
fix: Ensure ALB listener rule priorities are hard-coded to avoid conflicts #7602

Merged

Conversation

andrewmooreio
Contributor

@andrewmooreio andrewmooreio requested review from a team as code owners August 23, 2024 10:27
@github-actions github-actions bot added the environments-repository Used to exclude PRs from this repo in our Slack PR update label Aug 23, 2024

#### `Trivy Scan` Failed
<details><summary>Show Output</summary>

```hcl

Trivy will check the following folders:
terraform/environments/delius-core/modules/delius_environment


Running Trivy in terraform/environments/delius-core/modules/delius_environment
2024-08-23T10:30:10Z INFO [db] Need to update DB
2024-08-23T10:30:10Z INFO [db] Downloading DB... repository="ghcr.io/aquasecurity/trivy-db:2"
2024-08-23T10:30:13Z INFO [vuln] Vulnerability scanning is enabled
2024-08-23T10:30:13Z INFO [misconfig] Misconfiguration scanning is enabled
2024-08-23T10:30:13Z INFO Need to update the built-in policies
2024-08-23T10:30:13Z INFO Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-08-23T10:30:13Z INFO [secret] Secret scanning is enabled
2024-08-23T10:30:13Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-08-23T10:30:13Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.54/docs/scanner/secret#recommendation for faster secret detection
2024-08-23T10:30:25Z INFO Number of language-specific files num=0
2024-08-23T10:30:25Z INFO Detected config files num=28

../components/ldap/sg.tf (terraform)

Tests: 6 (SUCCESSES: 5, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
../components/ldap/sg.tf:17
via ../components/ldap/sg.tf:11-19 (aws_security_group_rule.allow_all_egress)
via ldap.tf:1-26 (module.ldap)
────────────────────────────────────────
11 resource "aws_security_group_rule" "allow_all_egress" {
12 description = "Allow all outbound traffic to any IPv4 address"
13 type = "egress"
14 from_port = 0
15 to_port = 0
16 protocol = "-1"
17 [ cidr_blocks = ["0.0.0.0/0"]
18 security_group_id = aws_security_group.ldap.id
19 }
────────────────────────────────────────

../components/oracle_db_shared/s3.tf (terraform)

Tests: 14 (SUCCESSES: 5, FAILURES: 2, EXCEPTIONS: 7)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.

See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
../components/oracle_db_shared/s3.tf:188-200
via database.tf:11-28 (module.oracle_db_shared)
────────────────────────────────────────
188 ┌ resource "aws_s3_bucket" "s3_bucket_oracledb_backups_inventory" {
189 │
190 │ bucket = "${local.oracle_backup_bucket_prefix}-inventory"
191 │ tags = merge(
192 │ var.tags,
193 │ {
194 │ "Name" = "${local.oracle_backup_bucket_prefix}-inventory"
195 │ },
196 └ {
...
────────────────────────────────────────

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
../components/oracle_db_shared/s3.tf:188-200
via database.tf:11-28 (module.oracle_db_shared)
────────────────────────────────────────
188 ┌ resource "aws_s3_bucket" "s3_bucket_oracledb_backups_inventory" {
189 │
190 │ bucket = "${local.oracle_backup_bucket_prefix}-inventory"
191 │ tags = merge(
192 │ var.tags,
193 │ {
194 │ "Name" = "${local.oracle_backup_bucket_prefix}-inventory"
195 │ },
196 └ {
...
────────────────────────────────────────

../components/oracle_db_shared/sg.tf (terraform)

Tests: 12 (SUCCESSES: 11, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
../components/oracle_db_shared/sg.tf:15
via ../components/oracle_db_shared/sg.tf:13-23 (aws_vpc_security_group_egress_rule.db_ec2_instance_https_out)
via database.tf:11-28 (module.oracle_db_shared)
────────────────────────────────────────
13 resource "aws_vpc_security_group_egress_rule" "db_ec2_instance_https_out" {
14 security_group_id = aws_security_group.db_ec2.id
15 [ cidr_ipv4 = "0.0.0.0/0"
16 from_port = 443
17 to_port = 443
18 ip_protocol = "tcp"
19 description = "Allow communication out on port 443, e.g. for SSM"
20 tags = merge(var.tags,
21 { Name = "https-out" }
..
────────────────────────────────────────

../helpers/delius_microservice/sg.tf (terraform)

Tests: 8 (SUCCESSES: 5, FAILURES: 3, EXCEPTIONS: 0)
Failures: 3 (HIGH: 0, CRITICAL: 3)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
../helpers/delius_microservice/sg.tf:97
via ../helpers/delius_microservice/sg.tf:90-99 (aws_vpc_security_group_egress_rule.custom_rules["3"])
via pwm.tf:1-119 (module.pwm)
────────────────────────────────────────
90 resource "aws_vpc_security_group_egress_rule" "custom_rules" {
91 for_each = { for index, rule in var.ecs_service_egress_security_group_ids : index => rule }
92 security_group_id = aws_security_group.ecs_service.id
93 description = "custom rule"
94 from_port = each.value.port
95 to_port = each.value.port
96 ip_protocol = each.value.ip_protocol
97 [ cidr_ipv4 = each.value.cidr_ipv4
98 referenced_security_group_id = each.value.referenced_security_group_id
99 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
../helpers/delius_microservice/sg.tf:97
via ../helpers/delius_microservice/sg.tf:90-99 (aws_vpc_security_group_egress_rule.custom_rules["2"])
via pwm.tf:1-119 (module.pwm)
────────────────────────────────────────
90 resource "aws_vpc_security_group_egress_rule" "custom_rules" {
91 for_each = { for index, rule in var.ecs_service_egress_security_group_ids : index => rule }
92 security_group_id = aws_security_group.ecs_service.id
93 description = "custom rule"
94 from_port = each.value.port
95 to_port = each.value.port
96 ip_protocol = each.value.ip_protocol
97 [ cidr_ipv4 = each.value.cidr_ipv4
98 referenced_security_group_id = each.value.referenced_security_group_id
99 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
../helpers/delius_microservice/sg.tf:47
via ../helpers/delius_microservice/sg.tf:41-49 (aws_security_group_rule.ecs_service_tls_egress)
via pwm.tf:1-119 (module.pwm)
────────────────────────────────────────
41 resource "aws_security_group_rule" "ecs_service_tls_egress" {
42 description = "Allow all outbound traffic to any IPv4 address on 443"
43 type = "egress"
44 from_port = 443
45 to_port = 443
46 protocol = "tcp"
47 [ cidr_blocks = ["0.0.0.0/0"]
48 security_group_id = aws_security_group.ecs_service.id
49 }
────────────────────────────────────────

pagerduty.tf (terraform)

Tests: 2 (SUCCESSES: 1, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Topic does not have encryption enabled.
════════════════════════════════════════
Topics should be encrypted to protect their contents.

See https://avd.aquasec.com/misconfig/avd-aws-0095
────────────────────────────────────────
pagerduty.tf:2-5
────────────────────────────────────────
2 ┌ resource "aws_sns_topic" "delius_core_alarms" {
3 │ name = "delius-core-${var.env_name}-alarms-topic"
4 │ tags = var.tags
5 └ }
────────────────────────────────────────

trivy_exitcode=1

```
</details>

#### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/delius-core/modules/delius_environment

*****************************

Running Checkov in terraform/environments/delius-core/modules/delius_environment
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-08-23 10:30:28,233 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=c918b2189d9f81d224e07e98fa1bc9ff38e4ba12:None (for external modules, the --download-external-modules flag is required)
2024-08-23 10:30:28,233 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0:None (for external modules, the --download-external-modules flag is required)
2024-08-23 10:30:28,233 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//cluster?ref=v4.3.0:None (for external modules, the --download-external-modules flag is required)
2024-08-23 10:30:28,234 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 1144, Failed checks: 152, Skipped checks: 10

Check: CKV_AWS_296: "Ensure DMS endpoint uses Customer Managed Key (CMK)"
	FAILED for resource: module.dms.aws_dms_endpoint.dms_audit_source_endpoint_db[0]
	File: /../components/dms/dms_db_endpoints.tf:26-37
	Calling File: /dms.tf:1-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-296

		26 | resource "aws_dms_endpoint" "dms_audit_source_endpoint_db" {
		27 |   count                       = try(var.dms_config.audit_source_endpoint.read_database, null) == null ? 0 : 1
		28 |   database_name               = var.dms_config.audit_source_endpoint.read_database
		29 |   endpoint_id                 = "audit-data-from-${var.dms_config.audit_source_endpoint.read_database}"
		30 |   endpoint_type               = "source"
		31 |   engine_name                 = "oracle"
		32 |   username                    = local.dms_audit_username
		33 |   password                    = join(",", [jsondecode(data.aws_secretsmanager_secret_version.delius_core_application_passwords.secret_string)[local.dms_audit_username], jsondecode(data.aws_secretsmanager_secret_version.delius_core_application_passwords.secret_string)[local.dms_audit_username]])
		34 |   server_name                 = join(".", [var.oracle_db_server_names[var.dms_config.audit_source_endpoint.read_host], var.account_config.route53_inner_zone_info.name])
		35 |   port                        = local.oracle_port
		36 |   extra_connection_attributes = "ArchivedLogDestId=1;AdditionalArchivedLogDestId=32;asm_server=${join(".", [var.oracle_db_server_names[var.dms_config.audit_source_endpoint.read_host], var.account_config.route53_inner_zone_info.name])}:${local.oracle_port}/+ASM;asm_user=${local.dms_audit_username};UseBFile=true;UseLogminerReader=false;"
		37 | }

Check: CKV_AWS_296: "Ensure DMS endpoint uses Customer Managed Key (CMK)"
	FAILED for resource: module.dms.aws_dms_endpoint.dms_user_source_endpoint_db[0]
	File: /../components/dms/dms_db_endpoints.tf:41-52
	Calling File: /dms.tf:1-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-296

		41 | resource "aws_dms_endpoint" "dms_user_source_endpoint_db" {
		42 |   count                       = try(var.dms_config.user_source_endpoint.read_database, null) == null ? 0 : 1
		43 |   database_name               = var.dms_config.user_source_endpoint.read_database
		44 |   endpoint_id                 = "user-data-from-${var.dms_config.user_source_endpoint.read_database}"
		45 |   endpoint_type               = "source"
		46 |   engine_name                 = "oracle"
		47 |   username                    = local.dms_audit_username
		48 |   password                    = join(",", [jsondecode(data.aws_secretsmanager_secret_version.delius_core_application_passwords.secret_string)[local.dms_audit_username], jsondecode(data.aws_secretsmanager_secret_version.delius_core_application_passwords.secret_string)[local.dms_audit_username]])
		49 |   server_name                 = join(".", [var.oracle_db_server_names[var.dms_config.user_source_endpoint.read_host], var.account_config.route53_inner_zone_info.name])
		50 |   port                        = local.oracle_port
		51 |   extra_connection_attributes = "ArchivedLogDestId=1;AdditionalArchivedLogDestId=32;asm_server=${join(".", [var.oracle_db_server_names[var.dms_config.user_source_endpoint.read_host], var.account_config.route53_inner_zone_info.name])}:1521/+ASM;asm_user=${local.dms_audit_username};UseBFile=true;UseLogminerReader=false;"
		52 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.dms.s3_bucket_dms_destination
	File: /../components/dms/dms_s3.tf:1-40
	Calling File: /dms.tf:1-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		1  | module "s3_bucket_dms_destination" {
		2  | 
		3  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0"
		4  | 
		5  |   bucket_prefix      = "${var.env_name}-dms-destination-bucket"
		6  |   versioning_enabled = true
		7  | 
		8  |   providers = {
		9  |     aws.bucket-replication = aws
		10 |   }
		11 | 
		12 |   lifecycle_rule = [
		13 |     {
		14 |       id      = "main"
		15 |       enabled = "Enabled"
		16 |       prefix  = ""
		17 | 
		18 |       tags = {
		19 |         rule      = "log"
		20 |         autoclean = "true"
		21 |       }
		22 | 
		23 |       noncurrent_version_transition = [
		24 |         {
		25 |           days          = 90
		26 |           storage_class = "STANDARD_IA"
		27 |           }, {
		28 |           days          = 365
		29 |           storage_class = "GLACIER"
		30 |         }
		31 |       ]
		32 | 
		33 |       noncurrent_version_expiration = {
		34 |         days = 730
		35 |       }
		36 |     }
		37 |   ]
		38 | 
		39 |   tags = var.tags
		40 | }

Check: CKV_AWS_222: "Ensure DMS replication instance gets all minor upgrade automatically"
	FAILED for resource: module.dms.aws_dms_replication_instance.dms_replication_instance
	File: /../components/dms/instance.tf:1-23
	Calling File: /dms.tf:1-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-dms-instance-receives-all-minor-updates-automatically

		1  | resource "aws_dms_replication_instance" "dms_replication_instance" {
		2  |   allocated_storage            = 30
		3  |   apply_immediately            = true
		4  |   auto_minor_version_upgrade   = false
		5  |   availability_zone            = "${data.aws_region.current.name}a"
		6  |   engine_version               = var.dms_config.engine_version
		7  |   kms_key_arn                  = var.account_config.kms_keys.general_shared
		8  |   multi_az                     = false
		9  |   preferred_maintenance_window = "wed:22:00-wed:23:30"
		10 |   publicly_accessible          = false
		11 |   replication_instance_class   = var.dms_config.replication_instance_class
		12 |   replication_instance_id      = "${var.env_name}-dms-instance"
		13 |   replication_subnet_group_id  = aws_dms_replication_subnet_group.this.id
		14 |   network_type                 = "IPV4"
		15 | 
		16 |   tags = var.tags
		17 | 
		18 |   vpc_security_group_ids = [
		19 |     aws_security_group.dms.id
		20 |   ]
		21 | 
		22 | 
		23 | }

Check: CKV_AWS_166: "Ensure Backup Vault is encrypted at rest using KMS CMK"
	FAILED for resource: module.ldap.aws_backup_vault.ldap_backup_vault
	File: /../components/ldap/backup.tf:1-9
	Calling File: /ldap.tf:1-26
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-backup-vault-is-encrypted-at-rest-using-kms-cmk

		1 | resource "aws_backup_vault" "ldap_backup_vault" {
		2 |   name = "${var.env_name}-ldap-efs-vault"
		3 |   tags = merge(
		4 |     var.tags,
		5 |     {
		6 |       Name = "${var.env_name}-ldap-efs-vault"
		7 |     },
		8 |   )
		9 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: module.ldap.aws_iam_policy_document.delius_core_backup_policy
	File: /../components/ldap/backup.tf:69-89
	Calling File: /ldap.tf:1-26
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		69 | data "aws_iam_policy_document" "delius_core_backup_policy" {
		70 |   statement {
		71 |     effect    = "Allow"
		72 |     resources = ["*"]
		73 | 
		74 |     actions = [
		75 |       "backup:CreateBackupPlan",
		76 |       "backup:CreateBackupSelection",
		77 |       "backup:StartBackupJob",
		78 |       "backup:DescribeBackupJob",
		79 |       "backup:ListBackupJobs",
		80 |       "backup:ListBackupVaults",
		81 |       "backup:ListRecoveryPointsByBackupVault",
		82 |       "backup:ListBackupPlanTemplates",
		83 |       "backup:DescribeRestoreJob",
		84 |       "backup:GetRecoveryPointRestoreMetadata",
		85 |       "backup:ListRestoreJobs",
		86 |       "backup:StartRestoreJob"
		87 |     ]
		88 |   }
		89 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.ldap.aws_iam_policy_document.delius_core_backup_policy
	File: /../components/ldap/backup.tf:69-89
	Calling File: /ldap.tf:1-26
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		69 | data "aws_iam_policy_document" "delius_core_backup_policy" {
		70 |   statement {
		71 |     effect    = "Allow"
		72 |     resources = ["*"]
		73 | 
		74 |     actions = [
		75 |       "backup:CreateBackupPlan",
		76 |       "backup:CreateBackupSelection",
		77 |       "backup:StartBackupJob",
		78 |       "backup:DescribeBackupJob",
		79 |       "backup:ListBackupJobs",
		80 |       "backup:ListBackupVaults",
		81 |       "backup:ListRecoveryPointsByBackupVault",
		82 |       "backup:ListBackupPlanTemplates",
		83 |       "backup:DescribeRestoreJob",
		84 |       "backup:GetRecoveryPointRestoreMetadata",
		85 |       "backup:ListRestoreJobs",
		86 |       "backup:StartRestoreJob"
		87 |     ]
		88 |   }
		89 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: module.ldap.aws_iam_policy_document.efs_backup_policy
	File: /../components/ldap/backup.tf:97-134
	Calling File: /ldap.tf:1-26
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		97  | data "aws_iam_policy_document" "efs_backup_policy" {
		98  |   statement {
		99  |     effect    = "Allow"
		100 |     resources = ["*"]
		101 | 
		102 |     actions = [
		103 |       "efs:DescribeFileSystems",
		104 |       "efs:CreateBackup",
		105 |       "efs:DeleteBackup",
		106 |       "efs:DescribeBackups",
		107 |       "efs:CreateTags",
		108 |       "efs:UntagResource",
		109 |       "efs:TagResource",
		110 |       "efs:DescribeTags",
		111 |       "elasticfilesystem:Backup",
		112 |       "elasticfilesystem:DescribeTags",
		113 |       "elasticfilesystem:CreateAccessPoint",
		114 |       "elasticfilesystem:CreateFileSystem",
		115 |       "elasticfilesystem:CreateMountTarget",
		116 |       "elasticfilesystem:DeleteAccessPoint",
		117 |       "elasticfilesystem:DeleteFileSystem",
		118 |       "elasticfilesystem:DeleteMountTarget",
		119 |       "elasticfilesystem:DescribeAccessPoints",
		120 |       "elasticfilesystem:DescribeFileSystemPolicy",
		121 |       "elasticfilesystem:DescribeFileSystems",
		122 |       "elasticfilesystem:DescribeLifecycleConfiguration",
		123 |       "elasticfilesystem:DescribeMountTargets",
		124 |       "elasticfilesystem:DescribeMountTargetSecurityGroups",
		125 |       "elasticfilesystem:PutBackupPolicy",
		126 |       "elasticfilesystem:PutFileSystemPolicy",
		127 |       "elasticfilesystem:PutLifecycleConfiguration",
		128 |       "elasticfilesystem:Restore",
		129 |       "elasticfilesystem:TagResource",
		130 |       "elasticfilesystem:UntagResource",
		131 |       "elasticfilesystem:UpdateFileSystem"
		132 |     ]
		133 |   }
		134 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.ldap.aws_iam_policy_document.efs_backup_policy
	File: /../components/ldap/backup.tf:97-134
	Calling File: /ldap.tf:1-26
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		97  | data "aws_iam_policy_document" "efs_backup_policy" {
		98  |   statement {
		99  |     effect    = "Allow"
		100 |     resources = ["*"]
		101 | 
		102 |     actions = [
		103 |       "efs:DescribeFileSystems",
		104 |       "efs:CreateBackup",
		105 |       "efs:DeleteBackup",
		106 |       "efs:DescribeBackups",
		107 |       "efs:CreateTags",
		108 |       "efs:UntagResource",
		109 |       "efs:TagResource",
		110 |       "efs:DescribeTags",
		111 |       "elasticfilesystem:Backup",
		112 |       "elasticfilesystem:DescribeTags",
		113 |       "elasticfilesystem:CreateAccessPoint",
		114 |       "elasticfilesystem:CreateFileSystem",
		115 |       "elasticfilesystem:CreateMountTarget",
		116 |       "elasticfilesystem:DeleteAccessPoint",
		117 |       "elasticfilesystem:DeleteFileSystem",
		118 |       "elasticfilesystem:DeleteMountTarget",
		119 |       "elasticfilesystem:DescribeAccessPoints",
		120 |       "elasticfilesystem:DescribeFileSystemPolicy",
		121 |       "elasticfilesystem:DescribeFileSystems",
		122 |       "elasticfilesystem:DescribeLifecycleConfiguration",
		123 |       "elasticfilesystem:DescribeMountTargets",
		124 |       "elasticfilesystem:DescribeMountTargetSecurityGroups",
		125 |       "elasticfilesystem:PutBackupPolicy",
		126 |       "elasticfilesystem:PutFileSystemPolicy",
		127 |       "elasticfilesystem:PutLifecycleConfiguration",
		128 |       "elasticfilesystem:Restore",
		129 |       "elasticfilesystem:TagResource",
		130 |       "elasticfilesystem:UntagResource",
		131 |       "elasticfilesystem:UpdateFileSystem"
		132 |     ]
		133 |   }
		134 | }

Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: module.ldap.aws_iam_policy_document.efs_backup_policy
	File: /../components/ldap/backup.tf:97-134
	Calling File: /ldap.tf:1-26
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint

		97  | data "aws_iam_policy_document" "efs_backup_policy" {
		98  |   statement {
		99  |     effect    = "Allow"
		100 |     resources = ["*"]
		101 | 
		102 |     actions = [
		103 |       "efs:DescribeFileSystems",
		104 |       "efs:CreateBackup",
		105 |       "efs:DeleteBackup",
		106 |       "efs:DescribeBackups",
		107 |       "efs:CreateTags",
		108 |       "efs:UntagResource",
		109 |       "efs:TagResource",
		110 |       "efs:DescribeTags",
		111 |       "elasticfilesystem:Backup",
		112 |       "elasticfilesystem:DescribeTags",
		113 |       "elasticfilesystem:CreateAccessPoint",
		114 |       "elasticfilesystem:CreateFileSystem",
		115 |       "elasticfilesystem:CreateMountTarget",
		116 |       "elasticfilesystem:DeleteAccessPoint",
		117 |       "elasticfilesystem:DeleteFileSystem",
		118 |       "elasticfilesystem:DeleteMountTarget",
		119 |       "elasticfilesystem:DescribeAccessPoints",
		120 |       "elasticfilesystem:DescribeFileSystemPolicy",
		121 |       "elasticfilesystem:DescribeFileSystems",
		122 |       "elasticfilesystem:DescribeLifecycleConfiguration",
		123 |       "elasticfilesystem:DescribeMountTargets",
		124 |       "elasticfilesystem:DescribeMountTargetSecurityGroups",
		125 |       "elasticfilesystem:PutBackupPolicy",
		126 |       "elasticfilesystem:PutFileSystemPolicy",
		127 |       "elasticfilesystem:PutLifecycleConfiguration",
		128 |       "elasticfilesystem:Restore",
		129 |       "elasticfilesystem:TagResource",
		130 |       "elasticfilesystem:UntagResource",
		131 |       "elasticfilesystem:UpdateFileSystem"
		132 |     ]
		133 |   }
		134 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: module.ldap.aws_cloudwatch_log_group.ldap_ecs
	File: /../components/ldap/cloudwatch.tf:1-4
	Calling File: /ldap.tf:1-26
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		1 | resource "aws_cloudwatch_log_group" "ldap_ecs" {
		2 |   name              = "/ecs/ldap-${var.env_name}"
		3 |   retention_in_days = 5
		4 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: module.ldap.aws_cloudwatch_log_group.ldap_ecs
	File: /../components/ldap/cloudwatch.tf:1-4
	Calling File: /ldap.tf:1-26
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		1 | resource "aws_cloudwatch_log_group" "ldap_ecs" {
		2 |   name              = "/ecs/ldap-${var.env_name}"
		3 |   retention_in_days = 5
		4 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: module.ldap.aws_cloudwatch_log_group.ldap_automation
	File: /../components/ldap/cloudwatch.tf:6-9
	Calling File: /ldap.tf:1-26
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		6 | resource "aws_cloudwatch_log_group" "ldap_automation" {
		7 |   name              = "/ecs/ldap-automation-${var.env_name}"
		8 |   retention_in_days = 5
		9 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: module.ldap.aws_cloudwatch_log_group.ldap_automation
	File: /../components/ldap/cloudwatch.tf:6-9
	Calling File: /ldap.tf:1-26
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		6 | resource "aws_cloudwatch_log_group" "ldap_automation" {
		7 |   name              = "/ecs/ldap-automation-${var.env_name}"
		8 |   retention_in_days = 5
		9 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.ldap.s3_bucket_ldap_data_refresh
	File: /../components/ldap/datasync.tf:117-131
	Calling File: /ldap.tf:1-26
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		117 | module "s3_bucket_ldap_data_refresh" {
		118 |   source              = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0"
		119 |   bucket_name         = "${var.env_name}-ldap-data-refresh-incoming"
		120 |   versioning_enabled  = false
		121 |   ownership_controls  = "BucketOwnerEnforced"
		122 |   replication_enabled = false
		123 |   custom_kms_key      = var.account_config.kms_keys.general_shared
		124 |   bucket_policy_v2    = local.ldap_refresh_bucket_policies
		125 | 
		126 |   providers = {
		127 |     aws.bucket-replication = aws.bucket-replication
		128 |   }
		129 | 
		130 |   tags = var.tags
		131 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: module.ldap.aws_iam_policy_document.ldap_datasync_role_access
	File: /../components/ldap/datasync.tf:49-88
	Calling File: /ldap.tf:1-26
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		49 | data "aws_iam_policy_document" "ldap_datasync_role_access" {
		50 |   statement {
		51 |     effect = "Allow"
		52 |     actions = [
		53 |       "backup:*",
		54 |       "datasync:*",
		55 |       "elasticfilesystem:*",
		56 |       "ec2:DescribeInstances",
		57 |       "ec2:CreateNetworkInterface",
		58 |       "ec2:AttachNetworkInterface",
		59 |       "ec2:DescribeNetworkInterfaces",
		60 |       "ec2:DeleteNetworkInterface"
		61 |     ]
		62 |     resources = ["*"]
		63 |   }
		64 |   statement {
		65 |     effect = "Allow"
		66 |     actions = [
		67 |       "kms:ListGrants",
		68 |       "kms:GenerateDataKey",
		69 |       "kms:Encrypt",
		70 |       "kms:DescribeKey",
		71 |       "kms:Decrypt",
		72 |       "kms:CreateGrant",
		73 |       "kms:ReEncryptTo",
		74 |       "kms:ReEncryptFrom",
		75 |       "kms:GenerateDataKeyWithoutPlaintext"
		76 |     ]
		77 |     resources = [var.account_config.kms_keys.general_shared]
		78 |   }
		79 |   statement {
		80 |     sid     = "allowAccessForDataSync"
		81 |     effect  = "Allow"
		82 |     actions = ["s3:*"]
		83 |     resources = [
		84 |       "arn:aws:s3:::*-ldap-data-refresh-incoming",
		85 |       "arn:aws:s3:::*-ldap-data-refresh-incoming/*",
		86 |     ]
		87 |   }
		88 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.ldap.aws_iam_policy_document.ldap_datasync_role_access
	File: /../components/ldap/datasync.tf:49-88
	Calling File: /ldap.tf:1-26
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		49 | data "aws_iam_policy_document" "ldap_datasync_role_access" {
		50 |   statement {
		51 |     effect = "Allow"
		52 |     actions = [
		53 |       "backup:*",
		54 |       "datasync:*",
		55 |       "elasticfilesystem:*",
		56 |       "ec2:DescribeInstances",
		57 |       "ec2:CreateNetworkInterface",
		58 |       "ec2:AttachNetworkInterface",
		59 |       "ec2:DescribeNetworkInterfaces",
		60 |       "ec2:DeleteNetworkInterface"
		61 |     ]
		62 |     resources = ["*"]
		63 |   }
		64 |   statement {
		65 |     effect = "Allow"
		66 |     actions = [
		67 |       "kms:ListGrants",
		68 |       "kms:GenerateDataKey",
		69 |       "kms:Encrypt",
		70 |       "kms:DescribeKey",
		71 |       "kms:Decrypt",
		72 |       "kms:CreateGrant",
		73 |       "kms:ReEncryptTo",
		74 |       "kms:ReEncryptFrom",
		75 |       "kms:GenerateDataKeyWithoutPlaintext"
		76 |     ]
		77 |     resources = [var.account_config.kms_keys.general_shared]
		78 |   }
		79 |   statement {
		80 |     sid     = "allowAccessForDataSync"
		81 |     effect  = "Allow"
		82 |     actions = ["s3:*"]
		83 |     resources = [
		84 |       "arn:aws:s3:::*-ldap-data-refresh-incoming",
		85 |       "arn:aws:s3:::*-ldap-data-refresh-incoming/*",
		86 |     ]
		87 |   }
		88 | }

Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: module.ldap.aws_iam_policy_document.ldap_datasync_role_access
	File: /../components/ldap/datasync.tf:49-88
	Calling File: /ldap.tf:1-26
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint

		49 | data "aws_iam_policy_document" "ldap_datasync_role_access" {
		50 |   statement {
		51 |     effect = "Allow"
		52 |     actions = [
		53 |       "backup:*",
		54 |       "datasync:*",
		55 |       "elasticfilesystem:*",
		56 |       "ec2:DescribeInstances",
		57 |       "ec2:CreateNetworkInterface",
		58 |       "ec2:AttachNetworkInterface",
		59 |       "ec2:DescribeNetworkInterfaces",
		60 |       "ec2:DeleteNetworkInterface"
		61 |     ]
		62 |     resources = ["*"]
		63 |   }
		64 |   statement {
		65 |     effect = "Allow"
		66 |     actions = [
		67 |       "kms:ListGrants",
		68 |       "kms:GenerateDataKey",
		69 |       "kms:Encrypt",
		70 |       "kms:DescribeKey",
		71 |       "kms:Decrypt",
		72 |       "kms:CreateGrant",
		73 |       "kms:ReEncryptTo",
		74 |       "kms:ReEncryptFrom",
		75 |       "kms:GenerateDataKeyWithoutPlaintext"
		76 |     ]
		77 |     resources = [var.account_config.kms_keys.general_shared]
		78 |   }
		79 |   statement {
		80 |     sid     = "allowAccessForDataSync"
		81 |     effect  = "Allow"
		82 |     actions = ["s3:*"]
		83 |     resources = [
		84 |       "arn:aws:s3:::*-ldap-data-refresh-incoming",
		85 |       "arn:aws:s3:::*-ldap-data-refresh-incoming/*",
		86 |     ]
		87 |   }
		88 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.ldap.s3_bucket_migration
	File: /../components/ldap/s3.tf:1-99
	Calling File: /ldap.tf:1-26
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.ldap.s3_bucket_app_deployment
	File: /../components/ldap/s3.tf:102-141
	Calling File: /ldap.tf:1-26
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		102 | module "s3_bucket_app_deployment" {
		103 | 
		104 |   source = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0"
		105 | 
		106 |   bucket_prefix      = "ldap-${var.env_name}-deployment-state"
		107 |   versioning_enabled = true
		108 | 
		109 |   providers = {
		110 |     aws.bucket-replication = aws.bucket-replication
		111 |   }
		112 | 
		113 |   lifecycle_rule = [
		114 |     {
		115 |       id      = "main"
		116 |       enabled = "Enabled"
		117 |       prefix  = ""
		118 | 
		119 |       tags = {
		120 |         rule      = "log"
		121 |         autoclean = "true"
		122 |       }
		123 | 
		124 |       noncurrent_version_transition = [
		125 |         {
		126 |           days          = 90
		127 |           storage_class = "STANDARD_IA"
		128 |           }, {
		129 |           days          = 365
		130 |           storage_class = "GLACIER"
		131 |         }
		132 |       ]
		133 | 
		134 |       noncurrent_version_expiration = {
		135 |         days = 730
		136 |       }
		137 |     }
		138 |   ]
		139 | 
		140 |   tags = var.tags
		141 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: module.ldap.aws_ssm_parameter.delius_core_ldap_host
	File: /../components/ldap/secrets.tf:5-15
	Calling File: /ldap.tf:1-26
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		5  | resource "aws_ssm_parameter" "delius_core_ldap_host" {
		6  |   name  = format("/%s-%s/LDAP_HOST", var.account_info.application_name, var.env_name)
		7  |   type  = "SecureString"
		8  |   value = "INITIAL_VALUE_OVERRIDDEN"
		9  |   lifecycle {
		10 |     ignore_changes = [
		11 |       value
		12 |     ]
		13 |   }
		14 |   tags = var.tags
		15 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: module.ldap.aws_ssm_parameter.delius_core_ldap_principal
	File: /../components/ldap/secrets.tf:21-31
	Calling File: /ldap.tf:1-26
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		21 | resource "aws_ssm_parameter" "delius_core_ldap_principal" {
		22 |   name  = format("/%s-%s/LDAP_PRINCIPAL", var.account_info.application_name, var.env_name)
		23 |   type  = "SecureString"
		24 |   value = "INITIAL_VALUE_OVERRIDDEN"
		25 |   lifecycle {
		26 |     ignore_changes = [
		27 |       value
		28 |     ]
		29 |   }
		30 |   tags = var.tags
		31 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: module.ldap.aws_ssm_parameter.delius_core_ldap_seed_uri
	File: /../components/ldap/secrets.tf:37-47
	Calling File: /ldap.tf:1-26
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		37 | resource "aws_ssm_parameter" "delius_core_ldap_seed_uri" {
		38 |   name  = format("/%s-%s/LDAP_SEED_URI", var.account_info.application_name, var.env_name)
		39 |   type  = "SecureString"
		40 |   value = "INITIAL_VALUE_OVERRIDDEN"
		41 |   lifecycle {
		42 |     ignore_changes = [
		43 |       value
		44 |     ]
		45 |   }
		46 |   tags = var.tags
		47 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: module.ldap.aws_ssm_parameter.delius_core_ldap_bind_password
	File: /../components/ldap/secrets.tf:53-63
	Calling File: /ldap.tf:1-26
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		53 | resource "aws_ssm_parameter" "delius_core_ldap_bind_password" {
		54 |   name  = format("/%s-%s/LDAP_BIND_PASSWORD", var.account_info.application_name, var.env_name)
		55 |   type  = "SecureString"
		56 |   value = "INITIAL_VALUE_OVERRIDDEN"
		57 |   lifecycle {
		58 |     ignore_changes = [
		59 |       value
		60 |     ]
		61 |   }
		62 |   tags = var.tags
		63 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: module.ldap.aws_ssm_parameter.delius_core_ldap_rbac_version
	File: /../components/ldap/secrets.tf:82-92
	Calling File: /ldap.tf:1-26
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		82 | resource "aws_ssm_parameter" "delius_core_ldap_rbac_version" {
		83 |   name  = format("/%s-%s/LDAP_RBAC_VERSION", var.account_info.application_name, var.env_name)
		84 |   type  = "SecureString"
		85 |   value = "INITIAL_VALUE_OVERRIDDEN"
		86 |   lifecycle {
		87 |     ignore_changes = [
		88 |       value
		89 |     ]
		90 |   }
		91 |   tags = var.tags
		92 | }
Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: module.ldap.aws_security_group_rule.efs_ingress_ldap
	File: /../components/ldap/sg.tf:65-72
	Calling File: /ldap.tf:1-26
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		65 | resource "aws_security_group_rule" "efs_ingress_ldap" {
		66 |   type                     = "ingress"
		67 |   from_port                = 2049
		68 |   to_port                  = 2049
		69 |   protocol                 = "tcp"
		70 |   source_security_group_id = module.efs.sg_id
		71 |   security_group_id        = aws_security_group.ldap.id
		72 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.oracle_db_primary[0].instance
	File: /../components/oracle_db_instance/instance.tf:23-66
	Calling File: /database.tf:30-75
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		23 | module "instance" {
		24 |   source = "github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance"
		25 | 
		26 |   providers = {
		27 |     aws.core-vpc = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		28 |   }
		29 | 
		30 |   name = "${var.account_info.application_name}-${var.env_name}-${var.db_suffix}-${local.instance_name_index}" # e.g. dev-boe-db-1
		31 | 
		32 |   ami_name                      = data.aws_ami.oracle_db.name
		33 |   ami_owner                     = var.db_ami.owner
		34 |   instance                      = local.instance_config
		35 |   ebs_kms_key_id                = var.account_config.kms_keys.general_shared
		36 |   ebs_volumes_copy_all_from_ami = true
		37 |   ebs_volume_config             = var.ebs_volume_config
		38 |   ebs_volumes                   = var.ebs_volumes
		39 |   ebs_volume_tags               = var.tags
		40 |   # route53_records               = merge(local.ec2_test.route53_records, lookup(each.value, "route53_records", {})) # revist
		41 |   route53_records = {
		42 |     create_internal_record = false
		43 |     create_external_record = false
		44 |   }
		45 |   iam_resource_names_prefix = "instance"
		46 |   instance_profile_policies = var.instance_profile_policies
		47 | 
		48 |   user_data_raw = base64encode(var.user_data)
		49 | 
		50 |   business_unit     = var.account_info.business_unit
		51 |   application_name  = var.account_info.application_name
		52 |   environment       = var.account_info.mp_environment
		53 |   region            = "eu-west-2"
		54 |   availability_zone = var.availability_zone
		55 |   subnet_id         = var.subnet_id
		56 |   tags = merge(var.tags,
		57 |     { Name = "${var.account_info.application_name}-${var.env_name}-${var.db_suffix}-${local.instance_name_index}" },
		58 |     { server-type = var.server_type_tag },
		59 |     { database = local.database_tag },
		60 |     var.enable_platform_backups != null ? { "backup" = var.enable_platform_backups ? "true" : "false" } : {}
		61 |   )
		62 | 
		63 |   cloudwatch_metric_alarms = merge(
		64 |     local.cloudwatch_metric_alarms.ec2
		65 |   )
		66 | }

