Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update ssl_policy for performance-hub https listeners #6619

Merged
merged 1 commit into from
Jun 17, 2024
Merged

Update ssl_policy for performance-hub https listeners #6619

merged 1 commit into from
Jun 17, 2024

Conversation

dms1981
Copy link
Contributor

@dms1981 dms1981 commented Jun 17, 2024
edited by jemnery
Loading

Hello! I'm working on a Modernisation Platform story on behalf of the SOC team. The story is about load balancer listeners that support less-than-secure versions (TLS 1.1 and 1.0). I can see some alerts in the story that point at performance-hub load balancers, and long story short if you don't specify a listener in terraform, you get assigned an old default policy that supports less-than-secure listeners.

The ELBSecurityPolicy-2016-08 policy is the default security policy for HTTPS listeners created using the AWS CLI.

@dms1981 dms1981 requested review from a team as code owners June 17, 2024 10:01
@github-actions github-actions bot added the environments-repository Used to exclude PRs from this repo in our Slack PR update label Jun 17, 2024
@github-actions GitHub Actions
Copy link
Contributor

Trivy Scan Failed

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/performance-hub

Running Trivy in terraform/environments/performance-hub
2024-06-17T10:03:14Z INFO Need to update DB
2024-06-17T10:03:14Z INFO Downloading DB... repository="ghcr.io/aquasecurity/trivy-db:2"
2024-06-17T10:03:16Z INFO Vulnerability scanning is enabled
2024-06-17T10:03:16Z INFO Misconfiguration scanning is enabled
2024-06-17T10:03:16Z INFO Need to update the built-in policies
2024-06-17T10:03:16Z INFO Downloading the built-in policies...
53.79 KiB / 53.79 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-06-17T10:03:16Z INFO Secret scanning is enabled
2024-06-17T10:03:16Z INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-17T10:03:16Z INFO Please see also https://aquasecurity.github.io/trivy/v0.52/docs/scanner/secret/#recommendation for faster secret detection
2024-06-17T10:03:18Z INFO Number of language-specific files num=0
2024-06-17T10:03:18Z INFO Detected config files num=11

database.tf (terraform)

Tests: 16 (SUCCESSES: 11, FAILURES: 4, EXCEPTIONS: 1)
Failures: 4 (HIGH: 4, CRITICAL: 0)

HIGH: No public access block so not blocking public acls
════════════════════════════════════════

S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.

See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
database.tf:166-182
────────────────────────────────────────
166 ┌ resource "aws_s3_bucket" "database_backup_files" {
167 │ #checkov:skip=CKV_AWS_18
168 │ #checkov:skip=CKV_AWS_144
169 │ #checkov:skip=CKV2_AWS_6
170 │ bucket = "${local.application_name}-db-backups-${local.environment}"
171 │
172 │ lifecycle {
173 │ prevent_destroy = true
174 └ }
...
────────────────────────────────────────

HIGH: No public access block so not blocking public policies
════════════════════════════════════════

S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.

See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
database.tf:166-182
────────────────────────────────────────
166 ┌ resource "aws_s3_bucket" "database_backup_files" {
167 │ #checkov:skip=CKV_AWS_18
168 │ #checkov:skip=CKV_AWS_144
169 │ #checkov:skip=CKV2_AWS_6
170 │ bucket = "${local.application_name}-db-backups-${local.environment}"
171 │
172 │ lifecycle {
173 │ prevent_destroy = true
174 └ }
...
────────────────────────────────────────

HIGH: No public access block so not ignoring public acls
════════════════════════════════════════

S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.

See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
database.tf:166-182
────────────────────────────────────────
166 ┌ resource "aws_s3_bucket" "database_backup_files" {
167 │ #checkov:skip=CKV_AWS_18
168 │ #checkov:skip=CKV_AWS_144
169 │ #checkov:skip=CKV2_AWS_6
170 │ bucket = "${local.application_name}-db-backups-${local.environment}"
171 │
172 │ lifecycle {
173 │ prevent_destroy = true
174 └ }
...
────────────────────────────────────────

HIGH: No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.

See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
database.tf:166-182
────────────────────────────────────────
166 ┌ resource "aws_s3_bucket" "database_backup_files" {
167 │ #checkov:skip=CKV_AWS_18
168 │ #checkov:skip=CKV_AWS_144
169 │ #checkov:skip=CKV2_AWS_6
170 │ bucket = "${local.application_name}-db-backups-${local.environment}"
171 │
172 │ lifecycle {
173 │ prevent_destroy = true
174 └ }
...
────────────────────────────────────────

db_manager.tf (terraform)

Tests: 2 (SUCCESSES: 1, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
db_manager.tf:147-149
via db_manager.tf:141-150 (egress)
via db_manager.tf:128-158 (aws_security_group.db_mgmt_server_security_group)
────────────────────────────────────────
128 resource "aws_security_group" "db_mgmt_server_security_group" {
...
147 ┌ cidr_blocks = [
148 │ "0.0.0.0/0",
149 └ ]
...
158 }
────────────────────────────────────────

github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf (terraform)

Tests: 7 (SUCCESSES: 5, FAILURES: 0, EXCEPTIONS: 2)
Failures: 0 (HIGH: 0, CRITICAL: 0)

loadbalancer.tf (terraform)

Tests: 9 (SUCCESSES: 3, FAILURES: 6, EXCEPTIONS: 0)
Failures: 6 (HIGH: 2, CRITICAL: 4)

HIGH: Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.

By setting drop_invalid_header_fields to true, anything that doe not conform to well known, defined headers will be removed by the load balancer.

See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
loadbalancer.tf:5-25
────────────────────────────────────────
5 ┌ resource "aws_lb" "external" {
6 │ #checkov:skip=CKV_AWS_91
7 │ #checkov:skip=CKV_AWS_131
8 │ #checkov:skip=CKV2_AWS_20
9 │ #checkov:skip=CKV2_AWS_28
10 │ name = "${local.application_name}-loadbalancer"
11 │ load_balancer_type = "application"
12 │ subnets = data.aws_subnets.shared-public.ids
13 └ enable_deletion_protection = true
..
────────────────────────────────────────

HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
loadbalancer.tf:5-25
────────────────────────────────────────
5 ┌ resource "aws_lb" "external" {
6 │ #checkov:skip=CKV_AWS_91
7 │ #checkov:skip=CKV_AWS_131
8 │ #checkov:skip=CKV2_AWS_20
9 │ #checkov:skip=CKV2_AWS_28
10 │ name = "${local.application_name}-loadbalancer"
11 │ load_balancer_type = "application"
12 │ subnets = data.aws_subnets.shared-public.ids
13 └ enable_deletion_protection = true
..
────────────────────────────────────────

CRITICAL: Listener for application load balancer does not use HTTPS.
════════════════════════════════════════
Plain HTTP is unencrypted and human-readable. This means that if a malicious actor was to eavesdrop on your connection, they would be able to see all of your data flowing back and forth.

You should use HTTPS, which is HTTP over an encrypted (TLS) connection, meaning eavesdroppers cannot read your traffic.

See https://avd.aquasec.com/misconfig/avd-aws-0054
────────────────────────────────────────
loadbalancer.tf:63
via loadbalancer.tf:58-69 (aws_lb_listener.listener)
────────────────────────────────────────
58 resource "aws_lb_listener" "listener" {
..
63 [ protocol = "HTTP"
..
69 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
loadbalancer.tf:116-118
via loadbalancer.tf:110-119 (egress)
via loadbalancer.tf:87-127 (aws_security_group.load_balancer_security_group)
────────────────────────────────────────
87 resource "aws_security_group" "load_balancer_security_group" {
..
116 ┌ cidr_blocks = [
117 │ "0.0.0.0/0",
118 └ ]
...
127 }
────────────────────────────────────────

CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
loadbalancer.tf:98
via loadbalancer.tf:92-99 (ingress)
via loadbalancer.tf:87-127 (aws_security_group.load_balancer_security_group)
────────────────────────────────────────
87 resource "aws_security_group" "load_balancer_security_group" {
..
98 [ cidr_blocks = ["0.0.0.0/0", ]
...
127 }
────────────────────────────────────────

CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
loadbalancer.tf:107
via loadbalancer.tf:101-108 (ingress)
via loadbalancer.tf:87-127 (aws_security_group.load_balancer_security_group)
────────────────────────────────────────
87 resource "aws_security_group" "load_balancer_security_group" {
..
107 [ cidr_blocks = ["0.0.0.0/0", ]
...
127 }
────────────────────────────────────────

module/ecs/main.tf (terraform)

Tests: 64 (SUCCESSES: 6, FAILURES: 1, EXCEPTIONS: 57)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
module/ecs/main.tf:84
via module/ecs/main.tf:79-86 (content)
via module/ecs/main.tf:77-87 (dynamic.egress["cluster_ec2_lb_egress"])
via module/ecs/main.tf:60-95 (aws_security_group.cluster_ec2)
via ecs.tf:35-63 (module.windows-new-ecs)
────────────────────────────────────────
60 resource "aws_security_group" "cluster_ec2" {
..
84 [ cidr_blocks = lookup(egress.value, "cidr_blocks", null)
..
95 }
────────────────────────────────────────

monitoring.tf (terraform)

Tests: 2 (SUCCESSES: 1, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Topic does not have encryption enabled.
════════════════════════════════════════
Topics should be encrypted to protect their contents.

