nextcloud LDAP config updated #6797

IjazMoJ · 2024-06-28T15:18:58Z

No description provided.

github-actions · 2024-06-28T15:21:21Z

`Trivy Scan` Failed

Show Output

```hcl

Trivy will check the following folders:
terraform/environments/delius-nextcloud/modules/components/nextcloud

Running Trivy in terraform/environments/delius-nextcloud/modules/components/nextcloud
2024-06-28T15:21:11Z INFO Need to update DB
2024-06-28T15:21:11Z INFO Downloading DB... repository="ghcr.io/aquasecurity/trivy-db:2"
2024-06-28T15:21:13Z INFO Vulnerability scanning is enabled
2024-06-28T15:21:13Z INFO Misconfiguration scanning is enabled
2024-06-28T15:21:13Z INFO Need to update the built-in policies
2024-06-28T15:21:13Z INFO Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-06-28T15:21:13Z INFO Secret scanning is enabled
2024-06-28T15:21:13Z INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-28T15:21:13Z INFO Please see also https://aquasecurity.github.io/trivy/v0.52/docs/scanner/secret/#recommendation for faster secret detection
2024-06-28T15:21:15Z INFO Number of language-specific files num=0
2024-06-28T15:21:15Z INFO Detected config files num=17

../../../../delius-core/modules/helpers/delius_microservice/sg.tf (terraform)

Tests: 7 (SUCCESSES: 6, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
../../../../delius-core/modules/helpers/delius_microservice/sg.tf:47
via ../../../../delius-core/modules/helpers/delius_microservice/sg.tf:41-49 (aws_security_group_rule.ecs_service_tls_egress)
via ecs_service.tf:1-139 (module.nextcloud_service)
────────────────────────────────────────
41 resource "aws_security_group_rule" "ecs_service_tls_egress" {
42 description = "Allow all outbound traffic to any IPv4 address on 443"
43 type = "egress"
44 from_port = 443
45 to_port = 443
46 protocol = "tcp"
47 [ cidr_blocks = ["0.0.0.0/0"]
48 security_group_id = aws_security_group.ecs_service.id
49 }
────────────────────────────────────────

../../../../delius-core/modules/helpers/ecs_policies/main.tf (terraform)

Tests: 6 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 6)
Failures: 0 (HIGH: 0, CRITICAL: 0)

alb.tf (terraform)

Tests: 5 (SUCCESSES: 2, FAILURES: 3, EXCEPTIONS: 0)
Failures: 3 (HIGH: 2, CRITICAL: 1)

CRITICAL: Listener uses an outdated TLS policy.
════════════════════════════════════════
You should not use outdated/insecure TLS versions for encryption. You should be using TLS v1.2+.

See https://avd.aquasec.com/misconfig/avd-aws-0047
────────────────────────────────────────
alb.tf:14
via alb.tf:10-21 (aws_alb_listener.nextcloud_https)
────────────────────────────────────────
10 resource "aws_alb_listener" "nextcloud_https" {
..
14 [ ssl_policy = "ELBSecurityPolicy-2016-08"
..
21 }
────────────────────────────────────────

HIGH: Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.

By setting drop_invalid_header_fields to true, anything that doe not conform to well known, defined headers will be removed by the load balancer.

See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
alb.tf:1-8
────────────────────────────────────────
1 ┌ resource "aws_alb" "nextcloud" {
2 │ name = "nextcloud"
3 │ internal = false
4 │ load_balancer_type = "application"
5 │ security_groups = [aws_security_group.nextcloud_alb_sg.id]
6 │ subnets = var.account_config.public_subnet_ids
7 │ tags = var.tags
8 └ }
────────────────────────────────────────

HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
alb.tf:3
via alb.tf:1-8 (aws_alb.nextcloud)
────────────────────────────────────────
1 resource "aws_alb" "nextcloud" {
2 name = "nextcloud"
3 [ internal = false
4 load_balancer_type = "application"
5 security_groups = [aws_security_group.nextcloud_alb_sg.id]
6 subnets = var.account_config.public_subnet_ids
7 tags = var.tags
8 }
────────────────────────────────────────

github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0/main.tf (terraform)

Tests: 7 (SUCCESSES: 6, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0/main.tf:157-165
via s3.tf:1-56 (module.s3_bucket_config)
────────────────────────────────────────
157 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "default" {
158 │ bucket = aws_s3_bucket.default.id
159 │ rule {
160 │ apply_server_side_encryption_by_default {
161 │ sse_algorithm = var.sse_algorithm
162 │ kms_master_key_id = (var.custom_kms_key != "") ? var.custom_kms_key : ""
163 │ }
164 │ }
165 └ }
────────────────────────────────────────

migration.tf (terraform)

Tests: 2 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 2)
Failures: 0 (HIGH: 0, CRITICAL: 0)

pagerduty.tf (terraform)

Tests: 2 (SUCCESSES: 1, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Topic does not have encryption enabled.
════════════════════════════════════════
Topics should be encrypted to protect their contents.

See https://avd.aquasec.com/misconfig/avd-aws-0095
────────────────────────────────────────
pagerduty.tf:7-9
────────────────────────────────────────
7 ┌ resource "aws_sns_topic" "nextcloud_alarms" {
8 │ name = "nextcloud-alarms-${var.env_name}"
9 └ }
────────────────────────────────────────

ses.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)

trivy_exitcode=1

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/delius-nextcloud/modules/components/nextcloud

*****************************

Running Checkov in terraform/environments/delius-nextcloud/modules/components/nextcloud
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-06-28 15:21:18,294 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//cluster?ref=v4.2.1:None (for external modules, the --download-external-modules flag is required)
2024-06-28 15:21:18,294 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 353, Failed checks: 45, Skipped checks: 4

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: module.nextcloud_service.aws_cloudwatch_log_group.ecs
	File: /../../../../delius-core/modules/helpers/delius_microservice/cloudwatch.tf:1-5
	Calling File: /ecs_service.tf:1-139
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		1 | resource "aws_cloudwatch_log_group" "ecs" {
		2 |   name              = "${var.env_name}-${var.name}"
		3 |   retention_in_days = 7
		4 |   tags              = var.tags
		5 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: module.nextcloud_service.aws_cloudwatch_log_group.ecs
	File: /../../../../delius-core/modules/helpers/delius_microservice/cloudwatch.tf:1-5
	Calling File: /ecs_service.tf:1-139
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		1 | resource "aws_cloudwatch_log_group" "ecs" {
		2 |   name              = "${var.env_name}-${var.name}"
		3 |   retention_in_days = 7
		4 |   tags              = var.tags
		5 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.nextcloud_service.container_definition
	File: /../../../../delius-core/modules/helpers/delius_microservice/ecs.tf:1-23
	Calling File: /ecs_service.tf:1-139
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		1  | module "container_definition" {
		2  |   source                   = "git::https://github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//container?ref=v4.3.0"
		3  |   name                     = var.name
		4  |   image                    = var.container_image
		5  |   memory                   = var.container_memory
		6  |   cpu                      = var.container_cpu
		7  |   essential                = true
		8  |   readonly_root_filesystem = false
		9  | 
		10 |   environment = local.calculated_container_vars_list
		11 | 
		12 |   secrets       = local.calculated_container_secrets_list
		13 |   port_mappings = var.container_port_config
		14 |   mount_points  = var.mount_points
		15 |   log_configuration = {
		16 |     logDriver = "awslogs"
