Bump terraform-aws-modules/eks/aws from 19.21.0 to 20.19.0 in /terraform/environments/data-platform-apps-and-tools

[dependabot]

Bumps terraform-aws-modules/eks/aws from 19.21.0 to 20.19.0.

Release notes

Sourced from terraform-aws-modules/eks/aws's releases.

v20.19.0

20.19.0 (2024-07-15)

Features

• Pass the primary_ipv6 argument to the AWS provider. (#3098) (e1bb8b6)

v20.18.0

20.18.0 (2024-07-15)

Features

• Support bootstrap_self_managed_addons (#3099) (af88e7d)

v20.17.2

20.17.2 (2024-07-05)

Bug Fixes

• Revert #3058 - fix: Invoke aws_iam_session_context data source only when required (#3092) (93ffdfc)

v20.17.1

20.17.1 (2024-07-05)

Bug Fixes

• Invoke aws_iam_session_context data source only when required (#3058) (f02df92)

v20.17.0

20.17.0 (2024-07-05)

Features

• Add support for ML capacity block reservations with EKS managed node group(s) (#3091) (ae3379e)

v20.16.0

20.16.0 (2024-07-02)

Features

• Add support for custom IAM role policy (#3087) (1604c6c)

v20.15.0

20.15.0 (2024-06-27)

... (truncated)

Changelog

Sourced from terraform-aws-modules/eks/aws's changelog.

20.19.0 (2024-07-15)

Features

• Pass the primary_ipv6 argument to the AWS provider. (#3098) (e1bb8b6)

20.18.0 (2024-07-15)

Features

• Support bootstrap_self_managed_addons (#3099) (af88e7d)

20.17.2 (2024-07-05)

Bug Fixes

• Revert #3058 - fix: Invoke aws_iam_session_context data source only when required (#3092) (93ffdfc)

20.17.1 (2024-07-05)

Bug Fixes

• Invoke aws_iam_session_context data source only when required (#3058) (f02df92)

20.17.0 (2024-07-05)

Features

• Add support for ML capacity block reservations with EKS managed node group(s) (#3091) (ae3379e)

20.16.0 (2024-07-02)

Features

• Add support for custom IAM role policy (#3087) (1604c6c)

20.15.0 (2024-06-27)

Features

• Deny HTTP on Karpenter SQS policy (#3080) (f6e071c)

20.14.0 (2024-06-13)

... (truncated)

Commits

• e32c29f chore(release): version 20.19.0 [skip ci]
• e1bb8b6 feat: Pass the primary_ipv6 argument to the AWS provider. (#3098)
• f56004d chore(release): version 20.18.0 [skip ci]
• af88e7d feat: Support bootstrap_self_managed_addons (#3099)
• d7aea4c chore(release): version 20.17.2 [skip ci]
• 93ffdfc fix: Revert #3058 - fix: Invoke aws_iam_session_context data source only when...
• 27d649a chore(release): version 20.17.1 [skip ci]
• f02df92 fix: Invoke aws_iam_session_context data source only when required (#3058)
• 76d6a64 chore(release): version 20.17.0 [skip ci]
• ae3379e feat: Add support for ML capacity block reservations with EKS managed node gr...
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[github-actions]