See https://avd.aquasec.com/misconfig/avd-aws-0095
────────────────────────────────────────
monitoring.tf:21-23
────────────────────────────────────────
21 ┌ resource "aws_sns_topic" "ddos_alarm" {
22 │ name = "ddos_alarm"
23 └ }
────────────────────────────────────────

s3.tf (terraform)

Tests: 11 (SUCCESSES: 3, FAILURES: 4, EXCEPTIONS: 4)
Failures: 4 (HIGH: 4, CRITICAL: 0)

HIGH: No public access block so not blocking public acls
════════════════════════════════════════

S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.

See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
s3.tf:7-23
────────────────────────────────────────
7 ┌ resource "aws_s3_bucket" "upload_files" {
8 │ #checkov:skip=CKV_AWS_18
9 │ #checkov:skip=CKV_AWS_144
10 │ #checkov:skip=CKV2_AWS_6
11 │ bucket = "${local.application_name}-uploads-${local.environment}"
12 │
13 │ lifecycle {
14 │ prevent_destroy = true
15 └ }
..
────────────────────────────────────────

HIGH: No public access block so not blocking public policies
════════════════════════════════════════

S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.

See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
s3.tf:7-23
────────────────────────────────────────
7 ┌ resource "aws_s3_bucket" "upload_files" {
8 │ #checkov:skip=CKV_AWS_18
9 │ #checkov:skip=CKV_AWS_144
10 │ #checkov:skip=CKV2_AWS_6
11 │ bucket = "${local.application_name}-uploads-${local.environment}"
12 │
13 │ lifecycle {
14 │ prevent_destroy = true
15 └ }
..
────────────────────────────────────────

HIGH: No public access block so not ignoring public acls
════════════════════════════════════════

S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.

See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
s3.tf:7-23
────────────────────────────────────────
7 ┌ resource "aws_s3_bucket" "upload_files" {
8 │ #checkov:skip=CKV_AWS_18
9 │ #checkov:skip=CKV_AWS_144
10 │ #checkov:skip=CKV2_AWS_6
11 │ bucket = "${local.application_name}-uploads-${local.environment}"
12 │
13 │ lifecycle {
14 │ prevent_destroy = true
15 └ }
..
────────────────────────────────────────

HIGH: No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.

See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
s3.tf:7-23
────────────────────────────────────────
7 ┌ resource "aws_s3_bucket" "upload_files" {
8 │ #checkov:skip=CKV_AWS_18
9 │ #checkov:skip=CKV_AWS_144
10 │ #checkov:skip=CKV2_AWS_6
11 │ bucket = "${local.application_name}-uploads-${local.environment}"
12 │
13 │ lifecycle {
14 │ prevent_destroy = true
15 └ }
..
────────────────────────────────────────

trivy_exitcode=1

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/performance-hub

*****************************

Running Checkov in terraform/environments/performance-hub
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-06-17 10:03:20,370 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1:None (for external modules, the --download-external-modules flag is required)
2024-06-17 10:03:20,370 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0:None (for external modules, the --download-external-modules flag is required)
2024-06-17 10:03:20,370 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 247, Failed checks: 41, Skipped checks: 32

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: bastion_linux
	File: /bastion_linux.tf:6-35
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		6  | module "bastion_linux" {
		7  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1"
		8  | 
		9  |   providers = {
		10 |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		11 |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		12 |   }
		13 | 
		14 |   # s3 - used for logs and user ssh public keys
		15 |   bucket_name = "bastion"
		16 |   # public keys
		17 |   public_key_data = local.public_key_data.keys[local.environment]
		18 |   # logs
		19 |   log_auto_clean       = "Enabled"
		20 |   log_standard_ia_days = 30  # days before moving to IA storage
		21 |   log_glacier_days     = 60  # days before moving to Glacier
		22 |   log_expiry_days      = 180 # days before log expiration
		23 |   # bastion
		24 |   allow_ssh_commands = false
		25 | 
		26 |   app_name      = var.networking[0].application
		27 |   business_unit = local.vpc_name
		28 |   subnet_set    = local.subnet_set
		29 |   environment   = local.environment
		30 |   region        = "eu-west-2"
		31 | 
		32 |   # Tags
		33 |   tags_common = local.tags
		34 |   tags_prefix = terraform.workspace
		35 | }

Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-51
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-293

		5  | resource "aws_db_instance" "database" {
		6  |   #tfsec:ignore:AWS099
		7  |   #checkov:skip=CKV_AWS_118
		8  |   #checkov:skip=CKV_AWS_157
		9  |   count                               = local.app_data.accounts[local.environment].db_enabled ? 1 : 0
		10 |   identifier                          = local.application_name
		11 |   allocated_storage                   = local.app_data.accounts[local.environment].db_allocated_storage
		12 |   storage_type                        = "gp2"
		13 |   engine                              = "sqlserver-se"
		14 |   engine_version                      = "15.00.4073.23.v1"
		15 |   license_model                       = "license-included"
		16 |   instance_class                      = local.app_data.accounts[local.environment].db_instance_class
		17 |   multi_az                            = false
		18 |   username                            = local.app_data.accounts[local.environment].db_user
		19 |   password                            = aws_secretsmanager_secret_version.db_password.arn
		20 |   storage_encrypted                   = true
		21 |   iam_database_authentication_enabled = false
		22 |   vpc_security_group_ids              = [aws_security_group.db.id]
		23 |   snapshot_identifier                 = format("arn:aws:rds:eu-west-2:%s:snapshot:%s", data.aws_caller_identity.current.account_id, local.app_data.accounts[local.environment].db_snapshot_identifier)
		24 |   backup_retention_period             = 30
		25 |   maintenance_window                  = "Mon:00:00-Mon:03:00"
		26 |   backup_window                       = "03:00-06:00"
		27 |   final_snapshot_identifier           = "final-snapshot"
		28 |   kms_key_id                          = aws_kms_key.rds.arn
		29 |   deletion_protection                 = false
		30 |   option_group_name                   = aws_db_option_group.db_option_group.name
		31 |   db_subnet_group_name                = aws_db_subnet_group.db.id
		32 |   enabled_cloudwatch_logs_exports     = ["error"]
		33 | 
		34 |   # timeouts {
		35 |   #   create = "40m"
		36 |   #   delete = "40m"
		37 |   #   update = "80m"
		38 |   # }
		39 | 
		40 |   lifecycle {
		41 |     prevent_destroy = true
		42 |   }
		43 | 
		44 |   tags = merge(
		45 |     local.tags,
		46 |     {
		47 |       Name                = "${local.application_name}-database",
		48 |       instance-scheduling = "skip-scheduling"
		49 |     }
		50 |   )
		51 | }

Check: CKV_AWS_226: "Ensure DB instance gets all minor upgrades automatically"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-51
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-db-instance-gets-all-minor-upgrades-automatically

		5  | resource "aws_db_instance" "database" {
		6  |   #tfsec:ignore:AWS099
		7  |   #checkov:skip=CKV_AWS_118
		8  |   #checkov:skip=CKV_AWS_157
		9  |   count                               = local.app_data.accounts[local.environment].db_enabled ? 1 : 0
		10 |   identifier                          = local.application_name
		11 |   allocated_storage                   = local.app_data.accounts[local.environment].db_allocated_storage
		12 |   storage_type                        = "gp2"
		13 |   engine                              = "sqlserver-se"
		14 |   engine_version                      = "15.00.4073.23.v1"
		15 |   license_model                       = "license-included"
		16 |   instance_class                      = local.app_data.accounts[local.environment].db_instance_class
		17 |   multi_az                            = false
		18 |   username                            = local.app_data.accounts[local.environment].db_user
		19 |   password                            = aws_secretsmanager_secret_version.db_password.arn
		20 |   storage_encrypted                   = true
		21 |   iam_database_authentication_enabled = false
		22 |   vpc_security_group_ids              = [aws_security_group.db.id]
		23 |   snapshot_identifier                 = format("arn:aws:rds:eu-west-2:%s:snapshot:%s", data.aws_caller_identity.current.account_id, local.app_data.accounts[local.environment].db_snapshot_identifier)
		24 |   backup_retention_period             = 30
		25 |   maintenance_window                  = "Mon:00:00-Mon:03:00"
		26 |   backup_window                       = "03:00-06:00"
		27 |   final_snapshot_identifier           = "final-snapshot"
		28 |   kms_key_id                          = aws_kms_key.rds.arn
		29 |   deletion_protection                 = false
		30 |   option_group_name                   = aws_db_option_group.db_option_group.name
		31 |   db_subnet_group_name                = aws_db_subnet_group.db.id
		32 |   enabled_cloudwatch_logs_exports     = ["error"]
		33 | 
		34 |   # timeouts {
		35 |   #   create = "40m"
		36 |   #   delete = "40m"
		37 |   #   update = "80m"
		38 |   # }
		39 | 
		40 |   lifecycle {
		41 |     prevent_destroy = true
		42 |   }
		43 | 
		44 |   tags = merge(
		45 |     local.tags,
		46 |     {
		47 |       Name                = "${local.application_name}-database",
		48 |       instance-scheduling = "skip-scheduling"
		49 |     }
		50 |   )
		51 | }

Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-51
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-353

		5  | resource "aws_db_instance" "database" {
		6  |   #tfsec:ignore:AWS099
		7  |   #checkov:skip=CKV_AWS_118
		8  |   #checkov:skip=CKV_AWS_157
		9  |   count                               = local.app_data.accounts[local.environment].db_enabled ? 1 : 0
		10 |   identifier                          = local.application_name
		11 |   allocated_storage                   = local.app_data.accounts[local.environment].db_allocated_storage
		12 |   storage_type                        = "gp2"
		13 |   engine                              = "sqlserver-se"
		14 |   engine_version                      = "15.00.4073.23.v1"
		15 |   license_model                       = "license-included"
		16 |   instance_class                      = local.app_data.accounts[local.environment].db_instance_class
		17 |   multi_az                            = false
		18 |   username                            = local.app_data.accounts[local.environment].db_user
		19 |   password                            = aws_secretsmanager_secret_version.db_password.arn
		20 |   storage_encrypted                   = true
		21 |   iam_database_authentication_enabled = false
		22 |   vpc_security_group_ids              = [aws_security_group.db.id]
		23 |   snapshot_identifier                 = format("arn:aws:rds:eu-west-2:%s:snapshot:%s", data.aws_caller_identity.current.account_id, local.app_data.accounts[local.environment].db_snapshot_identifier)
		24 |   backup_retention_period             = 30
		25 |   maintenance_window                  = "Mon:00:00-Mon:03:00"
		26 |   backup_window                       = "03:00-06:00"
		27 |   final_snapshot_identifier           = "final-snapshot"
		28 |   kms_key_id                          = aws_kms_key.rds.arn
		29 |   deletion_protection                 = false
		30 |   option_group_name                   = aws_db_option_group.db_option_group.name
		31 |   db_subnet_group_name                = aws_db_subnet_group.db.id
		32 |   enabled_cloudwatch_logs_exports     = ["error"]
		33 | 
		34 |   # timeouts {
		35 |   #   create = "40m"
		36 |   #   delete = "40m"
		37 |   #   update = "80m"
		38 |   # }
		39 | 
		40 |   lifecycle {
		41 |     prevent_destroy = true
		42 |   }
		43 | 
		44 |   tags = merge(
		45 |     local.tags,
		46 |     {
		47 |       Name                = "${local.application_name}-database",
		48 |       instance-scheduling = "skip-scheduling"
		49 |     }
		50 |   )
		51 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-51
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-354

		5  | resource "aws_db_instance" "database" {
		6  |   #tfsec:ignore:AWS099
		7  |   #checkov:skip=CKV_AWS_118
		8  |   #checkov:skip=CKV_AWS_157
		9  |   count                               = local.app_data.accounts[local.environment].db_enabled ? 1 : 0
		10 |   identifier                          = local.application_name
		11 |   allocated_storage                   = local.app_data.accounts[local.environment].db_allocated_storage
		12 |   storage_type                        = "gp2"
		13 |   engine                              = "sqlserver-se"
		14 |   engine_version                      = "15.00.4073.23.v1"
		15 |   license_model                       = "license-included"
		16 |   instance_class                      = local.app_data.accounts[local.environment].db_instance_class
		17 |   multi_az                            = false
		18 |   username                            = local.app_data.accounts[local.environment].db_user
		19 |   password                            = aws_secretsmanager_secret_version.db_password.arn
		20 |   storage_encrypted                   = true
		21 |   iam_database_authentication_enabled = false
		22 |   vpc_security_group_ids              = [aws_security_group.db.id]
		23 |   snapshot_identifier                 = format("arn:aws:rds:eu-west-2:%s:snapshot:%s", data.aws_caller_identity.current.account_id, local.app_data.accounts[local.environment].db_snapshot_identifier)
		24 |   backup_retention_period             = 30
		25 |   maintenance_window                  = "Mon:00:00-Mon:03:00"
		26 |   backup_window                       = "03:00-06:00"
		27 |   final_snapshot_identifier           = "final-snapshot"
		28 |   kms_key_id                          = aws_kms_key.rds.arn
		29 |   deletion_protection                 = false
		30 |   option_group_name                   = aws_db_option_group.db_option_group.name
		31 |   db_subnet_group_name                = aws_db_subnet_group.db.id
		32 |   enabled_cloudwatch_logs_exports     = ["error"]
		33 | 
		34 |   # timeouts {
		35 |   #   create = "40m"
		36 |   #   delete = "40m"
		37 |   #   update = "80m"
		38 |   # }
		39 | 
		40 |   lifecycle {
		41 |     prevent_destroy = true
		42 |   }
		43 | 
		44 |   tags = merge(
		45 |     local.tags,
		46 |     {
		47 |       Name                = "${local.application_name}-database",
		48 |       instance-scheduling = "skip-scheduling"
		49 |     }
		50 |   )
		51 | }

Check: CKV_AWS_300: "Ensure S3 lifecycle configuration sets period for aborting failed uploads"
	FAILED for resource: aws_s3_bucket_lifecycle_configuration.database_backup_files
	File: /database.tf:189-204
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-300

