
[TM-452] OAS: created new clean DB and kept old #7681

Merged
merged 1 commit into from
Sep 20, 2024

Conversation

vladimir-kovalyov
Contributor

No description provided.

vladimir-kovalyov requested review from a team as code owners September 4, 2024 09:18
github-actions bot added the `environments-repository` label (Used to exclude PRs from this repo in our Slack PR update) Sep 4, 2024
Contributor

github-actions bot commented Sep 4, 2024

#### `Trivy Scan` Failed
<details><summary>Show Output</summary>

```hcl

Trivy will check the following folders:
terraform/environments/oas/modules/rds
terraform/environments/oas


Running Trivy in terraform/environments/oas/modules/rds
2024-09-04T09:20:58Z INFO [db] Need to update DB
2024-09-04T09:20:58Z INFO [db] Downloading DB... repository="ghcr.io/aquasecurity/trivy-db:2"
2024-09-04T09:21:00Z INFO [vuln] Vulnerability scanning is enabled
2024-09-04T09:21:00Z INFO [misconfig] Misconfiguration scanning is enabled
2024-09-04T09:21:00Z INFO Need to update the built-in policies
2024-09-04T09:21:00Z INFO Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s
2024-09-04T09:21:01Z INFO [secret] Secret scanning is enabled
2024-09-04T09:21:01Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-09-04T09:21:01Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.55/docs/scanner/secret#recommendation for faster secret detection
2024-09-04T09:21:01Z INFO [terraform scanner] Scanning root module file_path="."
2024-09-04T09:21:01Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="allocated_storage, allow_major_version_upgrade, application_name, auto_minor_version_upgrade, availability_zone, backup_retention_period, backup_window, character_set_name, db_password_rotation_period, deletion_protection, engine, engine_version, environment, identifier_name, instance_class, license_model, lz_vpc_cidr, maintenance_window, managementcidr, multi_az, rds_kms_key_arn, rds_snapshot_arn, region, storage_type, tags, username, vpc_shared_cidr, vpc_shared_id, vpc_subnet_a_id, vpc_subnet_b_id, vpc_subnet_c_id"
2024-09-04T09:21:01Z INFO Number of language-specific files num=0
2024-09-04T09:21:01Z INFO Detected config files num=2
trivy_exitcode=0


Running Trivy in terraform/environments/oas
2024-09-04T09:21:02Z INFO [vuln] Vulnerability scanning is enabled
2024-09-04T09:21:02Z INFO [misconfig] Misconfiguration scanning is enabled
2024-09-04T09:21:02Z INFO [secret] Secret scanning is enabled
2024-09-04T09:21:02Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-09-04T09:21:02Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.55/docs/scanner/secret#recommendation for faster secret detection
2024-09-04T09:21:02Z INFO [terraform scanner] Scanning root module file_path="."
2024-09-04T09:21:02Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2024-09-04T09:21:03Z INFO [terraform scanner] Scanning root module file_path="modules/rotate_secrets_lambda"
2024-09-04T09:21:03Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="account_number, database_name, database_user, lambda_runtime, lambda_timeout, log_group_retention_days, region, tags"
2024-09-04T09:21:03Z INFO Number of language-specific files num=0
2024-09-04T09:21:03Z INFO Detected config files num=7

ec2.tf (terraform)

Tests: 32 (SUCCESSES: 28, FAILURES: 1, EXCEPTIONS: 3)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Instance does not require IMDS access to require a token
════════════════════════════════════════

IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.
By default aws_instance resource sets IMDS session auth tokens to be optional.
To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
ec2.tf:16-53
────────────────────────────────────────
16 ┌ resource "aws_instance" "oas_app_instance" {
17 │ ami = local.application_data.accounts[local.environment].ec2amiid
18 │ # associate_public_ip_address = false
19 │ availability_zone = "eu-west-2a"
20 │ ebs_optimized = true
21 │ instance_type = local.application_data.accounts[local.environment].ec2instancetype
22 │ # vpc_security_group_ids = [aws_security_group.ec2.id]
23 │ monitoring = true
24 └ # subnet_id = data.aws_subnet.private_subnets_a.id
..
────────────────────────────────────────

modules/cloudwatch/cloudwatch.tf (terraform)

Tests: 2 (SUCCESSES: 1, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Topic does not have encryption enabled.
════════════════════════════════════════
Topics should be encrypted to protect their contents.

See https://avd.aquasec.com/misconfig/avd-aws-0095
────────────────────────────────────────
modules/cloudwatch/cloudwatch.tf:38-40
via cloudwatch.tf:94-100 (module.cwalarm)
────────────────────────────────────────
38 ┌ resource "aws_sns_topic" "alerting_topic" {
39 │ name = var.snsTopicName
40 └ }
────────────────────────────────────────

modules/rotate_secrets_lambda/main.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Lambda permission lacks source ARN for *.amazonaws.com principal.
════════════════════════════════════════
When the principal is an AWS service, the ARN of the specific resource within that service to grant permission to.

Without this, any resource from principal will be granted permission – even if that resource is from another account.

For S3, this should be the ARN of the S3 Bucket. For CloudWatch Events, this should be the ARN of the CloudWatch Events Rule. For API Gateway, this should be the ARN of the API

See https://avd.aquasec.com/misconfig/avd-aws-0067
────────────────────────────────────────
modules/rotate_secrets_lambda/main.tf:117-121
────────────────────────────────────────
117 ┌ resource "aws_lambda_permission" "allow_secret_manager" {
118 │ action = "lambda:InvokeFunction"
119 │ function_name = aws_lambda_function.rotate_secrets.function_name
120 │ principal = "secretsmanager.amazonaws.com"
121 └ }
────────────────────────────────────────

trivy_exitcode=1

```
</details>

#### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/oas/modules/rds
terraform/environments/oas

*****************************

Running Checkov in terraform/environments/oas/modules/rds
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
terraform scan results:

Passed checks: 20, Failed checks: 10, Skipped checks: 0

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.rds_password_secret
	File: /rds.tf:76-83
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		76 | resource "aws_secretsmanager_secret" "rds_password_secret" {
		77 |   name        = "${var.application_name}/app/db-master-password-tmp2" # TODO This name needs changing back to without -tmp2 to be compatible with hardcoded OAS installation
		78 |   description = "This secret has a dynamically generated password."
		79 |   tags = merge(
		80 |     var.tags,
		81 |     { "Name" = "${var.application_name}/app/db-master-password-tmp2" }, # TODO This name needs changing back to without -tmp2 to be compatible with hardcoded OAS installation
		82 |   )
		83 | }

Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
	FAILED for resource: aws_db_instance.appdb1
	File: /rds.tf:98-139
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances

		98  | resource "aws_db_instance" "appdb1" {
		99  |   allocated_storage           = var.allocated_storage
		100 |   db_name                     = upper(var.application_name)
		101 |   identifier                  = "${var.identifier_name}-with-snapshot"
		102 |   engine                      = var.engine
		103 |   engine_version              = var.engine_version
		104 |   instance_class              = var.instance_class
		105 |   allow_major_version_upgrade = var.allow_major_version_upgrade
		106 |   auto_minor_version_upgrade  = var.auto_minor_version_upgrade
		107 |   storage_type                = var.storage_type
		108 |   backup_retention_period     = var.backup_retention_period
		109 |   backup_window               = var.backup_window
		110 |   maintenance_window          = var.maintenance_window
		111 |   character_set_name          = var.character_set_name
		112 |   availability_zone           = var.availability_zone
		113 |   multi_az                    = var.multi_az
		114 |   username                    = var.username
		115 |   password                    = random_password.rds_password.result
		116 |   vpc_security_group_ids      = [aws_security_group.laalz-secgroup.id, aws_security_group.vpc-secgroup.id]
		117 |   skip_final_snapshot         = false
		118 |   final_snapshot_identifier   = "${var.application_name}-${formatdate("DDMMMYYYYhhmm", timestamp())}-finalsnapshot"
		119 |   parameter_group_name        = aws_db_parameter_group.appdbparametergroup19.name
		120 |   option_group_name           = aws_db_option_group.appdboptiongroup19.name
		121 |   db_subnet_group_name        = aws_db_subnet_group.appdbsubnetgroup.name
		122 |   license_model               = var.license_model
		123 |   deletion_protection         = var.deletion_protection
		124 |   copy_tags_to_snapshot       = true
		125 |   storage_encrypted           = true
		126 |   apply_immediately           = true
		127 |   snapshot_identifier         = var.rds_snapshot_arn
		128 |   kms_key_id                  = var.rds_kms_key_arn
		129 |   tags = merge(
		130 |     var.tags,
		131 |     { "Name" = "${var.application_name}-${var.environment}-database-with-snapshot" },
		132 |     { "instance-scheduling" = "skip-scheduling" }
		133 |   )
		134 | 
		135 |   timeouts {
		136 |     create = "60m"
		137 |     delete = "2h"
		138 |   }
		139 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: aws_db_instance.appdb1
	File: /rds.tf:98-139
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-354

		98  | resource "aws_db_instance" "appdb1" {
		99  |   allocated_storage           = var.allocated_storage
		100 |   db_name                     = upper(var.application_name)
		101 |   identifier                  = "${var.identifier_name}-with-snapshot"
		102 |   engine                      = var.engine
		103 |   engine_version              = var.engine_version
		104 |   instance_class              = var.instance_class
		105 |   allow_major_version_upgrade = var.allow_major_version_upgrade
		106 |   auto_minor_version_upgrade  = var.auto_minor_version_upgrade
		107 |   storage_type                = var.storage_type
		108 |   backup_retention_period     = var.backup_retention_period
		109 |   backup_window               = var.backup_window
		110 |   maintenance_window          = var.maintenance_window
		111 |   character_set_name          = var.character_set_name
		112 |   availability_zone           = var.availability_zone
		113 |   multi_az                    = var.multi_az
		114 |   username                    = var.username
		115 |   password                    = random_password.rds_password.result
		116 |   vpc_security_group_ids      = [aws_security_group.laalz-secgroup.id, aws_security_group.vpc-secgroup.id]
		117 |   skip_final_snapshot         = false
		118 |   final_snapshot_identifier   = "${var.application_name}-${formatdate("DDMMMYYYYhhmm", timestamp())}-finalsnapshot"
		119 |   parameter_group_name        = aws_db_parameter_group.appdbparametergroup19.name
		120 |   option_group_name           = aws_db_option_group.appdboptiongroup19.name
		121 |   db_subnet_group_name        = aws_db_subnet_group.appdbsubnetgroup.name
		122 |   license_model               = var.license_model
		123 |   deletion_protection         = var.deletion_protection
		124 |   copy_tags_to_snapshot       = true
		125 |   storage_encrypted           = true
		126 |   apply_immediately           = true
		127 |   snapshot_identifier         = var.rds_snapshot_arn
		128 |   kms_key_id                  = var.rds_kms_key_arn
		129 |   tags = merge(
		130 |     var.tags,
		131 |     { "Name" = "${var.application_name}-${var.environment}-database-with-snapshot" },
		132 |     { "instance-scheduling" = "skip-scheduling" }
		133 |   )
		134 | 
		135 |   timeouts {
		136 |     create = "60m"
		137 |     delete = "2h"
		138 |   }
		139 | }

Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
	FAILED for resource: aws_db_instance.appdb1
	File: /rds.tf:98-139
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-353

		98  | resource "aws_db_instance" "appdb1" {
		99  |   allocated_storage           = var.allocated_storage
		100 |   db_name                     = upper(var.application_name)
		101 |   identifier                  = "${var.identifier_name}-with-snapshot"
		102 |   engine                      = var.engine
		103 |   engine_version              = var.engine_version
		104 |   instance_class              = var.instance_class
		105 |   allow_major_version_upgrade = var.allow_major_version_upgrade
		106 |   auto_minor_version_upgrade  = var.auto_minor_version_upgrade
		107 |   storage_type                = var.storage_type
		108 |   backup_retention_period     = var.backup_retention_period
		109 |   backup_window               = var.backup_window
		110 |   maintenance_window          = var.maintenance_window
		111 |   character_set_name          = var.character_set_name
		112 |   availability_zone           = var.availability_zone
		113 |   multi_az                    = var.multi_az
		114 |   username                    = var.username
		115 |   password                    = random_password.rds_password.result
		116 |   vpc_security_group_ids      = [aws_security_group.laalz-secgroup.id, aws_security_group.vpc-secgroup.id]
		117 |   skip_final_snapshot         = false
		118 |   final_snapshot_identifier   = "${var.application_name}-${formatdate("DDMMMYYYYhhmm", timestamp())}-finalsnapshot"
		119 |   parameter_group_name        = aws_db_parameter_group.appdbparametergroup19.name
		120 |   option_group_name           = aws_db_option_group.appdboptiongroup19.name
		121 |   db_subnet_group_name        = aws_db_subnet_group.appdbsubnetgroup.name
		122 |   license_model               = var.license_model
		123 |   deletion_protection         = var.deletion_protection
		124 |   copy_tags_to_snapshot       = true
		125 |   storage_encrypted           = true
		126 |   apply_immediately           = true
		127 |   snapshot_identifier         = var.rds_snapshot_arn
		128 |   kms_key_id                  = var.rds_kms_key_arn
		129 |   tags = merge(
		130 |     var.tags,
		131 |     { "Name" = "${var.application_name}-${var.environment}-database-with-snapshot" },
		132 |     { "instance-scheduling" = "skip-scheduling" }
		133 |   )
		134 | 
		135 |   timeouts {
		136 |     create = "60m"
		137 |     delete = "2h"
		138 |   }
		139 | }

Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
	FAILED for resource: aws_db_instance.appdb1
	File: /rds.tf:98-139
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled

		98  | resource "aws_db_instance" "appdb1" {
		99  |   allocated_storage           = var.allocated_storage
		100 |   db_name                     = upper(var.application_name)
		101 |   identifier                  = "${var.identifier_name}-with-snapshot"
		102 |   engine                      = var.engine
		103 |   engine_version              = var.engine_version
		104 |   instance_class              = var.instance_class
		105 |   allow_major_version_upgrade = var.allow_major_version_upgrade
		106 |   auto_minor_version_upgrade  = var.auto_minor_version_upgrade
		107 |   storage_type                = var.storage_type
		108 |   backup_retention_period     = var.backup_retention_period
		109 |   backup_window               = var.backup_window
		110 |   maintenance_window          = var.maintenance_window
		111 |   character_set_name          = var.character_set_name
		112 |   availability_zone           = var.availability_zone
		113 |   multi_az                    = var.multi_az
		114 |   username                    = var.username
		115 |   password                    = random_password.rds_password.result
		116 |   vpc_security_group_ids      = [aws_security_group.laalz-secgroup.id, aws_security_group.vpc-secgroup.id]
		117 |   skip_final_snapshot         = false
		118 |   final_snapshot_identifier   = "${var.application_name}-${formatdate("DDMMMYYYYhhmm", timestamp())}-finalsnapshot"
		119 |   parameter_group_name        = aws_db_parameter_group.appdbparametergroup19.name
		120 |   option_group_name           = aws_db_option_group.appdboptiongroup19.name
		121 |   db_subnet_group_name        = aws_db_subnet_group.appdbsubnetgroup.name
		122 |   license_model               = var.license_model
		123 |   deletion_protection         = var.deletion_protection
		124 |   copy_tags_to_snapshot       = true
		125 |   storage_encrypted           = true
		126 |   apply_immediately           = true
		127 |   snapshot_identifier         = var.rds_snapshot_arn
		128 |   kms_key_id                  = var.rds_kms_key_arn
		129 |   tags = merge(
		130 |     var.tags,
		131 |     { "Name" = "${var.application_name}-${var.environment}-database-with-snapshot" },
		132 |     { "instance-scheduling" = "skip-scheduling" }
		133 |   )
		134 | 
		135 |   timeouts {
		136 |     create = "60m"
		137 |     delete = "2h"
		138 |   }
		139 | }

Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
	FAILED for resource: aws_db_instance.appdb2
	File: /rds.tf:143-183
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances

		143 | resource "aws_db_instance" "appdb2" {
		144 |   allocated_storage           = var.allocated_storage
		145 |   db_name                     = upper(var.application_name)
		146 |   identifier                  = var.identifier_name
		147 |   engine                      = var.engine
		148 |   engine_version              = var.engine_version
		149 |   instance_class              = var.instance_class
		150 |   allow_major_version_upgrade = var.allow_major_version_upgrade
		151 |   auto_minor_version_upgrade  = var.auto_minor_version_upgrade
		152 |   storage_type                = var.storage_type
		153 |   backup_retention_period     = var.backup_retention_period
		154 |   backup_window               = var.backup_window
		155 |   maintenance_window          = var.maintenance_window
		156 |   character_set_name          = var.character_set_name
		157 |   availability_zone           = var.availability_zone
		158 |   multi_az                    = var.multi_az
		159 |   username                    = var.username
		160 |   password                    = random_password.rds_password.result
		161 |   vpc_security_group_ids      = [aws_security_group.laalz-secgroup.id, aws_security_group.vpc-secgroup.id]
		162 |   skip_final_snapshot         = false
		163 |   final_snapshot_identifier   = "${var.application_name}-${formatdate("DDMMMYYYYhhmm", timestamp())}-finalsnapshot"
		164 |   parameter_group_name        = aws_db_parameter_group.appdbparametergroup19.name
		165 |   option_group_name           = aws_db_option_group.appdboptiongroup19.name
		166 |   db_subnet_group_name        = aws_db_subnet_group.appdbsubnetgroup.name
		167 |   license_model               = var.license_model
		168 |   deletion_protection         = var.deletion_protection
		169 |   copy_tags_to_snapshot       = true
		170 |   storage_encrypted           = true
		171 |   apply_immediately           = true
		172 |   kms_key_id                  = var.rds_kms_key_arn
		173 |   tags = merge(
		174 |     var.tags,
		175 |     { "Name" = "${var.application_name}-${var.environment}-database-without-snapshot" },
		176 |     { "instance-scheduling" = "skip-scheduling" }
		177 |   )
		178 | 
		179 |   timeouts {
		180 |     create = "60m"
		181 |     delete = "2h"
		182 |   }
		183 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: aws_db_instance.appdb2
	File: /rds.tf:143-183
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-354