		17 |     options = {
		18 |       "awslogs-group"         = aws_cloudwatch_log_group.ecs.name
		19 |       "awslogs-region"        = "eu-west-2"
		20 |       "awslogs-stream-prefix" = "${var.env_name}-${var.name}"
		21 |     }
		22 |   }
		23 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.nextcloud_service.ecs_service
	File: /../../../../delius-core/modules/helpers/delius_microservice/ecs.tf:33-70
	Calling File: /ecs_service.tf:1-139
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		33 | module "ecs_service" {
		34 |   source                = "git::https://github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//service?ref=v4.3.0"
		35 |   container_definitions = nonsensitive(module.container_definition.json_encoded_list)
		36 |   cluster_arn           = var.ecs_cluster_arn
		37 |   name                  = var.name
		38 | 
		39 |   task_cpu    = var.container_cpu
		40 |   task_memory = var.container_memory
		41 | 
		42 |   desired_count                      = var.desired_count
		43 |   deployment_maximum_percent         = var.deployment_maximum_percent
		44 |   deployment_minimum_healthy_percent = var.deployment_minimum_healthy_percent
		45 | 
		46 |   service_role_arn   = "arn:aws:iam::${var.account_info.id}:role/${module.ecs_policies.service_role.name}"
		47 |   task_role_arn      = "arn:aws:iam::${var.account_info.id}:role/${module.ecs_policies.task_role.name}"
		48 |   task_exec_role_arn = "arn:aws:iam::${var.account_info.id}:role/${module.ecs_policies.task_exec_role.name}"
		49 | 
		50 |   health_check_grace_period_seconds = var.health_check_grace_period_seconds
		51 | 
		52 |   service_load_balancers = concat([{
		53 |     target_group_arn = aws_lb_target_group.frontend.arn
		54 |     container_name   = var.name
		55 |     container_port   = var.container_port_config[0].containerPort
		56 |     }],
		57 |   values(local.ecs_nlbs))
		58 | 
		59 |   efs_volumes = var.efs_volumes
		60 | 
		61 |   security_groups = [aws_security_group.ecs_service.id]
		62 | 
		63 |   subnets = var.account_config.private_subnet_ids
		64 | 
		65 |   enable_execute_command = true
		66 | 
		67 |   ignore_changes = var.ignore_changes_service_task_definition
		68 | 
		69 |   tags = var.tags
		70 | }

Check: CKV_AWS_319: "Ensure that CloudWatch alarm actions are enabled"
	FAILED for resource: module.nextcloud_service.aws_cloudwatch_metric_alarm.log_error_warning_alarm[0]
	File: /../../../../delius-core/modules/helpers/delius_microservice/ecs_monitoring.tf:120-149
	Calling File: /ecs_service.tf:1-139
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-319

		120 | resource "aws_cloudwatch_metric_alarm" "log_error_warning_alarm" {
		121 |   count               = var.log_error_pattern != "" ? 1 : 0
		122 |   alarm_name          = "${var.name}-${var.env_name}-logged-errors-warning"
		123 |   alarm_description   = "Error messages were detected in the `${var.name}` logs."
		124 |   comparison_operator = "GreaterThanUpperThreshold"
		125 |   threshold_metric_id = "ad1"
		126 |   evaluation_periods  = 2
		127 |   alarm_actions       = [var.sns_topic_arn]
		128 |   ok_actions          = [var.sns_topic_arn]
		129 |   actions_enabled     = false # Disabled initially, while anomaly detection models are trained
		130 | 
		131 |   metric_query {
		132 |     id          = "ad1"
		133 |     expression  = "ANOMALY_DETECTION_BAND(m1)"
		134 |     label       = "${aws_cloudwatch_log_metric_filter.log_error_filter.0.metric_transformation.0.name} (expected)"
		135 |     return_data = true
		136 |   }
		137 | 
		138 |   metric_query {
		139 |     id          = "m1"
		140 |     label       = aws_cloudwatch_log_metric_filter.log_error_filter.0.metric_transformation.0.name
		141 |     return_data = true
		142 |     metric {
		143 |       namespace   = aws_cloudwatch_log_metric_filter.log_error_filter.0.metric_transformation.0.namespace
		144 |       metric_name = aws_cloudwatch_log_metric_filter.log_error_filter.0.metric_transformation.0.name
		145 |       period      = 300
		146 |       stat        = "Sum"
		147 |     }
		148 |   }
		149 | }

Check: CKV_AWS_134: "Ensure that Amazon ElastiCache Redis clusters have automatic backup turned on"
	FAILED for resource: module.nextcloud_service.aws_elasticache_cluster.this
	File: /../../../../delius-core/modules/helpers/delius_microservice/elasticache.tf:8-23
	Calling File: /ecs_service.tf:1-139
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-amazon-elasticache-redis-clusters-have-automatic-backup-turned-on

		8  | resource "aws_elasticache_cluster" "this" {
		9  |   count                      = var.create_elasticache ? 1 : 0
		10 |   cluster_id                 = "${var.name}-${var.env_name}"
		11 |   engine                     = var.elasticache_engine
		12 |   node_type                  = var.elasticache_node_type
		13 |   num_cache_nodes            = var.elasticache_num_cache_nodes
		14 |   parameter_group_name       = var.elasticache_parameter_group_name
		15 |   engine_version             = var.elasticache_engine_version
		16 |   port                       = var.elasticache_port
		17 |   subnet_group_name          = aws_elasticache_subnet_group.this[0].name
		18 |   apply_immediately          = var.elasticache_apply_immediately
		19 |   auto_minor_version_upgrade = true
		20 |   final_snapshot_identifier  = var.elasticache_engine == "redis" ? "final-redis-${var.name}-${var.env_name}" : null
		21 |   maintenance_window         = var.maintenance_window
		22 |   security_group_ids         = [aws_security_group.elasticache[0].id]
		23 | }

Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
	FAILED for resource: module.nextcloud_service.aws_lb.delius_microservices
	File: /../../../../delius-core/modules/helpers/delius_microservice/load_balancing.tf:89-97
	Calling File: /ecs_service.tf:1-139
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22

		89 | resource "aws_lb" "delius_microservices" {
		90 |   name                       = "${var.name}-${var.env_name}-service-nlb"
		91 |   internal                   = true
		92 |   load_balancer_type         = "network"
		93 |   security_groups            = [aws_security_group.delius_microservices_service_nlb.id]
		94 |   subnets                    = var.account_config.private_subnet_ids
		95 |   enable_deletion_protection = false
		96 |   tags                       = var.tags
		97 | }

Check: CKV_AWS_152: "Ensure that Load Balancer (Network/Gateway) has cross-zone load balancing enabled"
	FAILED for resource: module.nextcloud_service.aws_lb.delius_microservices
	File: /../../../../delius-core/modules/helpers/delius_microservice/load_balancing.tf:89-97
	Calling File: /ecs_service.tf:1-139
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-load-balancer-networkgateway-has-cross-zone-load-balancing-enabled

		89 | resource "aws_lb" "delius_microservices" {
		90 |   name                       = "${var.name}-${var.env_name}-service-nlb"
		91 |   internal                   = true
		92 |   load_balancer_type         = "network"
		93 |   security_groups            = [aws_security_group.delius_microservices_service_nlb.id]
		94 |   subnets                    = var.account_config.private_subnet_ids
		95 |   enable_deletion_protection = false
		96 |   tags                       = var.tags
		97 | }

Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
	FAILED for resource: module.nextcloud_service.aws_lb.delius_microservices
	File: /../../../../delius-core/modules/helpers/delius_microservice/load_balancing.tf:89-97
	Calling File: /ecs_service.tf:1-139
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-150

		89 | resource "aws_lb" "delius_microservices" {
		90 |   name                       = "${var.name}-${var.env_name}-service-nlb"
