Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

GitHub Actions Code Formatter workflow #7611

Closed
wants to merge 1 commit into from
Closed

GitHub Actions Code Formatter workflow #7611

wants to merge 1 commit into from

Conversation

github-actions[bot]
Copy link
Contributor

This pull request includes updates from the GitHub Actions Code Formatter workflow. Please review the changes and merge if everything looks good.

@github-actions github-actions bot added the code quality For PRs that improve, reformat, or refactor code label Aug 26, 2024
@github-actions github-actions bot requested review from a team as code owners August 26, 2024 04:48
dms1981
dms1981 approved these changes Aug 27, 2024
View reviewed changes
Copy link
Contributor

@dms1981 dms1981 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Linting changes only

@dms1981 dms1981 closed this Aug 27, 2024
@dms1981 dms1981 reopened this Aug 27, 2024
@github-actions github-actions bot added the environments-repository Used to exclude PRs from this repo in our Slack PR update label Aug 27, 2024
@dms1981 dms1981 had a problem deploying to corporate-staff-rostering-development August 27, 2024 08:53 — with GitHub Actions Failure
@dms1981 dms1981 temporarily deployed to electronic-monitoring-data-development August 27, 2024 08:53 — with GitHub Actions Inactive
@github-actions GitHub Actions
Copy link
Contributor Author

Trivy Scan Failed

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/corporate-staff-rostering
terraform/environments/delius-core/modules/helpers/delius_microservice
terraform/environments/electronic-monitoring-data
terraform/environments/mojfin
terraform/environments/nomis

Running Trivy in terraform/environments/corporate-staff-rostering
2024-08-27T08:54:09Z INFO [db] Need to update DB
2024-08-27T08:54:09Z INFO [db] Downloading DB... repository="ghcr.io/aquasecurity/trivy-db:2"
2024-08-27T08:54:11Z INFO [vuln] Vulnerability scanning is enabled
2024-08-27T08:54:11Z INFO [misconfig] Misconfiguration scanning is enabled
2024-08-27T08:54:11Z INFO Need to update the built-in policies
2024-08-27T08:54:11Z INFO Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-08-27T08:54:11Z INFO [secret] Secret scanning is enabled
2024-08-27T08:54:11Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-08-27T08:54:11Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.54/docs/scanner/secret#recommendation for faster secret detection
2024-08-27T08:54:11Z WARN [pip] Unable to find python site-packages directory. License detection is skipped. err="site-packages directory not found"
2024-08-27T08:54:15Z INFO Number of language-specific files num=0
2024-08-27T08:54:15Z INFO Detected config files num=8
trivy_exitcode=0

Running Trivy in terraform/environments/delius-core/modules/helpers/delius_microservice
2024-08-27T08:54:15Z INFO [vuln] Vulnerability scanning is enabled
2024-08-27T08:54:15Z INFO [misconfig] Misconfiguration scanning is enabled
2024-08-27T08:54:15Z INFO [secret] Secret scanning is enabled
2024-08-27T08:54:15Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-08-27T08:54:15Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.54/docs/scanner/secret#recommendation for faster secret detection
2024-08-27T08:54:17Z INFO Number of language-specific files num=0
2024-08-27T08:54:17Z INFO Detected config files num=5

sg.tf (terraform)

Tests: 3 (SUCCESSES: 2, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
sg.tf:47
via sg.tf:41-49 (aws_security_group_rule.ecs_service_tls_egress)
────────────────────────────────────────
41 resource "aws_security_group_rule" "ecs_service_tls_egress" {
42 description = "Allow all outbound traffic to any IPv4 address on 443"
43 type = "egress"
44 from_port = 443
45 to_port = 443
46 protocol = "tcp"
47 [ cidr_blocks = ["0.0.0.0/0"]
48 security_group_id = aws_security_group.ecs_service.id
49 }
────────────────────────────────────────

trivy_exitcode=1

Running Trivy in terraform/environments/electronic-monitoring-data
2024-08-27T08:54:17Z INFO [vuln] Vulnerability scanning is enabled
2024-08-27T08:54:17Z INFO [misconfig] Misconfiguration scanning is enabled
2024-08-27T08:54:17Z INFO [secret] Secret scanning is enabled
2024-08-27T08:54:17Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-08-27T08:54:17Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.54/docs/scanner/secret#recommendation for faster secret detection
2024-08-27T08:54:17Z WARN [pip] Unable to find python site-packages directory. License detection is skipped. err="site-packages directory not found"
2024-08-27T08:54:21Z INFO Number of language-specific files num=1
2024-08-27T08:54:21Z INFO [pip] Detecting vulnerabilities...
2024-08-27T08:54:21Z INFO Detected config files num=24

data_store.tf (terraform)

Tests: 11 (SUCCESSES: 8, FAILURES: 1, EXCEPTIONS: 2)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
data_store.tf:23-31
────────────────────────────────────────
23 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "data_store" {
24 │ bucket = aws_s3_bucket.data_store.id
25 │
26 │ rule {
27 │ apply_server_side_encryption_by_default {
28 │ sse_algorithm = "AES256"
29 │ }
30 │ }
31 └ }
────────────────────────────────────────

dms_data_validation_glue_job.tf (terraform)

Tests: 13 (SUCCESSES: 8, FAILURES: 5, EXCEPTIONS: 0)
Failures: 5 (HIGH: 5, CRITICAL: 0)

HIGH: No public access block so not blocking public acls
════════════════════════════════════════

S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.

See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
38 │ bucket_prefix = "glue-jobs-py-scripts-"
39 └ }
────────────────────────────────────────

HIGH: No public access block so not blocking public policies
════════════════════════════════════════

S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.

See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
38 │ bucket_prefix = "glue-jobs-py-scripts-"
39 └ }
────────────────────────────────────────

HIGH: No public access block so not ignoring public acls
════════════════════════════════════════

S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.

See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
38 │ bucket_prefix = "glue-jobs-py-scripts-"
39 └ }
────────────────────────────────────────

HIGH: No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.

See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
37 ┌ resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
38 │ bucket_prefix = "glue-jobs-py-scripts-"
39 └ }
────────────────────────────────────────

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
dms_data_validation_glue_job.tf:20-28
────────────────────────────────────────
20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "dms_dv_parquet_s3_bucket" {
21 │ bucket = aws_s3_bucket.dms_dv_parquet_s3_bucket.id
22 │
23 │ rule {
24 │ apply_server_side_encryption_by_default {
25 │ sse_algorithm = "AES256"
26 │ }
27 │ }
28 └ }
────────────────────────────────────────

dms_s3_target_ep.tf (terraform)

Tests: 7 (SUCCESSES: 6, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
dms_s3_target_ep.tf:20-28
────────────────────────────────────────
20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "dms_target_ep_s3_bucket" {
21 │ bucket = aws_s3_bucket.dms_target_ep_s3_bucket.id
22 │
23 │ rule {
24 │ apply_server_side_encryption_by_default {
25 │ sse_algorithm = "AES256"
26 │ }
27 │ }
28 └ }
────────────────────────────────────────

dms_security_groups.tf (terraform)

Tests: 6 (SUCCESSES: 4, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 0, CRITICAL: 2)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
dms_security_groups.tf:17
via dms_security_groups.tf:14-22 (aws_vpc_security_group_egress_rule.dms_all_tcp_outbound)
────────────────────────────────────────
14 resource "aws_vpc_security_group_egress_rule" "dms_all_tcp_outbound" {
15 security_group_id = aws_security_group.dms_ri_security_group.id
16
17 [ cidr_ipv4 = "0.0.0.0/0"
18 ip_protocol = "tcp"
19 from_port = 0
20 to_port = 65535
21 description = "DMS Terraform"
22 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
dms_security_groups.tf:62
via dms_security_groups.tf:59-67 (aws_vpc_security_group_egress_rule.glue_rds_conn_outbound)
────────────────────────────────────────
59 resource "aws_vpc_security_group_egress_rule" "glue_rds_conn_outbound" {
60 security_group_id = aws_security_group.glue_rds_conn_security_group.id
61
62 [ cidr_ipv4 = "0.0.0.0/0"
63 ip_protocol = "tcp"
64 from_port = 0
65 to_port = 65535
66 description = "Required ports open for Glue-RDS-Connection"
67 }
────────────────────────────────────────

lambdas/update_log_table/Dockerfile (dockerfile)

Tests: 20 (SUCCESSES: 19, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Specify at least 1 USER command in Dockerfile with non-root user as argument
════════════════════════════════════════
Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.

See https://avd.aquasec.com/misconfig/ds002
────────────────────────────────────────

lambdas_security_groups.tf (terraform)

Tests: 2 (SUCCESSES: 1, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
lambdas_security_groups.tf:12
via lambdas_security_groups.tf:10-17 (aws_vpc_security_group_egress_rule.lambda_all_outbound)
────────────────────────────────────────
10 resource "aws_vpc_security_group_egress_rule" "lambda_all_outbound" {
11 security_group_id = aws_security_group.lambda_db_security_group.id
12 [ cidr_ipv4 = "0.0.0.0/0"
13 ip_protocol = "tcp"
14 from_port = 0
15 to_port = 65535
16 description = "Lambda outbound access"
17 }
────────────────────────────────────────

modules/landing_zone/main.tf (terraform)

Tests: 14 (SUCCESSES: 12, FAILURES: 1, EXCEPTIONS: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
modules/landing_zone/main.tf:40-48
via main.tf:30-54 (module.buddi)
────────────────────────────────────────
40 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "landing_bucket" {
41 │ bucket = aws_s3_bucket.landing_bucket.id
42 │
43 │ rule {
44 │ apply_server_side_encryption_by_default {
45 │ sse_algorithm = "AES256"
46 │ }
47 │ }
48 └ }
────────────────────────────────────────

modules/s3_log_bucket/main.tf (terraform)

Tests: 38 (SUCCESSES: 36, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
modules/s3_log_bucket/main.tf:20-28
via modules/landing_zone/main.tf:108-118 (module.log_bucket)
via main.tf:30-54 (module.buddi)
────────────────────────────────────────
20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
21 │ bucket = aws_s3_bucket.this.id
22 │
23 │ rule {
24 │ apply_server_side_encryption_by_default {
25 │ sse_algorithm = "AES256"
26 │ }
27 │ }
28 └ }
────────────────────────────────────────

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
modules/s3_log_bucket/main.tf:20-28
via data_store.tf:5-11 (module.data_store_log_bucket)
────────────────────────────────────────
20 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
21 │ bucket = aws_s3_bucket.this.id
22 │
23 │ rule {
24 │ apply_server_side_encryption_by_default {
25 │ sse_algorithm = "AES256"
26 │ }
27 │ }
28 └ }
────────────────────────────────────────

trivy_exitcode=2

Running Trivy in terraform/environments/mojfin
2024-08-27T08:54:22Z INFO [vuln] Vulnerability scanning is enabled
2024-08-27T08:54:22Z INFO [misconfig] Misconfiguration scanning is enabled
2024-08-27T08:54:22Z INFO [secret] Secret scanning is enabled
2024-08-27T08:54:22Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-08-27T08:54:22Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.54/docs/scanner/secret#recommendation for faster secret detection
2024-08-27T08:54:22Z INFO Number of language-specific files num=0
2024-08-27T08:54:22Z INFO Detected config files num=7

mojfin-monitoring.tf (terraform)

Tests: 2 (SUCCESSES: 1, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Topic does not have encryption enabled.
════════════════════════════════════════
Topics should be encrypted to protect their contents.