		143 | resource "aws_db_instance" "appdb2" {
		144 |   allocated_storage           = var.allocated_storage
		145 |   db_name                     = upper(var.application_name)
		146 |   identifier                  = var.identifier_name
		147 |   engine                      = var.engine
		148 |   engine_version              = var.engine_version
		149 |   instance_class              = var.instance_class
		150 |   allow_major_version_upgrade = var.allow_major_version_upgrade
		151 |   auto_minor_version_upgrade  = var.auto_minor_version_upgrade
		152 |   storage_type                = var.storage_type
		153 |   backup_retention_period     = var.backup_retention_period
		154 |   backup_window               = var.backup_window
		155 |   maintenance_window          = var.maintenance_window
		156 |   character_set_name          = var.character_set_name
		157 |   availability_zone           = var.availability_zone
		158 |   multi_az                    = var.multi_az
		159 |   username                    = var.username
		160 |   password                    = random_password.rds_password.result
		161 |   vpc_security_group_ids      = [aws_security_group.laalz-secgroup.id, aws_security_group.vpc-secgroup.id]
		162 |   skip_final_snapshot         = false
		163 |   final_snapshot_identifier   = "${var.application_name}-${formatdate("DDMMMYYYYhhmm", timestamp())}-finalsnapshot"
		164 |   parameter_group_name        = aws_db_parameter_group.appdbparametergroup19.name
		165 |   option_group_name           = aws_db_option_group.appdboptiongroup19.name
		166 |   db_subnet_group_name        = aws_db_subnet_group.appdbsubnetgroup.name
		167 |   license_model               = var.license_model
		168 |   deletion_protection         = var.deletion_protection
		169 |   copy_tags_to_snapshot       = true
		170 |   storage_encrypted           = true
		171 |   apply_immediately           = true
		172 |   kms_key_id                  = var.rds_kms_key_arn
		173 |   tags = merge(
		174 |     var.tags,
		175 |     { "Name" = "${var.application_name}-${var.environment}-database-without-snapshot" },
		176 |     { "instance-scheduling" = "skip-scheduling" }
		177 |   )
		178 | 
		179 |   timeouts {
		180 |     create = "60m"
		181 |     delete = "2h"
		182 |   }
		183 | }

Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
	FAILED for resource: aws_db_instance.appdb2
	File: /rds.tf:143-183
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-353

		143 | resource "aws_db_instance" "appdb2" {
		144 |   allocated_storage           = var.allocated_storage
		145 |   db_name                     = upper(var.application_name)
		146 |   identifier                  = var.identifier_name
		147 |   engine                      = var.engine
		148 |   engine_version              = var.engine_version
		149 |   instance_class              = var.instance_class
		150 |   allow_major_version_upgrade = var.allow_major_version_upgrade
		151 |   auto_minor_version_upgrade  = var.auto_minor_version_upgrade
		152 |   storage_type                = var.storage_type
		153 |   backup_retention_period     = var.backup_retention_period
		154 |   backup_window               = var.backup_window
		155 |   maintenance_window          = var.maintenance_window
		156 |   character_set_name          = var.character_set_name
		157 |   availability_zone           = var.availability_zone
		158 |   multi_az                    = var.multi_az
		159 |   username                    = var.username
		160 |   password                    = random_password.rds_password.result
		161 |   vpc_security_group_ids      = [aws_security_group.laalz-secgroup.id, aws_security_group.vpc-secgroup.id]
		162 |   skip_final_snapshot         = false
		163 |   final_snapshot_identifier   = "${var.application_name}-${formatdate("DDMMMYYYYhhmm", timestamp())}-finalsnapshot"
		164 |   parameter_group_name        = aws_db_parameter_group.appdbparametergroup19.name
		165 |   option_group_name           = aws_db_option_group.appdboptiongroup19.name
		166 |   db_subnet_group_name        = aws_db_subnet_group.appdbsubnetgroup.name
		167 |   license_model               = var.license_model
		168 |   deletion_protection         = var.deletion_protection
		169 |   copy_tags_to_snapshot       = true
		170 |   storage_encrypted           = true
		171 |   apply_immediately           = true
		172 |   kms_key_id                  = var.rds_kms_key_arn
		173 |   tags = merge(
		174 |     var.tags,
		175 |     { "Name" = "${var.application_name}-${var.environment}-database-without-snapshot" },
		176 |     { "instance-scheduling" = "skip-scheduling" }
		177 |   )
		178 | 
		179 |   timeouts {
		180 |     create = "60m"
		181 |     delete = "2h"
		182 |   }
		183 | }

Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
	FAILED for resource: aws_db_instance.appdb2
	File: /rds.tf:143-183
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled

		143 | resource "aws_db_instance" "appdb2" {
		144 |   allocated_storage           = var.allocated_storage
		145 |   db_name                     = upper(var.application_name)
		146 |   identifier                  = var.identifier_name
		147 |   engine                      = var.engine
		148 |   engine_version              = var.engine_version
		149 |   instance_class              = var.instance_class
		150 |   allow_major_version_upgrade = var.allow_major_version_upgrade
		151 |   auto_minor_version_upgrade  = var.auto_minor_version_upgrade
		152 |   storage_type                = var.storage_type
		153 |   backup_retention_period     = var.backup_retention_period
		154 |   backup_window               = var.backup_window
		155 |   maintenance_window          = var.maintenance_window
		156 |   character_set_name          = var.character_set_name
		157 |   availability_zone           = var.availability_zone
		158 |   multi_az                    = var.multi_az
		159 |   username                    = var.username
		160 |   password                    = random_password.rds_password.result
		161 |   vpc_security_group_ids      = [aws_security_group.laalz-secgroup.id, aws_security_group.vpc-secgroup.id]
		162 |   skip_final_snapshot         = false
		163 |   final_snapshot_identifier   = "${var.application_name}-${formatdate("DDMMMYYYYhhmm", timestamp())}-finalsnapshot"
		164 |   parameter_group_name        = aws_db_parameter_group.appdbparametergroup19.name
		165 |   option_group_name           = aws_db_option_group.appdboptiongroup19.name
		166 |   db_subnet_group_name        = aws_db_subnet_group.appdbsubnetgroup.name
		167 |   license_model               = var.license_model
		168 |   deletion_protection         = var.deletion_protection
		169 |   copy_tags_to_snapshot       = true
		170 |   storage_encrypted           = true
		171 |   apply_immediately           = true
		172 |   kms_key_id                  = var.rds_kms_key_arn
		173 |   tags = merge(
		174 |     var.tags,
		175 |     { "Name" = "${var.application_name}-${var.environment}-database-without-snapshot" },
		176 |     { "instance-scheduling" = "skip-scheduling" }
		177 |   )
		178 | 
		179 |   timeouts {
		180 |     create = "60m"
		181 |     delete = "2h"
		182 |   }
		183 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.rds_password_secret
	File: /rds.tf:76-83
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		76 | resource "aws_secretsmanager_secret" "rds_password_secret" {
		77 |   name        = "${var.application_name}/app/db-master-password-tmp2" # TODO This name needs changing back to without -tmp2 to be compatible with hardcoded OAS installation
		78 |   description = "This secret has a dynamically generated password."
		79 |   tags = merge(
		80 |     var.tags,
		81 |     { "Name" = "${var.application_name}/app/db-master-password-tmp2" }, # TODO This name needs changing back to without -tmp2 to be compatible with hardcoded OAS installation
		82 |   )
		83 | }


checkov_exitcode=1

*****************************

Running Checkov in terraform/environments/oas
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-09-04 09:21:08,579 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 87, Failed checks: 38, Skipped checks: 0

Check: CKV_AWS_166: "Ensure Backup Vault is encrypted at rest using KMS CMK"
	FAILED for resource: aws_backup_vault.default_oas
	File: /backups.tf:1-7
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-backup-vault-is-encrypted-at-rest-using-kms-cmk

		1 | resource "aws_backup_vault" "default_oas" {
		2 |   name = "${local.application_name}-backup-vault"
		3 |   tags = merge(
		4 |     local.tags,
		5 |     { "Name" = "${local.application_name}-backup-vault" },
		6 |   )
		7 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: pagerduty_core_alerts
	File: /cloudwatch.tf:102-109
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		102 | module "pagerduty_core_alerts" {
		103 |   depends_on = [
		104 |     module.cwalarm
		105 |   ]
		106 |   source                    = "github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0"
		107 |   sns_topics                = [local.sns_topic_name]
		108 |   pagerduty_integration_key = local.pagerduty_integration_keys[local.pagerduty_integration_key_name]
		109 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.oas_app_instance
	File: /ec2.tf:16-53
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		16 | resource "aws_instance" "oas_app_instance" {
		17 |   ami = local.application_data.accounts[local.environment].ec2amiid
		18 |   # associate_public_ip_address = false
		19 |   availability_zone = "eu-west-2a"
		20 |   ebs_optimized     = true
		21 |   instance_type     = local.application_data.accounts[local.environment].ec2instancetype
		22 |   # vpc_security_group_ids      = [aws_security_group.ec2.id]
		23 |   monitoring = true
		24 |   # subnet_id                   = data.aws_subnet.private_subnets_a.id
		25 |   iam_instance_profile        = aws_iam_instance_profile.ec2_instance_profile.id
		26 |   user_data_replace_on_change = true
		27 |   user_data                   = base64encode(data.local_file.userdata.content)
		28 | 
		29 | 
		30 | 
		31 |   network_interface {
		32 |     network_interface_id = aws_network_interface.oas_eni.id
		33 |     device_index         = 0
		34 |   }
		35 | 
		36 |   root_block_device {
		37 |     delete_on_termination = false
		38 |     encrypted             = true # TODO Confirm if encrypted volumes can work for OAS, as it looks like in MP they must be encrypted
		39 |     volume_size           = 40
		40 |     volume_type           = "gp2"
		41 |     tags = merge(
		42 |       local.tags,
		43 |       { "Name" = "${local.application_name}-root-volume" },
		44 |     )
		45 |   }
		46 | 
		47 |   tags = merge(
		48 |     local.tags,
		49 |     { "Name" = "${local.application_name} Apps Server" },
		50 |     { "instance-scheduling" = "skip-scheduling" },
		51 |     { "snapshot-with-daily-7-day-retention" = "yes" }
		52 |   )
		53 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.ec2_instance_policy
	File: /ec2.tf:255-295
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		255 | resource "aws_iam_role_policy" "ec2_instance_policy" {
		256 |   #tfsec:ignore:aws-iam-no-policy-wildcards
		257 |   name = "${local.application_name}-ec2-policy"
		258 |   role = aws_iam_role.ec2_instance_role.id
		259 | 
		260 |   # Terraform's "jsonencode" function converts a
		261 |   # Terraform expression result to valid JSON syntax.
		262 |   policy = jsonencode({
		263 |     Version = "2012-10-17"
		264 |     Statement = [
		265 |       {
		266 |         Action = [
		267 |           "ec2:Describe*",
		268 |         ]
		269 |         Effect   = "Allow"
		270 |         Resource = "*"
		271 |       },
		272 |       {
		273 |         Effect = "Allow",
		274 |         Action = [
		275 |           "s3:ListBucket",
		276 |         ],
		277 |         Resource = [
		278 |           "arn:aws:s3:::modernisation-platform-software20230224000709766100000001",
		279 |           "arn:aws:s3:::modernisation-platform-software20230224000709766100000001/*",
		280 |         ]
		281 |       },
		282 |       {
		283 |         Effect = "Allow",
		284 |         Action = [
		285 |           "s3:GetObject",
		286 |           "s3:PutObject",
		287 |           "s3:PutObjectAcl",
		288 |         ],
		289 |         Resource = [
		290 |           "arn:aws:s3:::modernisation-platform-software20230224000709766100000001/*",
		291 |         ]
		292 |       }
		293 |     ]
		294 |   })
		295 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: module.cwalarm.aws_sns_topic.alerting_topic
	File: /modules/cloudwatch/cloudwatch.tf:38-40
	Calling File: /cloudwatch.tf:94-100
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		38 | resource "aws_sns_topic" "alerting_topic" {
		39 |   name = var.snsTopicName
		40 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: module.rds.aws_secretsmanager_secret.rds_password_secret
	File: /modules/rds/rds.tf:76-83
	Calling File: /rds.tf:4-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		76 | resource "aws_secretsmanager_secret" "rds_password_secret" {
		77 |   name        = "${var.application_name}/app/db-master-password-tmp2" # TODO This name needs changing back to without -tmp2 to be compatible with hardcoded OAS installation
		78 |   description = "This secret has a dynamically generated password."
		79 |   tags = merge(
		80 |     var.tags,
		81 |     { "Name" = "${var.application_name}/app/db-master-password-tmp2" }, # TODO This name needs changing back to without -tmp2 to be compatible with hardcoded OAS installation
		82 |   )
		83 | }

Check: CKV_AWS_133: "Ensure that RDS instances has backup policy"
	FAILED for resource: module.rds.aws_db_instance.appdb1
	File: /modules/rds/rds.tf:98-139
	Calling File: /rds.tf:4-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-rds-instances-have-backup-policy

		98  | resource "aws_db_instance" "appdb1" {
		99  |   allocated_storage           = var.allocated_storage
		100 |   db_name                     = upper(var.application_name)
		101 |   identifier                  = "${var.identifier_name}-with-snapshot"
		102 |   engine                      = var.engine
		103 |   engine_version              = var.engine_version
		104 |   instance_class              = var.instance_class
		105 |   allow_major_version_upgrade = var.allow_major_version_upgrade
		106 |   auto_minor_version_upgrade  = var.auto_minor_version_upgrade
		107 |   storage_type                = var.storage_type
		108 |   backup_retention_period     = var.backup_retention_period
		109 |   backup_window               = var.backup_window
		110 |   maintenance_window          = var.maintenance_window
		111 |   character_set_name          = var.character_set_name
		112 |   availability_zone           = var.availability_zone
		113 |   multi_az                    = var.multi_az
		114 |   username                    = var.username
		115 |   password                    = random_password.rds_password.result
		116 |   vpc_security_group_ids      = [aws_security_group.laalz-secgroup.id, aws_security_group.vpc-secgroup.id]
		117 |   skip_final_snapshot         = false
		118 |   final_snapshot_identifier   = "${var.application_name}-${formatdate("DDMMMYYYYhhmm", timestamp())}-finalsnapshot"
		119 |   parameter_group_name        = aws_db_parameter_group.appdbparametergroup19.name
		120 |   option_group_name           = aws_db_option_group.appdboptiongroup19.name
		121 |   db_subnet_group_name        = aws_db_subnet_group.appdbsubnetgroup.name
		122 |   license_model               = var.license_model
		123 |   deletion_protection         = var.deletion_protection
		124 |   copy_tags_to_snapshot       = true
		125 |   storage_encrypted           = true
		126 |   apply_immediately           = true
		127 |   snapshot_identifier         = var.rds_snapshot_arn
		128 |   kms_key_id                  = var.rds_kms_key_arn
		129 |   tags = merge(
		130 |     var.tags,
		131 |     { "Name" = "${var.application_name}-${var.environment}-database-with-snapshot" },
		132 |     { "instance-scheduling" = "skip-scheduling" }
		133 |   )
		134 | 
		135 |   timeouts {
		136 |     create = "60m"
		137 |     delete = "2h"
		138 |   }
		139 | }

Check: CKV_AWS_226: "Ensure DB instance gets all minor upgrades automatically"
	FAILED for resource: module.rds.aws_db_instance.appdb1
	File: /modules/rds/rds.tf:98-139
	Calling File: /rds.tf:4-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-db-instance-gets-all-minor-upgrades-automatically

Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
	FAILED for resource: module.rds.aws_db_instance.appdb1
	File: /modules/rds/rds.tf:98-139
	Calling File: /rds.tf:4-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-73

Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
	FAILED for resource: module.rds.aws_db_instance.appdb1
	File: /modules/rds/rds.tf:98-139
	Calling File: /rds.tf:4-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: module.rds.aws_db_instance.appdb1
	File: /modules/rds/rds.tf:98-139
	Calling File: /rds.tf:4-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-354

Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
	FAILED for resource: module.rds.aws_db_instance.appdb1
	File: /modules/rds/rds.tf:98-139
	Calling File: /rds.tf:4-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-353

Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
	FAILED for resource: module.rds.aws_db_instance.appdb1
	File: /modules/rds/rds.tf:98-139
	Calling File: /rds.tf:4-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-293

Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
	FAILED for resource: module.rds.aws_db_instance.appdb1
	File: /modules/rds/rds.tf:98-139
	Calling File: /rds.tf:4-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled

Check: CKV_AWS_133: "Ensure that RDS instances has backup policy"
	FAILED for resource: module.rds.aws_db_instance.appdb2
	File: /modules/rds/rds.tf:143-183
	Calling File: /rds.tf:4-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-rds-instances-have-backup-policy

