🔧 Update delius-core alarms #7549

Merged
merged 8 commits into from
Aug 19, 2024

Conversation

georgepstaylor
Member

@georgepstaylor georgepstaylor commented Aug 19, 2024

  • LDAP log error tuning
  • RDS - added freeable mem, enabled pagerduty

@georgepstaylor georgepstaylor requested review from a team as code owners August 19, 2024 14:32
@github-actions github-actions bot added the environments-repository Used to exclude PRs from this repo in our Slack PR update label Aug 19, 2024
Contributor

Trivy Scan Failed

Show Output

Trivy will check the following folders:
terraform/environments/delius-core/modules/components/ldap


Running Trivy in terraform/environments/delius-core/modules/components/ldap
2024-08-19T14:35:03Z INFO [db] Need to update DB
2024-08-19T14:35:03Z INFO [db] Downloading DB... repository="ghcr.io/aquasecurity/trivy-db:2"
2024-08-19T14:35:05Z INFO [vuln] Vulnerability scanning is enabled
2024-08-19T14:35:05Z INFO [misconfig] Misconfiguration scanning is enabled
2024-08-19T14:35:05Z INFO Need to update the built-in policies
2024-08-19T14:35:05Z INFO Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s
2024-08-19T14:35:05Z INFO [secret] Secret scanning is enabled
2024-08-19T14:35:05Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-08-19T14:35:05Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.54/docs/scanner/secret#recommendation for faster secret detection
2024-08-19T14:35:06Z INFO Number of language-specific files num=0
2024-08-19T14:35:06Z INFO Detected config files num=10

sg.tf (terraform)

Tests: 10 (SUCCESSES: 9, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
sg.tf:17
via sg.tf:11-19 (aws_security_group_rule.allow_all_egress)
────────────────────────────────────────
11 resource "aws_security_group_rule" "allow_all_egress" {
12 description = "Allow all outbound traffic to any IPv4 address"
13 type = "egress"
14 from_port = 0
15 to_port = 0
16 protocol = "-1"
17 [ cidr_blocks = ["0.0.0.0/0"]
18 security_group_id = aws_security_group.ldap.id
19 }
────────────────────────────────────────

trivy_exitcode=1

Checkov Scan Failed

Show Output

*****************************

Checkov will check the following folders:
terraform/environments/delius-core/modules/components/ldap

*****************************

Running Checkov in terraform/environments/delius-core/modules/components/ldap
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-08-19 14:35:09,163 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 248, Failed checks: 32, Skipped checks: 0

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.delius_core_backup_policy
	File: /backup.tf:69-89
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		69 | data "aws_iam_policy_document" "delius_core_backup_policy" {
		70 |   statement {
		71 |     effect    = "Allow"
		72 |     resources = ["*"]
		73 | 
		74 |     actions = [
		75 |       "backup:CreateBackupPlan",
		76 |       "backup:CreateBackupSelection",
		77 |       "backup:StartBackupJob",
		78 |       "backup:DescribeBackupJob",
		79 |       "backup:ListBackupJobs",
		80 |       "backup:ListBackupVaults",
		81 |       "backup:ListRecoveryPointsByBackupVault",
		82 |       "backup:ListBackupPlanTemplates",
		83 |       "backup:DescribeRestoreJob",
		84 |       "backup:GetRecoveryPointRestoreMetadata",
		85 |       "backup:ListRestoreJobs",
		86 |       "backup:StartRestoreJob"
		87 |     ]
		88 |   }
		89 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.delius_core_backup_policy
	File: /backup.tf:69-89
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		69 | data "aws_iam_policy_document" "delius_core_backup_policy" {
		70 |   statement {
		71 |     effect    = "Allow"
		72 |     resources = ["*"]
		73 | 
		74 |     actions = [
		75 |       "backup:CreateBackupPlan",
		76 |       "backup:CreateBackupSelection",
		77 |       "backup:StartBackupJob",
		78 |       "backup:DescribeBackupJob",
		79 |       "backup:ListBackupJobs",
		80 |       "backup:ListBackupVaults",
		81 |       "backup:ListRecoveryPointsByBackupVault",
		82 |       "backup:ListBackupPlanTemplates",
		83 |       "backup:DescribeRestoreJob",
		84 |       "backup:GetRecoveryPointRestoreMetadata",
		85 |       "backup:ListRestoreJobs",
		86 |       "backup:StartRestoreJob"
		87 |     ]
		88 |   }
		89 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.efs_backup_policy
	File: /backup.tf:97-134
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		97  | data "aws_iam_policy_document" "efs_backup_policy" {
		98  |   statement {
		99  |     effect    = "Allow"
		100 |     resources = ["*"]
		101 | 
		102 |     actions = [
		103 |       "efs:DescribeFileSystems",
		104 |       "efs:CreateBackup",
		105 |       "efs:DeleteBackup",
		106 |       "efs:DescribeBackups",
		107 |       "efs:CreateTags",
		108 |       "efs:UntagResource",
		109 |       "efs:TagResource",
		110 |       "efs:DescribeTags",
		111 |       "elasticfilesystem:Backup",
		112 |       "elasticfilesystem:DescribeTags",
		113 |       "elasticfilesystem:CreateAccessPoint",
		114 |       "elasticfilesystem:CreateFileSystem",
		115 |       "elasticfilesystem:CreateMountTarget",
		116 |       "elasticfilesystem:DeleteAccessPoint",
		117 |       "elasticfilesystem:DeleteFileSystem",
		118 |       "elasticfilesystem:DeleteMountTarget",
		119 |       "elasticfilesystem:DescribeAccessPoints",
		120 |       "elasticfilesystem:DescribeFileSystemPolicy",
		121 |       "elasticfilesystem:DescribeFileSystems",
		122 |       "elasticfilesystem:DescribeLifecycleConfiguration",
		123 |       "elasticfilesystem:DescribeMountTargets",
		124 |       "elasticfilesystem:DescribeMountTargetSecurityGroups",
		125 |       "elasticfilesystem:PutBackupPolicy",
		126 |       "elasticfilesystem:PutFileSystemPolicy",
		127 |       "elasticfilesystem:PutLifecycleConfiguration",
		128 |       "elasticfilesystem:Restore",
		129 |       "elasticfilesystem:TagResource",
		130 |       "elasticfilesystem:UntagResource",
		131 |       "elasticfilesystem:UpdateFileSystem"
		132 |     ]
		133 |   }
		134 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.efs_backup_policy
	File: /backup.tf:97-134
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		97  | data "aws_iam_policy_document" "efs_backup_policy" {
		98  |   statement {
		99  |     effect    = "Allow"
		100 |     resources = ["*"]
		101 | 
		102 |     actions = [
		103 |       "efs:DescribeFileSystems",
		104 |       "efs:CreateBackup",
		105 |       "efs:DeleteBackup",
		106 |       "efs:DescribeBackups",
		107 |       "efs:CreateTags",
		108 |       "efs:UntagResource",
		109 |       "efs:TagResource",
		110 |       "efs:DescribeTags",
		111 |       "elasticfilesystem:Backup",
		112 |       "elasticfilesystem:DescribeTags",
		113 |       "elasticfilesystem:CreateAccessPoint",
		114 |       "elasticfilesystem:CreateFileSystem",
		115 |       "elasticfilesystem:CreateMountTarget",
		116 |       "elasticfilesystem:DeleteAccessPoint",
		117 |       "elasticfilesystem:DeleteFileSystem",
		118 |       "elasticfilesystem:DeleteMountTarget",
		119 |       "elasticfilesystem:DescribeAccessPoints",
		120 |       "elasticfilesystem:DescribeFileSystemPolicy",
		121 |       "elasticfilesystem:DescribeFileSystems",
		122 |       "elasticfilesystem:DescribeLifecycleConfiguration",
		123 |       "elasticfilesystem:DescribeMountTargets",
		124 |       "elasticfilesystem:DescribeMountTargetSecurityGroups",
		125 |       "elasticfilesystem:PutBackupPolicy",
		126 |       "elasticfilesystem:PutFileSystemPolicy",
		127 |       "elasticfilesystem:PutLifecycleConfiguration",
		128 |       "elasticfilesystem:Restore",
		129 |       "elasticfilesystem:TagResource",
		130 |       "elasticfilesystem:UntagResource",
		131 |       "elasticfilesystem:UpdateFileSystem"
		132 |     ]
		133 |   }
		134 | }

Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy_document.efs_backup_policy
	File: /backup.tf:97-134
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint

		97  | data "aws_iam_policy_document" "efs_backup_policy" {
		98  |   statement {
		99  |     effect    = "Allow"
		100 |     resources = ["*"]
		101 | 
		102 |     actions = [
		103 |       "efs:DescribeFileSystems",
		104 |       "efs:CreateBackup",
		105 |       "efs:DeleteBackup",
		106 |       "efs:DescribeBackups",
		107 |       "efs:CreateTags",
		108 |       "efs:UntagResource",
		109 |       "efs:TagResource",
		110 |       "efs:DescribeTags",
		111 |       "elasticfilesystem:Backup",
		112 |       "elasticfilesystem:DescribeTags",
		113 |       "elasticfilesystem:CreateAccessPoint",
		114 |       "elasticfilesystem:CreateFileSystem",
		115 |       "elasticfilesystem:CreateMountTarget",
		116 |       "elasticfilesystem:DeleteAccessPoint",
		117 |       "elasticfilesystem:DeleteFileSystem",
		118 |       "elasticfilesystem:DeleteMountTarget",
		119 |       "elasticfilesystem:DescribeAccessPoints",
		120 |       "elasticfilesystem:DescribeFileSystemPolicy",
		121 |       "elasticfilesystem:DescribeFileSystems",
		122 |       "elasticfilesystem:DescribeLifecycleConfiguration",
		123 |       "elasticfilesystem:DescribeMountTargets",
		124 |       "elasticfilesystem:DescribeMountTargetSecurityGroups",
		125 |       "elasticfilesystem:PutBackupPolicy",
		126 |       "elasticfilesystem:PutFileSystemPolicy",
		127 |       "elasticfilesystem:PutLifecycleConfiguration",
		128 |       "elasticfilesystem:Restore",
		129 |       "elasticfilesystem:TagResource",
		130 |       "elasticfilesystem:UntagResource",
		131 |       "elasticfilesystem:UpdateFileSystem"
		132 |     ]
		133 |   }
		134 | }

Check: CKV_AWS_166: "Ensure Backup Vault is encrypted at rest using KMS CMK"
	FAILED for resource: aws_backup_vault.ldap_backup_vault
	File: /backup.tf:1-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-backup-vault-is-encrypted-at-rest-using-kms-cmk

		1 | resource "aws_backup_vault" "ldap_backup_vault" {
		2 |   name = "${var.env_name}-ldap-efs-vault"
		3 |   tags = merge(
		4 |     var.tags,
		5 |     {
		6 |       Name = "${var.env_name}-ldap-efs-vault"
		7 |     },
		8 |   )
		9 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.ldap_ecs
	File: /cloudwatch.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		1 | resource "aws_cloudwatch_log_group" "ldap_ecs" {
		2 |   name              = "/ecs/ldap-${var.env_name}"
		3 |   retention_in_days = 5
		4 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.ldap_ecs
	File: /cloudwatch.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		1 | resource "aws_cloudwatch_log_group" "ldap_ecs" {
		2 |   name              = "/ecs/ldap-${var.env_name}"
		3 |   retention_in_days = 5
		4 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.ldap_automation
	File: /cloudwatch.tf:6-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		6 | resource "aws_cloudwatch_log_group" "ldap_automation" {
		7 |   name              = "/ecs/ldap-automation-${var.env_name}"
		8 |   retention_in_days = 5
		9 | }
Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.ldap_automation
	File: /cloudwatch.tf:6-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		6 | resource "aws_cloudwatch_log_group" "ldap_automation" {
		7 |   name              = "/ecs/ldap-automation-${var.env_name}"
		8 |   retention_in_days = 5
		9 | }
Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.ldap_datasync_role_access
	File: /datasync.tf:49-88
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		49 | data "aws_iam_policy_document" "ldap_datasync_role_access" {
		50 |   statement {
		51 |     effect = "Allow"
		52 |     actions = [
		53 |       "backup:*",
		54 |       "datasync:*",
		55 |       "elasticfilesystem:*",
		56 |       "ec2:DescribeInstances",
		57 |       "ec2:CreateNetworkInterface",
		58 |       "ec2:AttachNetworkInterface",
		59 |       "ec2:DescribeNetworkInterfaces",
		60 |       "ec2:DeleteNetworkInterface"
		61 |     ]
		62 |     resources = ["*"]
		63 |   }
		64 |   statement {
		65 |     effect = "Allow"
		66 |     actions = [
		67 |       "kms:ListGrants",
		68 |       "kms:GenerateDataKey",
		69 |       "kms:Encrypt",
		70 |       "kms:DescribeKey",
		71 |       "kms:Decrypt",
		72 |       "kms:CreateGrant",
		73 |       "kms:ReEncryptTo",
		74 |       "kms:ReEncryptFrom",
		75 |       "kms:GenerateDataKeyWithoutPlaintext"
		76 |     ]
		77 |     resources = [var.account_config.kms_keys.general_shared]
		78 |   }
		79 |   statement {
		80 |     sid     = "allowAccessForDataSync"
		81 |     effect  = "Allow"
		82 |     actions = ["s3:*"]
		83 |     resources = [
		84 |       "arn:aws:s3:::*-ldap-data-refresh-incoming",
		85 |       "arn:aws:s3:::*-ldap-data-refresh-incoming/*",
		86 |     ]
		87 |   }
		88 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.ldap_datasync_role_access
	File: /datasync.tf:49-88
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		49 | data "aws_iam_policy_document" "ldap_datasync_role_access" {
		50 |   statement {
		51 |     effect = "Allow"
		52 |     actions = [
		53 |       "backup:*",
		54 |       "datasync:*",
		55 |       "elasticfilesystem:*",
		56 |       "ec2:DescribeInstances",
		57 |       "ec2:CreateNetworkInterface",
		58 |       "ec2:AttachNetworkInterface",
		59 |       "ec2:DescribeNetworkInterfaces",
		60 |       "ec2:DeleteNetworkInterface"
		61 |     ]
		62 |     resources = ["*"]
		63 |   }
		64 |   statement {
		65 |     effect = "Allow"
		66 |     actions = [
		67 |       "kms:ListGrants",
		68 |       "kms:GenerateDataKey",
		69 |       "kms:Encrypt",
		70 |       "kms:DescribeKey",
		71 |       "kms:Decrypt",
		72 |       "kms:CreateGrant",
		73 |       "kms:ReEncryptTo",
		74 |       "kms:ReEncryptFrom",
		75 |       "kms:GenerateDataKeyWithoutPlaintext"
		76 |     ]
		77 |     resources = [var.account_config.kms_keys.general_shared]
		78 |   }
		79 |   statement {
		80 |     sid     = "allowAccessForDataSync"
		81 |     effect  = "Allow"
		82 |     actions = ["s3:*"]
		83 |     resources = [
		84 |       "arn:aws:s3:::*-ldap-data-refresh-incoming",
		85 |       "arn:aws:s3:::*-ldap-data-refresh-incoming/*",
		86 |     ]
		87 |   }
		88 | }

Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy_document.ldap_datasync_role_access
	File: /datasync.tf:49-88
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint

		49 | data "aws_iam_policy_document" "ldap_datasync_role_access" {
		50 |   statement {
		51 |     effect = "Allow"
		52 |     actions = [
		53 |       "backup:*",
		54 |       "datasync:*",
		55 |       "elasticfilesystem:*",
		56 |       "ec2:DescribeInstances",
		57 |       "ec2:CreateNetworkInterface",
		58 |       "ec2:AttachNetworkInterface",
		59 |       "ec2:DescribeNetworkInterfaces",
		60 |       "ec2:DeleteNetworkInterface"
		61 |     ]
		62 |     resources = ["*"]
		63 |   }
		64 |   statement {
		65 |     effect = "Allow"
		66 |     actions = [
		67 |       "kms:ListGrants",
		68 |       "kms:GenerateDataKey",
		69 |       "kms:Encrypt",
		70 |       "kms:DescribeKey",
		71 |       "kms:Decrypt",
		72 |       "kms:CreateGrant",
		73 |       "kms:ReEncryptTo",
		74 |       "kms:ReEncryptFrom",
		75 |       "kms:GenerateDataKeyWithoutPlaintext"
		76 |     ]
		77 |     resources = [var.account_config.kms_keys.general_shared]
		78 |   }
		79 |   statement {
		80 |     sid     = "allowAccessForDataSync"
		81 |     effect  = "Allow"
		82 |     actions = ["s3:*"]
		83 |     resources = [
		84 |       "arn:aws:s3:::*-ldap-data-refresh-incoming",
		85 |       "arn:aws:s3:::*-ldap-data-refresh-incoming/*",
		86 |     ]
		87 |   }
		88 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3_bucket_ldap_data_refresh
	File: /datasync.tf:117-131
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		117 | module "s3_bucket_ldap_data_refresh" {
		118 |   source              = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0"
		119 |   bucket_name         = "${var.env_name}-ldap-data-refresh-incoming"
		120 |   versioning_enabled  = false
		121 |   ownership_controls  = "BucketOwnerEnforced"
		122 |   replication_enabled = false
		123 |   custom_kms_key      = var.account_config.kms_keys.general_shared
		124 |   bucket_policy_v2    = local.ldap_refresh_bucket_policies
		125 | 
		126 |   providers = {
		127 |     aws.bucket-replication = aws.bucket-replication
		128 |   }
		129 | 
		130 |   tags = var.tags
		131 | }
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3_bucket_migration
	File: /s3.tf:1-99
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3_bucket_app_deployment
	File: /s3.tf:102-141
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		102 | module "s3_bucket_app_deployment" {
		103 | 
		104 |   source = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0"
		105 | 
		106 |   bucket_prefix      = "ldap-${var.env_name}-deployment-state"
		107 |   versioning_enabled = true
		108 | 
		109 |   providers = {
		110 |     aws.bucket-replication = aws.bucket-replication
		111 |   }
		112 | 
		113 |   lifecycle_rule = [
		114 |     {
		115 |       id      = "main"
		116 |       enabled = "Enabled"
		117 |       prefix  = ""
		118 | 
		119 |       tags = {
		120 |         rule      = "log"
		121 |         autoclean = "true"
		122 |       }
		123 | 
		124 |       noncurrent_version_transition = [
		125 |         {
		126 |           days          = 90
		127 |           storage_class = "STANDARD_IA"
		128 |           }, {
		129 |           days          = 365
		130 |           storage_class = "GLACIER"
		131 |         }
		132 |       ]
		133 | 
		134 |       noncurrent_version_expiration = {
		135 |         days = 730
		136 |       }
		137 |     }
		138 |   ]
		139 | 
		140 |   tags = var.tags
		141 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_ldap_host
	File: /secrets.tf:5-15
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		5  | resource "aws_ssm_parameter" "delius_core_ldap_host" {
		6  |   name  = format("/%s-%s/LDAP_HOST", var.account_info.application_name, var.env_name)
		7  |   type  = "SecureString"
		8  |   value = "INITIAL_VALUE_OVERRIDDEN"
		9  |   lifecycle {
		10 |     ignore_changes = [
		11 |       value
		12 |     ]
		13 |   }
		14 |   tags = var.tags
		15 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_ldap_principal
	File: /secrets.tf:21-31
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		21 | resource "aws_ssm_parameter" "delius_core_ldap_principal" {
		22 |   name  = format("/%s-%s/LDAP_PRINCIPAL", var.account_info.application_name, var.env_name)
		23 |   type  = "SecureString"
		24 |   value = "INITIAL_VALUE_OVERRIDDEN"
		25 |   lifecycle {
		26 |     ignore_changes = [
		27 |       value
		28 |     ]
		29 |   }
		30 |   tags = var.tags
		31 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_ldap_seed_uri
	File: /secrets.tf:37-47
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		37 | resource "aws_ssm_parameter" "delius_core_ldap_seed_uri" {
		38 |   name  = format("/%s-%s/LDAP_SEED_URI", var.account_info.application_name, var.env_name)
		39 |   type  = "SecureString"
		40 |   value = "INITIAL_VALUE_OVERRIDDEN"
		41 |   lifecycle {
		42 |     ignore_changes = [
		43 |       value
		44 |     ]
		45 |   }
		46 |   tags = var.tags
		47 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_ldap_bind_password
	File: /secrets.tf:53-63
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		53 | resource "aws_ssm_parameter" "delius_core_ldap_bind_password" {
		54 |   name  = format("/%s-%s/LDAP_BIND_PASSWORD", var.account_info.application_name, var.env_name)
		55 |   type  = "SecureString"
		56 |   value = "INITIAL_VALUE_OVERRIDDEN"
		57 |   lifecycle {
		58 |     ignore_changes = [
		59 |       value
		60 |     ]
		61 |   }
		62 |   tags = var.tags
		63 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_ldap_rbac_version
	File: /secrets.tf:82-92
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		82 | resource "aws_ssm_parameter" "delius_core_ldap_rbac_version" {
		83 |   name  = format("/%s-%s/LDAP_RBAC_VERSION", var.account_info.application_name, var.env_name)
		84 |   type  = "SecureString"
		85 |   value = "INITIAL_VALUE_OVERRIDDEN"
		86 |   lifecycle {
		87 |     ignore_changes = [
		88 |       value
		89 |     ]
		90 |   }
		91 |   tags = var.tags
		92 | }
Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group_rule.efs_ingress_ldap
	File: /sg.tf:65-72
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		65 | resource "aws_security_group_rule" "efs_ingress_ldap" {
		66 |   type                     = "ingress"
		67 |   from_port                = 2049
		68 |   to_port                  = 2049
		69 |   protocol                 = "tcp"
		70 |   source_security_group_id = module.efs.sg_id
		71 |   security_group_id        = aws_security_group.ldap.id
		72 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.ldap_ecs_policies.aws_iam_policy_document.task_exec
	File: /../../helpers/ecs_policies/main.tf:104-122
	Calling File: /ldap_policies.tf:1-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		104 | data "aws_iam_policy_document" "task_exec" {
		105 |   statement {
		106 |     effect    = "Allow"
		107 |     resources = ["*"]
		108 | 
		109 |     actions = concat([
		110 |       "ssm:GetParameters",
		111 |       "ecr:GetAuthorizationToken",
		112 |       "ecr:BatchCheckLayerAvailability",
		113 |       "ecr:GetDownloadUrlForLayer",
		114 |       "ecr:BatchGetImage",
		115 |       "logs:CreateLogGroup",
		116 |       "logs:CreateLogStream",
		117 |       "logs:PutLogEvents",
		118 |       "secretsmanager:GetSecretValue",
		119 |       "kms:Decrypt",
		120 |     ], var.extra_exec_role_allow_statements)
		121 |   }
		122 | }

Check: CKV_AWS_108: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: module.ldap_ecs_policies.aws_iam_policy_document.task_exec
	File: /../../helpers/ecs_policies/main.tf:104-122
	Calling File: /ldap_policies.tf:1-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-data-exfiltration

		104 | data "aws_iam_policy_document" "task_exec" {
		105 |   statement {
		106 |     effect    = "Allow"
		107 |     resources = ["*"]
		108 | 
		109 |     actions = concat([
		110 |       "ssm:GetParameters",
		111 |       "ecr:GetAuthorizationToken",
		112 |       "ecr:BatchCheckLayerAvailability",
		113 |       "ecr:GetDownloadUrlForLayer",
		114 |       "ecr:BatchGetImage",
		115 |       "logs:CreateLogGroup",
		116 |       "logs:CreateLogStream",
		117 |       "logs:PutLogEvents",
		118 |       "secretsmanager:GetSecretValue",
		119 |       "kms:Decrypt",
		120 |     ], var.extra_exec_role_allow_statements)
		121 |   }
		122 | }

Check: CKV_AWS_329: "EFS access points should enforce a root directory"
	FAILED for resource: module.efs.aws_efs_access_point.ldap
	File: /../../helpers/efs/main.tf:26-37
	Calling File: /efs.tf:1-17
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-329

		26 | resource "aws_efs_access_point" "ldap" {
		27 |   file_system_id = aws_efs_file_system.this.id
		28 |   root_directory {
		29 |     path = "/"
		30 |   }
		31 |   tags = merge(
		32 |     var.tags,
		33 |     {
		34 |       Name = "${var.env_name}-${var.name}-efs-access-point"
		35 |     }
		36 |   )
		37 | }

Check: CKV_AWS_330: "EFS access points should enforce a user identity"
	FAILED for resource: module.efs.aws_efs_access_point.ldap
	File: /../../helpers/efs/main.tf:26-37
	Calling File: /efs.tf:1-17
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-330

		26 | resource "aws_efs_access_point" "ldap" {
		27 |   file_system_id = aws_efs_file_system.this.id
		28 |   root_directory {
		29 |     path = "/"
		30 |   }
		31 |   tags = merge(
		32 |     var.tags,
		33 |     {
		34 |       Name = "${var.env_name}-${var.name}-efs-access-point"
		35 |     }
		36 |   )
		37 | }

Check: CKV_AWS_152: "Ensure that Load Balancer (Network/Gateway) has cross-zone load balancing enabled"
	FAILED for resource: module.nlb.aws_lb.this
	File: /../../helpers/nlb/main.tf:1-12
	Calling File: /nlb.tf:1-23
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-load-balancer-networkgateway-has-cross-zone-load-balancing-enabled

		1  | resource "aws_lb" "this" {
		2  |   name                       = "${var.app_name}-${var.env_name}-nlb"
		3  |   internal                   = var.internal
		4  |   load_balancer_type         = var.load_balancer_type
		5  |   subnets                    = var.subnet_ids
		6  |   drop_invalid_header_fields = var.drop_invalid_header_fields
		7  |   enable_deletion_protection = var.enable_deletion_protection
		8  | 
		9  | 
		10 | 
		11 |   tags = var.tags
		12 | }

Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
	FAILED for resource: module.nlb.aws_lb.this
	File: /../../helpers/nlb/main.tf:1-12
	Calling File: /nlb.tf:1-23
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22

		1  | resource "aws_lb" "this" {
		2  |   name                       = "${var.app_name}-${var.env_name}-nlb"
		3  |   internal                   = var.internal
		4  |   load_balancer_type         = var.load_balancer_type
		5  |   subnets                    = var.subnet_ids
		6  |   drop_invalid_header_fields = var.drop_invalid_header_fields
		7  |   enable_deletion_protection = var.enable_deletion_protection
		8  | 
		9  | 
		10 | 
		11 |   tags = var.tags
		12 | }

Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
	FAILED for resource: module.nlb.aws_lb.this
	File: /../../helpers/nlb/main.tf:1-12
	Calling File: /nlb.tf:1-23
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-150

		1  | resource "aws_lb" "this" {
		2  |   name                       = "${var.app_name}-${var.env_name}-nlb"
		3  |   internal                   = var.internal
		4  |   load_balancer_type         = var.load_balancer_type
		5  |   subnets                    = var.subnet_ids
		6  |   drop_invalid_header_fields = var.drop_invalid_header_fields
		7  |   enable_deletion_protection = var.enable_deletion_protection
		8  | 
		9  | 
		10 | 
		11 |   tags = var.tags
		12 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: module.ldap_admin_password.aws_secretsmanager_secret.this
	File: /../../helpers/secret/main.tf:1-6
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		1 | resource "aws_secretsmanager_secret" "this" {
		2 |   name        = var.name
		3 |   description = var.description
		4 |   kms_key_id  = var.kms_key_id
		5 |   tags        = var.tags
		6 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.ldap
	File: /sg.tf:1-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		1 | resource "aws_security_group" "ldap" {
		2 |   name        = "${var.env_name}-ldap-sg"
		3 |   description = "Security group for the ${var.env_name} ldap service"
		4 |   vpc_id      = var.account_info.vpc_id
		5 |   tags        = var.tags
		6 |   lifecycle {
		7 |     create_before_destroy = true
		8 |   }
		9 | }

Check: CKV_AWS_103: "Ensure that load balancer is using at least TLS 1.2"
	FAILED for resource: module.nlb.aws_lb_listener.ldaps
	File: /../../helpers/nlb/main.tf:32-50
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-43

		32 | resource "aws_lb_listener" "ldaps" {
		33 |   load_balancer_arn = aws_lb.this.arn
		34 |   port              = var.secure_port
		35 |   protocol          = "TLS"
		36 | 
		37 |   default_action {
		38 |     type             = "forward"
		39 |     target_group_arn = aws_lb_target_group.this.arn
		40 |   }
		41 | 
		42 |   certificate_arn = var.certificate_arn
		43 | 
		44 |   tags = merge(
		45 |     var.tags,
		46 |     {
		47 |       Name = var.app_name
		48 |     }
		49 |   )
		50 | }


checkov_exitcode=1

CTFLint Scan Failed

Show Output
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
terraform/environments/delius-core/modules/components/ldap

*****************************

Running tflint in terraform/environments/delius-core/modules/components/ldap
Excluding the following checks: terraform_unused_declarations
1 issue(s) found:

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/delius-core/modules/components/ldap/datasync.tf line 97:
  97:         "${module.s3_bucket_ldap_data_refresh.bucket.arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

tflint_exitcode=2

Trivy Scan Failed

Show Output
*****************************

Trivy will check the following folders:
terraform/environments/delius-core/modules/components/ldap

*****************************

Running Trivy in terraform/environments/delius-core/modules/components/ldap
2024-08-19T14:35:03Z	INFO	[db] Need to update DB
2024-08-19T14:35:03Z	INFO	[db] Downloading DB...	repository="ghcr.io/aquasecurity/trivy-db:2"
2024-08-19T14:35:05Z	INFO	[vuln] Vulnerability scanning is enabled
2024-08-19T14:35:05Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-08-19T14:35:05Z	INFO	Need to update the built-in policies
2024-08-19T14:35:05Z	INFO	Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s
2024-08-19T14:35:05Z	INFO	[secret] Secret scanning is enabled
2024-08-19T14:35:05Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-08-19T14:35:05Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.54/docs/scanner/secret#recommendation for faster secret detection
2024-08-19T14:35:06Z	INFO	Number of language-specific files	num=0
2024-08-19T14:35:06Z	INFO	Detected config files	num=10

sg.tf (terraform)
=================
Tests: 10 (SUCCESSES: 9, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 sg.tf:17
   via sg.tf:11-19 (aws_security_group_rule.allow_all_egress)
────────────────────────────────────────
  11   resource "aws_security_group_rule" "allow_all_egress" {
  12     description       = "Allow all outbound traffic to any IPv4 address"
  13     type              = "egress"
  14     from_port         = 0
  15     to_port           = 0
  16     protocol          = "-1"
  17 [   cidr_blocks       = ["0.0.0.0/0"]
  18     security_group_id = aws_security_group.ldap.id
  19   }
────────────────────────────────────────


trivy_exitcode=1

@georgepstaylor georgepstaylor force-pushed the NIT-1426-delius-microservices-review branch from 07f2245 to d2b186a August 19, 2024 14:57
@georgepstaylor georgepstaylor force-pushed the NIT-1426-delius-microservices-review branch from d2b186a to 8b06a20 August 19, 2024 14:58

Trivy Scan Failed

Show Output

Trivy will check the following folders:
terraform/environments/delius-core/modules/components/ldap


Running Trivy in terraform/environments/delius-core/modules/components/ldap
2024-08-19T14:58:52Z	INFO	[db] Need to update DB
2024-08-19T14:58:52Z	INFO	[db] Downloading DB...	repository="ghcr.io/aquasecurity/trivy-db:2"
2024-08-19T14:58:54Z	INFO	[vuln] Vulnerability scanning is enabled
2024-08-19T14:58:54Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-08-19T14:58:54Z	INFO	Need to update the built-in policies
2024-08-19T14:58:54Z	INFO	Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s
2024-08-19T14:58:55Z	INFO	[secret] Secret scanning is enabled
2024-08-19T14:58:55Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-08-19T14:58:55Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.54/docs/scanner/secret#recommendation for faster secret detection
2024-08-19T14:58:56Z	INFO	Number of language-specific files	num=0
2024-08-19T14:58:56Z	INFO	Detected config files	num=10

sg.tf (terraform)
=================
Tests: 10 (SUCCESSES: 9, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 sg.tf:17
   via sg.tf:11-19 (aws_security_group_rule.allow_all_egress)
────────────────────────────────────────
  11   resource "aws_security_group_rule" "allow_all_egress" {
  12     description       = "Allow all outbound traffic to any IPv4 address"
  13     type              = "egress"
  14     from_port         = 0
  15     to_port           = 0
  16     protocol          = "-1"
  17 [   cidr_blocks       = ["0.0.0.0/0"]
  18     security_group_id = aws_security_group.ldap.id
  19   }
────────────────────────────────────────

trivy_exitcode=1

Checkov Scan Failed

Show Output
*****************************

Checkov will check the following folders:
terraform/environments/delius-core/modules/components/ldap

*****************************

Running Checkov in terraform/environments/delius-core/modules/components/ldap
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-08-19 14:58:58,995 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 247, Failed checks: 32, Skipped checks: 0

Check: CKV_AWS_166: "Ensure Backup Vault is encrypted at rest using KMS CMK"
	FAILED for resource: aws_backup_vault.ldap_backup_vault
	File: /backup.tf:1-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-backup-vault-is-encrypted-at-rest-using-kms-cmk

		1 | resource "aws_backup_vault" "ldap_backup_vault" {
		2 |   name = "${var.env_name}-ldap-efs-vault"
		3 |   tags = merge(
		4 |     var.tags,
		5 |     {
		6 |       Name = "${var.env_name}-ldap-efs-vault"
		7 |     },
		8 |   )
		9 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.delius_core_backup_policy
	File: /backup.tf:69-89
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		69 | data "aws_iam_policy_document" "delius_core_backup_policy" {
		70 |   statement {
		71 |     effect    = "Allow"
		72 |     resources = ["*"]
		73 | 
		74 |     actions = [
		75 |       "backup:CreateBackupPlan",
		76 |       "backup:CreateBackupSelection",
		77 |       "backup:StartBackupJob",
		78 |       "backup:DescribeBackupJob",
		79 |       "backup:ListBackupJobs",
		80 |       "backup:ListBackupVaults",
		81 |       "backup:ListRecoveryPointsByBackupVault",
		82 |       "backup:ListBackupPlanTemplates",
		83 |       "backup:DescribeRestoreJob",
		84 |       "backup:GetRecoveryPointRestoreMetadata",
		85 |       "backup:ListRestoreJobs",
		86 |       "backup:StartRestoreJob"
		87 |     ]
		88 |   }
		89 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.delius_core_backup_policy
	File: /backup.tf:69-89
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		69 | data "aws_iam_policy_document" "delius_core_backup_policy" {
		70 |   statement {
		71 |     effect    = "Allow"
		72 |     resources = ["*"]
		73 | 
		74 |     actions = [
		75 |       "backup:CreateBackupPlan",
		76 |       "backup:CreateBackupSelection",
		77 |       "backup:StartBackupJob",
		78 |       "backup:DescribeBackupJob",
		79 |       "backup:ListBackupJobs",
		80 |       "backup:ListBackupVaults",
		81 |       "backup:ListRecoveryPointsByBackupVault",
		82 |       "backup:ListBackupPlanTemplates",
		83 |       "backup:DescribeRestoreJob",
		84 |       "backup:GetRecoveryPointRestoreMetadata",
		85 |       "backup:ListRestoreJobs",
		86 |       "backup:StartRestoreJob"
		87 |     ]
		88 |   }
		89 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.efs_backup_policy
	File: /backup.tf:97-134
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		97  | data "aws_iam_policy_document" "efs_backup_policy" {
		98  |   statement {
		99  |     effect    = "Allow"
		100 |     resources = ["*"]
		101 | 
		102 |     actions = [
		103 |       "efs:DescribeFileSystems",
		104 |       "efs:CreateBackup",
		105 |       "efs:DeleteBackup",
		106 |       "efs:DescribeBackups",
		107 |       "efs:CreateTags",
		108 |       "efs:UntagResource",
		109 |       "efs:TagResource",
		110 |       "efs:DescribeTags",
		111 |       "elasticfilesystem:Backup",
		112 |       "elasticfilesystem:DescribeTags",
		113 |       "elasticfilesystem:CreateAccessPoint",
		114 |       "elasticfilesystem:CreateFileSystem",
		115 |       "elasticfilesystem:CreateMountTarget",
		116 |       "elasticfilesystem:DeleteAccessPoint",
		117 |       "elasticfilesystem:DeleteFileSystem",
		118 |       "elasticfilesystem:DeleteMountTarget",
		119 |       "elasticfilesystem:DescribeAccessPoints",
		120 |       "elasticfilesystem:DescribeFileSystemPolicy",
		121 |       "elasticfilesystem:DescribeFileSystems",
		122 |       "elasticfilesystem:DescribeLifecycleConfiguration",
		123 |       "elasticfilesystem:DescribeMountTargets",
		124 |       "elasticfilesystem:DescribeMountTargetSecurityGroups",
		125 |       "elasticfilesystem:PutBackupPolicy",
		126 |       "elasticfilesystem:PutFileSystemPolicy",
		127 |       "elasticfilesystem:PutLifecycleConfiguration",
		128 |       "elasticfilesystem:Restore",
		129 |       "elasticfilesystem:TagResource",
		130 |       "elasticfilesystem:UntagResource",
		131 |       "elasticfilesystem:UpdateFileSystem"
		132 |     ]
		133 |   }
		134 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.efs_backup_policy
	File: /backup.tf:97-134
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		97  | data "aws_iam_policy_document" "efs_backup_policy" {
		98  |   statement {
		99  |     effect    = "Allow"
		100 |     resources = ["*"]
		101 | 
		102 |     actions = [
		103 |       "efs:DescribeFileSystems",
		104 |       "efs:CreateBackup",
		105 |       "efs:DeleteBackup",
		106 |       "efs:DescribeBackups",
		107 |       "efs:CreateTags",
		108 |       "efs:UntagResource",
		109 |       "efs:TagResource",
		110 |       "efs:DescribeTags",
		111 |       "elasticfilesystem:Backup",
		112 |       "elasticfilesystem:DescribeTags",
		113 |       "elasticfilesystem:CreateAccessPoint",
		114 |       "elasticfilesystem:CreateFileSystem",
		115 |       "elasticfilesystem:CreateMountTarget",
		116 |       "elasticfilesystem:DeleteAccessPoint",
		117 |       "elasticfilesystem:DeleteFileSystem",
		118 |       "elasticfilesystem:DeleteMountTarget",
		119 |       "elasticfilesystem:DescribeAccessPoints",
		120 |       "elasticfilesystem:DescribeFileSystemPolicy",
		121 |       "elasticfilesystem:DescribeFileSystems",
		122 |       "elasticfilesystem:DescribeLifecycleConfiguration",
		123 |       "elasticfilesystem:DescribeMountTargets",
		124 |       "elasticfilesystem:DescribeMountTargetSecurityGroups",
		125 |       "elasticfilesystem:PutBackupPolicy",
		126 |       "elasticfilesystem:PutFileSystemPolicy",
		127 |       "elasticfilesystem:PutLifecycleConfiguration",
		128 |       "elasticfilesystem:Restore",
		129 |       "elasticfilesystem:TagResource",
		130 |       "elasticfilesystem:UntagResource",
		131 |       "elasticfilesystem:UpdateFileSystem"
		132 |     ]
		133 |   }
		134 | }

Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy_document.efs_backup_policy
	File: /backup.tf:97-134
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint

		97  | data "aws_iam_policy_document" "efs_backup_policy" {
		98  |   statement {
		99  |     effect    = "Allow"
		100 |     resources = ["*"]
		101 | 
		102 |     actions = [
		103 |       "efs:DescribeFileSystems",
		104 |       "efs:CreateBackup",
		105 |       "efs:DeleteBackup",
		106 |       "efs:DescribeBackups",
		107 |       "efs:CreateTags",
		108 |       "efs:UntagResource",
		109 |       "efs:TagResource",
		110 |       "efs:DescribeTags",
		111 |       "elasticfilesystem:Backup",
		112 |       "elasticfilesystem:DescribeTags",
		113 |       "elasticfilesystem:CreateAccessPoint",
		114 |       "elasticfilesystem:CreateFileSystem",
		115 |       "elasticfilesystem:CreateMountTarget",
		116 |       "elasticfilesystem:DeleteAccessPoint",
		117 |       "elasticfilesystem:DeleteFileSystem",
		118 |       "elasticfilesystem:DeleteMountTarget",
		119 |       "elasticfilesystem:DescribeAccessPoints",
		120 |       "elasticfilesystem:DescribeFileSystemPolicy",
		121 |       "elasticfilesystem:DescribeFileSystems",
		122 |       "elasticfilesystem:DescribeLifecycleConfiguration",
		123 |       "elasticfilesystem:DescribeMountTargets",
		124 |       "elasticfilesystem:DescribeMountTargetSecurityGroups",
		125 |       "elasticfilesystem:PutBackupPolicy",
		126 |       "elasticfilesystem:PutFileSystemPolicy",
		127 |       "elasticfilesystem:PutLifecycleConfiguration",
		128 |       "elasticfilesystem:Restore",
		129 |       "elasticfilesystem:TagResource",
		130 |       "elasticfilesystem:UntagResource",
		131 |       "elasticfilesystem:UpdateFileSystem"
		132 |     ]
		133 |   }
		134 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.ldap_ecs
	File: /cloudwatch.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		1 | resource "aws_cloudwatch_log_group" "ldap_ecs" {
		2 |   name              = "/ecs/ldap-${var.env_name}"
		3 |   retention_in_days = 5
		4 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.ldap_ecs
	File: /cloudwatch.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		1 | resource "aws_cloudwatch_log_group" "ldap_ecs" {
		2 |   name              = "/ecs/ldap-${var.env_name}"
		3 |   retention_in_days = 5
		4 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.ldap_automation
	File: /cloudwatch.tf:6-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		6 | resource "aws_cloudwatch_log_group" "ldap_automation" {
		7 |   name              = "/ecs/ldap-automation-${var.env_name}"
		8 |   retention_in_days = 5
		9 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.ldap_automation
	File: /cloudwatch.tf:6-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		6 | resource "aws_cloudwatch_log_group" "ldap_automation" {
		7 |   name              = "/ecs/ldap-automation-${var.env_name}"
		8 |   retention_in_days = 5
		9 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3_bucket_ldap_data_refresh
	File: /datasync.tf:117-131
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		117 | module "s3_bucket_ldap_data_refresh" {
		118 |   source              = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0"
		119 |   bucket_name         = "${var.env_name}-ldap-data-refresh-incoming"
		120 |   versioning_enabled  = false
		121 |   ownership_controls  = "BucketOwnerEnforced"
		122 |   replication_enabled = false
		123 |   custom_kms_key      = var.account_config.kms_keys.general_shared
		124 |   bucket_policy_v2    = local.ldap_refresh_bucket_policies
		125 | 
		126 |   providers = {
		127 |     aws.bucket-replication = aws.bucket-replication
		128 |   }
		129 | 
		130 |   tags = var.tags
		131 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.ldap_datasync_role_access
	File: /datasync.tf:49-88
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		49 | data "aws_iam_policy_document" "ldap_datasync_role_access" {
		50 |   statement {
		51 |     effect = "Allow"
		52 |     actions = [
		53 |       "backup:*",
		54 |       "datasync:*",
		55 |       "elasticfilesystem:*",
		56 |       "ec2:DescribeInstances",
		57 |       "ec2:CreateNetworkInterface",
		58 |       "ec2:AttachNetworkInterface",
		59 |       "ec2:DescribeNetworkInterfaces",
		60 |       "ec2:DeleteNetworkInterface"
		61 |     ]
		62 |     resources = ["*"]
		63 |   }
		64 |   statement {
		65 |     effect = "Allow"
		66 |     actions = [
		67 |       "kms:ListGrants",
		68 |       "kms:GenerateDataKey",
		69 |       "kms:Encrypt",
		70 |       "kms:DescribeKey",
		71 |       "kms:Decrypt",
		72 |       "kms:CreateGrant",
		73 |       "kms:ReEncryptTo",
		74 |       "kms:ReEncryptFrom",
		75 |       "kms:GenerateDataKeyWithoutPlaintext"
		76 |     ]
		77 |     resources = [var.account_config.kms_keys.general_shared]
		78 |   }
		79 |   statement {
		80 |     sid     = "allowAccessForDataSync"
		81 |     effect  = "Allow"
		82 |     actions = ["s3:*"]
		83 |     resources = [
		84 |       "arn:aws:s3:::*-ldap-data-refresh-incoming",
		85 |       "arn:aws:s3:::*-ldap-data-refresh-incoming/*",
		86 |     ]
		87 |   }
		88 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.ldap_datasync_role_access
	File: /datasync.tf:49-88
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		49 | data "aws_iam_policy_document" "ldap_datasync_role_access" {
		50 |   statement {
		51 |     effect = "Allow"
		52 |     actions = [
		53 |       "backup:*",
		54 |       "datasync:*",
		55 |       "elasticfilesystem:*",
		56 |       "ec2:DescribeInstances",
		57 |       "ec2:CreateNetworkInterface",
		58 |       "ec2:AttachNetworkInterface",
		59 |       "ec2:DescribeNetworkInterfaces",
		60 |       "ec2:DeleteNetworkInterface"
		61 |     ]
		62 |     resources = ["*"]
		63 |   }
		64 |   statement {
		65 |     effect = "Allow"
		66 |     actions = [
		67 |       "kms:ListGrants",
		68 |       "kms:GenerateDataKey",
		69 |       "kms:Encrypt",
		70 |       "kms:DescribeKey",
		71 |       "kms:Decrypt",
		72 |       "kms:CreateGrant",
		73 |       "kms:ReEncryptTo",
		74 |       "kms:ReEncryptFrom",
		75 |       "kms:GenerateDataKeyWithoutPlaintext"
		76 |     ]
		77 |     resources = [var.account_config.kms_keys.general_shared]
		78 |   }
		79 |   statement {
		80 |     sid     = "allowAccessForDataSync"
		81 |     effect  = "Allow"
		82 |     actions = ["s3:*"]
		83 |     resources = [
		84 |       "arn:aws:s3:::*-ldap-data-refresh-incoming",
		85 |       "arn:aws:s3:::*-ldap-data-refresh-incoming/*",
		86 |     ]
		87 |   }
		88 | }

Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy_document.ldap_datasync_role_access
	File: /datasync.tf:49-88
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint

		49 | data "aws_iam_policy_document" "ldap_datasync_role_access" {
		50 |   statement {
		51 |     effect = "Allow"
		52 |     actions = [
		53 |       "backup:*",
		54 |       "datasync:*",
		55 |       "elasticfilesystem:*",
		56 |       "ec2:DescribeInstances",
		57 |       "ec2:CreateNetworkInterface",
		58 |       "ec2:AttachNetworkInterface",
		59 |       "ec2:DescribeNetworkInterfaces",
		60 |       "ec2:DeleteNetworkInterface"
		61 |     ]
		62 |     resources = ["*"]
		63 |   }
		64 |   statement {
		65 |     effect = "Allow"
		66 |     actions = [
		67 |       "kms:ListGrants",
		68 |       "kms:GenerateDataKey",
		69 |       "kms:Encrypt",
		70 |       "kms:DescribeKey",
		71 |       "kms:Decrypt",
		72 |       "kms:CreateGrant",
		73 |       "kms:ReEncryptTo",
		74 |       "kms:ReEncryptFrom",
		75 |       "kms:GenerateDataKeyWithoutPlaintext"
		76 |     ]
		77 |     resources = [var.account_config.kms_keys.general_shared]
		78 |   }
		79 |   statement {
		80 |     sid     = "allowAccessForDataSync"
		81 |     effect  = "Allow"
		82 |     actions = ["s3:*"]
		83 |     resources = [
		84 |       "arn:aws:s3:::*-ldap-data-refresh-incoming",
		85 |       "arn:aws:s3:::*-ldap-data-refresh-incoming/*",
		86 |     ]
		87 |   }
		88 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3_bucket_migration
	File: /s3.tf:1-99
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		Code lines for this resource are too many. Please use IDE of your choice to review the file.

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3_bucket_app_deployment
	File: /s3.tf:102-141
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		102 | module "s3_bucket_app_deployment" {
		103 | 
		104 |   source = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0"
		105 | 
		106 |   bucket_prefix      = "ldap-${var.env_name}-deployment-state"
		107 |   versioning_enabled = true
		108 | 
		109 |   providers = {
		110 |     aws.bucket-replication = aws.bucket-replication
		111 |   }
		112 | 
		113 |   lifecycle_rule = [
		114 |     {
		115 |       id      = "main"
		116 |       enabled = "Enabled"
		117 |       prefix  = ""
		118 | 
		119 |       tags = {
		120 |         rule      = "log"
		121 |         autoclean = "true"
		122 |       }
		123 | 
		124 |       noncurrent_version_transition = [
		125 |         {
		126 |           days          = 90
		127 |           storage_class = "STANDARD_IA"
		128 |           }, {
		129 |           days          = 365
		130 |           storage_class = "GLACIER"
		131 |         }
		132 |       ]
		133 | 
		134 |       noncurrent_version_expiration = {
		135 |         days = 730
		136 |       }
		137 |     }
		138 |   ]
		139 | 
		140 |   tags = var.tags
		141 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_ldap_host
	File: /secrets.tf:5-15
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		5  | resource "aws_ssm_parameter" "delius_core_ldap_host" {
		6  |   name  = format("/%s-%s/LDAP_HOST", var.account_info.application_name, var.env_name)
		7  |   type  = "SecureString"
		8  |   value = "INITIAL_VALUE_OVERRIDDEN"
		9  |   lifecycle {
		10 |     ignore_changes = [
		11 |       value
		12 |     ]
		13 |   }
		14 |   tags = var.tags
		15 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_ldap_principal
	File: /secrets.tf:21-31
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		21 | resource "aws_ssm_parameter" "delius_core_ldap_principal" {
		22 |   name  = format("/%s-%s/LDAP_PRINCIPAL", var.account_info.application_name, var.env_name)
		23 |   type  = "SecureString"
		24 |   value = "INITIAL_VALUE_OVERRIDDEN"
		25 |   lifecycle {
		26 |     ignore_changes = [
		27 |       value
		28 |     ]
		29 |   }
		30 |   tags = var.tags
		31 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_ldap_seed_uri
	File: /secrets.tf:37-47
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		37 | resource "aws_ssm_parameter" "delius_core_ldap_seed_uri" {
		38 |   name  = format("/%s-%s/LDAP_SEED_URI", var.account_info.application_name, var.env_name)
		39 |   type  = "SecureString"
		40 |   value = "INITIAL_VALUE_OVERRIDDEN"
		41 |   lifecycle {
		42 |     ignore_changes = [
		43 |       value
		44 |     ]
		45 |   }
		46 |   tags = var.tags
		47 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_ldap_bind_password
	File: /secrets.tf:53-63
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		53 | resource "aws_ssm_parameter" "delius_core_ldap_bind_password" {
		54 |   name  = format("/%s-%s/LDAP_BIND_PASSWORD", var.account_info.application_name, var.env_name)
		55 |   type  = "SecureString"
		56 |   value = "INITIAL_VALUE_OVERRIDDEN"
		57 |   lifecycle {
		58 |     ignore_changes = [
		59 |       value
		60 |     ]
		61 |   }
		62 |   tags = var.tags
		63 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_ldap_rbac_version
	File: /secrets.tf:82-92
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		82 | resource "aws_ssm_parameter" "delius_core_ldap_rbac_version" {
		83 |   name  = format("/%s-%s/LDAP_RBAC_VERSION", var.account_info.application_name, var.env_name)
		84 |   type  = "SecureString"
		85 |   value = "INITIAL_VALUE_OVERRIDDEN"
		86 |   lifecycle {
		87 |     ignore_changes = [
		88 |       value
		89 |     ]
		90 |   }
		91 |   tags = var.tags
		92 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group_rule.efs_ingress_ldap
	File: /sg.tf:65-72
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		65 | resource "aws_security_group_rule" "efs_ingress_ldap" {
		66 |   type                     = "ingress"
		67 |   from_port                = 2049
		68 |   to_port                  = 2049
		69 |   protocol                 = "tcp"
		70 |   source_security_group_id = module.efs.sg_id
		71 |   security_group_id        = aws_security_group.ldap.id
		72 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.ldap_ecs_policies.aws_iam_policy_document.task_exec
	File: /../../helpers/ecs_policies/main.tf:104-122
	Calling File: /ldap_policies.tf:1-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		104 | data "aws_iam_policy_document" "task_exec" {
		105 |   statement {
		106 |     effect    = "Allow"
		107 |     resources = ["*"]
		108 | 
		109 |     actions = concat([
		110 |       "ssm:GetParameters",
		111 |       "ecr:GetAuthorizationToken",
		112 |       "ecr:BatchCheckLayerAvailability",
		113 |       "ecr:GetDownloadUrlForLayer",
		114 |       "ecr:BatchGetImage",
		115 |       "logs:CreateLogGroup",
		116 |       "logs:CreateLogStream",
		117 |       "logs:PutLogEvents",
		118 |       "secretsmanager:GetSecretValue",
		119 |       "kms:Decrypt",
		120 |     ], var.extra_exec_role_allow_statements)
		121 |   }
		122 | }

Check: CKV_AWS_108: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: module.ldap_ecs_policies.aws_iam_policy_document.task_exec
	File: /../../helpers/ecs_policies/main.tf:104-122
	Calling File: /ldap_policies.tf:1-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-data-exfiltration

		104 | data "aws_iam_policy_document" "task_exec" {
		105 |   statement {
		106 |     effect    = "Allow"
		107 |     resources = ["*"]
		108 | 
		109 |     actions = concat([
		110 |       "ssm:GetParameters",
		111 |       "ecr:GetAuthorizationToken",
		112 |       "ecr:BatchCheckLayerAvailability",
		113 |       "ecr:GetDownloadUrlForLayer",
		114 |       "ecr:BatchGetImage",
		115 |       "logs:CreateLogGroup",
		116 |       "logs:CreateLogStream",
		117 |       "logs:PutLogEvents",
		118 |       "secretsmanager:GetSecretValue",
		119 |       "kms:Decrypt",
		120 |     ], var.extra_exec_role_allow_statements)
		121 |   }
		122 | }

Check: CKV_AWS_329: "EFS access points should enforce a root directory"
	FAILED for resource: module.efs.aws_efs_access_point.ldap
	File: /../../helpers/efs/main.tf:26-37
	Calling File: /efs.tf:1-17
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-329

		26 | resource "aws_efs_access_point" "ldap" {
		27 |   file_system_id = aws_efs_file_system.this.id
		28 |   root_directory {
		29 |     path = "/"
		30 |   }
		31 |   tags = merge(
		32 |     var.tags,
		33 |     {
		34 |       Name = "${var.env_name}-${var.name}-efs-access-point"
		35 |     }
		36 |   )
		37 | }

Check: CKV_AWS_330: "EFS access points should enforce a user identity"
	FAILED for resource: module.efs.aws_efs_access_point.ldap
	File: /../../helpers/efs/main.tf:26-37
	Calling File: /efs.tf:1-17
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-330

		26 | resource "aws_efs_access_point" "ldap" {
		27 |   file_system_id = aws_efs_file_system.this.id
		28 |   root_directory {
		29 |     path = "/"
		30 |   }
		31 |   tags = merge(
		32 |     var.tags,
		33 |     {
		34 |       Name = "${var.env_name}-${var.name}-efs-access-point"
		35 |     }
		36 |   )
		37 | }

Check: CKV_AWS_152: "Ensure that Load Balancer (Network/Gateway) has cross-zone load balancing enabled"
	FAILED for resource: module.nlb.aws_lb.this
	File: /../../helpers/nlb/main.tf:1-12
	Calling File: /nlb.tf:1-23
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-load-balancer-networkgateway-has-cross-zone-load-balancing-enabled

		1  | resource "aws_lb" "this" {
		2  |   name                       = "${var.app_name}-${var.env_name}-nlb"
		3  |   internal                   = var.internal
		4  |   load_balancer_type         = var.load_balancer_type
		5  |   subnets                    = var.subnet_ids
		6  |   drop_invalid_header_fields = var.drop_invalid_header_fields
		7  |   enable_deletion_protection = var.enable_deletion_protection
		8  | 
		9  | 
		10 | 
		11 |   tags = var.tags
		12 | }

Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
	FAILED for resource: module.nlb.aws_lb.this
	File: /../../helpers/nlb/main.tf:1-12
	Calling File: /nlb.tf:1-23
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22

		1  | resource "aws_lb" "this" {
		2  |   name                       = "${var.app_name}-${var.env_name}-nlb"
		3  |   internal                   = var.internal
		4  |   load_balancer_type         = var.load_balancer_type
		5  |   subnets                    = var.subnet_ids
		6  |   drop_invalid_header_fields = var.drop_invalid_header_fields
		7  |   enable_deletion_protection = var.enable_deletion_protection
		8  | 
		9  | 
		10 | 
		11 |   tags = var.tags
		12 | }

Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
	FAILED for resource: module.nlb.aws_lb.this
	File: /../../helpers/nlb/main.tf:1-12
	Calling File: /nlb.tf:1-23
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-150

		1  | resource "aws_lb" "this" {
		2  |   name                       = "${var.app_name}-${var.env_name}-nlb"
		3  |   internal                   = var.internal
		4  |   load_balancer_type         = var.load_balancer_type
		5  |   subnets                    = var.subnet_ids
		6  |   drop_invalid_header_fields = var.drop_invalid_header_fields
		7  |   enable_deletion_protection = var.enable_deletion_protection
		8  | 
		9  | 
		10 | 
		11 |   tags = var.tags
		12 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: module.ldap_admin_password.aws_secretsmanager_secret.this
	File: /../../helpers/secret/main.tf:1-6
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		1 | resource "aws_secretsmanager_secret" "this" {
		2 |   name        = var.name
		3 |   description = var.description
		4 |   kms_key_id  = var.kms_key_id
		5 |   tags        = var.tags
		6 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.ldap
	File: /sg.tf:1-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		1 | resource "aws_security_group" "ldap" {
		2 |   name        = "${var.env_name}-ldap-sg"
		3 |   description = "Security group for the ${var.env_name} ldap service"
		4 |   vpc_id      = var.account_info.vpc_id
		5 |   tags        = var.tags
		6 |   lifecycle {
		7 |     create_before_destroy = true
		8 |   }
		9 | }

Check: CKV_AWS_103: "Ensure that load balancer is using at least TLS 1.2"
	FAILED for resource: module.nlb.aws_lb_listener.ldaps
	File: /../../helpers/nlb/main.tf:32-50
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-43

		32 | resource "aws_lb_listener" "ldaps" {
		33 |   load_balancer_arn = aws_lb.this.arn
		34 |   port              = var.secure_port
		35 |   protocol          = "TLS"
		36 | 
		37 |   default_action {
		38 |     type             = "forward"
		39 |     target_group_arn = aws_lb_target_group.this.arn
		40 |   }
		41 | 
		42 |   certificate_arn = var.certificate_arn
		43 | 
		44 |   tags = merge(
		45 |     var.tags,
		46 |     {
		47 |       Name = var.app_name
		48 |     }
		49 |   )
		50 | }


checkov_exitcode=1

TFLint Scan Failed

Show Output
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
terraform/environments/delius-core/modules/components/ldap

*****************************

Running tflint in terraform/environments/delius-core/modules/components/ldap
Excluding the following checks: terraform_unused_declarations
1 issue(s) found:

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/delius-core/modules/components/ldap/datasync.tf line 97:
  97:         "${module.s3_bucket_ldap_data_refresh.bucket.arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

tflint_exitcode=2

Trivy Scan Failed

Show Output
*****************************

Trivy will check the following folders:
terraform/environments/delius-core/modules/components/ldap

*****************************

Running Trivy in terraform/environments/delius-core/modules/components/ldap
2024-08-19T14:58:52Z	INFO	[db] Need to update DB
2024-08-19T14:58:52Z	INFO	[db] Downloading DB...	repository="ghcr.io/aquasecurity/trivy-db:2"
2024-08-19T14:58:54Z	INFO	[vuln] Vulnerability scanning is enabled
2024-08-19T14:58:54Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-08-19T14:58:54Z	INFO	Need to update the built-in policies
2024-08-19T14:58:54Z	INFO	Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-08-19T14:58:55Z	INFO	[secret] Secret scanning is enabled
2024-08-19T14:58:55Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-08-19T14:58:55Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.54/docs/scanner/secret#recommendation for faster secret detection
2024-08-19T14:58:56Z	INFO	Number of language-specific files	num=0
2024-08-19T14:58:56Z	INFO	Detected config files	num=10

sg.tf (terraform)
=================
Tests: 10 (SUCCESSES: 9, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 sg.tf:17
   via sg.tf:11-19 (aws_security_group_rule.allow_all_egress)
────────────────────────────────────────
  11   resource "aws_security_group_rule" "allow_all_egress" {
  12     description       = "Allow all outbound traffic to any IPv4 address"
  13     type              = "egress"
  14     from_port         = 0
  15     to_port           = 0
  16     protocol          = "-1"
  17 [   cidr_blocks       = ["0.0.0.0/0"]
  18     security_group_id = aws_security_group.ldap.id
  19   }
────────────────────────────────────────


trivy_exitcode=1
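Added example, not code from this PR or from the modernisation-platform repository: one way to clear the Checkov and Trivy findings reported above, written against the resource shapes the scanners quote. The variables the PR does not define (var.vpc_cidr, var.kms_key_arn, var.ecr_repository_arn, var.secret_arns, var.ssm_parameter_arns, var.log_group_arn, var.efs_sg_id, var.ldap_sg_id) are assumptions for the illustration; aws_lb.this, aws_lb_target_group.this, aws_efs_file_system.this, var.secure_port, var.certificate_arn and var.env_name are the names the quoted module code already uses.

```hcl
# Assumed variables (not defined in the PR): var.vpc_cidr, var.kms_key_arn,
# var.ecr_repository_arn, var.secret_arns, var.ssm_parameter_arns,
# var.log_group_arn, var.efs_sg_id, var.ldap_sg_id.

# CKV_AWS_356 / CKV_AWS_108: one statement per resource type. Only
# ecr:GetAuthorizationToken keeps "*", because AWS does not resource-scope it.
# logs:CreateLogGroup is dropped: cloudwatch.tf already creates the group.
data "aws_iam_policy_document" "task_exec" {
  statement {
    sid       = "EcrAuth"
    effect    = "Allow"
    actions   = ["ecr:GetAuthorizationToken"]
    resources = ["*"]
  }
  statement {
    sid       = "EcrPull"
    effect    = "Allow"
    actions   = ["ecr:BatchCheckLayerAvailability", "ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage"]
    resources = [var.ecr_repository_arn]
  }
  statement {
    sid       = "Logs"
    effect    = "Allow"
    actions   = ["logs:CreateLogStream", "logs:PutLogEvents"]
    resources = ["${var.log_group_arn}:*"] # the streams of that one group
  }
  statement {
    sid       = "Secrets"
    effect    = "Allow"
    actions   = ["secretsmanager:GetSecretValue", "ssm:GetParameters"]
    resources = concat(var.secret_arns, var.ssm_parameter_arns)
  }
  statement {
    sid       = "Kms"
    effect    = "Allow"
    actions   = ["kms:Decrypt"]
    resources = [var.kms_key_arn]
  }
}

# avd-aws-0104: replace the 0.0.0.0/0 egress with the two destinations the task uses.
resource "aws_security_group_rule" "egress_https_vpc" {
  description       = "HTTPS to VPC interface endpoints (ECR, SSM, Secrets Manager, Logs)"
  type              = "egress"
  from_port         = 443
  to_port           = 443
  protocol          = "tcp"
  cidr_blocks       = [var.vpc_cidr]
  security_group_id = var.ldap_sg_id
}

resource "aws_security_group_rule" "egress_nfs_efs" {
  description              = "NFS to the EFS mount targets"
  type                     = "egress"
  from_port                = 2049
  to_port                  = 2049
  protocol                 = "tcp"
  source_security_group_id = var.efs_sg_id # on an egress rule this is the destination SG
  security_group_id        = var.ldap_sg_id
}

# CKV_AWS_103: without ssl_policy the listener takes the account default;
# pin a policy that refuses anything below TLS 1.2.
resource "aws_lb_listener" "ldaps" {
  load_balancer_arn = aws_lb.this.arn
  port              = var.secure_port
  protocol          = "TLS"
  ssl_policy        = "ELBSecurityPolicy-TLS13-1-2-2021-06"
  certificate_arn   = var.certificate_arn

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.this.arn
  }
}

# CKV_AWS_329 / CKV_AWS_330: confine the mount to a subdirectory and a fixed
# POSIX identity so the container never acts as root on the whole file system.
resource "aws_efs_access_point" "ldap" {
  file_system_id = aws_efs_file_system.this.id

  posix_user {
    uid = 1000
    gid = 1000
  }

  root_directory {
    path = "/ldap"
    creation_info {
      owner_uid   = 1000
      owner_gid   = 1000
      permissions = "0750"
    }
  }
}

# CKV_AWS_158 / CKV_AWS_338: CMK encryption and one-year retention.
resource "aws_cloudwatch_log_group" "ldap_ecs" {
  name              = "/ecs/ldap-${var.env_name}"
  retention_in_days = 365
  kms_key_id        = var.kms_key_arn
}
```

Two things have to be true outside this file for it to work: the KMS key policy must allow the logs service principal for the region (otherwise the log group creation is rejected), and uid/gid 1000 must be the identity the LDAP container actually runs as (otherwise the mount succeeds but writes fail). The same key_id argument on the SecureString parameters in secrets.tf clears CKV_AWS_337. Re-run checkov -d . and trivy config . in the module directory to confirm which findings drop out; the EcrAuth statement keeps "*" by necessity, and the check's own title says it only flags restrictable actions.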

Contributor

Trivy Scan Failed

Show Output

Trivy will check the following folders:
terraform/environments/delius-core/modules/components/ldap


Running Trivy in terraform/environments/delius-core/modules/components/ldap
2024-08-19T14:59:36Z INFO [db] Need to update DB
2024-08-19T14:59:36Z INFO [db] Downloading DB... repository="ghcr.io/aquasecurity/trivy-db:2"
2024-08-19T14:59:38Z INFO [vuln] Vulnerability scanning is enabled
2024-08-19T14:59:38Z INFO [misconfig] Misconfiguration scanning is enabled
2024-08-19T14:59:38Z INFO Need to update the built-in policies
2024-08-19T14:59:38Z INFO Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-08-19T14:59:39Z INFO [secret] Secret scanning is enabled
2024-08-19T14:59:39Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-08-19T14:59:39Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.54/docs/scanner/secret#recommendation for faster secret detection
2024-08-19T14:59:40Z INFO Number of language-specific files num=0
2024-08-19T14:59:40Z INFO Detected config files num=10

sg.tf (terraform)
=================
Tests: 10 (SUCCESSES: 9, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 sg.tf:17
   via sg.tf:11-19 (aws_security_group_rule.allow_all_egress)
────────────────────────────────────────
  11   resource "aws_security_group_rule" "allow_all_egress" {
  12     description       = "Allow all outbound traffic to any IPv4 address"
  13     type              = "egress"
  14     from_port         = 0
  15     to_port           = 0
  16     protocol          = "-1"
  17 [   cidr_blocks       = ["0.0.0.0/0"]
  18     security_group_id = aws_security_group.ldap.id
  19   }
────────────────────────────────────────

trivy_exitcode=1

Checkov Scan Failed

Show Output

*****************************

Checkov will check the following folders:
terraform/environments/delius-core/modules/components/ldap

*****************************

Running Checkov in terraform/environments/delius-core/modules/components/ldap
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-08-19 14:59:43,602 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 247, Failed checks: 32, Skipped checks: 0

Check: CKV_AWS_166: "Ensure Backup Vault is encrypted at rest using KMS CMK"
	FAILED for resource: aws_backup_vault.ldap_backup_vault
	File: /backup.tf:1-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-backup-vault-is-encrypted-at-rest-using-kms-cmk

		1 | resource "aws_backup_vault" "ldap_backup_vault" {
		2 |   name = "${var.env_name}-ldap-efs-vault"
		3 |   tags = merge(
		4 |     var.tags,
		5 |     {
		6 |       Name = "${var.env_name}-ldap-efs-vault"
		7 |     },
		8 |   )
		9 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.delius_core_backup_policy
	File: /backup.tf:69-89
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		69 | data "aws_iam_policy_document" "delius_core_backup_policy" {
		70 |   statement {
		71 |     effect    = "Allow"
		72 |     resources = ["*"]
		73 | 
		74 |     actions = [
		75 |       "backup:CreateBackupPlan",
		76 |       "backup:CreateBackupSelection",
		77 |       "backup:StartBackupJob",
		78 |       "backup:DescribeBackupJob",
		79 |       "backup:ListBackupJobs",
		80 |       "backup:ListBackupVaults",
		81 |       "backup:ListRecoveryPointsByBackupVault",
		82 |       "backup:ListBackupPlanTemplates",
		83 |       "backup:DescribeRestoreJob",
		84 |       "backup:GetRecoveryPointRestoreMetadata",
		85 |       "backup:ListRestoreJobs",
		86 |       "backup:StartRestoreJob"
		87 |     ]
		88 |   }
		89 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.delius_core_backup_policy
	File: /backup.tf:69-89
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		69 | data "aws_iam_policy_document" "delius_core_backup_policy" {
		70 |   statement {
		71 |     effect    = "Allow"
		72 |     resources = ["*"]
		73 | 
		74 |     actions = [
		75 |       "backup:CreateBackupPlan",
		76 |       "backup:CreateBackupSelection",
		77 |       "backup:StartBackupJob",
		78 |       "backup:DescribeBackupJob",
		79 |       "backup:ListBackupJobs",
		80 |       "backup:ListBackupVaults",
		81 |       "backup:ListRecoveryPointsByBackupVault",
		82 |       "backup:ListBackupPlanTemplates",
		83 |       "backup:DescribeRestoreJob",
		84 |       "backup:GetRecoveryPointRestoreMetadata",
		85 |       "backup:ListRestoreJobs",
		86 |       "backup:StartRestoreJob"
		87 |     ]
		88 |   }
		89 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.efs_backup_policy
	File: /backup.tf:97-134
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		97  | data "aws_iam_policy_document" "efs_backup_policy" {
		98  |   statement {
		99  |     effect    = "Allow"
		100 |     resources = ["*"]
		101 | 
		102 |     actions = [
		103 |       "efs:DescribeFileSystems",
		104 |       "efs:CreateBackup",
		105 |       "efs:DeleteBackup",
		106 |       "efs:DescribeBackups",
		107 |       "efs:CreateTags",
		108 |       "efs:UntagResource",
		109 |       "efs:TagResource",
		110 |       "efs:DescribeTags",
		111 |       "elasticfilesystem:Backup",
		112 |       "elasticfilesystem:DescribeTags",
		113 |       "elasticfilesystem:CreateAccessPoint",
		114 |       "elasticfilesystem:CreateFileSystem",
		115 |       "elasticfilesystem:CreateMountTarget",
		116 |       "elasticfilesystem:DeleteAccessPoint",
		117 |       "elasticfilesystem:DeleteFileSystem",
		118 |       "elasticfilesystem:DeleteMountTarget",
		119 |       "elasticfilesystem:DescribeAccessPoints",
		120 |       "elasticfilesystem:DescribeFileSystemPolicy",
		121 |       "elasticfilesystem:DescribeFileSystems",
		122 |       "elasticfilesystem:DescribeLifecycleConfiguration",
		123 |       "elasticfilesystem:DescribeMountTargets",
		124 |       "elasticfilesystem:DescribeMountTargetSecurityGroups",
		125 |       "elasticfilesystem:PutBackupPolicy",
		126 |       "elasticfilesystem:PutFileSystemPolicy",
		127 |       "elasticfilesystem:PutLifecycleConfiguration",
		128 |       "elasticfilesystem:Restore",
		129 |       "elasticfilesystem:TagResource",
		130 |       "elasticfilesystem:UntagResource",
		131 |       "elasticfilesystem:UpdateFileSystem"
		132 |     ]
		133 |   }
		134 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.efs_backup_policy
	File: /backup.tf:97-134
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		97  | data "aws_iam_policy_document" "efs_backup_policy" {
		98  |   statement {
		99  |     effect    = "Allow"
		100 |     resources = ["*"]
		101 | 
		102 |     actions = [
		103 |       "efs:DescribeFileSystems",
		104 |       "efs:CreateBackup",
		105 |       "efs:DeleteBackup",
		106 |       "efs:DescribeBackups",
		107 |       "efs:CreateTags",
		108 |       "efs:UntagResource",
		109 |       "efs:TagResource",
		110 |       "efs:DescribeTags",
		111 |       "elasticfilesystem:Backup",
		112 |       "elasticfilesystem:DescribeTags",
		113 |       "elasticfilesystem:CreateAccessPoint",
		114 |       "elasticfilesystem:CreateFileSystem",
		115 |       "elasticfilesystem:CreateMountTarget",
		116 |       "elasticfilesystem:DeleteAccessPoint",
		117 |       "elasticfilesystem:DeleteFileSystem",
		118 |       "elasticfilesystem:DeleteMountTarget",
		119 |       "elasticfilesystem:DescribeAccessPoints",
		120 |       "elasticfilesystem:DescribeFileSystemPolicy",
		121 |       "elasticfilesystem:DescribeFileSystems",
		122 |       "elasticfilesystem:DescribeLifecycleConfiguration",
		123 |       "elasticfilesystem:DescribeMountTargets",
		124 |       "elasticfilesystem:DescribeMountTargetSecurityGroups",
		125 |       "elasticfilesystem:PutBackupPolicy",
		126 |       "elasticfilesystem:PutFileSystemPolicy",
		127 |       "elasticfilesystem:PutLifecycleConfiguration",
		128 |       "elasticfilesystem:Restore",
		129 |       "elasticfilesystem:TagResource",
		130 |       "elasticfilesystem:UntagResource",
		131 |       "elasticfilesystem:UpdateFileSystem"
		132 |     ]
		133 |   }
		134 | }

Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy_document.efs_backup_policy
	File: /backup.tf:97-134
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint

		97  | data "aws_iam_policy_document" "efs_backup_policy" {
		98  |   statement {
		99  |     effect    = "Allow"
		100 |     resources = ["*"]
		101 | 
		102 |     actions = [
		103 |       "efs:DescribeFileSystems",
		104 |       "efs:CreateBackup",
		105 |       "efs:DeleteBackup",
		106 |       "efs:DescribeBackups",
		107 |       "efs:CreateTags",
		108 |       "efs:UntagResource",
		109 |       "efs:TagResource",
		110 |       "efs:DescribeTags",
		111 |       "elasticfilesystem:Backup",
		112 |       "elasticfilesystem:DescribeTags",
		113 |       "elasticfilesystem:CreateAccessPoint",
		114 |       "elasticfilesystem:CreateFileSystem",
		115 |       "elasticfilesystem:CreateMountTarget",
		116 |       "elasticfilesystem:DeleteAccessPoint",
		117 |       "elasticfilesystem:DeleteFileSystem",
		118 |       "elasticfilesystem:DeleteMountTarget",
		119 |       "elasticfilesystem:DescribeAccessPoints",
		120 |       "elasticfilesystem:DescribeFileSystemPolicy",
		121 |       "elasticfilesystem:DescribeFileSystems",
		122 |       "elasticfilesystem:DescribeLifecycleConfiguration",
		123 |       "elasticfilesystem:DescribeMountTargets",
		124 |       "elasticfilesystem:DescribeMountTargetSecurityGroups",
		125 |       "elasticfilesystem:PutBackupPolicy",
		126 |       "elasticfilesystem:PutFileSystemPolicy",
		127 |       "elasticfilesystem:PutLifecycleConfiguration",
		128 |       "elasticfilesystem:Restore",
		129 |       "elasticfilesystem:TagResource",
		130 |       "elasticfilesystem:UntagResource",
		131 |       "elasticfilesystem:UpdateFileSystem"
		132 |     ]
		133 |   }
		134 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.ldap_ecs
	File: /cloudwatch.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		1 | resource "aws_cloudwatch_log_group" "ldap_ecs" {
		2 |   name              = "/ecs/ldap-${var.env_name}"
		3 |   retention_in_days = 5
		4 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.ldap_ecs
	File: /cloudwatch.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		1 | resource "aws_cloudwatch_log_group" "ldap_ecs" {
		2 |   name              = "/ecs/ldap-${var.env_name}"
		3 |   retention_in_days = 5
		4 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.ldap_automation
	File: /cloudwatch.tf:6-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		6 | resource "aws_cloudwatch_log_group" "ldap_automation" {
		7 |   name              = "/ecs/ldap-automation-${var.env_name}"
		8 |   retention_in_days = 5
		9 | }
Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.ldap_automation
	File: /cloudwatch.tf:6-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		6 | resource "aws_cloudwatch_log_group" "ldap_automation" {
		7 |   name              = "/ecs/ldap-automation-${var.env_name}"
		8 |   retention_in_days = 5
		9 | }
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3_bucket_ldap_data_refresh
	File: /datasync.tf:117-131
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		117 | module "s3_bucket_ldap_data_refresh" {
		118 |   source              = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0"
		119 |   bucket_name         = "${var.env_name}-ldap-data-refresh-incoming"
		120 |   versioning_enabled  = false
		121 |   ownership_controls  = "BucketOwnerEnforced"
		122 |   replication_enabled = false
		123 |   custom_kms_key      = var.account_config.kms_keys.general_shared
		124 |   bucket_policy_v2    = local.ldap_refresh_bucket_policies
		125 | 
		126 |   providers = {
		127 |     aws.bucket-replication = aws.bucket-replication
		128 |   }
		129 | 
		130 |   tags = var.tags
		131 | }
Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.ldap_datasync_role_access
	File: /datasync.tf:49-88
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		49 | data "aws_iam_policy_document" "ldap_datasync_role_access" {
		50 |   statement {
		51 |     effect = "Allow"
		52 |     actions = [
		53 |       "backup:*",
		54 |       "datasync:*",
		55 |       "elasticfilesystem:*",
		56 |       "ec2:DescribeInstances",
		57 |       "ec2:CreateNetworkInterface",
		58 |       "ec2:AttachNetworkInterface",
		59 |       "ec2:DescribeNetworkInterfaces",
		60 |       "ec2:DeleteNetworkInterface"
		61 |     ]
		62 |     resources = ["*"]
		63 |   }
		64 |   statement {
		65 |     effect = "Allow"
		66 |     actions = [
		67 |       "kms:ListGrants",
		68 |       "kms:GenerateDataKey",
		69 |       "kms:Encrypt",
		70 |       "kms:DescribeKey",
		71 |       "kms:Decrypt",
		72 |       "kms:CreateGrant",
		73 |       "kms:ReEncryptTo",
		74 |       "kms:ReEncryptFrom",
		75 |       "kms:GenerateDataKeyWithoutPlaintext"
		76 |     ]
		77 |     resources = [var.account_config.kms_keys.general_shared]
		78 |   }
		79 |   statement {
		80 |     sid     = "allowAccessForDataSync"
		81 |     effect  = "Allow"
		82 |     actions = ["s3:*"]
		83 |     resources = [
		84 |       "arn:aws:s3:::*-ldap-data-refresh-incoming",
		85 |       "arn:aws:s3:::*-ldap-data-refresh-incoming/*",
		86 |     ]
		87 |   }
		88 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.ldap_datasync_role_access
	File: /datasync.tf:49-88
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		49 | data "aws_iam_policy_document" "ldap_datasync_role_access" {
		50 |   statement {
		51 |     effect = "Allow"
		52 |     actions = [
		53 |       "backup:*",
		54 |       "datasync:*",
		55 |       "elasticfilesystem:*",
		56 |       "ec2:DescribeInstances",
		57 |       "ec2:CreateNetworkInterface",
		58 |       "ec2:AttachNetworkInterface",
		59 |       "ec2:DescribeNetworkInterfaces",
		60 |       "ec2:DeleteNetworkInterface"
		61 |     ]
		62 |     resources = ["*"]
		63 |   }
		64 |   statement {
		65 |     effect = "Allow"
		66 |     actions = [
		67 |       "kms:ListGrants",
		68 |       "kms:GenerateDataKey",
		69 |       "kms:Encrypt",
		70 |       "kms:DescribeKey",
		71 |       "kms:Decrypt",
		72 |       "kms:CreateGrant",
		73 |       "kms:ReEncryptTo",
		74 |       "kms:ReEncryptFrom",
		75 |       "kms:GenerateDataKeyWithoutPlaintext"
		76 |     ]
		77 |     resources = [var.account_config.kms_keys.general_shared]
		78 |   }
		79 |   statement {
		80 |     sid     = "allowAccessForDataSync"
		81 |     effect  = "Allow"
		82 |     actions = ["s3:*"]
		83 |     resources = [
		84 |       "arn:aws:s3:::*-ldap-data-refresh-incoming",
		85 |       "arn:aws:s3:::*-ldap-data-refresh-incoming/*",
		86 |     ]
		87 |   }
		88 | }

Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy_document.ldap_datasync_role_access
	File: /datasync.tf:49-88
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint

		49 | data "aws_iam_policy_document" "ldap_datasync_role_access" {
		50 |   statement {
		51 |     effect = "Allow"
		52 |     actions = [
		53 |       "backup:*",
		54 |       "datasync:*",
		55 |       "elasticfilesystem:*",
		56 |       "ec2:DescribeInstances",
		57 |       "ec2:CreateNetworkInterface",
		58 |       "ec2:AttachNetworkInterface",
		59 |       "ec2:DescribeNetworkInterfaces",
		60 |       "ec2:DeleteNetworkInterface"
		61 |     ]
		62 |     resources = ["*"]
		63 |   }
		64 |   statement {
		65 |     effect = "Allow"
		66 |     actions = [
		67 |       "kms:ListGrants",
		68 |       "kms:GenerateDataKey",
		69 |       "kms:Encrypt",
		70 |       "kms:DescribeKey",
		71 |       "kms:Decrypt",
		72 |       "kms:CreateGrant",
		73 |       "kms:ReEncryptTo",
		74 |       "kms:ReEncryptFrom",
		75 |       "kms:GenerateDataKeyWithoutPlaintext"
		76 |     ]
		77 |     resources = [var.account_config.kms_keys.general_shared]
		78 |   }
		79 |   statement {
		80 |     sid     = "allowAccessForDataSync"
		81 |     effect  = "Allow"
		82 |     actions = ["s3:*"]
		83 |     resources = [
		84 |       "arn:aws:s3:::*-ldap-data-refresh-incoming",
		85 |       "arn:aws:s3:::*-ldap-data-refresh-incoming/*",
		86 |     ]
		87 |   }
		88 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3_bucket_migration
	File: /s3.tf:1-99
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3_bucket_app_deployment
	File: /s3.tf:102-141
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		102 | module "s3_bucket_app_deployment" {
		103 | 
		104 |   source = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0"
		105 | 
		106 |   bucket_prefix      = "ldap-${var.env_name}-deployment-state"
		107 |   versioning_enabled = true
		108 | 
		109 |   providers = {
		110 |     aws.bucket-replication = aws.bucket-replication
		111 |   }
		112 | 
		113 |   lifecycle_rule = [
		114 |     {
		115 |       id      = "main"
		116 |       enabled = "Enabled"
		117 |       prefix  = ""
		118 | 
		119 |       tags = {
		120 |         rule      = "log"
		121 |         autoclean = "true"
		122 |       }
		123 | 
		124 |       noncurrent_version_transition = [
		125 |         {
		126 |           days          = 90
		127 |           storage_class = "STANDARD_IA"
		128 |           }, {
		129 |           days          = 365
		130 |           storage_class = "GLACIER"
		131 |         }
		132 |       ]
		133 | 
		134 |       noncurrent_version_expiration = {
		135 |         days = 730
		136 |       }
		137 |     }
		138 |   ]
		139 | 
		140 |   tags = var.tags
		141 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_ldap_host
	File: /secrets.tf:5-15
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		5  | resource "aws_ssm_parameter" "delius_core_ldap_host" {
		6  |   name  = format("/%s-%s/LDAP_HOST", var.account_info.application_name, var.env_name)
		7  |   type  = "SecureString"
		8  |   value = "INITIAL_VALUE_OVERRIDDEN"
		9  |   lifecycle {
		10 |     ignore_changes = [
		11 |       value
		12 |     ]
		13 |   }
		14 |   tags = var.tags
		15 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_ldap_principal
	File: /secrets.tf:21-31
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		21 | resource "aws_ssm_parameter" "delius_core_ldap_principal" {
		22 |   name  = format("/%s-%s/LDAP_PRINCIPAL", var.account_info.application_name, var.env_name)
		23 |   type  = "SecureString"
		24 |   value = "INITIAL_VALUE_OVERRIDDEN"
		25 |   lifecycle {
		26 |     ignore_changes = [
		27 |       value
		28 |     ]
		29 |   }
		30 |   tags = var.tags
		31 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_ldap_seed_uri
	File: /secrets.tf:37-47
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		37 | resource "aws_ssm_parameter" "delius_core_ldap_seed_uri" {
		38 |   name  = format("/%s-%s/LDAP_SEED_URI", var.account_info.application_name, var.env_name)
		39 |   type  = "SecureString"
		40 |   value = "INITIAL_VALUE_OVERRIDDEN"
		41 |   lifecycle {
		42 |     ignore_changes = [
		43 |       value
		44 |     ]
		45 |   }
		46 |   tags = var.tags
		47 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_ldap_bind_password
	File: /secrets.tf:53-63
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		53 | resource "aws_ssm_parameter" "delius_core_ldap_bind_password" {
		54 |   name  = format("/%s-%s/LDAP_BIND_PASSWORD", var.account_info.application_name, var.env_name)
		55 |   type  = "SecureString"
		56 |   value = "INITIAL_VALUE_OVERRIDDEN"
		57 |   lifecycle {
		58 |     ignore_changes = [
		59 |       value
		60 |     ]
		61 |   }
		62 |   tags = var.tags
		63 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_ldap_rbac_version
	File: /secrets.tf:82-92
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		82 | resource "aws_ssm_parameter" "delius_core_ldap_rbac_version" {
		83 |   name  = format("/%s-%s/LDAP_RBAC_VERSION", var.account_info.application_name, var.env_name)
		84 |   type  = "SecureString"
		85 |   value = "INITIAL_VALUE_OVERRIDDEN"
		86 |   lifecycle {
		87 |     ignore_changes = [
		88 |       value
		89 |     ]
		90 |   }
		91 |   tags = var.tags
		92 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group_rule.efs_ingress_ldap
	File: /sg.tf:65-72
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		65 | resource "aws_security_group_rule" "efs_ingress_ldap" {
		66 |   type                     = "ingress"
		67 |   from_port                = 2049
		68 |   to_port                  = 2049
		69 |   protocol                 = "tcp"
		70 |   source_security_group_id = module.efs.sg_id
		71 |   security_group_id        = aws_security_group.ldap.id
		72 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.ldap_ecs_policies.aws_iam_policy_document.task_exec
	File: /../../helpers/ecs_policies/main.tf:104-122
	Calling File: /ldap_policies.tf:1-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		104 | data "aws_iam_policy_document" "task_exec" {
		105 |   statement {
		106 |     effect    = "Allow"
		107 |     resources = ["*"]
		108 | 
		109 |     actions = concat([
		110 |       "ssm:GetParameters",
		111 |       "ecr:GetAuthorizationToken",
		112 |       "ecr:BatchCheckLayerAvailability",
		113 |       "ecr:GetDownloadUrlForLayer",
		114 |       "ecr:BatchGetImage",
		115 |       "logs:CreateLogGroup",
		116 |       "logs:CreateLogStream",
		117 |       "logs:PutLogEvents",
		118 |       "secretsmanager:GetSecretValue",
		119 |       "kms:Decrypt",
		120 |     ], var.extra_exec_role_allow_statements)
		121 |   }
		122 | }

Check: CKV_AWS_108: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: module.ldap_ecs_policies.aws_iam_policy_document.task_exec
	File: /../../helpers/ecs_policies/main.tf:104-122
	Calling File: /ldap_policies.tf:1-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-data-exfiltration

		104 | data "aws_iam_policy_document" "task_exec" {
		105 |   statement {
		106 |     effect    = "Allow"
		107 |     resources = ["*"]
		108 | 
		109 |     actions = concat([
		110 |       "ssm:GetParameters",
		111 |       "ecr:GetAuthorizationToken",
		112 |       "ecr:BatchCheckLayerAvailability",
		113 |       "ecr:GetDownloadUrlForLayer",
		114 |       "ecr:BatchGetImage",
		115 |       "logs:CreateLogGroup",
		116 |       "logs:CreateLogStream",
		117 |       "logs:PutLogEvents",
		118 |       "secretsmanager:GetSecretValue",
		119 |       "kms:Decrypt",
		120 |     ], var.extra_exec_role_allow_statements)
		121 |   }
		122 | }

Check: CKV_AWS_329: "EFS access points should enforce a root directory"
	FAILED for resource: module.efs.aws_efs_access_point.ldap
	File: /../../helpers/efs/main.tf:26-37
	Calling File: /efs.tf:1-17
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-329

		26 | resource "aws_efs_access_point" "ldap" {
		27 |   file_system_id = aws_efs_file_system.this.id
		28 |   root_directory {
		29 |     path = "/"
		30 |   }
		31 |   tags = merge(
		32 |     var.tags,
		33 |     {
		34 |       Name = "${var.env_name}-${var.name}-efs-access-point"
		35 |     }
		36 |   )
		37 | }

Check: CKV_AWS_330: "EFS access points should enforce a user identity"
	FAILED for resource: module.efs.aws_efs_access_point.ldap
	File: /../../helpers/efs/main.tf:26-37
	Calling File: /efs.tf:1-17
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-330

		26 | resource "aws_efs_access_point" "ldap" {
		27 |   file_system_id = aws_efs_file_system.this.id
		28 |   root_directory {
		29 |     path = "/"
		30 |   }
		31 |   tags = merge(
		32 |     var.tags,
		33 |     {
		34 |       Name = "${var.env_name}-${var.name}-efs-access-point"
		35 |     }
		36 |   )
		37 | }

Check: CKV_AWS_152: "Ensure that Load Balancer (Network/Gateway) has cross-zone load balancing enabled"
	FAILED for resource: module.nlb.aws_lb.this
	File: /../../helpers/nlb/main.tf:1-12
	Calling File: /nlb.tf:1-23
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-load-balancer-networkgateway-has-cross-zone-load-balancing-enabled

		1  | resource "aws_lb" "this" {
		2  |   name                       = "${var.app_name}-${var.env_name}-nlb"
		3  |   internal                   = var.internal
		4  |   load_balancer_type         = var.load_balancer_type
		5  |   subnets                    = var.subnet_ids
		6  |   drop_invalid_header_fields = var.drop_invalid_header_fields
		7  |   enable_deletion_protection = var.enable_deletion_protection
		8  | 
		9  | 
		10 | 
		11 |   tags = var.tags
		12 | }

Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
	FAILED for resource: module.nlb.aws_lb.this
	File: /../../helpers/nlb/main.tf:1-12
	Calling File: /nlb.tf:1-23
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22

		1  | resource "aws_lb" "this" {
		2  |   name                       = "${var.app_name}-${var.env_name}-nlb"
		3  |   internal                   = var.internal
		4  |   load_balancer_type         = var.load_balancer_type
		5  |   subnets                    = var.subnet_ids
		6  |   drop_invalid_header_fields = var.drop_invalid_header_fields
		7  |   enable_deletion_protection = var.enable_deletion_protection
		8  | 
		9  | 
		10 | 
		11 |   tags = var.tags
		12 | }

Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
	FAILED for resource: module.nlb.aws_lb.this
	File: /../../helpers/nlb/main.tf:1-12
	Calling File: /nlb.tf:1-23
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-150

		1  | resource "aws_lb" "this" {
		2  |   name                       = "${var.app_name}-${var.env_name}-nlb"
		3  |   internal                   = var.internal
		4  |   load_balancer_type         = var.load_balancer_type
		5  |   subnets                    = var.subnet_ids
		6  |   drop_invalid_header_fields = var.drop_invalid_header_fields
		7  |   enable_deletion_protection = var.enable_deletion_protection
		8  | 
		9  | 
		10 | 
		11 |   tags = var.tags
		12 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: module.ldap_admin_password.aws_secretsmanager_secret.this
	File: /../../helpers/secret/main.tf:1-6
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		1 | resource "aws_secretsmanager_secret" "this" {
		2 |   name        = var.name
		3 |   description = var.description
		4 |   kms_key_id  = var.kms_key_id
		5 |   tags        = var.tags
		6 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.ldap
	File: /sg.tf:1-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		1 | resource "aws_security_group" "ldap" {
		2 |   name        = "${var.env_name}-ldap-sg"
		3 |   description = "Security group for the ${var.env_name} ldap service"
		4 |   vpc_id      = var.account_info.vpc_id
		5 |   tags        = var.tags
		6 |   lifecycle {
		7 |     create_before_destroy = true
		8 |   }
		9 | }

Check: CKV_AWS_103: "Ensure that load balancer is using at least TLS 1.2"
	FAILED for resource: module.nlb.aws_lb_listener.ldaps
	File: /../../helpers/nlb/main.tf:32-50
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-43

		32 | resource "aws_lb_listener" "ldaps" {
		33 |   load_balancer_arn = aws_lb.this.arn
		34 |   port              = var.secure_port
		35 |   protocol          = "TLS"
		36 | 
		37 |   default_action {
		38 |     type             = "forward"
		39 |     target_group_arn = aws_lb_target_group.this.arn
		40 |   }
		41 | 
		42 |   certificate_arn = var.certificate_arn
		43 | 
		44 |   tags = merge(
		45 |     var.tags,
		46 |     {
		47 |       Name = var.app_name
		48 |     }
		49 |   )
		50 | }


checkov_exitcode=1

TFLint Scan Failed

Show Output
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
terraform/environments/delius-core/modules/components/ldap

*****************************

Running tflint in terraform/environments/delius-core/modules/components/ldap
Excluding the following checks: terraform_unused_declarations
1 issue(s) found:

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/delius-core/modules/components/ldap/datasync.tf line 97:
  97:         "${module.s3_bucket_ldap_data_refresh.bucket.arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

tflint_exitcode=2

Trivy Scan Failed

Show Output
*****************************

Trivy will check the following folders:
terraform/environments/delius-core/modules/components/ldap

*****************************

Running Trivy in terraform/environments/delius-core/modules/components/ldap
2024-08-19T14:59:36Z	INFO	[db] Need to update DB
2024-08-19T14:59:36Z	INFO	[db] Downloading DB...	repository="ghcr.io/aquasecurity/trivy-db:2"
2024-08-19T14:59:38Z	INFO	[vuln] Vulnerability scanning is enabled
2024-08-19T14:59:38Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-08-19T14:59:38Z	INFO	Need to update the built-in policies
2024-08-19T14:59:38Z	INFO	Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s
2024-08-19T14:59:39Z	INFO	[secret] Secret scanning is enabled
2024-08-19T14:59:39Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-08-19T14:59:39Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.54/docs/scanner/secret#recommendation for faster secret detection
2024-08-19T14:59:40Z	INFO	Number of language-specific files	num=0
2024-08-19T14:59:40Z	INFO	Detected config files	num=10

sg.tf (terraform)
=================
Tests: 10 (SUCCESSES: 9, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 sg.tf:17
   via sg.tf:11-19 (aws_security_group_rule.allow_all_egress)
────────────────────────────────────────
  11   resource "aws_security_group_rule" "allow_all_egress" {
  12     description       = "Allow all outbound traffic to any IPv4 address"
  13     type              = "egress"
  14     from_port         = 0
  15     to_port           = 0
  16     protocol          = "-1"
  17 [   cidr_blocks       = ["0.0.0.0/0"]
  18     security_group_id = aws_security_group.ldap.id
  19   }
────────────────────────────────────────


trivy_exitcode=1

Contributor

Trivy Scan Failed

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/delius-core/modules/components/ldap


Running Trivy in terraform/environments/delius-core/modules/components/ldap
2024-08-19T15:00:15Z INFO [db] Need to update DB
2024-08-19T15:00:15Z INFO [db] Downloading DB... repository="ghcr.io/aquasecurity/trivy-db:2"
2024-08-19T15:00:17Z INFO [vuln] Vulnerability scanning is enabled
2024-08-19T15:00:17Z INFO [misconfig] Misconfiguration scanning is enabled
2024-08-19T15:00:17Z INFO Need to update the built-in policies
2024-08-19T15:00:17Z INFO Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s
2024-08-19T15:00:17Z INFO [secret] Secret scanning is enabled
2024-08-19T15:00:17Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-08-19T15:00:17Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.54/docs/scanner/secret#recommendation for faster secret detection
2024-08-19T15:00:18Z INFO Number of language-specific files num=0
2024-08-19T15:00:18Z INFO Detected config files num=10

sg.tf (terraform)
=================
Tests: 10 (SUCCESSES: 9, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 sg.tf:17
   via sg.tf:11-19 (aws_security_group_rule.allow_all_egress)
────────────────────────────────────────
  11   resource "aws_security_group_rule" "allow_all_egress" {
  12     description       = "Allow all outbound traffic to any IPv4 address"
  13     type              = "egress"
  14     from_port         = 0
  15     to_port           = 0
  16     protocol          = "-1"
  17 [   cidr_blocks       = ["0.0.0.0/0"]
  18     security_group_id = aws_security_group.ldap.id
  19   }
────────────────────────────────────────

trivy_exitcode=1

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/delius-core/modules/components/ldap

*****************************

Running Checkov in terraform/environments/delius-core/modules/components/ldap
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-08-19 15:00:20,916 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 247, Failed checks: 32, Skipped checks: 0

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.delius_core_backup_policy
	File: /backup.tf:69-89
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		69 | data "aws_iam_policy_document" "delius_core_backup_policy" {
		70 |   statement {
		71 |     effect    = "Allow"
		72 |     resources = ["*"]
		73 | 
		74 |     actions = [
		75 |       "backup:CreateBackupPlan",
		76 |       "backup:CreateBackupSelection",
		77 |       "backup:StartBackupJob",
		78 |       "backup:DescribeBackupJob",
		79 |       "backup:ListBackupJobs",
		80 |       "backup:ListBackupVaults",
		81 |       "backup:ListRecoveryPointsByBackupVault",
		82 |       "backup:ListBackupPlanTemplates",
		83 |       "backup:DescribeRestoreJob",
		84 |       "backup:GetRecoveryPointRestoreMetadata",
		85 |       "backup:ListRestoreJobs",
		86 |       "backup:StartRestoreJob"
		87 |     ]
		88 |   }
		89 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.delius_core_backup_policy
	File: /backup.tf:69-89
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		69 | data "aws_iam_policy_document" "delius_core_backup_policy" {
		70 |   statement {
		71 |     effect    = "Allow"
		72 |     resources = ["*"]
		73 | 
		74 |     actions = [
		75 |       "backup:CreateBackupPlan",
		76 |       "backup:CreateBackupSelection",
		77 |       "backup:StartBackupJob",
		78 |       "backup:DescribeBackupJob",
		79 |       "backup:ListBackupJobs",
		80 |       "backup:ListBackupVaults",
		81 |       "backup:ListRecoveryPointsByBackupVault",
		82 |       "backup:ListBackupPlanTemplates",
		83 |       "backup:DescribeRestoreJob",
		84 |       "backup:GetRecoveryPointRestoreMetadata",
		85 |       "backup:ListRestoreJobs",
		86 |       "backup:StartRestoreJob"
		87 |     ]
		88 |   }
		89 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.efs_backup_policy
	File: /backup.tf:97-134
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		97  | data "aws_iam_policy_document" "efs_backup_policy" {
		98  |   statement {
		99  |     effect    = "Allow"
		100 |     resources = ["*"]
		101 | 
		102 |     actions = [
		103 |       "efs:DescribeFileSystems",
		104 |       "efs:CreateBackup",
		105 |       "efs:DeleteBackup",
		106 |       "efs:DescribeBackups",
		107 |       "efs:CreateTags",
		108 |       "efs:UntagResource",
		109 |       "efs:TagResource",
		110 |       "efs:DescribeTags",
		111 |       "elasticfilesystem:Backup",
		112 |       "elasticfilesystem:DescribeTags",
		113 |       "elasticfilesystem:CreateAccessPoint",
		114 |       "elasticfilesystem:CreateFileSystem",
		115 |       "elasticfilesystem:CreateMountTarget",
		116 |       "elasticfilesystem:DeleteAccessPoint",
		117 |       "elasticfilesystem:DeleteFileSystem",
		118 |       "elasticfilesystem:DeleteMountTarget",
		119 |       "elasticfilesystem:DescribeAccessPoints",
		120 |       "elasticfilesystem:DescribeFileSystemPolicy",
		121 |       "elasticfilesystem:DescribeFileSystems",
		122 |       "elasticfilesystem:DescribeLifecycleConfiguration",
		123 |       "elasticfilesystem:DescribeMountTargets",
		124 |       "elasticfilesystem:DescribeMountTargetSecurityGroups",
		125 |       "elasticfilesystem:PutBackupPolicy",
		126 |       "elasticfilesystem:PutFileSystemPolicy",
		127 |       "elasticfilesystem:PutLifecycleConfiguration",
		128 |       "elasticfilesystem:Restore",
		129 |       "elasticfilesystem:TagResource",
		130 |       "elasticfilesystem:UntagResource",
		131 |       "elasticfilesystem:UpdateFileSystem"
		132 |     ]
		133 |   }
		134 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.efs_backup_policy
	File: /backup.tf:97-134
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		97  | data "aws_iam_policy_document" "efs_backup_policy" {
		98  |   statement {
		99  |     effect    = "Allow"
		100 |     resources = ["*"]
		101 | 
		102 |     actions = [
		103 |       "efs:DescribeFileSystems",
		104 |       "efs:CreateBackup",
		105 |       "efs:DeleteBackup",
		106 |       "efs:DescribeBackups",
		107 |       "efs:CreateTags",
		108 |       "efs:UntagResource",
		109 |       "efs:TagResource",
		110 |       "efs:DescribeTags",
		111 |       "elasticfilesystem:Backup",
		112 |       "elasticfilesystem:DescribeTags",
		113 |       "elasticfilesystem:CreateAccessPoint",
		114 |       "elasticfilesystem:CreateFileSystem",
		115 |       "elasticfilesystem:CreateMountTarget",
		116 |       "elasticfilesystem:DeleteAccessPoint",
		117 |       "elasticfilesystem:DeleteFileSystem",
		118 |       "elasticfilesystem:DeleteMountTarget",
		119 |       "elasticfilesystem:DescribeAccessPoints",
		120 |       "elasticfilesystem:DescribeFileSystemPolicy",
		121 |       "elasticfilesystem:DescribeFileSystems",
		122 |       "elasticfilesystem:DescribeLifecycleConfiguration",
		123 |       "elasticfilesystem:DescribeMountTargets",
		124 |       "elasticfilesystem:DescribeMountTargetSecurityGroups",
		125 |       "elasticfilesystem:PutBackupPolicy",
		126 |       "elasticfilesystem:PutFileSystemPolicy",
		127 |       "elasticfilesystem:PutLifecycleConfiguration",
		128 |       "elasticfilesystem:Restore",
		129 |       "elasticfilesystem:TagResource",
		130 |       "elasticfilesystem:UntagResource",
		131 |       "elasticfilesystem:UpdateFileSystem"
		132 |     ]
		133 |   }
		134 | }

Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy_document.efs_backup_policy
	File: /backup.tf:97-134
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint

		97  | data "aws_iam_policy_document" "efs_backup_policy" {
		98  |   statement {
		99  |     effect    = "Allow"
		100 |     resources = ["*"]
		101 | 
		102 |     actions = [
		103 |       "efs:DescribeFileSystems",
		104 |       "efs:CreateBackup",
		105 |       "efs:DeleteBackup",
		106 |       "efs:DescribeBackups",
		107 |       "efs:CreateTags",
		108 |       "efs:UntagResource",
		109 |       "efs:TagResource",
		110 |       "efs:DescribeTags",
		111 |       "elasticfilesystem:Backup",
		112 |       "elasticfilesystem:DescribeTags",
		113 |       "elasticfilesystem:CreateAccessPoint",
		114 |       "elasticfilesystem:CreateFileSystem",
		115 |       "elasticfilesystem:CreateMountTarget",
		116 |       "elasticfilesystem:DeleteAccessPoint",
		117 |       "elasticfilesystem:DeleteFileSystem",
		118 |       "elasticfilesystem:DeleteMountTarget",
		119 |       "elasticfilesystem:DescribeAccessPoints",
		120 |       "elasticfilesystem:DescribeFileSystemPolicy",
		121 |       "elasticfilesystem:DescribeFileSystems",
		122 |       "elasticfilesystem:DescribeLifecycleConfiguration",
		123 |       "elasticfilesystem:DescribeMountTargets",
		124 |       "elasticfilesystem:DescribeMountTargetSecurityGroups",
		125 |       "elasticfilesystem:PutBackupPolicy",
		126 |       "elasticfilesystem:PutFileSystemPolicy",
		127 |       "elasticfilesystem:PutLifecycleConfiguration",
		128 |       "elasticfilesystem:Restore",
		129 |       "elasticfilesystem:TagResource",
		130 |       "elasticfilesystem:UntagResource",
		131 |       "elasticfilesystem:UpdateFileSystem"
		132 |     ]
		133 |   }
		134 | }

Check: CKV_AWS_166: "Ensure Backup Vault is encrypted at rest using KMS CMK"
	FAILED for resource: aws_backup_vault.ldap_backup_vault
	File: /backup.tf:1-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-backup-vault-is-encrypted-at-rest-using-kms-cmk

		1 | resource "aws_backup_vault" "ldap_backup_vault" {
		2 |   name = "${var.env_name}-ldap-efs-vault"
		3 |   tags = merge(
		4 |     var.tags,
		5 |     {
		6 |       Name = "${var.env_name}-ldap-efs-vault"
		7 |     },
		8 |   )
		9 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.ldap_ecs
	File: /cloudwatch.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		1 | resource "aws_cloudwatch_log_group" "ldap_ecs" {
		2 |   name              = "/ecs/ldap-${var.env_name}"
		3 |   retention_in_days = 5
		4 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.ldap_ecs
	File: /cloudwatch.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		1 | resource "aws_cloudwatch_log_group" "ldap_ecs" {
		2 |   name              = "/ecs/ldap-${var.env_name}"
		3 |   retention_in_days = 5
		4 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.ldap_automation
	File: /cloudwatch.tf:6-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		6 | resource "aws_cloudwatch_log_group" "ldap_automation" {
		7 |   name              = "/ecs/ldap-automation-${var.env_name}"
		8 |   retention_in_days = 5
		9 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.ldap_automation
	File: /cloudwatch.tf:6-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		6 | resource "aws_cloudwatch_log_group" "ldap_automation" {
		7 |   name              = "/ecs/ldap-automation-${var.env_name}"
		8 |   retention_in_days = 5
		9 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3_bucket_ldap_data_refresh
	File: /datasync.tf:117-131
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		117 | module "s3_bucket_ldap_data_refresh" {
		118 |   source              = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0"
		119 |   bucket_name         = "${var.env_name}-ldap-data-refresh-incoming"
		120 |   versioning_enabled  = false
		121 |   ownership_controls  = "BucketOwnerEnforced"
		122 |   replication_enabled = false
		123 |   custom_kms_key      = var.account_config.kms_keys.general_shared
		124 |   bucket_policy_v2    = local.ldap_refresh_bucket_policies
		125 | 
		126 |   providers = {
		127 |     aws.bucket-replication = aws.bucket-replication
		128 |   }
		129 | 
		130 |   tags = var.tags
		131 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.ldap_datasync_role_access
	File: /datasync.tf:49-88
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		49 | data "aws_iam_policy_document" "ldap_datasync_role_access" {
		50 |   statement {
		51 |     effect = "Allow"
		52 |     actions = [
		53 |       "backup:*",
		54 |       "datasync:*",
		55 |       "elasticfilesystem:*",
		56 |       "ec2:DescribeInstances",
		57 |       "ec2:CreateNetworkInterface",
		58 |       "ec2:AttachNetworkInterface",
		59 |       "ec2:DescribeNetworkInterfaces",
		60 |       "ec2:DeleteNetworkInterface"
		61 |     ]
		62 |     resources = ["*"]
		63 |   }
		64 |   statement {
		65 |     effect = "Allow"
		66 |     actions = [
		67 |       "kms:ListGrants",
		68 |       "kms:GenerateDataKey",
		69 |       "kms:Encrypt",
		70 |       "kms:DescribeKey",
		71 |       "kms:Decrypt",
		72 |       "kms:CreateGrant",
		73 |       "kms:ReEncryptTo",
		74 |       "kms:ReEncryptFrom",
		75 |       "kms:GenerateDataKeyWithoutPlaintext"
		76 |     ]
		77 |     resources = [var.account_config.kms_keys.general_shared]
		78 |   }
		79 |   statement {
		80 |     sid     = "allowAccessForDataSync"
		81 |     effect  = "Allow"
		82 |     actions = ["s3:*"]
		83 |     resources = [
		84 |       "arn:aws:s3:::*-ldap-data-refresh-incoming",
		85 |       "arn:aws:s3:::*-ldap-data-refresh-incoming/*",
		86 |     ]
		87 |   }
		88 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.ldap_datasync_role_access
	File: /datasync.tf:49-88
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		49 | data "aws_iam_policy_document" "ldap_datasync_role_access" {
		50 |   statement {
		51 |     effect = "Allow"
		52 |     actions = [
		53 |       "backup:*",
		54 |       "datasync:*",
		55 |       "elasticfilesystem:*",
		56 |       "ec2:DescribeInstances",
		57 |       "ec2:CreateNetworkInterface",
		58 |       "ec2:AttachNetworkInterface",
		59 |       "ec2:DescribeNetworkInterfaces",
		60 |       "ec2:DeleteNetworkInterface"
		61 |     ]
		62 |     resources = ["*"]
		63 |   }
		64 |   statement {
		65 |     effect = "Allow"
		66 |     actions = [
		67 |       "kms:ListGrants",
		68 |       "kms:GenerateDataKey",
		69 |       "kms:Encrypt",
		70 |       "kms:DescribeKey",
		71 |       "kms:Decrypt",
		72 |       "kms:CreateGrant",
		73 |       "kms:ReEncryptTo",
		74 |       "kms:ReEncryptFrom",
		75 |       "kms:GenerateDataKeyWithoutPlaintext"
		76 |     ]
		77 |     resources = [var.account_config.kms_keys.general_shared]
		78 |   }
		79 |   statement {
		80 |     sid     = "allowAccessForDataSync"
		81 |     effect  = "Allow"
		82 |     actions = ["s3:*"]
		83 |     resources = [
		84 |       "arn:aws:s3:::*-ldap-data-refresh-incoming",
		85 |       "arn:aws:s3:::*-ldap-data-refresh-incoming/*",
		86 |     ]
		87 |   }
		88 | }

Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy_document.ldap_datasync_role_access
	File: /datasync.tf:49-88
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint

		49 | data "aws_iam_policy_document" "ldap_datasync_role_access" {
		50 |   statement {
		51 |     effect = "Allow"
		52 |     actions = [
		53 |       "backup:*",
		54 |       "datasync:*",
		55 |       "elasticfilesystem:*",
		56 |       "ec2:DescribeInstances",
		57 |       "ec2:CreateNetworkInterface",
		58 |       "ec2:AttachNetworkInterface",
		59 |       "ec2:DescribeNetworkInterfaces",
		60 |       "ec2:DeleteNetworkInterface"
		61 |     ]
		62 |     resources = ["*"]
		63 |   }
		64 |   statement {
		65 |     effect = "Allow"
		66 |     actions = [
		67 |       "kms:ListGrants",
		68 |       "kms:GenerateDataKey",
		69 |       "kms:Encrypt",
		70 |       "kms:DescribeKey",
		71 |       "kms:Decrypt",
		72 |       "kms:CreateGrant",
		73 |       "kms:ReEncryptTo",
		74 |       "kms:ReEncryptFrom",
		75 |       "kms:GenerateDataKeyWithoutPlaintext"
		76 |     ]
		77 |     resources = [var.account_config.kms_keys.general_shared]
		78 |   }
		79 |   statement {
		80 |     sid     = "allowAccessForDataSync"
		81 |     effect  = "Allow"
		82 |     actions = ["s3:*"]
		83 |     resources = [
		84 |       "arn:aws:s3:::*-ldap-data-refresh-incoming",
		85 |       "arn:aws:s3:::*-ldap-data-refresh-incoming/*",
		86 |     ]
		87 |   }
		88 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3_bucket_migration
	File: /s3.tf:1-99
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3_bucket_app_deployment
	File: /s3.tf:102-141
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		102 | module "s3_bucket_app_deployment" {
		103 | 
		104 |   source = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0"
		105 | 
		106 |   bucket_prefix      = "ldap-${var.env_name}-deployment-state"
		107 |   versioning_enabled = true
		108 | 
		109 |   providers = {
		110 |     aws.bucket-replication = aws.bucket-replication
		111 |   }
		112 | 
		113 |   lifecycle_rule = [
		114 |     {
		115 |       id      = "main"
		116 |       enabled = "Enabled"
		117 |       prefix  = ""
		118 | 
		119 |       tags = {
		120 |         rule      = "log"
		121 |         autoclean = "true"
		122 |       }
		123 | 
		124 |       noncurrent_version_transition = [
		125 |         {
		126 |           days          = 90
		127 |           storage_class = "STANDARD_IA"
		128 |           }, {
		129 |           days          = 365
		130 |           storage_class = "GLACIER"
		131 |         }
		132 |       ]
		133 | 
		134 |       noncurrent_version_expiration = {
		135 |         days = 730
		136 |       }
		137 |     }
		138 |   ]
		139 | 
		140 |   tags = var.tags
		141 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_ldap_host
	File: /secrets.tf:5-15
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		5  | resource "aws_ssm_parameter" "delius_core_ldap_host" {
		6  |   name  = format("/%s-%s/LDAP_HOST", var.account_info.application_name, var.env_name)
		7  |   type  = "SecureString"
		8  |   value = "INITIAL_VALUE_OVERRIDDEN"
		9  |   lifecycle {
		10 |     ignore_changes = [
		11 |       value
		12 |     ]
		13 |   }
		14 |   tags = var.tags
		15 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_ldap_principal
	File: /secrets.tf:21-31
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		21 | resource "aws_ssm_parameter" "delius_core_ldap_principal" {
		22 |   name  = format("/%s-%s/LDAP_PRINCIPAL", var.account_info.application_name, var.env_name)
		23 |   type  = "SecureString"
		24 |   value = "INITIAL_VALUE_OVERRIDDEN"
		25 |   lifecycle {
		26 |     ignore_changes = [
		27 |       value
		28 |     ]
		29 |   }
		30 |   tags = var.tags
		31 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_ldap_seed_uri
	File: /secrets.tf:37-47
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		37 | resource "aws_ssm_parameter" "delius_core_ldap_seed_uri" {
		38 |   name  = format("/%s-%s/LDAP_SEED_URI", var.account_info.application_name, var.env_name)
		39 |   type  = "SecureString"
		40 |   value = "INITIAL_VALUE_OVERRIDDEN"
		41 |   lifecycle {
		42 |     ignore_changes = [
		43 |       value
		44 |     ]
		45 |   }
		46 |   tags = var.tags
		47 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_ldap_bind_password
	File: /secrets.tf:53-63
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		53 | resource "aws_ssm_parameter" "delius_core_ldap_bind_password" {
		54 |   name  = format("/%s-%s/LDAP_BIND_PASSWORD", var.account_info.application_name, var.env_name)
		55 |   type  = "SecureString"
		56 |   value = "INITIAL_VALUE_OVERRIDDEN"
		57 |   lifecycle {
		58 |     ignore_changes = [
		59 |       value
		60 |     ]
		61 |   }
		62 |   tags = var.tags
		63 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_ldap_rbac_version
	File: /secrets.tf:82-92
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		82 | resource "aws_ssm_parameter" "delius_core_ldap_rbac_version" {
		83 |   name  = format("/%s-%s/LDAP_RBAC_VERSION", var.account_info.application_name, var.env_name)
		84 |   type  = "SecureString"
		85 |   value = "INITIAL_VALUE_OVERRIDDEN"
		86 |   lifecycle {
		87 |     ignore_changes = [
		88 |       value
		89 |     ]
		90 |   }
		91 |   tags = var.tags
		92 | }
Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group_rule.efs_ingress_ldap
	File: /sg.tf:65-72
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		65 | resource "aws_security_group_rule" "efs_ingress_ldap" {
		66 |   type                     = "ingress"
		67 |   from_port                = 2049
		68 |   to_port                  = 2049
		69 |   protocol                 = "tcp"
		70 |   source_security_group_id = module.efs.sg_id
		71 |   security_group_id        = aws_security_group.ldap.id
		72 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.ldap_ecs_policies.aws_iam_policy_document.task_exec
	File: /../../helpers/ecs_policies/main.tf:104-122
	Calling File: /ldap_policies.tf:1-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		104 | data "aws_iam_policy_document" "task_exec" {
		105 |   statement {
		106 |     effect    = "Allow"
		107 |     resources = ["*"]
		108 | 
		109 |     actions = concat([
		110 |       "ssm:GetParameters",
		111 |       "ecr:GetAuthorizationToken",
		112 |       "ecr:BatchCheckLayerAvailability",
		113 |       "ecr:GetDownloadUrlForLayer",
		114 |       "ecr:BatchGetImage",
		115 |       "logs:CreateLogGroup",
		116 |       "logs:CreateLogStream",
		117 |       "logs:PutLogEvents",
		118 |       "secretsmanager:GetSecretValue",
		119 |       "kms:Decrypt",
		120 |     ], var.extra_exec_role_allow_statements)
		121 |   }
		122 | }

Check: CKV_AWS_108: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: module.ldap_ecs_policies.aws_iam_policy_document.task_exec
	File: /../../helpers/ecs_policies/main.tf:104-122
	Calling File: /ldap_policies.tf:1-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-data-exfiltration

		104 | data "aws_iam_policy_document" "task_exec" {
		105 |   statement {
		106 |     effect    = "Allow"
		107 |     resources = ["*"]
		108 | 
		109 |     actions = concat([
		110 |       "ssm:GetParameters",
		111 |       "ecr:GetAuthorizationToken",
		112 |       "ecr:BatchCheckLayerAvailability",
		113 |       "ecr:GetDownloadUrlForLayer",
		114 |       "ecr:BatchGetImage",
		115 |       "logs:CreateLogGroup",
		116 |       "logs:CreateLogStream",
		117 |       "logs:PutLogEvents",
		118 |       "secretsmanager:GetSecretValue",
		119 |       "kms:Decrypt",
		120 |     ], var.extra_exec_role_allow_statements)
		121 |   }
		122 | }

Check: CKV_AWS_329: "EFS access points should enforce a root directory"
	FAILED for resource: module.efs.aws_efs_access_point.ldap
	File: /../../helpers/efs/main.tf:26-37
	Calling File: /efs.tf:1-17
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-329

		26 | resource "aws_efs_access_point" "ldap" {
		27 |   file_system_id = aws_efs_file_system.this.id
		28 |   root_directory {
		29 |     path = "/"
		30 |   }
		31 |   tags = merge(
		32 |     var.tags,
		33 |     {
		34 |       Name = "${var.env_name}-${var.name}-efs-access-point"
		35 |     }
		36 |   )
		37 | }

Check: CKV_AWS_330: "EFS access points should enforce a user identity"
	FAILED for resource: module.efs.aws_efs_access_point.ldap
	File: /../../helpers/efs/main.tf:26-37
	Calling File: /efs.tf:1-17
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-330

		26 | resource "aws_efs_access_point" "ldap" {
		27 |   file_system_id = aws_efs_file_system.this.id
		28 |   root_directory {
		29 |     path = "/"
		30 |   }
		31 |   tags = merge(
		32 |     var.tags,
		33 |     {
		34 |       Name = "${var.env_name}-${var.name}-efs-access-point"
		35 |     }
		36 |   )
		37 | }

Check: CKV_AWS_152: "Ensure that Load Balancer (Network/Gateway) has cross-zone load balancing enabled"
	FAILED for resource: module.nlb.aws_lb.this
	File: /../../helpers/nlb/main.tf:1-12
	Calling File: /nlb.tf:1-23
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-load-balancer-networkgateway-has-cross-zone-load-balancing-enabled

		1  | resource "aws_lb" "this" {
		2  |   name                       = "${var.app_name}-${var.env_name}-nlb"
		3  |   internal                   = var.internal
		4  |   load_balancer_type         = var.load_balancer_type
		5  |   subnets                    = var.subnet_ids
		6  |   drop_invalid_header_fields = var.drop_invalid_header_fields
		7  |   enable_deletion_protection = var.enable_deletion_protection
		8  | 
		9  | 
		10 | 
		11 |   tags = var.tags
		12 | }

Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
	FAILED for resource: module.nlb.aws_lb.this
	File: /../../helpers/nlb/main.tf:1-12
	Calling File: /nlb.tf:1-23
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22

		1  | resource "aws_lb" "this" {
		2  |   name                       = "${var.app_name}-${var.env_name}-nlb"
		3  |   internal                   = var.internal
		4  |   load_balancer_type         = var.load_balancer_type
		5  |   subnets                    = var.subnet_ids
		6  |   drop_invalid_header_fields = var.drop_invalid_header_fields
		7  |   enable_deletion_protection = var.enable_deletion_protection
		8  | 
		9  | 
		10 | 
		11 |   tags = var.tags
		12 | }

Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
	FAILED for resource: module.nlb.aws_lb.this
	File: /../../helpers/nlb/main.tf:1-12
	Calling File: /nlb.tf:1-23
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-150

		1  | resource "aws_lb" "this" {
		2  |   name                       = "${var.app_name}-${var.env_name}-nlb"
		3  |   internal                   = var.internal
		4  |   load_balancer_type         = var.load_balancer_type
		5  |   subnets                    = var.subnet_ids
		6  |   drop_invalid_header_fields = var.drop_invalid_header_fields
		7  |   enable_deletion_protection = var.enable_deletion_protection
		8  | 
		9  | 
		10 | 
		11 |   tags = var.tags
		12 | }

Check: CKV_AWS_103: "Ensure that load balancer is using at least TLS 1.2"
	FAILED for resource: module.nlb.aws_lb_listener.ldaps
	File: /../../helpers/nlb/main.tf:32-50
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-43

		32 | resource "aws_lb_listener" "ldaps" {
		33 |   load_balancer_arn = aws_lb.this.arn
		34 |   port              = var.secure_port
		35 |   protocol          = "TLS"
		36 | 
		37 |   default_action {
		38 |     type             = "forward"
		39 |     target_group_arn = aws_lb_target_group.this.arn
		40 |   }
		41 | 
		42 |   certificate_arn = var.certificate_arn
		43 | 
		44 |   tags = merge(
		45 |     var.tags,
		46 |     {
		47 |       Name = var.app_name
		48 |     }
		49 |   )
		50 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: module.ldap_admin_password.aws_secretsmanager_secret.this
	File: /../../helpers/secret/main.tf:1-6
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		1 | resource "aws_secretsmanager_secret" "this" {
		2 |   name        = var.name
		3 |   description = var.description
		4 |   kms_key_id  = var.kms_key_id
		5 |   tags        = var.tags
		6 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.ldap
	File: /sg.tf:1-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		1 | resource "aws_security_group" "ldap" {
		2 |   name        = "${var.env_name}-ldap-sg"
		3 |   description = "Security group for the ${var.env_name} ldap service"
		4 |   vpc_id      = var.account_info.vpc_id
		5 |   tags        = var.tags
		6 |   lifecycle {
		7 |     create_before_destroy = true
		8 |   }
		9 | }


checkov_exitcode=1

TFLint Scan Failed

Show Output
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
terraform/environments/delius-core/modules/components/ldap

*****************************

Running tflint in terraform/environments/delius-core/modules/components/ldap
Excluding the following checks: terraform_unused_declarations
1 issue(s) found:

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/delius-core/modules/components/ldap/datasync.tf line 97:
  97:         "${module.s3_bucket_ldap_data_refresh.bucket.arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

tflint_exitcode=2

Trivy Scan Failed

Show Output
*****************************

Trivy will check the following folders:
terraform/environments/delius-core/modules/components/ldap

*****************************

Running Trivy in terraform/environments/delius-core/modules/components/ldap
2024-08-19T15:00:15Z	INFO	[db] Need to update DB
2024-08-19T15:00:15Z	INFO	[db] Downloading DB...	repository="ghcr.io/aquasecurity/trivy-db:2"
2024-08-19T15:00:17Z	INFO	[vuln] Vulnerability scanning is enabled
2024-08-19T15:00:17Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-08-19T15:00:17Z	INFO	Need to update the built-in policies
2024-08-19T15:00:17Z	INFO	Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s
2024-08-19T15:00:17Z	INFO	[secret] Secret scanning is enabled
2024-08-19T15:00:17Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-08-19T15:00:17Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.54/docs/scanner/secret#recommendation for faster secret detection
2024-08-19T15:00:18Z	INFO	Number of language-specific files	num=0
2024-08-19T15:00:18Z	INFO	Detected config files	num=10

sg.tf (terraform)
=================
Tests: 10 (SUCCESSES: 9, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 sg.tf:17
   via sg.tf:11-19 (aws_security_group_rule.allow_all_egress)
────────────────────────────────────────
  11   resource "aws_security_group_rule" "allow_all_egress" {
  12     description       = "Allow all outbound traffic to any IPv4 address"
  13     type              = "egress"
  14     from_port         = 0
  15     to_port           = 0
  16     protocol          = "-1"
  17 [   cidr_blocks       = ["0.0.0.0/0"]
  18     security_group_id = aws_security_group.ldap.id
  19   }
────────────────────────────────────────


trivy_exitcode=1

@georgepstaylor georgepstaylor changed the title 🔧 Update metric filter pattern for log matching 🔧 Update LDAP alarm for log error alerts Aug 19, 2024
@georgepstaylor georgepstaylor changed the title 🔧 Update LDAP alarm for log error alerts 🔧 Update delius-core alarms Aug 19, 2024
Contributor

Trivy Scan Failed

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/delius-core/modules/components/ldap
terraform/environments/delius-core/modules/helpers/delius_microservice


Running Trivy in terraform/environments/delius-core/modules/components/ldap
2024-08-19T15:20:03Z INFO [db] Need to update DB
2024-08-19T15:20:03Z INFO [db] Downloading DB... repository="ghcr.io/aquasecurity/trivy-db:2"
2024-08-19T15:20:05Z INFO [vuln] Vulnerability scanning is enabled
2024-08-19T15:20:05Z INFO [misconfig] Misconfiguration scanning is enabled
2024-08-19T15:20:05Z INFO Need to update the built-in policies
2024-08-19T15:20:05Z INFO Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s
2024-08-19T15:20:05Z INFO [secret] Secret scanning is enabled
2024-08-19T15:20:05Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-08-19T15:20:05Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.54/docs/scanner/secret#recommendation for faster secret detection
2024-08-19T15:20:06Z INFO Number of language-specific files num=0
2024-08-19T15:20:06Z INFO Detected config files num=10

sg.tf (terraform)
=================
Tests: 10 (SUCCESSES: 9, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 sg.tf:17
   via sg.tf:11-19 (aws_security_group_rule.allow_all_egress)
────────────────────────────────────────
  11   resource "aws_security_group_rule" "allow_all_egress" {
  12     description       = "Allow all outbound traffic to any IPv4 address"
  13     type              = "egress"
  14     from_port         = 0
  15     to_port           = 0
  16     protocol          = "-1"
  17 [   cidr_blocks       = ["0.0.0.0/0"]
  18     security_group_id = aws_security_group.ldap.id
  19   }
────────────────────────────────────────

trivy_exitcode=1


Running Trivy in terraform/environments/delius-core/modules/helpers/delius_microservice
2024-08-19T15:20:07Z INFO [vuln] Vulnerability scanning is enabled
2024-08-19T15:20:07Z INFO [misconfig] Misconfiguration scanning is enabled
2024-08-19T15:20:07Z INFO [secret] Secret scanning is enabled
2024-08-19T15:20:07Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-08-19T15:20:07Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.54/docs/scanner/secret#recommendation for faster secret detection
2024-08-19T15:20:08Z INFO Number of language-specific files num=0
2024-08-19T15:20:08Z INFO Detected config files num=5

sg.tf (terraform)
=================
Tests: 3 (SUCCESSES: 2, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 sg.tf:47
   via sg.tf:41-49 (aws_security_group_rule.ecs_service_tls_egress)
────────────────────────────────────────
  41   resource "aws_security_group_rule" "ecs_service_tls_egress" {
  42     description       = "Allow all outbound traffic to any IPv4 address on 443"
  43     type              = "egress"
  44     from_port         = 443
  45     to_port           = 443
  46     protocol          = "tcp"
  47 [   cidr_blocks       = ["0.0.0.0/0"]
  48     security_group_id = aws_security_group.ecs_service.id
  49   }
────────────────────────────────────────

trivy_exitcode=2

</details>

Checkov Scan Failed

<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/delius-core/modules/components/ldap
terraform/environments/delius-core/modules/helpers/delius_microservice

*****************************

Running Checkov in terraform/environments/delius-core/modules/components/ldap
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-08-19 15:20:10,765 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 247, Failed checks: 32, Skipped checks: 0

Check: CKV_AWS_166: "Ensure Backup Vault is encrypted at rest using KMS CMK"
	FAILED for resource: aws_backup_vault.ldap_backup_vault
	File: /backup.tf:1-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-backup-vault-is-encrypted-at-rest-using-kms-cmk

		1 | resource "aws_backup_vault" "ldap_backup_vault" {
		2 |   name = "${var.env_name}-ldap-efs-vault"
		3 |   tags = merge(
		4 |     var.tags,
		5 |     {
		6 |       Name = "${var.env_name}-ldap-efs-vault"
		7 |     },
		8 |   )
		9 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.delius_core_backup_policy
	File: /backup.tf:69-89
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		69 | data "aws_iam_policy_document" "delius_core_backup_policy" {
		70 |   statement {
		71 |     effect    = "Allow"
		72 |     resources = ["*"]
		73 | 
		74 |     actions = [
		75 |       "backup:CreateBackupPlan",
		76 |       "backup:CreateBackupSelection",
		77 |       "backup:StartBackupJob",
		78 |       "backup:DescribeBackupJob",
		79 |       "backup:ListBackupJobs",
		80 |       "backup:ListBackupVaults",
		81 |       "backup:ListRecoveryPointsByBackupVault",
		82 |       "backup:ListBackupPlanTemplates",
		83 |       "backup:DescribeRestoreJob",
		84 |       "backup:GetRecoveryPointRestoreMetadata",
		85 |       "backup:ListRestoreJobs",
		86 |       "backup:StartRestoreJob"
		87 |     ]
		88 |   }
		89 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.delius_core_backup_policy
	File: /backup.tf:69-89
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		69 | data "aws_iam_policy_document" "delius_core_backup_policy" {
		70 |   statement {
		71 |     effect    = "Allow"
		72 |     resources = ["*"]
		73 | 
		74 |     actions = [
		75 |       "backup:CreateBackupPlan",
		76 |       "backup:CreateBackupSelection",
		77 |       "backup:StartBackupJob",
		78 |       "backup:DescribeBackupJob",
		79 |       "backup:ListBackupJobs",
		80 |       "backup:ListBackupVaults",
		81 |       "backup:ListRecoveryPointsByBackupVault",
		82 |       "backup:ListBackupPlanTemplates",
		83 |       "backup:DescribeRestoreJob",
		84 |       "backup:GetRecoveryPointRestoreMetadata",
		85 |       "backup:ListRestoreJobs",
		86 |       "backup:StartRestoreJob"
		87 |     ]
		88 |   }
		89 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.efs_backup_policy
	File: /backup.tf:97-134
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		97  | data "aws_iam_policy_document" "efs_backup_policy" {
		98  |   statement {
		99  |     effect    = "Allow"
		100 |     resources = ["*"]
		101 | 
		102 |     actions = [
		103 |       "efs:DescribeFileSystems",
		104 |       "efs:CreateBackup",
		105 |       "efs:DeleteBackup",
		106 |       "efs:DescribeBackups",
		107 |       "efs:CreateTags",
		108 |       "efs:UntagResource",
		109 |       "efs:TagResource",
		110 |       "efs:DescribeTags",
		111 |       "elasticfilesystem:Backup",
		112 |       "elasticfilesystem:DescribeTags",
		113 |       "elasticfilesystem:CreateAccessPoint",
		114 |       "elasticfilesystem:CreateFileSystem",
		115 |       "elasticfilesystem:CreateMountTarget",
		116 |       "elasticfilesystem:DeleteAccessPoint",
		117 |       "elasticfilesystem:DeleteFileSystem",
		118 |       "elasticfilesystem:DeleteMountTarget",
		119 |       "elasticfilesystem:DescribeAccessPoints",
		120 |       "elasticfilesystem:DescribeFileSystemPolicy",
		121 |       "elasticfilesystem:DescribeFileSystems",
		122 |       "elasticfilesystem:DescribeLifecycleConfiguration",
		123 |       "elasticfilesystem:DescribeMountTargets",
		124 |       "elasticfilesystem:DescribeMountTargetSecurityGroups",
		125 |       "elasticfilesystem:PutBackupPolicy",
		126 |       "elasticfilesystem:PutFileSystemPolicy",
		127 |       "elasticfilesystem:PutLifecycleConfiguration",
		128 |       "elasticfilesystem:Restore",
		129 |       "elasticfilesystem:TagResource",
		130 |       "elasticfilesystem:UntagResource",
		131 |       "elasticfilesystem:UpdateFileSystem"
		132 |     ]
		133 |   }
		134 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.efs_backup_policy
	File: /backup.tf:97-134
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		97  | data "aws_iam_policy_document" "efs_backup_policy" {
		98  |   statement {
		99  |     effect    = "Allow"
		100 |     resources = ["*"]
		101 | 
		102 |     actions = [
		103 |       "efs:DescribeFileSystems",
		104 |       "efs:CreateBackup",
		105 |       "efs:DeleteBackup",
		106 |       "efs:DescribeBackups",
		107 |       "efs:CreateTags",
		108 |       "efs:UntagResource",
		109 |       "efs:TagResource",
		110 |       "efs:DescribeTags",
		111 |       "elasticfilesystem:Backup",
		112 |       "elasticfilesystem:DescribeTags",
		113 |       "elasticfilesystem:CreateAccessPoint",
		114 |       "elasticfilesystem:CreateFileSystem",
		115 |       "elasticfilesystem:CreateMountTarget",
		116 |       "elasticfilesystem:DeleteAccessPoint",
		117 |       "elasticfilesystem:DeleteFileSystem",
		118 |       "elasticfilesystem:DeleteMountTarget",
		119 |       "elasticfilesystem:DescribeAccessPoints",
		120 |       "elasticfilesystem:DescribeFileSystemPolicy",
		121 |       "elasticfilesystem:DescribeFileSystems",
		122 |       "elasticfilesystem:DescribeLifecycleConfiguration",
		123 |       "elasticfilesystem:DescribeMountTargets",
		124 |       "elasticfilesystem:DescribeMountTargetSecurityGroups",
		125 |       "elasticfilesystem:PutBackupPolicy",
		126 |       "elasticfilesystem:PutFileSystemPolicy",
		127 |       "elasticfilesystem:PutLifecycleConfiguration",
		128 |       "elasticfilesystem:Restore",
		129 |       "elasticfilesystem:TagResource",
		130 |       "elasticfilesystem:UntagResource",
		131 |       "elasticfilesystem:UpdateFileSystem"
		132 |     ]
		133 |   }
		134 | }

Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy_document.efs_backup_policy
	File: /backup.tf:97-134
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint

		97  | data "aws_iam_policy_document" "efs_backup_policy" {
		98  |   statement {
		99  |     effect    = "Allow"
		100 |     resources = ["*"]
		101 | 
		102 |     actions = [
		103 |       "efs:DescribeFileSystems",
		104 |       "efs:CreateBackup",
		105 |       "efs:DeleteBackup",
		106 |       "efs:DescribeBackups",
		107 |       "efs:CreateTags",
		108 |       "efs:UntagResource",
		109 |       "efs:TagResource",
		110 |       "efs:DescribeTags",
		111 |       "elasticfilesystem:Backup",
		112 |       "elasticfilesystem:DescribeTags",
		113 |       "elasticfilesystem:CreateAccessPoint",
		114 |       "elasticfilesystem:CreateFileSystem",
		115 |       "elasticfilesystem:CreateMountTarget",
		116 |       "elasticfilesystem:DeleteAccessPoint",
		117 |       "elasticfilesystem:DeleteFileSystem",
		118 |       "elasticfilesystem:DeleteMountTarget",
		119 |       "elasticfilesystem:DescribeAccessPoints",
		120 |       "elasticfilesystem:DescribeFileSystemPolicy",
		121 |       "elasticfilesystem:DescribeFileSystems",
		122 |       "elasticfilesystem:DescribeLifecycleConfiguration",
		123 |       "elasticfilesystem:DescribeMountTargets",
		124 |       "elasticfilesystem:DescribeMountTargetSecurityGroups",
		125 |       "elasticfilesystem:PutBackupPolicy",
		126 |       "elasticfilesystem:PutFileSystemPolicy",
		127 |       "elasticfilesystem:PutLifecycleConfiguration",
		128 |       "elasticfilesystem:Restore",
		129 |       "elasticfilesystem:TagResource",
		130 |       "elasticfilesystem:UntagResource",
		131 |       "elasticfilesystem:UpdateFileSystem"
		132 |     ]
		133 |   }
		134 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.ldap_ecs
	File: /cloudwatch.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		1 | resource "aws_cloudwatch_log_group" "ldap_ecs" {
		2 |   name              = "/ecs/ldap-${var.env_name}"
		3 |   retention_in_days = 5
		4 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.ldap_ecs
	File: /cloudwatch.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		1 | resource "aws_cloudwatch_log_group" "ldap_ecs" {
		2 |   name              = "/ecs/ldap-${var.env_name}"
		3 |   retention_in_days = 5
		4 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.ldap_automation
	File: /cloudwatch.tf:6-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		6 | resource "aws_cloudwatch_log_group" "ldap_automation" {
		7 |   name              = "/ecs/ldap-automation-${var.env_name}"
		8 |   retention_in_days = 5
		9 | }
Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.ldap_automation
	File: /cloudwatch.tf:6-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		6 | resource "aws_cloudwatch_log_group" "ldap_automation" {
		7 |   name              = "/ecs/ldap-automation-${var.env_name}"
		8 |   retention_in_days = 5
		9 | }
Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.ldap_datasync_role_access
	File: /datasync.tf:49-88
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		49 | data "aws_iam_policy_document" "ldap_datasync_role_access" {
		50 |   statement {
		51 |     effect = "Allow"
		52 |     actions = [
		53 |       "backup:*",
		54 |       "datasync:*",
		55 |       "elasticfilesystem:*",
		56 |       "ec2:DescribeInstances",
		57 |       "ec2:CreateNetworkInterface",
		58 |       "ec2:AttachNetworkInterface",
		59 |       "ec2:DescribeNetworkInterfaces",
		60 |       "ec2:DeleteNetworkInterface"
		61 |     ]
		62 |     resources = ["*"]
		63 |   }
		64 |   statement {
		65 |     effect = "Allow"
		66 |     actions = [
		67 |       "kms:ListGrants",
		68 |       "kms:GenerateDataKey",
		69 |       "kms:Encrypt",
		70 |       "kms:DescribeKey",
		71 |       "kms:Decrypt",
		72 |       "kms:CreateGrant",
		73 |       "kms:ReEncryptTo",
		74 |       "kms:ReEncryptFrom",
		75 |       "kms:GenerateDataKeyWithoutPlaintext"
		76 |     ]
		77 |     resources = [var.account_config.kms_keys.general_shared]
		78 |   }
		79 |   statement {
		80 |     sid     = "allowAccessForDataSync"
		81 |     effect  = "Allow"
		82 |     actions = ["s3:*"]
		83 |     resources = [
		84 |       "arn:aws:s3:::*-ldap-data-refresh-incoming",
		85 |       "arn:aws:s3:::*-ldap-data-refresh-incoming/*",
		86 |     ]
		87 |   }
		88 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.ldap_datasync_role_access
	File: /datasync.tf:49-88
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		49 | data "aws_iam_policy_document" "ldap_datasync_role_access" {
		50 |   statement {
		51 |     effect = "Allow"
		52 |     actions = [
		53 |       "backup:*",
		54 |       "datasync:*",
		55 |       "elasticfilesystem:*",
		56 |       "ec2:DescribeInstances",
		57 |       "ec2:CreateNetworkInterface",
		58 |       "ec2:AttachNetworkInterface",
		59 |       "ec2:DescribeNetworkInterfaces",
		60 |       "ec2:DeleteNetworkInterface"
		61 |     ]
		62 |     resources = ["*"]
		63 |   }
		64 |   statement {
		65 |     effect = "Allow"
		66 |     actions = [
		67 |       "kms:ListGrants",
		68 |       "kms:GenerateDataKey",
		69 |       "kms:Encrypt",
		70 |       "kms:DescribeKey",
		71 |       "kms:Decrypt",
		72 |       "kms:CreateGrant",
		73 |       "kms:ReEncryptTo",
		74 |       "kms:ReEncryptFrom",
		75 |       "kms:GenerateDataKeyWithoutPlaintext"
		76 |     ]
		77 |     resources = [var.account_config.kms_keys.general_shared]
		78 |   }
		79 |   statement {
		80 |     sid     = "allowAccessForDataSync"
		81 |     effect  = "Allow"
		82 |     actions = ["s3:*"]
		83 |     resources = [
		84 |       "arn:aws:s3:::*-ldap-data-refresh-incoming",
		85 |       "arn:aws:s3:::*-ldap-data-refresh-incoming/*",
		86 |     ]
		87 |   }
		88 | }

Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy_document.ldap_datasync_role_access
	File: /datasync.tf:49-88
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint

		49 | data "aws_iam_policy_document" "ldap_datasync_role_access" {
		50 |   statement {
		51 |     effect = "Allow"
		52 |     actions = [
		53 |       "backup:*",
		54 |       "datasync:*",
		55 |       "elasticfilesystem:*",
		56 |       "ec2:DescribeInstances",
		57 |       "ec2:CreateNetworkInterface",
		58 |       "ec2:AttachNetworkInterface",
		59 |       "ec2:DescribeNetworkInterfaces",
		60 |       "ec2:DeleteNetworkInterface"
		61 |     ]
		62 |     resources = ["*"]
		63 |   }
		64 |   statement {
		65 |     effect = "Allow"
		66 |     actions = [
		67 |       "kms:ListGrants",
		68 |       "kms:GenerateDataKey",
		69 |       "kms:Encrypt",
		70 |       "kms:DescribeKey",
		71 |       "kms:Decrypt",
		72 |       "kms:CreateGrant",
		73 |       "kms:ReEncryptTo",
		74 |       "kms:ReEncryptFrom",
		75 |       "kms:GenerateDataKeyWithoutPlaintext"
		76 |     ]
		77 |     resources = [var.account_config.kms_keys.general_shared]
		78 |   }
		79 |   statement {
		80 |     sid     = "allowAccessForDataSync"
		81 |     effect  = "Allow"
		82 |     actions = ["s3:*"]
		83 |     resources = [
		84 |       "arn:aws:s3:::*-ldap-data-refresh-incoming",
		85 |       "arn:aws:s3:::*-ldap-data-refresh-incoming/*",
		86 |     ]
		87 |   }
		88 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3_bucket_ldap_data_refresh
	File: /datasync.tf:117-131
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		117 | module "s3_bucket_ldap_data_refresh" {
		118 |   source              = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0"
		119 |   bucket_name         = "${var.env_name}-ldap-data-refresh-incoming"
		120 |   versioning_enabled  = false
		121 |   ownership_controls  = "BucketOwnerEnforced"
		122 |   replication_enabled = false
		123 |   custom_kms_key      = var.account_config.kms_keys.general_shared
		124 |   bucket_policy_v2    = local.ldap_refresh_bucket_policies
		125 | 
		126 |   providers = {
		127 |     aws.bucket-replication = aws.bucket-replication
		128 |   }
		129 | 
		130 |   tags = var.tags
		131 | }
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3_bucket_migration
	File: /s3.tf:1-99
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3_bucket_app_deployment
	File: /s3.tf:102-141
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		102 | module "s3_bucket_app_deployment" {
		103 | 
		104 |   source = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0"
		105 | 
		106 |   bucket_prefix      = "ldap-${var.env_name}-deployment-state"
		107 |   versioning_enabled = true
		108 | 
		109 |   providers = {
		110 |     aws.bucket-replication = aws.bucket-replication
		111 |   }
		112 | 
		113 |   lifecycle_rule = [
		114 |     {
		115 |       id      = "main"
		116 |       enabled = "Enabled"
		117 |       prefix  = ""
		118 | 
		119 |       tags = {
		120 |         rule      = "log"
		121 |         autoclean = "true"
		122 |       }
		123 | 
		124 |       noncurrent_version_transition = [
		125 |         {
		126 |           days          = 90
		127 |           storage_class = "STANDARD_IA"
		128 |           }, {
		129 |           days          = 365
		130 |           storage_class = "GLACIER"
		131 |         }
		132 |       ]
		133 | 
		134 |       noncurrent_version_expiration = {
		135 |         days = 730
		136 |       }
		137 |     }
		138 |   ]
		139 | 
		140 |   tags = var.tags
		141 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_ldap_host
	File: /secrets.tf:5-15
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		5  | resource "aws_ssm_parameter" "delius_core_ldap_host" {
		6  |   name  = format("/%s-%s/LDAP_HOST", var.account_info.application_name, var.env_name)
		7  |   type  = "SecureString"
		8  |   value = "INITIAL_VALUE_OVERRIDDEN"
		9  |   lifecycle {
		10 |     ignore_changes = [
		11 |       value
		12 |     ]
		13 |   }
		14 |   tags = var.tags
		15 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_ldap_principal
	File: /secrets.tf:21-31
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		21 | resource "aws_ssm_parameter" "delius_core_ldap_principal" {
		22 |   name  = format("/%s-%s/LDAP_PRINCIPAL", var.account_info.application_name, var.env_name)
		23 |   type  = "SecureString"
		24 |   value = "INITIAL_VALUE_OVERRIDDEN"
		25 |   lifecycle {
		26 |     ignore_changes = [
		27 |       value
		28 |     ]
		29 |   }
		30 |   tags = var.tags
		31 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_ldap_seed_uri
	File: /secrets.tf:37-47
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		37 | resource "aws_ssm_parameter" "delius_core_ldap_seed_uri" {
		38 |   name  = format("/%s-%s/LDAP_SEED_URI", var.account_info.application_name, var.env_name)
		39 |   type  = "SecureString"
		40 |   value = "INITIAL_VALUE_OVERRIDDEN"
		41 |   lifecycle {
		42 |     ignore_changes = [
		43 |       value
		44 |     ]
		45 |   }
		46 |   tags = var.tags
		47 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_ldap_bind_password
	File: /secrets.tf:53-63
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		53 | resource "aws_ssm_parameter" "delius_core_ldap_bind_password" {
		54 |   name  = format("/%s-%s/LDAP_BIND_PASSWORD", var.account_info.application_name, var.env_name)
		55 |   type  = "SecureString"
		56 |   value = "INITIAL_VALUE_OVERRIDDEN"
		57 |   lifecycle {
		58 |     ignore_changes = [
		59 |       value
		60 |     ]
		61 |   }
		62 |   tags = var.tags
		63 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_ldap_rbac_version
	File: /secrets.tf:82-92
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		82 | resource "aws_ssm_parameter" "delius_core_ldap_rbac_version" {
		83 |   name  = format("/%s-%s/LDAP_RBAC_VERSION", var.account_info.application_name, var.env_name)
		84 |   type  = "SecureString"
		85 |   value = "INITIAL_VALUE_OVERRIDDEN"
		86 |   lifecycle {
		87 |     ignore_changes = [
		88 |       value
		89 |     ]
		90 |   }
		91 |   tags = var.tags
		92 | }
Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group_rule.efs_ingress_ldap
	File: /sg.tf:65-72
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		65 | resource "aws_security_group_rule" "efs_ingress_ldap" {
		66 |   type                     = "ingress"
		67 |   from_port                = 2049
		68 |   to_port                  = 2049
		69 |   protocol                 = "tcp"
		70 |   source_security_group_id = module.efs.sg_id
		71 |   security_group_id        = aws_security_group.ldap.id
		72 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.ldap_ecs_policies.aws_iam_policy_document.task_exec
	File: /../../helpers/ecs_policies/main.tf:104-122
	Calling File: /ldap_policies.tf:1-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		104 | data "aws_iam_policy_document" "task_exec" {
		105 |   statement {
		106 |     effect    = "Allow"
		107 |     resources = ["*"]
		108 | 
		109 |     actions = concat([
		110 |       "ssm:GetParameters",
		111 |       "ecr:GetAuthorizationToken",
		112 |       "ecr:BatchCheckLayerAvailability",
		113 |       "ecr:GetDownloadUrlForLayer",
		114 |       "ecr:BatchGetImage",
		115 |       "logs:CreateLogGroup",
		116 |       "logs:CreateLogStream",
		117 |       "logs:PutLogEvents",
		118 |       "secretsmanager:GetSecretValue",
		119 |       "kms:Decrypt",
		120 |     ], var.extra_exec_role_allow_statements)
		121 |   }
		122 | }

Check: CKV_AWS_108: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: module.ldap_ecs_policies.aws_iam_policy_document.task_exec
	File: /../../helpers/ecs_policies/main.tf:104-122
	Calling File: /ldap_policies.tf:1-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-data-exfiltration

		104 | data "aws_iam_policy_document" "task_exec" {
		105 |   statement {
		106 |     effect    = "Allow"
		107 |     resources = ["*"]
		108 | 
		109 |     actions = concat([
		110 |       "ssm:GetParameters",
		111 |       "ecr:GetAuthorizationToken",
		112 |       "ecr:BatchCheckLayerAvailability",
		113 |       "ecr:GetDownloadUrlForLayer",
		114 |       "ecr:BatchGetImage",
		115 |       "logs:CreateLogGroup",
		116 |       "logs:CreateLogStream",
		117 |       "logs:PutLogEvents",
		118 |       "secretsmanager:GetSecretValue",
		119 |       "kms:Decrypt",
		120 |     ], var.extra_exec_role_allow_statements)
		121 |   }
		122 | }

Check: CKV_AWS_329: "EFS access points should enforce a root directory"
	FAILED for resource: module.efs.aws_efs_access_point.ldap
	File: /../../helpers/efs/main.tf:26-37
	Calling File: /efs.tf:1-17
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-329

		26 | resource "aws_efs_access_point" "ldap" {
		27 |   file_system_id = aws_efs_file_system.this.id
		28 |   root_directory {
		29 |     path = "/"
		30 |   }
		31 |   tags = merge(
		32 |     var.tags,
		33 |     {
		34 |       Name = "${var.env_name}-${var.name}-efs-access-point"
		35 |     }
		36 |   )
		37 | }

Check: CKV_AWS_330: "EFS access points should enforce a user identity"
	FAILED for resource: module.efs.aws_efs_access_point.ldap
	File: /../../helpers/efs/main.tf:26-37
	Calling File: /efs.tf:1-17
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-330

		26 | resource "aws_efs_access_point" "ldap" {
		27 |   file_system_id = aws_efs_file_system.this.id
		28 |   root_directory {
		29 |     path = "/"
		30 |   }
		31 |   tags = merge(
		32 |     var.tags,
		33 |     {
		34 |       Name = "${var.env_name}-${var.name}-efs-access-point"
		35 |     }
		36 |   )
		37 | }

Check: CKV_AWS_152: "Ensure that Load Balancer (Network/Gateway) has cross-zone load balancing enabled"
	FAILED for resource: module.nlb.aws_lb.this
	File: /../../helpers/nlb/main.tf:1-12
	Calling File: /nlb.tf:1-23
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-load-balancer-networkgateway-has-cross-zone-load-balancing-enabled

		1  | resource "aws_lb" "this" {
		2  |   name                       = "${var.app_name}-${var.env_name}-nlb"
		3  |   internal                   = var.internal
		4  |   load_balancer_type         = var.load_balancer_type
		5  |   subnets                    = var.subnet_ids
		6  |   drop_invalid_header_fields = var.drop_invalid_header_fields
		7  |   enable_deletion_protection = var.enable_deletion_protection
		8  | 
		9  | 
		10 | 
		11 |   tags = var.tags
		12 | }

Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
	FAILED for resource: module.nlb.aws_lb.this
	File: /../../helpers/nlb/main.tf:1-12
	Calling File: /nlb.tf:1-23
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22

		1  | resource "aws_lb" "this" {
		2  |   name                       = "${var.app_name}-${var.env_name}-nlb"
		3  |   internal                   = var.internal
		4  |   load_balancer_type         = var.load_balancer_type
		5  |   subnets                    = var.subnet_ids
		6  |   drop_invalid_header_fields = var.drop_invalid_header_fields
		7  |   enable_deletion_protection = var.enable_deletion_protection
		8  | 
		9  | 
		10 | 
		11 |   tags = var.tags
		12 | }

Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
	FAILED for resource: module.nlb.aws_lb.this
	File: /../../helpers/nlb/main.tf:1-12
	Calling File: /nlb.tf:1-23
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-150

		1  | resource "aws_lb" "this" {
		2  |   name                       = "${var.app_name}-${var.env_name}-nlb"
		3  |   internal                   = var.internal
		4  |   load_balancer_type         = var.load_balancer_type
		5  |   subnets                    = var.subnet_ids
		6  |   drop_invalid_header_fields = var.drop_invalid_header_fields
		7  |   enable_deletion_protection = var.enable_deletion_protection
		8  | 
		9  | 
		10 | 
		11 |   tags = var.tags
		12 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: module.ldap_admin_password.aws_secretsmanager_secret.this
	File: /../../helpers/secret/main.tf:1-6
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		1 | resource "aws_secretsmanager_secret" "this" {
		2 |   name        = var.name
		3 |   description = var.description
		4 |   kms_key_id  = var.kms_key_id
		5 |   tags        = var.tags
		6 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.ldap
	File: /sg.tf:1-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		1 | resource "aws_security_group" "ldap" {
		2 |   name        = "${var.env_name}-ldap-sg"
		3 |   description = "Security group for the ${var.env_name} ldap service"
		4 |   vpc_id      = var.account_info.vpc_id
		5 |   tags        = var.tags
		6 |   lifecycle {
		7 |     create_before_destroy = true
		8 |   }
		9 | }

Check: CKV_AWS_103: "Ensure that load balancer is using at least TLS 1.2"
	FAILED for resource: module.nlb.aws_lb_listener.ldaps
	File: /../../helpers/nlb/main.tf:32-50
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-43

		32 | resource "aws_lb_listener" "ldaps" {
		33 |   load_balancer_arn = aws_lb.this.arn
		34 |   port              = var.secure_port
		35 |   protocol          = "TLS"
		36 | 
		37 |   default_action {
		38 |     type             = "forward"
		39 |     target_group_arn = aws_lb_target_group.this.arn
		40 |   }
		41 | 
		42 |   certificate_arn = var.certificate_arn
		43 | 
		44 |   tags = merge(
		45 |     var.tags,
		46 |     {
		47 |       Name = var.app_name
		48 |     }
		49 |   )
		50 | }


checkov_exitcode=1

*****************************

Running Checkov in terraform/environments/delius-core/modules/helpers/delius_microservice
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-08-19 15:20:14,044 [MainThread  ] [WARNI]  Failed to download module git::https://github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//container?ref=v4.3.0:None (for external modules, the --download-external-modules flag is required)
2024-08-19 15:20:14,044 [MainThread  ] [WARNI]  Failed to download module git::https://github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//service?ref=v4.3.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 167, Failed checks: 15, Skipped checks: 2

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.ecs
	File: /cloudwatch.tf:1-5
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		1 | resource "aws_cloudwatch_log_group" "ecs" {
		2 |   name              = "${var.env_name}-${var.name}"
		3 |   retention_in_days = 7
		4 |   tags              = var.tags
		5 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.ecs
	File: /cloudwatch.tf:1-5
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		1 | resource "aws_cloudwatch_log_group" "ecs" {
		2 |   name              = "${var.env_name}-${var.name}"
		3 |   retention_in_days = 7
		4 |   tags              = var.tags
		5 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: container_definition
	File: /ecs.tf:1-25
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		1  | module "container_definition" {
		2  |   source                   = "git::https://github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//container?ref=v4.3.0"
		3  |   name                     = var.name
		4  |   image                    = var.container_image
		5  |   memory                   = var.container_memory
		6  |   cpu                      = var.container_cpu
		7  |   essential                = true
		8  |   readonly_root_filesystem = false
		9  | 
		10 |   environment = local.calculated_container_vars_list
		11 | 
		12 |   health_check = var.health_check
		13 | 
		14 |   secrets       = local.calculated_container_secrets_list
		15 |   port_mappings = var.container_port_config
		16 |   mount_points  = var.mount_points
		17 |   log_configuration = {
		18 |     logDriver = "awslogs"
		19 |     options = {
		20 |       "awslogs-group"         = aws_cloudwatch_log_group.ecs.name
		21 |       "awslogs-region"        = "eu-west-2"
		22 |       "awslogs-stream-prefix" = "${var.env_name}-${var.name}"
		23 |     }
		24 |   }
		25 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: ecs_service
	File: /ecs.tf:35-72
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		35 | module "ecs_service" {
		36 |   source                = "git::https://github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//service?ref=v4.3.0"
		37 |   container_definitions = nonsensitive(module.container_definition.json_encoded_list)
		38 |   cluster_arn           = var.ecs_cluster_arn
		39 |   name                  = var.name
		40 | 
		41 |   task_cpu    = var.container_cpu
		42 |   task_memory = var.container_memory
		43 | 
		44 |   desired_count                      = var.desired_count
		45 |   deployment_maximum_percent         = var.deployment_maximum_percent
		46 |   deployment_minimum_healthy_percent = var.deployment_minimum_healthy_percent
		47 | 
		48 |   service_role_arn   = "arn:aws:iam::${var.account_info.id}:role/${module.ecs_policies.service_role.name}"
		49 |   task_role_arn      = "arn:aws:iam::${var.account_info.id}:role/${module.ecs_policies.task_role.name}"
		50 |   task_exec_role_arn = "arn:aws:iam::${var.account_info.id}:role/${module.ecs_policies.task_exec_role.name}"
		51 | 
		52 |   health_check_grace_period_seconds = var.health_check_grace_period_seconds
		53 | 
		54 |   service_load_balancers = var.microservice_lb != null ? concat([{
		55 |     target_group_arn = aws_lb_target_group.frontend[0].arn
		56 |     container_name   = var.name
		57 |     container_port   = var.container_port_config[0].containerPort
		58 |     }],
		59 |   values(local.ecs_nlbs)) : values(local.ecs_nlbs)
		60 | 
		61 |   efs_volumes = var.efs_volumes
		62 | 
		63 |   security_groups = [aws_security_group.ecs_service.id]
		64 | 
		65 |   subnets = var.account_config.private_subnet_ids
		66 | 
		67 |   enable_execute_command = true
		68 | 
		69 |   ignore_changes = var.ignore_changes_service_task_definition
		70 | 
		71 |   tags = var.tags
		72 | }

Check: CKV_AWS_152: "Ensure that Load Balancer (Network/Gateway) has cross-zone load balancing enabled"
	FAILED for resource: aws_lb.delius_microservices
	File: /load_balancing.tf:90-98
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-load-balancer-networkgateway-has-cross-zone-load-balancing-enabled

		90 | resource "aws_lb" "delius_microservices" {
		91 |   name                       = "${var.name}-${var.env_name}-service-nlb"
		92 |   internal                   = true
		93 |   load_balancer_type         = "network"
		94 |   security_groups            = [aws_security_group.delius_microservices_service_nlb.id]
		95 |   subnets                    = var.account_config.private_subnet_ids
		96 |   enable_deletion_protection = false
		97 |   tags                       = var.tags
		98 | }

Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
	FAILED for resource: aws_lb.delius_microservices
	File: /load_balancing.tf:90-98
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22

		90 | resource "aws_lb" "delius_microservices" {
		91 |   name                       = "${var.name}-${var.env_name}-service-nlb"
		92 |   internal                   = true
		93 |   load_balancer_type         = "network"
		94 |   security_groups            = [aws_security_group.delius_microservices_service_nlb.id]
		95 |   subnets                    = var.account_config.private_subnet_ids
		96 |   enable_deletion_protection = false
		97 |   tags                       = var.tags
		98 | }

Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
	FAILED for resource: aws_lb.delius_microservices
	File: /load_balancing.tf:90-98
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-150

		90 | resource "aws_lb" "delius_microservices" {
		91 |   name                       = "${var.name}-${var.env_name}-service-nlb"
		92 |   internal                   = true
		93 |   load_balancer_type         = "network"
		94 |   security_groups            = [aws_security_group.delius_microservices_service_nlb.id]
		95 |   subnets                    = var.account_config.private_subnet_ids
		96 |   enable_deletion_protection = false
		97 |   tags                       = var.tags
		98 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_ingress_rule.from_vpc
	File: /load_balancing.tf:110-114
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		110 | resource "aws_vpc_security_group_ingress_rule" "from_vpc" {
		111 |   cidr_ipv4         = var.account_config.shared_vpc_cidr
		112 |   ip_protocol       = "-1"
		113 |   security_group_id = aws_security_group.delius_microservices_service_nlb.id
		114 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.nlb_to_ecs_service
	File: /load_balancing.tf:116-123
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		116 | resource "aws_vpc_security_group_egress_rule" "nlb_to_ecs_service" {
		117 |   for_each                     = toset([for _, v in var.container_port_config : tostring(v.containerPort)])
		118 |   ip_protocol                  = "TCP"
		119 |   from_port                    = each.value
		120 |   to_port                      = each.value
		121 |   security_group_id            = aws_security_group.delius_microservices_service_nlb.id
		122 |   referenced_security_group_id = aws_security_group.ecs_service.id
		123 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group_rule.all_cluster_to_ecs_service_tcp
	File: /sg.tf:51-59
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		51 | resource "aws_security_group_rule" "all_cluster_to_ecs_service_tcp" {
		52 |   for_each                 = toset([for _, v in var.container_port_config : tostring(v.containerPort)])
		53 |   security_group_id        = aws_security_group.ecs_service.id
		54 |   type                     = "ingress"
		55 |   from_port                = each.value
		56 |   to_port                  = each.value
		57 |   protocol                 = "tcp"
		58 |   source_security_group_id = var.cluster_security_group_id
		59 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group_rule.bastion_to_ecs_service_tcp
	File: /sg.tf:61-69
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		61 | resource "aws_security_group_rule" "bastion_to_ecs_service_tcp" {
		62 |   for_each                 = toset([for _, v in var.container_port_config : tostring(v.containerPort)])
		63 |   security_group_id        = aws_security_group.ecs_service.id
		64 |   type                     = "ingress"
		65 |   from_port                = each.value
		66 |   to_port                  = each.value
		67 |   protocol                 = "tcp"
		68 |   source_security_group_id = var.bastion_sg_id
		69 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.ecs_policies.aws_iam_policy_document.task_exec
	File: /../ecs_policies/main.tf:104-122
	Calling File: /ecs.tf:27-33
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		104 | data "aws_iam_policy_document" "task_exec" {
		105 |   statement {
		106 |     effect    = "Allow"
		107 |     resources = ["*"]
		108 | 
		109 |     actions = concat([
		110 |       "ssm:GetParameters",
		111 |       "ecr:GetAuthorizationToken",
		112 |       "ecr:BatchCheckLayerAvailability",
		113 |       "ecr:GetDownloadUrlForLayer",
		114 |       "ecr:BatchGetImage",
		115 |       "logs:CreateLogGroup",
		116 |       "logs:CreateLogStream",
		117 |       "logs:PutLogEvents",
		118 |       "secretsmanager:GetSecretValue",
		119 |       "kms:Decrypt",
		120 |     ], var.extra_exec_role_allow_statements)
		121 |   }
		122 | }

Check: CKV_AWS_108: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: module.ecs_policies.aws_iam_policy_document.task_exec
	File: /../ecs_policies/main.tf:104-122
	Calling File: /ecs.tf:27-33
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-data-exfiltration

		104 | data "aws_iam_policy_document" "task_exec" {
		105 |   statement {
		106 |     effect    = "Allow"
		107 |     resources = ["*"]
		108 | 
		109 |     actions = concat([
		110 |       "ssm:GetParameters",
		111 |       "ecr:GetAuthorizationToken",
		112 |       "ecr:BatchCheckLayerAvailability",
		113 |       "ecr:GetDownloadUrlForLayer",
		114 |       "ecr:BatchGetImage",
		115 |       "logs:CreateLogGroup",
		116 |       "logs:CreateLogStream",
		117 |       "logs:PutLogEvents",
		118 |       "secretsmanager:GetSecretValue",
		119 |       "kms:Decrypt",
		120 |     ], var.extra_exec_role_allow_statements)
		121 |   }
		122 | }

Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
	FAILED for resource: aws_db_instance.this
	File: /rds.tf:65-111
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-60

		65  | resource "aws_db_instance" "this" {
		66  |   count          = var.create_rds ? 1 : 0
		67  |   engine         = var.rds_engine
		68  |   license_model  = var.rds_license_model != null ? var.rds_license_model : null
		69  |   engine_version = var.rds_engine_version
		70  |   instance_class = var.rds_instance_class
		71  |   identifier     = "${var.name}-${var.env_name}-db"
		72  |   username       = var.rds_username
		73  | 
		74  |   manage_master_user_password = true
		75  | 
		76  |   snapshot_identifier = var.snapshot_identifier != null ? var.snapshot_identifier : null
		77  | 
		78  |   kms_key_id = var.account_config.kms_keys.rds_shared
		79  | 
		80  |   allow_major_version_upgrade = var.rds_allow_major_version_upgrade
		81  |   apply_immediately           = var.rds_apply_immediately
		82  | 
		83  |   # tflint-ignore: aws_db_instance_default_parameter_group
		84  |   parameter_group_name                = var.rds_parameter_group_name
		85  |   deletion_protection                 = var.rds_deletion_protection
		86  |   delete_automated_backups            = var.rds_delete_automated_backups
		87  |   skip_final_snapshot                 = var.rds_skip_final_snapshot
		88  |   final_snapshot_identifier           = !var.rds_skip_final_snapshot ? "${var.name}-${var.env_name}-db-final-${random_id.rds_suffix.hex}" : null
		89  |   allocated_storage                   = var.rds_allocated_storage
		90  |   max_allocated_storage               = var.rds_max_allocated_storage
		91  |   storage_type                        = var.rds_storage_type
		92  |   maintenance_window                  = var.maintenance_window
		93  |   auto_minor_version_upgrade          = true
		94  |   backup_window                       = var.rds_backup_window
		95  |   backup_retention_period             = var.rds_backup_retention_period
		96  |   iam_database_authentication_enabled = var.rds_iam_database_authentication_enabled
		97  |   db_subnet_group_name                = aws_db_subnet_group.this[0].id
		98  |   vpc_security_group_ids              = [aws_security_group.db[0].id]
		99  |   multi_az                            = var.rds_multi_az
		100 |   monitoring_interval                 = var.rds_monitoring_interval
		101 |   monitoring_role_arn                 = var.rds_monitoring_interval != null || var.rds_monitoring_interval != 0 ? aws_iam_role.rds_enhanced_monitoring[0].arn : null
		102 |   #checkov:skip=CKV_AWS_118: "enhanced monitoring is enabled, but optional"
		103 |   storage_encrypted               = true
		104 |   performance_insights_enabled    = var.rds_performance_insights_enabled
		105 |   performance_insights_kms_key_id = var.rds_performance_insights_enabled ? var.account_config.kms_keys.general_shared : null
		106 |   enabled_cloudwatch_logs_exports = var.rds_enabled_cloudwatch_logs_exports
		107 |   tags = merge(var.tags,
		108 |     { Name = lower(format("%s-%s-database", var.name, var.env_name)) },
		109 |     var.enable_platform_backups != null ? { "backup" = var.enable_platform_backups ? "true" : "false" } : {}
		110 |   )
		111 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.ecs_service
	File: /sg.tf:2-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		2  | resource "aws_security_group" "ecs_service" {
		3  |   name        = "ecs-service-${var.name}-${var.env_name}"
		4  |   description = "Security group for the ${var.env_name} ${var.name} service"
		5  |   vpc_id      = var.account_config.shared_vpc_id
		6  |   tags        = var.tags
		7  |   lifecycle {
		8  |     create_before_destroy = true
		9  |   }
		10 | }


checkov_exitcode=2

TFLint Scan Failed

Show Output
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
terraform/environments/delius-core/modules/components/ldap
terraform/environments/delius-core/modules/helpers/delius_microservice

*****************************

Running tflint in terraform/environments/delius-core/modules/components/ldap
Excluding the following checks: terraform_unused_declarations
1 issue(s) found:

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/delius-core/modules/components/ldap/datasync.tf line 97:
  97:         "${module.s3_bucket_ldap_data_refresh.bucket.arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

tflint_exitcode=2

*****************************

Running tflint in terraform/environments/delius-core/modules/helpers/delius_microservice
Excluding the following checks: terraform_unused_declarations
1 issue(s) found:

Warning: Missing version constraint for provider "random" in `required_providers` (terraform_required_providers)

  on terraform/environments/delius-core/modules/helpers/delius_microservice/rds.tf line 1:
   1: resource "random_id" "rds_suffix" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

tflint_exitcode=4

Trivy Scan Failed

Show Output
*****************************

Trivy will check the following folders:
terraform/environments/delius-core/modules/components/ldap
terraform/environments/delius-core/modules/helpers/delius_microservice

*****************************

Running Trivy in terraform/environments/delius-core/modules/components/ldap
2024-08-19T15:20:03Z	INFO	[db] Need to update DB
2024-08-19T15:20:03Z	INFO	[db] Downloading DB...	repository="ghcr.io/aquasecurity/trivy-db:2"
2024-08-19T15:20:05Z	INFO	[vuln] Vulnerability scanning is enabled
2024-08-19T15:20:05Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-08-19T15:20:05Z	INFO	Need to update the built-in policies
2024-08-19T15:20:05Z	INFO	Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-08-19T15:20:05Z	INFO	[secret] Secret scanning is enabled
2024-08-19T15:20:05Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-08-19T15:20:05Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.54/docs/scanner/secret#recommendation for faster secret detection
2024-08-19T15:20:06Z	INFO	Number of language-specific files	num=0
2024-08-19T15:20:06Z	INFO	Detected config files	num=10

sg.tf (terraform)
=================
Tests: 10 (SUCCESSES: 9, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 sg.tf:17
   via sg.tf:11-19 (aws_security_group_rule.allow_all_egress)
────────────────────────────────────────
  11   resource "aws_security_group_rule" "allow_all_egress" {
  12     description       = "Allow all outbound traffic to any IPv4 address"
  13     type              = "egress"
  14     from_port         = 0
  15     to_port           = 0
  16     protocol          = "-1"
  17 [   cidr_blocks       = ["0.0.0.0/0"]
  18     security_group_id = aws_security_group.ldap.id
  19   }
────────────────────────────────────────


trivy_exitcode=1

*****************************

Running Trivy in terraform/environments/delius-core/modules/helpers/delius_microservice
2024-08-19T15:20:07Z	INFO	[vuln] Vulnerability scanning is enabled
2024-08-19T15:20:07Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-08-19T15:20:07Z	INFO	[secret] Secret scanning is enabled
2024-08-19T15:20:07Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-08-19T15:20:07Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.54/docs/scanner/secret#recommendation for faster secret detection
2024-08-19T15:20:08Z	INFO	Number of language-specific files	num=0
2024-08-19T15:20:08Z	INFO	Detected config files	num=5

sg.tf (terraform)
=================
Tests: 3 (SUCCESSES: 2, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 sg.tf:47
   via sg.tf:41-49 (aws_security_group_rule.ecs_service_tls_egress)
────────────────────────────────────────
  41   resource "aws_security_group_rule" "ecs_service_tls_egress" {
  42     description       = "Allow all outbound traffic to any IPv4 address on 443"
  43     type              = "egress"
  44     from_port         = 443
  45     to_port           = 443
  46     protocol          = "tcp"
  47 [   cidr_blocks       = ["0.0.0.0/0"]
  48     security_group_id = aws_security_group.ecs_service.id
  49   }
────────────────────────────────────────


trivy_exitcode=2

Contributor

Trivy Scan Failed

Show Output

Trivy will check the following folders:
terraform/environments/delius-core/modules/components/ldap
terraform/environments/delius-core/modules/components/oracle_db_instance
terraform/environments/delius-core/modules/helpers/delius_microservice


Running Trivy in terraform/environments/delius-core/modules/components/ldap
2024-08-19T15:35:40Z INFO [db] Need to update DB
2024-08-19T15:35:40Z INFO [db] Downloading DB... repository="ghcr.io/aquasecurity/trivy-db:2"
2024-08-19T15:35:43Z INFO [vuln] Vulnerability scanning is enabled
2024-08-19T15:35:43Z INFO [misconfig] Misconfiguration scanning is enabled
2024-08-19T15:35:43Z INFO Need to update the built-in policies
2024-08-19T15:35:43Z INFO Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-08-19T15:35:43Z INFO [secret] Secret scanning is enabled
2024-08-19T15:35:43Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-08-19T15:35:43Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.54/docs/scanner/secret#recommendation for faster secret detection
2024-08-19T15:35:45Z INFO Number of language-specific files num=0
2024-08-19T15:35:45Z INFO Detected config files num=10

sg.tf (terraform)

Tests: 10 (SUCCESSES: 9, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
sg.tf:17
via sg.tf:11-19 (aws_security_group_rule.allow_all_egress)
────────────────────────────────────────
11 resource "aws_security_group_rule" "allow_all_egress" {
12 description = "Allow all outbound traffic to any IPv4 address"
13 type = "egress"
14 from_port = 0
15 to_port = 0
16 protocol = "-1"
17 [ cidr_blocks = ["0.0.0.0/0"]
18 security_group_id = aws_security_group.ldap.id
19 }
────────────────────────────────────────

trivy_exitcode=1


Running Trivy in terraform/environments/delius-core/modules/components/oracle_db_instance
2024-08-19T15:35:45Z INFO [vuln] Vulnerability scanning is enabled
2024-08-19T15:35:45Z INFO [misconfig] Misconfiguration scanning is enabled
2024-08-19T15:35:45Z INFO [secret] Secret scanning is enabled
2024-08-19T15:35:45Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-08-19T15:35:45Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.54/docs/scanner/secret#recommendation for faster secret detection
2024-08-19T15:35:47Z INFO Number of language-specific files num=0
2024-08-19T15:35:47Z INFO Detected config files num=2
trivy_exitcode=1


Running Trivy in terraform/environments/delius-core/modules/helpers/delius_microservice
2024-08-19T15:35:47Z INFO [vuln] Vulnerability scanning is enabled
2024-08-19T15:35:47Z INFO [misconfig] Misconfiguration scanning is enabled
2024-08-19T15:35:47Z INFO [secret] Secret scanning is enabled
2024-08-19T15:35:47Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-08-19T15:35:47Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.54/docs/scanner/secret#recommendation for faster secret detection
2024-08-19T15:35:49Z INFO Number of language-specific files num=0
2024-08-19T15:35:49Z INFO Detected config files num=5

sg.tf (terraform)

Tests: 3 (SUCCESSES: 2, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
sg.tf:47
via sg.tf:41-49 (aws_security_group_rule.ecs_service_tls_egress)
────────────────────────────────────────
41 resource "aws_security_group_rule" "ecs_service_tls_egress" {
42 description = "Allow all outbound traffic to any IPv4 address on 443"
43 type = "egress"
44 from_port = 443
45 to_port = 443
46 protocol = "tcp"
47 [ cidr_blocks = ["0.0.0.0/0"]
48 security_group_id = aws_security_group.ecs_service.id
49 }
────────────────────────────────────────

trivy_exitcode=2

Checkov Scan Failed

Show Output

*****************************

Checkov will check the following folders:
terraform/environments/delius-core/modules/components/ldap
terraform/environments/delius-core/modules/components/oracle_db_instance
terraform/environments/delius-core/modules/helpers/delius_microservice

*****************************

Running Checkov in terraform/environments/delius-core/modules/components/ldap
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-08-19 15:35:52,074 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 247, Failed checks: 32, Skipped checks: 0

Check: CKV_AWS_166: "Ensure Backup Vault is encrypted at rest using KMS CMK"
	FAILED for resource: aws_backup_vault.ldap_backup_vault
	File: /backup.tf:1-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-backup-vault-is-encrypted-at-rest-using-kms-cmk

		1 | resource "aws_backup_vault" "ldap_backup_vault" {
		2 |   name = "${var.env_name}-ldap-efs-vault"
		3 |   tags = merge(
		4 |     var.tags,
		5 |     {
		6 |       Name = "${var.env_name}-ldap-efs-vault"
		7 |     },
		8 |   )
		9 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.delius_core_backup_policy
	File: /backup.tf:69-89
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		69 | data "aws_iam_policy_document" "delius_core_backup_policy" {
		70 |   statement {
		71 |     effect    = "Allow"
		72 |     resources = ["*"]
		73 | 
		74 |     actions = [
		75 |       "backup:CreateBackupPlan",
		76 |       "backup:CreateBackupSelection",
		77 |       "backup:StartBackupJob",
		78 |       "backup:DescribeBackupJob",
		79 |       "backup:ListBackupJobs",
		80 |       "backup:ListBackupVaults",
		81 |       "backup:ListRecoveryPointsByBackupVault",
		82 |       "backup:ListBackupPlanTemplates",
		83 |       "backup:DescribeRestoreJob",
		84 |       "backup:GetRecoveryPointRestoreMetadata",
		85 |       "backup:ListRestoreJobs",
		86 |       "backup:StartRestoreJob"
		87 |     ]
		88 |   }
		89 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.delius_core_backup_policy
	File: /backup.tf:69-89
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		69 | data "aws_iam_policy_document" "delius_core_backup_policy" {
		70 |   statement {
		71 |     effect    = "Allow"
		72 |     resources = ["*"]
		73 | 
		74 |     actions = [
		75 |       "backup:CreateBackupPlan",
		76 |       "backup:CreateBackupSelection",
		77 |       "backup:StartBackupJob",
		78 |       "backup:DescribeBackupJob",
		79 |       "backup:ListBackupJobs",
		80 |       "backup:ListBackupVaults",
		81 |       "backup:ListRecoveryPointsByBackupVault",
		82 |       "backup:ListBackupPlanTemplates",
		83 |       "backup:DescribeRestoreJob",
		84 |       "backup:GetRecoveryPointRestoreMetadata",
		85 |       "backup:ListRestoreJobs",
		86 |       "backup:StartRestoreJob"
		87 |     ]
		88 |   }
		89 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.efs_backup_policy
	File: /backup.tf:97-134
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		97  | data "aws_iam_policy_document" "efs_backup_policy" {
		98  |   statement {
		99  |     effect    = "Allow"
		100 |     resources = ["*"]
		101 | 
		102 |     actions = [
		103 |       "efs:DescribeFileSystems",
		104 |       "efs:CreateBackup",
		105 |       "efs:DeleteBackup",
		106 |       "efs:DescribeBackups",
		107 |       "efs:CreateTags",
		108 |       "efs:UntagResource",
		109 |       "efs:TagResource",
		110 |       "efs:DescribeTags",
		111 |       "elasticfilesystem:Backup",
		112 |       "elasticfilesystem:DescribeTags",
		113 |       "elasticfilesystem:CreateAccessPoint",
		114 |       "elasticfilesystem:CreateFileSystem",
		115 |       "elasticfilesystem:CreateMountTarget",
		116 |       "elasticfilesystem:DeleteAccessPoint",
		117 |       "elasticfilesystem:DeleteFileSystem",
		118 |       "elasticfilesystem:DeleteMountTarget",
		119 |       "elasticfilesystem:DescribeAccessPoints",
		120 |       "elasticfilesystem:DescribeFileSystemPolicy",
		121 |       "elasticfilesystem:DescribeFileSystems",
		122 |       "elasticfilesystem:DescribeLifecycleConfiguration",
		123 |       "elasticfilesystem:DescribeMountTargets",
		124 |       "elasticfilesystem:DescribeMountTargetSecurityGroups",
		125 |       "elasticfilesystem:PutBackupPolicy",
		126 |       "elasticfilesystem:PutFileSystemPolicy",
		127 |       "elasticfilesystem:PutLifecycleConfiguration",
		128 |       "elasticfilesystem:Restore",
		129 |       "elasticfilesystem:TagResource",
		130 |       "elasticfilesystem:UntagResource",
		131 |       "elasticfilesystem:UpdateFileSystem"
		132 |     ]
		133 |   }
		134 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.efs_backup_policy
	File: /backup.tf:97-134
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		97  | data "aws_iam_policy_document" "efs_backup_policy" {
		98  |   statement {
		99  |     effect    = "Allow"
		100 |     resources = ["*"]
		101 | 
		102 |     actions = [
		103 |       "efs:DescribeFileSystems",
		104 |       "efs:CreateBackup",
		105 |       "efs:DeleteBackup",
		106 |       "efs:DescribeBackups",
		107 |       "efs:CreateTags",
		108 |       "efs:UntagResource",
		109 |       "efs:TagResource",
		110 |       "efs:DescribeTags",
		111 |       "elasticfilesystem:Backup",
		112 |       "elasticfilesystem:DescribeTags",
		113 |       "elasticfilesystem:CreateAccessPoint",
		114 |       "elasticfilesystem:CreateFileSystem",
		115 |       "elasticfilesystem:CreateMountTarget",
		116 |       "elasticfilesystem:DeleteAccessPoint",
		117 |       "elasticfilesystem:DeleteFileSystem",
		118 |       "elasticfilesystem:DeleteMountTarget",
		119 |       "elasticfilesystem:DescribeAccessPoints",
		120 |       "elasticfilesystem:DescribeFileSystemPolicy",
		121 |       "elasticfilesystem:DescribeFileSystems",
		122 |       "elasticfilesystem:DescribeLifecycleConfiguration",
		123 |       "elasticfilesystem:DescribeMountTargets",
		124 |       "elasticfilesystem:DescribeMountTargetSecurityGroups",
		125 |       "elasticfilesystem:PutBackupPolicy",
		126 |       "elasticfilesystem:PutFileSystemPolicy",
		127 |       "elasticfilesystem:PutLifecycleConfiguration",
		128 |       "elasticfilesystem:Restore",
		129 |       "elasticfilesystem:TagResource",
		130 |       "elasticfilesystem:UntagResource",
		131 |       "elasticfilesystem:UpdateFileSystem"
		132 |     ]
		133 |   }
		134 | }

Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy_document.efs_backup_policy
	File: /backup.tf:97-134
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint

		97  | data "aws_iam_policy_document" "efs_backup_policy" {
		98  |   statement {
		99  |     effect    = "Allow"
		100 |     resources = ["*"]
		101 | 
		102 |     actions = [
		103 |       "efs:DescribeFileSystems",
		104 |       "efs:CreateBackup",
		105 |       "efs:DeleteBackup",
		106 |       "efs:DescribeBackups",
		107 |       "efs:CreateTags",
		108 |       "efs:UntagResource",
		109 |       "efs:TagResource",
		110 |       "efs:DescribeTags",
		111 |       "elasticfilesystem:Backup",
		112 |       "elasticfilesystem:DescribeTags",
		113 |       "elasticfilesystem:CreateAccessPoint",
		114 |       "elasticfilesystem:CreateFileSystem",
		115 |       "elasticfilesystem:CreateMountTarget",
		116 |       "elasticfilesystem:DeleteAccessPoint",
		117 |       "elasticfilesystem:DeleteFileSystem",
		118 |       "elasticfilesystem:DeleteMountTarget",
		119 |       "elasticfilesystem:DescribeAccessPoints",
		120 |       "elasticfilesystem:DescribeFileSystemPolicy",
		121 |       "elasticfilesystem:DescribeFileSystems",
		122 |       "elasticfilesystem:DescribeLifecycleConfiguration",
		123 |       "elasticfilesystem:DescribeMountTargets",
		124 |       "elasticfilesystem:DescribeMountTargetSecurityGroups",
		125 |       "elasticfilesystem:PutBackupPolicy",
		126 |       "elasticfilesystem:PutFileSystemPolicy",
		127 |       "elasticfilesystem:PutLifecycleConfiguration",
		128 |       "elasticfilesystem:Restore",
		129 |       "elasticfilesystem:TagResource",
		130 |       "elasticfilesystem:UntagResource",
		131 |       "elasticfilesystem:UpdateFileSystem"
		132 |     ]
		133 |   }
		134 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.ldap_ecs
	File: /cloudwatch.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		1 | resource "aws_cloudwatch_log_group" "ldap_ecs" {
		2 |   name              = "/ecs/ldap-${var.env_name}"
		3 |   retention_in_days = 5
		4 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.ldap_ecs
	File: /cloudwatch.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		1 | resource "aws_cloudwatch_log_group" "ldap_ecs" {
		2 |   name              = "/ecs/ldap-${var.env_name}"
		3 |   retention_in_days = 5
		4 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.ldap_automation
	File: /cloudwatch.tf:6-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		6 | resource "aws_cloudwatch_log_group" "ldap_automation" {
		7 |   name              = "/ecs/ldap-automation-${var.env_name}"
		8 |   retention_in_days = 5
		9 | }
Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.ldap_automation
	File: /cloudwatch.tf:6-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		6 | resource "aws_cloudwatch_log_group" "ldap_automation" {
		7 |   name              = "/ecs/ldap-automation-${var.env_name}"
		8 |   retention_in_days = 5
		9 | }
Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.ldap_datasync_role_access
	File: /datasync.tf:49-88
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		49 | data "aws_iam_policy_document" "ldap_datasync_role_access" {
		50 |   statement {
		51 |     effect = "Allow"
		52 |     actions = [
		53 |       "backup:*",
		54 |       "datasync:*",
		55 |       "elasticfilesystem:*",
		56 |       "ec2:DescribeInstances",
		57 |       "ec2:CreateNetworkInterface",
		58 |       "ec2:AttachNetworkInterface",
		59 |       "ec2:DescribeNetworkInterfaces",
		60 |       "ec2:DeleteNetworkInterface"
		61 |     ]
		62 |     resources = ["*"]
		63 |   }
		64 |   statement {
		65 |     effect = "Allow"
		66 |     actions = [
		67 |       "kms:ListGrants",
		68 |       "kms:GenerateDataKey",
		69 |       "kms:Encrypt",
		70 |       "kms:DescribeKey",
		71 |       "kms:Decrypt",
		72 |       "kms:CreateGrant",
		73 |       "kms:ReEncryptTo",
		74 |       "kms:ReEncryptFrom",
		75 |       "kms:GenerateDataKeyWithoutPlaintext"
		76 |     ]
		77 |     resources = [var.account_config.kms_keys.general_shared]
		78 |   }
		79 |   statement {
		80 |     sid     = "allowAccessForDataSync"
		81 |     effect  = "Allow"
		82 |     actions = ["s3:*"]
		83 |     resources = [
		84 |       "arn:aws:s3:::*-ldap-data-refresh-incoming",
		85 |       "arn:aws:s3:::*-ldap-data-refresh-incoming/*",
		86 |     ]
		87 |   }
		88 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.ldap_datasync_role_access
	File: /datasync.tf:49-88
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		49 | data "aws_iam_policy_document" "ldap_datasync_role_access" {
		50 |   statement {
		51 |     effect = "Allow"
		52 |     actions = [
		53 |       "backup:*",
		54 |       "datasync:*",
		55 |       "elasticfilesystem:*",
		56 |       "ec2:DescribeInstances",
		57 |       "ec2:CreateNetworkInterface",
		58 |       "ec2:AttachNetworkInterface",
		59 |       "ec2:DescribeNetworkInterfaces",
		60 |       "ec2:DeleteNetworkInterface"
		61 |     ]
		62 |     resources = ["*"]
		63 |   }
		64 |   statement {
		65 |     effect = "Allow"
		66 |     actions = [
		67 |       "kms:ListGrants",
		68 |       "kms:GenerateDataKey",
		69 |       "kms:Encrypt",
		70 |       "kms:DescribeKey",
		71 |       "kms:Decrypt",
		72 |       "kms:CreateGrant",
		73 |       "kms:ReEncryptTo",
		74 |       "kms:ReEncryptFrom",
		75 |       "kms:GenerateDataKeyWithoutPlaintext"
		76 |     ]
		77 |     resources = [var.account_config.kms_keys.general_shared]
		78 |   }
		79 |   statement {
		80 |     sid     = "allowAccessForDataSync"
		81 |     effect  = "Allow"
		82 |     actions = ["s3:*"]
		83 |     resources = [
		84 |       "arn:aws:s3:::*-ldap-data-refresh-incoming",
		85 |       "arn:aws:s3:::*-ldap-data-refresh-incoming/*",
		86 |     ]
		87 |   }
		88 | }

Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy_document.ldap_datasync_role_access
	File: /datasync.tf:49-88
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint

		49 | data "aws_iam_policy_document" "ldap_datasync_role_access" {
		50 |   statement {
		51 |     effect = "Allow"
		52 |     actions = [
		53 |       "backup:*",
		54 |       "datasync:*",
		55 |       "elasticfilesystem:*",
		56 |       "ec2:DescribeInstances",
		57 |       "ec2:CreateNetworkInterface",
		58 |       "ec2:AttachNetworkInterface",
		59 |       "ec2:DescribeNetworkInterfaces",
		60 |       "ec2:DeleteNetworkInterface"
		61 |     ]
		62 |     resources = ["*"]
		63 |   }
		64 |   statement {
		65 |     effect = "Allow"
		66 |     actions = [
		67 |       "kms:ListGrants",
		68 |       "kms:GenerateDataKey",
		69 |       "kms:Encrypt",
		70 |       "kms:DescribeKey",
		71 |       "kms:Decrypt",
		72 |       "kms:CreateGrant",
		73 |       "kms:ReEncryptTo",
		74 |       "kms:ReEncryptFrom",
		75 |       "kms:GenerateDataKeyWithoutPlaintext"
		76 |     ]
		77 |     resources = [var.account_config.kms_keys.general_shared]
		78 |   }
		79 |   statement {
		80 |     sid     = "allowAccessForDataSync"
		81 |     effect  = "Allow"
		82 |     actions = ["s3:*"]
		83 |     resources = [
		84 |       "arn:aws:s3:::*-ldap-data-refresh-incoming",
		85 |       "arn:aws:s3:::*-ldap-data-refresh-incoming/*",
		86 |     ]
		87 |   }
		88 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3_bucket_ldap_data_refresh
	File: /datasync.tf:117-131
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		117 | module "s3_bucket_ldap_data_refresh" {
		118 |   source              = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0"
		119 |   bucket_name         = "${var.env_name}-ldap-data-refresh-incoming"
		120 |   versioning_enabled  = false
		121 |   ownership_controls  = "BucketOwnerEnforced"
		122 |   replication_enabled = false
		123 |   custom_kms_key      = var.account_config.kms_keys.general_shared
		124 |   bucket_policy_v2    = local.ldap_refresh_bucket_policies
		125 | 
		126 |   providers = {
		127 |     aws.bucket-replication = aws.bucket-replication
		128 |   }
		129 | 
		130 |   tags = var.tags
		131 | }
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3_bucket_migration
	File: /s3.tf:1-99
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3_bucket_app_deployment
	File: /s3.tf:102-141
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		102 | module "s3_bucket_app_deployment" {
		103 | 
		104 |   source = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0"
		105 | 
		106 |   bucket_prefix      = "ldap-${var.env_name}-deployment-state"
		107 |   versioning_enabled = true
		108 | 
		109 |   providers = {
		110 |     aws.bucket-replication = aws.bucket-replication
		111 |   }
		112 | 
		113 |   lifecycle_rule = [
		114 |     {
		115 |       id      = "main"
		116 |       enabled = "Enabled"
		117 |       prefix  = ""
		118 | 
		119 |       tags = {
		120 |         rule      = "log"
		121 |         autoclean = "true"
		122 |       }
		123 | 
		124 |       noncurrent_version_transition = [
		125 |         {
		126 |           days          = 90
		127 |           storage_class = "STANDARD_IA"
		128 |           }, {
		129 |           days          = 365
		130 |           storage_class = "GLACIER"
		131 |         }
		132 |       ]
		133 | 
		134 |       noncurrent_version_expiration = {
		135 |         days = 730
		136 |       }
		137 |     }
		138 |   ]
		139 | 
		140 |   tags = var.tags
		141 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_ldap_host
	File: /secrets.tf:5-15
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		5  | resource "aws_ssm_parameter" "delius_core_ldap_host" {
		6  |   name  = format("/%s-%s/LDAP_HOST", var.account_info.application_name, var.env_name)
		7  |   type  = "SecureString"
		8  |   value = "INITIAL_VALUE_OVERRIDDEN"
		9  |   lifecycle {
		10 |     ignore_changes = [
		11 |       value
		12 |     ]
		13 |   }
		14 |   tags = var.tags
		15 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_ldap_principal
	File: /secrets.tf:21-31
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		21 | resource "aws_ssm_parameter" "delius_core_ldap_principal" {
		22 |   name  = format("/%s-%s/LDAP_PRINCIPAL", var.account_info.application_name, var.env_name)
		23 |   type  = "SecureString"
		24 |   value = "INITIAL_VALUE_OVERRIDDEN"
		25 |   lifecycle {
		26 |     ignore_changes = [
		27 |       value
		28 |     ]
		29 |   }
		30 |   tags = var.tags
		31 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_ldap_seed_uri
	File: /secrets.tf:37-47
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		37 | resource "aws_ssm_parameter" "delius_core_ldap_seed_uri" {
		38 |   name  = format("/%s-%s/LDAP_SEED_URI", var.account_info.application_name, var.env_name)
		39 |   type  = "SecureString"
		40 |   value = "INITIAL_VALUE_OVERRIDDEN"
		41 |   lifecycle {
		42 |     ignore_changes = [
		43 |       value
		44 |     ]
		45 |   }
		46 |   tags = var.tags
		47 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_ldap_bind_password
	File: /secrets.tf:53-63
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		53 | resource "aws_ssm_parameter" "delius_core_ldap_bind_password" {
		54 |   name  = format("/%s-%s/LDAP_BIND_PASSWORD", var.account_info.application_name, var.env_name)
		55 |   type  = "SecureString"
		56 |   value = "INITIAL_VALUE_OVERRIDDEN"
		57 |   lifecycle {
		58 |     ignore_changes = [
		59 |       value
		60 |     ]
		61 |   }
		62 |   tags = var.tags
		63 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_ldap_rbac_version
	File: /secrets.tf:82-92
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		82 | resource "aws_ssm_parameter" "delius_core_ldap_rbac_version" {
		83 |   name  = format("/%s-%s/LDAP_RBAC_VERSION", var.account_info.application_name, var.env_name)
		84 |   type  = "SecureString"
		85 |   value = "INITIAL_VALUE_OVERRIDDEN"
		86 |   lifecycle {
		87 |     ignore_changes = [
		88 |       value
		89 |     ]
		90 |   }
		91 |   tags = var.tags
		92 | }
Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group_rule.efs_ingress_ldap
	File: /sg.tf:65-72
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		65 | resource "aws_security_group_rule" "efs_ingress_ldap" {
		66 |   type                     = "ingress"
		67 |   from_port                = 2049
		68 |   to_port                  = 2049
		69 |   protocol                 = "tcp"
		70 |   source_security_group_id = module.efs.sg_id
		71 |   security_group_id        = aws_security_group.ldap.id
		72 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.ldap_ecs_policies.aws_iam_policy_document.task_exec
	File: /../../helpers/ecs_policies/main.tf:104-122
	Calling File: /ldap_policies.tf:1-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		104 | data "aws_iam_policy_document" "task_exec" {
		105 |   statement {
		106 |     effect    = "Allow"
		107 |     resources = ["*"]
		108 | 
		109 |     actions = concat([
		110 |       "ssm:GetParameters",
		111 |       "ecr:GetAuthorizationToken",
		112 |       "ecr:BatchCheckLayerAvailability",
		113 |       "ecr:GetDownloadUrlForLayer",
		114 |       "ecr:BatchGetImage",
		115 |       "logs:CreateLogGroup",
		116 |       "logs:CreateLogStream",
		117 |       "logs:PutLogEvents",
		118 |       "secretsmanager:GetSecretValue",
		119 |       "kms:Decrypt",
		120 |     ], var.extra_exec_role_allow_statements)
		121 |   }
		122 | }

Check: CKV_AWS_108: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: module.ldap_ecs_policies.aws_iam_policy_document.task_exec
	File: /../../helpers/ecs_policies/main.tf:104-122
	Calling File: /ldap_policies.tf:1-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-data-exfiltration

		104 | data "aws_iam_policy_document" "task_exec" {
		105 |   statement {
		106 |     effect    = "Allow"
		107 |     resources = ["*"]
		108 | 
		109 |     actions = concat([
		110 |       "ssm:GetParameters",
		111 |       "ecr:GetAuthorizationToken",
		112 |       "ecr:BatchCheckLayerAvailability",
		113 |       "ecr:GetDownloadUrlForLayer",
		114 |       "ecr:BatchGetImage",
		115 |       "logs:CreateLogGroup",
		116 |       "logs:CreateLogStream",
		117 |       "logs:PutLogEvents",
		118 |       "secretsmanager:GetSecretValue",
		119 |       "kms:Decrypt",
		120 |     ], var.extra_exec_role_allow_statements)
		121 |   }
		122 | }

Check: CKV_AWS_329: "EFS access points should enforce a root directory"
	FAILED for resource: module.efs.aws_efs_access_point.ldap
	File: /../../helpers/efs/main.tf:26-37
	Calling File: /efs.tf:1-17
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-329

		26 | resource "aws_efs_access_point" "ldap" {
		27 |   file_system_id = aws_efs_file_system.this.id
		28 |   root_directory {
		29 |     path = "/"
		30 |   }
		31 |   tags = merge(
		32 |     var.tags,
		33 |     {
		34 |       Name = "${var.env_name}-${var.name}-efs-access-point"
		35 |     }
		36 |   )
		37 | }

Check: CKV_AWS_330: "EFS access points should enforce a user identity"
	FAILED for resource: module.efs.aws_efs_access_point.ldap
	File: /../../helpers/efs/main.tf:26-37
	Calling File: /efs.tf:1-17
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-330

		26 | resource "aws_efs_access_point" "ldap" {
		27 |   file_system_id = aws_efs_file_system.this.id
		28 |   root_directory {
		29 |     path = "/"
		30 |   }
		31 |   tags = merge(
		32 |     var.tags,
		33 |     {
		34 |       Name = "${var.env_name}-${var.name}-efs-access-point"
		35 |     }
		36 |   )
		37 | }

Check: CKV_AWS_152: "Ensure that Load Balancer (Network/Gateway) has cross-zone load balancing enabled"
	FAILED for resource: module.nlb.aws_lb.this
	File: /../../helpers/nlb/main.tf:1-12
	Calling File: /nlb.tf:1-23
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-load-balancer-networkgateway-has-cross-zone-load-balancing-enabled

		1  | resource "aws_lb" "this" {
		2  |   name                       = "${var.app_name}-${var.env_name}-nlb"
		3  |   internal                   = var.internal
		4  |   load_balancer_type         = var.load_balancer_type
		5  |   subnets                    = var.subnet_ids
		6  |   drop_invalid_header_fields = var.drop_invalid_header_fields
		7  |   enable_deletion_protection = var.enable_deletion_protection
		8  | 
		9  | 
		10 | 
		11 |   tags = var.tags
		12 | }

Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
	FAILED for resource: module.nlb.aws_lb.this
	File: /../../helpers/nlb/main.tf:1-12
	Calling File: /nlb.tf:1-23
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22

		1  | resource "aws_lb" "this" {
		2  |   name                       = "${var.app_name}-${var.env_name}-nlb"
		3  |   internal                   = var.internal
		4  |   load_balancer_type         = var.load_balancer_type
		5  |   subnets                    = var.subnet_ids
		6  |   drop_invalid_header_fields = var.drop_invalid_header_fields
		7  |   enable_deletion_protection = var.enable_deletion_protection
		8  | 
		9  | 
		10 | 
		11 |   tags = var.tags
		12 | }

Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
	FAILED for resource: module.nlb.aws_lb.this
	File: /../../helpers/nlb/main.tf:1-12
	Calling File: /nlb.tf:1-23
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-150

		1  | resource "aws_lb" "this" {
		2  |   name                       = "${var.app_name}-${var.env_name}-nlb"
		3  |   internal                   = var.internal
		4  |   load_balancer_type         = var.load_balancer_type
		5  |   subnets                    = var.subnet_ids
		6  |   drop_invalid_header_fields = var.drop_invalid_header_fields
		7  |   enable_deletion_protection = var.enable_deletion_protection
		8  | 
		9  | 
		10 | 
		11 |   tags = var.tags
		12 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: module.ldap_admin_password.aws_secretsmanager_secret.this
	File: /../../helpers/secret/main.tf:1-6
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		1 | resource "aws_secretsmanager_secret" "this" {
		2 |   name        = var.name
		3 |   description = var.description
		4 |   kms_key_id  = var.kms_key_id
		5 |   tags        = var.tags
		6 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.ldap
	File: /sg.tf:1-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		1 | resource "aws_security_group" "ldap" {
		2 |   name        = "${var.env_name}-ldap-sg"
		3 |   description = "Security group for the ${var.env_name} ldap service"
		4 |   vpc_id      = var.account_info.vpc_id
		5 |   tags        = var.tags
		6 |   lifecycle {
		7 |     create_before_destroy = true
		8 |   }
		9 | }

Check: CKV_AWS_103: "Ensure that load balancer is using at least TLS 1.2"
	FAILED for resource: module.nlb.aws_lb_listener.ldaps
	File: /../../helpers/nlb/main.tf:32-50
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-43

		32 | resource "aws_lb_listener" "ldaps" {
		33 |   load_balancer_arn = aws_lb.this.arn
		34 |   port              = var.secure_port
		35 |   protocol          = "TLS"
		36 | 
		37 |   default_action {
		38 |     type             = "forward"
		39 |     target_group_arn = aws_lb_target_group.this.arn
		40 |   }
		41 | 
		42 |   certificate_arn = var.certificate_arn
		43 | 
		44 |   tags = merge(
		45 |     var.tags,
		46 |     {
		47 |       Name = var.app_name
		48 |     }
		49 |   )
		50 | }


checkov_exitcode=1

*****************************

Running Checkov in terraform/environments/delius-core/modules/components/oracle_db_instance
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-08-19 15:35:56,075 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 0, Failed checks: 2, Skipped checks: 0

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: instance
	File: /instance.tf:23-66
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		23 | module "instance" {
		24 |   source = "github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance"
		25 | 
		26 |   providers = {
		27 |     aws.core-vpc = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		28 |   }
		29 | 
		30 |   name = "${var.account_info.application_name}-${var.env_name}-${var.db_suffix}-${local.instance_name_index}" # e.g. dev-boe-db-1
		31 | 
		32 |   ami_name                      = data.aws_ami.oracle_db.name
		33 |   ami_owner                     = var.db_ami.owner
		34 |   instance                      = local.instance_config
		35 |   ebs_kms_key_id                = var.account_config.kms_keys.general_shared
		36 |   ebs_volumes_copy_all_from_ami = true
		37 |   ebs_volume_config             = var.ebs_volume_config
		38 |   ebs_volumes                   = var.ebs_volumes
		39 |   ebs_volume_tags               = var.tags
		40 |   # route53_records               = merge(local.ec2_test.route53_records, lookup(each.value, "route53_records", {})) # revist
		41 |   route53_records = {
		42 |     create_internal_record = false
		43 |     create_external_record = false
		44 |   }
		45 |   iam_resource_names_prefix = "instance"
		46 |   instance_profile_policies = var.instance_profile_policies
		47 | 
		48 |   user_data_raw = base64encode(var.user_data)
		49 | 
		50 |   business_unit     = var.account_info.business_unit
		51 |   application_name  = var.account_info.application_name
		52 |   environment       = var.account_info.mp_environment
		53 |   region            = "eu-west-2"
		54 |   availability_zone = var.availability_zone
		55 |   subnet_id         = var.subnet_id
		56 |   tags = merge(var.tags,
		57 |     { Name = "${var.account_info.application_name}-${var.env_name}-${var.db_suffix}-${local.instance_name_index}" },
		58 |     { server-type = var.server_type_tag },
		59 |     { database = local.database_tag },
		60 |     var.enable_platform_backups != null ? { "backup" = var.enable_platform_backups ? "true" : "false" } : {}
		61 |   )
		62 | 
		63 |   cloudwatch_metric_alarms = merge(
		64 |     local.cloudwatch_metric_alarms.ec2
		65 |   )
		66 | }

Check: CKV_TF_2: "Ensure Terraform module sources use a tag with a version number"
	FAILED for resource: instance
	File: /instance.tf:23-66
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-tag

		23 | module "instance" {
		24 |   source = "github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance"
		25 | 
		26 |   providers = {
		27 |     aws.core-vpc = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		28 |   }
		29 | 
		30 |   name = "${var.account_info.application_name}-${var.env_name}-${var.db_suffix}-${local.instance_name_index}" # e.g. dev-boe-db-1
		31 | 
		32 |   ami_name                      = data.aws_ami.oracle_db.name
		33 |   ami_owner                     = var.db_ami.owner
		34 |   instance                      = local.instance_config
		35 |   ebs_kms_key_id                = var.account_config.kms_keys.general_shared
		36 |   ebs_volumes_copy_all_from_ami = true
		37 |   ebs_volume_config             = var.ebs_volume_config
		38 |   ebs_volumes                   = var.ebs_volumes
		39 |   ebs_volume_tags               = var.tags
		40 |   # route53_records               = merge(local.ec2_test.route53_records, lookup(each.value, "route53_records", {})) # revist
		41 |   route53_records = {
		42 |     create_internal_record = false
		43 |     create_external_record = false
		44 |   }
		45 |   iam_resource_names_prefix = "instance"
		46 |   instance_profile_policies = var.instance_profile_policies
		47 | 
		48 |   user_data_raw = base64encode(var.user_data)
		49 | 
		50 |   business_unit     = var.account_info.business_unit
		51 |   application_name  = var.account_info.application_name
		52 |   environment       = var.account_info.mp_environment
		53 |   region            = "eu-west-2"
		54 |   availability_zone = var.availability_zone
		55 |   subnet_id         = var.subnet_id
		56 |   tags = merge(var.tags,
		57 |     { Name = "${var.account_info.application_name}-${var.env_name}-${var.db_suffix}-${local.instance_name_index}" },
		58 |     { server-type = var.server_type_tag },
		59 |     { database = local.database_tag },
		60 |     var.enable_platform_backups != null ? { "backup" = var.enable_platform_backups ? "true" : "false" } : {}
		61 |   )
		62 | 
		63 |   cloudwatch_metric_alarms = merge(
		64 |     local.cloudwatch_metric_alarms.ec2
		65 |   )
		66 | }


checkov_exitcode=2

*****************************

Running Checkov in terraform/environments/delius-core/modules/helpers/delius_microservice
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-08-19 15:36:00,147 [MainThread  ] [WARNI]  Failed to download module git::https://github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//container?ref=v4.3.0:None (for external modules, the --download-external-modules flag is required)
2024-08-19 15:36:00,147 [MainThread  ] [WARNI]  Failed to download module git::https://github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//service?ref=v4.3.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 167, Failed checks: 15, Skipped checks: 2

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.ecs
	File: /cloudwatch.tf:1-5
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		1 | resource "aws_cloudwatch_log_group" "ecs" {
		2 |   name              = "${var.env_name}-${var.name}"
		3 |   retention_in_days = 7
		4 |   tags              = var.tags
		5 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.ecs
	File: /cloudwatch.tf:1-5
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		1 | resource "aws_cloudwatch_log_group" "ecs" {
		2 |   name              = "${var.env_name}-${var.name}"
		3 |   retention_in_days = 7
		4 |   tags              = var.tags
		5 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: container_definition
	File: /ecs.tf:1-25
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		1  | module "container_definition" {
		2  |   source                   = "git::https://github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//container?ref=v4.3.0"
		3  |   name                     = var.name
		4  |   image                    = var.container_image
		5  |   memory                   = var.container_memory
		6  |   cpu                      = var.container_cpu
		7  |   essential                = true
		8  |   readonly_root_filesystem = false
		9  | 
		10 |   environment = local.calculated_container_vars_list
		11 | 
		12 |   health_check = var.health_check
		13 | 
		14 |   secrets       = local.calculated_container_secrets_list
		15 |   port_mappings = var.container_port_config
		16 |   mount_points  = var.mount_points
		17 |   log_configuration = {
		18 |     logDriver = "awslogs"
		19 |     options = {
		20 |       "awslogs-group"         = aws_cloudwatch_log_group.ecs.name
		21 |       "awslogs-region"        = "eu-west-2"
		22 |       "awslogs-stream-prefix" = "${var.env_name}-${var.name}"
		23 |     }
		24 |   }
		25 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: ecs_service
	File: /ecs.tf:35-72
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		35 | module "ecs_service" {
		36 |   source                = "git::https://github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//service?ref=v4.3.0"
		37 |   container_definitions = nonsensitive(module.container_definition.json_encoded_list)
		38 |   cluster_arn           = var.ecs_cluster_arn
		39 |   name                  = var.name
		40 | 
		41 |   task_cpu    = var.container_cpu
		42 |   task_memory = var.container_memory
		43 | 
		44 |   desired_count                      = var.desired_count
		45 |   deployment_maximum_percent         = var.deployment_maximum_percent
		46 |   deployment_minimum_healthy_percent = var.deployment_minimum_healthy_percent
		47 | 
		48 |   service_role_arn   = "arn:aws:iam::${var.account_info.id}:role/${module.ecs_policies.service_role.name}"
		49 |   task_role_arn      = "arn:aws:iam::${var.account_info.id}:role/${module.ecs_policies.task_role.name}"
		50 |   task_exec_role_arn = "arn:aws:iam::${var.account_info.id}:role/${module.ecs_policies.task_exec_role.name}"
		51 | 
		52 |   health_check_grace_period_seconds = var.health_check_grace_period_seconds
		53 | 
		54 |   service_load_balancers = var.microservice_lb != null ? concat([{
		55 |     target_group_arn = aws_lb_target_group.frontend[0].arn
		56 |     container_name   = var.name
		57 |     container_port   = var.container_port_config[0].containerPort
		58 |     }],
		59 |   values(local.ecs_nlbs)) : values(local.ecs_nlbs)
		60 | 
		61 |   efs_volumes = var.efs_volumes
		62 | 
		63 |   security_groups = [aws_security_group.ecs_service.id]
		64 | 
		65 |   subnets = var.account_config.private_subnet_ids
		66 | 
		67 |   enable_execute_command = true
		68 | 
		69 |   ignore_changes = var.ignore_changes_service_task_definition
		70 | 
		71 |   tags = var.tags
		72 | }

Check: CKV_AWS_152: "Ensure that Load Balancer (Network/Gateway) has cross-zone load balancing enabled"
	FAILED for resource: aws_lb.delius_microservices
	File: /load_balancing.tf:90-98
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-load-balancer-networkgateway-has-cross-zone-load-balancing-enabled

		90 | resource "aws_lb" "delius_microservices" {
		91 |   name                       = "${var.name}-${var.env_name}-service-nlb"
		92 |   internal                   = true
		93 |   load_balancer_type         = "network"
		94 |   security_groups            = [aws_security_group.delius_microservices_service_nlb.id]
		95 |   subnets                    = var.account_config.private_subnet_ids
		96 |   enable_deletion_protection = false
		97 |   tags                       = var.tags
		98 | }

Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
	FAILED for resource: aws_lb.delius_microservices
	File: /load_balancing.tf:90-98
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22

		90 | resource "aws_lb" "delius_microservices" {
		91 |   name                       = "${var.name}-${var.env_name}-service-nlb"
		92 |   internal                   = true
		93 |   load_balancer_type         = "network"
		94 |   security_groups            = [aws_security_group.delius_microservices_service_nlb.id]
		95 |   subnets                    = var.account_config.private_subnet_ids
		96 |   enable_deletion_protection = false
		97 |   tags                       = var.tags
		98 | }

Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
	FAILED for resource: aws_lb.delius_microservices
	File: /load_balancing.tf:90-98
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-150

		90 | resource "aws_lb" "delius_microservices" {
		91 |   name                       = "${var.name}-${var.env_name}-service-nlb"
		92 |   internal                   = true
		93 |   load_balancer_type         = "network"
		94 |   security_groups            = [aws_security_group.delius_microservices_service_nlb.id]
		95 |   subnets                    = var.account_config.private_subnet_ids
		96 |   enable_deletion_protection = false
		97 |   tags                       = var.tags
		98 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_ingress_rule.from_vpc
	File: /load_balancing.tf:110-114
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		110 | resource "aws_vpc_security_group_ingress_rule" "from_vpc" {
		111 |   cidr_ipv4         = var.account_config.shared_vpc_cidr
		112 |   ip_protocol       = "-1"
		113 |   security_group_id = aws_security_group.delius_microservices_service_nlb.id
		114 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.nlb_to_ecs_service
	File: /load_balancing.tf:116-123
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		116 | resource "aws_vpc_security_group_egress_rule" "nlb_to_ecs_service" {
		117 |   for_each                     = toset([for _, v in var.container_port_config : tostring(v.containerPort)])
		118 |   ip_protocol                  = "TCP"
		119 |   from_port                    = each.value
		120 |   to_port                      = each.value
		121 |   security_group_id            = aws_security_group.delius_microservices_service_nlb.id
		122 |   referenced_security_group_id = aws_security_group.ecs_service.id
		123 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group_rule.all_cluster_to_ecs_service_tcp
	File: /sg.tf:51-59
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		51 | resource "aws_security_group_rule" "all_cluster_to_ecs_service_tcp" {
		52 |   for_each                 = toset([for _, v in var.container_port_config : tostring(v.containerPort)])
		53 |   security_group_id        = aws_security_group.ecs_service.id
		54 |   type                     = "ingress"
		55 |   from_port                = each.value
		56 |   to_port                  = each.value
		57 |   protocol                 = "tcp"
		58 |   source_security_group_id = var.cluster_security_group_id
		59 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group_rule.bastion_to_ecs_service_tcp
	File: /sg.tf:61-69
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		61 | resource "aws_security_group_rule" "bastion_to_ecs_service_tcp" {
		62 |   for_each                 = toset([for _, v in var.container_port_config : tostring(v.containerPort)])
		63 |   security_group_id        = aws_security_group.ecs_service.id
		64 |   type                     = "ingress"
		65 |   from_port                = each.value
		66 |   to_port                  = each.value
		67 |   protocol                 = "tcp"
		68 |   source_security_group_id = var.bastion_sg_id
		69 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.ecs_policies.aws_iam_policy_document.task_exec
	File: /../ecs_policies/main.tf:104-122
	Calling File: /ecs.tf:27-33
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		104 | data "aws_iam_policy_document" "task_exec" {
		105 |   statement {
		106 |     effect    = "Allow"
		107 |     resources = ["*"]
		108 | 
		109 |     actions = concat([
		110 |       "ssm:GetParameters",
		111 |       "ecr:GetAuthorizationToken",
		112 |       "ecr:BatchCheckLayerAvailability",
		113 |       "ecr:GetDownloadUrlForLayer",
		114 |       "ecr:BatchGetImage",
		115 |       "logs:CreateLogGroup",
		116 |       "logs:CreateLogStream",
		117 |       "logs:PutLogEvents",
		118 |       "secretsmanager:GetSecretValue",
		119 |       "kms:Decrypt",
		120 |     ], var.extra_exec_role_allow_statements)
		121 |   }
		122 | }

Check: CKV_AWS_108: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: module.ecs_policies.aws_iam_policy_document.task_exec
	File: /../ecs_policies/main.tf:104-122
	Calling File: /ecs.tf:27-33
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-data-exfiltration

		104 | data "aws_iam_policy_document" "task_exec" {
		105 |   statement {
		106 |     effect    = "Allow"
		107 |     resources = ["*"]
		108 | 
		109 |     actions = concat([
		110 |       "ssm:GetParameters",
		111 |       "ecr:GetAuthorizationToken",
		112 |       "ecr:BatchCheckLayerAvailability",
		113 |       "ecr:GetDownloadUrlForLayer",
		114 |       "ecr:BatchGetImage",
		115 |       "logs:CreateLogGroup",
		116 |       "logs:CreateLogStream",
		117 |       "logs:PutLogEvents",
		118 |       "secretsmanager:GetSecretValue",
		119 |       "kms:Decrypt",
		120 |     ], var.extra_exec_role_allow_statements)
		121 |   }
		122 | }

Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
	FAILED for resource: aws_db_instance.this
	File: /rds.tf:65-111
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-60

		65  | resource "aws_db_instance" "this" {
		66  |   count          = var.create_rds ? 1 : 0
		67  |   engine         = var.rds_engine
		68  |   license_model  = var.rds_license_model != null ? var.rds_license_model : null
		69  |   engine_version = var.rds_engine_version
		70  |   instance_class = var.rds_instance_class
		71  |   identifier     = "${var.name}-${var.env_name}-db"
		72  |   username       = var.rds_username
		73  | 
		74  |   manage_master_user_password = true
		75  | 
		76  |   snapshot_identifier = var.snapshot_identifier != null ? var.snapshot_identifier : null
		77  | 
		78  |   kms_key_id = var.account_config.kms_keys.rds_shared
		79  | 
		80  |   allow_major_version_upgrade = var.rds_allow_major_version_upgrade
		81  |   apply_immediately           = var.rds_apply_immediately
		82  | 
		83  |   # tflint-ignore: aws_db_instance_default_parameter_group
		84  |   parameter_group_name                = var.rds_parameter_group_name
		85  |   deletion_protection                 = var.rds_deletion_protection
		86  |   delete_automated_backups            = var.rds_delete_automated_backups
		87  |   skip_final_snapshot                 = var.rds_skip_final_snapshot
		88  |   final_snapshot_identifier           = !var.rds_skip_final_snapshot ? "${var.name}-${var.env_name}-db-final-${random_id.rds_suffix.hex}" : null
		89  |   allocated_storage                   = var.rds_allocated_storage
		90  |   max_allocated_storage               = var.rds_max_allocated_storage
		91  |   storage_type                        = var.rds_storage_type
		92  |   maintenance_window                  = var.maintenance_window
		93  |   auto_minor_version_upgrade          = true
		94  |   backup_window                       = var.rds_backup_window
		95  |   backup_retention_period             = var.rds_backup_retention_period
		96  |   iam_database_authentication_enabled = var.rds_iam_database_authentication_enabled
		97  |   db_subnet_group_name                = aws_db_subnet_group.this[0].id
		98  |   vpc_security_group_ids              = [aws_security_group.db[0].id]
		99  |   multi_az                            = var.rds_multi_az
		100 |   monitoring_interval                 = var.rds_monitoring_interval
		101 |   monitoring_role_arn                 = var.rds_monitoring_interval != null || var.rds_monitoring_interval != 0 ? aws_iam_role.rds_enhanced_monitoring[0].arn : null
		102 |   #checkov:skip=CKV_AWS_118: "enhanced monitoring is enabled, but optional"
		103 |   storage_encrypted               = true
		104 |   performance_insights_enabled    = var.rds_performance_insights_enabled
		105 |   performance_insights_kms_key_id = var.rds_performance_insights_enabled ? var.account_config.kms_keys.general_shared : null
		106 |   enabled_cloudwatch_logs_exports = var.rds_enabled_cloudwatch_logs_exports
		107 |   tags = merge(var.tags,
		108 |     { Name = lower(format("%s-%s-database", var.name, var.env_name)) },
		109 |     var.enable_platform_backups != null ? { "backup" = var.enable_platform_backups ? "true" : "false" } : {}
		110 |   )
		111 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.ecs_service
	File: /sg.tf:2-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		2  | resource "aws_security_group" "ecs_service" {
		3  |   name        = "ecs-service-${var.name}-${var.env_name}"
		4  |   description = "Security group for the ${var.env_name} ${var.name} service"
		5  |   vpc_id      = var.account_config.shared_vpc_id
		6  |   tags        = var.tags
		7  |   lifecycle {
		8  |     create_before_destroy = true
		9  |   }
		10 | }


checkov_exitcode=3

TFLint Scan Failed

Show Output
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
terraform/environments/delius-core/modules/components/ldap
terraform/environments/delius-core/modules/components/oracle_db_instance
terraform/environments/delius-core/modules/helpers/delius_microservice

*****************************

Running tflint in terraform/environments/delius-core/modules/components/ldap
Excluding the following checks: terraform_unused_declarations
1 issue(s) found:

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/delius-core/modules/components/ldap/datasync.tf line 97:
  97:         "${module.s3_bucket_ldap_data_refresh.bucket.arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

tflint_exitcode=2

*****************************

Running tflint in terraform/environments/delius-core/modules/components/oracle_db_instance
Excluding the following checks: terraform_unused_declarations
3 issue(s) found:

Warning: Module source "github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance" is not pinned (terraform_module_pinned_source)

  on terraform/environments/delius-core/modules/components/oracle_db_instance/instance.tf line 24:
  24:   source = "github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_module_pinned_source.md

Warning: `server_type_tag` variable has no type (terraform_typed_variables)

  on terraform/environments/delius-core/modules/components/oracle_db_instance/variables.tf line 36:
  36: variable "server_type_tag" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_typed_variables.md

Warning: `database_tag_prefix` variable has no type (terraform_typed_variables)

  on terraform/environments/delius-core/modules/components/oracle_db_instance/variables.tf line 41:
  41: variable "database_tag_prefix" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_typed_variables.md

tflint_exitcode=4

*****************************

Running tflint in terraform/environments/delius-core/modules/helpers/delius_microservice
Excluding the following checks: terraform_unused_declarations
1 issue(s) found:

Warning: Missing version constraint for provider "random" in `required_providers` (terraform_required_providers)

  on terraform/environments/delius-core/modules/helpers/delius_microservice/load_balancing.tf line 1:
   1: resource "random_id" "suffix" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

tflint_exitcode=6

Trivy Scan Failed

Show Output
*****************************

Trivy will check the following folders:
terraform/environments/delius-core/modules/components/ldap
terraform/environments/delius-core/modules/components/oracle_db_instance
terraform/environments/delius-core/modules/helpers/delius_microservice

*****************************

Running Trivy in terraform/environments/delius-core/modules/components/ldap
2024-08-19T15:35:40Z	INFO	[db] Need to update DB
2024-08-19T15:35:40Z	INFO	[db] Downloading DB...	repository="ghcr.io/aquasecurity/trivy-db:2"
2024-08-19T15:35:43Z	INFO	[vuln] Vulnerability scanning is enabled
2024-08-19T15:35:43Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-08-19T15:35:43Z	INFO	Need to update the built-in policies
2024-08-19T15:35:43Z	INFO	Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-08-19T15:35:43Z	INFO	[secret] Secret scanning is enabled
2024-08-19T15:35:43Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-08-19T15:35:43Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.54/docs/scanner/secret#recommendation for faster secret detection
2024-08-19T15:35:45Z	INFO	Number of language-specific files	num=0
2024-08-19T15:35:45Z	INFO	Detected config files	num=10

sg.tf (terraform)
=================
Tests: 10 (SUCCESSES: 9, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 sg.tf:17
   via sg.tf:11-19 (aws_security_group_rule.allow_all_egress)
────────────────────────────────────────
  11   resource "aws_security_group_rule" "allow_all_egress" {
  12     description       = "Allow all outbound traffic to any IPv4 address"
  13     type              = "egress"
  14     from_port         = 0
  15     to_port           = 0
  16     protocol          = "-1"
  17 [   cidr_blocks       = ["0.0.0.0/0"]
  18     security_group_id = aws_security_group.ldap.id
  19   }
────────────────────────────────────────


trivy_exitcode=1

*****************************

Running Trivy in terraform/environments/delius-core/modules/components/oracle_db_instance
2024-08-19T15:35:45Z	INFO	[vuln] Vulnerability scanning is enabled
2024-08-19T15:35:45Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-08-19T15:35:45Z	INFO	[secret] Secret scanning is enabled
2024-08-19T15:35:45Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-08-19T15:35:45Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.54/docs/scanner/secret#recommendation for faster secret detection
2024-08-19T15:35:47Z	INFO	Number of language-specific files	num=0
2024-08-19T15:35:47Z	INFO	Detected config files	num=2
trivy_exitcode=1

*****************************

Running Trivy in terraform/environments/delius-core/modules/helpers/delius_microservice
2024-08-19T15:35:47Z	INFO	[vuln] Vulnerability scanning is enabled
2024-08-19T15:35:47Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-08-19T15:35:47Z	INFO	[secret] Secret scanning is enabled
2024-08-19T15:35:47Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-08-19T15:35:47Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.54/docs/scanner/secret#recommendation for faster secret detection
2024-08-19T15:35:49Z	INFO	Number of language-specific files	num=0
2024-08-19T15:35:49Z	INFO	Detected config files	num=5

sg.tf (terraform)
=================
Tests: 3 (SUCCESSES: 2, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 sg.tf:47
   via sg.tf:41-49 (aws_security_group_rule.ecs_service_tls_egress)
────────────────────────────────────────
  41   resource "aws_security_group_rule" "ecs_service_tls_egress" {
  42     description       = "Allow all outbound traffic to any IPv4 address on 443"
  43     type              = "egress"
  44     from_port         = 443
  45     to_port           = 443
  46     protocol          = "tcp"
  47 [   cidr_blocks       = ["0.0.0.0/0"]
  48     security_group_id = aws_security_group.ecs_service.id
  49   }
────────────────────────────────────────


trivy_exitcode=2


Trivy Scan Failed

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/delius-core/modules/components/ldap
terraform/environments/delius-core/modules/components/oracle_db_instance
terraform/environments/delius-core/modules/helpers/delius_microservice


Running Trivy in terraform/environments/delius-core/modules/components/ldap
2024-08-19T16:03:14Z INFO [db] Need to update DB
2024-08-19T16:03:14Z INFO [db] Downloading DB... repository="ghcr.io/aquasecurity/trivy-db:2"
2024-08-19T16:03:16Z INFO [vuln] Vulnerability scanning is enabled
2024-08-19T16:03:16Z INFO [misconfig] Misconfiguration scanning is enabled
2024-08-19T16:03:16Z INFO Need to update the built-in policies
2024-08-19T16:03:16Z INFO Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-08-19T16:03:16Z INFO [secret] Secret scanning is enabled
2024-08-19T16:03:16Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-08-19T16:03:16Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.54/docs/scanner/secret#recommendation for faster secret detection
2024-08-19T16:03:17Z INFO Number of language-specific files num=0
2024-08-19T16:03:17Z INFO Detected config files num=10

sg.tf (terraform)

Tests: 10 (SUCCESSES: 9, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
sg.tf:17
via sg.tf:11-19 (aws_security_group_rule.allow_all_egress)
────────────────────────────────────────
11 resource "aws_security_group_rule" "allow_all_egress" {
12 description = "Allow all outbound traffic to any IPv4 address"
13 type = "egress"
14 from_port = 0
15 to_port = 0
16 protocol = "-1"
17 [ cidr_blocks = ["0.0.0.0/0"]
18 security_group_id = aws_security_group.ldap.id
19 }
────────────────────────────────────────

trivy_exitcode=1


Running Trivy in terraform/environments/delius-core/modules/components/oracle_db_instance
2024-08-19T16:03:17Z INFO [vuln] Vulnerability scanning is enabled
2024-08-19T16:03:17Z INFO [misconfig] Misconfiguration scanning is enabled
2024-08-19T16:03:17Z INFO [secret] Secret scanning is enabled
2024-08-19T16:03:17Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-08-19T16:03:17Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.54/docs/scanner/secret#recommendation for faster secret detection
2024-08-19T16:03:18Z INFO Number of language-specific files num=0
2024-08-19T16:03:18Z INFO Detected config files num=2
trivy_exitcode=1


Running Trivy in terraform/environments/delius-core/modules/helpers/delius_microservice
2024-08-19T16:03:19Z INFO [vuln] Vulnerability scanning is enabled
2024-08-19T16:03:19Z INFO [misconfig] Misconfiguration scanning is enabled
2024-08-19T16:03:19Z INFO [secret] Secret scanning is enabled
2024-08-19T16:03:19Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-08-19T16:03:19Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.54/docs/scanner/secret#recommendation for faster secret detection
2024-08-19T16:03:20Z INFO Number of language-specific files num=0
2024-08-19T16:03:20Z INFO Detected config files num=5

sg.tf (terraform)

Tests: 3 (SUCCESSES: 2, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
sg.tf:47
via sg.tf:41-49 (aws_security_group_rule.ecs_service_tls_egress)
────────────────────────────────────────
41 resource "aws_security_group_rule" "ecs_service_tls_egress" {
42 description = "Allow all outbound traffic to any IPv4 address on 443"
43 type = "egress"
44 from_port = 443
45 to_port = 443
46 protocol = "tcp"
47 [ cidr_blocks = ["0.0.0.0/0"]
48 security_group_id = aws_security_group.ecs_service.id
49 }
────────────────────────────────────────

trivy_exitcode=2

</details>

#### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/delius-core/modules/components/ldap
terraform/environments/delius-core/modules/components/oracle_db_instance
terraform/environments/delius-core/modules/helpers/delius_microservice

*****************************

Running Checkov in terraform/environments/delius-core/modules/components/ldap
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-08-19 16:03:22,562 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 247, Failed checks: 32, Skipped checks: 0

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.delius_core_backup_policy
	File: /backup.tf:69-89
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		69 | data "aws_iam_policy_document" "delius_core_backup_policy" {
		70 |   statement {
		71 |     effect    = "Allow"
		72 |     resources = ["*"]
		73 | 
		74 |     actions = [
		75 |       "backup:CreateBackupPlan",
		76 |       "backup:CreateBackupSelection",
		77 |       "backup:StartBackupJob",
		78 |       "backup:DescribeBackupJob",
		79 |       "backup:ListBackupJobs",
		80 |       "backup:ListBackupVaults",
		81 |       "backup:ListRecoveryPointsByBackupVault",
		82 |       "backup:ListBackupPlanTemplates",
		83 |       "backup:DescribeRestoreJob",
		84 |       "backup:GetRecoveryPointRestoreMetadata",
		85 |       "backup:ListRestoreJobs",
		86 |       "backup:StartRestoreJob"
		87 |     ]
		88 |   }
		89 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.delius_core_backup_policy
	File: /backup.tf:69-89
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		69 | data "aws_iam_policy_document" "delius_core_backup_policy" {
		70 |   statement {
		71 |     effect    = "Allow"
		72 |     resources = ["*"]
		73 | 
		74 |     actions = [
		75 |       "backup:CreateBackupPlan",
		76 |       "backup:CreateBackupSelection",
		77 |       "backup:StartBackupJob",
		78 |       "backup:DescribeBackupJob",
		79 |       "backup:ListBackupJobs",
		80 |       "backup:ListBackupVaults",
		81 |       "backup:ListRecoveryPointsByBackupVault",
		82 |       "backup:ListBackupPlanTemplates",
		83 |       "backup:DescribeRestoreJob",
		84 |       "backup:GetRecoveryPointRestoreMetadata",
		85 |       "backup:ListRestoreJobs",
		86 |       "backup:StartRestoreJob"
		87 |     ]
		88 |   }
		89 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.efs_backup_policy
	File: /backup.tf:97-134
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		97  | data "aws_iam_policy_document" "efs_backup_policy" {
		98  |   statement {
		99  |     effect    = "Allow"
		100 |     resources = ["*"]
		101 | 
		102 |     actions = [
		103 |       "efs:DescribeFileSystems",
		104 |       "efs:CreateBackup",
		105 |       "efs:DeleteBackup",
		106 |       "efs:DescribeBackups",
		107 |       "efs:CreateTags",
		108 |       "efs:UntagResource",
		109 |       "efs:TagResource",
		110 |       "efs:DescribeTags",
		111 |       "elasticfilesystem:Backup",
		112 |       "elasticfilesystem:DescribeTags",
		113 |       "elasticfilesystem:CreateAccessPoint",
		114 |       "elasticfilesystem:CreateFileSystem",
		115 |       "elasticfilesystem:CreateMountTarget",
		116 |       "elasticfilesystem:DeleteAccessPoint",
		117 |       "elasticfilesystem:DeleteFileSystem",
		118 |       "elasticfilesystem:DeleteMountTarget",
		119 |       "elasticfilesystem:DescribeAccessPoints",
		120 |       "elasticfilesystem:DescribeFileSystemPolicy",
		121 |       "elasticfilesystem:DescribeFileSystems",
		122 |       "elasticfilesystem:DescribeLifecycleConfiguration",
		123 |       "elasticfilesystem:DescribeMountTargets",
		124 |       "elasticfilesystem:DescribeMountTargetSecurityGroups",
		125 |       "elasticfilesystem:PutBackupPolicy",
		126 |       "elasticfilesystem:PutFileSystemPolicy",
		127 |       "elasticfilesystem:PutLifecycleConfiguration",
		128 |       "elasticfilesystem:Restore",
		129 |       "elasticfilesystem:TagResource",
		130 |       "elasticfilesystem:UntagResource",
		131 |       "elasticfilesystem:UpdateFileSystem"
		132 |     ]
		133 |   }
		134 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.efs_backup_policy
	File: /backup.tf:97-134
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		97  | data "aws_iam_policy_document" "efs_backup_policy" {
		98  |   statement {
		99  |     effect    = "Allow"
		100 |     resources = ["*"]
		101 | 
		102 |     actions = [
		103 |       "efs:DescribeFileSystems",
		104 |       "efs:CreateBackup",
		105 |       "efs:DeleteBackup",
		106 |       "efs:DescribeBackups",
		107 |       "efs:CreateTags",
		108 |       "efs:UntagResource",
		109 |       "efs:TagResource",
		110 |       "efs:DescribeTags",
		111 |       "elasticfilesystem:Backup",
		112 |       "elasticfilesystem:DescribeTags",
		113 |       "elasticfilesystem:CreateAccessPoint",
		114 |       "elasticfilesystem:CreateFileSystem",
		115 |       "elasticfilesystem:CreateMountTarget",
		116 |       "elasticfilesystem:DeleteAccessPoint",
		117 |       "elasticfilesystem:DeleteFileSystem",
		118 |       "elasticfilesystem:DeleteMountTarget",
		119 |       "elasticfilesystem:DescribeAccessPoints",
		120 |       "elasticfilesystem:DescribeFileSystemPolicy",
		121 |       "elasticfilesystem:DescribeFileSystems",
		122 |       "elasticfilesystem:DescribeLifecycleConfiguration",
		123 |       "elasticfilesystem:DescribeMountTargets",
		124 |       "elasticfilesystem:DescribeMountTargetSecurityGroups",
		125 |       "elasticfilesystem:PutBackupPolicy",
		126 |       "elasticfilesystem:PutFileSystemPolicy",
		127 |       "elasticfilesystem:PutLifecycleConfiguration",
		128 |       "elasticfilesystem:Restore",
		129 |       "elasticfilesystem:TagResource",
		130 |       "elasticfilesystem:UntagResource",
		131 |       "elasticfilesystem:UpdateFileSystem"
		132 |     ]
		133 |   }
		134 | }

Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy_document.efs_backup_policy
	File: /backup.tf:97-134
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint

		97  | data "aws_iam_policy_document" "efs_backup_policy" {
		98  |   statement {
		99  |     effect    = "Allow"
		100 |     resources = ["*"]
		101 | 
		102 |     actions = [
		103 |       "efs:DescribeFileSystems",
		104 |       "efs:CreateBackup",
		105 |       "efs:DeleteBackup",
		106 |       "efs:DescribeBackups",
		107 |       "efs:CreateTags",
		108 |       "efs:UntagResource",
		109 |       "efs:TagResource",
		110 |       "efs:DescribeTags",
		111 |       "elasticfilesystem:Backup",
		112 |       "elasticfilesystem:DescribeTags",
		113 |       "elasticfilesystem:CreateAccessPoint",
		114 |       "elasticfilesystem:CreateFileSystem",
		115 |       "elasticfilesystem:CreateMountTarget",
		116 |       "elasticfilesystem:DeleteAccessPoint",
		117 |       "elasticfilesystem:DeleteFileSystem",
		118 |       "elasticfilesystem:DeleteMountTarget",
		119 |       "elasticfilesystem:DescribeAccessPoints",
		120 |       "elasticfilesystem:DescribeFileSystemPolicy",
		121 |       "elasticfilesystem:DescribeFileSystems",
		122 |       "elasticfilesystem:DescribeLifecycleConfiguration",
		123 |       "elasticfilesystem:DescribeMountTargets",
		124 |       "elasticfilesystem:DescribeMountTargetSecurityGroups",
		125 |       "elasticfilesystem:PutBackupPolicy",
		126 |       "elasticfilesystem:PutFileSystemPolicy",
		127 |       "elasticfilesystem:PutLifecycleConfiguration",
		128 |       "elasticfilesystem:Restore",
		129 |       "elasticfilesystem:TagResource",
		130 |       "elasticfilesystem:UntagResource",
		131 |       "elasticfilesystem:UpdateFileSystem"
		132 |     ]
		133 |   }
		134 | }

Check: CKV_AWS_166: "Ensure Backup Vault is encrypted at rest using KMS CMK"
	FAILED for resource: aws_backup_vault.ldap_backup_vault
	File: /backup.tf:1-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-backup-vault-is-encrypted-at-rest-using-kms-cmk

		1 | resource "aws_backup_vault" "ldap_backup_vault" {
		2 |   name = "${var.env_name}-ldap-efs-vault"
		3 |   tags = merge(
		4 |     var.tags,
		5 |     {
		6 |       Name = "${var.env_name}-ldap-efs-vault"
		7 |     },
		8 |   )
		9 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.ldap_ecs
	File: /cloudwatch.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		1 | resource "aws_cloudwatch_log_group" "ldap_ecs" {
		2 |   name              = "/ecs/ldap-${var.env_name}"
		3 |   retention_in_days = 5
		4 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.ldap_ecs
	File: /cloudwatch.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		1 | resource "aws_cloudwatch_log_group" "ldap_ecs" {
		2 |   name              = "/ecs/ldap-${var.env_name}"
		3 |   retention_in_days = 5
		4 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.ldap_automation
	File: /cloudwatch.tf:6-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		6 | resource "aws_cloudwatch_log_group" "ldap_automation" {
		7 |   name              = "/ecs/ldap-automation-${var.env_name}"
		8 |   retention_in_days = 5
		9 | }
Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.ldap_automation
	File: /cloudwatch.tf:6-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		6 | resource "aws_cloudwatch_log_group" "ldap_automation" {
		7 |   name              = "/ecs/ldap-automation-${var.env_name}"
		8 |   retention_in_days = 5
		9 | }
Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.ldap_datasync_role_access
	File: /datasync.tf:49-88
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		49 | data "aws_iam_policy_document" "ldap_datasync_role_access" {
		50 |   statement {
		51 |     effect = "Allow"
		52 |     actions = [
		53 |       "backup:*",
		54 |       "datasync:*",
		55 |       "elasticfilesystem:*",
		56 |       "ec2:DescribeInstances",
		57 |       "ec2:CreateNetworkInterface",
		58 |       "ec2:AttachNetworkInterface",
		59 |       "ec2:DescribeNetworkInterfaces",
		60 |       "ec2:DeleteNetworkInterface"
		61 |     ]
		62 |     resources = ["*"]
		63 |   }
		64 |   statement {
		65 |     effect = "Allow"
		66 |     actions = [
		67 |       "kms:ListGrants",
		68 |       "kms:GenerateDataKey",
		69 |       "kms:Encrypt",
		70 |       "kms:DescribeKey",
		71 |       "kms:Decrypt",
		72 |       "kms:CreateGrant",
		73 |       "kms:ReEncryptTo",
		74 |       "kms:ReEncryptFrom",
		75 |       "kms:GenerateDataKeyWithoutPlaintext"
		76 |     ]
		77 |     resources = [var.account_config.kms_keys.general_shared]
		78 |   }
		79 |   statement {
		80 |     sid     = "allowAccessForDataSync"
		81 |     effect  = "Allow"
		82 |     actions = ["s3:*"]
		83 |     resources = [
		84 |       "arn:aws:s3:::*-ldap-data-refresh-incoming",
		85 |       "arn:aws:s3:::*-ldap-data-refresh-incoming/*",
		86 |     ]
		87 |   }
		88 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.ldap_datasync_role_access
	File: /datasync.tf:49-88
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		49 | data "aws_iam_policy_document" "ldap_datasync_role_access" {
		50 |   statement {
		51 |     effect = "Allow"
		52 |     actions = [
		53 |       "backup:*",
		54 |       "datasync:*",
		55 |       "elasticfilesystem:*",
		56 |       "ec2:DescribeInstances",
		57 |       "ec2:CreateNetworkInterface",
		58 |       "ec2:AttachNetworkInterface",
		59 |       "ec2:DescribeNetworkInterfaces",
		60 |       "ec2:DeleteNetworkInterface"
		61 |     ]
		62 |     resources = ["*"]
		63 |   }
		64 |   statement {
		65 |     effect = "Allow"
		66 |     actions = [
		67 |       "kms:ListGrants",
		68 |       "kms:GenerateDataKey",
		69 |       "kms:Encrypt",
		70 |       "kms:DescribeKey",
		71 |       "kms:Decrypt",
		72 |       "kms:CreateGrant",
		73 |       "kms:ReEncryptTo",
		74 |       "kms:ReEncryptFrom",
		75 |       "kms:GenerateDataKeyWithoutPlaintext"
		76 |     ]
		77 |     resources = [var.account_config.kms_keys.general_shared]
		78 |   }
		79 |   statement {
		80 |     sid     = "allowAccessForDataSync"
		81 |     effect  = "Allow"
		82 |     actions = ["s3:*"]
		83 |     resources = [
		84 |       "arn:aws:s3:::*-ldap-data-refresh-incoming",
		85 |       "arn:aws:s3:::*-ldap-data-refresh-incoming/*",
		86 |     ]
		87 |   }
		88 | }

Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy_document.ldap_datasync_role_access
	File: /datasync.tf:49-88
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint

		49 | data "aws_iam_policy_document" "ldap_datasync_role_access" {
		50 |   statement {
		51 |     effect = "Allow"
		52 |     actions = [
		53 |       "backup:*",
		54 |       "datasync:*",
		55 |       "elasticfilesystem:*",
		56 |       "ec2:DescribeInstances",
		57 |       "ec2:CreateNetworkInterface",
		58 |       "ec2:AttachNetworkInterface",
		59 |       "ec2:DescribeNetworkInterfaces",
		60 |       "ec2:DeleteNetworkInterface"
		61 |     ]
		62 |     resources = ["*"]
		63 |   }
		64 |   statement {
		65 |     effect = "Allow"
		66 |     actions = [
		67 |       "kms:ListGrants",
		68 |       "kms:GenerateDataKey",
		69 |       "kms:Encrypt",
		70 |       "kms:DescribeKey",
		71 |       "kms:Decrypt",
		72 |       "kms:CreateGrant",
		73 |       "kms:ReEncryptTo",
		74 |       "kms:ReEncryptFrom",
		75 |       "kms:GenerateDataKeyWithoutPlaintext"
		76 |     ]
		77 |     resources = [var.account_config.kms_keys.general_shared]
		78 |   }
		79 |   statement {
		80 |     sid     = "allowAccessForDataSync"
		81 |     effect  = "Allow"
		82 |     actions = ["s3:*"]
		83 |     resources = [
		84 |       "arn:aws:s3:::*-ldap-data-refresh-incoming",
		85 |       "arn:aws:s3:::*-ldap-data-refresh-incoming/*",
		86 |     ]
		87 |   }
		88 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3_bucket_ldap_data_refresh
	File: /datasync.tf:117-131
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		117 | module "s3_bucket_ldap_data_refresh" {
		118 |   source              = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0"
		119 |   bucket_name         = "${var.env_name}-ldap-data-refresh-incoming"
		120 |   versioning_enabled  = false
		121 |   ownership_controls  = "BucketOwnerEnforced"
		122 |   replication_enabled = false
		123 |   custom_kms_key      = var.account_config.kms_keys.general_shared
		124 |   bucket_policy_v2    = local.ldap_refresh_bucket_policies
		125 | 
		126 |   providers = {
		127 |     aws.bucket-replication = aws.bucket-replication
		128 |   }
		129 | 
		130 |   tags = var.tags
		131 | }
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3_bucket_migration
	File: /s3.tf:1-99
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3_bucket_app_deployment
	File: /s3.tf:102-141
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		102 | module "s3_bucket_app_deployment" {
		103 | 
		104 |   source = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0"
		105 | 
		106 |   bucket_prefix      = "ldap-${var.env_name}-deployment-state"
		107 |   versioning_enabled = true
		108 | 
		109 |   providers = {
		110 |     aws.bucket-replication = aws.bucket-replication
		111 |   }
		112 | 
		113 |   lifecycle_rule = [
		114 |     {
		115 |       id      = "main"
		116 |       enabled = "Enabled"
		117 |       prefix  = ""
		118 | 
		119 |       tags = {
		120 |         rule      = "log"
		121 |         autoclean = "true"
		122 |       }
		123 | 
		124 |       noncurrent_version_transition = [
		125 |         {
		126 |           days          = 90
		127 |           storage_class = "STANDARD_IA"
		128 |           }, {
		129 |           days          = 365
		130 |           storage_class = "GLACIER"
		131 |         }
		132 |       ]
		133 | 
		134 |       noncurrent_version_expiration = {
		135 |         days = 730
		136 |       }
		137 |     }
		138 |   ]
		139 | 
		140 |   tags = var.tags
		141 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_ldap_host
	File: /secrets.tf:5-15
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		5  | resource "aws_ssm_parameter" "delius_core_ldap_host" {
		6  |   name  = format("/%s-%s/LDAP_HOST", var.account_info.application_name, var.env_name)
		7  |   type  = "SecureString"
		8  |   value = "INITIAL_VALUE_OVERRIDDEN"
		9  |   lifecycle {
		10 |     ignore_changes = [
		11 |       value
		12 |     ]
		13 |   }
		14 |   tags = var.tags
		15 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_ldap_principal
	File: /secrets.tf:21-31
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		21 | resource "aws_ssm_parameter" "delius_core_ldap_principal" {
		22 |   name  = format("/%s-%s/LDAP_PRINCIPAL", var.account_info.application_name, var.env_name)
		23 |   type  = "SecureString"
		24 |   value = "INITIAL_VALUE_OVERRIDDEN"
		25 |   lifecycle {
		26 |     ignore_changes = [
		27 |       value
		28 |     ]
		29 |   }
		30 |   tags = var.tags
		31 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_ldap_seed_uri
	File: /secrets.tf:37-47
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		37 | resource "aws_ssm_parameter" "delius_core_ldap_seed_uri" {
		38 |   name  = format("/%s-%s/LDAP_SEED_URI", var.account_info.application_name, var.env_name)
		39 |   type  = "SecureString"
		40 |   value = "INITIAL_VALUE_OVERRIDDEN"
		41 |   lifecycle {
		42 |     ignore_changes = [
		43 |       value
		44 |     ]
		45 |   }
		46 |   tags = var.tags
		47 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_ldap_bind_password
	File: /secrets.tf:53-63
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		53 | resource "aws_ssm_parameter" "delius_core_ldap_bind_password" {
		54 |   name  = format("/%s-%s/LDAP_BIND_PASSWORD", var.account_info.application_name, var.env_name)
		55 |   type  = "SecureString"
		56 |   value = "INITIAL_VALUE_OVERRIDDEN"
		57 |   lifecycle {
		58 |     ignore_changes = [
		59 |       value
		60 |     ]
		61 |   }
		62 |   tags = var.tags
		63 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_ldap_rbac_version
	File: /secrets.tf:82-92
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		82 | resource "aws_ssm_parameter" "delius_core_ldap_rbac_version" {
		83 |   name  = format("/%s-%s/LDAP_RBAC_VERSION", var.account_info.application_name, var.env_name)
		84 |   type  = "SecureString"
		85 |   value = "INITIAL_VALUE_OVERRIDDEN"
		86 |   lifecycle {
		87 |     ignore_changes = [
		88 |       value
		89 |     ]
		90 |   }
		91 |   tags = var.tags
		92 | }
Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group_rule.efs_ingress_ldap
	File: /sg.tf:65-72
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		65 | resource "aws_security_group_rule" "efs_ingress_ldap" {
		66 |   type                     = "ingress"
		67 |   from_port                = 2049
		68 |   to_port                  = 2049
		69 |   protocol                 = "tcp"
		70 |   source_security_group_id = module.efs.sg_id
		71 |   security_group_id        = aws_security_group.ldap.id
		72 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.ldap_ecs_policies.aws_iam_policy_document.task_exec
	File: /../../helpers/ecs_policies/main.tf:104-122
	Calling File: /ldap_policies.tf:1-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		104 | data "aws_iam_policy_document" "task_exec" {
		105 |   statement {
		106 |     effect    = "Allow"
		107 |     resources = ["*"]
		108 | 
		109 |     actions = concat([
		110 |       "ssm:GetParameters",
		111 |       "ecr:GetAuthorizationToken",
		112 |       "ecr:BatchCheckLayerAvailability",
		113 |       "ecr:GetDownloadUrlForLayer",
		114 |       "ecr:BatchGetImage",
		115 |       "logs:CreateLogGroup",
		116 |       "logs:CreateLogStream",
		117 |       "logs:PutLogEvents",
		118 |       "secretsmanager:GetSecretValue",
		119 |       "kms:Decrypt",
		120 |     ], var.extra_exec_role_allow_statements)
		121 |   }
		122 | }

Check: CKV_AWS_108: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: module.ldap_ecs_policies.aws_iam_policy_document.task_exec
	File: /../../helpers/ecs_policies/main.tf:104-122
	Calling File: /ldap_policies.tf:1-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-data-exfiltration

		104 | data "aws_iam_policy_document" "task_exec" {
		105 |   statement {
		106 |     effect    = "Allow"
		107 |     resources = ["*"]
		108 | 
		109 |     actions = concat([
		110 |       "ssm:GetParameters",
		111 |       "ecr:GetAuthorizationToken",
		112 |       "ecr:BatchCheckLayerAvailability",
		113 |       "ecr:GetDownloadUrlForLayer",
		114 |       "ecr:BatchGetImage",
		115 |       "logs:CreateLogGroup",
		116 |       "logs:CreateLogStream",
		117 |       "logs:PutLogEvents",
		118 |       "secretsmanager:GetSecretValue",
		119 |       "kms:Decrypt",
		120 |     ], var.extra_exec_role_allow_statements)
		121 |   }
		122 | }

Check: CKV_AWS_329: "EFS access points should enforce a root directory"
	FAILED for resource: module.efs.aws_efs_access_point.ldap
	File: /../../helpers/efs/main.tf:26-37
	Calling File: /efs.tf:1-17
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-329

		26 | resource "aws_efs_access_point" "ldap" {
		27 |   file_system_id = aws_efs_file_system.this.id
		28 |   root_directory {
		29 |     path = "/"
		30 |   }
		31 |   tags = merge(
		32 |     var.tags,
		33 |     {
		34 |       Name = "${var.env_name}-${var.name}-efs-access-point"
		35 |     }
		36 |   )
		37 | }

Check: CKV_AWS_330: "EFS access points should enforce a user identity"
	FAILED for resource: module.efs.aws_efs_access_point.ldap
	File: /../../helpers/efs/main.tf:26-37
	Calling File: /efs.tf:1-17
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-330

		26 | resource "aws_efs_access_point" "ldap" {
		27 |   file_system_id = aws_efs_file_system.this.id
		28 |   root_directory {
		29 |     path = "/"
		30 |   }
		31 |   tags = merge(
		32 |     var.tags,
		33 |     {
		34 |       Name = "${var.env_name}-${var.name}-efs-access-point"
		35 |     }
		36 |   )
		37 | }

Check: CKV_AWS_152: "Ensure that Load Balancer (Network/Gateway) has cross-zone load balancing enabled"
	FAILED for resource: module.nlb.aws_lb.this
	File: /../../helpers/nlb/main.tf:1-12
	Calling File: /nlb.tf:1-23
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-load-balancer-networkgateway-has-cross-zone-load-balancing-enabled

		1  | resource "aws_lb" "this" {
		2  |   name                       = "${var.app_name}-${var.env_name}-nlb"
		3  |   internal                   = var.internal
		4  |   load_balancer_type         = var.load_balancer_type
		5  |   subnets                    = var.subnet_ids
		6  |   drop_invalid_header_fields = var.drop_invalid_header_fields
		7  |   enable_deletion_protection = var.enable_deletion_protection
		8  | 
		9  | 
		10 | 
		11 |   tags = var.tags
		12 | }

Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
	FAILED for resource: module.nlb.aws_lb.this
	File: /../../helpers/nlb/main.tf:1-12
	Calling File: /nlb.tf:1-23
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22

		1  | resource "aws_lb" "this" {
		2  |   name                       = "${var.app_name}-${var.env_name}-nlb"
		3  |   internal                   = var.internal
		4  |   load_balancer_type         = var.load_balancer_type
		5  |   subnets                    = var.subnet_ids
		6  |   drop_invalid_header_fields = var.drop_invalid_header_fields
		7  |   enable_deletion_protection = var.enable_deletion_protection
		8  | 
		9  | 
		10 | 
		11 |   tags = var.tags
		12 | }

Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
	FAILED for resource: module.nlb.aws_lb.this
	File: /../../helpers/nlb/main.tf:1-12
	Calling File: /nlb.tf:1-23
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-150

		1  | resource "aws_lb" "this" {
		2  |   name                       = "${var.app_name}-${var.env_name}-nlb"
		3  |   internal                   = var.internal
		4  |   load_balancer_type         = var.load_balancer_type
		5  |   subnets                    = var.subnet_ids
		6  |   drop_invalid_header_fields = var.drop_invalid_header_fields
		7  |   enable_deletion_protection = var.enable_deletion_protection
		8  | 
		9  | 
		10 | 
		11 |   tags = var.tags
		12 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: module.ldap_admin_password.aws_secretsmanager_secret.this
	File: /../../helpers/secret/main.tf:1-6
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		1 | resource "aws_secretsmanager_secret" "this" {
		2 |   name        = var.name
		3 |   description = var.description
		4 |   kms_key_id  = var.kms_key_id
		5 |   tags        = var.tags
		6 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.ldap
	File: /sg.tf:1-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		1 | resource "aws_security_group" "ldap" {
		2 |   name        = "${var.env_name}-ldap-sg"
		3 |   description = "Security group for the ${var.env_name} ldap service"
		4 |   vpc_id      = var.account_info.vpc_id
		5 |   tags        = var.tags
		6 |   lifecycle {
		7 |     create_before_destroy = true
		8 |   }
		9 | }

Check: CKV_AWS_103: "Ensure that load balancer is using at least TLS 1.2"
	FAILED for resource: module.nlb.aws_lb_listener.ldaps
	File: /../../helpers/nlb/main.tf:32-50
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-43

		32 | resource "aws_lb_listener" "ldaps" {
		33 |   load_balancer_arn = aws_lb.this.arn
		34 |   port              = var.secure_port
		35 |   protocol          = "TLS"
		36 | 
		37 |   default_action {
		38 |     type             = "forward"
		39 |     target_group_arn = aws_lb_target_group.this.arn
		40 |   }
		41 | 
		42 |   certificate_arn = var.certificate_arn
		43 | 
		44 |   tags = merge(
		45 |     var.tags,
		46 |     {
		47 |       Name = var.app_name
		48 |     }
		49 |   )
		50 | }


checkov_exitcode=1

*****************************

Running Checkov in terraform/environments/delius-core/modules/components/oracle_db_instance
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-08-19 16:03:25,347 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 0, Failed checks: 2, Skipped checks: 0

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: instance
	File: /instance.tf:23-66
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		23 | module "instance" {
		24 |   source = "github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance"
		25 | 
		26 |   providers = {
		27 |     aws.core-vpc = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		28 |   }
		29 | 
		30 |   name = "${var.account_info.application_name}-${var.env_name}-${var.db_suffix}-${local.instance_name_index}" # e.g. dev-boe-db-1
		31 | 
		32 |   ami_name                      = data.aws_ami.oracle_db.name
		33 |   ami_owner                     = var.db_ami.owner
		34 |   instance                      = local.instance_config
		35 |   ebs_kms_key_id                = var.account_config.kms_keys.general_shared
		36 |   ebs_volumes_copy_all_from_ami = true
		37 |   ebs_volume_config             = var.ebs_volume_config
		38 |   ebs_volumes                   = var.ebs_volumes
		39 |   ebs_volume_tags               = var.tags
		40 |   # route53_records               = merge(local.ec2_test.route53_records, lookup(each.value, "route53_records", {})) # revist
		41 |   route53_records = {
		42 |     create_internal_record = false
		43 |     create_external_record = false
		44 |   }
		45 |   iam_resource_names_prefix = "instance"
		46 |   instance_profile_policies = var.instance_profile_policies
		47 | 
		48 |   user_data_raw = base64encode(var.user_data)
		49 | 
		50 |   business_unit     = var.account_info.business_unit
		51 |   application_name  = var.account_info.application_name
		52 |   environment       = var.account_info.mp_environment
		53 |   region            = "eu-west-2"
		54 |   availability_zone = var.availability_zone
		55 |   subnet_id         = var.subnet_id
		56 |   tags = merge(var.tags,
		57 |     { Name = "${var.account_info.application_name}-${var.env_name}-${var.db_suffix}-${local.instance_name_index}" },
		58 |     { server-type = var.server_type_tag },
		59 |     { database = local.database_tag },
		60 |     var.enable_platform_backups != null ? { "backup" = var.enable_platform_backups ? "true" : "false" } : {}
		61 |   )
		62 | 
		63 |   cloudwatch_metric_alarms = merge(
		64 |     local.cloudwatch_metric_alarms.ec2
		65 |   )
		66 | }

Check: CKV_TF_2: "Ensure Terraform module sources use a tag with a version number"
	FAILED for resource: instance
	File: /instance.tf:23-66
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-tag

		23 | module "instance" {
		24 |   source = "github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance"
		25 | 
		26 |   providers = {
		27 |     aws.core-vpc = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		28 |   }
		29 | 
		30 |   name = "${var.account_info.application_name}-${var.env_name}-${var.db_suffix}-${local.instance_name_index}" # e.g. dev-boe-db-1
		31 | 
		32 |   ami_name                      = data.aws_ami.oracle_db.name
		33 |   ami_owner                     = var.db_ami.owner
		34 |   instance                      = local.instance_config
		35 |   ebs_kms_key_id                = var.account_config.kms_keys.general_shared
		36 |   ebs_volumes_copy_all_from_ami = true
		37 |   ebs_volume_config             = var.ebs_volume_config
		38 |   ebs_volumes                   = var.ebs_volumes
		39 |   ebs_volume_tags               = var.tags
		40 |   # route53_records               = merge(local.ec2_test.route53_records, lookup(each.value, "route53_records", {})) # revist
		41 |   route53_records = {
		42 |     create_internal_record = false
		43 |     create_external_record = false
		44 |   }
		45 |   iam_resource_names_prefix = "instance"
		46 |   instance_profile_policies = var.instance_profile_policies
		47 | 
		48 |   user_data_raw = base64encode(var.user_data)
		49 | 
		50 |   business_unit     = var.account_info.business_unit
		51 |   application_name  = var.account_info.application_name
		52 |   environment       = var.account_info.mp_environment
		53 |   region            = "eu-west-2"
		54 |   availability_zone = var.availability_zone
		55 |   subnet_id         = var.subnet_id
		56 |   tags = merge(var.tags,
		57 |     { Name = "${var.account_info.application_name}-${var.env_name}-${var.db_suffix}-${local.instance_name_index}" },
		58 |     { server-type = var.server_type_tag },
		59 |     { database = local.database_tag },
		60 |     var.enable_platform_backups != null ? { "backup" = var.enable_platform_backups ? "true" : "false" } : {}
		61 |   )
		62 | 
		63 |   cloudwatch_metric_alarms = merge(
		64 |     local.cloudwatch_metric_alarms.ec2
		65 |   )
		66 | }


checkov_exitcode=2

*****************************

Running Checkov in terraform/environments/delius-core/modules/helpers/delius_microservice
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-08-19 16:03:28,082 [MainThread  ] [WARNI]  Failed to download module git::https://github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//container?ref=v4.3.0:None (for external modules, the --download-external-modules flag is required)
2024-08-19 16:03:28,083 [MainThread  ] [WARNI]  Failed to download module git::https://github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//service?ref=v4.3.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 167, Failed checks: 15, Skipped checks: 2

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.ecs
	File: /cloudwatch.tf:1-5
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		1 | resource "aws_cloudwatch_log_group" "ecs" {
		2 |   name              = "${var.env_name}-${var.name}"
		3 |   retention_in_days = 7
		4 |   tags              = var.tags
		5 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.ecs
	File: /cloudwatch.tf:1-5
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		1 | resource "aws_cloudwatch_log_group" "ecs" {
		2 |   name              = "${var.env_name}-${var.name}"
		3 |   retention_in_days = 7
		4 |   tags              = var.tags
		5 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: container_definition
	File: /ecs.tf:1-25
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		1  | module "container_definition" {
		2  |   source                   = "git::https://github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//container?ref=v4.3.0"
		3  |   name                     = var.name
		4  |   image                    = var.container_image
		5  |   memory                   = var.container_memory
		6  |   cpu                      = var.container_cpu
		7  |   essential                = true
		8  |   readonly_root_filesystem = false
		9  | 
		10 |   environment = local.calculated_container_vars_list
		11 | 
		12 |   health_check = var.health_check
		13 | 
		14 |   secrets       = local.calculated_container_secrets_list
		15 |   port_mappings = var.container_port_config
		16 |   mount_points  = var.mount_points
		17 |   log_configuration = {
		18 |     logDriver = "awslogs"
		19 |     options = {
		20 |       "awslogs-group"         = aws_cloudwatch_log_group.ecs.name
		21 |       "awslogs-region"        = "eu-west-2"
		22 |       "awslogs-stream-prefix" = "${var.env_name}-${var.name}"
		23 |     }
		24 |   }
		25 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: ecs_service
	File: /ecs.tf:35-72
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		35 | module "ecs_service" {
		36 |   source                = "git::https://github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//service?ref=v4.3.0"
		37 |   container_definitions = nonsensitive(module.container_definition.json_encoded_list)
		38 |   cluster_arn           = var.ecs_cluster_arn
		39 |   name                  = var.name
		40 | 
		41 |   task_cpu    = var.container_cpu
		42 |   task_memory = var.container_memory
		43 | 
		44 |   desired_count                      = var.desired_count
		45 |   deployment_maximum_percent         = var.deployment_maximum_percent
		46 |   deployment_minimum_healthy_percent = var.deployment_minimum_healthy_percent
		47 | 
		48 |   service_role_arn   = "arn:aws:iam::${var.account_info.id}:role/${module.ecs_policies.service_role.name}"
		49 |   task_role_arn      = "arn:aws:iam::${var.account_info.id}:role/${module.ecs_policies.task_role.name}"
		50 |   task_exec_role_arn = "arn:aws:iam::${var.account_info.id}:role/${module.ecs_policies.task_exec_role.name}"
		51 | 
		52 |   health_check_grace_period_seconds = var.health_check_grace_period_seconds
		53 | 
		54 |   service_load_balancers = var.microservice_lb != null ? concat([{
		55 |     target_group_arn = aws_lb_target_group.frontend[0].arn
		56 |     container_name   = var.name
		57 |     container_port   = var.container_port_config[0].containerPort
		58 |     }],
		59 |   values(local.ecs_nlbs)) : values(local.ecs_nlbs)
		60 | 
		61 |   efs_volumes = var.efs_volumes
		62 | 
		63 |   security_groups = [aws_security_group.ecs_service.id]
		64 | 
		65 |   subnets = var.account_config.private_subnet_ids
		66 | 
		67 |   enable_execute_command = true
		68 | 
		69 |   ignore_changes = var.ignore_changes_service_task_definition
		70 | 
		71 |   tags = var.tags
		72 | }

Check: CKV_AWS_152: "Ensure that Load Balancer (Network/Gateway) has cross-zone load balancing enabled"
	FAILED for resource: aws_lb.delius_microservices
	File: /load_balancing.tf:90-98
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-load-balancer-networkgateway-has-cross-zone-load-balancing-enabled

		90 | resource "aws_lb" "delius_microservices" {
		91 |   name                       = "${var.name}-${var.env_name}-service-nlb"
		92 |   internal                   = true
		93 |   load_balancer_type         = "network"
		94 |   security_groups            = [aws_security_group.delius_microservices_service_nlb.id]
		95 |   subnets                    = var.account_config.private_subnet_ids
		96 |   enable_deletion_protection = false
		97 |   tags                       = var.tags
		98 | }

Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
	FAILED for resource: aws_lb.delius_microservices
	File: /load_balancing.tf:90-98
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22

		90 | resource "aws_lb" "delius_microservices" {
		91 |   name                       = "${var.name}-${var.env_name}-service-nlb"
		92 |   internal                   = true
		93 |   load_balancer_type         = "network"
		94 |   security_groups            = [aws_security_group.delius_microservices_service_nlb.id]
		95 |   subnets                    = var.account_config.private_subnet_ids
		96 |   enable_deletion_protection = false
		97 |   tags                       = var.tags
		98 | }

Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
	FAILED for resource: aws_lb.delius_microservices
	File: /load_balancing.tf:90-98
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-150

		90 | resource "aws_lb" "delius_microservices" {
		91 |   name                       = "${var.name}-${var.env_name}-service-nlb"
		92 |   internal                   = true
		93 |   load_balancer_type         = "network"
		94 |   security_groups            = [aws_security_group.delius_microservices_service_nlb.id]
		95 |   subnets                    = var.account_config.private_subnet_ids
		96 |   enable_deletion_protection = false
		97 |   tags                       = var.tags
		98 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_ingress_rule.from_vpc
	File: /load_balancing.tf:110-114
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		110 | resource "aws_vpc_security_group_ingress_rule" "from_vpc" {
		111 |   cidr_ipv4         = var.account_config.shared_vpc_cidr
		112 |   ip_protocol       = "-1"
		113 |   security_group_id = aws_security_group.delius_microservices_service_nlb.id
		114 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.nlb_to_ecs_service
	File: /load_balancing.tf:116-123
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		116 | resource "aws_vpc_security_group_egress_rule" "nlb_to_ecs_service" {
		117 |   for_each                     = toset([for _, v in var.container_port_config : tostring(v.containerPort)])
		118 |   ip_protocol                  = "TCP"
		119 |   from_port                    = each.value
		120 |   to_port                      = each.value
		121 |   security_group_id            = aws_security_group.delius_microservices_service_nlb.id
		122 |   referenced_security_group_id = aws_security_group.ecs_service.id
		123 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group_rule.all_cluster_to_ecs_service_tcp
	File: /sg.tf:51-59
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		51 | resource "aws_security_group_rule" "all_cluster_to_ecs_service_tcp" {
		52 |   for_each                 = toset([for _, v in var.container_port_config : tostring(v.containerPort)])
		53 |   security_group_id        = aws_security_group.ecs_service.id
		54 |   type                     = "ingress"
		55 |   from_port                = each.value
		56 |   to_port                  = each.value
		57 |   protocol                 = "tcp"
		58 |   source_security_group_id = var.cluster_security_group_id
		59 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group_rule.bastion_to_ecs_service_tcp
	File: /sg.tf:61-69
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		61 | resource "aws_security_group_rule" "bastion_to_ecs_service_tcp" {
		62 |   for_each                 = toset([for _, v in var.container_port_config : tostring(v.containerPort)])
		63 |   security_group_id        = aws_security_group.ecs_service.id
		64 |   type                     = "ingress"
		65 |   from_port                = each.value
		66 |   to_port                  = each.value
		67 |   protocol                 = "tcp"
		68 |   source_security_group_id = var.bastion_sg_id
		69 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.ecs_policies.aws_iam_policy_document.task_exec
	File: /../ecs_policies/main.tf:104-122
	Calling File: /ecs.tf:27-33
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		104 | data "aws_iam_policy_document" "task_exec" {
		105 |   statement {
		106 |     effect    = "Allow"
		107 |     resources = ["*"]
		108 | 
		109 |     actions = concat([
		110 |       "ssm:GetParameters",
		111 |       "ecr:GetAuthorizationToken",
		112 |       "ecr:BatchCheckLayerAvailability",
		113 |       "ecr:GetDownloadUrlForLayer",
		114 |       "ecr:BatchGetImage",
		115 |       "logs:CreateLogGroup",
		116 |       "logs:CreateLogStream",
		117 |       "logs:PutLogEvents",
		118 |       "secretsmanager:GetSecretValue",
		119 |       "kms:Decrypt",
		120 |     ], var.extra_exec_role_allow_statements)
		121 |   }
		122 | }

Check: CKV_AWS_108: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: module.ecs_policies.aws_iam_policy_document.task_exec
	File: /../ecs_policies/main.tf:104-122
	Calling File: /ecs.tf:27-33
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-data-exfiltration

		104 | data "aws_iam_policy_document" "task_exec" {
		105 |   statement {
		106 |     effect    = "Allow"
		107 |     resources = ["*"]
		108 | 
		109 |     actions = concat([
		110 |       "ssm:GetParameters",
		111 |       "ecr:GetAuthorizationToken",
		112 |       "ecr:BatchCheckLayerAvailability",
		113 |       "ecr:GetDownloadUrlForLayer",
		114 |       "ecr:BatchGetImage",
		115 |       "logs:CreateLogGroup",
		116 |       "logs:CreateLogStream",
		117 |       "logs:PutLogEvents",
		118 |       "secretsmanager:GetSecretValue",
		119 |       "kms:Decrypt",
		120 |     ], var.extra_exec_role_allow_statements)
		121 |   }
		122 | }

Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
	FAILED for resource: aws_db_instance.this
	File: /rds.tf:65-111
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-60

		65  | resource "aws_db_instance" "this" {
		66  |   count          = var.create_rds ? 1 : 0
		67  |   engine         = var.rds_engine
		68  |   license_model  = var.rds_license_model != null ? var.rds_license_model : null
		69  |   engine_version = var.rds_engine_version
		70  |   instance_class = var.rds_instance_class
		71  |   identifier     = "${var.name}-${var.env_name}-db"
		72  |   username       = var.rds_username
		73  | 
		74  |   manage_master_user_password = true
		75  | 
		76  |   snapshot_identifier = var.snapshot_identifier != null ? var.snapshot_identifier : null
		77  | 
		78  |   kms_key_id = var.account_config.kms_keys.rds_shared
		79  | 
		80  |   allow_major_version_upgrade = var.rds_allow_major_version_upgrade
		81  |   apply_immediately           = var.rds_apply_immediately
		82  | 
		83  |   # tflint-ignore: aws_db_instance_default_parameter_group
		84  |   parameter_group_name                = var.rds_parameter_group_name
		85  |   deletion_protection                 = var.rds_deletion_protection
		86  |   delete_automated_backups            = var.rds_delete_automated_backups
		87  |   skip_final_snapshot                 = var.rds_skip_final_snapshot
		88  |   final_snapshot_identifier           = !var.rds_skip_final_snapshot ? "${var.name}-${var.env_name}-db-final-${random_id.rds_suffix.hex}" : null
		89  |   allocated_storage                   = var.rds_allocated_storage
		90  |   max_allocated_storage               = var.rds_max_allocated_storage
		91  |   storage_type                        = var.rds_storage_type
		92  |   maintenance_window                  = var.maintenance_window
		93  |   auto_minor_version_upgrade          = true
		94  |   backup_window                       = var.rds_backup_window
		95  |   backup_retention_period             = var.rds_backup_retention_period
		96  |   iam_database_authentication_enabled = var.rds_iam_database_authentication_enabled
		97  |   db_subnet_group_name                = aws_db_subnet_group.this[0].id
		98  |   vpc_security_group_ids              = [aws_security_group.db[0].id]
		99  |   multi_az                            = var.rds_multi_az
		100 |   monitoring_interval                 = var.rds_monitoring_interval
		101 |   monitoring_role_arn                 = var.rds_monitoring_interval != null || var.rds_monitoring_interval != 0 ? aws_iam_role.rds_enhanced_monitoring[0].arn : null
		102 |   #checkov:skip=CKV_AWS_118: "enhanced monitoring is enabled, but optional"
		103 |   storage_encrypted               = true
		104 |   performance_insights_enabled    = var.rds_performance_insights_enabled
		105 |   performance_insights_kms_key_id = var.rds_performance_insights_enabled ? var.account_config.kms_keys.general_shared : null
		106 |   enabled_cloudwatch_logs_exports = var.rds_enabled_cloudwatch_logs_exports
		107 |   tags = merge(var.tags,
		108 |     { Name = lower(format("%s-%s-database", var.name, var.env_name)) },
		109 |     var.enable_platform_backups != null ? { "backup" = var.enable_platform_backups ? "true" : "false" } : {}
		110 |   )
		111 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.ecs_service
	File: /sg.tf:2-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		2  | resource "aws_security_group" "ecs_service" {
		3  |   name        = "ecs-service-${var.name}-${var.env_name}"
		4  |   description = "Security group for the ${var.env_name} ${var.name} service"
		5  |   vpc_id      = var.account_config.shared_vpc_id
		6  |   tags        = var.tags
		7  |   lifecycle {
		8  |     create_before_destroy = true
		9  |   }
		10 | }


checkov_exitcode=3

TFLint Scan Failed

Show Output
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
terraform/environments/delius-core/modules/components/ldap
terraform/environments/delius-core/modules/components/oracle_db_instance
terraform/environments/delius-core/modules/helpers/delius_microservice

*****************************

Running tflint in terraform/environments/delius-core/modules/components/ldap
Excluding the following checks: terraform_unused_declarations
Failed to load configurations; terraform/environments/delius-core/modules/components/ldap/locals.tf:26,84-86: Invalid escape sequence; The symbol "s" is not a valid escape sequence selector.:

Error: Invalid escape sequence

  on terraform/environments/delius-core/modules/components/ldap/locals.tf line 26, in locals:
  26:   formatted_error_codes = [for error_code in local.error_codes : "err=${error_code}\s"]

The symbol "s" is not a valid escape sequence selector.

tflint_exitcode=1

*****************************

Running tflint in terraform/environments/delius-core/modules/components/oracle_db_instance
Excluding the following checks: terraform_unused_declarations
3 issue(s) found:

Warning: Module source "github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance" is not pinned (terraform_module_pinned_source)

  on terraform/environments/delius-core/modules/components/oracle_db_instance/instance.tf line 24:
  24:   source = "github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_module_pinned_source.md

Warning: `server_type_tag` variable has no type (terraform_typed_variables)

  on terraform/environments/delius-core/modules/components/oracle_db_instance/variables.tf line 36:
  36: variable "server_type_tag" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_typed_variables.md

Warning: `database_tag_prefix` variable has no type (terraform_typed_variables)

  on terraform/environments/delius-core/modules/components/oracle_db_instance/variables.tf line 41:
  41: variable "database_tag_prefix" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_typed_variables.md

tflint_exitcode=3

*****************************

Running tflint in terraform/environments/delius-core/modules/helpers/delius_microservice
Excluding the following checks: terraform_unused_declarations
1 issue(s) found:

Warning: Missing version constraint for provider "random" in `required_providers` (terraform_required_providers)

  on terraform/environments/delius-core/modules/helpers/delius_microservice/load_balancing.tf line 1:
   1: resource "random_id" "suffix" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

tflint_exitcode=5

Trivy Scan Failed

Show Output
*****************************

Trivy will check the following folders:
terraform/environments/delius-core/modules/components/ldap
terraform/environments/delius-core/modules/components/oracle_db_instance
terraform/environments/delius-core/modules/helpers/delius_microservice

*****************************

Running Trivy in terraform/environments/delius-core/modules/components/ldap
2024-08-19T16:03:14Z	INFO	[db] Need to update DB
2024-08-19T16:03:14Z	INFO	[db] Downloading DB...	repository="ghcr.io/aquasecurity/trivy-db:2"
2024-08-19T16:03:16Z	INFO	[vuln] Vulnerability scanning is enabled
2024-08-19T16:03:16Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-08-19T16:03:16Z	INFO	Need to update the built-in policies
2024-08-19T16:03:16Z	INFO	Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s
2024-08-19T16:03:16Z	INFO	[secret] Secret scanning is enabled
2024-08-19T16:03:16Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-08-19T16:03:16Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.54/docs/scanner/secret#recommendation for faster secret detection
2024-08-19T16:03:17Z	INFO	Number of language-specific files	num=0
2024-08-19T16:03:17Z	INFO	Detected config files	num=10

sg.tf (terraform)
=================
Tests: 10 (SUCCESSES: 9, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 sg.tf:17
   via sg.tf:11-19 (aws_security_group_rule.allow_all_egress)
────────────────────────────────────────
  11   resource "aws_security_group_rule" "allow_all_egress" {
  12     description       = "Allow all outbound traffic to any IPv4 address"
  13     type              = "egress"
  14     from_port         = 0
  15     to_port           = 0
  16     protocol          = "-1"
  17 [   cidr_blocks       = ["0.0.0.0/0"]
  18     security_group_id = aws_security_group.ldap.id
  19   }
────────────────────────────────────────


trivy_exitcode=1

*****************************

Running Trivy in terraform/environments/delius-core/modules/components/oracle_db_instance
2024-08-19T16:03:17Z	INFO	[vuln] Vulnerability scanning is enabled
2024-08-19T16:03:17Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-08-19T16:03:17Z	INFO	[secret] Secret scanning is enabled
2024-08-19T16:03:17Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-08-19T16:03:17Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.54/docs/scanner/secret#recommendation for faster secret detection
2024-08-19T16:03:18Z	INFO	Number of language-specific files	num=0
2024-08-19T16:03:18Z	INFO	Detected config files	num=2
trivy_exitcode=1

*****************************

Running Trivy in terraform/environments/delius-core/modules/helpers/delius_microservice
2024-08-19T16:03:19Z	INFO	[vuln] Vulnerability scanning is enabled
2024-08-19T16:03:19Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-08-19T16:03:19Z	INFO	[secret] Secret scanning is enabled
2024-08-19T16:03:19Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-08-19T16:03:19Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.54/docs/scanner/secret#recommendation for faster secret detection
2024-08-19T16:03:20Z	INFO	Number of language-specific files	num=0
2024-08-19T16:03:20Z	INFO	Detected config files	num=5

sg.tf (terraform)
=================
Tests: 3 (SUCCESSES: 2, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 sg.tf:47
   via sg.tf:41-49 (aws_security_group_rule.ecs_service_tls_egress)
────────────────────────────────────────
  41   resource "aws_security_group_rule" "ecs_service_tls_egress" {
  42     description       = "Allow all outbound traffic to any IPv4 address on 443"
  43     type              = "egress"
  44     from_port         = 443
  45     to_port           = 443
  46     protocol          = "tcp"
  47 [   cidr_blocks       = ["0.0.0.0/0"]
  48     security_group_id = aws_security_group.ecs_service.id
  49   }
────────────────────────────────────────


trivy_exitcode=2


Trivy Scan Failed

Show Output

Trivy will check the following folders:
terraform/environments/delius-core/modules/components/ldap
terraform/environments/delius-core/modules/components/oracle_db_instance
terraform/environments/delius-core/modules/helpers/delius_microservice


Running Trivy in terraform/environments/delius-core/modules/components/ldap
2024-08-19T16:08:51Z INFO [db] Need to update DB
2024-08-19T16:08:51Z INFO [db] Downloading DB... repository="ghcr.io/aquasecurity/trivy-db:2"
2024-08-19T16:08:53Z INFO [vuln] Vulnerability scanning is enabled
2024-08-19T16:08:53Z INFO [misconfig] Misconfiguration scanning is enabled
2024-08-19T16:08:53Z INFO Need to update the built-in policies
2024-08-19T16:08:53Z INFO Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s
2024-08-19T16:08:53Z INFO [secret] Secret scanning is enabled
2024-08-19T16:08:53Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-08-19T16:08:53Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.54/docs/scanner/secret#recommendation for faster secret detection
2024-08-19T16:08:54Z INFO Number of language-specific files num=0
2024-08-19T16:08:54Z INFO Detected config files num=10

sg.tf (terraform)
=================
Tests: 10 (SUCCESSES: 9, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 sg.tf:17
   via sg.tf:11-19 (aws_security_group_rule.allow_all_egress)
────────────────────────────────────────
  11   resource "aws_security_group_rule" "allow_all_egress" {
  12     description       = "Allow all outbound traffic to any IPv4 address"
  13     type              = "egress"
  14     from_port         = 0
  15     to_port           = 0
  16     protocol          = "-1"
  17 [   cidr_blocks       = ["0.0.0.0/0"]
  18     security_group_id = aws_security_group.ldap.id
  19   }
────────────────────────────────────────

trivy_exitcode=1


Running Trivy in terraform/environments/delius-core/modules/components/oracle_db_instance
2024-08-19T16:08:55Z INFO [vuln] Vulnerability scanning is enabled
2024-08-19T16:08:55Z INFO [misconfig] Misconfiguration scanning is enabled
2024-08-19T16:08:55Z INFO [secret] Secret scanning is enabled
2024-08-19T16:08:55Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-08-19T16:08:55Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.54/docs/scanner/secret#recommendation for faster secret detection
2024-08-19T16:08:56Z INFO Number of language-specific files num=0
2024-08-19T16:08:56Z INFO Detected config files num=2
trivy_exitcode=1


Running Trivy in terraform/environments/delius-core/modules/helpers/delius_microservice
2024-08-19T16:08:56Z INFO [vuln] Vulnerability scanning is enabled
2024-08-19T16:08:56Z INFO [misconfig] Misconfiguration scanning is enabled
2024-08-19T16:08:56Z INFO [secret] Secret scanning is enabled
2024-08-19T16:08:56Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-08-19T16:08:56Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.54/docs/scanner/secret#recommendation for faster secret detection
2024-08-19T16:08:57Z INFO Number of language-specific files num=0
2024-08-19T16:08:57Z INFO Detected config files num=5

sg.tf (terraform)
=================
Tests: 3 (SUCCESSES: 2, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 sg.tf:47
   via sg.tf:41-49 (aws_security_group_rule.ecs_service_tls_egress)
────────────────────────────────────────
  41   resource "aws_security_group_rule" "ecs_service_tls_egress" {
  42     description       = "Allow all outbound traffic to any IPv4 address on 443"
  43     type              = "egress"
  44     from_port         = 443
  45     to_port           = 443
  46     protocol          = "tcp"
  47 [   cidr_blocks       = ["0.0.0.0/0"]
  48     security_group_id = aws_security_group.ecs_service.id
  49   }
────────────────────────────────────────

trivy_exitcode=2

Checkov Scan Failed

Show Output

*****************************

Checkov will check the following folders:
terraform/environments/delius-core/modules/components/ldap
terraform/environments/delius-core/modules/components/oracle_db_instance
terraform/environments/delius-core/modules/helpers/delius_microservice

*****************************

Running Checkov in terraform/environments/delius-core/modules/components/ldap
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-08-19 16:08:59,917 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 247, Failed checks: 32, Skipped checks: 0

Check: CKV_AWS_166: "Ensure Backup Vault is encrypted at rest using KMS CMK"
	FAILED for resource: aws_backup_vault.ldap_backup_vault
	File: /backup.tf:1-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-backup-vault-is-encrypted-at-rest-using-kms-cmk

		1 | resource "aws_backup_vault" "ldap_backup_vault" {
		2 |   name = "${var.env_name}-ldap-efs-vault"
		3 |   tags = merge(
		4 |     var.tags,
		5 |     {
		6 |       Name = "${var.env_name}-ldap-efs-vault"
		7 |     },
		8 |   )
		9 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.delius_core_backup_policy
	File: /backup.tf:69-89
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		69 | data "aws_iam_policy_document" "delius_core_backup_policy" {
		70 |   statement {
		71 |     effect    = "Allow"
		72 |     resources = ["*"]
		73 | 
		74 |     actions = [
		75 |       "backup:CreateBackupPlan",
		76 |       "backup:CreateBackupSelection",
		77 |       "backup:StartBackupJob",
		78 |       "backup:DescribeBackupJob",
		79 |       "backup:ListBackupJobs",
		80 |       "backup:ListBackupVaults",
		81 |       "backup:ListRecoveryPointsByBackupVault",
		82 |       "backup:ListBackupPlanTemplates",
		83 |       "backup:DescribeRestoreJob",
		84 |       "backup:GetRecoveryPointRestoreMetadata",
		85 |       "backup:ListRestoreJobs",
		86 |       "backup:StartRestoreJob"
		87 |     ]
		88 |   }
		89 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.delius_core_backup_policy
	File: /backup.tf:69-89
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		69 | data "aws_iam_policy_document" "delius_core_backup_policy" {
		70 |   statement {
		71 |     effect    = "Allow"
		72 |     resources = ["*"]
		73 | 
		74 |     actions = [
		75 |       "backup:CreateBackupPlan",
		76 |       "backup:CreateBackupSelection",
		77 |       "backup:StartBackupJob",
		78 |       "backup:DescribeBackupJob",
		79 |       "backup:ListBackupJobs",
		80 |       "backup:ListBackupVaults",
		81 |       "backup:ListRecoveryPointsByBackupVault",
		82 |       "backup:ListBackupPlanTemplates",
		83 |       "backup:DescribeRestoreJob",
		84 |       "backup:GetRecoveryPointRestoreMetadata",
		85 |       "backup:ListRestoreJobs",
		86 |       "backup:StartRestoreJob"
		87 |     ]
		88 |   }
		89 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.efs_backup_policy
	File: /backup.tf:97-134
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		97  | data "aws_iam_policy_document" "efs_backup_policy" {
		98  |   statement {
		99  |     effect    = "Allow"
		100 |     resources = ["*"]
		101 | 
		102 |     actions = [
		103 |       "efs:DescribeFileSystems",
		104 |       "efs:CreateBackup",
		105 |       "efs:DeleteBackup",
		106 |       "efs:DescribeBackups",
		107 |       "efs:CreateTags",
		108 |       "efs:UntagResource",
		109 |       "efs:TagResource",
		110 |       "efs:DescribeTags",
		111 |       "elasticfilesystem:Backup",
		112 |       "elasticfilesystem:DescribeTags",
		113 |       "elasticfilesystem:CreateAccessPoint",
		114 |       "elasticfilesystem:CreateFileSystem",
		115 |       "elasticfilesystem:CreateMountTarget",
		116 |       "elasticfilesystem:DeleteAccessPoint",
		117 |       "elasticfilesystem:DeleteFileSystem",
		118 |       "elasticfilesystem:DeleteMountTarget",
		119 |       "elasticfilesystem:DescribeAccessPoints",
		120 |       "elasticfilesystem:DescribeFileSystemPolicy",
		121 |       "elasticfilesystem:DescribeFileSystems",
		122 |       "elasticfilesystem:DescribeLifecycleConfiguration",
		123 |       "elasticfilesystem:DescribeMountTargets",
		124 |       "elasticfilesystem:DescribeMountTargetSecurityGroups",
		125 |       "elasticfilesystem:PutBackupPolicy",
		126 |       "elasticfilesystem:PutFileSystemPolicy",
		127 |       "elasticfilesystem:PutLifecycleConfiguration",
		128 |       "elasticfilesystem:Restore",
		129 |       "elasticfilesystem:TagResource",
		130 |       "elasticfilesystem:UntagResource",
		131 |       "elasticfilesystem:UpdateFileSystem"
		132 |     ]
		133 |   }
		134 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.efs_backup_policy
	File: /backup.tf:97-134
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		97  | data "aws_iam_policy_document" "efs_backup_policy" {
		98  |   statement {
		99  |     effect    = "Allow"
		100 |     resources = ["*"]
		101 | 
		102 |     actions = [
		103 |       "efs:DescribeFileSystems",
		104 |       "efs:CreateBackup",
		105 |       "efs:DeleteBackup",
		106 |       "efs:DescribeBackups",
		107 |       "efs:CreateTags",
		108 |       "efs:UntagResource",
		109 |       "efs:TagResource",
		110 |       "efs:DescribeTags",
		111 |       "elasticfilesystem:Backup",
		112 |       "elasticfilesystem:DescribeTags",
		113 |       "elasticfilesystem:CreateAccessPoint",
		114 |       "elasticfilesystem:CreateFileSystem",
		115 |       "elasticfilesystem:CreateMountTarget",
		116 |       "elasticfilesystem:DeleteAccessPoint",
		117 |       "elasticfilesystem:DeleteFileSystem",
		118 |       "elasticfilesystem:DeleteMountTarget",
		119 |       "elasticfilesystem:DescribeAccessPoints",
		120 |       "elasticfilesystem:DescribeFileSystemPolicy",
		121 |       "elasticfilesystem:DescribeFileSystems",
		122 |       "elasticfilesystem:DescribeLifecycleConfiguration",
		123 |       "elasticfilesystem:DescribeMountTargets",
		124 |       "elasticfilesystem:DescribeMountTargetSecurityGroups",
		125 |       "elasticfilesystem:PutBackupPolicy",
		126 |       "elasticfilesystem:PutFileSystemPolicy",
		127 |       "elasticfilesystem:PutLifecycleConfiguration",
		128 |       "elasticfilesystem:Restore",
		129 |       "elasticfilesystem:TagResource",
		130 |       "elasticfilesystem:UntagResource",
		131 |       "elasticfilesystem:UpdateFileSystem"
		132 |     ]
		133 |   }
		134 | }

Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy_document.efs_backup_policy
	File: /backup.tf:97-134
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint

		97  | data "aws_iam_policy_document" "efs_backup_policy" {
		98  |   statement {
		99  |     effect    = "Allow"
		100 |     resources = ["*"]
		101 | 
		102 |     actions = [
		103 |       "efs:DescribeFileSystems",
		104 |       "efs:CreateBackup",
		105 |       "efs:DeleteBackup",
		106 |       "efs:DescribeBackups",
		107 |       "efs:CreateTags",
		108 |       "efs:UntagResource",
		109 |       "efs:TagResource",
		110 |       "efs:DescribeTags",
		111 |       "elasticfilesystem:Backup",
		112 |       "elasticfilesystem:DescribeTags",
		113 |       "elasticfilesystem:CreateAccessPoint",
		114 |       "elasticfilesystem:CreateFileSystem",
		115 |       "elasticfilesystem:CreateMountTarget",
		116 |       "elasticfilesystem:DeleteAccessPoint",
		117 |       "elasticfilesystem:DeleteFileSystem",
		118 |       "elasticfilesystem:DeleteMountTarget",
		119 |       "elasticfilesystem:DescribeAccessPoints",
		120 |       "elasticfilesystem:DescribeFileSystemPolicy",
		121 |       "elasticfilesystem:DescribeFileSystems",
		122 |       "elasticfilesystem:DescribeLifecycleConfiguration",
		123 |       "elasticfilesystem:DescribeMountTargets",
		124 |       "elasticfilesystem:DescribeMountTargetSecurityGroups",
		125 |       "elasticfilesystem:PutBackupPolicy",
		126 |       "elasticfilesystem:PutFileSystemPolicy",
		127 |       "elasticfilesystem:PutLifecycleConfiguration",
		128 |       "elasticfilesystem:Restore",
		129 |       "elasticfilesystem:TagResource",
		130 |       "elasticfilesystem:UntagResource",
		131 |       "elasticfilesystem:UpdateFileSystem"
		132 |     ]
		133 |   }
		134 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.ldap_ecs
	File: /cloudwatch.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		1 | resource "aws_cloudwatch_log_group" "ldap_ecs" {
		2 |   name              = "/ecs/ldap-${var.env_name}"
		3 |   retention_in_days = 5
		4 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.ldap_ecs
	File: /cloudwatch.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		1 | resource "aws_cloudwatch_log_group" "ldap_ecs" {
		2 |   name              = "/ecs/ldap-${var.env_name}"
		3 |   retention_in_days = 5
		4 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.ldap_automation
	File: /cloudwatch.tf:6-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		6 | resource "aws_cloudwatch_log_group" "ldap_automation" {
		7 |   name              = "/ecs/ldap-automation-${var.env_name}"
		8 |   retention_in_days = 5
		9 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.ldap_automation
	File: /cloudwatch.tf:6-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		6 | resource "aws_cloudwatch_log_group" "ldap_automation" {
		7 |   name              = "/ecs/ldap-automation-${var.env_name}"
		8 |   retention_in_days = 5
		9 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3_bucket_ldap_data_refresh
	File: /datasync.tf:117-131
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		117 | module "s3_bucket_ldap_data_refresh" {
		118 |   source              = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0"
		119 |   bucket_name         = "${var.env_name}-ldap-data-refresh-incoming"
		120 |   versioning_enabled  = false
		121 |   ownership_controls  = "BucketOwnerEnforced"
		122 |   replication_enabled = false
		123 |   custom_kms_key      = var.account_config.kms_keys.general_shared
		124 |   bucket_policy_v2    = local.ldap_refresh_bucket_policies
		125 | 
		126 |   providers = {
		127 |     aws.bucket-replication = aws.bucket-replication
		128 |   }
		129 | 
		130 |   tags = var.tags
		131 | }
Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.ldap_datasync_role_access
	File: /datasync.tf:49-88
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		49 | data "aws_iam_policy_document" "ldap_datasync_role_access" {
		50 |   statement {
		51 |     effect = "Allow"
		52 |     actions = [
		53 |       "backup:*",
		54 |       "datasync:*",
		55 |       "elasticfilesystem:*",
		56 |       "ec2:DescribeInstances",
		57 |       "ec2:CreateNetworkInterface",
		58 |       "ec2:AttachNetworkInterface",
		59 |       "ec2:DescribeNetworkInterfaces",
		60 |       "ec2:DeleteNetworkInterface"
		61 |     ]
		62 |     resources = ["*"]
		63 |   }
		64 |   statement {
		65 |     effect = "Allow"
		66 |     actions = [
		67 |       "kms:ListGrants",
		68 |       "kms:GenerateDataKey",
		69 |       "kms:Encrypt",
		70 |       "kms:DescribeKey",
		71 |       "kms:Decrypt",
		72 |       "kms:CreateGrant",
		73 |       "kms:ReEncryptTo",
		74 |       "kms:ReEncryptFrom",
		75 |       "kms:GenerateDataKeyWithoutPlaintext"
		76 |     ]
		77 |     resources = [var.account_config.kms_keys.general_shared]
		78 |   }
		79 |   statement {
		80 |     sid     = "allowAccessForDataSync"
		81 |     effect  = "Allow"
		82 |     actions = ["s3:*"]
		83 |     resources = [
		84 |       "arn:aws:s3:::*-ldap-data-refresh-incoming",
		85 |       "arn:aws:s3:::*-ldap-data-refresh-incoming/*",
		86 |     ]
		87 |   }
		88 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.ldap_datasync_role_access
	File: /datasync.tf:49-88
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		49 | data "aws_iam_policy_document" "ldap_datasync_role_access" {
		50 |   statement {
		51 |     effect = "Allow"
		52 |     actions = [
		53 |       "backup:*",
		54 |       "datasync:*",
		55 |       "elasticfilesystem:*",
		56 |       "ec2:DescribeInstances",
		57 |       "ec2:CreateNetworkInterface",
		58 |       "ec2:AttachNetworkInterface",
		59 |       "ec2:DescribeNetworkInterfaces",
		60 |       "ec2:DeleteNetworkInterface"
		61 |     ]
		62 |     resources = ["*"]
		63 |   }
		64 |   statement {
		65 |     effect = "Allow"
		66 |     actions = [
		67 |       "kms:ListGrants",
		68 |       "kms:GenerateDataKey",
		69 |       "kms:Encrypt",
		70 |       "kms:DescribeKey",
		71 |       "kms:Decrypt",
		72 |       "kms:CreateGrant",
		73 |       "kms:ReEncryptTo",
		74 |       "kms:ReEncryptFrom",
		75 |       "kms:GenerateDataKeyWithoutPlaintext"
		76 |     ]
		77 |     resources = [var.account_config.kms_keys.general_shared]
		78 |   }
		79 |   statement {
		80 |     sid     = "allowAccessForDataSync"
		81 |     effect  = "Allow"
		82 |     actions = ["s3:*"]
		83 |     resources = [
		84 |       "arn:aws:s3:::*-ldap-data-refresh-incoming",
		85 |       "arn:aws:s3:::*-ldap-data-refresh-incoming/*",
		86 |     ]
		87 |   }
		88 | }

Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy_document.ldap_datasync_role_access
	File: /datasync.tf:49-88
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint

		49 | data "aws_iam_policy_document" "ldap_datasync_role_access" {
		50 |   statement {
		51 |     effect = "Allow"
		52 |     actions = [
		53 |       "backup:*",
		54 |       "datasync:*",
		55 |       "elasticfilesystem:*",
		56 |       "ec2:DescribeInstances",
		57 |       "ec2:CreateNetworkInterface",
		58 |       "ec2:AttachNetworkInterface",
		59 |       "ec2:DescribeNetworkInterfaces",
		60 |       "ec2:DeleteNetworkInterface"
		61 |     ]
		62 |     resources = ["*"]
		63 |   }
		64 |   statement {
		65 |     effect = "Allow"
		66 |     actions = [
		67 |       "kms:ListGrants",
		68 |       "kms:GenerateDataKey",
		69 |       "kms:Encrypt",
		70 |       "kms:DescribeKey",
		71 |       "kms:Decrypt",
		72 |       "kms:CreateGrant",
		73 |       "kms:ReEncryptTo",
		74 |       "kms:ReEncryptFrom",
		75 |       "kms:GenerateDataKeyWithoutPlaintext"
		76 |     ]
		77 |     resources = [var.account_config.kms_keys.general_shared]
		78 |   }
		79 |   statement {
		80 |     sid     = "allowAccessForDataSync"
		81 |     effect  = "Allow"
		82 |     actions = ["s3:*"]
		83 |     resources = [
		84 |       "arn:aws:s3:::*-ldap-data-refresh-incoming",
		85 |       "arn:aws:s3:::*-ldap-data-refresh-incoming/*",
		86 |     ]
		87 |   }
		88 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3_bucket_migration
	File: /s3.tf:1-99
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3_bucket_app_deployment
	File: /s3.tf:102-141
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		102 | module "s3_bucket_app_deployment" {
		103 | 
		104 |   source = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0"
		105 | 
		106 |   bucket_prefix      = "ldap-${var.env_name}-deployment-state"
		107 |   versioning_enabled = true
		108 | 
		109 |   providers = {
		110 |     aws.bucket-replication = aws.bucket-replication
		111 |   }
		112 | 
		113 |   lifecycle_rule = [
		114 |     {
		115 |       id      = "main"
		116 |       enabled = "Enabled"
		117 |       prefix  = ""
		118 | 
		119 |       tags = {
		120 |         rule      = "log"
		121 |         autoclean = "true"
		122 |       }
		123 | 
		124 |       noncurrent_version_transition = [
		125 |         {
		126 |           days          = 90
		127 |           storage_class = "STANDARD_IA"
		128 |           }, {
		129 |           days          = 365
		130 |           storage_class = "GLACIER"
		131 |         }
		132 |       ]
		133 | 
		134 |       noncurrent_version_expiration = {
		135 |         days = 730
		136 |       }
		137 |     }
		138 |   ]
		139 | 
		140 |   tags = var.tags
		141 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_ldap_host
	File: /secrets.tf:5-15
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		5  | resource "aws_ssm_parameter" "delius_core_ldap_host" {
		6  |   name  = format("/%s-%s/LDAP_HOST", var.account_info.application_name, var.env_name)
		7  |   type  = "SecureString"
		8  |   value = "INITIAL_VALUE_OVERRIDDEN"
		9  |   lifecycle {
		10 |     ignore_changes = [
		11 |       value
		12 |     ]
		13 |   }
		14 |   tags = var.tags
		15 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_ldap_principal
	File: /secrets.tf:21-31
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		21 | resource "aws_ssm_parameter" "delius_core_ldap_principal" {
		22 |   name  = format("/%s-%s/LDAP_PRINCIPAL", var.account_info.application_name, var.env_name)
		23 |   type  = "SecureString"
		24 |   value = "INITIAL_VALUE_OVERRIDDEN"
		25 |   lifecycle {
		26 |     ignore_changes = [
		27 |       value
		28 |     ]
		29 |   }
		30 |   tags = var.tags
		31 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_ldap_seed_uri
	File: /secrets.tf:37-47
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		37 | resource "aws_ssm_parameter" "delius_core_ldap_seed_uri" {
		38 |   name  = format("/%s-%s/LDAP_SEED_URI", var.account_info.application_name, var.env_name)
		39 |   type  = "SecureString"
		40 |   value = "INITIAL_VALUE_OVERRIDDEN"
		41 |   lifecycle {
		42 |     ignore_changes = [
		43 |       value
		44 |     ]
		45 |   }
		46 |   tags = var.tags
		47 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_ldap_bind_password
	File: /secrets.tf:53-63
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		53 | resource "aws_ssm_parameter" "delius_core_ldap_bind_password" {
		54 |   name  = format("/%s-%s/LDAP_BIND_PASSWORD", var.account_info.application_name, var.env_name)
		55 |   type  = "SecureString"
		56 |   value = "INITIAL_VALUE_OVERRIDDEN"
		57 |   lifecycle {
		58 |     ignore_changes = [
		59 |       value
		60 |     ]
		61 |   }
		62 |   tags = var.tags
		63 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_ldap_rbac_version
	File: /secrets.tf:82-92
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		82 | resource "aws_ssm_parameter" "delius_core_ldap_rbac_version" {
		83 |   name  = format("/%s-%s/LDAP_RBAC_VERSION", var.account_info.application_name, var.env_name)
		84 |   type  = "SecureString"
		85 |   value = "INITIAL_VALUE_OVERRIDDEN"
		86 |   lifecycle {
		87 |     ignore_changes = [
		88 |       value
		89 |     ]
		90 |   }
		91 |   tags = var.tags
		92 | }
Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group_rule.efs_ingress_ldap
	File: /sg.tf:65-72
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		65 | resource "aws_security_group_rule" "efs_ingress_ldap" {
		66 |   type                     = "ingress"
		67 |   from_port                = 2049
		68 |   to_port                  = 2049
		69 |   protocol                 = "tcp"
		70 |   source_security_group_id = module.efs.sg_id
		71 |   security_group_id        = aws_security_group.ldap.id
		72 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.ldap_ecs_policies.aws_iam_policy_document.task_exec
	File: /../../helpers/ecs_policies/main.tf:104-122
	Calling File: /ldap_policies.tf:1-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		104 | data "aws_iam_policy_document" "task_exec" {
		105 |   statement {
		106 |     effect    = "Allow"
		107 |     resources = ["*"]
		108 | 
		109 |     actions = concat([
		110 |       "ssm:GetParameters",
		111 |       "ecr:GetAuthorizationToken",
		112 |       "ecr:BatchCheckLayerAvailability",
		113 |       "ecr:GetDownloadUrlForLayer",
		114 |       "ecr:BatchGetImage",
		115 |       "logs:CreateLogGroup",
		116 |       "logs:CreateLogStream",
		117 |       "logs:PutLogEvents",
		118 |       "secretsmanager:GetSecretValue",
		119 |       "kms:Decrypt",
		120 |     ], var.extra_exec_role_allow_statements)
		121 |   }
		122 | }

Check: CKV_AWS_108: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: module.ldap_ecs_policies.aws_iam_policy_document.task_exec
	File: /../../helpers/ecs_policies/main.tf:104-122
	Calling File: /ldap_policies.tf:1-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-data-exfiltration

		104 | data "aws_iam_policy_document" "task_exec" {
		105 |   statement {
		106 |     effect    = "Allow"
		107 |     resources = ["*"]
		108 | 
		109 |     actions = concat([
		110 |       "ssm:GetParameters",
		111 |       "ecr:GetAuthorizationToken",
		112 |       "ecr:BatchCheckLayerAvailability",
		113 |       "ecr:GetDownloadUrlForLayer",
		114 |       "ecr:BatchGetImage",
		115 |       "logs:CreateLogGroup",
		116 |       "logs:CreateLogStream",
		117 |       "logs:PutLogEvents",
		118 |       "secretsmanager:GetSecretValue",
		119 |       "kms:Decrypt",
		120 |     ], var.extra_exec_role_allow_statements)
		121 |   }
		122 | }

Check: CKV_AWS_329: "EFS access points should enforce a root directory"
	FAILED for resource: module.efs.aws_efs_access_point.ldap
	File: /../../helpers/efs/main.tf:26-37
	Calling File: /efs.tf:1-17
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-329

		26 | resource "aws_efs_access_point" "ldap" {
		27 |   file_system_id = aws_efs_file_system.this.id
		28 |   root_directory {
		29 |     path = "/"
		30 |   }
		31 |   tags = merge(
		32 |     var.tags,
		33 |     {
		34 |       Name = "${var.env_name}-${var.name}-efs-access-point"
		35 |     }
		36 |   )
		37 | }

Check: CKV_AWS_330: "EFS access points should enforce a user identity"
	FAILED for resource: module.efs.aws_efs_access_point.ldap
	File: /../../helpers/efs/main.tf:26-37
	Calling File: /efs.tf:1-17
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-330

		26 | resource "aws_efs_access_point" "ldap" {
		27 |   file_system_id = aws_efs_file_system.this.id
		28 |   root_directory {
		29 |     path = "/"
		30 |   }
		31 |   tags = merge(
		32 |     var.tags,
		33 |     {
		34 |       Name = "${var.env_name}-${var.name}-efs-access-point"
		35 |     }
		36 |   )
		37 | }

Check: CKV_AWS_152: "Ensure that Load Balancer (Network/Gateway) has cross-zone load balancing enabled"
	FAILED for resource: module.nlb.aws_lb.this
	File: /../../helpers/nlb/main.tf:1-12
	Calling File: /nlb.tf:1-23
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-load-balancer-networkgateway-has-cross-zone-load-balancing-enabled

		1  | resource "aws_lb" "this" {
		2  |   name                       = "${var.app_name}-${var.env_name}-nlb"
		3  |   internal                   = var.internal
		4  |   load_balancer_type         = var.load_balancer_type
		5  |   subnets                    = var.subnet_ids
		6  |   drop_invalid_header_fields = var.drop_invalid_header_fields
		7  |   enable_deletion_protection = var.enable_deletion_protection
		8  | 
		9  | 
		10 | 
		11 |   tags = var.tags
		12 | }

Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
	FAILED for resource: module.nlb.aws_lb.this
	File: /../../helpers/nlb/main.tf:1-12
	Calling File: /nlb.tf:1-23
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22

		1  | resource "aws_lb" "this" {
		2  |   name                       = "${var.app_name}-${var.env_name}-nlb"
		3  |   internal                   = var.internal
		4  |   load_balancer_type         = var.load_balancer_type
		5  |   subnets                    = var.subnet_ids
		6  |   drop_invalid_header_fields = var.drop_invalid_header_fields
		7  |   enable_deletion_protection = var.enable_deletion_protection
		8  | 
		9  | 
		10 | 
		11 |   tags = var.tags
		12 | }

Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
	FAILED for resource: module.nlb.aws_lb.this
	File: /../../helpers/nlb/main.tf:1-12
	Calling File: /nlb.tf:1-23
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-150

		1  | resource "aws_lb" "this" {
		2  |   name                       = "${var.app_name}-${var.env_name}-nlb"
		3  |   internal                   = var.internal
		4  |   load_balancer_type         = var.load_balancer_type
		5  |   subnets                    = var.subnet_ids
		6  |   drop_invalid_header_fields = var.drop_invalid_header_fields
		7  |   enable_deletion_protection = var.enable_deletion_protection
		8  | 
		9  | 
		10 | 
		11 |   tags = var.tags
		12 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: module.ldap_admin_password.aws_secretsmanager_secret.this
	File: /../../helpers/secret/main.tf:1-6
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		1 | resource "aws_secretsmanager_secret" "this" {
		2 |   name        = var.name
		3 |   description = var.description
		4 |   kms_key_id  = var.kms_key_id
		5 |   tags        = var.tags
		6 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.ldap
	File: /sg.tf:1-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		1 | resource "aws_security_group" "ldap" {
		2 |   name        = "${var.env_name}-ldap-sg"
		3 |   description = "Security group for the ${var.env_name} ldap service"
		4 |   vpc_id      = var.account_info.vpc_id
		5 |   tags        = var.tags
		6 |   lifecycle {
		7 |     create_before_destroy = true
		8 |   }
		9 | }

Check: CKV_AWS_103: "Ensure that load balancer is using at least TLS 1.2"
	FAILED for resource: module.nlb.aws_lb_listener.ldaps
	File: /../../helpers/nlb/main.tf:32-50
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-43

		32 | resource "aws_lb_listener" "ldaps" {
		33 |   load_balancer_arn = aws_lb.this.arn
		34 |   port              = var.secure_port
		35 |   protocol          = "TLS"
		36 | 
		37 |   default_action {
		38 |     type             = "forward"
		39 |     target_group_arn = aws_lb_target_group.this.arn
		40 |   }
		41 | 
		42 |   certificate_arn = var.certificate_arn
		43 | 
		44 |   tags = merge(
		45 |     var.tags,
		46 |     {
		47 |       Name = var.app_name
		48 |     }
		49 |   )
		50 | }


checkov_exitcode=1

*****************************

Running Checkov in terraform/environments/delius-core/modules/components/oracle_db_instance
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-08-19 16:09:02,838 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 0, Failed checks: 2, Skipped checks: 0

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: instance
	File: /instance.tf:23-66
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		23 | module "instance" {
		24 |   source = "github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance"
		25 | 
		26 |   providers = {
		27 |     aws.core-vpc = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		28 |   }
		29 | 
		30 |   name = "${var.account_info.application_name}-${var.env_name}-${var.db_suffix}-${local.instance_name_index}" # e.g. dev-boe-db-1
		31 | 
		32 |   ami_name                      = data.aws_ami.oracle_db.name
		33 |   ami_owner                     = var.db_ami.owner
		34 |   instance                      = local.instance_config
		35 |   ebs_kms_key_id                = var.account_config.kms_keys.general_shared
		36 |   ebs_volumes_copy_all_from_ami = true
		37 |   ebs_volume_config             = var.ebs_volume_config
		38 |   ebs_volumes                   = var.ebs_volumes
		39 |   ebs_volume_tags               = var.tags
		40 |   # route53_records               = merge(local.ec2_test.route53_records, lookup(each.value, "route53_records", {})) # revist
		41 |   route53_records = {
		42 |     create_internal_record = false
		43 |     create_external_record = false
		44 |   }
		45 |   iam_resource_names_prefix = "instance"
		46 |   instance_profile_policies = var.instance_profile_policies
		47 | 
		48 |   user_data_raw = base64encode(var.user_data)
		49 | 
		50 |   business_unit     = var.account_info.business_unit
		51 |   application_name  = var.account_info.application_name
		52 |   environment       = var.account_info.mp_environment
		53 |   region            = "eu-west-2"
		54 |   availability_zone = var.availability_zone
		55 |   subnet_id         = var.subnet_id
		56 |   tags = merge(var.tags,
		57 |     { Name = "${var.account_info.application_name}-${var.env_name}-${var.db_suffix}-${local.instance_name_index}" },
		58 |     { server-type = var.server_type_tag },
		59 |     { database = local.database_tag },
		60 |     var.enable_platform_backups != null ? { "backup" = var.enable_platform_backups ? "true" : "false" } : {}
		61 |   )
		62 | 
		63 |   cloudwatch_metric_alarms = merge(
		64 |     local.cloudwatch_metric_alarms.ec2
		65 |   )
		66 | }

Check: CKV_TF_2: "Ensure Terraform module sources use a tag with a version number"
	FAILED for resource: instance
	File: /instance.tf:23-66
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-tag

		23 | module "instance" {
		24 |   source = "github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance"
		25 | 
		26 |   providers = {
		27 |     aws.core-vpc = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		28 |   }
		29 | 
		30 |   name = "${var.account_info.application_name}-${var.env_name}-${var.db_suffix}-${local.instance_name_index}" # e.g. dev-boe-db-1
		31 | 
		32 |   ami_name                      = data.aws_ami.oracle_db.name
		33 |   ami_owner                     = var.db_ami.owner
		34 |   instance                      = local.instance_config
		35 |   ebs_kms_key_id                = var.account_config.kms_keys.general_shared
		36 |   ebs_volumes_copy_all_from_ami = true
		37 |   ebs_volume_config             = var.ebs_volume_config
		38 |   ebs_volumes                   = var.ebs_volumes
		39 |   ebs_volume_tags               = var.tags
		40 |   # route53_records               = merge(local.ec2_test.route53_records, lookup(each.value, "route53_records", {})) # revist
		41 |   route53_records = {
		42 |     create_internal_record = false
		43 |     create_external_record = false
		44 |   }
		45 |   iam_resource_names_prefix = "instance"
		46 |   instance_profile_policies = var.instance_profile_policies
		47 | 
		48 |   user_data_raw = base64encode(var.user_data)
		49 | 
		50 |   business_unit     = var.account_info.business_unit
		51 |   application_name  = var.account_info.application_name
		52 |   environment       = var.account_info.mp_environment
		53 |   region            = "eu-west-2"
		54 |   availability_zone = var.availability_zone
		55 |   subnet_id         = var.subnet_id
		56 |   tags = merge(var.tags,
		57 |     { Name = "${var.account_info.application_name}-${var.env_name}-${var.db_suffix}-${local.instance_name_index}" },
		58 |     { server-type = var.server_type_tag },
		59 |     { database = local.database_tag },
		60 |     var.enable_platform_backups != null ? { "backup" = var.enable_platform_backups ? "true" : "false" } : {}
		61 |   )
		62 | 
		63 |   cloudwatch_metric_alarms = merge(
		64 |     local.cloudwatch_metric_alarms.ec2
		65 |   )
		66 | }


checkov_exitcode=2

*****************************

Running Checkov in terraform/environments/delius-core/modules/helpers/delius_microservice
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-08-19 16:09:05,667 [MainThread  ] [WARNI]  Failed to download module git::https://github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//container?ref=v4.3.0:None (for external modules, the --download-external-modules flag is required)
2024-08-19 16:09:05,667 [MainThread  ] [WARNI]  Failed to download module git::https://github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//service?ref=v4.3.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 167, Failed checks: 15, Skipped checks: 2

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.ecs
	File: /cloudwatch.tf:1-5
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		1 | resource "aws_cloudwatch_log_group" "ecs" {
		2 |   name              = "${var.env_name}-${var.name}"
		3 |   retention_in_days = 7
		4 |   tags              = var.tags
		5 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.ecs
	File: /cloudwatch.tf:1-5
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		1 | resource "aws_cloudwatch_log_group" "ecs" {
		2 |   name              = "${var.env_name}-${var.name}"
		3 |   retention_in_days = 7
		4 |   tags              = var.tags
		5 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: container_definition
	File: /ecs.tf:1-25
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		1  | module "container_definition" {
		2  |   source                   = "git::https://github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//container?ref=v4.3.0"
		3  |   name                     = var.name
		4  |   image                    = var.container_image
		5  |   memory                   = var.container_memory
		6  |   cpu                      = var.container_cpu
		7  |   essential                = true
		8  |   readonly_root_filesystem = false
		9  | 
		10 |   environment = local.calculated_container_vars_list
		11 | 
		12 |   health_check = var.health_check
		13 | 
		14 |   secrets       = local.calculated_container_secrets_list
		15 |   port_mappings = var.container_port_config
		16 |   mount_points  = var.mount_points
		17 |   log_configuration = {
		18 |     logDriver = "awslogs"
		19 |     options = {
		20 |       "awslogs-group"         = aws_cloudwatch_log_group.ecs.name
		21 |       "awslogs-region"        = "eu-west-2"
		22 |       "awslogs-stream-prefix" = "${var.env_name}-${var.name}"
		23 |     }
		24 |   }
		25 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: ecs_service
	File: /ecs.tf:35-72
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		35 | module "ecs_service" {
		36 |   source                = "git::https://github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//service?ref=v4.3.0"
		37 |   container_definitions = nonsensitive(module.container_definition.json_encoded_list)
		38 |   cluster_arn           = var.ecs_cluster_arn
		39 |   name                  = var.name
		40 | 
		41 |   task_cpu    = var.container_cpu
		42 |   task_memory = var.container_memory
		43 | 
		44 |   desired_count                      = var.desired_count
		45 |   deployment_maximum_percent         = var.deployment_maximum_percent
		46 |   deployment_minimum_healthy_percent = var.deployment_minimum_healthy_percent
		47 | 
		48 |   service_role_arn   = "arn:aws:iam::${var.account_info.id}:role/${module.ecs_policies.service_role.name}"
		49 |   task_role_arn      = "arn:aws:iam::${var.account_info.id}:role/${module.ecs_policies.task_role.name}"
		50 |   task_exec_role_arn = "arn:aws:iam::${var.account_info.id}:role/${module.ecs_policies.task_exec_role.name}"
		51 | 
		52 |   health_check_grace_period_seconds = var.health_check_grace_period_seconds
		53 | 
		54 |   service_load_balancers = var.microservice_lb != null ? concat([{
		55 |     target_group_arn = aws_lb_target_group.frontend[0].arn
		56 |     container_name   = var.name
		57 |     container_port   = var.container_port_config[0].containerPort
		58 |     }],
		59 |   values(local.ecs_nlbs)) : values(local.ecs_nlbs)
		60 | 
		61 |   efs_volumes = var.efs_volumes
		62 | 
		63 |   security_groups = [aws_security_group.ecs_service.id]
		64 | 
		65 |   subnets = var.account_config.private_subnet_ids
		66 | 
		67 |   enable_execute_command = true
		68 | 
		69 |   ignore_changes = var.ignore_changes_service_task_definition
		70 | 
		71 |   tags = var.tags
		72 | }

Check: CKV_AWS_152: "Ensure that Load Balancer (Network/Gateway) has cross-zone load balancing enabled"
	FAILED for resource: aws_lb.delius_microservices
	File: /load_balancing.tf:90-98
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-load-balancer-networkgateway-has-cross-zone-load-balancing-enabled

		90 | resource "aws_lb" "delius_microservices" {
		91 |   name                       = "${var.name}-${var.env_name}-service-nlb"
		92 |   internal                   = true
		93 |   load_balancer_type         = "network"
		94 |   security_groups            = [aws_security_group.delius_microservices_service_nlb.id]
		95 |   subnets                    = var.account_config.private_subnet_ids
		96 |   enable_deletion_protection = false
		97 |   tags                       = var.tags
		98 | }

Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
	FAILED for resource: aws_lb.delius_microservices
	File: /load_balancing.tf:90-98
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22

		90 | resource "aws_lb" "delius_microservices" {
		91 |   name                       = "${var.name}-${var.env_name}-service-nlb"
		92 |   internal                   = true
		93 |   load_balancer_type         = "network"
		94 |   security_groups            = [aws_security_group.delius_microservices_service_nlb.id]
		95 |   subnets                    = var.account_config.private_subnet_ids
		96 |   enable_deletion_protection = false
		97 |   tags                       = var.tags
		98 | }

Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
	FAILED for resource: aws_lb.delius_microservices
	File: /load_balancing.tf:90-98
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-150

		90 | resource "aws_lb" "delius_microservices" {
		91 |   name                       = "${var.name}-${var.env_name}-service-nlb"
		92 |   internal                   = true
		93 |   load_balancer_type         = "network"
		94 |   security_groups            = [aws_security_group.delius_microservices_service_nlb.id]
		95 |   subnets                    = var.account_config.private_subnet_ids
		96 |   enable_deletion_protection = false
		97 |   tags                       = var.tags
		98 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_ingress_rule.from_vpc
	File: /load_balancing.tf:110-114
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		110 | resource "aws_vpc_security_group_ingress_rule" "from_vpc" {
		111 |   cidr_ipv4         = var.account_config.shared_vpc_cidr
		112 |   ip_protocol       = "-1"
		113 |   security_group_id = aws_security_group.delius_microservices_service_nlb.id
		114 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.nlb_to_ecs_service
	File: /load_balancing.tf:116-123
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		116 | resource "aws_vpc_security_group_egress_rule" "nlb_to_ecs_service" {
		117 |   for_each                     = toset([for _, v in var.container_port_config : tostring(v.containerPort)])
		118 |   ip_protocol                  = "TCP"
		119 |   from_port                    = each.value
		120 |   to_port                      = each.value
		121 |   security_group_id            = aws_security_group.delius_microservices_service_nlb.id
		122 |   referenced_security_group_id = aws_security_group.ecs_service.id
		123 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group_rule.all_cluster_to_ecs_service_tcp
	File: /sg.tf:51-59
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		51 | resource "aws_security_group_rule" "all_cluster_to_ecs_service_tcp" {
		52 |   for_each                 = toset([for _, v in var.container_port_config : tostring(v.containerPort)])
		53 |   security_group_id        = aws_security_group.ecs_service.id
		54 |   type                     = "ingress"
		55 |   from_port                = each.value
		56 |   to_port                  = each.value
		57 |   protocol                 = "tcp"
		58 |   source_security_group_id = var.cluster_security_group_id
		59 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group_rule.bastion_to_ecs_service_tcp
	File: /sg.tf:61-69
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		61 | resource "aws_security_group_rule" "bastion_to_ecs_service_tcp" {
		62 |   for_each                 = toset([for _, v in var.container_port_config : tostring(v.containerPort)])
		63 |   security_group_id        = aws_security_group.ecs_service.id
		64 |   type                     = "ingress"
		65 |   from_port                = each.value
		66 |   to_port                  = each.value
		67 |   protocol                 = "tcp"
		68 |   source_security_group_id = var.bastion_sg_id
		69 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.ecs_policies.aws_iam_policy_document.task_exec
	File: /../ecs_policies/main.tf:104-122
	Calling File: /ecs.tf:27-33
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		104 | data "aws_iam_policy_document" "task_exec" {
		105 |   statement {
		106 |     effect    = "Allow"
		107 |     resources = ["*"]
		108 | 
		109 |     actions = concat([
		110 |       "ssm:GetParameters",
		111 |       "ecr:GetAuthorizationToken",
		112 |       "ecr:BatchCheckLayerAvailability",
		113 |       "ecr:GetDownloadUrlForLayer",
		114 |       "ecr:BatchGetImage",
		115 |       "logs:CreateLogGroup",
		116 |       "logs:CreateLogStream",
		117 |       "logs:PutLogEvents",
		118 |       "secretsmanager:GetSecretValue",
		119 |       "kms:Decrypt",
		120 |     ], var.extra_exec_role_allow_statements)
		121 |   }
		122 | }

Check: CKV_AWS_108: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: module.ecs_policies.aws_iam_policy_document.task_exec
	File: /../ecs_policies/main.tf:104-122
	Calling File: /ecs.tf:27-33
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-data-exfiltration

		104 | data "aws_iam_policy_document" "task_exec" {
		105 |   statement {
		106 |     effect    = "Allow"
		107 |     resources = ["*"]
		108 | 
		109 |     actions = concat([
		110 |       "ssm:GetParameters",
		111 |       "ecr:GetAuthorizationToken",
		112 |       "ecr:BatchCheckLayerAvailability",
		113 |       "ecr:GetDownloadUrlForLayer",
		114 |       "ecr:BatchGetImage",
		115 |       "logs:CreateLogGroup",
		116 |       "logs:CreateLogStream",
		117 |       "logs:PutLogEvents",
		118 |       "secretsmanager:GetSecretValue",
		119 |       "kms:Decrypt",
		120 |     ], var.extra_exec_role_allow_statements)
		121 |   }
		122 | }

Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
	FAILED for resource: aws_db_instance.this
	File: /rds.tf:65-111
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-60

		65  | resource "aws_db_instance" "this" {
		66  |   count          = var.create_rds ? 1 : 0
		67  |   engine         = var.rds_engine
		68  |   license_model  = var.rds_license_model != null ? var.rds_license_model : null
		69  |   engine_version = var.rds_engine_version
		70  |   instance_class = var.rds_instance_class
		71  |   identifier     = "${var.name}-${var.env_name}-db"
		72  |   username       = var.rds_username
		73  | 
		74  |   manage_master_user_password = true
		75  | 
		76  |   snapshot_identifier = var.snapshot_identifier != null ? var.snapshot_identifier : null
		77  | 
		78  |   kms_key_id = var.account_config.kms_keys.rds_shared
		79  | 
		80  |   allow_major_version_upgrade = var.rds_allow_major_version_upgrade
		81  |   apply_immediately           = var.rds_apply_immediately
		82  | 
		83  |   # tflint-ignore: aws_db_instance_default_parameter_group
		84  |   parameter_group_name                = var.rds_parameter_group_name
		85  |   deletion_protection                 = var.rds_deletion_protection
		86  |   delete_automated_backups            = var.rds_delete_automated_backups
		87  |   skip_final_snapshot                 = var.rds_skip_final_snapshot
		88  |   final_snapshot_identifier           = !var.rds_skip_final_snapshot ? "${var.name}-${var.env_name}-db-final-${random_id.rds_suffix.hex}" : null
		89  |   allocated_storage                   = var.rds_allocated_storage
		90  |   max_allocated_storage               = var.rds_max_allocated_storage
		91  |   storage_type                        = var.rds_storage_type
		92  |   maintenance_window                  = var.maintenance_window
		93  |   auto_minor_version_upgrade          = true
		94  |   backup_window                       = var.rds_backup_window
		95  |   backup_retention_period             = var.rds_backup_retention_period
		96  |   iam_database_authentication_enabled = var.rds_iam_database_authentication_enabled
		97  |   db_subnet_group_name                = aws_db_subnet_group.this[0].id
		98  |   vpc_security_group_ids              = [aws_security_group.db[0].id]
		99  |   multi_az                            = var.rds_multi_az
		100 |   monitoring_interval                 = var.rds_monitoring_interval
		101 |   monitoring_role_arn                 = var.rds_monitoring_interval != null || var.rds_monitoring_interval != 0 ? aws_iam_role.rds_enhanced_monitoring[0].arn : null
		102 |   #checkov:skip=CKV_AWS_118: "enhanced monitoring is enabled, but optional"
		103 |   storage_encrypted               = true
		104 |   performance_insights_enabled    = var.rds_performance_insights_enabled
		105 |   performance_insights_kms_key_id = var.rds_performance_insights_enabled ? var.account_config.kms_keys.general_shared : null
		106 |   enabled_cloudwatch_logs_exports = var.rds_enabled_cloudwatch_logs_exports
		107 |   tags = merge(var.tags,
		108 |     { Name = lower(format("%s-%s-database", var.name, var.env_name)) },
		109 |     var.enable_platform_backups != null ? { "backup" = var.enable_platform_backups ? "true" : "false" } : {}
		110 |   )
		111 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.ecs_service
	File: /sg.tf:2-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		2  | resource "aws_security_group" "ecs_service" {
		3  |   name        = "ecs-service-${var.name}-${var.env_name}"
		4  |   description = "Security group for the ${var.env_name} ${var.name} service"
		5  |   vpc_id      = var.account_config.shared_vpc_id
		6  |   tags        = var.tags
		7  |   lifecycle {
		8  |     create_before_destroy = true
		9  |   }
		10 | }


checkov_exitcode=3

TFLint Scan Failed

Show Output
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
terraform/environments/delius-core/modules/components/ldap
terraform/environments/delius-core/modules/components/oracle_db_instance
terraform/environments/delius-core/modules/helpers/delius_microservice

*****************************

Running tflint in terraform/environments/delius-core/modules/components/ldap
Excluding the following checks: terraform_unused_declarations
Failed to load configurations; terraform/environments/delius-core/modules/components/ldap/locals.tf:26,84-86: Invalid escape sequence; The symbol "s" is not a valid escape sequence selector.:

Error: Invalid escape sequence

  on terraform/environments/delius-core/modules/components/ldap/locals.tf line 26, in locals:
  26:   formatted_error_codes = [for error_code in local.error_codes : "err=${error_code}\s"]

The symbol "s" is not a valid escape sequence selector.

tflint_exitcode=1

*****************************

Running tflint in terraform/environments/delius-core/modules/components/oracle_db_instance
Excluding the following checks: terraform_unused_declarations
3 issue(s) found:

Warning: Module source "github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance" is not pinned (terraform_module_pinned_source)

  on terraform/environments/delius-core/modules/components/oracle_db_instance/instance.tf line 24:
  24:   source = "github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_module_pinned_source.md

Warning: `server_type_tag` variable has no type (terraform_typed_variables)

  on terraform/environments/delius-core/modules/components/oracle_db_instance/variables.tf line 36:
  36: variable "server_type_tag" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_typed_variables.md

Warning: `database_tag_prefix` variable has no type (terraform_typed_variables)

  on terraform/environments/delius-core/modules/components/oracle_db_instance/variables.tf line 41:
  41: variable "database_tag_prefix" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_typed_variables.md

tflint_exitcode=3

*****************************

Running tflint in terraform/environments/delius-core/modules/helpers/delius_microservice
Excluding the following checks: terraform_unused_declarations
1 issue(s) found:

Warning: Missing version constraint for provider "random" in `required_providers` (terraform_required_providers)

  on terraform/environments/delius-core/modules/helpers/delius_microservice/load_balancing.tf line 1:
   1: resource "random_id" "suffix" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

tflint_exitcode=5

Trivy Scan Failed

Show Output
*****************************

Trivy will check the following folders:
terraform/environments/delius-core/modules/components/ldap
terraform/environments/delius-core/modules/components/oracle_db_instance
terraform/environments/delius-core/modules/helpers/delius_microservice

*****************************

Running Trivy in terraform/environments/delius-core/modules/components/ldap
2024-08-19T16:08:51Z	INFO	[db] Need to update DB
2024-08-19T16:08:51Z	INFO	[db] Downloading DB...	repository="ghcr.io/aquasecurity/trivy-db:2"
2024-08-19T16:08:53Z	INFO	[vuln] Vulnerability scanning is enabled
2024-08-19T16:08:53Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-08-19T16:08:53Z	INFO	Need to update the built-in policies
2024-08-19T16:08:53Z	INFO	Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s
2024-08-19T16:08:53Z	INFO	[secret] Secret scanning is enabled
2024-08-19T16:08:53Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-08-19T16:08:53Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.54/docs/scanner/secret#recommendation for faster secret detection
2024-08-19T16:08:54Z	INFO	Number of language-specific files	num=0
2024-08-19T16:08:54Z	INFO	Detected config files	num=10

sg.tf (terraform)
=================
Tests: 10 (SUCCESSES: 9, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 sg.tf:17
   via sg.tf:11-19 (aws_security_group_rule.allow_all_egress)
────────────────────────────────────────
  11   resource "aws_security_group_rule" "allow_all_egress" {
  12     description       = "Allow all outbound traffic to any IPv4 address"
  13     type              = "egress"
  14     from_port         = 0
  15     to_port           = 0
  16     protocol          = "-1"
  17 [   cidr_blocks       = ["0.0.0.0/0"]
  18     security_group_id = aws_security_group.ldap.id
  19   }
────────────────────────────────────────


trivy_exitcode=1

*****************************

Running Trivy in terraform/environments/delius-core/modules/components/oracle_db_instance
2024-08-19T16:08:55Z	INFO	[vuln] Vulnerability scanning is enabled
2024-08-19T16:08:55Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-08-19T16:08:55Z	INFO	[secret] Secret scanning is enabled
2024-08-19T16:08:55Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-08-19T16:08:55Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.54/docs/scanner/secret#recommendation for faster secret detection
2024-08-19T16:08:56Z	INFO	Number of language-specific files	num=0
2024-08-19T16:08:56Z	INFO	Detected config files	num=2
trivy_exitcode=1

*****************************

Running Trivy in terraform/environments/delius-core/modules/helpers/delius_microservice
2024-08-19T16:08:56Z	INFO	[vuln] Vulnerability scanning is enabled
2024-08-19T16:08:56Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-08-19T16:08:56Z	INFO	[secret] Secret scanning is enabled
2024-08-19T16:08:56Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-08-19T16:08:56Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.54/docs/scanner/secret#recommendation for faster secret detection
2024-08-19T16:08:57Z	INFO	Number of language-specific files	num=0
2024-08-19T16:08:57Z	INFO	Detected config files	num=5

sg.tf (terraform)
=================
Tests: 3 (SUCCESSES: 2, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 sg.tf:47
   via sg.tf:41-49 (aws_security_group_rule.ecs_service_tls_egress)
────────────────────────────────────────
  41   resource "aws_security_group_rule" "ecs_service_tls_egress" {
  42     description       = "Allow all outbound traffic to any IPv4 address on 443"
  43     type              = "egress"
  44     from_port         = 443
  45     to_port           = 443
  46     protocol          = "tcp"
  47 [   cidr_blocks       = ["0.0.0.0/0"]
  48     security_group_id = aws_security_group.ecs_service.id
  49   }
────────────────────────────────────────


trivy_exitcode=2


Trivy Scan Failed

Show Output

Trivy will check the following folders:
terraform/environments/delius-core/modules/components/ldap
terraform/environments/delius-core/modules/components/oracle_db_instance
terraform/environments/delius-core/modules/helpers/delius_microservice


Running Trivy in terraform/environments/delius-core/modules/components/ldap
2024-08-19T16:13:46Z INFO [db] Need to update DB
2024-08-19T16:13:46Z INFO [db] Downloading DB... repository="ghcr.io/aquasecurity/trivy-db:2"
2024-08-19T16:13:48Z INFO [vuln] Vulnerability scanning is enabled
2024-08-19T16:13:48Z INFO [misconfig] Misconfiguration scanning is enabled
2024-08-19T16:13:48Z INFO Need to update the built-in policies
2024-08-19T16:13:48Z INFO Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s
2024-08-19T16:13:48Z INFO [secret] Secret scanning is enabled
2024-08-19T16:13:48Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-08-19T16:13:48Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.54/docs/scanner/secret#recommendation for faster secret detection
2024-08-19T16:13:49Z INFO Number of language-specific files num=0
2024-08-19T16:13:49Z INFO Detected config files num=10

sg.tf (terraform)

Tests: 10 (SUCCESSES: 9, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
sg.tf:17
via sg.tf:11-19 (aws_security_group_rule.allow_all_egress)
────────────────────────────────────────
11 resource "aws_security_group_rule" "allow_all_egress" {
12 description = "Allow all outbound traffic to any IPv4 address"
13 type = "egress"
14 from_port = 0
15 to_port = 0
16 protocol = "-1"
17 [ cidr_blocks = ["0.0.0.0/0"]
18 security_group_id = aws_security_group.ldap.id
19 }
────────────────────────────────────────

trivy_exitcode=1


Running Trivy in terraform/environments/delius-core/modules/components/oracle_db_instance
2024-08-19T16:13:50Z INFO [vuln] Vulnerability scanning is enabled
2024-08-19T16:13:50Z INFO [misconfig] Misconfiguration scanning is enabled
2024-08-19T16:13:50Z INFO [secret] Secret scanning is enabled
2024-08-19T16:13:50Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-08-19T16:13:50Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.54/docs/scanner/secret#recommendation for faster secret detection
2024-08-19T16:13:51Z INFO Number of language-specific files num=0
2024-08-19T16:13:51Z INFO Detected config files num=2
trivy_exitcode=1


Running Trivy in terraform/environments/delius-core/modules/helpers/delius_microservice
2024-08-19T16:13:51Z INFO [vuln] Vulnerability scanning is enabled
2024-08-19T16:13:51Z INFO [misconfig] Misconfiguration scanning is enabled
2024-08-19T16:13:51Z INFO [secret] Secret scanning is enabled
2024-08-19T16:13:51Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-08-19T16:13:51Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.54/docs/scanner/secret#recommendation for faster secret detection
2024-08-19T16:13:52Z INFO Number of language-specific files num=0
2024-08-19T16:13:52Z INFO Detected config files num=5

sg.tf (terraform)

Tests: 3 (SUCCESSES: 2, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
sg.tf:47
via sg.tf:41-49 (aws_security_group_rule.ecs_service_tls_egress)
────────────────────────────────────────
41 resource "aws_security_group_rule" "ecs_service_tls_egress" {
42 description = "Allow all outbound traffic to any IPv4 address on 443"
43 type = "egress"
44 from_port = 443
45 to_port = 443
46 protocol = "tcp"
47 [ cidr_blocks = ["0.0.0.0/0"]
48 security_group_id = aws_security_group.ecs_service.id
49 }
────────────────────────────────────────

trivy_exitcode=2

Checkov Scan Failed

Show Output

*****************************

Checkov will check the following folders:
terraform/environments/delius-core/modules/components/ldap
terraform/environments/delius-core/modules/components/oracle_db_instance
terraform/environments/delius-core/modules/helpers/delius_microservice

*****************************

Running Checkov in terraform/environments/delius-core/modules/components/ldap
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-08-19 16:13:54,985 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 247, Failed checks: 32, Skipped checks: 0

Check: CKV_AWS_166: "Ensure Backup Vault is encrypted at rest using KMS CMK"
	FAILED for resource: aws_backup_vault.ldap_backup_vault
	File: /backup.tf:1-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-backup-vault-is-encrypted-at-rest-using-kms-cmk

		1 | resource "aws_backup_vault" "ldap_backup_vault" {
		2 |   name = "${var.env_name}-ldap-efs-vault"
		3 |   tags = merge(
		4 |     var.tags,
		5 |     {
		6 |       Name = "${var.env_name}-ldap-efs-vault"
		7 |     },
		8 |   )
		9 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.delius_core_backup_policy
	File: /backup.tf:69-89
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		69 | data "aws_iam_policy_document" "delius_core_backup_policy" {
		70 |   statement {
		71 |     effect    = "Allow"
		72 |     resources = ["*"]
		73 | 
		74 |     actions = [
		75 |       "backup:CreateBackupPlan",
		76 |       "backup:CreateBackupSelection",
		77 |       "backup:StartBackupJob",
		78 |       "backup:DescribeBackupJob",
		79 |       "backup:ListBackupJobs",
		80 |       "backup:ListBackupVaults",
		81 |       "backup:ListRecoveryPointsByBackupVault",
		82 |       "backup:ListBackupPlanTemplates",
		83 |       "backup:DescribeRestoreJob",
		84 |       "backup:GetRecoveryPointRestoreMetadata",
		85 |       "backup:ListRestoreJobs",
		86 |       "backup:StartRestoreJob"
		87 |     ]
		88 |   }
		89 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.delius_core_backup_policy
	File: /backup.tf:69-89
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		69 | data "aws_iam_policy_document" "delius_core_backup_policy" {
		70 |   statement {
		71 |     effect    = "Allow"
		72 |     resources = ["*"]
		73 | 
		74 |     actions = [
		75 |       "backup:CreateBackupPlan",
		76 |       "backup:CreateBackupSelection",
		77 |       "backup:StartBackupJob",
		78 |       "backup:DescribeBackupJob",
		79 |       "backup:ListBackupJobs",
		80 |       "backup:ListBackupVaults",
		81 |       "backup:ListRecoveryPointsByBackupVault",
		82 |       "backup:ListBackupPlanTemplates",
		83 |       "backup:DescribeRestoreJob",
		84 |       "backup:GetRecoveryPointRestoreMetadata",
		85 |       "backup:ListRestoreJobs",
		86 |       "backup:StartRestoreJob"
		87 |     ]
		88 |   }
		89 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.efs_backup_policy
	File: /backup.tf:97-134
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		97  | data "aws_iam_policy_document" "efs_backup_policy" {
		98  |   statement {
		99  |     effect    = "Allow"
		100 |     resources = ["*"]
		101 | 
		102 |     actions = [
		103 |       "efs:DescribeFileSystems",
		104 |       "efs:CreateBackup",
		105 |       "efs:DeleteBackup",
		106 |       "efs:DescribeBackups",
		107 |       "efs:CreateTags",
		108 |       "efs:UntagResource",
		109 |       "efs:TagResource",
		110 |       "efs:DescribeTags",
		111 |       "elasticfilesystem:Backup",
		112 |       "elasticfilesystem:DescribeTags",
		113 |       "elasticfilesystem:CreateAccessPoint",
		114 |       "elasticfilesystem:CreateFileSystem",
		115 |       "elasticfilesystem:CreateMountTarget",
		116 |       "elasticfilesystem:DeleteAccessPoint",
		117 |       "elasticfilesystem:DeleteFileSystem",
		118 |       "elasticfilesystem:DeleteMountTarget",
		119 |       "elasticfilesystem:DescribeAccessPoints",
		120 |       "elasticfilesystem:DescribeFileSystemPolicy",
		121 |       "elasticfilesystem:DescribeFileSystems",
		122 |       "elasticfilesystem:DescribeLifecycleConfiguration",
		123 |       "elasticfilesystem:DescribeMountTargets",
		124 |       "elasticfilesystem:DescribeMountTargetSecurityGroups",
		125 |       "elasticfilesystem:PutBackupPolicy",
		126 |       "elasticfilesystem:PutFileSystemPolicy",
		127 |       "elasticfilesystem:PutLifecycleConfiguration",
		128 |       "elasticfilesystem:Restore",
		129 |       "elasticfilesystem:TagResource",
		130 |       "elasticfilesystem:UntagResource",
		131 |       "elasticfilesystem:UpdateFileSystem"
		132 |     ]
		133 |   }
		134 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.efs_backup_policy
	File: /backup.tf:97-134
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		97  | data "aws_iam_policy_document" "efs_backup_policy" {
		98  |   statement {
		99  |     effect    = "Allow"
		100 |     resources = ["*"]
		101 | 
		102 |     actions = [
		103 |       "efs:DescribeFileSystems",
		104 |       "efs:CreateBackup",
		105 |       "efs:DeleteBackup",
		106 |       "efs:DescribeBackups",
		107 |       "efs:CreateTags",
		108 |       "efs:UntagResource",
		109 |       "efs:TagResource",
		110 |       "efs:DescribeTags",
		111 |       "elasticfilesystem:Backup",
		112 |       "elasticfilesystem:DescribeTags",
		113 |       "elasticfilesystem:CreateAccessPoint",
		114 |       "elasticfilesystem:CreateFileSystem",
		115 |       "elasticfilesystem:CreateMountTarget",
		116 |       "elasticfilesystem:DeleteAccessPoint",
		117 |       "elasticfilesystem:DeleteFileSystem",
		118 |       "elasticfilesystem:DeleteMountTarget",
		119 |       "elasticfilesystem:DescribeAccessPoints",
		120 |       "elasticfilesystem:DescribeFileSystemPolicy",
		121 |       "elasticfilesystem:DescribeFileSystems",
		122 |       "elasticfilesystem:DescribeLifecycleConfiguration",
		123 |       "elasticfilesystem:DescribeMountTargets",
		124 |       "elasticfilesystem:DescribeMountTargetSecurityGroups",
		125 |       "elasticfilesystem:PutBackupPolicy",
		126 |       "elasticfilesystem:PutFileSystemPolicy",
		127 |       "elasticfilesystem:PutLifecycleConfiguration",
		128 |       "elasticfilesystem:Restore",
		129 |       "elasticfilesystem:TagResource",
		130 |       "elasticfilesystem:UntagResource",
		131 |       "elasticfilesystem:UpdateFileSystem"
		132 |     ]
		133 |   }
		134 | }

Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy_document.efs_backup_policy
	File: /backup.tf:97-134
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint

		97  | data "aws_iam_policy_document" "efs_backup_policy" {
		98  |   statement {
		99  |     effect    = "Allow"
		100 |     resources = ["*"]
		101 | 
		102 |     actions = [
		103 |       "efs:DescribeFileSystems",
		104 |       "efs:CreateBackup",
		105 |       "efs:DeleteBackup",
		106 |       "efs:DescribeBackups",
		107 |       "efs:CreateTags",
		108 |       "efs:UntagResource",
		109 |       "efs:TagResource",
		110 |       "efs:DescribeTags",
		111 |       "elasticfilesystem:Backup",
		112 |       "elasticfilesystem:DescribeTags",
		113 |       "elasticfilesystem:CreateAccessPoint",
		114 |       "elasticfilesystem:CreateFileSystem",
		115 |       "elasticfilesystem:CreateMountTarget",
		116 |       "elasticfilesystem:DeleteAccessPoint",
		117 |       "elasticfilesystem:DeleteFileSystem",
		118 |       "elasticfilesystem:DeleteMountTarget",
		119 |       "elasticfilesystem:DescribeAccessPoints",
		120 |       "elasticfilesystem:DescribeFileSystemPolicy",
		121 |       "elasticfilesystem:DescribeFileSystems",
		122 |       "elasticfilesystem:DescribeLifecycleConfiguration",
		123 |       "elasticfilesystem:DescribeMountTargets",
		124 |       "elasticfilesystem:DescribeMountTargetSecurityGroups",
		125 |       "elasticfilesystem:PutBackupPolicy",
		126 |       "elasticfilesystem:PutFileSystemPolicy",
		127 |       "elasticfilesystem:PutLifecycleConfiguration",
		128 |       "elasticfilesystem:Restore",
		129 |       "elasticfilesystem:TagResource",
		130 |       "elasticfilesystem:UntagResource",
		131 |       "elasticfilesystem:UpdateFileSystem"
		132 |     ]
		133 |   }
		134 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.ldap_ecs
	File: /cloudwatch.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		1 | resource "aws_cloudwatch_log_group" "ldap_ecs" {
		2 |   name              = "/ecs/ldap-${var.env_name}"
		3 |   retention_in_days = 5
		4 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.ldap_ecs
	File: /cloudwatch.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		1 | resource "aws_cloudwatch_log_group" "ldap_ecs" {
		2 |   name              = "/ecs/ldap-${var.env_name}"
		3 |   retention_in_days = 5
		4 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.ldap_automation
	File: /cloudwatch.tf:6-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		6 | resource "aws_cloudwatch_log_group" "ldap_automation" {
		7 |   name              = "/ecs/ldap-automation-${var.env_name}"
		8 |   retention_in_days = 5
		9 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.ldap_automation
	File: /cloudwatch.tf:6-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		6 | resource "aws_cloudwatch_log_group" "ldap_automation" {
		7 |   name              = "/ecs/ldap-automation-${var.env_name}"
		8 |   retention_in_days = 5
		9 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.ldap_datasync_role_access
	File: /datasync.tf:49-88
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		49 | data "aws_iam_policy_document" "ldap_datasync_role_access" {
		50 |   statement {
		51 |     effect = "Allow"
		52 |     actions = [
		53 |       "backup:*",
		54 |       "datasync:*",
		55 |       "elasticfilesystem:*",
		56 |       "ec2:DescribeInstances",
		57 |       "ec2:CreateNetworkInterface",
		58 |       "ec2:AttachNetworkInterface",
		59 |       "ec2:DescribeNetworkInterfaces",
		60 |       "ec2:DeleteNetworkInterface"
		61 |     ]
		62 |     resources = ["*"]
		63 |   }
		64 |   statement {
		65 |     effect = "Allow"
		66 |     actions = [
		67 |       "kms:ListGrants",
		68 |       "kms:GenerateDataKey",
		69 |       "kms:Encrypt",
		70 |       "kms:DescribeKey",
		71 |       "kms:Decrypt",
		72 |       "kms:CreateGrant",
		73 |       "kms:ReEncryptTo",
		74 |       "kms:ReEncryptFrom",
		75 |       "kms:GenerateDataKeyWithoutPlaintext"
		76 |     ]
		77 |     resources = [var.account_config.kms_keys.general_shared]
		78 |   }
		79 |   statement {
		80 |     sid     = "allowAccessForDataSync"
		81 |     effect  = "Allow"
		82 |     actions = ["s3:*"]
		83 |     resources = [
		84 |       "arn:aws:s3:::*-ldap-data-refresh-incoming",
		85 |       "arn:aws:s3:::*-ldap-data-refresh-incoming/*",
		86 |     ]
		87 |   }
		88 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.ldap_datasync_role_access
	File: /datasync.tf:49-88
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		49 | data "aws_iam_policy_document" "ldap_datasync_role_access" {
		50 |   statement {
		51 |     effect = "Allow"
		52 |     actions = [
		53 |       "backup:*",
		54 |       "datasync:*",
		55 |       "elasticfilesystem:*",
		56 |       "ec2:DescribeInstances",
		57 |       "ec2:CreateNetworkInterface",
		58 |       "ec2:AttachNetworkInterface",
		59 |       "ec2:DescribeNetworkInterfaces",
		60 |       "ec2:DeleteNetworkInterface"
		61 |     ]
		62 |     resources = ["*"]
		63 |   }
		64 |   statement {
		65 |     effect = "Allow"
		66 |     actions = [
		67 |       "kms:ListGrants",
		68 |       "kms:GenerateDataKey",
		69 |       "kms:Encrypt",
		70 |       "kms:DescribeKey",
		71 |       "kms:Decrypt",
		72 |       "kms:CreateGrant",
		73 |       "kms:ReEncryptTo",
		74 |       "kms:ReEncryptFrom",
		75 |       "kms:GenerateDataKeyWithoutPlaintext"
		76 |     ]
		77 |     resources = [var.account_config.kms_keys.general_shared]
		78 |   }
		79 |   statement {
		80 |     sid     = "allowAccessForDataSync"
		81 |     effect  = "Allow"
		82 |     actions = ["s3:*"]
		83 |     resources = [
		84 |       "arn:aws:s3:::*-ldap-data-refresh-incoming",
		85 |       "arn:aws:s3:::*-ldap-data-refresh-incoming/*",
		86 |     ]
		87 |   }
		88 | }

Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy_document.ldap_datasync_role_access
	File: /datasync.tf:49-88
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint

		49 | data "aws_iam_policy_document" "ldap_datasync_role_access" {
		50 |   statement {
		51 |     effect = "Allow"
		52 |     actions = [
		53 |       "backup:*",
		54 |       "datasync:*",
		55 |       "elasticfilesystem:*",
		56 |       "ec2:DescribeInstances",
		57 |       "ec2:CreateNetworkInterface",
		58 |       "ec2:AttachNetworkInterface",
		59 |       "ec2:DescribeNetworkInterfaces",
		60 |       "ec2:DeleteNetworkInterface"
		61 |     ]
		62 |     resources = ["*"]
		63 |   }
		64 |   statement {
		65 |     effect = "Allow"
		66 |     actions = [
		67 |       "kms:ListGrants",
		68 |       "kms:GenerateDataKey",
		69 |       "kms:Encrypt",
		70 |       "kms:DescribeKey",
		71 |       "kms:Decrypt",
		72 |       "kms:CreateGrant",
		73 |       "kms:ReEncryptTo",
		74 |       "kms:ReEncryptFrom",
		75 |       "kms:GenerateDataKeyWithoutPlaintext"
		76 |     ]
		77 |     resources = [var.account_config.kms_keys.general_shared]
		78 |   }
		79 |   statement {
		80 |     sid     = "allowAccessForDataSync"
		81 |     effect  = "Allow"
		82 |     actions = ["s3:*"]
		83 |     resources = [
		84 |       "arn:aws:s3:::*-ldap-data-refresh-incoming",
		85 |       "arn:aws:s3:::*-ldap-data-refresh-incoming/*",
		86 |     ]
		87 |   }
		88 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3_bucket_ldap_data_refresh
	File: /datasync.tf:117-131
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		117 | module "s3_bucket_ldap_data_refresh" {
		118 |   source              = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0"
		119 |   bucket_name         = "${var.env_name}-ldap-data-refresh-incoming"
		120 |   versioning_enabled  = false
		121 |   ownership_controls  = "BucketOwnerEnforced"
		122 |   replication_enabled = false
		123 |   custom_kms_key      = var.account_config.kms_keys.general_shared
		124 |   bucket_policy_v2    = local.ldap_refresh_bucket_policies
		125 | 
		126 |   providers = {
		127 |     aws.bucket-replication = aws.bucket-replication
		128 |   }
		129 | 
		130 |   tags = var.tags
		131 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3_bucket_migration
	File: /s3.tf:1-99
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		Code lines for this resource are too many. Please use IDE of your choice to review the file.

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3_bucket_app_deployment
	File: /s3.tf:102-141
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		102 | module "s3_bucket_app_deployment" {
		103 | 
		104 |   source = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0"
		105 | 
		106 |   bucket_prefix      = "ldap-${var.env_name}-deployment-state"
		107 |   versioning_enabled = true
		108 | 
		109 |   providers = {
		110 |     aws.bucket-replication = aws.bucket-replication
		111 |   }
		112 | 
		113 |   lifecycle_rule = [
		114 |     {
		115 |       id      = "main"
		116 |       enabled = "Enabled"
		117 |       prefix  = ""
		118 | 
		119 |       tags = {
		120 |         rule      = "log"
		121 |         autoclean = "true"
		122 |       }
		123 | 
		124 |       noncurrent_version_transition = [
		125 |         {
		126 |           days          = 90
		127 |           storage_class = "STANDARD_IA"
		128 |           }, {
		129 |           days          = 365
		130 |           storage_class = "GLACIER"
		131 |         }
		132 |       ]
		133 | 
		134 |       noncurrent_version_expiration = {
		135 |         days = 730
		136 |       }
		137 |     }
		138 |   ]
		139 | 
		140 |   tags = var.tags
		141 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_ldap_host
	File: /secrets.tf:5-15
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		5  | resource "aws_ssm_parameter" "delius_core_ldap_host" {
		6  |   name  = format("/%s-%s/LDAP_HOST", var.account_info.application_name, var.env_name)
		7  |   type  = "SecureString"
		8  |   value = "INITIAL_VALUE_OVERRIDDEN"
		9  |   lifecycle {
		10 |     ignore_changes = [
		11 |       value
		12 |     ]
		13 |   }
		14 |   tags = var.tags
		15 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_ldap_principal
	File: /secrets.tf:21-31
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		21 | resource "aws_ssm_parameter" "delius_core_ldap_principal" {
		22 |   name  = format("/%s-%s/LDAP_PRINCIPAL", var.account_info.application_name, var.env_name)
		23 |   type  = "SecureString"
		24 |   value = "INITIAL_VALUE_OVERRIDDEN"
		25 |   lifecycle {
		26 |     ignore_changes = [
		27 |       value
		28 |     ]
		29 |   }
		30 |   tags = var.tags
		31 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_ldap_seed_uri
	File: /secrets.tf:37-47
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		37 | resource "aws_ssm_parameter" "delius_core_ldap_seed_uri" {
		38 |   name  = format("/%s-%s/LDAP_SEED_URI", var.account_info.application_name, var.env_name)
		39 |   type  = "SecureString"
		40 |   value = "INITIAL_VALUE_OVERRIDDEN"
		41 |   lifecycle {
		42 |     ignore_changes = [
		43 |       value
		44 |     ]
		45 |   }
		46 |   tags = var.tags
		47 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_ldap_bind_password
	File: /secrets.tf:53-63
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		53 | resource "aws_ssm_parameter" "delius_core_ldap_bind_password" {
		54 |   name  = format("/%s-%s/LDAP_BIND_PASSWORD", var.account_info.application_name, var.env_name)
		55 |   type  = "SecureString"
		56 |   value = "INITIAL_VALUE_OVERRIDDEN"
		57 |   lifecycle {
		58 |     ignore_changes = [
		59 |       value
		60 |     ]
		61 |   }
		62 |   tags = var.tags
		63 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_ldap_rbac_version
	File: /secrets.tf:82-92
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		82 | resource "aws_ssm_parameter" "delius_core_ldap_rbac_version" {
		83 |   name  = format("/%s-%s/LDAP_RBAC_VERSION", var.account_info.application_name, var.env_name)
		84 |   type  = "SecureString"
		85 |   value = "INITIAL_VALUE_OVERRIDDEN"
		86 |   lifecycle {
		87 |     ignore_changes = [
		88 |       value
		89 |     ]
		90 |   }
		91 |   tags = var.tags
		92 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group_rule.efs_ingress_ldap
	File: /sg.tf:65-72
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		65 | resource "aws_security_group_rule" "efs_ingress_ldap" {
		66 |   type                     = "ingress"
		67 |   from_port                = 2049
		68 |   to_port                  = 2049
		69 |   protocol                 = "tcp"
		70 |   source_security_group_id = module.efs.sg_id
		71 |   security_group_id        = aws_security_group.ldap.id
		72 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.ldap_ecs_policies.aws_iam_policy_document.task_exec
	File: /../../helpers/ecs_policies/main.tf:104-122
	Calling File: /ldap_policies.tf:1-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		104 | data "aws_iam_policy_document" "task_exec" {
		105 |   statement {
		106 |     effect    = "Allow"
		107 |     resources = ["*"]
		108 | 
		109 |     actions = concat([
		110 |       "ssm:GetParameters",
		111 |       "ecr:GetAuthorizationToken",
		112 |       "ecr:BatchCheckLayerAvailability",
		113 |       "ecr:GetDownloadUrlForLayer",
		114 |       "ecr:BatchGetImage",
		115 |       "logs:CreateLogGroup",
		116 |       "logs:CreateLogStream",
		117 |       "logs:PutLogEvents",
		118 |       "secretsmanager:GetSecretValue",
		119 |       "kms:Decrypt",
		120 |     ], var.extra_exec_role_allow_statements)
		121 |   }
		122 | }

Check: CKV_AWS_108: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: module.ldap_ecs_policies.aws_iam_policy_document.task_exec
	File: /../../helpers/ecs_policies/main.tf:104-122
	Calling File: /ldap_policies.tf:1-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-data-exfiltration

		104 | data "aws_iam_policy_document" "task_exec" {
		105 |   statement {
		106 |     effect    = "Allow"
		107 |     resources = ["*"]
		108 | 
		109 |     actions = concat([
		110 |       "ssm:GetParameters",
		111 |       "ecr:GetAuthorizationToken",
		112 |       "ecr:BatchCheckLayerAvailability",
		113 |       "ecr:GetDownloadUrlForLayer",
		114 |       "ecr:BatchGetImage",
		115 |       "logs:CreateLogGroup",
		116 |       "logs:CreateLogStream",
		117 |       "logs:PutLogEvents",
		118 |       "secretsmanager:GetSecretValue",
		119 |       "kms:Decrypt",
		120 |     ], var.extra_exec_role_allow_statements)
		121 |   }
		122 | }

Check: CKV_AWS_329: "EFS access points should enforce a root directory"
	FAILED for resource: module.efs.aws_efs_access_point.ldap
	File: /../../helpers/efs/main.tf:26-37
	Calling File: /efs.tf:1-17
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-329

		26 | resource "aws_efs_access_point" "ldap" {
		27 |   file_system_id = aws_efs_file_system.this.id
		28 |   root_directory {
		29 |     path = "/"
		30 |   }
		31 |   tags = merge(
		32 |     var.tags,
		33 |     {
		34 |       Name = "${var.env_name}-${var.name}-efs-access-point"
		35 |     }
		36 |   )
		37 | }

Check: CKV_AWS_330: "EFS access points should enforce a user identity"
	FAILED for resource: module.efs.aws_efs_access_point.ldap
	File: /../../helpers/efs/main.tf:26-37
	Calling File: /efs.tf:1-17
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-330

		26 | resource "aws_efs_access_point" "ldap" {
		27 |   file_system_id = aws_efs_file_system.this.id
		28 |   root_directory {
		29 |     path = "/"
		30 |   }
		31 |   tags = merge(
		32 |     var.tags,
		33 |     {
		34 |       Name = "${var.env_name}-${var.name}-efs-access-point"
		35 |     }
		36 |   )
		37 | }

Check: CKV_AWS_152: "Ensure that Load Balancer (Network/Gateway) has cross-zone load balancing enabled"
	FAILED for resource: module.nlb.aws_lb.this
	File: /../../helpers/nlb/main.tf:1-12
	Calling File: /nlb.tf:1-23
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-load-balancer-networkgateway-has-cross-zone-load-balancing-enabled

		1  | resource "aws_lb" "this" {
		2  |   name                       = "${var.app_name}-${var.env_name}-nlb"
		3  |   internal                   = var.internal
		4  |   load_balancer_type         = var.load_balancer_type
		5  |   subnets                    = var.subnet_ids
		6  |   drop_invalid_header_fields = var.drop_invalid_header_fields
		7  |   enable_deletion_protection = var.enable_deletion_protection
		8  | 
		9  | 
		10 | 
		11 |   tags = var.tags
		12 | }

Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
	FAILED for resource: module.nlb.aws_lb.this
	File: /../../helpers/nlb/main.tf:1-12
	Calling File: /nlb.tf:1-23
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22

		1  | resource "aws_lb" "this" {
		2  |   name                       = "${var.app_name}-${var.env_name}-nlb"
		3  |   internal                   = var.internal
		4  |   load_balancer_type         = var.load_balancer_type
		5  |   subnets                    = var.subnet_ids
		6  |   drop_invalid_header_fields = var.drop_invalid_header_fields
		7  |   enable_deletion_protection = var.enable_deletion_protection
		8  | 
		9  | 
		10 | 
		11 |   tags = var.tags
		12 | }

Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
	FAILED for resource: module.nlb.aws_lb.this
	File: /../../helpers/nlb/main.tf:1-12
	Calling File: /nlb.tf:1-23
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-150

		1  | resource "aws_lb" "this" {
		2  |   name                       = "${var.app_name}-${var.env_name}-nlb"
		3  |   internal                   = var.internal
		4  |   load_balancer_type         = var.load_balancer_type
		5  |   subnets                    = var.subnet_ids
		6  |   drop_invalid_header_fields = var.drop_invalid_header_fields
		7  |   enable_deletion_protection = var.enable_deletion_protection
		8  | 
		9  | 
		10 | 
		11 |   tags = var.tags
		12 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: module.ldap_admin_password.aws_secretsmanager_secret.this
	File: /../../helpers/secret/main.tf:1-6
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		1 | resource "aws_secretsmanager_secret" "this" {
		2 |   name        = var.name
		3 |   description = var.description
		4 |   kms_key_id  = var.kms_key_id
		5 |   tags        = var.tags
		6 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.ldap
	File: /sg.tf:1-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		1 | resource "aws_security_group" "ldap" {
		2 |   name        = "${var.env_name}-ldap-sg"
		3 |   description = "Security group for the ${var.env_name} ldap service"
		4 |   vpc_id      = var.account_info.vpc_id
		5 |   tags        = var.tags
		6 |   lifecycle {
		7 |     create_before_destroy = true
		8 |   }
		9 | }

Check: CKV_AWS_103: "Ensure that load balancer is using at least TLS 1.2"
	FAILED for resource: module.nlb.aws_lb_listener.ldaps
	File: /../../helpers/nlb/main.tf:32-50
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-43

		32 | resource "aws_lb_listener" "ldaps" {
		33 |   load_balancer_arn = aws_lb.this.arn
		34 |   port              = var.secure_port
		35 |   protocol          = "TLS"
		36 | 
		37 |   default_action {
		38 |     type             = "forward"
		39 |     target_group_arn = aws_lb_target_group.this.arn
		40 |   }
		41 | 
		42 |   certificate_arn = var.certificate_arn
		43 | 
		44 |   tags = merge(
		45 |     var.tags,
		46 |     {
		47 |       Name = var.app_name
		48 |     }
		49 |   )
		50 | }


checkov_exitcode=1

*****************************

Running Checkov in terraform/environments/delius-core/modules/components/oracle_db_instance
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-08-19 16:13:57,997 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 0, Failed checks: 2, Skipped checks: 0

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: instance
	File: /instance.tf:23-66
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		23 | module "instance" {
		24 |   source = "github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance"
		25 | 
		26 |   providers = {
		27 |     aws.core-vpc = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		28 |   }
		29 | 
		30 |   name = "${var.account_info.application_name}-${var.env_name}-${var.db_suffix}-${local.instance_name_index}" # e.g. dev-boe-db-1
		31 | 
		32 |   ami_name                      = data.aws_ami.oracle_db.name
		33 |   ami_owner                     = var.db_ami.owner
		34 |   instance                      = local.instance_config
		35 |   ebs_kms_key_id                = var.account_config.kms_keys.general_shared
		36 |   ebs_volumes_copy_all_from_ami = true
		37 |   ebs_volume_config             = var.ebs_volume_config
		38 |   ebs_volumes                   = var.ebs_volumes
		39 |   ebs_volume_tags               = var.tags
		40 |   # route53_records               = merge(local.ec2_test.route53_records, lookup(each.value, "route53_records", {})) # revist
		41 |   route53_records = {
		42 |     create_internal_record = false
		43 |     create_external_record = false
		44 |   }
		45 |   iam_resource_names_prefix = "instance"
		46 |   instance_profile_policies = var.instance_profile_policies
		47 | 
		48 |   user_data_raw = base64encode(var.user_data)
		49 | 
		50 |   business_unit     = var.account_info.business_unit
		51 |   application_name  = var.account_info.application_name
		52 |   environment       = var.account_info.mp_environment
		53 |   region            = "eu-west-2"
		54 |   availability_zone = var.availability_zone
		55 |   subnet_id         = var.subnet_id
		56 |   tags = merge(var.tags,
		57 |     { Name = "${var.account_info.application_name}-${var.env_name}-${var.db_suffix}-${local.instance_name_index}" },
		58 |     { server-type = var.server_type_tag },
		59 |     { database = local.database_tag },
		60 |     var.enable_platform_backups != null ? { "backup" = var.enable_platform_backups ? "true" : "false" } : {}
		61 |   )
		62 | 
		63 |   cloudwatch_metric_alarms = merge(
		64 |     local.cloudwatch_metric_alarms.ec2
		65 |   )
		66 | }

Check: CKV_TF_2: "Ensure Terraform module sources use a tag with a version number"
	FAILED for resource: instance
	File: /instance.tf:23-66
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-tag

		23 | module "instance" {
		24 |   source = "github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance"
		25 | 
		26 |   providers = {
		27 |     aws.core-vpc = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		28 |   }
		29 | 
		30 |   name = "${var.account_info.application_name}-${var.env_name}-${var.db_suffix}-${local.instance_name_index}" # e.g. dev-boe-db-1
		31 | 
		32 |   ami_name                      = data.aws_ami.oracle_db.name
		33 |   ami_owner                     = var.db_ami.owner
		34 |   instance                      = local.instance_config
		35 |   ebs_kms_key_id                = var.account_config.kms_keys.general_shared
		36 |   ebs_volumes_copy_all_from_ami = true
		37 |   ebs_volume_config             = var.ebs_volume_config
		38 |   ebs_volumes                   = var.ebs_volumes
		39 |   ebs_volume_tags               = var.tags
		40 |   # route53_records               = merge(local.ec2_test.route53_records, lookup(each.value, "route53_records", {})) # revist
		41 |   route53_records = {
		42 |     create_internal_record = false
		43 |     create_external_record = false
		44 |   }
		45 |   iam_resource_names_prefix = "instance"
		46 |   instance_profile_policies = var.instance_profile_policies
		47 | 
		48 |   user_data_raw = base64encode(var.user_data)
		49 | 
		50 |   business_unit     = var.account_info.business_unit
		51 |   application_name  = var.account_info.application_name
		52 |   environment       = var.account_info.mp_environment
		53 |   region            = "eu-west-2"
		54 |   availability_zone = var.availability_zone
		55 |   subnet_id         = var.subnet_id
		56 |   tags = merge(var.tags,
		57 |     { Name = "${var.account_info.application_name}-${var.env_name}-${var.db_suffix}-${local.instance_name_index}" },
		58 |     { server-type = var.server_type_tag },
		59 |     { database = local.database_tag },
		60 |     var.enable_platform_backups != null ? { "backup" = var.enable_platform_backups ? "true" : "false" } : {}
		61 |   )
		62 | 
		63 |   cloudwatch_metric_alarms = merge(
		64 |     local.cloudwatch_metric_alarms.ec2
		65 |   )
		66 | }


checkov_exitcode=2

*****************************

Running Checkov in terraform/environments/delius-core/modules/helpers/delius_microservice
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-08-19 16:14:00,757 [MainThread  ] [WARNI]  Failed to download module git::https://github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//container?ref=v4.3.0:None (for external modules, the --download-external-modules flag is required)
2024-08-19 16:14:00,757 [MainThread  ] [WARNI]  Failed to download module git::https://github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//service?ref=v4.3.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 167, Failed checks: 15, Skipped checks: 2

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.ecs
	File: /cloudwatch.tf:1-5
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		1 | resource "aws_cloudwatch_log_group" "ecs" {
		2 |   name              = "${var.env_name}-${var.name}"
		3 |   retention_in_days = 7
		4 |   tags              = var.tags
		5 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.ecs
	File: /cloudwatch.tf:1-5
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		1 | resource "aws_cloudwatch_log_group" "ecs" {
		2 |   name              = "${var.env_name}-${var.name}"
		3 |   retention_in_days = 7
		4 |   tags              = var.tags
		5 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: container_definition
	File: /ecs.tf:1-25
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		1  | module "container_definition" {
		2  |   source                   = "git::https://github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//container?ref=v4.3.0"
		3  |   name                     = var.name
		4  |   image                    = var.container_image
		5  |   memory                   = var.container_memory
		6  |   cpu                      = var.container_cpu
		7  |   essential                = true
		8  |   readonly_root_filesystem = false
		9  | 
		10 |   environment = local.calculated_container_vars_list
		11 | 
		12 |   health_check = var.health_check
		13 | 
		14 |   secrets       = local.calculated_container_secrets_list
		15 |   port_mappings = var.container_port_config
		16 |   mount_points  = var.mount_points
		17 |   log_configuration = {
		18 |     logDriver = "awslogs"
		19 |     options = {
		20 |       "awslogs-group"         = aws_cloudwatch_log_group.ecs.name
		21 |       "awslogs-region"        = "eu-west-2"
		22 |       "awslogs-stream-prefix" = "${var.env_name}-${var.name}"
		23 |     }
		24 |   }
		25 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: ecs_service
	File: /ecs.tf:35-72
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		35 | module "ecs_service" {
		36 |   source                = "git::https://github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//service?ref=v4.3.0"
		37 |   container_definitions = nonsensitive(module.container_definition.json_encoded_list)
		38 |   cluster_arn           = var.ecs_cluster_arn
		39 |   name                  = var.name
		40 | 
		41 |   task_cpu    = var.container_cpu
		42 |   task_memory = var.container_memory
		43 | 
		44 |   desired_count                      = var.desired_count
		45 |   deployment_maximum_percent         = var.deployment_maximum_percent
		46 |   deployment_minimum_healthy_percent = var.deployment_minimum_healthy_percent
		47 | 
		48 |   service_role_arn   = "arn:aws:iam::${var.account_info.id}:role/${module.ecs_policies.service_role.name}"
		49 |   task_role_arn      = "arn:aws:iam::${var.account_info.id}:role/${module.ecs_policies.task_role.name}"
		50 |   task_exec_role_arn = "arn:aws:iam::${var.account_info.id}:role/${module.ecs_policies.task_exec_role.name}"
		51 | 
		52 |   health_check_grace_period_seconds = var.health_check_grace_period_seconds
		53 | 
		54 |   service_load_balancers = var.microservice_lb != null ? concat([{
		55 |     target_group_arn = aws_lb_target_group.frontend[0].arn
		56 |     container_name   = var.name
		57 |     container_port   = var.container_port_config[0].containerPort
		58 |     }],
		59 |   values(local.ecs_nlbs)) : values(local.ecs_nlbs)
		60 | 
		61 |   efs_volumes = var.efs_volumes
		62 | 
		63 |   security_groups = [aws_security_group.ecs_service.id]
		64 | 
		65 |   subnets = var.account_config.private_subnet_ids
		66 | 
		67 |   enable_execute_command = true
		68 | 
		69 |   ignore_changes = var.ignore_changes_service_task_definition
		70 | 
		71 |   tags = var.tags
		72 | }

Check: CKV_AWS_152: "Ensure that Load Balancer (Network/Gateway) has cross-zone load balancing enabled"
	FAILED for resource: aws_lb.delius_microservices
	File: /load_balancing.tf:90-98
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-load-balancer-networkgateway-has-cross-zone-load-balancing-enabled

		90 | resource "aws_lb" "delius_microservices" {
		91 |   name                       = "${var.name}-${var.env_name}-service-nlb"
		92 |   internal                   = true
		93 |   load_balancer_type         = "network"
		94 |   security_groups            = [aws_security_group.delius_microservices_service_nlb.id]
		95 |   subnets                    = var.account_config.private_subnet_ids
		96 |   enable_deletion_protection = false
		97 |   tags                       = var.tags
		98 | }

Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
	FAILED for resource: aws_lb.delius_microservices
	File: /load_balancing.tf:90-98
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22

		90 | resource "aws_lb" "delius_microservices" {
		91 |   name                       = "${var.name}-${var.env_name}-service-nlb"
		92 |   internal                   = true
		93 |   load_balancer_type         = "network"
		94 |   security_groups            = [aws_security_group.delius_microservices_service_nlb.id]
		95 |   subnets                    = var.account_config.private_subnet_ids
		96 |   enable_deletion_protection = false
		97 |   tags                       = var.tags
		98 | }

Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
	FAILED for resource: aws_lb.delius_microservices
	File: /load_balancing.tf:90-98
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-150

		90 | resource "aws_lb" "delius_microservices" {
		91 |   name                       = "${var.name}-${var.env_name}-service-nlb"
		92 |   internal                   = true
		93 |   load_balancer_type         = "network"
		94 |   security_groups            = [aws_security_group.delius_microservices_service_nlb.id]
		95 |   subnets                    = var.account_config.private_subnet_ids
		96 |   enable_deletion_protection = false
		97 |   tags                       = var.tags
		98 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_ingress_rule.from_vpc
	File: /load_balancing.tf:110-114
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		110 | resource "aws_vpc_security_group_ingress_rule" "from_vpc" {
		111 |   cidr_ipv4         = var.account_config.shared_vpc_cidr
		112 |   ip_protocol       = "-1"
		113 |   security_group_id = aws_security_group.delius_microservices_service_nlb.id
		114 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.nlb_to_ecs_service
	File: /load_balancing.tf:116-123
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		116 | resource "aws_vpc_security_group_egress_rule" "nlb_to_ecs_service" {
		117 |   for_each                     = toset([for _, v in var.container_port_config : tostring(v.containerPort)])
		118 |   ip_protocol                  = "TCP"
		119 |   from_port                    = each.value
		120 |   to_port                      = each.value
		121 |   security_group_id            = aws_security_group.delius_microservices_service_nlb.id
		122 |   referenced_security_group_id = aws_security_group.ecs_service.id
		123 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group_rule.all_cluster_to_ecs_service_tcp
	File: /sg.tf:51-59
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		51 | resource "aws_security_group_rule" "all_cluster_to_ecs_service_tcp" {
		52 |   for_each                 = toset([for _, v in var.container_port_config : tostring(v.containerPort)])
		53 |   security_group_id        = aws_security_group.ecs_service.id
		54 |   type                     = "ingress"
		55 |   from_port                = each.value
		56 |   to_port                  = each.value
		57 |   protocol                 = "tcp"
		58 |   source_security_group_id = var.cluster_security_group_id
		59 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group_rule.bastion_to_ecs_service_tcp
	File: /sg.tf:61-69
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		61 | resource "aws_security_group_rule" "bastion_to_ecs_service_tcp" {
		62 |   for_each                 = toset([for _, v in var.container_port_config : tostring(v.containerPort)])
		63 |   security_group_id        = aws_security_group.ecs_service.id
		64 |   type                     = "ingress"
		65 |   from_port                = each.value
		66 |   to_port                  = each.value
		67 |   protocol                 = "tcp"
		68 |   source_security_group_id = var.bastion_sg_id
		69 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.ecs_policies.aws_iam_policy_document.task_exec
	File: /../ecs_policies/main.tf:104-122
	Calling File: /ecs.tf:27-33
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		104 | data "aws_iam_policy_document" "task_exec" {
		105 |   statement {
		106 |     effect    = "Allow"
		107 |     resources = ["*"]
		108 | 
		109 |     actions = concat([
		110 |       "ssm:GetParameters",
		111 |       "ecr:GetAuthorizationToken",
		112 |       "ecr:BatchCheckLayerAvailability",
		113 |       "ecr:GetDownloadUrlForLayer",
		114 |       "ecr:BatchGetImage",
		115 |       "logs:CreateLogGroup",
		116 |       "logs:CreateLogStream",
		117 |       "logs:PutLogEvents",
		118 |       "secretsmanager:GetSecretValue",
		119 |       "kms:Decrypt",
		120 |     ], var.extra_exec_role_allow_statements)
		121 |   }
		122 | }

Check: CKV_AWS_108: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: module.ecs_policies.aws_iam_policy_document.task_exec
	File: /../ecs_policies/main.tf:104-122
	Calling File: /ecs.tf:27-33
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-data-exfiltration

		104 | data "aws_iam_policy_document" "task_exec" {
		105 |   statement {
		106 |     effect    = "Allow"
		107 |     resources = ["*"]
		108 | 
		109 |     actions = concat([
		110 |       "ssm:GetParameters",
		111 |       "ecr:GetAuthorizationToken",
		112 |       "ecr:BatchCheckLayerAvailability",
		113 |       "ecr:GetDownloadUrlForLayer",
		114 |       "ecr:BatchGetImage",
		115 |       "logs:CreateLogGroup",
		116 |       "logs:CreateLogStream",
		117 |       "logs:PutLogEvents",
		118 |       "secretsmanager:GetSecretValue",
		119 |       "kms:Decrypt",
		120 |     ], var.extra_exec_role_allow_statements)
		121 |   }
		122 | }

Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
	FAILED for resource: aws_db_instance.this
	File: /rds.tf:65-111
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-60

		65  | resource "aws_db_instance" "this" {
		66  |   count          = var.create_rds ? 1 : 0
		67  |   engine         = var.rds_engine
		68  |   license_model  = var.rds_license_model != null ? var.rds_license_model : null
		69  |   engine_version = var.rds_engine_version
		70  |   instance_class = var.rds_instance_class
		71  |   identifier     = "${var.name}-${var.env_name}-db"
		72  |   username       = var.rds_username
		73  | 
		74  |   manage_master_user_password = true
		75  | 
		76  |   snapshot_identifier = var.snapshot_identifier != null ? var.snapshot_identifier : null
		77  | 
		78  |   kms_key_id = var.account_config.kms_keys.rds_shared
		79  | 
		80  |   allow_major_version_upgrade = var.rds_allow_major_version_upgrade
		81  |   apply_immediately           = var.rds_apply_immediately
		82  | 
		83  |   # tflint-ignore: aws_db_instance_default_parameter_group
		84  |   parameter_group_name                = var.rds_parameter_group_name
		85  |   deletion_protection                 = var.rds_deletion_protection
		86  |   delete_automated_backups            = var.rds_delete_automated_backups
		87  |   skip_final_snapshot                 = var.rds_skip_final_snapshot
		88  |   final_snapshot_identifier           = !var.rds_skip_final_snapshot ? "${var.name}-${var.env_name}-db-final-${random_id.rds_suffix.hex}" : null
		89  |   allocated_storage                   = var.rds_allocated_storage
		90  |   max_allocated_storage               = var.rds_max_allocated_storage
		91  |   storage_type                        = var.rds_storage_type
		92  |   maintenance_window                  = var.maintenance_window
		93  |   auto_minor_version_upgrade          = true
		94  |   backup_window                       = var.rds_backup_window
		95  |   backup_retention_period             = var.rds_backup_retention_period
		96  |   iam_database_authentication_enabled = var.rds_iam_database_authentication_enabled
		97  |   db_subnet_group_name                = aws_db_subnet_group.this[0].id
		98  |   vpc_security_group_ids              = [aws_security_group.db[0].id]
		99  |   multi_az                            = var.rds_multi_az
		100 |   monitoring_interval                 = var.rds_monitoring_interval
		101 |   monitoring_role_arn                 = var.rds_monitoring_interval != null || var.rds_monitoring_interval != 0 ? aws_iam_role.rds_enhanced_monitoring[0].arn : null
		102 |   #checkov:skip=CKV_AWS_118: "enhanced monitoring is enabled, but optional"
		103 |   storage_encrypted               = true
		104 |   performance_insights_enabled    = var.rds_performance_insights_enabled
		105 |   performance_insights_kms_key_id = var.rds_performance_insights_enabled ? var.account_config.kms_keys.general_shared : null
		106 |   enabled_cloudwatch_logs_exports = var.rds_enabled_cloudwatch_logs_exports
		107 |   tags = merge(var.tags,
		108 |     { Name = lower(format("%s-%s-database", var.name, var.env_name)) },
		109 |     var.enable_platform_backups != null ? { "backup" = var.enable_platform_backups ? "true" : "false" } : {}
		110 |   )
		111 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.ecs_service
	File: /sg.tf:2-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		2  | resource "aws_security_group" "ecs_service" {
		3  |   name        = "ecs-service-${var.name}-${var.env_name}"
		4  |   description = "Security group for the ${var.env_name} ${var.name} service"
		5  |   vpc_id      = var.account_config.shared_vpc_id
		6  |   tags        = var.tags
		7  |   lifecycle {
		8  |     create_before_destroy = true
		9  |   }
		10 | }


checkov_exitcode=3

TFLint Scan Failed

Show Output
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
terraform/environments/delius-core/modules/components/ldap
terraform/environments/delius-core/modules/components/oracle_db_instance
terraform/environments/delius-core/modules/helpers/delius_microservice

*****************************

Running tflint in terraform/environments/delius-core/modules/components/ldap
Excluding the following checks: terraform_unused_declarations
1 issue(s) found:

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/delius-core/modules/components/ldap/datasync.tf line 97:
  97:         "${module.s3_bucket_ldap_data_refresh.bucket.arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

tflint_exitcode=2

*****************************

Running tflint in terraform/environments/delius-core/modules/components/oracle_db_instance
Excluding the following checks: terraform_unused_declarations
3 issue(s) found:

Warning: Module source "github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance" is not pinned (terraform_module_pinned_source)

  on terraform/environments/delius-core/modules/components/oracle_db_instance/instance.tf line 24:
  24:   source = "github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_module_pinned_source.md

Warning: `server_type_tag` variable has no type (terraform_typed_variables)

  on terraform/environments/delius-core/modules/components/oracle_db_instance/variables.tf line 36:
  36: variable "server_type_tag" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_typed_variables.md

Warning: `database_tag_prefix` variable has no type (terraform_typed_variables)

  on terraform/environments/delius-core/modules/components/oracle_db_instance/variables.tf line 41:
  41: variable "database_tag_prefix" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_typed_variables.md

tflint_exitcode=4

*****************************

Running tflint in terraform/environments/delius-core/modules/helpers/delius_microservice
Excluding the following checks: terraform_unused_declarations
1 issue(s) found:

Warning: Missing version constraint for provider "random" in `required_providers` (terraform_required_providers)

  on terraform/environments/delius-core/modules/helpers/delius_microservice/rds.tf line 1:
   1: resource "random_id" "rds_suffix" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

tflint_exitcode=6

Trivy Scan Failed

Show Output
*****************************

Trivy will check the following folders:
terraform/environments/delius-core/modules/components/ldap
terraform/environments/delius-core/modules/components/oracle_db_instance
terraform/environments/delius-core/modules/helpers/delius_microservice

*****************************

Running Trivy in terraform/environments/delius-core/modules/components/ldap
2024-08-19T16:13:46Z	INFO	[db] Need to update DB
2024-08-19T16:13:46Z	INFO	[db] Downloading DB...	repository="ghcr.io/aquasecurity/trivy-db:2"
2024-08-19T16:13:48Z	INFO	[vuln] Vulnerability scanning is enabled
2024-08-19T16:13:48Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-08-19T16:13:48Z	INFO	Need to update the built-in policies
2024-08-19T16:13:48Z	INFO	Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s
2024-08-19T16:13:48Z	INFO	[secret] Secret scanning is enabled
2024-08-19T16:13:48Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-08-19T16:13:48Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.54/docs/scanner/secret#recommendation for faster secret detection
2024-08-19T16:13:49Z	INFO	Number of language-specific files	num=0
2024-08-19T16:13:49Z	INFO	Detected config files	num=10

sg.tf (terraform)
=================
Tests: 10 (SUCCESSES: 9, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 sg.tf:17
   via sg.tf:11-19 (aws_security_group_rule.allow_all_egress)
────────────────────────────────────────
  11   resource "aws_security_group_rule" "allow_all_egress" {
  12     description       = "Allow all outbound traffic to any IPv4 address"
  13     type              = "egress"
  14     from_port         = 0
  15     to_port           = 0
  16     protocol          = "-1"
  17 [   cidr_blocks       = ["0.0.0.0/0"]
  18     security_group_id = aws_security_group.ldap.id
  19   }
────────────────────────────────────────


trivy_exitcode=1

*****************************

Running Trivy in terraform/environments/delius-core/modules/components/oracle_db_instance
2024-08-19T16:13:50Z	INFO	[vuln] Vulnerability scanning is enabled
2024-08-19T16:13:50Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-08-19T16:13:50Z	INFO	[secret] Secret scanning is enabled
2024-08-19T16:13:50Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-08-19T16:13:50Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.54/docs/scanner/secret#recommendation for faster secret detection
2024-08-19T16:13:51Z	INFO	Number of language-specific files	num=0
2024-08-19T16:13:51Z	INFO	Detected config files	num=2
trivy_exitcode=1

*****************************

Running Trivy in terraform/environments/delius-core/modules/helpers/delius_microservice
2024-08-19T16:13:51Z	INFO	[vuln] Vulnerability scanning is enabled
2024-08-19T16:13:51Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-08-19T16:13:51Z	INFO	[secret] Secret scanning is enabled
2024-08-19T16:13:51Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-08-19T16:13:51Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.54/docs/scanner/secret#recommendation for faster secret detection
2024-08-19T16:13:52Z	INFO	Number of language-specific files	num=0
2024-08-19T16:13:52Z	INFO	Detected config files	num=5

sg.tf (terraform)
=================
Tests: 3 (SUCCESSES: 2, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 sg.tf:47
   via sg.tf:41-49 (aws_security_group_rule.ecs_service_tls_egress)
────────────────────────────────────────
  41   resource "aws_security_group_rule" "ecs_service_tls_egress" {
  42     description       = "Allow all outbound traffic to any IPv4 address on 443"
  43     type              = "egress"
  44     from_port         = 443
  45     to_port           = 443
  46     protocol          = "tcp"
  47 [   cidr_blocks       = ["0.0.0.0/0"]
  48     security_group_id = aws_security_group.ecs_service.id
  49   }
────────────────────────────────────────


trivy_exitcode=2
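The findings quoted in the scan output above (CKV_AWS_152/91/150 on the NLB, CKV_AWS_23 on the security group rules, CKV_AWS_356/108 on the task execution role, and Trivy avd-aws-0104 on the 443 egress rule) each have a concrete Terraform remedy. The block below is an added example written for this page; it is not code from the ministryofjustice repository or from this PR. It reuses the resource and variable names visible in the output, and everything marked "assumed" (the `aws_s3_bucket.lb_logs` bucket, the `aws_cloudwatch_log_group.ecs` resource, the `var.ecr_repository_arns`, `var.ssm_parameter_arns` and `var.secret_arns` variables, the existence of ECR/Logs/SSM/Secrets Manager interface endpoints in the shared VPC, and `kms_keys.general_shared` holding a key ARN) does not appear on the page.

```hcl
# Added example, not code from the ministryofjustice repository: hardened variants of the
# resources quoted in the scan output above. Identifiers marked "assumed" are not on the page.

# CKV_AWS_152, CKV_AWS_91, CKV_AWS_150: cross-zone balancing, access logs, deletion protection.
resource "aws_lb" "delius_microservices" {
  name                             = "${var.name}-${var.env_name}-service-nlb"
  internal                         = true
  load_balancer_type               = "network"
  security_groups                  = [aws_security_group.delius_microservices_service_nlb.id]
  subnets                          = var.account_config.private_subnet_ids
  enable_cross_zone_load_balancing = true
  enable_deletion_protection       = true # relax deliberately, per environment, only for a planned teardown
  access_logs {
    bucket  = aws_s3_bucket.lb_logs.id # assumed: bucket whose policy grants the ELB log-delivery principal
    prefix  = "${var.name}-${var.env_name}-nlb"
    enabled = true
  }
  tags = var.tags
}

# CKV_AWS_23: a description on every rule. State why the traffic is allowed, not just the port.
resource "aws_security_group_rule" "all_cluster_to_ecs_service_tcp" {
  for_each                 = toset([for _, v in var.container_port_config : tostring(v.containerPort)])
  description              = "Cluster members to ${var.name} container port ${each.value}"
  security_group_id        = aws_security_group.ecs_service.id
  type                     = "ingress"
  from_port                = each.value
  to_port                  = each.value
  protocol                 = "tcp"
  source_security_group_id = var.cluster_security_group_id
}

# avd-aws-0104: with ECR, Logs, SSM and Secrets Manager interface endpoints in the shared VPC
# (assumed), 443 egress needs only the VPC CIDR plus the S3 gateway prefix list, which is where
# ECR stores image layers. Any third-party HTTPS dependency must then be listed explicitly.
data "aws_region" "current" {}

data "aws_prefix_list" "s3" {
  name = "com.amazonaws.${data.aws_region.current.name}.s3"
}

resource "aws_security_group_rule" "ecs_service_tls_egress" {
  description       = "HTTPS to VPC interface endpoints only"
  type              = "egress"
  from_port         = 443
  to_port           = 443
  protocol          = "tcp"
  cidr_blocks       = [var.account_config.shared_vpc_cidr]
  security_group_id = aws_security_group.ecs_service.id
}

resource "aws_security_group_rule" "ecs_service_tls_egress_s3" {
  description       = "HTTPS to the S3 gateway endpoint (ECR image layers)"
  type              = "egress"
  from_port         = 443
  to_port           = 443
  protocol          = "tcp"
  prefix_list_ids   = [data.aws_prefix_list.s3.id]
  security_group_id = aws_security_group.ecs_service.id
}

# CKV_AWS_356 / CKV_AWS_108: only ecr:GetAuthorizationToken lacks resource-level support.
# Pin the rest to the task's own repositories, log group, secrets and key. logs:CreateLogGroup
# is dropped because the log group is created by Terraform, not by the task at start-up.
data "aws_iam_policy_document" "task_exec" {
  statement {
    sid       = "EcrAuth"
    effect    = "Allow"
    actions   = ["ecr:GetAuthorizationToken"]
    resources = ["*"]
  }
  statement {
    sid       = "EcrPull"
    effect    = "Allow"
    actions   = ["ecr:BatchCheckLayerAvailability", "ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage"]
    resources = var.ecr_repository_arns # assumed variable: list(string) of repository ARNs
  }
  statement {
    sid       = "Logs"
    effect    = "Allow"
    actions   = ["logs:CreateLogStream", "logs:PutLogEvents"]
    resources = ["${aws_cloudwatch_log_group.ecs.arn}:*"] # assumed: the service's log group
  }
  statement {
    sid       = "Secrets"
    effect    = "Allow"
    actions   = ["ssm:GetParameters", "secretsmanager:GetSecretValue"]
    resources = concat(var.ssm_parameter_arns, var.secret_arns) # assumed variables
  }
  statement {
    sid       = "Decrypt"
    effect    = "Allow"
    actions   = ["kms:Decrypt"]
    resources = [var.account_config.kms_keys.general_shared] # assumed to hold the key ARN
    condition {
      test     = "StringEquals"
      variable = "kms:ViaService"
      values = [
        "secretsmanager.${data.aws_region.current.name}.amazonaws.com",
        "ssm.${data.aws_region.current.name}.amazonaws.com",
      ]
    }
  }
}
```

Two caveats worth knowing before copying this. NLB access logs only record traffic on TLS listeners, so on a plain TCP listener the check passes but little is written; VPC Flow Logs on the subnets cover the rest. The tightened egress breaks any outbound call that does not go through a VPC endpoint, so it has to be rolled out with a dependency inventory in hand. For the RDS finding, `copy_tags_to_snapshot = true` on `aws_db_instance.this` clears CKV2_AWS_60; while editing that resource, note that the `monitoring_role_arn` condition quoted above tests `!= null || != 0`, which is always true, where `&&` is evidently intended. CKV2_AWS_5 on `aws_security_group.ecs_service` is a limitation of the scan rather than a defect: the group is attached through `module "ecs_service"`, a git-sourced module Checkov does not download unless run with `--download-external-modules`.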

andrewmooreio previously approved these changes Aug 19, 2024
@georgepstaylor georgepstaylor temporarily deployed to delius-core-development August 19, 2024 16:24 — with GitHub Actions Inactive
Contributor

Trivy Scan Failed

Show Output

Trivy will check the following folders:
terraform/environments/delius-core/modules/components/ldap
terraform/environments/delius-core/modules/components/oracle_db_instance
terraform/environments/delius-core/modules/helpers/delius_microservice


Running Trivy in terraform/environments/delius-core/modules/components/ldap
2024-08-19T16:24:00Z INFO [db] Need to update DB
2024-08-19T16:24:00Z INFO [db] Downloading DB... repository="ghcr.io/aquasecurity/trivy-db:2"
2024-08-19T16:24:02Z INFO [vuln] Vulnerability scanning is enabled
2024-08-19T16:24:02Z INFO [misconfig] Misconfiguration scanning is enabled
2024-08-19T16:24:02Z INFO Need to update the built-in policies
2024-08-19T16:24:02Z INFO Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s
2024-08-19T16:24:03Z INFO [secret] Secret scanning is enabled
2024-08-19T16:24:03Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-08-19T16:24:03Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.54/docs/scanner/secret#recommendation for faster secret detection
2024-08-19T16:24:04Z INFO Number of language-specific files num=0
2024-08-19T16:24:04Z INFO Detected config files num=10

sg.tf (terraform)
=================
Tests: 10 (SUCCESSES: 9, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 sg.tf:17
   via sg.tf:11-19 (aws_security_group_rule.allow_all_egress)
────────────────────────────────────────
  11   resource "aws_security_group_rule" "allow_all_egress" {
  12     description       = "Allow all outbound traffic to any IPv4 address"
  13     type              = "egress"
  14     from_port         = 0
  15     to_port           = 0
  16     protocol          = "-1"
  17 [   cidr_blocks       = ["0.0.0.0/0"]
  18     security_group_id = aws_security_group.ldap.id
  19   }
────────────────────────────────────────

trivy_exitcode=1


Running Trivy in terraform/environments/delius-core/modules/components/oracle_db_instance
2024-08-19T16:24:05Z INFO [vuln] Vulnerability scanning is enabled
2024-08-19T16:24:05Z INFO [misconfig] Misconfiguration scanning is enabled
2024-08-19T16:24:05Z INFO [secret] Secret scanning is enabled
2024-08-19T16:24:05Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-08-19T16:24:05Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.54/docs/scanner/secret#recommendation for faster secret detection
2024-08-19T16:24:06Z INFO Number of language-specific files num=0
2024-08-19T16:24:06Z INFO Detected config files num=2
trivy_exitcode=1


Running Trivy in terraform/environments/delius-core/modules/helpers/delius_microservice
2024-08-19T16:24:07Z INFO [vuln] Vulnerability scanning is enabled
2024-08-19T16:24:07Z INFO [misconfig] Misconfiguration scanning is enabled
2024-08-19T16:24:07Z INFO [secret] Secret scanning is enabled
2024-08-19T16:24:07Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-08-19T16:24:07Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.54/docs/scanner/secret#recommendation for faster secret detection
2024-08-19T16:24:08Z INFO Number of language-specific files num=0
2024-08-19T16:24:08Z INFO Detected config files num=5

sg.tf (terraform)
=================
Tests: 3 (SUCCESSES: 2, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 sg.tf:47
   via sg.tf:41-49 (aws_security_group_rule.ecs_service_tls_egress)
────────────────────────────────────────
  41   resource "aws_security_group_rule" "ecs_service_tls_egress" {
  42     description       = "Allow all outbound traffic to any IPv4 address on 443"
  43     type              = "egress"
  44     from_port         = 443
  45     to_port           = 443
  46     protocol          = "tcp"
  47 [   cidr_blocks       = ["0.0.0.0/0"]
  48     security_group_id = aws_security_group.ecs_service.id
  49   }
────────────────────────────────────────

trivy_exitcode=2

Checkov Scan Failed

Show Output

*****************************

Checkov will check the following folders:
terraform/environments/delius-core/modules/components/ldap
terraform/environments/delius-core/modules/components/oracle_db_instance
terraform/environments/delius-core/modules/helpers/delius_microservice

*****************************

Running Checkov in terraform/environments/delius-core/modules/components/ldap
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-08-19 16:24:11,211 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 247, Failed checks: 32, Skipped checks: 0

Check: CKV_AWS_166: "Ensure Backup Vault is encrypted at rest using KMS CMK"
	FAILED for resource: aws_backup_vault.ldap_backup_vault
	File: /backup.tf:1-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-backup-vault-is-encrypted-at-rest-using-kms-cmk

		1 | resource "aws_backup_vault" "ldap_backup_vault" {
		2 |   name = "${var.env_name}-ldap-efs-vault"
		3 |   tags = merge(
		4 |     var.tags,
		5 |     {
		6 |       Name = "${var.env_name}-ldap-efs-vault"
		7 |     },
		8 |   )
		9 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.delius_core_backup_policy
	File: /backup.tf:69-89
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		69 | data "aws_iam_policy_document" "delius_core_backup_policy" {
		70 |   statement {
		71 |     effect    = "Allow"
		72 |     resources = ["*"]
		73 | 
		74 |     actions = [
		75 |       "backup:CreateBackupPlan",
		76 |       "backup:CreateBackupSelection",
		77 |       "backup:StartBackupJob",
		78 |       "backup:DescribeBackupJob",
		79 |       "backup:ListBackupJobs",
		80 |       "backup:ListBackupVaults",
		81 |       "backup:ListRecoveryPointsByBackupVault",
		82 |       "backup:ListBackupPlanTemplates",
		83 |       "backup:DescribeRestoreJob",
		84 |       "backup:GetRecoveryPointRestoreMetadata",
		85 |       "backup:ListRestoreJobs",
		86 |       "backup:StartRestoreJob"
		87 |     ]
		88 |   }
		89 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.delius_core_backup_policy
	File: /backup.tf:69-89
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		69 | data "aws_iam_policy_document" "delius_core_backup_policy" {
		70 |   statement {
		71 |     effect    = "Allow"
		72 |     resources = ["*"]
		73 | 
		74 |     actions = [
		75 |       "backup:CreateBackupPlan",
		76 |       "backup:CreateBackupSelection",
		77 |       "backup:StartBackupJob",
		78 |       "backup:DescribeBackupJob",
		79 |       "backup:ListBackupJobs",
		80 |       "backup:ListBackupVaults",
		81 |       "backup:ListRecoveryPointsByBackupVault",
		82 |       "backup:ListBackupPlanTemplates",
		83 |       "backup:DescribeRestoreJob",
		84 |       "backup:GetRecoveryPointRestoreMetadata",
		85 |       "backup:ListRestoreJobs",
		86 |       "backup:StartRestoreJob"
		87 |     ]
		88 |   }
		89 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.efs_backup_policy
	File: /backup.tf:97-134
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		97  | data "aws_iam_policy_document" "efs_backup_policy" {
		98  |   statement {
		99  |     effect    = "Allow"
		100 |     resources = ["*"]
		101 | 
		102 |     actions = [
		103 |       "efs:DescribeFileSystems",
		104 |       "efs:CreateBackup",
		105 |       "efs:DeleteBackup",
		106 |       "efs:DescribeBackups",
		107 |       "efs:CreateTags",
		108 |       "efs:UntagResource",
		109 |       "efs:TagResource",
		110 |       "efs:DescribeTags",
		111 |       "elasticfilesystem:Backup",
		112 |       "elasticfilesystem:DescribeTags",
		113 |       "elasticfilesystem:CreateAccessPoint",
		114 |       "elasticfilesystem:CreateFileSystem",
		115 |       "elasticfilesystem:CreateMountTarget",
		116 |       "elasticfilesystem:DeleteAccessPoint",
		117 |       "elasticfilesystem:DeleteFileSystem",
		118 |       "elasticfilesystem:DeleteMountTarget",
		119 |       "elasticfilesystem:DescribeAccessPoints",
		120 |       "elasticfilesystem:DescribeFileSystemPolicy",
		121 |       "elasticfilesystem:DescribeFileSystems",
		122 |       "elasticfilesystem:DescribeLifecycleConfiguration",
		123 |       "elasticfilesystem:DescribeMountTargets",
		124 |       "elasticfilesystem:DescribeMountTargetSecurityGroups",
		125 |       "elasticfilesystem:PutBackupPolicy",
		126 |       "elasticfilesystem:PutFileSystemPolicy",
		127 |       "elasticfilesystem:PutLifecycleConfiguration",
		128 |       "elasticfilesystem:Restore",
		129 |       "elasticfilesystem:TagResource",
		130 |       "elasticfilesystem:UntagResource",
		131 |       "elasticfilesystem:UpdateFileSystem"
		132 |     ]
		133 |   }
		134 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.efs_backup_policy
	File: /backup.tf:97-134
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		97  | data "aws_iam_policy_document" "efs_backup_policy" {
		98  |   statement {
		99  |     effect    = "Allow"
		100 |     resources = ["*"]
		101 | 
		102 |     actions = [
		103 |       "efs:DescribeFileSystems",
		104 |       "efs:CreateBackup",
		105 |       "efs:DeleteBackup",
		106 |       "efs:DescribeBackups",
		107 |       "efs:CreateTags",
		108 |       "efs:UntagResource",
		109 |       "efs:TagResource",
		110 |       "efs:DescribeTags",
		111 |       "elasticfilesystem:Backup",
		112 |       "elasticfilesystem:DescribeTags",
		113 |       "elasticfilesystem:CreateAccessPoint",
		114 |       "elasticfilesystem:CreateFileSystem",
		115 |       "elasticfilesystem:CreateMountTarget",
		116 |       "elasticfilesystem:DeleteAccessPoint",
		117 |       "elasticfilesystem:DeleteFileSystem",
		118 |       "elasticfilesystem:DeleteMountTarget",
		119 |       "elasticfilesystem:DescribeAccessPoints",
		120 |       "elasticfilesystem:DescribeFileSystemPolicy",
		121 |       "elasticfilesystem:DescribeFileSystems",
		122 |       "elasticfilesystem:DescribeLifecycleConfiguration",
		123 |       "elasticfilesystem:DescribeMountTargets",
		124 |       "elasticfilesystem:DescribeMountTargetSecurityGroups",
		125 |       "elasticfilesystem:PutBackupPolicy",
		126 |       "elasticfilesystem:PutFileSystemPolicy",
		127 |       "elasticfilesystem:PutLifecycleConfiguration",
		128 |       "elasticfilesystem:Restore",
		129 |       "elasticfilesystem:TagResource",
		130 |       "elasticfilesystem:UntagResource",
		131 |       "elasticfilesystem:UpdateFileSystem"
		132 |     ]
		133 |   }
		134 | }

Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy_document.efs_backup_policy
	File: /backup.tf:97-134
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint

		97  | data "aws_iam_policy_document" "efs_backup_policy" {
		98  |   statement {
		99  |     effect    = "Allow"
		100 |     resources = ["*"]
		101 | 
		102 |     actions = [
		103 |       "efs:DescribeFileSystems",
		104 |       "efs:CreateBackup",
		105 |       "efs:DeleteBackup",
		106 |       "efs:DescribeBackups",
		107 |       "efs:CreateTags",
		108 |       "efs:UntagResource",
		109 |       "efs:TagResource",
		110 |       "efs:DescribeTags",
		111 |       "elasticfilesystem:Backup",
		112 |       "elasticfilesystem:DescribeTags",
		113 |       "elasticfilesystem:CreateAccessPoint",
		114 |       "elasticfilesystem:CreateFileSystem",
		115 |       "elasticfilesystem:CreateMountTarget",
		116 |       "elasticfilesystem:DeleteAccessPoint",
		117 |       "elasticfilesystem:DeleteFileSystem",
		118 |       "elasticfilesystem:DeleteMountTarget",
		119 |       "elasticfilesystem:DescribeAccessPoints",
		120 |       "elasticfilesystem:DescribeFileSystemPolicy",
		121 |       "elasticfilesystem:DescribeFileSystems",
		122 |       "elasticfilesystem:DescribeLifecycleConfiguration",
		123 |       "elasticfilesystem:DescribeMountTargets",
		124 |       "elasticfilesystem:DescribeMountTargetSecurityGroups",
		125 |       "elasticfilesystem:PutBackupPolicy",
		126 |       "elasticfilesystem:PutFileSystemPolicy",
		127 |       "elasticfilesystem:PutLifecycleConfiguration",
		128 |       "elasticfilesystem:Restore",
		129 |       "elasticfilesystem:TagResource",
		130 |       "elasticfilesystem:UntagResource",
		131 |       "elasticfilesystem:UpdateFileSystem"
		132 |     ]
		133 |   }
		134 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.ldap_ecs
	File: /cloudwatch.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		1 | resource "aws_cloudwatch_log_group" "ldap_ecs" {
		2 |   name              = "/ecs/ldap-${var.env_name}"
		3 |   retention_in_days = 5
		4 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.ldap_ecs
	File: /cloudwatch.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		1 | resource "aws_cloudwatch_log_group" "ldap_ecs" {
		2 |   name              = "/ecs/ldap-${var.env_name}"
		3 |   retention_in_days = 5
		4 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.ldap_automation
	File: /cloudwatch.tf:6-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		6 | resource "aws_cloudwatch_log_group" "ldap_automation" {
		7 |   name              = "/ecs/ldap-automation-${var.env_name}"
		8 |   retention_in_days = 5
		9 | }
Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.ldap_automation
	File: /cloudwatch.tf:6-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		6 | resource "aws_cloudwatch_log_group" "ldap_automation" {
		7 |   name              = "/ecs/ldap-automation-${var.env_name}"
		8 |   retention_in_days = 5
		9 | }
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3_bucket_ldap_data_refresh
	File: /datasync.tf:117-131
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		117 | module "s3_bucket_ldap_data_refresh" {
		118 |   source              = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0"
		119 |   bucket_name         = "${var.env_name}-ldap-data-refresh-incoming"
		120 |   versioning_enabled  = false
		121 |   ownership_controls  = "BucketOwnerEnforced"
		122 |   replication_enabled = false
		123 |   custom_kms_key      = var.account_config.kms_keys.general_shared
		124 |   bucket_policy_v2    = local.ldap_refresh_bucket_policies
		125 | 
		126 |   providers = {
		127 |     aws.bucket-replication = aws.bucket-replication
		128 |   }
		129 | 
		130 |   tags = var.tags
		131 | }
Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.ldap_datasync_role_access
	File: /datasync.tf:49-88
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		49 | data "aws_iam_policy_document" "ldap_datasync_role_access" {
		50 |   statement {
		51 |     effect = "Allow"
		52 |     actions = [
		53 |       "backup:*",
		54 |       "datasync:*",
		55 |       "elasticfilesystem:*",
		56 |       "ec2:DescribeInstances",
		57 |       "ec2:CreateNetworkInterface",
		58 |       "ec2:AttachNetworkInterface",
		59 |       "ec2:DescribeNetworkInterfaces",
		60 |       "ec2:DeleteNetworkInterface"
		61 |     ]
		62 |     resources = ["*"]
		63 |   }
		64 |   statement {
		65 |     effect = "Allow"
		66 |     actions = [
		67 |       "kms:ListGrants",
		68 |       "kms:GenerateDataKey",
		69 |       "kms:Encrypt",
		70 |       "kms:DescribeKey",
		71 |       "kms:Decrypt",
		72 |       "kms:CreateGrant",
		73 |       "kms:ReEncryptTo",
		74 |       "kms:ReEncryptFrom",
		75 |       "kms:GenerateDataKeyWithoutPlaintext"
		76 |     ]
		77 |     resources = [var.account_config.kms_keys.general_shared]
		78 |   }
		79 |   statement {
		80 |     sid     = "allowAccessForDataSync"
		81 |     effect  = "Allow"
		82 |     actions = ["s3:*"]
		83 |     resources = [
		84 |       "arn:aws:s3:::*-ldap-data-refresh-incoming",
		85 |       "arn:aws:s3:::*-ldap-data-refresh-incoming/*",
		86 |     ]
		87 |   }
		88 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.ldap_datasync_role_access
	File: /datasync.tf:49-88
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		49 | data "aws_iam_policy_document" "ldap_datasync_role_access" {
		50 |   statement {
		51 |     effect = "Allow"
		52 |     actions = [
		53 |       "backup:*",
		54 |       "datasync:*",
		55 |       "elasticfilesystem:*",
		56 |       "ec2:DescribeInstances",
		57 |       "ec2:CreateNetworkInterface",
		58 |       "ec2:AttachNetworkInterface",
		59 |       "ec2:DescribeNetworkInterfaces",
		60 |       "ec2:DeleteNetworkInterface"
		61 |     ]
		62 |     resources = ["*"]
		63 |   }
		64 |   statement {
		65 |     effect = "Allow"
		66 |     actions = [
		67 |       "kms:ListGrants",
		68 |       "kms:GenerateDataKey",
		69 |       "kms:Encrypt",
		70 |       "kms:DescribeKey",
		71 |       "kms:Decrypt",
		72 |       "kms:CreateGrant",
		73 |       "kms:ReEncryptTo",
		74 |       "kms:ReEncryptFrom",
		75 |       "kms:GenerateDataKeyWithoutPlaintext"
		76 |     ]
		77 |     resources = [var.account_config.kms_keys.general_shared]
		78 |   }
		79 |   statement {
		80 |     sid     = "allowAccessForDataSync"
		81 |     effect  = "Allow"
		82 |     actions = ["s3:*"]
		83 |     resources = [
		84 |       "arn:aws:s3:::*-ldap-data-refresh-incoming",
		85 |       "arn:aws:s3:::*-ldap-data-refresh-incoming/*",
		86 |     ]
		87 |   }
		88 | }

Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy_document.ldap_datasync_role_access
	File: /datasync.tf:49-88
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint

		49 | data "aws_iam_policy_document" "ldap_datasync_role_access" {
		50 |   statement {
		51 |     effect = "Allow"
		52 |     actions = [
		53 |       "backup:*",
		54 |       "datasync:*",
		55 |       "elasticfilesystem:*",
		56 |       "ec2:DescribeInstances",
		57 |       "ec2:CreateNetworkInterface",
		58 |       "ec2:AttachNetworkInterface",
		59 |       "ec2:DescribeNetworkInterfaces",
		60 |       "ec2:DeleteNetworkInterface"
		61 |     ]
		62 |     resources = ["*"]
		63 |   }
		64 |   statement {
		65 |     effect = "Allow"
		66 |     actions = [
		67 |       "kms:ListGrants",
		68 |       "kms:GenerateDataKey",
		69 |       "kms:Encrypt",
		70 |       "kms:DescribeKey",
		71 |       "kms:Decrypt",
		72 |       "kms:CreateGrant",
		73 |       "kms:ReEncryptTo",
		74 |       "kms:ReEncryptFrom",
		75 |       "kms:GenerateDataKeyWithoutPlaintext"
		76 |     ]
		77 |     resources = [var.account_config.kms_keys.general_shared]
		78 |   }
		79 |   statement {
		80 |     sid     = "allowAccessForDataSync"
		81 |     effect  = "Allow"
		82 |     actions = ["s3:*"]
		83 |     resources = [
		84 |       "arn:aws:s3:::*-ldap-data-refresh-incoming",
		85 |       "arn:aws:s3:::*-ldap-data-refresh-incoming/*",
		86 |     ]
		87 |   }
		88 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3_bucket_migration
	File: /s3.tf:1-99
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3_bucket_app_deployment
	File: /s3.tf:102-141
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		102 | module "s3_bucket_app_deployment" {
		103 | 
		104 |   source = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0"
		105 | 
		106 |   bucket_prefix      = "ldap-${var.env_name}-deployment-state"
		107 |   versioning_enabled = true
		108 | 
		109 |   providers = {
		110 |     aws.bucket-replication = aws.bucket-replication
		111 |   }
		112 | 
		113 |   lifecycle_rule = [
		114 |     {
		115 |       id      = "main"
		116 |       enabled = "Enabled"
		117 |       prefix  = ""
		118 | 
		119 |       tags = {
		120 |         rule      = "log"
		121 |         autoclean = "true"
		122 |       }
		123 | 
		124 |       noncurrent_version_transition = [
		125 |         {
		126 |           days          = 90
		127 |           storage_class = "STANDARD_IA"
		128 |           }, {
		129 |           days          = 365
		130 |           storage_class = "GLACIER"
		131 |         }
		132 |       ]
		133 | 
		134 |       noncurrent_version_expiration = {
		135 |         days = 730
		136 |       }
		137 |     }
		138 |   ]
		139 | 
		140 |   tags = var.tags
		141 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_ldap_host
	File: /secrets.tf:5-15
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		5  | resource "aws_ssm_parameter" "delius_core_ldap_host" {
		6  |   name  = format("/%s-%s/LDAP_HOST", var.account_info.application_name, var.env_name)
		7  |   type  = "SecureString"
		8  |   value = "INITIAL_VALUE_OVERRIDDEN"
		9  |   lifecycle {
		10 |     ignore_changes = [
		11 |       value
		12 |     ]
		13 |   }
		14 |   tags = var.tags
		15 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_ldap_principal
	File: /secrets.tf:21-31
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		21 | resource "aws_ssm_parameter" "delius_core_ldap_principal" {
		22 |   name  = format("/%s-%s/LDAP_PRINCIPAL", var.account_info.application_name, var.env_name)
		23 |   type  = "SecureString"
		24 |   value = "INITIAL_VALUE_OVERRIDDEN"
		25 |   lifecycle {
		26 |     ignore_changes = [
		27 |       value
		28 |     ]
		29 |   }
		30 |   tags = var.tags
		31 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_ldap_seed_uri
	File: /secrets.tf:37-47
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		37 | resource "aws_ssm_parameter" "delius_core_ldap_seed_uri" {
		38 |   name  = format("/%s-%s/LDAP_SEED_URI", var.account_info.application_name, var.env_name)
		39 |   type  = "SecureString"
		40 |   value = "INITIAL_VALUE_OVERRIDDEN"
		41 |   lifecycle {
		42 |     ignore_changes = [
		43 |       value
		44 |     ]
		45 |   }
		46 |   tags = var.tags
		47 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_ldap_bind_password
	File: /secrets.tf:53-63
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		53 | resource "aws_ssm_parameter" "delius_core_ldap_bind_password" {
		54 |   name  = format("/%s-%s/LDAP_BIND_PASSWORD", var.account_info.application_name, var.env_name)
		55 |   type  = "SecureString"
		56 |   value = "INITIAL_VALUE_OVERRIDDEN"
		57 |   lifecycle {
		58 |     ignore_changes = [
		59 |       value
		60 |     ]
		61 |   }
		62 |   tags = var.tags
		63 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_ldap_rbac_version
	File: /secrets.tf:82-92
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		82 | resource "aws_ssm_parameter" "delius_core_ldap_rbac_version" {
		83 |   name  = format("/%s-%s/LDAP_RBAC_VERSION", var.account_info.application_name, var.env_name)
		84 |   type  = "SecureString"
		85 |   value = "INITIAL_VALUE_OVERRIDDEN"
		86 |   lifecycle {
		87 |     ignore_changes = [
		88 |       value
		89 |     ]
		90 |   }
		91 |   tags = var.tags
		92 | }
Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group_rule.efs_ingress_ldap
	File: /sg.tf:65-72
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		65 | resource "aws_security_group_rule" "efs_ingress_ldap" {
		66 |   type                     = "ingress"
		67 |   from_port                = 2049
		68 |   to_port                  = 2049
		69 |   protocol                 = "tcp"
		70 |   source_security_group_id = module.efs.sg_id
		71 |   security_group_id        = aws_security_group.ldap.id
		72 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.ldap_ecs_policies.aws_iam_policy_document.task_exec
	File: /../../helpers/ecs_policies/main.tf:104-122
	Calling File: /ldap_policies.tf:1-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		104 | data "aws_iam_policy_document" "task_exec" {
		105 |   statement {
		106 |     effect    = "Allow"
		107 |     resources = ["*"]
		108 | 
		109 |     actions = concat([
		110 |       "ssm:GetParameters",
		111 |       "ecr:GetAuthorizationToken",
		112 |       "ecr:BatchCheckLayerAvailability",
		113 |       "ecr:GetDownloadUrlForLayer",
		114 |       "ecr:BatchGetImage",
		115 |       "logs:CreateLogGroup",
		116 |       "logs:CreateLogStream",
		117 |       "logs:PutLogEvents",
		118 |       "secretsmanager:GetSecretValue",
		119 |       "kms:Decrypt",
		120 |     ], var.extra_exec_role_allow_statements)
		121 |   }
		122 | }

Check: CKV_AWS_108: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: module.ldap_ecs_policies.aws_iam_policy_document.task_exec
	File: /../../helpers/ecs_policies/main.tf:104-122
	Calling File: /ldap_policies.tf:1-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-data-exfiltration

		104 | data "aws_iam_policy_document" "task_exec" {
		105 |   statement {
		106 |     effect    = "Allow"
		107 |     resources = ["*"]
		108 | 
		109 |     actions = concat([
		110 |       "ssm:GetParameters",
		111 |       "ecr:GetAuthorizationToken",
		112 |       "ecr:BatchCheckLayerAvailability",
		113 |       "ecr:GetDownloadUrlForLayer",
		114 |       "ecr:BatchGetImage",
		115 |       "logs:CreateLogGroup",
		116 |       "logs:CreateLogStream",
		117 |       "logs:PutLogEvents",
		118 |       "secretsmanager:GetSecretValue",
		119 |       "kms:Decrypt",
		120 |     ], var.extra_exec_role_allow_statements)
		121 |   }
		122 | }

Check: CKV_AWS_329: "EFS access points should enforce a root directory"
	FAILED for resource: module.efs.aws_efs_access_point.ldap
	File: /../../helpers/efs/main.tf:26-37
	Calling File: /efs.tf:1-17
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-329

		26 | resource "aws_efs_access_point" "ldap" {
		27 |   file_system_id = aws_efs_file_system.this.id
		28 |   root_directory {
		29 |     path = "/"
		30 |   }
		31 |   tags = merge(
		32 |     var.tags,
		33 |     {
		34 |       Name = "${var.env_name}-${var.name}-efs-access-point"
		35 |     }
		36 |   )
		37 | }

Check: CKV_AWS_330: "EFS access points should enforce a user identity"
	FAILED for resource: module.efs.aws_efs_access_point.ldap
	File: /../../helpers/efs/main.tf:26-37
	Calling File: /efs.tf:1-17
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-330

		26 | resource "aws_efs_access_point" "ldap" {
		27 |   file_system_id = aws_efs_file_system.this.id
		28 |   root_directory {
		29 |     path = "/"
		30 |   }
		31 |   tags = merge(
		32 |     var.tags,
		33 |     {
		34 |       Name = "${var.env_name}-${var.name}-efs-access-point"
		35 |     }
		36 |   )
		37 | }

Check: CKV_AWS_152: "Ensure that Load Balancer (Network/Gateway) has cross-zone load balancing enabled"
	FAILED for resource: module.nlb.aws_lb.this
	File: /../../helpers/nlb/main.tf:1-12
	Calling File: /nlb.tf:1-23
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-load-balancer-networkgateway-has-cross-zone-load-balancing-enabled

		1  | resource "aws_lb" "this" {
		2  |   name                       = "${var.app_name}-${var.env_name}-nlb"
		3  |   internal                   = var.internal
		4  |   load_balancer_type         = var.load_balancer_type
		5  |   subnets                    = var.subnet_ids
		6  |   drop_invalid_header_fields = var.drop_invalid_header_fields
		7  |   enable_deletion_protection = var.enable_deletion_protection
		8  | 
		9  | 
		10 | 
		11 |   tags = var.tags
		12 | }

Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
	FAILED for resource: module.nlb.aws_lb.this
	File: /../../helpers/nlb/main.tf:1-12
	Calling File: /nlb.tf:1-23
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22

		1  | resource "aws_lb" "this" {
		2  |   name                       = "${var.app_name}-${var.env_name}-nlb"
		3  |   internal                   = var.internal
		4  |   load_balancer_type         = var.load_balancer_type
		5  |   subnets                    = var.subnet_ids
		6  |   drop_invalid_header_fields = var.drop_invalid_header_fields
		7  |   enable_deletion_protection = var.enable_deletion_protection
		8  | 
		9  | 
		10 | 
		11 |   tags = var.tags
		12 | }

Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
	FAILED for resource: module.nlb.aws_lb.this
	File: /../../helpers/nlb/main.tf:1-12
	Calling File: /nlb.tf:1-23
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-150

		1  | resource "aws_lb" "this" {
		2  |   name                       = "${var.app_name}-${var.env_name}-nlb"
		3  |   internal                   = var.internal
		4  |   load_balancer_type         = var.load_balancer_type
		5  |   subnets                    = var.subnet_ids
		6  |   drop_invalid_header_fields = var.drop_invalid_header_fields
		7  |   enable_deletion_protection = var.enable_deletion_protection
		8  | 
		9  | 
		10 | 
		11 |   tags = var.tags
		12 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: module.ldap_admin_password.aws_secretsmanager_secret.this
	File: /../../helpers/secret/main.tf:1-6
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		1 | resource "aws_secretsmanager_secret" "this" {
		2 |   name        = var.name
		3 |   description = var.description
		4 |   kms_key_id  = var.kms_key_id
		5 |   tags        = var.tags
		6 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.ldap
	File: /sg.tf:1-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		1 | resource "aws_security_group" "ldap" {
		2 |   name        = "${var.env_name}-ldap-sg"
		3 |   description = "Security group for the ${var.env_name} ldap service"
		4 |   vpc_id      = var.account_info.vpc_id
		5 |   tags        = var.tags
		6 |   lifecycle {
		7 |     create_before_destroy = true
		8 |   }
		9 | }

Check: CKV_AWS_103: "Ensure that load balancer is using at least TLS 1.2"
	FAILED for resource: module.nlb.aws_lb_listener.ldaps
	File: /../../helpers/nlb/main.tf:32-50
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-43

		32 | resource "aws_lb_listener" "ldaps" {
		33 |   load_balancer_arn = aws_lb.this.arn
		34 |   port              = var.secure_port
		35 |   protocol          = "TLS"
		36 | 
		37 |   default_action {
		38 |     type             = "forward"
		39 |     target_group_arn = aws_lb_target_group.this.arn
		40 |   }
		41 | 
		42 |   certificate_arn = var.certificate_arn
		43 | 
		44 |   tags = merge(
		45 |     var.tags,
		46 |     {
		47 |       Name = var.app_name
		48 |     }
		49 |   )
		50 | }


checkov_exitcode=1

*****************************

Running Checkov in terraform/environments/delius-core/modules/components/oracle_db_instance
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-08-19 16:24:15,048 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 0, Failed checks: 2, Skipped checks: 0

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: instance
	File: /instance.tf:23-66
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		23 | module "instance" {
		24 |   source = "github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance"
		25 | 
		26 |   providers = {
		27 |     aws.core-vpc = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		28 |   }
		29 | 
		30 |   name = "${var.account_info.application_name}-${var.env_name}-${var.db_suffix}-${local.instance_name_index}" # e.g. dev-boe-db-1
		31 | 
		32 |   ami_name                      = data.aws_ami.oracle_db.name
		33 |   ami_owner                     = var.db_ami.owner
		34 |   instance                      = local.instance_config
		35 |   ebs_kms_key_id                = var.account_config.kms_keys.general_shared
		36 |   ebs_volumes_copy_all_from_ami = true
		37 |   ebs_volume_config             = var.ebs_volume_config
		38 |   ebs_volumes                   = var.ebs_volumes
		39 |   ebs_volume_tags               = var.tags
		40 |   # route53_records               = merge(local.ec2_test.route53_records, lookup(each.value, "route53_records", {})) # revist
		41 |   route53_records = {
		42 |     create_internal_record = false
		43 |     create_external_record = false
		44 |   }
		45 |   iam_resource_names_prefix = "instance"
		46 |   instance_profile_policies = var.instance_profile_policies
		47 | 
		48 |   user_data_raw = base64encode(var.user_data)
		49 | 
		50 |   business_unit     = var.account_info.business_unit
		51 |   application_name  = var.account_info.application_name
		52 |   environment       = var.account_info.mp_environment
		53 |   region            = "eu-west-2"
		54 |   availability_zone = var.availability_zone
		55 |   subnet_id         = var.subnet_id
		56 |   tags = merge(var.tags,
		57 |     { Name = "${var.account_info.application_name}-${var.env_name}-${var.db_suffix}-${local.instance_name_index}" },
		58 |     { server-type = var.server_type_tag },
		59 |     { database = local.database_tag },
		60 |     var.enable_platform_backups != null ? { "backup" = var.enable_platform_backups ? "true" : "false" } : {}
		61 |   )
		62 | 
		63 |   cloudwatch_metric_alarms = merge(
		64 |     local.cloudwatch_metric_alarms.ec2
		65 |   )
		66 | }

Check: CKV_TF_2: "Ensure Terraform module sources use a tag with a version number"
	FAILED for resource: instance
	File: /instance.tf:23-66
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-tag

		23 | module "instance" {
		24 |   source = "github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance"
		25 | 
		26 |   providers = {
		27 |     aws.core-vpc = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		28 |   }
		29 | 
		30 |   name = "${var.account_info.application_name}-${var.env_name}-${var.db_suffix}-${local.instance_name_index}" # e.g. dev-boe-db-1
		31 | 
		32 |   ami_name                      = data.aws_ami.oracle_db.name
		33 |   ami_owner                     = var.db_ami.owner
		34 |   instance                      = local.instance_config
		35 |   ebs_kms_key_id                = var.account_config.kms_keys.general_shared
		36 |   ebs_volumes_copy_all_from_ami = true
		37 |   ebs_volume_config             = var.ebs_volume_config
		38 |   ebs_volumes                   = var.ebs_volumes
		39 |   ebs_volume_tags               = var.tags
		40 |   # route53_records               = merge(local.ec2_test.route53_records, lookup(each.value, "route53_records", {})) # revist
		41 |   route53_records = {
		42 |     create_internal_record = false
		43 |     create_external_record = false
		44 |   }
		45 |   iam_resource_names_prefix = "instance"
		46 |   instance_profile_policies = var.instance_profile_policies
		47 | 
		48 |   user_data_raw = base64encode(var.user_data)
		49 | 
		50 |   business_unit     = var.account_info.business_unit
		51 |   application_name  = var.account_info.application_name
		52 |   environment       = var.account_info.mp_environment
		53 |   region            = "eu-west-2"
		54 |   availability_zone = var.availability_zone
		55 |   subnet_id         = var.subnet_id
		56 |   tags = merge(var.tags,
		57 |     { Name = "${var.account_info.application_name}-${var.env_name}-${var.db_suffix}-${local.instance_name_index}" },
		58 |     { server-type = var.server_type_tag },
		59 |     { database = local.database_tag },
		60 |     var.enable_platform_backups != null ? { "backup" = var.enable_platform_backups ? "true" : "false" } : {}
		61 |   )
		62 | 
		63 |   cloudwatch_metric_alarms = merge(
		64 |     local.cloudwatch_metric_alarms.ec2
		65 |   )
		66 | }


checkov_exitcode=2

*****************************

Running Checkov in terraform/environments/delius-core/modules/helpers/delius_microservice
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-08-19 16:24:18,911 [MainThread  ] [WARNI]  Failed to download module git::https://github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//container?ref=v4.3.0:None (for external modules, the --download-external-modules flag is required)
2024-08-19 16:24:18,911 [MainThread  ] [WARNI]  Failed to download module git::https://github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//service?ref=v4.3.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 167, Failed checks: 15, Skipped checks: 2

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.ecs
	File: /cloudwatch.tf:1-5
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		1 | resource "aws_cloudwatch_log_group" "ecs" {
		2 |   name              = "${var.env_name}-${var.name}"
		3 |   retention_in_days = 7
		4 |   tags              = var.tags
		5 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.ecs
	File: /cloudwatch.tf:1-5
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		1 | resource "aws_cloudwatch_log_group" "ecs" {
		2 |   name              = "${var.env_name}-${var.name}"
		3 |   retention_in_days = 7
		4 |   tags              = var.tags
		5 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: container_definition
	File: /ecs.tf:1-25
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		1  | module "container_definition" {
		2  |   source                   = "git::https://github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//container?ref=v4.3.0"
		3  |   name                     = var.name
		4  |   image                    = var.container_image
		5  |   memory                   = var.container_memory
		6  |   cpu                      = var.container_cpu
		7  |   essential                = true
		8  |   readonly_root_filesystem = false
		9  | 
		10 |   environment = local.calculated_container_vars_list
		11 | 
		12 |   health_check = var.health_check
		13 | 
		14 |   secrets       = local.calculated_container_secrets_list
		15 |   port_mappings = var.container_port_config
		16 |   mount_points  = var.mount_points
		17 |   log_configuration = {
		18 |     logDriver = "awslogs"
		19 |     options = {
		20 |       "awslogs-group"         = aws_cloudwatch_log_group.ecs.name
		21 |       "awslogs-region"        = "eu-west-2"
		22 |       "awslogs-stream-prefix" = "${var.env_name}-${var.name}"
		23 |     }
		24 |   }
		25 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: ecs_service
	File: /ecs.tf:35-72
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		35 | module "ecs_service" {
		36 |   source                = "git::https://github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//service?ref=v4.3.0"
		37 |   container_definitions = nonsensitive(module.container_definition.json_encoded_list)
		38 |   cluster_arn           = var.ecs_cluster_arn
		39 |   name                  = var.name
		40 | 
		41 |   task_cpu    = var.container_cpu
		42 |   task_memory = var.container_memory
		43 | 
		44 |   desired_count                      = var.desired_count
		45 |   deployment_maximum_percent         = var.deployment_maximum_percent
		46 |   deployment_minimum_healthy_percent = var.deployment_minimum_healthy_percent
		47 | 
		48 |   service_role_arn   = "arn:aws:iam::${var.account_info.id}:role/${module.ecs_policies.service_role.name}"
		49 |   task_role_arn      = "arn:aws:iam::${var.account_info.id}:role/${module.ecs_policies.task_role.name}"
		50 |   task_exec_role_arn = "arn:aws:iam::${var.account_info.id}:role/${module.ecs_policies.task_exec_role.name}"
		51 | 
		52 |   health_check_grace_period_seconds = var.health_check_grace_period_seconds
		53 | 
		54 |   service_load_balancers = var.microservice_lb != null ? concat([{
		55 |     target_group_arn = aws_lb_target_group.frontend[0].arn
		56 |     container_name   = var.name
		57 |     container_port   = var.container_port_config[0].containerPort
		58 |     }],
		59 |   values(local.ecs_nlbs)) : values(local.ecs_nlbs)
		60 | 
		61 |   efs_volumes = var.efs_volumes
		62 | 
		63 |   security_groups = [aws_security_group.ecs_service.id]
		64 | 
		65 |   subnets = var.account_config.private_subnet_ids
		66 | 
		67 |   enable_execute_command = true
		68 | 
		69 |   ignore_changes = var.ignore_changes_service_task_definition
		70 | 
		71 |   tags = var.tags
		72 | }

Check: CKV_AWS_152: "Ensure that Load Balancer (Network/Gateway) has cross-zone load balancing enabled"
	FAILED for resource: aws_lb.delius_microservices
	File: /load_balancing.tf:90-98
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-load-balancer-networkgateway-has-cross-zone-load-balancing-enabled

		90 | resource "aws_lb" "delius_microservices" {
		91 |   name                       = "${var.name}-${var.env_name}-service-nlb"
		92 |   internal                   = true
		93 |   load_balancer_type         = "network"
		94 |   security_groups            = [aws_security_group.delius_microservices_service_nlb.id]
		95 |   subnets                    = var.account_config.private_subnet_ids
		96 |   enable_deletion_protection = false
		97 |   tags                       = var.tags
		98 | }

Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
	FAILED for resource: aws_lb.delius_microservices
	File: /load_balancing.tf:90-98
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22

		90 | resource "aws_lb" "delius_microservices" {
		91 |   name                       = "${var.name}-${var.env_name}-service-nlb"
		92 |   internal                   = true
		93 |   load_balancer_type         = "network"
		94 |   security_groups            = [aws_security_group.delius_microservices_service_nlb.id]
		95 |   subnets                    = var.account_config.private_subnet_ids
		96 |   enable_deletion_protection = false
		97 |   tags                       = var.tags
		98 | }

Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
	FAILED for resource: aws_lb.delius_microservices
	File: /load_balancing.tf:90-98
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-150

		90 | resource "aws_lb" "delius_microservices" {
		91 |   name                       = "${var.name}-${var.env_name}-service-nlb"
		92 |   internal                   = true
		93 |   load_balancer_type         = "network"
		94 |   security_groups            = [aws_security_group.delius_microservices_service_nlb.id]
		95 |   subnets                    = var.account_config.private_subnet_ids
		96 |   enable_deletion_protection = false
		97 |   tags                       = var.tags
		98 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_ingress_rule.from_vpc
	File: /load_balancing.tf:110-114
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		110 | resource "aws_vpc_security_group_ingress_rule" "from_vpc" {
		111 |   cidr_ipv4         = var.account_config.shared_vpc_cidr
		112 |   ip_protocol       = "-1"
		113 |   security_group_id = aws_security_group.delius_microservices_service_nlb.id
		114 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.nlb_to_ecs_service
	File: /load_balancing.tf:116-123
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		116 | resource "aws_vpc_security_group_egress_rule" "nlb_to_ecs_service" {
		117 |   for_each                     = toset([for _, v in var.container_port_config : tostring(v.containerPort)])
		118 |   ip_protocol                  = "TCP"
		119 |   from_port                    = each.value
		120 |   to_port                      = each.value
		121 |   security_group_id            = aws_security_group.delius_microservices_service_nlb.id
		122 |   referenced_security_group_id = aws_security_group.ecs_service.id
		123 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group_rule.all_cluster_to_ecs_service_tcp
	File: /sg.tf:51-59
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		51 | resource "aws_security_group_rule" "all_cluster_to_ecs_service_tcp" {
		52 |   for_each                 = toset([for _, v in var.container_port_config : tostring(v.containerPort)])
		53 |   security_group_id        = aws_security_group.ecs_service.id
		54 |   type                     = "ingress"
		55 |   from_port                = each.value
		56 |   to_port                  = each.value
		57 |   protocol                 = "tcp"
		58 |   source_security_group_id = var.cluster_security_group_id
		59 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group_rule.bastion_to_ecs_service_tcp
	File: /sg.tf:61-69
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		61 | resource "aws_security_group_rule" "bastion_to_ecs_service_tcp" {
		62 |   for_each                 = toset([for _, v in var.container_port_config : tostring(v.containerPort)])
		63 |   security_group_id        = aws_security_group.ecs_service.id
		64 |   type                     = "ingress"
		65 |   from_port                = each.value
		66 |   to_port                  = each.value
		67 |   protocol                 = "tcp"
		68 |   source_security_group_id = var.bastion_sg_id
		69 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.ecs_policies.aws_iam_policy_document.task_exec
	File: /../ecs_policies/main.tf:104-122
	Calling File: /ecs.tf:27-33
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		104 | data "aws_iam_policy_document" "task_exec" {
		105 |   statement {
		106 |     effect    = "Allow"
		107 |     resources = ["*"]
		108 | 
		109 |     actions = concat([
		110 |       "ssm:GetParameters",
		111 |       "ecr:GetAuthorizationToken",
		112 |       "ecr:BatchCheckLayerAvailability",
		113 |       "ecr:GetDownloadUrlForLayer",
		114 |       "ecr:BatchGetImage",
		115 |       "logs:CreateLogGroup",
		116 |       "logs:CreateLogStream",
		117 |       "logs:PutLogEvents",
		118 |       "secretsmanager:GetSecretValue",
		119 |       "kms:Decrypt",
		120 |     ], var.extra_exec_role_allow_statements)
		121 |   }
		122 | }

Check: CKV_AWS_108: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: module.ecs_policies.aws_iam_policy_document.task_exec
	File: /../ecs_policies/main.tf:104-122
	Calling File: /ecs.tf:27-33
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-data-exfiltration

		104 | data "aws_iam_policy_document" "task_exec" {
		105 |   statement {
		106 |     effect    = "Allow"
		107 |     resources = ["*"]
		108 | 
		109 |     actions = concat([
		110 |       "ssm:GetParameters",
		111 |       "ecr:GetAuthorizationToken",
		112 |       "ecr:BatchCheckLayerAvailability",
		113 |       "ecr:GetDownloadUrlForLayer",
		114 |       "ecr:BatchGetImage",
		115 |       "logs:CreateLogGroup",
		116 |       "logs:CreateLogStream",
		117 |       "logs:PutLogEvents",
		118 |       "secretsmanager:GetSecretValue",
		119 |       "kms:Decrypt",
		120 |     ], var.extra_exec_role_allow_statements)
		121 |   }
		122 | }

Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
	FAILED for resource: aws_db_instance.this
	File: /rds.tf:65-111
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-60

		65  | resource "aws_db_instance" "this" {
		66  |   count          = var.create_rds ? 1 : 0
		67  |   engine         = var.rds_engine
		68  |   license_model  = var.rds_license_model != null ? var.rds_license_model : null
		69  |   engine_version = var.rds_engine_version
		70  |   instance_class = var.rds_instance_class
		71  |   identifier     = "${var.name}-${var.env_name}-db"
		72  |   username       = var.rds_username
		73  | 
		74  |   manage_master_user_password = true
		75  | 
		76  |   snapshot_identifier = var.snapshot_identifier != null ? var.snapshot_identifier : null
		77  | 
		78  |   kms_key_id = var.account_config.kms_keys.rds_shared
		79  | 
		80  |   allow_major_version_upgrade = var.rds_allow_major_version_upgrade
		81  |   apply_immediately           = var.rds_apply_immediately
		82  | 
		83  |   # tflint-ignore: aws_db_instance_default_parameter_group
		84  |   parameter_group_name                = var.rds_parameter_group_name
		85  |   deletion_protection                 = var.rds_deletion_protection
		86  |   delete_automated_backups            = var.rds_delete_automated_backups
		87  |   skip_final_snapshot                 = var.rds_skip_final_snapshot
		88  |   final_snapshot_identifier           = !var.rds_skip_final_snapshot ? "${var.name}-${var.env_name}-db-final-${random_id.rds_suffix.hex}" : null
		89  |   allocated_storage                   = var.rds_allocated_storage
		90  |   max_allocated_storage               = var.rds_max_allocated_storage
		91  |   storage_type                        = var.rds_storage_type
		92  |   maintenance_window                  = var.maintenance_window
		93  |   auto_minor_version_upgrade          = true
		94  |   backup_window                       = var.rds_backup_window
		95  |   backup_retention_period             = var.rds_backup_retention_period
		96  |   iam_database_authentication_enabled = var.rds_iam_database_authentication_enabled
		97  |   db_subnet_group_name                = aws_db_subnet_group.this[0].id
		98  |   vpc_security_group_ids              = [aws_security_group.db[0].id]
		99  |   multi_az                            = var.rds_multi_az
		100 |   monitoring_interval                 = var.rds_monitoring_interval
		101 |   monitoring_role_arn                 = var.rds_monitoring_interval != null || var.rds_monitoring_interval != 0 ? aws_iam_role.rds_enhanced_monitoring[0].arn : null
		102 |   #checkov:skip=CKV_AWS_118: "enhanced monitoring is enabled, but optional"
		103 |   storage_encrypted               = true
		104 |   performance_insights_enabled    = var.rds_performance_insights_enabled
		105 |   performance_insights_kms_key_id = var.rds_performance_insights_enabled ? var.account_config.kms_keys.general_shared : null
		106 |   enabled_cloudwatch_logs_exports = var.rds_enabled_cloudwatch_logs_exports
		107 |   tags = merge(var.tags,
		108 |     { Name = lower(format("%s-%s-database", var.name, var.env_name)) },
		109 |     var.enable_platform_backups != null ? { "backup" = var.enable_platform_backups ? "true" : "false" } : {}
		110 |   )
		111 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.ecs_service
	File: /sg.tf:2-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		2  | resource "aws_security_group" "ecs_service" {
		3  |   name        = "ecs-service-${var.name}-${var.env_name}"
		4  |   description = "Security group for the ${var.env_name} ${var.name} service"
		5  |   vpc_id      = var.account_config.shared_vpc_id
		6  |   tags        = var.tags
		7  |   lifecycle {
		8  |     create_before_destroy = true
		9  |   }
		10 | }


checkov_exitcode=3

TFLint Scan Failed

*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
terraform/environments/delius-core/modules/components/ldap
terraform/environments/delius-core/modules/components/oracle_db_instance
terraform/environments/delius-core/modules/helpers/delius_microservice

*****************************

Running tflint in terraform/environments/delius-core/modules/components/ldap
Excluding the following checks: terraform_unused_declarations
1 issue(s) found:

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/delius-core/modules/components/ldap/datasync.tf line 97:
  97:         "${module.s3_bucket_ldap_data_refresh.bucket.arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

tflint_exitcode=2

*****************************

Running tflint in terraform/environments/delius-core/modules/components/oracle_db_instance
Excluding the following checks: terraform_unused_declarations
3 issue(s) found:

Warning: Module source "github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance" is not pinned (terraform_module_pinned_source)

  on terraform/environments/delius-core/modules/components/oracle_db_instance/instance.tf line 24:
  24:   source = "github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_module_pinned_source.md

Warning: `server_type_tag` variable has no type (terraform_typed_variables)

  on terraform/environments/delius-core/modules/components/oracle_db_instance/variables.tf line 36:
  36: variable "server_type_tag" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_typed_variables.md

Warning: `database_tag_prefix` variable has no type (terraform_typed_variables)

  on terraform/environments/delius-core/modules/components/oracle_db_instance/variables.tf line 41:
  41: variable "database_tag_prefix" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_typed_variables.md

tflint_exitcode=4

*****************************

Running tflint in terraform/environments/delius-core/modules/helpers/delius_microservice
Excluding the following checks: terraform_unused_declarations
1 issue(s) found:

Warning: Missing version constraint for provider "random" in `required_providers` (terraform_required_providers)

  on terraform/environments/delius-core/modules/helpers/delius_microservice/load_balancing.tf line 1:
   1: resource "random_id" "suffix" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

tflint_exitcode=6

Trivy Scan Failed

*****************************

Trivy will check the following folders:
terraform/environments/delius-core/modules/components/ldap
terraform/environments/delius-core/modules/components/oracle_db_instance
terraform/environments/delius-core/modules/helpers/delius_microservice

*****************************

Running Trivy in terraform/environments/delius-core/modules/components/ldap
2024-08-19T16:24:00Z	INFO	[db] Need to update DB
2024-08-19T16:24:00Z	INFO	[db] Downloading DB...	repository="ghcr.io/aquasecurity/trivy-db:2"
2024-08-19T16:24:02Z	INFO	[vuln] Vulnerability scanning is enabled
2024-08-19T16:24:02Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-08-19T16:24:02Z	INFO	Need to update the built-in policies
2024-08-19T16:24:02Z	INFO	Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s
2024-08-19T16:24:03Z	INFO	[secret] Secret scanning is enabled
2024-08-19T16:24:03Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-08-19T16:24:03Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.54/docs/scanner/secret#recommendation for faster secret detection
2024-08-19T16:24:04Z	INFO	Number of language-specific files	num=0
2024-08-19T16:24:04Z	INFO	Detected config files	num=10

sg.tf (terraform)
=================
Tests: 10 (SUCCESSES: 9, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 sg.tf:17
   via sg.tf:11-19 (aws_security_group_rule.allow_all_egress)
────────────────────────────────────────
  11   resource "aws_security_group_rule" "allow_all_egress" {
  12     description       = "Allow all outbound traffic to any IPv4 address"
  13     type              = "egress"
  14     from_port         = 0
  15     to_port           = 0
  16     protocol          = "-1"
  17 [   cidr_blocks       = ["0.0.0.0/0"]
  18     security_group_id = aws_security_group.ldap.id
  19   }
────────────────────────────────────────


trivy_exitcode=1

*****************************

Running Trivy in terraform/environments/delius-core/modules/components/oracle_db_instance
2024-08-19T16:24:05Z	INFO	[vuln] Vulnerability scanning is enabled
2024-08-19T16:24:05Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-08-19T16:24:05Z	INFO	[secret] Secret scanning is enabled
2024-08-19T16:24:05Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-08-19T16:24:05Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.54/docs/scanner/secret#recommendation for faster secret detection
2024-08-19T16:24:06Z	INFO	Number of language-specific files	num=0
2024-08-19T16:24:06Z	INFO	Detected config files	num=2
trivy_exitcode=1

*****************************

Running Trivy in terraform/environments/delius-core/modules/helpers/delius_microservice
2024-08-19T16:24:07Z	INFO	[vuln] Vulnerability scanning is enabled
2024-08-19T16:24:07Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-08-19T16:24:07Z	INFO	[secret] Secret scanning is enabled
2024-08-19T16:24:07Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-08-19T16:24:07Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.54/docs/scanner/secret#recommendation for faster secret detection
2024-08-19T16:24:08Z	INFO	Number of language-specific files	num=0
2024-08-19T16:24:08Z	INFO	Detected config files	num=5

sg.tf (terraform)
=================
Tests: 3 (SUCCESSES: 2, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 sg.tf:47
   via sg.tf:41-49 (aws_security_group_rule.ecs_service_tls_egress)
────────────────────────────────────────
  41   resource "aws_security_group_rule" "ecs_service_tls_egress" {
  42     description       = "Allow all outbound traffic to any IPv4 address on 443"
  43     type              = "egress"
  44     from_port         = 443
  45     to_port           = 443
  46     protocol          = "tcp"
  47 [   cidr_blocks       = ["0.0.0.0/0"]
  48     security_group_id = aws_security_group.ecs_service.id
  49   }
────────────────────────────────────────


trivy_exitcode=2

@georgepstaylor georgepstaylor merged commit 554f673 into main Aug 19, 2024
12 of 15 checks passed
@georgepstaylor georgepstaylor deleted the NIT-1426-delius-microservices-review branch August 19, 2024 16:52
@georgepstaylor georgepstaylor restored the NIT-1426-delius-microservices-review branch August 20, 2024 16:33