		91 |   internal                   = true
		92 |   load_balancer_type         = "network"
		93 |   security_groups            = [aws_security_group.delius_microservices_service_nlb.id]
		94 |   subnets                    = var.account_config.private_subnet_ids
		95 |   enable_deletion_protection = false
		96 |   tags                       = var.tags
		97 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: module.nextcloud_service.aws_vpc_security_group_ingress_rule.from_vpc
	File: /../../../../delius-core/modules/helpers/delius_microservice/load_balancing.tf:109-113
	Calling File: /ecs_service.tf:1-139
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		109 | resource "aws_vpc_security_group_ingress_rule" "from_vpc" {
		110 |   cidr_ipv4         = var.account_config.shared_vpc_cidr
		111 |   ip_protocol       = "-1"
		112 |   security_group_id = aws_security_group.delius_microservices_service_nlb.id
		113 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: module.nextcloud_service.aws_vpc_security_group_egress_rule.nlb_to_ecs_service
	File: /../../../../delius-core/modules/helpers/delius_microservice/load_balancing.tf:115-122
	Calling File: /ecs_service.tf:1-139
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		115 | resource "aws_vpc_security_group_egress_rule" "nlb_to_ecs_service" {
		116 |   for_each                     = toset([for _, v in var.container_port_config : tostring(v.containerPort)])
		117 |   ip_protocol                  = "TCP"
		118 |   from_port                    = each.value
		119 |   to_port                      = each.value
		120 |   security_group_id            = aws_security_group.delius_microservices_service_nlb.id
		121 |   referenced_security_group_id = aws_security_group.ecs_service.id
		122 | }

Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
	FAILED for resource: module.nextcloud_service.aws_db_instance.this
	File: /../../../../delius-core/modules/helpers/delius_microservice/rds.tf:65-111
	Calling File: /ecs_service.tf:1-139
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-73

		65  | resource "aws_db_instance" "this" {
		66  |   count          = var.create_rds ? 1 : 0
		67  |   engine         = var.rds_engine
		68  |   license_model  = var.rds_license_model != null ? var.rds_license_model : null
		69  |   engine_version = var.rds_engine_version
		70  |   instance_class = var.rds_instance_class
		71  |   identifier     = "${var.name}-${var.env_name}-db"
		72  |   username       = var.rds_username
		73  | 
		74  |   manage_master_user_password = true
		75  | 
		76  |   snapshot_identifier = var.snapshot_identifier != null ? var.snapshot_identifier : null
		77  | 
		78  |   kms_key_id = var.account_config.kms_keys.rds_shared
		79  | 
		80  |   allow_major_version_upgrade = var.rds_allow_major_version_upgrade
		81  |   apply_immediately           = var.rds_apply_immediately
		82  | 
		83  |   # tflint-ignore: aws_db_instance_default_parameter_group
		84  |   parameter_group_name                = var.rds_parameter_group_name
		85  |   deletion_protection                 = var.rds_deletion_protection
		86  |   delete_automated_backups            = var.rds_delete_automated_backups
		87  |   skip_final_snapshot                 = var.rds_skip_final_snapshot
		88  |   final_snapshot_identifier           = !var.rds_skip_final_snapshot ? "${var.name}-${var.env_name}-db-final-${random_id.rds_suffix.hex}" : null
		89  |   allocated_storage                   = var.rds_allocated_storage
		90  |   max_allocated_storage               = var.rds_max_allocated_storage
		91  |   storage_type                        = var.rds_storage_type
		92  |   maintenance_window                  = var.maintenance_window
		93  |   auto_minor_version_upgrade          = true
		94  |   backup_window                       = var.rds_backup_window
		95  |   backup_retention_period             = var.rds_backup_retention_period
		96  |   iam_database_authentication_enabled = var.rds_iam_database_authentication_enabled
		97  |   db_subnet_group_name                = aws_db_subnet_group.this[0].id
		98  |   vpc_security_group_ids              = [aws_security_group.db[0].id]
		99  |   multi_az                            = var.rds_multi_az
		100 |   monitoring_interval                 = var.rds_monitoring_interval
		101 |   monitoring_role_arn                 = var.rds_monitoring_interval != null || var.rds_monitoring_interval != 0 ? aws_iam_role.rds_enhanced_monitoring[0].arn : null
		102 |   #checkov:skip=CKV_AWS_118: "enhanced monitoring is enabled, but optional"
		103 |   storage_encrypted               = true
		104 |   performance_insights_enabled    = var.rds_performance_insights_enabled
		105 |   performance_insights_kms_key_id = var.rds_performance_insights_enabled ? var.account_config.kms_keys.general_shared : null
		106 |   enabled_cloudwatch_logs_exports = var.rds_enabled_cloudwatch_logs_exports
		107 |   tags = merge(var.tags,
		108 |     { Name = lower(format("%s-%s-database", var.name, var.env_name)) },
		109 |     var.enable_platform_backups != null ? { "backup" = var.enable_platform_backups ? "true" : "false" } : {}
		110 |   )
		111 | }

Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
	FAILED for resource: module.nextcloud_service.aws_db_instance.this
	File: /../../../../delius-core/modules/helpers/delius_microservice/rds.tf:65-111
	Calling File: /ecs_service.tf:1-139
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-353

		65  | resource "aws_db_instance" "this" {
		66  |   count          = var.create_rds ? 1 : 0
		67  |   engine         = var.rds_engine
		68  |   license_model  = var.rds_license_model != null ? var.rds_license_model : null
		69  |   engine_version = var.rds_engine_version
		70  |   instance_class = var.rds_instance_class
		71  |   identifier     = "${var.name}-${var.env_name}-db"
		72  |   username       = var.rds_username
		73  | 
		74  |   manage_master_user_password = true
		75  | 
		76  |   snapshot_identifier = var.snapshot_identifier != null ? var.snapshot_identifier : null
		77  | 
		78  |   kms_key_id = var.account_config.kms_keys.rds_shared
		79  | 
		80  |   allow_major_version_upgrade = var.rds_allow_major_version_upgrade
		81  |   apply_immediately           = var.rds_apply_immediately
		82  | 
		83  |   # tflint-ignore: aws_db_instance_default_parameter_group
		84  |   parameter_group_name                = var.rds_parameter_group_name
		85  |   deletion_protection                 = var.rds_deletion_protection
		86  |   delete_automated_backups            = var.rds_delete_automated_backups
		87  |   skip_final_snapshot                 = var.rds_skip_final_snapshot
		88  |   final_snapshot_identifier           = !var.rds_skip_final_snapshot ? "${var.name}-${var.env_name}-db-final-${random_id.rds_suffix.hex}" : null
		89  |   allocated_storage                   = var.rds_allocated_storage
		90  |   max_allocated_storage               = var.rds_max_allocated_storage
		91  |   storage_type                        = var.rds_storage_type
		92  |   maintenance_window                  = var.maintenance_window
		93  |   auto_minor_version_upgrade          = true
		94  |   backup_window                       = var.rds_backup_window
		95  |   backup_retention_period             = var.rds_backup_retention_period
		96  |   iam_database_authentication_enabled = var.rds_iam_database_authentication_enabled
		97  |   db_subnet_group_name                = aws_db_subnet_group.this[0].id
		98  |   vpc_security_group_ids              = [aws_security_group.db[0].id]
		99  |   multi_az                            = var.rds_multi_az
		100 |   monitoring_interval                 = var.rds_monitoring_interval