Trivy Scan Failed

Show Output

```hcl

---

Trivy will check the following folders:
terraform/environments/data-platform-apps-and-tools

---

Running Trivy in terraform/environments/data-platform-apps-and-tools
2024-07-16T00:35:31Z INFO Need to update DB
2024-07-16T00:35:31Z INFO Downloading DB... repository="ghcr.io/aquasecurity/trivy-db:2"
2024-07-16T00:35:33Z INFO Vulnerability scanning is enabled
2024-07-16T00:35:33Z INFO Misconfiguration scanning is enabled
2024-07-16T00:35:33Z INFO Need to update the built-in policies
2024-07-16T00:35:33Z INFO Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-07-16T00:35:33Z INFO Secret scanning is enabled
2024-07-16T00:35:33Z INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-07-16T00:35:33Z INFO Please see also https://aquasecurity.github.io/trivy/v0.53/docs/scanner/secret#recommendation for faster secret detection
2024-07-16T00:35:34Z WARN [pip] Unable to find python site-packages directory. License detection is skipped. err="site-packages directory not found"
2024-07-16T00:35:41Z INFO Number of language-specific files num=1
2024-07-16T00:35:41Z INFO [pip] Detecting vulnerabilities...
2024-07-16T00:35:41Z INFO Detected config files num=23

data.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)

git::https:/github.com/terraform-aws-modules/terraform-aws-ec2-instance?ref=f3c6436589eba5c0bcac1cf1a81403ed4f3fcaf8/main.tf (terraform)

Tests: 4 (SUCCESSES: 3, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Instance does not require IMDS access to require a token
════════════════════════════════════════

IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.
By default aws_instance resource sets IMDS session auth tokens to be optional.
To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
git::https:/github.com/terraform-aws-modules/terraform-aws-ec2-instance?ref=f3c6436589eba5c0bcac1cf1a81403ed4f3fcaf8/main.tf:125
via git::https:/github.com/terraform-aws-modules/terraform-aws-ec2-instance?ref=f3c6436589eba5c0bcac1cf1a81403ed4f3fcaf8/main.tf:123-128 (content)
via git::https:/github.com/terraform-aws-modules/terraform-aws-ec2-instance?ref=f3c6436589eba5c0bcac1cf1a81403ed4f3fcaf8/main.tf:120-129 (dynamic.metadata_options["0"])
via git::https:/github.com/terraform-aws-modules/terraform-aws-ec2-instance?ref=f3c6436589eba5c0bcac1cf1a81403ed4f3fcaf8/main.tf:21-193 (aws_instance.this[0])
via powerbi-gateway-server.tf:14-59 (module.powerbi_gateway)
────────────────────────────────────────
21 resource "aws_instance" "this" {
..
125 [ http_tokens = try(metadata_options.value.http_tokens, "optional")
...
193 }
────────────────────────────────────────

git::https:/github.com/terraform-aws-modules/terraform-aws-eks?ref=e32c29f3b77a3a4c8a7fd3652762e587ae6d1879/main.tf (terraform)

Tests: 5 (SUCCESSES: 1, FAILURES: 0, EXCEPTIONS: 4)
Failures: 0 (HIGH: 0, CRITICAL: 0)

git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=2e417ad0ce830893127476436179ef483485ae84/vpc-flow-logs.tf (terraform)

Tests: 2 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 2)
Failures: 0 (HIGH: 0, CRITICAL: 0)

powerbi-gateway-iam.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)

powerbi-gateway-security-group.tf (terraform)

Tests: 3 (SUCCESSES: 0, FAILURES: 3, EXCEPTIONS: 0)
Failures: 3 (HIGH: 0, CRITICAL: 3)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
powerbi-gateway-security-group.tf:26
via powerbi-gateway-security-group.tf:22-27 (egress)
via powerbi-gateway-security-group.tf:2-30 (aws_security_group.powerbi_gateway)
────────────────────────────────────────
2 resource "aws_security_group" "powerbi_gateway" {
.
26 [ cidr_blocks = ["0.0.0.0/0"]
..
30 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
powerbi-gateway-security-group.tf:19
via powerbi-gateway-security-group.tf:15-20 (egress)
via powerbi-gateway-security-group.tf:2-30 (aws_security_group.powerbi_gateway)
────────────────────────────────────────
2 resource "aws_security_group" "powerbi_gateway" {
.
19 [ cidr_blocks = ["0.0.0.0/0"]
..
30 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
powerbi-gateway-security-group.tf:12
via powerbi-gateway-security-group.tf:8-13 (egress)
via powerbi-gateway-security-group.tf:2-30 (aws_security_group.powerbi_gateway)
────────────────────────────────────────
2 resource "aws_security_group" "powerbi_gateway" {
.
12 [ cidr_blocks = ["0.0.0.0/0"]
..
30 }
────────────────────────────────────────

trivy_exitcode=1

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/data-platform-apps-and-tools

*****************************

Running Checkov in terraform/environments/data-platform-apps-and-tools
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-07-16 00:35:44,050 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/eks/aws:20.19.0 (for external modules, the --download-external-modules flag is required)
