Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Made some changes for db password #6687

Merged
merged 2 commits into from
Jun 21, 2024
Merged

Made some changes for db password #6687

merged 2 commits into from
Jun 21, 2024

Conversation

fshafaatmoj
Copy link
Contributor

No description provided.

@fshafaatmoj fshafaatmoj requested review from a team as code owners June 20, 2024 15:36
@github-actions github-actions bot added the environments-repository Used to exclude PRs from this repo in our Slack PR update label Jun 20, 2024
roncitrus
roncitrus previously approved these changes Jun 20, 2024
View reviewed changes
@github-actions GitHub Actions
Copy link
Contributor

Trivy Scan Failed

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/cdpt-ifs

Running Trivy in terraform/environments/cdpt-ifs
2024-06-20T15:39:07Z INFO Need to update DB
2024-06-20T15:39:07Z INFO Downloading DB... repository="ghcr.io/aquasecurity/trivy-db:2"
2024-06-20T15:39:09Z INFO Vulnerability scanning is enabled
2024-06-20T15:39:09Z INFO Misconfiguration scanning is enabled
2024-06-20T15:39:09Z INFO Need to update the built-in policies
2024-06-20T15:39:09Z INFO Downloading the built-in policies...
53.79 KiB / 53.79 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-06-20T15:39:09Z INFO Secret scanning is enabled
2024-06-20T15:39:09Z INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-20T15:39:09Z INFO Please see also https://aquasecurity.github.io/trivy/v0.52/docs/scanner/secret/#recommendation for faster secret detection
2024-06-20T15:39:12Z INFO Number of language-specific files num=0
2024-06-20T15:39:12Z INFO Detected config files num=7

database.tf (terraform)

Tests: 3 (SUCCESSES: 1, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 1, CRITICAL: 1)

HIGH: Instance does not have storage encryption enabled.
════════════════════════════════════════
Encryption should be enabled for an RDS Database instances.

When enabling encryption by setting the kms_key_id.

See https://avd.aquasec.com/misconfig/avd-aws-0080
────────────────────────────────────────
database.tf:5-20
────────────────────────────────────────
5 ┌ resource "aws_db_instance" "database" {
6 │ allocated_storage = local.application_data.accounts[local.environment].db_allocated_storage
7 │ storage_type = "gp2"
8 │ engine = "sqlserver-web"
9 │ engine_version = "14.00.3381.3.v1"
10 │ instance_class = local.application_data.accounts[local.environment].db_instance_class
11 │ identifier = local.application_data.accounts[local.environment].db_instance_identifier
12 │ username = local.application_data.accounts[local.environment].db_user
13 └ password = aws_secretsmanager_secret_version.db_password.secret_string
..
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
database.tf:47
via database.tf:43-48 (egress)
via database.tf:33-49 (aws_security_group.db)
────────────────────────────────────────
33 resource "aws_security_group" "db" {
..
47 [ cidr_blocks = ["0.0.0.0/0"]
..
49 }
────────────────────────────────────────

ecs.tf (terraform)

Tests: 75 (SUCCESSES: 5, FAILURES: 2, EXCEPTIONS: 68)
Failures: 2 (HIGH: 0, CRITICAL: 2)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ecs.tf:342
via ecs.tf:337-343 (egress)
via ecs.tf:316-351 (aws_security_group.cluster_ec2)
────────────────────────────────────────
316 resource "aws_security_group" "cluster_ec2" {
...
342 [ cidr_blocks = ["0.0.0.0/0"]
...
351 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ecs.tf:472
via ecs.tf:468-473 (egress)
via ecs.tf:456-474 (aws_security_group.ecs_service)
────────────────────────────────────────
456 resource "aws_security_group" "ecs_service" {
...
472 [ cidr_blocks = ["0.0.0.0/0"]
...
474 }
────────────────────────────────────────

github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf (terraform)

Tests: 7 (SUCCESSES: 6, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179
via github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf:109-172 (module.s3-bucket)
via bastion_linux.tf:5-37 (module.bastion_linux)
────────────────────────────────────────
171 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "default" {
172 │ bucket = aws_s3_bucket.default.id
173 │ rule {
174 │ apply_server_side_encryption_by_default {
175 │ sse_algorithm = var.sse_algorithm
176 │ kms_master_key_id = (var.custom_kms_key != "") ? var.custom_kms_key : ""
177 │ }
178 │ }
179 └ }
────────────────────────────────────────

github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf (terraform)

Tests: 7 (SUCCESSES: 5, FAILURES: 0, EXCEPTIONS: 2)
Failures: 0 (HIGH: 0, CRITICAL: 0)

loadbalancer.tf (terraform)

Tests: 6 (SUCCESSES: 2, FAILURES: 4, EXCEPTIONS: 0)
Failures: 4 (HIGH: 2, CRITICAL: 2)

HIGH: Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.

By setting drop_invalid_header_fields to true, anything that doe not conform to well known, defined headers will be removed by the load balancer.

See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
loadbalancer.tf:28
via loadbalancer.tf:23-29 (aws_lb.ifs_lb)
────────────────────────────────────────
23 resource "aws_lb" "ifs_lb" {
24 name = "ifs-load-balancer"
25 load_balancer_type = "application"
26 security_groups = [aws_security_group.ifs_lb_sc.id]
27 subnets = data.aws_subnets.shared-public.ids
28 [ drop_invalid_header_fields = false
29 }
────────────────────────────────────────

HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
loadbalancer.tf:23-29
────────────────────────────────────────
23 ┌ resource "aws_lb" "ifs_lb" {
24 │ name = "ifs-load-balancer"
25 │ load_balancer_type = "application"
26 │ security_groups = [aws_security_group.ifs_lb_sc.id]
27 │ subnets = data.aws_subnets.shared-public.ids
28 │ drop_invalid_header_fields = false
29 └ }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
loadbalancer.tf:19
via loadbalancer.tf:14-20 (egress)
via loadbalancer.tf:1-21 (aws_security_group.ifs_lb_sc)
────────────────────────────────────────
1 resource "aws_security_group" "ifs_lb_sc" {
.
19 [ cidr_blocks = ["0.0.0.0/0"]
..
21 }
────────────────────────────────────────

CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
loadbalancer.tf:11
via loadbalancer.tf:6-12 (ingress)
via loadbalancer.tf:1-21 (aws_security_group.ifs_lb_sc)
────────────────────────────────────────
1 resource "aws_security_group" "ifs_lb_sc" {
.
11 [ cidr_blocks = ["188.214.15.75/32", "192.168.5.101/32", "81.134.202.29/32", "79.152.189.104/32", "179.50.12.212/32", "188.172.252.34/32", "194.33.192.0/25", "194.33.193.0/25", "194.33.196.0/25", "194.33.197.0/25", "195.59.75.0/24", "201.33.21.5/32", "213.121.161.112/28", "52.67.148.55/32", "54.94.206.111/32", "178.248.34.42/32", "178.248.34.43/32", "178.248.34.44/32", "178.248.34.45/32", "178.248.34.46/32", "178.248.34.47/32", "89.32.121.144/32", "185.191.249.100/32", "2.138.20.8/32", "18.169.147.172/32", "35.176.93.186/32", "18.130.148.126/32", "35.176.148.126/32", "51.149.250.0/24", "51.149.249.0/29", "194.33.249.0/29", "51.149.249.32/29", "194.33.248.0/29", "20.49.214.199/32", "20.49.214.228/32", "20.26.11.71/32", "20.26.11.108/32", "128.77.75.128/26"]
..
21 }
────────────────────────────────────────

trivy_exitcode=1

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/cdpt-ifs

*****************************

Running Checkov in terraform/environments/cdpt-ifs
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-06-20 15:39:14,857 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 97, Failed checks: 39, Skipped checks: 1

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: bastion_linux
	File: /bastion_linux.tf:5-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		5  | module "bastion_linux" {
		6  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1"
		7  | 
		8  |   providers = {
		9  |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		10 |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		11 |   }
		12 | 
		13 |   # s3 - used for logs and user ssh public keys
		14 |   bucket_name = "bastion"
		15 | 
		16 |   # public keys
		17 |   public_key_data = local.public_key_data.keys[local.environment]
		18 |   # logs
		19 |   log_auto_clean       = "Enabled"
		20 |   log_standard_ia_days = 30  # days before moving to IA storage
		21 |   log_glacier_days     = 60  # days before moving to Glacier
		22 |   log_expiry_days      = 180 # days before log expiration
		23 |   # bastion
		24 |   allow_ssh_commands = false
		25 | 
		26 |   app_name      = var.networking[0].application
		27 |   business_unit = local.vpc_name
		28 |   subnet_set    = local.subnet_set
		29 |   environment   = local.environment
		30 |   region        = "eu-west-2"
		31 | 
		32 |   extra_user_data_content = "yum install -y openldap-clients"
		33 | 
		34 |   # Tags
		35 |   tags_common = local.tags
		36 |   tags_prefix = terraform.workspace
		37 | }

Check: CKV_AWS_16: "Ensure all data stored in the RDS is securely encrypted at rest"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-4

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.db_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-73

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.db_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.db_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-353

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.db_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-354

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.db_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_226: "Ensure DB instance gets all minor upgrades automatically"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-db-instance-gets-all-minor-upgrades-automatically

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.db_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.db_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-293

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.db_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.db
	File: /database.tf:33-49
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		33 | resource "aws_security_group" "db" {
		34 |   name        = "${local.application_name}-db-sg"
		35 |   description = "Allow DB inbound traffic"
		36 |   vpc_id      = data.aws_vpc.shared.id
		37 |   ingress {
		38 |     from_port   = 1433
		39 |     to_port     = 1433
		40 |     protocol    = "tcp"
		41 |     cidr_blocks = [data.aws_vpc.shared.cidr_block]
		42 |   }
		43 |   egress {
		44 |     from_port   = 0
		45 |     to_port     = 0
		46 |     protocol    = "-1"
		47 |     cidr_blocks = ["0.0.0.0/0"]
		48 |   }
		49 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.rds-kms
	File: /database.tf:66-76
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		66 | data "aws_iam_policy_document" "rds-kms" {
		67 |   statement {
		68 |     effect    = "Allow"
		69 |     actions   = ["kms:*"]
		70 |     resources = ["*"]
		71 |     principals {
		72 |       type        = "AWS"
		73 |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		74 |     }
		75 |   }
		76 | }

Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy_document.rds-kms
	File: /database.tf:66-76
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint

		66 | data "aws_iam_policy_document" "rds-kms" {
		67 |   statement {
		68 |     effect    = "Allow"
		69 |     actions   = ["kms:*"]
		70 |     resources = ["*"]
		71 |     principals {
		72 |       type        = "AWS"
		73 |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		74 |     }
		75 |   }
		76 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.rds-kms
	File: /database.tf:66-76
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		66 | data "aws_iam_policy_document" "rds-kms" {
		67 |   statement {
		68 |     effect    = "Allow"
		69 |     actions   = ["kms:*"]
		70 |     resources = ["*"]
		71 |     principals {
		72 |       type        = "AWS"
		73 |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		74 |     }
		75 |   }
		76 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.ec2_instance_policy
	File: /ecs.tf:6-52
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		6  | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		7  |   name = "${local.application_name}-ec2-instance-policy"
		8  | 
		9  |   policy = <<EOF
		10 | {
		11 |     "Version": "2012-10-17",
		12 |     "Statement": [
		13 |         {
		14 |             "Effect": "Allow",
		15 |             "Action": [
		16 |                 "ec2:DescribeTags",
		17 |                 "ecs:CreateCluster",
		18 |                 "ecs:DeregisterContainerInstance",
		19 |                 "ecs:DiscoverPollEndpoint",
		20 |                 "ecs:Poll",
		21 |                 "ecs:RegisterContainerInstance",
		22 |                 "ecs:StartTelemetrySession",
		23 |                 "ecs:UpdateContainerInstancesState",
		24 |                 "ecs:Submit*",
		25 |                 "ecr:GetAuthorizationToken",
		26 |                 "ecr:BatchCheckLayerAvailability",
		27 |                 "ecr:GetDownloadUrlForLayer",
		28 |                 "ecr:BatchGetImage",
		29 |                 "logs:CreateLogGroup",
		30 |                 "logs:CreateLogStream",
		31 |                 "logs:GetLogEvents",
		32 |                 "logs:PutLogEvents",
		33 |                 "logs:DescribeLogGroups",
		34 |                 "logs:DescribeLogStreams",
		35 |                 "logs:PutRetentionPolicy",
		36 |                 "s3:ListBucket",
		37 |                 "s3:*Object*",
		38 |                 "kms:Decrypt",
		39 |                 "kms:Encrypt",
		40 |                 "kms:GenerateDataKey",
		41 |                 "kms:ReEncrypt",
		42 |                 "kms:GenerateDataKey",
		43 |                 "kms:DescribeKey",
		44 |                 "rds:Connect",
		45 |                 "rds:DescribeDBInstances"
		46 |             ],
		47 |             "Resource": "*"
		48 |         }
		49 |     ]
		50 | }
		51 | EOF
		52 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy.ec2_instance_policy
	File: /ecs.tf:6-52
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		6  | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		7  |   name = "${local.application_name}-ec2-instance-policy"
		8  | 
		9  |   policy = <<EOF
		10 | {
		11 |     "Version": "2012-10-17",
		12 |     "Statement": [
		13 |         {
		14 |             "Effect": "Allow",
		15 |             "Action": [
		16 |                 "ec2:DescribeTags",
		17 |                 "ecs:CreateCluster",
		18 |                 "ecs:DeregisterContainerInstance",
		19 |                 "ecs:DiscoverPollEndpoint",
		20 |                 "ecs:Poll",
		21 |                 "ecs:RegisterContainerInstance",
		22 |                 "ecs:StartTelemetrySession",
		23 |                 "ecs:UpdateContainerInstancesState",
		24 |                 "ecs:Submit*",
		25 |                 "ecr:GetAuthorizationToken",
		26 |                 "ecr:BatchCheckLayerAvailability",
		27 |                 "ecr:GetDownloadUrlForLayer",
		28 |                 "ecr:BatchGetImage",
		29 |                 "logs:CreateLogGroup",
		30 |                 "logs:CreateLogStream",
		31 |                 "logs:GetLogEvents",
		32 |                 "logs:PutLogEvents",
		33 |                 "logs:DescribeLogGroups",
		34 |                 "logs:DescribeLogStreams",
		35 |                 "logs:PutRetentionPolicy",
		36 |                 "s3:ListBucket",
		37 |                 "s3:*Object*",
		38 |                 "kms:Decrypt",
		39 |                 "kms:Encrypt",
		40 |                 "kms:GenerateDataKey",
		41 |                 "kms:ReEncrypt",
		42 |                 "kms:GenerateDataKey",
		43 |                 "kms:DescribeKey",
		44 |                 "rds:Connect",
		45 |                 "rds:DescribeDBInstances"
		46 |             ],
		47 |             "Resource": "*"
		48 |         }
		49 |     ]
		50 | }
		51 | EOF
		52 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_policy.ec2_instance_policy
	File: /ecs.tf:6-52
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		6  | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		7  |   name = "${local.application_name}-ec2-instance-policy"
		8  | 
		9  |   policy = <<EOF
		10 | {
		11 |     "Version": "2012-10-17",
		12 |     "Statement": [
		13 |         {
		14 |             "Effect": "Allow",
		15 |             "Action": [
		16 |                 "ec2:DescribeTags",
		17 |                 "ecs:CreateCluster",
		18 |                 "ecs:DeregisterContainerInstance",
		19 |                 "ecs:DiscoverPollEndpoint",
		20 |                 "ecs:Poll",
		21 |                 "ecs:RegisterContainerInstance",
		22 |                 "ecs:StartTelemetrySession",
		23 |                 "ecs:UpdateContainerInstancesState",
		24 |                 "ecs:Submit*",
		25 |                 "ecr:GetAuthorizationToken",
		26 |                 "ecr:BatchCheckLayerAvailability",
		27 |                 "ecr:GetDownloadUrlForLayer",
		28 |                 "ecr:BatchGetImage",
		29 |                 "logs:CreateLogGroup",
		30 |                 "logs:CreateLogStream",
		31 |                 "logs:GetLogEvents",
		32 |                 "logs:PutLogEvents",
		33 |                 "logs:DescribeLogGroups",
		34 |                 "logs:DescribeLogStreams",
		35 |                 "logs:PutRetentionPolicy",
		36 |                 "s3:ListBucket",
		37 |                 "s3:*Object*",
		38 |                 "kms:Decrypt",
		39 |                 "kms:Encrypt",
		40 |                 "kms:GenerateDataKey",
		41 |                 "kms:ReEncrypt",
		42 |                 "kms:GenerateDataKey",
		43 |                 "kms:DescribeKey",
		44 |                 "rds:Connect",
		45 |                 "rds:DescribeDBInstances"
		46 |             ],
		47 |             "Resource": "*"
		48 |         }
		49 |     ]
		50 | }
		51 | EOF
		52 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.ec2_instance_policy
	File: /ecs.tf:6-52
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		6  | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		7  |   name = "${local.application_name}-ec2-instance-policy"
		8  | 
		9  |   policy = <<EOF
		10 | {
		11 |     "Version": "2012-10-17",
		12 |     "Statement": [
		13 |         {
		14 |             "Effect": "Allow",
		15 |             "Action": [
		16 |                 "ec2:DescribeTags",
		17 |                 "ecs:CreateCluster",
		18 |                 "ecs:DeregisterContainerInstance",
		19 |                 "ecs:DiscoverPollEndpoint",
		20 |                 "ecs:Poll",
		21 |                 "ecs:RegisterContainerInstance",
		22 |                 "ecs:StartTelemetrySession",
		23 |                 "ecs:UpdateContainerInstancesState",
		24 |                 "ecs:Submit*",
		25 |                 "ecr:GetAuthorizationToken",
		26 |                 "ecr:BatchCheckLayerAvailability",
		27 |                 "ecr:GetDownloadUrlForLayer",
		28 |                 "ecr:BatchGetImage",
		29 |                 "logs:CreateLogGroup",
		30 |                 "logs:CreateLogStream",
		31 |                 "logs:GetLogEvents",
		32 |                 "logs:PutLogEvents",
		33 |                 "logs:DescribeLogGroups",
		34 |                 "logs:DescribeLogStreams",
		35 |                 "logs:PutRetentionPolicy",
		36 |                 "s3:ListBucket",
		37 |                 "s3:*Object*",
		38 |                 "kms:Decrypt",
		39 |                 "kms:Encrypt",
		40 |                 "kms:GenerateDataKey",
		41 |                 "kms:ReEncrypt",
		42 |                 "kms:GenerateDataKey",
		43 |                 "kms:DescribeKey",
		44 |                 "rds:Connect",
		45 |                 "rds:DescribeDBInstances"
		46 |             ],
		47 |             "Resource": "*"
		48 |         }
		49 |     ]
		50 | }
		51 | EOF
		52 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.deployment_logs
	File: /ecs.tf:54-57
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		54 | resource "aws_cloudwatch_log_group" "deployment_logs" {
		55 |   name              = "/aws/events/deploymentLogs"
		56 |   retention_in_days = "7"
		57 | }

Check: CKV_AWS_336: "Ensure ECS containers are limited to read-only access to root filesystems"
	FAILED for resource: aws_ecs_task_definition.ifs_task_definition
	File: /ecs.tf:84-141
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-336