Check: CKV_TF_2: "Ensure Terraform module sources use a tag with a version number"
	FAILED for resource: module.oracle_db_primary[0].instance
	File: /../components/oracle_db_instance/instance.tf:23-66
	Calling File: /database.tf:30-75
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-tag

		23 | module "instance" {
		24 |   source = "github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance"
		25 | 
		26 |   providers = {
		27 |     aws.core-vpc = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		28 |   }
		29 | 
		30 |   name = "${var.account_info.application_name}-${var.env_name}-${var.db_suffix}-${local.instance_name_index}" # e.g. dev-boe-db-1
		31 | 
		32 |   ami_name                      = data.aws_ami.oracle_db.name
		33 |   ami_owner                     = var.db_ami.owner
		34 |   instance                      = local.instance_config
		35 |   ebs_kms_key_id                = var.account_config.kms_keys.general_shared
		36 |   ebs_volumes_copy_all_from_ami = true
		37 |   ebs_volume_config             = var.ebs_volume_config
		38 |   ebs_volumes                   = var.ebs_volumes
		39 |   ebs_volume_tags               = var.tags
		40 |   # route53_records               = merge(local.ec2_test.route53_records, lookup(each.value, "route53_records", {})) # revist
		41 |   route53_records = {
		42 |     create_internal_record = false
		43 |     create_external_record = false
		44 |   }
		45 |   iam_resource_names_prefix = "instance"
		46 |   instance_profile_policies = var.instance_profile_policies
		47 | 
		48 |   user_data_raw = base64encode(var.user_data)
		49 | 
		50 |   business_unit     = var.account_info.business_unit
		51 |   application_name  = var.account_info.application_name
		52 |   environment       = var.account_info.mp_environment
		53 |   region            = "eu-west-2"
		54 |   availability_zone = var.availability_zone
		55 |   subnet_id         = var.subnet_id
		56 |   tags = merge(var.tags,
		57 |     { Name = "${var.account_info.application_name}-${var.env_name}-${var.db_suffix}-${local.instance_name_index}" },
		58 |     { server-type = var.server_type_tag },
		59 |     { database = local.database_tag },
		60 |     var.enable_platform_backups != null ? { "backup" = var.enable_platform_backups ? "true" : "false" } : {}
		61 |   )
		62 | 
		63 |   cloudwatch_metric_alarms = merge(
		64 |     local.cloudwatch_metric_alarms.ec2
		65 |   )
		66 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.oracle_db_standby.instance
	File: /../components/oracle_db_instance/instance.tf:23-66
	Calling File: /database.tf:77-125
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		23 | module "instance" {
		24 |   source = "github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance"
		25 | 
		26 |   providers = {
		27 |     aws.core-vpc = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		28 |   }
		29 | 
		30 |   name = "${var.account_info.application_name}-${var.env_name}-${var.db_suffix}-${local.instance_name_index}" # e.g. dev-boe-db-1
		31 | 
		32 |   ami_name                      = data.aws_ami.oracle_db.name
		33 |   ami_owner                     = var.db_ami.owner
		34 |   instance                      = local.instance_config
		35 |   ebs_kms_key_id                = var.account_config.kms_keys.general_shared
		36 |   ebs_volumes_copy_all_from_ami = true
		37 |   ebs_volume_config             = var.ebs_volume_config
		38 |   ebs_volumes                   = var.ebs_volumes
		39 |   ebs_volume_tags               = var.tags
		40 |   # route53_records               = merge(local.ec2_test.route53_records, lookup(each.value, "route53_records", {})) # revist
		41 |   route53_records = {
		42 |     create_internal_record = false
		43 |     create_external_record = false
		44 |   }
		45 |   iam_resource_names_prefix = "instance"
		46 |   instance_profile_policies = var.instance_profile_policies
		47 | 
		48 |   user_data_raw = base64encode(var.user_data)
		49 | 
		50 |   business_unit     = var.account_info.business_unit
		51 |   application_name  = var.account_info.application_name
		52 |   environment       = var.account_info.mp_environment
		53 |   region            = "eu-west-2"
		54 |   availability_zone = var.availability_zone
		55 |   subnet_id         = var.subnet_id
		56 |   tags = merge(var.tags,
		57 |     { Name = "${var.account_info.application_name}-${var.env_name}-${var.db_suffix}-${local.instance_name_index}" },
		58 |     { server-type = var.server_type_tag },
		59 |     { database = local.database_tag },
		60 |     var.enable_platform_backups != null ? { "backup" = var.enable_platform_backups ? "true" : "false" } : {}
		61 |   )
		62 | 
		63 |   cloudwatch_metric_alarms = merge(
		64 |     local.cloudwatch_metric_alarms.ec2
		65 |   )
		66 | }

Check: CKV_TF_2: "Ensure Terraform module sources use a tag with a version number"
	FAILED for resource: module.oracle_db_standby.instance
	File: /../components/oracle_db_instance/instance.tf:23-66
	Calling File: /database.tf:77-125
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-tag

		23 | module "instance" {
		24 |   source = "github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance"
		25 | 
		26 |   providers = {
		27 |     aws.core-vpc = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		28 |   }
		29 | 
		30 |   name = "${var.account_info.application_name}-${var.env_name}-${var.db_suffix}-${local.instance_name_index}" # e.g. dev-boe-db-1
		31 | 
		32 |   ami_name                      = data.aws_ami.oracle_db.name
		33 |   ami_owner                     = var.db_ami.owner
		34 |   instance                      = local.instance_config
		35 |   ebs_kms_key_id                = var.account_config.kms_keys.general_shared
		36 |   ebs_volumes_copy_all_from_ami = true
		37 |   ebs_volume_config             = var.ebs_volume_config
		38 |   ebs_volumes                   = var.ebs_volumes
		39 |   ebs_volume_tags               = var.tags
		40 |   # route53_records               = merge(local.ec2_test.route53_records, lookup(each.value, "route53_records", {})) # revist
		41 |   route53_records = {
		42 |     create_internal_record = false
		43 |     create_external_record = false
		44 |   }
		45 |   iam_resource_names_prefix = "instance"
		46 |   instance_profile_policies = var.instance_profile_policies
		47 | 
		48 |   user_data_raw = base64encode(var.user_data)
		49 | 
		50 |   business_unit     = var.account_info.business_unit
		51 |   application_name  = var.account_info.application_name
		52 |   environment       = var.account_info.mp_environment
		53 |   region            = "eu-west-2"
		54 |   availability_zone = var.availability_zone
		55 |   subnet_id         = var.subnet_id
		56 |   tags = merge(var.tags,
		57 |     { Name = "${var.account_info.application_name}-${var.env_name}-${var.db_suffix}-${local.instance_name_index}" },
		58 |     { server-type = var.server_type_tag },
		59 |     { database = local.database_tag },
		60 |     var.enable_platform_backups != null ? { "backup" = var.enable_platform_backups ? "true" : "false" } : {}
		61 |   )
		62 | 
		63 |   cloudwatch_metric_alarms = merge(
		64 |     local.cloudwatch_metric_alarms.ec2
		65 |   )
		66 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: module.oracle_db_shared.aws_iam_policy_document.allow_access_to_ssm_parameter_store
	File: /../components/oracle_db_shared/iam.tf:90-99
	Calling File: /database.tf:11-28
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		90 | data "aws_iam_policy_document" "allow_access_to_ssm_parameter_store" {
		91 |   statement {
		92 |     sid    = "AllowAccessToSsmParameterStore"
		93 |     effect = "Allow"
		94 |     actions = [
		95 |       "ssm:PutParameter"
		96 |     ]
		97 |     resources = ["*"]
		98 |   }
		99 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.oracle_db_shared.aws_iam_policy_document.allow_access_to_ssm_parameter_store
	File: /../components/oracle_db_shared/iam.tf:90-99
	Calling File: /database.tf:11-28
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		90 | data "aws_iam_policy_document" "allow_access_to_ssm_parameter_store" {
		91 |   statement {
		92 |     sid    = "AllowAccessToSsmParameterStore"
		93 |     effect = "Allow"
		94 |     actions = [
		95 |       "ssm:PutParameter"
		96 |     ]
		97 |     resources = ["*"]
		98 |   }
		99 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: module.oracle_db_shared.aws_iam_policy_document.instance_ssm
	File: /../components/oracle_db_shared/iam.tf:170-220
	Calling File: /database.tf:11-28
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.oracle_db_shared.aws_iam_policy_document.instance_ssm
	File: /../components/oracle_db_shared/iam.tf:170-220
	Calling File: /database.tf:11-28
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_108: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: module.oracle_db_shared.aws_iam_policy_document.instance_ssm
	File: /../components/oracle_db_shared/iam.tf:170-220
	Calling File: /database.tf:11-28
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-data-exfiltration

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.oracle_db_shared.s3_bucket_oracledb_backups
	File: /../components/oracle_db_shared/s3.tf:22-62
	Calling File: /database.tf:11-28
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		22 | module "s3_bucket_oracledb_backups" {
		23 |   source              = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0"
		24 |   bucket_name         = local.oracle_backup_bucket_prefix
		25 |   versioning_enabled  = false
		26 |   ownership_controls  = "BucketOwnerEnforced"
		27 |   replication_enabled = false
		28 |   custom_kms_key      = var.account_config.kms_keys.general_shared
		29 |   bucket_policy = try([data.aws_iam_policy_document.s3_bucket_oracledb_backups[0].json], [
		30 |     "{}"
		31 |   ])
		32 | 
		33 |   providers = {
		34 |     aws.bucket-replication = aws.bucket-replication
		35 |   }
		36 | 
		37 |   lifecycle_rule = [
		38 |     {
		39 |       id      = "main"
		40 |       enabled = "Enabled"
		41 |       prefix  = ""
		42 | 
		43 |       tags = {
		44 |         rule      = "log"
		45 |         autoclean = "true"
		46 |       }
		47 | 
		48 |       transition = [
		49 |         {
		50 |           days          = 90
		51 |           storage_class = "STANDARD_IA"
		52 |         }
		53 |       ]
		54 | 
		55 |       expiration = {
		56 |         days = 365
		57 |       }
		58 |     }
		59 |   ]
		60 | 
		61 |   tags = var.tags
		62 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.oracle_db_shared.s3_bucket_oracle_statistics[0]
	File: /../components/oracle_db_shared/s3.tf:323-364
	Calling File: /database.tf:11-28
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		323 | module "s3_bucket_oracle_statistics" {
		324 |   count = var.deploy_oracle_stats ? 1 : 0
		325 | 
		326 |   source              = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0"
		327 |   bucket_name         = "${var.account_info.application_name}-${var.env_name}-oracle-${var.db_suffix}-statistics-backup-data"
		328 |   versioning_enabled  = false
		329 |   ownership_controls  = "BucketOwnerEnforced"
		330 |   replication_enabled = false
		331 |   custom_kms_key      = var.account_config.kms_keys.general_shared
		332 |   bucket_policy = try([data.aws_iam_policy_document.s3_bucket_oracle_statistics[0].json], [
		333 |     "{}"
		334 |   ])
		335 |   providers = {
		336 |     aws.bucket-replication = aws.bucket-replication
		337 |   }
		338 | 
		339 |   lifecycle_rule = [
		340 |     {
		341 |       id      = "main"
		342 |       enabled = "Enabled"
		343 |       prefix  = ""
		344 | 
		345 |       tags = {
		346 |         rule      = "log"
		347 |         autoclean = "true"
		348 |       }
		349 | 
		350 |       transition = [
		351 |         {
		352 |           days          = 90
		353 |           storage_class = "STANDARD_IA"
		354 |         }
		355 |       ]
		356 | 
		357 |       expiration = {
		358 |         days = 365
		359 |       }
		360 |     }
		361 |   ]
		362 | 
		363 |   tags = var.tags
		364 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.oracle_db_shared.aws_iam_policy_document.database_dba_passwords
	File: /../components/oracle_db_shared/secrets.tf:15-26
	Calling File: /database.tf:11-28
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		15 | data "aws_iam_policy_document" "database_dba_passwords" {
		16 |   statement {
		17 |     sid    = "OemAWSAccountToReadTheSecret"
		18 |     effect = "Allow"
		19 |     principals {
		20 |       type        = "AWS"
		21 |       identifiers = ["arn:aws:iam::${local.oem_account_id}:role/EC2OracleEnterpriseManagementSecretsRole"]
		22 |     }
		23 |     actions   = ["secretsmanager:GetSecretValue"]
		24 |     resources = ["*"]
		25 |   }
		26 | }

Check: CKV_AWS_108: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: module.oracle_db_shared.aws_iam_policy_document.database_dba_passwords
	File: /../components/oracle_db_shared/secrets.tf:15-26
	Calling File: /database.tf:11-28
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-data-exfiltration