2024-07-16 00:35:44,050 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/efs/aws:~> 1.0 (for external modules, the --download-external-modules flag is required)
2024-07-16 00:35:44,051 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-policy:~> 5.0 (for external modules, the --download-external-modules flag is required)
2024-07-16 00:35:44,051 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-user:~> 5 (for external modules, the --download-external-modules flag is required)
2024-07-16 00:35:44,051 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks:~> 5.0 (for external modules, the --download-external-modules flag is required)
2024-07-16 00:35:44,051 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-assumable-role:~> 5.0 (for external modules, the --download-external-modules flag is required)
2024-07-16 00:35:44,051 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/vpc/aws//modules/vpc-endpoints:~> 5.0 (for external modules, the --download-external-modules flag is required)
2024-07-16 00:35:44,051 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/ec2-instance/aws:None (for external modules, the --download-external-modules flag is required)
2024-07-16 00:35:44,051 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/rds/aws:~> 6.0 (for external modules, the --download-external-modules flag is required)
2024-07-16 00:35:44,052 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/lambda/aws:~> 6.0 (for external modules, the --download-external-modules flag is required)
2024-07-16 00:35:44,052 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0:None (for external modules, the --download-external-modules flag is required)
2024-07-16 00:35:44,052 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/cloudwatch/aws//modules/log-group:~> 5.0 (for external modules, the --download-external-modules flag is required)
2024-07-16 00:35:44,052 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/kms/aws:~> 2.0 (for external modules, the --download-external-modules flag is required)
2024-07-16 00:35:44,052 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/vpc/aws:~> 5.0 (for external modules, the --download-external-modules flag is required)
2024-07-16 00:35:44,052 [MainThread  ] [WARNI]  Failed to download module ministryofjustice/observability-platform-tenant/aws:1.0.1 (for external modules, the --download-external-modules flag is required)
2024-07-16 00:35:44,053 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/security-group/aws:~> 5.0 (for external modules, the --download-external-modules flag is required)
2024-07-16 00:35:44,053 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/kms/aws:2.2.0 (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 169, Failed checks: 20, Skipped checks: 43

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.powerbi_gateway_reg_credentials
	File: /powerbi-gateway-secret.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		1 | resource "aws_secretsmanager_secret" "powerbi_gateway_reg_credentials" {
		2 |   name = "${local.environment_configuration.powerbi_gateway_ec2.instance_name}-credentials"
		3 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.powerbi_gateway
	File: /powerbi-gateway-security-group.tf:2-30
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		2  | resource "aws_security_group" "powerbi_gateway" {
		3  |   name        = local.environment_configuration.powerbi_gateway_ec2.instance_name
		4  |   description = local.environment_configuration.powerbi_gateway_ec2.instance_name
		5  |   vpc_id      = data.aws_vpc.shared.id
		6  | 
		7  |   # https://learn.microsoft.com/en-us/data-integration/gateway/service-gateway-communication#ports
		8  |   egress {
		9  |     from_port   = 443
		10 |     to_port     = 443
		11 |     protocol    = "tcp"
		12 |     cidr_blocks = ["0.0.0.0/0"]
		13 |   }
		14 | 
		15 |   egress {
		16 |     from_port   = 5671
		17 |     to_port     = 5672
		18 |     protocol    = "tcp"
		19 |     cidr_blocks = ["0.0.0.0/0"]
		20 |   }
		21 | 
		22 |   egress {
		23 |     from_port   = 9352
		24 |     to_port     = 9354
		25 |     protocol    = "tcp"
		26 |     cidr_blocks = ["0.0.0.0/0"]
		27 |   }
		28 | 
		29 |   tags = local.tags
		30 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: powerbi_gateway
	File: /powerbi-gateway-server.tf:14-59
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		14 | module "powerbi_gateway" {
		15 |   source  = "terraform-aws-modules/ec2-instance/aws"
		16 |   version = "v5.6.0"
		17 | 
		18 |   name = local.environment_configuration.powerbi_gateway_ec2.instance_name
		19 |   # ami                         = data.aws_ami.windows_server_2022.id
		20 |   ami                         = "ami-00ffeb610527f540b" # Hardcoded AMI ID for Windows Server 2022
		21 |   instance_type               = local.environment_configuration.powerbi_gateway_ec2.instance_type