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:180-202
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		180 | resource "aws_iam_role_policy" "app_task" {
		181 |   name = "task-${var.networking[0].application}"
		182 |   role = aws_iam_role.app_task.id
		183 | 
		184 |   policy = <<-EOF
		185 |   {
		186 |    "Version": "2012-10-17",
		187 |    "Statement": [
		188 |      {
		189 |        "Effect": "Allow",
		190 |         "Action": [
		191 |           "logs:CreateLogStream",
		192 |           "logs:PutLogEvents",
		193 |           "ecr:*",
		194 |           "iam:*",
		195 |           "ec2:*"
		196 |         ],
		197 |        "Resource": "*"
		198 |      }
		199 |    ]
		200 |   }
		201 |   EOF
		202 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:180-202
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		180 | resource "aws_iam_role_policy" "app_task" {
		181 |   name = "task-${var.networking[0].application}"
		182 |   role = aws_iam_role.app_task.id
		183 | 
		184 |   policy = <<-EOF
		185 |   {
		186 |    "Version": "2012-10-17",
		187 |    "Statement": [
		188 |      {
		189 |        "Effect": "Allow",
		190 |         "Action": [
		191 |           "logs:CreateLogStream",
		192 |           "logs:PutLogEvents",
		193 |           "ecr:*",
		194 |           "iam:*",
		195 |           "ec2:*"
		196 |         ],
		197 |        "Resource": "*"
		198 |      }
		199 |    ]
		200 |   }
		201 |   EOF
		202 | }

Check: CKV_AWS_287: "Ensure IAM policies does not allow credentials exposure"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:180-202
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-287

		180 | resource "aws_iam_role_policy" "app_task" {
		181 |   name = "task-${var.networking[0].application}"
		182 |   role = aws_iam_role.app_task.id
		183 | 
		184 |   policy = <<-EOF
		185 |   {
		186 |    "Version": "2012-10-17",
		187 |    "Statement": [
		188 |      {
		189 |        "Effect": "Allow",
		190 |         "Action": [
		191 |           "logs:CreateLogStream",
		192 |           "logs:PutLogEvents",
		193 |           "ecr:*",
		194 |           "iam:*",
		195 |           "ec2:*"
		196 |         ],
		197 |        "Resource": "*"
		198 |      }
		199 |    ]
		200 |   }
		201 |   EOF
		202 | }

Check: CKV_AWS_286: "Ensure IAM policies does not allow privilege escalation"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:180-202
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-286

		180 | resource "aws_iam_role_policy" "app_task" {
		181 |   name = "task-${var.networking[0].application}"
		182 |   role = aws_iam_role.app_task.id
		183 | 
		184 |   policy = <<-EOF
		185 |   {
		186 |    "Version": "2012-10-17",
		187 |    "Statement": [
		188 |      {
		189 |        "Effect": "Allow",
		190 |         "Action": [
		191 |           "logs:CreateLogStream",
		192 |           "logs:PutLogEvents",
		193 |           "ecr:*",
		194 |           "iam:*",
		195 |           "ec2:*"
		196 |         ],
		197 |        "Resource": "*"
		198 |      }
		199 |    ]
		200 |   }
		201 |   EOF
		202 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:180-202
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		180 | resource "aws_iam_role_policy" "app_task" {
		181 |   name = "task-${var.networking[0].application}"
		182 |   role = aws_iam_role.app_task.id
		183 | 
		184 |   policy = <<-EOF
		185 |   {
		186 |    "Version": "2012-10-17",
		187 |    "Statement": [
		188 |      {
		189 |        "Effect": "Allow",
		190 |         "Action": [
		191 |           "logs:CreateLogStream",
		192 |           "logs:PutLogEvents",
		193 |           "ecr:*",
		194 |           "iam:*",
		195 |           "ec2:*"
		196 |         ],
		197 |        "Resource": "*"
		198 |      }
		199 |    ]
		200 |   }
		201 |   EOF
		202 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:230-253
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		230 | resource "aws_iam_role_policy" "app_execution" {
		231 |   name = "execution-${var.networking[0].application}"
		232 |   role = aws_iam_role.app_execution.id
		233 | 
		234 |   policy = <<-EOF
		235 |   {
		236 |     "Version": "2012-10-17",
		237 |     "Statement": [
		238 |       {
		239 |            "Action": [
		240 |               "ecr:*",
		241 |               "logs:CreateLogGroup",
		242 |               "logs:CreateLogStream",
		243 |               "logs:PutLogEvents",
		244 |               "logs:DescribeLogStreams",
		245 |               "secretsmanager:GetSecretValue"
		246 |            ],
		247 |            "Resource": "*",
		248 |            "Effect": "Allow"
		249 |       }
		250 |     ]
		251 |   }
		252 |   EOF
		253 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:230-253
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		230 | resource "aws_iam_role_policy" "app_execution" {
		231 |   name = "execution-${var.networking[0].application}"
		232 |   role = aws_iam_role.app_execution.id
		233 | 
		234 |   policy = <<-EOF
		235 |   {
		236 |     "Version": "2012-10-17",
		237 |     "Statement": [
		238 |       {
		239 |            "Action": [
		240 |               "ecr:*",
		241 |               "logs:CreateLogGroup",
		242 |               "logs:CreateLogStream",
		243 |               "logs:PutLogEvents",
		244 |               "logs:DescribeLogStreams",
		245 |               "secretsmanager:GetSecretValue"
		246 |            ],
		247 |            "Resource": "*",
		248 |            "Effect": "Allow"
		249 |       }
		250 |     ]
		251 |   }
		252 |   EOF
		253 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:230-253
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		230 | resource "aws_iam_role_policy" "app_execution" {
		231 |   name = "execution-${var.networking[0].application}"
		232 |   role = aws_iam_role.app_execution.id
		233 | 
		234 |   policy = <<-EOF
		235 |   {
		236 |     "Version": "2012-10-17",
		237 |     "Statement": [
		238 |       {
		239 |            "Action": [
		240 |               "ecr:*",
		241 |               "logs:CreateLogGroup",
		242 |               "logs:CreateLogStream",
		243 |               "logs:PutLogEvents",
		244 |               "logs:DescribeLogStreams",
		245 |               "secretsmanager:GetSecretValue"
		246 |            ],
		247 |            "Resource": "*",
		248 |            "Effect": "Allow"
		249 |       }
		250 |     ]
		251 |   }
		252 |   EOF
		253 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:230-253
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		230 | resource "aws_iam_role_policy" "app_execution" {
		231 |   name = "execution-${var.networking[0].application}"
		232 |   role = aws_iam_role.app_execution.id
		233 | 
		234 |   policy = <<-EOF
		235 |   {
		236 |     "Version": "2012-10-17",
		237 |     "Statement": [
		238 |       {
		239 |            "Action": [
		240 |               "ecr:*",
		241 |               "logs:CreateLogGroup",
		242 |               "logs:CreateLogStream",
		243 |               "logs:PutLogEvents",
		244 |               "logs:DescribeLogStreams",
		245 |               "secretsmanager:GetSecretValue"
		246 |            ],
		247 |            "Resource": "*",
		248 |            "Effect": "Allow"
		249 |       }
		250 |     ]
		251 |   }
		252 |   EOF
		253 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.ecs_service
	File: /ecs.tf:456-474
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		456 | resource "aws_security_group" "ecs_service" {
		457 |   name_prefix = "ecs-service-sg-"
		458 |   vpc_id      = data.aws_vpc.shared.id
		459 | 
		460 |   ingress {
		461 |     from_port       = 80
		462 |     to_port         = 80
		463 |     protocol        = "tcp"
		464 |     description     = "Allow traffic on port 80 from load balancer"
		465 |     security_groups = [aws_security_group.ifs_lb_sc.id]
		466 |   }
		467 | 
		468 |   egress {
		469 |     from_port   = 0
		470 |     to_port     = 0
		471 |     protocol    = "-1"
		472 |     cidr_blocks = ["0.0.0.0/0"]
		473 |   }
		474 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.cloudwatch_group
	File: /ecs.tf:519-522
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		519 | resource "aws_cloudwatch_log_group" "cloudwatch_group" {
		520 |   name              = "${local.application_name}-ecs"
		521 |   retention_in_days = 30
		522 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.cloudwatch_group
	File: /ecs.tf:519-522
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		519 | resource "aws_cloudwatch_log_group" "cloudwatch_group" {
		520 |   name              = "${local.application_name}-ecs"
		521 |   retention_in_days = 30
		522 | }

Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
	FAILED for resource: aws_lb.ifs_lb
	File: /loadbalancer.tf:23-29
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22

		23 | resource "aws_lb" "ifs_lb" {
		24 |   name                       = "ifs-load-balancer"
		25 |   load_balancer_type         = "application"
		26 |   security_groups            = [aws_security_group.ifs_lb_sc.id]
		27 |   subnets                    = data.aws_subnets.shared-public.ids
		28 |   drop_invalid_header_fields = false
		29 | }

Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
	FAILED for resource: aws_lb.ifs_lb
	File: /loadbalancer.tf:23-29
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers

		23 | resource "aws_lb" "ifs_lb" {
		24 |   name                       = "ifs-load-balancer"
		25 |   load_balancer_type         = "application"
		26 |   security_groups            = [aws_security_group.ifs_lb_sc.id]
		27 |   subnets                    = data.aws_subnets.shared-public.ids
		28 |   drop_invalid_header_fields = false
		29 | }

Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
	FAILED for resource: aws_lb.ifs_lb
	File: /loadbalancer.tf:23-29
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-150

		23 | resource "aws_lb" "ifs_lb" {
		24 |   name                       = "ifs-load-balancer"
		25 |   load_balancer_type         = "application"
		26 |   security_groups            = [aws_security_group.ifs_lb_sc.id]
		27 |   subnets                    = data.aws_subnets.shared-public.ids
		28 |   drop_invalid_header_fields = false
		29 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.dbase_password
	File: /secrets.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		1 | resource "aws_secretsmanager_secret" "dbase_password" {
		2 |   name = "dbase_password"
		3 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.dbase_password
	File: /secrets.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		1 | resource "aws_secretsmanager_secret" "dbase_password" {
		2 |   name = "dbase_password"
		3 | }

Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-60

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.db_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV2_AWS_28: "Ensure public facing ALB are protected by WAF"
	FAILED for resource: aws_lb.ifs_lb
	File: /loadbalancer.tf:23-29
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-public-facing-alb-are-protected-by-waf

		23 | resource "aws_lb" "ifs_lb" {
		24 |   name                       = "ifs-load-balancer"
		25 |   load_balancer_type         = "application"
		26 |   security_groups            = [aws_security_group.ifs_lb_sc.id]
		27 |   subnets                    = data.aws_subnets.shared-public.ids
		28 |   drop_invalid_header_fields = false
		29 | }

Check: CKV2_AWS_40: "Ensure AWS IAM policy does not allow full IAM privileges"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:180-202
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-2-40

		180 | resource "aws_iam_role_policy" "app_task" {
		181 |   name = "task-${var.networking[0].application}"
		182 |   role = aws_iam_role.app_task.id
		183 | 
		184 |   policy = <<-EOF
		185 |   {
		186 |    "Version": "2012-10-17",
		187 |    "Statement": [
		188 |      {
		189 |        "Effect": "Allow",
		190 |         "Action": [
		191 |           "logs:CreateLogStream",
		192 |           "logs:PutLogEvents",
		193 |           "ecr:*",
		194 |           "iam:*",
		195 |           "ec2:*"
		196 |         ],
		197 |        "Resource": "*"
		198 |      }
		199 |    ]
		200 |   }
		201 |   EOF
		202 | }


checkov_exitcode=1

CTFLint Scan Failed

Show Output 
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
terraform/environments/cdpt-ifs

*****************************

Running tflint in terraform/environments/cdpt-ifs
Excluding the following checks: terraform_unused_declarations
7 issue(s) found:

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-ifs/ecs.tf line 114:
 114:           value = "${aws_db_instance.database.address}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-ifs/ecs.tf line 118:
 118:           value = "${aws_db_instance.database.username}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-ifs/ecs.tf line 122:
 122:           value = "${local.application_data.accounts[local.environment].db_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-ifs/ecs.tf line 126:
 126:           value = "${local.application_data.accounts[local.environment].client_id}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-ifs/ecs.tf line 130:
 130:           value = "${local.application_data.accounts[local.environment].env_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-ifs/ecs.tf line 389:
 389:       Name = "${local.application_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "random" in `required_providers` (terraform_required_providers)

  on terraform/environments/cdpt-ifs/secrets.tf line 5:
   5: resource "random_password" "password_long" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

tflint_exitcode=2

Trivy Scan Failed

Show Output 
*****************************

Trivy will check the following folders:
terraform/environments/cdpt-ifs

*****************************

Running Trivy in terraform/environments/cdpt-ifs
2024-06-20T15:39:07Z	INFO	Need to update DB
2024-06-20T15:39:07Z	INFO	Downloading DB...	repository="ghcr.io/aquasecurity/trivy-db:2"
2024-06-20T15:39:09Z	INFO	Vulnerability scanning is enabled
2024-06-20T15:39:09Z	INFO	Misconfiguration scanning is enabled
2024-06-20T15:39:09Z	INFO	Need to update the built-in policies
2024-06-20T15:39:09Z	INFO	Downloading the built-in policies...
53.79 KiB / 53.79 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-06-20T15:39:09Z	INFO	Secret scanning is enabled
2024-06-20T15:39:09Z	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-20T15:39:09Z	INFO	Please see also https://aquasecurity.github.io/trivy/v0.52/docs/scanner/secret/#recommendation for faster secret detection
2024-06-20T15:39:12Z	INFO	Number of language-specific files	num=0
2024-06-20T15:39:12Z	INFO	Detected config files	num=7

database.tf (terraform)
=======================
Tests: 3 (SUCCESSES: 1, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 1, CRITICAL: 1)

HIGH: Instance does not have storage encryption enabled.
════════════════════════════════════════
Encryption should be enabled for an RDS Database instances. 

When enabling encryption by setting the kms_key_id.

See https://avd.aquasec.com/misconfig/avd-aws-0080
────────────────────────────────────────
 database.tf:5-20
────────────────────────────────────────
   5resource "aws_db_instance" "database" {
   6allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
   7storage_type              = "gp2"
   8engine                    = "sqlserver-web"
   9engine_version            = "14.00.3381.3.v1"
  10instance_class            = local.application_data.accounts[local.environment].db_instance_class
  11identifier                = local.application_data.accounts[local.environment].db_instance_identifier
  12username                  = local.application_data.accounts[local.environment].db_user
  13password                  = aws_secretsmanager_secret_version.db_password.secret_string
  ..   
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 database.tf:47
   via database.tf:43-48 (egress)
    via database.tf:33-49 (aws_security_group.db)
────────────────────────────────────────
  33   resource "aws_security_group" "db" {
  ..   
  47 [     cidr_blocks = ["0.0.0.0/0"]
  ..   
  49   }
────────────────────────────────────────



ecs.tf (terraform)
==================
Tests: 75 (SUCCESSES: 5, FAILURES: 2, EXCEPTIONS: 68)
Failures: 2 (HIGH: 0, CRITICAL: 2)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 ecs.tf:342
   via ecs.tf:337-343 (egress)
    via ecs.tf:316-351 (aws_security_group.cluster_ec2)
────────────────────────────────────────
 316   resource "aws_security_group" "cluster_ec2" {
 ...   
 342 [     cidr_blocks = ["0.0.0.0/0"]
 ...   
 351   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 ecs.tf:472
   via ecs.tf:468-473 (egress)
    via ecs.tf:456-474 (aws_security_group.ecs_service)
────────────────────────────────────────
 456   resource "aws_security_group" "ecs_service" {
 ...   
 472 [     cidr_blocks = ["0.0.0.0/0"]
 ...   
 474   }
────────────────────────────────────────



github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf (terraform)
===============================================================================================================================================================================================================================
Tests: 7 (SUCCESSES: 6, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179
   via github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf:109-172 (module.s3-bucket)
    via bastion_linux.tf:5-37 (module.bastion_linux)
────────────────────────────────────────
 171resource "aws_s3_bucket_server_side_encryption_configuration" "default" {
 172 │   bucket = aws_s3_bucket.default.id
 173 │   rule {
 174 │     apply_server_side_encryption_by_default {
 175 │       sse_algorithm     = var.sse_algorithm
 176 │       kms_master_key_id = (var.custom_kms_key != "") ? var.custom_kms_key : ""
 177 │     }
 178 │   }
 179 └ }
────────────────────────────────────────



github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf (terraform)
==========================================================================================================
Tests: 7 (SUCCESSES: 5, FAILURES: 0, EXCEPTIONS: 2)
Failures: 0 (HIGH: 0, CRITICAL: 0)


loadbalancer.tf (terraform)
===========================
Tests: 6 (SUCCESSES: 2, FAILURES: 4, EXCEPTIONS: 0)
Failures: 4 (HIGH: 2, CRITICAL: 2)

HIGH: Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise. 

By setting drop_invalid_header_fields to true, anything that doe not conform to well known, defined headers will be removed by the load balancer.

See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
 loadbalancer.tf:28
   via loadbalancer.tf:23-29 (aws_lb.ifs_lb)
────────────────────────────────────────
  23   resource "aws_lb" "ifs_lb" {
  24     name                       = "ifs-load-balancer"
  25     load_balancer_type         = "application"
  26     security_groups            = [aws_security_group.ifs_lb_sc.id]
  27     subnets                    = data.aws_subnets.shared-public.ids
  28 [   drop_invalid_header_fields = false
  29   }
────────────────────────────────────────


HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
 loadbalancer.tf:23-29
────────────────────────────────────────
  23resource "aws_lb" "ifs_lb" {
  24 │   name                       = "ifs-load-balancer"
  25 │   load_balancer_type         = "application"
  26 │   security_groups            = [aws_security_group.ifs_lb_sc.id]
  27 │   subnets                    = data.aws_subnets.shared-public.ids
  28 │   drop_invalid_header_fields = false
  29 └ }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 loadbalancer.tf:19
   via loadbalancer.tf:14-20 (egress)
    via loadbalancer.tf:1-21 (aws_security_group.ifs_lb_sc)
────────────────────────────────────────
   1   resource "aws_security_group" "ifs_lb_sc" {
   .   
  19 [     cidr_blocks = ["0.0.0.0/0"]
  ..   
  21   }
────────────────────────────────────────


CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
 loadbalancer.tf:11
   via loadbalancer.tf:6-12 (ingress)
    via loadbalancer.tf:1-21 (aws_security_group.ifs_lb_sc)
────────────────────────────────────────
   1   resource "aws_security_group" "ifs_lb_sc" {
   .   
  11 [     cidr_blocks = ["188.214.15.75/32", "192.168.5.101/32", "81.134.202.29/32", "79.152.189.104/32", "179.50.12.212/32", "188.172.252.34/32", "194.33.192.0/25", "194.33.193.0/25", "194.33.196.0/25", "194.33.197.0/25", "195.59.75.0/24", "201.33.21.5/32", "213.121.161.112/28", "52.67.148.55/32", "54.94.206.111/32", "178.248.34.42/32", "178.248.34.43/32", "178.248.34.44/32", "178.248.34.45/32", "178.248.34.46/32", "178.248.34.47/32", "89.32.121.144/32", "185.191.249.100/32", "2.138.20.8/32", "18.169.147.172/32", "35.176.93.186/32", "18.130.148.126/32", "35.176.148.126/32", "51.149.250.0/24", "51.149.249.0/29", "194.33.249.0/29", "51.149.249.32/29", "194.33.248.0/29", "20.49.214.199/32", "20.49.214.228/32", "20.26.11.71/32", "20.26.11.108/32", "128.77.75.128/26"]
  ..   
  21   }
────────────────────────────────────────


trivy_exitcode=1

@fshafaatmoj fshafaatmoj temporarily deployed to cdpt-ifs-development June 20, 2024 15:40 — with GitHub Actions Inactive
@github-actions GitHub Actions
Copy link
Contributor

Trivy Scan Failed

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/cdpt-ifs

Running Trivy in terraform/environments/cdpt-ifs
2024-06-20T15:40:58Z INFO Need to update DB
2024-06-20T15:40:58Z INFO Downloading DB... repository="ghcr.io/aquasecurity/trivy-db:2"
2024-06-20T15:41:00Z INFO Vulnerability scanning is enabled
2024-06-20T15:41:00Z INFO Misconfiguration scanning is enabled
2024-06-20T15:41:00Z INFO Need to update the built-in policies
2024-06-20T15:41:00Z INFO Downloading the built-in policies...
53.79 KiB / 53.79 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-06-20T15:41:00Z INFO Secret scanning is enabled
2024-06-20T15:41:00Z INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-20T15:41:00Z INFO Please see also https://aquasecurity.github.io/trivy/v0.52/docs/scanner/secret/#recommendation for faster secret detection
2024-06-20T15:41:02Z INFO Number of language-specific files num=0
2024-06-20T15:41:02Z INFO Detected config files num=7

database.tf (terraform)

Tests: 3 (SUCCESSES: 1, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 1, CRITICAL: 1)

HIGH: Instance does not have storage encryption enabled.
════════════════════════════════════════
Encryption should be enabled for an RDS Database instances.