See https://avd.aquasec.com/misconfig/avd-aws-0095
────────────────────────────────────────
mojfin-monitoring.tf:257-265
────────────────────────────────────────
257 ┌ resource "aws_sns_topic" "mojfin_alerting_topic" {
258 │ name = local.sns_topic_name
259 │ tags = merge(
260 │ local.tags,
261 │ {
262 │ Name = local.sns_topic_name
263 │ }
264 │ )
265 └ }
────────────────────────────────────────

mojfin-networking.tf (terraform)

Tests: 8 (SUCCESSES: 7, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
mojfin-networking.tf:77
via mojfin-networking.tf:73-78 (egress)
via mojfin-networking.tf:12-84 (aws_security_group.mojfin)
────────────────────────────────────────
12 resource "aws_security_group" "mojfin" {
..
77 [ cidr_blocks = ["0.0.0.0/0"]
..
84 }
────────────────────────────────────────

mojfin-s3.tf (terraform)

Tests: 7 (SUCCESSES: 1, FAILURES: 6, EXCEPTIONS: 0)
Failures: 6 (HIGH: 6, CRITICAL: 0)

HIGH: No public access block so not blocking public acls
════════════════════════════════════════

S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.

See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
mojfin-s3.tf:1-3
────────────────────────────────────────
1 ┌ resource "aws_s3_bucket" "mojfin_rds_oracle" {
2 │ bucket = "mojfin-oracle-rds-${local.environment}"
3 └ }
────────────────────────────────────────

HIGH: No public access block so not blocking public policies
════════════════════════════════════════

S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.

See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
mojfin-s3.tf:1-3
────────────────────────────────────────
1 ┌ resource "aws_s3_bucket" "mojfin_rds_oracle" {
2 │ bucket = "mojfin-oracle-rds-${local.environment}"
3 └ }
────────────────────────────────────────

HIGH: Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.

See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
mojfin-s3.tf:1-3
────────────────────────────────────────
1 ┌ resource "aws_s3_bucket" "mojfin_rds_oracle" {
2 │ bucket = "mojfin-oracle-rds-${local.environment}"
3 └ }
────────────────────────────────────────

HIGH: No public access block so not ignoring public acls
════════════════════════════════════════

S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.

See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
mojfin-s3.tf:1-3
────────────────────────────────────────
1 ┌ resource "aws_s3_bucket" "mojfin_rds_oracle" {
2 │ bucket = "mojfin-oracle-rds-${local.environment}"
3 └ }
────────────────────────────────────────

HIGH: No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.

See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
mojfin-s3.tf:1-3
────────────────────────────────────────
1 ┌ resource "aws_s3_bucket" "mojfin_rds_oracle" {
2 │ bucket = "mojfin-oracle-rds-${local.environment}"
3 └ }
────────────────────────────────────────

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
mojfin-s3.tf:1-3
────────────────────────────────────────
1 ┌ resource "aws_s3_bucket" "mojfin_rds_oracle" {
2 │ bucket = "mojfin-oracle-rds-${local.environment}"
3 └ }
────────────────────────────────────────

trivy_exitcode=3

Running Trivy in terraform/environments/nomis
2024-08-27T08:54:23Z INFO [vuln] Vulnerability scanning is enabled
2024-08-27T08:54:23Z INFO [misconfig] Misconfiguration scanning is enabled
2024-08-27T08:54:23Z INFO [secret] Secret scanning is enabled
2024-08-27T08:54:23Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-08-27T08:54:23Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.54/docs/scanner/secret#recommendation for faster secret detection
2024-08-27T08:54:25Z INFO Number of language-specific files num=0
2024-08-27T08:54:25Z INFO Detected config files num=6
trivy_exitcode=3

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/corporate-staff-rostering
terraform/environments/delius-core/modules/helpers/delius_microservice
terraform/environments/electronic-monitoring-data
terraform/environments/mojfin
terraform/environments/nomis

*****************************

Running Checkov in terraform/environments/corporate-staff-rostering
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-08-27 08:54:28,038 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-lambda-function?ref=v3.1.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 167, Failed checks: 0, Skipped checks: 27


checkov_exitcode=0

*****************************

Running Checkov in terraform/environments/delius-core/modules/helpers/delius_microservice
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-08-27 08:54:40,311 [MainThread  ] [WARNI]  Failed to download module git::https://github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//container?ref=v4.3.0:None (for external modules, the --download-external-modules flag is required)
2024-08-27 08:54:40,311 [MainThread  ] [WARNI]  Failed to download module git::https://github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//service?ref=v4.3.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 167, Failed checks: 15, Skipped checks: 2

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.ecs
	File: /cloudwatch.tf:1-5
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		1 | resource "aws_cloudwatch_log_group" "ecs" {
		2 |   name              = "${var.env_name}-${var.name}"
		3 |   retention_in_days = 7
		4 |   tags              = var.tags
		5 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.ecs
	File: /cloudwatch.tf:1-5
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		1 | resource "aws_cloudwatch_log_group" "ecs" {
		2 |   name              = "${var.env_name}-${var.name}"
		3 |   retention_in_days = 7
		4 |   tags              = var.tags
		5 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: container_definition
	File: /ecs.tf:1-25
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		1  | module "container_definition" {
		2  |   source                   = "git::https://github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//container?ref=v4.3.0"
		3  |   name                     = var.name
		4  |   image                    = var.container_image
		5  |   memory                   = var.container_memory
		6  |   cpu                      = var.container_cpu
		7  |   essential                = true
		8  |   readonly_root_filesystem = false
		9  | 
		10 |   environment = local.calculated_container_vars_list
		11 | 
		12 |   health_check = var.health_check
		13 | 
		14 |   secrets       = local.calculated_container_secrets_list
		15 |   port_mappings = var.container_port_config
		16 |   mount_points  = var.mount_points
		17 |   log_configuration = {
		18 |     logDriver = "awslogs"
		19 |     options = {
		20 |       "awslogs-group"         = aws_cloudwatch_log_group.ecs.name
		21 |       "awslogs-region"        = "eu-west-2"
		22 |       "awslogs-stream-prefix" = "${var.env_name}-${var.name}"
		23 |     }
		24 |   }
		25 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: ecs_service
	File: /ecs.tf:35-72
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		35 | module "ecs_service" {
		36 |   source                = "git::https://github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//service?ref=v4.3.0"
		37 |   container_definitions = nonsensitive(module.container_definition.json_encoded_list)
		38 |   cluster_arn           = var.ecs_cluster_arn
		39 |   name                  = var.name
		40 | 
		41 |   task_cpu    = var.container_cpu
		42 |   task_memory = var.container_memory
		43 | 
		44 |   desired_count                      = var.desired_count
		45 |   deployment_maximum_percent         = var.deployment_maximum_percent
		46 |   deployment_minimum_healthy_percent = var.deployment_minimum_healthy_percent
		47 | 
		48 |   service_role_arn   = "arn:aws:iam::${var.account_info.id}:role/${module.ecs_policies.service_role.name}"
		49 |   task_role_arn      = "arn:aws:iam::${var.account_info.id}:role/${module.ecs_policies.task_role.name}"
		50 |   task_exec_role_arn = "arn:aws:iam::${var.account_info.id}:role/${module.ecs_policies.task_exec_role.name}"
		51 | 
		52 |   health_check_grace_period_seconds = var.health_check_grace_period_seconds
		53 | 
		54 |   service_load_balancers = var.microservice_lb != null ? concat([{
		55 |     target_group_arn = aws_lb_target_group.frontend[0].arn
		56 |     container_name   = var.name
		57 |     container_port   = var.container_port_config[0].containerPort
		58 |     }],
		59 |   values(local.ecs_nlbs)) : values(local.ecs_nlbs)
		60 | 
		61 |   efs_volumes = var.efs_volumes
		62 | 
		63 |   security_groups = [aws_security_group.ecs_service.id]
		64 | 
		65 |   subnets = var.account_config.private_subnet_ids
		66 | 
		67 |   enable_execute_command = true
		68 | 
		69 |   ignore_changes = var.ignore_changes_service_task_definition
		70 | 
		71 |   tags = var.tags
		72 | }

Check: CKV_AWS_152: "Ensure that Load Balancer (Network/Gateway) has cross-zone load balancing enabled"
	FAILED for resource: aws_lb.delius_microservices
	File: /load_balancing.tf:90-98
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-load-balancer-networkgateway-has-cross-zone-load-balancing-enabled

		90 | resource "aws_lb" "delius_microservices" {
		91 |   name                       = "${var.name}-${var.env_name}-service-nlb"
		92 |   internal                   = true
		93 |   load_balancer_type         = "network"
		94 |   security_groups            = [aws_security_group.delius_microservices_service_nlb.id]
		95 |   subnets                    = var.account_config.private_subnet_ids
		96 |   enable_deletion_protection = false
		97 |   tags                       = var.tags
		98 | }

Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
	FAILED for resource: aws_lb.delius_microservices
	File: /load_balancing.tf:90-98
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22

		90 | resource "aws_lb" "delius_microservices" {
		91 |   name                       = "${var.name}-${var.env_name}-service-nlb"
		92 |   internal                   = true
		93 |   load_balancer_type         = "network"
		94 |   security_groups            = [aws_security_group.delius_microservices_service_nlb.id]
		95 |   subnets                    = var.account_config.private_subnet_ids
		96 |   enable_deletion_protection = false
		97 |   tags                       = var.tags
		98 | }

Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
	FAILED for resource: aws_lb.delius_microservices
	File: /load_balancing.tf:90-98
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-150