		143 | resource "aws_db_instance" "appdb2" {
		144 |   allocated_storage           = var.allocated_storage
		145 |   db_name                     = upper(var.application_name)
		146 |   identifier                  = var.identifier_name
		147 |   engine                      = var.engine
		148 |   engine_version              = var.engine_version
		149 |   instance_class              = var.instance_class
		150 |   allow_major_version_upgrade = var.allow_major_version_upgrade
		151 |   auto_minor_version_upgrade  = var.auto_minor_version_upgrade
		152 |   storage_type                = var.storage_type
		153 |   backup_retention_period     = var.backup_retention_period
		154 |   backup_window               = var.backup_window
		155 |   maintenance_window          = var.maintenance_window
		156 |   character_set_name          = var.character_set_name
		157 |   availability_zone           = var.availability_zone
		158 |   multi_az                    = var.multi_az
		159 |   username                    = var.username
		160 |   password                    = random_password.rds_password.result
		161 |   vpc_security_group_ids      = [aws_security_group.laalz-secgroup.id, aws_security_group.vpc-secgroup.id]
		162 |   skip_final_snapshot         = false
		163 |   final_snapshot_identifier   = "${var.application_name}-${formatdate("DDMMMYYYYhhmm", timestamp())}-finalsnapshot"
		164 |   parameter_group_name        = aws_db_parameter_group.appdbparametergroup19.name
		165 |   option_group_name           = aws_db_option_group.appdboptiongroup19.name
		166 |   db_subnet_group_name        = aws_db_subnet_group.appdbsubnetgroup.name
		167 |   license_model               = var.license_model
		168 |   deletion_protection         = var.deletion_protection
		169 |   copy_tags_to_snapshot       = true
		170 |   storage_encrypted           = true
		171 |   apply_immediately           = true
		172 |   kms_key_id                  = var.rds_kms_key_arn
		173 |   tags = merge(
		174 |     var.tags,
		175 |     { "Name" = "${var.application_name}-${var.environment}-database-without-snapshot" },
		176 |     { "instance-scheduling" = "skip-scheduling" }
		177 |   )
		178 | 
		179 |   timeouts {
		180 |     create = "60m"
		181 |     delete = "2h"
		182 |   }
		183 | }

Check: CKV_AWS_226: "Ensure DB instance gets all minor upgrades automatically"
	FAILED for resource: module.rds.aws_db_instance.appdb2
	File: /modules/rds/rds.tf:143-183
	Calling File: /rds.tf:4-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-db-instance-gets-all-minor-upgrades-automatically

Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
	FAILED for resource: module.rds.aws_db_instance.appdb2
	File: /modules/rds/rds.tf:143-183
	Calling File: /rds.tf:4-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-73

		143 | resource "aws_db_instance" "appdb2" {
		144 |   allocated_storage           = var.allocated_storage
		145 |   db_name                     = upper(var.application_name)
		146 |   identifier                  = var.identifier_name
		147 |   engine                      = var.engine
		148 |   engine_version              = var.engine_version
		149 |   instance_class              = var.instance_class
		150 |   allow_major_version_upgrade = var.allow_major_version_upgrade
		151 |   auto_minor_version_upgrade  = var.auto_minor_version_upgrade
		152 |   storage_type                = var.storage_type
		153 |   backup_retention_period     = var.backup_retention_period
		154 |   backup_window               = var.backup_window
		155 |   maintenance_window          = var.maintenance_window
		156 |   character_set_name          = var.character_set_name
		157 |   availability_zone           = var.availability_zone
		158 |   multi_az                    = var.multi_az
		159 |   username                    = var.username
		160 |   password                    = random_password.rds_password.result
		161 |   vpc_security_group_ids      = [aws_security_group.laalz-secgroup.id, aws_security_group.vpc-secgroup.id]
		162 |   skip_final_snapshot         = false
		163 |   final_snapshot_identifier   = "${var.application_name}-${formatdate("DDMMMYYYYhhmm", timestamp())}-finalsnapshot"
		164 |   parameter_group_name        = aws_db_parameter_group.appdbparametergroup19.name
		165 |   option_group_name           = aws_db_option_group.appdboptiongroup19.name
		166 |   db_subnet_group_name        = aws_db_subnet_group.appdbsubnetgroup.name
		167 |   license_model               = var.license_model
		168 |   deletion_protection         = var.deletion_protection
		169 |   copy_tags_to_snapshot       = true
		170 |   storage_encrypted           = true
		171 |   apply_immediately           = true
		172 |   kms_key_id                  = var.rds_kms_key_arn
		173 |   tags = merge(
		174 |     var.tags,
		175 |     { "Name" = "${var.application_name}-${var.environment}-database-without-snapshot" },
		176 |     { "instance-scheduling" = "skip-scheduling" }
		177 |   )
		178 | 
		179 |   timeouts {
		180 |     create = "60m"
		181 |     delete = "2h"
		182 |   }
		183 | }

Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
	FAILED for resource: module.rds.aws_db_instance.appdb2
	File: /modules/rds/rds.tf:143-183
	Calling File: /rds.tf:4-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances

		143 | resource "aws_db_instance" "appdb2" {
		144 |   allocated_storage           = var.allocated_storage
		145 |   db_name                     = upper(var.application_name)
		146 |   identifier                  = var.identifier_name
		147 |   engine                      = var.engine
		148 |   engine_version              = var.engine_version
		149 |   instance_class              = var.instance_class
		150 |   allow_major_version_upgrade = var.allow_major_version_upgrade
		151 |   auto_minor_version_upgrade  = var.auto_minor_version_upgrade
		152 |   storage_type                = var.storage_type
		153 |   backup_retention_period     = var.backup_retention_period
		154 |   backup_window               = var.backup_window
		155 |   maintenance_window          = var.maintenance_window
		156 |   character_set_name          = var.character_set_name
		157 |   availability_zone           = var.availability_zone
		158 |   multi_az                    = var.multi_az
		159 |   username                    = var.username
		160 |   password                    = random_password.rds_password.result
		161 |   vpc_security_group_ids      = [aws_security_group.laalz-secgroup.id, aws_security_group.vpc-secgroup.id]
		162 |   skip_final_snapshot         = false
		163 |   final_snapshot_identifier   = "${var.application_name}-${formatdate("DDMMMYYYYhhmm", timestamp())}-finalsnapshot"
		164 |   parameter_group_name        = aws_db_parameter_group.appdbparametergroup19.name
		165 |   option_group_name           = aws_db_option_group.appdboptiongroup19.name
		166 |   db_subnet_group_name        = aws_db_subnet_group.appdbsubnetgroup.name
		167 |   license_model               = var.license_model
		168 |   deletion_protection         = var.deletion_protection
		169 |   copy_tags_to_snapshot       = true
		170 |   storage_encrypted           = true
		171 |   apply_immediately           = true
		172 |   kms_key_id                  = var.rds_kms_key_arn
		173 |   tags = merge(
		174 |     var.tags,
		175 |     { "Name" = "${var.application_name}-${var.environment}-database-without-snapshot" },
		176 |     { "instance-scheduling" = "skip-scheduling" }
		177 |   )
		178 | 
		179 |   timeouts {
		180 |     create = "60m"
		181 |     delete = "2h"
		182 |   }
		183 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: module.rds.aws_db_instance.appdb2
	File: /modules/rds/rds.tf:143-183
	Calling File: /rds.tf:4-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-354

		143 | resource "aws_db_instance" "appdb2" {
		144 |   allocated_storage           = var.allocated_storage
		145 |   db_name                     = upper(var.application_name)
		146 |   identifier                  = var.identifier_name
		147 |   engine                      = var.engine
		148 |   engine_version              = var.engine_version
		149 |   instance_class              = var.instance_class
		150 |   allow_major_version_upgrade = var.allow_major_version_upgrade
		151 |   auto_minor_version_upgrade  = var.auto_minor_version_upgrade
		152 |   storage_type                = var.storage_type
		153 |   backup_retention_period     = var.backup_retention_period
		154 |   backup_window               = var.backup_window
		155 |   maintenance_window          = var.maintenance_window
		156 |   character_set_name          = var.character_set_name
		157 |   availability_zone           = var.availability_zone
		158 |   multi_az                    = var.multi_az
		159 |   username                    = var.username
		160 |   password                    = random_password.rds_password.result
		161 |   vpc_security_group_ids      = [aws_security_group.laalz-secgroup.id, aws_security_group.vpc-secgroup.id]
		162 |   skip_final_snapshot         = false
		163 |   final_snapshot_identifier   = "${var.application_name}-${formatdate("DDMMMYYYYhhmm", timestamp())}-finalsnapshot"
		164 |   parameter_group_name        = aws_db_parameter_group.appdbparametergroup19.name
		165 |   option_group_name           = aws_db_option_group.appdboptiongroup19.name
		166 |   db_subnet_group_name        = aws_db_subnet_group.appdbsubnetgroup.name
		167 |   license_model               = var.license_model
		168 |   deletion_protection         = var.deletion_protection
		169 |   copy_tags_to_snapshot       = true
		170 |   storage_encrypted           = true
		171 |   apply_immediately           = true
		172 |   kms_key_id                  = var.rds_kms_key_arn
		173 |   tags = merge(
		174 |     var.tags,
		175 |     { "Name" = "${var.application_name}-${var.environment}-database-without-snapshot" },
		176 |     { "instance-scheduling" = "skip-scheduling" }
		177 |   )
		178 | 
		179 |   timeouts {
		180 |     create = "60m"
		181 |     delete = "2h"
		182 |   }
		183 | }

Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
	FAILED for resource: module.rds.aws_db_instance.appdb2
	File: /modules/rds/rds.tf:143-183
	Calling File: /rds.tf:4-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-353

		143 | resource "aws_db_instance" "appdb2" {
		144 |   allocated_storage           = var.allocated_storage
		145 |   db_name                     = upper(var.application_name)
		146 |   identifier                  = var.identifier_name
		147 |   engine                      = var.engine
		148 |   engine_version              = var.engine_version
		149 |   instance_class              = var.instance_class
		150 |   allow_major_version_upgrade = var.allow_major_version_upgrade
		151 |   auto_minor_version_upgrade  = var.auto_minor_version_upgrade
		152 |   storage_type                = var.storage_type
		153 |   backup_retention_period     = var.backup_retention_period
		154 |   backup_window               = var.backup_window
		155 |   maintenance_window          = var.maintenance_window
		156 |   character_set_name          = var.character_set_name
		157 |   availability_zone           = var.availability_zone
		158 |   multi_az                    = var.multi_az
		159 |   username                    = var.username
		160 |   password                    = random_password.rds_password.result
		161 |   vpc_security_group_ids      = [aws_security_group.laalz-secgroup.id, aws_security_group.vpc-secgroup.id]
		162 |   skip_final_snapshot         = false
		163 |   final_snapshot_identifier   = "${var.application_name}-${formatdate("DDMMMYYYYhhmm", timestamp())}-finalsnapshot"
		164 |   parameter_group_name        = aws_db_parameter_group.appdbparametergroup19.name
		165 |   option_group_name           = aws_db_option_group.appdboptiongroup19.name
		166 |   db_subnet_group_name        = aws_db_subnet_group.appdbsubnetgroup.name
		167 |   license_model               = var.license_model
		168 |   deletion_protection         = var.deletion_protection
		169 |   copy_tags_to_snapshot       = true
		170 |   storage_encrypted           = true
		171 |   apply_immediately           = true
		172 |   kms_key_id                  = var.rds_kms_key_arn
		173 |   tags = merge(
		174 |     var.tags,
		175 |     { "Name" = "${var.application_name}-${var.environment}-database-without-snapshot" },
		176 |     { "instance-scheduling" = "skip-scheduling" }
		177 |   )
		178 | 
		179 |   timeouts {
		180 |     create = "60m"
		181 |     delete = "2h"
		182 |   }
		183 | }

Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
	FAILED for resource: module.rds.aws_db_instance.appdb2
	File: /modules/rds/rds.tf:143-183
	Calling File: /rds.tf:4-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-293

		143 | resource "aws_db_instance" "appdb2" {
		144 |   allocated_storage           = var.allocated_storage
		145 |   db_name                     = upper(var.application_name)
		146 |   identifier                  = var.identifier_name
		147 |   engine                      = var.engine
		148 |   engine_version              = var.engine_version
		149 |   instance_class              = var.instance_class
		150 |   allow_major_version_upgrade = var.allow_major_version_upgrade
		151 |   auto_minor_version_upgrade  = var.auto_minor_version_upgrade
		152 |   storage_type                = var.storage_type
		153 |   backup_retention_period     = var.backup_retention_period
		154 |   backup_window               = var.backup_window
		155 |   maintenance_window          = var.maintenance_window
		156 |   character_set_name          = var.character_set_name
		157 |   availability_zone           = var.availability_zone
		158 |   multi_az                    = var.multi_az
		159 |   username                    = var.username
		160 |   password                    = random_password.rds_password.result
		161 |   vpc_security_group_ids      = [aws_security_group.laalz-secgroup.id, aws_security_group.vpc-secgroup.id]
		162 |   skip_final_snapshot         = false
		163 |   final_snapshot_identifier   = "${var.application_name}-${formatdate("DDMMMYYYYhhmm", timestamp())}-finalsnapshot"
		164 |   parameter_group_name        = aws_db_parameter_group.appdbparametergroup19.name
		165 |   option_group_name           = aws_db_option_group.appdboptiongroup19.name
		166 |   db_subnet_group_name        = aws_db_subnet_group.appdbsubnetgroup.name
		167 |   license_model               = var.license_model
		168 |   deletion_protection         = var.deletion_protection
		169 |   copy_tags_to_snapshot       = true
		170 |   storage_encrypted           = true
		171 |   apply_immediately           = true
		172 |   kms_key_id                  = var.rds_kms_key_arn
		173 |   tags = merge(
		174 |     var.tags,
		175 |     { "Name" = "${var.application_name}-${var.environment}-database-without-snapshot" },
		176 |     { "instance-scheduling" = "skip-scheduling" }
		177 |   )
		178 | 
		179 |   timeouts {
		180 |     create = "60m"
		181 |     delete = "2h"
		182 |   }
		183 | }

Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
	FAILED for resource: module.rds.aws_db_instance.appdb2
	File: /modules/rds/rds.tf:143-183
	Calling File: /rds.tf:4-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled

		143 | resource "aws_db_instance" "appdb2" {
		144 |   allocated_storage           = var.allocated_storage
		145 |   db_name                     = upper(var.application_name)
		146 |   identifier                  = var.identifier_name
		147 |   engine                      = var.engine
		148 |   engine_version              = var.engine_version
		149 |   instance_class              = var.instance_class
		150 |   allow_major_version_upgrade = var.allow_major_version_upgrade
		151 |   auto_minor_version_upgrade  = var.auto_minor_version_upgrade
		152 |   storage_type                = var.storage_type
		153 |   backup_retention_period     = var.backup_retention_period
		154 |   backup_window               = var.backup_window
		155 |   maintenance_window          = var.maintenance_window
		156 |   character_set_name          = var.character_set_name
		157 |   availability_zone           = var.availability_zone
		158 |   multi_az                    = var.multi_az
		159 |   username                    = var.username
		160 |   password                    = random_password.rds_password.result
		161 |   vpc_security_group_ids      = [aws_security_group.laalz-secgroup.id, aws_security_group.vpc-secgroup.id]
		162 |   skip_final_snapshot         = false
		163 |   final_snapshot_identifier   = "${var.application_name}-${formatdate("DDMMMYYYYhhmm", timestamp())}-finalsnapshot"
		164 |   parameter_group_name        = aws_db_parameter_group.appdbparametergroup19.name
		165 |   option_group_name           = aws_db_option_group.appdboptiongroup19.name
		166 |   db_subnet_group_name        = aws_db_subnet_group.appdbsubnetgroup.name
		167 |   license_model               = var.license_model
		168 |   deletion_protection         = var.deletion_protection
		169 |   copy_tags_to_snapshot       = true
		170 |   storage_encrypted           = true
		171 |   apply_immediately           = true
		172 |   kms_key_id                  = var.rds_kms_key_arn
		173 |   tags = merge(
		174 |     var.tags,
		175 |     { "Name" = "${var.application_name}-${var.environment}-database-without-snapshot" },
		176 |     { "instance-scheduling" = "skip-scheduling" }
		177 |   )
		178 | 
		179 |   timeouts {
		180 |     create = "60m"
		181 |     delete = "2h"
		182 |   }
		183 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.rotate_secrets
	File: /modules/rotate_secrets_lambda/main.tf:5-27
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		5  | resource "aws_lambda_function" "rotate_secrets" {
		6  |   filename      = "${path.module}/secret_rotation.zip"
		7  |   function_name = local.function_name
		8  |   description   = "Secrets Manager password rotation"
		9  |   role          = aws_iam_role.lambda.arn
		10 |   handler       = "secret_rotation.lambda_handler"
		11 |   timeout       = var.lambda_timeout
		12 |   runtime       = var.lambda_runtime
		13 | 
		14 |   environment {
		15 |     variables = {
		16 |       databaseName             = var.database_name
		17 |       databaseUser             = var.database_user
		18 |       SECRETS_MANAGER_ENDPOINT = "https://secretsmanager.eu-west-2.amazonaws.com"
		19 |       # EXCLUDE_CHARACTERS = "!@£$%^&*()_+-={}[]" # Characters to exclude for rotated secrets, currently not working so updated the secret_rotation.py with ExcludePunctuation=True instead
		20 |     }
		21 |   }
		22 | 
		23 |   tags = merge(
		24 |     var.tags,
		25 |     { "Name" = "SecretsRotation" },
		26 |   )
		27 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.rotate_secrets
	File: /modules/rotate_secrets_lambda/main.tf:5-27
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		5  | resource "aws_lambda_function" "rotate_secrets" {
		6  |   filename      = "${path.module}/secret_rotation.zip"
		7  |   function_name = local.function_name
		8  |   description   = "Secrets Manager password rotation"
		9  |   role          = aws_iam_role.lambda.arn
		10 |   handler       = "secret_rotation.lambda_handler"
		11 |   timeout       = var.lambda_timeout
		12 |   runtime       = var.lambda_runtime
		13 | 
		14 |   environment {
		15 |     variables = {
		16 |       databaseName             = var.database_name
		17 |       databaseUser             = var.database_user
		18 |       SECRETS_MANAGER_ENDPOINT = "https://secretsmanager.eu-west-2.amazonaws.com"
		19 |       # EXCLUDE_CHARACTERS = "!@£$%^&*()_+-={}[]" # Characters to exclude for rotated secrets, currently not working so updated the secret_rotation.py with ExcludePunctuation=True instead
		20 |     }
		21 |   }
		22 | 
		23 |   tags = merge(
		24 |     var.tags,
		25 |     { "Name" = "SecretsRotation" },
		26 |   )
		27 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.rotate_secrets
	File: /modules/rotate_secrets_lambda/main.tf:5-27
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		5  | resource "aws_lambda_function" "rotate_secrets" {
		6  |   filename      = "${path.module}/secret_rotation.zip"
		7  |   function_name = local.function_name
		8  |   description   = "Secrets Manager password rotation"
		9  |   role          = aws_iam_role.lambda.arn
		10 |   handler       = "secret_rotation.lambda_handler"
		11 |   timeout       = var.lambda_timeout
		12 |   runtime       = var.lambda_runtime
		13 | 
		14 |   environment {
		15 |     variables = {
		16 |       databaseName             = var.database_name
		17 |       databaseUser             = var.database_user
		18 |       SECRETS_MANAGER_ENDPOINT = "https://secretsmanager.eu-west-2.amazonaws.com"
		19 |       # EXCLUDE_CHARACTERS = "!@£$%^&*()_+-={}[]" # Characters to exclude for rotated secrets, currently not working so updated the secret_rotation.py with ExcludePunctuation=True instead
		20 |     }
		21 |   }
		22 | 
		23 |   tags = merge(
		24 |     var.tags,
		25 |     { "Name" = "SecretsRotation" },
		26 |   )
		27 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.rotate_secrets
	File: /modules/rotate_secrets_lambda/main.tf:5-27
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		5  | resource "aws_lambda_function" "rotate_secrets" {
		6  |   filename      = "${path.module}/secret_rotation.zip"
		7  |   function_name = local.function_name
		8  |   description   = "Secrets Manager password rotation"
		9  |   role          = aws_iam_role.lambda.arn
		10 |   handler       = "secret_rotation.lambda_handler"
		11 |   timeout       = var.lambda_timeout
		12 |   runtime       = var.lambda_runtime
		13 | 
		14 |   environment {
		15 |     variables = {
		16 |       databaseName             = var.database_name
		17 |       databaseUser             = var.database_user
		18 |       SECRETS_MANAGER_ENDPOINT = "https://secretsmanager.eu-west-2.amazonaws.com"
		19 |       # EXCLUDE_CHARACTERS = "!@£$%^&*()_+-={}[]" # Characters to exclude for rotated secrets, currently not working so updated the secret_rotation.py with ExcludePunctuation=True instead
		20 |     }
		21 |   }
		22 | 
		23 |   tags = merge(
		24 |     var.tags,
		25 |     { "Name" = "SecretsRotation" },
		26 |   )
		27 | }

Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
	FAILED for resource: aws_lambda_function.rotate_secrets
	File: /modules/rotate_secrets_lambda/main.tf:5-27
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1

		5  | resource "aws_lambda_function" "rotate_secrets" {
		6  |   filename      = "${path.module}/secret_rotation.zip"
		7  |   function_name = local.function_name
		8  |   description   = "Secrets Manager password rotation"
		9  |   role          = aws_iam_role.lambda.arn
		10 |   handler       = "secret_rotation.lambda_handler"
		11 |   timeout       = var.lambda_timeout
		12 |   runtime       = var.lambda_runtime
		13 | 
		14 |   environment {
		15 |     variables = {
		16 |       databaseName             = var.database_name
		17 |       databaseUser             = var.database_user
		18 |       SECRETS_MANAGER_ENDPOINT = "https://secretsmanager.eu-west-2.amazonaws.com"
		19 |       # EXCLUDE_CHARACTERS = "!@£$%^&*()_+-={}[]" # Characters to exclude for rotated secrets, currently not working so updated the secret_rotation.py with ExcludePunctuation=True instead
		20 |     }
		21 |   }
		22 | 
		23 |   tags = merge(
		24 |     var.tags,
		25 |     { "Name" = "SecretsRotation" },
		26 |   )
		27 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.rotate_secrets
	File: /modules/rotate_secrets_lambda/main.tf:5-27
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		5  | resource "aws_lambda_function" "rotate_secrets" {
		6  |   filename      = "${path.module}/secret_rotation.zip"
		7  |   function_name = local.function_name
		8  |   description   = "Secrets Manager password rotation"
		9  |   role          = aws_iam_role.lambda.arn
		10 |   handler       = "secret_rotation.lambda_handler"
		11 |   timeout       = var.lambda_timeout
		12 |   runtime       = var.lambda_runtime
		13 | 
		14 |   environment {
		15 |     variables = {
		16 |       databaseName             = var.database_name
		17 |       databaseUser             = var.database_user
		18 |       SECRETS_MANAGER_ENDPOINT = "https://secretsmanager.eu-west-2.amazonaws.com"
		19 |       # EXCLUDE_CHARACTERS = "!@£$%^&*()_+-={}[]" # Characters to exclude for rotated secrets, currently not working so updated the secret_rotation.py with ExcludePunctuation=True instead
		20 |     }
		21 |   }
		22 | 
		23 |   tags = merge(
		24 |     var.tags,
		25 |     { "Name" = "SecretsRotation" },
		26 |   )
		27 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_policy.lambda
	File: /modules/rotate_secrets_lambda/main.tf:57-110
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.lambda
	File: /modules/rotate_secrets_lambda/main.tf:57-110
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.lambda
	File: /modules/rotate_secrets_lambda/main.tf:57-110
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_364: "Ensure that AWS Lambda function permissions delegated to AWS services are limited by SourceArn or SourceAccount"
	FAILED for resource: aws_lambda_permission.allow_secret_manager
	File: /modules/rotate_secrets_lambda/main.tf:117-121
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-364

		117 | resource "aws_lambda_permission" "allow_secret_manager" {
		118 |   action        = "lambda:InvokeFunction"
		119 |   function_name = aws_lambda_function.rotate_secrets.function_name
		120 |   principal     = "secretsmanager.amazonaws.com"
		121 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.rotate_secrets_lambda
	File: /modules/rotate_secrets_lambda/main.tf:123-129
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		123 | resource "aws_cloudwatch_log_group" "rotate_secrets_lambda" {
		124 |   name              = aws_lambda_function.rotate_secrets.function_name
		125 |   retention_in_days = var.log_group_retention_days
		126 |   lifecycle {
		127 |     prevent_destroy = true
		128 |   }
		129 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.weblogic
	File: /weblogic.tf:7-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		7  | resource "aws_secretsmanager_secret" "weblogic" {
		8  |   name        = "${local.application_name}/app/weblogic-admin-password-tmp2" # TODO This name needs changing back to without -tmp2 to be compatible with hardcoded OAS installation
		9  |   description = "This secret has a dynamically generated password. This is OAS administrator (weblogic) password, where developers very frequently use as part of accessing OAS and other admin activities."
		10 |   tags = merge(
		11 |     local.tags,
		12 |     { "Name" = "${local.application_name}/app/weblogic-admin-password-tmp2" }, # TODO This name needs changing back to without -tmp2 to be compatible with hardcoded OAS installation
		13 |   )
		14 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.EC2ServerVolumeORAHOME
	File: /ec2.tf:297-313
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		297 | resource "aws_ebs_volume" "EC2ServerVolumeORAHOME" {
		298 |   availability_zone = "eu-west-2a"
		299 |   size              = local.application_data.accounts[local.environment].orahomesize
		300 |   type              = "gp3"
		301 |   encrypted         = true
		302 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		303 |   snapshot_id       = local.application_data.accounts[local.environment].orahome_snapshot
		304 | 
		305 |   lifecycle {
		306 |     ignore_changes = [kms_key_id]
		307 |   }
		308 | 
		309 |   tags = merge(
		310 |     local.tags,
		311 |     { "Name" = "${local.application_name}-EC2ServerVolumeORAHOME" },
		312 |   )
		313 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.EC2ServerVolumeSTAGE
	File: /ec2.tf:321-337
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		321 | resource "aws_ebs_volume" "EC2ServerVolumeSTAGE" {
		322 |   availability_zone = "eu-west-2a"
		323 |   size              = local.application_data.accounts[local.environment].stageesize
		324 |   type              = "gp3"
		325 |   encrypted         = true
		326 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		327 |   snapshot_id       = local.application_data.accounts[local.environment].stage_snapshot
		328 | 
		329 |   lifecycle {
		330 |     ignore_changes = [kms_key_id]
		331 |   }
		332 | 
		333 |   tags = merge(
		334 |     local.tags,
		335 |     { "Name" = "${local.application_name}-EC2ServerVolumeSTAGE" },
		336 |   )
		337 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: module.rds.aws_secretsmanager_secret.rds_password_secret
	File: /modules/rds/rds.tf:76-83
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		76 | resource "aws_secretsmanager_secret" "rds_password_secret" {
		77 |   name        = "${var.application_name}/app/db-master-password-tmp2" # TODO This name needs changing back to without -tmp2 to be compatible with hardcoded OAS installation
		78 |   description = "This secret has a dynamically generated password."
		79 |   tags = merge(
		80 |     var.tags,
		81 |     { "Name" = "${var.application_name}/app/db-master-password-tmp2" }, # TODO This name needs changing back to without -tmp2 to be compatible with hardcoded OAS installation
		82 |   )
		83 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.weblogic
	File: /weblogic.tf:7-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		7  | resource "aws_secretsmanager_secret" "weblogic" {
		8  |   name        = "${local.application_name}/app/weblogic-admin-password-tmp2" # TODO This name needs changing back to without -tmp2 to be compatible with hardcoded OAS installation
		9  |   description = "This secret has a dynamically generated password. This is OAS administrator (weblogic) password, where developers very frequently use as part of accessing OAS and other admin activities."
		10 |   tags = merge(
		11 |     local.tags,
		12 |     { "Name" = "${local.application_name}/app/weblogic-admin-password-tmp2" }, # TODO This name needs changing back to without -tmp2 to be compatible with hardcoded OAS installation
		13 |   )
		14 | }


checkov_exitcode=2

TFLint Scan Failed

*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
terraform/environments/oas/modules/rds
terraform/environments/oas

*****************************

Running tflint in terraform/environments/oas/modules/rds
Excluding the following checks: terraform_unused_declarations
3 issue(s) found:

Warning: terraform "required_version" attribute is required (terraform_required_version)

  on  line 0:
   (source code not available)

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_version.md

Warning: Missing version constraint for provider "random" in `required_providers` (terraform_required_providers)

  on terraform/environments/oas/modules/rds/rds.tf line 70:
  70: resource "random_password" "rds_password" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "aws" in `required_providers` (terraform_required_providers)

  on terraform/environments/oas/modules/rds/rds.tf line 223:
 223: resource "aws_security_group" "vpc-secgroup" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

tflint_exitcode=2

*****************************

Running tflint in terraform/environments/oas
Excluding the following checks: terraform_unused_declarations
2 issue(s) found:

Warning: Missing version constraint for provider "local" in `required_providers` (terraform_required_providers)

  on terraform/environments/oas/ec2.tf line 1:
   1: data "local_file" "userdata" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "random" in `required_providers` (terraform_required_providers)

  on terraform/environments/oas/weblogic.tf line 1:
   1: resource "random_password" "weblogic" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

tflint_exitcode=4

Trivy Scan Failed

Show Output
*****************************

Trivy will check the following folders:
terraform/environments/oas/modules/rds
terraform/environments/oas

*****************************

Running Trivy in terraform/environments/oas/modules/rds
2024-09-04T09:20:58Z	INFO	[db] Need to update DB
2024-09-04T09:20:58Z	INFO	[db] Downloading DB...	repository="ghcr.io/aquasecurity/trivy-db:2"
2024-09-04T09:21:00Z	INFO	[vuln] Vulnerability scanning is enabled
2024-09-04T09:21:00Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-09-04T09:21:00Z	INFO	Need to update the built-in policies
2024-09-04T09:21:00Z	INFO	Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s
2024-09-04T09:21:01Z	INFO	[secret] Secret scanning is enabled
2024-09-04T09:21:01Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-09-04T09:21:01Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.55/docs/scanner/secret#recommendation for faster secret detection
2024-09-04T09:21:01Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-09-04T09:21:01Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="allocated_storage, allow_major_version_upgrade, application_name, auto_minor_version_upgrade, availability_zone, backup_retention_period, backup_window, character_set_name, db_password_rotation_period, deletion_protection, engine, engine_version, environment, identifier_name, instance_class, license_model, lz_vpc_cidr, maintenance_window, managementcidr, multi_az, rds_kms_key_arn, rds_snapshot_arn, region, storage_type, tags, username, vpc_shared_cidr, vpc_shared_id, vpc_subnet_a_id, vpc_subnet_b_id, vpc_subnet_c_id"
2024-09-04T09:21:01Z	INFO	Number of language-specific files	num=0
2024-09-04T09:21:01Z	INFO	Detected config files	num=2
trivy_exitcode=0

*****************************

Running Trivy in terraform/environments/oas
2024-09-04T09:21:02Z	INFO	[vuln] Vulnerability scanning is enabled
2024-09-04T09:21:02Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-09-04T09:21:02Z	INFO	[secret] Secret scanning is enabled
2024-09-04T09:21:02Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-09-04T09:21:02Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.55/docs/scanner/secret#recommendation for faster secret detection
2024-09-04T09:21:02Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-09-04T09:21:02Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2024-09-04T09:21:03Z	INFO	[terraform scanner] Scanning root module	file_path="modules/rotate_secrets_lambda"
2024-09-04T09:21:03Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="account_number, database_name, database_user, lambda_runtime, lambda_timeout, log_group_retention_days, region, tags"
2024-09-04T09:21:03Z	INFO	Number of language-specific files	num=0
2024-09-04T09:21:03Z	INFO	Detected config files	num=7

ec2.tf (terraform)
==================
Tests: 32 (SUCCESSES: 28, FAILURES: 1, EXCEPTIONS: 3)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Instance does not require IMDS access to require a token
════════════════════════════════════════

IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.
By default aws_instance resource sets IMDS session auth tokens to be optional.
To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 ec2.tf:16-53
────────────────────────────────────────
  16 ┌ resource "aws_instance" "oas_app_instance" {
  17 │   ami = local.application_data.accounts[local.environment].ec2amiid
  18 │   # associate_public_ip_address = false
  19 │   availability_zone = "eu-west-2a"
  20 │   ebs_optimized     = true
  21 │   instance_type     = local.application_data.accounts[local.environment].ec2instancetype
  22 │   # vpc_security_group_ids      = [aws_security_group.ec2.id]
  23 │   monitoring = true
  24 └   # subnet_id                   = data.aws_subnet.private_subnets_a.id
  ..
────────────────────────────────────────



modules/cloudwatch/cloudwatch.tf (terraform)
============================================
Tests: 2 (SUCCESSES: 1, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Topic does not have encryption enabled.
════════════════════════════════════════
Topics should be encrypted to protect their contents.

See https://avd.aquasec.com/misconfig/avd-aws-0095
────────────────────────────────────────
 modules/cloudwatch/cloudwatch.tf:38-40
   via cloudwatch.tf:94-100 (module.cwalarm)
────────────────────────────────────────
  38 ┌ resource "aws_sns_topic" "alerting_topic" {
  39 │   name = var.snsTopicName
  40 └ }
────────────────────────────────────────



modules/rotate_secrets_lambda/main.tf (terraform)
=================================================
Tests: 1 (SUCCESSES: 0, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Lambda permission lacks source ARN for *.amazonaws.com principal.
════════════════════════════════════════
When the principal is an AWS service, the ARN of the specific resource within that service to grant permission to.

Without this, any resource from principal will be granted permission – even if that resource is from another account.