		22 |   key_name                    = aws_key_pair.powerbi_gateway_keypair.key_name
		23 |   monitoring                  = true
		24 |   create_iam_instance_profile = true
		25 |   iam_role_description        = "IAM role for PowerBI Gateway Instance"
		26 |   ignore_ami_changes          = false
		27 |   enable_volume_tags          = false
		28 |   associate_public_ip_address = false
		29 |   iam_role_policies = {
		30 |     SSMCore            = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
		31 |     PowerBI_DataAccess = aws_iam_policy.powerbi_gateway_data_access.arn
		32 |   }
		33 |   root_block_device = [
		34 |     {
		35 |       encrypted   = true
		36 |       volume_type = "gp3"
		37 |       volume_size = 100
		38 |       tags = merge({
		39 |         Name = "${local.environment_configuration.powerbi_gateway_ec2.instance_name}-root-volume"
		40 |       }, local.tags)
		41 |     },
		42 |   ]
		43 | 
		44 |   ebs_block_device = [
		45 |     {
		46 |       volume_type = "gp3"
		47 |       device_name = "/dev/sdf"
		48 |       volume_size = 300
		49 |       encrypted   = true
		50 |       tags = merge({
		51 |         Name = "${local.environment_configuration.powerbi_gateway_ec2.instance_name}-data-volume"
		52 |       }, local.tags)
		53 |     }
		54 |   ]
		55 |   vpc_security_group_ids = [aws_security_group.powerbi_gateway.id]
		56 |   subnet_id              = data.aws_subnet.private_subnets_a.id
		57 | 
		58 |   tags = local.tags
		59 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: airflow_s3_bucket
	File: /s3.tf:5-15
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		5  | module "airflow_s3_bucket" {
		6  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0"
		7  | 
		8  |   providers = {
		9  |     aws.bucket-replication = aws
		10 |   }
		11 | 
		12 |   bucket_prefix = "moj-data-platform-airflow-${local.environment}"
		13 | 
		14 |   tags = local.tags
		15 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.openmetadata_entra_id_client_id
	File: /secrets.tf:7-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		7  | resource "aws_secretsmanager_secret" "openmetadata_entra_id_client_id" {
		8  |   count = terraform.workspace == "data-platform-apps-and-tools-production" ? 1 : 0
		9  | 
		10 |   name = "openmetadata/entra-id/client-id"
		11 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.openmetadata_entra_id_tenant_id
	File: /secrets.tf:13-17
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		13 | resource "aws_secretsmanager_secret" "openmetadata_entra_id_tenant_id" {
		14 |   count = terraform.workspace == "data-platform-apps-and-tools-production" ? 1 : 0
		15 | 
		16 |   name = "openmetadata/entra-id/tenant-id"
		17 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.github_app_arc_app_id
	File: /secrets.tf:19-23
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		19 | resource "aws_secretsmanager_secret" "github_app_arc_app_id" {
		20 |   count = terraform.workspace == "data-platform-apps-and-tools-production" ? 1 : 0
		21 | 
		22 |   name = "github/arc/app-id"
		23 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.github_app_arc_install_id
	File: /secrets.tf:25-29
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		25 | resource "aws_secretsmanager_secret" "github_app_arc_install_id" {
		26 |   count = terraform.workspace == "data-platform-apps-and-tools-production" ? 1 : 0
		27 | 
		28 |   name = "github/arc/install-id"
		29 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.github_app_arc_private_key
	File: /secrets.tf:31-35
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		31 | resource "aws_secretsmanager_secret" "github_app_arc_private_key" {
		32 |   count = terraform.workspace == "data-platform-apps-and-tools-production" ? 1 : 0
		33 | 
		34 |   name = "github/arc/private-key"
		35 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.govuk_notify_api_key
	File: /secrets.tf:38-42
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		38 | resource "aws_secretsmanager_secret" "govuk_notify_api_key" {
		39 |   count = terraform.workspace == "data-platform-apps-and-tools-production" ? 1 : 0
		40 | 
		41 |   name = "gov-uk-notify/production/api-key"
		42 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.jml_email
	File: /secrets.tf:45-49
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		45 | resource "aws_secretsmanager_secret" "jml_email" {
		46 |   count = terraform.workspace == "data-platform-apps-and-tools-production" ? 1 : 0
		47 | 
		48 |   name = "jml/email"
		49 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.powerbi_gateway
	File: /powerbi-gateway-security-group.tf:2-30
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		2  | resource "aws_security_group" "powerbi_gateway" {