		90 | resource "aws_lb" "delius_microservices" {
		91 |   name                       = "${var.name}-${var.env_name}-service-nlb"
		92 |   internal                   = true
		93 |   load_balancer_type         = "network"
		94 |   security_groups            = [aws_security_group.delius_microservices_service_nlb.id]
		95 |   subnets                    = var.account_config.private_subnet_ids
		96 |   enable_deletion_protection = false
		97 |   tags                       = var.tags
		98 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_ingress_rule.from_vpc
	File: /load_balancing.tf:110-114
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		110 | resource "aws_vpc_security_group_ingress_rule" "from_vpc" {
		111 |   cidr_ipv4         = var.account_config.shared_vpc_cidr
		112 |   ip_protocol       = "-1"
		113 |   security_group_id = aws_security_group.delius_microservices_service_nlb.id
		114 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.nlb_to_ecs_service
	File: /load_balancing.tf:116-123
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		116 | resource "aws_vpc_security_group_egress_rule" "nlb_to_ecs_service" {
		117 |   for_each                     = toset([for _, v in var.container_port_config : tostring(v.containerPort)])
		118 |   ip_protocol                  = "TCP"
		119 |   from_port                    = each.value
		120 |   to_port                      = each.value
		121 |   security_group_id            = aws_security_group.delius_microservices_service_nlb.id
		122 |   referenced_security_group_id = aws_security_group.ecs_service.id
		123 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group_rule.all_cluster_to_ecs_service_tcp
	File: /sg.tf:51-59
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		51 | resource "aws_security_group_rule" "all_cluster_to_ecs_service_tcp" {
		52 |   for_each                 = toset([for _, v in var.container_port_config : tostring(v.containerPort)])
		53 |   security_group_id        = aws_security_group.ecs_service.id
		54 |   type                     = "ingress"
		55 |   from_port                = each.value
		56 |   to_port                  = each.value
		57 |   protocol                 = "tcp"
		58 |   source_security_group_id = var.cluster_security_group_id
		59 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group_rule.bastion_to_ecs_service_tcp
	File: /sg.tf:61-69
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		61 | resource "aws_security_group_rule" "bastion_to_ecs_service_tcp" {
		62 |   for_each                 = toset([for _, v in var.container_port_config : tostring(v.containerPort)])
		63 |   security_group_id        = aws_security_group.ecs_service.id
		64 |   type                     = "ingress"
		65 |   from_port                = each.value
		66 |   to_port                  = each.value
		67 |   protocol                 = "tcp"
		68 |   source_security_group_id = var.bastion_sg_id
		69 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.ecs_policies.aws_iam_policy_document.task_exec
	File: /../ecs_policies/main.tf:104-122
	Calling File: /ecs.tf:27-33
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		104 | data "aws_iam_policy_document" "task_exec" {
		105 |   statement {
		106 |     effect    = "Allow"
		107 |     resources = ["*"]
		108 | 
		109 |     actions = concat([
		110 |       "ssm:GetParameters",
		111 |       "ecr:GetAuthorizationToken",
		112 |       "ecr:BatchCheckLayerAvailability",
		113 |       "ecr:GetDownloadUrlForLayer",
		114 |       "ecr:BatchGetImage",
		115 |       "logs:CreateLogGroup",
		116 |       "logs:CreateLogStream",
		117 |       "logs:PutLogEvents",
		118 |       "secretsmanager:GetSecretValue",
		119 |       "kms:Decrypt",
		120 |     ], var.extra_exec_role_allow_statements)
		121 |   }
		122 | }

Check: CKV_AWS_108: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: module.ecs_policies.aws_iam_policy_document.task_exec
	File: /../ecs_policies/main.tf:104-122
	Calling File: /ecs.tf:27-33
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-data-exfiltration

		104 | data "aws_iam_policy_document" "task_exec" {
		105 |   statement {
		106 |     effect    = "Allow"
		107 |     resources = ["*"]
		108 | 
		109 |     actions = concat([
		110 |       "ssm:GetParameters",
		111 |       "ecr:GetAuthorizationToken",
		112 |       "ecr:BatchCheckLayerAvailability",
		113 |       "ecr:GetDownloadUrlForLayer",
		114 |       "ecr:BatchGetImage",
		115 |       "logs:CreateLogGroup",
		116 |       "logs:CreateLogStream",
		117 |       "logs:PutLogEvents",
		118 |       "secretsmanager:GetSecretValue",
		119 |       "kms:Decrypt",
		120 |     ], var.extra_exec_role_allow_statements)
		121 |   }
		122 | }

Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
	FAILED for resource: aws_db_instance.this
	File: /rds.tf:65-111
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-60

		65  | resource "aws_db_instance" "this" {
		66  |   count          = var.create_rds ? 1 : 0
		67  |   engine         = var.rds_engine
		68  |   license_model  = var.rds_license_model != null ? var.rds_license_model : null
		69  |   engine_version = var.rds_engine_version
		70  |   instance_class = var.rds_instance_class
		71  |   identifier     = "${var.name}-${var.env_name}-db"
		72  |   username       = var.rds_username
		73  | 
		74  |   manage_master_user_password = true
		75  | 
		76  |   snapshot_identifier = var.snapshot_identifier != null ? var.snapshot_identifier : null
		77  | 
		78  |   kms_key_id = var.account_config.kms_keys.rds_shared
		79  | 
		80  |   allow_major_version_upgrade = var.rds_allow_major_version_upgrade
		81  |   apply_immediately           = var.rds_apply_immediately
		82  | 
		83  |   # tflint-ignore: aws_db_instance_default_parameter_group
		84  |   parameter_group_name                = var.rds_parameter_group_name
		85  |   deletion_protection                 = var.rds_deletion_protection
		86  |   delete_automated_backups            = var.rds_delete_automated_backups
		87  |   skip_final_snapshot                 = var.rds_skip_final_snapshot
		88  |   final_snapshot_identifier           = !var.rds_skip_final_snapshot ? "${var.name}-${var.env_name}-db-final-${random_id.rds_suffix.hex}" : null
		89  |   allocated_storage                   = var.rds_allocated_storage
		90  |   max_allocated_storage               = var.rds_max_allocated_storage
		91  |   storage_type                        = var.rds_storage_type
		92  |   maintenance_window                  = var.maintenance_window
		93  |   auto_minor_version_upgrade          = true
		94  |   backup_window                       = var.rds_backup_window
		95  |   backup_retention_period             = var.rds_backup_retention_period
		96  |   iam_database_authentication_enabled = var.rds_iam_database_authentication_enabled
		97  |   db_subnet_group_name                = aws_db_subnet_group.this[0].id
		98  |   vpc_security_group_ids              = [aws_security_group.db[0].id]
		99  |   multi_az                            = var.rds_multi_az
		100 |   monitoring_interval                 = var.rds_monitoring_interval
		101 |   monitoring_role_arn                 = var.rds_monitoring_interval != null || var.rds_monitoring_interval != 0 ? aws_iam_role.rds_enhanced_monitoring[0].arn : null
		102 |   #checkov:skip=CKV_AWS_118: "enhanced monitoring is enabled, but optional"
		103 |   storage_encrypted               = true
		104 |   performance_insights_enabled    = var.rds_performance_insights_enabled
		105 |   performance_insights_kms_key_id = var.rds_performance_insights_enabled ? var.account_config.kms_keys.general_shared : null
		106 |   enabled_cloudwatch_logs_exports = var.rds_enabled_cloudwatch_logs_exports
		107 |   tags = merge(var.tags,
		108 |     { Name = lower(format("%s-%s-database", var.name, var.env_name)) },
		109 |     var.enable_platform_backups != null ? { "backup" = var.enable_platform_backups ? "true" : "false" } : {}
		110 |   )
		111 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.ecs_service
	File: /sg.tf:2-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		2  | resource "aws_security_group" "ecs_service" {
		3  |   name        = "ecs-service-${var.name}-${var.env_name}"
		4  |   description = "Security group for the ${var.env_name} ${var.name} service"
		5  |   vpc_id      = var.account_config.shared_vpc_id
		6  |   tags        = var.tags
		7  |   lifecycle {
		8  |     create_before_destroy = true
		9  |   }
		10 | }


checkov_exitcode=1

*****************************

Running Checkov in terraform/environments/electronic-monitoring-data
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-08-27 08:54:43,387 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=cadab51:None (for external modules, the --download-external-modules flag is required)
2024-08-27 08:54:43,387 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 1781, Failed checks: 121, Skipped checks: 11

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: rds_bastion
	File: /bastion_linux.tf:6-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		6  | module "rds_bastion" {
		7  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1"
		8  | 
		9  |   providers = {
		10 |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		11 |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		12 |   }
		13 | 
		14 |   # s3 - used for logs and user ssh public keys
		15 |   bucket_name = "rds-bastion"
		16 | 
		17 |   # public keys
		18 |   public_key_data = local.public_key_data.keys[local.environment]
		19 | 
		20 |   # logs
		21 |   log_auto_clean       = "Enabled"
		22 |   log_standard_ia_days = 30  # days before moving to IA storage
		23 |   log_glacier_days     = 60  # days before moving to Glacier
		24 |   log_expiry_days      = 180 # days before log expiration
		25 | 
		26 |   # bastion
		27 |   # instance_name = "s3_rds_bastion_linux"
		28 | 
		29 |   allow_ssh_commands = true
		30 |   app_name           = var.networking[0].application
		31 |   business_unit      = local.vpc_name
		32 |   subnet_set         = local.subnet_set
		33 |   environment        = local.environment
		34 |   region             = "eu-west-2"
		35 |   volume_size        = 20
		36 |   # tags
		37 |   tags_common = local.tags
		38 |   tags_prefix = terraform.workspace
		39 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: zip_bastion
	File: /bastion_linux.tf:153-187
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		153 | module "zip_bastion" {
		154 |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1"
		155 | 
		156 |   providers = {
		157 |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		158 |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		159 |   }
		160 | 
		161 |   # s3 - used for logs and user ssh public keys
		162 |   bucket_name   = "zip-bastion"
		163 |   instance_name = "zip_bastion_linux"
		164 |   # public keys
		165 |   public_key_data = local.public_key_data.keys[local.environment]
		166 | 
		167 |   # logs
		168 |   log_auto_clean       = "Enabled"
		169 |   log_standard_ia_days = 30  # days before moving to IA storage
		170 |   log_glacier_days     = 60  # days before moving to Glacier
		171 |   log_expiry_days      = 180 # days before log expiration
		172 | 
		173 |   allow_ssh_commands = true
		174 |   # autoscaling_cron   = {
		175 |   #   "down": "0 20 * * *",
		176 |   #   "up": "*/30 * * * *"
		177 |   # }
		178 |   app_name      = var.networking[0].application
		179 |   business_unit = local.vpc_name
		180 |   subnet_set    = local.subnet_set
		181 |   environment   = local.environment
		182 |   region        = "eu-west-2"
		183 |   volume_size   = 96
		184 |   # tags
		185 |   tags_common = local.tags
		186 |   tags_prefix = terraform.workspace
		187 | }

Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:129-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		129 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		130 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		131 |   function_name = "calculate-checksum-lambda"
		132 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		133 |   handler       = "calculate_checksum_lambda.handler"
		134 |   runtime       = "python3.12"
		135 |   memory_size   = 4096
		136 |   timeout       = 900
		137 | 
		138 |   environment {
		139 |     variables = {
		140 |       Checksum = var.checksum_algorithm
		141 |     }
		142 |   }
		143 | 
		144 |   tags = local.tags
		145 | }

Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:196-207
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1