		189 | resource "aws_s3_bucket_lifecycle_configuration" "database_backup_files" {
		190 |   bucket = aws_s3_bucket.database_backup_files.id
		191 |   rule {
		192 |     id     = "tf-s3-lifecycle"
		193 |     status = "Enabled"
		194 |     noncurrent_version_transition {
		195 |       noncurrent_days = 30
		196 |       storage_class   = "STANDARD_IA"
		197 |     }
		198 | 
		199 |     transition {
		200 |       days          = 60
		201 |       storage_class = "STANDARD_IA"
		202 |     }
		203 |   }
		204 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.rds-kms
	File: /database.tf:306-319
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		306 | data "aws_iam_policy_document" "rds-kms" {
		307 |   #checkov:skip=CKV_AWS_111
		308 |   #checkov:skip=CKV_AWS_109
		309 |   statement {
		310 |     effect    = "Allow"
		311 |     actions   = ["kms:*"]
		312 |     resources = ["*"]
		313 | 
		314 |     principals {
		315 |       type        = "AWS"
		316 |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		317 |     }
		318 |   }
		319 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy.db_mgmt_policy
	File: /db_manager.tf:95-125
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		95  | resource "aws_iam_policy" "db_mgmt_policy" {
		96  |   name        = "${local.application_name}-db_mgmt-ec2-policy"
		97  |   description = "${local.application_name} ec2-policy"
		98  | 
		99  |   policy = <<EOF
		100 | {
		101 |     "Version": "2012-10-17",
		102 |     "Statement": [
		103 |       {
		104 |         "Effect": "Allow",
		105 |         "Action": "s3:*",
		106 |         "Resource": "*"
		107 |       },
		108 |       {
		109 |         "Effect": "Allow",
		110 |         "Action": [
		111 |           "s3:GetEncryptionConfiguration"
		112 |         ],
		113 |         "Resource": "*"
		114 |       },
		115 |       {
		116 |         "Effect": "Allow",
		117 |         "Action": [
		118 |           "kms:Decrypt"
		119 |         ],
		120 |         "Resource": "arn:aws:kms:eu-west-2:${local.environment_management.account_ids["performance-hub-preproduction"]}:key/c1b9e987-29e2-458f-b5bd-2e9c2b57f049"
		121 |       }
		122 |     ]
		123 | }
		124 | EOF
		125 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.db_mgmt_policy
	File: /db_manager.tf:95-125
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		95  | resource "aws_iam_policy" "db_mgmt_policy" {
		96  |   name        = "${local.application_name}-db_mgmt-ec2-policy"
		97  |   description = "${local.application_name} ec2-policy"
		98  | 
		99  |   policy = <<EOF
		100 | {
		101 |     "Version": "2012-10-17",
		102 |     "Statement": [
		103 |       {
		104 |         "Effect": "Allow",
		105 |         "Action": "s3:*",
		106 |         "Resource": "*"
		107 |       },
		108 |       {
		109 |         "Effect": "Allow",
		110 |         "Action": [
		111 |           "s3:GetEncryptionConfiguration"
		112 |         ],
		113 |         "Resource": "*"
		114 |       },
		115 |       {
		116 |         "Effect": "Allow",
		117 |         "Action": [
		118 |           "kms:Decrypt"
		119 |         ],
		120 |         "Resource": "arn:aws:kms:eu-west-2:${local.environment_management.account_ids["performance-hub-preproduction"]}:key/c1b9e987-29e2-458f-b5bd-2e9c2b57f049"
		121 |       }
		122 |     ]
		123 | }
		124 | EOF
		125 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_policy.db_mgmt_policy
	File: /db_manager.tf:95-125
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		95  | resource "aws_iam_policy" "db_mgmt_policy" {
		96  |   name        = "${local.application_name}-db_mgmt-ec2-policy"
		97  |   description = "${local.application_name} ec2-policy"
		98  | 
		99  |   policy = <<EOF
		100 | {
		101 |     "Version": "2012-10-17",
		102 |     "Statement": [
		103 |       {
		104 |         "Effect": "Allow",
		105 |         "Action": "s3:*",
		106 |         "Resource": "*"
		107 |       },
		108 |       {
		109 |         "Effect": "Allow",
		110 |         "Action": [
		111 |           "s3:GetEncryptionConfiguration"
		112 |         ],
		113 |         "Resource": "*"
		114 |       },
		115 |       {
		116 |         "Effect": "Allow",
		117 |         "Action": [
		118 |           "kms:Decrypt"
		119 |         ],
		120 |         "Resource": "arn:aws:kms:eu-west-2:${local.environment_management.account_ids["performance-hub-preproduction"]}:key/c1b9e987-29e2-458f-b5bd-2e9c2b57f049"
		121 |       }
		122 |     ]
		123 | }
		124 | EOF
		125 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.db_mgmt_policy
	File: /db_manager.tf:95-125
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		95  | resource "aws_iam_policy" "db_mgmt_policy" {
		96  |   name        = "${local.application_name}-db_mgmt-ec2-policy"
		97  |   description = "${local.application_name} ec2-policy"
		98  | 
		99  |   policy = <<EOF
		100 | {
		101 |     "Version": "2012-10-17",
		102 |     "Statement": [
		103 |       {
		104 |         "Effect": "Allow",
		105 |         "Action": "s3:*",
		106 |         "Resource": "*"
		107 |       },
		108 |       {
		109 |         "Effect": "Allow",
		110 |         "Action": [
		111 |           "s3:GetEncryptionConfiguration"
		112 |         ],
		113 |         "Resource": "*"
		114 |       },
		115 |       {
		116 |         "Effect": "Allow",
		117 |         "Action": [
		118 |           "kms:Decrypt"
		119 |         ],
		120 |         "Resource": "arn:aws:kms:eu-west-2:${local.environment_management.account_ids["performance-hub-preproduction"]}:key/c1b9e987-29e2-458f-b5bd-2e9c2b57f049"
		121 |       }
		122 |     ]
		123 | }
		124 | EOF
		125 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.ebs-kms
	File: /db_manager.tf:182-205
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		182 | data "aws_iam_policy_document" "ebs-kms" {
		183 |   #checkov:skip=CKV_AWS_111
		184 |   #checkov:skip=CKV_AWS_109
		185 |   statement {
		186 |     effect    = "Allow"
		187 |     actions   = ["kms:*"]
		188 |     resources = ["*"]
		189 | 
		190 |     principals {
		191 |       type        = "Service"
		192 |       identifiers = ["ec2.amazonaws.com"]
		193 |     }
		194 |   }
		195 |   statement {
		196 |     effect    = "Allow"
		197 |     actions   = ["kms:*"]
		198 |     resources = ["*"]
		199 | 
		200 |     principals {
		201 |       type        = "AWS"
		202 |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		203 |     }
		204 |   }
		205 | }

Check: CKV_AWS_261: "Ensure HTTP HTTPS Target group defines Healthcheck"
	FAILED for resource: aws_lb_target_group.target_group
	File: /loadbalancer.tf:27-55
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-kendra-index-server-side-encryption-uses-customer-managed-keys-cmks