		3  |   name        = local.environment_configuration.powerbi_gateway_ec2.instance_name
		4  |   description = local.environment_configuration.powerbi_gateway_ec2.instance_name
		5  |   vpc_id      = data.aws_vpc.shared.id
		6  | 
		7  |   # https://learn.microsoft.com/en-us/data-integration/gateway/service-gateway-communication#ports
		8  |   egress {
		9  |     from_port   = 443
		10 |     to_port     = 443
		11 |     protocol    = "tcp"
		12 |     cidr_blocks = ["0.0.0.0/0"]
		13 |   }
		14 | 
		15 |   egress {
		16 |     from_port   = 5671
		17 |     to_port     = 5672
		18 |     protocol    = "tcp"
		19 |     cidr_blocks = ["0.0.0.0/0"]
		20 |   }
		21 | 
		22 |   egress {
		23 |     from_port   = 9352
		24 |     to_port     = 9354
		25 |     protocol    = "tcp"
		26 |     cidr_blocks = ["0.0.0.0/0"]
		27 |   }
		28 | 
		29 |   tags = local.tags
		30 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.powerbi_gateway_reg_credentials
	File: /powerbi-gateway-secret.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		1 | resource "aws_secretsmanager_secret" "powerbi_gateway_reg_credentials" {
		2 |   name = "${local.environment_configuration.powerbi_gateway_ec2.instance_name}-credentials"
		3 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.openmetadata_entra_id_client_id
	File: /secrets.tf:7-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		7  | resource "aws_secretsmanager_secret" "openmetadata_entra_id_client_id" {
		8  |   count = terraform.workspace == "data-platform-apps-and-tools-production" ? 1 : 0
		9  | 
		10 |   name = "openmetadata/entra-id/client-id"
		11 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.openmetadata_entra_id_tenant_id
	File: /secrets.tf:13-17
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		13 | resource "aws_secretsmanager_secret" "openmetadata_entra_id_tenant_id" {
		14 |   count = terraform.workspace == "data-platform-apps-and-tools-production" ? 1 : 0
		15 | 
		16 |   name = "openmetadata/entra-id/tenant-id"
		17 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.github_app_arc_app_id
	File: /secrets.tf:19-23
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		19 | resource "aws_secretsmanager_secret" "github_app_arc_app_id" {
		20 |   count = terraform.workspace == "data-platform-apps-and-tools-production" ? 1 : 0
		21 | 
		22 |   name = "github/arc/app-id"
		23 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.github_app_arc_install_id
	File: /secrets.tf:25-29
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		25 | resource "aws_secretsmanager_secret" "github_app_arc_install_id" {
		26 |   count = terraform.workspace == "data-platform-apps-and-tools-production" ? 1 : 0
		27 | 
		28 |   name = "github/arc/install-id"
		29 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.github_app_arc_private_key
	File: /secrets.tf:31-35
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		31 | resource "aws_secretsmanager_secret" "github_app_arc_private_key" {
		32 |   count = terraform.workspace == "data-platform-apps-and-tools-production" ? 1 : 0
		33 | 
		34 |   name = "github/arc/private-key"
		35 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.govuk_notify_api_key
	File: /secrets.tf:38-42
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		38 | resource "aws_secretsmanager_secret" "govuk_notify_api_key" {
		39 |   count = terraform.workspace == "data-platform-apps-and-tools-production" ? 1 : 0
		40 | 
		41 |   name = "gov-uk-notify/production/api-key"
		42 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.jml_email
	File: /secrets.tf:45-49
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		45 | resource "aws_secretsmanager_secret" "jml_email" {
		46 |   count = terraform.workspace == "data-platform-apps-and-tools-production" ? 1 : 0
		47 | 
		48 |   name = "jml/email"
		49 | }


checkov_exitcode=1

CTFLint Scan Failed

Show Output

*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
terraform/environments/data-platform-apps-and-tools

*****************************

Running tflint in terraform/environments/data-platform-apps-and-tools
Excluding the following checks: terraform_unused_declarations
1 issue(s) found:

Warning: Missing version constraint for provider "random" in `required_providers` (terraform_required_providers)

  on terraform/environments/data-platform-apps-and-tools/random.tf line 24:
  24: resource "random_password" "datahub_rds" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

tflint_exitcode=2

Trivy Scan Failed

Show Output

*****************************

Trivy will check the following folders:
terraform/environments/data-platform-apps-and-tools

*****************************

Running Trivy in terraform/environments/data-platform-apps-and-tools
2024-07-16T00:35:31Z	INFO	Need to update DB
2024-07-16T00:35:31Z	INFO	Downloading DB...	repository="ghcr.io/aquasecurity/trivy-db:2"
