
DSOS-2915: add new globalprotect prisma IPs #7459

Merged
merged 1 commit into from
Aug 15, 2024

Conversation

drobinson-moj
Contributor

Add new globalprotect prisma public IPs for allow listing

@drobinson-moj drobinson-moj requested review from a team as code owners August 15, 2024 07:29
@github-actions github-actions bot added the environments-repository Used to exclude PRs from this repo in our Slack PR update label Aug 15, 2024
@drobinson-moj drobinson-moj temporarily deployed to hmpps-domain-services-development August 15, 2024 07:32 — with GitHub Actions Inactive
@drobinson-moj drobinson-moj temporarily deployed to hmpps-domain-services-test August 15, 2024 07:32 — with GitHub Actions Inactive
Contributor

#### `Trivy Scan` Failed
<details><summary>Show Output</summary>

```hcl

Trivy will check the following folders:
terraform/environments/delius-nextcloud/modules/components/nextcloud
terraform/modules/ip_addresses


Running Trivy in terraform/environments/delius-nextcloud/modules/components/nextcloud
2024-08-15T07:33:04Z INFO [db] Need to update DB
2024-08-15T07:33:04Z INFO [db] Downloading DB... repository="ghcr.io/aquasecurity/trivy-db:2"
2024-08-15T07:33:06Z INFO [vuln] Vulnerability scanning is enabled
2024-08-15T07:33:06Z INFO [misconfig] Misconfiguration scanning is enabled
2024-08-15T07:33:06Z INFO Need to update the built-in policies
2024-08-15T07:33:06Z INFO Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-08-15T07:33:06Z INFO [secret] Secret scanning is enabled
2024-08-15T07:33:06Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-08-15T07:33:06Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.54/docs/scanner/secret#recommendation for faster secret detection
2024-08-15T07:33:10Z INFO Number of language-specific files num=0
2024-08-15T07:33:10Z INFO Detected config files num=17

../../../../delius-core/modules/helpers/delius_microservice/sg.tf (terraform)

Tests: 7 (SUCCESSES: 6, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
../../../../delius-core/modules/helpers/delius_microservice/sg.tf:47
via ../../../../delius-core/modules/helpers/delius_microservice/sg.tf:41-49 (aws_security_group_rule.ecs_service_tls_egress)
via ecs_service.tf:1-139 (module.nextcloud_service)
────────────────────────────────────────
41 resource "aws_security_group_rule" "ecs_service_tls_egress" {
42 description = "Allow all outbound traffic to any IPv4 address on 443"
43 type = "egress"
44 from_port = 443
45 to_port = 443
46 protocol = "tcp"
47 [ cidr_blocks = ["0.0.0.0/0"]
48 security_group_id = aws_security_group.ecs_service.id
49 }
────────────────────────────────────────

alb.tf (terraform)

Tests: 5 (SUCCESSES: 2, FAILURES: 3, EXCEPTIONS: 0)
Failures: 3 (HIGH: 2, CRITICAL: 1)

CRITICAL: Listener uses an outdated TLS policy.
════════════════════════════════════════
You should not use outdated/insecure TLS versions for encryption. You should be using TLS v1.2+.

See https://avd.aquasec.com/misconfig/avd-aws-0047
────────────────────────────────────────
alb.tf:14
via alb.tf:10-21 (aws_alb_listener.nextcloud_https)
────────────────────────────────────────
10 resource "aws_alb_listener" "nextcloud_https" {
..
14 [ ssl_policy = "ELBSecurityPolicy-2016-08"
..
21 }
────────────────────────────────────────

HIGH: Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.

By setting drop_invalid_header_fields to true, anything that doe not conform to well known, defined headers will be removed by the load balancer.

See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
alb.tf:1-8
────────────────────────────────────────
1 ┌ resource "aws_alb" "nextcloud" {
2 │ name = "nextcloud"
3 │ internal = false
4 │ load_balancer_type = "application"
5 │ security_groups = [aws_security_group.nextcloud_alb_sg.id]
6 │ subnets = var.account_config.public_subnet_ids
7 │ tags = var.tags
8 └ }
────────────────────────────────────────

HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
alb.tf:3
via alb.tf:1-8 (aws_alb.nextcloud)
────────────────────────────────────────
1 resource "aws_alb" "nextcloud" {
2 name = "nextcloud"
3 [ internal = false
4 load_balancer_type = "application"
5 security_groups = [aws_security_group.nextcloud_alb_sg.id]
6 subnets = var.account_config.public_subnet_ids
7 tags = var.tags
8 }
────────────────────────────────────────

pagerduty.tf (terraform)

Tests: 2 (SUCCESSES: 1, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Topic does not have encryption enabled.
════════════════════════════════════════
Topics should be encrypted to protect their contents.

See https://avd.aquasec.com/misconfig/avd-aws-0095
────────────────────────────────────────
pagerduty.tf:7-9
────────────────────────────────────────
7 ┌ resource "aws_sns_topic" "nextcloud_alarms" {
8 │ name = "nextcloud-alarms-${var.env_name}"
9 └ }
────────────────────────────────────────

trivy_exitcode=1


Running Trivy in terraform/modules/ip_addresses
2024-08-15T07:33:10Z INFO [vuln] Vulnerability scanning is enabled
2024-08-15T07:33:10Z INFO [misconfig] Misconfiguration scanning is enabled
2024-08-15T07:33:10Z INFO [secret] Secret scanning is enabled
2024-08-15T07:33:10Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-08-15T07:33:10Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.54/docs/scanner/secret#recommendation for faster secret detection
2024-08-15T07:33:11Z INFO Number of language-specific files num=0
2024-08-15T07:33:11Z INFO Detected config files num=1
trivy_exitcode=1

```
</details>

#### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/delius-nextcloud/modules/components/nextcloud
terraform/modules/ip_addresses

*****************************

Running Checkov in terraform/environments/delius-nextcloud/modules/components/nextcloud
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-08-15 07:33:13,860 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0:None (for external modules, the --download-external-modules flag is required)
2024-08-15 07:33:13,860 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//cluster?ref=v4.2.1:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 359, Failed checks: 44, Skipped checks: 4

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: module.nextcloud_service.aws_cloudwatch_log_group.ecs
	File: /../../../../delius-core/modules/helpers/delius_microservice/cloudwatch.tf:1-5
	Calling File: /ecs_service.tf:1-139
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		1 | resource "aws_cloudwatch_log_group" "ecs" {
		2 |   name              = "${var.env_name}-${var.name}"
		3 |   retention_in_days = 7
		4 |   tags              = var.tags
		5 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: module.nextcloud_service.aws_cloudwatch_log_group.ecs
	File: /../../../../delius-core/modules/helpers/delius_microservice/cloudwatch.tf:1-5
	Calling File: /ecs_service.tf:1-139
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		1 | resource "aws_cloudwatch_log_group" "ecs" {
		2 |   name              = "${var.env_name}-${var.name}"
		3 |   retention_in_days = 7
		4 |   tags              = var.tags
		5 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.nextcloud_service.container_definition
	File: /../../../../delius-core/modules/helpers/delius_microservice/ecs.tf:1-25
	Calling File: /ecs_service.tf:1-139
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		1  | module "container_definition" {
		2  |   source                   = "git::https://github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//container?ref=v4.3.0"
		3  |   name                     = var.name
		4  |   image                    = var.container_image
		5  |   memory                   = var.container_memory
		6  |   cpu                      = var.container_cpu
		7  |   essential                = true
		8  |   readonly_root_filesystem = false
		9  | 
		10 |   environment = local.calculated_container_vars_list
		11 | 
		12 |   health_check = var.health_check
		13 | 
		14 |   secrets       = local.calculated_container_secrets_list
		15 |   port_mappings = var.container_port_config
		16 |   mount_points  = var.mount_points
		17 |   log_configuration = {
		18 |     logDriver = "awslogs"
		19 |     options = {
		20 |       "awslogs-group"         = aws_cloudwatch_log_group.ecs.name
		21 |       "awslogs-region"        = "eu-west-2"
		22 |       "awslogs-stream-prefix" = "${var.env_name}-${var.name}"
		23 |     }
		24 |   }
		25 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.nextcloud_service.ecs_service
	File: /../../../../delius-core/modules/helpers/delius_microservice/ecs.tf:35-72
	Calling File: /ecs_service.tf:1-139
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		35 | module "ecs_service" {
		36 |   source                = "git::https://github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//service?ref=v4.3.0"
		37 |   container_definitions = nonsensitive(module.container_definition.json_encoded_list)
		38 |   cluster_arn           = var.ecs_cluster_arn
		39 |   name                  = var.name
		40 | 
		41 |   task_cpu    = var.container_cpu
		42 |   task_memory = var.container_memory
		43 | 
		44 |   desired_count                      = var.desired_count
		45 |   deployment_maximum_percent         = var.deployment_maximum_percent
		46 |   deployment_minimum_healthy_percent = var.deployment_minimum_healthy_percent
		47 | 
		48 |   service_role_arn   = "arn:aws:iam::${var.account_info.id}:role/${module.ecs_policies.service_role.name}"
		49 |   task_role_arn      = "arn:aws:iam::${var.account_info.id}:role/${module.ecs_policies.task_role.name}"
		50 |   task_exec_role_arn = "arn:aws:iam::${var.account_info.id}:role/${module.ecs_policies.task_exec_role.name}"
		51 | 
		52 |   health_check_grace_period_seconds = var.health_check_grace_period_seconds
		53 | 
		54 |   service_load_balancers = var.microservice_lb != null ? concat([{
		55 |     target_group_arn = aws_lb_target_group.frontend[0].arn
		56 |     container_name   = var.name
		57 |     container_port   = var.container_port_config[0].containerPort
		58 |     }],
		59 |   values(local.ecs_nlbs)) : values(local.ecs_nlbs)
		60 | 
		61 |   efs_volumes = var.efs_volumes
		62 | 
		63 |   security_groups = [aws_security_group.ecs_service.id]
		64 | 
		65 |   subnets = var.account_config.private_subnet_ids
		66 | 
		67 |   enable_execute_command = true
		68 | 
		69 |   ignore_changes = var.ignore_changes_service_task_definition
		70 | 
		71 |   tags = var.tags
		72 | }

Check: CKV_AWS_134: "Ensure that Amazon ElastiCache Redis clusters have automatic backup turned on"
	FAILED for resource: module.nextcloud_service.aws_elasticache_cluster.this
	File: /../../../../delius-core/modules/helpers/delius_microservice/elasticache.tf:8-23
	Calling File: /ecs_service.tf:1-139
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-amazon-elasticache-redis-clusters-have-automatic-backup-turned-on

		8  | resource "aws_elasticache_cluster" "this" {
		9  |   count                      = var.create_elasticache ? 1 : 0
		10 |   cluster_id                 = "${var.name}-${var.env_name}"
		11 |   engine                     = var.elasticache_engine
		12 |   node_type                  = var.elasticache_node_type
		13 |   num_cache_nodes            = var.elasticache_num_cache_nodes
		14 |   parameter_group_name       = var.elasticache_parameter_group_name
		15 |   engine_version             = var.elasticache_engine_version
		16 |   port                       = var.elasticache_port
		17 |   subnet_group_name          = aws_elasticache_subnet_group.this[0].name
		18 |   apply_immediately          = var.elasticache_apply_immediately
		19 |   auto_minor_version_upgrade = true
		20 |   final_snapshot_identifier  = var.elasticache_engine == "redis" ? "final-redis-${var.name}-${var.env_name}" : null
		21 |   maintenance_window         = var.maintenance_window
		22 |   security_group_ids         = [aws_security_group.elasticache[0].id]
		23 | }

Check: CKV_AWS_152: "Ensure that Load Balancer (Network/Gateway) has cross-zone load balancing enabled"
	FAILED for resource: module.nextcloud_service.aws_lb.delius_microservices
	File: /../../../../delius-core/modules/helpers/delius_microservice/load_balancing.tf:90-98
	Calling File: /ecs_service.tf:1-139
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-load-balancer-networkgateway-has-cross-zone-load-balancing-enabled

		90 | resource "aws_lb" "delius_microservices" {
		91 |   name                       = "${var.name}-${var.env_name}-service-nlb"
		92 |   internal                   = true
		93 |   load_balancer_type         = "network"
		94 |   security_groups            = [aws_security_group.delius_microservices_service_nlb.id]
		95 |   subnets                    = var.account_config.private_subnet_ids
		96 |   enable_deletion_protection = false
		97 |   tags                       = var.tags
		98 | }

Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
	FAILED for resource: module.nextcloud_service.aws_lb.delius_microservices
	File: /../../../../delius-core/modules/helpers/delius_microservice/load_balancing.tf:90-98
	Calling File: /ecs_service.tf:1-139
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22

		90 | resource "aws_lb" "delius_microservices" {
		91 |   name                       = "${var.name}-${var.env_name}-service-nlb"
		92 |   internal                   = true
		93 |   load_balancer_type         = "network"
		94 |   security_groups            = [aws_security_group.delius_microservices_service_nlb.id]
		95 |   subnets                    = var.account_config.private_subnet_ids
		96 |   enable_deletion_protection = false
		97 |   tags                       = var.tags
		98 | }

Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
	FAILED for resource: module.nextcloud_service.aws_lb.delius_microservices
	File: /../../../../delius-core/modules/helpers/delius_microservice/load_balancing.tf:90-98
	Calling File: /ecs_service.tf:1-139
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-150

		90 | resource "aws_lb" "delius_microservices" {
		91 |   name                       = "${var.name}-${var.env_name}-service-nlb"
		92 |   internal                   = true
		93 |   load_balancer_type         = "network"
		94 |   security_groups            = [aws_security_group.delius_microservices_service_nlb.id]
		95 |   subnets                    = var.account_config.private_subnet_ids
		96 |   enable_deletion_protection = false
		97 |   tags                       = var.tags
		98 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: module.nextcloud_service.aws_vpc_security_group_ingress_rule.from_vpc
	File: /../../../../delius-core/modules/helpers/delius_microservice/load_balancing.tf:110-114
	Calling File: /ecs_service.tf:1-139
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		110 | resource "aws_vpc_security_group_ingress_rule" "from_vpc" {
		111 |   cidr_ipv4         = var.account_config.shared_vpc_cidr
		112 |   ip_protocol       = "-1"
		113 |   security_group_id = aws_security_group.delius_microservices_service_nlb.id
		114 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: module.nextcloud_service.aws_vpc_security_group_egress_rule.nlb_to_ecs_service
	File: /../../../../delius-core/modules/helpers/delius_microservice/load_balancing.tf:116-123
	Calling File: /ecs_service.tf:1-139
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		116 | resource "aws_vpc_security_group_egress_rule" "nlb_to_ecs_service" {
		117 |   for_each                     = toset([for _, v in var.container_port_config : tostring(v.containerPort)])
		118 |   ip_protocol                  = "TCP"
		119 |   from_port                    = each.value
		120 |   to_port                      = each.value
		121 |   security_group_id            = aws_security_group.delius_microservices_service_nlb.id
		122 |   referenced_security_group_id = aws_security_group.ecs_service.id
		123 | }

Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
	FAILED for resource: module.nextcloud_service.aws_db_instance.this
	File: /../../../../delius-core/modules/helpers/delius_microservice/rds.tf:65-111
	Calling File: /ecs_service.tf:1-139
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled

		65  | resource "aws_db_instance" "this" {
		66  |   count          = var.create_rds ? 1 : 0
		67  |   engine         = var.rds_engine
		68  |   license_model  = var.rds_license_model != null ? var.rds_license_model : null
		69  |   engine_version = var.rds_engine_version
		70  |   instance_class = var.rds_instance_class
		71  |   identifier     = "${var.name}-${var.env_name}-db"
		72  |   username       = var.rds_username
		73  | 
		74  |   manage_master_user_password = true
		75  | 
		76  |   snapshot_identifier = var.snapshot_identifier != null ? var.snapshot_identifier : null
		77  | 
		78  |   kms_key_id = var.account_config.kms_keys.rds_shared
		79  | 
		80  |   allow_major_version_upgrade = var.rds_allow_major_version_upgrade
		81  |   apply_immediately           = var.rds_apply_immediately
		82  | 
		83  |   # tflint-ignore: aws_db_instance_default_parameter_group
		84  |   parameter_group_name                = var.rds_parameter_group_name
		85  |   deletion_protection                 = var.rds_deletion_protection
		86  |   delete_automated_backups            = var.rds_delete_automated_backups
		87  |   skip_final_snapshot                 = var.rds_skip_final_snapshot
		88  |   final_snapshot_identifier           = !var.rds_skip_final_snapshot ? "${var.name}-${var.env_name}-db-final-${random_id.rds_suffix.hex}" : null
		89  |   allocated_storage                   = var.rds_allocated_storage
		90  |   max_allocated_storage               = var.rds_max_allocated_storage
		91  |   storage_type                        = var.rds_storage_type
		92  |   maintenance_window                  = var.maintenance_window
		93  |   auto_minor_version_upgrade          = true
		94  |   backup_window                       = var.rds_backup_window
		95  |   backup_retention_period             = var.rds_backup_retention_period
		96  |   iam_database_authentication_enabled = var.rds_iam_database_authentication_enabled
		97  |   db_subnet_group_name                = aws_db_subnet_group.this[0].id
		98  |   vpc_security_group_ids              = [aws_security_group.db[0].id]
		99  |   multi_az                            = var.rds_multi_az
		100 |   monitoring_interval                 = var.rds_monitoring_interval
		101 |   monitoring_role_arn                 = var.rds_monitoring_interval != null || var.rds_monitoring_interval != 0 ? aws_iam_role.rds_enhanced_monitoring[0].arn : null
		102 |   #checkov:skip=CKV_AWS_118: "enhanced monitoring is enabled, but optional"
		103 |   storage_encrypted               = true
		104 |   performance_insights_enabled    = var.rds_performance_insights_enabled
		105 |   performance_insights_kms_key_id = var.rds_performance_insights_enabled ? var.account_config.kms_keys.general_shared : null
		106 |   enabled_cloudwatch_logs_exports = var.rds_enabled_cloudwatch_logs_exports
		107 |   tags = merge(var.tags,
		108 |     { Name = lower(format("%s-%s-database", var.name, var.env_name)) },
		109 |     var.enable_platform_backups != null ? { "backup" = var.enable_platform_backups ? "true" : "false" } : {}
		110 |   )
		111 | }

Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
	FAILED for resource: module.nextcloud_service.aws_db_instance.this
	File: /../../../../delius-core/modules/helpers/delius_microservice/rds.tf:65-111
	Calling File: /ecs_service.tf:1-139
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-73

		65  | resource "aws_db_instance" "this" {
		66  |   count          = var.create_rds ? 1 : 0
		67  |   engine         = var.rds_engine
		68  |   license_model  = var.rds_license_model != null ? var.rds_license_model : null
		69  |   engine_version = var.rds_engine_version
		70  |   instance_class = var.rds_instance_class
		71  |   identifier     = "${var.name}-${var.env_name}-db"
		72  |   username       = var.rds_username
		73  | 
		74  |   manage_master_user_password = true
		75  | 
		76  |   snapshot_identifier = var.snapshot_identifier != null ? var.snapshot_identifier : null
		77  | 
		78  |   kms_key_id = var.account_config.kms_keys.rds_shared
		79  | 
		80  |   allow_major_version_upgrade = var.rds_allow_major_version_upgrade
		81  |   apply_immediately           = var.rds_apply_immediately
		82  | 
		83  |   # tflint-ignore: aws_db_instance_default_parameter_group
		84  |   parameter_group_name                = var.rds_parameter_group_name
		85  |   deletion_protection                 = var.rds_deletion_protection
		86  |   delete_automated_backups            = var.rds_delete_automated_backups
		87  |   skip_final_snapshot                 = var.rds_skip_final_snapshot
		88  |   final_snapshot_identifier           = !var.rds_skip_final_snapshot ? "${var.name}-${var.env_name}-db-final-${random_id.rds_suffix.hex}" : null
		89  |   allocated_storage                   = var.rds_allocated_storage
		90  |   max_allocated_storage               = var.rds_max_allocated_storage
		91  |   storage_type                        = var.rds_storage_type
		92  |   maintenance_window                  = var.maintenance_window
		93  |   auto_minor_version_upgrade          = true
		94  |   backup_window                       = var.rds_backup_window
		95  |   backup_retention_period             = var.rds_backup_retention_period
		96  |   iam_database_authentication_enabled = var.rds_iam_database_authentication_enabled
		97  |   db_subnet_group_name                = aws_db_subnet_group.this[0].id
		98  |   vpc_security_group_ids              = [aws_security_group.db[0].id]
		99  |   multi_az                            = var.rds_multi_az
		100 |   monitoring_interval                 = var.rds_monitoring_interval
		101 |   monitoring_role_arn                 = var.rds_monitoring_interval != null || var.rds_monitoring_interval != 0 ? aws_iam_role.rds_enhanced_monitoring[0].arn : null
		102 |   #checkov:skip=CKV_AWS_118: "enhanced monitoring is enabled, but optional"
		103 |   storage_encrypted               = true
		104 |   performance_insights_enabled    = var.rds_performance_insights_enabled
		105 |   performance_insights_kms_key_id = var.rds_performance_insights_enabled ? var.account_config.kms_keys.general_shared : null
		106 |   enabled_cloudwatch_logs_exports = var.rds_enabled_cloudwatch_logs_exports
		107 |   tags = merge(var.tags,
		108 |     { Name = lower(format("%s-%s-database", var.name, var.env_name)) },
		109 |     var.enable_platform_backups != null ? { "backup" = var.enable_platform_backups ? "true" : "false" } : {}
		110 |   )
		111 | }

Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
	FAILED for resource: module.nextcloud_service.aws_db_instance.this
	File: /../../../../delius-core/modules/helpers/delius_microservice/rds.tf:65-111
	Calling File: /ecs_service.tf:1-139
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-293

		65  | resource "aws_db_instance" "this" {
		66  |   count          = var.create_rds ? 1 : 0
		67  |   engine         = var.rds_engine
		68  |   license_model  = var.rds_license_model != null ? var.rds_license_model : null
		69  |   engine_version = var.rds_engine_version
		70  |   instance_class = var.rds_instance_class
		71  |   identifier     = "${var.name}-${var.env_name}-db"
		72  |   username       = var.rds_username
		73  | 
		74  |   manage_master_user_password = true
		75  | 
		76  |   snapshot_identifier = var.snapshot_identifier != null ? var.snapshot_identifier : null
		77  | 
		78  |   kms_key_id = var.account_config.kms_keys.rds_shared
		79  | 
		80  |   allow_major_version_upgrade = var.rds_allow_major_version_upgrade
		81  |   apply_immediately           = var.rds_apply_immediately
		82  | 
		83  |   # tflint-ignore: aws_db_instance_default_parameter_group
		84  |   parameter_group_name                = var.rds_parameter_group_name
		85  |   deletion_protection                 = var.rds_deletion_protection
		86  |   delete_automated_backups            = var.rds_delete_automated_backups
		87  |   skip_final_snapshot                 = var.rds_skip_final_snapshot
		88  |   final_snapshot_identifier           = !var.rds_skip_final_snapshot ? "${var.name}-${var.env_name}-db-final-${random_id.rds_suffix.hex}" : null
		89  |   allocated_storage                   = var.rds_allocated_storage
		90  |   max_allocated_storage               = var.rds_max_allocated_storage
		91  |   storage_type                        = var.rds_storage_type
		92  |   maintenance_window                  = var.maintenance_window
		93  |   auto_minor_version_upgrade          = true
		94  |   backup_window                       = var.rds_backup_window
		95  |   backup_retention_period             = var.rds_backup_retention_period
		96  |   iam_database_authentication_enabled = var.rds_iam_database_authentication_enabled
		97  |   db_subnet_group_name                = aws_db_subnet_group.this[0].id
		98  |   vpc_security_group_ids              = [aws_security_group.db[0].id]
		99  |   multi_az                            = var.rds_multi_az
		100 |   monitoring_interval                 = var.rds_monitoring_interval
		101 |   monitoring_role_arn                 = var.rds_monitoring_interval != null || var.rds_monitoring_interval != 0 ? aws_iam_role.rds_enhanced_monitoring[0].arn : null
		102 |   #checkov:skip=CKV_AWS_118: "enhanced monitoring is enabled, but optional"
		103 |   storage_encrypted               = true
		104 |   performance_insights_enabled    = var.rds_performance_insights_enabled
		105 |   performance_insights_kms_key_id = var.rds_performance_insights_enabled ? var.account_config.kms_keys.general_shared : null
		106 |   enabled_cloudwatch_logs_exports = var.rds_enabled_cloudwatch_logs_exports
		107 |   tags = merge(var.tags,
		108 |     { Name = lower(format("%s-%s-database", var.name, var.env_name)) },
		109 |     var.enable_platform_backups != null ? { "backup" = var.enable_platform_backups ? "true" : "false" } : {}
		110 |   )
		111 | }

Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
	FAILED for resource: module.nextcloud_service.aws_db_instance.this
	File: /../../../../delius-core/modules/helpers/delius_microservice/rds.tf:65-111
	Calling File: /ecs_service.tf:1-139
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-353

		65  | resource "aws_db_instance" "this" {
		66  |   count          = var.create_rds ? 1 : 0
		67  |   engine         = var.rds_engine
		68  |   license_model  = var.rds_license_model != null ? var.rds_license_model : null
		69  |   engine_version = var.rds_engine_version
		70  |   instance_class = var.rds_instance_class
		71  |   identifier     = "${var.name}-${var.env_name}-db"
		72  |   username       = var.rds_username
		73  | 
		74  |   manage_master_user_password = true
		75  | 
		76  |   snapshot_identifier = var.snapshot_identifier != null ? var.snapshot_identifier : null
		77  | 
		78  |   kms_key_id = var.account_config.kms_keys.rds_shared
		79  | 
		80  |   allow_major_version_upgrade = var.rds_allow_major_version_upgrade
		81  |   apply_immediately           = var.rds_apply_immediately
		82  | 
		83  |   # tflint-ignore: aws_db_instance_default_parameter_group
		84  |   parameter_group_name                = var.rds_parameter_group_name
		85  |   deletion_protection                 = var.rds_deletion_protection
		86  |   delete_automated_backups            = var.rds_delete_automated_backups
		87  |   skip_final_snapshot                 = var.rds_skip_final_snapshot
		88  |   final_snapshot_identifier           = !var.rds_skip_final_snapshot ? "${var.name}-${var.env_name}-db-final-${random_id.rds_suffix.hex}" : null
		89  |   allocated_storage                   = var.rds_allocated_storage
		90  |   max_allocated_storage               = var.rds_max_allocated_storage
		91  |   storage_type                        = var.rds_storage_type
		92  |   maintenance_window                  = var.maintenance_window
		93  |   auto_minor_version_upgrade          = true
		94  |   backup_window                       = var.rds_backup_window
		95  |   backup_retention_period             = var.rds_backup_retention_period
		96  |   iam_database_authentication_enabled = var.rds_iam_database_authentication_enabled
		97  |   db_subnet_group_name                = aws_db_subnet_group.this[0].id
		98  |   vpc_security_group_ids              = [aws_security_group.db[0].id]
		99  |   multi_az                            = var.rds_multi_az
		100 |   monitoring_interval                 = var.rds_monitoring_interval
		101 |   monitoring_role_arn                 = var.rds_monitoring_interval != null || var.rds_monitoring_interval != 0 ? aws_iam_role.rds_enhanced_monitoring[0].arn : null
		102 |   #checkov:skip=CKV_AWS_118: "enhanced monitoring is enabled, but optional"
		103 |   storage_encrypted               = true
		104 |   performance_insights_enabled    = var.rds_performance_insights_enabled
		105 |   performance_insights_kms_key_id = var.rds_performance_insights_enabled ? var.account_config.kms_keys.general_shared : null
		106 |   enabled_cloudwatch_logs_exports = var.rds_enabled_cloudwatch_logs_exports
		107 |   tags = merge(var.tags,
		108 |     { Name = lower(format("%s-%s-database", var.name, var.env_name)) },
		109 |     var.enable_platform_backups != null ? { "backup" = var.enable_platform_backups ? "true" : "false" } : {}
		110 |   )
		111 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: module.nextcloud_service.aws_db_instance.this
	File: /../../../../delius-core/modules/helpers/delius_microservice/rds.tf:65-111
	Calling File: /ecs_service.tf:1-139
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-354

		65  | resource "aws_db_instance" "this" {
		66  |   count          = var.create_rds ? 1 : 0
		67  |   engine         = var.rds_engine
		68  |   license_model  = var.rds_license_model != null ? var.rds_license_model : null
		69  |   engine_version = var.rds_engine_version
		70  |   instance_class = var.rds_instance_class
		71  |   identifier     = "${var.name}-${var.env_name}-db"
		72  |   username       = var.rds_username
		73  | 
		74  |   manage_master_user_password = true
		75  | 
		76  |   snapshot_identifier = var.snapshot_identifier != null ? var.snapshot_identifier : null
		77  | 
		78  |   kms_key_id = var.account_config.kms_keys.rds_shared
		79  | 
		80  |   allow_major_version_upgrade = var.rds_allow_major_version_upgrade
		81  |   apply_immediately           = var.rds_apply_immediately
		82  | 
		83  |   # tflint-ignore: aws_db_instance_default_parameter_group
		84  |   parameter_group_name                = var.rds_parameter_group_name
		85  |   deletion_protection                 = var.rds_deletion_protection
		86  |   delete_automated_backups            = var.rds_delete_automated_backups
		87  |   skip_final_snapshot                 = var.rds_skip_final_snapshot
		88  |   final_snapshot_identifier           = !var.rds_skip_final_snapshot ? "${var.name}-${var.env_name}-db-final-${random_id.rds_suffix.hex}" : null
		89  |   allocated_storage                   = var.rds_allocated_storage
		90  |   max_allocated_storage               = var.rds_max_allocated_storage
		91  |   storage_type                        = var.rds_storage_type
		92  |   maintenance_window                  = var.maintenance_window
		93  |   auto_minor_version_upgrade          = true
		94  |   backup_window                       = var.rds_backup_window
		95  |   backup_retention_period             = var.rds_backup_retention_period
		96  |   iam_database_authentication_enabled = var.rds_iam_database_authentication_enabled
		97  |   db_subnet_group_name                = aws_db_subnet_group.this[0].id
		98  |   vpc_security_group_ids              = [aws_security_group.db[0].id]
		99  |   multi_az                            = var.rds_multi_az
		100 |   monitoring_interval                 = var.rds_monitoring_interval
		101 |   monitoring_role_arn                 = var.rds_monitoring_interval != null || var.rds_monitoring_interval != 0 ? aws_iam_role.rds_enhanced_monitoring[0].arn : null
		102 |   #checkov:skip=CKV_AWS_118: "enhanced monitoring is enabled, but optional"
		103 |   storage_encrypted               = true
		104 |   performance_insights_enabled    = var.rds_performance_insights_enabled
		105 |   performance_insights_kms_key_id = var.rds_performance_insights_enabled ? var.account_config.kms_keys.general_shared : null
		106 |   enabled_cloudwatch_logs_exports = var.rds_enabled_cloudwatch_logs_exports
		107 |   tags = merge(var.tags,
		108 |     { Name = lower(format("%s-%s-database", var.name, var.env_name)) },
		109 |     var.enable_platform_backups != null ? { "backup" = var.enable_platform_backups ? "true" : "false" } : {}
		110 |   )
		111 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: module.nextcloud_service.aws_security_group_rule.all_cluster_to_ecs_service_tcp
	File: /../../../../delius-core/modules/helpers/delius_microservice/sg.tf:51-59
	Calling File: /ecs_service.tf:1-139
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		51 | resource "aws_security_group_rule" "all_cluster_to_ecs_service_tcp" {
		52 |   for_each                 = toset([for _, v in var.container_port_config : tostring(v.containerPort)])
		53 |   security_group_id        = aws_security_group.ecs_service.id
		54 |   type                     = "ingress"
		55 |   from_port                = each.value
		56 |   to_port                  = each.value
		57 |   protocol                 = "tcp"
		58 |   source_security_group_id = var.cluster_security_group_id
		59 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: module.nextcloud_service.aws_security_group_rule.bastion_to_ecs_service_tcp
	File: /../../../../delius-core/modules/helpers/delius_microservice/sg.tf:61-69
	Calling File: /ecs_service.tf:1-139
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		61 | resource "aws_security_group_rule" "bastion_to_ecs_service_tcp" {
		62 |   for_each                 = toset([for _, v in var.container_port_config : tostring(v.containerPort)])
		63 |   security_group_id        = aws_security_group.ecs_service.id
		64 |   type                     = "ingress"
		65 |   from_port                = each.value
		66 |   to_port                  = each.value
		67 |   protocol                 = "tcp"
		68 |   source_security_group_id = var.bastion_sg_id
		69 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.nextcloud_service.module.ecs_policies.aws_iam_policy_document.task_exec
	File: /../../../../delius-core/modules/helpers/ecs_policies/main.tf:104-122
	Calling File: /../../../../delius-core/modules/helpers/delius_microservice/ecs.tf:27-33
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		104 | data "aws_iam_policy_document" "task_exec" {
		105 |   statement {
		106 |     effect    = "Allow"
		107 |     resources = ["*"]
		108 | 
		109 |     actions = concat([
		110 |       "ssm:GetParameters",
		111 |       "ecr:GetAuthorizationToken",
		112 |       "ecr:BatchCheckLayerAvailability",
		113 |       "ecr:GetDownloadUrlForLayer",
		114 |       "ecr:BatchGetImage",
		115 |       "logs:CreateLogGroup",
		116 |       "logs:CreateLogStream",
		117 |       "logs:PutLogEvents",
		118 |       "secretsmanager:GetSecretValue",
		119 |       "kms:Decrypt",
		120 |     ], var.extra_exec_role_allow_statements)
		121 |   }
		122 | }

Check: CKV_AWS_108: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: module.nextcloud_service.module.ecs_policies.aws_iam_policy_document.task_exec
	File: /../../../../delius-core/modules/helpers/ecs_policies/main.tf:104-122
	Calling File: /../../../../delius-core/modules/helpers/delius_microservice/ecs.tf:27-33
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-data-exfiltration

		104 | data "aws_iam_policy_document" "task_exec" {
		105 |   statement {
		106 |     effect    = "Allow"
		107 |     resources = ["*"]
		108 | 
		109 |     actions = concat([
		110 |       "ssm:GetParameters",
		111 |       "ecr:GetAuthorizationToken",
		112 |       "ecr:BatchCheckLayerAvailability",
		113 |       "ecr:GetDownloadUrlForLayer",
		114 |       "ecr:BatchGetImage",
		115 |       "logs:CreateLogGroup",
		116 |       "logs:CreateLogStream",
		117 |       "logs:PutLogEvents",
		118 |       "secretsmanager:GetSecretValue",
		119 |       "kms:Decrypt",
		120 |     ], var.extra_exec_role_allow_statements)
		121 |   }
		122 | }

Check: CKV_AWS_329: "EFS access points should enforce a root directory"
	FAILED for resource: module.nextcloud_efs["html"].aws_efs_access_point.ldap
	File: /../../../../delius-core/modules/helpers/efs/main.tf:26-37
	Calling File: /efs.tf:1-18
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-329

		26 | resource "aws_efs_access_point" "ldap" {
		27 |   file_system_id = aws_efs_file_system.this.id
		28 |   root_directory {
		29 |     path = "/"
		30 |   }
		31 |   tags = merge(
		32 |     var.tags,
		33 |     {
		34 |       Name = "${var.env_name}-${var.name}-efs-access-point"
		35 |     }
		36 |   )
		37 | }

Check: CKV_AWS_330: "EFS access points should enforce a user identity"
	FAILED for resource: module.nextcloud_efs["html"].aws_efs_access_point.ldap
	File: /../../../../delius-core/modules/helpers/efs/main.tf:26-37
	Calling File: /efs.tf:1-18
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-330

		26 | resource "aws_efs_access_point" "ldap" {
		27 |   file_system_id = aws_efs_file_system.this.id
		28 |   root_directory {
		29 |     path = "/"
		30 |   }
		31 |   tags = merge(
		32 |     var.tags,
		33 |     {
		34 |       Name = "${var.env_name}-${var.name}-efs-access-point"
		35 |     }
		36 |   )
		37 | }

Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
	FAILED for resource: aws_alb.nextcloud
	File: /alb.tf:1-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22

		1 | resource "aws_alb" "nextcloud" {
		2 |   name               = "nextcloud"
		3 |   internal           = false
		4 |   load_balancer_type = "application"
		5 |   security_groups    = [aws_security_group.nextcloud_alb_sg.id]
		6 |   subnets            = var.account_config.public_subnet_ids
		7 |   tags               = var.tags
		8 | }

Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
	FAILED for resource: aws_alb.nextcloud
	File: /alb.tf:1-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-150

		1 | resource "aws_alb" "nextcloud" {
		2 |   name               = "nextcloud"
		3 |   internal           = false
		4 |   load_balancer_type = "application"
		5 |   security_groups    = [aws_security_group.nextcloud_alb_sg.id]
		6 |   subnets            = var.account_config.public_subnet_ids
		7 |   tags               = var.tags
		8 | }

Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
	FAILED for resource: aws_alb.nextcloud
	File: /alb.tf:1-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers

		1 | resource "aws_alb" "nextcloud" {
		2 |   name               = "nextcloud"
		3 |   internal           = false
		4 |   load_balancer_type = "application"
		5 |   security_groups    = [aws_security_group.nextcloud_alb_sg.id]
		6 |   subnets            = var.account_config.public_subnet_ids
		7 |   tags               = var.tags
		8 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.cluster
	File: /ecs_cluster.tf:8-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		8  | resource "aws_security_group" "cluster" {
		9  |   name   = "ecs-cluster-nextcloud-${var.env_name}"
		10 |   vpc_id = var.account_info.vpc_id
		11 |   lifecycle {
		12 |     create_before_destroy = true
		13 |   }
		14 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: ecs
	File: /ecs_cluster.tf:1-6
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		1 | module "ecs" {
		2 |   source                    = "github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//cluster?ref=v4.2.1"
		3 |   name                      = "nextcloud-${var.env_name}-cluster"
		4 |   enable_container_insights = "enabled"
		5 |   tags                      = var.tags
		6 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.nextcloud_admin_password
	File: /ecs_service.tf:141-143
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		141 | resource "aws_secretsmanager_secret" "nextcloud_admin_password" {
		142 |   name = "nextcloud-admin-password"
		143 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.nextcloud_alarms
	File: /pagerduty.tf:7-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		7 | resource "aws_sns_topic" "nextcloud_alarms" {
		8 |   name = "nextcloud-alarms-${var.env_name}"
		9 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.nextcloud_secret
	File: /s3.tf:63-72
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		63 | resource "aws_ssm_parameter" "nextcloud_secret" {
		64 |   name  = "/${var.env_name}/nextcloud/secret"
		65 |   type  = "SecureString"
		66 |   value = "replace_me"
		67 |   lifecycle {
		68 |     ignore_changes = [
		69 |       value
		70 |     ]
		71 |   }
		72 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3_bucket_config
	File: /s3.tf:1-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_329: "EFS access points should enforce a root directory"
	FAILED for resource: module.nextcloud_efs["themes"].aws_efs_access_point.ldap
	File: /../../../../delius-core/modules/helpers/efs/main.tf:26-37
	Calling File: /efs.tf:1-18
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-329

		26 | resource "aws_efs_access_point" "ldap" {
		27 |   file_system_id = aws_efs_file_system.this.id
		28 |   root_directory {
		29 |     path = "/"
		30 |   }
		31 |   tags = merge(
		32 |     var.tags,
		33 |     {
		34 |       Name = "${var.env_name}-${var.name}-efs-access-point"
		35 |     }
		36 |   )
		37 | }

Check: CKV_AWS_330: "EFS access points should enforce a user identity"
	FAILED for resource: module.nextcloud_efs["themes"].aws_efs_access_point.ldap
	File: /../../../../delius-core/modules/helpers/efs/main.tf:26-37
	Calling File: /efs.tf:1-18
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-330

		26 | resource "aws_efs_access_point" "ldap" {
		27 |   file_system_id = aws_efs_file_system.this.id
		28 |   root_directory {
		29 |     path = "/"
		30 |   }
		31 |   tags = merge(
		32 |     var.tags,
		33 |     {
		34 |       Name = "${var.env_name}-${var.name}-efs-access-point"
		35 |     }
		36 |   )
		37 | }

Check: CKV_AWS_329: "EFS access points should enforce a root directory"
	FAILED for resource: module.nextcloud_efs["custom_apps"].aws_efs_access_point.ldap
	File: /../../../../delius-core/modules/helpers/efs/main.tf:26-37
	Calling File: /efs.tf:1-18
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-329

		26 | resource "aws_efs_access_point" "ldap" {
		27 |   file_system_id = aws_efs_file_system.this.id
		28 |   root_directory {
		29 |     path = "/"
		30 |   }
		31 |   tags = merge(
		32 |     var.tags,
		33 |     {
		34 |       Name = "${var.env_name}-${var.name}-efs-access-point"
		35 |     }
		36 |   )
		37 | }

Check: CKV_AWS_330: "EFS access points should enforce a user identity"
	FAILED for resource: module.nextcloud_efs["custom_apps"].aws_efs_access_point.ldap
	File: /../../../../delius-core/modules/helpers/efs/main.tf:26-37
	Calling File: /efs.tf:1-18
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-330

		26 | resource "aws_efs_access_point" "ldap" {
		27 |   file_system_id = aws_efs_file_system.this.id
		28 |   root_directory {
		29 |     path = "/"
		30 |   }
		31 |   tags = merge(
		32 |     var.tags,
		33 |     {
		34 |       Name = "${var.env_name}-${var.name}-efs-access-point"
		35 |     }
		36 |   )
		37 | }

Check: CKV_AWS_329: "EFS access points should enforce a root directory"
	FAILED for resource: module.nextcloud_efs["config"].aws_efs_access_point.ldap
	File: /../../../../delius-core/modules/helpers/efs/main.tf:26-37
	Calling File: /efs.tf:1-18
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-329

		26 | resource "aws_efs_access_point" "ldap" {
		27 |   file_system_id = aws_efs_file_system.this.id
		28 |   root_directory {
		29 |     path = "/"
		30 |   }
		31 |   tags = merge(
		32 |     var.tags,
		33 |     {
		34 |       Name = "${var.env_name}-${var.name}-efs-access-point"
		35 |     }
		36 |   )
		37 | }

Check: CKV_AWS_330: "EFS access points should enforce a user identity"
	FAILED for resource: module.nextcloud_efs["config"].aws_efs_access_point.ldap
	File: /../../../../delius-core/modules/helpers/efs/main.tf:26-37
	Calling File: /efs.tf:1-18
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-330

		26 | resource "aws_efs_access_point" "ldap" {
		27 |   file_system_id = aws_efs_file_system.this.id
		28 |   root_directory {
		29 |     path = "/"
		30 |   }
		31 |   tags = merge(
		32 |     var.tags,
		33 |     {
		34 |       Name = "${var.env_name}-${var.name}-efs-access-point"
		35 |     }
		36 |   )
		37 | }

Check: CKV_AWS_329: "EFS access points should enforce a root directory"
	FAILED for resource: module.nextcloud_efs["data"].aws_efs_access_point.ldap
	File: /../../../../delius-core/modules/helpers/efs/main.tf:26-37
	Calling File: /efs.tf:1-18
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-329

		26 | resource "aws_efs_access_point" "ldap" {
		27 |   file_system_id = aws_efs_file_system.this.id
		28 |   root_directory {
		29 |     path = "/"
		30 |   }
		31 |   tags = merge(
		32 |     var.tags,
		33 |     {
		34 |       Name = "${var.env_name}-${var.name}-efs-access-point"
		35 |     }
		36 |   )
		37 | }

Check: CKV_AWS_330: "EFS access points should enforce a user identity"
	FAILED for resource: module.nextcloud_efs["data"].aws_efs_access_point.ldap
	File: /../../../../delius-core/modules/helpers/efs/main.tf:26-37
	Calling File: /efs.tf:1-18
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-330

		26 | resource "aws_efs_access_point" "ldap" {
		27 |   file_system_id = aws_efs_file_system.this.id
		28 |   root_directory {
		29 |     path = "/"
		30 |   }
		31 |   tags = merge(
		32 |     var.tags,
		33 |     {
		34 |       Name = "${var.env_name}-${var.name}-efs-access-point"
		35 |     }
		36 |   )
		37 | }

Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
	FAILED for resource: module.nextcloud_service.aws_db_instance.this
	File: /../../../../delius-core/modules/helpers/delius_microservice/rds.tf:65-111
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-60

		65  | resource "aws_db_instance" "this" {
		66  |   count          = var.create_rds ? 1 : 0
		67  |   engine         = var.rds_engine
		68  |   license_model  = var.rds_license_model != null ? var.rds_license_model : null
		69  |   engine_version = var.rds_engine_version
		70  |   instance_class = var.rds_instance_class
		71  |   identifier     = "${var.name}-${var.env_name}-db"
		72  |   username       = var.rds_username
		73  | 
		74  |   manage_master_user_password = true
		75  | 
		76  |   snapshot_identifier = var.snapshot_identifier != null ? var.snapshot_identifier : null
		77  | 
		78  |   kms_key_id = var.account_config.kms_keys.rds_shared
		79  | 
		80  |   allow_major_version_upgrade = var.rds_allow_major_version_upgrade
		81  |   apply_immediately           = var.rds_apply_immediately
		82  | 
		83  |   # tflint-ignore: aws_db_instance_default_parameter_group
		84  |   parameter_group_name                = var.rds_parameter_group_name
		85  |   deletion_protection                 = var.rds_deletion_protection
		86  |   delete_automated_backups            = var.rds_delete_automated_backups
		87  |   skip_final_snapshot                 = var.rds_skip_final_snapshot
		88  |   final_snapshot_identifier           = !var.rds_skip_final_snapshot ? "${var.name}-${var.env_name}-db-final-${random_id.rds_suffix.hex}" : null
		89  |   allocated_storage                   = var.rds_allocated_storage
		90  |   max_allocated_storage               = var.rds_max_allocated_storage
		91  |   storage_type                        = var.rds_storage_type
		92  |   maintenance_window                  = var.maintenance_window
		93  |   auto_minor_version_upgrade          = true
		94  |   backup_window                       = var.rds_backup_window
		95  |   backup_retention_period             = var.rds_backup_retention_period
		96  |   iam_database_authentication_enabled = var.rds_iam_database_authentication_enabled
		97  |   db_subnet_group_name                = aws_db_subnet_group.this[0].id
		98  |   vpc_security_group_ids              = [aws_security_group.db[0].id]
		99  |   multi_az                            = var.rds_multi_az
		100 |   monitoring_interval                 = var.rds_monitoring_interval
		101 |   monitoring_role_arn                 = var.rds_monitoring_interval != null || var.rds_monitoring_interval != 0 ? aws_iam_role.rds_enhanced_monitoring[0].arn : null
		102 |   #checkov:skip=CKV_AWS_118: "enhanced monitoring is enabled, but optional"
		103 |   storage_encrypted               = true
		104 |   performance_insights_enabled    = var.rds_performance_insights_enabled
		105 |   performance_insights_kms_key_id = var.rds_performance_insights_enabled ? var.account_config.kms_keys.general_shared : null
		106 |   enabled_cloudwatch_logs_exports = var.rds_enabled_cloudwatch_logs_exports
		107 |   tags = merge(var.tags,
		108 |     { Name = lower(format("%s-%s-database", var.name, var.env_name)) },
		109 |     var.enable_platform_backups != null ? { "backup" = var.enable_platform_backups ? "true" : "false" } : {}
		110 |   )
		111 | }

Check: CKV_AWS_103: "Ensure that load balancer is using at least TLS 1.2"
	FAILED for resource: aws_alb_listener.nextcloud_https
	File: /alb.tf:10-21
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-43

		10 | resource "aws_alb_listener" "nextcloud_https" {
		11 |   load_balancer_arn = aws_alb.nextcloud.arn
		12 |   port              = "443"
		13 |   protocol          = "HTTPS"
		14 |   ssl_policy        = "ELBSecurityPolicy-2016-08"
		15 |   certificate_arn   = aws_acm_certificate.nextcloud_external.arn
		16 | 
		17 |   default_action {
		18 |     type             = "forward"
		19 |     target_group_arn = module.nextcloud_service.target_group_arn
		20 |   }
		21 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.nextcloud_admin_password
	File: /ecs_service.tf:141-143
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		141 | resource "aws_secretsmanager_secret" "nextcloud_admin_password" {
		142 |   name = "nextcloud-admin-password"
		143 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: module.nextcloud_service.aws_security_group.ecs_service
	File: /../../../../delius-core/modules/helpers/delius_microservice/sg.tf:2-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		2  | resource "aws_security_group" "ecs_service" {
		3  |   name        = "ecs-service-${var.name}-${var.env_name}"
		4  |   description = "Security group for the ${var.env_name} ${var.name} service"
		5  |   vpc_id      = var.account_config.shared_vpc_id
		6  |   tags        = var.tags
		7  |   lifecycle {
		8  |     create_before_destroy = true
		9  |   }
		10 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.cluster
	File: /ecs_cluster.tf:8-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		8  | resource "aws_security_group" "cluster" {
		9  |   name   = "ecs-cluster-nextcloud-${var.env_name}"
		10 |   vpc_id = var.account_info.vpc_id
		11 |   lifecycle {
		12 |     create_before_destroy = true
		13 |   }
		14 | }

Check: CKV2_AWS_28: "Ensure public facing ALB are protected by WAF"
	FAILED for resource: aws_alb.nextcloud
	File: /alb.tf:1-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-public-facing-alb-are-protected-by-waf

		1 | resource "aws_alb" "nextcloud" {
		2 |   name               = "nextcloud"
		3 |   internal           = false
		4 |   load_balancer_type = "application"
		5 |   security_groups    = [aws_security_group.nextcloud_alb_sg.id]
		6 |   subnets            = var.account_config.public_subnet_ids
		7 |   tags               = var.tags
		8 | }


checkov_exitcode=1

*****************************

Running Checkov in terraform/modules/ip_addresses
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39

checkov_exitcode=1

TFLint Scan Failed

Show Output
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
terraform/environments/delius-nextcloud/modules/components/nextcloud
terraform/modules/ip_addresses

*****************************

Running tflint in terraform/environments/delius-nextcloud/modules/components/nextcloud
Excluding the following checks: terraform_unused_declarations
1 issue(s) found:

Warning: Missing version constraint for provider "random" in `required_providers` (terraform_required_providers)

  on terraform/environments/delius-nextcloud/modules/components/nextcloud/ecs_service.tf line 150:
 150: resource "random_password" "nextcloud_admin_password" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

tflint_exitcode=2

*****************************

Running tflint in terraform/modules/ip_addresses
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=2

Trivy Scan Failed

Show Output
*****************************

Trivy will check the following folders:
terraform/environments/delius-nextcloud/modules/components/nextcloud
terraform/modules/ip_addresses

*****************************

Running Trivy in terraform/environments/delius-nextcloud/modules/components/nextcloud
2024-08-15T07:33:04Z	INFO	[db] Need to update DB
2024-08-15T07:33:04Z	INFO	[db] Downloading DB...	repository="ghcr.io/aquasecurity/trivy-db:2"
2024-08-15T07:33:06Z	INFO	[vuln] Vulnerability scanning is enabled
2024-08-15T07:33:06Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-08-15T07:33:06Z	INFO	Need to update the built-in policies
2024-08-15T07:33:06Z	INFO	Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s
2024-08-15T07:33:06Z	INFO	[secret] Secret scanning is enabled
2024-08-15T07:33:06Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-08-15T07:33:06Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.54/docs/scanner/secret#recommendation for faster secret detection
2024-08-15T07:33:10Z	INFO	Number of language-specific files	num=0
2024-08-15T07:33:10Z	INFO	Detected config files	num=17

../../../../delius-core/modules/helpers/delius_microservice/sg.tf (terraform)
=============================================================================
Tests: 7 (SUCCESSES: 6, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 ../../../../delius-core/modules/helpers/delius_microservice/sg.tf:47
   via ../../../../delius-core/modules/helpers/delius_microservice/sg.tf:41-49 (aws_security_group_rule.ecs_service_tls_egress)
    via ecs_service.tf:1-139 (module.nextcloud_service)
────────────────────────────────────────
  41   resource "aws_security_group_rule" "ecs_service_tls_egress" {
  42     description       = "Allow all outbound traffic to any IPv4 address on 443"
  43     type              = "egress"
  44     from_port         = 443
  45     to_port           = 443
  46     protocol          = "tcp"
  47 [   cidr_blocks       = ["0.0.0.0/0"]
  48     security_group_id = aws_security_group.ecs_service.id
  49   }
────────────────────────────────────────



alb.tf (terraform)
==================
Tests: 5 (SUCCESSES: 2, FAILURES: 3, EXCEPTIONS: 0)
Failures: 3 (HIGH: 2, CRITICAL: 1)

CRITICAL: Listener uses an outdated TLS policy.
════════════════════════════════════════
You should not use outdated/insecure TLS versions for encryption. You should be using TLS v1.2+.

See https://avd.aquasec.com/misconfig/avd-aws-0047
────────────────────────────────────────
 alb.tf:14
   via alb.tf:10-21 (aws_alb_listener.nextcloud_https)
────────────────────────────────────────
  10   resource "aws_alb_listener" "nextcloud_https" {
  ..   
  14 [   ssl_policy        = "ELBSecurityPolicy-2016-08"
  ..   
  21   }
────────────────────────────────────────


HIGH: Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise. 

By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.

See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
 alb.tf:1-8
────────────────────────────────────────
   1 ┌ resource "aws_alb" "nextcloud" {
   2 │   name               = "nextcloud"
   3 │   internal           = false
   4 │   load_balancer_type = "application"
   5 │   security_groups    = [aws_security_group.nextcloud_alb_sg.id]
   6 │   subnets            = var.account_config.public_subnet_ids
   7 │   tags               = var.tags
   8 └ }
────────────────────────────────────────


HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
 alb.tf:3
   via alb.tf:1-8 (aws_alb.nextcloud)
────────────────────────────────────────
   1   resource "aws_alb" "nextcloud" {
   2     name               = "nextcloud"
   3 [   internal           = false
   4     load_balancer_type = "application"
   5     security_groups    = [aws_security_group.nextcloud_alb_sg.id]
   6     subnets            = var.account_config.public_subnet_ids
   7     tags               = var.tags
   8   }
────────────────────────────────────────



pagerduty.tf (terraform)
========================
Tests: 2 (SUCCESSES: 1, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Topic does not have encryption enabled.
════════════════════════════════════════
Topics should be encrypted to protect their contents.

See https://avd.aquasec.com/misconfig/avd-aws-0095
────────────────────────────────────────
 pagerduty.tf:7-9
────────────────────────────────────────
   7 ┌ resource "aws_sns_topic" "nextcloud_alarms" {
   8 │   name = "nextcloud-alarms-${var.env_name}"
   9 └ }
────────────────────────────────────────


trivy_exitcode=1

*****************************

Running Trivy in terraform/modules/ip_addresses
2024-08-15T07:33:10Z	INFO	[vuln] Vulnerability scanning is enabled
2024-08-15T07:33:10Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-08-15T07:33:10Z	INFO	[secret] Secret scanning is enabled
2024-08-15T07:33:10Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-08-15T07:33:10Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.54/docs/scanner/secret#recommendation for faster secret detection
2024-08-15T07:33:11Z	INFO	Number of language-specific files	num=0
2024-08-15T07:33:11Z	INFO	Detected config files	num=1
trivy_exitcode=1

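The five findings in the scan output above map to a handful of attribute changes. The block below is an added example of hardened counterparts, written for this page; it is not code from this PR or from the delius-nextcloud module. Resource names are kept as they appear in the findings; `var.account_config`, `var.tags`, `var.env_name`, `var.certificate_arn`, `aws_alb_target_group.nextcloud`, the two security groups and the CIDR in the prefix list are assumed placeholders.

```hcl
# Added example (not the module's own code): hardened versions of the
# resources Trivy flagged. Variables, security groups, target group and
# the prefix-list CIDR are placeholders.

# avd-aws-0104: scope ECS egress on 443 to known destinations instead of
# 0.0.0.0/0. A managed prefix list keeps the allow list in one place;
# the entry below is an RFC 5737 documentation range, not a real upstream.
resource "aws_ec2_managed_prefix_list" "ecs_tls_egress" {
  name           = "nextcloud-ecs-tls-egress"
  address_family = "IPv4"
  max_entries    = 10

  entry {
    cidr        = "198.51.100.0/24" # placeholder
    description = "upstream HTTPS endpoint"
  }
}

resource "aws_security_group_rule" "ecs_service_tls_egress" {
  description       = "Allow outbound 443 only to the approved prefix list"
  type              = "egress"
  from_port         = 443
  to_port           = 443
  protocol          = "tcp"
  prefix_list_ids   = [aws_ec2_managed_prefix_list.ecs_tls_egress.id]
  security_group_id = aws_security_group.ecs_service.id
}

# avd-aws-0052: drop malformed header fields at the edge.
# avd-aws-0053: the ALB is intentionally public, so that finding is
# suppressed with Trivy's inline ignore comment rather than "fixed" by
# flipping internal to true.
#trivy:ignore:AVD-AWS-0053
resource "aws_alb" "nextcloud" {
  name                       = "nextcloud"
  internal                   = false
  load_balancer_type         = "application"
  security_groups            = [aws_security_group.nextcloud_alb_sg.id]
  subnets                    = var.account_config.public_subnet_ids
  drop_invalid_header_fields = true
  tags                       = var.tags
}

# avd-aws-0047: ELBSecurityPolicy-2016-08 still negotiates TLS 1.0 and 1.1;
# the TLS13-1-2 policy restricts the listener to TLS 1.2 and 1.3.
resource "aws_alb_listener" "nextcloud_https" {
  load_balancer_arn = aws_alb.nextcloud.arn
  port              = 443
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-TLS13-1-2-2021-06"
  certificate_arn   = var.certificate_arn # placeholder

  default_action {
    type             = "forward"
    target_group_arn = aws_alb_target_group.nextcloud.arn # placeholder
  }
}

# avd-aws-0095: encrypt the alarm topic at rest with a customer-managed key.
resource "aws_kms_key" "sns" {
  description         = "CMK for the nextcloud alarm topic"
  enable_key_rotation = true
}

resource "aws_sns_topic" "nextcloud_alarms" {
  name              = "nextcloud-alarms-${var.env_name}"
  kms_master_key_id = aws_kms_key.sns.id
}
```

Two caveats before applying this pattern for real. Narrowing egress to a prefix list only works if every outbound HTTPS dependency of the task is enumerated; missing an endpoint (an AWS API, a package mirror, the PagerDuty integration) fails silently as a timeout, so check VPC Flow Logs for the task's ENI before cutting over, or route AWS traffic through VPC endpoints instead. For the encrypted SNS topic, CloudWatch alarms publish through the CloudWatch service principal, so the key policy on `aws_kms_key.sns` must grant `cloudwatch.amazonaws.com` `kms:GenerateDataKey` and `kms:Decrypt`, otherwise alarm notifications stop arriving with no error in the alarm itself.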
@drobinson-moj drobinson-moj merged commit 5517532 into main Aug 15, 2024
33 of 35 checks passed
@drobinson-moj drobinson-moj deleted the DSOS-2915/add-globalprotect-prisma-ips branch August 15, 2024 08:24
Labels
environments-repository Used to exclude PRs from this repo in our Slack PR update