		27 | resource "aws_lb_target_group" "target_group" {
		28 |   name                 = "${local.application_name}-tg-${local.environment}"
		29 |   port                 = local.app_data.accounts[local.environment].server_port
		30 |   protocol             = "HTTP"
		31 |   vpc_id               = data.aws_vpc.shared.id
		32 |   target_type          = "instance"
		33 |   deregistration_delay = 30
		34 | 
		35 |   stickiness {
		36 |     type = "lb_cookie"
		37 |   }
		38 | 
		39 |   health_check {
		40 |     # path                = "/"
		41 |     healthy_threshold   = "5"
		42 |     interval            = "120"
		43 |     protocol            = "HTTP"
		44 |     unhealthy_threshold = "2"
		45 |     matcher             = "200-499"
		46 |     timeout             = "5"
		47 |   }
		48 | 
		49 |   tags = merge(
		50 |     local.tags,
		51 |     {
		52 |       Name = "${local.application_name}-tg-${local.environment}"
		53 |     }
		54 |   )
		55 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: module.windows-new-ecs.aws_iam_policy.ec2_instance_policy
	File: /module/ecs/main.tf:185-224
	Calling File: /ecs.tf:35-63
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		185 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		186 |   name = "${var.app_name}-ec2-instance-policy"
		187 | 
		188 |   policy = <<EOF
		189 | {
		190 |     "Version": "2012-10-17",
		191 |     "Statement": [
		192 |         {
		193 |             "Effect": "Allow",
		194 |             "Action": [
		195 |                 "ec2:DescribeTags",
		196 |                 "ecs:CreateCluster",
		197 |                 "ecs:DeregisterContainerInstance",
		198 |                 "ecs:DiscoverPollEndpoint",
		199 |                 "ecs:Poll",
		200 |                 "ecs:RegisterContainerInstance",
		201 |                 "ecs:StartTelemetrySession",
		202 |                 "ecs:UpdateContainerInstancesState",
		203 |                 "ecs:Submit*",
		204 |                 "ecr:GetAuthorizationToken",
		205 |                 "ecr:BatchCheckLayerAvailability",
		206 |                 "ecr:GetDownloadUrlForLayer",
		207 |                 "ecr:BatchGetImage",
		208 |                 "logs:CreateLogStream",
		209 |                 "logs:PutLogEvents",
		210 |                 "s3:ListBucket",
		211 |                 "s3:*Object*",
		212 |                 "kms:Decrypt",
		213 |                 "kms:Encrypt",
		214 |                 "kms:GenerateDataKey",
		215 |                 "kms:ReEncrypt",
		216 |                 "kms:GenerateDataKey",
		217 |                 "kms:DescribeKey"
		218 |             ],
		219 |             "Resource": "*"
		220 |         }
		221 |     ]
		222 | }
		223 | EOF
		224 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.windows-new-ecs.aws_iam_policy.ec2_instance_policy
	File: /module/ecs/main.tf:185-224
	Calling File: /ecs.tf:35-63
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		185 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		186 |   name = "${var.app_name}-ec2-instance-policy"
		187 | 
		188 |   policy = <<EOF
		189 | {
		190 |     "Version": "2012-10-17",
		191 |     "Statement": [
		192 |         {
		193 |             "Effect": "Allow",
		194 |             "Action": [
		195 |                 "ec2:DescribeTags",
		196 |                 "ecs:CreateCluster",
		197 |                 "ecs:DeregisterContainerInstance",
		198 |                 "ecs:DiscoverPollEndpoint",
		199 |                 "ecs:Poll",
		200 |                 "ecs:RegisterContainerInstance",
		201 |                 "ecs:StartTelemetrySession",
		202 |                 "ecs:UpdateContainerInstancesState",
		203 |                 "ecs:Submit*",
		204 |                 "ecr:GetAuthorizationToken",
		205 |                 "ecr:BatchCheckLayerAvailability",
		206 |                 "ecr:GetDownloadUrlForLayer",
		207 |                 "ecr:BatchGetImage",
		208 |                 "logs:CreateLogStream",
		209 |                 "logs:PutLogEvents",
		210 |                 "s3:ListBucket",
		211 |                 "s3:*Object*",
		212 |                 "kms:Decrypt",
		213 |                 "kms:Encrypt",
		214 |                 "kms:GenerateDataKey",
		215 |                 "kms:ReEncrypt",
		216 |                 "kms:GenerateDataKey",
		217 |                 "kms:DescribeKey"
		218 |             ],
		219 |             "Resource": "*"
		220 |         }
		221 |     ]
		222 | }
		223 | EOF
		224 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: module.windows-new-ecs.aws_iam_policy.ec2_instance_policy
	File: /module/ecs/main.tf:185-224
	Calling File: /ecs.tf:35-63
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		185 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		186 |   name = "${var.app_name}-ec2-instance-policy"
		187 | 
		188 |   policy = <<EOF
		189 | {
		190 |     "Version": "2012-10-17",
		191 |     "Statement": [
		192 |         {
		193 |             "Effect": "Allow",
		194 |             "Action": [
		195 |                 "ec2:DescribeTags",
		196 |                 "ecs:CreateCluster",
		197 |                 "ecs:DeregisterContainerInstance",
		198 |                 "ecs:DiscoverPollEndpoint",
		199 |                 "ecs:Poll",
		200 |                 "ecs:RegisterContainerInstance",
		201 |                 "ecs:StartTelemetrySession",
		202 |                 "ecs:UpdateContainerInstancesState",
		203 |                 "ecs:Submit*",
		204 |                 "ecr:GetAuthorizationToken",
		205 |                 "ecr:BatchCheckLayerAvailability",
		206 |                 "ecr:GetDownloadUrlForLayer",
		207 |                 "ecr:BatchGetImage",
		208 |                 "logs:CreateLogStream",
		209 |                 "logs:PutLogEvents",
		210 |                 "s3:ListBucket",
		211 |                 "s3:*Object*",
		212 |                 "kms:Decrypt",
		213 |                 "kms:Encrypt",
		214 |                 "kms:GenerateDataKey",
		215 |                 "kms:ReEncrypt",
		216 |                 "kms:GenerateDataKey",
		217 |                 "kms:DescribeKey"
		218 |             ],
		219 |             "Resource": "*"
		220 |         }
		221 |     ]
		222 | }
		223 | EOF
		224 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: module.windows-new-ecs.aws_iam_policy.ec2_instance_policy
	File: /module/ecs/main.tf:185-224
	Calling File: /ecs.tf:35-63
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		185 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		186 |   name = "${var.app_name}-ec2-instance-policy"
		187 | 
		188 |   policy = <<EOF
		189 | {
		190 |     "Version": "2012-10-17",
		191 |     "Statement": [
		192 |         {
		193 |             "Effect": "Allow",
		194 |             "Action": [
		195 |                 "ec2:DescribeTags",
		196 |                 "ecs:CreateCluster",
		197 |                 "ecs:DeregisterContainerInstance",
		198 |                 "ecs:DiscoverPollEndpoint",
		199 |                 "ecs:Poll",
		200 |                 "ecs:RegisterContainerInstance",
		201 |                 "ecs:StartTelemetrySession",
		202 |                 "ecs:UpdateContainerInstancesState",
		203 |                 "ecs:Submit*",
		204 |                 "ecr:GetAuthorizationToken",
		205 |                 "ecr:BatchCheckLayerAvailability",
		206 |                 "ecr:GetDownloadUrlForLayer",
		207 |                 "ecr:BatchGetImage",
		208 |                 "logs:CreateLogStream",
		209 |                 "logs:PutLogEvents",
		210 |                 "s3:ListBucket",
		211 |                 "s3:*Object*",
		212 |                 "kms:Decrypt",
		213 |                 "kms:Encrypt",
		214 |                 "kms:GenerateDataKey",
		215 |                 "kms:ReEncrypt",
		216 |                 "kms:GenerateDataKey",
		217 |                 "kms:DescribeKey"
		218 |             ],
		219 |             "Resource": "*"
		220 |         }
		221 |     ]
		222 | }
		223 | EOF
		224 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: module.windows-new-ecs.aws_iam_policy.ecs_task_execution_s3_policy
	File: /module/ecs/main.tf:358-381
	Calling File: /ecs.tf:35-63
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		358 | resource "aws_iam_policy" "ecs_task_execution_s3_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		359 |   name   = "${var.app_name}-ecs-task-execution-s3-policy"
		360 |   policy = <<EOF
		361 | {
		362 |   "Version": "2012-10-17",
		363 |   "Statement": [
		364 |     {
		365 |       "Effect": "Allow",
		366 |       "Action": [
		367 |         "s3:ListBucket",
		368 |         "s3:*Object*",
		369 |         "kms:Decrypt",
		370 |         "kms:Encrypt",
		371 |         "kms:GenerateDataKey",
		372 |         "kms:ReEncrypt",
		373 |         "kms:GenerateDataKey",
		374 |         "kms:DescribeKey"
		375 |       ],
		376 |       "Resource": ["*"]
		377 |     }
		378 |   ]
		379 | }
		380 | EOF
		381 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.windows-new-ecs.aws_iam_policy.ecs_task_execution_s3_policy
	File: /module/ecs/main.tf:358-381
	Calling File: /ecs.tf:35-63
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		358 | resource "aws_iam_policy" "ecs_task_execution_s3_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		359 |   name   = "${var.app_name}-ecs-task-execution-s3-policy"
		360 |   policy = <<EOF
		361 | {
		362 |   "Version": "2012-10-17",
		363 |   "Statement": [
		364 |     {
		365 |       "Effect": "Allow",
		366 |       "Action": [
		367 |         "s3:ListBucket",
		368 |         "s3:*Object*",
		369 |         "kms:Decrypt",
		370 |         "kms:Encrypt",
		371 |         "kms:GenerateDataKey",
		372 |         "kms:ReEncrypt",
		373 |         "kms:GenerateDataKey",
		374 |         "kms:DescribeKey"
		375 |       ],
		376 |       "Resource": ["*"]
		377 |     }
		378 |   ]
		379 | }
		380 | EOF
		381 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: module.windows-new-ecs.aws_iam_policy.ecs_task_execution_s3_policy
	File: /module/ecs/main.tf:358-381
	Calling File: /ecs.tf:35-63
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		358 | resource "aws_iam_policy" "ecs_task_execution_s3_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		359 |   name   = "${var.app_name}-ecs-task-execution-s3-policy"
		360 |   policy = <<EOF
		361 | {
		362 |   "Version": "2012-10-17",
		363 |   "Statement": [
		364 |     {
		365 |       "Effect": "Allow",
		366 |       "Action": [
		367 |         "s3:ListBucket",
		368 |         "s3:*Object*",
		369 |         "kms:Decrypt",
		370 |         "kms:Encrypt",
		371 |         "kms:GenerateDataKey",
		372 |         "kms:ReEncrypt",
		373 |         "kms:GenerateDataKey",
		374 |         "kms:DescribeKey"
		375 |       ],
		376 |       "Resource": ["*"]
		377 |     }
		378 |   ]
		379 | }
		380 | EOF
		381 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: module.windows-new-ecs.aws_iam_policy.ecs_task_execution_s3_policy
	File: /module/ecs/main.tf:358-381
	Calling File: /ecs.tf:35-63
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		358 | resource "aws_iam_policy" "ecs_task_execution_s3_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		359 |   name   = "${var.app_name}-ecs-task-execution-s3-policy"
		360 |   policy = <<EOF
		361 | {
		362 |   "Version": "2012-10-17",
		363 |   "Statement": [
		364 |     {
		365 |       "Effect": "Allow",
		366 |       "Action": [
		367 |         "s3:ListBucket",
		368 |         "s3:*Object*",
		369 |         "kms:Decrypt",
		370 |         "kms:Encrypt",
		371 |         "kms:GenerateDataKey",
		372 |         "kms:ReEncrypt",
		373 |         "kms:GenerateDataKey",
		374 |         "kms:DescribeKey"
		375 |       ],
		376 |       "Resource": ["*"]
		377 |     }
		378 |   ]
		379 | }
		380 | EOF
		381 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: module.windows-new-ecs.aws_cloudwatch_log_group.cloudwatch_group
	File: /module/ecs/main.tf:467-477
	Calling File: /ecs.tf:35-63
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		467 | resource "aws_cloudwatch_log_group" "cloudwatch_group" {
		468 |   #checkov:skip=CKV_AWS_158:Temporarily skip KMS encryption check while logging solution is being updated
		469 |   name              = "${var.app_name}-ecs"
		470 |   retention_in_days = 30
		471 |   tags = merge(
		472 |     var.tags_common,
		473 |     {
		474 |       Name = "${var.app_name}-ecs-cloudwatch-group"
		475 |     }
		476 |   )
		477 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: pagerduty_ddos_alarm
	File: /monitoring.tf:43-50
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		43 | module "pagerduty_ddos_alarm" {
		44 |   depends_on = [
		45 |     aws_sns_topic.ddos_alarm
		46 |   ]
		47 |   source                    = "github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0"
		48 |   sns_topics                = [aws_sns_topic.ddos_alarm.name]
		49 |   pagerduty_integration_key = local.pagerduty_integration_keys["ddos_cloudwatch"]
		50 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.ddos_alarm
	File: /monitoring.tf:21-23
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		21 | resource "aws_sns_topic" "ddos_alarm" {
		22 |   name = "ddos_alarm"
		23 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: ap_landing_bucket
	File: /s3.tf:166-201
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		166 | module "ap_landing_bucket" {
		167 |   source = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0"
		168 | 
		169 |   bucket_name        = "${local.application_name}-land-${local.environment}"
		170 |   ownership_controls = "BucketOwnerEnforced"
		171 | 
		172 |   versioning_enabled  = false
		173 |   replication_enabled = false
		174 | 
		175 |   bucket_policy = [data.aws_iam_policy_document.allow_ap_write_to_landing.json]
		176 | 
		177 |   providers = {
		178 |     # Leave this provider block in even if you are not using replication
		179 |     aws.bucket-replication = aws
		180 |   }
		181 | 
		182 |   custom_kms_key = aws_kms_key.s3.arn
		183 | 
		184 |   lifecycle_rule = [
		185 |     {
		186 |       id      = "tf-s3-lifecycle-landing"
		187 |       enabled = "Enabled"
		188 | 
		189 |       expiration = {
		190 |         days = 30
		191 |       }
		192 |     }
		193 |   ]
		194 | 
		195 |   tags = merge(
		196 |     local.tags,
		197 |     {
		198 |       Name = "${local.application_name}-ap-landing-bucket"
		199 |     }
		200 |   )
		201 | }