		101 |   monitoring_role_arn                 = var.rds_monitoring_interval != null || var.rds_monitoring_interval != 0 ? aws_iam_role.rds_enhanced_monitoring[0].arn : null
		102 |   #checkov:skip=CKV_AWS_118: "enhanced monitoring is enabled, but optional"
		103 |   storage_encrypted               = true
		104 |   performance_insights_enabled    = var.rds_performance_insights_enabled
		105 |   performance_insights_kms_key_id = var.rds_performance_insights_enabled ? var.account_config.kms_keys.general_shared : null
		106 |   enabled_cloudwatch_logs_exports = var.rds_enabled_cloudwatch_logs_exports
		107 |   tags = merge(var.tags,
		108 |     { Name = lower(format("%s-%s-database", var.name, var.env_name)) },
		109 |     var.enable_platform_backups != null ? { "backup" = var.enable_platform_backups ? "true" : "false" } : {}
		110 |   )
		111 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: module.nextcloud_service.aws_db_instance.this
	File: /../../../../delius-core/modules/helpers/delius_microservice/rds.tf:65-111
	Calling File: /ecs_service.tf:1-139
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-354

		65  | resource "aws_db_instance" "this" {
		66  |   count          = var.create_rds ? 1 : 0
		67  |   engine         = var.rds_engine
		68  |   license_model  = var.rds_license_model != null ? var.rds_license_model : null
		69  |   engine_version = var.rds_engine_version
		70  |   instance_class = var.rds_instance_class
		71  |   identifier     = "${var.name}-${var.env_name}-db"
		72  |   username       = var.rds_username
		73  | 
		74  |   manage_master_user_password = true
		75  | 
		76  |   snapshot_identifier = var.snapshot_identifier != null ? var.snapshot_identifier : null
		77  | 
		78  |   kms_key_id = var.account_config.kms_keys.rds_shared
		79  | 
		80  |   allow_major_version_upgrade = var.rds_allow_major_version_upgrade
		81  |   apply_immediately           = var.rds_apply_immediately
		82  | 
		83  |   # tflint-ignore: aws_db_instance_default_parameter_group
		84  |   parameter_group_name                = var.rds_parameter_group_name
		85  |   deletion_protection                 = var.rds_deletion_protection
		86  |   delete_automated_backups            = var.rds_delete_automated_backups
		87  |   skip_final_snapshot                 = var.rds_skip_final_snapshot
		88  |   final_snapshot_identifier           = !var.rds_skip_final_snapshot ? "${var.name}-${var.env_name}-db-final-${random_id.rds_suffix.hex}" : null
		89  |   allocated_storage                   = var.rds_allocated_storage
		90  |   max_allocated_storage               = var.rds_max_allocated_storage
		91  |   storage_type                        = var.rds_storage_type
		92  |   maintenance_window                  = var.maintenance_window
		93  |   auto_minor_version_upgrade          = true
		94  |   backup_window                       = var.rds_backup_window
		95  |   backup_retention_period             = var.rds_backup_retention_period
		96  |   iam_database_authentication_enabled = var.rds_iam_database_authentication_enabled
		97  |   db_subnet_group_name                = aws_db_subnet_group.this[0].id
		98  |   vpc_security_group_ids              = [aws_security_group.db[0].id]
		99  |   multi_az                            = var.rds_multi_az
		100 |   monitoring_interval                 = var.rds_monitoring_interval
		101 |   monitoring_role_arn                 = var.rds_monitoring_interval != null || var.rds_monitoring_interval != 0 ? aws_iam_role.rds_enhanced_monitoring[0].arn : null
		102 |   #checkov:skip=CKV_AWS_118: "enhanced monitoring is enabled, but optional"
		103 |   storage_encrypted               = true
		104 |   performance_insights_enabled    = var.rds_performance_insights_enabled
		105 |   performance_insights_kms_key_id = var.rds_performance_insights_enabled ? var.account_config.kms_keys.general_shared : null
		106 |   enabled_cloudwatch_logs_exports = var.rds_enabled_cloudwatch_logs_exports
		107 |   tags = merge(var.tags,
		108 |     { Name = lower(format("%s-%s-database", var.name, var.env_name)) },
		109 |     var.enable_platform_backups != null ? { "backup" = var.enable_platform_backups ? "true" : "false" } : {}
		110 |   )
		111 | }

Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
	FAILED for resource: module.nextcloud_service.aws_db_instance.this
	File: /../../../../delius-core/modules/helpers/delius_microservice/rds.tf:65-111
	Calling File: /ecs_service.tf:1-139
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled

		65  | resource "aws_db_instance" "this" {
		66  |   count          = var.create_rds ? 1 : 0
		67  |   engine         = var.rds_engine
		68  |   license_model  = var.rds_license_model != null ? var.rds_license_model : null
		69  |   engine_version = var.rds_engine_version
		70  |   instance_class = var.rds_instance_class
		71  |   identifier     = "${var.name}-${var.env_name}-db"
		72  |   username       = var.rds_username
		73  | 
		74  |   manage_master_user_password = true
		75  | 
		76  |   snapshot_identifier = var.snapshot_identifier != null ? var.snapshot_identifier : null
		77  | 
		78  |   kms_key_id = var.account_config.kms_keys.rds_shared
		79  | 
		80  |   allow_major_version_upgrade = var.rds_allow_major_version_upgrade
		81  |   apply_immediately           = var.rds_apply_immediately
		82  | 
		83  |   # tflint-ignore: aws_db_instance_default_parameter_group
		84  |   parameter_group_name                = var.rds_parameter_group_name
		85  |   deletion_protection                 = var.rds_deletion_protection
		86  |   delete_automated_backups            = var.rds_delete_automated_backups
		87  |   skip_final_snapshot                 = var.rds_skip_final_snapshot
		88  |   final_snapshot_identifier           = !var.rds_skip_final_snapshot ? "${var.name}-${var.env_name}-db-final-${random_id.rds_suffix.hex}" : null
		89  |   allocated_storage                   = var.rds_allocated_storage
		90  |   max_allocated_storage               = var.rds_max_allocated_storage
		91  |   storage_type                        = var.rds_storage_type
		92  |   maintenance_window                  = var.maintenance_window
		93  |   auto_minor_version_upgrade          = true
		94  |   backup_window                       = var.rds_backup_window
		95  |   backup_retention_period             = var.rds_backup_retention_period
		96  |   iam_database_authentication_enabled = var.rds_iam_database_authentication_enabled
		97  |   db_subnet_group_name                = aws_db_subnet_group.this[0].id
		98  |   vpc_security_group_ids              = [aws_security_group.db[0].id]
		99  |   multi_az                            = var.rds_multi_az
		100 |   monitoring_interval                 = var.rds_monitoring_interval
		101 |   monitoring_role_arn                 = var.rds_monitoring_interval != null || var.rds_monitoring_interval != 0 ? aws_iam_role.rds_enhanced_monitoring[0].arn : null
		102 |   #checkov:skip=CKV_AWS_118: "enhanced monitoring is enabled, but optional"
		103 |   storage_encrypted               = true
		104 |   performance_insights_enabled    = var.rds_performance_insights_enabled
		105 |   performance_insights_kms_key_id = var.rds_performance_insights_enabled ? var.account_config.kms_keys.general_shared : null
		106 |   enabled_cloudwatch_logs_exports = var.rds_enabled_cloudwatch_logs_exports
		107 |   tags = merge(var.tags,
		108 |     { Name = lower(format("%s-%s-database", var.name, var.env_name)) },
		109 |     var.enable_platform_backups != null ? { "backup" = var.enable_platform_backups ? "true" : "false" } : {}
		110 |   )
		111 | }

Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