		15 | data "aws_iam_policy_document" "database_dba_passwords" {
		16 |   statement {
		17 |     sid    = "OemAWSAccountToReadTheSecret"
		18 |     effect = "Allow"
		19 |     principals {
		20 |       type        = "AWS"
		21 |       identifiers = ["arn:aws:iam::${local.oem_account_id}:role/EC2OracleEnterpriseManagementSecretsRole"]
		22 |     }
		23 |     actions   = ["secretsmanager:GetSecretValue"]
		24 |     resources = ["*"]
		25 |   }
		26 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: module.oracle_db_shared.aws_vpc_security_group_ingress_rule.delius_db_security_group_ssh_ingress_bastion
	File: /../components/oracle_db_shared/sg.tf:76-83
	Calling File: /database.tf:11-28
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		76 | resource "aws_vpc_security_group_ingress_rule" "delius_db_security_group_ssh_ingress_bastion" {
		77 |   security_group_id            = aws_security_group.db_ec2.id
		78 |   description                  = "bastion to testing db"
		79 |   from_port                    = 22
		80 |   to_port                      = 22
		81 |   ip_protocol                  = "tcp"
		82 |   referenced_security_group_id = var.bastion_sg_id
		83 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: module.oracle_db_shared.aws_vpc_security_group_ingress_rule.delius_db_oem_db
	File: /../components/oracle_db_shared/sg.tf:85-91
	Calling File: /database.tf:11-28
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		85 | resource "aws_vpc_security_group_ingress_rule" "delius_db_oem_db" {
		86 |   ip_protocol       = "tcp"
		87 |   from_port         = 1521
		88 |   to_port           = 1521
		89 |   cidr_ipv4         = var.account_config.shared_vpc_cidr
		90 |   security_group_id = aws_security_group.db_ec2.id
		91 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: module.oracle_db_shared.aws_vpc_security_group_ingress_rule.delius_db_oem_agent
	File: /../components/oracle_db_shared/sg.tf:105-111
	Calling File: /database.tf:11-28
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		105 | resource "aws_vpc_security_group_ingress_rule" "delius_db_oem_agent" {
		106 |   ip_protocol       = "tcp"
		107 |   from_port         = 3872
		108 |   to_port           = 3872
		109 |   cidr_ipv4         = var.account_config.shared_vpc_cidr
		110 |   security_group_id = aws_security_group.db_ec2.id
		111 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: module.oracle_db_shared.aws_vpc_security_group_egress_rule.delius_db_oem_upload
	File: /../components/oracle_db_shared/sg.tf:113-119
	Calling File: /database.tf:11-28
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		113 | resource "aws_vpc_security_group_egress_rule" "delius_db_oem_upload" {
		114 |   ip_protocol       = "tcp"
		115 |   from_port         = 4903
		116 |   to_port           = 4903
		117 |   cidr_ipv4         = var.account_config.shared_vpc_cidr
		118 |   security_group_id = aws_security_group.db_ec2.id
		119 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: module.oracle_db_shared.aws_vpc_security_group_egress_rule.delius_db_oem_console
	File: /../components/oracle_db_shared/sg.tf:121-128
	Calling File: /database.tf:11-28
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		121 | resource "aws_vpc_security_group_egress_rule" "delius_db_oem_console" {
		122 |   ip_protocol = "tcp"
		123 |   from_port   = 7803
		124 |   to_port     = 7803
		125 |   cidr_ipv4   = var.account_config.shared_vpc_cidr
		126 | 
		127 |   security_group_id = aws_security_group.db_ec2.id
		128 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.oracle_db_shared.s3_bucket_ssh_keys
	File: /../components/oracle_db_shared/ssh_keys.tf:2-45
	Calling File: /database.tf:11-28
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		2  | module "s3_bucket_ssh_keys" {
		3  | 
		4  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0"
		5  | 
		6  |   bucket_name = "${var.account_info.application_name}-${var.env_name}-oracle-${var.db_suffix}-ssh-keys"
		7  | 
		8  |   versioning_enabled  = false
		9  |   ownership_controls  = "BucketOwnerEnforced"
		10 |   replication_enabled = false
		11 |   custom_kms_key      = var.account_config.kms_keys.general_shared
		12 | 
		13 |   providers = {
		14 |     aws.bucket-replication = aws.bucket-replication
		15 |   }
		16 | 
		17 |   lifecycle_rule = [
		18 |     {
		19 |       id      = "main"
		20 |       enabled = "Enabled"
		21 |       prefix  = ""
		22 | 
		23 |       tags = {
		24 |         rule      = "log"
		25 |         autoclean = "true"
		26 |       }
		27 | 
		28 |       noncurrent_version_transition = [
		29 |         {
		30 |           days          = 90
		31 |           storage_class = "STANDARD_IA"
		32 |           }, {
		33 |           days          = 365
		34 |           storage_class = "GLACIER"
		35 |         }
		36 |       ]
		37 | 
		38 |       noncurrent_version_expiration = {
		39 |         days = 730
		40 |       }
		41 |     }
		42 |   ]
		43 | 
		44 |   tags = var.tags
		45 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: module.oracle_db_shared.aws_ssm_parameter.rman_password
	File: /../components/oracle_db_shared/ssm.tf:1-10
	Calling File: /database.tf:11-28
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		1  | resource "aws_ssm_parameter" "rman_password" {
		2  |   name  = "/${var.account_info.application_name}-${var.env_name}/delius/oracle-${var.db_suffix}-operation/rman/rman_password"
		3  |   type  = "SecureString"
		4  |   value = "REPLACE"
		5  |   lifecycle {
		6  |     ignore_changes = [
		7  |       value,
		8  |     ]
		9  |   }
		10 | }

Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
	FAILED for resource: aws_lb.delius_core_ancillary
	File: /alb_ancillary.tf:39-51
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-150

		39 | resource "aws_lb" "delius_core_ancillary" {
		40 |   # checkov:skip=CKV_AWS_91
		41 |   # checkov:skip=CKV2_AWS_28
		42 | 
		43 |   name               = "${var.env_name}-ancilliary-alb"
		44 |   internal           = false
		45 |   load_balancer_type = "application"
		46 |   security_groups    = [aws_security_group.ancillary_alb_security_group.id]
		47 |   subnets            = var.account_config.public_subnet_ids
		48 | 
		49 |   enable_deletion_protection = false
		50 |   drop_invalid_header_fields = true
		51 | }

Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
	FAILED for resource: aws_lb.delius_core_frontend
	File: /alb_frontend.tf:50-62
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-150

		50 | resource "aws_lb" "delius_core_frontend" {
		51 |   # checkov:skip=CKV_AWS_91
		52 |   # checkov:skip=CKV2_AWS_28
		53 | 
		54 |   name               = "${var.app_name}-${var.env_name}-weblogic-alb"
		55 |   internal           = false
		56 |   load_balancer_type = "application"
		57 |   security_groups    = [aws_security_group.delius_frontend_alb_security_group.id]
		58 |   subnets            = var.account_config.public_subnet_ids
		59 | 
		60 |   enable_deletion_protection = false
		61 |   drop_invalid_header_fields = true
		62 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: ecs
	File: /common_ecs.tf:1-7
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		1 | module "ecs" {
		2 |   source = "github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//cluster?ref=v4.3.0"
		3 | 
		4 |   name = "delius-core-${var.env_name}-cluster"
		5 | 
		6 |   tags = local.tags
		7 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.cluster
	File: /common_ecs.tf:9-15
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		9  | resource "aws_security_group" "cluster" {
		10 |   name_prefix = "ecs-cluster-${var.env_name}"
		11 |   vpc_id      = var.account_config.shared_vpc_id
		12 |   lifecycle {
		13 |     create_before_destroy = true
		14 |   }
		15 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.pdfcreation_secret
	File: /newtech.tf:53-60
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		53 | resource "aws_ssm_parameter" "pdfcreation_secret" {
		54 |   name  = "/${var.env_name}/delius/newtech/web/params_secret_key"
		55 |   type  = "SecureString"
		56 |   value = "DEFAULT"
		57 |   lifecycle {
		58 |     ignore_changes = [value]
		59 |   }
		60 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: pagerduty_core_alerts
	File: /pagerduty.tf:8-17
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		8  | module "pagerduty_core_alerts" {
		9  | 
		10 |   depends_on = [
		11 |     aws_sns_topic.delius_core_alarms
		12 |   ]
		13 | 
		14 |   source                    = "github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0"
		15 |   sns_topics                = [aws_sns_topic.delius_core_alarms.name]
		16 |   pagerduty_integration_key = var.pagerduty_integration_key
		17 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.delius_core_alarms
	File: /pagerduty.tf:2-5
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		2 | resource "aws_sns_topic" "delius_core_alarms" {
		3 |   name = "delius-core-${var.env_name}-alarms-topic"
		4 |   tags = var.tags
		5 | }

Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
	FAILED for resource: aws_iam_user.pwm_ses_smtp_user
	File: /pwm.tf:178-180
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-273

