public keys
		10 |   bucket_name = "bastion-example"
		11 |   # public keys
		12 |   public_key_data = local.public_key_data.keys[local.environment]
		13 |   # logs
		14 |   log_auto_clean       = "Enabled"
		15 |   log_standard_ia_days = 30  # days before moving to IA storage
		16 |   log_glacier_days     = 60  # days before moving to Glacier
		17 |   log_expiry_days      = 180 # days before log expiration
		18 |   # bastion
		19 |   allow_ssh_commands = false
		20 |   app_name           = var.networking[0].application
		21 |   business_unit      = local.vpc_name
		22 |   subnet_set         = local.subnet_set
		23 |   environment        = local.environment
		24 |   region             = "eu-west-2"
		25 | 
		26 |   # Tags
		27 |   tags_common = local.tags
		28 |   tags_prefix = terraform.workspace
		29 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: pagerduty_core_alerts_non_prod
	File: /ecs.tf:482-490
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		482 | module "pagerduty_core_alerts_non_prod" {
		483 |   count = local.is-preproduction ? 1 : 0
		484 |   depends_on = [
		485 |     aws_sns_topic.tipstaff_utilisation_alarm
		486 |   ]
		487 |   source                    = "github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0"
		488 |   sns_topics                = [aws_sns_topic.tipstaff_utilisation_alarm[0].name]
		489 |   pagerduty_integration_key = local.pagerduty_integration_keys["tipstaff_non_prod_alarms"]
		490 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: pagerduty_core_alerts_prod
	File: /ecs.tf:493-501
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		493 | module "pagerduty_core_alerts_prod" {
		494 |   count = local.is-production ? 1 : 0
		495 |   depends_on = [
		496 |     aws_sns_topic.tipstaff_utilisation_alarm
		497 |   ]
		498 |   source                    = "github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0"
		499 |   sns_topics                = [aws_sns_topic.tipstaff_utilisation_alarm[0].name]
		500 |   pagerduty_integration_key = local.pagerduty_integration_keys["tipstaff_prod_alarms"]
		501 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.deployment_logs
	File: /ecs.tf:9-12
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		9  | resource "aws_cloudwatch_log_group" "deployment_logs" {
		10 |   name              = "/aws/events/deploymentLogs"
		11 |   retention_in_days = "7"
		12 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.ecs_logs
	File: /ecs.tf:14-17
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		14 | resource "aws_cloudwatch_log_group" "ecs_logs" {
		15 |   name              = "tipstaff-ecs"
		16 |   retention_in_days = "7"
		17 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:263-283
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		263 | resource "aws_iam_role_policy" "app_execution" {
		264 |   name = "execution-${var.networking[0].application}"
		265 |   role = aws_iam_role.app_execution.id
		266 | 
		267 |   policy = <<-EOF
		268 |   {
		269 |     "Version": "2012-10-17",
		270 |     "Statement": [
		271 |       {
		272 |            "Action": [
		273 |               "ecr:*",
		274 |               "logs:*",
		275 |               "secretsmanager:GetSecretValue"
		276 |            ],
		277 |            "Resource": "*",
		278 |            "Effect": "Allow"
		279 |       }
		280 |     ]
		281 |   }
		282 |   EOF
		283 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:263-283
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		263 | resource "aws_iam_role_policy" "app_execution" {
		264 |   name = "execution-${var.networking[0].application}"
		265 |   role = aws_iam_role.app_execution.id
		266 | 
		267 |   policy = <<-EOF
		268 |   {
		269 |     "Version": "2012-10-17",
		270 |     "Statement": [
		271 |       {
		272 |            "Action": [
		273 |               "ecr:*",
		274 |               "logs:*",
		275 |               "secretsmanager:GetSecretValue"
		276 |            ],
		277 |            "Resource": "*",
		278 |            "Effect": "Allow"
		279 |       }
		280 |     ]
		281 |   }
		282 |   EOF
		283 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:263-283
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		263 | resource "aws_iam_role_policy" "app_execution" {
		264 |   name = "execution-${var.networking[0].application}"
		265 |   role = aws_iam_role.app_execution.id
		266 | 
		267 |   policy = <<-EOF
		268 |   {
		269 |     "Version": "2012-10-17",
		270 |     "Statement": [
		271 |       {
		272 |            "Action": [
		273 |               "ecr:*",
		274 |               "logs:*",
		275 |               "secretsmanager:GetSecretValue"
		276 |            ],
		277 |            "Resource": "*",
		278 |            "Effect": "Allow"
		279 |       }
		280 |     ]
		281 |   }
		282 |   EOF
		283 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:263-283
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		263 | resource "aws_iam_role_policy" "app_execution" {
		264 |   name = "execution-${var.networking[0].application}"
		265 |   role = aws_iam_role.app_execution.id
		266 | 
		267 |   policy = <<-EOF
		268 |   {
		269 |     "Version": "2012-10-17",
		270 |     "Statement": [
		271 |       {
		272 |            "Action": [
		273 |               "ecr:*",
		274 |               "logs:*",
		275 |               "secretsmanager:GetSecretValue"
		276 |            ],
		277 |            "Resource": "*",
		278 |            "Effect": "Allow"
		279 |       }
		280 |     ]
		281 |   }
		282 |   EOF
		283 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:312-333
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		312 | resource "aws_iam_role_policy" "app_task" {
		313 |   name = "task-${var.networking[0].application}"
		314 |   role = aws_iam_role.app_task.id
		315 | 
		316 |   policy = <<-EOF
		317 |   {
		318 |    "Version": "2012-10-17",
		319 |    "Statement": [
		320 |      {
		321 |        "Effect": "Allow",
		322 |         "Action": [
		323 |           "logs:*",
		324 |           "ecr:*",
		325 |           "iam:*",
		326 |           "ec2:*"
		327 |         ],
		328 |        "Resource": "*"
		329 |      }
		330 |    ]
		331 |   }
		332 |   EOF
		333 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:312-333
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		312 | resource "aws_iam_role_policy" "app_task" {
		313 |   name = "task-${var.networking[0].application}"
		314 |   role = aws_iam_role.app_task.id
		315 | 
		316 |   policy = <<-EOF
		317 |   {
		318 |    "Version": "2012-10-17",
		319 |    "Statement": [
		320 |      {
		321 |        "Effect": "Allow",
		322 |         "Action": [
		323 |           "logs:*",
		324 |           "ecr:*",
		325 |           "iam:*",
		326 |           "ec2:*"
		327 |         ],
		328 |        "Resource": "*"
		329 |      }
		330 |    ]
		331 |   }
		332 |   EOF
		333 | }

Check: CKV_AWS_286: "Ensure IAM policies does not allow privilege escalation"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:312-333
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-286

		312 | resource "aws_iam_role_policy" "app_task" {
		313 |   name = "task-${var.networking[0].application}"
		314 |   role = aws_iam_role.app_task.id
		315 | 
		316 |   policy = <<-EOF
		317 |   {
		318 |    "Version": "2012-10-17",
		319 |    "Statement": [
		320 |      {
		321 |        "Effect": "Allow",
		322 |         "Action": [
		323 |           "logs:*",
		324 |           "ecr:*",
		325 |           "iam:*",
		326 |           "ec2:*"
		327 |         ],
		328 |        "Resource": "*"
		329 |      }
		330 |    ]
		331 |   }
		332 |   EOF
		333 | }

Check: CKV_AWS_287: "Ensure IAM policies does not allow credentials exposure"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:312-333
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-287