For S3, this should be the ARN of the S3 Bucket. For CloudWatch Events, this should be the ARN of the CloudWatch Events Rule. For API Gateway, this should be the ARN of the API

See https://avd.aquasec.com/misconfig/avd-aws-0067
────────────────────────────────────────
 modules/rotate_secrets_lambda/main.tf:117-121
────────────────────────────────────────
 117 ┌ resource "aws_lambda_permission" "allow_secret_manager" {
 118 │   action        = "lambda:InvokeFunction"
 119 │   function_name = aws_lambda_function.rotate_secrets.function_name
 120 │   principal     = "secretsmanager.amazonaws.com"
 121 └ }
────────────────────────────────────────


trivy_exitcode=1


Trivy Scan Failed

Show Output

Trivy will check the following folders:
terraform/environments/oas/modules/rds
terraform/environments/oas


Running Trivy in terraform/environments/oas/modules/rds
2024-09-20T10:25:19Z INFO [db] Need to update DB
2024-09-20T10:25:19Z INFO [db] Downloading DB... repository="ghcr.io/aquasecurity/trivy-db:2"
2024-09-20T10:25:21Z INFO [vuln] Vulnerability scanning is enabled
2024-09-20T10:25:21Z INFO [misconfig] Misconfiguration scanning is enabled
2024-09-20T10:25:21Z INFO Need to update the built-in policies
2024-09-20T10:25:21Z INFO Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s
2024-09-20T10:25:21Z INFO [secret] Secret scanning is enabled
2024-09-20T10:25:21Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-09-20T10:25:21Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.55/docs/scanner/secret#recommendation for faster secret detection
2024-09-20T10:25:22Z INFO [terraform scanner] Scanning root module file_path="."
2024-09-20T10:25:22Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="allocated_storage, allow_major_version_upgrade, application_name, auto_minor_version_upgrade, availability_zone, backup_retention_period, backup_window, character_set_name, db_password_rotation_period, deletion_protection, engine, engine_version, environment, identifier_name, instance_class, license_model, lz_vpc_cidr, maintenance_window, managementcidr, multi_az, rds_kms_key_arn, rds_snapshot_arn, region, storage_type, tags, username, vpc_shared_cidr, vpc_shared_id, vpc_subnet_a_id, vpc_subnet_b_id, vpc_subnet_c_id"
2024-09-20T10:25:22Z INFO Number of language-specific files num=0
2024-09-20T10:25:22Z INFO Detected config files num=2
trivy_exitcode=0


Running Trivy in terraform/environments/oas
2024-09-20T10:25:22Z INFO [vuln] Vulnerability scanning is enabled
2024-09-20T10:25:22Z INFO [misconfig] Misconfiguration scanning is enabled
2024-09-20T10:25:22Z INFO [secret] Secret scanning is enabled
2024-09-20T10:25:22Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-09-20T10:25:22Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.55/docs/scanner/secret#recommendation for faster secret detection
2024-09-20T10:25:23Z INFO [terraform scanner] Scanning root module file_path="."
2024-09-20T10:25:23Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2024-09-20T10:25:24Z INFO [terraform scanner] Scanning root module file_path="modules/rotate_secrets_lambda"
2024-09-20T10:25:24Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="account_number, database_name, database_user, lambda_runtime, lambda_timeout, log_group_retention_days, region, tags"
2024-09-20T10:25:24Z INFO Number of language-specific files num=0
2024-09-20T10:25:24Z INFO Detected config files num=7

ec2.tf (terraform)

Tests: 32 (SUCCESSES: 28, FAILURES: 1, EXCEPTIONS: 3)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Instance does not require IMDS access to require a token
════════════════════════════════════════

IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.
By default aws_instance resource sets IMDS session auth tokens to be optional.
To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
ec2.tf:16-53
────────────────────────────────────────
16 ┌ resource "aws_instance" "oas_app_instance" {
17 │ ami = local.application_data.accounts[local.environment].ec2amiid
18 │ # associate_public_ip_address = false
19 │ availability_zone = "eu-west-2a"
20 │ ebs_optimized = true
21 │ instance_type = local.application_data.accounts[local.environment].ec2instancetype
22 │ # vpc_security_group_ids = [aws_security_group.ec2.id]
23 │ monitoring = true
24 └ # subnet_id = data.aws_subnet.private_subnets_a.id
..
────────────────────────────────────────

modules/cloudwatch/cloudwatch.tf (terraform)

Tests: 2 (SUCCESSES: 1, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Topic does not have encryption enabled.
════════════════════════════════════════
Topics should be encrypted to protect their contents.

See https://avd.aquasec.com/misconfig/avd-aws-0095
────────────────────────────────────────
modules/cloudwatch/cloudwatch.tf:38-40
via cloudwatch.tf:94-100 (module.cwalarm)
────────────────────────────────────────
38 ┌ resource "aws_sns_topic" "alerting_topic" {
39 │ name = var.snsTopicName
40 └ }
────────────────────────────────────────

modules/rotate_secrets_lambda/main.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Lambda permission lacks source ARN for *.amazonaws.com principal.
════════════════════════════════════════
When the principal is an AWS service, the ARN of the specific resource within that service to grant permission to.

Without this, any resource from principal will be granted permission – even if that resource is from another account.

For S3, this should be the ARN of the S3 Bucket. For CloudWatch Events, this should be the ARN of the CloudWatch Events Rule. For API Gateway, this should be the ARN of the API

See https://avd.aquasec.com/misconfig/avd-aws-0067
────────────────────────────────────────
modules/rotate_secrets_lambda/main.tf:117-121
────────────────────────────────────────
117 ┌ resource "aws_lambda_permission" "allow_secret_manager" {
118 │ action = "lambda:InvokeFunction"
119 │ function_name = aws_lambda_function.rotate_secrets.function_name
120 │ principal = "secretsmanager.amazonaws.com"
121 └ }
────────────────────────────────────────