When enabling encryption by setting the kms_key_id.

See https://avd.aquasec.com/misconfig/avd-aws-0080
────────────────────────────────────────
database.tf:5-20
────────────────────────────────────────
5 ┌ resource "aws_db_instance" "database" {
6 │ allocated_storage = local.application_data.accounts[local.environment].db_allocated_storage
7 │ storage_type = "gp2"
8 │ engine = "sqlserver-web"
9 │ engine_version = "14.00.3381.3.v1"
10 │ instance_class = local.application_data.accounts[local.environment].db_instance_class
11 │ identifier = local.application_data.accounts[local.environment].db_instance_identifier
12 │ username = local.application_data.accounts[local.environment].db_user
13 └ password = aws_secretsmanager_secret_version.dbase_password.secret_string
..
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
database.tf:47
via database.tf:43-48 (egress)
via database.tf:33-49 (aws_security_group.db)
────────────────────────────────────────
33 resource "aws_security_group" "db" {
..
47 [ cidr_blocks = ["0.0.0.0/0"]
..
49 }
────────────────────────────────────────

ecs.tf (terraform)

Tests: 75 (SUCCESSES: 5, FAILURES: 2, EXCEPTIONS: 68)
Failures: 2 (HIGH: 0, CRITICAL: 2)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ecs.tf:342
via ecs.tf:337-343 (egress)
via ecs.tf:316-351 (aws_security_group.cluster_ec2)
────────────────────────────────────────
316 resource "aws_security_group" "cluster_ec2" {
...
342 [ cidr_blocks = ["0.0.0.0/0"]
...
351 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ecs.tf:472
via ecs.tf:468-473 (egress)
via ecs.tf:456-474 (aws_security_group.ecs_service)
────────────────────────────────────────
456 resource "aws_security_group" "ecs_service" {
...
472 [ cidr_blocks = ["0.0.0.0/0"]
...
474 }
────────────────────────────────────────

github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf (terraform)

Tests: 7 (SUCCESSES: 6, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179
via github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf:109-172 (module.s3-bucket)
via bastion_linux.tf:5-37 (module.bastion_linux)
────────────────────────────────────────
171 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "default" {
172 │ bucket = aws_s3_bucket.default.id
173 │ rule {
174 │ apply_server_side_encryption_by_default {
175 │ sse_algorithm = var.sse_algorithm
176 │ kms_master_key_id = (var.custom_kms_key != "") ? var.custom_kms_key : ""
177 │ }
178 │ }
179 └ }
────────────────────────────────────────

github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf (terraform)

Tests: 7 (SUCCESSES: 5, FAILURES: 0, EXCEPTIONS: 2)
Failures: 0 (HIGH: 0, CRITICAL: 0)

loadbalancer.tf (terraform)

Tests: 6 (SUCCESSES: 2, FAILURES: 4, EXCEPTIONS: 0)
Failures: 4 (HIGH: 2, CRITICAL: 2)

HIGH: Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.

By setting drop_invalid_header_fields to true, anything that doe not conform to well known, defined headers will be removed by the load balancer.

See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
loadbalancer.tf:28
via loadbalancer.tf:23-29 (aws_lb.ifs_lb)
────────────────────────────────────────
23 resource "aws_lb" "ifs_lb" {
24 name = "ifs-load-balancer"
25 load_balancer_type = "application"
26 security_groups = [aws_security_group.ifs_lb_sc.id]
27 subnets = data.aws_subnets.shared-public.ids
28 [ drop_invalid_header_fields = false
29 }
────────────────────────────────────────

HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
loadbalancer.tf:23-29
────────────────────────────────────────
23 ┌ resource "aws_lb" "ifs_lb" {
24 │ name = "ifs-load-balancer"
25 │ load_balancer_type = "application"
26 │ security_groups = [aws_security_group.ifs_lb_sc.id]
27 │ subnets = data.aws_subnets.shared-public.ids
28 │ drop_invalid_header_fields = false
29 └ }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
loadbalancer.tf:19
via loadbalancer.tf:14-20 (egress)
via loadbalancer.tf:1-21 (aws_security_group.ifs_lb_sc)
────────────────────────────────────────
1 resource "aws_security_group" "ifs_lb_sc" {
.
19 [ cidr_blocks = ["0.0.0.0/0"]
..
21 }
────────────────────────────────────────

CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
loadbalancer.tf:11
via loadbalancer.tf:6-12 (ingress)
via loadbalancer.tf:1-21 (aws_security_group.ifs_lb_sc)
────────────────────────────────────────
1 resource "aws_security_group" "ifs_lb_sc" {
.
11 [ cidr_blocks = ["188.214.15.75/32", "192.168.5.101/32", "81.134.202.29/32", "79.152.189.104/32", "179.50.12.212/32", "188.172.252.34/32", "194.33.192.0/25", "194.33.193.0/25", "194.33.196.0/25", "194.33.197.0/25", "195.59.75.0/24", "201.33.21.5/32", "213.121.161.112/28", "52.67.148.55/32", "54.94.206.111/32", "178.248.34.42/32", "178.248.34.43/32", "178.248.34.44/32", "178.248.34.45/32", "178.248.34.46/32", "178.248.34.47/32", "89.32.121.144/32", "185.191.249.100/32", "2.138.20.8/32", "18.169.147.172/32", "35.176.93.186/32", "18.130.148.126/32", "35.176.148.126/32", "51.149.250.0/24", "51.149.249.0/29", "194.33.249.0/29", "51.149.249.32/29", "194.33.248.0/29", "20.49.214.199/32", "20.49.214.228/32", "20.26.11.71/32", "20.26.11.108/32", "128.77.75.128/26"]
..
21 }
────────────────────────────────────────

trivy_exitcode=1

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/cdpt-ifs

*****************************

Running Checkov in terraform/environments/cdpt-ifs
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-06-20 15:41:04,528 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 97, Failed checks: 39, Skipped checks: 1

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: bastion_linux
	File: /bastion_linux.tf:5-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		5  | module "bastion_linux" {
		6  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1"
		7  | 
		8  |   providers = {
		9  |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		10 |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		11 |   }
		12 | 
		13 |   # s3 - used for logs and user ssh public keys
		14 |   bucket_name = "bastion"
		15 | 
		16 |   # public keys
		17 |   public_key_data = local.public_key_data.keys[local.environment]
		18 |   # logs
		19 |   log_auto_clean       = "Enabled"
		20 |   log_standard_ia_days = 30  # days before moving to IA storage
		21 |   log_glacier_days     = 60  # days before moving to Glacier
		22 |   log_expiry_days      = 180 # days before log expiration
		23 |   # bastion
		24 |   allow_ssh_commands = false
		25 | 
		26 |   app_name      = var.networking[0].application
		27 |   business_unit = local.vpc_name
		28 |   subnet_set    = local.subnet_set
		29 |   environment   = local.environment
		30 |   region        = "eu-west-2"
		31 | 
		32 |   extra_user_data_content = "yum install -y openldap-clients"
		33 | 
		34 |   # Tags
		35 |   tags_common = local.tags
		36 |   tags_prefix = terraform.workspace
		37 | }

Check: CKV_AWS_16: "Ensure all data stored in the RDS is securely encrypted at rest"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-4

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-73

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-353

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-354

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_226: "Ensure DB instance gets all minor upgrades automatically"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-db-instance-gets-all-minor-upgrades-automatically

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-293

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.db
	File: /database.tf:33-49
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		33 | resource "aws_security_group" "db" {
		34 |   name        = "${local.application_name}-db-sg"
		35 |   description = "Allow DB inbound traffic"
		36 |   vpc_id      = data.aws_vpc.shared.id
		37 |   ingress {
		38 |     from_port   = 1433
		39 |     to_port     = 1433
		40 |     protocol    = "tcp"
		41 |     cidr_blocks = [data.aws_vpc.shared.cidr_block]
		42 |   }
		43 |   egress {
		44 |     from_port   = 0
		45 |     to_port     = 0
		46 |     protocol    = "-1"
		47 |     cidr_blocks = ["0.0.0.0/0"]
		48 |   }
		49 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.rds-kms
	File: /database.tf:66-76
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		66 | data "aws_iam_policy_document" "rds-kms" {
		67 |   statement {
		68 |     effect    = "Allow"
		69 |     actions   = ["kms:*"]
		70 |     resources = ["*"]
		71 |     principals {
		72 |       type        = "AWS"
		73 |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		74 |     }
		75 |   }
		76 | }

Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy_document.rds-kms
	File: /database.tf:66-76
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint

		66 | data "aws_iam_policy_document" "rds-kms" {
		67 |   statement {
		68 |     effect    = "Allow"
		69 |     actions   = ["kms:*"]
		70 |     resources = ["*"]
		71 |     principals {
		72 |       type        = "AWS"
		73 |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		74 |     }
		75 |   }
		76 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.rds-kms
	File: /database.tf:66-76
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		66 | data "aws_iam_policy_document" "rds-kms" {
		67 |   statement {
		68 |     effect    = "Allow"
		69 |     actions   = ["kms:*"]
		70 |     resources = ["*"]
		71 |     principals {
		72 |       type        = "AWS"
		73 |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		74 |     }
		75 |   }
		76 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.ec2_instance_policy
	File: /ecs.tf:6-52
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		6  | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		7  |   name = "${local.application_name}-ec2-instance-policy"
		8  | 
		9  |   policy = <<EOF
		10 | {
		11 |     "Version": "2012-10-17",
		12 |     "Statement": [
		13 |         {
		14 |             "Effect": "Allow",
		15 |             "Action": [
		16 |                 "ec2:DescribeTags",
		17 |                 "ecs:CreateCluster",
		18 |                 "ecs:DeregisterContainerInstance",
		19 |                 "ecs:DiscoverPollEndpoint",
		20 |                 "ecs:Poll",
		21 |                 "ecs:RegisterContainerInstance",
		22 |                 "ecs:StartTelemetrySession",
		23 |                 "ecs:UpdateContainerInstancesState",
		24 |                 "ecs:Submit*",
		25 |                 "ecr:GetAuthorizationToken",
		26 |                 "ecr:BatchCheckLayerAvailability",
		27 |                 "ecr:GetDownloadUrlForLayer",
		28 |                 "ecr:BatchGetImage",
		29 |                 "logs:CreateLogGroup",
		30 |                 "logs:CreateLogStream",
		31 |                 "logs:GetLogEvents",
		32 |                 "logs:PutLogEvents",
		33 |                 "logs:DescribeLogGroups",
		34 |                 "logs:DescribeLogStreams",
		35 |                 "logs:PutRetentionPolicy",
		36 |                 "s3:ListBucket",
		37 |                 "s3:*Object*",
		38 |                 "kms:Decrypt",
		39 |                 "kms:Encrypt",
		40 |                 "kms:GenerateDataKey",
		41 |                 "kms:ReEncrypt",
		42 |                 "kms:GenerateDataKey",
		43 |                 "kms:DescribeKey",
		44 |                 "rds:Connect",
		45 |                 "rds:DescribeDBInstances"
		46 |             ],
		47 |             "Resource": "*"
		48 |         }
		49 |     ]
		50 | }
		51 | EOF
		52 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy.ec2_instance_policy
	File: /ecs.tf:6-52
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		6  | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		7  |   name = "${local.application_name}-ec2-instance-policy"
		8  | 
		9  |   policy = <<EOF
		10 | {
		11 |     "Version": "2012-10-17",
		12 |     "Statement": [
		13 |         {
		14 |             "Effect": "Allow",
		15 |             "Action": [
		16 |                 "ec2:DescribeTags",
		17 |                 "ecs:CreateCluster",
		18 |                 "ecs:DeregisterContainerInstance",
		19 |                 "ecs:DiscoverPollEndpoint",
		20 |                 "ecs:Poll",
		21 |                 "ecs:RegisterContainerInstance",
		22 |                 "ecs:StartTelemetrySession",
		23 |                 "ecs:UpdateContainerInstancesState",
		24 |                 "ecs:Submit*",
		25 |                 "ecr:GetAuthorizationToken",
		26 |                 "ecr:BatchCheckLayerAvailability",
		27 |                 "ecr:GetDownloadUrlForLayer",
		28 |                 "ecr:BatchGetImage",
		29 |                 "logs:CreateLogGroup",
		30 |                 "logs:CreateLogStream",
		31 |                 "logs:GetLogEvents",
		32 |                 "logs:PutLogEvents",
		33 |                 "logs:DescribeLogGroups",
		34 |                 "logs:DescribeLogStreams",
		35 |                 "logs:PutRetentionPolicy",
		36 |                 "s3:ListBucket",
		37 |                 "s3:*Object*",
		38 |                 "kms:Decrypt",
		39 |                 "kms:Encrypt",
		40 |                 "kms:GenerateDataKey",
		41 |                 "kms:ReEncrypt",
		42 |                 "kms:GenerateDataKey",
		43 |                 "kms:DescribeKey",
		44 |                 "rds:Connect",
		45 |                 "rds:DescribeDBInstances"
		46 |             ],
		47 |             "Resource": "*"
		48 |         }
		49 |     ]
		50 | }
		51 | EOF
		52 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_policy.ec2_instance_policy
	File: /ecs.tf:6-52
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		6  | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		7  |   name = "${local.application_name}-ec2-instance-policy"
		8  | 
		9  |   policy = <<EOF
		10 | {
		11 |     "Version": "2012-10-17",
		12 |     "Statement": [
		13 |         {
		14 |             "Effect": "Allow",
		15 |             "Action": [
		16 |                 "ec2:DescribeTags",
		17 |                 "ecs:CreateCluster",
		18 |                 "ecs:DeregisterContainerInstance",
		19 |                 "ecs:DiscoverPollEndpoint",
		20 |                 "ecs:Poll",
		21 |                 "ecs:RegisterContainerInstance",
		22 |                 "ecs:StartTelemetrySession",
		23 |                 "ecs:UpdateContainerInstancesState",
		24 |                 "ecs:Submit*",
		25 |                 "ecr:GetAuthorizationToken",
		26 |                 "ecr:BatchCheckLayerAvailability",
		27 |                 "ecr:GetDownloadUrlForLayer",
		28 |                 "ecr:BatchGetImage",
		29 |                 "logs:CreateLogGroup",
		30 |                 "logs:CreateLogStream",
		31 |                 "logs:GetLogEvents",
		32 |                 "logs:PutLogEvents",
		33 |                 "logs:DescribeLogGroups",
		34 |                 "logs:DescribeLogStreams",
		35 |                 "logs:PutRetentionPolicy",
		36 |                 "s3:ListBucket",
		37 |                 "s3:*Object*",
		38 |                 "kms:Decrypt",
		39 |                 "kms:Encrypt",
		40 |                 "kms:GenerateDataKey",
		41 |                 "kms:ReEncrypt",
		42 |                 "kms:GenerateDataKey",
		43 |                 "kms:DescribeKey",
		44 |                 "rds:Connect",
		45 |                 "rds:DescribeDBInstances"
		46 |             ],
		47 |             "Resource": "*"
		48 |         }
		49 |     ]
		50 | }
		51 | EOF
		52 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.ec2_instance_policy
	File: /ecs.tf:6-52
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		6  | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
		7  |   name = "${local.application_name}-ec2-instance-policy"
		8  | 
		9  |   policy = <<EOF
		10 | {
		11 |     "Version": "2012-10-17",
		12 |     "Statement": [
		13 |         {
		14 |             "Effect": "Allow",
		15 |             "Action": [
		16 |                 "ec2:DescribeTags",
		17 |                 "ecs:CreateCluster",
		18 |                 "ecs:DeregisterContainerInstance",
		19 |                 "ecs:DiscoverPollEndpoint",
		20 |                 "ecs:Poll",
		21 |                 "ecs:RegisterContainerInstance",
		22 |                 "ecs:StartTelemetrySession",
		23 |                 "ecs:UpdateContainerInstancesState",
		24 |                 "ecs:Submit*",
		25 |                 "ecr:GetAuthorizationToken",
		26 |                 "ecr:BatchCheckLayerAvailability",
		27 |                 "ecr:GetDownloadUrlForLayer",
		28 |                 "ecr:BatchGetImage",
		29 |                 "logs:CreateLogGroup",
		30 |                 "logs:CreateLogStream",
		31 |                 "logs:GetLogEvents",
		32 |                 "logs:PutLogEvents",
		33 |                 "logs:DescribeLogGroups",
		34 |                 "logs:DescribeLogStreams",
		35 |                 "logs:PutRetentionPolicy",
		36 |                 "s3:ListBucket",
		37 |                 "s3:*Object*",
		38 |                 "kms:Decrypt",
		39 |                 "kms:Encrypt",
		40 |                 "kms:GenerateDataKey",
		41 |                 "kms:ReEncrypt",
		42 |                 "kms:GenerateDataKey",
		43 |                 "kms:DescribeKey",
		44 |                 "rds:Connect",
		45 |                 "rds:DescribeDBInstances"
		46 |             ],
		47 |             "Resource": "*"
		48 |         }
		49 |     ]
		50 | }
		51 | EOF
		52 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.deployment_logs
	File: /ecs.tf:54-57
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		54 | resource "aws_cloudwatch_log_group" "deployment_logs" {
		55 |   name              = "/aws/events/deploymentLogs"
		56 |   retention_in_days = "7"
		57 | }

Check: CKV_AWS_336: "Ensure ECS containers are limited to read-only access to root filesystems"
	FAILED for resource: aws_ecs_task_definition.ifs_task_definition
	File: /ecs.tf:84-141
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-336

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:180-202
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		180 | resource "aws_iam_role_policy" "app_task" {
		181 |   name = "task-${var.networking[0].application}"
		182 |   role = aws_iam_role.app_task.id
		183 | 
		184 |   policy = <<-EOF
		185 |   {
		186 |    "Version": "2012-10-17",
		187 |    "Statement": [
		188 |      {
		189 |        "Effect": "Allow",
		190 |         "Action": [
		191 |           "logs:CreateLogStream",
		192 |           "logs:PutLogEvents",
		193 |           "ecr:*",
		194 |           "iam:*",
		195 |           "ec2:*"
		196 |         ],
		197 |        "Resource": "*"
		198 |      }
		199 |    ]
		200 |   }
		201 |   EOF
		202 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:180-202
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		180 | resource "aws_iam_role_policy" "app_task" {
		181 |   name = "task-${var.networking[0].application}"
		182 |   role = aws_iam_role.app_task.id
		183 | 
		184 |   policy = <<-EOF
		185 |   {
		186 |    "Version": "2012-10-17",
		187 |    "Statement": [
		188 |      {
		189 |        "Effect": "Allow",
		190 |         "Action": [
		191 |           "logs:CreateLogStream",
		192 |           "logs:PutLogEvents",
		193 |           "ecr:*",
		194 |           "iam:*",
		195 |           "ec2:*"
		196 |         ],
		197 |        "Resource": "*"
		198 |      }
		199 |    ]
		200 |   }
		201 |   EOF
		202 | }