		312 | resource "aws_iam_role_policy" "app_task" {
		313 |   name = "task-${var.networking[0].application}"
		314 |   role = aws_iam_role.app_task.id
		315 | 
		316 |   policy = <<-EOF
		317 |   {
		318 |    "Version": "2012-10-17",
		319 |    "Statement": [
		320 |      {
		321 |        "Effect": "Allow",
		322 |         "Action": [
		323 |           "logs:*",
		324 |           "ecr:*",
		325 |           "iam:*",
		326 |           "ec2:*"
		327 |         ],
		328 |        "Resource": "*"
		329 |      }
		330 |    ]
		331 |   }
		332 |   EOF
		333 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:312-333
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		312 | resource "aws_iam_role_policy" "app_task" {
		313 |   name = "task-${var.networking[0].application}"
		314 |   role = aws_iam_role.app_task.id
		315 | 
		316 |   policy = <<-EOF
		317 |   {
		318 |    "Version": "2012-10-17",
		319 |    "Statement": [
		320 |      {
		321 |        "Effect": "Allow",
		322 |         "Action": [
		323 |           "logs:*",
		324 |           "ecr:*",
		325 |           "iam:*",
		326 |           "ec2:*"
		327 |         ],
		328 |        "Resource": "*"
		329 |      }
		330 |    ]
		331 |   }
		332 |   EOF
		333 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.ecs_service
	File: /ecs.tf:335-353
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		335 | resource "aws_security_group" "ecs_service" {
		336 |   name_prefix = "ecs-service-sg-"
		337 |   vpc_id      = data.aws_vpc.shared.id
		338 | 
		339 |   ingress {
		340 |     from_port       = 80
		341 |     to_port         = 80
		342 |     protocol        = "tcp"
		343 |     description     = "Allow traffic on port 80 from load balancer"
		344 |     security_groups = [aws_security_group.tipstaff_lb_sc.id]
		345 |   }
		346 | 
		347 |   egress {
		348 |     from_port   = 0
		349 |     to_port     = 0
		350 |     protocol    = "-1"
		351 |     cidr_blocks = ["0.0.0.0/0"]
		352 |   }
		353 | }

Check: CKV_AWS_51: "Ensure ECR Image Tags are immutable"
	FAILED for resource: aws_ecr_repository.tipstaff_ecr_repo
	File: /ecs.tf:355-358
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-24

		355 | resource "aws_ecr_repository" "tipstaff_ecr_repo" {
		356 |   name         = "tipstaff-ecr-repo"
		357 |   force_delete = true
		358 | }

Check: CKV_AWS_136: "Ensure that ECR repositories are encrypted using KMS"
	FAILED for resource: aws_ecr_repository.tipstaff_ecr_repo
	File: /ecs.tf:355-358
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ecr-repositories-are-encrypted

		355 | resource "aws_ecr_repository" "tipstaff_ecr_repo" {
		356 |   name         = "tipstaff-ecr-repo"
		357 |   force_delete = true
		358 | }

Check: CKV_AWS_163: "Ensure ECR image scanning on push is enabled"
	FAILED for resource: aws_ecr_repository.tipstaff_ecr_repo
	File: /ecs.tf:355-358
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-8

		355 | resource "aws_ecr_repository" "tipstaff_ecr_repo" {
		356 |   name         = "tipstaff-ecr-repo"
		357 |   force_delete = true
		358 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.ddos_alarm
	File: /ecs.tf:454-457
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		454 | resource "aws_sns_topic" "ddos_alarm" {
		455 |   count = local.is-development ? 0 : 1
		456 |   name  = "tipstaff_ddos_alarm"
		457 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.tipstaff_utilisation_alarm
	File: /ecs.tf:459-462
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		459 | resource "aws_sns_topic" "tipstaff_utilisation_alarm" {
		460 |   count = local.is-development ? 0 : 1
		461 |   name  = "tipstaff_utilisation_alarm"
		462 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.tipstaff_lb_sc
	File: /load_balancer.tf:1-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.tipstaff_lb_sc_pingdom
	File: /load_balancer.tf:92-163
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.tipstaff_lb_sc_pingdom_2
	File: /load_balancer.tf:165-236
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
	FAILED for resource: aws_lb.tipstaff_lb
	File: /load_balancer.tf:238-246
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers

		238 | resource "aws_lb" "tipstaff_lb" {
		239 |   name                       = "tipstaff-load-balancer"
		240 |   load_balancer_type         = "application"
		241 |   security_groups            = [aws_security_group.tipstaff_lb_sc.id, aws_security_group.tipstaff_lb_sc_pingdom.id, aws_security_group.tipstaff_lb_sc_pingdom_2.id]
		242 |   subnets                    = data.aws_subnets.shared-public.ids
		243 |   enable_deletion_protection = false
		244 |   internal                   = false
		245 |   depends_on                 = [aws_security_group.tipstaff_lb_sc]
		246 | }

Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
	FAILED for resource: aws_lb.tipstaff_lb
	File: /load_balancer.tf:238-246
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-150

		238 | resource "aws_lb" "tipstaff_lb" {
		239 |   name                       = "tipstaff-load-balancer"
		240 |   load_balancer_type         = "application"
		241 |   security_groups            = [aws_security_group.tipstaff_lb_sc.id, aws_security_group.tipstaff_lb_sc_pingdom.id, aws_security_group.tipstaff_lb_sc_pingdom_2.id]
		242 |   subnets                    = data.aws_subnets.shared-public.ids
		243 |   enable_deletion_protection = false
		244 |   internal                   = false
		245 |   depends_on                 = [aws_security_group.tipstaff_lb_sc]
		246 | }

Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
	FAILED for resource: aws_lb.tipstaff_lb
	File: /load_balancer.tf:238-246
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22

		238 | resource "aws_lb" "tipstaff_lb" {
		239 |   name                       = "tipstaff-load-balancer"
		240 |   load_balancer_type         = "application"
		241 |   security_groups            = [aws_security_group.tipstaff_lb_sc.id, aws_security_group.tipstaff_lb_sc_pingdom.id, aws_security_group.tipstaff_lb_sc_pingdom_2.id]
		242 |   subnets                    = data.aws_subnets.shared-public.ids
		243 |   enable_deletion_protection = false
		244 |   internal                   = false
		245 |   depends_on                 = [aws_security_group.tipstaff_lb_sc]
		246 | }

Check: CKV_AWS_261: "Ensure HTTP HTTPS Target group defines Healthcheck"
	FAILED for resource: aws_lb_target_group.tipstaff_target_group
	File: /load_balancer.tf:248-270
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-kendra-index-server-side-encryption-uses-customer-managed-keys-cmks

		248 | resource "aws_lb_target_group" "tipstaff_target_group" {
		249 |   name                 = "tipstaff-target-group"
		250 |   port                 = 80
		251 |   protocol             = "HTTP"
		252 |   vpc_id               = data.aws_vpc.shared.id
		253 |   target_type          = "ip"
		254 |   deregistration_delay = 30
		255 | 
		256 |   stickiness {
		257 |     type = "lb_cookie"
		258 |   }
		259 | 
		260 |   health_check {
		261 |     healthy_threshold   = "3"
		262 |     interval            = "30"
		263 |     protocol            = "HTTP"
		264 |     port                = "80"
		265 |     unhealthy_threshold = "5"
		266 |     matcher             = "200-302"
		267 |     timeout             = "10"
		268 |   }
		269 | 
		270 | }

Check: CKV_AWS_2: "Ensure ALB protocol is HTTPS"
	FAILED for resource: aws_lb_listener.tipstaff_lb
	File: /load_balancer.tf:272-286
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-29

