
LAWS-3953 - transfer ebs volumes #7096

Merged
merged 3 commits into from
Jul 15, 2024

Conversation

ffteva-moj
Contributor

No description provided.

@ffteva-moj ffteva-moj requested review from a team as code owners July 15, 2024 14:00
@github-actions github-actions bot added the environments-repository Used to exclude PRs from this repo in our Slack PR update label Jul 15, 2024
Contributor

#### `Trivy Scan` Failed
<details><summary>Show Output</summary>

```hcl

Trivy will check the following folders:
terraform/environments/edw


Running Trivy in terraform/environments/edw
2024-07-15T14:02:14Z INFO Need to update DB
2024-07-15T14:02:14Z INFO Downloading DB... repository="ghcr.io/aquasecurity/trivy-db:2"
2024-07-15T14:02:16Z INFO Vulnerability scanning is enabled
2024-07-15T14:02:16Z INFO Misconfiguration scanning is enabled
2024-07-15T14:02:16Z INFO Need to update the built-in policies
2024-07-15T14:02:16Z INFO Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s
2024-07-15T14:02:16Z INFO Secret scanning is enabled
2024-07-15T14:02:16Z INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-07-15T14:02:16Z INFO Please see also https://aquasecurity.github.io/trivy/v0.53/docs/scanner/secret#recommendation for faster secret detection
2024-07-15T14:02:18Z INFO Number of language-specific files num=0
2024-07-15T14:02:18Z INFO Detected config files num=7

backup_lambda.tf (terraform)

Tests: 54 (SUCCESSES: 7, FAILURES: 3, EXCEPTIONS: 44)
Failures: 3 (HIGH: 2, CRITICAL: 1)

HIGH: Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.

See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
backup_lambda.tf:101-107
────────────────────────────────────────
101 ┌ resource "aws_s3_bucket" "backup_lambda" {
102 │ bucket = "${local.application_name}-${local.environment}-backup-lambda"
103 │ tags = merge(
104 │ local.tags,
105 │ { Name = "${local.application_name}-${local.environment}-backup-lambda" }
106 │ )
107 └ }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
backup_lambda.tf:194
via backup_lambda.tf:189-195 (egress)
via backup_lambda.tf:184-201 (aws_security_group.backup_lambda)
────────────────────────────────────────
184 resource "aws_security_group" "backup_lambda" {
...
194 [ cidr_blocks = ["0.0.0.0/0"]
...
201 }
────────────────────────────────────────

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
backup_lambda.tf:101-107
────────────────────────────────────────
101 ┌ resource "aws_s3_bucket" "backup_lambda" {
102 │ bucket = "${local.application_name}-${local.environment}-backup-lambda"
103 │ tags = merge(
104 │ local.tags,
105 │ { Name = "${local.application_name}-${local.environment}-backup-lambda" }
106 │ )
107 └ }
────────────────────────────────────────

cw.tf (terraform)

Tests: 2 (SUCCESSES: 1, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Topic does not have encryption enabled.
════════════════════════════════════════
Topics should be encrypted to protect their contents.

See https://avd.aquasec.com/misconfig/avd-aws-0095
────────────────────────────────────────
cw.tf:558-566
────────────────────────────────────────
558 ┌ resource "aws_sns_topic" "edw_alerting_topic" {
559 │ name = "${local.application_name}-SNS-topic"
560 │ tags = merge(
561 │ local.tags,
562 │ {
563 │ Name = "${local.application_name}-edw-alerting-topic"
564 │ }
565 │ )
566 └ }
────────────────────────────────────────

ec2.tf (terraform)

Tests: 16 (SUCCESSES: 13, FAILURES: 3, EXCEPTIONS: 0)
Failures: 3 (HIGH: 3, CRITICAL: 0)

HIGH: Instance does not require IMDS access to require a token
════════════════════════════════════════

IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.
By default aws_instance resource sets IMDS session auth tokens to be optional.
To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
ec2.tf:113-116
via ec2.tf:83-128 (aws_instance.edw_db_instance)
────────────────────────────────────────
83 resource "aws_instance" "edw_db_instance" {
..
113 ┌ metadata_options {
114 │ http_endpoint = "enabled"
115 │ http_put_response_hop_limit = 2
116 └ }
...
128 }
────────────────────────────────────────

HIGH: EBS block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.

See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
ec2.tf:83-128
────────────────────────────────────────
83 ┌ resource "aws_instance" "edw_db_instance" {
84 │ ami = local.application_data.accounts[local.environment].edw_ec2_ami_id
85 │ availability_zone = "eu-west-2a"
86 │ instance_type = local.application_data.accounts[local.environment].edw_ec2_instance_type
87 │ iam_instance_profile = aws_iam_instance_profile.edw_ec2_instance_profile.id
88 │ key_name = aws_key_pair.edw_ec2_key.key_name
89 │ subnet_id = data.aws_subnet.private_subnets_a.id
90 │ vpc_security_group_ids = [aws_security_group.edw_db_security_group.id]
91 └ user_data = base64encode(templatefile("edw-ec2-user-data.sh", {
..
────────────────────────────────────────

HIGH: Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.

See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
ec2.tf:83-128
────────────────────────────────────────
83 ┌ resource "aws_instance" "edw_db_instance" {
84 │ ami = local.application_data.accounts[local.environment].edw_ec2_ami_id
85 │ availability_zone = "eu-west-2a"
86 │ instance_type = local.application_data.accounts[local.environment].edw_ec2_instance_type
87 │ iam_instance_profile = aws_iam_instance_profile.edw_ec2_instance_profile.id
88 │ key_name = aws_key_pair.edw_ec2_key.key_name
89 │ subnet_id = data.aws_subnet.private_subnets_a.id
90 │ vpc_security_group_ids = [aws_security_group.edw_db_security_group.id]
91 └ user_data = base64encode(templatefile("edw-ec2-user-data.sh", {
..
────────────────────────────────────────

github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0/main.tf (terraform)

Tests: 16 (SUCCESSES: 5, FAILURES: 0, EXCEPTIONS: 11)
Failures: 0 (HIGH: 0, CRITICAL: 0)

secret-rotate.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Lambda permission lacks source ARN for *.amazonaws.com principal.
════════════════════════════════════════
When the principal is an AWS service, the ARN of the specific resource within that service to grant permission to.

Without this, any resource from principal will be granted permission – even if that resource is from another account.

For S3, this should be the ARN of the S3 Bucket. For CloudWatch Events, this should be the ARN of the CloudWatch Events Rule. For API Gateway, this should be the ARN of the API

See https://avd.aquasec.com/misconfig/avd-aws-0067
────────────────────────────────────────
secret-rotate.tf:189-193
────────────────────────────────────────
189 ┌ resource "aws_lambda_permission" "rotate_secret_function_permission" {
190 │ action = "lambda:InvokeFunction"
191 │ function_name = aws_lambda_function.rotate_secret_function.function_name
192 │ principal = "secretsmanager.amazonaws.com"
193 └ }
────────────────────────────────────────

trivy_exitcode=1
```

</details>

#### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/edw

*****************************

Running Checkov in terraform/environments/edw
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-07-15 14:02:20,720 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0:None (for external modules, the --download-external-modules flag is required)
2024-07-15 14:02:20,720 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 125, Failed checks: 62, Skipped checks: 0

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.ssh_key
	File: /backup_lambda.tf:7-22
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		7  | resource "aws_ssm_parameter" "ssh_key" {
		8  |   name        = "EC2_SSH_KEY" # This needs to match the name supplied to the dbconnect.js script
		9  |   description = "SSH Key used by Lambda function to access database instance for backup. Value is updated manually."
		10 |   type        = "SecureString"
		11 |   value       = "Placeholder"
		12 | 
		13 |   tags = merge(
		14 |     local.tags,
		15 |     { Name = "EC2_SSH_KEY" }
		16 |   )
		17 |   lifecycle {
		18 |     ignore_changes = [
		19 |       value,
		20 |     ]
		21 |   }
		22 | }

Check: CKV_AWS_287: "Ensure IAM policies does not allow credentials exposure"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /backup_lambda.tf:50-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-287

		50 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		51 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		52 |   tags = merge(
		53 |     local.tags,
		54 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		55 |   )
		56 |   policy = <<EOF
		57 | {
		58 |     "Version" : "2012-10-17",
		59 |     "Statement": [
		60 |         {
		61 |             "Action": [
		62 |                 "lambda:InvokeFunction",
		63 |                 "ec2:CreateNetworkInterface",
		64 |                 "ec2:DescribeNetworkInterfaces",
		65 |                 "ec2:DeleteNetworkInterface",
		66 |                 "ec2:DescribeSecurityGroups",
		67 |                 "ec2:CreateSnapshot",
		68 |                 "ec2:DeleteSnapshot",
		69 |                 "ec2:DescribeSubnets",
		70 |                 "ec2:DescribeVpcs",
		71 |                 "ec2:DescribeInstances",
		72 |                 "ec2:DescribeAddresses",
		73 |                 "ec2:DescribeInstanceStatus",
		74 |                 "ec2:DescribeVolumes",
		75 |                 "ec2:DescribeSnapshots",
		76 |                 "ec2:CreateTags",
		77 |                 "s3:*",
		78 |                 "ssm:*",
		79 |                 "ses:*",
		80 |                 "logs:*",
		81 |                 "cloudwatch:*",
		82 |                 "sts:AssumeRole"
		83 |             ],
		84 |             "Resource": "*",
		85 |             "Effect": "Allow"
		86 |         }
		87 |     ]
		88 | }
		89 | EOF
		90 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /backup_lambda.tf:50-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		50 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		51 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		52 |   tags = merge(
		53 |     local.tags,
		54 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		55 |   )
		56 |   policy = <<EOF
		57 | {
		58 |     "Version" : "2012-10-17",
		59 |     "Statement": [
		60 |         {
		61 |             "Action": [
		62 |                 "lambda:InvokeFunction",
		63 |                 "ec2:CreateNetworkInterface",
		64 |                 "ec2:DescribeNetworkInterfaces",
		65 |                 "ec2:DeleteNetworkInterface",
		66 |                 "ec2:DescribeSecurityGroups",
		67 |                 "ec2:CreateSnapshot",
		68 |                 "ec2:DeleteSnapshot",
		69 |                 "ec2:DescribeSubnets",
		70 |                 "ec2:DescribeVpcs",
		71 |                 "ec2:DescribeInstances",
		72 |                 "ec2:DescribeAddresses",
		73 |                 "ec2:DescribeInstanceStatus",
		74 |                 "ec2:DescribeVolumes",
		75 |                 "ec2:DescribeSnapshots",
		76 |                 "ec2:CreateTags",
		77 |                 "s3:*",
		78 |                 "ssm:*",
		79 |                 "ses:*",
		80 |                 "logs:*",
		81 |                 "cloudwatch:*",
		82 |                 "sts:AssumeRole"
		83 |             ],
		84 |             "Resource": "*",
		85 |             "Effect": "Allow"
		86 |         }
		87 |     ]
		88 | }
		89 | EOF
		90 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /backup_lambda.tf:50-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		50 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		51 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		52 |   tags = merge(
		53 |     local.tags,
		54 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		55 |   )
		56 |   policy = <<EOF
		57 | {
		58 |     "Version" : "2012-10-17",
		59 |     "Statement": [
		60 |         {
		61 |             "Action": [
		62 |                 "lambda:InvokeFunction",
		63 |                 "ec2:CreateNetworkInterface",
		64 |                 "ec2:DescribeNetworkInterfaces",
		65 |                 "ec2:DeleteNetworkInterface",
		66 |                 "ec2:DescribeSecurityGroups",
		67 |                 "ec2:CreateSnapshot",
		68 |                 "ec2:DeleteSnapshot",
		69 |                 "ec2:DescribeSubnets",
		70 |                 "ec2:DescribeVpcs",
		71 |                 "ec2:DescribeInstances",
		72 |                 "ec2:DescribeAddresses",
		73 |                 "ec2:DescribeInstanceStatus",
		74 |                 "ec2:DescribeVolumes",
		75 |                 "ec2:DescribeSnapshots",
		76 |                 "ec2:CreateTags",
		77 |                 "s3:*",
		78 |                 "ssm:*",
		79 |                 "ses:*",
		80 |                 "logs:*",
		81 |                 "cloudwatch:*",
		82 |                 "sts:AssumeRole"
		83 |             ],
		84 |             "Resource": "*",
		85 |             "Effect": "Allow"
		86 |         }
		87 |     ]
		88 | }
		89 | EOF
		90 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /backup_lambda.tf:50-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		50 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		51 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		52 |   tags = merge(
		53 |     local.tags,
		54 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		55 |   )
		56 |   policy = <<EOF
		57 | {
		58 |     "Version" : "2012-10-17",
		59 |     "Statement": [
		60 |         {
		61 |             "Action": [
		62 |                 "lambda:InvokeFunction",
		63 |                 "ec2:CreateNetworkInterface",
		64 |                 "ec2:DescribeNetworkInterfaces",
		65 |                 "ec2:DeleteNetworkInterface",
		66 |                 "ec2:DescribeSecurityGroups",
		67 |                 "ec2:CreateSnapshot",
		68 |                 "ec2:DeleteSnapshot",
		69 |                 "ec2:DescribeSubnets",
		70 |                 "ec2:DescribeVpcs",
		71 |                 "ec2:DescribeInstances",
		72 |                 "ec2:DescribeAddresses",
		73 |                 "ec2:DescribeInstanceStatus",
		74 |                 "ec2:DescribeVolumes",
		75 |                 "ec2:DescribeSnapshots",
		76 |                 "ec2:CreateTags",
		77 |                 "s3:*",
		78 |                 "ssm:*",
		79 |                 "ses:*",
		80 |                 "logs:*",
		81 |                 "cloudwatch:*",
		82 |                 "sts:AssumeRole"
		83 |             ],
		84 |             "Resource": "*",
		85 |             "Effect": "Allow"
		86 |         }
		87 |     ]
		88 | }
		89 | EOF
		90 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /backup_lambda.tf:50-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		50 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		51 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		52 |   tags = merge(
		53 |     local.tags,
		54 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		55 |   )
		56 |   policy = <<EOF
		57 | {
		58 |     "Version" : "2012-10-17",
		59 |     "Statement": [
		60 |         {
		61 |             "Action": [
		62 |                 "lambda:InvokeFunction",
		63 |                 "ec2:CreateNetworkInterface",
		64 |                 "ec2:DescribeNetworkInterfaces",
		65 |                 "ec2:DeleteNetworkInterface",
		66 |                 "ec2:DescribeSecurityGroups",
		67 |                 "ec2:CreateSnapshot",
		68 |                 "ec2:DeleteSnapshot",
		69 |                 "ec2:DescribeSubnets",
		70 |                 "ec2:DescribeVpcs",
		71 |                 "ec2:DescribeInstances",
		72 |                 "ec2:DescribeAddresses",
		73 |                 "ec2:DescribeInstanceStatus",
		74 |                 "ec2:DescribeVolumes",
		75 |                 "ec2:DescribeSnapshots",
		76 |                 "ec2:CreateTags",
		77 |                 "s3:*",
		78 |                 "ssm:*",
		79 |                 "ses:*",
		80 |                 "logs:*",
		81 |                 "cloudwatch:*",
		82 |                 "sts:AssumeRole"
		83 |             ],
		84 |             "Resource": "*",
		85 |             "Effect": "Allow"
		86 |         }
		87 |     ]
		88 | }
		89 | EOF
		90 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /backup_lambda.tf:215-243
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		215 | resource "aws_lambda_function" "create_db_snapshots" {
		216 | 
		217 |   description      = "Snapshot volumes for Oracle EC2"
		218 |   function_name    = "snapshotDBFunction"
		219 |   role             = aws_iam_role.backup_lambda.arn
		220 |   handler          = "snapshot/dbsnapshot.handler"
		221 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		222 |   runtime          = "nodejs18.x"
		223 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		224 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		225 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		226 |   memory_size      = 128
		227 |   timeout          = 900
		228 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		229 | 
		230 |   environment {
		231 |     variables = {
		232 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		233 |     }
		234 |   }
		235 |   vpc_config {
		236 |     security_group_ids = [aws_security_group.backup_lambda.id]
		237 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		238 |   }
		239 |   tags = merge(
		240 |     local.tags,
		241 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		242 |   )
		243 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /backup_lambda.tf:215-243
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		215 | resource "aws_lambda_function" "create_db_snapshots" {
		216 | 
		217 |   description      = "Snapshot volumes for Oracle EC2"
		218 |   function_name    = "snapshotDBFunction"
		219 |   role             = aws_iam_role.backup_lambda.arn
		220 |   handler          = "snapshot/dbsnapshot.handler"
		221 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		222 |   runtime          = "nodejs18.x"
		223 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		224 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		225 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		226 |   memory_size      = 128
		227 |   timeout          = 900
		228 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		229 | 
		230 |   environment {
		231 |     variables = {
		232 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		233 |     }
		234 |   }
		235 |   vpc_config {
		236 |     security_group_ids = [aws_security_group.backup_lambda.id]
		237 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		238 |   }
		239 |   tags = merge(
		240 |     local.tags,
		241 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		242 |   )
		243 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /backup_lambda.tf:215-243
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		215 | resource "aws_lambda_function" "create_db_snapshots" {
		216 | 
		217 |   description      = "Snapshot volumes for Oracle EC2"
		218 |   function_name    = "snapshotDBFunction"
		219 |   role             = aws_iam_role.backup_lambda.arn
		220 |   handler          = "snapshot/dbsnapshot.handler"
		221 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		222 |   runtime          = "nodejs18.x"
		223 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		224 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		225 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		226 |   memory_size      = 128
		227 |   timeout          = 900
		228 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		229 | 
		230 |   environment {
		231 |     variables = {
		232 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		233 |     }
		234 |   }
		235 |   vpc_config {
		236 |     security_group_ids = [aws_security_group.backup_lambda.id]
		237 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		238 |   }
		239 |   tags = merge(
		240 |     local.tags,
		241 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		242 |   )
		243 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /backup_lambda.tf:215-243
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		215 | resource "aws_lambda_function" "create_db_snapshots" {
		216 | 
		217 |   description      = "Snapshot volumes for Oracle EC2"
		218 |   function_name    = "snapshotDBFunction"
		219 |   role             = aws_iam_role.backup_lambda.arn
		220 |   handler          = "snapshot/dbsnapshot.handler"
		221 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		222 |   runtime          = "nodejs18.x"
		223 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		224 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		225 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		226 |   memory_size      = 128
		227 |   timeout          = 900
		228 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		229 | 
		230 |   environment {
		231 |     variables = {
		232 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		233 |     }
		234 |   }
		235 |   vpc_config {
		236 |     security_group_ids = [aws_security_group.backup_lambda.id]
		237 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		238 |   }
		239 |   tags = merge(
		240 |     local.tags,
		241 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		242 |   )
		243 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /backup_lambda.tf:215-243
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		215 | resource "aws_lambda_function" "create_db_snapshots" {
		216 | 
		217 |   description      = "Snapshot volumes for Oracle EC2"
		218 |   function_name    = "snapshotDBFunction"
		219 |   role             = aws_iam_role.backup_lambda.arn
		220 |   handler          = "snapshot/dbsnapshot.handler"
		221 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		222 |   runtime          = "nodejs18.x"
		223 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		224 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		225 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		226 |   memory_size      = 128
		227 |   timeout          = 900
		228 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		229 | 
		230 |   environment {
		231 |     variables = {
		232 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		233 |     }
		234 |   }
		235 |   vpc_config {
		236 |     security_group_ids = [aws_security_group.backup_lambda.id]
		237 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		238 |   }
		239 |   tags = merge(
		240 |     local.tags,
		241 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		242 |   )
		243 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /backup_lambda.tf:245-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		245 | resource "aws_lambda_function" "delete_db_snapshots" {
		246 | 
		247 |   description      = "Clean up script to delete old unused snapshots"
		248 |   function_name    = "deletesnapshotFunction"
		249 |   role             = aws_iam_role.backup_lambda.arn
		250 |   handler          = "deletesnapshots.lambda_handler"
		251 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		252 |   runtime          = "python3.8"
		253 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		254 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		255 |   memory_size      = 3000
		256 |   timeout          = 900
		257 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		258 | 
		259 |   vpc_config {
		260 |     security_group_ids = [aws_security_group.backup_lambda.id]
		261 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		262 |   }
		263 |   tags = merge(
		264 |     local.tags,
		265 |     { Name = "${local.application_name}-${local.environment}-lambda-delete-snapshots" }
		266 |   )
		267 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /backup_lambda.tf:245-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		245 | resource "aws_lambda_function" "delete_db_snapshots" {
		246 | 
		247 |   description      = "Clean up script to delete old unused snapshots"
		248 |   function_name    = "deletesnapshotFunction"
		249 |   role             = aws_iam_role.backup_lambda.arn
		250 |   handler          = "deletesnapshots.lambda_handler"
		251 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		252 |   runtime          = "python3.8"
		253 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		254 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		255 |   memory_size      = 3000
		256 |   timeout          = 900
		257 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		258 | 
		259 |   vpc_config {
		260 |     security_group_ids = [aws_security_group.backup_lambda.id]
		261 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		262 |   }
		263 |   tags = merge(
		264 |     local.tags,
		265 |     { Name = "${local.application_name}-${local.environment}-lambda-delete-snapshots" }
		266 |   )
		267 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /backup_lambda.tf:245-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		245 | resource "aws_lambda_function" "delete_db_snapshots" {
		246 | 
		247 |   description      = "Clean up script to delete old unused snapshots"
		248 |   function_name    = "deletesnapshotFunction"
		249 |   role             = aws_iam_role.backup_lambda.arn
		250 |   handler          = "deletesnapshots.lambda_handler"
		251 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		252 |   runtime          = "python3.8"
		253 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		254 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		255 |   memory_size      = 3000
		256 |   timeout          = 900
		257 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		258 | 
		259 |   vpc_config {
		260 |     security_group_ids = [aws_security_group.backup_lambda.id]
		261 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		262 |   }
		263 |   tags = merge(
		264 |     local.tags,
		265 |     { Name = "${local.application_name}-${local.environment}-lambda-delete-snapshots" }
		266 |   )
		267 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /backup_lambda.tf:245-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		245 | resource "aws_lambda_function" "delete_db_snapshots" {
		246 | 
		247 |   description      = "Clean up script to delete old unused snapshots"
		248 |   function_name    = "deletesnapshotFunction"
		249 |   role             = aws_iam_role.backup_lambda.arn
		250 |   handler          = "deletesnapshots.lambda_handler"
		251 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		252 |   runtime          = "python3.8"
		253 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		254 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		255 |   memory_size      = 3000
		256 |   timeout          = 900
		257 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		258 | 
		259 |   vpc_config {
		260 |     security_group_ids = [aws_security_group.backup_lambda.id]
		261 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		262 |   }
		263 |   tags = merge(
		264 |     local.tags,
		265 |     { Name = "${local.application_name}-${local.environment}-lambda-delete-snapshots" }
		266 |   )
		267 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.connect_db
	File: /backup_lambda.tf:269-300
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		269 | resource "aws_lambda_function" "connect_db" {
		270 | 
		271 |   description      = "SSH to the DB EC2"
		272 |   function_name    = "connectDBFunction"
		273 |   role             = aws_iam_role.backup_lambda.arn
		274 |   handler          = "ssh/dbconnect.handler"
		275 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		276 |   runtime          = "nodejs18.x"
		277 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		278 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		279 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		280 |   memory_size      = 128
		281 |   timeout          = 900
		282 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		283 | 
		284 | 
		285 | 
		286 |   environment {
		287 |     variables = {
		288 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		289 | 
		290 |     }
		291 |   }
		292 |   vpc_config {
		293 |     security_group_ids = [aws_security_group.backup_lambda.id]
		294 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		295 |   }
		296 |   tags = merge(
		297 |     local.tags,
		298 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		299 |   )
		300 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.connect_db
	File: /backup_lambda.tf:269-300
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		269 | resource "aws_lambda_function" "connect_db" {
		270 | 
		271 |   description      = "SSH to the DB EC2"
		272 |   function_name    = "connectDBFunction"
		273 |   role             = aws_iam_role.backup_lambda.arn
		274 |   handler          = "ssh/dbconnect.handler"
		275 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		276 |   runtime          = "nodejs18.x"
		277 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		278 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		279 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		280 |   memory_size      = 128
		281 |   timeout          = 900
		282 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		283 | 
		284 | 
		285 | 
		286 |   environment {
		287 |     variables = {
		288 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		289 | 
		290 |     }
		291 |   }
		292 |   vpc_config {
		293 |     security_group_ids = [aws_security_group.backup_lambda.id]
		294 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		295 |   }
		296 |   tags = merge(
		297 |     local.tags,
		298 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		299 |   )
		300 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.connect_db
	File: /backup_lambda.tf:269-300
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		269 | resource "aws_lambda_function" "connect_db" {
		270 | 
		271 |   description      = "SSH to the DB EC2"
		272 |   function_name    = "connectDBFunction"
		273 |   role             = aws_iam_role.backup_lambda.arn
		274 |   handler          = "ssh/dbconnect.handler"
		275 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		276 |   runtime          = "nodejs18.x"
		277 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		278 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		279 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		280 |   memory_size      = 128
		281 |   timeout          = 900
		282 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		283 | 
		284 | 
		285 | 
		286 |   environment {
		287 |     variables = {
		288 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		289 | 
		290 |     }
		291 |   }
		292 |   vpc_config {
		293 |     security_group_ids = [aws_security_group.backup_lambda.id]
		294 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		295 |   }
		296 |   tags = merge(
		297 |     local.tags,
		298 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		299 |   )
		300 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.connect_db
	File: /backup_lambda.tf:269-300
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		269 | resource "aws_lambda_function" "connect_db" {
		270 | 
		271 |   description      = "SSH to the DB EC2"
		272 |   function_name    = "connectDBFunction"
		273 |   role             = aws_iam_role.backup_lambda.arn
		274 |   handler          = "ssh/dbconnect.handler"
		275 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		276 |   runtime          = "nodejs18.x"
		277 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		278 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		279 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		280 |   memory_size      = 128
		281 |   timeout          = 900
		282 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		283 | 
		284 | 
		285 | 
		286 |   environment {
		287 |     variables = {
		288 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		289 | 
		290 |     }
		291 |   }
		292 |   vpc_config {
		293 |     security_group_ids = [aws_security_group.backup_lambda.id]
		294 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		295 |   }
		296 |   tags = merge(
		297 |     local.tags,
		298 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		299 |   )
		300 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.connect_db
	File: /backup_lambda.tf:269-300
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		269 | resource "aws_lambda_function" "connect_db" {
		270 | 
		271 |   description      = "SSH to the DB EC2"
		272 |   function_name    = "connectDBFunction"
		273 |   role             = aws_iam_role.backup_lambda.arn
		274 |   handler          = "ssh/dbconnect.handler"
		275 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		276 |   runtime          = "nodejs18.x"
		277 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		278 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		279 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		280 |   memory_size      = 128
		281 |   timeout          = 900
		282 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		283 | 
		284 | 
		285 | 
		286 |   environment {
		287 |     variables = {
		288 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		289 | 
		290 |     }
		291 |   }
		292 |   vpc_config {
		293 |     security_group_ids = [aws_security_group.backup_lambda.id]
		294 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		295 |   }
		296 |   tags = merge(
		297 |     local.tags,
		298 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		299 |   )
		300 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: bastion_linux
	File: /bastion.tf:5-36
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		5  | module "bastion_linux" {
		6  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0"
		7  | 
		8  |   providers = {
		9  |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		10 |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		11 |   }
		12 | 
		13 |   # s3 - used for logs and user ssh public keys
		14 |   bucket_name = "bastion-${local.application_name}"
		15 | 
		16 |   # public keys
		17 |   public_key_data = local.public_key_data.keys[local.environment]
		18 | 
		19 |   # logs
		20 |   log_auto_clean       = "Enabled"
		21 |   log_standard_ia_days = 30  # days before moving to IA storage
		22 |   log_glacier_days     = 60  # days before moving to Glacier
		23 |   log_expiry_days      = 180 # days before log expiration
		24 | 
		25 |   # bastion
		26 |   allow_ssh_commands = false
		27 |   app_name           = var.networking[0].application
		28 |   business_unit      = local.vpc_name
		29 |   subnet_set         = local.subnet_set
		30 |   environment        = local.environment
		31 |   region             = "eu-west-2"
		32 | 
		33 |   # Tags
		34 |   tags_common = local.tags
		35 |   tags_prefix = terraform.workspace
		36 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.EC2LogGoup
	File: /cw.tf:5-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		5 | resource "aws_cloudwatch_log_group" "EC2LogGoup" {
		6 |   name              = "${local.application_name}-EC2"
		7 |   retention_in_days = 180
		8 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.EC2LogGoup
	File: /cw.tf:5-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		5 | resource "aws_cloudwatch_log_group" "EC2LogGoup" {
		6 |   name              = "${local.application_name}-EC2"
		7 |   retention_in_days = 180
		8 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.EDWLogGroupCfnInit
	File: /cw.tf:12-15
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		12 | resource "aws_cloudwatch_log_group" "EDWLogGroupCfnInit" {
		13 |   name              = "${local.application_name}-CfnInit"
		14 |   retention_in_days = 180
		15 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.EDWLogGroupCfnInit
	File: /cw.tf:12-15
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		12 | resource "aws_cloudwatch_log_group" "EDWLogGroupCfnInit" {
		13 |   name              = "${local.application_name}-CfnInit"
		14 |   retention_in_days = 180
		15 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.EDWLogGroupOracleAlerts
	File: /cw.tf:17-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		17 | resource "aws_cloudwatch_log_group" "EDWLogGroupOracleAlerts" {
		18 |   name              = "${local.application_name}-OracleAlerts"
		19 |   retention_in_days = 180
		20 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.EDWLogGroupOracleAlerts
	File: /cw.tf:17-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		17 | resource "aws_cloudwatch_log_group" "EDWLogGroupOracleAlerts" {
		18 |   name              = "${local.application_name}-OracleAlerts"
		19 |   retention_in_days = 180
		20 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.EDWLogGroupRman
	File: /cw.tf:22-26
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		22 | resource "aws_cloudwatch_log_group" "EDWLogGroupRman" {
		23 |   name              = "${local.application_name}-RMan"
		24 |   retention_in_days = 180
		25 | 
		26 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.EDWLogGroupRman
	File: /cw.tf:22-26
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		22 | resource "aws_cloudwatch_log_group" "EDWLogGroupRman" {
		23 |   name              = "${local.application_name}-RMan"
		24 |   retention_in_days = 180
		25 | 
		26 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.EDWLogGroupRmanArch
	File: /cw.tf:28-31
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		28 | resource "aws_cloudwatch_log_group" "EDWLogGroupRmanArch" {
		29 |   name              = "${local.application_name}-RManArch"
		30 |   retention_in_days = 180
		31 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.EDWLogGroupRmanArch
	File: /cw.tf:28-31
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		28 | resource "aws_cloudwatch_log_group" "EDWLogGroupRmanArch" {
		29 |   name              = "${local.application_name}-RManArch"
		30 |   retention_in_days = 180
		31 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.EDWLogGroupTBSFreespace
	File: /cw.tf:33-36
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		33 | resource "aws_cloudwatch_log_group" "EDWLogGroupTBSFreespace" {
		34 |   name              = "${local.application_name}-TBSFreespace"
		35 |   retention_in_days = 180
		36 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.EDWLogGroupTBSFreespace
	File: /cw.tf:33-36
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		33 | resource "aws_cloudwatch_log_group" "EDWLogGroupTBSFreespace" {
		34 |   name              = "${local.application_name}-TBSFreespace"
		35 |   retention_in_days = 180
		36 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.EDWLogGroupPMONstatus
	File: /cw.tf:38-41
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		38 | resource "aws_cloudwatch_log_group" "EDWLogGroupPMONstatus" {
		39 |   name              = "${local.application_name}-PMONstatus"
		40 |   retention_in_days = 180
		41 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.EDWLogGroupPMONstatus
	File: /cw.tf:38-41
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		38 | resource "aws_cloudwatch_log_group" "EDWLogGroupPMONstatus" {
		39 |   name              = "${local.application_name}-PMONstatus"
		40 |   retention_in_days = 180
		41 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.EDWLogGroupCDCstatus
	File: /cw.tf:43-46
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		43 | resource "aws_cloudwatch_log_group" "EDWLogGroupCDCstatus" {
		44 |   name              = "${local.application_name}-CDCstatus"
		45 |   retention_in_days = 180
		46 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.EDWLogGroupCDCstatus
	File: /cw.tf:43-46
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		43 | resource "aws_cloudwatch_log_group" "EDWLogGroupCDCstatus" {
		44 |   name              = "${local.application_name}-CDCstatus"
		45 |   retention_in_days = 180
		46 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.edw_alerting_topic
	File: /cw.tf:558-566
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		558 | resource "aws_sns_topic" "edw_alerting_topic" {
		559 |   name = "${local.application_name}-SNS-topic"
		560 |   tags = merge(
		561 |     local.tags,
		562 |     {
		563 |       Name = "${local.application_name}-edw-alerting-topic"
		564 |     }
		565 |   )
		566 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: edw_pagerduty_core_alerts
	File: /cw.tf:588-595
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		588 | module "edw_pagerduty_core_alerts" {
		589 |   depends_on = [
		590 |     aws_sns_topic.edw_alerting_topic
		591 |   ]
		592 |   source                    = "github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0"
		593 |   sns_topics                = [aws_sns_topic.edw_alerting_topic.name]
		594 |   pagerduty_integration_key = local.edw_pagerduty_integration_keys[local.edw_pagerduty_integration_key_name]
		595 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.edw_db_instance
	File: /ec2.tf:83-128
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		83  | resource "aws_instance" "edw_db_instance" {
		84  |   ami                    = local.application_data.accounts[local.environment].edw_ec2_ami_id
		85  |   availability_zone      = "eu-west-2a"
		86  |   instance_type          = local.application_data.accounts[local.environment].edw_ec2_instance_type
		87  |   iam_instance_profile   = aws_iam_instance_profile.edw_ec2_instance_profile.id
		88  |   key_name               = aws_key_pair.edw_ec2_key.key_name
		89  |   subnet_id              = data.aws_subnet.private_subnets_a.id
		90  |   vpc_security_group_ids = [aws_security_group.edw_db_security_group.id]
		91  |   user_data = base64encode(templatefile("edw-ec2-user-data.sh", {
		92  |     edw_app_name         = local.application_data.accounts[local.environment].edw_AppName
		93  |     edw_dns_extension    = local.application_data.accounts[local.environment].edw_dns_extension
		94  |     edw_environment      = local.application_data.accounts[local.environment].edw_environment
		95  |     edw_region           = local.application_data.accounts[local.environment].edw_region
		96  |     edw_ec2_role         = aws_iam_role.edw_ec2_role.name
		97  |     edw_s3_backup_bucket = local.application_data.accounts[local.environment].edw_s3_backup_bucket
		98  |     edw_cis_ip           = local.application_data.accounts[local.environment].edw_cis_ip
		99  |     edw_eric_ip          = local.application_data.accounts[local.environment].edw_eric_ip
		100 |     edw_ccms_ip          = local.application_data.accounts[local.environment].edw_ccms_ip
		101 |   }))
		102 | 
		103 | 
		104 |   ebs_block_device {
		105 |     device_name = "/dev/sda1"
		106 |     volume_size = local.application_data.accounts[local.environment].edw_root_volume_size
		107 |     tags = merge(
		108 |       local.tags,
		109 |       { "Name" = "${local.application_name}-root-volume" },
		110 |     )
		111 |   }
		112 | 
		113 |   metadata_options {
		114 |     http_endpoint               = "enabled"
		115 |     http_put_response_hop_limit = 2
		116 |   }
		117 | 
		118 |   lifecycle {
		119 |     create_before_destroy = true
		120 |   }
		121 | 
		122 |   tags = merge(
		123 |     local.tags,
		124 |     {
		125 |       Name = "${local.application_data.accounts[local.environment].database_ec2_name}"
		126 |     }
		127 |   )
		128 | }

Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
	FAILED for resource: aws_instance.edw_db_instance
	File: /ec2.tf:83-128
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-13

		83  | resource "aws_instance" "edw_db_instance" {
		84  |   ami                    = local.application_data.accounts[local.environment].edw_ec2_ami_id
		85  |   availability_zone      = "eu-west-2a"
		86  |   instance_type          = local.application_data.accounts[local.environment].edw_ec2_instance_type
		87  |   iam_instance_profile   = aws_iam_instance_profile.edw_ec2_instance_profile.id
		88  |   key_name               = aws_key_pair.edw_ec2_key.key_name
		89  |   subnet_id              = data.aws_subnet.private_subnets_a.id
		90  |   vpc_security_group_ids = [aws_security_group.edw_db_security_group.id]
		91  |   user_data = base64encode(templatefile("edw-ec2-user-data.sh", {
		92  |     edw_app_name         = local.application_data.accounts[local.environment].edw_AppName
		93  |     edw_dns_extension    = local.application_data.accounts[local.environment].edw_dns_extension
		94  |     edw_environment      = local.application_data.accounts[local.environment].edw_environment
		95  |     edw_region           = local.application_data.accounts[local.environment].edw_region
		96  |     edw_ec2_role         = aws_iam_role.edw_ec2_role.name
		97  |     edw_s3_backup_bucket = local.application_data.accounts[local.environment].edw_s3_backup_bucket
		98  |     edw_cis_ip           = local.application_data.accounts[local.environment].edw_cis_ip
		99  |     edw_eric_ip          = local.application_data.accounts[local.environment].edw_eric_ip
		100 |     edw_ccms_ip          = local.application_data.accounts[local.environment].edw_ccms_ip
		101 |   }))
		102 | 
		103 | 
		104 |   ebs_block_device {
		105 |     device_name = "/dev/sda1"
		106 |     volume_size = local.application_data.accounts[local.environment].edw_root_volume_size
		107 |     tags = merge(
		108 |       local.tags,
		109 |       { "Name" = "${local.application_name}-root-volume" },
		110 |     )
		111 |   }
		112 | 
		113 |   metadata_options {
		114 |     http_endpoint               = "enabled"
		115 |     http_put_response_hop_limit = 2
		116 |   }
		117 | 
		118 |   lifecycle {
		119 |     create_before_destroy = true
		120 |   }
		121 | 
		122 |   tags = merge(
		123 |     local.tags,
		124 |     {
		125 |       Name = "${local.application_data.accounts[local.environment].database_ec2_name}"
		126 |     }
		127 |   )
		128 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.edw_db_instance
	File: /ec2.tf:83-128
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		83  | resource "aws_instance" "edw_db_instance" {
		84  |   ami                    = local.application_data.accounts[local.environment].edw_ec2_ami_id
		85  |   availability_zone      = "eu-west-2a"
		86  |   instance_type          = local.application_data.accounts[local.environment].edw_ec2_instance_type
		87  |   iam_instance_profile   = aws_iam_instance_profile.edw_ec2_instance_profile.id
		88  |   key_name               = aws_key_pair.edw_ec2_key.key_name
		89  |   subnet_id              = data.aws_subnet.private_subnets_a.id
		90  |   vpc_security_group_ids = [aws_security_group.edw_db_security_group.id]
		91  |   user_data = base64encode(templatefile("edw-ec2-user-data.sh", {
		92  |     edw_app_name         = local.application_data.accounts[local.environment].edw_AppName
		93  |     edw_dns_extension    = local.application_data.accounts[local.environment].edw_dns_extension
		94  |     edw_environment      = local.application_data.accounts[local.environment].edw_environment
		95  |     edw_region           = local.application_data.accounts[local.environment].edw_region
		96  |     edw_ec2_role         = aws_iam_role.edw_ec2_role.name
		97  |     edw_s3_backup_bucket = local.application_data.accounts[local.environment].edw_s3_backup_bucket
		98  |     edw_cis_ip           = local.application_data.accounts[local.environment].edw_cis_ip
		99  |     edw_eric_ip          = local.application_data.accounts[local.environment].edw_eric_ip
		100 |     edw_ccms_ip          = local.application_data.accounts[local.environment].edw_ccms_ip
		101 |   }))
		102 | 
		103 | 
		104 |   ebs_block_device {
		105 |     device_name = "/dev/sda1"
		106 |     volume_size = local.application_data.accounts[local.environment].edw_root_volume_size
		107 |     tags = merge(
		108 |       local.tags,
		109 |       { "Name" = "${local.application_name}-root-volume" },
		110 |     )
		111 |   }
		112 | 
		113 |   metadata_options {
		114 |     http_endpoint               = "enabled"
		115 |     http_put_response_hop_limit = 2
		116 |   }
		117 | 
		118 |   lifecycle {
		119 |     create_before_destroy = true
		120 |   }
		121 | 
		122 |   tags = merge(
		123 |     local.tags,
		124 |     {
		125 |       Name = "${local.application_data.accounts[local.environment].database_ec2_name}"
		126 |     }
		127 |   )
		128 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.db-master-password
	File: /secret-rotate.tf:13-23
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		13 | resource "aws_secretsmanager_secret" "db-master-password" {
		14 |   name        = "${local.application_name}/app/db-master-password-"
		15 |   description = "EDW DB EC2 Root Password"
		16 | 
		17 |   tags = merge(
		18 |     local.tags,
		19 |     {
		20 |       Name = "${local.application_name}-db-master-password"
		21 |     }
		22 |   )
		23 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.edw_db_ec2_root_secret
	File: /secret-rotate.tf:43-53
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		43 | resource "aws_secretsmanager_secret" "edw_db_ec2_root_secret" {
		44 |   name        = "${local.application_name}/app/db-EC2-root-password-${random_string.edw-root-secret_id_suffix.result}"
		45 |   description = "EDW DB EC2 Root Password"
		46 | 
		47 |   tags = merge(
		48 |     local.tags,
		49 |     {
		50 |       Name = "${local.application_name}-ec2-system-root-password"
		51 |     }
		52 |   )
		53 | }

Check: CKV_AWS_304: "Ensure Secrets Manager secrets should be rotated within 90 days"
	FAILED for resource: aws_secretsmanager_secret_rotation.edw_db_root_rotate
	File: /secret-rotate.tf:60-68
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-304

		60 | resource "aws_secretsmanager_secret_rotation" "edw_db_root_rotate" {
		61 |   secret_id           = aws_secretsmanager_secret.edw_db_ec2_root_secret.id
		62 |   rotation_lambda_arn = aws_lambda_function.rotate_secret_function.arn
		63 |   rotate_immediately  = true
		64 | 
		65 |   rotation_rules {
		66 |     automatically_after_days = local.application_data.accounts[local.environment].secret_rotation_frequency_days
		67 |   }
		68 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.rotate_secret_function
	File: /secret-rotate.tf:85-108
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		85  | resource "aws_lambda_function" "rotate_secret_function" {
		86  |   function_name = local.application_data.accounts[local.environment].lambda_function_name
		87  |   description   = local.application_data.accounts[local.environment].lambda_function_description
		88  |   role          = aws_iam_role.edw_lambda_function_execution_role.arn
		89  |   handler       = local.application_data.accounts[local.environment].lambda_function_handler
		90  |   runtime       = local.application_data.accounts[local.environment].lambda_function_runtime
		91  |   timeout       = local.application_data.accounts[local.environment].lambda_function_timeout
		92  | 
		93  |   filename         = data.archive_file.lambda_inline_code.output_path
		94  |   source_code_hash = data.archive_file.lambda_inline_code.output_base64sha256 # hash ensures that changes to inline code are always picked up by a plan/apply
		95  | 
		96  |   environment {
		97  |     variables = {
		98  |       SECRETS_MANAGER_ENDPOINT = "https://secretsmanager.eu-west-2.amazonaws.com"
		99  |     }
		100 |   }
		101 | 
		102 |   tags = merge(
		103 |     local.tags,
		104 |     {
		105 |       Name = "${local.application_name}-edw-secret-rotate-function"
		106 |     }
		107 |   )
		108 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.rotate_secret_function
	File: /secret-rotate.tf:85-108
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		85  | resource "aws_lambda_function" "rotate_secret_function" {
		86  |   function_name = local.application_data.accounts[local.environment].lambda_function_name
		87  |   description   = local.application_data.accounts[local.environment].lambda_function_description
		88  |   role          = aws_iam_role.edw_lambda_function_execution_role.arn
		89  |   handler       = local.application_data.accounts[local.environment].lambda_function_handler
		90  |   runtime       = local.application_data.accounts[local.environment].lambda_function_runtime
		91  |   timeout       = local.application_data.accounts[local.environment].lambda_function_timeout
		92  | 
		93  |   filename         = data.archive_file.lambda_inline_code.output_path
		94  |   source_code_hash = data.archive_file.lambda_inline_code.output_base64sha256 # hash ensures that changes to inline code are always picked up by a plan/apply
		95  | 
		96  |   environment {
		97  |     variables = {
		98  |       SECRETS_MANAGER_ENDPOINT = "https://secretsmanager.eu-west-2.amazonaws.com"
		99  |     }
		100 |   }
		101 | 
		102 |   tags = merge(
		103 |     local.tags,
		104 |     {
		105 |       Name = "${local.application_name}-edw-secret-rotate-function"
		106 |     }
		107 |   )
		108 | }

Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
	FAILED for resource: aws_lambda_function.rotate_secret_function
	File: /secret-rotate.tf:85-108
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1

		85  | resource "aws_lambda_function" "rotate_secret_function" {
		86  |   function_name = local.application_data.accounts[local.environment].lambda_function_name
		87  |   description   = local.application_data.accounts[local.environment].lambda_function_description
		88  |   role          = aws_iam_role.edw_lambda_function_execution_role.arn
		89  |   handler       = local.application_data.accounts[local.environment].lambda_function_handler
		90  |   runtime       = local.application_data.accounts[local.environment].lambda_function_runtime
		91  |   timeout       = local.application_data.accounts[local.environment].lambda_function_timeout
		92  | 
		93  |   filename         = data.archive_file.lambda_inline_code.output_path
		94  |   source_code_hash = data.archive_file.lambda_inline_code.output_base64sha256 # hash ensures that changes to inline code are always picked up by a plan/apply
		95  | 
		96  |   environment {
		97  |     variables = {
		98  |       SECRETS_MANAGER_ENDPOINT = "https://secretsmanager.eu-west-2.amazonaws.com"
		99  |     }
		100 |   }
		101 | 
		102 |   tags = merge(
		103 |     local.tags,
		104 |     {
		105 |       Name = "${local.application_name}-edw-secret-rotate-function"
		106 |     }
		107 |   )
		108 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.rotate_secret_function
	File: /secret-rotate.tf:85-108
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		85  | resource "aws_lambda_function" "rotate_secret_function" {
		86  |   function_name = local.application_data.accounts[local.environment].lambda_function_name
		87  |   description   = local.application_data.accounts[local.environment].lambda_function_description
		88  |   role          = aws_iam_role.edw_lambda_function_execution_role.arn
		89  |   handler       = local.application_data.accounts[local.environment].lambda_function_handler
		90  |   runtime       = local.application_data.accounts[local.environment].lambda_function_runtime
		91  |   timeout       = local.application_data.accounts[local.environment].lambda_function_timeout
		92  | 
		93  |   filename         = data.archive_file.lambda_inline_code.output_path
		94  |   source_code_hash = data.archive_file.lambda_inline_code.output_base64sha256 # hash ensures that changes to inline code are always picked up by a plan/apply
		95  | 
		96  |   environment {
		97  |     variables = {
		98  |       SECRETS_MANAGER_ENDPOINT = "https://secretsmanager.eu-west-2.amazonaws.com"
		99  |     }
		100 |   }
		101 | 
		102 |   tags = merge(
		103 |     local.tags,
		104 |     {
		105 |       Name = "${local.application_name}-edw-secret-rotate-function"
		106 |     }
		107 |   )
		108 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.rotate_secret_function
	File: /secret-rotate.tf:85-108
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		85  | resource "aws_lambda_function" "rotate_secret_function" {
		86  |   function_name = local.application_data.accounts[local.environment].lambda_function_name
		87  |   description   = local.application_data.accounts[local.environment].lambda_function_description
		88  |   role          = aws_iam_role.edw_lambda_function_execution_role.arn
		89  |   handler       = local.application_data.accounts[local.environment].lambda_function_handler
		90  |   runtime       = local.application_data.accounts[local.environment].lambda_function_runtime
		91  |   timeout       = local.application_data.accounts[local.environment].lambda_function_timeout
		92  | 
		93  |   filename         = data.archive_file.lambda_inline_code.output_path
		94  |   source_code_hash = data.archive_file.lambda_inline_code.output_base64sha256 # hash ensures that changes to inline code are always picked up by a plan/apply
		95  | 
		96  |   environment {
		97  |     variables = {
		98  |       SECRETS_MANAGER_ENDPOINT = "https://secretsmanager.eu-west-2.amazonaws.com"
		99  |     }
		100 |   }
		101 | 
		102 |   tags = merge(
		103 |     local.tags,
		104 |     {
		105 |       Name = "${local.application_name}-edw-secret-rotate-function"
		106 |     }
		107 |   )
		108 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.rotate_secret_function
	File: /secret-rotate.tf:85-108
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		85  | resource "aws_lambda_function" "rotate_secret_function" {
		86  |   function_name = local.application_data.accounts[local.environment].lambda_function_name
		87  |   description   = local.application_data.accounts[local.environment].lambda_function_description
		88  |   role          = aws_iam_role.edw_lambda_function_execution_role.arn
		89  |   handler       = local.application_data.accounts[local.environment].lambda_function_handler
		90  |   runtime       = local.application_data.accounts[local.environment].lambda_function_runtime
		91  |   timeout       = local.application_data.accounts[local.environment].lambda_function_timeout
		92  | 
		93  |   filename         = data.archive_file.lambda_inline_code.output_path
		94  |   source_code_hash = data.archive_file.lambda_inline_code.output_base64sha256 # hash ensures that changes to inline code are always picked up by a plan/apply
		95  | 
		96  |   environment {
		97  |     variables = {
		98  |       SECRETS_MANAGER_ENDPOINT = "https://secretsmanager.eu-west-2.amazonaws.com"
		99  |     }
		100 |   }
		101 | 
		102 |   tags = merge(
		103 |     local.tags,
		104 |     {
		105 |       Name = "${local.application_name}-edw-secret-rotate-function"
		106 |     }
		107 |   )
		108 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.edw_lambda_function_execution_role_policy
	File: /secret-rotate.tf:127-181
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_policy.edw_lambda_function_execution_role_policy
	File: /secret-rotate.tf:127-181
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.edw_lambda_function_execution_role_policy
	File: /secret-rotate.tf:127-181
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_364: "Ensure that AWS Lambda function permissions delegated to AWS services are limited by SourceArn or SourceAccount"
	FAILED for resource: aws_lambda_permission.rotate_secret_function_permission
	File: /secret-rotate.tf:189-193
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-364

		189 | resource "aws_lambda_permission" "rotate_secret_function_permission" {
		190 |   action        = "lambda:InvokeFunction"
		191 |   function_name = aws_lambda_function.rotate_secret_function.function_name
		192 |   principal     = "secretsmanager.amazonaws.com"
		193 | }
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /backup_lambda.tf:101-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		101 | resource "aws_s3_bucket" "backup_lambda" {
		102 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		103 |   tags = merge(
		104 |     local.tags,
		105 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		106 |   )
		107 | }

Check: CKV2_AWS_65: "Ensure access control lists for S3 buckets are disabled"
	FAILED for resource: aws_s3_bucket_ownership_controls.backup_lambda
	File: /backup_lambda.tf:124-129
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-112

		124 | resource "aws_s3_bucket_ownership_controls" "backup_lambda" {
		125 |   bucket = aws_s3_bucket.backup_lambda.id
		126 |   rule {
		127 |     object_ownership = "ObjectWriter"
		128 |   }
		129 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /backup_lambda.tf:101-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		101 | resource "aws_s3_bucket" "backup_lambda" {
		102 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		103 |   tags = merge(
		104 |     local.tags,
		105 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		106 |   )
		107 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.db-master-password
	File: /secret-rotate.tf:13-23
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		13 | resource "aws_secretsmanager_secret" "db-master-password" {
		14 |   name        = "${local.application_name}/app/db-master-password-"
		15 |   description = "EDW DB EC2 Root Password"
		16 | 
		17 |   tags = merge(
		18 |     local.tags,
		19 |     {
		20 |       Name = "${local.application_name}-db-master-password"
		21 |     }
		22 |   )
		23 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /backup_lambda.tf:101-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		101 | resource "aws_s3_bucket" "backup_lambda" {
		102 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		103 |   tags = merge(
		104 |     local.tags,
		105 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		106 |   )
		107 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /backup_lambda.tf:101-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		101 | resource "aws_s3_bucket" "backup_lambda" {
		102 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		103 |   tags = merge(
		104 |     local.tags,
		105 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		106 |   )
		107 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /backup_lambda.tf:101-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		101 | resource "aws_s3_bucket" "backup_lambda" {
		102 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		103 |   tags = merge(
		104 |     local.tags,
		105 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		106 |   )
		107 | }


checkov_exitcode=1

CTFLint Scan Failed

Show Output
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
terraform/environments/edw

*****************************

Running tflint in terraform/environments/edw
Excluding the following checks: terraform_unused_declarations
5 issue(s) found:

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/edw/ec2.tf line 125:
 125:       Name = "${local.application_data.accounts[local.environment].database_ec2_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "time" in `required_providers` (terraform_required_providers)

  on terraform/environments/edw/platform_providers.tf line 60:
  60: provider "time" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "random" in `required_providers` (terraform_required_providers)

  on terraform/environments/edw/secret-rotate.tf line 38:
  38: resource "random_string" "edw-initial_root_secret_value" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "archive" in `required_providers` (terraform_required_providers)

  on terraform/environments/edw/secret-rotate.tf line 75:
  75: data "archive_file" "lambda_inline_code" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/edw/secret-rotate.tf line 81:
  81:     content  = file("${local.application_data.accounts[local.environment].lambda_function_inline_code_filename}")

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

tflint_exitcode=2

Trivy Scan Failed

Show Output
*****************************

Trivy will check the following folders:
terraform/environments/edw

*****************************

Running Trivy in terraform/environments/edw
2024-07-15T14:02:14Z	INFO	Need to update DB
2024-07-15T14:02:14Z	INFO	Downloading DB...	repository="ghcr.io/aquasecurity/trivy-db:2"
2024-07-15T14:02:16Z	INFO	Vulnerability scanning is enabled
2024-07-15T14:02:16Z	INFO	Misconfiguration scanning is enabled
2024-07-15T14:02:16Z	INFO	Need to update the built-in policies
2024-07-15T14:02:16Z	INFO	Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s
2024-07-15T14:02:16Z	INFO	Secret scanning is enabled
2024-07-15T14:02:16Z	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-07-15T14:02:16Z	INFO	Please see also https://aquasecurity.github.io/trivy/v0.53/docs/scanner/secret#recommendation for faster secret detection
2024-07-15T14:02:18Z	INFO	Number of language-specific files	num=0
2024-07-15T14:02:18Z	INFO	Detected config files	num=7

backup_lambda.tf (terraform)
============================
Tests: 54 (SUCCESSES: 7, FAILURES: 3, EXCEPTIONS: 44)
Failures: 3 (HIGH: 2, CRITICAL: 1)

HIGH: Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.

See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
 backup_lambda.tf:101-107
────────────────────────────────────────
 101 ┌ resource "aws_s3_bucket" "backup_lambda" {
 102 │   bucket = "${local.application_name}-${local.environment}-backup-lambda"
 103 │   tags = merge(
 104 │     local.tags,
 105 │     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
 106 │   )
 107 └ }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 backup_lambda.tf:194
   via backup_lambda.tf:189-195 (egress)
    via backup_lambda.tf:184-201 (aws_security_group.backup_lambda)
────────────────────────────────────────
 184   resource "aws_security_group" "backup_lambda" {
 ...   
 194 [     cidr_blocks = ["0.0.0.0/0"]
 ...   
 201   }
────────────────────────────────────────


HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 backup_lambda.tf:101-107
────────────────────────────────────────
 101 ┌ resource "aws_s3_bucket" "backup_lambda" {
 102 │   bucket = "${local.application_name}-${local.environment}-backup-lambda"
 103 │   tags = merge(
 104 │     local.tags,
 105 │     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
 106 │   )
 107 └ }
────────────────────────────────────────



cw.tf (terraform)
=================
Tests: 2 (SUCCESSES: 1, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Topic does not have encryption enabled.
════════════════════════════════════════
Topics should be encrypted to protect their contents.

See https://avd.aquasec.com/misconfig/avd-aws-0095
────────────────────────────────────────
 cw.tf:558-566
────────────────────────────────────────
 558 ┌ resource "aws_sns_topic" "edw_alerting_topic" {
 559 │   name = "${local.application_name}-SNS-topic"
 560 │   tags = merge(
 561 │     local.tags,
 562 │     {
 563 │       Name = "${local.application_name}-edw-alerting-topic"
 564 │     }
 565 │   )
 566 └ }
────────────────────────────────────────



ec2.tf (terraform)
==================
Tests: 16 (SUCCESSES: 13, FAILURES: 3, EXCEPTIONS: 0)
Failures: 3 (HIGH: 3, CRITICAL: 0)

HIGH: Instance does not require IMDS access to require a token
════════════════════════════════════════

IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.
By default aws_instance resource sets IMDS session auth tokens to be optional. 
To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 ec2.tf:113-116
   via ec2.tf:83-128 (aws_instance.edw_db_instance)
────────────────────────────────────────
  83   resource "aws_instance" "edw_db_instance" {
  ..   
 113 ┌   metadata_options {
 114 │     http_endpoint               = "enabled"
 115 │     http_put_response_hop_limit = 2
 116 └   }
 ...   
 128   }
────────────────────────────────────────


HIGH: EBS block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.

See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
 ec2.tf:83-128
────────────────────────────────────────
  83 ┌ resource "aws_instance" "edw_db_instance" {
  84 │   ami                    = local.application_data.accounts[local.environment].edw_ec2_ami_id
  85 │   availability_zone      = "eu-west-2a"
  86 │   instance_type          = local.application_data.accounts[local.environment].edw_ec2_instance_type
  87 │   iam_instance_profile   = aws_iam_instance_profile.edw_ec2_instance_profile.id
  88 │   key_name               = aws_key_pair.edw_ec2_key.key_name
  89 │   subnet_id              = data.aws_subnet.private_subnets_a.id
  90 │   vpc_security_group_ids = [aws_security_group.edw_db_security_group.id]
  91 └   user_data = base64encode(templatefile("edw-ec2-user-data.sh", {
  ..   
────────────────────────────────────────


HIGH: Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.

See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
 ec2.tf:83-128
────────────────────────────────────────
  83 ┌ resource "aws_instance" "edw_db_instance" {
  84 │   ami                    = local.application_data.accounts[local.environment].edw_ec2_ami_id
  85 │   availability_zone      = "eu-west-2a"
  86 │   instance_type          = local.application_data.accounts[local.environment].edw_ec2_instance_type
  87 │   iam_instance_profile   = aws_iam_instance_profile.edw_ec2_instance_profile.id
  88 │   key_name               = aws_key_pair.edw_ec2_key.key_name
  89 │   subnet_id              = data.aws_subnet.private_subnets_a.id
  90 │   vpc_security_group_ids = [aws_security_group.edw_db_security_group.id]
  91 └   user_data = base64encode(templatefile("edw-ec2-user-data.sh", {
  ..   
────────────────────────────────────────



github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0/main.tf (terraform)
==========================================================================================================
Tests: 16 (SUCCESSES: 5, FAILURES: 0, EXCEPTIONS: 11)
Failures: 0 (HIGH: 0, CRITICAL: 0)


secret-rotate.tf (terraform)
============================
Tests: 1 (SUCCESSES: 0, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Lambda permission lacks source ARN for *.amazonaws.com principal.
════════════════════════════════════════
When the principal is an AWS service, the ARN of the specific resource within that service to grant permission to. 

Without this, any resource from principal will be granted permission – even if that resource is from another account. 

For S3, this should be the ARN of the S3 Bucket. For CloudWatch Events, this should be the ARN of the CloudWatch Events Rule. For API Gateway, this should be the ARN of the API

See https://avd.aquasec.com/misconfig/avd-aws-0067
────────────────────────────────────────
 secret-rotate.tf:189-193
────────────────────────────────────────
 189 ┌ resource "aws_lambda_permission" "rotate_secret_function_permission" {
 190 │   action        = "lambda:InvokeFunction"
 191 │   function_name = aws_lambda_function.rotate_secret_function.function_name
 192 │   principal     = "secretsmanager.amazonaws.com"
 193 └ }
────────────────────────────────────────


trivy_exitcode=1

@ffteva-moj ffteva-moj temporarily deployed to edw-development July 15, 2024 14:02 — with GitHub Actions Inactive
Signed-off-by: Fani Foteva <[email protected]>
Contributor

Trivy Scan Failed

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/edw


Running Trivy in terraform/environments/edw
2024-07-15T14:59:56Z INFO Need to update DB
2024-07-15T14:59:56Z INFO Downloading DB... repository="ghcr.io/aquasecurity/trivy-db:2"
2024-07-15T14:59:58Z INFO Vulnerability scanning is enabled
2024-07-15T14:59:58Z INFO Misconfiguration scanning is enabled
2024-07-15T14:59:58Z INFO Need to update the built-in policies
2024-07-15T14:59:58Z INFO Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s
2024-07-15T14:59:58Z INFO Secret scanning is enabled
2024-07-15T14:59:58Z INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-07-15T14:59:58Z INFO Please see also https://aquasecurity.github.io/trivy/v0.53/docs/scanner/secret#recommendation for faster secret detection
2024-07-15T14:59:59Z INFO Number of language-specific files num=0
2024-07-15T14:59:59Z INFO Detected config files num=7

backup_lambda.tf (terraform)

Tests: 54 (SUCCESSES: 7, FAILURES: 3, EXCEPTIONS: 44)
Failures: 3 (HIGH: 2, CRITICAL: 1)

HIGH: Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.

See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
backup_lambda.tf:101-107
────────────────────────────────────────
101 ┌ resource "aws_s3_bucket" "backup_lambda" {
102 │ bucket = "${local.application_name}-${local.environment}-backup-lambda"
103 │ tags = merge(
104 │ local.tags,
105 │ { Name = "${local.application_name}-${local.environment}-backup-lambda" }
106 │ )
107 └ }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
backup_lambda.tf:194
via backup_lambda.tf:189-195 (egress)
via backup_lambda.tf:184-201 (aws_security_group.backup_lambda)
────────────────────────────────────────
184 resource "aws_security_group" "backup_lambda" {
...
194 [ cidr_blocks = ["0.0.0.0/0"]
...
201 }
────────────────────────────────────────

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
backup_lambda.tf:101-107
────────────────────────────────────────
101 ┌ resource "aws_s3_bucket" "backup_lambda" {
102 │ bucket = "${local.application_name}-${local.environment}-backup-lambda"
103 │ tags = merge(
104 │ local.tags,
105 │ { Name = "${local.application_name}-${local.environment}-backup-lambda" }
106 │ )
107 └ }
────────────────────────────────────────

cw.tf (terraform)

Tests: 2 (SUCCESSES: 1, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Topic does not have encryption enabled.
════════════════════════════════════════
Topics should be encrypted to protect their contents.

See https://avd.aquasec.com/misconfig/avd-aws-0095
────────────────────────────────────────
cw.tf:558-566
────────────────────────────────────────
558 ┌ resource "aws_sns_topic" "edw_alerting_topic" {
559 │ name = "${local.application_name}-SNS-topic"
560 │ tags = merge(
561 │ local.tags,
562 │ {
563 │ Name = "${local.application_name}-edw-alerting-topic"
564 │ }
565 │ )
566 └ }
────────────────────────────────────────

ec2.tf (terraform)

Tests: 16 (SUCCESSES: 13, FAILURES: 3, EXCEPTIONS: 0)
Failures: 3 (HIGH: 3, CRITICAL: 0)

HIGH: Instance does not require IMDS access to require a token
════════════════════════════════════════

IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.
By default aws_instance resource sets IMDS session auth tokens to be optional.
To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
ec2.tf:113-116
via ec2.tf:83-128 (aws_instance.edw_db_instance)
────────────────────────────────────────
83 resource "aws_instance" "edw_db_instance" {
..
113 ┌ metadata_options {
114 │ http_endpoint = "enabled"
115 │ http_put_response_hop_limit = 2
116 └ }
...
128 }
────────────────────────────────────────

HIGH: EBS block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.

See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
ec2.tf:83-128
────────────────────────────────────────
83 ┌ resource "aws_instance" "edw_db_instance" {
84 │ ami = local.application_data.accounts[local.environment].edw_ec2_ami_id
85 │ availability_zone = "eu-west-2a"
86 │ instance_type = local.application_data.accounts[local.environment].edw_ec2_instance_type
87 │ iam_instance_profile = aws_iam_instance_profile.edw_ec2_instance_profile.id
88 │ key_name = aws_key_pair.edw_ec2_key.key_name
89 │ subnet_id = data.aws_subnet.private_subnets_a.id
90 │ vpc_security_group_ids = [aws_security_group.edw_db_security_group.id]
91 └ user_data = base64encode(templatefile("edw-ec2-user-data.sh", {
..
────────────────────────────────────────

HIGH: Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.

See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
ec2.tf:83-128
────────────────────────────────────────
83 ┌ resource "aws_instance" "edw_db_instance" {
84 │ ami = local.application_data.accounts[local.environment].edw_ec2_ami_id
85 │ availability_zone = "eu-west-2a"
86 │ instance_type = local.application_data.accounts[local.environment].edw_ec2_instance_type
87 │ iam_instance_profile = aws_iam_instance_profile.edw_ec2_instance_profile.id
88 │ key_name = aws_key_pair.edw_ec2_key.key_name
89 │ subnet_id = data.aws_subnet.private_subnets_a.id
90 │ vpc_security_group_ids = [aws_security_group.edw_db_security_group.id]
91 └ user_data = base64encode(templatefile("edw-ec2-user-data.sh", {
..
────────────────────────────────────────

github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0/main.tf (terraform)

Tests: 16 (SUCCESSES: 5, FAILURES: 0, EXCEPTIONS: 11)
Failures: 0 (HIGH: 0, CRITICAL: 0)

secret-rotate.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Lambda permission lacks source ARN for *.amazonaws.com principal.
════════════════════════════════════════
When the principal is an AWS service, the ARN of the specific resource within that service to grant permission to.

Without this, any resource from principal will be granted permission – even if that resource is from another account.

For S3, this should be the ARN of the S3 Bucket. For CloudWatch Events, this should be the ARN of the CloudWatch Events Rule. For API Gateway, this should be the ARN of the API

See https://avd.aquasec.com/misconfig/avd-aws-0067
────────────────────────────────────────
secret-rotate.tf:189-193
────────────────────────────────────────
189 ┌ resource "aws_lambda_permission" "rotate_secret_function_permission" {
190 │ action = "lambda:InvokeFunction"
191 │ function_name = aws_lambda_function.rotate_secret_function.function_name
192 │ principal = "secretsmanager.amazonaws.com"
193 └ }
────────────────────────────────────────

trivy_exitcode=1

Checkov Scan Failed

Show Output

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/edw

*****************************

Running Checkov in terraform/environments/edw
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-07-15 15:00:02,172 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0:None (for external modules, the --download-external-modules flag is required)
2024-07-15 15:00:02,172 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 125, Failed checks: 62, Skipped checks: 0

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.ssh_key
	File: /backup_lambda.tf:7-22
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		7  | resource "aws_ssm_parameter" "ssh_key" {
		8  |   name        = "EC2_SSH_KEY" # This needs to match the name supplied to the dbconnect.js script
		9  |   description = "SSH Key used by Lambda function to access database instance for backup. Value is updated manually."
		10 |   type        = "SecureString"
		11 |   value       = "Placeholder"
		12 | 
		13 |   tags = merge(
		14 |     local.tags,
		15 |     { Name = "EC2_SSH_KEY" }
		16 |   )
		17 |   lifecycle {
		18 |     ignore_changes = [
		19 |       value,
		20 |     ]
		21 |   }
		22 | }

Check: CKV_AWS_287: "Ensure IAM policies does not allow credentials exposure"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /backup_lambda.tf:50-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-287

		50 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		51 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		52 |   tags = merge(
		53 |     local.tags,
		54 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		55 |   )
		56 |   policy = <<EOF
		57 | {
		58 |     "Version" : "2012-10-17",
		59 |     "Statement": [
		60 |         {
		61 |             "Action": [
		62 |                 "lambda:InvokeFunction",
		63 |                 "ec2:CreateNetworkInterface",
		64 |                 "ec2:DescribeNetworkInterfaces",
		65 |                 "ec2:DeleteNetworkInterface",
		66 |                 "ec2:DescribeSecurityGroups",
		67 |                 "ec2:CreateSnapshot",
		68 |                 "ec2:DeleteSnapshot",
		69 |                 "ec2:DescribeSubnets",
		70 |                 "ec2:DescribeVpcs",
		71 |                 "ec2:DescribeInstances",
		72 |                 "ec2:DescribeAddresses",
		73 |                 "ec2:DescribeInstanceStatus",
		74 |                 "ec2:DescribeVolumes",
		75 |                 "ec2:DescribeSnapshots",
		76 |                 "ec2:CreateTags",
		77 |                 "s3:*",
		78 |                 "ssm:*",
		79 |                 "ses:*",
		80 |                 "logs:*",
		81 |                 "cloudwatch:*",
		82 |                 "sts:AssumeRole"
		83 |             ],
		84 |             "Resource": "*",
		85 |             "Effect": "Allow"
		86 |         }
		87 |     ]
		88 | }
		89 | EOF
		90 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /backup_lambda.tf:50-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		50 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		51 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		52 |   tags = merge(
		53 |     local.tags,
		54 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		55 |   )
		56 |   policy = <<EOF
		57 | {
		58 |     "Version" : "2012-10-17",
		59 |     "Statement": [
		60 |         {
		61 |             "Action": [
		62 |                 "lambda:InvokeFunction",
		63 |                 "ec2:CreateNetworkInterface",
		64 |                 "ec2:DescribeNetworkInterfaces",
		65 |                 "ec2:DeleteNetworkInterface",
		66 |                 "ec2:DescribeSecurityGroups",
		67 |                 "ec2:CreateSnapshot",
		68 |                 "ec2:DeleteSnapshot",
		69 |                 "ec2:DescribeSubnets",
		70 |                 "ec2:DescribeVpcs",
		71 |                 "ec2:DescribeInstances",
		72 |                 "ec2:DescribeAddresses",
		73 |                 "ec2:DescribeInstanceStatus",
		74 |                 "ec2:DescribeVolumes",
		75 |                 "ec2:DescribeSnapshots",
		76 |                 "ec2:CreateTags",
		77 |                 "s3:*",
		78 |                 "ssm:*",
		79 |                 "ses:*",
		80 |                 "logs:*",
		81 |                 "cloudwatch:*",
		82 |                 "sts:AssumeRole"
		83 |             ],
		84 |             "Resource": "*",
		85 |             "Effect": "Allow"
		86 |         }
		87 |     ]
		88 | }
		89 | EOF
		90 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /backup_lambda.tf:50-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		50 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		51 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		52 |   tags = merge(
		53 |     local.tags,
		54 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		55 |   )
		56 |   policy = <<EOF
		57 | {
		58 |     "Version" : "2012-10-17",
		59 |     "Statement": [
		60 |         {
		61 |             "Action": [
		62 |                 "lambda:InvokeFunction",
		63 |                 "ec2:CreateNetworkInterface",
		64 |                 "ec2:DescribeNetworkInterfaces",
		65 |                 "ec2:DeleteNetworkInterface",
		66 |                 "ec2:DescribeSecurityGroups",
		67 |                 "ec2:CreateSnapshot",
		68 |                 "ec2:DeleteSnapshot",
		69 |                 "ec2:DescribeSubnets",
		70 |                 "ec2:DescribeVpcs",
		71 |                 "ec2:DescribeInstances",
		72 |                 "ec2:DescribeAddresses",
		73 |                 "ec2:DescribeInstanceStatus",
		74 |                 "ec2:DescribeVolumes",
		75 |                 "ec2:DescribeSnapshots",
		76 |                 "ec2:CreateTags",
		77 |                 "s3:*",
		78 |                 "ssm:*",
		79 |                 "ses:*",
		80 |                 "logs:*",
		81 |                 "cloudwatch:*",
		82 |                 "sts:AssumeRole"
		83 |             ],
		84 |             "Resource": "*",
		85 |             "Effect": "Allow"
		86 |         }
		87 |     ]
		88 | }
		89 | EOF
		90 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /backup_lambda.tf:50-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		50 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		51 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		52 |   tags = merge(
		53 |     local.tags,
		54 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		55 |   )
		56 |   policy = <<EOF
		57 | {
		58 |     "Version" : "2012-10-17",
		59 |     "Statement": [
		60 |         {
		61 |             "Action": [
		62 |                 "lambda:InvokeFunction",
		63 |                 "ec2:CreateNetworkInterface",
		64 |                 "ec2:DescribeNetworkInterfaces",
		65 |                 "ec2:DeleteNetworkInterface",
		66 |                 "ec2:DescribeSecurityGroups",
		67 |                 "ec2:CreateSnapshot",
		68 |                 "ec2:DeleteSnapshot",
		69 |                 "ec2:DescribeSubnets",
		70 |                 "ec2:DescribeVpcs",
		71 |                 "ec2:DescribeInstances",
		72 |                 "ec2:DescribeAddresses",
		73 |                 "ec2:DescribeInstanceStatus",
		74 |                 "ec2:DescribeVolumes",
		75 |                 "ec2:DescribeSnapshots",
		76 |                 "ec2:CreateTags",
		77 |                 "s3:*",
		78 |                 "ssm:*",
		79 |                 "ses:*",
		80 |                 "logs:*",
		81 |                 "cloudwatch:*",
		82 |                 "sts:AssumeRole"
		83 |             ],
		84 |             "Resource": "*",
		85 |             "Effect": "Allow"
		86 |         }
		87 |     ]
		88 | }
		89 | EOF
		90 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /backup_lambda.tf:50-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		50 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		51 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		52 |   tags = merge(
		53 |     local.tags,
		54 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		55 |   )
		56 |   policy = <<EOF
		57 | {
		58 |     "Version" : "2012-10-17",
		59 |     "Statement": [
		60 |         {
		61 |             "Action": [
		62 |                 "lambda:InvokeFunction",
		63 |                 "ec2:CreateNetworkInterface",
		64 |                 "ec2:DescribeNetworkInterfaces",
		65 |                 "ec2:DeleteNetworkInterface",
		66 |                 "ec2:DescribeSecurityGroups",
		67 |                 "ec2:CreateSnapshot",
		68 |                 "ec2:DeleteSnapshot",
		69 |                 "ec2:DescribeSubnets",
		70 |                 "ec2:DescribeVpcs",
		71 |                 "ec2:DescribeInstances",
		72 |                 "ec2:DescribeAddresses",
		73 |                 "ec2:DescribeInstanceStatus",
		74 |                 "ec2:DescribeVolumes",
		75 |                 "ec2:DescribeSnapshots",
		76 |                 "ec2:CreateTags",
		77 |                 "s3:*",
		78 |                 "ssm:*",
		79 |                 "ses:*",
		80 |                 "logs:*",
		81 |                 "cloudwatch:*",
		82 |                 "sts:AssumeRole"
		83 |             ],
		84 |             "Resource": "*",
		85 |             "Effect": "Allow"
		86 |         }
		87 |     ]
		88 | }
		89 | EOF
		90 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /backup_lambda.tf:215-243
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		215 | resource "aws_lambda_function" "create_db_snapshots" {
		216 | 
		217 |   description      = "Snapshot volumes for Oracle EC2"
		218 |   function_name    = "snapshotDBFunction"
		219 |   role             = aws_iam_role.backup_lambda.arn
		220 |   handler          = "snapshot/dbsnapshot.handler"
		221 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		222 |   runtime          = "nodejs18.x"
		223 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		224 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		225 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		226 |   memory_size      = 128
		227 |   timeout          = 900
		228 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		229 | 
		230 |   environment {
		231 |     variables = {
		232 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		233 |     }
		234 |   }
		235 |   vpc_config {
		236 |     security_group_ids = [aws_security_group.backup_lambda.id]
		237 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		238 |   }
		239 |   tags = merge(
		240 |     local.tags,
		241 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		242 |   )
		243 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /backup_lambda.tf:215-243
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		215 | resource "aws_lambda_function" "create_db_snapshots" {
		216 | 
		217 |   description      = "Snapshot volumes for Oracle EC2"
		218 |   function_name    = "snapshotDBFunction"
		219 |   role             = aws_iam_role.backup_lambda.arn
		220 |   handler          = "snapshot/dbsnapshot.handler"
		221 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		222 |   runtime          = "nodejs18.x"
		223 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		224 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		225 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		226 |   memory_size      = 128
		227 |   timeout          = 900
		228 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		229 | 
		230 |   environment {
		231 |     variables = {
		232 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		233 |     }
		234 |   }
		235 |   vpc_config {
		236 |     security_group_ids = [aws_security_group.backup_lambda.id]
		237 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		238 |   }
		239 |   tags = merge(
		240 |     local.tags,
		241 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		242 |   )
		243 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /backup_lambda.tf:215-243
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		215 | resource "aws_lambda_function" "create_db_snapshots" {
		216 | 
		217 |   description      = "Snapshot volumes for Oracle EC2"
		218 |   function_name    = "snapshotDBFunction"
		219 |   role             = aws_iam_role.backup_lambda.arn
		220 |   handler          = "snapshot/dbsnapshot.handler"
		221 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		222 |   runtime          = "nodejs18.x"
		223 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		224 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		225 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		226 |   memory_size      = 128
		227 |   timeout          = 900
		228 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		229 | 
		230 |   environment {
		231 |     variables = {
		232 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		233 |     }
		234 |   }
		235 |   vpc_config {
		236 |     security_group_ids = [aws_security_group.backup_lambda.id]
		237 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		238 |   }
		239 |   tags = merge(
		240 |     local.tags,
		241 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		242 |   )
		243 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /backup_lambda.tf:215-243
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		215 | resource "aws_lambda_function" "create_db_snapshots" {
		216 | 
		217 |   description      = "Snapshot volumes for Oracle EC2"
		218 |   function_name    = "snapshotDBFunction"
		219 |   role             = aws_iam_role.backup_lambda.arn
		220 |   handler          = "snapshot/dbsnapshot.handler"
		221 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		222 |   runtime          = "nodejs18.x"
		223 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		224 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		225 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		226 |   memory_size      = 128
		227 |   timeout          = 900
		228 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		229 | 
		230 |   environment {
		231 |     variables = {
		232 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		233 |     }
		234 |   }
		235 |   vpc_config {
		236 |     security_group_ids = [aws_security_group.backup_lambda.id]
		237 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		238 |   }
		239 |   tags = merge(
		240 |     local.tags,
		241 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		242 |   )
		243 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /backup_lambda.tf:215-243
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		215 | resource "aws_lambda_function" "create_db_snapshots" {
		216 | 
		217 |   description      = "Snapshot volumes for Oracle EC2"
		218 |   function_name    = "snapshotDBFunction"
		219 |   role             = aws_iam_role.backup_lambda.arn
		220 |   handler          = "snapshot/dbsnapshot.handler"
		221 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		222 |   runtime          = "nodejs18.x"
		223 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		224 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		225 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		226 |   memory_size      = 128
		227 |   timeout          = 900
		228 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		229 | 
		230 |   environment {
		231 |     variables = {
		232 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		233 |     }
		234 |   }
		235 |   vpc_config {
		236 |     security_group_ids = [aws_security_group.backup_lambda.id]
		237 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		238 |   }
		239 |   tags = merge(
		240 |     local.tags,
		241 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		242 |   )
		243 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /backup_lambda.tf:245-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		245 | resource "aws_lambda_function" "delete_db_snapshots" {
		246 | 
		247 |   description      = "Clean up script to delete old unused snapshots"
		248 |   function_name    = "deletesnapshotFunction"
		249 |   role             = aws_iam_role.backup_lambda.arn
		250 |   handler          = "deletesnapshots.lambda_handler"
		251 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		252 |   runtime          = "python3.8"
		253 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		254 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		255 |   memory_size      = 3000
		256 |   timeout          = 900
		257 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		258 | 
		259 |   vpc_config {
		260 |     security_group_ids = [aws_security_group.backup_lambda.id]
		261 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		262 |   }
		263 |   tags = merge(
		264 |     local.tags,
		265 |     { Name = "${local.application_name}-${local.environment}-lambda-delete-snapshots" }
		266 |   )
		267 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /backup_lambda.tf:245-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		245 | resource "aws_lambda_function" "delete_db_snapshots" {
		246 | 
		247 |   description      = "Clean up script to delete old unused snapshots"
		248 |   function_name    = "deletesnapshotFunction"
		249 |   role             = aws_iam_role.backup_lambda.arn
		250 |   handler          = "deletesnapshots.lambda_handler"
		251 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		252 |   runtime          = "python3.8"
		253 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		254 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		255 |   memory_size      = 3000
		256 |   timeout          = 900
		257 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		258 | 
		259 |   vpc_config {
		260 |     security_group_ids = [aws_security_group.backup_lambda.id]
		261 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		262 |   }
		263 |   tags = merge(
		264 |     local.tags,
		265 |     { Name = "${local.application_name}-${local.environment}-lambda-delete-snapshots" }
		266 |   )
		267 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /backup_lambda.tf:245-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		245 | resource "aws_lambda_function" "delete_db_snapshots" {
		246 | 
		247 |   description      = "Clean up script to delete old unused snapshots"
		248 |   function_name    = "deletesnapshotFunction"
		249 |   role             = aws_iam_role.backup_lambda.arn
		250 |   handler          = "deletesnapshots.lambda_handler"
		251 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		252 |   runtime          = "python3.8"
		253 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		254 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		255 |   memory_size      = 3000
		256 |   timeout          = 900
		257 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		258 | 
		259 |   vpc_config {
		260 |     security_group_ids = [aws_security_group.backup_lambda.id]
		261 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		262 |   }
		263 |   tags = merge(
		264 |     local.tags,
		265 |     { Name = "${local.application_name}-${local.environment}-lambda-delete-snapshots" }
		266 |   )
		267 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /backup_lambda.tf:245-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		245 | resource "aws_lambda_function" "delete_db_snapshots" {
		246 | 
		247 |   description      = "Clean up script to delete old unused snapshots"
		248 |   function_name    = "deletesnapshotFunction"
		249 |   role             = aws_iam_role.backup_lambda.arn
		250 |   handler          = "deletesnapshots.lambda_handler"
		251 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		252 |   runtime          = "python3.8"
		253 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		254 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		255 |   memory_size      = 3000
		256 |   timeout          = 900
		257 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		258 | 
		259 |   vpc_config {
		260 |     security_group_ids = [aws_security_group.backup_lambda.id]
		261 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		262 |   }
		263 |   tags = merge(
		264 |     local.tags,
		265 |     { Name = "${local.application_name}-${local.environment}-lambda-delete-snapshots" }
		266 |   )
		267 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.connect_db
	File: /backup_lambda.tf:269-300
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		269 | resource "aws_lambda_function" "connect_db" {
		270 | 
		271 |   description      = "SSH to the DB EC2"
		272 |   function_name    = "connectDBFunction"
		273 |   role             = aws_iam_role.backup_lambda.arn
		274 |   handler          = "ssh/dbconnect.handler"
		275 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		276 |   runtime          = "nodejs18.x"
		277 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		278 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		279 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		280 |   memory_size      = 128
		281 |   timeout          = 900
		282 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		283 | 
		284 | 
		285 | 
		286 |   environment {
		287 |     variables = {
		288 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		289 | 
		290 |     }
		291 |   }
		292 |   vpc_config {
		293 |     security_group_ids = [aws_security_group.backup_lambda.id]
		294 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		295 |   }
		296 |   tags = merge(
		297 |     local.tags,
		298 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		299 |   )
		300 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.connect_db
	File: /backup_lambda.tf:269-300
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		269 | resource "aws_lambda_function" "connect_db" {
		270 | 
		271 |   description      = "SSH to the DB EC2"
		272 |   function_name    = "connectDBFunction"
		273 |   role             = aws_iam_role.backup_lambda.arn
		274 |   handler          = "ssh/dbconnect.handler"
		275 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		276 |   runtime          = "nodejs18.x"
		277 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		278 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		279 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		280 |   memory_size      = 128
		281 |   timeout          = 900
		282 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		283 | 
		284 | 
		285 | 
		286 |   environment {
		287 |     variables = {
		288 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		289 | 
		290 |     }
		291 |   }
		292 |   vpc_config {
		293 |     security_group_ids = [aws_security_group.backup_lambda.id]
		294 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		295 |   }
		296 |   tags = merge(
		297 |     local.tags,
		298 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		299 |   )
		300 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.connect_db
	File: /backup_lambda.tf:269-300
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		269 | resource "aws_lambda_function" "connect_db" {
		270 | 
		271 |   description      = "SSH to the DB EC2"
		272 |   function_name    = "connectDBFunction"
		273 |   role             = aws_iam_role.backup_lambda.arn
		274 |   handler          = "ssh/dbconnect.handler"
		275 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		276 |   runtime          = "nodejs18.x"
		277 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		278 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		279 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		280 |   memory_size      = 128
		281 |   timeout          = 900
		282 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		283 | 
		284 | 
		285 | 
		286 |   environment {
		287 |     variables = {
		288 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		289 | 
		290 |     }
		291 |   }
		292 |   vpc_config {
		293 |     security_group_ids = [aws_security_group.backup_lambda.id]
		294 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		295 |   }
		296 |   tags = merge(
		297 |     local.tags,
		298 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		299 |   )
		300 | }
Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.connect_db
	File: /backup_lambda.tf:269-300
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		269 | resource "aws_lambda_function" "connect_db" {
		270 | 
		271 |   description      = "SSH to the DB EC2"
		272 |   function_name    = "connectDBFunction"
		273 |   role             = aws_iam_role.backup_lambda.arn
		274 |   handler          = "ssh/dbconnect.handler"
		275 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		276 |   runtime          = "nodejs18.x"
		277 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		278 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		279 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		280 |   memory_size      = 128
		281 |   timeout          = 900
		282 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		283 | 
		284 | 
		285 | 
		286 |   environment {
		287 |     variables = {
		288 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		289 | 
		290 |     }
		291 |   }
		292 |   vpc_config {
		293 |     security_group_ids = [aws_security_group.backup_lambda.id]
		294 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		295 |   }
		296 |   tags = merge(
		297 |     local.tags,
		298 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		299 |   )
		300 | }
Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.connect_db
	File: /backup_lambda.tf:269-300
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		269 | resource "aws_lambda_function" "connect_db" {
		270 | 
		271 |   description      = "SSH to the DB EC2"
		272 |   function_name    = "connectDBFunction"
		273 |   role             = aws_iam_role.backup_lambda.arn
		274 |   handler          = "ssh/dbconnect.handler"
		275 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		276 |   runtime          = "nodejs18.x"
		277 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		278 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		279 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		280 |   memory_size      = 128
		281 |   timeout          = 900
		282 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		283 | 
		284 | 
		285 | 
		286 |   environment {
		287 |     variables = {
		288 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		289 | 
		290 |     }
		291 |   }
		292 |   vpc_config {
		293 |     security_group_ids = [aws_security_group.backup_lambda.id]
		294 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		295 |   }
		296 |   tags = merge(
		297 |     local.tags,
		298 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		299 |   )
		300 | }
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: bastion_linux
	File: /bastion.tf:5-36
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		5  | module "bastion_linux" {
		6  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0"
		7  | 
		8  |   providers = {
		9  |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		10 |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		11 |   }
		12 | 
		13 |   # s3 - used for logs and user ssh public keys
		14 |   bucket_name = "bastion-${local.application_name}"
		15 | 
		16 |   # public keys
		17 |   public_key_data = local.public_key_data.keys[local.environment]
		18 | 
		19 |   # logs
		20 |   log_auto_clean       = "Enabled"
		21 |   log_standard_ia_days = 30  # days before moving to IA storage
		22 |   log_glacier_days     = 60  # days before moving to Glacier
		23 |   log_expiry_days      = 180 # days before log expiration
		24 | 
		25 |   # bastion
		26 |   allow_ssh_commands = false
		27 |   app_name           = var.networking[0].application
		28 |   business_unit      = local.vpc_name
		29 |   subnet_set         = local.subnet_set
		30 |   environment        = local.environment
		31 |   region             = "eu-west-2"
		32 | 
		33 |   # Tags
		34 |   tags_common = local.tags
		35 |   tags_prefix = terraform.workspace
		36 | }
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.EC2LogGoup
	File: /cw.tf:5-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		5 | resource "aws_cloudwatch_log_group" "EC2LogGoup" {
		6 |   name              = "${local.application_name}-EC2"
		7 |   retention_in_days = 180
		8 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.EC2LogGoup
	File: /cw.tf:5-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		5 | resource "aws_cloudwatch_log_group" "EC2LogGoup" {
		6 |   name              = "${local.application_name}-EC2"
		7 |   retention_in_days = 180
		8 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.EDWLogGroupCfnInit
	File: /cw.tf:12-15
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		12 | resource "aws_cloudwatch_log_group" "EDWLogGroupCfnInit" {
		13 |   name              = "${local.application_name}-CfnInit"
		14 |   retention_in_days = 180
		15 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.EDWLogGroupCfnInit
	File: /cw.tf:12-15
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		12 | resource "aws_cloudwatch_log_group" "EDWLogGroupCfnInit" {
		13 |   name              = "${local.application_name}-CfnInit"
		14 |   retention_in_days = 180
		15 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.EDWLogGroupOracleAlerts
	File: /cw.tf:17-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		17 | resource "aws_cloudwatch_log_group" "EDWLogGroupOracleAlerts" {
		18 |   name              = "${local.application_name}-OracleAlerts"
		19 |   retention_in_days = 180
		20 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.EDWLogGroupOracleAlerts
	File: /cw.tf:17-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		17 | resource "aws_cloudwatch_log_group" "EDWLogGroupOracleAlerts" {
		18 |   name              = "${local.application_name}-OracleAlerts"
		19 |   retention_in_days = 180
		20 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.EDWLogGroupRman
	File: /cw.tf:22-26
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		22 | resource "aws_cloudwatch_log_group" "EDWLogGroupRman" {
		23 |   name              = "${local.application_name}-RMan"
		24 |   retention_in_days = 180
		25 | 
		26 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.EDWLogGroupRman
	File: /cw.tf:22-26
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		22 | resource "aws_cloudwatch_log_group" "EDWLogGroupRman" {
		23 |   name              = "${local.application_name}-RMan"
		24 |   retention_in_days = 180
		25 | 
		26 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.EDWLogGroupRmanArch
	File: /cw.tf:28-31
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		28 | resource "aws_cloudwatch_log_group" "EDWLogGroupRmanArch" {
		29 |   name              = "${local.application_name}-RManArch"
		30 |   retention_in_days = 180
		31 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.EDWLogGroupRmanArch
	File: /cw.tf:28-31
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		28 | resource "aws_cloudwatch_log_group" "EDWLogGroupRmanArch" {
		29 |   name              = "${local.application_name}-RManArch"
		30 |   retention_in_days = 180
		31 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.EDWLogGroupTBSFreespace
	File: /cw.tf:33-36
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		33 | resource "aws_cloudwatch_log_group" "EDWLogGroupTBSFreespace" {
		34 |   name              = "${local.application_name}-TBSFreespace"
		35 |   retention_in_days = 180
		36 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.EDWLogGroupTBSFreespace
	File: /cw.tf:33-36
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		33 | resource "aws_cloudwatch_log_group" "EDWLogGroupTBSFreespace" {
		34 |   name              = "${local.application_name}-TBSFreespace"
		35 |   retention_in_days = 180
		36 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.EDWLogGroupPMONstatus
	File: /cw.tf:38-41
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		38 | resource "aws_cloudwatch_log_group" "EDWLogGroupPMONstatus" {
		39 |   name              = "${local.application_name}-PMONstatus"
		40 |   retention_in_days = 180
		41 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.EDWLogGroupPMONstatus
	File: /cw.tf:38-41
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		38 | resource "aws_cloudwatch_log_group" "EDWLogGroupPMONstatus" {
		39 |   name              = "${local.application_name}-PMONstatus"
		40 |   retention_in_days = 180
		41 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.EDWLogGroupCDCstatus
	File: /cw.tf:43-46
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		43 | resource "aws_cloudwatch_log_group" "EDWLogGroupCDCstatus" {
		44 |   name              = "${local.application_name}-CDCstatus"
		45 |   retention_in_days = 180
		46 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.EDWLogGroupCDCstatus
	File: /cw.tf:43-46
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		43 | resource "aws_cloudwatch_log_group" "EDWLogGroupCDCstatus" {
		44 |   name              = "${local.application_name}-CDCstatus"
		45 |   retention_in_days = 180
		46 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.edw_alerting_topic
	File: /cw.tf:558-566
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		558 | resource "aws_sns_topic" "edw_alerting_topic" {
		559 |   name = "${local.application_name}-SNS-topic"
		560 |   tags = merge(
		561 |     local.tags,
		562 |     {
		563 |       Name = "${local.application_name}-edw-alerting-topic"
		564 |     }
		565 |   )
		566 | }

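CKV_AWS_338 and CKV_AWS_158 fire on all eight log groups in cw.tf, and CKV_AWS_26 on the SNS topic they alarm into. The block below is an added example, not code from this PR or the ministryofjustice repository, showing one CMK serving both: the log groups driven from a single list with one-year retention and KMS set once, and the topic encrypted with the same key. The key policy is the part that usually goes wrong: CloudWatch Logs and CloudWatch alarms call KMS as service principals, so they must be granted in the key policy itself; an IAM policy on your own role does not help, and `terraform apply` fails on the log group with an access-denied error. Assumptions: `local.application_name` and `local.tags` exist as on the page, and the two `current` data sources are not already declared in this environment.

```hcl
data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

locals {
  # The eight log groups flagged in cw.tf (same suffixes as the page).
  log_group_suffixes = ["EC2", "CfnInit", "OracleAlerts", "RMan", "RManArch", "TBSFreespace", "PMONstatus", "CDCstatus"]
}

data "aws_iam_policy_document" "logs_and_alerts_key" {
  statement {
    sid       = "AccountAdmin" # keep root access or the key becomes unmanageable once the policy is set
    actions   = ["kms:*"]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
    }
  }
  statement {
    sid       = "CloudWatchLogs"
    actions   = ["kms:Encrypt*", "kms:Decrypt*", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:Describe*"]
    resources = ["*"]
    principals {
      type        = "Service"
      identifiers = ["logs.${data.aws_region.current.name}.amazonaws.com"]
    }
    # Limit the service grant to log groups in this account and region.
    condition {
      test     = "ArnLike"
      variable = "kms:EncryptionContext:aws:logs:arn"
      values   = ["arn:aws:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:log-group:*"]
    }
  }
  statement {
    sid       = "CloudWatchAlarmsPublishToSns" # alarms publish to an encrypted topic as this principal
    actions   = ["kms:Decrypt", "kms:GenerateDataKey*"]
    resources = ["*"]
    principals {
      type        = "Service"
      identifiers = ["cloudwatch.amazonaws.com"]
    }
  }
}

resource "aws_kms_key" "logs_and_alerts" {
  description         = "${local.application_name} CloudWatch Logs and SNS alerting CMK"
  enable_key_rotation = true
  policy              = data.aws_iam_policy_document.logs_and_alerts_key.json
}

resource "aws_cloudwatch_log_group" "edw" {
  for_each          = toset(local.log_group_suffixes)
  name              = "${local.application_name}-${each.key}"
  retention_in_days = 365                             # CKV_AWS_338; only fixed values are accepted (365, 400, 545, ...)
  kms_key_id        = aws_kms_key.logs_and_alerts.arn # CKV_AWS_158; the Logs API wants the key ARN, not the key id
  tags              = local.tags
}

resource "aws_sns_topic" "edw_alerting_topic" {
  name              = "${local.application_name}-SNS-topic"
  kms_master_key_id = aws_kms_key.logs_and_alerts.id # CKV_AWS_26
  tags              = merge(local.tags, { Name = "${local.application_name}-edw-alerting-topic" })
}

# Moving the existing groups into the for_each keeps their history; a destroyed log group takes
# every retained event with it. One moved block per existing resource, EC2LogGoup shown.
moved {
  from = aws_cloudwatch_log_group.EC2LogGoup
  to   = aws_cloudwatch_log_group.edw["EC2"]
}
```

Encryption is transparent to the PagerDuty HTTPS subscription: SNS decrypts before delivery, so only the publisher side (the alarms) needs the key grant. After apply, confirm a test alarm still reaches PagerDuty; a missing `cloudwatch.amazonaws.com` statement shows up only as alarms silently failing to publish, not as a Terraform error.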
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: edw_pagerduty_core_alerts
	File: /cw.tf:588-595
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		588 | module "edw_pagerduty_core_alerts" {
		589 |   depends_on = [
		590 |     aws_sns_topic.edw_alerting_topic
		591 |   ]
		592 |   source                    = "github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0"
		593 |   sns_topics                = [aws_sns_topic.edw_alerting_topic.name]
		594 |   pagerduty_integration_key = local.edw_pagerduty_integration_keys[local.edw_pagerduty_integration_key_name]
		595 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.edw_db_instance
	File: /ec2.tf:83-128
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		83  | resource "aws_instance" "edw_db_instance" {
		84  |   ami                    = local.application_data.accounts[local.environment].edw_ec2_ami_id
		85  |   availability_zone      = "eu-west-2a"
		86  |   instance_type          = local.application_data.accounts[local.environment].edw_ec2_instance_type
		87  |   iam_instance_profile   = aws_iam_instance_profile.edw_ec2_instance_profile.id
		88  |   key_name               = aws_key_pair.edw_ec2_key.key_name
		89  |   subnet_id              = data.aws_subnet.private_subnets_a.id
		90  |   vpc_security_group_ids = [aws_security_group.edw_db_security_group.id]
		91  |   user_data = base64encode(templatefile("edw-ec2-user-data.sh", {
		92  |     edw_app_name         = local.application_data.accounts[local.environment].edw_AppName
		93  |     edw_dns_extension    = local.application_data.accounts[local.environment].edw_dns_extension
		94  |     edw_environment      = local.application_data.accounts[local.environment].edw_environment
		95  |     edw_region           = local.application_data.accounts[local.environment].edw_region
		96  |     edw_ec2_role         = aws_iam_role.edw_ec2_role.name
		97  |     edw_s3_backup_bucket = local.application_data.accounts[local.environment].edw_s3_backup_bucket
		98  |     edw_cis_ip           = local.application_data.accounts[local.environment].edw_cis_ip
		99  |     edw_eric_ip          = local.application_data.accounts[local.environment].edw_eric_ip
		100 |     edw_ccms_ip          = local.application_data.accounts[local.environment].edw_ccms_ip
		101 |   }))
		102 | 
		103 | 
		104 |   ebs_block_device {
		105 |     device_name = "/dev/sda1"
		106 |     volume_size = local.application_data.accounts[local.environment].edw_root_volume_size
		107 |     tags = merge(
		108 |       local.tags,
		109 |       { "Name" = "${local.application_name}-root-volume" },
		110 |     )
		111 |   }
		112 | 
		113 |   metadata_options {
		114 |     http_endpoint               = "enabled"
		115 |     http_put_response_hop_limit = 2
		116 |   }
		117 | 
		118 |   lifecycle {
		119 |     create_before_destroy = true
		120 |   }
		121 | 
		122 |   tags = merge(
		123 |     local.tags,
		124 |     {
		125 |       Name = "${local.application_data.accounts[local.environment].database_ec2_name}"
		126 |     }
		127 |   )
		128 | }

Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
	FAILED for resource: aws_instance.edw_db_instance
	File: /ec2.tf:83-128
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-13

		83  | resource "aws_instance" "edw_db_instance" {
		84  |   ami                    = local.application_data.accounts[local.environment].edw_ec2_ami_id
		85  |   availability_zone      = "eu-west-2a"
		86  |   instance_type          = local.application_data.accounts[local.environment].edw_ec2_instance_type
		87  |   iam_instance_profile   = aws_iam_instance_profile.edw_ec2_instance_profile.id
		88  |   key_name               = aws_key_pair.edw_ec2_key.key_name
		89  |   subnet_id              = data.aws_subnet.private_subnets_a.id
		90  |   vpc_security_group_ids = [aws_security_group.edw_db_security_group.id]
		91  |   user_data = base64encode(templatefile("edw-ec2-user-data.sh", {
		92  |     edw_app_name         = local.application_data.accounts[local.environment].edw_AppName
		93  |     edw_dns_extension    = local.application_data.accounts[local.environment].edw_dns_extension
		94  |     edw_environment      = local.application_data.accounts[local.environment].edw_environment
		95  |     edw_region           = local.application_data.accounts[local.environment].edw_region
		96  |     edw_ec2_role         = aws_iam_role.edw_ec2_role.name
		97  |     edw_s3_backup_bucket = local.application_data.accounts[local.environment].edw_s3_backup_bucket
		98  |     edw_cis_ip           = local.application_data.accounts[local.environment].edw_cis_ip
		99  |     edw_eric_ip          = local.application_data.accounts[local.environment].edw_eric_ip
		100 |     edw_ccms_ip          = local.application_data.accounts[local.environment].edw_ccms_ip
		101 |   }))
		102 | 
		103 | 
		104 |   ebs_block_device {
		105 |     device_name = "/dev/sda1"
		106 |     volume_size = local.application_data.accounts[local.environment].edw_root_volume_size
		107 |     tags = merge(
		108 |       local.tags,
		109 |       { "Name" = "${local.application_name}-root-volume" },
		110 |     )
		111 |   }
		112 | 
		113 |   metadata_options {
		114 |     http_endpoint               = "enabled"
		115 |     http_put_response_hop_limit = 2
		116 |   }
		117 | 
		118 |   lifecycle {
		119 |     create_before_destroy = true
		120 |   }
		121 | 
		122 |   tags = merge(
		123 |     local.tags,
		124 |     {
		125 |       Name = "${local.application_data.accounts[local.environment].database_ec2_name}"
		126 |     }
		127 |   )
		128 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.edw_db_instance
	File: /ec2.tf:83-128
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		83  | resource "aws_instance" "edw_db_instance" {
		84  |   ami                    = local.application_data.accounts[local.environment].edw_ec2_ami_id
		85  |   availability_zone      = "eu-west-2a"
		86  |   instance_type          = local.application_data.accounts[local.environment].edw_ec2_instance_type
		87  |   iam_instance_profile   = aws_iam_instance_profile.edw_ec2_instance_profile.id
		88  |   key_name               = aws_key_pair.edw_ec2_key.key_name
		89  |   subnet_id              = data.aws_subnet.private_subnets_a.id
		90  |   vpc_security_group_ids = [aws_security_group.edw_db_security_group.id]
		91  |   user_data = base64encode(templatefile("edw-ec2-user-data.sh", {
		92  |     edw_app_name         = local.application_data.accounts[local.environment].edw_AppName
		93  |     edw_dns_extension    = local.application_data.accounts[local.environment].edw_dns_extension
		94  |     edw_environment      = local.application_data.accounts[local.environment].edw_environment
		95  |     edw_region           = local.application_data.accounts[local.environment].edw_region
		96  |     edw_ec2_role         = aws_iam_role.edw_ec2_role.name
		97  |     edw_s3_backup_bucket = local.application_data.accounts[local.environment].edw_s3_backup_bucket
		98  |     edw_cis_ip           = local.application_data.accounts[local.environment].edw_cis_ip
		99  |     edw_eric_ip          = local.application_data.accounts[local.environment].edw_eric_ip
		100 |     edw_ccms_ip          = local.application_data.accounts[local.environment].edw_ccms_ip
		101 |   }))
		102 | 
		103 | 
		104 |   ebs_block_device {
		105 |     device_name = "/dev/sda1"
		106 |     volume_size = local.application_data.accounts[local.environment].edw_root_volume_size
		107 |     tags = merge(
		108 |       local.tags,
		109 |       { "Name" = "${local.application_name}-root-volume" },
		110 |     )
		111 |   }
		112 | 
		113 |   metadata_options {
		114 |     http_endpoint               = "enabled"
		115 |     http_put_response_hop_limit = 2
		116 |   }
		117 | 
		118 |   lifecycle {
		119 |     create_before_destroy = true
		120 |   }
		121 | 
		122 |   tags = merge(
		123 |     local.tags,
		124 |     {
		125 |       Name = "${local.application_data.accounts[local.environment].database_ec2_name}"
		126 |     }
		127 |   )
		128 | }

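Three checks fail on `aws_instance.edw_db_instance`: CKV_AWS_79 (IMDSv1 still answers because `http_tokens` is unset), CKV_AWS_8 (the root volume has no `encrypted = true`) and CKV_AWS_135. The block below is an added example, not code from this PR or the ministryofjustice repository, showing the instance with all three fixed plus an account-level encryption default that also covers the volumes this PR transfers. It keeps the page's own `local.*` and resource references; the CMK resource is new and its name is an assumption.

```hcl
# Region-wide default: any volume created outside this file (console, snapshot restore, the
# transferred volumes) comes out encrypted, and a replacement root volume launched from an
# unencrypted AMI is encrypted at launch instead of inheriting the AMI's state.
resource "aws_ebs_encryption_by_default" "this" {
  enabled = true
}

resource "aws_kms_key" "ebs" {
  description         = "${local.application_name} EBS CMK"
  enable_key_rotation = true
}

resource "aws_instance" "edw_db_instance" {
  ami                    = local.application_data.accounts[local.environment].edw_ec2_ami_id
  availability_zone      = "eu-west-2a"
  instance_type          = local.application_data.accounts[local.environment].edw_ec2_instance_type
  iam_instance_profile   = aws_iam_instance_profile.edw_ec2_instance_profile.id
  key_name               = aws_key_pair.edw_ec2_key.key_name
  subnet_id              = data.aws_subnet.private_subnets_a.id
  vpc_security_group_ids = [aws_security_group.edw_db_security_group.id]
  ebs_optimized          = true # CKV_AWS_135; free on current-generation types, rejected only by old families such as t2
  user_data = base64encode(templatefile("edw-ec2-user-data.sh", {
    edw_app_name         = local.application_data.accounts[local.environment].edw_AppName
    edw_dns_extension    = local.application_data.accounts[local.environment].edw_dns_extension
    edw_environment      = local.application_data.accounts[local.environment].edw_environment
    edw_region           = local.application_data.accounts[local.environment].edw_region
    edw_ec2_role         = aws_iam_role.edw_ec2_role.name
    edw_s3_backup_bucket = local.application_data.accounts[local.environment].edw_s3_backup_bucket
    edw_cis_ip           = local.application_data.accounts[local.environment].edw_cis_ip
    edw_eric_ip          = local.application_data.accounts[local.environment].edw_eric_ip
    edw_ccms_ip          = local.application_data.accounts[local.environment].edw_ccms_ip
  }))

  # root_block_device is the provider's block for the boot disk; describing it as an
  # ebs_block_device on /dev/sda1 works but is where the missing encryption flag hid.
  root_block_device {
    volume_size = local.application_data.accounts[local.environment].edw_root_volume_size
    encrypted   = true # CKV_AWS_8
    kms_key_id  = aws_kms_key.ebs.arn
    tags        = merge(local.tags, { Name = "${local.application_name}-root-volume" })
  }

  metadata_options {
    http_endpoint               = "enabled"
    http_tokens                 = "required" # CKV_AWS_79: IMDSv2 only; a plain GET from an SSRF or a local process no longer returns role credentials
    http_put_response_hop_limit = 1          # single host, no containers; 2 is only needed when a bridge/NAT hop sits between the caller and IMDS
  }

  lifecycle {
    create_before_destroy = true
  }

  tags = merge(local.tags, { Name = local.application_data.accounts[local.environment].database_ec2_name })
}
```

Two things to check before applying. Enforcing IMDSv2 breaks any script or agent on the AMI that still does `curl http://169.254.169.254/latest/meta-data/` without a token; the EC2 metric `MetadataNoToken` for this instance should read zero for a week first. Switching the root volume to encrypted is not an in-place change: Terraform replaces the instance, and with `create_before_destroy` plus a fixed AZ both instances exist briefly, so any `aws_volume_attachment` for the transferred data volumes has to be re-pointed in the same apply.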
Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.db-master-password
	File: /secret-rotate.tf:13-23
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		13 | resource "aws_secretsmanager_secret" "db-master-password" {
		14 |   name        = "${local.application_name}/app/db-master-password-"
		15 |   description = "EDW DB EC2 Root Password"
		16 | 
		17 |   tags = merge(
		18 |     local.tags,
		19 |     {
		20 |       Name = "${local.application_name}-db-master-password"
		21 |     }
		22 |   )
		23 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.edw_db_ec2_root_secret
	File: /secret-rotate.tf:43-53
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		43 | resource "aws_secretsmanager_secret" "edw_db_ec2_root_secret" {
		44 |   name        = "${local.application_name}/app/db-EC2-root-password-${random_string.edw-root-secret_id_suffix.result}"
		45 |   description = "EDW DB EC2 Root Password"
		46 | 
		47 |   tags = merge(
		48 |     local.tags,
		49 |     {
		50 |       Name = "${local.application_name}-ec2-system-root-password"
		51 |     }
		52 |   )
		53 | }

Check: CKV_AWS_304: "Ensure Secrets Manager secrets should be rotated within 90 days"
	FAILED for resource: aws_secretsmanager_secret_rotation.edw_db_root_rotate
	File: /secret-rotate.tf:60-68
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-304

		60 | resource "aws_secretsmanager_secret_rotation" "edw_db_root_rotate" {
		61 |   secret_id           = aws_secretsmanager_secret.edw_db_ec2_root_secret.id
		62 |   rotation_lambda_arn = aws_lambda_function.rotate_secret_function.arn
		63 |   rotate_immediately  = true
		64 | 
		65 |   rotation_rules {
		66 |     automatically_after_days = local.application_data.accounts[local.environment].secret_rotation_frequency_days
		67 |   }
		68 | }
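CKV_AWS_149 fails on both secrets because they rely on the AWS-managed `aws/secretsmanager` key, and CKV_AWS_304 fails because the rotation interval comes from per-environment JSON that nothing bounds. The block below is an added example, not code from this PR or the ministryofjustice repository, showing the root secret on a customer-managed key, the interval capped at 90 days at plan time, and the one grant people forget: the rotation Lambda's role must be allowed to use the CMK, otherwise the first rotation fails with a KMS access error. Assumptions: the variable stands in for the page's `secret_rotation_frequency_days` JSON value, and the key and alias names are new.

```hcl
variable "secret_rotation_frequency_days" {
  description = "Rotation interval in days (stands in for the per-environment JSON value)"
  type        = number
  default     = 30
  validation {
    # Fail at plan time rather than in the scanner: CKV_AWS_304 requires <= 90 days.
    condition     = var.secret_rotation_frequency_days >= 1 && var.secret_rotation_frequency_days <= 90
    error_message = "secret_rotation_frequency_days must be between 1 and 90."
  }
}

# Unlike CloudWatch Logs, Secrets Manager calls KMS with the caller's own credentials, so the default
# key policy (account root, delegating to IAM) is enough; no service-principal statement is needed.
resource "aws_kms_key" "secrets" {
  description         = "${local.application_name} Secrets Manager CMK"
  enable_key_rotation = true
}

resource "aws_kms_alias" "secrets" {
  name          = "alias/${local.application_name}-secrets"
  target_key_id = aws_kms_key.secrets.key_id
}

resource "aws_secretsmanager_secret" "edw_db_ec2_root_secret" {
  name        = "${local.application_name}/app/db-EC2-root-password-${random_string.edw-root-secret_id_suffix.result}"
  description = "EDW DB EC2 Root Password"
  kms_key_id  = aws_kms_key.secrets.arn # CKV_AWS_149; the same line fixes db-master-password

  tags = merge(local.tags, { Name = "${local.application_name}-ec2-system-root-password" })
}

resource "aws_secretsmanager_secret_rotation" "edw_db_root_rotate" {
  secret_id           = aws_secretsmanager_secret.edw_db_ec2_root_secret.id
  rotation_lambda_arn = aws_lambda_function.rotate_secret_function.arn
  rotate_immediately  = true

  rotation_rules {
    automatically_after_days = var.secret_rotation_frequency_days # CKV_AWS_304 guaranteed by the validation above
  }
}

# The rotation function reads AWSCURRENT and writes AWSPENDING, both encrypted under the CMK.
data "aws_iam_policy_document" "rotation_lambda_kms" {
  statement {
    sid       = "UseSecretsCmk"
    actions   = ["kms:Decrypt", "kms:GenerateDataKey", "kms:DescribeKey"]
    resources = [aws_kms_key.secrets.arn]
    # Only through Secrets Manager, never as a direct KMS call from the function code.
    condition {
      test     = "StringEquals"
      variable = "kms:ViaService"
      values   = ["secretsmanager.eu-west-2.amazonaws.com"]
    }
  }
}

resource "aws_iam_role_policy" "rotation_lambda_kms" {
  role   = aws_iam_role.edw_lambda_function_execution_role.id
  policy = data.aws_iam_policy_document.rotation_lambda_kms.json
}
```

Changing `kms_key_id` on an existing secret is an in-place update, not a replacement, so the secret name and ARN survive. Because `rotate_immediately = true` triggers a rotation on apply, the KMS grant above must land in the same apply as the key change; check `aws secretsmanager describe-secret --secret-id <arn>` afterwards and confirm `LastRotatedDate` advanced rather than `RotationEnabled` being true with an error in the function's log group.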

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.rotate_secret_function
	File: /secret-rotate.tf:85-108
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		85  | resource "aws_lambda_function" "rotate_secret_function" {
		86  |   function_name = local.application_data.accounts[local.environment].lambda_function_name
		87  |   description   = local.application_data.accounts[local.environment].lambda_function_description
		88  |   role          = aws_iam_role.edw_lambda_function_execution_role.arn
		89  |   handler       = local.application_data.accounts[local.environment].lambda_function_handler
		90  |   runtime       = local.application_data.accounts[local.environment].lambda_function_runtime
		91  |   timeout       = local.application_data.accounts[local.environment].lambda_function_timeout
		92  | 
		93  |   filename         = data.archive_file.lambda_inline_code.output_path
		94  |   source_code_hash = data.archive_file.lambda_inline_code.output_base64sha256 # hash ensures that changes to inline code are always picked up by a plan/apply
		95  | 
		96  |   environment {
		97  |     variables = {
		98  |       SECRETS_MANAGER_ENDPOINT = "https://secretsmanager.eu-west-2.amazonaws.com"
		99  |     }
		100 |   }
		101 | 
		102 |   tags = merge(
		103 |     local.tags,
		104 |     {
		105 |       Name = "${local.application_name}-edw-secret-rotate-function"
		106 |     }
		107 |   )
		108 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.rotate_secret_function
	File: /secret-rotate.tf:85-108
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		85  | resource "aws_lambda_function" "rotate_secret_function" {
		86  |   function_name = local.application_data.accounts[local.environment].lambda_function_name
		87  |   description   = local.application_data.accounts[local.environment].lambda_function_description
		88  |   role          = aws_iam_role.edw_lambda_function_execution_role.arn
		89  |   handler       = local.application_data.accounts[local.environment].lambda_function_handler
		90  |   runtime       = local.application_data.accounts[local.environment].lambda_function_runtime
		91  |   timeout       = local.application_data.accounts[local.environment].lambda_function_timeout
		92  | 
		93  |   filename         = data.archive_file.lambda_inline_code.output_path
		94  |   source_code_hash = data.archive_file.lambda_inline_code.output_base64sha256 # hash ensures that changes to inline code are always picked up by a plan/apply
		95  | 
		96  |   environment {
		97  |     variables = {
		98  |       SECRETS_MANAGER_ENDPOINT = "https://secretsmanager.eu-west-2.amazonaws.com"
		99  |     }
		100 |   }
		101 | 
		102 |   tags = merge(
		103 |     local.tags,
		104 |     {
		105 |       Name = "${local.application_name}-edw-secret-rotate-function"
		106 |     }
		107 |   )
		108 | }

Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
	FAILED for resource: aws_lambda_function.rotate_secret_function
	File: /secret-rotate.tf:85-108
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1

		85  | resource "aws_lambda_function" "rotate_secret_function" {
		86  |   function_name = local.application_data.accounts[local.environment].lambda_function_name
		87  |   description   = local.application_data.accounts[local.environment].lambda_function_description
		88  |   role          = aws_iam_role.edw_lambda_function_execution_role.arn
		89  |   handler       = local.application_data.accounts[local.environment].lambda_function_handler
		90  |   runtime       = local.application_data.accounts[local.environment].lambda_function_runtime
		91  |   timeout       = local.application_data.accounts[local.environment].lambda_function_timeout
		92  | 
		93  |   filename         = data.archive_file.lambda_inline_code.output_path
		94  |   source_code_hash = data.archive_file.lambda_inline_code.output_base64sha256 # hash ensures that changes to inline code are always picked up by a plan/apply
		95  | 
		96  |   environment {
		97  |     variables = {
		98  |       SECRETS_MANAGER_ENDPOINT = "https://secretsmanager.eu-west-2.amazonaws.com"
		99  |     }
		100 |   }
		101 | 
		102 |   tags = merge(
		103 |     local.tags,
		104 |     {
		105 |       Name = "${local.application_name}-edw-secret-rotate-function"
		106 |     }
		107 |   )
		108 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.rotate_secret_function
	File: /secret-rotate.tf:85-108
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		85  | resource "aws_lambda_function" "rotate_secret_function" {
		86  |   function_name = local.application_data.accounts[local.environment].lambda_function_name
		87  |   description   = local.application_data.accounts[local.environment].lambda_function_description
		88  |   role          = aws_iam_role.edw_lambda_function_execution_role.arn
		89  |   handler       = local.application_data.accounts[local.environment].lambda_function_handler
		90  |   runtime       = local.application_data.accounts[local.environment].lambda_function_runtime
		91  |   timeout       = local.application_data.accounts[local.environment].lambda_function_timeout
		92  | 
		93  |   filename         = data.archive_file.lambda_inline_code.output_path
		94  |   source_code_hash = data.archive_file.lambda_inline_code.output_base64sha256 # hash ensures that changes to inline code are always picked up by a plan/apply
		95  | 
		96  |   environment {
		97  |     variables = {
		98  |       SECRETS_MANAGER_ENDPOINT = "https://secretsmanager.eu-west-2.amazonaws.com"
		99  |     }
		100 |   }
		101 | 
		102 |   tags = merge(
		103 |     local.tags,
		104 |     {
		105 |       Name = "${local.application_name}-edw-secret-rotate-function"
		106 |     }
		107 |   )
		108 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.rotate_secret_function
	File: /secret-rotate.tf:85-108
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		85  | resource "aws_lambda_function" "rotate_secret_function" {
		86  |   function_name = local.application_data.accounts[local.environment].lambda_function_name
		87  |   description   = local.application_data.accounts[local.environment].lambda_function_description
		88  |   role          = aws_iam_role.edw_lambda_function_execution_role.arn
		89  |   handler       = local.application_data.accounts[local.environment].lambda_function_handler
		90  |   runtime       = local.application_data.accounts[local.environment].lambda_function_runtime
		91  |   timeout       = local.application_data.accounts[local.environment].lambda_function_timeout
		92  | 
		93  |   filename         = data.archive_file.lambda_inline_code.output_path
		94  |   source_code_hash = data.archive_file.lambda_inline_code.output_base64sha256 # hash ensures that changes to inline code are always picked up by a plan/apply
		95  | 
		96  |   environment {
		97  |     variables = {
		98  |       SECRETS_MANAGER_ENDPOINT = "https://secretsmanager.eu-west-2.amazonaws.com"
		99  |     }
		100 |   }
		101 | 
		102 |   tags = merge(
		103 |     local.tags,
		104 |     {
		105 |       Name = "${local.application_name}-edw-secret-rotate-function"
		106 |     }
		107 |   )
		108 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.rotate_secret_function
	File: /secret-rotate.tf:85-108
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		85  | resource "aws_lambda_function" "rotate_secret_function" {
		86  |   function_name = local.application_data.accounts[local.environment].lambda_function_name
		87  |   description   = local.application_data.accounts[local.environment].lambda_function_description
		88  |   role          = aws_iam_role.edw_lambda_function_execution_role.arn
		89  |   handler       = local.application_data.accounts[local.environment].lambda_function_handler
		90  |   runtime       = local.application_data.accounts[local.environment].lambda_function_runtime
		91  |   timeout       = local.application_data.accounts[local.environment].lambda_function_timeout
		92  | 
		93  |   filename         = data.archive_file.lambda_inline_code.output_path
		94  |   source_code_hash = data.archive_file.lambda_inline_code.output_base64sha256 # hash ensures that changes to inline code are always picked up by a plan/apply
		95  | 
		96  |   environment {
		97  |     variables = {
		98  |       SECRETS_MANAGER_ENDPOINT = "https://secretsmanager.eu-west-2.amazonaws.com"
		99  |     }
		100 |   }
		101 | 
		102 |   tags = merge(
		103 |     local.tags,
		104 |     {
		105 |       Name = "${local.application_name}-edw-secret-rotate-function"
		106 |     }
		107 |   )
		108 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.edw_lambda_function_execution_role_policy
	File: /secret-rotate.tf:127-181
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_policy.edw_lambda_function_execution_role_policy
	File: /secret-rotate.tf:127-181
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.edw_lambda_function_execution_role_policy
	File: /secret-rotate.tf:127-181
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_364: "Ensure that AWS Lambda function permissions delegated to AWS services are limited by SourceArn or SourceAccount"
	FAILED for resource: aws_lambda_permission.rotate_secret_function_permission
	File: /secret-rotate.tf:189-193
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-364

		189 | resource "aws_lambda_permission" "rotate_secret_function_permission" {
		190 |   action        = "lambda:InvokeFunction"
		191 |   function_name = aws_lambda_function.rotate_secret_function.function_name
		192 |   principal     = "secretsmanager.amazonaws.com"
		193 | }
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /backup_lambda.tf:101-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		101 | resource "aws_s3_bucket" "backup_lambda" {
		102 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		103 |   tags = merge(
		104 |     local.tags,
		105 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		106 |   )
		107 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /backup_lambda.tf:101-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		101 | resource "aws_s3_bucket" "backup_lambda" {
		102 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		103 |   tags = merge(
		104 |     local.tags,
		105 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		106 |   )
		107 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.db-master-password
	File: /secret-rotate.tf:13-23
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		13 | resource "aws_secretsmanager_secret" "db-master-password" {
		14 |   name        = "${local.application_name}/app/db-master-password-"
		15 |   description = "EDW DB EC2 Root Password"
		16 | 
		17 |   tags = merge(
		18 |     local.tags,
		19 |     {
		20 |       Name = "${local.application_name}-db-master-password"
		21 |     }
		22 |   )
		23 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /backup_lambda.tf:101-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		101 | resource "aws_s3_bucket" "backup_lambda" {
		102 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		103 |   tags = merge(
		104 |     local.tags,
		105 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		106 |   )
		107 | }

Check: CKV2_AWS_65: "Ensure access control lists for S3 buckets are disabled"
	FAILED for resource: aws_s3_bucket_ownership_controls.backup_lambda
	File: /backup_lambda.tf:124-129
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-112

		124 | resource "aws_s3_bucket_ownership_controls" "backup_lambda" {
		125 |   bucket = aws_s3_bucket.backup_lambda.id
		126 |   rule {
		127 |     object_ownership = "ObjectWriter"
		128 |   }
		129 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /backup_lambda.tf:101-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		101 | resource "aws_s3_bucket" "backup_lambda" {
		102 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		103 |   tags = merge(
		104 |     local.tags,
		105 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		106 |   )
		107 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /backup_lambda.tf:101-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		101 | resource "aws_s3_bucket" "backup_lambda" {
		102 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		103 |   tags = merge(
		104 |     local.tags,
		105 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		106 |   )
		107 | }


checkov_exitcode=1

tflint Scan Failed

Show Output
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
terraform/environments/edw

*****************************

Running tflint in terraform/environments/edw
Excluding the following checks: terraform_unused_declarations
5 issue(s) found:

Warning: Missing version constraint for provider "time" in `required_providers` (terraform_required_providers)

  on terraform/environments/edw/backup_lambda.tf line 119:
 119: resource "time_sleep" "wait_for_provision_files" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/edw/ec2.tf line 125:
 125:       Name = "${local.application_data.accounts[local.environment].database_ec2_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "random" in `required_providers` (terraform_required_providers)

  on terraform/environments/edw/secret-rotate.tf line 38:
  38: resource "random_string" "edw-initial_root_secret_value" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "archive" in `required_providers` (terraform_required_providers)

  on terraform/environments/edw/secret-rotate.tf line 75:
  75: data "archive_file" "lambda_inline_code" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/edw/secret-rotate.tf line 81:
  81:     content  = file("${local.application_data.accounts[local.environment].lambda_function_inline_code_filename}")

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

tflint_exitcode=2

Trivy Scan Failed

Show Output
*****************************

Trivy will check the following folders:
terraform/environments/edw

*****************************

Running Trivy in terraform/environments/edw
2024-07-15T14:59:56Z	INFO	Need to update DB
2024-07-15T14:59:56Z	INFO	Downloading DB...	repository="ghcr.io/aquasecurity/trivy-db:2"
2024-07-15T14:59:58Z	INFO	Vulnerability scanning is enabled
2024-07-15T14:59:58Z	INFO	Misconfiguration scanning is enabled
2024-07-15T14:59:58Z	INFO	Need to update the built-in policies
2024-07-15T14:59:58Z	INFO	Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s
2024-07-15T14:59:58Z	INFO	Secret scanning is enabled
2024-07-15T14:59:58Z	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-07-15T14:59:58Z	INFO	Please see also https://aquasecurity.github.io/trivy/v0.53/docs/scanner/secret#recommendation for faster secret detection
2024-07-15T14:59:59Z	INFO	Number of language-specific files	num=0
2024-07-15T14:59:59Z	INFO	Detected config files	num=7

backup_lambda.tf (terraform)
============================
Tests: 54 (SUCCESSES: 7, FAILURES: 3, EXCEPTIONS: 44)
Failures: 3 (HIGH: 2, CRITICAL: 1)

HIGH: Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.

See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
 backup_lambda.tf:101-107
────────────────────────────────────────
 101resource "aws_s3_bucket" "backup_lambda" {
 102bucket = "${local.application_name}-${local.environment}-backup-lambda"
 103tags = merge(
 104 │     local.tags,
 105 │     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
 106 │   )
 107 └ }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 backup_lambda.tf:194
   via backup_lambda.tf:189-195 (egress)
    via backup_lambda.tf:184-201 (aws_security_group.backup_lambda)
────────────────────────────────────────
 184   resource "aws_security_group" "backup_lambda" {
 ...   
 194 [     cidr_blocks = ["0.0.0.0/0"]
 ...   
 201   }
────────────────────────────────────────


HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 backup_lambda.tf:101-107
────────────────────────────────────────
 101resource "aws_s3_bucket" "backup_lambda" {
 102 │   bucket = "${local.application_name}-${local.environment}-backup-lambda"
 103 │   tags = merge(
 104 │     local.tags,
 105 │     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
 106 │   )
 107 └ }
────────────────────────────────────────



cw.tf (terraform)
=================
Tests: 2 (SUCCESSES: 1, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Topic does not have encryption enabled.
════════════════════════════════════════
Topics should be encrypted to protect their contents.

See https://avd.aquasec.com/misconfig/avd-aws-0095
────────────────────────────────────────
 cw.tf:558-566
────────────────────────────────────────
 558resource "aws_sns_topic" "edw_alerting_topic" {
 559 │   name = "${local.application_name}-SNS-topic"
 560 │   tags = merge(
 561 │     local.tags,
 562 │     {
 563 │       Name = "${local.application_name}-edw-alerting-topic"
 564 │     }
 565 │   )
 566 └ }
────────────────────────────────────────



ec2.tf (terraform)
==================
Tests: 16 (SUCCESSES: 13, FAILURES: 3, EXCEPTIONS: 0)
Failures: 3 (HIGH: 3, CRITICAL: 0)

HIGH: Instance does not require IMDS access to require a token
════════════════════════════════════════

IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.
By default the aws_instance resource sets IMDS session auth tokens to be optional.
To fully protect IMDS you need to enable session tokens by using the metadata_options block with its http_tokens variable set to required.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 ec2.tf:113-116
   via ec2.tf:83-128 (aws_instance.edw_db_instance)
────────────────────────────────────────
  83   resource "aws_instance" "edw_db_instance" {
  ..   
 113 ┌   metadata_options {
 114 │     http_endpoint               = "enabled"
 115 │     http_put_response_hop_limit = 2
 116 └   }
 ...   
 128   }
────────────────────────────────────────


HIGH: EBS block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.

See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
 ec2.tf:83-128
────────────────────────────────────────
  83resource "aws_instance" "edw_db_instance" {
  84 │   ami                    = local.application_data.accounts[local.environment].edw_ec2_ami_id
  85 │   availability_zone      = "eu-west-2a"
  86 │   instance_type          = local.application_data.accounts[local.environment].edw_ec2_instance_type
  87 │   iam_instance_profile   = aws_iam_instance_profile.edw_ec2_instance_profile.id
  88 │   key_name               = aws_key_pair.edw_ec2_key.key_name
  89 │   subnet_id              = data.aws_subnet.private_subnets_a.id
  90 │   vpc_security_group_ids = [aws_security_group.edw_db_security_group.id]
  91 └   user_data = base64encode(templatefile("edw-ec2-user-data.sh", {
  ..   
────────────────────────────────────────


HIGH: Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.

See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
 ec2.tf:83-128
────────────────────────────────────────
  83 ┌ resource "aws_instance" "edw_db_instance" {
  84 │   ami                    = local.application_data.accounts[local.environment].edw_ec2_ami_id
  85 │   availability_zone      = "eu-west-2a"
  86 │   instance_type          = local.application_data.accounts[local.environment].edw_ec2_instance_type
  87 │   iam_instance_profile   = aws_iam_instance_profile.edw_ec2_instance_profile.id
  88 │   key_name               = aws_key_pair.edw_ec2_key.key_name
  89 │   subnet_id              = data.aws_subnet.private_subnets_a.id
  90 │   vpc_security_group_ids = [aws_security_group.edw_db_security_group.id]
  91 └   user_data = base64encode(templatefile("edw-ec2-user-data.sh", {
  ..   
────────────────────────────────────────



github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0/main.tf (terraform)
==========================================================================================================
Tests: 16 (SUCCESSES: 5, FAILURES: 0, EXCEPTIONS: 11)
Failures: 0 (HIGH: 0, CRITICAL: 0)


secret-rotate.tf (terraform)
============================
Tests: 1 (SUCCESSES: 0, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Lambda permission lacks source ARN for *.amazonaws.com principal.
════════════════════════════════════════
When the principal is an AWS service, the ARN of the specific resource within that service to grant permission to. 

Without this, any resource from principal will be granted permission – even if that resource is from another account. 

For S3, this should be the ARN of the S3 Bucket. For CloudWatch Events, this should be the ARN of the CloudWatch Events Rule. For API Gateway, this should be the ARN of the API

See https://avd.aquasec.com/misconfig/avd-aws-0067
────────────────────────────────────────
 secret-rotate.tf:189-193
────────────────────────────────────────
 189 ┌ resource "aws_lambda_permission" "rotate_secret_function_permission" {
 190 │   action        = "lambda:InvokeFunction"
 191 │   function_name = aws_lambda_function.rotate_secret_function.function_name
 192 │   principal     = "secretsmanager.amazonaws.com"
 193 └ }
────────────────────────────────────────


trivy_exitcode=1
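
The Trivy and Checkov findings above are all configuration gaps with a one-block fix each. The following Terraform is an added example written for this page, not code from the PR or from the modernisation-platform-environments repository: it shows the hardened form of each flagged resource (the Lambda permission, the backup_lambda bucket and its ownership controls, the edw_alerting_topic SNS topic, and the edw_db_instance metadata and block devices). The resource names and `local.*` references are the ones visible in the scanner output; the `aws_kms_key.edw` customer-managed key, the `aws_caller_identity` data source, the `/dev/sdf` data volume and its size are assumptions for the example.

```terraform
# Added example, not the project's own code. Hardened counterparts of the
# resources flagged by Trivy/Checkov in the scan output above.
# Assumed for the example: aws_kms_key.edw, data.aws_caller_identity.current,
# and the /dev/sdf data volume.

data "aws_caller_identity" "current" {}

# One customer-managed key shared by the bucket, the topic and the volumes
# (CKV_AWS_145, avd-aws-0132, avd-aws-0095). Rotation on, so key material ages out.
resource "aws_kms_key" "edw" {
  description         = "EDW CMK for S3, SNS and EBS at-rest encryption"
  enable_key_rotation = true
}

# CKV_AWS_364 / avd-aws-0067: without a source constraint, any Secrets Manager
# secret in any account could invoke this function. The AWS rotation docs
# condition on aws:SourceAccount, which is source_account in Terraform.
resource "aws_lambda_permission" "rotate_secret_function_permission" {
  statement_id   = "AllowSecretsManagerInvoke"
  action         = "lambda:InvokeFunction"
  function_name  = aws_lambda_function.rotate_secret_function.function_name
  principal      = "secretsmanager.amazonaws.com"
  source_account = data.aws_caller_identity.current.account_id
}

# avd-aws-0088 / CKV_AWS_145: default SSE-KMS with the CMK; bucket keys cut
# the per-object KMS call volume.
resource "aws_s3_bucket_server_side_encryption_configuration" "backup_lambda" {
  bucket = aws_s3_bucket.backup_lambda.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"
      kms_master_key_id = aws_kms_key.edw.arn
    }
    bucket_key_enabled = true
  }
}

# CKV2_AWS_65: ObjectWriter keeps ACLs live; BucketOwnerEnforced disables them
# so access is governed by IAM and the bucket policy only.
resource "aws_s3_bucket_ownership_controls" "backup_lambda" {
  bucket = aws_s3_bucket.backup_lambda.id
  rule {
    object_ownership = "BucketOwnerEnforced"
  }
}

resource "aws_s3_bucket_public_access_block" "backup_lambda" {
  bucket                  = aws_s3_bucket.backup_lambda.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# avd-aws-0095: encrypt the alerting topic at rest. The key policy must also
# allow cloudwatch.amazonaws.com kms:GenerateDataKey* and kms:Decrypt, or
# alarm notifications fail without an error in the alarm itself.
resource "aws_sns_topic" "edw_alerting_topic" {
  name              = "${local.application_name}-SNS-topic"
  kms_master_key_id = aws_kms_key.edw.id
}

# avd-aws-0028: http_tokens = "required" rejects IMDSv1 GETs, closing the
# classic SSRF-to-credential path. avd-aws-0131: encrypt root and data volumes.
resource "aws_instance" "edw_db_instance" {
  ami           = local.application_data.accounts[local.environment].edw_ec2_ami_id
  instance_type = local.application_data.accounts[local.environment].edw_ec2_instance_type
  subnet_id     = data.aws_subnet.private_subnets_a.id

  metadata_options {
    http_endpoint               = "enabled"
    http_tokens                 = "required"
    http_put_response_hop_limit = 2
  }

  root_block_device {
    encrypted  = true
    kms_key_id = aws_kms_key.edw.arn
  }

  ebs_block_device {
    device_name = "/dev/sdf" # assumed data volume for the example
    volume_size = 100
    encrypted   = true
    kms_key_id  = aws_kms_key.edw.arn
  }
}
```

Two caveats before applying this to a live environment. Turning on root volume encryption replaces the instance, and an unencrypted snapshot has to be copied with encryption enabled before a volume or AMI built from it can be attached to the encrypted instance, which matters for a PR that is transferring existing EBS volumes. Checkov's CKV_AWS_364 accepts `source_account`, but Trivy's avd-aws-0067 looks specifically for `source_arn` and may keep flagging the permission; set `source_arn` only where the calling service actually populates aws:SourceArn, otherwise suppress that one finding with a written justification rather than widening the grant. The IAM findings (CKV_AWS_287/288/290/355) need a separate change: scope `s3:*` to the backup_lambda bucket and its objects, `ssm:*` to the EC2_SSH_KEY parameter, and drop the `Resource: "*"` on the write actions.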

Signed-off-by: Fani Foteva <[email protected]>
@ffteva-moj temporarily deployed to edw-development July 15, 2024 15:06 with GitHub Actions

Trivy Scan Failed

Show Output

Trivy will check the following folders:
terraform/environments/edw


Running Trivy in terraform/environments/edw
2024-07-15T15:07:03Z INFO Need to update DB
2024-07-15T15:07:03Z INFO Downloading DB... repository="ghcr.io/aquasecurity/trivy-db:2"
2024-07-15T15:07:05Z INFO Vulnerability scanning is enabled
2024-07-15T15:07:05Z INFO Misconfiguration scanning is enabled
2024-07-15T15:07:05Z INFO Need to update the built-in policies
2024-07-15T15:07:05Z INFO Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s
2024-07-15T15:07:06Z INFO Secret scanning is enabled
2024-07-15T15:07:06Z INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-07-15T15:07:06Z INFO Please see also https://aquasecurity.github.io/trivy/v0.53/docs/scanner/secret#recommendation for faster secret detection
2024-07-15T15:07:09Z INFO Number of language-specific files num=0
2024-07-15T15:07:09Z INFO Detected config files num=7

backup_lambda.tf (terraform)

Tests: 54 (SUCCESSES: 7, FAILURES: 3, EXCEPTIONS: 44)
Failures: 3 (HIGH: 2, CRITICAL: 1)

HIGH: Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.

See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
backup_lambda.tf:101-107
────────────────────────────────────────
101 ┌ resource "aws_s3_bucket" "backup_lambda" {
102 │ bucket = "${local.application_name}-${local.environment}-backup-lambda"
103 │ tags = merge(
104 │ local.tags,
105 │ { Name = "${local.application_name}-${local.environment}-backup-lambda" }
106 │ )
107 └ }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
backup_lambda.tf:194
via backup_lambda.tf:189-195 (egress)
via backup_lambda.tf:184-201 (aws_security_group.backup_lambda)
────────────────────────────────────────
184 resource "aws_security_group" "backup_lambda" {
...
194 [ cidr_blocks = ["0.0.0.0/0"]
...
201 }
────────────────────────────────────────

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
backup_lambda.tf:101-107
────────────────────────────────────────
101 ┌ resource "aws_s3_bucket" "backup_lambda" {
102 │ bucket = "${local.application_name}-${local.environment}-backup-lambda"
103 │ tags = merge(
104 │ local.tags,
105 │ { Name = "${local.application_name}-${local.environment}-backup-lambda" }
106 │ )
107 └ }
────────────────────────────────────────

cw.tf (terraform)

Tests: 2 (SUCCESSES: 1, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Topic does not have encryption enabled.
════════════════════════════════════════
Topics should be encrypted to protect their contents.

See https://avd.aquasec.com/misconfig/avd-aws-0095
────────────────────────────────────────
cw.tf:558-566
────────────────────────────────────────
558 ┌ resource "aws_sns_topic" "edw_alerting_topic" {
559 │ name = "${local.application_name}-SNS-topic"
560 │ tags = merge(
561 │ local.tags,
562 │ {
563 │ Name = "${local.application_name}-edw-alerting-topic"
564 │ }
565 │ )
566 └ }
────────────────────────────────────────

ec2.tf (terraform)

Tests: 16 (SUCCESSES: 13, FAILURES: 3, EXCEPTIONS: 0)
Failures: 3 (HIGH: 3, CRITICAL: 0)

HIGH: Instance does not require IMDS access to require a token
════════════════════════════════════════

IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.
By default aws_instance resource sets IMDS session auth tokens to be optional.
To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
ec2.tf:113-116
via ec2.tf:83-128 (aws_instance.edw_db_instance)
────────────────────────────────────────
83 resource "aws_instance" "edw_db_instance" {
..
113 ┌ metadata_options {
114 │ http_endpoint = "enabled"
115 │ http_put_response_hop_limit = 2
116 └ }
...
128 }
────────────────────────────────────────

HIGH: EBS block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.

See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
ec2.tf:83-128
────────────────────────────────────────
83 ┌ resource "aws_instance" "edw_db_instance" {
84 │ ami = local.application_data.accounts[local.environment].edw_ec2_ami_id
85 │ availability_zone = "eu-west-2a"
86 │ instance_type = local.application_data.accounts[local.environment].edw_ec2_instance_type
87 │ iam_instance_profile = aws_iam_instance_profile.edw_ec2_instance_profile.id
88 │ key_name = aws_key_pair.edw_ec2_key.key_name
89 │ subnet_id = data.aws_subnet.private_subnets_a.id
90 │ vpc_security_group_ids = [aws_security_group.edw_db_security_group.id]
91 └ user_data = base64encode(templatefile("edw-ec2-user-data.sh", {
..
────────────────────────────────────────

HIGH: Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.

See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
ec2.tf:83-128
────────────────────────────────────────
83 ┌ resource "aws_instance" "edw_db_instance" {
84 │ ami = local.application_data.accounts[local.environment].edw_ec2_ami_id
85 │ availability_zone = "eu-west-2a"
86 │ instance_type = local.application_data.accounts[local.environment].edw_ec2_instance_type
87 │ iam_instance_profile = aws_iam_instance_profile.edw_ec2_instance_profile.id
88 │ key_name = aws_key_pair.edw_ec2_key.key_name
89 │ subnet_id = data.aws_subnet.private_subnets_a.id
90 │ vpc_security_group_ids = [aws_security_group.edw_db_security_group.id]
91 └ user_data = base64encode(templatefile("edw-ec2-user-data.sh", {
..
────────────────────────────────────────

github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0/main.tf (terraform)

Tests: 16 (SUCCESSES: 5, FAILURES: 0, EXCEPTIONS: 11)
Failures: 0 (HIGH: 0, CRITICAL: 0)

secret-rotate.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Lambda permission lacks source ARN for *.amazonaws.com principal.
════════════════════════════════════════
When the principal is an AWS service, the ARN of the specific resource within that service to grant permission to.

Without this, any resource from principal will be granted permission – even if that resource is from another account.

For S3, this should be the ARN of the S3 Bucket. For CloudWatch Events, this should be the ARN of the CloudWatch Events Rule. For API Gateway, this should be the ARN of the API

See https://avd.aquasec.com/misconfig/avd-aws-0067
────────────────────────────────────────
secret-rotate.tf:189-193
────────────────────────────────────────
189 ┌ resource "aws_lambda_permission" "rotate_secret_function_permission" {
190 │ action = "lambda:InvokeFunction"
191 │ function_name = aws_lambda_function.rotate_secret_function.function_name
192 │ principal = "secretsmanager.amazonaws.com"
193 └ }
────────────────────────────────────────

trivy_exitcode=1

Checkov Scan Failed

Show Output

*****************************

Checkov will check the following folders:
terraform/environments/edw

*****************************

Running Checkov in terraform/environments/edw
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-07-15 15:07:12,095 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0:None (for external modules, the --download-external-modules flag is required)
2024-07-15 15:07:12,095 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 125, Failed checks: 62, Skipped checks: 0

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.ssh_key
	File: /backup_lambda.tf:7-22
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		7  | resource "aws_ssm_parameter" "ssh_key" {
		8  |   name        = "EC2_SSH_KEY" # This needs to match the name supplied to the dbconnect.js script
		9  |   description = "SSH Key used by Lambda function to access database instance for backup. Value is updated manually."
		10 |   type        = "SecureString"
		11 |   value       = "Placeholder"
		12 | 
		13 |   tags = merge(
		14 |     local.tags,
		15 |     { Name = "EC2_SSH_KEY" }
		16 |   )
		17 |   lifecycle {
		18 |     ignore_changes = [
		19 |       value,
		20 |     ]
		21 |   }
		22 | }

Check: CKV_AWS_287: "Ensure IAM policies does not allow credentials exposure"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /backup_lambda.tf:50-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-287

		50 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		51 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		52 |   tags = merge(
		53 |     local.tags,
		54 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		55 |   )
		56 |   policy = <<EOF
		57 | {
		58 |     "Version" : "2012-10-17",
		59 |     "Statement": [
		60 |         {
		61 |             "Action": [
		62 |                 "lambda:InvokeFunction",
		63 |                 "ec2:CreateNetworkInterface",
		64 |                 "ec2:DescribeNetworkInterfaces",
		65 |                 "ec2:DeleteNetworkInterface",
		66 |                 "ec2:DescribeSecurityGroups",
		67 |                 "ec2:CreateSnapshot",
		68 |                 "ec2:DeleteSnapshot",
		69 |                 "ec2:DescribeSubnets",
		70 |                 "ec2:DescribeVpcs",
		71 |                 "ec2:DescribeInstances",
		72 |                 "ec2:DescribeAddresses",
		73 |                 "ec2:DescribeInstanceStatus",
		74 |                 "ec2:DescribeVolumes",
		75 |                 "ec2:DescribeSnapshots",
		76 |                 "ec2:CreateTags",
		77 |                 "s3:*",
		78 |                 "ssm:*",
		79 |                 "ses:*",
		80 |                 "logs:*",
		81 |                 "cloudwatch:*",
		82 |                 "sts:AssumeRole"
		83 |             ],
		84 |             "Resource": "*",
		85 |             "Effect": "Allow"
		86 |         }
		87 |     ]
		88 | }
		89 | EOF
		90 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /backup_lambda.tf:50-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		50 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		51 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		52 |   tags = merge(
		53 |     local.tags,
		54 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		55 |   )
		56 |   policy = <<EOF
		57 | {
		58 |     "Version" : "2012-10-17",
		59 |     "Statement": [
		60 |         {
		61 |             "Action": [
		62 |                 "lambda:InvokeFunction",
		63 |                 "ec2:CreateNetworkInterface",
		64 |                 "ec2:DescribeNetworkInterfaces",
		65 |                 "ec2:DeleteNetworkInterface",
		66 |                 "ec2:DescribeSecurityGroups",
		67 |                 "ec2:CreateSnapshot",
		68 |                 "ec2:DeleteSnapshot",
		69 |                 "ec2:DescribeSubnets",
		70 |                 "ec2:DescribeVpcs",
		71 |                 "ec2:DescribeInstances",
		72 |                 "ec2:DescribeAddresses",
		73 |                 "ec2:DescribeInstanceStatus",
		74 |                 "ec2:DescribeVolumes",
		75 |                 "ec2:DescribeSnapshots",
		76 |                 "ec2:CreateTags",
		77 |                 "s3:*",
		78 |                 "ssm:*",
		79 |                 "ses:*",
		80 |                 "logs:*",
		81 |                 "cloudwatch:*",
		82 |                 "sts:AssumeRole"
		83 |             ],
		84 |             "Resource": "*",
		85 |             "Effect": "Allow"
		86 |         }
		87 |     ]
		88 | }
		89 | EOF
		90 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /backup_lambda.tf:50-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		50 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		51 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		52 |   tags = merge(
		53 |     local.tags,
		54 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		55 |   )
		56 |   policy = <<EOF
		57 | {
		58 |     "Version" : "2012-10-17",
		59 |     "Statement": [
		60 |         {
		61 |             "Action": [
		62 |                 "lambda:InvokeFunction",
		63 |                 "ec2:CreateNetworkInterface",
		64 |                 "ec2:DescribeNetworkInterfaces",
		65 |                 "ec2:DeleteNetworkInterface",
		66 |                 "ec2:DescribeSecurityGroups",
		67 |                 "ec2:CreateSnapshot",
		68 |                 "ec2:DeleteSnapshot",
		69 |                 "ec2:DescribeSubnets",
		70 |                 "ec2:DescribeVpcs",
		71 |                 "ec2:DescribeInstances",
		72 |                 "ec2:DescribeAddresses",
		73 |                 "ec2:DescribeInstanceStatus",
		74 |                 "ec2:DescribeVolumes",
		75 |                 "ec2:DescribeSnapshots",
		76 |                 "ec2:CreateTags",
		77 |                 "s3:*",
		78 |                 "ssm:*",
		79 |                 "ses:*",
		80 |                 "logs:*",
		81 |                 "cloudwatch:*",
		82 |                 "sts:AssumeRole"
		83 |             ],
		84 |             "Resource": "*",
		85 |             "Effect": "Allow"
		86 |         }
		87 |     ]
		88 | }
		89 | EOF
		90 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /backup_lambda.tf:50-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		50 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		51 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		52 |   tags = merge(
		53 |     local.tags,
		54 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		55 |   )
		56 |   policy = <<EOF
		57 | {
		58 |     "Version" : "2012-10-17",
		59 |     "Statement": [
		60 |         {
		61 |             "Action": [
		62 |                 "lambda:InvokeFunction",
		63 |                 "ec2:CreateNetworkInterface",
		64 |                 "ec2:DescribeNetworkInterfaces",
		65 |                 "ec2:DeleteNetworkInterface",
		66 |                 "ec2:DescribeSecurityGroups",
		67 |                 "ec2:CreateSnapshot",
		68 |                 "ec2:DeleteSnapshot",
		69 |                 "ec2:DescribeSubnets",
		70 |                 "ec2:DescribeVpcs",
		71 |                 "ec2:DescribeInstances",
		72 |                 "ec2:DescribeAddresses",
		73 |                 "ec2:DescribeInstanceStatus",
		74 |                 "ec2:DescribeVolumes",
		75 |                 "ec2:DescribeSnapshots",
		76 |                 "ec2:CreateTags",
		77 |                 "s3:*",
		78 |                 "ssm:*",
		79 |                 "ses:*",
		80 |                 "logs:*",
		81 |                 "cloudwatch:*",
		82 |                 "sts:AssumeRole"
		83 |             ],
		84 |             "Resource": "*",
		85 |             "Effect": "Allow"
		86 |         }
		87 |     ]
		88 | }
		89 | EOF
		90 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /backup_lambda.tf:50-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		50 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		51 |   name = "${local.application_name}-${local.environment}-backup-lambda-policy"
		52 |   tags = merge(
		53 |     local.tags,
		54 |     { Name = "${local.application_name}-${local.environment}-backup-lambda-policy" }
		55 |   )
		56 |   policy = <<EOF
		57 | {
		58 |     "Version" : "2012-10-17",
		59 |     "Statement": [
		60 |         {
		61 |             "Action": [
		62 |                 "lambda:InvokeFunction",
		63 |                 "ec2:CreateNetworkInterface",
		64 |                 "ec2:DescribeNetworkInterfaces",
		65 |                 "ec2:DeleteNetworkInterface",
		66 |                 "ec2:DescribeSecurityGroups",
		67 |                 "ec2:CreateSnapshot",
		68 |                 "ec2:DeleteSnapshot",
		69 |                 "ec2:DescribeSubnets",
		70 |                 "ec2:DescribeVpcs",
		71 |                 "ec2:DescribeInstances",
		72 |                 "ec2:DescribeAddresses",
		73 |                 "ec2:DescribeInstanceStatus",
		74 |                 "ec2:DescribeVolumes",
		75 |                 "ec2:DescribeSnapshots",
		76 |                 "ec2:CreateTags",
		77 |                 "s3:*",
		78 |                 "ssm:*",
		79 |                 "ses:*",
		80 |                 "logs:*",
		81 |                 "cloudwatch:*",
		82 |                 "sts:AssumeRole"
		83 |             ],
		84 |             "Resource": "*",
		85 |             "Effect": "Allow"
		86 |         }
		87 |     ]
		88 | }
		89 | EOF
		90 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /backup_lambda.tf:215-243
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		215 | resource "aws_lambda_function" "create_db_snapshots" {
		216 | 
		217 |   description      = "Snapshot volumes for Oracle EC2"
		218 |   function_name    = "snapshotDBFunction"
		219 |   role             = aws_iam_role.backup_lambda.arn
		220 |   handler          = "snapshot/dbsnapshot.handler"
		221 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		222 |   runtime          = "nodejs18.x"
		223 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		224 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		225 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		226 |   memory_size      = 128
		227 |   timeout          = 900
		228 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		229 | 
		230 |   environment {
		231 |     variables = {
		232 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		233 |     }
		234 |   }
		235 |   vpc_config {
		236 |     security_group_ids = [aws_security_group.backup_lambda.id]
		237 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		238 |   }
		239 |   tags = merge(
		240 |     local.tags,
		241 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		242 |   )
		243 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /backup_lambda.tf:215-243
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		215 | resource "aws_lambda_function" "create_db_snapshots" {
		216 | 
		217 |   description      = "Snapshot volumes for Oracle EC2"
		218 |   function_name    = "snapshotDBFunction"
		219 |   role             = aws_iam_role.backup_lambda.arn
		220 |   handler          = "snapshot/dbsnapshot.handler"
		221 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		222 |   runtime          = "nodejs18.x"
		223 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		224 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		225 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		226 |   memory_size      = 128
		227 |   timeout          = 900
		228 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		229 | 
		230 |   environment {
		231 |     variables = {
		232 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		233 |     }
		234 |   }
		235 |   vpc_config {
		236 |     security_group_ids = [aws_security_group.backup_lambda.id]
		237 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		238 |   }
		239 |   tags = merge(
		240 |     local.tags,
		241 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		242 |   )
		243 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /backup_lambda.tf:215-243
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		215 | resource "aws_lambda_function" "create_db_snapshots" {
		216 | 
		217 |   description      = "Snapshot volumes for Oracle EC2"
		218 |   function_name    = "snapshotDBFunction"
		219 |   role             = aws_iam_role.backup_lambda.arn
		220 |   handler          = "snapshot/dbsnapshot.handler"
		221 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		222 |   runtime          = "nodejs18.x"
		223 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		224 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		225 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		226 |   memory_size      = 128
		227 |   timeout          = 900
		228 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		229 | 
		230 |   environment {
		231 |     variables = {
		232 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		233 |     }
		234 |   }
		235 |   vpc_config {
		236 |     security_group_ids = [aws_security_group.backup_lambda.id]
		237 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		238 |   }
		239 |   tags = merge(
		240 |     local.tags,
		241 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		242 |   )
		243 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /backup_lambda.tf:215-243
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		215 | resource "aws_lambda_function" "create_db_snapshots" {
		216 | 
		217 |   description      = "Snapshot volumes for Oracle EC2"
		218 |   function_name    = "snapshotDBFunction"
		219 |   role             = aws_iam_role.backup_lambda.arn
		220 |   handler          = "snapshot/dbsnapshot.handler"
		221 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		222 |   runtime          = "nodejs18.x"
		223 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		224 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		225 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		226 |   memory_size      = 128
		227 |   timeout          = 900
		228 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		229 | 
		230 |   environment {
		231 |     variables = {
		232 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		233 |     }
		234 |   }
		235 |   vpc_config {
		236 |     security_group_ids = [aws_security_group.backup_lambda.id]
		237 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		238 |   }
		239 |   tags = merge(
		240 |     local.tags,
		241 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		242 |   )
		243 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.create_db_snapshots
	File: /backup_lambda.tf:215-243
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		215 | resource "aws_lambda_function" "create_db_snapshots" {
		216 | 
		217 |   description      = "Snapshot volumes for Oracle EC2"
		218 |   function_name    = "snapshotDBFunction"
		219 |   role             = aws_iam_role.backup_lambda.arn
		220 |   handler          = "snapshot/dbsnapshot.handler"
		221 |   source_code_hash = data.archive_file.create_db_snapshots.output_base64sha256
		222 |   runtime          = "nodejs18.x"
		223 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		224 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		225 |   s3_key           = "${local.create_db_snapshots_script_prefix}.zip"
		226 |   memory_size      = 128
		227 |   timeout          = 900
		228 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		229 | 
		230 |   environment {
		231 |     variables = {
		232 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		233 |     }
		234 |   }
		235 |   vpc_config {
		236 |     security_group_ids = [aws_security_group.backup_lambda.id]
		237 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		238 |   }
		239 |   tags = merge(
		240 |     local.tags,
		241 |     { Name = "${local.application_name}-${local.environment}-lambda-create-snapshot" }
		242 |   )
		243 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /backup_lambda.tf:245-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		245 | resource "aws_lambda_function" "delete_db_snapshots" {
		246 | 
		247 |   description      = "Clean up script to delete old unused snapshots"
		248 |   function_name    = "deletesnapshotFunction"
		249 |   role             = aws_iam_role.backup_lambda.arn
		250 |   handler          = "deletesnapshots.lambda_handler"
		251 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		252 |   runtime          = "python3.8"
		253 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		254 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		255 |   memory_size      = 3000
		256 |   timeout          = 900
		257 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		258 | 
		259 |   vpc_config {
		260 |     security_group_ids = [aws_security_group.backup_lambda.id]
		261 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		262 |   }
		263 |   tags = merge(
		264 |     local.tags,
		265 |     { Name = "${local.application_name}-${local.environment}-lambda-delete-snapshots" }
		266 |   )
		267 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /backup_lambda.tf:245-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		245 | resource "aws_lambda_function" "delete_db_snapshots" {
		246 | 
		247 |   description      = "Clean up script to delete old unused snapshots"
		248 |   function_name    = "deletesnapshotFunction"
		249 |   role             = aws_iam_role.backup_lambda.arn
		250 |   handler          = "deletesnapshots.lambda_handler"
		251 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		252 |   runtime          = "python3.8"
		253 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		254 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		255 |   memory_size      = 3000
		256 |   timeout          = 900
		257 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		258 | 
		259 |   vpc_config {
		260 |     security_group_ids = [aws_security_group.backup_lambda.id]
		261 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		262 |   }
		263 |   tags = merge(
		264 |     local.tags,
		265 |     { Name = "${local.application_name}-${local.environment}-lambda-delete-snapshots" }
		266 |   )
		267 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /backup_lambda.tf:245-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		245 | resource "aws_lambda_function" "delete_db_snapshots" {
		246 | 
		247 |   description      = "Clean up script to delete old unused snapshots"
		248 |   function_name    = "deletesnapshotFunction"
		249 |   role             = aws_iam_role.backup_lambda.arn
		250 |   handler          = "deletesnapshots.lambda_handler"
		251 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		252 |   runtime          = "python3.8"
		253 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		254 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		255 |   memory_size      = 3000
		256 |   timeout          = 900
		257 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		258 | 
		259 |   vpc_config {
		260 |     security_group_ids = [aws_security_group.backup_lambda.id]
		261 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		262 |   }
		263 |   tags = merge(
		264 |     local.tags,
		265 |     { Name = "${local.application_name}-${local.environment}-lambda-delete-snapshots" }
		266 |   )
		267 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /backup_lambda.tf:245-267
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		245 | resource "aws_lambda_function" "delete_db_snapshots" {
		246 | 
		247 |   description      = "Clean up script to delete old unused snapshots"
		248 |   function_name    = "deletesnapshotFunction"
		249 |   role             = aws_iam_role.backup_lambda.arn
		250 |   handler          = "deletesnapshots.lambda_handler"
		251 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		252 |   runtime          = "python3.8"
		253 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		254 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		255 |   memory_size      = 3000
		256 |   timeout          = 900
		257 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		258 | 
		259 |   vpc_config {
		260 |     security_group_ids = [aws_security_group.backup_lambda.id]
		261 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		262 |   }
		263 |   tags = merge(
		264 |     local.tags,
		265 |     { Name = "${local.application_name}-${local.environment}-lambda-delete-snapshots" }
		266 |   )
		267 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.connect_db
	File: /backup_lambda.tf:269-300
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		269 | resource "aws_lambda_function" "connect_db" {
		270 | 
		271 |   description      = "SSH to the DB EC2"
		272 |   function_name    = "connectDBFunction"
		273 |   role             = aws_iam_role.backup_lambda.arn
		274 |   handler          = "ssh/dbconnect.handler"
		275 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		276 |   runtime          = "nodejs18.x"
		277 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		278 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		279 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		280 |   memory_size      = 128
		281 |   timeout          = 900
		282 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		283 | 
		284 | 
		285 | 
		286 |   environment {
		287 |     variables = {
		288 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		289 | 
		290 |     }
		291 |   }
		292 |   vpc_config {
		293 |     security_group_ids = [aws_security_group.backup_lambda.id]
		294 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		295 |   }
		296 |   tags = merge(
		297 |     local.tags,
		298 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		299 |   )
		300 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.connect_db
	File: /backup_lambda.tf:269-300
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		269 | resource "aws_lambda_function" "connect_db" {
		270 | 
		271 |   description      = "SSH to the DB EC2"
		272 |   function_name    = "connectDBFunction"
		273 |   role             = aws_iam_role.backup_lambda.arn
		274 |   handler          = "ssh/dbconnect.handler"
		275 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		276 |   runtime          = "nodejs18.x"
		277 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		278 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		279 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		280 |   memory_size      = 128
		281 |   timeout          = 900
		282 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		283 | 
		284 | 
		285 | 
		286 |   environment {
		287 |     variables = {
		288 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		289 | 
		290 |     }
		291 |   }
		292 |   vpc_config {
		293 |     security_group_ids = [aws_security_group.backup_lambda.id]
		294 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		295 |   }
		296 |   tags = merge(
		297 |     local.tags,
		298 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		299 |   )
		300 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.connect_db
	File: /backup_lambda.tf:269-300
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		269 | resource "aws_lambda_function" "connect_db" {
		270 | 
		271 |   description      = "SSH to the DB EC2"
		272 |   function_name    = "connectDBFunction"
		273 |   role             = aws_iam_role.backup_lambda.arn
		274 |   handler          = "ssh/dbconnect.handler"
		275 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		276 |   runtime          = "nodejs18.x"
		277 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		278 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		279 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		280 |   memory_size      = 128
		281 |   timeout          = 900
		282 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		283 | 
		284 | 
		285 | 
		286 |   environment {
		287 |     variables = {
		288 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		289 | 
		290 |     }
		291 |   }
		292 |   vpc_config {
		293 |     security_group_ids = [aws_security_group.backup_lambda.id]
		294 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		295 |   }
		296 |   tags = merge(
		297 |     local.tags,
		298 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		299 |   )
		300 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.connect_db
	File: /backup_lambda.tf:269-300
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		269 | resource "aws_lambda_function" "connect_db" {
		270 | 
		271 |   description      = "SSH to the DB EC2"
		272 |   function_name    = "connectDBFunction"
		273 |   role             = aws_iam_role.backup_lambda.arn
		274 |   handler          = "ssh/dbconnect.handler"
		275 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		276 |   runtime          = "nodejs18.x"
		277 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		278 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		279 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		280 |   memory_size      = 128
		281 |   timeout          = 900
		282 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		283 | 
		284 | 
		285 | 
		286 |   environment {
		287 |     variables = {
		288 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		289 | 
		290 |     }
		291 |   }
		292 |   vpc_config {
		293 |     security_group_ids = [aws_security_group.backup_lambda.id]
		294 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		295 |   }
		296 |   tags = merge(
		297 |     local.tags,
		298 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		299 |   )
		300 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.connect_db
	File: /backup_lambda.tf:269-300
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		269 | resource "aws_lambda_function" "connect_db" {
		270 | 
		271 |   description      = "SSH to the DB EC2"
		272 |   function_name    = "connectDBFunction"
		273 |   role             = aws_iam_role.backup_lambda.arn
		274 |   handler          = "ssh/dbconnect.handler"
		275 |   source_code_hash = data.archive_file.connect_db.output_base64sha256
		276 |   runtime          = "nodejs18.x"
		277 |   layers           = [aws_lambda_layer_version.backup_lambda.arn]
		278 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		279 |   s3_key           = "${local.db_connect_script_prefix}.zip"
		280 |   memory_size      = 128
		281 |   timeout          = 900
		282 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		283 | 
		284 | 
		285 | 
		286 |   environment {
		287 |     variables = {
		288 |       LD_LIBRARY_PATH = "/opt/nodejs/node_modules/lib"
		289 | 
		290 |     }
		291 |   }
		292 |   vpc_config {
		293 |     security_group_ids = [aws_security_group.backup_lambda.id]
		294 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		295 |   }
		296 |   tags = merge(
		297 |     local.tags,
		298 |     { Name = "${local.application_name}-${local.environment}-lambda-connect-db" }
		299 |   )
		300 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: bastion_linux
	File: /bastion.tf:5-36
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		5  | module "bastion_linux" {
		6  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0"
		7  | 
		8  |   providers = {
		9  |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		10 |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		11 |   }
		12 | 
		13 |   # s3 - used for logs and user ssh public keys
		14 |   bucket_name = "bastion-${local.application_name}"
		15 | 
		16 |   # public keys
		17 |   public_key_data = local.public_key_data.keys[local.environment]
		18 | 
		19 |   # logs
		20 |   log_auto_clean       = "Enabled"
		21 |   log_standard_ia_days = 30  # days before moving to IA storage
		22 |   log_glacier_days     = 60  # days before moving to Glacier
		23 |   log_expiry_days      = 180 # days before log expiration
		24 | 
		25 |   # bastion
		26 |   allow_ssh_commands = false
		27 |   app_name           = var.networking[0].application
		28 |   business_unit      = local.vpc_name
		29 |   subnet_set         = local.subnet_set
		30 |   environment        = local.environment
		31 |   region             = "eu-west-2"
		32 | 
		33 |   # Tags
		34 |   tags_common = local.tags
		35 |   tags_prefix = terraform.workspace
		36 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.EC2LogGoup
	File: /cw.tf:5-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		5 | resource "aws_cloudwatch_log_group" "EC2LogGoup" {
		6 |   name              = "${local.application_name}-EC2"
		7 |   retention_in_days = 180
		8 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.EC2LogGoup
	File: /cw.tf:5-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		5 | resource "aws_cloudwatch_log_group" "EC2LogGoup" {
		6 |   name              = "${local.application_name}-EC2"
		7 |   retention_in_days = 180
		8 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.EDWLogGroupCfnInit
	File: /cw.tf:12-15
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		12 | resource "aws_cloudwatch_log_group" "EDWLogGroupCfnInit" {
		13 |   name              = "${local.application_name}-CfnInit"
		14 |   retention_in_days = 180
		15 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.EDWLogGroupCfnInit
	File: /cw.tf:12-15
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		12 | resource "aws_cloudwatch_log_group" "EDWLogGroupCfnInit" {
		13 |   name              = "${local.application_name}-CfnInit"
		14 |   retention_in_days = 180
		15 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.EDWLogGroupOracleAlerts
	File: /cw.tf:17-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		17 | resource "aws_cloudwatch_log_group" "EDWLogGroupOracleAlerts" {
		18 |   name              = "${local.application_name}-OracleAlerts"
		19 |   retention_in_days = 180
		20 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.EDWLogGroupOracleAlerts
	File: /cw.tf:17-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		17 | resource "aws_cloudwatch_log_group" "EDWLogGroupOracleAlerts" {
		18 |   name              = "${local.application_name}-OracleAlerts"
		19 |   retention_in_days = 180
		20 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.EDWLogGroupRman
	File: /cw.tf:22-26
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		22 | resource "aws_cloudwatch_log_group" "EDWLogGroupRman" {
		23 |   name              = "${local.application_name}-RMan"
		24 |   retention_in_days = 180
		25 | 
		26 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.EDWLogGroupRman
	File: /cw.tf:22-26
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		22 | resource "aws_cloudwatch_log_group" "EDWLogGroupRman" {
		23 |   name              = "${local.application_name}-RMan"
		24 |   retention_in_days = 180
		25 | 
		26 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.EDWLogGroupRmanArch
	File: /cw.tf:28-31
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		28 | resource "aws_cloudwatch_log_group" "EDWLogGroupRmanArch" {
		29 |   name              = "${local.application_name}-RManArch"
		30 |   retention_in_days = 180
		31 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.EDWLogGroupRmanArch
	File: /cw.tf:28-31
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		28 | resource "aws_cloudwatch_log_group" "EDWLogGroupRmanArch" {
		29 |   name              = "${local.application_name}-RManArch"
		30 |   retention_in_days = 180
		31 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.EDWLogGroupTBSFreespace
	File: /cw.tf:33-36
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		33 | resource "aws_cloudwatch_log_group" "EDWLogGroupTBSFreespace" {
		34 |   name              = "${local.application_name}-TBSFreespace"
		35 |   retention_in_days = 180
		36 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.EDWLogGroupTBSFreespace
	File: /cw.tf:33-36
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		33 | resource "aws_cloudwatch_log_group" "EDWLogGroupTBSFreespace" {
		34 |   name              = "${local.application_name}-TBSFreespace"
		35 |   retention_in_days = 180
		36 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.EDWLogGroupPMONstatus
	File: /cw.tf:38-41
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		38 | resource "aws_cloudwatch_log_group" "EDWLogGroupPMONstatus" {
		39 |   name              = "${local.application_name}-PMONstatus"
		40 |   retention_in_days = 180
		41 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.EDWLogGroupPMONstatus
	File: /cw.tf:38-41
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		38 | resource "aws_cloudwatch_log_group" "EDWLogGroupPMONstatus" {
		39 |   name              = "${local.application_name}-PMONstatus"
		40 |   retention_in_days = 180
		41 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.EDWLogGroupCDCstatus
	File: /cw.tf:43-46
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		43 | resource "aws_cloudwatch_log_group" "EDWLogGroupCDCstatus" {
		44 |   name              = "${local.application_name}-CDCstatus"
		45 |   retention_in_days = 180
		46 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.EDWLogGroupCDCstatus
	File: /cw.tf:43-46
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		43 | resource "aws_cloudwatch_log_group" "EDWLogGroupCDCstatus" {
		44 |   name              = "${local.application_name}-CDCstatus"
		45 |   retention_in_days = 180
		46 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.edw_alerting_topic
	File: /cw.tf:558-566
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		558 | resource "aws_sns_topic" "edw_alerting_topic" {
		559 |   name = "${local.application_name}-SNS-topic"
		560 |   tags = merge(
		561 |     local.tags,
		562 |     {
		563 |       Name = "${local.application_name}-edw-alerting-topic"
		564 |     }
		565 |   )
		566 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: edw_pagerduty_core_alerts
	File: /cw.tf:588-595
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		588 | module "edw_pagerduty_core_alerts" {
		589 |   depends_on = [
		590 |     aws_sns_topic.edw_alerting_topic
		591 |   ]
		592 |   source                    = "github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0"
		593 |   sns_topics                = [aws_sns_topic.edw_alerting_topic.name]
		594 |   pagerduty_integration_key = local.edw_pagerduty_integration_keys[local.edw_pagerduty_integration_key_name]
		595 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.edw_db_instance
	File: /ec2.tf:83-128
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		83  | resource "aws_instance" "edw_db_instance" {
		84  |   ami                    = local.application_data.accounts[local.environment].edw_ec2_ami_id
		85  |   availability_zone      = "eu-west-2a"
		86  |   instance_type          = local.application_data.accounts[local.environment].edw_ec2_instance_type
		87  |   iam_instance_profile   = aws_iam_instance_profile.edw_ec2_instance_profile.id
		88  |   key_name               = aws_key_pair.edw_ec2_key.key_name
		89  |   subnet_id              = data.aws_subnet.private_subnets_a.id
		90  |   vpc_security_group_ids = [aws_security_group.edw_db_security_group.id]
		91  |   user_data = base64encode(templatefile("edw-ec2-user-data.sh", {
		92  |     edw_app_name         = local.application_data.accounts[local.environment].edw_AppName
		93  |     edw_dns_extension    = local.application_data.accounts[local.environment].edw_dns_extension
		94  |     edw_environment      = local.application_data.accounts[local.environment].edw_environment
		95  |     edw_region           = local.application_data.accounts[local.environment].edw_region
		96  |     edw_ec2_role         = aws_iam_role.edw_ec2_role.name
		97  |     edw_s3_backup_bucket = local.application_data.accounts[local.environment].edw_s3_backup_bucket
		98  |     edw_cis_ip           = local.application_data.accounts[local.environment].edw_cis_ip
		99  |     edw_eric_ip          = local.application_data.accounts[local.environment].edw_eric_ip
		100 |     edw_ccms_ip          = local.application_data.accounts[local.environment].edw_ccms_ip
		101 |   }))
		102 | 
		103 | 
		104 |   ebs_block_device {
		105 |     device_name = "/dev/sda1"
		106 |     volume_size = local.application_data.accounts[local.environment].edw_root_volume_size
		107 |     tags = merge(
		108 |       local.tags,
		109 |       { "Name" = "${local.application_name}-root-volume" },
		110 |     )
		111 |   }
		112 | 
		113 |   metadata_options {
		114 |     http_endpoint               = "enabled"
		115 |     http_put_response_hop_limit = 2
		116 |   }
		117 | 
		118 |   lifecycle {
		119 |     create_before_destroy = true
		120 |   }
		121 | 
		122 |   tags = merge(
		123 |     local.tags,
		124 |     {
		125 |       Name = "${local.application_data.accounts[local.environment].database_ec2_name}"
		126 |     }
		127 |   )
		128 | }

Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
	FAILED for resource: aws_instance.edw_db_instance
	File: /ec2.tf:83-128
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-13

		83  | resource "aws_instance" "edw_db_instance" {
		84  |   ami                    = local.application_data.accounts[local.environment].edw_ec2_ami_id
		85  |   availability_zone      = "eu-west-2a"
		86  |   instance_type          = local.application_data.accounts[local.environment].edw_ec2_instance_type
		87  |   iam_instance_profile   = aws_iam_instance_profile.edw_ec2_instance_profile.id
		88  |   key_name               = aws_key_pair.edw_ec2_key.key_name
		89  |   subnet_id              = data.aws_subnet.private_subnets_a.id
		90  |   vpc_security_group_ids = [aws_security_group.edw_db_security_group.id]
		91  |   user_data = base64encode(templatefile("edw-ec2-user-data.sh", {
		92  |     edw_app_name         = local.application_data.accounts[local.environment].edw_AppName
		93  |     edw_dns_extension    = local.application_data.accounts[local.environment].edw_dns_extension
		94  |     edw_environment      = local.application_data.accounts[local.environment].edw_environment
		95  |     edw_region           = local.application_data.accounts[local.environment].edw_region
		96  |     edw_ec2_role         = aws_iam_role.edw_ec2_role.name
		97  |     edw_s3_backup_bucket = local.application_data.accounts[local.environment].edw_s3_backup_bucket
		98  |     edw_cis_ip           = local.application_data.accounts[local.environment].edw_cis_ip
		99  |     edw_eric_ip          = local.application_data.accounts[local.environment].edw_eric_ip
		100 |     edw_ccms_ip          = local.application_data.accounts[local.environment].edw_ccms_ip
		101 |   }))
		102 | 
		103 | 
		104 |   ebs_block_device {
		105 |     device_name = "/dev/sda1"
		106 |     volume_size = local.application_data.accounts[local.environment].edw_root_volume_size
		107 |     tags = merge(
		108 |       local.tags,
		109 |       { "Name" = "${local.application_name}-root-volume" },
		110 |     )
		111 |   }
		112 | 
		113 |   metadata_options {
		114 |     http_endpoint               = "enabled"
		115 |     http_put_response_hop_limit = 2
		116 |   }
		117 | 
		118 |   lifecycle {
		119 |     create_before_destroy = true
		120 |   }
		121 | 
		122 |   tags = merge(
		123 |     local.tags,
		124 |     {
		125 |       Name = "${local.application_data.accounts[local.environment].database_ec2_name}"
		126 |     }
		127 |   )
		128 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.edw_db_instance
	File: /ec2.tf:83-128
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		83  | resource "aws_instance" "edw_db_instance" {
		84  |   ami                    = local.application_data.accounts[local.environment].edw_ec2_ami_id
		85  |   availability_zone      = "eu-west-2a"
		86  |   instance_type          = local.application_data.accounts[local.environment].edw_ec2_instance_type
		87  |   iam_instance_profile   = aws_iam_instance_profile.edw_ec2_instance_profile.id
		88  |   key_name               = aws_key_pair.edw_ec2_key.key_name
		89  |   subnet_id              = data.aws_subnet.private_subnets_a.id
		90  |   vpc_security_group_ids = [aws_security_group.edw_db_security_group.id]
		91  |   user_data = base64encode(templatefile("edw-ec2-user-data.sh", {
		92  |     edw_app_name         = local.application_data.accounts[local.environment].edw_AppName
		93  |     edw_dns_extension    = local.application_data.accounts[local.environment].edw_dns_extension
		94  |     edw_environment      = local.application_data.accounts[local.environment].edw_environment
		95  |     edw_region           = local.application_data.accounts[local.environment].edw_region
		96  |     edw_ec2_role         = aws_iam_role.edw_ec2_role.name
		97  |     edw_s3_backup_bucket = local.application_data.accounts[local.environment].edw_s3_backup_bucket
		98  |     edw_cis_ip           = local.application_data.accounts[local.environment].edw_cis_ip
		99  |     edw_eric_ip          = local.application_data.accounts[local.environment].edw_eric_ip
		100 |     edw_ccms_ip          = local.application_data.accounts[local.environment].edw_ccms_ip
		101 |   }))
		102 | 
		103 | 
		104 |   ebs_block_device {
		105 |     device_name = "/dev/sda1"
		106 |     volume_size = local.application_data.accounts[local.environment].edw_root_volume_size
		107 |     tags = merge(
		108 |       local.tags,
		109 |       { "Name" = "${local.application_name}-root-volume" },
		110 |     )
		111 |   }
		112 | 
		113 |   metadata_options {
		114 |     http_endpoint               = "enabled"
		115 |     http_put_response_hop_limit = 2
		116 |   }
		117 | 
		118 |   lifecycle {
		119 |     create_before_destroy = true
		120 |   }
		121 | 
		122 |   tags = merge(
		123 |     local.tags,
		124 |     {
		125 |       Name = "${local.application_data.accounts[local.environment].database_ec2_name}"
		126 |     }
		127 |   )
		128 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.db-master-password
	File: /secret-rotate.tf:13-23
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		13 | resource "aws_secretsmanager_secret" "db-master-password" {
		14 |   name        = "${local.application_name}/app/db-master-password-"
		15 |   description = "EDW DB EC2 Root Password"
		16 | 
		17 |   tags = merge(
		18 |     local.tags,
		19 |     {
		20 |       Name = "${local.application_name}-db-master-password"
		21 |     }
		22 |   )
		23 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.edw_db_ec2_root_secret
	File: /secret-rotate.tf:43-53
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		43 | resource "aws_secretsmanager_secret" "edw_db_ec2_root_secret" {
		44 |   name        = "${local.application_name}/app/db-EC2-root-password-${random_string.edw-root-secret_id_suffix.result}"
		45 |   description = "EDW DB EC2 Root Password"
		46 | 
		47 |   tags = merge(
		48 |     local.tags,
		49 |     {
		50 |       Name = "${local.application_name}-ec2-system-root-password"
		51 |     }
		52 |   )
		53 | }

Check: CKV_AWS_304: "Ensure Secrets Manager secrets should be rotated within 90 days"
	FAILED for resource: aws_secretsmanager_secret_rotation.edw_db_root_rotate
	File: /secret-rotate.tf:60-68
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-304

		60 | resource "aws_secretsmanager_secret_rotation" "edw_db_root_rotate" {
		61 |   secret_id           = aws_secretsmanager_secret.edw_db_ec2_root_secret.id
		62 |   rotation_lambda_arn = aws_lambda_function.rotate_secret_function.arn
		63 |   rotate_immediately  = true
		64 | 
		65 |   rotation_rules {
		66 |     automatically_after_days = local.application_data.accounts[local.environment].secret_rotation_frequency_days
		67 |   }
		68 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.rotate_secret_function
	File: /secret-rotate.tf:85-108
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		85  | resource "aws_lambda_function" "rotate_secret_function" {
		86  |   function_name = local.application_data.accounts[local.environment].lambda_function_name
		87  |   description   = local.application_data.accounts[local.environment].lambda_function_description
		88  |   role          = aws_iam_role.edw_lambda_function_execution_role.arn
		89  |   handler       = local.application_data.accounts[local.environment].lambda_function_handler
		90  |   runtime       = local.application_data.accounts[local.environment].lambda_function_runtime
		91  |   timeout       = local.application_data.accounts[local.environment].lambda_function_timeout
		92  | 
		93  |   filename         = data.archive_file.lambda_inline_code.output_path
		94  |   source_code_hash = data.archive_file.lambda_inline_code.output_base64sha256 # hash ensures that changes to inline code are always picked up by a plan/apply
		95  | 
		96  |   environment {
		97  |     variables = {
		98  |       SECRETS_MANAGER_ENDPOINT = "https://secretsmanager.eu-west-2.amazonaws.com"
		99  |     }
		100 |   }
		101 | 
		102 |   tags = merge(
		103 |     local.tags,
		104 |     {
		105 |       Name = "${local.application_name}-edw-secret-rotate-function"
		106 |     }
		107 |   )
		108 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.rotate_secret_function
	File: /secret-rotate.tf:85-108
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		85  | resource "aws_lambda_function" "rotate_secret_function" {
		86  |   function_name = local.application_data.accounts[local.environment].lambda_function_name
		87  |   description   = local.application_data.accounts[local.environment].lambda_function_description
		88  |   role          = aws_iam_role.edw_lambda_function_execution_role.arn
		89  |   handler       = local.application_data.accounts[local.environment].lambda_function_handler
		90  |   runtime       = local.application_data.accounts[local.environment].lambda_function_runtime
		91  |   timeout       = local.application_data.accounts[local.environment].lambda_function_timeout
		92  | 
		93  |   filename         = data.archive_file.lambda_inline_code.output_path
		94  |   source_code_hash = data.archive_file.lambda_inline_code.output_base64sha256 # hash ensures that changes to inline code are always picked up by a plan/apply
		95  | 
		96  |   environment {
		97  |     variables = {
		98  |       SECRETS_MANAGER_ENDPOINT = "https://secretsmanager.eu-west-2.amazonaws.com"
		99  |     }
		100 |   }
		101 | 
		102 |   tags = merge(
		103 |     local.tags,
		104 |     {
		105 |       Name = "${local.application_name}-edw-secret-rotate-function"
		106 |     }
		107 |   )
		108 | }

Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
	FAILED for resource: aws_lambda_function.rotate_secret_function
	File: /secret-rotate.tf:85-108
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1

		85  | resource "aws_lambda_function" "rotate_secret_function" {
		86  |   function_name = local.application_data.accounts[local.environment].lambda_function_name
		87  |   description   = local.application_data.accounts[local.environment].lambda_function_description
		88  |   role          = aws_iam_role.edw_lambda_function_execution_role.arn
		89  |   handler       = local.application_data.accounts[local.environment].lambda_function_handler
		90  |   runtime       = local.application_data.accounts[local.environment].lambda_function_runtime
		91  |   timeout       = local.application_data.accounts[local.environment].lambda_function_timeout
		92  | 
		93  |   filename         = data.archive_file.lambda_inline_code.output_path
		94  |   source_code_hash = data.archive_file.lambda_inline_code.output_base64sha256 # hash ensures that changes to inline code are always picked up by a plan/apply
		95  | 
		96  |   environment {
		97  |     variables = {
		98  |       SECRETS_MANAGER_ENDPOINT = "https://secretsmanager.eu-west-2.amazonaws.com"
		99  |     }
		100 |   }
		101 | 
		102 |   tags = merge(
		103 |     local.tags,
		104 |     {
		105 |       Name = "${local.application_name}-edw-secret-rotate-function"
		106 |     }
		107 |   )
		108 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.rotate_secret_function
	File: /secret-rotate.tf:85-108
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		85  | resource "aws_lambda_function" "rotate_secret_function" {
		86  |   function_name = local.application_data.accounts[local.environment].lambda_function_name
		87  |   description   = local.application_data.accounts[local.environment].lambda_function_description
		88  |   role          = aws_iam_role.edw_lambda_function_execution_role.arn
		89  |   handler       = local.application_data.accounts[local.environment].lambda_function_handler
		90  |   runtime       = local.application_data.accounts[local.environment].lambda_function_runtime
		91  |   timeout       = local.application_data.accounts[local.environment].lambda_function_timeout
		92  | 
		93  |   filename         = data.archive_file.lambda_inline_code.output_path
		94  |   source_code_hash = data.archive_file.lambda_inline_code.output_base64sha256 # hash ensures that changes to inline code are always picked up by a plan/apply
		95  | 
		96  |   environment {
		97  |     variables = {
		98  |       SECRETS_MANAGER_ENDPOINT = "https://secretsmanager.eu-west-2.amazonaws.com"
		99  |     }
		100 |   }
		101 | 
		102 |   tags = merge(
		103 |     local.tags,
		104 |     {
		105 |       Name = "${local.application_name}-edw-secret-rotate-function"
		106 |     }
		107 |   )
		108 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.rotate_secret_function
	File: /secret-rotate.tf:85-108
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		85  | resource "aws_lambda_function" "rotate_secret_function" {
		86  |   function_name = local.application_data.accounts[local.environment].lambda_function_name
		87  |   description   = local.application_data.accounts[local.environment].lambda_function_description
		88  |   role          = aws_iam_role.edw_lambda_function_execution_role.arn
		89  |   handler       = local.application_data.accounts[local.environment].lambda_function_handler
		90  |   runtime       = local.application_data.accounts[local.environment].lambda_function_runtime
		91  |   timeout       = local.application_data.accounts[local.environment].lambda_function_timeout
		92  | 
		93  |   filename         = data.archive_file.lambda_inline_code.output_path
		94  |   source_code_hash = data.archive_file.lambda_inline_code.output_base64sha256 # hash ensures that changes to inline code are always picked up by a plan/apply
		95  | 
		96  |   environment {
		97  |     variables = {
		98  |       SECRETS_MANAGER_ENDPOINT = "https://secretsmanager.eu-west-2.amazonaws.com"
		99  |     }
		100 |   }
		101 | 
		102 |   tags = merge(
		103 |     local.tags,
		104 |     {
		105 |       Name = "${local.application_name}-edw-secret-rotate-function"
		106 |     }
		107 |   )
		108 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.rotate_secret_function
	File: /secret-rotate.tf:85-108
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		85  | resource "aws_lambda_function" "rotate_secret_function" {
		86  |   function_name = local.application_data.accounts[local.environment].lambda_function_name
		87  |   description   = local.application_data.accounts[local.environment].lambda_function_description
		88  |   role          = aws_iam_role.edw_lambda_function_execution_role.arn
		89  |   handler       = local.application_data.accounts[local.environment].lambda_function_handler
		90  |   runtime       = local.application_data.accounts[local.environment].lambda_function_runtime
		91  |   timeout       = local.application_data.accounts[local.environment].lambda_function_timeout
		92  | 
		93  |   filename         = data.archive_file.lambda_inline_code.output_path
		94  |   source_code_hash = data.archive_file.lambda_inline_code.output_base64sha256 # hash ensures that changes to inline code are always picked up by a plan/apply
		95  | 
		96  |   environment {
		97  |     variables = {
		98  |       SECRETS_MANAGER_ENDPOINT = "https://secretsmanager.eu-west-2.amazonaws.com"
		99  |     }
		100 |   }
		101 | 
		102 |   tags = merge(
		103 |     local.tags,
		104 |     {
		105 |       Name = "${local.application_name}-edw-secret-rotate-function"
		106 |     }
		107 |   )
		108 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.edw_lambda_function_execution_role_policy
	File: /secret-rotate.tf:127-181
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_policy.edw_lambda_function_execution_role_policy
	File: /secret-rotate.tf:127-181
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.edw_lambda_function_execution_role_policy
	File: /secret-rotate.tf:127-181
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_364: "Ensure that AWS Lambda function permissions delegated to AWS services are limited by SourceArn or SourceAccount"
	FAILED for resource: aws_lambda_permission.rotate_secret_function_permission
	File: /secret-rotate.tf:189-193
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-364

		189 | resource "aws_lambda_permission" "rotate_secret_function_permission" {
		190 |   action        = "lambda:InvokeFunction"
		191 |   function_name = aws_lambda_function.rotate_secret_function.function_name
		192 |   principal     = "secretsmanager.amazonaws.com"
		193 | }
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /backup_lambda.tf:101-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		101 | resource "aws_s3_bucket" "backup_lambda" {
		102 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		103 |   tags = merge(
		104 |     local.tags,
		105 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		106 |   )
		107 | }

Check: CKV2_AWS_65: "Ensure access control lists for S3 buckets are disabled"
	FAILED for resource: aws_s3_bucket_ownership_controls.backup_lambda
	File: /backup_lambda.tf:124-129
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-112

		124 | resource "aws_s3_bucket_ownership_controls" "backup_lambda" {
		125 |   bucket = aws_s3_bucket.backup_lambda.id
		126 |   rule {
		127 |     object_ownership = "ObjectWriter"
		128 |   }
		129 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /backup_lambda.tf:101-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		101 | resource "aws_s3_bucket" "backup_lambda" {
		102 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		103 |   tags = merge(
		104 |     local.tags,
		105 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		106 |   )
		107 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.db-master-password
	File: /secret-rotate.tf:13-23
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		13 | resource "aws_secretsmanager_secret" "db-master-password" {
		14 |   name        = "${local.application_name}/app/db-master-password-"
		15 |   description = "EDW DB EC2 Root Password"
		16 | 
		17 |   tags = merge(
		18 |     local.tags,
		19 |     {
		20 |       Name = "${local.application_name}-db-master-password"
		21 |     }
		22 |   )
		23 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /backup_lambda.tf:101-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		101 | resource "aws_s3_bucket" "backup_lambda" {
		102 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		103 |   tags = merge(
		104 |     local.tags,
		105 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		106 |   )
		107 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /backup_lambda.tf:101-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		101 | resource "aws_s3_bucket" "backup_lambda" {
		102 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		103 |   tags = merge(
		104 |     local.tags,
		105 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		106 |   )
		107 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /backup_lambda.tf:101-107
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		101 | resource "aws_s3_bucket" "backup_lambda" {
		102 |   bucket = "${local.application_name}-${local.environment}-backup-lambda"
		103 |   tags = merge(
		104 |     local.tags,
		105 |     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
		106 |   )
		107 | }


checkov_exitcode=1

TFLint Scan Failed

*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
terraform/environments/edw

*****************************

Running tflint in terraform/environments/edw
Excluding the following checks: terraform_unused_declarations
5 issue(s) found:

Warning: Missing version constraint for provider "time" in `required_providers` (terraform_required_providers)

  on terraform/environments/edw/backup_lambda.tf line 119:
 119: resource "time_sleep" "wait_for_provision_files" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "archive" in `required_providers` (terraform_required_providers)

  on terraform/environments/edw/backup_lambda.tf line 173:
 173: data "archive_file" "connect_db" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/edw/ec2.tf line 125:
 125:       Name = "${local.application_data.accounts[local.environment].database_ec2_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "random" in `required_providers` (terraform_required_providers)

  on terraform/environments/edw/secret-rotate.tf line 38:
  38: resource "random_string" "edw-initial_root_secret_value" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/edw/secret-rotate.tf line 81:
  81:     content  = file("${local.application_data.accounts[local.environment].lambda_function_inline_code_filename}")

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

tflint_exitcode=2

Trivy Scan Failed

*****************************

Trivy will check the following folders:
terraform/environments/edw

*****************************

Running Trivy in terraform/environments/edw
2024-07-15T15:07:03Z	INFO	Need to update DB
2024-07-15T15:07:03Z	INFO	Downloading DB...	repository="ghcr.io/aquasecurity/trivy-db:2"
2024-07-15T15:07:05Z	INFO	Vulnerability scanning is enabled
2024-07-15T15:07:05Z	INFO	Misconfiguration scanning is enabled
2024-07-15T15:07:05Z	INFO	Need to update the built-in policies
2024-07-15T15:07:05Z	INFO	Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s
2024-07-15T15:07:06Z	INFO	Secret scanning is enabled
2024-07-15T15:07:06Z	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-07-15T15:07:06Z	INFO	Please see also https://aquasecurity.github.io/trivy/v0.53/docs/scanner/secret#recommendation for faster secret detection
2024-07-15T15:07:09Z	INFO	Number of language-specific files	num=0
2024-07-15T15:07:09Z	INFO	Detected config files	num=7

backup_lambda.tf (terraform)
============================
Tests: 54 (SUCCESSES: 7, FAILURES: 3, EXCEPTIONS: 44)
Failures: 3 (HIGH: 2, CRITICAL: 1)

HIGH: Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.

See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
 backup_lambda.tf:101-107
────────────────────────────────────────
 101 ┌ resource "aws_s3_bucket" "backup_lambda" {
 102 │   bucket = "${local.application_name}-${local.environment}-backup-lambda"
 103 │   tags = merge(
 104 │     local.tags,
 105 │     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
 106 │   )
 107 └ }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 backup_lambda.tf:194
   via backup_lambda.tf:189-195 (egress)
    via backup_lambda.tf:184-201 (aws_security_group.backup_lambda)
────────────────────────────────────────
 184   resource "aws_security_group" "backup_lambda" {
 ...   
 194 [     cidr_blocks = ["0.0.0.0/0"]
 ...   
 201   }
────────────────────────────────────────


HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 backup_lambda.tf:101-107
────────────────────────────────────────
 101 ┌ resource "aws_s3_bucket" "backup_lambda" {
 102 │   bucket = "${local.application_name}-${local.environment}-backup-lambda"
 103 │   tags = merge(
 104 │     local.tags,
 105 │     { Name = "${local.application_name}-${local.environment}-backup-lambda" }
 106 │   )
 107 └ }
────────────────────────────────────────



cw.tf (terraform)
=================
Tests: 2 (SUCCESSES: 1, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Topic does not have encryption enabled.
════════════════════════════════════════
Topics should be encrypted to protect their contents.

See https://avd.aquasec.com/misconfig/avd-aws-0095
────────────────────────────────────────
 cw.tf:558-566
────────────────────────────────────────
 558 ┌ resource "aws_sns_topic" "edw_alerting_topic" {
 559 │   name = "${local.application_name}-SNS-topic"
 560 │   tags = merge(
 561 │     local.tags,
 562 │     {
 563 │       Name = "${local.application_name}-edw-alerting-topic"
 564 │     }
 565 │   )
 566 └ }
────────────────────────────────────────



ec2.tf (terraform)
==================
Tests: 16 (SUCCESSES: 13, FAILURES: 3, EXCEPTIONS: 0)
Failures: 3 (HIGH: 3, CRITICAL: 0)

HIGH: Instance does not require IMDS access to require a token
════════════════════════════════════════

IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.
By default the aws_instance resource sets IMDS session auth tokens to be optional.
To fully protect IMDS you need to enable session tokens by using the metadata_options block with its http_tokens variable set to required.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 ec2.tf:113-116
   via ec2.tf:83-128 (aws_instance.edw_db_instance)
────────────────────────────────────────
  83   resource "aws_instance" "edw_db_instance" {
  ..   
 113 ┌   metadata_options {
 114 │     http_endpoint               = "enabled"
 115 │     http_put_response_hop_limit = 2
 116 └   }
 ...   
 128   }
────────────────────────────────────────


HIGH: EBS block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.

See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
 ec2.tf:83-128
────────────────────────────────────────
  83 ┌ resource "aws_instance" "edw_db_instance" {
  84 │   ami                    = local.application_data.accounts[local.environment].edw_ec2_ami_id
  85 │   availability_zone      = "eu-west-2a"
  86 │   instance_type          = local.application_data.accounts[local.environment].edw_ec2_instance_type
  87 │   iam_instance_profile   = aws_iam_instance_profile.edw_ec2_instance_profile.id
  88 │   key_name               = aws_key_pair.edw_ec2_key.key_name
  89 │   subnet_id              = data.aws_subnet.private_subnets_a.id
  90 │   vpc_security_group_ids = [aws_security_group.edw_db_security_group.id]
  91 └   user_data = base64encode(templatefile("edw-ec2-user-data.sh", {
  ..   
────────────────────────────────────────


HIGH: Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.

See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
 ec2.tf:83-128
────────────────────────────────────────
  83 ┌ resource "aws_instance" "edw_db_instance" {
  84 │   ami                    = local.application_data.accounts[local.environment].edw_ec2_ami_id
  85 │   availability_zone      = "eu-west-2a"
  86 │   instance_type          = local.application_data.accounts[local.environment].edw_ec2_instance_type
  87 │   iam_instance_profile   = aws_iam_instance_profile.edw_ec2_instance_profile.id
  88 │   key_name               = aws_key_pair.edw_ec2_key.key_name
  89 │   subnet_id              = data.aws_subnet.private_subnets_a.id
  90 │   vpc_security_group_ids = [aws_security_group.edw_db_security_group.id]
  91 └   user_data = base64encode(templatefile("edw-ec2-user-data.sh", {
  ..   
────────────────────────────────────────



github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0/main.tf (terraform)
==========================================================================================================
Tests: 16 (SUCCESSES: 5, FAILURES: 0, EXCEPTIONS: 11)
Failures: 0 (HIGH: 0, CRITICAL: 0)


secret-rotate.tf (terraform)
============================
Tests: 1 (SUCCESSES: 0, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Lambda permission lacks source ARN for *.amazonaws.com principal.
════════════════════════════════════════
When the principal is an AWS service, the ARN of the specific resource within that service to grant permission to. 

Without this, any resource from principal will be granted permission – even if that resource is from another account. 

For S3, this should be the ARN of the S3 Bucket. For CloudWatch Events, this should be the ARN of the CloudWatch Events Rule. For API Gateway, this should be the ARN of the API

See https://avd.aquasec.com/misconfig/avd-aws-0067
────────────────────────────────────────
 secret-rotate.tf:189-193
────────────────────────────────────────
 189 ┌ resource "aws_lambda_permission" "rotate_secret_function_permission" {
 190 │   action        = "lambda:InvokeFunction"
 191 │   function_name = aws_lambda_function.rotate_secret_function.function_name
 192 │   principal     = "secretsmanager.amazonaws.com"
 193 └ }
────────────────────────────────────────


trivy_exitcode=1
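
The scanner output above names the weak settings but not the fixed ones. The block below is an added example, not code from this PR or from the modernisation-platform-environments repository: it gives hardened versions of the flagged resources, using the resource names and local.* references shown in the scan output. The CMK aws_kms_key.edw, data.aws_vpc.shared, the S3 prefix-list lookup and the edw_data_snapshot_id key in application_data are assumptions introduced for illustration.

```hcl
# Added example, not code from this PR: hardened versions of the resources the
# Trivy and Checkov output above flags. aws_kms_key.edw, data.aws_vpc.shared,
# the prefix-list lookup and the edw_data_snapshot_id key are assumptions.

resource "aws_kms_key" "edw" {
  description         = "${local.application_name}-${local.environment} CMK"
  enable_key_rotation = true
}

# avd-aws-0028: http_tokens = "required" makes IMDSv2 mandatory, so a plain GET
# from an SSRF or a stray process cannot read the instance role credentials.
# avd-aws-0131: the root volume is encrypted with the CMK.
resource "aws_instance" "edw_db_instance" {
  ami                    = local.application_data.accounts[local.environment].edw_ec2_ami_id
  instance_type          = local.application_data.accounts[local.environment].edw_ec2_instance_type
  subnet_id              = data.aws_subnet.private_subnets_a.id
  vpc_security_group_ids = [aws_security_group.edw_db_security_group.id]
  # availability_zone, iam_instance_profile, key_name and user_data as in ec2.tf

  metadata_options {
    http_endpoint               = "enabled"
    http_tokens                 = "required"
    http_put_response_hop_limit = 2
  }

  root_block_device {
    encrypted  = true
    kms_key_id = aws_kms_key.edw.arn
  }
}

# avd-aws-0131 for a volume carried over from another instance: EBS cannot
# encrypt in place, so copy the source snapshot with encryption on, build the
# new volume from the copy and attach that one.
resource "aws_ebs_snapshot_copy" "edw_data" {
  source_snapshot_id = local.application_data.accounts[local.environment].edw_data_snapshot_id # assumed key
  source_region      = "eu-west-2"
  encrypted          = true
  kms_key_id         = aws_kms_key.edw.arn
}

resource "aws_ebs_volume" "edw_data" {
  availability_zone = "eu-west-2a"
  snapshot_id       = aws_ebs_snapshot_copy.edw_data.id
  encrypted         = true
  kms_key_id        = aws_kms_key.edw.arn
}

resource "aws_volume_attachment" "edw_data" {
  device_name = "/dev/sdf" # illustrative device name
  volume_id   = aws_ebs_volume.edw_data.id
  instance_id = aws_instance.edw_db_instance.id
}

# avd-aws-0088 / avd-aws-0132 / CKV_AWS_145: SSE-KMS with the CMK by default.
resource "aws_s3_bucket_server_side_encryption_configuration" "backup_lambda" {
  bucket = aws_s3_bucket.backup_lambda.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"
      kms_master_key_id = aws_kms_key.edw.arn
    }
    bucket_key_enabled = true
  }
}

# avd-aws-0067: only rotation of this one secret may invoke the function,
# not any Secrets Manager secret in any account.
resource "aws_lambda_permission" "rotate_secret_function_permission" {
  action        = "lambda:InvokeFunction"
  function_name = aws_lambda_function.rotate_secret_function.function_name
  principal     = "secretsmanager.amazonaws.com"
  source_arn    = aws_secretsmanager_secret.db-master-password.arn
}

# avd-aws-0104: HTTPS egress only to the VPC (interface endpoints) and to the
# S3 gateway prefix list, instead of 0.0.0.0/0.
data "aws_ec2_managed_prefix_list" "s3" {
  name = "com.amazonaws.eu-west-2.s3"
}

resource "aws_security_group" "backup_lambda" {
  name   = "${local.application_name}-${local.environment}-backup-lambda"
  vpc_id = data.aws_vpc.shared.id # assumed data source

  egress {
    from_port       = 443
    to_port         = 443
    protocol        = "tcp"
    cidr_blocks     = [data.aws_vpc.shared.cidr_block]
    prefix_list_ids = [data.aws_ec2_managed_prefix_list.s3.id]
  }
}
```

Three checks to run after applying something like this. First, the Lambda role and the EC2 instance role need kms:GenerateDataKey and kms:Decrypt on the CMK, or bucket writes and volume attaches fail with AccessDenied; the same applies to CloudWatch if the flagged SNS topic is given a kms_master_key_id (not shown above, nor the CKV2_AWS_65 fix, which is object_ownership = "BucketOwnerEnforced" in the existing ownership-controls block). Second, trigger one manual rotation after adding source_arn to the Lambda permission to confirm the invoke is still allowed. Third, once egress no longer covers 0.0.0.0/0 the Lambda can only reach AWS APIs through VPC endpoints, so the Secrets Manager and EC2 interface endpoints must exist in the VPC and their security groups must accept 443 from this group.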

@ffteva-moj ffteva-moj merged commit 7256bf4 into main Jul 15, 2024
12 of 16 checks passed
@ffteva-moj ffteva-moj deleted the LAWS-3953 branch July 15, 2024 20:43