	FAILED for resource: module.nextcloud_service.aws_db_instance.this
	File: /../../../../delius-core/modules/helpers/delius_microservice/rds.tf:65-111
	Calling File: /ecs_service.tf:1-139
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-293

		65  | resource "aws_db_instance" "this" {
		66  |   count          = var.create_rds ? 1 : 0
		67  |   engine         = var.rds_engine
		68  |   license_model  = var.rds_license_model != null ? var.rds_license_model : null
		69  |   engine_version = var.rds_engine_version
		70  |   instance_class = var.rds_instance_class
		71  |   identifier     = "${var.name}-${var.env_name}-db"
		72  |   username       = var.rds_username
		73  | 
		74  |   manage_master_user_password = true
		75  | 
		76  |   snapshot_identifier = var.snapshot_identifier != null ? var.snapshot_identifier : null
		77  | 
		78  |   kms_key_id = var.account_config.kms_keys.rds_shared
		79  | 
		80  |   allow_major_version_upgrade = var.rds_allow_major_version_upgrade
		81  |   apply_immediately           = var.rds_apply_immediately
		82  | 
		83  |   # tflint-ignore: aws_db_instance_default_parameter_group
		84  |   parameter_group_name                = var.rds_parameter_group_name
		85  |   deletion_protection                 = var.rds_deletion_protection
		86  |   delete_automated_backups            = var.rds_delete_automated_backups
		87  |   skip_final_snapshot                 = var.rds_skip_final_snapshot
		88  |   final_snapshot_identifier           = !var.rds_skip_final_snapshot ? "${var.name}-${var.env_name}-db-final-${random_id.rds_suffix.hex}" : null
		89  |   allocated_storage                   = var.rds_allocated_storage
		90  |   max_allocated_storage               = var.rds_max_allocated_storage
		91  |   storage_type                        = var.rds_storage_type
		92  |   maintenance_window                  = var.maintenance_window
		93  |   auto_minor_version_upgrade          = true
		94  |   backup_window                       = var.rds_backup_window
		95  |   backup_retention_period             = var.rds_backup_retention_period
		96  |   iam_database_authentication_enabled = var.rds_iam_database_authentication_enabled
		97  |   db_subnet_group_name                = aws_db_subnet_group.this[0].id
		98  |   vpc_security_group_ids              = [aws_security_group.db[0].id]
		99  |   multi_az                            = var.rds_multi_az
		100 |   monitoring_interval                 = var.rds_monitoring_interval
		101 |   monitoring_role_arn                 = var.rds_monitoring_interval != null || var.rds_monitoring_interval != 0 ? aws_iam_role.rds_enhanced_monitoring[0].arn : null
		102 |   #checkov:skip=CKV_AWS_118: "enhanced monitoring is enabled, but optional"
		103 |   storage_encrypted               = true
		104 |   performance_insights_enabled    = var.rds_performance_insights_enabled
		105 |   performance_insights_kms_key_id = var.rds_performance_insights_enabled ? var.account_config.kms_keys.general_shared : null
		106 |   enabled_cloudwatch_logs_exports = var.rds_enabled_cloudwatch_logs_exports
		107 |   tags = merge(var.tags,
		108 |     { Name = lower(format("%s-%s-database", var.name, var.env_name)) },
		109 |     var.enable_platform_backups != null ? { "backup" = var.enable_platform_backups ? "true" : "false" } : {}
		110 |   )
		111 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: module.nextcloud_service.aws_security_group_rule.all_cluster_to_ecs_service_tcp
	File: /../../../../delius-core/modules/helpers/delius_microservice/sg.tf:51-59
	Calling File: /ecs_service.tf:1-139
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		51 | resource "aws_security_group_rule" "all_cluster_to_ecs_service_tcp" {
		52 |   for_each                 = toset([for _, v in var.container_port_config : tostring(v.containerPort)])
		53 |   security_group_id        = aws_security_group.ecs_service.id
		54 |   type                     = "ingress"
		55 |   from_port                = each.value
		56 |   to_port                  = each.value
		57 |   protocol                 = "tcp"
		58 |   source_security_group_id = var.cluster_security_group_id
		59 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: module.nextcloud_service.aws_security_group_rule.bastion_to_ecs_service_tcp
	File: /../../../../delius-core/modules/helpers/delius_microservice/sg.tf:61-69
	Calling File: /ecs_service.tf:1-139
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		61 | resource "aws_security_group_rule" "bastion_to_ecs_service_tcp" {
		62 |   for_each                 = toset([for _, v in var.container_port_config : tostring(v.containerPort)])
		63 |   security_group_id        = aws_security_group.ecs_service.id
		64 |   type                     = "ingress"
		65 |   from_port                = each.value
		66 |   to_port                  = each.value
		67 |   protocol                 = "tcp"
		68 |   source_security_group_id = var.bastion_sg_id
		69 | }

Check: CKV_AWS_108: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: module.nextcloud_service.module.ecs_policies.aws_iam_policy_document.task_exec
	File: /../../../../delius-core/modules/helpers/ecs_policies/main.tf:104-122
	Calling File: /../../../../delius-core/modules/helpers/delius_microservice/ecs.tf:25-31
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-data-exfiltration

		104 | data "aws_iam_policy_document" "task_exec" {
		105 |   statement {
		106 |     effect    = "Allow"
		107 |     resources = ["*"]
		108 | 
		109 |     actions = concat([
		110 |       "ssm:GetParameters",
		111 |       "ecr:GetAuthorizationToken",
		112 |       "ecr:BatchCheckLayerAvailability",
		113 |       "ecr:GetDownloadUrlForLayer",
		114 |       "ecr:BatchGetImage",
		115 |       "logs:CreateLogGroup",
		116 |       "logs:CreateLogStream",
		117 |       "logs:PutLogEvents",
		118 |       "secretsmanager:GetSecretValue",
		119 |       "kms:Decrypt",
		120 |     ], var.extra_exec_role_allow_statements)
		121 |   }
		122 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.nextcloud_service.module.ecs_policies.aws_iam_policy_document.task_exec
	File: /../../../../delius-core/modules/helpers/ecs_policies/main.tf:104-122
	Calling File: /../../../../delius-core/modules/helpers/delius_microservice/ecs.tf:25-31
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		104 | data "aws_iam_policy_document" "task_exec" {
		105 |   statement {
		106 |     effect    = "Allow"
		107 |     resources = ["*"]
		108 | 
		109 |     actions = concat([
		110 |       "ssm:GetParameters",
		111 |       "ecr:GetAuthorizationToken",
		112 |       "ecr:BatchCheckLayerAvailability",
		113 |       "ecr:GetDownloadUrlForLayer",
		114 |       "ecr:BatchGetImage",
		115 |       "logs:CreateLogGroup",
		116 |       "logs:CreateLogStream",
		117 |       "logs:PutLogEvents",
		118 |       "secretsmanager:GetSecretValue",
		119 |       "kms:Decrypt",
		120 |     ], var.extra_exec_role_allow_statements)
		121 |   }
		122 | }

Check: CKV_AWS_329: "EFS access points should enforce a root directory"
	FAILED for resource: module.nextcloud_efs["data"].aws_efs_access_point.ldap
	File: /../../../../delius-core/modules/helpers/efs/main.tf:26-37
	Calling File: /efs.tf:1-18
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-329

		26 | resource "aws_efs_access_point" "ldap" {
		27 |   file_system_id = aws_efs_file_system.this.id
		28 |   root_directory {
		29 |     path = "/"
		30 |   }
		31 |   tags = merge(
		32 |     var.tags,
		33 |     {
		34 |       Name = "${var.env_name}-${var.name}-efs-access-point"
		35 |     }
		36 |   )
		37 | }

Check: CKV_AWS_330: "EFS access points should enforce a user identity"