		272 | resource "aws_lb_listener" "tipstaff_lb" {
		273 |   depends_on = [
		274 |     aws_acm_certificate.external
		275 |   ]
		276 |   certificate_arn   = local.is-production ? aws_acm_certificate.external_prod[0].arn : aws_acm_certificate.external.arn
		277 |   load_balancer_arn = aws_lb.tipstaff_lb.arn
		278 |   port              = local.application_data.accounts[local.environment].server_port_2
		279 |   protocol          = local.application_data.accounts[local.environment].lb_listener_protocol_2
		280 |   ssl_policy        = local.application_data.accounts[local.environment].lb_listener_protocol_2 == "HTTP" ? "" : "ELBSecurityPolicy-TLS13-1-2-2021-06"
		281 | 
		282 |   default_action {
		283 |     type             = "forward"
		284 |     target_group_arn = aws_lb_target_group.tipstaff_target_group.arn
		285 |   }
		286 | }

Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
	FAILED for resource: aws_db_instance.tipstaff_db
	File: /rds.tf:1-17
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-293

		1  | resource "aws_db_instance" "tipstaff_db" {
		2  |   count                       = local.is-development ? 0 : 1
		3  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		4  |   db_name                     = local.application_data.accounts[local.environment].db_name
		5  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		6  |   engine                      = local.application_data.accounts[local.environment].engine
		7  |   identifier                  = local.application_data.accounts[local.environment].identifier
		8  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		9  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		10 |   username                    = local.application_data.accounts[local.environment].db_username
		11 |   password                    = random_password.password.result
		12 |   skip_final_snapshot         = true
		13 |   publicly_accessible         = false
		14 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc[0].id]
		15 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		16 |   allow_major_version_upgrade = true
		17 | }

Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
	FAILED for resource: aws_db_instance.tipstaff_db
	File: /rds.tf:1-17
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled

		1  | resource "aws_db_instance" "tipstaff_db" {
		2  |   count                       = local.is-development ? 0 : 1
		3  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		4  |   db_name                     = local.application_data.accounts[local.environment].db_name
		5  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		6  |   engine                      = local.application_data.accounts[local.environment].engine
		7  |   identifier                  = local.application_data.accounts[local.environment].identifier
		8  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		9  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		10 |   username                    = local.application_data.accounts[local.environment].db_username
		11 |   password                    = random_password.password.result
		12 |   skip_final_snapshot         = true
		13 |   publicly_accessible         = false
		14 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc[0].id]
		15 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		16 |   allow_major_version_upgrade = true
		17 | }

Check: CKV_AWS_226: "Ensure DB instance gets all minor upgrades automatically"
	FAILED for resource: aws_db_instance.tipstaff_db
	File: /rds.tf:1-17
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-db-instance-gets-all-minor-upgrades-automatically

		1  | resource "aws_db_instance" "tipstaff_db" {
		2  |   count                       = local.is-development ? 0 : 1
		3  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		4  |   db_name                     = local.application_data.accounts[local.environment].db_name
		5  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		6  |   engine                      = local.application_data.accounts[local.environment].engine
		7  |   identifier                  = local.application_data.accounts[local.environment].identifier
		8  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		9  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		10 |   username                    = local.application_data.accounts[local.environment].db_username
		11 |   password                    = random_password.password.result
		12 |   skip_final_snapshot         = true
		13 |   publicly_accessible         = false
		14 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc[0].id]
		15 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		16 |   allow_major_version_upgrade = true
		17 | }

Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
	FAILED for resource: aws_db_instance.tipstaff_db
	File: /rds.tf:1-17
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-73

		1  | resource "aws_db_instance" "tipstaff_db" {
		2  |   count                       = local.is-development ? 0 : 1
		3  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		4  |   db_name                     = local.application_data.accounts[local.environment].db_name
		5  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		6  |   engine                      = local.application_data.accounts[local.environment].engine
		7  |   identifier                  = local.application_data.accounts[local.environment].identifier
		8  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		9  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		10 |   username                    = local.application_data.accounts[local.environment].db_username
		11 |   password                    = random_password.password.result
		12 |   skip_final_snapshot         = true
		13 |   publicly_accessible         = false
		14 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc[0].id]
		15 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		16 |   allow_major_version_upgrade = true
		17 | }

Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
	FAILED for resource: aws_db_instance.tipstaff_db
	File: /rds.tf:1-17
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances

		1  | resource "aws_db_instance" "tipstaff_db" {
		2  |   count                       = local.is-development ? 0 : 1
		3  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		4  |   db_name                     = local.application_data.accounts[local.environment].db_name
		5  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		6  |   engine                      = local.application_data.accounts[local.environment].engine
		7  |   identifier                  = local.application_data.accounts[local.environment].identifier
		8  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		9  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		10 |   username                    = local.application_data.accounts[local.environment].db_username
		11 |   password                    = random_password.password.result
		12 |   skip_final_snapshot         = true
		13 |   publicly_accessible         = false
		14 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc[0].id]
		15 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		16 |   allow_major_version_upgrade = true
		17 | }

Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
	FAILED for resource: aws_db_instance.tipstaff_db
	File: /rds.tf:1-17
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-353

		1  | resource "aws_db_instance" "tipstaff_db" {
		2  |   count                       = local.is-development ? 0 : 1
		3  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		4  |   db_name                     = local.application_data.accounts[local.environment].db_name
		5  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		6  |   engine                      = local.application_data.accounts[local.environment].engine
		7  |   identifier                  = local.application_data.accounts[local.environment].identifier
		8  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		9  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		10 |   username                    = local.application_data.accounts[local.environment].db_username
		11 |   password                    = random_password.password.result
		12 |   skip_final_snapshot         = true
		13 |   publicly_accessible         = false
		14 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc[0].id]
		15 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		16 |   allow_major_version_upgrade = true
		17 | }

Check: CKV_AWS_16: "Ensure all data stored in the RDS is securely encrypted at rest"
	FAILED for resource: aws_db_instance.tipstaff_db
	File: /rds.tf:1-17
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-4

		1  | resource "aws_db_instance" "tipstaff_db" {
		2  |   count                       = local.is-development ? 0 : 1
		3  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		4  |   db_name                     = local.application_data.accounts[local.environment].db_name
		5  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		6  |   engine                      = local.application_data.accounts[local.environment].engine
		7  |   identifier                  = local.application_data.accounts[local.environment].identifier
		8  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		9  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		10 |   username                    = local.application_data.accounts[local.environment].db_username
		11 |   password                    = random_password.password.result
		12 |   skip_final_snapshot         = true
		13 |   publicly_accessible         = false
		14 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc[0].id]
		15 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		16 |   allow_major_version_upgrade = true
		17 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: aws_db_instance.tipstaff_db
	File: /rds.tf:1-17
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-354

		1  | resource "aws_db_instance" "tipstaff_db" {
		2  |   count                       = local.is-development ? 0 : 1
		3  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		4  |   db_name                     = local.application_data.accounts[local.environment].db_name
		5  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		6  |   engine                      = local.application_data.accounts[local.environment].engine
		7  |   identifier                  = local.application_data.accounts[local.environment].identifier
		8  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		9  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		10 |   username                    = local.application_data.accounts[local.environment].db_username
		11 |   password                    = random_password.password.result
		12 |   skip_final_snapshot         = true
		13 |   publicly_accessible         = false
		14 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc[0].id]
		15 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		16 |   allow_major_version_upgrade = true
		17 | }

Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
	FAILED for resource: aws_db_instance.tipstaff_db_dev
	File: /rds.tf:62-78
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-293

		62 | resource "aws_db_instance" "tipstaff_db_dev" {
		63 |   count                       = local.is-development ? 1 : 0
		64 |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		65 |   db_name                     = local.application_data.accounts[local.environment].db_name
		66 |   storage_type                = local.application_data.accounts[local.environment].storage_type
		67 |   engine                      = local.application_data.accounts[local.environment].engine
		68 |   identifier                  = local.application_data.accounts[local.environment].identifier
		69 |   engine_version              = local.application_data.accounts[local.environment].engine_version
		70 |   instance_class              = local.application_data.accounts[local.environment].instance_class
		71 |   username                    = local.application_data.accounts[local.environment].db_username
		72 |   password                    = random_password.password.result
		73 |   skip_final_snapshot         = true
		74 |   publicly_accessible         = true
		75 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc_dev[0].id]
		76 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		77 |   allow_major_version_upgrade = true
		78 | }

Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
	FAILED for resource: aws_db_instance.tipstaff_db_dev
	File: /rds.tf:62-78
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled

		62 | resource "aws_db_instance" "tipstaff_db_dev" {
		63 |   count                       = local.is-development ? 1 : 0
		64 |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		65 |   db_name                     = local.application_data.accounts[local.environment].db_name
		66 |   storage_type                = local.application_data.accounts[local.environment].storage_type
		67 |   engine                      = local.application_data.accounts[local.environment].engine
		68 |   identifier                  = local.application_data.accounts[local.environment].identifier
		69 |   engine_version              = local.application_data.accounts[local.environment].engine_version
		70 |   instance_class              = local.application_data.accounts[local.environment].instance_class
		71 |   username                    = local.application_data.accounts[local.environment].db_username
		72 |   password                    = random_password.password.result
		73 |   skip_final_snapshot         = true
		74 |   publicly_accessible         = true
		75 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc_dev[0].id]
		76 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		77 |   allow_major_version_upgrade = true
		78 | }

Check: CKV_AWS_226: "Ensure DB instance gets all minor upgrades automatically"
	FAILED for resource: aws_db_instance.tipstaff_db_dev
	File: /rds.tf:62-78
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-db-instance-gets-all-minor-upgrades-automatically

		62 | resource "aws_db_instance" "tipstaff_db_dev" {
		63 |   count                       = local.is-development ? 1 : 0
		64 |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		65 |   db_name                     = local.application_data.accounts[local.environment].db_name
		66 |   storage_type                = local.application_data.accounts[local.environment].storage_type
		67 |   engine                      = local.application_data.accounts[local.environment].engine
		68 |   identifier                  = local.application_data.accounts[local.environment].identifier
		69 |   engine_version              = local.application_data.accounts[local.environment].engine_version
		70 |   instance_class              = local.application_data.accounts[local.environment].instance_class
		71 |   username                    = local.application_data.accounts[local.environment].db_username
		72 |   password                    = random_password.password.result
		73 |   skip_final_snapshot         = true
		74 |   publicly_accessible         = true
		75 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc_dev[0].id]
		76 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		77 |   allow_major_version_upgrade = true
		78 | }

Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
	FAILED for resource: aws_db_instance.tipstaff_db_dev
	File: /rds.tf:62-78
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-73

		62 | resource "aws_db_instance" "tipstaff_db_dev" {
		63 |   count                       = local.is-development ? 1 : 0
		64 |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		65 |   db_name                     = local.application_data.accounts[local.environment].db_name
		66 |   storage_type                = local.application_data.accounts[local.environment].storage_type
		67 |   engine                      = local.application_data.accounts[local.environment].engine
		68 |   identifier                  = local.application_data.accounts[local.environment].identifier
		69 |   engine_version              = local.application_data.accounts[local.environment].engine_version
		70 |   instance_class              = local.application_data.accounts[local.environment].instance_class
		71 |   username                    = local.application_data.accounts[local.environment].db_username
		72 |   password                    = random_password.password.result
		73 |   skip_final_snapshot         = true
		74 |   publicly_accessible         = true
		75 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc_dev[0].id]
		76 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		77 |   allow_major_version_upgrade = true
		78 | }

Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
	FAILED for resource: aws_db_instance.tipstaff_db_dev
	File: /rds.tf:62-78
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances

		62 | resource "aws_db_instance" "tipstaff_db_dev" {
		63 |   count                       = local.is-development ? 1 : 0
		64 |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		65 |   db_name                     = local.application_data.accounts[local.environment].db_name
		66 |   storage_type                = local.application_data.accounts[local.environment].storage_type
		67 |   engine                      = local.application_data.accounts[local.environment].engine
		68 |   identifier                  = local.application_data.accounts[local.environment].identifier
		69 |   engine_version              = local.application_data.accounts[local.environment].engine_version
		70 |   instance_class              = local.application_data.accounts[local.environment].instance_class
		71 |   username                    = local.application_data.accounts[local.environment].db_username
		72 |   password                    = random_password.password.result
		73 |   skip_final_snapshot         = true
		74 |   publicly_accessible         = true
		75 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc_dev[0].id]
		76 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		77 |   allow_major_version_upgrade = true
		78 | }

Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
	FAILED for resource: aws_db_instance.tipstaff_db_dev
	File: /rds.tf:62-78
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-353

		62 | resource "aws_db_instance" "tipstaff_db_dev" {
		63 |   count                       = local.is-development ? 1 : 0
		64 |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		65 |   db_name                     = local.application_data.accounts[local.environment].db_name
		66 |   storage_type                = local.application_data.accounts[local.environment].storage_type
		67 |   engine                      = local.application_data.accounts[local.environment].engine
		68 |   identifier                  = local.application_data.accounts[local.environment].identifier
		69 |   engine_version              = local.application_data.accounts[local.environment].engine_version
		70 |   instance_class              = local.application_data.accounts[local.environment].instance_class
		71 |   username                    = local.application_data.accounts[local.environment].db_username
		72 |   password                    = random_password.password.result
		73 |   skip_final_snapshot         = true
		74 |   publicly_accessible         = true
		75 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc_dev[0].id]
		76 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		77 |   allow_major_version_upgrade = true
		78 | }

Check: CKV_AWS_17: "Ensure all data stored in RDS is not publicly accessible"
	FAILED for resource: aws_db_instance.tipstaff_db_dev
	File: /rds.tf:62-78
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/public-policies/public-2

		62 | resource "aws_db_instance" "tipstaff_db_dev" {
		63 |   count                       = local.is-development ? 1 : 0
		64 |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		65 |   db_name                     = local.application_data.accounts[local.environment].db_name
		66 |   storage_type                = local.application_data.accounts[local.environment].storage_type
		67 |   engine                      = local.application_data.accounts[local.environment].engine
		68 |   identifier                  = local.application_data.accounts[local.environment].identifier
		69 |   engine_version              = local.application_data.accounts[local.environment].engine_version
		70 |   instance_class              = local.application_data.accounts[local.environment].instance_class
		71 |   username                    = local.application_data.accounts[local.environment].db_username
		72 |   password                    = random_password.password.result
		73 |   skip_final_snapshot         = true
		74 |   publicly_accessible         = true
		75 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc_dev[0].id]
		76 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		77 |   allow_major_version_upgrade = true
		78 | }

Check: CKV_AWS_16: "Ensure all data stored in the RDS is securely encrypted at rest"
	FAILED for resource: aws_db_instance.tipstaff_db_dev
	File: /rds.tf:62-78
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-4

		62 | resource "aws_db_instance" "tipstaff_db_dev" {
		63 |   count                       = local.is-development ? 1 : 0
		64 |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		65 |   db_name                     = local.application_data.accounts[local.environment].db_name
		66 |   storage_type                = local.application_data.accounts[local.environment].storage_type
		67 |   engine                      = local.application_data.accounts[local.environment].engine
		68 |   identifier                  = local.application_data.accounts[local.environment].identifier
		69 |   engine_version              = local.application_data.accounts[local.environment].engine_version
		70 |   instance_class              = local.application_data.accounts[local.environment].instance_class
		71 |   username                    = local.application_data.accounts[local.environment].db_username
		72 |   password                    = random_password.password.result
		73 |   skip_final_snapshot         = true
		74 |   publicly_accessible         = true
		75 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc_dev[0].id]
		76 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		77 |   allow_major_version_upgrade = true
		78 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: aws_db_instance.tipstaff_db_dev
	File: /rds.tf:62-78
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-354