trivy_exitcode=1

Checkov Scan Failed

Show Output
```hcl

*****************************

Checkov will check the following folders:
terraform/environments/oas/modules/rds
terraform/environments/oas

*****************************

Running Checkov in terraform/environments/oas/modules/rds
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
terraform scan results:

Passed checks: 20, Failed checks: 10, Skipped checks: 0

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.rds_password_secret
	File: /rds.tf:76-83
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		76 | resource "aws_secretsmanager_secret" "rds_password_secret" {
		77 |   name        = "${var.application_name}/app/db-master-password-tmp2" # TODO This name needs changing back to without -tmp2 to be compatible with hardcoded OAS installation
		78 |   description = "This secret has a dynamically generated password."
		79 |   tags = merge(
		80 |     var.tags,
		81 |     { "Name" = "${var.application_name}/app/db-master-password-tmp2" }, # TODO This name needs changing back to without -tmp2 to be compatible with hardcoded OAS installation
		82 |   )
		83 | }

Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
	FAILED for resource: aws_db_instance.appdb1
	File: /rds.tf:98-139
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances

		98  | resource "aws_db_instance" "appdb1" {
		99  |   allocated_storage           = var.allocated_storage
		100 |   db_name                     = upper(var.application_name)
		101 |   identifier                  = "${var.identifier_name}-with-snapshot"
		102 |   engine                      = var.engine
		103 |   engine_version              = var.engine_version
		104 |   instance_class              = var.instance_class
		105 |   allow_major_version_upgrade = var.allow_major_version_upgrade
		106 |   auto_minor_version_upgrade  = var.auto_minor_version_upgrade
		107 |   storage_type                = var.storage_type
		108 |   backup_retention_period     = var.backup_retention_period
		109 |   backup_window               = var.backup_window
		110 |   maintenance_window          = var.maintenance_window
		111 |   character_set_name          = var.character_set_name
		112 |   availability_zone           = var.availability_zone
		113 |   multi_az                    = var.multi_az
		114 |   username                    = var.username
		115 |   password                    = random_password.rds_password.result
		116 |   vpc_security_group_ids      = [aws_security_group.laalz-secgroup.id, aws_security_group.vpc-secgroup.id]
		117 |   skip_final_snapshot         = false
		118 |   final_snapshot_identifier   = "${var.application_name}-${formatdate("DDMMMYYYYhhmm", timestamp())}-finalsnapshot"
		119 |   parameter_group_name        = aws_db_parameter_group.appdbparametergroup19.name
		120 |   option_group_name           = aws_db_option_group.appdboptiongroup19.name
		121 |   db_subnet_group_name        = aws_db_subnet_group.appdbsubnetgroup.name
		122 |   license_model               = var.license_model
		123 |   deletion_protection         = var.deletion_protection
		124 |   copy_tags_to_snapshot       = true
		125 |   storage_encrypted           = true
		126 |   apply_immediately           = true
		127 |   snapshot_identifier         = var.rds_snapshot_arn
		128 |   kms_key_id                  = var.rds_kms_key_arn
		129 |   tags = merge(
		130 |     var.tags,
		131 |     { "Name" = "${var.application_name}-${var.environment}-database-with-snapshot" },
		132 |     { "instance-scheduling" = "skip-scheduling" }
		133 |   )
		134 | 
		135 |   timeouts {
		136 |     create = "60m"
		137 |     delete = "2h"
		138 |   }
		139 | }

Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
	FAILED for resource: aws_db_instance.appdb1
	File: /rds.tf:98-139
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled

		98  | resource "aws_db_instance" "appdb1" {
		99  |   allocated_storage           = var.allocated_storage
		100 |   db_name                     = upper(var.application_name)
		101 |   identifier                  = "${var.identifier_name}-with-snapshot"
		102 |   engine                      = var.engine
		103 |   engine_version              = var.engine_version
		104 |   instance_class              = var.instance_class
		105 |   allow_major_version_upgrade = var.allow_major_version_upgrade
		106 |   auto_minor_version_upgrade  = var.auto_minor_version_upgrade
		107 |   storage_type                = var.storage_type
		108 |   backup_retention_period     = var.backup_retention_period
		109 |   backup_window               = var.backup_window
		110 |   maintenance_window          = var.maintenance_window
		111 |   character_set_name          = var.character_set_name
		112 |   availability_zone           = var.availability_zone
		113 |   multi_az                    = var.multi_az
		114 |   username                    = var.username
		115 |   password                    = random_password.rds_password.result
		116 |   vpc_security_group_ids      = [aws_security_group.laalz-secgroup.id, aws_security_group.vpc-secgroup.id]
		117 |   skip_final_snapshot         = false
		118 |   final_snapshot_identifier   = "${var.application_name}-${formatdate("DDMMMYYYYhhmm", timestamp())}-finalsnapshot"
		119 |   parameter_group_name        = aws_db_parameter_group.appdbparametergroup19.name
		120 |   option_group_name           = aws_db_option_group.appdboptiongroup19.name
		121 |   db_subnet_group_name        = aws_db_subnet_group.appdbsubnetgroup.name
		122 |   license_model               = var.license_model
		123 |   deletion_protection         = var.deletion_protection
		124 |   copy_tags_to_snapshot       = true
		125 |   storage_encrypted           = true
		126 |   apply_immediately           = true
		127 |   snapshot_identifier         = var.rds_snapshot_arn
		128 |   kms_key_id                  = var.rds_kms_key_arn
		129 |   tags = merge(
		130 |     var.tags,
		131 |     { "Name" = "${var.application_name}-${var.environment}-database-with-snapshot" },
		132 |     { "instance-scheduling" = "skip-scheduling" }
		133 |   )
		134 | 
		135 |   timeouts {
		136 |     create = "60m"
		137 |     delete = "2h"
		138 |   }
		139 | }

Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
	FAILED for resource: aws_db_instance.appdb1
	File: /rds.tf:98-139
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-353

		98  | resource "aws_db_instance" "appdb1" {
		99  |   allocated_storage           = var.allocated_storage
		100 |   db_name                     = upper(var.application_name)
		101 |   identifier                  = "${var.identifier_name}-with-snapshot"
		102 |   engine                      = var.engine
		103 |   engine_version              = var.engine_version
		104 |   instance_class              = var.instance_class
		105 |   allow_major_version_upgrade = var.allow_major_version_upgrade
		106 |   auto_minor_version_upgrade  = var.auto_minor_version_upgrade
		107 |   storage_type                = var.storage_type
		108 |   backup_retention_period     = var.backup_retention_period
		109 |   backup_window               = var.backup_window
		110 |   maintenance_window          = var.maintenance_window
		111 |   character_set_name          = var.character_set_name
		112 |   availability_zone           = var.availability_zone
		113 |   multi_az                    = var.multi_az
		114 |   username                    = var.username
		115 |   password                    = random_password.rds_password.result
		116 |   vpc_security_group_ids      = [aws_security_group.laalz-secgroup.id, aws_security_group.vpc-secgroup.id]
		117 |   skip_final_snapshot         = false
		118 |   final_snapshot_identifier   = "${var.application_name}-${formatdate("DDMMMYYYYhhmm", timestamp())}-finalsnapshot"
		119 |   parameter_group_name        = aws_db_parameter_group.appdbparametergroup19.name
		120 |   option_group_name           = aws_db_option_group.appdboptiongroup19.name
		121 |   db_subnet_group_name        = aws_db_subnet_group.appdbsubnetgroup.name
		122 |   license_model               = var.license_model
		123 |   deletion_protection         = var.deletion_protection
		124 |   copy_tags_to_snapshot       = true
		125 |   storage_encrypted           = true
		126 |   apply_immediately           = true
		127 |   snapshot_identifier         = var.rds_snapshot_arn
		128 |   kms_key_id                  = var.rds_kms_key_arn
		129 |   tags = merge(
		130 |     var.tags,
		131 |     { "Name" = "${var.application_name}-${var.environment}-database-with-snapshot" },
		132 |     { "instance-scheduling" = "skip-scheduling" }
		133 |   )
		134 | 
		135 |   timeouts {
		136 |     create = "60m"
		137 |     delete = "2h"
		138 |   }
		139 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: aws_db_instance.appdb1
	File: /rds.tf:98-139
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-354

		98  | resource "aws_db_instance" "appdb1" {
		99  |   allocated_storage           = var.allocated_storage
		100 |   db_name                     = upper(var.application_name)
		101 |   identifier                  = "${var.identifier_name}-with-snapshot"
		102 |   engine                      = var.engine
		103 |   engine_version              = var.engine_version
		104 |   instance_class              = var.instance_class
		105 |   allow_major_version_upgrade = var.allow_major_version_upgrade
		106 |   auto_minor_version_upgrade  = var.auto_minor_version_upgrade
		107 |   storage_type                = var.storage_type
		108 |   backup_retention_period     = var.backup_retention_period
		109 |   backup_window               = var.backup_window
		110 |   maintenance_window          = var.maintenance_window
		111 |   character_set_name          = var.character_set_name
		112 |   availability_zone           = var.availability_zone
		113 |   multi_az                    = var.multi_az
		114 |   username                    = var.username
		115 |   password                    = random_password.rds_password.result
		116 |   vpc_security_group_ids      = [aws_security_group.laalz-secgroup.id, aws_security_group.vpc-secgroup.id]
		117 |   skip_final_snapshot         = false
		118 |   final_snapshot_identifier   = "${var.application_name}-${formatdate("DDMMMYYYYhhmm", timestamp())}-finalsnapshot"
		119 |   parameter_group_name        = aws_db_parameter_group.appdbparametergroup19.name
		120 |   option_group_name           = aws_db_option_group.appdboptiongroup19.name
		121 |   db_subnet_group_name        = aws_db_subnet_group.appdbsubnetgroup.name
		122 |   license_model               = var.license_model
		123 |   deletion_protection         = var.deletion_protection
		124 |   copy_tags_to_snapshot       = true
		125 |   storage_encrypted           = true
		126 |   apply_immediately           = true
		127 |   snapshot_identifier         = var.rds_snapshot_arn
		128 |   kms_key_id                  = var.rds_kms_key_arn
		129 |   tags = merge(
		130 |     var.tags,
		131 |     { "Name" = "${var.application_name}-${var.environment}-database-with-snapshot" },
		132 |     { "instance-scheduling" = "skip-scheduling" }
		133 |   )
		134 | 
		135 |   timeouts {
		136 |     create = "60m"
		137 |     delete = "2h"
		138 |   }
		139 | }

Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
	FAILED for resource: aws_db_instance.appdb2
	File: /rds.tf:143-183
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances

		143 | resource "aws_db_instance" "appdb2" {
		144 |   allocated_storage           = var.allocated_storage
		145 |   db_name                     = upper(var.application_name)
		146 |   identifier                  = var.identifier_name
		147 |   engine                      = var.engine
		148 |   engine_version              = var.engine_version
		149 |   instance_class              = var.instance_class
		150 |   allow_major_version_upgrade = var.allow_major_version_upgrade
		151 |   auto_minor_version_upgrade  = var.auto_minor_version_upgrade
		152 |   storage_type                = var.storage_type
		153 |   backup_retention_period     = var.backup_retention_period
		154 |   backup_window               = var.backup_window
		155 |   maintenance_window          = var.maintenance_window
		156 |   character_set_name          = var.character_set_name
		157 |   availability_zone           = var.availability_zone
		158 |   multi_az                    = var.multi_az
		159 |   username                    = var.username
		160 |   password                    = random_password.rds_password.result
		161 |   vpc_security_group_ids      = [aws_security_group.laalz-secgroup.id, aws_security_group.vpc-secgroup.id]
		162 |   skip_final_snapshot         = false
		163 |   final_snapshot_identifier   = "${var.application_name}-${formatdate("DDMMMYYYYhhmm", timestamp())}-finalsnapshot"
		164 |   parameter_group_name        = aws_db_parameter_group.appdbparametergroup19.name
		165 |   option_group_name           = aws_db_option_group.appdboptiongroup19.name
		166 |   db_subnet_group_name        = aws_db_subnet_group.appdbsubnetgroup.name
		167 |   license_model               = var.license_model
		168 |   deletion_protection         = var.deletion_protection
		169 |   copy_tags_to_snapshot       = true
		170 |   storage_encrypted           = true
		171 |   apply_immediately           = true
		172 |   kms_key_id                  = var.rds_kms_key_arn
		173 |   tags = merge(
		174 |     var.tags,
		175 |     { "Name" = "${var.application_name}-${var.environment}-database-without-snapshot" },
		176 |     { "instance-scheduling" = "skip-scheduling" }
		177 |   )
		178 | 
		179 |   timeouts {
		180 |     create = "60m"
		181 |     delete = "2h"
		182 |   }
		183 | }

Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
	FAILED for resource: aws_db_instance.appdb2
	File: /rds.tf:143-183
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled

		143 | resource "aws_db_instance" "appdb2" {
		144 |   allocated_storage           = var.allocated_storage
		145 |   db_name                     = upper(var.application_name)
		146 |   identifier                  = var.identifier_name
		147 |   engine                      = var.engine
		148 |   engine_version              = var.engine_version
		149 |   instance_class              = var.instance_class
		150 |   allow_major_version_upgrade = var.allow_major_version_upgrade
		151 |   auto_minor_version_upgrade  = var.auto_minor_version_upgrade
		152 |   storage_type                = var.storage_type
		153 |   backup_retention_period     = var.backup_retention_period
		154 |   backup_window               = var.backup_window
		155 |   maintenance_window          = var.maintenance_window
		156 |   character_set_name          = var.character_set_name
		157 |   availability_zone           = var.availability_zone
		158 |   multi_az                    = var.multi_az
		159 |   username                    = var.username
		160 |   password                    = random_password.rds_password.result
		161 |   vpc_security_group_ids      = [aws_security_group.laalz-secgroup.id, aws_security_group.vpc-secgroup.id]
		162 |   skip_final_snapshot         = false
		163 |   final_snapshot_identifier   = "${var.application_name}-${formatdate("DDMMMYYYYhhmm", timestamp())}-finalsnapshot"
		164 |   parameter_group_name        = aws_db_parameter_group.appdbparametergroup19.name
		165 |   option_group_name           = aws_db_option_group.appdboptiongroup19.name
		166 |   db_subnet_group_name        = aws_db_subnet_group.appdbsubnetgroup.name
		167 |   license_model               = var.license_model
		168 |   deletion_protection         = var.deletion_protection
		169 |   copy_tags_to_snapshot       = true
		170 |   storage_encrypted           = true
		171 |   apply_immediately           = true
		172 |   kms_key_id                  = var.rds_kms_key_arn
		173 |   tags = merge(
		174 |     var.tags,
		175 |     { "Name" = "${var.application_name}-${var.environment}-database-without-snapshot" },
		176 |     { "instance-scheduling" = "skip-scheduling" }
		177 |   )
		178 | 
		179 |   timeouts {
		180 |     create = "60m"
		181 |     delete = "2h"
		182 |   }
		183 | }

Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
	FAILED for resource: aws_db_instance.appdb2
	File: /rds.tf:143-183
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-353

		143 | resource "aws_db_instance" "appdb2" {
		144 |   allocated_storage           = var.allocated_storage
		145 |   db_name                     = upper(var.application_name)
		146 |   identifier                  = var.identifier_name
		147 |   engine                      = var.engine
		148 |   engine_version              = var.engine_version
		149 |   instance_class              = var.instance_class
		150 |   allow_major_version_upgrade = var.allow_major_version_upgrade
		151 |   auto_minor_version_upgrade  = var.auto_minor_version_upgrade
		152 |   storage_type                = var.storage_type
		153 |   backup_retention_period     = var.backup_retention_period
		154 |   backup_window               = var.backup_window
		155 |   maintenance_window          = var.maintenance_window
		156 |   character_set_name          = var.character_set_name
		157 |   availability_zone           = var.availability_zone
		158 |   multi_az                    = var.multi_az
		159 |   username                    = var.username
		160 |   password                    = random_password.rds_password.result
		161 |   vpc_security_group_ids      = [aws_security_group.laalz-secgroup.id, aws_security_group.vpc-secgroup.id]
		162 |   skip_final_snapshot         = false
		163 |   final_snapshot_identifier   = "${var.application_name}-${formatdate("DDMMMYYYYhhmm", timestamp())}-finalsnapshot"
		164 |   parameter_group_name        = aws_db_parameter_group.appdbparametergroup19.name
		165 |   option_group_name           = aws_db_option_group.appdboptiongroup19.name
		166 |   db_subnet_group_name        = aws_db_subnet_group.appdbsubnetgroup.name
		167 |   license_model               = var.license_model
		168 |   deletion_protection         = var.deletion_protection
		169 |   copy_tags_to_snapshot       = true
		170 |   storage_encrypted           = true
		171 |   apply_immediately           = true
		172 |   kms_key_id                  = var.rds_kms_key_arn
		173 |   tags = merge(
		174 |     var.tags,
		175 |     { "Name" = "${var.application_name}-${var.environment}-database-without-snapshot" },
		176 |     { "instance-scheduling" = "skip-scheduling" }
		177 |   )
		178 | 
		179 |   timeouts {
		180 |     create = "60m"
		181 |     delete = "2h"
		182 |   }
		183 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: aws_db_instance.appdb2
	File: /rds.tf:143-183
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-354

		143 | resource "aws_db_instance" "appdb2" {
		144 |   allocated_storage           = var.allocated_storage
		145 |   db_name                     = upper(var.application_name)
		146 |   identifier                  = var.identifier_name
		147 |   engine                      = var.engine
		148 |   engine_version              = var.engine_version
		149 |   instance_class              = var.instance_class
		150 |   allow_major_version_upgrade = var.allow_major_version_upgrade
		151 |   auto_minor_version_upgrade  = var.auto_minor_version_upgrade
		152 |   storage_type                = var.storage_type
		153 |   backup_retention_period     = var.backup_retention_period
		154 |   backup_window               = var.backup_window
		155 |   maintenance_window          = var.maintenance_window
		156 |   character_set_name          = var.character_set_name
		157 |   availability_zone           = var.availability_zone
		158 |   multi_az                    = var.multi_az
		159 |   username                    = var.username
		160 |   password                    = random_password.rds_password.result
		161 |   vpc_security_group_ids      = [aws_security_group.laalz-secgroup.id, aws_security_group.vpc-secgroup.id]
		162 |   skip_final_snapshot         = false
		163 |   final_snapshot_identifier   = "${var.application_name}-${formatdate("DDMMMYYYYhhmm", timestamp())}-finalsnapshot"
		164 |   parameter_group_name        = aws_db_parameter_group.appdbparametergroup19.name
		165 |   option_group_name           = aws_db_option_group.appdboptiongroup19.name
		166 |   db_subnet_group_name        = aws_db_subnet_group.appdbsubnetgroup.name
		167 |   license_model               = var.license_model
		168 |   deletion_protection         = var.deletion_protection
		169 |   copy_tags_to_snapshot       = true
		170 |   storage_encrypted           = true
		171 |   apply_immediately           = true
		172 |   kms_key_id                  = var.rds_kms_key_arn
		173 |   tags = merge(
		174 |     var.tags,
		175 |     { "Name" = "${var.application_name}-${var.environment}-database-without-snapshot" },
		176 |     { "instance-scheduling" = "skip-scheduling" }
		177 |   )
		178 | 
		179 |   timeouts {
		180 |     create = "60m"
		181 |     delete = "2h"
		182 |   }
		183 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.rds_password_secret
	File: /rds.tf:76-83
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		76 | resource "aws_secretsmanager_secret" "rds_password_secret" {
		77 |   name        = "${var.application_name}/app/db-master-password-tmp2" # TODO This name needs changing back to without -tmp2 to be compatible with hardcoded OAS installation
		78 |   description = "This secret has a dynamically generated password."
		79 |   tags = merge(
		80 |     var.tags,
		81 |     { "Name" = "${var.application_name}/app/db-master-password-tmp2" }, # TODO This name needs changing back to without -tmp2 to be compatible with hardcoded OAS installation
		82 |   )
		83 | }


checkov_exitcode=1

*****************************

Running Checkov in terraform/environments/oas
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-09-20 10:25:30,806 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 87, Failed checks: 38, Skipped checks: 0

Check: CKV_AWS_166: "Ensure Backup Vault is encrypted at rest using KMS CMK"
	FAILED for resource: aws_backup_vault.default_oas
	File: /backups.tf:1-7
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-backup-vault-is-encrypted-at-rest-using-kms-cmk

		1 | resource "aws_backup_vault" "default_oas" {
		2 |   name = "${local.application_name}-backup-vault"
		3 |   tags = merge(
		4 |     local.tags,
		5 |     { "Name" = "${local.application_name}-backup-vault" },
		6 |   )
		7 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: pagerduty_core_alerts
	File: /cloudwatch.tf:102-109
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		102 | module "pagerduty_core_alerts" {
		103 |   depends_on = [
		104 |     module.cwalarm
		105 |   ]
		106 |   source                    = "github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0"
		107 |   sns_topics                = [local.sns_topic_name]
		108 |   pagerduty_integration_key = local.pagerduty_integration_keys[local.pagerduty_integration_key_name]
		109 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.oas_app_instance
	File: /ec2.tf:16-53
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		16 | resource "aws_instance" "oas_app_instance" {
		17 |   ami = local.application_data.accounts[local.environment].ec2amiid
		18 |   # associate_public_ip_address = false
		19 |   availability_zone = "eu-west-2a"
		20 |   ebs_optimized     = true
		21 |   instance_type     = local.application_data.accounts[local.environment].ec2instancetype
		22 |   # vpc_security_group_ids      = [aws_security_group.ec2.id]
		23 |   monitoring = true
		24 |   # subnet_id                   = data.aws_subnet.private_subnets_a.id