	FAILED for resource: module.nextcloud_efs["data"].aws_efs_access_point.ldap
	File: /../../../../delius-core/modules/helpers/efs/main.tf:26-37
	Calling File: /efs.tf:1-18
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-330

		26 | resource "aws_efs_access_point" "ldap" {
		27 |   file_system_id = aws_efs_file_system.this.id
		28 |   root_directory {
		29 |     path = "/"
		30 |   }
		31 |   tags = merge(
		32 |     var.tags,
		33 |     {
		34 |       Name = "${var.env_name}-${var.name}-efs-access-point"
		35 |     }
		36 |   )
		37 | }

Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
	FAILED for resource: aws_alb.nextcloud
	File: /alb.tf:1-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22

		1 | resource "aws_alb" "nextcloud" {
		2 |   name               = "nextcloud"
		3 |   internal           = false
		4 |   load_balancer_type = "application"
		5 |   security_groups    = [aws_security_group.nextcloud_alb_sg.id]
		6 |   subnets            = var.account_config.public_subnet_ids
		7 |   tags               = var.tags
		8 | }

Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
	FAILED for resource: aws_alb.nextcloud
	File: /alb.tf:1-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers

		1 | resource "aws_alb" "nextcloud" {
		2 |   name               = "nextcloud"
		3 |   internal           = false
		4 |   load_balancer_type = "application"
		5 |   security_groups    = [aws_security_group.nextcloud_alb_sg.id]
		6 |   subnets            = var.account_config.public_subnet_ids
		7 |   tags               = var.tags
		8 | }

Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
	FAILED for resource: aws_alb.nextcloud
	File: /alb.tf:1-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-150

		1 | resource "aws_alb" "nextcloud" {
		2 |   name               = "nextcloud"
		3 |   internal           = false
		4 |   load_balancer_type = "application"
		5 |   security_groups    = [aws_security_group.nextcloud_alb_sg.id]
		6 |   subnets            = var.account_config.public_subnet_ids
		7 |   tags               = var.tags
		8 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.cluster
	File: /ecs_cluster.tf:8-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		8  | resource "aws_security_group" "cluster" {
		9  |   name   = "ecs-cluster-nextcloud-${var.env_name}"
		10 |   vpc_id = var.account_info.vpc_id
		11 |   lifecycle {
		12 |     create_before_destroy = true
		13 |   }
		14 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: ecs
	File: /ecs_cluster.tf:1-6
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		1 | module "ecs" {
		2 |   source                    = "github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//cluster?ref=v4.2.1"
		3 |   name                      = "nextcloud-${var.env_name}-cluster"
		4 |   enable_container_insights = "enabled"
		5 |   tags                      = var.tags
		6 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.nextcloud_admin_password
	File: /ecs_service.tf:141-143
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		141 | resource "aws_secretsmanager_secret" "nextcloud_admin_password" {
		142 |   name = "nextcloud-admin-password"
		143 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.nextcloud_alarms
	File: /pagerduty.tf:7-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		7 | resource "aws_sns_topic" "nextcloud_alarms" {
		8 |   name = "nextcloud-alarms-${var.env_name}"
		9 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.nextcloud_secret
	File: /s3.tf:63-72
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		63 | resource "aws_ssm_parameter" "nextcloud_secret" {
		64 |   name  = "/${var.env_name}/nextcloud/secret"
		65 |   type  = "SecureString"
		66 |   value = "replace_me"
		67 |   lifecycle {
		68 |     ignore_changes = [
		69 |       value
		70 |     ]
		71 |   }
		72 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3_bucket_config
	File: /s3.tf:1-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_329: "EFS access points should enforce a root directory"
	FAILED for resource: module.nextcloud_efs["html"].aws_efs_access_point.ldap
	File: /../../../../delius-core/modules/helpers/efs/main.tf:26-37
	Calling File: /efs.tf:1-18
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-329

		26 | resource "aws_efs_access_point" "ldap" {
		27 |   file_system_id = aws_efs_file_system.this.id
		28 |   root_directory {
		29 |     path = "/"
		30 |   }
		31 |   tags = merge(
		32 |     var.tags,
		33 |     {
		34 |       Name = "${var.env_name}-${var.name}-efs-access-point"
		35 |     }
		36 |   )
		37 | }

Check: CKV_AWS_330: "EFS access points should enforce a user identity"
	FAILED for resource: module.nextcloud_efs["html"].aws_efs_access_point.ldap
	File: /../../../../delius-core/modules/helpers/efs/main.tf:26-37
	Calling File: /efs.tf:1-18
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-330

		26 | resource "aws_efs_access_point" "ldap" {
		27 |   file_system_id = aws_efs_file_system.this.id
		28 |   root_directory {
		29 |     path = "/"
		30 |   }
		31 |   tags = merge(
		32 |     var.tags,
		33 |     {
		34 |       Name = "${var.env_name}-${var.name}-efs-access-point"
		35 |     }
		36 |   )
		37 | }

Check: CKV_AWS_329: "EFS access points should enforce a root directory"
	FAILED for resource: module.nextcloud_efs["config"].aws_efs_access_point.ldap
	File: /../../../../delius-core/modules/helpers/efs/main.tf:26-37
	Calling File: /efs.tf:1-18
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-329

		26 | resource "aws_efs_access_point" "ldap" {
		27 |   file_system_id = aws_efs_file_system.this.id
		28 |   root_directory {
		29 |     path = "/"
		30 |   }
		31 |   tags = merge(
		32 |     var.tags,
		33 |     {
		34 |       Name = "${var.env_name}-${var.name}-efs-access-point"
		35 |     }
		36 |   )
		37 | }

Check: CKV_AWS_330: "EFS access points should enforce a user identity"
	FAILED for resource: module.nextcloud_efs["config"].aws_efs_access_point.ldap
	File: /../../../../delius-core/modules/helpers/efs/main.tf:26-37
	Calling File: /efs.tf:1-18
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-330

		26 | resource "aws_efs_access_point" "ldap" {
		27 |   file_system_id = aws_efs_file_system.this.id
		28 |   root_directory {
		29 |     path = "/"
		30 |   }
		31 |   tags = merge(
		32 |     var.tags,
		33 |     {
		34 |       Name = "${var.env_name}-${var.name}-efs-access-point"
		35 |     }
		36 |   )
		37 | }

Check: CKV_AWS_329: "EFS access points should enforce a root directory"
	FAILED for resource: module.nextcloud_efs["custom_apps"].aws_efs_access_point.ldap
	File: /../../../../delius-core/modules/helpers/efs/main.tf:26-37
	Calling File: /efs.tf:1-18
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-329

		26 | resource "aws_efs_access_point" "ldap" {
		27 |   file_system_id = aws_efs_file_system.this.id
		28 |   root_directory {
		29 |     path = "/"
		30 |   }
		31 |   tags = merge(
		32 |     var.tags,
		33 |     {
		34 |       Name = "${var.env_name}-${var.name}-efs-access-point"
		35 |     }
		36 |   )
		37 | }

Check: CKV_AWS_330: "EFS access points should enforce a user identity"
	FAILED for resource: module.nextcloud_efs["custom_apps"].aws_efs_access_point.ldap
	File: /../../../../delius-core/modules/helpers/efs/main.tf:26-37
	Calling File: /efs.tf:1-18
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-330

		26 | resource "aws_efs_access_point" "ldap" {
		27 |   file_system_id = aws_efs_file_system.this.id
		28 |   root_directory {
		29 |     path = "/"
		30 |   }
		31 |   tags = merge(
		32 |     var.tags,
		33 |     {
		34 |       Name = "${var.env_name}-${var.name}-efs-access-point"
		35 |     }
		36 |   )
		37 | }