		196 | resource "aws_lambda_function" "summarise_zip_lambda" {
		197 |   filename         = "lambdas/summarise_zip_lambda.zip"
		198 |   function_name    = "summarise-zip-lambda"
		199 |   role             = aws_iam_role.summarise_zip_lambda.arn
		200 |   handler          = "summarise_zip_lambda.handler"
		201 |   runtime          = "python3.12"
		202 |   timeout          = 900
		203 |   memory_size      = 1024
		204 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		205 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		206 |   tags             = local.tags
		207 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:196-207
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		196 | resource "aws_lambda_function" "summarise_zip_lambda" {
		197 |   filename         = "lambdas/summarise_zip_lambda.zip"
		198 |   function_name    = "summarise-zip-lambda"
		199 |   role             = aws_iam_role.summarise_zip_lambda.arn
		200 |   handler          = "summarise_zip_lambda.handler"
		201 |   runtime          = "python3.12"
		202 |   timeout          = 900
		203 |   memory_size      = 1024
		204 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		205 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		206 |   tags             = local.tags
		207 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:196-207
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		196 | resource "aws_lambda_function" "summarise_zip_lambda" {
		197 |   filename         = "lambdas/summarise_zip_lambda.zip"
		198 |   function_name    = "summarise-zip-lambda"
		199 |   role             = aws_iam_role.summarise_zip_lambda.arn
		200 |   handler          = "summarise_zip_lambda.handler"
		201 |   runtime          = "python3.12"
		202 |   timeout          = 900
		203 |   memory_size      = 1024
		204 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		205 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		206 |   tags             = local.tags
		207 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:196-207
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		196 | resource "aws_lambda_function" "summarise_zip_lambda" {
		197 |   filename         = "lambdas/summarise_zip_lambda.zip"
		198 |   function_name    = "summarise-zip-lambda"
		199 |   role             = aws_iam_role.summarise_zip_lambda.arn
		200 |   handler          = "summarise_zip_lambda.handler"
		201 |   runtime          = "python3.12"
		202 |   timeout          = 900
		203 |   memory_size      = 1024
		204 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		205 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		206 |   tags             = local.tags
		207 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:196-207
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		196 | resource "aws_lambda_function" "summarise_zip_lambda" {
		197 |   filename         = "lambdas/summarise_zip_lambda.zip"
		198 |   function_name    = "summarise-zip-lambda"
		199 |   role             = aws_iam_role.summarise_zip_lambda.arn
		200 |   handler          = "summarise_zip_lambda.handler"
		201 |   runtime          = "python3.12"
		202 |   timeout          = 900
		203 |   memory_size      = 1024
		204 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		205 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		206 |   tags             = local.tags
		207 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.dms_dv_cw_log_group
	File: /dms_data_validation_glue_job.tf:98-101
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		98  | resource "aws_cloudwatch_log_group" "dms_dv_cw_log_group" {
		99  |   name              = "dms-dv-glue-job"
		100 |   retention_in_days = 14
		101 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.dms_dv_cw_log_group
	File: /dms_data_validation_glue_job.tf:98-101
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		98  | resource "aws_cloudwatch_log_group" "dms_dv_cw_log_group" {
		99  |   name              = "dms-dv-glue-job"
		100 |   retention_in_days = 14
		101 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.dms_dv_cw_log_group_v2
	File: /dms_data_validation_glue_job.tf:103-106
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		103 | resource "aws_cloudwatch_log_group" "dms_dv_cw_log_group_v2" {
		104 |   name              = "dms-dv-glue-job-v2"
		105 |   retention_in_days = 14
		106 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.dms_dv_cw_log_group_v2
	File: /dms_data_validation_glue_job.tf:103-106
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		103 | resource "aws_cloudwatch_log_group" "dms_dv_cw_log_group_v2" {
		104 |   name              = "dms-dv-glue-job-v2"
		105 |   retention_in_days = 14
		106 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.rds_to_s3_parquet_migration
	File: /dms_data_validation_glue_job.tf:108-111
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		108 | resource "aws_cloudwatch_log_group" "rds_to_s3_parquet_migration" {
		109 |   name              = "rds-to-s3-parquet-migration"
		110 |   retention_in_days = 14
		111 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.rds_to_s3_parquet_migration
	File: /dms_data_validation_glue_job.tf:108-111
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		108 | resource "aws_cloudwatch_log_group" "rds_to_s3_parquet_migration" {
		109 |   name              = "rds-to-s3-parquet-migration"
		110 |   retention_in_days = 14
		111 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.resizing_parquet_files
	File: /dms_data_validation_glue_job.tf:113-116
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		113 | resource "aws_cloudwatch_log_group" "resizing_parquet_files" {
		114 |   name              = "resizing-parquet-files"
		115 |   retention_in_days = 14
		116 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.resizing_parquet_files
	File: /dms_data_validation_glue_job.tf:113-116
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		113 | resource "aws_cloudwatch_log_group" "resizing_parquet_files" {
		114 |   name              = "resizing-parquet-files"
		115 |   retention_in_days = 14
		116 | }

Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.dms_dv_glue_job_v2
	File: /dms_data_validation_glue_job.tf:119-172
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.dms_dv_glue_job_v4d
	File: /dms_data_validation_glue_job.tf:180-233
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.rds_to_s3_parquet_migration
	File: /dms_data_validation_glue_job.tf:236-300
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.rds_to_s3_parquet_migration_monthly
	File: /dms_data_validation_glue_job.tf:304-355
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.resizing_parquet_files
	File: /dms_data_validation_glue_job.tf:358-410
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.catalog_dv_table_glue_job
	File: /dms_data_validation_glue_job.tf:413-441
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		413 | resource "aws_glue_job" "catalog_dv_table_glue_job" {
		414 |   name              = "catalog-dv-table-glue-job"
		415 |   description       = "Python script uses Boto3-Athena-Client to run sql-statements"
		416 |   role_arn          = aws_iam_role.dms_dv_glue_job_iam_role.arn
		417 |   glue_version      = "4.0"
		418 |   worker_type       = "G.1X"
		419 |   number_of_workers = 2
		420 |   default_arguments = {
		421 |     "--parquet_output_bucket_name"       = aws_s3_bucket.dms_dv_parquet_s3_bucket.id
		422 |     "--glue_catalog_db_name"             = aws_glue_catalog_database.dms_dv_glue_catalog_db.name
		423 |     "--glue_catalog_tbl_name"            = "glue_df_output"
		424 |     "--continuous-log-logGroup"          = aws_cloudwatch_log_group.dms_dv_cw_log_group.name
		425 |     "--enable-continuous-cloudwatch-log" = "true"
		426 |     "--enable-continuous-log-filter"     = "true"
		427 |     "--enable-metrics"                   = ""
		428 |   }
		429 |   command {
		430 |     python_version  = "3"
		431 |     script_location = "s3://${aws_s3_bucket.dms_dv_glue_job_s3_bucket.id}/create_or_replace_dv_table.py"
		432 |   }
		433 | 
		434 |   tags = merge(
		435 |     local.tags,
		436 |     {
		437 |       Resource_Type = "Py script as glue-job that creates dv table / refreshes its partitions",
		438 |     }
		439 |   )
		440 | 
		441 | }

Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_crawler.rds_sqlserver_db_glue_crawler
	File: /dms_glue_crawler.tf:35-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		35 | resource "aws_glue_crawler" "rds_sqlserver_db_glue_crawler" {
		36 |   name          = "rds-sqlserver-${aws_db_instance.database_2022.identifier}-tf"
		37 |   role          = aws_iam_role.dms_dv_glue_job_iam_role.arn
		38 |   database_name = aws_glue_catalog_database.rds_sqlserver_glue_catalog_db.name
		39 |   description   = "Crawler to fetch database names"
		40 |   #   table_prefix  = "your_table_prefix"
		41 | 
		42 |   jdbc_target {
		43 |     connection_name = aws_glue_connection.glue_rds_sqlserver_db_connection.name
		44 |     path            = "%"
		45 |   }
		46 |   tags = merge(
		47 |     local.tags,
		48 |     {
		49 |       Resource_Type = "RDS-SQLServer Glue-Crawler for DMS",
		50 |     }
		51 |   )
		52 | 
		53 |   # provisioner "local-exec" {
		54 |   #   command = "aws glue start-crawler --name ${self.name}"
		55 |   # }
		56 | }

Check: CKV_AWS_212: "Ensure DMS replication instance is encrypted by KMS using a customer managed Key (CMK)"
	FAILED for resource: aws_dms_replication_instance.dms_replication_instance
	File: /dms_replication_instance.tf:24-55
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-ebs-volume-is-encrypted-by-key-management-service-kms-using-a-customer-managed-key-cmk

		24 | resource "aws_dms_replication_instance" "dms_replication_instance" {
		25 |   allocated_storage          = var.dms_allocated_storage_gib
		26 |   apply_immediately          = true
		27 |   auto_minor_version_upgrade = true
		28 |   availability_zone          = var.dms_availability_zone
		29 |   engine_version             = var.dms_engine_version
		30 |   #   kms_key_arn                  = "arn:aws:kms:eu-west-2:800964199911:key/b7f54acb-16a3-4958-9340-3bdf5f5842d8"
		31 |   multi_az = false
		32 |   #   preferred_maintenance_window = "sun:10:30-sun:14:30"
		33 |   publicly_accessible         = false
		34 |   replication_instance_class  = var.dms_replication_instance_class
		35 |   replication_instance_id     = "dms-replication-instance-tf"
		36 |   replication_subnet_group_id = aws_dms_replication_subnet_group.dms_replication_subnet_group.id
		37 | 
		38 |   tags = merge(
		39 |     local.tags,
		40 |     {
		41 |       Resource_Type = "DMS Replication Instance",
		42 |     }
		43 |   )
		44 | 
		45 |   vpc_security_group_ids = [
		46 |     aws_security_group.dms_ri_security_group.id,
		47 |   ]
		48 | 
		49 |   depends_on = [
		50 |     aws_iam_role.dms_vpc_role,
		51 |     aws_iam_role.dms_cloudwatch_logs_role,
		52 |     aws_iam_role.dms_endpoint_role
		53 |   ]
		54 | 
		55 | }

Check: CKV_AWS_25: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389"
	FAILED for resource: aws_vpc_security_group_ingress_rule.glue_rds_conn_inbound
	File: /dms_security_groups.tf:69-77
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-2

		69 | resource "aws_vpc_security_group_ingress_rule" "glue_rds_conn_inbound" {
		70 |   security_group_id = aws_security_group.glue_rds_conn_security_group.id
		71 | 
		72 |   referenced_security_group_id = aws_security_group.glue_rds_conn_security_group.id
		73 |   ip_protocol                  = "tcp"
		74 |   from_port                    = 0
		75 |   to_port                      = 65535
		76 |   description                  = "Required ports open for Glue-RDS-Connection"
		77 | }

Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
	FAILED for resource: aws_vpc_security_group_ingress_rule.glue_rds_conn_inbound
	File: /dms_security_groups.tf:69-77
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80

		69 | resource "aws_vpc_security_group_ingress_rule" "glue_rds_conn_inbound" {
		70 |   security_group_id = aws_security_group.glue_rds_conn_security_group.id
		71 | 
		72 |   referenced_security_group_id = aws_security_group.glue_rds_conn_security_group.id
		73 |   ip_protocol                  = "tcp"
		74 |   from_port                    = 0
		75 |   to_port                      = 65535
		76 |   description                  = "Required ports open for Glue-RDS-Connection"
		77 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.glue_rds_conn_inbound
	File: /dms_security_groups.tf:69-77
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		69 | resource "aws_vpc_security_group_ingress_rule" "glue_rds_conn_inbound" {
		70 |   security_group_id = aws_security_group.glue_rds_conn_security_group.id
		71 | 
		72 |   referenced_security_group_id = aws_security_group.glue_rds_conn_security_group.id
		73 |   ip_protocol                  = "tcp"
		74 |   from_port                    = 0
		75 |   to_port                      = 65535
		76 |   description                  = "Required ports open for Glue-RDS-Connection"
		77 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.glue_notebook_ec2_iam_policy_document
	File: /glue_data.tf:117-132
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		117 | data "aws_iam_policy_document" "glue_notebook_ec2_iam_policy_document" {
		118 |   statement {
		119 |     effect = "Allow"
		120 |     actions = [
		121 |       "ec2:CreateNetworkInterface",
		122 |       "ec2:DescribeNetworkInterfaces",
		123 |       "ec2:DeleteNetworkInterface",
		124 |       "ec2:DescribeVpcEndpoints",
		125 |       "ec2:DescribeSubnets",
		126 |       "ec2:DescribeVpcAttribute",
		127 |       "ec2:DescribeRouteTables",
		128 |       "ec2:DescribeSecurityGroups"
		129 |     ]
		130 |     resources = ["*"]
		131 |   }
		132 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.glue_notebook_ec2_iam_policy_document
	File: /glue_data.tf:117-132
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		117 | data "aws_iam_policy_document" "glue_notebook_ec2_iam_policy_document" {
		118 |   statement {
		119 |     effect = "Allow"
		120 |     actions = [
		121 |       "ec2:CreateNetworkInterface",
		122 |       "ec2:DescribeNetworkInterfaces",
		123 |       "ec2:DeleteNetworkInterface",
		124 |       "ec2:DescribeVpcEndpoints",
		125 |       "ec2:DescribeSubnets",
		126 |       "ec2:DescribeVpcAttribute",
		127 |       "ec2:DescribeRouteTables",
		128 |       "ec2:DescribeSecurityGroups"
		129 |     ]
		130 |     resources = ["*"]
		131 |   }
		132 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.load_json_table_s3_policy_document
	File: /lambdas_iam.tf:491-548
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.load_json_table_s3_policy_document
	File: /lambdas_iam.tf:491-548
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.db_glue_connection
	File: /lambdas_secrets.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		1 | resource "aws_secretsmanager_secret" "db_glue_connection" {
		2 |   name = "db_glue_connection"
		3 | }