		25 |   iam_instance_profile        = aws_iam_instance_profile.ec2_instance_profile.id
		26 |   user_data_replace_on_change = true
		27 |   user_data                   = base64encode(data.local_file.userdata.content)
		28 | 
		29 | 
		30 | 
		31 |   network_interface {
		32 |     network_interface_id = aws_network_interface.oas_eni.id
		33 |     device_index         = 0
		34 |   }
		35 | 
		36 |   root_block_device {
		37 |     delete_on_termination = false
		38 |     encrypted             = true # TODO Confirm if encrypted volumes can work for OAS, as it looks like in MP they must be encrypted
		39 |     volume_size           = 40
		40 |     volume_type           = "gp2"
		41 |     tags = merge(
		42 |       local.tags,
		43 |       { "Name" = "${local.application_name}-root-volume" },
		44 |     )
		45 |   }
		46 | 
		47 |   tags = merge(
		48 |     local.tags,
		49 |     { "Name" = "${local.application_name} Apps Server" },
		50 |     { "instance-scheduling" = "skip-scheduling" },
		51 |     { "snapshot-with-daily-7-day-retention" = "yes" }
		52 |   )
		53 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.ec2_instance_policy
	File: /ec2.tf:255-295
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		255 | resource "aws_iam_role_policy" "ec2_instance_policy" {
		256 |   #tfsec:ignore:aws-iam-no-policy-wildcards
		257 |   name = "${local.application_name}-ec2-policy"
		258 |   role = aws_iam_role.ec2_instance_role.id
		259 | 
		260 |   # Terraform's "jsonencode" function converts a
		261 |   # Terraform expression result to valid JSON syntax.
		262 |   policy = jsonencode({
		263 |     Version = "2012-10-17"
		264 |     Statement = [
		265 |       {
		266 |         Action = [
		267 |           "ec2:Describe*",
		268 |         ]
		269 |         Effect   = "Allow"
		270 |         Resource = "*"
		271 |       },
		272 |       {
		273 |         Effect = "Allow",
		274 |         Action = [
		275 |           "s3:ListBucket",
		276 |         ],
		277 |         Resource = [
		278 |           "arn:aws:s3:::modernisation-platform-software20230224000709766100000001",
		279 |           "arn:aws:s3:::modernisation-platform-software20230224000709766100000001/*",
		280 |         ]
		281 |       },
		282 |       {
		283 |         Effect = "Allow",
		284 |         Action = [
		285 |           "s3:GetObject",
		286 |           "s3:PutObject",
		287 |           "s3:PutObjectAcl",
		288 |         ],
		289 |         Resource = [
		290 |           "arn:aws:s3:::modernisation-platform-software20230224000709766100000001/*",
		291 |         ]
		292 |       }
		293 |     ]
		294 |   })
		295 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: module.cwalarm.aws_sns_topic.alerting_topic
	File: /modules/cloudwatch/cloudwatch.tf:38-40
	Calling File: /cloudwatch.tf:94-100
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		38 | resource "aws_sns_topic" "alerting_topic" {
		39 |   name = var.snsTopicName
		40 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: module.rds.aws_secretsmanager_secret.rds_password_secret
	File: /modules/rds/rds.tf:76-83
	Calling File: /rds.tf:4-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		76 | resource "aws_secretsmanager_secret" "rds_password_secret" {
		77 |   name        = "${var.application_name}/app/db-master-password-tmp2" # TODO This name needs changing back to without -tmp2 to be compatible with hardcoded OAS installation
		78 |   description = "This secret has a dynamically generated password."
		79 |   tags = merge(
		80 |     var.tags,
		81 |     { "Name" = "${var.application_name}/app/db-master-password-tmp2" }, # TODO This name needs changing back to without -tmp2 to be compatible with hardcoded OAS installation
		82 |   )
		83 | }

Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
	FAILED for resource: module.rds.aws_db_instance.appdb1
	File: /modules/rds/rds.tf:98-139
	Calling File: /rds.tf:4-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-73

		98  | resource "aws_db_instance" "appdb1" {
		99  |   allocated_storage           = var.allocated_storage
		100 |   db_name                     = upper(var.application_name)
		101 |   identifier                  = "${var.identifier_name}-with-snapshot"
		102 |   engine                      = var.engine
		103 |   engine_version              = var.engine_version
		104 |   instance_class              = var.instance_class
		105 |   allow_major_version_upgrade = var.allow_major_version_upgrade
		106 |   auto_minor_version_upgrade  = var.auto_minor_version_upgrade
		107 |   storage_type                = var.storage_type
		108 |   backup_retention_period     = var.backup_retention_period
		109 |   backup_window               = var.backup_window
		110 |   maintenance_window          = var.maintenance_window
		111 |   character_set_name          = var.character_set_name
		112 |   availability_zone           = var.availability_zone
		113 |   multi_az                    = var.multi_az
		114 |   username                    = var.username
		115 |   password                    = random_password.rds_password.result
		116 |   vpc_security_group_ids      = [aws_security_group.laalz-secgroup.id, aws_security_group.vpc-secgroup.id]
		117 |   skip_final_snapshot         = false
		118 |   final_snapshot_identifier   = "${var.application_name}-${formatdate("DDMMMYYYYhhmm", timestamp())}-finalsnapshot"
		119 |   parameter_group_name        = aws_db_parameter_group.appdbparametergroup19.name
		120 |   option_group_name           = aws_db_option_group.appdboptiongroup19.name
		121 |   db_subnet_group_name        = aws_db_subnet_group.appdbsubnetgroup.name
		122 |   license_model               = var.license_model
		123 |   deletion_protection         = var.deletion_protection
		124 |   copy_tags_to_snapshot       = true
		125 |   storage_encrypted           = true
		126 |   apply_immediately           = true
		127 |   snapshot_identifier         = var.rds_snapshot_arn
		128 |   kms_key_id                  = var.rds_kms_key_arn
		129 |   tags = merge(
		130 |     var.tags,
		131 |     { "Name" = "${var.application_name}-${var.environment}-database-with-snapshot" },
		132 |     { "instance-scheduling" = "skip-scheduling" }
		133 |   )
		134 | 
		135 |   timeouts {
		136 |     create = "60m"
		137 |     delete = "2h"
		138 |   }
		139 | }

Check: CKV_AWS_226: "Ensure DB instance gets all minor upgrades automatically"
	FAILED for resource: module.rds.aws_db_instance.appdb1
	File: /modules/rds/rds.tf:98-139
	Calling File: /rds.tf:4-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-db-instance-gets-all-minor-upgrades-automatically

		98  | resource "aws_db_instance" "appdb1" {
		99  |   allocated_storage           = var.allocated_storage
		100 |   db_name                     = upper(var.application_name)
		101 |   identifier                  = "${var.identifier_name}-with-snapshot"
		102 |   engine                      = var.engine
		103 |   engine_version              = var.engine_version
		104 |   instance_class              = var.instance_class
		105 |   allow_major_version_upgrade = var.allow_major_version_upgrade
		106 |   auto_minor_version_upgrade  = var.auto_minor_version_upgrade
		107 |   storage_type                = var.storage_type
		108 |   backup_retention_period     = var.backup_retention_period
		109 |   backup_window               = var.backup_window
		110 |   maintenance_window          = var.maintenance_window
		111 |   character_set_name          = var.character_set_name
		112 |   availability_zone           = var.availability_zone
		113 |   multi_az                    = var.multi_az
		114 |   username                    = var.username
		115 |   password                    = random_password.rds_password.result
		116 |   vpc_security_group_ids      = [aws_security_group.laalz-secgroup.id, aws_security_group.vpc-secgroup.id]
		117 |   skip_final_snapshot         = false
		118 |   final_snapshot_identifier   = "${var.application_name}-${formatdate("DDMMMYYYYhhmm", timestamp())}-finalsnapshot"
		119 |   parameter_group_name        = aws_db_parameter_group.appdbparametergroup19.name
		120 |   option_group_name           = aws_db_option_group.appdboptiongroup19.name
		121 |   db_subnet_group_name        = aws_db_subnet_group.appdbsubnetgroup.name
		122 |   license_model               = var.license_model
		123 |   deletion_protection         = var.deletion_protection
		124 |   copy_tags_to_snapshot       = true
		125 |   storage_encrypted           = true
		126 |   apply_immediately           = true
		127 |   snapshot_identifier         = var.rds_snapshot_arn
		128 |   kms_key_id                  = var.rds_kms_key_arn
		129 |   tags = merge(
		130 |     var.tags,
		131 |     { "Name" = "${var.application_name}-${var.environment}-database-with-snapshot" },
		132 |     { "instance-scheduling" = "skip-scheduling" }
		133 |   )
		134 | 
		135 |   timeouts {
		136 |     create = "60m"
		137 |     delete = "2h"
		138 |   }
		139 | }

Check: CKV_AWS_133: "Ensure that RDS instances has backup policy"
	FAILED for resource: module.rds.aws_db_instance.appdb1
	File: /modules/rds/rds.tf:98-139
	Calling File: /rds.tf:4-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-rds-instances-have-backup-policy

		98  | resource "aws_db_instance" "appdb1" {
		99  |   allocated_storage           = var.allocated_storage
		100 |   db_name                     = upper(var.application_name)
		101 |   identifier                  = "${var.identifier_name}-with-snapshot"
		102 |   engine                      = var.engine
		103 |   engine_version              = var.engine_version
		104 |   instance_class              = var.instance_class
		105 |   allow_major_version_upgrade = var.allow_major_version_upgrade
		106 |   auto_minor_version_upgrade  = var.auto_minor_version_upgrade
		107 |   storage_type                = var.storage_type
		108 |   backup_retention_period     = var.backup_retention_period
		109 |   backup_window               = var.backup_window
		110 |   maintenance_window          = var.maintenance_window
		111 |   character_set_name          = var.character_set_name
		112 |   availability_zone           = var.availability_zone
		113 |   multi_az                    = var.multi_az
		114 |   username                    = var.username
		115 |   password                    = random_password.rds_password.result
		116 |   vpc_security_group_ids      = [aws_security_group.laalz-secgroup.id, aws_security_group.vpc-secgroup.id]
		117 |   skip_final_snapshot         = false
		118 |   final_snapshot_identifier   = "${var.application_name}-${formatdate("DDMMMYYYYhhmm", timestamp())}-finalsnapshot"
		119 |   parameter_group_name        = aws_db_parameter_group.appdbparametergroup19.name
		120 |   option_group_name           = aws_db_option_group.appdboptiongroup19.name
		121 |   db_subnet_group_name        = aws_db_subnet_group.appdbsubnetgroup.name
		122 |   license_model               = var.license_model
		123 |   deletion_protection         = var.deletion_protection
		124 |   copy_tags_to_snapshot       = true
		125 |   storage_encrypted           = true
		126 |   apply_immediately           = true
		127 |   snapshot_identifier         = var.rds_snapshot_arn
		128 |   kms_key_id                  = var.rds_kms_key_arn
		129 |   tags = merge(
		130 |     var.tags,
		131 |     { "Name" = "${var.application_name}-${var.environment}-database-with-snapshot" },
		132 |     { "instance-scheduling" = "skip-scheduling" }
		133 |   )
		134 | 
		135 |   timeouts {
		136 |     create = "60m"
		137 |     delete = "2h"
		138 |   }
		139 | }

Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
	FAILED for resource: module.rds.aws_db_instance.appdb1
	File: /modules/rds/rds.tf:98-139
	Calling File: /rds.tf:4-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances

		98  | resource "aws_db_instance" "appdb1" {
		99  |   allocated_storage           = var.allocated_storage
		100 |   db_name                     = upper(var.application_name)
		101 |   identifier                  = "${var.identifier_name}-with-snapshot"
		102 |   engine                      = var.engine
		103 |   engine_version              = var.engine_version
		104 |   instance_class              = var.instance_class
		105 |   allow_major_version_upgrade = var.allow_major_version_upgrade
		106 |   auto_minor_version_upgrade  = var.auto_minor_version_upgrade
		107 |   storage_type                = var.storage_type
		108 |   backup_retention_period     = var.backup_retention_period
		109 |   backup_window               = var.backup_window
		110 |   maintenance_window          = var.maintenance_window
		111 |   character_set_name          = var.character_set_name
		112 |   availability_zone           = var.availability_zone
		113 |   multi_az                    = var.multi_az
		114 |   username                    = var.username
		115 |   password                    = random_password.rds_password.result
		116 |   vpc_security_group_ids      = [aws_security_group.laalz-secgroup.id, aws_security_group.vpc-secgroup.id]
		117 |   skip_final_snapshot         = false
		118 |   final_snapshot_identifier   = "${var.application_name}-${formatdate("DDMMMYYYYhhmm", timestamp())}-finalsnapshot"
		119 |   parameter_group_name        = aws_db_parameter_group.appdbparametergroup19.name
		120 |   option_group_name           = aws_db_option_group.appdboptiongroup19.name
		121 |   db_subnet_group_name        = aws_db_subnet_group.appdbsubnetgroup.name
		122 |   license_model               = var.license_model
		123 |   deletion_protection         = var.deletion_protection
		124 |   copy_tags_to_snapshot       = true
		125 |   storage_encrypted           = true
		126 |   apply_immediately           = true
		127 |   snapshot_identifier         = var.rds_snapshot_arn
		128 |   kms_key_id                  = var.rds_kms_key_arn
		129 |   tags = merge(
		130 |     var.tags,
		131 |     { "Name" = "${var.application_name}-${var.environment}-database-with-snapshot" },
		132 |     { "instance-scheduling" = "skip-scheduling" }
		133 |   )
		134 | 
		135 |   timeouts {
		136 |     create = "60m"
		137 |     delete = "2h"
		138 |   }
		139 | }

Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
	FAILED for resource: module.rds.aws_db_instance.appdb1
	File: /modules/rds/rds.tf:98-139
	Calling File: /rds.tf:4-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled

		98  | resource "aws_db_instance" "appdb1" {
		99  |   allocated_storage           = var.allocated_storage
		100 |   db_name                     = upper(var.application_name)
		101 |   identifier                  = "${var.identifier_name}-with-snapshot"
		102 |   engine                      = var.engine
		103 |   engine_version              = var.engine_version
		104 |   instance_class              = var.instance_class
		105 |   allow_major_version_upgrade = var.allow_major_version_upgrade
		106 |   auto_minor_version_upgrade  = var.auto_minor_version_upgrade
		107 |   storage_type                = var.storage_type
		108 |   backup_retention_period     = var.backup_retention_period
		109 |   backup_window               = var.backup_window
		110 |   maintenance_window          = var.maintenance_window
		111 |   character_set_name          = var.character_set_name
		112 |   availability_zone           = var.availability_zone
		113 |   multi_az                    = var.multi_az
		114 |   username                    = var.username
		115 |   password                    = random_password.rds_password.result
		116 |   vpc_security_group_ids      = [aws_security_group.laalz-secgroup.id, aws_security_group.vpc-secgroup.id]
		117 |   skip_final_snapshot         = false
		118 |   final_snapshot_identifier   = "${var.application_name}-${formatdate("DDMMMYYYYhhmm", timestamp())}-finalsnapshot"
		119 |   parameter_group_name        = aws_db_parameter_group.appdbparametergroup19.name
		120 |   option_group_name           = aws_db_option_group.appdboptiongroup19.name
		121 |   db_subnet_group_name        = aws_db_subnet_group.appdbsubnetgroup.name
		122 |   license_model               = var.license_model
		123 |   deletion_protection         = var.deletion_protection
		124 |   copy_tags_to_snapshot       = true
		125 |   storage_encrypted           = true
		126 |   apply_immediately           = true
		127 |   snapshot_identifier         = var.rds_snapshot_arn
		128 |   kms_key_id                  = var.rds_kms_key_arn
		129 |   tags = merge(
		130 |     var.tags,
		131 |     { "Name" = "${var.application_name}-${var.environment}-database-with-snapshot" },
		132 |     { "instance-scheduling" = "skip-scheduling" }
		133 |   )
		134 | 
		135 |   timeouts {
		136 |     create = "60m"
		137 |     delete = "2h"
		138 |   }
		139 | }

Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
	FAILED for resource: module.rds.aws_db_instance.appdb1
	File: /modules/rds/rds.tf:98-139
	Calling File: /rds.tf:4-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-353

		98  | resource "aws_db_instance" "appdb1" {
		99  |   allocated_storage           = var.allocated_storage
		100 |   db_name                     = upper(var.application_name)
		101 |   identifier                  = "${var.identifier_name}-with-snapshot"
		102 |   engine                      = var.engine
		103 |   engine_version              = var.engine_version
		104 |   instance_class              = var.instance_class
		105 |   allow_major_version_upgrade = var.allow_major_version_upgrade
		106 |   auto_minor_version_upgrade  = var.auto_minor_version_upgrade
		107 |   storage_type                = var.storage_type
		108 |   backup_retention_period     = var.backup_retention_period
		109 |   backup_window               = var.backup_window
		110 |   maintenance_window          = var.maintenance_window
		111 |   character_set_name          = var.character_set_name
		112 |   availability_zone           = var.availability_zone
		113 |   multi_az                    = var.multi_az
		114 |   username                    = var.username
		115 |   password                    = random_password.rds_password.result
		116 |   vpc_security_group_ids      = [aws_security_group.laalz-secgroup.id, aws_security_group.vpc-secgroup.id]
		117 |   skip_final_snapshot         = false
		118 |   final_snapshot_identifier   = "${var.application_name}-${formatdate("DDMMMYYYYhhmm", timestamp())}-finalsnapshot"
		119 |   parameter_group_name        = aws_db_parameter_group.appdbparametergroup19.name
		120 |   option_group_name           = aws_db_option_group.appdboptiongroup19.name
		121 |   db_subnet_group_name        = aws_db_subnet_group.appdbsubnetgroup.name
		122 |   license_model               = var.license_model
		123 |   deletion_protection         = var.deletion_protection
		124 |   copy_tags_to_snapshot       = true
		125 |   storage_encrypted           = true
		126 |   apply_immediately           = true
		127 |   snapshot_identifier         = var.rds_snapshot_arn
		128 |   kms_key_id                  = var.rds_kms_key_arn
		129 |   tags = merge(
		130 |     var.tags,
		131 |     { "Name" = "${var.application_name}-${var.environment}-database-with-snapshot" },
		132 |     { "instance-scheduling" = "skip-scheduling" }
		133 |   )
		134 | 
		135 |   timeouts {
		136 |     create = "60m"
		137 |     delete = "2h"
		138 |   }
		139 | }

Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
	FAILED for resource: module.rds.aws_db_instance.appdb1
	File: /modules/rds/rds.tf:98-139
	Calling File: /rds.tf:4-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-293

		98  | resource "aws_db_instance" "appdb1" {
		99  |   allocated_storage           = var.allocated_storage
		100 |   db_name                     = upper(var.application_name)
		101 |   identifier                  = "${var.identifier_name}-with-snapshot"
		102 |   engine                      = var.engine
		103 |   engine_version              = var.engine_version
		104 |   instance_class              = var.instance_class
		105 |   allow_major_version_upgrade = var.allow_major_version_upgrade
		106 |   auto_minor_version_upgrade  = var.auto_minor_version_upgrade
		107 |   storage_type                = var.storage_type
		108 |   backup_retention_period     = var.backup_retention_period
		109 |   backup_window               = var.backup_window
		110 |   maintenance_window          = var.maintenance_window
		111 |   character_set_name          = var.character_set_name
		112 |   availability_zone           = var.availability_zone
		113 |   multi_az                    = var.multi_az
		114 |   username                    = var.username
		115 |   password                    = random_password.rds_password.result
		116 |   vpc_security_group_ids      = [aws_security_group.laalz-secgroup.id, aws_security_group.vpc-secgroup.id]
		117 |   skip_final_snapshot         = false
		118 |   final_snapshot_identifier   = "${var.application_name}-${formatdate("DDMMMYYYYhhmm", timestamp())}-finalsnapshot"
		119 |   parameter_group_name        = aws_db_parameter_group.appdbparametergroup19.name
		120 |   option_group_name           = aws_db_option_group.appdboptiongroup19.name
		121 |   db_subnet_group_name        = aws_db_subnet_group.appdbsubnetgroup.name
		122 |   license_model               = var.license_model
		123 |   deletion_protection         = var.deletion_protection
		124 |   copy_tags_to_snapshot       = true
		125 |   storage_encrypted           = true
		126 |   apply_immediately           = true
		127 |   snapshot_identifier         = var.rds_snapshot_arn
		128 |   kms_key_id                  = var.rds_kms_key_arn
		129 |   tags = merge(
		130 |     var.tags,
		131 |     { "Name" = "${var.application_name}-${var.environment}-database-with-snapshot" },
		132 |     { "instance-scheduling" = "skip-scheduling" }
		133 |   )
		134 | 
		135 |   timeouts {
		136 |     create = "60m"
		137 |     delete = "2h"
		138 |   }
		139 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: module.rds.aws_db_instance.appdb1
	File: /modules/rds/rds.tf:98-139
	Calling File: /rds.tf:4-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-354

		98  | resource "aws_db_instance" "appdb1" {
		99  |   allocated_storage           = var.allocated_storage
		100 |   db_name                     = upper(var.application_name)
		101 |   identifier                  = "${var.identifier_name}-with-snapshot"
		102 |   engine                      = var.engine
		103 |   engine_version              = var.engine_version
		104 |   instance_class              = var.instance_class
		105 |   allow_major_version_upgrade = var.allow_major_version_upgrade
		106 |   auto_minor_version_upgrade  = var.auto_minor_version_upgrade
		107 |   storage_type                = var.storage_type
		108 |   backup_retention_period     = var.backup_retention_period
		109 |   backup_window               = var.backup_window
		110 |   maintenance_window          = var.maintenance_window
		111 |   character_set_name          = var.character_set_name
		112 |   availability_zone           = var.availability_zone
		113 |   multi_az                    = var.multi_az
		114 |   username                    = var.username
		115 |   password                    = random_password.rds_password.result
		116 |   vpc_security_group_ids      = [aws_security_group.laalz-secgroup.id, aws_security_group.vpc-secgroup.id]
		117 |   skip_final_snapshot         = false
		118 |   final_snapshot_identifier   = "${var.application_name}-${formatdate("DDMMMYYYYhhmm", timestamp())}-finalsnapshot"
		119 |   parameter_group_name        = aws_db_parameter_group.appdbparametergroup19.name
		120 |   option_group_name           = aws_db_option_group.appdboptiongroup19.name