		62 | resource "aws_db_instance" "tipstaff_db_dev" {
		63 |   count                       = local.is-development ? 1 : 0
		64 |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		65 |   db_name                     = local.application_data.accounts[local.environment].db_name
		66 |   storage_type                = local.application_data.accounts[local.environment].storage_type
		67 |   engine                      = local.application_data.accounts[local.environment].engine
		68 |   identifier                  = local.application_data.accounts[local.environment].identifier
		69 |   engine_version              = local.application_data.accounts[local.environment].engine_version
		70 |   instance_class              = local.application_data.accounts[local.environment].instance_class
		71 |   username                    = local.application_data.accounts[local.environment].db_username
		72 |   password                    = random_password.password.result
		73 |   skip_final_snapshot         = true
		74 |   publicly_accessible         = true
		75 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc_dev[0].id]
		76 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		77 |   allow_major_version_upgrade = true
		78 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.rds_db_credentials
	File: /secrets.tf:12-15
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		12 | resource "aws_secretsmanager_secret" "rds_db_credentials" {
		13 |   name                    = "rds-password"
		14 |   recovery_window_in_days = 0
		15 | }

Check: CKV_AWS_192: "Ensure WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell"
	FAILED for resource: aws_wafv2_web_acl.tipstaff_web_acl
	File: /waf.tf:1-42
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-waf-prevents-message-lookup-in-log4j2

		1  | resource "aws_wafv2_web_acl" "tipstaff_web_acl" {
		2  |   name  = "tipstaff-web-acl"
		3  |   scope = "REGIONAL"
		4  | 
		5  |   default_action {
		6  |     allow {}
		7  |   }
		8  | 
		9  |   rule {
		10 |     name     = "common-rule-set"
		11 |     priority = 1
		12 | 
		13 |     override_action {
		14 |       none {}
		15 |     }
		16 | 
		17 |     statement {
		18 |       managed_rule_group_statement {
		19 |         name        = "AWSManagedRulesCommonRuleSet"
		20 |         vendor_name = "AWS"
		21 |         rule_action_override {
		22 |           action_to_use {
		23 |             allow {}
		24 |           }
		25 |           name = "SizeRestrictions_BODY"
		26 |         }
		27 |       }
		28 |     }
		29 | 
		30 |     visibility_config {
		31 |       cloudwatch_metrics_enabled = true
		32 |       metric_name                = "AWSManagedRulesCommonRuleSetMetrics"
		33 |       sampled_requests_enabled   = true
		34 |     }
		35 |   }
		36 | 
		37 |   visibility_config {
		38 |     cloudwatch_metrics_enabled = true
		39 |     metric_name                = "tipstaff-web-acl"
		40 |     sampled_requests_enabled   = true
		41 |   }
		42 | }

Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
	FAILED for resource: aws_db_instance.tipstaff_db
	File: /rds.tf:1-17
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-60

		1  | resource "aws_db_instance" "tipstaff_db" {
		2  |   count                       = local.is-development ? 0 : 1
		3  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		4  |   db_name                     = local.application_data.accounts[local.environment].db_name
		5  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		6  |   engine                      = local.application_data.accounts[local.environment].engine
		7  |   identifier                  = local.application_data.accounts[local.environment].identifier
		8  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		9  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		10 |   username                    = local.application_data.accounts[local.environment].db_username
		11 |   password                    = random_password.password.result
		12 |   skip_final_snapshot         = true
		13 |   publicly_accessible         = false
		14 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc[0].id]
		15 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		16 |   allow_major_version_upgrade = true
		17 | }

Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
	FAILED for resource: aws_db_instance.tipstaff_db_dev
	File: /rds.tf:62-78
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-60

		62 | resource "aws_db_instance" "tipstaff_db_dev" {
		63 |   count                       = local.is-development ? 1 : 0
		64 |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		65 |   db_name                     = local.application_data.accounts[local.environment].db_name
		66 |   storage_type                = local.application_data.accounts[local.environment].storage_type
		67 |   engine                      = local.application_data.accounts[local.environment].engine
		68 |   identifier                  = local.application_data.accounts[local.environment].identifier
		69 |   engine_version              = local.application_data.accounts[local.environment].engine_version
		70 |   instance_class              = local.application_data.accounts[local.environment].instance_class
		71 |   username                    = local.application_data.accounts[local.environment].db_username
		72 |   password                    = random_password.password.result
		73 |   skip_final_snapshot         = true
		74 |   publicly_accessible         = true
		75 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc_dev[0].id]
		76 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		77 |   allow_major_version_upgrade = true
		78 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.rds_db_credentials
	File: /secrets.tf:12-15
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		12 | resource "aws_secretsmanager_secret" "rds_db_credentials" {
		13 |   name                    = "rds-password"
		14 |   recovery_window_in_days = 0
		15 | }

Check: CKV_AWS_103: "Ensure that load balancer is using at least TLS 1.2"
	FAILED for resource: aws_lb_listener.tipstaff_lb
	File: /load_balancer.tf:272-286
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-43

		272 | resource "aws_lb_listener" "tipstaff_lb" {
		273 |   depends_on = [
		274 |     aws_acm_certificate.external
		275 |   ]
		276 |   certificate_arn   = local.is-production ? aws_acm_certificate.external_prod[0].arn : aws_acm_certificate.external.arn
		277 |   load_balancer_arn = aws_lb.tipstaff_lb.arn
		278 |   port              = local.application_data.accounts[local.environment].server_port_2
		279 |   protocol          = local.application_data.accounts[local.environment].lb_listener_protocol_2
		280 |   ssl_policy        = local.application_data.accounts[local.environment].lb_listener_protocol_2 == "HTTP" ? "" : "ELBSecurityPolicy-TLS13-1-2-2021-06"
		281 | 
		282 |   default_action {
		283 |     type             = "forward"
		284 |     target_group_arn = aws_lb_target_group.tipstaff_target_group.arn
		285 |   }
		286 | }

Check: CKV2_AWS_31: "Ensure WAF2 has a Logging Configuration"
	FAILED for resource: aws_wafv2_web_acl.tipstaff_web_acl
	File: /waf.tf:1-42
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-33

		1  | resource "aws_wafv2_web_acl" "tipstaff_web_acl" {
		2  |   name  = "tipstaff-web-acl"
		3  |   scope = "REGIONAL"
		4  | 
		5  |   default_action {
		6  |     allow {}
		7  |   }
		8  | 
		9  |   rule {
		10 |     name     = "common-rule-set"
		11 |     priority = 1
		12 | 
		13 |     override_action {
		14 |       none {}
		15 |     }
		16 | 
		17 |     statement {
		18 |       managed_rule_group_statement {
		19 |         name        = "AWSManagedRulesCommonRuleSet"
		20 |         vendor_name = "AWS"
		21 |         rule_action_override {
		22 |           action_to_use {
		23 |             allow {}
		24 |           }
		25 |           name = "SizeRestrictions_BODY"
		26 |         }
		27 |       }
		28 |     }
		29 | 
		30 |     visibility_config {
		31 |       cloudwatch_metrics_enabled = true
		32 |       metric_name                = "AWSManagedRulesCommonRuleSetMetrics"
		33 |       sampled_requests_enabled   = true
		34 |     }
		35 |   }
		36 | 
		37 |   visibility_config {
		38 |     cloudwatch_metrics_enabled = true
		39 |     metric_name                = "tipstaff-web-acl"
		40 |     sampled_requests_enabled   = true
		41 |   }
		42 | }

Check: CKV2_AWS_40: "Ensure AWS IAM policy does not allow full IAM privileges"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:312-333
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-2-40