Check: CKV_AWS_296: "Ensure DMS endpoint uses Customer Managed Key (CMK)"
	FAILED for resource: module.dms_task.aws_dms_endpoint.dms_rds_source
	File: /modules/dms/endpoints_rds_s3.tf:2-23
	Calling File: /dms_main.tf:1-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-296

		2  | resource "aws_dms_endpoint" "dms_rds_source" {
		3  | 
		4  |   #   certificate_arn             = ""
		5  |   database_name = var.database_name
		6  |   endpoint_id   = "rds-mssql-${replace(var.database_name, "_", "-")}-tf"
		7  |   endpoint_type = "source"
		8  |   engine_name   = "sqlserver"
		9  |   #   extra_connection_attributes = ""
		10 |   #   kms_key_arn                 = aws_db_instance.database_2022.kms_key_id
		11 |   password    = var.rds_db_instance_pasword
		12 |   port        = var.rds_db_instance_port
		13 |   server_name = var.rds_db_server_name
		14 |   ssl_mode    = "require"
		15 |   username    = var.rds_db_username
		16 | 
		17 |   tags = merge(
		18 |     var.local_tags,
		19 |     {
		20 |       Resource_Type = "DMS Source Endpoint - RDS MSSQL",
		21 |     },
		22 |   )
		23 | }

Check: CKV_AWS_298: "Ensure DMS S3 uses Customer Managed Key (CMK)"
	FAILED for resource: module.dms_task.aws_dms_s3_endpoint.dms_s3_parquet_target
	File: /modules/dms/endpoints_rds_s3.tf:28-84
	Calling File: /dms_main.tf:1-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-298

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.db_password
	File: /server_backups.tf:4-6
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		4 | resource "aws_secretsmanager_secret" "db_password" {
		5 |   name = "db_password"
		6 | }

Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-73

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-293

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-353

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-354

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_25: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389"
	FAILED for resource: aws_vpc_security_group_ingress_rule.db_glue_access
	File: /server_backups.tf:123-131
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-2

		123 | resource "aws_vpc_security_group_ingress_rule" "db_glue_access" {
		124 | 
		125 |   security_group_id            = aws_security_group.db.id
		126 |   description                  = "glue"
		127 |   ip_protocol                  = "tcp"
		128 |   from_port                    = 0
		129 |   to_port                      = 65535
		130 |   referenced_security_group_id = aws_security_group.db.id
		131 | }

Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
	FAILED for resource: aws_vpc_security_group_ingress_rule.db_glue_access
	File: /server_backups.tf:123-131
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80

		123 | resource "aws_vpc_security_group_ingress_rule" "db_glue_access" {
		124 | 
		125 |   security_group_id            = aws_security_group.db.id
		126 |   description                  = "glue"
		127 |   ip_protocol                  = "tcp"
		128 |   from_port                    = 0
		129 |   to_port                      = 65535
		130 |   referenced_security_group_id = aws_security_group.db.id
		131 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.db_glue_access
	File: /server_backups.tf:123-131
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		123 | resource "aws_vpc_security_group_ingress_rule" "db_glue_access" {
		124 | 
		125 |   security_group_id            = aws_security_group.db.id
		126 |   description                  = "glue"
		127 |   ip_protocol                  = "tcp"
		128 |   from_port                    = 0
		129 |   to_port                      = 65535
		130 |   referenced_security_group_id = aws_security_group.db.id
		131 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.send_database_to_ap_athena_queries
	File: /step_functions_iam.tf:151-196
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		151 | data "aws_iam_policy_document" "send_database_to_ap_athena_queries" {
		152 |   statement {
		153 |     effect = "Allow"
		154 | 
		155 |     actions = [
		156 |       "athena:startQueryExecution",
		157 |       "athena:getQueryExecution",
		158 |       "athena:getQueryResults"
		159 |     ]
		160 | 
		161 |     resources = [
		162 |       "*"
		163 |     ]
		164 |   }
		165 |   statement {
		166 |     effect = "Allow"
		167 | 
		168 |     actions = [
		169 |       "s3:PutObject",
		170 |       "s3:GetObject",
		171 |       "s3:ListBucket",
		172 |       "s3:GetBucketLocation"
		173 |     ]
		174 | 
		175 |     resources = [
		176 |       module.athena-s3-bucket.bucket.arn,
		177 |       "${module.athena-s3-bucket.bucket.arn}/*",
		178 |       "${aws_s3_bucket.dms_dv_parquet_s3_bucket.arn}/*",
		179 |       aws_s3_bucket.dms_dv_parquet_s3_bucket.arn
		180 |     ]
		181 |   }
		182 |   statement {
		183 |     effect = "Allow"
		184 | 
		185 |     actions = [
		186 |       "glue:GetDatabase",
		187 |       "glue:GetTable",
		188 |       "glue:GetPartitions",
		189 |       "glue:GetTables"
		190 |     ]
		191 | 
		192 |     resources = [
		193 |       "*"
		194 |     ]
		195 |   }
		196 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.send_database_to_ap_athena_queries
	File: /step_functions_iam.tf:151-196
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		151 | data "aws_iam_policy_document" "send_database_to_ap_athena_queries" {
		152 |   statement {
		153 |     effect = "Allow"
		154 | 
		155 |     actions = [
		156 |       "athena:startQueryExecution",
		157 |       "athena:getQueryExecution",
		158 |       "athena:getQueryResults"
		159 |     ]
		160 | 
		161 |     resources = [
		162 |       "*"
		163 |     ]
		164 |   }
		165 |   statement {
		166 |     effect = "Allow"
		167 | 
		168 |     actions = [
		169 |       "s3:PutObject",
		170 |       "s3:GetObject",
		171 |       "s3:ListBucket",
		172 |       "s3:GetBucketLocation"
		173 |     ]
		174 | 
		175 |     resources = [
		176 |       module.athena-s3-bucket.bucket.arn,
		177 |       "${module.athena-s3-bucket.bucket.arn}/*",
		178 |       "${aws_s3_bucket.dms_dv_parquet_s3_bucket.arn}/*",
		179 |       aws_s3_bucket.dms_dv_parquet_s3_bucket.arn
		180 |     ]
		181 |   }
		182 |   statement {
		183 |     effect = "Allow"
		184 | 
		185 |     actions = [
		186 |       "glue:GetDatabase",
		187 |       "glue:GetTable",
		188 |       "glue:GetPartitions",
		189 |       "glue:GetTables"
		190 |     ]
		191 | 
		192 |     resources = [
		193 |       "*"
		194 |     ]
		195 |   }
		196 | }

Check: CKV_AWS_285: "Ensure State Machine has execution history logging enabled"
	FAILED for resource: aws_sfn_state_machine.athena_layer
	File: /step_functions_main.tf:1-36
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-285

		1  | resource "aws_sfn_state_machine" "athena_layer" {
		2  |   name     = "athena-layer"
		3  |   role_arn = aws_iam_role.step_functions_role.arn
		4  | 
		5  |   definition = jsonencode(
		6  |     {
		7  |       "StartAt" : "GetMetadataList",
		8  |       "States" : {
		9  |         "GetMetadataList" : {
		10 |           "Type" : "Task",
		11 |           "Resource" : "${module.get_metadata_from_rds_lambda.lambda_function_arn}",
		12 |           "ResultPath" : "$.metadata_list",
		13 |           "Next" : "LoopThroughMetadataList"
		14 |         },
		15 |         "LoopThroughMetadataList" : {
		16 |           "Type" : "Map",
		17 |           "ItemsPath" : "$.metadata_list.metadata_list",
		18 |           "MaxConcurrency" : 4,
		19 |           "Iterator" : {
		20 |             "StartAt" : "CreateAthenaTable",
		21 |             "States" : {
		22 |               "CreateAthenaTable" : {
		23 |                 "Type" : "Task",
		24 |                 "Resource" : "${module.create_athena_table.lambda_function_arn}",
		25 |                 "ResultPath" : "$.result",
		26 |                 "End" : true
		27 |               }
		28 |             }
		29 |           },
		30 |           "End" : true
		31 |         }
		32 |       }
		33 |     }
		34 |   )
		35 | 
		36 | }

Check: CKV_AWS_284: "Ensure State Machine has X-Ray tracing enabled"
	FAILED for resource: aws_sfn_state_machine.athena_layer
	File: /step_functions_main.tf:1-36
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-284

		1  | resource "aws_sfn_state_machine" "athena_layer" {
		2  |   name     = "athena-layer"
		3  |   role_arn = aws_iam_role.step_functions_role.arn
		4  | 
		5  |   definition = jsonencode(
		6  |     {
		7  |       "StartAt" : "GetMetadataList",
		8  |       "States" : {
		9  |         "GetMetadataList" : {
		10 |           "Type" : "Task",
		11 |           "Resource" : "${module.get_metadata_from_rds_lambda.lambda_function_arn}",
		12 |           "ResultPath" : "$.metadata_list",
		13 |           "Next" : "LoopThroughMetadataList"
		14 |         },
		15 |         "LoopThroughMetadataList" : {
		16 |           "Type" : "Map",
		17 |           "ItemsPath" : "$.metadata_list.metadata_list",
		18 |           "MaxConcurrency" : 4,
		19 |           "Iterator" : {
		20 |             "StartAt" : "CreateAthenaTable",
		21 |             "States" : {
		22 |               "CreateAthenaTable" : {
		23 |                 "Type" : "Task",
		24 |                 "Resource" : "${module.create_athena_table.lambda_function_arn}",
		25 |                 "ResultPath" : "$.result",
		26 |                 "End" : true
		27 |               }
		28 |             }
		29 |           },
		30 |           "End" : true
		31 |         }
		32 |       }
		33 |     }
		34 |   )
		35 | 
		36 | }

Check: CKV_AWS_285: "Ensure State Machine has execution history logging enabled"
	FAILED for resource: aws_sfn_state_machine.send_database_to_ap
	File: /step_functions_main.tf:85-171
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-285

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_284: "Ensure State Machine has X-Ray tracing enabled"
	FAILED for resource: aws_sfn_state_machine.send_database_to_ap
	File: /step_functions_main.tf:85-171
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-284