Check: CKV_AWS_300: "Ensure S3 lifecycle configuration sets period for aborting failed uploads"
	FAILED for resource: aws_s3_bucket_lifecycle_configuration.upload_files
	File: /s3.tf:30-45
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-300

		30 | resource "aws_s3_bucket_lifecycle_configuration" "upload_files" {
		31 |   bucket = aws_s3_bucket.upload_files.id
		32 |   rule {
		33 |     id     = "tf-s3-lifecycle"
		34 |     status = "Enabled"
		35 |     noncurrent_version_transition {
		36 |       noncurrent_days = 30
		37 |       storage_class   = "STANDARD_IA"
		38 |     }
		39 | 
		40 |     transition {
		41 |       days          = 60
		42 |       storage_class = "STANDARD_IA"
		43 |     }
		44 |   }
		45 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.s3-uploads-policy
	File: /s3.tf:112-153
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		112 | resource "aws_iam_policy" "s3-uploads-policy" {
		113 |   name   = "${local.application_name}-s3-uploads-policy"
		114 |   policy = <<EOF
		115 | {
		116 |   "Version": "2012-10-17",
		117 |   "Statement": [
		118 |     {
		119 |       "Effect": "Allow",
		120 |       "Action": [
		121 |           "s3:*"
		122 |       ],
		123 |       "Resource": [
		124 |           "${aws_s3_bucket.upload_files.arn}"
		125 |       ]
		126 |     },
		127 |     {
		128 |       "Effect": "Allow",
		129 |       "Action": [
		130 |           "s3:*"
		131 |       ],
		132 |       "Resource": [
		133 |         "${aws_s3_bucket.upload_files.arn}/*"
		134 |       ]
		135 |     },
		136 |     {
		137 |       "Effect": "Allow",
		138 |       "Action": [
		139 |         "s3:GetEncryptionConfiguration"
		140 |       ],
		141 |       "Resource": "*"
		142 |     },
		143 |     {
		144 |       "Effect": "Allow",
		145 |       "Action": [
		146 |       "kms:Decrypt"
		147 |       ],
		148 |       "Resource": "*"
		149 |     }
		150 |   ]
		151 | }
		152 | EOF
		153 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.s3-uploads-policy
	File: /s3.tf:112-153
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		112 | resource "aws_iam_policy" "s3-uploads-policy" {
		113 |   name   = "${local.application_name}-s3-uploads-policy"
		114 |   policy = <<EOF
		115 | {
		116 |   "Version": "2012-10-17",
		117 |   "Statement": [
		118 |     {
		119 |       "Effect": "Allow",
		120 |       "Action": [
		121 |           "s3:*"
		122 |       ],
		123 |       "Resource": [
		124 |           "${aws_s3_bucket.upload_files.arn}"
		125 |       ]
		126 |     },
		127 |     {
		128 |       "Effect": "Allow",
		129 |       "Action": [
		130 |           "s3:*"
		131 |       ],
		132 |       "Resource": [
		133 |         "${aws_s3_bucket.upload_files.arn}/*"
		134 |       ]
		135 |     },
		136 |     {
		137 |       "Effect": "Allow",
		138 |       "Action": [
		139 |         "s3:GetEncryptionConfiguration"
		140 |       ],
		141 |       "Resource": "*"
		142 |     },
		143 |     {
		144 |       "Effect": "Allow",
		145 |       "Action": [
		146 |       "kms:Decrypt"
		147 |       ],
		148 |       "Resource": "*"
		149 |     }
		150 |   ]
		151 | }
		152 | EOF
		153 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.s3-kms
	File: /s3.tf:264-277
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		264 | data "aws_iam_policy_document" "s3-kms" {
		265 |   #checkov:skip=CKV_AWS_111
		266 |   #checkov:skip=CKV_AWS_109
		267 |   statement {
		268 |     effect    = "Allow"
		269 |     actions   = ["kms:*"]
		270 |     resources = ["*"]
		271 | 
		272 |     principals {
		273 |       type        = "AWS"
		274 |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		275 |     }
		276 |   }
		277 | }
Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-51
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-60