Check: CKV_AWS_287: "Ensure IAM policies does not allow credentials exposure"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:180-202
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-287

		180 | resource "aws_iam_role_policy" "app_task" {
		181 |   name = "task-${var.networking[0].application}"
		182 |   role = aws_iam_role.app_task.id
		183 | 
		184 |   policy = <<-EOF
		185 |   {
		186 |    "Version": "2012-10-17",
		187 |    "Statement": [
		188 |      {
		189 |        "Effect": "Allow",
		190 |         "Action": [
		191 |           "logs:CreateLogStream",
		192 |           "logs:PutLogEvents",
		193 |           "ecr:*",
		194 |           "iam:*",
		195 |           "ec2:*"
		196 |         ],
		197 |        "Resource": "*"
		198 |      }
		199 |    ]
		200 |   }
		201 |   EOF
		202 | }

Check: CKV_AWS_286: "Ensure IAM policies does not allow privilege escalation"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:180-202
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-286

		180 | resource "aws_iam_role_policy" "app_task" {
		181 |   name = "task-${var.networking[0].application}"
		182 |   role = aws_iam_role.app_task.id
		183 | 
		184 |   policy = <<-EOF
		185 |   {
		186 |    "Version": "2012-10-17",
		187 |    "Statement": [
		188 |      {
		189 |        "Effect": "Allow",
		190 |         "Action": [
		191 |           "logs:CreateLogStream",
		192 |           "logs:PutLogEvents",
		193 |           "ecr:*",
		194 |           "iam:*",
		195 |           "ec2:*"
		196 |         ],
		197 |        "Resource": "*"
		198 |      }
		199 |    ]
		200 |   }
		201 |   EOF
		202 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:180-202
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		180 | resource "aws_iam_role_policy" "app_task" {
		181 |   name = "task-${var.networking[0].application}"
		182 |   role = aws_iam_role.app_task.id
		183 | 
		184 |   policy = <<-EOF
		185 |   {
		186 |    "Version": "2012-10-17",
		187 |    "Statement": [
		188 |      {
		189 |        "Effect": "Allow",
		190 |         "Action": [
		191 |           "logs:CreateLogStream",
		192 |           "logs:PutLogEvents",
		193 |           "ecr:*",
		194 |           "iam:*",
		195 |           "ec2:*"
		196 |         ],
		197 |        "Resource": "*"
		198 |      }
		199 |    ]
		200 |   }
		201 |   EOF
		202 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:230-253
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		230 | resource "aws_iam_role_policy" "app_execution" {
		231 |   name = "execution-${var.networking[0].application}"
		232 |   role = aws_iam_role.app_execution.id
		233 | 
		234 |   policy = <<-EOF
		235 |   {
		236 |     "Version": "2012-10-17",
		237 |     "Statement": [
		238 |       {
		239 |            "Action": [
		240 |               "ecr:*",
		241 |               "logs:CreateLogGroup",
		242 |               "logs:CreateLogStream",
		243 |               "logs:PutLogEvents",
		244 |               "logs:DescribeLogStreams",
		245 |               "secretsmanager:GetSecretValue"
		246 |            ],
		247 |            "Resource": "*",
		248 |            "Effect": "Allow"
		249 |       }
		250 |     ]
		251 |   }
		252 |   EOF
		253 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:230-253
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		230 | resource "aws_iam_role_policy" "app_execution" {
		231 |   name = "execution-${var.networking[0].application}"
		232 |   role = aws_iam_role.app_execution.id
		233 | 
		234 |   policy = <<-EOF
		235 |   {
		236 |     "Version": "2012-10-17",
		237 |     "Statement": [
		238 |       {
		239 |            "Action": [
		240 |               "ecr:*",
		241 |               "logs:CreateLogGroup",
		242 |               "logs:CreateLogStream",
		243 |               "logs:PutLogEvents",
		244 |               "logs:DescribeLogStreams",
		245 |               "secretsmanager:GetSecretValue"
		246 |            ],
		247 |            "Resource": "*",
		248 |            "Effect": "Allow"
		249 |       }
		250 |     ]
		251 |   }
		252 |   EOF
		253 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:230-253
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		230 | resource "aws_iam_role_policy" "app_execution" {
		231 |   name = "execution-${var.networking[0].application}"
		232 |   role = aws_iam_role.app_execution.id
		233 | 
		234 |   policy = <<-EOF
		235 |   {
		236 |     "Version": "2012-10-17",
		237 |     "Statement": [
		238 |       {
		239 |            "Action": [
		240 |               "ecr:*",
		241 |               "logs:CreateLogGroup",
		242 |               "logs:CreateLogStream",
		243 |               "logs:PutLogEvents",
		244 |               "logs:DescribeLogStreams",
		245 |               "secretsmanager:GetSecretValue"
		246 |            ],
		247 |            "Resource": "*",
		248 |            "Effect": "Allow"
		249 |       }
		250 |     ]
		251 |   }
		252 |   EOF
		253 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:230-253
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		230 | resource "aws_iam_role_policy" "app_execution" {
		231 |   name = "execution-${var.networking[0].application}"
		232 |   role = aws_iam_role.app_execution.id
		233 | 
		234 |   policy = <<-EOF
		235 |   {
		236 |     "Version": "2012-10-17",
		237 |     "Statement": [
		238 |       {
		239 |            "Action": [
		240 |               "ecr:*",
		241 |               "logs:CreateLogGroup",
		242 |               "logs:CreateLogStream",
		243 |               "logs:PutLogEvents",
		244 |               "logs:DescribeLogStreams",
		245 |               "secretsmanager:GetSecretValue"
		246 |            ],
		247 |            "Resource": "*",
		248 |            "Effect": "Allow"
		249 |       }
		250 |     ]
		251 |   }
		252 |   EOF
		253 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.ecs_service
	File: /ecs.tf:456-474
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		456 | resource "aws_security_group" "ecs_service" {
		457 |   name_prefix = "ecs-service-sg-"
		458 |   vpc_id      = data.aws_vpc.shared.id
		459 | 
		460 |   ingress {
		461 |     from_port       = 80
		462 |     to_port         = 80
		463 |     protocol        = "tcp"
		464 |     description     = "Allow traffic on port 80 from load balancer"
		465 |     security_groups = [aws_security_group.ifs_lb_sc.id]
		466 |   }
		467 | 
		468 |   egress {
		469 |     from_port   = 0
		470 |     to_port     = 0
		471 |     protocol    = "-1"
		472 |     cidr_blocks = ["0.0.0.0/0"]
		473 |   }
		474 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.cloudwatch_group
	File: /ecs.tf:519-522
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		519 | resource "aws_cloudwatch_log_group" "cloudwatch_group" {
		520 |   name              = "${local.application_name}-ecs"
		521 |   retention_in_days = 30
		522 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.cloudwatch_group
	File: /ecs.tf:519-522
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		519 | resource "aws_cloudwatch_log_group" "cloudwatch_group" {
		520 |   name              = "${local.application_name}-ecs"
		521 |   retention_in_days = 30
		522 | }

Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
	FAILED for resource: aws_lb.ifs_lb
	File: /loadbalancer.tf:23-29
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22

		23 | resource "aws_lb" "ifs_lb" {
		24 |   name                       = "ifs-load-balancer"
		25 |   load_balancer_type         = "application"
		26 |   security_groups            = [aws_security_group.ifs_lb_sc.id]
		27 |   subnets                    = data.aws_subnets.shared-public.ids
		28 |   drop_invalid_header_fields = false
		29 | }

Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
	FAILED for resource: aws_lb.ifs_lb
	File: /loadbalancer.tf:23-29
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers

		23 | resource "aws_lb" "ifs_lb" {
		24 |   name                       = "ifs-load-balancer"
		25 |   load_balancer_type         = "application"
		26 |   security_groups            = [aws_security_group.ifs_lb_sc.id]
		27 |   subnets                    = data.aws_subnets.shared-public.ids
		28 |   drop_invalid_header_fields = false
		29 | }

Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
	FAILED for resource: aws_lb.ifs_lb
	File: /loadbalancer.tf:23-29
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-150

		23 | resource "aws_lb" "ifs_lb" {
		24 |   name                       = "ifs-load-balancer"
		25 |   load_balancer_type         = "application"
		26 |   security_groups            = [aws_security_group.ifs_lb_sc.id]
		27 |   subnets                    = data.aws_subnets.shared-public.ids
		28 |   drop_invalid_header_fields = false
		29 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.dbase_password
	File: /secrets.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		1 | resource "aws_secretsmanager_secret" "dbase_password" {
		2 |   name = "dbase_password"
		3 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.dbase_password
	File: /secrets.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		1 | resource "aws_secretsmanager_secret" "dbase_password" {
		2 |   name = "dbase_password"
		3 | }

Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
	FAILED for resource: aws_db_instance.database
	File: /database.tf:5-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-60

		5  | resource "aws_db_instance" "database" {
		6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
		7  |   storage_type              = "gp2"
		8  |   engine                    = "sqlserver-web"
		9  |   engine_version            = "14.00.3381.3.v1"
		10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
		11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
		12 |   username                  = local.application_data.accounts[local.environment].db_user
		13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
		14 |   vpc_security_group_ids    = [aws_security_group.db.id]
		15 |   depends_on                = [aws_security_group.db]
		16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
		17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
		18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
		19 |   publicly_accessible       = false
		20 | }

Check: CKV2_AWS_28: "Ensure public facing ALB are protected by WAF"
	FAILED for resource: aws_lb.ifs_lb
	File: /loadbalancer.tf:23-29
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-public-facing-alb-are-protected-by-waf