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-60

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.buddi.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = merge(
		33 |     var.local_tags,
		34 |     {
		35 |       supplier = var.supplier,
		36 |     },
		37 |   )
		38 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.g4s.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = merge(
		33 |     var.local_tags,
		34 |     {
		35 |       supplier = var.supplier,
		36 |     },
		37 |   )
		38 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.data_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.buddi.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.g4s.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.dms-premigrate-assess-store-logs.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.json-directory-structure-bucket-logs.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.unzipped_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.data_store
	File: /data_store.tf:17-21
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		17 | resource "aws_s3_bucket" "data_store" {
		18 |   bucket_prefix = "em-data-store-"
		19 | 
		20 |   tags = local.tags
		21 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.buddi.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = merge(
		33 |     var.local_tags,
		34 |     {
		35 |       supplier = var.supplier,
		36 |     },
		37 |   )
		38 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.g4s.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = merge(
		33 |     var.local_tags,
		34 |     {
		35 |       supplier = var.supplier,
		36 |     },
		37 |   )
		38 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.data_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.buddi.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.g4s.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.dms-premigrate-assess-store-logs.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.json-directory-structure-bucket-logs.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: module.unzipped_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.db_glue_connection
	File: /lambdas_secrets.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		1 | resource "aws_secretsmanager_secret" "db_glue_connection" {
		2 |   name = "db_glue_connection"
		3 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.db_password
	File: /server_backups.tf:4-6
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		4 | resource "aws_secretsmanager_secret" "db_password" {
		5 |   name = "db_password"
		6 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: module.g4s.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: module.dms-premigrate-assess-store-logs.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: module.json-directory-structure-bucket-logs.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: module.unzipped_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.glue_rds_conn_security_group
	File: /dms_security_groups.tf:46-57
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		46 | resource "aws_security_group" "glue_rds_conn_security_group" {
		47 |   name        = "glue-rds-sqlserver-connection-tf"
		48 |   description = "Secuity Group for Glue-RDS-Connection"
		49 |   vpc_id      = data.aws_vpc.shared.id
		50 | 
		51 |   tags = merge(
		52 |     local.tags,
		53 |     {
		54 |       Resource_Type = "Secuity Group for Glue-RDS-Connection",
		55 |     }
		56 |   )
		57 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: module.buddi.module.landing_zone_security_groups.aws_security_group.this
	File: /modules/landing_zone/server_security_group/main.tf:7-22
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		7  | resource "aws_security_group" "this" {
		8  |   name        = "${var.supplier}-${var.user_name}-inbound-ips"
		9  |   description = "Allowed IP addresses for ${var.user_name} on ${var.supplier} server"
		10 |   vpc_id      = var.vpc_id
		11 | 
		12 |   lifecycle {
		13 |     create_before_destroy = true
		14 |   }
		15 | 
		16 |   tags = merge(
		17 |     var.local_tags,
		18 |     {
		19 |       supplier = var.user_name,
		20 |     },
		21 |   )
		22 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: module.g4s.module.landing_zone_security_groups.aws_security_group.this
	File: /modules/landing_zone/server_security_group/main.tf:7-22
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		7  | resource "aws_security_group" "this" {
		8  |   name        = "${var.supplier}-${var.user_name}-inbound-ips"
		9  |   description = "Allowed IP addresses for ${var.user_name} on ${var.supplier} server"
		10 |   vpc_id      = var.vpc_id
		11 | 
		12 |   lifecycle {
		13 |     create_before_destroy = true
		14 |   }
		15 | 
		16 |   tags = merge(
		17 |     var.local_tags,
		18 |     {
		19 |       supplier = var.user_name,
		20 |     },
		21 |   )
		22 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.data_store
	File: /data_store.tf:17-21
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		17 | resource "aws_s3_bucket" "data_store" {
		18 |   bucket_prefix = "em-data-store-"
		19 | 
		20 |   tags = local.tags
		21 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.buddi.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = merge(
		33 |     var.local_tags,
		34 |     {
		35 |       supplier = var.supplier,
		36 |     },
		37 |   )
		38 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.g4s.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = merge(
		33 |     var.local_tags,
		34 |     {
		35 |       supplier = var.supplier,
		36 |     },
		37 |   )
		38 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.data_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.buddi.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.g4s.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.dms-premigrate-assess-store-logs.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.json-directory-structure-bucket-logs.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.unzipped_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.data_store
	File: /data_store.tf:17-21
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		17 | resource "aws_s3_bucket" "data_store" {
		18 |   bucket_prefix = "em-data-store-"
		19 | 
		20 |   tags = local.tags
		21 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.buddi.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = merge(
		33 |     var.local_tags,
		34 |     {
		35 |       supplier = var.supplier,
		36 |     },
		37 |   )
		38 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.g4s.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = merge(
		33 |     var.local_tags,
		34 |     {
		35 |       supplier = var.supplier,
		36 |     },
		37 |   )
		38 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.data_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.buddi.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.g4s.module.log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.dms-premigrate-assess-store-logs.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.json-directory-structure-bucket-logs.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.unzipped_store_log_bucket.aws_s3_bucket.this
	File: /modules/s3_log_bucket/main.tf:2-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		2  | resource "aws_s3_bucket" "this" {
		3  |   bucket = "${var.source_bucket.id}-logs"
		4  | 
		5  |   force_destroy = true
		6  | 
		7  |   tags = merge(
		8  |     var.local_tags,
		9  |     var.tags,
		10 |   )
		11 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_parquet_s3_bucket
	File: /dms_data_validation_glue_job.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		1  | resource "aws_s3_bucket" "dms_dv_parquet_s3_bucket" {
		2  |   bucket_prefix = "dms-data-validation-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "S3 Bucket for Athena Parquet Tables",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.dms_target_ep_s3_bucket
	File: /dms_s3_target_ep.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		1  | resource "aws_s3_bucket" "dms_target_ep_s3_bucket" {
		2  |   bucket_prefix = "dms-rds-to-parquet-"
		3  | 
		4  |   tags = merge(
		5  |     local.tags,
		6  |     {
		7  |       Resource_Type = "DMS Target Endpoint S3 Bucket",
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: module.buddi.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = merge(
		33 |     var.local_tags,
		34 |     {
		35 |       supplier = var.supplier,
		36 |     },
		37 |   )
		38 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: module.g4s.aws_s3_bucket.landing_bucket
	File: /modules/landing_zone/main.tf:29-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		29 | resource "aws_s3_bucket" "landing_bucket" {
		30 |   bucket = "${var.supplier}-${random_string.this.result}"
		31 | 
		32 |   tags = merge(
		33 |     var.local_tags,
		34 |     {
		35 |       supplier = var.supplier,
		36 |     },
		37 |   )
		38 | }

Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: aws_s3_bucket.dms_dv_glue_job_s3_bucket
	File: /dms_data_validation_glue_job.tf:37-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		37 | resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
		38 |   bucket_prefix = "glue-jobs-py-scripts-"
		39 | }

dockerfile scan results:

Passed checks: 21, Failed checks: 2, Skipped checks: 0

Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
	FAILED for resource: /lambdas/update_log_table/Dockerfile.
	File: /lambdas/update_log_table/Dockerfile:1-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images

		1 | FROM public.ecr.aws/lambda/python:3.11
		2 | 
		3 | COPY requirements.txt .
		4 | 
		5 | RUN pip install -r requirements.txt --target "${LAMBDA_TASK_ROOT}"
		6 | 
		7 | COPY update_log_table.py ${LAMBDA_TASK_ROOT}
		8 | 
		9 | CMD ["update_log_table.handler"]

Check: CKV_DOCKER_3: "Ensure that a user for the container has been created"
	FAILED for resource: /lambdas/update_log_table/Dockerfile.
	File: /lambdas/update_log_table/Dockerfile:1-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-that-a-user-for-the-container-has-been-created

		1 | FROM public.ecr.aws/lambda/python:3.11
		2 | 
		3 | COPY requirements.txt .
		4 | 
		5 | RUN pip install -r requirements.txt --target "${LAMBDA_TASK_ROOT}"
		6 | 
		7 | COPY update_log_table.py ${LAMBDA_TASK_ROOT}
		8 | 
		9 | CMD ["update_log_table.handler"]


checkov_exitcode=2

*****************************

Running Checkov in terraform/environments/mojfin
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
terraform scan results:

Passed checks: 65, Failed checks: 22, Skipped checks: 0

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.secret["secret1"]
	File: /mojfin-dblink_secret.tf:6-17
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		6  | resource "aws_ssm_parameter" "secret" {
		7  |   for_each    = local.dblink_secrets
		8  |   name        = each.value.name
		9  |   description = each.value.description
		10 |   type        = "SecureString"
		11 |   value       = each.value.secret_value
		12 | 
		13 |   tags = merge(
		14 |     local.tags,
		15 |     { "Name" = each.value.name }
		16 |   )
		17 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.secret["secret2"]
	File: /mojfin-dblink_secret.tf:6-17
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		6  | resource "aws_ssm_parameter" "secret" {
		7  |   for_each    = local.dblink_secrets
		8  |   name        = each.value.name
		9  |   description = each.value.description
		10 |   type        = "SecureString"
		11 |   value       = each.value.secret_value
		12 | 
		13 |   tags = merge(
		14 |     local.tags,
		15 |     { "Name" = each.value.name }
		16 |   )
		17 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.secret["secret3"]
	File: /mojfin-dblink_secret.tf:6-17
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		6  | resource "aws_ssm_parameter" "secret" {
		7  |   for_each    = local.dblink_secrets
		8  |   name        = each.value.name
		9  |   description = each.value.description
		10 |   type        = "SecureString"
		11 |   value       = each.value.secret_value
		12 | 
		13 |   tags = merge(
		14 |     local.tags,
		15 |     { "Name" = each.value.name }
		16 |   )
		17 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.secret["secret4"]
	File: /mojfin-dblink_secret.tf:6-17
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		6  | resource "aws_ssm_parameter" "secret" {
		7  |   for_each    = local.dblink_secrets
		8  |   name        = each.value.name
		9  |   description = each.value.description
		10 |   type        = "SecureString"
		11 |   value       = each.value.secret_value
		12 | 
		13 |   tags = merge(
		14 |     local.tags,
		15 |     { "Name" = each.value.name }
		16 |   )
		17 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.secret["secret5"]
	File: /mojfin-dblink_secret.tf:6-17
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		6  | resource "aws_ssm_parameter" "secret" {
		7  |   for_each    = local.dblink_secrets
		8  |   name        = each.value.name
		9  |   description = each.value.description
		10 |   type        = "SecureString"
		11 |   value       = each.value.secret_value
		12 | 
		13 |   tags = merge(
		14 |     local.tags,
		15 |     { "Name" = each.value.name }
		16 |   )
		17 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.secret["secret6"]
	File: /mojfin-dblink_secret.tf:6-17
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		6  | resource "aws_ssm_parameter" "secret" {
		7  |   for_each    = local.dblink_secrets
		8  |   name        = each.value.name
		9  |   description = each.value.description
		10 |   type        = "SecureString"
		11 |   value       = each.value.secret_value
		12 | 
		13 |   tags = merge(
		14 |     local.tags,
		15 |     { "Name" = each.value.name }
		16 |   )
		17 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.secret["secret7"]
	File: /mojfin-dblink_secret.tf:6-17
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		6  | resource "aws_ssm_parameter" "secret" {
		7  |   for_each    = local.dblink_secrets
		8  |   name        = each.value.name
		9  |   description = each.value.description
		10 |   type        = "SecureString"
		11 |   value       = each.value.secret_value
		12 | 
		13 |   tags = merge(
		14 |     local.tags,
		15 |     { "Name" = each.value.name }
		16 |   )
		17 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.mojfin_alerting_topic
	File: /mojfin-monitoring.tf:257-265
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		257 | resource "aws_sns_topic" "mojfin_alerting_topic" {
		258 |   name = local.sns_topic_name
		259 |   tags = merge(
		260 |     local.tags,
		261 |     {
		262 |       Name = local.sns_topic_name
		263 |     }
		264 |   )
		265 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.mojfin
	File: /mojfin-networking.tf:12-84
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_226: "Ensure DB instance gets all minor upgrades automatically"
	FAILED for resource: aws_db_instance.appdb1
	File: /mojfin-rds.tf:44-93
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-db-instance-gets-all-minor-upgrades-automatically

