update dms audit secret name #6659

Merged
merged 3 commits into from
Jun 20, 2024
Conversation

sobostion
Contributor

No description provided.

@sobostion sobostion requested a review from a team as a code owner June 19, 2024 14:32
@github-actions github-actions bot added the environments-repository Used to exclude PRs from this repo in our Slack PR update label Jun 19, 2024
@sobostion sobostion had a problem deploying to delius-core-development June 19, 2024 14:34 — with GitHub Actions Failure
@sobostion sobostion requested a review from a team as a code owner June 19, 2024 14:45
@sobostion sobostion had a problem deploying to delius-core-development June 19, 2024 14:47 — with GitHub Actions Failure
@sobostion sobostion force-pushed the NIT-1296_external_provider branch from 5b9b55f to fe9cb32 June 19, 2024 14:54
@sobostion sobostion had a problem deploying to delius-core-development June 19, 2024 15:04 — with GitHub Actions Failure
@sobostion sobostion had a problem deploying to delius-core-development June 19, 2024 15:18 — with GitHub Actions Error
@sobostion sobostion force-pushed the NIT-1296_external_provider branch from 42de105 to b6bca1e June 19, 2024 15:20
@sobostion sobostion temporarily deployed to delius-core-development June 19, 2024 15:29 — with GitHub Actions Inactive
@sobostion sobostion had a problem deploying to delius-core-development June 19, 2024 15:54 — with GitHub Actions Failure

Trivy Scan Failed

Show Output

Trivy will check the following folders:
terraform/environments/delius-core/modules/components/oracle_db_shared


Running Trivy in terraform/environments/delius-core/modules/components/oracle_db_shared
2024-06-19T15:54:14Z INFO Need to update DB
2024-06-19T15:54:14Z INFO Downloading DB... repository="ghcr.io/aquasecurity/trivy-db:2"
2024-06-19T15:54:16Z INFO Vulnerability scanning is enabled
2024-06-19T15:54:16Z INFO Misconfiguration scanning is enabled
2024-06-19T15:54:16Z INFO Need to update the built-in policies
2024-06-19T15:54:16Z INFO Downloading the built-in policies...
53.79 KiB / 53.79 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s
2024-06-19T15:54:17Z INFO Secret scanning is enabled
2024-06-19T15:54:17Z INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-19T15:54:17Z INFO Please see also https://aquasecurity.github.io/trivy/v0.52/docs/scanner/secret/#recommendation for faster secret detection
2024-06-19T15:54:19Z INFO Number of language-specific files num=0
2024-06-19T15:54:19Z INFO Detected config files num=9

iam.tf (terraform)

Tests: 15 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 15)
Failures: 0 (HIGH: 0, CRITICAL: 0)

s3.tf (terraform)

Tests: 14 (SUCCESSES: 5, FAILURES: 2, EXCEPTIONS: 7)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.

See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
s3.tf:188-200
────────────────────────────────────────
188 ┌ resource "aws_s3_bucket" "s3_bucket_oracledb_backups_inventory" {
189 │
190 │ bucket = "${local.oracle_backup_bucket_prefix}-inventory"
191 │ tags = merge(
192 │ var.tags,
193 │ {
194 │ "Name" = "${local.oracle_backup_bucket_prefix}-inventory"
195 │ },
196 └ {
...
────────────────────────────────────────

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
s3.tf:188-200
────────────────────────────────────────
188 ┌ resource "aws_s3_bucket" "s3_bucket_oracledb_backups_inventory" {
189 │
190 │ bucket = "${local.oracle_backup_bucket_prefix}-inventory"
191 │ tags = merge(
192 │ var.tags,
193 │ {
194 │ "Name" = "${local.oracle_backup_bucket_prefix}-inventory"
195 │ },
196 └ {
...
────────────────────────────────────────

sg.tf (terraform)

Tests: 12 (SUCCESSES: 11, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
sg.tf:15
via sg.tf:13-23 (aws_vpc_security_group_egress_rule.db_ec2_instance_https_out)
────────────────────────────────────────
13 resource "aws_vpc_security_group_egress_rule" "db_ec2_instance_https_out" {
14 security_group_id = aws_security_group.db_ec2.id
15 [ cidr_ipv4 = "0.0.0.0/0"
16 from_port = 443
17 to_port = 443
18 ip_protocol = "tcp"
19 description = "Allow communication out on port 443, e.g. for SSM"
20 tags = merge(var.tags,
21 { Name = "https-out" }
..
────────────────────────────────────────

ssh_keys.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)

trivy_exitcode=1

Checkov Scan Failed

Show Output

*****************************

Checkov will check the following folders:
terraform/environments/delius-core/modules/components/oracle_db_shared

*****************************

Running Checkov in terraform/environments/delius-core/modules/components/oracle_db_shared
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-06-19 15:54:22,287 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0:None (for external modules, the --download-external-modules flag is required)
2024-06-19 15:54:22,287 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 334, Failed checks: 28, Skipped checks: 0

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.allow_access_to_ssm_parameter_store
	File: /iam.tf:90-99
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		90 | data "aws_iam_policy_document" "allow_access_to_ssm_parameter_store" {
		91 |   statement {
		92 |     sid    = "AllowAccessToSsmParameterStore"
		93 |     effect = "Allow"
		94 |     actions = [
		95 |       "ssm:PutParameter"
		96 |     ]
		97 |     resources = ["*"]
		98 |   }
		99 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.allow_access_to_ssm_parameter_store
	File: /iam.tf:90-99
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		90 | data "aws_iam_policy_document" "allow_access_to_ssm_parameter_store" {
		91 |   statement {
		92 |     sid    = "AllowAccessToSsmParameterStore"
		93 |     effect = "Allow"
		94 |     actions = [
		95 |       "ssm:PutParameter"
		96 |     ]
		97 |     resources = ["*"]
		98 |   }
		99 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.instance_ssm
	File: /iam.tf:189-239
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_108: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_policy_document.instance_ssm
	File: /iam.tf:189-239
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-data-exfiltration

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.instance_ssm
	File: /iam.tf:189-239
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_60: "Ensure IAM role allows only specific services or principals to assume it"
	FAILED for resource: aws_iam_role.EC2OracleEnterpriseManagementSecretsRole
	File: /iam.tf:247-269
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-iam-44

		247 | resource "aws_iam_role" "EC2OracleEnterpriseManagementSecretsRole" {
		248 |   name = "EC2OracleEnterpriseManagementSecretsRole-${var.db_suffix}"
		249 | 
		250 |   assume_role_policy = <<EOF
		251 | {
		252 |   "Version": "2012-10-17",
		253 |   "Statement": [
		254 |     {
		255 |       "Effect": "Allow",
		256 |       "Principal": {
		257 |         "AWS": "*"
		258 |       },
		259 |       "Action": "sts:AssumeRole",
		260 |       "Condition": {
		261 |         "ForAnyValue:ArnLike": {
		262 |           "aws:PrincipalArn": "arn:aws:iam::${var.account_info.id}:role/instance-role-${var.account_info.application_name}-${var.env_name}-${var.db_suffix}-*"
		263 |         }
		264 |       }
		265 |     }
		266 |   ]
		267 | }
		268 | EOF
		269 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3_bucket_oracledb_backups
	File: /s3.tf:22-62
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		22 | module "s3_bucket_oracledb_backups" {
		23 |   source              = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0"
		24 |   bucket_name         = local.oracle_backup_bucket_prefix
		25 |   versioning_enabled  = false
		26 |   ownership_controls  = "BucketOwnerEnforced"
		27 |   replication_enabled = false
		28 |   custom_kms_key      = var.account_config.kms_keys.general_shared
		29 |   bucket_policy = try([data.aws_iam_policy_document.s3_bucket_oracledb_backups[0].json], [
		30 |     "{}"
		31 |   ])
		32 | 
		33 |   providers = {
		34 |     aws.bucket-replication = aws.bucket-replication
		35 |   }
		36 | 
		37 |   lifecycle_rule = [
		38 |     {
		39 |       id      = "main"
		40 |       enabled = "Enabled"
		41 |       prefix  = ""
		42 | 
		43 |       tags = {
		44 |         rule      = "log"
		45 |         autoclean = "true"
		46 |       }
		47 | 
		48 |       transition = [
		49 |         {
		50 |           days          = 90
		51 |           storage_class = "STANDARD_IA"
		52 |         }
		53 |       ]
		54 | 
		55 |       expiration = {
		56 |         days = 365
		57 |       }
		58 |     }
		59 |   ]
		60 | 
		61 |   tags = var.tags
		62 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3_bucket_oracle_statistics[0]
	File: /s3.tf:323-364
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		323 | module "s3_bucket_oracle_statistics" {
		324 |   count = var.deploy_oracle_stats ? 1 : 0
		325 | 
		326 |   source              = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0"
		327 |   bucket_name         = "${var.account_info.application_name}-${var.env_name}-oracle-${var.db_suffix}-statistics-backup-data"
		328 |   versioning_enabled  = false
		329 |   ownership_controls  = "BucketOwnerEnforced"
		330 |   replication_enabled = false
		331 |   custom_kms_key      = var.account_config.kms_keys.general_shared
		332 |   bucket_policy = try([data.aws_iam_policy_document.s3_bucket_oracle_statistics[0].json], [
		333 |     "{}"
		334 |   ])
		335 |   providers = {
		336 |     aws.bucket-replication = aws.bucket-replication
		337 |   }
		338 | 
		339 |   lifecycle_rule = [
		340 |     {
		341 |       id      = "main"
		342 |       enabled = "Enabled"
		343 |       prefix  = ""
		344 | 
		345 |       tags = {
		346 |         rule      = "log"
		347 |         autoclean = "true"
		348 |       }
		349 | 
		350 |       transition = [
		351 |         {
		352 |           days          = 90
		353 |           storage_class = "STANDARD_IA"
		354 |         }
		355 |       ]
		356 | 
		357 |       expiration = {
		358 |         days = 365
		359 |       }
		360 |     }
		361 |   ]
		362 | 
		363 |   tags = var.tags
		364 | }

Check: CKV_AWS_108: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_policy_document.delius_core_dba_passwords
	File: /secrets.tf:8-19
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-data-exfiltration

		8  | data "aws_iam_policy_document" "delius_core_dba_passwords" {
		9  |   statement {
		10 |     sid    = "OemAWSAccountToReadTheSecret"
		11 |     effect = "Allow"
		12 |     principals {
		13 |       type        = "AWS"
		14 |       identifiers = ["arn:aws:iam::${local.oem_account_id}:role/EC2OracleEnterpriseManagementSecretsRole"]
		15 |     }
		16 |     actions   = ["secretsmanager:GetSecretValue"]
		17 |     resources = ["*"]
		18 |   }
		19 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.delius_core_dba_passwords
	File: /secrets.tf:8-19
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		8  | data "aws_iam_policy_document" "delius_core_dba_passwords" {
		9  |   statement {
		10 |     sid    = "OemAWSAccountToReadTheSecret"
		11 |     effect = "Allow"
		12 |     principals {
		13 |       type        = "AWS"
		14 |       identifiers = ["arn:aws:iam::${local.oem_account_id}:role/EC2OracleEnterpriseManagementSecretsRole"]
		15 |     }
		16 |     actions   = ["secretsmanager:GetSecretValue"]
		17 |     resources = ["*"]
		18 |   }
		19 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.delius_db_security_group_ssh_ingress_bastion
	File: /sg.tf:76-83
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		76 | resource "aws_vpc_security_group_ingress_rule" "delius_db_security_group_ssh_ingress_bastion" {
		77 |   security_group_id            = aws_security_group.db_ec2.id
		78 |   description                  = "bastion to testing db"
		79 |   from_port                    = 22
		80 |   to_port                      = 22
		81 |   ip_protocol                  = "tcp"
		82 |   referenced_security_group_id = var.bastion_sg_id
		83 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_ingress_rule.delius_db_oem_db
	File: /sg.tf:85-91
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		85 | resource "aws_vpc_security_group_ingress_rule" "delius_db_oem_db" {
		86 |   ip_protocol       = "tcp"
		87 |   from_port         = 1521
		88 |   to_port           = 1521
		89 |   cidr_ipv4         = var.account_config.shared_vpc_cidr
		90 |   security_group_id = aws_security_group.db_ec2.id
		91 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_ingress_rule.delius_db_oem_agent
	File: /sg.tf:105-111
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		105 | resource "aws_vpc_security_group_ingress_rule" "delius_db_oem_agent" {
		106 |   ip_protocol       = "tcp"
		107 |   from_port         = 3872
		108 |   to_port           = 3872
		109 |   cidr_ipv4         = var.account_config.shared_vpc_cidr
		110 |   security_group_id = aws_security_group.db_ec2.id
		111 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.delius_db_oem_upload
	File: /sg.tf:113-119
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		113 | resource "aws_vpc_security_group_egress_rule" "delius_db_oem_upload" {
		114 |   ip_protocol       = "tcp"
		115 |   from_port         = 4903
		116 |   to_port           = 4903
		117 |   cidr_ipv4         = var.account_config.shared_vpc_cidr
		118 |   security_group_id = aws_security_group.db_ec2.id
		119 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.delius_db_oem_console
	File: /sg.tf:121-128
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		121 | resource "aws_vpc_security_group_egress_rule" "delius_db_oem_console" {
		122 |   ip_protocol = "tcp"
		123 |   from_port   = 7803
		124 |   to_port     = 7803
		125 |   cidr_ipv4   = var.account_config.shared_vpc_cidr
		126 | 
		127 |   security_group_id = aws_security_group.db_ec2.id
		128 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3_bucket_ssh_keys
	File: /ssh_keys.tf:2-45
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		2  | module "s3_bucket_ssh_keys" {
		3  | 
		4  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0"
		5  | 
		6  |   bucket_name = "${var.account_info.application_name}-${var.env_name}-oracle-${var.db_suffix}-ssh-keys"
		7  | 
		8  |   versioning_enabled  = false
		9  |   ownership_controls  = "BucketOwnerEnforced"
		10 |   replication_enabled = false
		11 |   custom_kms_key      = var.account_config.kms_keys.general_shared
		12 | 
		13 |   providers = {
		14 |     aws.bucket-replication = aws.bucket-replication
		15 |   }
		16 | 
		17 |   lifecycle_rule = [
		18 |     {
		19 |       id      = "main"
		20 |       enabled = "Enabled"
		21 |       prefix  = ""
		22 | 
		23 |       tags = {
		24 |         rule      = "log"
		25 |         autoclean = "true"
		26 |       }
		27 | 
		28 |       noncurrent_version_transition = [
		29 |         {
		30 |           days          = 90
		31 |           storage_class = "STANDARD_IA"
		32 |           }, {
		33 |           days          = 365
		34 |           storage_class = "GLACIER"
		35 |         }
		36 |       ]
		37 | 
		38 |       noncurrent_version_expiration = {
		39 |         days = 730
		40 |       }
		41 |     }
		42 |   ]
		43 | 
		44 |   tags = var.tags
		45 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.rman_password
	File: /ssm.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		1  | resource "aws_ssm_parameter" "rman_password" {
		2  |   name  = "/${var.account_info.application_name}-${var.env_name}/delius/oracle-${var.db_suffix}-operation/rman/rman_password"
		3  |   type  = "SecureString"
		4  |   value = "REPLACE"
		5  |   lifecycle {
		6  |     ignore_changes = [
		7  |       value,
		8  |     ]
		9  |   }
		10 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.s3_bucket_oracledb_backups_inventory
	File: /s3.tf:188-200
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		188 | resource "aws_s3_bucket" "s3_bucket_oracledb_backups_inventory" {
		189 | 
		190 |   bucket = "${local.oracle_backup_bucket_prefix}-inventory"
		191 |   tags = merge(
		192 |     var.tags,
		193 |     {
		194 |       "Name" = "${local.oracle_backup_bucket_prefix}-inventory"
		195 |     },
		196 |     {
		197 |       "Purpose" = "Inventory of Oracle DB Backup Pieces"
		198 |     },
		199 |   )
		200 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.dms_audit_endpoint_source
	File: /dms_secrets.tf:2-7
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		2 | resource "aws_secretsmanager_secret" "dms_audit_endpoint_source" {
		3 |   name        = local.dms_audit_endpoint_source_secret_name
		4 |   description = "DMS Database Endpoint for Reading Audited Interaction Replication Data"
		5 |   kms_key_id  = var.account_config.kms_keys.general_shared
		6 |   tags        = var.tags
		7 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.dms_asm_endpoint_source
	File: /dms_secrets.tf:29-34
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		29 | resource "aws_secretsmanager_secret" "dms_asm_endpoint_source" {
		30 |   name        = local.dms_asm_endpoint_source_secret_name
		31 |   description = "DMS ASM Endpoint"
		32 |   kms_key_id  = var.account_config.kms_keys.general_shared
		33 |   tags        = var.tags
		34 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.dms_audit_endpoint_target
	File: /dms_secrets.tf:56-61
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		56 | resource "aws_secretsmanager_secret" "dms_audit_endpoint_target" {
		57 |   name        = local.dms_audit_endpoint_target_secret_name
		58 |   description = "DMS Database Endpoint for Writing Audited Interaction Replication Data"
		59 |   kms_key_id  = var.account_config.kms_keys.general_shared
		60 |   tags        = var.tags
		61 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.delius_core_dba_passwords
	File: /secrets.tf:1-6
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		1 | resource "aws_secretsmanager_secret" "delius_core_dba_passwords" {
		2 |   name        = local.dba_secret_name
		3 |   description = "DBA Users Credentials"
		4 |   kms_key_id  = var.account_config.kms_keys.general_shared
		5 |   tags        = var.tags
		6 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.db_ec2
	File: /sg.tf:1-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		1  | resource "aws_security_group" "db_ec2" {
		2  |   name        = "${var.account_info.application_name}-${var.env_name}-${var.db_suffix}-ec2-instance-sg"
		3  |   description = "Controls access to db ec2 instance"
		4  |   vpc_id      = var.account_config.shared_vpc_id
		5  |   tags = merge(var.tags,
		6  |     { Name = "${var.account_info.application_name}-${var.env_name}-${var.db_suffix}-ec2-instance-sg" }
		7  |   )
		8  |   lifecycle {
		9  |     create_before_destroy = true
		10 |   }
		11 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.s3_bucket_oracledb_backups_inventory
	File: /s3.tf:188-200
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		188 | resource "aws_s3_bucket" "s3_bucket_oracledb_backups_inventory" {
		189 | 
		190 |   bucket = "${local.oracle_backup_bucket_prefix}-inventory"
		191 |   tags = merge(
		192 |     var.tags,
		193 |     {
		194 |       "Name" = "${local.oracle_backup_bucket_prefix}-inventory"
		195 |     },
		196 |     {
		197 |       "Purpose" = "Inventory of Oracle DB Backup Pieces"
		198 |     },
		199 |   )
		200 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.s3_bucket_oracledb_backups_inventory
	File: /s3.tf:188-200
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		188 | resource "aws_s3_bucket" "s3_bucket_oracledb_backups_inventory" {
		189 | 
		190 |   bucket = "${local.oracle_backup_bucket_prefix}-inventory"
		191 |   tags = merge(
		192 |     var.tags,
		193 |     {
		194 |       "Name" = "${local.oracle_backup_bucket_prefix}-inventory"
		195 |     },
		196 |     {
		197 |       "Purpose" = "Inventory of Oracle DB Backup Pieces"
		198 |     },
		199 |   )
		200 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.s3_bucket_oracledb_backups_inventory
	File: /s3.tf:188-200
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		188 | resource "aws_s3_bucket" "s3_bucket_oracledb_backups_inventory" {
		189 | 
		190 |   bucket = "${local.oracle_backup_bucket_prefix}-inventory"
		191 |   tags = merge(
		192 |     var.tags,
		193 |     {
		194 |       "Name" = "${local.oracle_backup_bucket_prefix}-inventory"
		195 |     },
		196 |     {
		197 |       "Purpose" = "Inventory of Oracle DB Backup Pieces"
		198 |     },
		199 |   )
		200 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.s3_bucket_oracledb_backups_inventory
	File: /s3.tf:188-200
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		188 | resource "aws_s3_bucket" "s3_bucket_oracledb_backups_inventory" {
		189 | 
		190 |   bucket = "${local.oracle_backup_bucket_prefix}-inventory"
		191 |   tags = merge(
		192 |     var.tags,
		193 |     {
		194 |       "Name" = "${local.oracle_backup_bucket_prefix}-inventory"
		195 |     },
		196 |     {
		197 |       "Purpose" = "Inventory of Oracle DB Backup Pieces"
		198 |     },
		199 |   )
		200 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.s3_bucket_oracledb_backups_inventory
	File: /s3.tf:188-200
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		188 | resource "aws_s3_bucket" "s3_bucket_oracledb_backups_inventory" {
		189 | 
		190 |   bucket = "${local.oracle_backup_bucket_prefix}-inventory"
		191 |   tags = merge(
		192 |     var.tags,
		193 |     {
		194 |       "Name" = "${local.oracle_backup_bucket_prefix}-inventory"
		195 |     },
		196 |     {
		197 |       "Purpose" = "Inventory of Oracle DB Backup Pieces"
		198 |     },
		199 |   )
		200 | }


checkov_exitcode=1

TFLint Scan Failed

Show Output
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
terraform/environments/delius-core/modules/components/oracle_db_shared

*****************************

Running tflint in terraform/environments/delius-core/modules/components/oracle_db_shared
Excluding the following checks: terraform_unused_declarations
7 issue(s) found:

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/delius-core/modules/components/oracle_db_shared/s3.tf line 10:
  10:       "${module.s3_bucket_oracledb_backups.bucket.arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/delius-core/modules/components/oracle_db_shared/s3.tf line 73:
  73:       "${module.s3_bucket_oracledb_backups.bucket.arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/delius-core/modules/components/oracle_db_shared/s3.tf line 86:
  86:       "${aws_s3_bucket.s3_bucket_oracledb_backups_inventory.arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/delius-core/modules/components/oracle_db_shared/s3.tf line 125:
 125:         "${module.s3_bucket_oracle_statistics[0].bucket.arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/delius-core/modules/components/oracle_db_shared/s3.tf line 236:
 236:       values   = ["${var.account_info.id}"]

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/delius-core/modules/components/oracle_db_shared/s3.tf line 248:
 248:       values   = ["${module.s3_bucket_oracledb_backups.bucket.arn}"]

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/delius-core/modules/components/oracle_db_shared/s3.tf line 296:
 296:     resources = ["${module.s3_bucket_oracle_statistics[0].bucket.arn}"]

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

tflint_exitcode=2

Trivy Scan Failed
*****************************

Trivy will check the following folders:
terraform/environments/delius-core/modules/components/oracle_db_shared

*****************************

Running Trivy in terraform/environments/delius-core/modules/components/oracle_db_shared
2024-06-19T15:54:14Z	INFO	Need to update DB
2024-06-19T15:54:14Z	INFO	Downloading DB...	repository="ghcr.io/aquasecurity/trivy-db:2"
2024-06-19T15:54:16Z	INFO	Vulnerability scanning is enabled
2024-06-19T15:54:16Z	INFO	Misconfiguration scanning is enabled
2024-06-19T15:54:16Z	INFO	Need to update the built-in policies
2024-06-19T15:54:16Z	INFO	Downloading the built-in policies...
53.79 KiB / 53.79 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s
2024-06-19T15:54:17Z	INFO	Secret scanning is enabled
2024-06-19T15:54:17Z	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-19T15:54:17Z	INFO	Please see also https://aquasecurity.github.io/trivy/v0.52/docs/scanner/secret/#recommendation for faster secret detection
2024-06-19T15:54:19Z	INFO	Number of language-specific files	num=0
2024-06-19T15:54:19Z	INFO	Detected config files	num=9

iam.tf (terraform)
==================
Tests: 15 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 15)
Failures: 0 (HIGH: 0, CRITICAL: 0)


s3.tf (terraform)
=================
Tests: 14 (SUCCESSES: 5, FAILURES: 2, EXCEPTIONS: 7)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.

See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
 s3.tf:188-200
────────────────────────────────────────
 188 ┌ resource "aws_s3_bucket" "s3_bucket_oracledb_backups_inventory" {
 189 │ 
 190 │   bucket = "${local.oracle_backup_bucket_prefix}-inventory"
 191 │   tags = merge(
 192 │     var.tags,
 193 │     {
 194 │       "Name" = "${local.oracle_backup_bucket_prefix}-inventory"
 195 │     },
 196 └     {
 ...   
────────────────────────────────────────


HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 s3.tf:188-200
────────────────────────────────────────
 188 ┌ resource "aws_s3_bucket" "s3_bucket_oracledb_backups_inventory" {
 189 │ 
 190 │   bucket = "${local.oracle_backup_bucket_prefix}-inventory"
 191 │   tags = merge(
 192 │     var.tags,
 193 │     {
 194 │       "Name" = "${local.oracle_backup_bucket_prefix}-inventory"
 195 │     },
 196 └     {
 ...   
────────────────────────────────────────



sg.tf (terraform)
=================
Tests: 12 (SUCCESSES: 11, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 sg.tf:15
   via sg.tf:13-23 (aws_vpc_security_group_egress_rule.db_ec2_instance_https_out)
────────────────────────────────────────
  13   resource "aws_vpc_security_group_egress_rule" "db_ec2_instance_https_out" {
  14     security_group_id = aws_security_group.db_ec2.id
  15 [   cidr_ipv4         = "0.0.0.0/0"
  16     from_port         = 443
  17     to_port           = 443
  18     ip_protocol       = "tcp"
  19     description       = "Allow communication out on port 443, e.g. for SSM"
  20     tags = merge(var.tags,
  21       { Name = "https-out" }
  ..   
────────────────────────────────────────



ssh_keys.tf (terraform)
=======================
Tests: 1 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)

trivy_exitcode=1
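The two Trivy findings above (avd-aws-0088/avd-aws-0132 on the inventory bucket, avd-aws-0104 on the `db_ec2` egress rule) have straightforward Terraform remediations. The following is an added example and not code from this PR or from the modernisation-platform repository: it reuses only the names visible in the scan output (`aws_s3_bucket.s3_bucket_oracledb_backups_inventory`, `aws_security_group.db_ec2`, `local.oracle_backup_bucket_prefix`, `var.tags`, `var.account_info.id`), while `aws_kms_key.oracle_backups_inventory`, `aws_security_group.vpc_endpoints` and `aws_vpc_endpoint.s3` are assumed names that do not appear on this page. It also assumes the bucket is an S3 Inventory destination, as its name suggests.

```hcl
# Added example, not part of this PR. Assumed names: aws_kms_key.oracle_backups_inventory,
# aws_security_group.vpc_endpoints (SG attached to the ssm/ssmmessages/ec2messages
# interface endpoints) and aws_vpc_endpoint.s3 (gateway endpoint).

# avd-aws-0088 / avd-aws-0132: encrypt the inventory bucket with a customer managed key.
# S3 Inventory writes reports as the S3 service principal, so the key policy must let
# s3.amazonaws.com generate data keys or report delivery fails once the CMK is in place.
data "aws_iam_policy_document" "oracle_backups_inventory_key" {
  statement {
    sid       = "EnableKeyAdministrationByAccount"
    effect    = "Allow"
    actions   = ["kms:*"]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${var.account_info.id}:root"]
    }
  }

  statement {
    sid       = "AllowS3InventoryToEncryptReports"
    effect    = "Allow"
    actions   = ["kms:GenerateDataKey"]
    resources = ["*"]
    principals {
      type        = "Service"
      identifiers = ["s3.amazonaws.com"]
    }
    # Limit the grant to reports destined for this account's buckets.
    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = [var.account_info.id] # bare reference: "${var.account_info.id}" is what tflint flags above
    }
  }
}

resource "aws_kms_key" "oracle_backups_inventory" {
  description         = "CMK for ${local.oracle_backup_bucket_prefix}-inventory"
  enable_key_rotation = true
  policy              = data.aws_iam_policy_document.oracle_backups_inventory_key.json
  tags                = var.tags
}

resource "aws_s3_bucket_server_side_encryption_configuration" "s3_bucket_oracledb_backups_inventory" {
  bucket = aws_s3_bucket.s3_bucket_oracledb_backups_inventory.id

  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"
      kms_master_key_id = aws_kms_key.oracle_backups_inventory.arn
    }
    # S3 Bucket Keys cut the per-object KMS calls that inventory delivery would otherwise make.
    bucket_key_enabled = true
  }
}

# avd-aws-0104: SSM does not need the public internet. Replace the 0.0.0.0/0 rule with
# one rule to the interface-endpoint security group and one to the S3 gateway endpoint
# prefix list, so the instance can reach SSM and the backup buckets and nothing else on 443.
resource "aws_vpc_security_group_egress_rule" "db_ec2_instance_https_to_endpoints" {
  security_group_id            = aws_security_group.db_ec2.id
  referenced_security_group_id = aws_security_group.vpc_endpoints.id
  from_port                    = 443
  to_port                      = 443
  ip_protocol                  = "tcp"
  description                  = "HTTPS to ssm, ssmmessages and ec2messages interface endpoints"
  tags                         = merge(var.tags, { Name = "https-to-vpc-endpoints" })
}

resource "aws_vpc_security_group_egress_rule" "db_ec2_instance_https_to_s3" {
  security_group_id = aws_security_group.db_ec2.id
  prefix_list_id    = aws_vpc_endpoint.s3.prefix_list_id
  from_port         = 443
  to_port           = 443
  ip_protocol       = "tcp"
  description       = "HTTPS to S3 via the gateway endpoint"
  tags              = merge(var.tags, { Name = "https-to-s3" })
}
```

Two caveats. If the inventory configuration (`aws_s3_bucket_inventory`) names an encryption for its destination, it has to reference the same CMK, otherwise S3 will try to write SSE-S3 reports into a bucket whose default is SSE-KMS; check that after the first scheduled delivery rather than assuming. And if the database host genuinely needs outbound HTTPS beyond SSM and S3 (patch repositories, for example), the honest fix is a NAT or proxy with a rule scoped to it; leaving `0.0.0.0/0` in place should at least carry a Trivy inline ignore comment with the justification, so the CRITICAL finding is a recorded decision rather than noise that trains people to merge with failing checks, as "10 of 16 checks passed" below shows happened here.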

@sobostion sobostion temporarily deployed to delius-core-development June 19, 2024 16:03 — with GitHub Actions Inactive
@sobostion sobostion changed the title add external provider update dms audit secret name Jun 19, 2024
@sobostion sobostion merged commit be6a288 into main Jun 20, 2024
10 of 16 checks passed
@sobostion sobostion deleted the NIT-1296_external_provider branch June 20, 2024 09:18
Labels
environments-repository Used to exclude PRs from this repo in our Slack PR update