2024-07-16T00:35:33Z	INFO	Vulnerability scanning is enabled
2024-07-16T00:35:33Z	INFO	Misconfiguration scanning is enabled
2024-07-16T00:35:33Z	INFO	Need to update the built-in policies
2024-07-16T00:35:33Z	INFO	Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-07-16T00:35:33Z	INFO	Secret scanning is enabled
2024-07-16T00:35:33Z	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-07-16T00:35:33Z	INFO	Please see also https://aquasecurity.github.io/trivy/v0.53/docs/scanner/secret#recommendation for faster secret detection
2024-07-16T00:35:34Z	WARN	[pip] Unable to find python `site-packages` directory. License detection is skipped.	err="site-packages directory not found"
2024-07-16T00:35:41Z	INFO	Number of language-specific files	num=1
2024-07-16T00:35:41Z	INFO	[pip] Detecting vulnerabilities...
2024-07-16T00:35:41Z	INFO	Detected config files	num=23

data.tf (terraform)
===================
Tests: 1 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)


git::https:/github.com/terraform-aws-modules/terraform-aws-ec2-instance?ref=f3c6436589eba5c0bcac1cf1a81403ed4f3fcaf8/main.tf (terraform)
========================================================================================================================================
Tests: 4 (SUCCESSES: 3, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Instance does not require IMDS access to require a token
════════════════════════════════════════

IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.
By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional. 
To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 git::https:/github.com/terraform-aws-modules/terraform-aws-ec2-instance?ref=f3c6436589eba5c0bcac1cf1a81403ed4f3fcaf8/main.tf:125
   via git::https:/github.com/terraform-aws-modules/terraform-aws-ec2-instance?ref=f3c6436589eba5c0bcac1cf1a81403ed4f3fcaf8/main.tf:123-128 (content)
    via git::https:/github.com/terraform-aws-modules/terraform-aws-ec2-instance?ref=f3c6436589eba5c0bcac1cf1a81403ed4f3fcaf8/main.tf:120-129 (dynamic.metadata_options["0"])
     via git::https:/github.com/terraform-aws-modules/terraform-aws-ec2-instance?ref=f3c6436589eba5c0bcac1cf1a81403ed4f3fcaf8/main.tf:21-193 (aws_instance.this[0])
      via powerbi-gateway-server.tf:14-59 (module.powerbi_gateway)
────────────────────────────────────────
  21   resource "aws_instance" "this" {
  ..   
 125 [       http_tokens                 = try(metadata_options.value.http_tokens, "optional")
 ...   
 193   }
────────────────────────────────────────



git::https:/github.com/terraform-aws-modules/terraform-aws-eks?ref=e32c29f3b77a3a4c8a7fd3652762e587ae6d1879/main.tf (terraform)
===============================================================================================================================
Tests: 5 (SUCCESSES: 1, FAILURES: 0, EXCEPTIONS: 4)
Failures: 0 (HIGH: 0, CRITICAL: 0)


git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=2e417ad0ce830893127476436179ef483485ae84/vpc-flow-logs.tf (terraform)
========================================================================================================================================
Tests: 2 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 2)
Failures: 0 (HIGH: 0, CRITICAL: 0)


powerbi-gateway-iam.tf (terraform)
==================================
Tests: 1 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)


powerbi-gateway-security-group.tf (terraform)
=============================================
Tests: 3 (SUCCESSES: 0, FAILURES: 3, EXCEPTIONS: 0)
Failures: 3 (HIGH: 0, CRITICAL: 3)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 powerbi-gateway-security-group.tf:26
   via powerbi-gateway-security-group.tf:22-27 (egress)
    via powerbi-gateway-security-group.tf:2-30 (aws_security_group.powerbi_gateway)
────────────────────────────────────────
   2   resource "aws_security_group" "powerbi_gateway" {
   .   
  26 [     cidr_blocks = ["0.0.0.0/0"]
  ..   
  30   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 powerbi-gateway-security-group.tf:19
   via powerbi-gateway-security-group.tf:15-20 (egress)
    via powerbi-gateway-security-group.tf:2-30 (aws_security_group.powerbi_gateway)
────────────────────────────────────────
   2   resource "aws_security_group" "powerbi_gateway" {
   .   
  19 [     cidr_blocks = ["0.0.0.0/0"]
  ..   
  30   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 powerbi-gateway-security-group.tf:12
   via powerbi-gateway-security-group.tf:8-13 (egress)
    via powerbi-gateway-security-group.tf:2-30 (aws_security_group.powerbi_gateway)
────────────────────────────────────────
   2   resource "aws_security_group" "powerbi_gateway" {
   .   
  12 [     cidr_blocks = ["0.0.0.0/0"]
  ..   
  30   }
────────────────────────────────────────


trivy_exitcode=1

[dependabot]

Superseded by #7368.