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
	FAILED for resource: aws_db_instance.appdb1
	File: /mojfin-rds.tf:44-93
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-293

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: aws_db_instance.appdb1
	File: /mojfin-rds.tf:44-93
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-354

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
	FAILED for resource: aws_db_instance.appdb1
	File: /mojfin-rds.tf:44-93
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.rds_password_secret
	File: /mojfin-secrets.tf:6-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		6  | resource "aws_secretsmanager_secret" "rds_password_secret" {
		7  |   name        = "${local.application_name}/app/db-master-password"
		8  |   description = "This secret has a dynamically generated password."
		9  |   tags = merge(
		10 |     local.tags,
		11 |     { "Name" = "${local.application_name}/app/db-master-password" },
		12 |   )
		13 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.mojfin_rds_oracle
	File: /mojfin-s3.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		1 | resource "aws_s3_bucket" "mojfin_rds_oracle" {
		2 |   bucket = "mojfin-oracle-rds-${local.environment}"
		3 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.mojfin_rds_oracle
	File: /mojfin-s3.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		1 | resource "aws_s3_bucket" "mojfin_rds_oracle" {
		2 |   bucket = "mojfin-oracle-rds-${local.environment}"
		3 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.mojfin_rds_oracle
	File: /mojfin-s3.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		1 | resource "aws_s3_bucket" "mojfin_rds_oracle" {
		2 |   bucket = "mojfin-oracle-rds-${local.environment}"
		3 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.mojfin_rds_oracle
	File: /mojfin-s3.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		1 | resource "aws_s3_bucket" "mojfin_rds_oracle" {
		2 |   bucket = "mojfin-oracle-rds-${local.environment}"
		3 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.rds_password_secret
	File: /mojfin-secrets.tf:6-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		6  | resource "aws_secretsmanager_secret" "rds_password_secret" {
		7  |   name        = "${local.application_name}/app/db-master-password"
		8  |   description = "This secret has a dynamically generated password."
		9  |   tags = merge(
		10 |     local.tags,
		11 |     { "Name" = "${local.application_name}/app/db-master-password" },
		12 |   )
		13 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.mojfin_rds_oracle
	File: /mojfin-s3.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		1 | resource "aws_s3_bucket" "mojfin_rds_oracle" {
		2 |   bucket = "mojfin-oracle-rds-${local.environment}"
		3 | }

Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: aws_s3_bucket.mojfin_rds_oracle
	File: /mojfin-s3.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		1 | resource "aws_s3_bucket" "mojfin_rds_oracle" {
		2 |   bucket = "mojfin-oracle-rds-${local.environment}"
		3 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.mojfin_rds_oracle
	File: /mojfin-s3.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		1 | resource "aws_s3_bucket" "mojfin_rds_oracle" {
		2 |   bucket = "mojfin-oracle-rds-${local.environment}"
		3 | }


checkov_exitcode=3

*****************************

Running Checkov in terraform/environments/nomis
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
terraform scan results:

Passed checks: 120, Failed checks: 0, Skipped checks: 18


checkov_exitcode=3

CTFLint Scan Failed

Show Output 
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
terraform/environments/corporate-staff-rostering
terraform/environments/delius-core/modules/helpers/delius_microservice
terraform/environments/electronic-monitoring-data
terraform/environments/mojfin
terraform/environments/nomis

*****************************

Running tflint in terraform/environments/corporate-staff-rostering
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

*****************************

Running tflint in terraform/environments/delius-core/modules/helpers/delius_microservice
Excluding the following checks: terraform_unused_declarations
1 issue(s) found:

Warning: Missing version constraint for provider "random" in `required_providers` (terraform_required_providers)

  on terraform/environments/delius-core/modules/helpers/delius_microservice/load_balancing.tf line 1:
   1: resource "random_id" "suffix" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

tflint_exitcode=2

*****************************

Running tflint in terraform/environments/electronic-monitoring-data
Excluding the following checks: terraform_unused_declarations
14 issue(s) found:

Warning: `checksum_algorithm` variable has no type (terraform_typed_variables)

  on terraform/environments/electronic-monitoring-data/data_store.tf line 118:
 118: variable "checksum_algorithm" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_typed_variables.md

Warning: Missing version constraint for provider "archive" in `required_providers` (terraform_required_providers)

  on terraform/environments/electronic-monitoring-data/data_store.tf line 190:
 190: data "archive_file" "summarise_zip_lambda" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/dms_iam.tf line 62:
  62:             "${aws_s3_bucket.dms_target_ep_s3_bucket.arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/dms_iam.tf line 63:
  63:             "${module.athena-s3-bucket.bucket.arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/dms_iam.tf line 64:
  64:             "${module.dms-premigrate-assess-store.bucket.arn}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "random" in `required_providers` (terraform_required_providers)

  on terraform/environments/electronic-monitoring-data/server_backups.tf line 13:
  13: resource "random_password" "random_password" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 11:
  11:           "Resource" : "${module.get_metadata_from_rds_lambda.lambda_function_arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 24:
  24:                 "Resource" : "${module.create_athena_table.lambda_function_arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 98:
  98:             "WorkGroup" : "${aws_athena_workgroup.default.name}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 114:
 114:           "Resource" : "${module.query_output_to_list.lambda_function_arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 127:
 127:                 "Resource" : "${module.get_file_keys_for_table.lambda_function_arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 141:
 141:                       "Resource" : "${module.send_table_to_ap.lambda_function_arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 152:
 152:                 "Resource" : "${module.update_log_table.lambda_function_arn}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/electronic-monitoring-data/step_functions_main.tf line 164:
 164:             "WorkGroup" : "${aws_athena_workgroup.default.name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

tflint_exitcode=4

*****************************

Running tflint in terraform/environments/mojfin
Excluding the following checks: terraform_unused_declarations
2 issue(s) found:

Warning: Missing version constraint for provider "random" in `required_providers` (terraform_required_providers)

  on terraform/environments/mojfin/mojfin-dblink_secret.tf line 1:
   1: resource "random_password" "apps_ro_password" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/mojfin/mojfin-rds.tf line 90:
  90:     { "Name" = "${local.application_name}" },

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

tflint_exitcode=6

*****************************

Running tflint in terraform/environments/nomis
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=6

Trivy Scan Failed

Show Output 
*****************************

Trivy will check the following folders:
terraform/environments/corporate-staff-rostering
terraform/environments/delius-core/modules/helpers/delius_microservice
terraform/environments/electronic-monitoring-data
terraform/environments/mojfin
terraform/environments/nomis

*****************************

Running Trivy in terraform/environments/corporate-staff-rostering
2024-08-27T08:54:09Z	INFO	[db] Need to update DB
2024-08-27T08:54:09Z	INFO	[db] Downloading DB...	repository="ghcr.io/aquasecurity/trivy-db:2"
2024-08-27T08:54:11Z	INFO	[vuln] Vulnerability scanning is enabled
2024-08-27T08:54:11Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-08-27T08:54:11Z	INFO	Need to update the built-in policies
2024-08-27T08:54:11Z	INFO	Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-08-27T08:54:11Z	INFO	[secret] Secret scanning is enabled
2024-08-27T08:54:11Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-08-27T08:54:11Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.54/docs/scanner/secret#recommendation for faster secret detection
2024-08-27T08:54:11Z	WARN	[pip] Unable to find python `site-packages` directory. License detection is skipped.	err="site-packages directory not found"
2024-08-27T08:54:15Z	INFO	Number of language-specific files	num=0
2024-08-27T08:54:15Z	INFO	Detected config files	num=8
trivy_exitcode=0

*****************************

Running Trivy in terraform/environments/delius-core/modules/helpers/delius_microservice
2024-08-27T08:54:15Z	INFO	[vuln] Vulnerability scanning is enabled
2024-08-27T08:54:15Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-08-27T08:54:15Z	INFO	[secret] Secret scanning is enabled
2024-08-27T08:54:15Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-08-27T08:54:15Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.54/docs/scanner/secret#recommendation for faster secret detection
2024-08-27T08:54:17Z	INFO	Number of language-specific files	num=0
2024-08-27T08:54:17Z	INFO	Detected config files	num=5

sg.tf (terraform)
=================
Tests: 3 (SUCCESSES: 2, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 sg.tf:47
   via sg.tf:41-49 (aws_security_group_rule.ecs_service_tls_egress)
────────────────────────────────────────
  41   resource "aws_security_group_rule" "ecs_service_tls_egress" {
  42     description       = "Allow all outbound traffic to any IPv4 address on 443"
  43     type              = "egress"
  44     from_port         = 443
  45     to_port           = 443
  46     protocol          = "tcp"
  47 [   cidr_blocks       = ["0.0.0.0/0"]
  48     security_group_id = aws_security_group.ecs_service.id
  49   }
────────────────────────────────────────


trivy_exitcode=1

*****************************

Running Trivy in terraform/environments/electronic-monitoring-data
2024-08-27T08:54:17Z	INFO	[vuln] Vulnerability scanning is enabled
2024-08-27T08:54:17Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-08-27T08:54:17Z	INFO	[secret] Secret scanning is enabled
2024-08-27T08:54:17Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-08-27T08:54:17Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.54/docs/scanner/secret#recommendation for faster secret detection
2024-08-27T08:54:17Z	WARN	[pip] Unable to find python `site-packages` directory. License detection is skipped.	err="site-packages directory not found"
2024-08-27T08:54:21Z	INFO	Number of language-specific files	num=1
2024-08-27T08:54:21Z	INFO	[pip] Detecting vulnerabilities...
2024-08-27T08:54:21Z	INFO	Detected config files	num=24

data_store.tf (terraform)
=========================
Tests: 11 (SUCCESSES: 8, FAILURES: 1, EXCEPTIONS: 2)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 data_store.tf:23-31
────────────────────────────────────────
  23resource "aws_s3_bucket_server_side_encryption_configuration" "data_store" {
  24 │   bucket = aws_s3_bucket.data_store.id
  2526 │   rule {
  27 │     apply_server_side_encryption_by_default {
  28 │       sse_algorithm = "AES256"
  29 │     }
  30 │   }
  31 └ }
────────────────────────────────────────



dms_data_validation_glue_job.tf (terraform)
===========================================
Tests: 13 (SUCCESSES: 8, FAILURES: 5, EXCEPTIONS: 0)
Failures: 5 (HIGH: 5, CRITICAL: 0)

HIGH: No public access block so not blocking public acls
════════════════════════════════════════

S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.