		312 | resource "aws_iam_role_policy" "app_task" {
		313 |   name = "task-${var.networking[0].application}"
		314 |   role = aws_iam_role.app_task.id
		315 | 
		316 |   policy = <<-EOF
		317 |   {
		318 |    "Version": "2012-10-17",
		319 |    "Statement": [
		320 |      {
		321 |        "Effect": "Allow",
		322 |         "Action": [
		323 |           "logs:*",
		324 |           "ecr:*",
		325 |           "iam:*",
		326 |           "ec2:*"
		327 |         ],
		328 |        "Resource": "*"
		329 |      }
		330 |    ]
		331 |   }
		332 |   EOF
		333 | }


checkov_exitcode=1

TFLint Scan Failed

Show Output
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
terraform/environments/analytical-platform-compute terraform/environments/tipstaff

*****************************

Running tflint in terraform/environments/analytical-platform-compute
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

*****************************

Running tflint in terraform/environments/tipstaff
Excluding the following checks: terraform_unused_declarations
22 issue(s) found:

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/tipstaff/ecs.tf line 54:
  54:           value = "${aws_db_instance.tipstaff_db[0].address}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/tipstaff/ecs.tf line 58:
  58:           value = "${local.application_data.accounts[local.environment].rds_port}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/tipstaff/ecs.tf line 62:
  62:           value = "${aws_db_instance.tipstaff_db[0].username}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/tipstaff/ecs.tf line 66:
  66:           value = "${aws_db_instance.tipstaff_db[0].password}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/tipstaff/ecs.tf line 70:
  70:           value = "${aws_db_instance.tipstaff_db[0].db_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/tipstaff/ecs.tf line 74:
  74:           value = "${local.application_data.accounts[local.environment].support_email}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/tipstaff/ecs.tf line 78:
  78:           value = "${local.application_data.accounts[local.environment].support_team}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/tipstaff/ecs.tf line 82:
  82:           value = "${local.application_data.accounts[local.environment].curserver}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/tipstaff/ecs.tf line 86:
  86:           value = "${local.application_data.accounts[local.environment].client_id}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/tipstaff/ecs.tf line 133:
 133:           value = "${aws_db_instance.tipstaff_db_dev[0].address}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/tipstaff/ecs.tf line 137:
 137:           value = "${local.application_data.accounts[local.environment].rds_port}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/tipstaff/ecs.tf line 141:
 141:           value = "${aws_db_instance.tipstaff_db_dev[0].username}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/tipstaff/ecs.tf line 145:
 145:           value = "${aws_db_instance.tipstaff_db_dev[0].password}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/tipstaff/ecs.tf line 149:
 149:           value = "${aws_db_instance.tipstaff_db_dev[0].db_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/tipstaff/ecs.tf line 153:
 153:           value = "${local.application_data.accounts[local.environment].support_email}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/tipstaff/ecs.tf line 157:
 157:           value = "${local.application_data.accounts[local.environment].support_team}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/tipstaff/ecs.tf line 161:
 161:           value = "${local.application_data.accounts[local.environment].curserver}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/tipstaff/ecs.tf line 165:
 165:           value = "${local.application_data.accounts[local.environment].client_id}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "github" in `required_providers` (terraform_required_providers)

  on terraform/environments/tipstaff/providers.tf line 8:
   8: data "github_ip_ranges" "github_actions_ips" {}

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/tipstaff/rds.tf line 138:
 138:     always_run = "${timestamp()}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "random" in `required_providers` (terraform_required_providers)

  on terraform/environments/tipstaff/secrets.tf line 3:
   3: resource "random_password" "password" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/tipstaff/secrets.tf line 19:
  19:   secret_string = jsonencode({ "TIPSTAFF_DB_PASSWORD" : "${random_password.password.result}" })

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

tflint_exitcode=2

Trivy Scan Failed

Show Output
*****************************

Trivy will check the following folders:
terraform/environments/analytical-platform-compute terraform/environments/tipstaff

*****************************

Running Trivy in terraform/environments/analytical-platform-compute
2024-06-12T16:11:10Z	INFO	Need to update DB
2024-06-12T16:11:10Z	INFO	Downloading DB...	repository="ghcr.io/aquasecurity/trivy-db:2"
2024-06-12T16:11:12Z	INFO	Vulnerability scanning is enabled
2024-06-12T16:11:12Z	INFO	Misconfiguration scanning is enabled
2024-06-12T16:11:12Z	INFO	Need to update the built-in policies
2024-06-12T16:11:12Z	INFO	Downloading the built-in policies...
53.79 KiB / 53.79 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s
2024-06-12T16:11:12Z	INFO	Secret scanning is enabled
2024-06-12T16:11:12Z	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-12T16:11:12Z	INFO	Please see also https://aquasecurity.github.io/trivy/v0.52/docs/scanner/secret/#recommendation for faster secret detection
2024-06-12T16:11:29Z	INFO	Number of language-specific files	num=0
2024-06-12T16:11:29Z	INFO	Detected config files	num=13

git::https:/github.com/terraform-aws-modules/terraform-aws-eks?ref=098c6a86ca716dae74bd98974accc29f66178c43/main.tf (terraform)
===============================================================================================================================
Tests: 5 (SUCCESSES: 1, FAILURES: 0, EXCEPTIONS: 4)
Failures: 0 (HIGH: 0, CRITICAL: 0)


git::https:/github.com/terraform-aws-modules/terraform-aws-iam?ref=de95e21a3bc51cd3a44b3b95a4c2f61000649ebb/modules/iam-role-for-service-accounts-eks/policies.tf (terraform)
=============================================================================================================================================================================
Tests: 22 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 22)
Failures: 0 (HIGH: 0, CRITICAL: 0)


iam-policies.tf (terraform)
===========================
Tests: 6 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 6)
Failures: 0 (HIGH: 0, CRITICAL: 0)

trivy_exitcode=0

*****************************

Running Trivy in terraform/environments/tipstaff
2024-06-12T16:11:29Z	INFO	Vulnerability scanning is enabled
2024-06-12T16:11:29Z	INFO	Misconfiguration scanning is enabled
2024-06-12T16:11:29Z	INFO	Secret scanning is enabled
2024-06-12T16:11:29Z	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-12T16:11:29Z	INFO	Please see also https://aquasecurity.github.io/trivy/v0.52/docs/scanner/secret/#recommendation for faster secret detection
2024-06-12T16:11:36Z	INFO	Number of language-specific files	num=0
2024-06-12T16:11:36Z	INFO	Detected config files	num=7

ecs.tf (terraform)
==================
Tests: 13 (SUCCESSES: 3, FAILURES: 4, EXCEPTIONS: 6)
Failures: 4 (HIGH: 3, CRITICAL: 1)

HIGH: Image scanning is not enabled.
════════════════════════════════════════
Repository image scans should be enabled to ensure vulnerable software can be discovered and remediated as soon as possible.

See https://avd.aquasec.com/misconfig/avd-aws-0030
────────────────────────────────────────
 ecs.tf:355-358
────────────────────────────────────────
 355 ┌ resource "aws_ecr_repository" "tipstaff_ecr_repo" {
 356 │   name         = "tipstaff-ecr-repo"
 357 │   force_delete = true
 358 └ }
────────────────────────────────────────


HIGH: Topic does not have encryption enabled.
════════════════════════════════════════
Topics should be encrypted to protect their contents.

See https://avd.aquasec.com/misconfig/avd-aws-0095
────────────────────────────────────────
 ecs.tf:454-457
────────────────────────────────────────
 454 ┌ resource "aws_sns_topic" "ddos_alarm" {
 455 │   count = local.is-development ? 0 : 1
 456 │   name  = "tipstaff_ddos_alarm"
 457 └ }
────────────────────────────────────────


HIGH: Topic does not have encryption enabled.
════════════════════════════════════════
Topics should be encrypted to protect their contents.