		5  | resource "aws_db_instance" "database" {
		6  |   #tfsec:ignore:AWS099
		7  |   #checkov:skip=CKV_AWS_118
		8  |   #checkov:skip=CKV_AWS_157
		9  |   count                               = local.app_data.accounts[local.environment].db_enabled ? 1 : 0
		10 |   identifier                          = local.application_name
		11 |   allocated_storage                   = local.app_data.accounts[local.environment].db_allocated_storage
		12 |   storage_type                        = "gp2"
		13 |   engine                              = "sqlserver-se"
		14 |   engine_version                      = "15.00.4073.23.v1"
		15 |   license_model                       = "license-included"
		16 |   instance_class                      = local.app_data.accounts[local.environment].db_instance_class
		17 |   multi_az                            = false
		18 |   username                            = local.app_data.accounts[local.environment].db_user
		19 |   password                            = aws_secretsmanager_secret_version.db_password.arn
		20 |   storage_encrypted                   = true
		21 |   iam_database_authentication_enabled = false
		22 |   vpc_security_group_ids              = [aws_security_group.db.id]
		23 |   snapshot_identifier                 = format("arn:aws:rds:eu-west-2:%s:snapshot:%s", data.aws_caller_identity.current.account_id, local.app_data.accounts[local.environment].db_snapshot_identifier)
		24 |   backup_retention_period             = 30
		25 |   maintenance_window                  = "Mon:00:00-Mon:03:00"
		26 |   backup_window                       = "03:00-06:00"
		27 |   final_snapshot_identifier           = "final-snapshot"
		28 |   kms_key_id                          = aws_kms_key.rds.arn
		29 |   deletion_protection                 = false
		30 |   option_group_name                   = aws_db_option_group.db_option_group.name
		31 |   db_subnet_group_name                = aws_db_subnet_group.db.id
		32 |   enabled_cloudwatch_logs_exports     = ["error"]
		33 | 
		34 |   # timeouts {
		35 |   #   create = "40m"
		36 |   #   delete = "40m"
		37 |   #   update = "80m"
		38 |   # }
		39 | 
		40 |   lifecycle {
		41 |     prevent_destroy = true
		42 |   }
		43 | 
		44 |   tags = merge(
		45 |     local.tags,
		46 |     {
		47 |       Name                = "${local.application_name}-database",
		48 |       instance-scheduling = "skip-scheduling"
		49 |     }
		50 |   )
		51 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.mojhub_cnnstr
	File: /secrets.tf:12-21
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		12 | resource "aws_secretsmanager_secret" "mojhub_cnnstr" {
		13 |   #checkov:skip=CKV_AWS_149
		14 |   name = "mojhub_cnnstr"
		15 |   tags = merge(
		16 |     local.tags,
		17 |     {
		18 |       Name = "mojhub_cnnstr"
		19 |     },
		20 |   )
		21 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.mojhub_membership
	File: /secrets.tf:28-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		28 | resource "aws_secretsmanager_secret" "mojhub_membership" {
		29 |   #checkov:skip=CKV_AWS_149
		30 |   name = "mojhub_membership"
		31 |   tags = merge(
		32 |     local.tags,
		33 |     {
		34 |       Name = "mojhub_membership"
		35 |     },
		36 |   )
		37 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.govuk_notify_api_key
	File: /secrets.tf:44-53
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		44 | resource "aws_secretsmanager_secret" "govuk_notify_api_key" {
		45 |   #checkov:skip=CKV_AWS_149
		46 |   name = "govuk_notify_api_key"
		47 |   tags = merge(
		48 |     local.tags,
		49 |     {
		50 |       Name = "govuk_notify_api_key"
		51 |     },
		52 |   )
		53 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.os_vts_api_key
	File: /secrets.tf:60-69
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		60 | resource "aws_secretsmanager_secret" "os_vts_api_key" {
		61 |   #checkov:skip=CKV_AWS_149
		62 |   name = "os_vts_api_key"
		63 |   tags = merge(
		64 |     local.tags,
		65 |     {
		66 |       Name = "os_vts_api_key"
		67 |     },
		68 |   )
		69 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.ap_import_access_key_id
	File: /secrets.tf:76-86
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		76 | resource "aws_secretsmanager_secret" "ap_import_access_key_id" {
		77 |   #checkov:skip=CKV_AWS_149
		78 |   name                    = "ap_import_access_key_id"
		79 |   recovery_window_in_days = 0
		80 |   tags = merge(
		81 |     local.tags,
		82 |     {
		83 |       Name = "ap_import_access_key_id"
		84 |     },
		85 |   )
		86 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.ap_import_secret_access_key
	File: /secrets.tf:93-103
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		93  | resource "aws_secretsmanager_secret" "ap_import_secret_access_key" {
		94  |   #checkov:skip=CKV_AWS_149
		95  |   name                    = "ap_import_secret_access_key"
		96  |   recovery_window_in_days = 0
		97  |   tags = merge(
		98  |     local.tags,
		99  |     {
		100 |       Name = "ap_import_secret_access_key"
		101 |     },
		102 |   )
		103 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.ap_export_access_key_id
	File: /secrets.tf:110-120
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		110 | resource "aws_secretsmanager_secret" "ap_export_access_key_id" {
		111 |   #checkov:skip=CKV_AWS_149
		112 |   name                    = "ap_export_access_key_id"
		113 |   recovery_window_in_days = 0
		114 |   tags = merge(
		115 |     local.tags,
		116 |     {
		117 |       Name = "ap_export_access_key_id"
		118 |     },
		119 |   )
		120 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.ap_export_secret_access_key
	File: /secrets.tf:127-137
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		127 | resource "aws_secretsmanager_secret" "ap_export_secret_access_key" {
		128 |   #checkov:skip=CKV_AWS_149
		129 |   name                    = "ap_export_secret_access_key"
		130 |   recovery_window_in_days = 0
		131 |   tags = merge(
		132 |     local.tags,
		133 |     {
		134 |       Name = "ap_export_secret_access_key"
		135 |     },
		136 |   )
		137 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.db_password
	File: /secrets.tf:144-155
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		144 | resource "aws_secretsmanager_secret" "db_password" {
		145 |   #checkov:skip=CKV_AWS_149
		146 | 
		147 |   name = "${var.networking[0].application}-database-password"
		148 | 
		149 |   tags = merge(
		150 |     local.tags,
		151 |     {
		152 |       Name = "${var.networking[0].application}-db-password"
		153 |     },
		154 |   )
		155 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.database_backup_files
	File: /database.tf:166-182
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		166 | resource "aws_s3_bucket" "database_backup_files" {
		167 |   #checkov:skip=CKV_AWS_18
		168 |   #checkov:skip=CKV_AWS_144
		169 |   #checkov:skip=CKV2_AWS_6
		170 |   bucket = "${local.application_name}-db-backups-${local.environment}"
		171 | 
		172 |   lifecycle {
		173 |     prevent_destroy = true
		174 |   }
		175 | 
		176 |   tags = merge(
		177 |     local.tags,
		178 |     {
		179 |       Name = "${local.application_name}-db-backups-s3"
		180 |     }
		181 |   )
		182 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.upload_files
	File: /s3.tf:7-23
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		7  | resource "aws_s3_bucket" "upload_files" {
		8  |   #checkov:skip=CKV_AWS_18
		9  |   #checkov:skip=CKV_AWS_144
		10 |   #checkov:skip=CKV2_AWS_6
		11 |   bucket = "${local.application_name}-uploads-${local.environment}"
		12 | 
		13 |   lifecycle {
		14 |     prevent_destroy = true
		15 |   }
		16 | 
		17 |   tags = merge(
		18 |     local.tags,
		19 |     {
		20 |       Name = "${local.application_name}-uploads"
		21 |     }
		22 |   )
		23 | }


checkov_exitcode=1

CTFLint Scan Failed

Show Output 
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
terraform/environments/performance-hub

*****************************

Running tflint in terraform/environments/performance-hub
Excluding the following checks: terraform_unused_declarations
3 issue(s) found:

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/performance-hub/data.tf line 26:
  26:     storage_bucket              = "${aws_s3_bucket.upload_files.id}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "template" in `required_providers` (terraform_required_providers)

  on terraform/environments/performance-hub/db_manager.tf line 51:
  51: data "template_cloudinit_config" "cloudinit-db-mgmt" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "random" in `required_providers` (terraform_required_providers)

  on terraform/environments/performance-hub/secrets.tf line 5:
   5: resource "random_password" "random_password" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

tflint_exitcode=2

Trivy Scan Failed

Show Output 
*****************************

Trivy will check the following folders:
terraform/environments/performance-hub

*****************************

Running Trivy in terraform/environments/performance-hub
2024-06-17T10:03:14Z	INFO	Need to update DB
2024-06-17T10:03:14Z	INFO	Downloading DB...	repository="ghcr.io/aquasecurity/trivy-db:2"
2024-06-17T10:03:16Z	INFO	Vulnerability scanning is enabled
2024-06-17T10:03:16Z	INFO	Misconfiguration scanning is enabled
2024-06-17T10:03:16Z	INFO	Need to update the built-in policies
2024-06-17T10:03:16Z	INFO	Downloading the built-in policies...
53.79 KiB / 53.79 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-06-17T10:03:16Z	INFO	Secret scanning is enabled
2024-06-17T10:03:16Z	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-17T10:03:16Z	INFO	Please see also https://aquasecurity.github.io/trivy/v0.52/docs/scanner/secret/#recommendation for faster secret detection
2024-06-17T10:03:18Z	INFO	Number of language-specific files	num=0
2024-06-17T10:03:18Z	INFO	Detected config files	num=11

database.tf (terraform)
=======================
Tests: 16 (SUCCESSES: 11, FAILURES: 4, EXCEPTIONS: 1)
Failures: 4 (HIGH: 4, CRITICAL: 0)

HIGH: No public access block so not blocking public acls
════════════════════════════════════════

S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.


See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
 database.tf:166-182
────────────────────────────────────────
 166resource "aws_s3_bucket" "database_backup_files" {
 167#checkov:skip=CKV_AWS_18
 168#checkov:skip=CKV_AWS_144
 169#checkov:skip=CKV2_AWS_6
 170bucket = "${local.application_name}-db-backups-${local.environment}"
 171172lifecycle {
 173prevent_destroy = true
 174 └   }
 ...   
────────────────────────────────────────


HIGH: No public access block so not blocking public policies
════════════════════════════════════════

S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.


See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
 database.tf:166-182
────────────────────────────────────────
 166resource "aws_s3_bucket" "database_backup_files" {
 167#checkov:skip=CKV_AWS_18
 168#checkov:skip=CKV_AWS_144
 169#checkov:skip=CKV2_AWS_6
 170bucket = "${local.application_name}-db-backups-${local.environment}"
 171172lifecycle {
 173prevent_destroy = true
 174 └   }
 ...   
────────────────────────────────────────


HIGH: No public access block so not ignoring public acls
════════════════════════════════════════

S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.


See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
 database.tf:166-182
────────────────────────────────────────
 166resource "aws_s3_bucket" "database_backup_files" {
 167#checkov:skip=CKV_AWS_18
 168#checkov:skip=CKV_AWS_144
 169#checkov:skip=CKV2_AWS_6
 170bucket = "${local.application_name}-db-backups-${local.environment}"
 171172lifecycle {
 173prevent_destroy = true
 174 └   }
 ...   
────────────────────────────────────────


HIGH: No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.