		178 | resource "aws_iam_user" "pwm_ses_smtp_user" {
		179 |   name = "${var.env_name}-pwm-smtp-user"
		180 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_user_policy.pwm_ses_smtp_user
	File: /pwm.tf:186-203
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		186 | resource "aws_iam_user_policy" "pwm_ses_smtp_user" {
		187 |   name = "${var.env_name}-pwm-ses-smtp-user-policy"
		188 |   user = aws_iam_user.pwm_ses_smtp_user.name
		189 | 
		190 |   policy = jsonencode({
		191 |     Version = "2012-10-17",
		192 |     Statement = [
		193 |       {
		194 |         Effect = "Allow",
		195 |         Action = [
		196 |           "ses:SendRawEmail",
		197 |           "ses:SendEmail"
		198 |         ],
		199 |         Resource = "*"
		200 |       }
		201 |     ]
		202 |   })
		203 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_user_policy.pwm_ses_smtp_user
	File: /pwm.tf:186-203
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		186 | resource "aws_iam_user_policy" "pwm_ses_smtp_user" {
		187 |   name = "${var.env_name}-pwm-ses-smtp-user-policy"
		188 |   user = aws_iam_user.pwm_ses_smtp_user.name
		189 | 
		190 |   policy = jsonencode({
		191 |     Version = "2012-10-17",
		192 |     Statement = [
		193 |       {
		194 |         Effect = "Allow",
		195 |         Action = [
		196 |           "ses:SendRawEmail",
		197 |           "ses:SendEmail"
		198 |         ],
		199 |         Resource = "*"
		200 |       }
		201 |     ]
		202 |   })
		203 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.pwm_ses_smtp_user
	File: /pwm.tf:205-215
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		205 | resource "aws_ssm_parameter" "pwm_ses_smtp_user" {
		206 |   name = "/${var.env_name}/pwm/ses_smtp"
		207 |   type = "SecureString"
		208 |   value = jsonencode({
		209 |     user              = aws_iam_user.pwm_ses_smtp_user.name,
		210 |     key               = aws_iam_access_key.pwm_ses_smtp_user.id,
		211 |     secret            = aws_iam_access_key.pwm_ses_smtp_user.secret
		212 |     ses_smtp_user     = aws_iam_access_key.pwm_ses_smtp_user.id
		213 |     ses_smtp_password = aws_iam_access_key.pwm_ses_smtp_user.ses_smtp_password_v4
		214 |   })
		215 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3_bucket_ssm_sessions
	File: /ssm.tf:311-323
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		311 | module "s3_bucket_ssm_sessions" {
		312 | 
		313 |   source = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0"
		314 | 
		315 |   bucket_prefix      = "${var.account_info.application_name}-${var.env_name}-ssm-sessions"
		316 |   versioning_enabled = false
		317 | 
		318 |   providers = {
		319 |     aws.bucket-replication = aws
		320 |   }
		321 | 
		322 |   tags = var.tags
		323 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.ldap_bind_password
	File: /ssm.tf:17-28
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		17 | resource "aws_ssm_parameter" "ldap_bind_password" {
		18 |   name  = format("/%s-%s/LDAP_BIND_PASSWORD", var.account_info.application_name, var.env_name)
		19 |   type  = "SecureString"
		20 |   value = "INITIAL_VALUE_OVERRIDDEN"
		21 |   lifecycle {
		22 |     ignore_changes = [
		23 |       value
		24 |     ]
		25 |   }
		26 |   tags = local.tags
		27 | 
		28 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.ldap_admin_password
	File: /ssm.tf:30-40
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		30 | resource "aws_ssm_parameter" "ldap_admin_password" {
		31 |   name  = format("/%s-%s/LDAP_ADMIN_PASSWORD", var.account_info.application_name, var.env_name)
		32 |   type  = "SecureString"
		33 |   value = "INITIAL_VALUE_OVERRIDDEN"
		34 |   lifecycle {
		35 |     ignore_changes = [
		36 |       value
		37 |     ]
		38 |   }
		39 |   tags = local.tags
		40 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.oasys_user
	File: /ssm.tf:42-53
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		42 | resource "aws_ssm_parameter" "oasys_user" {
		43 |   name  = format("/%s-%s/oasys_user", var.account_info.application_name, var.env_name)
		44 |   type  = "SecureString"
		45 |   value = "INITIAL_VALUE_OVERRIDDEN"
		46 |   lifecycle {
		47 |     ignore_changes = [
		48 |       value
		49 |     ]
		50 |   }
		51 |   tags = local.tags
		52 | 
		53 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.oasys_password
	File: /ssm.tf:55-66
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		55 | resource "aws_ssm_parameter" "oasys_password" {
		56 |   name  = format("/%s-%s/oasys_password", var.account_info.application_name, var.env_name)
		57 |   type  = "SecureString"
		58 |   value = "INITIAL_VALUE_OVERRIDDEN"
		59 |   lifecycle {
		60 |     ignore_changes = [
		61 |       value
		62 |     ]
		63 |   }
		64 |   tags = local.tags
		65 | 
		66 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.iaps_user
	File: /ssm.tf:68-79
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		68 | resource "aws_ssm_parameter" "iaps_user" {
		69 |   name  = format("/%s-%s/iaps_user", var.account_info.application_name, var.env_name)
		70 |   type  = "SecureString"
		71 |   value = "INITIAL_VALUE_OVERRIDDEN"
		72 |   lifecycle {
		73 |     ignore_changes = [
		74 |       value
		75 |     ]
		76 |   }
		77 |   tags = local.tags
		78 | 
		79 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.iaps_user_password
	File: /ssm.tf:81-92
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		81 | resource "aws_ssm_parameter" "iaps_user_password" {
		82 |   name  = format("/%s-%s/iaps_user_password", var.account_info.application_name, var.env_name)
		83 |   type  = "SecureString"
		84 |   value = "INITIAL_VALUE_OVERRIDDEN"
		85 |   lifecycle {
		86 |     ignore_changes = [
		87 |       value
		88 |     ]
		89 |   }
		90 |   tags = local.tags
		91 | 
		92 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.dss_user
	File: /ssm.tf:94-105
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		94  | resource "aws_ssm_parameter" "dss_user" {
		95  |   name  = format("/%s-%s/dss_user", var.account_info.application_name, var.env_name)
		96  |   type  = "SecureString"
		97  |   value = "INITIAL_VALUE_OVERRIDDEN"
		98  |   lifecycle {
		99  |     ignore_changes = [
		100 |       value
		101 |     ]
		102 |   }
		103 |   tags = local.tags
		104 | 
		105 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.dss_user_password
	File: /ssm.tf:107-118
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		107 | resource "aws_ssm_parameter" "dss_user_password" {
		108 |   name  = format("/%s-%s/dss_user_password", var.account_info.application_name, var.env_name)
		109 |   type  = "SecureString"
		110 |   value = "INITIAL_VALUE_OVERRIDDEN"
		111 |   lifecycle {
		112 |     ignore_changes = [
		113 |       value
		114 |     ]
		115 |   }
		116 |   tags = local.tags
		117 | 
		118 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.casenotes_user
	File: /ssm.tf:120-131
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		120 | resource "aws_ssm_parameter" "casenotes_user" {
		121 |   name  = format("/%s-%s/casenotes_user", var.account_info.application_name, var.env_name)
		122 |   type  = "SecureString"
		123 |   value = "INITIAL_VALUE_OVERRIDDEN"
		124 |   lifecycle {
		125 |     ignore_changes = [
		126 |       value
		127 |     ]
		128 |   }
		129 |   tags = local.tags
		130 | 
		131 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.casenotes_user_password
	File: /ssm.tf:133-143
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		133 | resource "aws_ssm_parameter" "casenotes_user_password" {
		134 |   name  = format("/%s-%s/casenotes_user_password", var.account_info.application_name, var.env_name)
		135 |   type  = "SecureString"
		136 |   value = "INITIAL_VALUE_OVERRIDDEN"
		137 |   lifecycle {
		138 |     ignore_changes = [
		139 |       value
		140 |     ]
		141 |   }
		142 |   tags = local.tags
		143 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.test_user_password
	File: /ssm.tf:145-156
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		145 | resource "aws_ssm_parameter" "test_user_password" {
		146 |   name  = format("/%s-%s/test_user_password", var.account_info.application_name, var.env_name)
		147 |   type  = "SecureString"
		148 |   value = "INITIAL_VALUE_OVERRIDDEN"
		149 |   lifecycle {
		150 |     ignore_changes = [
		151 |       value
		152 |     ]
		153 |   }
		154 | 
		155 |   tags = local.tags
		156 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.performance_test_user_password
	File: /ssm.tf:158-169
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		158 | resource "aws_ssm_parameter" "performance_test_user_password" {
		159 |   name  = format("/%s-%s/performance_test_user_password", var.account_info.application_name, var.env_name)
		160 |   type  = "SecureString"
		161 |   value = "INITIAL_VALUE_OVERRIDDEN"
		162 |   lifecycle {
		163 |     ignore_changes = [
		164 |       value
		165 |     ]
		166 |   }
		167 | 
		168 |   tags = local.tags
		169 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_gdpr_api_client_secret
	File: /ssm.tf:171-183
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		171 | resource "aws_ssm_parameter" "delius_core_gdpr_api_client_secret" {
		172 |   name  = format("/%s-%s/gdpr_api_client_secret", var.account_info.application_name, var.env_name)
		173 |   type  = "SecureString"
		174 |   value = "INITIAL_VALUE_OVERRIDDEN"
		175 | 
		176 |   lifecycle {
		177 |     ignore_changes = [
		178 |       value
		179 |     ]
		180 |   }
		181 | 
		182 |   tags = local.tags
		183 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_pwm_config_password
	File: /ssm.tf:185-197
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		185 | resource "aws_ssm_parameter" "delius_core_pwm_config_password" {
		186 |   name  = format("/%s-%s/pwm_config_password", var.account_info.application_name, var.env_name)
		187 |   type  = "SecureString"
		188 |   value = "INITIAL_VALUE_OVERRIDDEN"
		189 | 
		190 |   lifecycle {
		191 |     ignore_changes = [
		192 |       value
		193 |     ]
		194 |   }
		195 | 
		196 |   tags = local.tags
		197 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_merge_api_client_secret
	File: /ssm.tf:199-211
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		199 | resource "aws_ssm_parameter" "delius_core_merge_api_client_secret" {
		200 |   name  = format("/%s-%s/merge_api_client_secret", var.account_info.application_name, var.env_name)
		201 |   type  = "SecureString"
		202 |   value = "INITIAL_VALUE_OVERRIDDEN"
		203 | 
		204 |   lifecycle {
		205 |     ignore_changes = [
		206 |       value
		207 |     ]
		208 |   }
		209 | 
		210 |   tags = local.tags
		211 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_weblogic_ndelius_domain_umt_client_secret
	File: /ssm.tf:217-229
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		217 | resource "aws_ssm_parameter" "delius_core_weblogic_ndelius_domain_umt_client_secret" {
		218 |   name  = format("/%s-%s/umt_client_secret", var.account_info.application_name, var.env_name)
		219 |   type  = "SecureString"
		220 |   value = "INITIAL_VALUE_OVERRIDDEN"
		221 | 
		222 |   lifecycle {
		223 |     ignore_changes = [
		224 |       value
		225 |     ]
		226 |   }
		227 | 
		228 |   tags = local.tags
		229 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_umt_jwt_secret
	File: /ssm.tf:231-243
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		231 | resource "aws_ssm_parameter" "delius_core_umt_jwt_secret" {
		232 |   name  = format("/%s-%s/umt_jwt_secret", var.account_info.application_name, var.env_name)
		233 |   type  = "SecureString"
		234 |   value = "INITIAL_VALUE_OVERRIDDEN"
		235 | 
		236 |   lifecycle {
		237 |     ignore_changes = [
		238 |       value
		239 |     ]
		240 |   }
		241 | 
		242 |   tags = local.tags
		243 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_umt_delius_secret
	File: /ssm.tf:245-257
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		245 | resource "aws_ssm_parameter" "delius_core_umt_delius_secret" {
		246 |   name  = format("/%s-%s/umt_delius_secret", var.account_info.application_name, var.env_name)
		247 |   type  = "SecureString"
		248 |   value = "INITIAL_VALUE_OVERRIDDEN"
		249 | 
		250 |   lifecycle {
		251 |     ignore_changes = [
		252 |       value
		253 |     ]
		254 |   }
		255 | 
		256 |   tags = local.tags
		257 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_gdpr_db_admin_password
	File: /ssm.tf:259-269
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		259 | resource "aws_ssm_parameter" "delius_core_gdpr_db_admin_password" {
		260 |   name  = format("/%s-%s/gdpr/api/db_admin_password", var.account_info.application_name, var.env_name)
		261 |   type  = "SecureString"
		262 |   value = "INITIAL_VALUE_OVERRIDDEN"
		263 |   lifecycle {
		264 |     ignore_changes = [
		265 |       value
		266 |     ]
		267 |   }
		268 |   tags = local.tags
		269 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_gdpr_db_pool_password
	File: /ssm.tf:271-281
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		271 | resource "aws_ssm_parameter" "delius_core_gdpr_db_pool_password" {
		272 |   name  = format("/%s-%s/gdpr/api/db_pool_password", var.account_info.application_name, var.env_name)
		273 |   type  = "SecureString"
		274 |   value = "INITIAL_VALUE_OVERRIDDEN"
		275 |   lifecycle {
		276 |     ignore_changes = [
		277 |       value
		278 |     ]
		279 |   }
		280 |   tags = local.tags
		281 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_merge_db_admin_password
	File: /ssm.tf:283-293
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		283 | resource "aws_ssm_parameter" "delius_core_merge_db_admin_password" {
		284 |   name  = format("/%s-%s/merge/api/db_admin_password", var.account_info.application_name, var.env_name)
		285 |   type  = "SecureString"
		286 |   value = "INITIAL_VALUE_OVERRIDDEN"
		287 |   lifecycle {
		288 |     ignore_changes = [
		289 |       value
		290 |     ]
		291 |   }
		292 |   tags = local.tags
		293 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.delius_core_merge_db_pool_password
	File: /ssm.tf:295-305
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		295 | resource "aws_ssm_parameter" "delius_core_merge_db_pool_password" {
		296 |   name  = format("/%s-%s/merge/api/db_pool_password", var.account_info.application_name, var.env_name)
		297 |   type  = "SecureString"
		298 |   value = "INITIAL_VALUE_OVERRIDDEN"
		299 |   lifecycle {
		300 |     ignore_changes = [
		301 |       value
		302 |     ]
		303 |   }
		304 |   tags = local.tags
		305 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.usermanagement_secret
	File: /weblogic_eis.tf:124-131
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		124 | resource "aws_ssm_parameter" "usermanagement_secret" {
		125 |   name  = "/${var.env_name}/delius/umt/umt/delius_secret"
		126 |   type  = "SecureString"
		127 |   value = "DEFAULT"
		128 |   lifecycle {
		129 |     ignore_changes = [value]
		130 |   }
		131 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.jdbc_url
	File: /weblogic_params.tf:6-16
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		6  | resource "aws_ssm_parameter" "jdbc_url" {
		7  |   name  = format("/%s-%s/JDBC_URL", var.account_info.application_name, var.env_name)
		8  |   type  = "SecureString"
		9  |   value = "jdbc:oracle:thin:@//INITIAL_HOSTNAME_OVERRIDEN:INITIAL_PORT_OVERRIDDEN"
		10 |   tags  = local.tags
		11 |   lifecycle {
		12 |     ignore_changes = [
		13 |       value
		14 |     ]
		15 |   }
		16 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.jdbc_password
	File: /weblogic_params.tf:23-33
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		23 | resource "aws_ssm_parameter" "jdbc_password" {
		24 |   name  = format("/%s-%s/JDBC_PASSWORD", var.account_info.application_name, var.env_name)
		25 |   type  = "SecureString"
		26 |   value = "INITIAL_VALUE_OVERRIDDEN"
		27 |   tags  = local.tags
		28 |   lifecycle {
		29 |     ignore_changes = [
		30 |       value
		31 |     ]
		32 |   }
		33 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.weblogic_admin_username
	File: /weblogic_params.tf:40-50
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		40 | resource "aws_ssm_parameter" "weblogic_admin_username" {
		41 |   name  = format("/%s/%s/DEV_USERNAME", var.account_info.application_name, var.env_name)
		42 |   type  = "SecureString"
		43 |   value = "INITIAL_VALUE_OVERRIDDEN"
		44 |   lifecycle {
		45 |     ignore_changes = [
		46 |       value
		47 |     ]
		48 |   }
		49 |   tags = local.tags
		50 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.weblogic_admin_password
	File: /weblogic_params.tf:56-66
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		56 | resource "aws_ssm_parameter" "weblogic_admin_password" {
		57 |   name  = format("/%s/%s/DEV_PASSWORD", var.account_info.application_name, var.env_name)
		58 |   type  = "SecureString"
		59 |   value = "INITIAL_VALUE_OVERRIDDEN"
		60 |   lifecycle {
		61 |     ignore_changes = [
		62 |       value
		63 |     ]
		64 |   }
		65 |   tags = local.tags
		66 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: module.pwm.aws_cloudwatch_log_group.ecs
	File: /../helpers/delius_microservice/cloudwatch.tf:1-5
	Calling File: /pwm.tf:1-119
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		1 | resource "aws_cloudwatch_log_group" "ecs" {
		2 |   name              = "${var.env_name}-${var.name}"
		3 |   retention_in_days = 7
		4 |   tags              = var.tags
		5 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: module.pwm.aws_cloudwatch_log_group.ecs
	File: /../helpers/delius_microservice/cloudwatch.tf:1-5
	Calling File: /pwm.tf:1-119
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		1 | resource "aws_cloudwatch_log_group" "ecs" {
		2 |   name              = "${var.env_name}-${var.name}"
		3 |   retention_in_days = 7
		4 |   tags              = var.tags
		5 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: module.weblogic.aws_cloudwatch_log_group.ecs
	File: /../helpers/delius_microservice/cloudwatch.tf:1-5
	Calling File: /weblogic.tf:1-53
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		1 | resource "aws_cloudwatch_log_group" "ecs" {
		2 |   name              = "${var.env_name}-${var.name}"
		3 |   retention_in_days = 7
		4 |   tags              = var.tags
		5 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: module.weblogic.aws_cloudwatch_log_group.ecs
	File: /../helpers/delius_microservice/cloudwatch.tf:1-5
	Calling File: /weblogic.tf:1-53
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		1 | resource "aws_cloudwatch_log_group" "ecs" {
		2 |   name              = "${var.env_name}-${var.name}"
		3 |   retention_in_days = 7
		4 |   tags              = var.tags
		5 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: module.weblogic_eis.aws_cloudwatch_log_group.ecs
	File: /../helpers/delius_microservice/cloudwatch.tf:1-5
	Calling File: /weblogic_eis.tf:1-102
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		1 | resource "aws_cloudwatch_log_group" "ecs" {
		2 |   name              = "${var.env_name}-${var.name}"
		3 |   retention_in_days = 7
		4 |   tags              = var.tags
		5 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: module.weblogic_eis.aws_cloudwatch_log_group.ecs
	File: /../helpers/delius_microservice/cloudwatch.tf:1-5
	Calling File: /weblogic_eis.tf:1-102
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		1 | resource "aws_cloudwatch_log_group" "ecs" {
		2 |   name              = "${var.env_name}-${var.name}"
		3 |   retention_in_days = 7
		4 |   tags              = var.tags
		5 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.pwm.container_definition
	File: /../helpers/delius_microservice/ecs.tf:1-25
	Calling File: /pwm.tf:1-119
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		1  | module "container_definition" {
		2  |   source                   = "git::https://github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//container?ref=v4.3.0"
		3  |   name                     = var.name
		4  |   image                    = var.container_image
		5  |   memory                   = var.container_memory
		6  |   cpu                      = var.container_cpu
		7  |   essential                = true
		8  |   readonly_root_filesystem = false
		9  | 
		10 |   environment = local.calculated_container_vars_list
		11 | 
		12 |   health_check = var.health_check
		13 | 
		14 |   secrets       = local.calculated_container_secrets_list
		15 |   port_mappings = var.container_port_config
		16 |   mount_points  = var.mount_points
		17 |   log_configuration = {
		18 |     logDriver = "awslogs"
		19 |     options = {
		20 |       "awslogs-group"         = aws_cloudwatch_log_group.ecs.name
		21 |       "awslogs-region"        = "eu-west-2"
		22 |       "awslogs-stream-prefix" = "${var.env_name}-${var.name}"
		23 |     }
		24 |   }
		25 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.pwm.ecs_service
	File: /../helpers/delius_microservice/ecs.tf:35-72
	Calling File: /pwm.tf:1-119
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		35 | module "ecs_service" {
		36 |   source                = "git::https://github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//service?ref=v4.3.0"
		37 |   container_definitions = nonsensitive(module.container_definition.json_encoded_list)
		38 |   cluster_arn           = var.ecs_cluster_arn
		39 |   name                  = var.name
		40 | 
		41 |   task_cpu    = var.container_cpu
		42 |   task_memory = var.container_memory
		43 | 
		44 |   desired_count                      = var.desired_count
		45 |   deployment_maximum_percent         = var.deployment_maximum_percent
		46 |   deployment_minimum_healthy_percent = var.deployment_minimum_healthy_percent
		47 | 
		48 |   service_role_arn   = "arn:aws:iam::${var.account_info.id}:role/${module.ecs_policies.service_role.name}"
		49 |   task_role_arn      = "arn:aws:iam::${var.account_info.id}:role/${module.ecs_policies.task_role.name}"
		50 |   task_exec_role_arn = "arn:aws:iam::${var.account_info.id}:role/${module.ecs_policies.task_exec_role.name}"
		51 | 
		52 |   health_check_grace_period_seconds = var.health_check_grace_period_seconds
		53 | 
		54 |   service_load_balancers = var.microservice_lb != null ? concat([{
		55 |     target_group_arn = aws_lb_target_group.frontend[0].arn
		56 |     container_name   = var.name
		57 |     container_port   = var.container_port_config[0].containerPort
		58 |     }],
		59 |   values(local.ecs_nlbs)) : values(local.ecs_nlbs)
		60 | 
		61 |   efs_volumes = var.efs_volumes
		62 | 
		63 |   security_groups = [aws_security_group.ecs_service.id]
		64 | 
		65 |   subnets = var.account_config.private_subnet_ids
		66 | 
		67 |   enable_execute_command = true
		68 | 
		69 |   ignore_changes = var.ignore_changes_service_task_definition
		70 | 
		71 |   tags = var.tags
		72 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.weblogic.container_definition
	File: /../helpers/delius_microservice/ecs.tf:1-25
	Calling File: /weblogic.tf:1-53
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		1  | module "container_definition" {
		2  |   source                   = "git::https://github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//container?ref=v4.3.0"
		3  |   name                     = var.name
		4  |   image                    = var.container_image
		5  |   memory                   = var.container_memory
		6  |   cpu                      = var.container_cpu
		7  |   essential                = true
		8  |   readonly_root_filesystem = false
		9  | 
		10 |   environment = local.calculated_container_vars_list
		11 | 
		12 |   health_check = var.health_check
		13 | 
		14 |   secrets       = local.calculated_container_secrets_list
		15 |   port_mappings = var.container_port_config
		16 |   mount_points  = var.mount_points
		17 |   log_configuration = {
		18 |     logDriver = "awslogs"
		19 |     options = {
		20 |       "awslogs-group"         = aws_cloudwatch_log_group.ecs.name
		21 |       "awslogs-region"        = "eu-west-2"
		22 |       "awslogs-stream-prefix" = "${var.env_name}-${var.name}"
		23 |     }
		24 |   }
		25 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.weblogic.ecs_service
	File: /../helpers/delius_microservice/ecs.tf:35-72
	Calling File: /weblogic.tf:1-53
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		35 | module "ecs_service" {
		36 |   source                = "git::https://github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//service?ref=v4.3.0"
		37 |   container_definitions = nonsensitive(module.container_definition.json_encoded_list)
		38 |   cluster_arn           = var.ecs_cluster_arn
		39 |   name                  = var.name
		40 | 
		41 |   task_cpu    = var.container_cpu
		42 |   task_memory = var.container_memory
		43 | 
		44 |   desired_count                      = var.desired_count
		45 |   deployment_maximum_percent         = var.deployment_maximum_percent
		46 |   deployment_minimum_healthy_percent = var.deployment_minimum_healthy_percent
		47 | 
		48 |   service_role_arn   = "arn:aws:iam::${var.account_info.id}:role/${module.ecs_policies.service_role.name}"
		49 |   task_role_arn      = "arn:aws:iam::${var.account_info.id}:role/${module.ecs_policies.task_role.name}"
		50 |   task_exec_role_arn = "arn:aws:iam::${var.account_info.id}:role/${module.ecs_policies.task_exec_role.name}"
		51 | 
		52 |   health_check_grace_period_seconds = var.health_check_grace_period_seconds
		53 | 
		54 |   service_load_balancers = var.microservice_lb != null ? concat([{
		55 |     target_group_arn = aws_lb_target_group.frontend[0].arn
		56 |     container_name   = var.name
		57 |     container_port   = var.container_port_config[0].containerPort
		58 |     }],
		59 |   values(local.ecs_nlbs)) : values(local.ecs_nlbs)
		60 | 
		61 |   efs_volumes = var.efs_volumes
		62 | 
		63 |   security_groups = [aws_security_group.ecs_service.id]
		64 | 
		65 |   subnets = var.account_config.private_subnet_ids
		66 | 
		67 |   enable_execute_command = true
		68 | 
		69 |   ignore_changes = var.ignore_changes_service_task_definition
		70 | 
		71 |   tags = var.tags
		72 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.weblogic_eis.container_definition
	File: /../helpers/delius_microservice/ecs.tf:1-25
	Calling File: /weblogic_eis.tf:1-102
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		1  | module "container_definition" {
		2  |   source                   = "git::https://github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//container?ref=v4.3.0"
		3  |   name                     = var.name
		4  |   image                    = var.container_image
		5  |   memory                   = var.container_memory
		6  |   cpu                      = var.container_cpu
		7  |   essential                = true
		8  |   readonly_root_filesystem = false
		9  | 
		10 |   environment = local.calculated_container_vars_list
		11 | 
		12 |   health_check = var.health_check
		13 | 
		14 |   secrets       = local.calculated_container_secrets_list
		15 |   port_mappings = var.container_port_config
		16 |   mount_points  = var.mount_points
		17 |   log_configuration = {
		18 |     logDriver = "awslogs"
		19 |     options = {
		20 |       "awslogs-group"         = aws_cloudwatch_log_group.ecs.name
		21 |       "awslogs-region"        = "eu-west-2"
		22 |       "awslogs-stream-prefix" = "${var.env_name}-${var.name}"
		23 |     }
		24 |   }
		25 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.weblogic_eis.ecs_service
	File: /../helpers/delius_microservice/ecs.tf:35-72
	Calling File: /weblogic_eis.tf:1-102
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		35 | module "ecs_service" {
		36 |   source                = "git::https://github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//service?ref=v4.3.0"
		37 |   container_definitions = nonsensitive(module.container_definition.json_encoded_list)
		38 |   cluster_arn           = var.ecs_cluster_arn
		39 |   name                  = var.name
		40 | 
		41 |   task_cpu    = var.container_cpu
		42 |   task_memory = var.container_memory
		43 | 
		44 |   desired_count                      = var.desired_count
		45 |   deployment_maximum_percent         = var.deployment_maximum_percent
		46 |   deployment_minimum_healthy_percent = var.deployment_minimum_healthy_percent
		47 | 
		48 |   service_role_arn   = "arn:aws:iam::${var.account_info.id}:role/${module.ecs_policies.service_role.name}"
		49 |   task_role_arn      = "arn:aws:iam::${var.account_info.id}:role/${module.ecs_policies.task_role.name}"
		50 |   task_exec_role_arn = "arn:aws:iam::${var.account_info.id}:role/${module.ecs_policies.task_exec_role.name}"
		51 | 
		52 |   health_check_grace_period_seconds = var.health_check_grace_period_seconds
		53 | 
		54 |   service_load_balancers = var.microservice_lb != null ? concat([{
		55 |     target_group_arn = aws_lb_target_group.frontend[0].arn
		56 |     container_name   = var.name
		57 |     container_port   = var.container_port_config[0].containerPort
		58 |     }],
		59 |   values(local.ecs_nlbs)) : values(local.ecs_nlbs)
		60 | 
		61 |   efs_volumes = var.efs_volumes
		62 | 
		63 |   security_groups = [aws_security_group.ecs_service.id]
		64 | 
		65 |   subnets = var.account_config.private_subnet_ids
		66 | 
		67 |   enable_execute_command = true
		68 | 
		69 |   ignore_changes = var.ignore_changes_service_task_definition
		70 | 
		71 |   tags = var.tags
		72 | }

Check: CKV_AWS_152: "Ensure that Load Balancer (Network/Gateway) has cross-zone load balancing enabled"
	FAILED for resource: module.pwm.aws_lb.delius_microservices
	File: /../helpers/delius_microservice/load_balancing.tf:90-98
	Calling File: /pwm.tf:1-119
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-load-balancer-networkgateway-has-cross-zone-load-balancing-enabled