		23 | resource "aws_lb" "ifs_lb" {
		24 |   name                       = "ifs-load-balancer"
		25 |   load_balancer_type         = "application"
		26 |   security_groups            = [aws_security_group.ifs_lb_sc.id]
		27 |   subnets                    = data.aws_subnets.shared-public.ids
		28 |   drop_invalid_header_fields = false
		29 | }

Check: CKV2_AWS_40: "Ensure AWS IAM policy does not allow full IAM privileges"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:180-202
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-2-40

		180 | resource "aws_iam_role_policy" "app_task" {
		181 |   name = "task-${var.networking[0].application}"
		182 |   role = aws_iam_role.app_task.id
		183 | 
		184 |   policy = <<-EOF
		185 |   {
		186 |    "Version": "2012-10-17",
		187 |    "Statement": [
		188 |      {
		189 |        "Effect": "Allow",
		190 |         "Action": [
		191 |           "logs:CreateLogStream",
		192 |           "logs:PutLogEvents",
		193 |           "ecr:*",
		194 |           "iam:*",
		195 |           "ec2:*"
		196 |         ],
		197 |        "Resource": "*"
		198 |      }
		199 |    ]
		200 |   }
		201 |   EOF
		202 | }


checkov_exitcode=1

CTFLint Scan Failed

Show Output 
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
terraform/environments/cdpt-ifs

*****************************

Running tflint in terraform/environments/cdpt-ifs
Excluding the following checks: terraform_unused_declarations
7 issue(s) found:

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-ifs/ecs.tf line 114:
 114:           value = "${aws_db_instance.database.address}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-ifs/ecs.tf line 118:
 118:           value = "${aws_db_instance.database.username}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-ifs/ecs.tf line 122:
 122:           value = "${local.application_data.accounts[local.environment].db_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-ifs/ecs.tf line 126:
 126:           value = "${local.application_data.accounts[local.environment].client_id}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-ifs/ecs.tf line 130:
 130:           value = "${local.application_data.accounts[local.environment].env_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-ifs/ecs.tf line 389:
 389:       Name = "${local.application_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "random" in `required_providers` (terraform_required_providers)

  on terraform/environments/cdpt-ifs/secrets.tf line 5:
   5: resource "random_password" "password_long" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

tflint_exitcode=2

Trivy Scan Failed

Show Output 
*****************************

Trivy will check the following folders:
terraform/environments/cdpt-ifs

*****************************

Running Trivy in terraform/environments/cdpt-ifs
2024-06-20T15:40:58Z	INFO	Need to update DB
2024-06-20T15:40:58Z	INFO	Downloading DB...	repository="ghcr.io/aquasecurity/trivy-db:2"
2024-06-20T15:41:00Z	INFO	Vulnerability scanning is enabled
2024-06-20T15:41:00Z	INFO	Misconfiguration scanning is enabled
2024-06-20T15:41:00Z	INFO	Need to update the built-in policies
2024-06-20T15:41:00Z	INFO	Downloading the built-in policies...
53.79 KiB / 53.79 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-06-20T15:41:00Z	INFO	Secret scanning is enabled
2024-06-20T15:41:00Z	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-20T15:41:00Z	INFO	Please see also https://aquasecurity.github.io/trivy/v0.52/docs/scanner/secret/#recommendation for faster secret detection
2024-06-20T15:41:02Z	INFO	Number of language-specific files	num=0
2024-06-20T15:41:02Z	INFO	Detected config files	num=7

database.tf (terraform)
=======================
Tests: 3 (SUCCESSES: 1, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 1, CRITICAL: 1)

HIGH: Instance does not have storage encryption enabled.
════════════════════════════════════════
Encryption should be enabled for an RDS Database instances. 

When enabling encryption by setting the kms_key_id.

See https://avd.aquasec.com/misconfig/avd-aws-0080
────────────────────────────────────────
 database.tf:5-20
────────────────────────────────────────
   5resource "aws_db_instance" "database" {
   6allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
   7storage_type              = "gp2"
   8engine                    = "sqlserver-web"
   9engine_version            = "14.00.3381.3.v1"
  10instance_class            = local.application_data.accounts[local.environment].db_instance_class
  11identifier                = local.application_data.accounts[local.environment].db_instance_identifier
  12username                  = local.application_data.accounts[local.environment].db_user
  13password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
  ..   
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 database.tf:47
   via database.tf:43-48 (egress)
    via database.tf:33-49 (aws_security_group.db)
────────────────────────────────────────
  33   resource "aws_security_group" "db" {
  ..   
  47 [     cidr_blocks = ["0.0.0.0/0"]
  ..   
  49   }
────────────────────────────────────────



ecs.tf (terraform)
==================
Tests: 75 (SUCCESSES: 5, FAILURES: 2, EXCEPTIONS: 68)
Failures: 2 (HIGH: 0, CRITICAL: 2)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 ecs.tf:342
   via ecs.tf:337-343 (egress)
    via ecs.tf:316-351 (aws_security_group.cluster_ec2)
────────────────────────────────────────
 316   resource "aws_security_group" "cluster_ec2" {
 ...   
 342 [     cidr_blocks = ["0.0.0.0/0"]
 ...   
 351   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 ecs.tf:472
   via ecs.tf:468-473 (egress)
    via ecs.tf:456-474 (aws_security_group.ecs_service)
────────────────────────────────────────
 456   resource "aws_security_group" "ecs_service" {
 ...   
 472 [     cidr_blocks = ["0.0.0.0/0"]
 ...   
 474   }
────────────────────────────────────────



github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf (terraform)
===============================================================================================================================================================================================================================
Tests: 7 (SUCCESSES: 6, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179
   via github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf:109-172 (module.s3-bucket)
    via bastion_linux.tf:5-37 (module.bastion_linux)
────────────────────────────────────────
 171resource "aws_s3_bucket_server_side_encryption_configuration" "default" {
 172 │   bucket = aws_s3_bucket.default.id
 173 │   rule {
 174 │     apply_server_side_encryption_by_default {
 175 │       sse_algorithm     = var.sse_algorithm
 176 │       kms_master_key_id = (var.custom_kms_key != "") ? var.custom_kms_key : ""
 177 │     }
 178 │   }
 179 └ }
────────────────────────────────────────



github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf (terraform)
==========================================================================================================
Tests: 7 (SUCCESSES: 5, FAILURES: 0, EXCEPTIONS: 2)
Failures: 0 (HIGH: 0, CRITICAL: 0)


loadbalancer.tf (terraform)
===========================
Tests: 6 (SUCCESSES: 2, FAILURES: 4, EXCEPTIONS: 0)
Failures: 4 (HIGH: 2, CRITICAL: 2)

HIGH: Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise. 

By setting drop_invalid_header_fields to true, anything that doe not conform to well known, defined headers will be removed by the load balancer.

See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
 loadbalancer.tf:28
   via loadbalancer.tf:23-29 (aws_lb.ifs_lb)
────────────────────────────────────────
  23   resource "aws_lb" "ifs_lb" {
  24     name                       = "ifs-load-balancer"
  25     load_balancer_type         = "application"
  26     security_groups            = [aws_security_group.ifs_lb_sc.id]
  27     subnets                    = data.aws_subnets.shared-public.ids
  28 [   drop_invalid_header_fields = false
  29   }
────────────────────────────────────────


HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
 loadbalancer.tf:23-29
────────────────────────────────────────
  23resource "aws_lb" "ifs_lb" {
  24 │   name                       = "ifs-load-balancer"
  25 │   load_balancer_type         = "application"
  26 │   security_groups            = [aws_security_group.ifs_lb_sc.id]
  27 │   subnets                    = data.aws_subnets.shared-public.ids
  28 │   drop_invalid_header_fields = false
  29 └ }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 loadbalancer.tf:19
   via loadbalancer.tf:14-20 (egress)
    via loadbalancer.tf:1-21 (aws_security_group.ifs_lb_sc)
────────────────────────────────────────
   1   resource "aws_security_group" "ifs_lb_sc" {
   .   
  19 [     cidr_blocks = ["0.0.0.0/0"]
  ..   
  21   }
────────────────────────────────────────


CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
 loadbalancer.tf:11
   via loadbalancer.tf:6-12 (ingress)
    via loadbalancer.tf:1-21 (aws_security_group.ifs_lb_sc)
────────────────────────────────────────
   1   resource "aws_security_group" "ifs_lb_sc" {
   .   
  11 [     cidr_blocks = ["188.214.15.75/32", "192.168.5.101/32", "81.134.202.29/32", "79.152.189.104/32", "179.50.12.212/32", "188.172.252.34/32", "194.33.192.0/25", "194.33.193.0/25", "194.33.196.0/25", "194.33.197.0/25", "195.59.75.0/24", "201.33.21.5/32", "213.121.161.112/28", "52.67.148.55/32", "54.94.206.111/32", "178.248.34.42/32", "178.248.34.43/32", "178.248.34.44/32", "178.248.34.45/32", "178.248.34.46/32", "178.248.34.47/32", "89.32.121.144/32", "185.191.249.100/32", "2.138.20.8/32", "18.169.147.172/32", "35.176.93.186/32", "18.130.148.126/32", "35.176.148.126/32", "51.149.250.0/24", "51.149.249.0/29", "194.33.249.0/29", "51.149.249.32/29", "194.33.248.0/29", "20.49.214.199/32", "20.49.214.228/32", "20.26.11.71/32", "20.26.11.108/32", "128.77.75.128/26"]
  ..   
  21   }
────────────────────────────────────────


trivy_exitcode=1

@fshafaatmoj fshafaatmoj merged commit 002816f into main Jun 21, 2024
13 of 14 checks passed
@fshafaatmoj fshafaatmoj deleted the LogGroupAndDBPasswordSecretErrorFix branch June 21, 2024 08:44
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@roncitrus roncitrus roncitrus approved these changes

Assignees
No one assigned
Labels
environments-repository Used to exclude PRs from this repo in our Slack PR update
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@fshafaatmoj @roncitrus