Check: CKV_AWS_329: "EFS access points should enforce a root directory"
	FAILED for resource: module.nextcloud_efs["themes"].aws_efs_access_point.ldap
	File: /../../../../delius-core/modules/helpers/efs/main.tf:26-37
	Calling File: /efs.tf:1-18
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-329

		26 | resource "aws_efs_access_point" "ldap" {
		27 |   file_system_id = aws_efs_file_system.this.id
		28 |   root_directory {
		29 |     path = "/"
		30 |   }
		31 |   tags = merge(
		32 |     var.tags,
		33 |     {
		34 |       Name = "${var.env_name}-${var.name}-efs-access-point"
		35 |     }
		36 |   )
		37 | }

Check: CKV_AWS_330: "EFS access points should enforce a user identity"
	FAILED for resource: module.nextcloud_efs["themes"].aws_efs_access_point.ldap
	File: /../../../../delius-core/modules/helpers/efs/main.tf:26-37
	Calling File: /efs.tf:1-18
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-330

		26 | resource "aws_efs_access_point" "ldap" {
		27 |   file_system_id = aws_efs_file_system.this.id
		28 |   root_directory {
		29 |     path = "/"
		30 |   }
		31 |   tags = merge(
		32 |     var.tags,
		33 |     {
		34 |       Name = "${var.env_name}-${var.name}-efs-access-point"
		35 |     }
		36 |   )
		37 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.nextcloud_admin_password
	File: /ecs_service.tf:141-143
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		141 | resource "aws_secretsmanager_secret" "nextcloud_admin_password" {
		142 |   name = "nextcloud-admin-password"
		143 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: module.nextcloud_service.aws_security_group.ecs_service
	File: /../../../../delius-core/modules/helpers/delius_microservice/sg.tf:2-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		2  | resource "aws_security_group" "ecs_service" {
		3  |   name        = "ecs-service-${var.name}-${var.env_name}"
		4  |   description = "Security group for the ${var.env_name} ${var.name} service"
		5  |   vpc_id      = var.account_config.shared_vpc_id
		6  |   tags        = var.tags
		7  |   lifecycle {
		8  |     create_before_destroy = true
		9  |   }
		10 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.cluster
	File: /ecs_cluster.tf:8-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		8  | resource "aws_security_group" "cluster" {
		9  |   name   = "ecs-cluster-nextcloud-${var.env_name}"
		10 |   vpc_id = var.account_info.vpc_id
		11 |   lifecycle {
		12 |     create_before_destroy = true
		13 |   }
		14 | }

Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
	FAILED for resource: module.nextcloud_service.aws_db_instance.this
	File: /../../../../delius-core/modules/helpers/delius_microservice/rds.tf:65-111
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-60

		65  | resource "aws_db_instance" "this" {
		66  |   count          = var.create_rds ? 1 : 0
		67  |   engine         = var.rds_engine
		68  |   license_model  = var.rds_license_model != null ? var.rds_license_model : null
		69  |   engine_version = var.rds_engine_version
		70  |   instance_class = var.rds_instance_class
		71  |   identifier     = "${var.name}-${var.env_name}-db"
		72  |   username       = var.rds_username
		73  | 
		74  |   manage_master_user_password = true
		75  | 
		76  |   snapshot_identifier = var.snapshot_identifier != null ? var.snapshot_identifier : null
		77  | 
		78  |   kms_key_id = var.account_config.kms_keys.rds_shared
		79  | 
		80  |   allow_major_version_upgrade = var.rds_allow_major_version_upgrade
		81  |   apply_immediately           = var.rds_apply_immediately
		82  | 
		83  |   # tflint-ignore: aws_db_instance_default_parameter_group
		84  |   parameter_group_name                = var.rds_parameter_group_name
		85  |   deletion_protection                 = var.rds_deletion_protection
		86  |   delete_automated_backups            = var.rds_delete_automated_backups
		87  |   skip_final_snapshot                 = var.rds_skip_final_snapshot
		88  |   final_snapshot_identifier           = !var.rds_skip_final_snapshot ? "${var.name}-${var.env_name}-db-final-${random_id.rds_suffix.hex}" : null
		89  |   allocated_storage                   = var.rds_allocated_storage
		90  |   max_allocated_storage               = var.rds_max_allocated_storage
		91  |   storage_type                        = var.rds_storage_type
		92  |   maintenance_window                  = var.maintenance_window
		93  |   auto_minor_version_upgrade          = true
		94  |   backup_window                       = var.rds_backup_window
		95  |   backup_retention_period             = var.rds_backup_retention_period
		96  |   iam_database_authentication_enabled = var.rds_iam_database_authentication_enabled
		97  |   db_subnet_group_name                = aws_db_subnet_group.this[0].id
		98  |   vpc_security_group_ids              = [aws_security_group.db[0].id]
		99  |   multi_az                            = var.rds_multi_az
		100 |   monitoring_interval                 = var.rds_monitoring_interval
		101 |   monitoring_role_arn                 = var.rds_monitoring_interval != null || var.rds_monitoring_interval != 0 ? aws_iam_role.rds_enhanced_monitoring[0].arn : null
		102 |   #checkov:skip=CKV_AWS_118: "enhanced monitoring is enabled, but optional"
		103 |   storage_encrypted               = true
		104 |   performance_insights_enabled    = var.rds_performance_insights_enabled
		105 |   performance_insights_kms_key_id = var.rds_performance_insights_enabled ? var.account_config.kms_keys.general_shared : null
		106 |   enabled_cloudwatch_logs_exports = var.rds_enabled_cloudwatch_logs_exports
		107 |   tags = merge(var.tags,
		108 |     { Name = lower(format("%s-%s-database", var.name, var.env_name)) },
		109 |     var.enable_platform_backups != null ? { "backup" = var.enable_platform_backups ? "true" : "false" } : {}
		110 |   )
		111 | }

Check: CKV_AWS_103: "Ensure that load balancer is using at least TLS 1.2"
	FAILED for resource: aws_alb_listener.nextcloud_https
	File: /alb.tf:10-21
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-43

		10 | resource "aws_alb_listener" "nextcloud_https" {
		11 |   load_balancer_arn = aws_alb.nextcloud.arn
		12 |   port              = "443"
		13 |   protocol          = "HTTPS"
		14 |   ssl_policy        = "ELBSecurityPolicy-2016-08"
		15 |   certificate_arn   = aws_acm_certificate.nextcloud_external.arn
		16 | 
		17 |   default_action {
		18 |     type             = "forward"
		19 |     target_group_arn = module.nextcloud_service.target_group_arn
		20 |   }
		21 | }

Check: CKV2_AWS_28: "Ensure public facing ALB are protected by WAF"
	FAILED for resource: aws_alb.nextcloud
	File: /alb.tf:1-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-public-facing-alb-are-protected-by-waf

		1 | resource "aws_alb" "nextcloud" {
		2 |   name               = "nextcloud"
		3 |   internal           = false
		4 |   load_balancer_type = "application"
		5 |   security_groups    = [aws_security_group.nextcloud_alb_sg.id]
		6 |   subnets            = var.account_config.public_subnet_ids
		7 |   tags               = var.tags
		8 | }


checkov_exitcode=1

`CTFLint Scan` Failed

Show Output

*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
terraform/environments/delius-nextcloud/modules/components/nextcloud

*****************************

Running tflint in terraform/environments/delius-nextcloud/modules/components/nextcloud
Excluding the following checks: terraform_unused_declarations
1 issue(s) found:

Warning: Missing version constraint for provider "random" in `required_providers` (terraform_required_providers)

  on terraform/environments/delius-nextcloud/modules/components/nextcloud/ecs_service.tf line 150:
 150: resource "random_password" "nextcloud_admin_password" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

tflint_exitcode=2

`Trivy Scan` Failed

Show Output

*****************************

Trivy will check the following folders:
terraform/environments/delius-nextcloud/modules/components/nextcloud

*****************************

Running Trivy in terraform/environments/delius-nextcloud/modules/components/nextcloud
2024-06-28T15:21:11Z	INFO	Need to update DB
2024-06-28T15:21:11Z	INFO	Downloading DB...	repository="ghcr.io/aquasecurity/trivy-db:2"
2024-06-28T15:21:13Z	INFO	Vulnerability scanning is enabled
2024-06-28T15:21:13Z	INFO	Misconfiguration scanning is enabled
2024-06-28T15:21:13Z	INFO	Need to update the built-in policies
2024-06-28T15:21:13Z	INFO	Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-06-28T15:21:13Z	INFO	Secret scanning is enabled
2024-06-28T15:21:13Z	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-28T15:21:13Z	INFO	Please see also https://aquasecurity.github.io/trivy/v0.52/docs/scanner/secret/#recommendation for faster secret detection
2024-06-28T15:21:15Z	INFO	Number of language-specific files	num=0
2024-06-28T15:21:15Z	INFO	Detected config files	num=17

../../../../delius-core/modules/helpers/delius_microservice/sg.tf (terraform)
=============================================================================
Tests: 7 (SUCCESSES: 6, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 ../../../../delius-core/modules/helpers/delius_microservice/sg.tf:47
   via ../../../../delius-core/modules/helpers/delius_microservice/sg.tf:41-49 (aws_security_group_rule.ecs_service_tls_egress)
    via ecs_service.tf:1-139 (module.nextcloud_service)
────────────────────────────────────────
  41   resource "aws_security_group_rule" "ecs_service_tls_egress" {
  42     description       = "Allow all outbound traffic to any IPv4 address on 443"
  43     type              = "egress"
  44     from_port         = 443
  45     to_port           = 443
  46     protocol          = "tcp"
  47 [   cidr_blocks       = ["0.0.0.0/0"]
  48     security_group_id = aws_security_group.ecs_service.id
  49   }
────────────────────────────────────────



../../../../delius-core/modules/helpers/ecs_policies/main.tf (terraform)
========================================================================
Tests: 6 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 6)
Failures: 0 (HIGH: 0, CRITICAL: 0)


alb.tf (terraform)
==================
Tests: 5 (SUCCESSES: 2, FAILURES: 3, EXCEPTIONS: 0)
Failures: 3 (HIGH: 2, CRITICAL: 1)

CRITICAL: Listener uses an outdated TLS policy.
════════════════════════════════════════
You should not use outdated/insecure TLS versions for encryption. You should be using TLS v1.2+.

See https://avd.aquasec.com/misconfig/avd-aws-0047
────────────────────────────────────────
 alb.tf:14
   via alb.tf:10-21 (aws_alb_listener.nextcloud_https)
────────────────────────────────────────
  10   resource "aws_alb_listener" "nextcloud_https" {
  ..   
  14 [   ssl_policy        = "ELBSecurityPolicy-2016-08"
  ..   
  21   }
────────────────────────────────────────


HIGH: Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise. 

By setting drop_invalid_header_fields to true, anything that doe not conform to well known, defined headers will be removed by the load balancer.

See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
 alb.tf:1-8
────────────────────────────────────────
   1 ┌ resource "aws_alb" "nextcloud" {
   2 │   name               = "nextcloud"
   3 │   internal           = false
   4 │   load_balancer_type = "application"
   5 │   security_groups    = [aws_security_group.nextcloud_alb_sg.id]
   6 │   subnets            = var.account_config.public_subnet_ids
   7 │   tags               = var.tags
   8 └ }
────────────────────────────────────────


HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
 alb.tf:3
   via alb.tf:1-8 (aws_alb.nextcloud)
────────────────────────────────────────
   1   resource "aws_alb" "nextcloud" {
   2     name               = "nextcloud"
   3 [   internal           = false
   4     load_balancer_type = "application"
   5     security_groups    = [aws_security_group.nextcloud_alb_sg.id]
   6     subnets            = var.account_config.public_subnet_ids
   7     tags               = var.tags
   8   }
────────────────────────────────────────



github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0/main.tf (terraform)
======================================================================================================
Tests: 7 (SUCCESSES: 6, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0/main.tf:157-165
   via s3.tf:1-56 (module.s3_bucket_config)
────────────────────────────────────────
 157 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "default" {
 158 │   bucket = aws_s3_bucket.default.id
 159 │   rule {
 160 │     apply_server_side_encryption_by_default {
 161 │       sse_algorithm     = var.sse_algorithm
 162 │       kms_master_key_id = (var.custom_kms_key != "") ? var.custom_kms_key : ""
 163 │     }
 164 │   }
 165 └ }
────────────────────────────────────────



migration.tf (terraform)
========================
Tests: 2 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 2)
Failures: 0 (HIGH: 0, CRITICAL: 0)


pagerduty.tf (terraform)
========================
Tests: 2 (SUCCESSES: 1, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Topic does not have encryption enabled.
════════════════════════════════════════
Topics should be encrypted to protect their contents.

See https://avd.aquasec.com/misconfig/avd-aws-0095
────────────────────────────────────────
 pagerduty.tf:7-9
────────────────────────────────────────
   7 ┌ resource "aws_sns_topic" "nextcloud_alarms" {
   8 │   name = "nextcloud-alarms-${var.env_name}"
   9 └ }
────────────────────────────────────────



ses.tf (terraform)
==================
Tests: 1 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)

trivy_exitcode=1

nextcloud LDAP config updated

c5eee13

IjazMoJ requested review from a team as code owners June 28, 2024 15:18

github-actions bot added the environments-repository Used to exclude PRs from this repo in our Slack PR update label Jun 28, 2024

georgepstaylor approved these changes Jun 28, 2024

View reviewed changes

IjazMoJ temporarily deployed to delius-nextcloud-development June 28, 2024 15:33 — with GitHub Actions Inactive

IjazMoJ merged commit 81f6676 into main Jun 28, 2024
15 of 16 checks passed

IjazMoJ deleted the NIT-1358/nextcloud_config_update_ldap branch June 28, 2024 15:36

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

nextcloud LDAP config updated #6797

nextcloud LDAP config updated #6797

IjazMoJ commented Jun 28, 2024

github-actions bot commented Jun 28, 2024

../../../../delius-core/modules/helpers/delius_microservice/sg.tf (terraform)

../../../../delius-core/modules/helpers/ecs_policies/main.tf (terraform)

alb.tf (terraform)

github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0/main.tf (terraform)

migration.tf (terraform)

pagerduty.tf (terraform)

ses.tf (terraform)

nextcloud LDAP config updated #6797

nextcloud LDAP config updated #6797

Conversation

IjazMoJ commented Jun 28, 2024

github-actions bot commented Jun 28, 2024

Trivy Scan Failed

../../../../delius-core/modules/helpers/delius_microservice/sg.tf (terraform)

../../../../delius-core/modules/helpers/ecs_policies/main.tf (terraform)

alb.tf (terraform)

github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0/main.tf (terraform)

migration.tf (terraform)

pagerduty.tf (terraform)

ses.tf (terraform)

CTFLint Scan Failed

Trivy Scan Failed

`Trivy Scan` Failed

`CTFLint Scan` Failed

`Trivy Scan` Failed