		90 | resource "aws_lb" "delius_microservices" {
		91 |   name                       = "${var.name}-${var.env_name}-service-nlb"
		92 |   internal                   = true
		93 |   load_balancer_type         = "network"
		94 |   security_groups            = [aws_security_group.delius_microservices_service_nlb.id]
		95 |   subnets                    = var.account_config.private_subnet_ids
		96 |   enable_deletion_protection = false
		97 |   tags                       = var.tags
		98 | }

Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
	FAILED for resource: module.pwm.aws_lb.delius_microservices
	File: /../helpers/delius_microservice/load_balancing.tf:90-98
	Calling File: /pwm.tf:1-119
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22

		90 | resource "aws_lb" "delius_microservices" {
		91 |   name                       = "${var.name}-${var.env_name}-service-nlb"
		92 |   internal                   = true
		93 |   load_balancer_type         = "network"
		94 |   security_groups            = [aws_security_group.delius_microservices_service_nlb.id]
		95 |   subnets                    = var.account_config.private_subnet_ids
		96 |   enable_deletion_protection = false
		97 |   tags                       = var.tags
		98 | }

Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
	FAILED for resource: module.pwm.aws_lb.delius_microservices
	File: /../helpers/delius_microservice/load_balancing.tf:90-98
	Calling File: /pwm.tf:1-119
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-150

		90 | resource "aws_lb" "delius_microservices" {
		91 |   name                       = "${var.name}-${var.env_name}-service-nlb"
		92 |   internal                   = true
		93 |   load_balancer_type         = "network"
		94 |   security_groups            = [aws_security_group.delius_microservices_service_nlb.id]
		95 |   subnets                    = var.account_config.private_subnet_ids
		96 |   enable_deletion_protection = false
		97 |   tags                       = var.tags
		98 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: module.pwm.aws_vpc_security_group_ingress_rule.from_vpc
	File: /../helpers/delius_microservice/load_balancing.tf:110-114
	Calling File: /pwm.tf:1-119
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		110 | resource "aws_vpc_security_group_ingress_rule" "from_vpc" {
		111 |   cidr_ipv4         = var.account_config.shared_vpc_cidr
		112 |   ip_protocol       = "-1"
		113 |   security_group_id = aws_security_group.delius_microservices_service_nlb.id
		114 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: module.pwm.aws_vpc_security_group_egress_rule.nlb_to_ecs_service
	File: /../helpers/delius_microservice/load_balancing.tf:116-123
	Calling File: /pwm.tf:1-119
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		116 | resource "aws_vpc_security_group_egress_rule" "nlb_to_ecs_service" {
		117 |   for_each                     = toset([for _, v in var.container_port_config : tostring(v.containerPort)])
		118 |   ip_protocol                  = "TCP"
		119 |   from_port                    = each.value
		120 |   to_port                      = each.value
		121 |   security_group_id            = aws_security_group.delius_microservices_service_nlb.id
		122 |   referenced_security_group_id = aws_security_group.ecs_service.id
		123 | }

Check: CKV_AWS_152: "Ensure that Load Balancer (Network/Gateway) has cross-zone load balancing enabled"
	FAILED for resource: module.weblogic.aws_lb.delius_microservices
	File: /../helpers/delius_microservice/load_balancing.tf:90-98
	Calling File: /weblogic.tf:1-53
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-load-balancer-networkgateway-has-cross-zone-load-balancing-enabled

		90 | resource "aws_lb" "delius_microservices" {
		91 |   name                       = "${var.name}-${var.env_name}-service-nlb"
		92 |   internal                   = true
		93 |   load_balancer_type         = "network"
		94 |   security_groups            = [aws_security_group.delius_microservices_service_nlb.id]
		95 |   subnets                    = var.account_config.private_subnet_ids
		96 |   enable_deletion_protection = false
		97 |   tags                       = var.tags
		98 | }

Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
	FAILED for resource: module.weblogic.aws_lb.delius_microservices
	File: /../helpers/delius_microservice/load_balancing.tf:90-98
	Calling File: /weblogic.tf:1-53
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22

		90 | resource "aws_lb" "delius_microservices" {
		91 |   name                       = "${var.name}-${var.env_name}-service-nlb"
		92 |   internal                   = true
		93 |   load_balancer_type         = "network"
		94 |   security_groups            = [aws_security_group.delius_microservices_service_nlb.id]
		95 |   subnets                    = var.account_config.private_subnet_ids
		96 |   enable_deletion_protection = false
		97 |   tags                       = var.tags
		98 | }

Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
	FAILED for resource: module.weblogic.aws_lb.delius_microservices
	File: /../helpers/delius_microservice/load_balancing.tf:90-98
	Calling File: /weblogic.tf:1-53
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-150

		90 | resource "aws_lb" "delius_microservices" {
		91 |   name                       = "${var.name}-${var.env_name}-service-nlb"
		92 |   internal                   = true
		93 |   load_balancer_type         = "network"
		94 |   security_groups            = [aws_security_group.delius_microservices_service_nlb.id]
		95 |   subnets                    = var.account_config.private_subnet_ids
		96 |   enable_deletion_protection = false
		97 |   tags                       = var.tags
		98 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: module.weblogic.aws_vpc_security_group_ingress_rule.from_vpc
	File: /../helpers/delius_microservice/load_balancing.tf:110-114
	Calling File: /weblogic.tf:1-53
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		110 | resource "aws_vpc_security_group_ingress_rule" "from_vpc" {
		111 |   cidr_ipv4         = var.account_config.shared_vpc_cidr
		112 |   ip_protocol       = "-1"
		113 |   security_group_id = aws_security_group.delius_microservices_service_nlb.id
		114 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: module.weblogic.aws_vpc_security_group_egress_rule.nlb_to_ecs_service
	File: /../helpers/delius_microservice/load_balancing.tf:116-123
	Calling File: /weblogic.tf:1-53
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		116 | resource "aws_vpc_security_group_egress_rule" "nlb_to_ecs_service" {
		117 |   for_each                     = toset([for _, v in var.container_port_config : tostring(v.containerPort)])
		118 |   ip_protocol                  = "TCP"
		119 |   from_port                    = each.value
		120 |   to_port                      = each.value
		121 |   security_group_id            = aws_security_group.delius_microservices_service_nlb.id
		122 |   referenced_security_group_id = aws_security_group.ecs_service.id
		123 | }

Check: CKV_AWS_152: "Ensure that Load Balancer (Network/Gateway) has cross-zone load balancing enabled"
	FAILED for resource: module.weblogic_eis.aws_lb.delius_microservices
	File: /../helpers/delius_microservice/load_balancing.tf:90-98
	Calling File: /weblogic_eis.tf:1-102
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-load-balancer-networkgateway-has-cross-zone-load-balancing-enabled

		90 | resource "aws_lb" "delius_microservices" {
		91 |   name                       = "${var.name}-${var.env_name}-service-nlb"
		92 |   internal                   = true
		93 |   load_balancer_type         = "network"
		94 |   security_groups            = [aws_security_group.delius_microservices_service_nlb.id]
		95 |   subnets                    = var.account_config.private_subnet_ids
		96 |   enable_deletion_protection = false
		97 |   tags                       = var.tags
		98 | }

Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
	FAILED for resource: module.weblogic_eis.aws_lb.delius_microservices
	File: /../helpers/delius_microservice/load_balancing.tf:90-98
	Calling File: /weblogic_eis.tf:1-102
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22

		90 | resource "aws_lb" "delius_microservices" {
		91 |   name                       = "${var.name}-${var.env_name}-service-nlb"
		92 |   internal                   = true
		93 |   load_balancer_type         = "network"
		94 |   security_groups            = [aws_security_group.delius_microservices_service_nlb.id]
		95 |   subnets                    = var.account_config.private_subnet_ids
		96 |   enable_deletion_protection = false
		97 |   tags                       = var.tags
		98 | }

Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
	FAILED for resource: module.weblogic_eis.aws_lb.delius_microservices
	File: /../helpers/delius_microservice/load_balancing.tf:90-98
	Calling File: /weblogic_eis.tf:1-102
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-150

		90 | resource "aws_lb" "delius_microservices" {
		91 |   name                       = "${var.name}-${var.env_name}-service-nlb"
		92 |   internal                   = true
		93 |   load_balancer_type         = "network"
		94 |   security_groups            = [aws_security_group.delius_microservices_service_nlb.id]
		95 |   subnets                    = var.account_config.private_subnet_ids
		96 |   enable_deletion_protection = false
		97 |   tags                       = var.tags
		98 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: module.weblogic_eis.aws_vpc_security_group_ingress_rule.from_vpc
	File: /../helpers/delius_microservice/load_balancing.tf:110-114
	Calling File: /weblogic_eis.tf:1-102
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		110 | resource "aws_vpc_security_group_ingress_rule" "from_vpc" {
		111 |   cidr_ipv4         = var.account_config.shared_vpc_cidr
		112 |   ip_protocol       = "-1"
		113 |   security_group_id = aws_security_group.delius_microservices_service_nlb.id
		114 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: module.weblogic_eis.aws_vpc_security_group_egress_rule.nlb_to_ecs_service
	File: /../helpers/delius_microservice/load_balancing.tf:116-123
	Calling File: /weblogic_eis.tf:1-102
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		116 | resource "aws_vpc_security_group_egress_rule" "nlb_to_ecs_service" {
		117 |   for_each                     = toset([for _, v in var.container_port_config : tostring(v.containerPort)])
		118 |   ip_protocol                  = "TCP"
		119 |   from_port                    = each.value
		120 |   to_port                      = each.value
		121 |   security_group_id            = aws_security_group.delius_microservices_service_nlb.id
		122 |   referenced_security_group_id = aws_security_group.ecs_service.id
		123 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: module.pwm.aws_security_group_rule.all_cluster_to_ecs_service_tcp
	File: /../helpers/delius_microservice/sg.tf:51-59
	Calling File: /pwm.tf:1-119
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		51 | resource "aws_security_group_rule" "all_cluster_to_ecs_service_tcp" {
		52 |   for_each                 = toset([for _, v in var.container_port_config : tostring(v.containerPort)])
		53 |   security_group_id        = aws_security_group.ecs_service.id
		54 |   type                     = "ingress"
		55 |   from_port                = each.value
		56 |   to_port                  = each.value
		57 |   protocol                 = "tcp"
		58 |   source_security_group_id = var.cluster_security_group_id
		59 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: module.pwm.aws_security_group_rule.bastion_to_ecs_service_tcp
	File: /../helpers/delius_microservice/sg.tf:61-69
	Calling File: /pwm.tf:1-119
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		61 | resource "aws_security_group_rule" "bastion_to_ecs_service_tcp" {
		62 |   for_each                 = toset([for _, v in var.container_port_config : tostring(v.containerPort)])
		63 |   security_group_id        = aws_security_group.ecs_service.id
		64 |   type                     = "ingress"
		65 |   from_port                = each.value
		66 |   to_port                  = each.value
		67 |   protocol                 = "tcp"
		68 |   source_security_group_id = var.bastion_sg_id
		69 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: module.weblogic.aws_security_group_rule.all_cluster_to_ecs_service_tcp
	File: /../helpers/delius_microservice/sg.tf:51-59
	Calling File: /weblogic.tf:1-53
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		51 | resource "aws_security_group_rule" "all_cluster_to_ecs_service_tcp" {
		52 |   for_each                 = toset([for _, v in var.container_port_config : tostring(v.containerPort)])
		53 |   security_group_id        = aws_security_group.ecs_service.id
		54 |   type                     = "ingress"
		55 |   from_port                = each.value
		56 |   to_port                  = each.value
		57 |   protocol                 = "tcp"
		58 |   source_security_group_id = var.cluster_security_group_id
		59 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: module.weblogic.aws_security_group_rule.bastion_to_ecs_service_tcp
	File: /../helpers/delius_microservice/sg.tf:61-69
	Calling File: /weblogic.tf:1-53
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		61 | resource "aws_security_group_rule" "bastion_to_ecs_service_tcp" {
		62 |   for_each                 = toset([for _, v in var.container_port_config : tostring(v.containerPort)])
		63 |   security_group_id        = aws_security_group.ecs_service.id
		64 |   type                     = "ingress"
		65 |   from_port                = each.value
		66 |   to_port                  = each.value
		67 |   protocol                 = "tcp"
		68 |   source_security_group_id = var.bastion_sg_id
		69 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: module.weblogic_eis.aws_security_group_rule.all_cluster_to_ecs_service_tcp
	File: /../helpers/delius_microservice/sg.tf:51-59
	Calling File: /weblogic_eis.tf:1-102
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		51 | resource "aws_security_group_rule" "all_cluster_to_ecs_service_tcp" {
		52 |   for_each                 = toset([for _, v in var.container_port_config : tostring(v.containerPort)])
		53 |   security_group_id        = aws_security_group.ecs_service.id
		54 |   type                     = "ingress"
		55 |   from_port                = each.value
		56 |   to_port                  = each.value
		57 |   protocol                 = "tcp"
		58 |   source_security_group_id = var.cluster_security_group_id
		59 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: module.weblogic_eis.aws_security_group_rule.bastion_to_ecs_service_tcp
	File: /../helpers/delius_microservice/sg.tf:61-69
	Calling File: /weblogic_eis.tf:1-102
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		61 | resource "aws_security_group_rule" "bastion_to_ecs_service_tcp" {
		62 |   for_each                 = toset([for _, v in var.container_port_config : tostring(v.containerPort)])
		63 |   security_group_id        = aws_security_group.ecs_service.id
		64 |   type                     = "ingress"
		65 |   from_port                = each.value
		66 |   to_port                  = each.value
		67 |   protocol                 = "tcp"
		68 |   source_security_group_id = var.bastion_sg_id
		69 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.ldap.module.ldap_ecs_policies.aws_iam_policy_document.task_exec
	File: /../helpers/ecs_policies/main.tf:104-122
	Calling File: /../components/ldap/ldap_policies.tf:1-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		104 | data "aws_iam_policy_document" "task_exec" {
		105 |   statement {
		106 |     effect    = "Allow"
		107 |     resources = ["*"]
		108 | 
		109 |     actions = concat([
		110 |       "ssm:GetParameters",
		111 |       "ecr:GetAuthorizationToken",
		112 |       "ecr:BatchCheckLayerAvailability",
		113 |       "ecr:GetDownloadUrlForLayer",
		114 |       "ecr:BatchGetImage",
		115 |       "logs:CreateLogGroup",
		116 |       "logs:CreateLogStream",
		117 |       "logs:PutLogEvents",
		118 |       "secretsmanager:GetSecretValue",
		119 |       "kms:Decrypt",
		120 |     ], var.extra_exec_role_allow_statements)
		121 |   }
		122 | }

Check: CKV_AWS_108: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: module.ldap.module.ldap_ecs_policies.aws_iam_policy_document.task_exec
	File: /../helpers/ecs_policies/main.tf:104-122
	Calling File: /../components/ldap/ldap_policies.tf:1-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-data-exfiltration

		104 | data "aws_iam_policy_document" "task_exec" {
		105 |   statement {
		106 |     effect    = "Allow"
		107 |     resources = ["*"]
		108 | 
		109 |     actions = concat([
		110 |       "ssm:GetParameters",
		111 |       "ecr:GetAuthorizationToken",
		112 |       "ecr:BatchCheckLayerAvailability",
		113 |       "ecr:GetDownloadUrlForLayer",
		114 |       "ecr:BatchGetImage",
		115 |       "logs:CreateLogGroup",
		116 |       "logs:CreateLogStream",
		117 |       "logs:PutLogEvents",
		118 |       "secretsmanager:GetSecretValue",
		119 |       "kms:Decrypt",
		120 |     ], var.extra_exec_role_allow_statements)
		121 |   }
		122 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.pwm.module.ecs_policies.aws_iam_policy_document.task_exec
	File: /../helpers/ecs_policies/main.tf:104-122
	Calling File: /../helpers/delius_microservice/ecs.tf:27-33
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		104 | data "aws_iam_policy_document" "task_exec" {
		105 |   statement {
		106 |     effect    = "Allow"
		107 |     resources = ["*"]
		108 | 
		109 |     actions = concat([
		110 |       "ssm:GetParameters",
		111 |       "ecr:GetAuthorizationToken",
		112 |       "ecr:BatchCheckLayerAvailability",
		113 |       "ecr:GetDownloadUrlForLayer",
		114 |       "ecr:BatchGetImage",
		115 |       "logs:CreateLogGroup",
		116 |       "logs:CreateLogStream",
		117 |       "logs:PutLogEvents",
		118 |       "secretsmanager:GetSecretValue",
		119 |       "kms:Decrypt",
		120 |     ], var.extra_exec_role_allow_statements)
		121 |   }
		122 | }

Check: CKV_AWS_108: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: module.pwm.module.ecs_policies.aws_iam_policy_document.task_exec
	File: /../helpers/ecs_policies/main.tf:104-122
	Calling File: /../helpers/delius_microservice/ecs.tf:27-33
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-data-exfiltration