See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
 database.tf:166-182
────────────────────────────────────────
 166resource "aws_s3_bucket" "database_backup_files" {
 167#checkov:skip=CKV_AWS_18
 168#checkov:skip=CKV_AWS_144
 169#checkov:skip=CKV2_AWS_6
 170bucket = "${local.application_name}-db-backups-${local.environment}"
 171172lifecycle {
 173prevent_destroy = true
 174 └   }
 ...   
────────────────────────────────────────



db_manager.tf (terraform)
=========================
Tests: 2 (SUCCESSES: 1, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 db_manager.tf:147-149
   via db_manager.tf:141-150 (egress)
    via db_manager.tf:128-158 (aws_security_group.db_mgmt_server_security_group)
────────────────────────────────────────
 128   resource "aws_security_group" "db_mgmt_server_security_group" {
 ...   
 147cidr_blocks = [
 148"0.0.0.0/0",
 149 └     ]
 ...   
 158   }
────────────────────────────────────────



github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf (terraform)
==========================================================================================================
Tests: 7 (SUCCESSES: 5, FAILURES: 0, EXCEPTIONS: 2)
Failures: 0 (HIGH: 0, CRITICAL: 0)


loadbalancer.tf (terraform)
===========================
Tests: 9 (SUCCESSES: 3, FAILURES: 6, EXCEPTIONS: 0)
Failures: 6 (HIGH: 2, CRITICAL: 4)

HIGH: Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise. 

By setting drop_invalid_header_fields to true, anything that doe not conform to well known, defined headers will be removed by the load balancer.

See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
 loadbalancer.tf:5-25
────────────────────────────────────────
   5resource "aws_lb" "external" {
   6#checkov:skip=CKV_AWS_91
   7#checkov:skip=CKV_AWS_131
   8#checkov:skip=CKV2_AWS_20
   9#checkov:skip=CKV2_AWS_28
  10name                       = "${local.application_name}-loadbalancer"
  11load_balancer_type         = "application"
  12subnets                    = data.aws_subnets.shared-public.ids
  13enable_deletion_protection = true
  ..   
────────────────────────────────────────


HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
 loadbalancer.tf:5-25
────────────────────────────────────────
   5resource "aws_lb" "external" {
   6#checkov:skip=CKV_AWS_91
   7#checkov:skip=CKV_AWS_131
   8#checkov:skip=CKV2_AWS_20
   9#checkov:skip=CKV2_AWS_28
  10name                       = "${local.application_name}-loadbalancer"
  11load_balancer_type         = "application"
  12subnets                    = data.aws_subnets.shared-public.ids
  13enable_deletion_protection = true
  ..   
────────────────────────────────────────


CRITICAL: Listener for application load balancer does not use HTTPS.
════════════════════════════════════════
Plain HTTP is unencrypted and human-readable. This means that if a malicious actor was to eavesdrop on your connection, they would be able to see all of your data flowing back and forth.

You should use HTTPS, which is HTTP over an encrypted (TLS) connection, meaning eavesdroppers cannot read your traffic.

See https://avd.aquasec.com/misconfig/avd-aws-0054
────────────────────────────────────────
 loadbalancer.tf:63
   via loadbalancer.tf:58-69 (aws_lb_listener.listener)
────────────────────────────────────────
  58   resource "aws_lb_listener" "listener" {
  ..   
  63 [   protocol          = "HTTP"
  ..   
  69   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 loadbalancer.tf:116-118
   via loadbalancer.tf:110-119 (egress)
    via loadbalancer.tf:87-127 (aws_security_group.load_balancer_security_group)
────────────────────────────────────────
  87   resource "aws_security_group" "load_balancer_security_group" {
  ..   
 116 ┌     cidr_blocks = [
 117"0.0.0.0/0",
 118 └     ]
 ...   
 127   }
────────────────────────────────────────


CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
 loadbalancer.tf:98
   via loadbalancer.tf:92-99 (ingress)
    via loadbalancer.tf:87-127 (aws_security_group.load_balancer_security_group)
────────────────────────────────────────
  87   resource "aws_security_group" "load_balancer_security_group" {
  ..   
  98 [     cidr_blocks = ["0.0.0.0/0", ]
 ...   
 127   }
────────────────────────────────────────


CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
 loadbalancer.tf:107
   via loadbalancer.tf:101-108 (ingress)
    via loadbalancer.tf:87-127 (aws_security_group.load_balancer_security_group)
────────────────────────────────────────
  87   resource "aws_security_group" "load_balancer_security_group" {
  ..   
 107 [     cidr_blocks = ["0.0.0.0/0", ]
 ...   
 127   }
────────────────────────────────────────



module/ecs/main.tf (terraform)
==============================
Tests: 64 (SUCCESSES: 6, FAILURES: 1, EXCEPTIONS: 57)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 module/ecs/main.tf:84
   via module/ecs/main.tf:79-86 (content)
    via module/ecs/main.tf:77-87 (dynamic.egress["cluster_ec2_lb_egress"])
     via module/ecs/main.tf:60-95 (aws_security_group.cluster_ec2)
      via ecs.tf:35-63 (module.windows-new-ecs)
────────────────────────────────────────
  60   resource "aws_security_group" "cluster_ec2" {
  ..   
  84 [       cidr_blocks     = lookup(egress.value, "cidr_blocks", null)
  ..   
  95   }
────────────────────────────────────────



monitoring.tf (terraform)
=========================
Tests: 2 (SUCCESSES: 1, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Topic does not have encryption enabled.
════════════════════════════════════════
Topics should be encrypted to protect their contents.

See https://avd.aquasec.com/misconfig/avd-aws-0095
────────────────────────────────────────
 monitoring.tf:21-23
────────────────────────────────────────
  21resource "aws_sns_topic" "ddos_alarm" {
  22 │   name = "ddos_alarm"
  23 └ }
────────────────────────────────────────



s3.tf (terraform)
=================
Tests: 11 (SUCCESSES: 3, FAILURES: 4, EXCEPTIONS: 4)
Failures: 4 (HIGH: 4, CRITICAL: 0)

HIGH: No public access block so not blocking public acls
════════════════════════════════════════

S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.


See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
 s3.tf:7-23
────────────────────────────────────────
   7resource "aws_s3_bucket" "upload_files" {
   8#checkov:skip=CKV_AWS_18
   9#checkov:skip=CKV_AWS_144
  10#checkov:skip=CKV2_AWS_6
  11 │   bucket = "${local.application_name}-uploads-${local.environment}"
  1213 │   lifecycle {
  14 │     prevent_destroy = true
  15 └   }
  ..   
────────────────────────────────────────


HIGH: No public access block so not blocking public policies
════════════════════════════════════════

S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.


See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
 s3.tf:7-23
────────────────────────────────────────
   7 ┌ resource "aws_s3_bucket" "upload_files" {
   8#checkov:skip=CKV_AWS_18
   9#checkov:skip=CKV_AWS_144
  10#checkov:skip=CKV2_AWS_6
  11 │   bucket = "${local.application_name}-uploads-${local.environment}"
  1213 │   lifecycle {
  14 │     prevent_destroy = true
  15 └   }
  ..   
────────────────────────────────────────


HIGH: No public access block so not ignoring public acls
════════════════════════════════════════

S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.


See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
 s3.tf:7-23
────────────────────────────────────────
   7 ┌ resource "aws_s3_bucket" "upload_files" {
   8#checkov:skip=CKV_AWS_18
   9#checkov:skip=CKV_AWS_144
  10#checkov:skip=CKV2_AWS_6
  11 │   bucket = "${local.application_name}-uploads-${local.environment}"
  1213 │   lifecycle {
  14 │     prevent_destroy = true
  15 └   }
  ..   
────────────────────────────────────────


HIGH: No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.

See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
 s3.tf:7-23
────────────────────────────────────────
   7 ┌ resource "aws_s3_bucket" "upload_files" {
   8#checkov:skip=CKV_AWS_18
   9#checkov:skip=CKV_AWS_144
  10#checkov:skip=CKV2_AWS_6
  11 │   bucket = "${local.application_name}-uploads-${local.environment}"
  1213 │   lifecycle {
  14 │     prevent_destroy = true
  15 └   }
  ..   
────────────────────────────────────────


trivy_exitcode=1

@jemnery jemnery merged commit 5999081 into main Jun 17, 2024
15 of 19 checks passed
@jemnery jemnery deleted the fix/performance-hub-ssl-policy branch June 17, 2024 10:05
@dms1981 dms1981 mentioned this pull request Jun 17, 2024
Closed
4 tasks
@jemnery jemnery restored the fix/performance-hub-ssl-policy branch June 17, 2024 11:03
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jemnery jemnery jemnery approved these changes

Assignees
No one assigned
Labels
environments-repository Used to exclude PRs from this repo in our Slack PR update
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@dms1981 @jemnery