See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
 dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
  37resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
  38 │   bucket_prefix = "glue-jobs-py-scripts-"
  39 └ }
────────────────────────────────────────


HIGH: No public access block so not blocking public policies
════════════════════════════════════════

S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.


See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
 dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
  37resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
  38 │   bucket_prefix = "glue-jobs-py-scripts-"
  39 └ }
────────────────────────────────────────


HIGH: No public access block so not ignoring public acls
════════════════════════════════════════

S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.


See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
 dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
  37resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
  38 │   bucket_prefix = "glue-jobs-py-scripts-"
  39 └ }
────────────────────────────────────────


HIGH: No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.

See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
 dms_data_validation_glue_job.tf:37-39
────────────────────────────────────────
  37resource "aws_s3_bucket" "dms_dv_glue_job_s3_bucket" {
  38 │   bucket_prefix = "glue-jobs-py-scripts-"
  39 └ }
────────────────────────────────────────


HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 dms_data_validation_glue_job.tf:20-28
────────────────────────────────────────
  20resource "aws_s3_bucket_server_side_encryption_configuration" "dms_dv_parquet_s3_bucket" {
  21 │   bucket = aws_s3_bucket.dms_dv_parquet_s3_bucket.id
  2223 │   rule {
  24 │     apply_server_side_encryption_by_default {
  25 │       sse_algorithm = "AES256"
  26 │     }
  27 │   }
  28 └ }
────────────────────────────────────────



dms_s3_target_ep.tf (terraform)
===============================
Tests: 7 (SUCCESSES: 6, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 dms_s3_target_ep.tf:20-28
────────────────────────────────────────
  20resource "aws_s3_bucket_server_side_encryption_configuration" "dms_target_ep_s3_bucket" {
  21 │   bucket = aws_s3_bucket.dms_target_ep_s3_bucket.id
  2223 │   rule {
  24 │     apply_server_side_encryption_by_default {
  25 │       sse_algorithm = "AES256"
  26 │     }
  27 │   }
  28 └ }
────────────────────────────────────────



dms_security_groups.tf (terraform)
==================================
Tests: 6 (SUCCESSES: 4, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 0, CRITICAL: 2)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 dms_security_groups.tf:17
   via dms_security_groups.tf:14-22 (aws_vpc_security_group_egress_rule.dms_all_tcp_outbound)
────────────────────────────────────────
  14   resource "aws_vpc_security_group_egress_rule" "dms_all_tcp_outbound" {
  15     security_group_id = aws_security_group.dms_ri_security_group.id
  16   
  17 [   cidr_ipv4   = "0.0.0.0/0"
  18     ip_protocol = "tcp"
  19     from_port   = 0
  20     to_port     = 65535
  21     description = "DMS Terraform"
  22   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 dms_security_groups.tf:62
   via dms_security_groups.tf:59-67 (aws_vpc_security_group_egress_rule.glue_rds_conn_outbound)
────────────────────────────────────────
  59   resource "aws_vpc_security_group_egress_rule" "glue_rds_conn_outbound" {
  60     security_group_id = aws_security_group.glue_rds_conn_security_group.id
  61   
  62 [   cidr_ipv4   = "0.0.0.0/0"
  63     ip_protocol = "tcp"
  64     from_port   = 0
  65     to_port     = 65535
  66     description = "Required ports open for Glue-RDS-Connection"
  67   }
────────────────────────────────────────



lambdas/update_log_table/Dockerfile (dockerfile)
================================================
Tests: 20 (SUCCESSES: 19, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Specify at least 1 USER command in Dockerfile with non-root user as argument
════════════════════════════════════════
Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.

See https://avd.aquasec.com/misconfig/ds002
────────────────────────────────────────



lambdas_security_groups.tf (terraform)
======================================
Tests: 2 (SUCCESSES: 1, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 lambdas_security_groups.tf:12
   via lambdas_security_groups.tf:10-17 (aws_vpc_security_group_egress_rule.lambda_all_outbound)
────────────────────────────────────────
  10   resource "aws_vpc_security_group_egress_rule" "lambda_all_outbound" {
  11     security_group_id = aws_security_group.lambda_db_security_group.id
  12 [   cidr_ipv4         = "0.0.0.0/0"
  13     ip_protocol       = "tcp"
  14     from_port         = 0
  15     to_port           = 65535
  16     description       = "Lambda outbound access"
  17   }
────────────────────────────────────────



modules/landing_zone/main.tf (terraform)
========================================
Tests: 14 (SUCCESSES: 12, FAILURES: 1, EXCEPTIONS: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 modules/landing_zone/main.tf:40-48
   via main.tf:30-54 (module.buddi)
────────────────────────────────────────
  40resource "aws_s3_bucket_server_side_encryption_configuration" "landing_bucket" {
  41 │   bucket = aws_s3_bucket.landing_bucket.id
  4243 │   rule {
  44 │     apply_server_side_encryption_by_default {
  45 │       sse_algorithm = "AES256"
  46 │     }
  47 │   }
  48 └ }
────────────────────────────────────────



modules/s3_log_bucket/main.tf (terraform)
=========================================
Tests: 38 (SUCCESSES: 36, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 modules/s3_log_bucket/main.tf:20-28
   via modules/landing_zone/main.tf:108-118 (module.log_bucket)
    via main.tf:30-54 (module.buddi)
────────────────────────────────────────
  20resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
  21 │   bucket = aws_s3_bucket.this.id
  2223 │   rule {
  24 │     apply_server_side_encryption_by_default {
  25 │       sse_algorithm = "AES256"
  26 │     }
  27 │   }
  28 └ }
────────────────────────────────────────


HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 modules/s3_log_bucket/main.tf:20-28
   via data_store.tf:5-11 (module.data_store_log_bucket)
────────────────────────────────────────
  20resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
  21 │   bucket = aws_s3_bucket.this.id
  2223 │   rule {
  24 │     apply_server_side_encryption_by_default {
  25 │       sse_algorithm = "AES256"
  26 │     }
  27 │   }
  28 └ }
────────────────────────────────────────


trivy_exitcode=2

*****************************

Running Trivy in terraform/environments/mojfin
2024-08-27T08:54:22Z	INFO	[vuln] Vulnerability scanning is enabled
2024-08-27T08:54:22Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-08-27T08:54:22Z	INFO	[secret] Secret scanning is enabled
2024-08-27T08:54:22Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-08-27T08:54:22Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.54/docs/scanner/secret#recommendation for faster secret detection
2024-08-27T08:54:22Z	INFO	Number of language-specific files	num=0
2024-08-27T08:54:22Z	INFO	Detected config files	num=7

mojfin-monitoring.tf (terraform)
================================
Tests: 2 (SUCCESSES: 1, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Topic does not have encryption enabled.
════════════════════════════════════════
Topics should be encrypted to protect their contents.

See https://avd.aquasec.com/misconfig/avd-aws-0095
────────────────────────────────────────
 mojfin-monitoring.tf:257-265
────────────────────────────────────────
 257resource "aws_sns_topic" "mojfin_alerting_topic" {
 258 │   name = local.sns_topic_name
 259 │   tags = merge(
 260 │     local.tags,
 261 │     {
 262 │       Name = local.sns_topic_name
 263 │     }
 264 │   )
 265 └ }
────────────────────────────────────────



mojfin-networking.tf (terraform)
================================
Tests: 8 (SUCCESSES: 7, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 mojfin-networking.tf:77
   via mojfin-networking.tf:73-78 (egress)
    via mojfin-networking.tf:12-84 (aws_security_group.mojfin)
────────────────────────────────────────
  12   resource "aws_security_group" "mojfin" {
  ..   
  77 [     cidr_blocks = ["0.0.0.0/0"]
  ..   
  84   }
────────────────────────────────────────



mojfin-s3.tf (terraform)
========================
Tests: 7 (SUCCESSES: 1, FAILURES: 6, EXCEPTIONS: 0)
Failures: 6 (HIGH: 6, CRITICAL: 0)

HIGH: No public access block so not blocking public acls
════════════════════════════════════════

S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.


See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
 mojfin-s3.tf:1-3
────────────────────────────────────────
   1resource "aws_s3_bucket" "mojfin_rds_oracle" {
   2 │   bucket = "mojfin-oracle-rds-${local.environment}"
   3 └ }
────────────────────────────────────────


HIGH: No public access block so not blocking public policies
════════════════════════════════════════

S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.


See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
 mojfin-s3.tf:1-3
────────────────────────────────────────
   1resource "aws_s3_bucket" "mojfin_rds_oracle" {
   2 │   bucket = "mojfin-oracle-rds-${local.environment}"
   3 └ }
────────────────────────────────────────


HIGH: Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.

See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
 mojfin-s3.tf:1-3
────────────────────────────────────────
   1resource "aws_s3_bucket" "mojfin_rds_oracle" {
   2 │   bucket = "mojfin-oracle-rds-${local.environment}"
   3 └ }
────────────────────────────────────────


HIGH: No public access block so not ignoring public acls
════════════════════════════════════════

S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.


See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
 mojfin-s3.tf:1-3
────────────────────────────────────────
   1resource "aws_s3_bucket" "mojfin_rds_oracle" {
   2 │   bucket = "mojfin-oracle-rds-${local.environment}"
   3 └ }
────────────────────────────────────────


HIGH: No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.

See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
 mojfin-s3.tf:1-3
────────────────────────────────────────
   1resource "aws_s3_bucket" "mojfin_rds_oracle" {
   2 │   bucket = "mojfin-oracle-rds-${local.environment}"
   3 └ }
────────────────────────────────────────


HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 mojfin-s3.tf:1-3
────────────────────────────────────────
   1resource "aws_s3_bucket" "mojfin_rds_oracle" {
   2 │   bucket = "mojfin-oracle-rds-${local.environment}"
   3 └ }
────────────────────────────────────────


trivy_exitcode=3

*****************************

Running Trivy in terraform/environments/nomis
2024-08-27T08:54:23Z	INFO	[vuln] Vulnerability scanning is enabled
2024-08-27T08:54:23Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-08-27T08:54:23Z	INFO	[secret] Secret scanning is enabled
2024-08-27T08:54:23Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-08-27T08:54:23Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.54/docs/scanner/secret#recommendation for faster secret detection
2024-08-27T08:54:25Z	INFO	Number of language-specific files	num=0
2024-08-27T08:54:25Z	INFO	Detected config files	num=6
trivy_exitcode=3

@dms1981 dms1981 requested a review from a team August 27, 2024 08:57
@dms1981 dms1981 requested a review from a team August 27, 2024 09:00
dms1981
dms1981 approved these changes Aug 27, 2024
View reviewed changes
Copy link
Contributor

@dms1981 dms1981 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@ASTRobinson
Copy link
Contributor

superseded by #7654

@ASTRobinson ASTRobinson closed this Sep 2, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@SteveLinden SteveLinden SteveLinden approved these changes

@jacobwoffenden jacobwoffenden jacobwoffenden approved these changes

@dms1981 dms1981 dms1981 approved these changes

Assignees
No one assigned
Labels
code quality For PRs that improve, reformat, or refactor code environments-repository Used to exclude PRs from this repo in our Slack PR update
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@ASTRobinson @dms1981 @jacobwoffenden @SteveLinden @modernisation-platform-ci