		104 | data "aws_iam_policy_document" "task_exec" {
		105 |   statement {
		106 |     effect    = "Allow"
		107 |     resources = ["*"]
		108 | 
		109 |     actions = concat([
		110 |       "ssm:GetParameters",
		111 |       "ecr:GetAuthorizationToken",
		112 |       "ecr:BatchCheckLayerAvailability",
		113 |       "ecr:GetDownloadUrlForLayer",
		114 |       "ecr:BatchGetImage",
		115 |       "logs:CreateLogGroup",
		116 |       "logs:CreateLogStream",
		117 |       "logs:PutLogEvents",
		118 |       "secretsmanager:GetSecretValue",
		119 |       "kms:Decrypt",
		120 |     ], var.extra_exec_role_allow_statements)
		121 |   }
		122 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.weblogic.module.ecs_policies.aws_iam_policy_document.task_exec
	File: /../helpers/ecs_policies/main.tf:104-122
	Calling File: /../helpers/delius_microservice/ecs.tf:27-33
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		104 | data "aws_iam_policy_document" "task_exec" {
		105 |   statement {
		106 |     effect    = "Allow"
		107 |     resources = ["*"]
		108 | 
		109 |     actions = concat([
		110 |       "ssm:GetParameters",
		111 |       "ecr:GetAuthorizationToken",
		112 |       "ecr:BatchCheckLayerAvailability",
		113 |       "ecr:GetDownloadUrlForLayer",
		114 |       "ecr:BatchGetImage",
		115 |       "logs:CreateLogGroup",
		116 |       "logs:CreateLogStream",
		117 |       "logs:PutLogEvents",
		118 |       "secretsmanager:GetSecretValue",
		119 |       "kms:Decrypt",
		120 |     ], var.extra_exec_role_allow_statements)
		121 |   }
		122 | }

Check: CKV_AWS_108: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: module.weblogic.module.ecs_policies.aws_iam_policy_document.task_exec
	File: /../helpers/ecs_policies/main.tf:104-122
	Calling File: /../helpers/delius_microservice/ecs.tf:27-33
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-data-exfiltration

		104 | data "aws_iam_policy_document" "task_exec" {
		105 |   statement {
		106 |     effect    = "Allow"
		107 |     resources = ["*"]
		108 | 
		109 |     actions = concat([
		110 |       "ssm:GetParameters",
		111 |       "ecr:GetAuthorizationToken",
		112 |       "ecr:BatchCheckLayerAvailability",
		113 |       "ecr:GetDownloadUrlForLayer",
		114 |       "ecr:BatchGetImage",
		115 |       "logs:CreateLogGroup",
		116 |       "logs:CreateLogStream",
		117 |       "logs:PutLogEvents",
		118 |       "secretsmanager:GetSecretValue",
		119 |       "kms:Decrypt",
		120 |     ], var.extra_exec_role_allow_statements)
		121 |   }
		122 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.weblogic_eis.module.ecs_policies.aws_iam_policy_document.task_exec
	File: /../helpers/ecs_policies/main.tf:104-122
	Calling File: /../helpers/delius_microservice/ecs.tf:27-33
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		104 | data "aws_iam_policy_document" "task_exec" {
		105 |   statement {
		106 |     effect    = "Allow"
		107 |     resources = ["*"]
		108 | 
		109 |     actions = concat([
		110 |       "ssm:GetParameters",
		111 |       "ecr:GetAuthorizationToken",
		112 |       "ecr:BatchCheckLayerAvailability",
		113 |       "ecr:GetDownloadUrlForLayer",
		114 |       "ecr:BatchGetImage",
		115 |       "logs:CreateLogGroup",
		116 |       "logs:CreateLogStream",
		117 |       "logs:PutLogEvents",
		118 |       "secretsmanager:GetSecretValue",
		119 |       "kms:Decrypt",
		120 |     ], var.extra_exec_role_allow_statements)
		121 |   }
		122 | }

Check: CKV_AWS_108: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: module.weblogic_eis.module.ecs_policies.aws_iam_policy_document.task_exec
	File: /../helpers/ecs_policies/main.tf:104-122
	Calling File: /../helpers/delius_microservice/ecs.tf:27-33
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-data-exfiltration

		104 | data "aws_iam_policy_document" "task_exec" {
		105 |   statement {
		106 |     effect    = "Allow"
		107 |     resources = ["*"]
		108 | 
		109 |     actions = concat([
		110 |       "ssm:GetParameters",
		111 |       "ecr:GetAuthorizationToken",
		112 |       "ecr:BatchCheckLayerAvailability",
		113 |       "ecr:GetDownloadUrlForLayer",
		114 |       "ecr:BatchGetImage",
		115 |       "logs:CreateLogGroup",
		116 |       "logs:CreateLogStream",
		117 |       "logs:PutLogEvents",
		118 |       "secretsmanager:GetSecretValue",
		119 |       "kms:Decrypt",
		120 |     ], var.extra_exec_role_allow_statements)
		121 |   }
		122 | }

Check: CKV_AWS_329: "EFS access points should enforce a root directory"
	FAILED for resource: module.ldap.module.efs.aws_efs_access_point.ldap
	File: /../helpers/efs/main.tf:26-37
	Calling File: /../components/ldap/efs.tf:1-17
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-329

		26 | resource "aws_efs_access_point" "ldap" {
		27 |   file_system_id = aws_efs_file_system.this.id
		28 |   root_directory {
		29 |     path = "/"
		30 |   }
		31 |   tags = merge(
		32 |     var.tags,
		33 |     {
		34 |       Name = "${var.env_name}-${var.name}-efs-access-point"
		35 |     }
		36 |   )
		37 | }

Check: CKV_AWS_330: "EFS access points should enforce a user identity"
	FAILED for resource: module.ldap.module.efs.aws_efs_access_point.ldap
	File: /../helpers/efs/main.tf:26-37
	Calling File: /../components/ldap/efs.tf:1-17
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-330

		26 | resource "aws_efs_access_point" "ldap" {
		27 |   file_system_id = aws_efs_file_system.this.id
		28 |   root_directory {
		29 |     path = "/"
		30 |   }
		31 |   tags = merge(
		32 |     var.tags,
		33 |     {
		34 |       Name = "${var.env_name}-${var.name}-efs-access-point"
		35 |     }
		36 |   )
		37 | }

Check: CKV_AWS_152: "Ensure that Load Balancer (Network/Gateway) has cross-zone load balancing enabled"
	FAILED for resource: module.ldap.module.nlb.aws_lb.this
	File: /../helpers/nlb/main.tf:1-12
	Calling File: /../components/ldap/nlb.tf:1-23
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-load-balancer-networkgateway-has-cross-zone-load-balancing-enabled

		1  | resource "aws_lb" "this" {
		2  |   name                       = "${var.app_name}-${var.env_name}-nlb"
		3  |   internal                   = var.internal
		4  |   load_balancer_type         = var.load_balancer_type
		5  |   subnets                    = var.subnet_ids
		6  |   drop_invalid_header_fields = var.drop_invalid_header_fields
		7  |   enable_deletion_protection = var.enable_deletion_protection
		8  | 
		9  | 
		10 | 
		11 |   tags = var.tags
		12 | }

Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
	FAILED for resource: module.ldap.module.nlb.aws_lb.this
	File: /../helpers/nlb/main.tf:1-12
	Calling File: /../components/ldap/nlb.tf:1-23
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22

		1  | resource "aws_lb" "this" {
		2  |   name                       = "${var.app_name}-${var.env_name}-nlb"
		3  |   internal                   = var.internal
		4  |   load_balancer_type         = var.load_balancer_type
		5  |   subnets                    = var.subnet_ids
		6  |   drop_invalid_header_fields = var.drop_invalid_header_fields
		7  |   enable_deletion_protection = var.enable_deletion_protection
		8  | 
		9  | 
		10 | 
		11 |   tags = var.tags
		12 | }

Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
	FAILED for resource: module.ldap.module.nlb.aws_lb.this
	File: /../helpers/nlb/main.tf:1-12
	Calling File: /../components/ldap/nlb.tf:1-23
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-150

		1  | resource "aws_lb" "this" {
		2  |   name                       = "${var.app_name}-${var.env_name}-nlb"
		3  |   internal                   = var.internal
		4  |   load_balancer_type         = var.load_balancer_type
		5  |   subnets                    = var.subnet_ids
		6  |   drop_invalid_header_fields = var.drop_invalid_header_fields
		7  |   enable_deletion_protection = var.enable_deletion_protection
		8  | 
		9  | 
		10 | 
		11 |   tags = var.tags
		12 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: module.ssm_params_pdf_creation.aws_ssm_parameter.this
	File: /../helpers/ssm_params/main.tf:1-9
	Calling File: /pdfcreation.tf:64-69
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		1 | resource "aws_ssm_parameter" "this" {
		2 |   for_each = toset([for item in var.params_list : item])
		3 |   name     = "/${var.environment_name}/${var.application_name}/${each.value}"
		4 |   type     = "SecureString"
		5 |   value    = "change_me"
		6 |   lifecycle {
		7 |     ignore_changes = [value]
		8 |   }
		9 | }

Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
	FAILED for resource: aws_ssm_parameter.weblogic_eis_google_analytics_id
	File: /weblogic_eis.tf:109-116
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted

		109 | resource "aws_ssm_parameter" "weblogic_eis_google_analytics_id" {
		110 |   name  = "/${var.env_name}/delius/monitoring/analytics/google_id"
		111 |   type  = "String"
		112 |   value = "DEFAULT"
		113 |   lifecycle {
		114 |     ignore_changes = [value]
		115 |   }
		116 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.oracle_db_shared.aws_s3_bucket.s3_bucket_oracledb_backups_inventory
	File: /../components/oracle_db_shared/s3.tf:188-200
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		188 | resource "aws_s3_bucket" "s3_bucket_oracledb_backups_inventory" {
		189 | 
		190 |   bucket = "${local.oracle_backup_bucket_prefix}-inventory"
		191 |   tags = merge(
		192 |     var.tags,
		193 |     {
		194 |       "Name" = "${local.oracle_backup_bucket_prefix}-inventory"
		195 |     },
		196 |     {
		197 |       "Purpose" = "Inventory of Oracle DB Backup Pieces"
		198 |     },
		199 |   )
		200 | }

Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
	FAILED for resource: module.pwm.aws_db_instance.this
	File: /../helpers/delius_microservice/rds.tf:65-111
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-60

		65  | resource "aws_db_instance" "this" {
		66  |   count          = var.create_rds ? 1 : 0
		67  |   engine         = var.rds_engine
		68  |   license_model  = var.rds_license_model != null ? var.rds_license_model : null
		69  |   engine_version = var.rds_engine_version
		70  |   instance_class = var.rds_instance_class
		71  |   identifier     = "${var.name}-${var.env_name}-db"
		72  |   username       = var.rds_username
		73  | 
		74  |   manage_master_user_password = true
		75  | 
		76  |   snapshot_identifier = var.snapshot_identifier != null ? var.snapshot_identifier : null
		77  | 
		78  |   kms_key_id = var.account_config.kms_keys.rds_shared
		79  | 
		80  |   allow_major_version_upgrade = var.rds_allow_major_version_upgrade
		81  |   apply_immediately           = var.rds_apply_immediately
		82  | 
		83  |   # tflint-ignore: aws_db_instance_default_parameter_group
		84  |   parameter_group_name                = var.rds_parameter_group_name
		85  |   deletion_protection                 = var.rds_deletion_protection
		86  |   delete_automated_backups            = var.rds_delete_automated_backups
		87  |   skip_final_snapshot                 = var.rds_skip_final_snapshot
		88  |   final_snapshot_identifier           = !var.rds_skip_final_snapshot ? "${var.name}-${var.env_name}-db-final-${random_id.rds_suffix.hex}" : null
		89  |   allocated_storage                   = var.rds_allocated_storage
		90  |   max_allocated_storage               = var.rds_max_allocated_storage
		91  |   storage_type                        = var.rds_storage_type
		92  |   maintenance_window                  = var.maintenance_window
		93  |   auto_minor_version_upgrade          = true
		94  |   backup_window                       = var.rds_backup_window
		95  |   backup_retention_period             = var.rds_backup_retention_period
		96  |   iam_database_authentication_enabled = var.rds_iam_database_authentication_enabled
		97  |   db_subnet_group_name                = aws_db_subnet_group.this[0].id
		98  |   vpc_security_group_ids              = [aws_security_group.db[0].id]
		99  |   multi_az                            = var.rds_multi_az
		100 |   monitoring_interval                 = var.rds_monitoring_interval
		101 |   monitoring_role_arn                 = var.rds_monitoring_interval != null || var.rds_monitoring_interval != 0 ? aws_iam_role.rds_enhanced_monitoring[0].arn : null
		102 |   #checkov:skip=CKV_AWS_118: "enhanced monitoring is enabled, but optional"
		103 |   storage_encrypted               = true
		104 |   performance_insights_enabled    = var.rds_performance_insights_enabled
		105 |   performance_insights_kms_key_id = var.rds_performance_insights_enabled ? var.account_config.kms_keys.general_shared : null
		106 |   enabled_cloudwatch_logs_exports = var.rds_enabled_cloudwatch_logs_exports
		107 |   tags = merge(var.tags,
		108 |     { Name = lower(format("%s-%s-database", var.name, var.env_name)) },
		109 |     var.enable_platform_backups != null ? { "backup" = var.enable_platform_backups ? "true" : "false" } : {}
		110 |   )
		111 | }

Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
	FAILED for resource: module.weblogic.aws_db_instance.this
	File: /../helpers/delius_microservice/rds.tf:65-111
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-60

		65  | resource "aws_db_instance" "this" {
		66  |   count          = var.create_rds ? 1 : 0
		67  |   engine         = var.rds_engine
		68  |   license_model  = var.rds_license_model != null ? var.rds_license_model : null
		69  |   engine_version = var.rds_engine_version
		70  |   instance_class = var.rds_instance_class
		71  |   identifier     = "${var.name}-${var.env_name}-db"
		72  |   username       = var.rds_username
		73  | 
		74  |   manage_master_user_password = true
		75  | 
		76  |   snapshot_identifier = var.snapshot_identifier != null ? var.snapshot_identifier : null
		77  | 
		78  |   kms_key_id = var.account_config.kms_keys.rds_shared
		79  | 
		80  |   allow_major_version_upgrade = var.rds_allow_major_version_upgrade
		81  |   apply_immediately           = var.rds_apply_immediately
		82  | 
		83  |   # tflint-ignore: aws_db_instance_default_parameter_group
		84  |   parameter_group_name                = var.rds_parameter_group_name
		85  |   deletion_protection                 = var.rds_deletion_protection
		86  |   delete_automated_backups            = var.rds_delete_automated_backups
		87  |   skip_final_snapshot                 = var.rds_skip_final_snapshot
		88  |   final_snapshot_identifier           = !var.rds_skip_final_snapshot ? "${var.name}-${var.env_name}-db-final-${random_id.rds_suffix.hex}" : null
		89  |   allocated_storage                   = var.rds_allocated_storage
		90  |   max_allocated_storage               = var.rds_max_allocated_storage
		91  |   storage_type                        = var.rds_storage_type
		92  |   maintenance_window                  = var.maintenance_window
		93  |   auto_minor_version_upgrade          = true
		94  |   backup_window                       = var.rds_backup_window
		95  |   backup_retention_period             = var.rds_backup_retention_period
		96  |   iam_database_authentication_enabled = var.rds_iam_database_authentication_enabled
		97  |   db_subnet_group_name                = aws_db_subnet_group.this[0].id
		98  |   vpc_security_group_ids              = [aws_security_group.db[0].id]
		99  |   multi_az                            = var.rds_multi_az
		100 |   monitoring_interval                 = var.rds_monitoring_interval
		101 |   monitoring_role_arn                 = var.rds_monitoring_interval != null || var.rds_monitoring_interval != 0 ? aws_iam_role.rds_enhanced_monitoring[0].arn : null
		102 |   #checkov:skip=CKV_AWS_118: "enhanced monitoring is enabled, but optional"
		103 |   storage_encrypted               = true
		104 |   performance_insights_enabled    = var.rds_performance_insights_enabled
		105 |   performance_insights_kms_key_id = var.rds_performance_insights_enabled ? var.account_config.kms_keys.general_shared : null
		106 |   enabled_cloudwatch_logs_exports = var.rds_enabled_cloudwatch_logs_exports
		107 |   tags = merge(var.tags,
		108 |     { Name = lower(format("%s-%s-database", var.name, var.env_name)) },
		109 |     var.enable_platform_backups != null ? { "backup" = var.enable_platform_backups ? "true" : "false" } : {}
		110 |   )
		111 | }

Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
	FAILED for resource: module.weblogic_eis.aws_db_instance.this
	File: /../helpers/delius_microservice/rds.tf:65-111
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-60