See https://avd.aquasec.com/misconfig/avd-aws-0095
────────────────────────────────────────
 ecs.tf:459-462
────────────────────────────────────────
 459 ┌ resource "aws_sns_topic" "tipstaff_utilisation_alarm" {
 460 │   count = local.is-development ? 0 : 1
 461 │   name  = "tipstaff_utilisation_alarm"
 462 └ }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 ecs.tf:351
   via ecs.tf:347-352 (egress)
    via ecs.tf:335-353 (aws_security_group.ecs_service)
────────────────────────────────────────
 335   resource "aws_security_group" "ecs_service" {
 ...   
 351 [     cidr_blocks = ["0.0.0.0/0"]
 ...   
 353   }
────────────────────────────────────────



github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf (terraform)
==========================================================================================================
Tests: 7 (SUCCESSES: 5, FAILURES: 0, EXCEPTIONS: 2)
Failures: 0 (HIGH: 0, CRITICAL: 0)


load_balancer.tf (terraform)
============================
Tests: 12 (SUCCESSES: 7, FAILURES: 5, EXCEPTIONS: 0)
Failures: 5 (HIGH: 2, CRITICAL: 3)

HIGH: Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise. 

By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.

See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
 load_balancer.tf:238-246
────────────────────────────────────────
 238 ┌ resource "aws_lb" "tipstaff_lb" {
 239 │   name                       = "tipstaff-load-balancer"
 240 │   load_balancer_type         = "application"
 241 │   security_groups            = [aws_security_group.tipstaff_lb_sc.id, aws_security_group.tipstaff_lb_sc_pingdom.id, aws_security_group.tipstaff_lb_sc_pingdom_2.id]
 242 │   subnets                    = data.aws_subnets.shared-public.ids
 243 │   enable_deletion_protection = false
 244 │   internal                   = false
 245 │   depends_on                 = [aws_security_group.tipstaff_lb_sc]
 246 └ }
────────────────────────────────────────


HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
 load_balancer.tf:244
   via load_balancer.tf:238-246 (aws_lb.tipstaff_lb)
────────────────────────────────────────
 238   resource "aws_lb" "tipstaff_lb" {
 239     name                       = "tipstaff-load-balancer"
 240     load_balancer_type         = "application"
 241     security_groups            = [aws_security_group.tipstaff_lb_sc.id, aws_security_group.tipstaff_lb_sc_pingdom.id, aws_security_group.tipstaff_lb_sc_pingdom_2.id]
 242     subnets                    = data.aws_subnets.shared-public.ids
 243     enable_deletion_protection = false
 244 [   internal                   = false
 245     depends_on                 = [aws_security_group.tipstaff_lb_sc]
 246   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 load_balancer.tf:88
   via load_balancer.tf:83-89 (egress)
    via load_balancer.tf:1-90 (aws_security_group.tipstaff_lb_sc)
────────────────────────────────────────
   1   resource "aws_security_group" "tipstaff_lb_sc" {
   .   
  88 [     cidr_blocks = ["0.0.0.0/0"]
  ..   
  90   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 load_balancer.tf:80
   via load_balancer.tf:75-81 (egress)
    via load_balancer.tf:1-90 (aws_security_group.tipstaff_lb_sc)
────────────────────────────────────────
   1   resource "aws_security_group" "tipstaff_lb_sc" {
   .   
  80 [     cidr_blocks = ["0.0.0.0/0"]
  ..   
  90   }
────────────────────────────────────────


CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
 load_balancer.tf:27-56
   via load_balancer.tf:23-57 (ingress)
    via load_balancer.tf:1-90 (aws_security_group.tipstaff_lb_sc)
────────────────────────────────────────
   1   resource "aws_security_group" "tipstaff_lb_sc" {
   .   
  27 ┌     cidr_blocks = [
  28 │       "178.248.34.44/32",
  29 │       "194.33.192.0/25",
  30 │       "195.59.75.0/24",
  31 │       "178.248.34.45/32",
  32 │       "201.33.21.5/32",
  33 │       "178.248.34.46/32",
  ..   
────────────────────────────────────────



rds.tf (terraform)
==================
Tests: 5 (SUCCESSES: 3, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 1, CRITICAL: 1)

HIGH: Instance does not have storage encryption enabled.
════════════════════════════════════════
Encryption should be enabled for RDS Database instances.

When enabling encryption by setting the kms_key_id.

See https://avd.aquasec.com/misconfig/avd-aws-0080
────────────────────────────────────────
 rds.tf:1-17
────────────────────────────────────────
   1 ┌ resource "aws_db_instance" "tipstaff_db" {
   2 │   count                       = local.is-development ? 0 : 1
   3 │   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
   4 │   db_name                     = local.application_data.accounts[local.environment].db_name
   5 │   storage_type                = local.application_data.accounts[local.environment].storage_type
   6 │   engine                      = local.application_data.accounts[local.environment].engine
   7 │   identifier                  = local.application_data.accounts[local.environment].identifier
   8 │   engine_version              = local.application_data.accounts[local.environment].engine_version
   9 └   instance_class              = local.application_data.accounts[local.environment].instance_class
  ..   
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 rds.tf:57
   via rds.tf:52-58 (egress)
    via rds.tf:24-59 (aws_security_group.postgresql_db_sc[0])
────────────────────────────────────────
  24   resource "aws_security_group" "postgresql_db_sc" {
  ..   
  57 [     cidr_blocks = ["0.0.0.0/0"]
  ..   
  59   }
────────────────────────────────────────


trivy_exitcode=1

@jacobwoffenden jacobwoffenden marked this pull request as draft June 12, 2024 16:25
@jacobwoffenden jacobwoffenden temporarily deployed to analytical-platform-compute-development June 12, 2024 16:42 — with GitHub Actions Inactive
@jacobwoffenden jacobwoffenden temporarily deployed to analytical-platform-compute-test June 12, 2024 16:42 — with GitHub Actions Inactive
Contributor

Trivy Scan Success

Show Output

Trivy will check the following folders:
terraform/environments/analytical-platform-compute


Running Trivy in terraform/environments/analytical-platform-compute
2024-06-12T16:42:36Z INFO Need to update DB
2024-06-12T16:42:36Z INFO Downloading DB... repository="ghcr.io/aquasecurity/trivy-db:2"
2024-06-12T16:42:38Z INFO Vulnerability scanning is enabled
2024-06-12T16:42:38Z INFO Misconfiguration scanning is enabled
2024-06-12T16:42:38Z INFO Need to update the built-in policies
2024-06-12T16:42:38Z INFO Downloading the built-in policies...
53.79 KiB / 53.79 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s
2024-06-12T16:42:38Z INFO Secret scanning is enabled
2024-06-12T16:42:38Z INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-12T16:42:38Z INFO Please see also https://aquasecurity.github.io/trivy/v0.52/docs/scanner/secret/#recommendation for faster secret detection
2024-06-12T16:42:50Z INFO Number of language-specific files num=0
2024-06-12T16:42:50Z INFO Detected config files num=13

git::https:/github.com/terraform-aws-modules/terraform-aws-eks?ref=098c6a86ca716dae74bd98974accc29f66178c43/main.tf (terraform)

Tests: 5 (SUCCESSES: 1, FAILURES: 0, EXCEPTIONS: 4)
Failures: 0 (HIGH: 0, CRITICAL: 0)

git::https:/github.com/terraform-aws-modules/terraform-aws-iam?ref=de95e21a3bc51cd3a44b3b95a4c2f61000649ebb/modules/iam-role-for-service-accounts-eks/policies.tf (terraform)