		65  | resource "aws_db_instance" "this" {
		66  |   count          = var.create_rds ? 1 : 0
		67  |   engine         = var.rds_engine
		68  |   license_model  = var.rds_license_model != null ? var.rds_license_model : null
		69  |   engine_version = var.rds_engine_version
		70  |   instance_class = var.rds_instance_class
		71  |   identifier     = "${var.name}-${var.env_name}-db"
		72  |   username       = var.rds_username
		73  | 
		74  |   manage_master_user_password = true
		75  | 
		76  |   snapshot_identifier = var.snapshot_identifier != null ? var.snapshot_identifier : null
		77  | 
		78  |   kms_key_id = var.account_config.kms_keys.rds_shared
		79  | 
		80  |   allow_major_version_upgrade = var.rds_allow_major_version_upgrade
		81  |   apply_immediately           = var.rds_apply_immediately
		82  | 
		83  |   # tflint-ignore: aws_db_instance_default_parameter_group
		84  |   parameter_group_name                = var.rds_parameter_group_name
		85  |   deletion_protection                 = var.rds_deletion_protection
		86  |   delete_automated_backups            = var.rds_delete_automated_backups
		87  |   skip_final_snapshot                 = var.rds_skip_final_snapshot
		88  |   final_snapshot_identifier           = !var.rds_skip_final_snapshot ? "${var.name}-${var.env_name}-db-final-${random_id.rds_suffix.hex}" : null
		89  |   allocated_storage                   = var.rds_allocated_storage
		90  |   max_allocated_storage               = var.rds_max_allocated_storage
		91  |   storage_type                        = var.rds_storage_type
		92  |   maintenance_window                  = var.maintenance_window
		93  |   auto_minor_version_upgrade          = true
		94  |   backup_window                       = var.rds_backup_window
		95  |   backup_retention_period             = var.rds_backup_retention_period
		96  |   iam_database_authentication_enabled = var.rds_iam_database_authentication_enabled
		97  |   db_subnet_group_name                = aws_db_subnet_group.this[0].id
		98  |   vpc_security_group_ids              = [aws_security_group.db[0].id]
		99  |   multi_az                            = var.rds_multi_az
		100 |   monitoring_interval                 = var.rds_monitoring_interval
		101 |   monitoring_role_arn                 = var.rds_monitoring_interval != null || var.rds_monitoring_interval != 0 ? aws_iam_role.rds_enhanced_monitoring[0].arn : null
		102 |   #checkov:skip=CKV_AWS_118: "enhanced monitoring is enabled, but optional"
		103 |   storage_encrypted               = true
		104 |   performance_insights_enabled    = var.rds_performance_insights_enabled
		105 |   performance_insights_kms_key_id = var.rds_performance_insights_enabled ? var.account_config.kms_keys.general_shared : null
		106 |   enabled_cloudwatch_logs_exports = var.rds_enabled_cloudwatch_logs_exports
		107 |   tags = merge(var.tags,
		108 |     { Name = lower(format("%s-%s-database", var.name, var.env_name)) },
		109 |     var.enable_platform_backups != null ? { "backup" = var.enable_platform_backups ? "true" : "false" } : {}
		110 |   )
		111 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: module.oracle_db_shared.aws_s3_bucket.s3_bucket_oracledb_backups_inventory
	File: /../components/oracle_db_shared/s3.tf:188-200
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		188 | resource "aws_s3_bucket" "s3_bucket_oracledb_backups_inventory" {
		189 | 
		190 |   bucket = "${local.oracle_backup_bucket_prefix}-inventory"
		191 |   tags = merge(
		192 |     var.tags,
		193 |     {
		194 |       "Name" = "${local.oracle_backup_bucket_prefix}-inventory"
		195 |     },
		196 |     {
		197 |       "Purpose" = "Inventory of Oracle DB Backup Pieces"
		198 |     },
		199 |   )
		200 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: module.oracle_db_shared.aws_s3_bucket.s3_bucket_oracledb_backups_inventory
	File: /../components/oracle_db_shared/s3.tf:188-200
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		188 | resource "aws_s3_bucket" "s3_bucket_oracledb_backups_inventory" {
		189 | 
		190 |   bucket = "${local.oracle_backup_bucket_prefix}-inventory"
		191 |   tags = merge(
		192 |     var.tags,
		193 |     {
		194 |       "Name" = "${local.oracle_backup_bucket_prefix}-inventory"
		195 |     },
		196 |     {
		197 |       "Purpose" = "Inventory of Oracle DB Backup Pieces"
		198 |     },
		199 |   )
		200 | }

Check: CKV_AWS_103: "Ensure that load balancer is using at least TLS 1.2"
	FAILED for resource: module.ldap.module.nlb.aws_lb_listener.ldaps
	File: /../helpers/nlb/main.tf:32-50
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-43

		32 | resource "aws_lb_listener" "ldaps" {
		33 |   load_balancer_arn = aws_lb.this.arn
		34 |   port              = var.secure_port
		35 |   protocol          = "TLS"
		36 | 
		37 |   default_action {
		38 |     type             = "forward"
		39 |     target_group_arn = aws_lb_target_group.this.arn
		40 |   }
		41 | 
		42 |   certificate_arn = var.certificate_arn
		43 | 
		44 |   tags = merge(
		45 |     var.tags,
		46 |     {
		47 |       Name = var.app_name
		48 |     }
		49 |   )
		50 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.oracle_db_shared.aws_s3_bucket.s3_bucket_oracledb_backups_inventory
	File: /../components/oracle_db_shared/s3.tf:188-200
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		188 | resource "aws_s3_bucket" "s3_bucket_oracledb_backups_inventory" {
		189 | 
		190 |   bucket = "${local.oracle_backup_bucket_prefix}-inventory"
		191 |   tags = merge(
		192 |     var.tags,
		193 |     {
		194 |       "Name" = "${local.oracle_backup_bucket_prefix}-inventory"
		195 |     },
		196 |     {
		197 |       "Purpose" = "Inventory of Oracle DB Backup Pieces"
		198 |     },
		199 |   )
		200 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.oracle_db_shared.aws_s3_bucket.s3_bucket_oracledb_backups_inventory
	File: /../components/oracle_db_shared/s3.tf:188-200
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		188 | resource "aws_s3_bucket" "s3_bucket_oracledb_backups_inventory" {
		189 | 
		190 |   bucket = "${local.oracle_backup_bucket_prefix}-inventory"
		191 |   tags = merge(
		192 |     var.tags,
		193 |     {
		194 |       "Name" = "${local.oracle_backup_bucket_prefix}-inventory"
		195 |     },
		196 |     {
		197 |       "Purpose" = "Inventory of Oracle DB Backup Pieces"
		198 |     },
		199 |   )
		200 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: module.oracle_db_shared.aws_secretsmanager_secret.database_dba_passwords
	File: /../components/oracle_db_shared/secrets.tf:3-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		3 | resource "aws_secretsmanager_secret" "database_dba_passwords" {
		4 |   name        = local.dba_secret_name
		5 |   description = "DBA Users Credentials"
		6 |   kms_key_id  = var.account_config.kms_keys.general_shared
		7 |   tags        = var.tags
		8 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: module.oracle_db_shared.aws_secretsmanager_secret.database_application_passwords
	File: /../components/oracle_db_shared/secrets.tf:34-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		34 | resource "aws_secretsmanager_secret" "database_application_passwords" {
		35 |   name        = local.application_secret_name
		36 |   description = "Application Users Credentials"
		37 |   kms_key_id  = var.account_config.kms_keys.general_shared
		38 |   tags        = var.tags
		39 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: module.ldap.module.ldap_admin_password.aws_secretsmanager_secret.this
	File: /../helpers/secret/main.tf:1-6
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		1 | resource "aws_secretsmanager_secret" "this" {
		2 |   name        = var.name
		3 |   description = var.description
		4 |   kms_key_id  = var.kms_key_id
		5 |   tags        = var.tags
		6 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: module.ldap.aws_security_group.ldap
	File: /../components/ldap/sg.tf:1-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		1 | resource "aws_security_group" "ldap" {
		2 |   name        = "${var.env_name}-ldap-sg"
		3 |   description = "Security group for the ${var.env_name} ldap service"
		4 |   vpc_id      = var.account_info.vpc_id
		5 |   tags        = var.tags
		6 |   lifecycle {
		7 |     create_before_destroy = true
		8 |   }
		9 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: module.oracle_db_shared.aws_security_group.db_ec2
	File: /../components/oracle_db_shared/sg.tf:1-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		1  | resource "aws_security_group" "db_ec2" {
		2  |   name        = "${var.account_info.application_name}-${var.env_name}-${var.db_suffix}-ec2-instance-sg"
		3  |   description = "Controls access to db ec2 instance"
		4  |   vpc_id      = var.account_config.shared_vpc_id
		5  |   tags = merge(var.tags,
		6  |     { Name = "${var.account_info.application_name}-${var.env_name}-${var.db_suffix}-ec2-instance-sg" }
		7  |   )
		8  |   lifecycle {
		9  |     create_before_destroy = true
		10 |   }
		11 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.cluster
	File: /common_ecs.tf:9-15
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		9  | resource "aws_security_group" "cluster" {
		10 |   name_prefix = "ecs-cluster-${var.env_name}"
		11 |   vpc_id      = var.account_config.shared_vpc_id
		12 |   lifecycle {
		13 |     create_before_destroy = true
		14 |   }
		15 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: module.pwm.aws_security_group.ecs_service
	File: /../helpers/delius_microservice/sg.tf:2-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		2  | resource "aws_security_group" "ecs_service" {
		3  |   name        = "ecs-service-${var.name}-${var.env_name}"
		4  |   description = "Security group for the ${var.env_name} ${var.name} service"
		5  |   vpc_id      = var.account_config.shared_vpc_id
		6  |   tags        = var.tags
		7  |   lifecycle {
		8  |     create_before_destroy = true
		9  |   }
		10 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: module.weblogic.aws_security_group.ecs_service
	File: /../helpers/delius_microservice/sg.tf:2-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		2  | resource "aws_security_group" "ecs_service" {
		3  |   name        = "ecs-service-${var.name}-${var.env_name}"
		4  |   description = "Security group for the ${var.env_name} ${var.name} service"
		5  |   vpc_id      = var.account_config.shared_vpc_id
		6  |   tags        = var.tags
		7  |   lifecycle {
		8  |     create_before_destroy = true
		9  |   }
		10 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: module.weblogic_eis.aws_security_group.ecs_service
	File: /../helpers/delius_microservice/sg.tf:2-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		2  | resource "aws_security_group" "ecs_service" {
		3  |   name        = "ecs-service-${var.name}-${var.env_name}"
		4  |   description = "Security group for the ${var.env_name} ${var.name} service"
		5  |   vpc_id      = var.account_config.shared_vpc_id
		6  |   tags        = var.tags
		7  |   lifecycle {
		8  |     create_before_destroy = true
		9  |   }
		10 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.oracle_db_shared.aws_s3_bucket.s3_bucket_oracledb_backups_inventory
	File: /../components/oracle_db_shared/s3.tf:188-200
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		188 | resource "aws_s3_bucket" "s3_bucket_oracledb_backups_inventory" {
		189 | 
		190 |   bucket = "${local.oracle_backup_bucket_prefix}-inventory"
		191 |   tags = merge(
		192 |     var.tags,
		193 |     {
		194 |       "Name" = "${local.oracle_backup_bucket_prefix}-inventory"
		195 |     },
		196 |     {
		197 |       "Purpose" = "Inventory of Oracle DB Backup Pieces"
		198 |     },
		199 |   )
		200 | }


checkov_exitcode=1

TFLint Scan Failed

Show Output
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
terraform/environments/delius-core/modules/delius_environment

*****************************

Running tflint in terraform/environments/delius-core/modules/delius_environment
Excluding the following checks: terraform_unused_declarations
1 issue(s) found:

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/delius-core/modules/delius_environment/pwm.tf line 88:
  88:     "SECURITY_KEY" = "${base64encode(uuid())}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

tflint_exitcode=2

Trivy Scan Failed

*****************************

Trivy will check the following folders:
terraform/environments/delius-core/modules/delius_environment

*****************************

Running Trivy in terraform/environments/delius-core/modules/delius_environment
2024-08-23T10:30:10Z	INFO	[db] Need to update DB
2024-08-23T10:30:10Z	INFO	[db] Downloading DB...	repository="ghcr.io/aquasecurity/trivy-db:2"
2024-08-23T10:30:13Z	INFO	[vuln] Vulnerability scanning is enabled
2024-08-23T10:30:13Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-08-23T10:30:13Z	INFO	Need to update the built-in policies
2024-08-23T10:30:13Z	INFO	Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s
2024-08-23T10:30:13Z	INFO	[secret] Secret scanning is enabled
2024-08-23T10:30:13Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-08-23T10:30:13Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.54/docs/scanner/secret#recommendation for faster secret detection
2024-08-23T10:30:25Z	INFO	Number of language-specific files	num=0
2024-08-23T10:30:25Z	INFO	Detected config files	num=28

../components/ldap/sg.tf (terraform)
====================================
Tests: 6 (SUCCESSES: 5, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 ../components/ldap/sg.tf:17
   via ../components/ldap/sg.tf:11-19 (aws_security_group_rule.allow_all_egress)
    via ldap.tf:1-26 (module.ldap)
────────────────────────────────────────
  11   resource "aws_security_group_rule" "allow_all_egress" {
  12     description       = "Allow all outbound traffic to any IPv4 address"
  13     type              = "egress"
  14     from_port         = 0
  15     to_port           = 0
  16     protocol          = "-1"
  17 [   cidr_blocks       = ["0.0.0.0/0"]
  18     security_group_id = aws_security_group.ldap.id
  19   }
────────────────────────────────────────



../components/oracle_db_shared/s3.tf (terraform)
================================================
Tests: 14 (SUCCESSES: 5, FAILURES: 2, EXCEPTIONS: 7)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.

See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
 ../components/oracle_db_shared/s3.tf:188-200
   via database.tf:11-28 (module.oracle_db_shared)
────────────────────────────────────────
 188 ┌ resource "aws_s3_bucket" "s3_bucket_oracledb_backups_inventory" {
 189 │ 
 190 │   bucket = "${local.oracle_backup_bucket_prefix}-inventory"
 191 │   tags = merge(
 192 │     var.tags,
 193 │     {
 194 │       "Name" = "${local.oracle_backup_bucket_prefix}-inventory"
 195 │     },
 196 └     {
 ...   
────────────────────────────────────────


HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 ../components/oracle_db_shared/s3.tf:188-200
   via database.tf:11-28 (module.oracle_db_shared)
────────────────────────────────────────
 188 ┌ resource "aws_s3_bucket" "s3_bucket_oracledb_backups_inventory" {
 189 │ 
 190 │   bucket = "${local.oracle_backup_bucket_prefix}-inventory"
 191 │   tags = merge(
 192 │     var.tags,
 193 │     {
 194 │       "Name" = "${local.oracle_backup_bucket_prefix}-inventory"
 195 │     },
 196 └     {
 ...   
────────────────────────────────────────



../components/oracle_db_shared/sg.tf (terraform)
================================================
Tests: 12 (SUCCESSES: 11, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 ../components/oracle_db_shared/sg.tf:15
   via ../components/oracle_db_shared/sg.tf:13-23 (aws_vpc_security_group_egress_rule.db_ec2_instance_https_out)
    via database.tf:11-28 (module.oracle_db_shared)
────────────────────────────────────────
  13   resource "aws_vpc_security_group_egress_rule" "db_ec2_instance_https_out" {
  14     security_group_id = aws_security_group.db_ec2.id
  15 [   cidr_ipv4         = "0.0.0.0/0"
  16     from_port         = 443
  17     to_port           = 443
  18     ip_protocol       = "tcp"
  19     description       = "Allow communication out on port 443, e.g. for SSM"
  20     tags = merge(var.tags,
  21       { Name = "https-out" }
  ..   
────────────────────────────────────────



../helpers/delius_microservice/sg.tf (terraform)
================================================
Tests: 8 (SUCCESSES: 5, FAILURES: 3, EXCEPTIONS: 0)
Failures: 3 (HIGH: 0, CRITICAL: 3)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 ../helpers/delius_microservice/sg.tf:97
   via ../helpers/delius_microservice/sg.tf:90-99 (aws_vpc_security_group_egress_rule.custom_rules["3"])
    via pwm.tf:1-119 (module.pwm)
────────────────────────────────────────
  90   resource "aws_vpc_security_group_egress_rule" "custom_rules" {
  91     for_each                     = { for index, rule in var.ecs_service_egress_security_group_ids : index => rule }
  92     security_group_id            = aws_security_group.ecs_service.id
  93     description                  = "custom rule"
  94     from_port                    = each.value.port
  95     to_port                      = each.value.port
  96     ip_protocol                  = each.value.ip_protocol
  97 [   cidr_ipv4                    = each.value.cidr_ipv4
  98     referenced_security_group_id = each.value.referenced_security_group_id
  99   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 ../helpers/delius_microservice/sg.tf:97
   via ../helpers/delius_microservice/sg.tf:90-99 (aws_vpc_security_group_egress_rule.custom_rules["2"])
    via pwm.tf:1-119 (module.pwm)
────────────────────────────────────────
  90   resource "aws_vpc_security_group_egress_rule" "custom_rules" {
  91     for_each                     = { for index, rule in var.ecs_service_egress_security_group_ids : index => rule }
  92     security_group_id            = aws_security_group.ecs_service.id
  93     description                  = "custom rule"
  94     from_port                    = each.value.port
  95     to_port                      = each.value.port
  96     ip_protocol                  = each.value.ip_protocol
  97 [   cidr_ipv4                    = each.value.cidr_ipv4
  98     referenced_security_group_id = each.value.referenced_security_group_id
  99   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 ../helpers/delius_microservice/sg.tf:47
   via ../helpers/delius_microservice/sg.tf:41-49 (aws_security_group_rule.ecs_service_tls_egress)
    via pwm.tf:1-119 (module.pwm)
────────────────────────────────────────
  41   resource "aws_security_group_rule" "ecs_service_tls_egress" {
  42     description       = "Allow all outbound traffic to any IPv4 address on 443"
  43     type              = "egress"
  44     from_port         = 443
  45     to_port           = 443
  46     protocol          = "tcp"
  47 [   cidr_blocks       = ["0.0.0.0/0"]
  48     security_group_id = aws_security_group.ecs_service.id
  49   }
────────────────────────────────────────



pagerduty.tf (terraform)
========================
Tests: 2 (SUCCESSES: 1, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Topic does not have encryption enabled.
════════════════════════════════════════
Topics should be encrypted to protect their contents.

See https://avd.aquasec.com/misconfig/avd-aws-0095
────────────────────────────────────────
 pagerduty.tf:2-5
────────────────────────────────────────
   2 ┌ resource "aws_sns_topic" "delius_core_alarms" {
   3 │   name = "delius-core-${var.env_name}-alarms-topic"
   4 │   tags = var.tags
   5 └ }
────────────────────────────────────────


trivy_exitcode=1

@andrewmooreio andrewmooreio merged commit 32b6ce0 into main Aug 23, 2024
12 of 16 checks passed
@andrewmooreio andrewmooreio deleted the NIT-1457-delius-core-ensure-stage-preprod-deploy-cleanly branch August 23, 2024 10:31