Tests: 22 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 22)
Failures: 0 (HIGH: 0, CRITICAL: 0)

iam-policies.tf (terraform)

Tests: 6 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 6)
Failures: 0 (HIGH: 0, CRITICAL: 0)

trivy_exitcode=0

Checkov Scan Success

Show Output

*****************************

Checkov will check the following folders:
terraform/environments/analytical-platform-compute

*****************************

Running Checkov in terraform/environments/analytical-platform-compute
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-06-12 16:42:53,351 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks:5.39.1 (for external modules, the --download-external-modules flag is required)
2024-06-12 16:42:53,351 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-github-oidc-role:5.39.1 (for external modules, the --download-external-modules flag is required)
2024-06-12 16:42:53,352 [MainThread  ] [WARNI]  Failed to download module ministryofjustice/observability-platform-tenant/aws:1.2.0 (for external modules, the --download-external-modules flag is required)
2024-06-12 16:42:53,352 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/secrets-manager/aws:1.1.2 (for external modules, the --download-external-modules flag is required)
2024-06-12 16:42:53,352 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/s3-bucket/aws:4.1.2 (for external modules, the --download-external-modules flag is required)
2024-06-12 16:42:53,352 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/vpc/aws//modules/vpc-endpoints:5.8.1 (for external modules, the --download-external-modules flag is required)
2024-06-12 16:42:53,352 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-policy:5.39.1 (for external modules, the --download-external-modules flag is required)
2024-06-12 16:42:53,352 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/vpc/aws:5.8.1 (for external modules, the --download-external-modules flag is required)
2024-06-12 16:42:53,353 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/security-group/aws:5.1.2 (for external modules, the --download-external-modules flag is required)
2024-06-12 16:42:53,353 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/rds/aws:6.6.0 (for external modules, the --download-external-modules flag is required)
2024-06-12 16:42:53,353 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/eks/aws:20.13.1 (for external modules, the --download-external-modules flag is required)
2024-06-12 16:42:53,353 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/kms/aws:3.0.0 (for external modules, the --download-external-modules flag is required)
2024-06-12 16:42:53,353 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/route53/aws//modules/zones:3.1.0 (for external modules, the --download-external-modules flag is required)
2024-06-12 16:42:53,353 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/cloudwatch/aws//modules/log-group:5.3.1 (for external modules, the --download-external-modules flag is required)
2024-06-12 16:42:53,354 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/eks-pod-identity/aws:1.2.1 (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 72, Failed checks: 0, Skipped checks: 74


checkov_exitcode=0

TFLint Scan Success

Show Output
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
terraform/environments/analytical-platform-compute

*****************************

Running tflint in terraform/environments/analytical-platform-compute
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0


Signed-off-by: Jacob Woffenden <[email protected]>
@jacobwoffenden jacobwoffenden temporarily deployed to analytical-platform-compute-development June 12, 2024 16:59 — with GitHub Actions Inactive
@jacobwoffenden jacobwoffenden temporarily deployed to analytical-platform-compute-test June 12, 2024 16:59 — with GitHub Actions Inactive
Trivy Scan Success

Show Output

Trivy will check the following folders:
terraform/environments/analytical-platform-compute


Running Trivy in terraform/environments/analytical-platform-compute
2024-06-12T16:59:25Z INFO Need to update DB
2024-06-12T16:59:25Z INFO Downloading DB... repository="ghcr.io/aquasecurity/trivy-db:2"
2024-06-12T16:59:28Z INFO Vulnerability scanning is enabled
2024-06-12T16:59:28Z INFO Misconfiguration scanning is enabled
2024-06-12T16:59:28Z INFO Need to update the built-in policies
2024-06-12T16:59:28Z INFO Downloading the built-in policies...
53.79 KiB / 53.79 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s
2024-06-12T16:59:28Z INFO Secret scanning is enabled
2024-06-12T16:59:28Z INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-12T16:59:28Z INFO Please see also https://aquasecurity.github.io/trivy/v0.52/docs/scanner/secret/#recommendation for faster secret detection
2024-06-12T16:59:51Z INFO Number of language-specific files num=0
2024-06-12T16:59:51Z INFO Detected config files num=13

git::https:/github.com/terraform-aws-modules/terraform-aws-eks?ref=098c6a86ca716dae74bd98974accc29f66178c43/main.tf (terraform)

Tests: 5 (SUCCESSES: 1, FAILURES: 0, EXCEPTIONS: 4)
Failures: 0 (HIGH: 0, CRITICAL: 0)

git::https:/github.com/terraform-aws-modules/terraform-aws-iam?ref=de95e21a3bc51cd3a44b3b95a4c2f61000649ebb/modules/iam-role-for-service-accounts-eks/policies.tf (terraform)

Tests: 22 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 22)
Failures: 0 (HIGH: 0, CRITICAL: 0)

iam-policies.tf (terraform)

Tests: 6 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 6)
Failures: 0 (HIGH: 0, CRITICAL: 0)

trivy_exitcode=0

Checkov Scan Success

Show Output

*****************************

Checkov will check the following folders:
terraform/environments/analytical-platform-compute

*****************************

Running Checkov in terraform/environments/analytical-platform-compute
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-06-12 16:59:53,817 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks:5.39.1 (for external modules, the --download-external-modules flag is required)
2024-06-12 16:59:53,817 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-github-oidc-role:5.39.1 (for external modules, the --download-external-modules flag is required)
2024-06-12 16:59:53,817 [MainThread  ] [WARNI]  Failed to download module ministryofjustice/observability-platform-tenant/aws:1.2.0 (for external modules, the --download-external-modules flag is required)
2024-06-12 16:59:53,817 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/secrets-manager/aws:1.1.2 (for external modules, the --download-external-modules flag is required)
2024-06-12 16:59:53,817 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/s3-bucket/aws:4.1.2 (for external modules, the --download-external-modules flag is required)
2024-06-12 16:59:53,817 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/vpc/aws//modules/vpc-endpoints:5.8.1 (for external modules, the --download-external-modules flag is required)
2024-06-12 16:59:53,818 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-policy:5.39.1 (for external modules, the --download-external-modules flag is required)
2024-06-12 16:59:53,818 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/vpc/aws:5.8.1 (for external modules, the --download-external-modules flag is required)
2024-06-12 16:59:53,818 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/security-group/aws:5.1.2 (for external modules, the --download-external-modules flag is required)
2024-06-12 16:59:53,818 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/rds/aws:6.6.0 (for external modules, the --download-external-modules flag is required)
2024-06-12 16:59:53,818 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/eks/aws:20.13.1 (for external modules, the --download-external-modules flag is required)
2024-06-12 16:59:53,818 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/kms/aws:3.0.0 (for external modules, the --download-external-modules flag is required)
2024-06-12 16:59:53,818 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/route53/aws//modules/zones:3.1.0 (for external modules, the --download-external-modules flag is required)
2024-06-12 16:59:53,819 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/cloudwatch/aws//modules/log-group:5.3.1 (for external modules, the --download-external-modules flag is required)
2024-06-12 16:59:53,819 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/eks-pod-identity/aws:1.2.1 (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 72, Failed checks: 0, Skipped checks: 74


checkov_exitcode=0

TFLint Scan Success

Show Output
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
terraform/environments/analytical-platform-compute

*****************************

Running tflint in terraform/environments/analytical-platform-compute
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0


@jacobwoffenden jacobwoffenden marked this pull request as ready for review June 12, 2024 17:04
@AntFMoJ AntFMoJ left a comment

LGTM

@jacobwoffenden jacobwoffenden merged commit 2ec5646 into main Jun 13, 2024
14 checks passed
@jacobwoffenden jacobwoffenden deleted the feat/apc-mojas-airflow branch June 13, 2024 06:56