		121 |   db_subnet_group_name        = aws_db_subnet_group.appdbsubnetgroup.name
		122 |   license_model               = var.license_model
		123 |   deletion_protection         = var.deletion_protection
		124 |   copy_tags_to_snapshot       = true
		125 |   storage_encrypted           = true
		126 |   apply_immediately           = true
		127 |   snapshot_identifier         = var.rds_snapshot_arn
		128 |   kms_key_id                  = var.rds_kms_key_arn
		129 |   tags = merge(
		130 |     var.tags,
		131 |     { "Name" = "${var.application_name}-${var.environment}-database-with-snapshot" },
		132 |     { "instance-scheduling" = "skip-scheduling" }
		133 |   )
		134 | 
		135 |   timeouts {
		136 |     create = "60m"
		137 |     delete = "2h"
		138 |   }
		139 | }

Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
	FAILED for resource: module.rds.aws_db_instance.appdb2
	File: /modules/rds/rds.tf:143-183
	Calling File: /rds.tf:4-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-73

		143 | resource "aws_db_instance" "appdb2" {
		144 |   allocated_storage           = var.allocated_storage
		145 |   db_name                     = upper(var.application_name)
		146 |   identifier                  = var.identifier_name
		147 |   engine                      = var.engine
		148 |   engine_version              = var.engine_version
		149 |   instance_class              = var.instance_class
		150 |   allow_major_version_upgrade = var.allow_major_version_upgrade
		151 |   auto_minor_version_upgrade  = var.auto_minor_version_upgrade
		152 |   storage_type                = var.storage_type
		153 |   backup_retention_period     = var.backup_retention_period
		154 |   backup_window               = var.backup_window
		155 |   maintenance_window          = var.maintenance_window
		156 |   character_set_name          = var.character_set_name
		157 |   availability_zone           = var.availability_zone
		158 |   multi_az                    = var.multi_az
		159 |   username                    = var.username
		160 |   password                    = random_password.rds_password.result
		161 |   vpc_security_group_ids      = [aws_security_group.laalz-secgroup.id, aws_security_group.vpc-secgroup.id]
		162 |   skip_final_snapshot         = false
		163 |   final_snapshot_identifier   = "${var.application_name}-${formatdate("DDMMMYYYYhhmm", timestamp())}-finalsnapshot"
		164 |   parameter_group_name        = aws_db_parameter_group.appdbparametergroup19.name
		165 |   option_group_name           = aws_db_option_group.appdboptiongroup19.name
		166 |   db_subnet_group_name        = aws_db_subnet_group.appdbsubnetgroup.name
		167 |   license_model               = var.license_model
		168 |   deletion_protection         = var.deletion_protection
		169 |   copy_tags_to_snapshot       = true
		170 |   storage_encrypted           = true
		171 |   apply_immediately           = true
		172 |   kms_key_id                  = var.rds_kms_key_arn
		173 |   tags = merge(
		174 |     var.tags,
		175 |     { "Name" = "${var.application_name}-${var.environment}-database-without-snapshot" },
		176 |     { "instance-scheduling" = "skip-scheduling" }
		177 |   )
		178 | 
		179 |   timeouts {
		180 |     create = "60m"
		181 |     delete = "2h"
		182 |   }
		183 | }

Check: CKV_AWS_226: "Ensure DB instance gets all minor upgrades automatically"
	FAILED for resource: module.rds.aws_db_instance.appdb2
	File: /modules/rds/rds.tf:143-183
	Calling File: /rds.tf:4-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-db-instance-gets-all-minor-upgrades-automatically

		143 | resource "aws_db_instance" "appdb2" {
		144 |   allocated_storage           = var.allocated_storage
		145 |   db_name                     = upper(var.application_name)
		146 |   identifier                  = var.identifier_name
		147 |   engine                      = var.engine
		148 |   engine_version              = var.engine_version
		149 |   instance_class              = var.instance_class
		150 |   allow_major_version_upgrade = var.allow_major_version_upgrade
		151 |   auto_minor_version_upgrade  = var.auto_minor_version_upgrade
		152 |   storage_type                = var.storage_type
		153 |   backup_retention_period     = var.backup_retention_period
		154 |   backup_window               = var.backup_window
		155 |   maintenance_window          = var.maintenance_window
		156 |   character_set_name          = var.character_set_name
		157 |   availability_zone           = var.availability_zone
		158 |   multi_az                    = var.multi_az
		159 |   username                    = var.username
		160 |   password                    = random_password.rds_password.result
		161 |   vpc_security_group_ids      = [aws_security_group.laalz-secgroup.id, aws_security_group.vpc-secgroup.id]
		162 |   skip_final_snapshot         = false
		163 |   final_snapshot_identifier   = "${var.application_name}-${formatdate("DDMMMYYYYhhmm", timestamp())}-finalsnapshot"
		164 |   parameter_group_name        = aws_db_parameter_group.appdbparametergroup19.name
		165 |   option_group_name           = aws_db_option_group.appdboptiongroup19.name
		166 |   db_subnet_group_name        = aws_db_subnet_group.appdbsubnetgroup.name
		167 |   license_model               = var.license_model
		168 |   deletion_protection         = var.deletion_protection
		169 |   copy_tags_to_snapshot       = true
		170 |   storage_encrypted           = true
		171 |   apply_immediately           = true
		172 |   kms_key_id                  = var.rds_kms_key_arn
		173 |   tags = merge(
		174 |     var.tags,
		175 |     { "Name" = "${var.application_name}-${var.environment}-database-without-snapshot" },
		176 |     { "instance-scheduling" = "skip-scheduling" }
		177 |   )
		178 | 
		179 |   timeouts {
		180 |     create = "60m"
		181 |     delete = "2h"
		182 |   }
		183 | }

Check: CKV_AWS_133: "Ensure that RDS instances has backup policy"
	FAILED for resource: module.rds.aws_db_instance.appdb2
	File: /modules/rds/rds.tf:143-183
	Calling File: /rds.tf:4-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-rds-instances-have-backup-policy

		143 | resource "aws_db_instance" "appdb2" {
		144 |   allocated_storage           = var.allocated_storage
		145 |   db_name                     = upper(var.application_name)
		146 |   identifier                  = var.identifier_name
		147 |   engine                      = var.engine
		148 |   engine_version              = var.engine_version
		149 |   instance_class              = var.instance_class
		150 |   allow_major_version_upgrade = var.allow_major_version_upgrade
		151 |   auto_minor_version_upgrade  = var.auto_minor_version_upgrade
		152 |   storage_type                = var.storage_type
		153 |   backup_retention_period     = var.backup_retention_period
		154 |   backup_window               = var.backup_window
		155 |   maintenance_window          = var.maintenance_window
		156 |   character_set_name          = var.character_set_name
		157 |   availability_zone           = var.availability_zone
		158 |   multi_az                    = var.multi_az
		159 |   username                    = var.username
		160 |   password                    = random_password.rds_password.result
		161 |   vpc_security_group_ids      = [aws_security_group.laalz-secgroup.id, aws_security_group.vpc-secgroup.id]
		162 |   skip_final_snapshot         = false
		163 |   final_snapshot_identifier   = "${var.application_name}-${formatdate("DDMMMYYYYhhmm", timestamp())}-finalsnapshot"
		164 |   parameter_group_name        = aws_db_parameter_group.appdbparametergroup19.name
		165 |   option_group_name           = aws_db_option_group.appdboptiongroup19.name
		166 |   db_subnet_group_name        = aws_db_subnet_group.appdbsubnetgroup.name
		167 |   license_model               = var.license_model
		168 |   deletion_protection         = var.deletion_protection
		169 |   copy_tags_to_snapshot       = true
		170 |   storage_encrypted           = true
		171 |   apply_immediately           = true
		172 |   kms_key_id                  = var.rds_kms_key_arn
		173 |   tags = merge(
		174 |     var.tags,
		175 |     { "Name" = "${var.application_name}-${var.environment}-database-without-snapshot" },
		176 |     { "instance-scheduling" = "skip-scheduling" }
		177 |   )
		178 | 
		179 |   timeouts {
		180 |     create = "60m"
		181 |     delete = "2h"
		182 |   }
		183 | }

Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
	FAILED for resource: module.rds.aws_db_instance.appdb2
	File: /modules/rds/rds.tf:143-183
	Calling File: /rds.tf:4-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances

		143 | resource "aws_db_instance" "appdb2" {
		144 |   allocated_storage           = var.allocated_storage
		145 |   db_name                     = upper(var.application_name)
		146 |   identifier                  = var.identifier_name
		147 |   engine                      = var.engine
		148 |   engine_version              = var.engine_version
		149 |   instance_class              = var.instance_class
		150 |   allow_major_version_upgrade = var.allow_major_version_upgrade
		151 |   auto_minor_version_upgrade  = var.auto_minor_version_upgrade
		152 |   storage_type                = var.storage_type
		153 |   backup_retention_period     = var.backup_retention_period
		154 |   backup_window               = var.backup_window
		155 |   maintenance_window          = var.maintenance_window
		156 |   character_set_name          = var.character_set_name
		157 |   availability_zone           = var.availability_zone
		158 |   multi_az                    = var.multi_az
		159 |   username                    = var.username
		160 |   password                    = random_password.rds_password.result
		161 |   vpc_security_group_ids      = [aws_security_group.laalz-secgroup.id, aws_security_group.vpc-secgroup.id]
		162 |   skip_final_snapshot         = false
		163 |   final_snapshot_identifier   = "${var.application_name}-${formatdate("DDMMMYYYYhhmm", timestamp())}-finalsnapshot"
		164 |   parameter_group_name        = aws_db_parameter_group.appdbparametergroup19.name
		165 |   option_group_name           = aws_db_option_group.appdboptiongroup19.name
		166 |   db_subnet_group_name        = aws_db_subnet_group.appdbsubnetgroup.name
		167 |   license_model               = var.license_model
		168 |   deletion_protection         = var.deletion_protection
		169 |   copy_tags_to_snapshot       = true
		170 |   storage_encrypted           = true
		171 |   apply_immediately           = true
		172 |   kms_key_id                  = var.rds_kms_key_arn
		173 |   tags = merge(
		174 |     var.tags,
		175 |     { "Name" = "${var.application_name}-${var.environment}-database-without-snapshot" },
		176 |     { "instance-scheduling" = "skip-scheduling" }
		177 |   )
		178 | 
		179 |   timeouts {
		180 |     create = "60m"
		181 |     delete = "2h"
		182 |   }
		183 | }

Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
	FAILED for resource: module.rds.aws_db_instance.appdb2
	File: /modules/rds/rds.tf:143-183
	Calling File: /rds.tf:4-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled

		143 | resource "aws_db_instance" "appdb2" {
		144 |   allocated_storage           = var.allocated_storage
		145 |   db_name                     = upper(var.application_name)
		146 |   identifier                  = var.identifier_name
		147 |   engine                      = var.engine
		148 |   engine_version              = var.engine_version
		149 |   instance_class              = var.instance_class
		150 |   allow_major_version_upgrade = var.allow_major_version_upgrade
		151 |   auto_minor_version_upgrade  = var.auto_minor_version_upgrade
		152 |   storage_type                = var.storage_type
		153 |   backup_retention_period     = var.backup_retention_period
		154 |   backup_window               = var.backup_window
		155 |   maintenance_window          = var.maintenance_window
		156 |   character_set_name          = var.character_set_name
		157 |   availability_zone           = var.availability_zone
		158 |   multi_az                    = var.multi_az
		159 |   username                    = var.username
		160 |   password                    = random_password.rds_password.result
		161 |   vpc_security_group_ids      = [aws_security_group.laalz-secgroup.id, aws_security_group.vpc-secgroup.id]
		162 |   skip_final_snapshot         = false
		163 |   final_snapshot_identifier   = "${var.application_name}-${formatdate("DDMMMYYYYhhmm", timestamp())}-finalsnapshot"
		164 |   parameter_group_name        = aws_db_parameter_group.appdbparametergroup19.name
		165 |   option_group_name           = aws_db_option_group.appdboptiongroup19.name
		166 |   db_subnet_group_name        = aws_db_subnet_group.appdbsubnetgroup.name
		167 |   license_model               = var.license_model
		168 |   deletion_protection         = var.deletion_protection
		169 |   copy_tags_to_snapshot       = true
		170 |   storage_encrypted           = true
		171 |   apply_immediately           = true
		172 |   kms_key_id                  = var.rds_kms_key_arn
		173 |   tags = merge(
		174 |     var.tags,
		175 |     { "Name" = "${var.application_name}-${var.environment}-database-without-snapshot" },
		176 |     { "instance-scheduling" = "skip-scheduling" }
		177 |   )
		178 | 
		179 |   timeouts {
		180 |     create = "60m"
		181 |     delete = "2h"
		182 |   }
		183 | }

Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
	FAILED for resource: module.rds.aws_db_instance.appdb2
	File: /modules/rds/rds.tf:143-183
	Calling File: /rds.tf:4-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-353

		143 | resource "aws_db_instance" "appdb2" {
		144 |   allocated_storage           = var.allocated_storage
		145 |   db_name                     = upper(var.application_name)
		146 |   identifier                  = var.identifier_name
		147 |   engine                      = var.engine
		148 |   engine_version              = var.engine_version
		149 |   instance_class              = var.instance_class
		150 |   allow_major_version_upgrade = var.allow_major_version_upgrade
		151 |   auto_minor_version_upgrade  = var.auto_minor_version_upgrade
		152 |   storage_type                = var.storage_type
		153 |   backup_retention_period     = var.backup_retention_period
		154 |   backup_window               = var.backup_window
		155 |   maintenance_window          = var.maintenance_window
		156 |   character_set_name          = var.character_set_name
		157 |   availability_zone           = var.availability_zone
		158 |   multi_az                    = var.multi_az
		159 |   username                    = var.username
		160 |   password                    = random_password.rds_password.result
		161 |   vpc_security_group_ids      = [aws_security_group.laalz-secgroup.id, aws_security_group.vpc-secgroup.id]
		162 |   skip_final_snapshot         = false
		163 |   final_snapshot_identifier   = "${var.application_name}-${formatdate("DDMMMYYYYhhmm", timestamp())}-finalsnapshot"
		164 |   parameter_group_name        = aws_db_parameter_group.appdbparametergroup19.name
		165 |   option_group_name           = aws_db_option_group.appdboptiongroup19.name
		166 |   db_subnet_group_name        = aws_db_subnet_group.appdbsubnetgroup.name
		167 |   license_model               = var.license_model
		168 |   deletion_protection         = var.deletion_protection
		169 |   copy_tags_to_snapshot       = true
		170 |   storage_encrypted           = true
		171 |   apply_immediately           = true
		172 |   kms_key_id                  = var.rds_kms_key_arn
		173 |   tags = merge(
		174 |     var.tags,
		175 |     { "Name" = "${var.application_name}-${var.environment}-database-without-snapshot" },
		176 |     { "instance-scheduling" = "skip-scheduling" }
		177 |   )
		178 | 
		179 |   timeouts {
		180 |     create = "60m"
		181 |     delete = "2h"
		182 |   }
		183 | }

Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
	FAILED for resource: module.rds.aws_db_instance.appdb2
	File: /modules/rds/rds.tf:143-183
	Calling File: /rds.tf:4-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-293

		143 | resource "aws_db_instance" "appdb2" {
		144 |   allocated_storage           = var.allocated_storage
		145 |   db_name                     = upper(var.application_name)
		146 |   identifier                  = var.identifier_name
		147 |   engine                      = var.engine
		148 |   engine_version              = var.engine_version
		149 |   instance_class              = var.instance_class
		150 |   allow_major_version_upgrade = var.allow_major_version_upgrade
		151 |   auto_minor_version_upgrade  = var.auto_minor_version_upgrade
		152 |   storage_type                = var.storage_type
		153 |   backup_retention_period     = var.backup_retention_period
		154 |   backup_window               = var.backup_window
		155 |   maintenance_window          = var.maintenance_window
		156 |   character_set_name          = var.character_set_name
		157 |   availability_zone           = var.availability_zone
		158 |   multi_az                    = var.multi_az
		159 |   username                    = var.username
		160 |   password                    = random_password.rds_password.result
		161 |   vpc_security_group_ids      = [aws_security_group.laalz-secgroup.id, aws_security_group.vpc-secgroup.id]
		162 |   skip_final_snapshot         = false
		163 |   final_snapshot_identifier   = "${var.application_name}-${formatdate("DDMMMYYYYhhmm", timestamp())}-finalsnapshot"
		164 |   parameter_group_name        = aws_db_parameter_group.appdbparametergroup19.name
		165 |   option_group_name           = aws_db_option_group.appdboptiongroup19.name
		166 |   db_subnet_group_name        = aws_db_subnet_group.appdbsubnetgroup.name
		167 |   license_model               = var.license_model
		168 |   deletion_protection         = var.deletion_protection
		169 |   copy_tags_to_snapshot       = true
		170 |   storage_encrypted           = true
		171 |   apply_immediately           = true
		172 |   kms_key_id                  = var.rds_kms_key_arn
		173 |   tags = merge(
		174 |     var.tags,
		175 |     { "Name" = "${var.application_name}-${var.environment}-database-without-snapshot" },
		176 |     { "instance-scheduling" = "skip-scheduling" }
		177 |   )
		178 | 
		179 |   timeouts {
		180 |     create = "60m"
		181 |     delete = "2h"
		182 |   }
		183 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: module.rds.aws_db_instance.appdb2
	File: /modules/rds/rds.tf:143-183
	Calling File: /rds.tf:4-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-354

		143 | resource "aws_db_instance" "appdb2" {
		144 |   allocated_storage           = var.allocated_storage
		145 |   db_name                     = upper(var.application_name)
		146 |   identifier                  = var.identifier_name
		147 |   engine                      = var.engine
		148 |   engine_version              = var.engine_version
		149 |   instance_class              = var.instance_class
		150 |   allow_major_version_upgrade = var.allow_major_version_upgrade
		151 |   auto_minor_version_upgrade  = var.auto_minor_version_upgrade
		152 |   storage_type                = var.storage_type
		153 |   backup_retention_period     = var.backup_retention_period
		154 |   backup_window               = var.backup_window
		155 |   maintenance_window          = var.maintenance_window
		156 |   character_set_name          = var.character_set_name
		157 |   availability_zone           = var.availability_zone
		158 |   multi_az                    = var.multi_az
		159 |   username                    = var.username
		160 |   password                    = random_password.rds_password.result
		161 |   vpc_security_group_ids      = [aws_security_group.laalz-secgroup.id, aws_security_group.vpc-secgroup.id]
		162 |   skip_final_snapshot         = false
		163 |   final_snapshot_identifier   = "${var.application_name}-${formatdate("DDMMMYYYYhhmm", timestamp())}-finalsnapshot"
		164 |   parameter_group_name        = aws_db_parameter_group.appdbparametergroup19.name
		165 |   option_group_name           = aws_db_option_group.appdboptiongroup19.name
		166 |   db_subnet_group_name        = aws_db_subnet_group.appdbsubnetgroup.name
		167 |   license_model               = var.license_model
		168 |   deletion_protection         = var.deletion_protection
		169 |   copy_tags_to_snapshot       = true
		170 |   storage_encrypted           = true
		171 |   apply_immediately           = true
		172 |   kms_key_id                  = var.rds_kms_key_arn
		173 |   tags = merge(
		174 |     var.tags,
		175 |     { "Name" = "${var.application_name}-${var.environment}-database-without-snapshot" },
		176 |     { "instance-scheduling" = "skip-scheduling" }
		177 |   )
		178 | 
		179 |   timeouts {
		180 |     create = "60m"
		181 |     delete = "2h"
		182 |   }
		183 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.rotate_secrets
	File: /modules/rotate_secrets_lambda/main.tf:5-27
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		5  | resource "aws_lambda_function" "rotate_secrets" {
		6  |   filename      = "${path.module}/secret_rotation.zip"
		7  |   function_name = local.function_name
		8  |   description   = "Secrets Manager password rotation"
		9  |   role          = aws_iam_role.lambda.arn
		10 |   handler       = "secret_rotation.lambda_handler"
		11 |   timeout       = var.lambda_timeout
		12 |   runtime       = var.lambda_runtime
		13 | 
		14 |   environment {
		15 |     variables = {
		16 |       databaseName             = var.database_name
		17 |       databaseUser             = var.database_user
		18 |       SECRETS_MANAGER_ENDPOINT = "https://secretsmanager.eu-west-2.amazonaws.com"
		19 |       # EXCLUDE_CHARACTERS = "!@£$%^&*()_+-={}[]" # Characters to exclude for rotated secrets, currently not working so updated the secret_rotation.py with ExcludePunctuation=True instead
		20 |     }
		21 |   }
		22 | 
		23 |   tags = merge(
		24 |     var.tags,
		25 |     { "Name" = "SecretsRotation" },
		26 |   )
		27 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.rotate_secrets
	File: /modules/rotate_secrets_lambda/main.tf:5-27
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		5  | resource "aws_lambda_function" "rotate_secrets" {
		6  |   filename      = "${path.module}/secret_rotation.zip"
		7  |   function_name = local.function_name
		8  |   description   = "Secrets Manager password rotation"
		9  |   role          = aws_iam_role.lambda.arn
		10 |   handler       = "secret_rotation.lambda_handler"
		11 |   timeout       = var.lambda_timeout
		12 |   runtime       = var.lambda_runtime
		13 | 
		14 |   environment {
		15 |     variables = {
		16 |       databaseName             = var.database_name
		17 |       databaseUser             = var.database_user
		18 |       SECRETS_MANAGER_ENDPOINT = "https://secretsmanager.eu-west-2.amazonaws.com"
		19 |       # EXCLUDE_CHARACTERS = "!@£$%^&*()_+-={}[]" # Characters to exclude for rotated secrets, currently not working so updated the secret_rotation.py with ExcludePunctuation=True instead
		20 |     }
		21 |   }
		22 | 
		23 |   tags = merge(
		24 |     var.tags,
		25 |     { "Name" = "SecretsRotation" },
		26 |   )
		27 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.rotate_secrets
	File: /modules/rotate_secrets_lambda/main.tf:5-27
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		5  | resource "aws_lambda_function" "rotate_secrets" {
		6  |   filename      = "${path.module}/secret_rotation.zip"
		7  |   function_name = local.function_name
		8  |   description   = "Secrets Manager password rotation"
		9  |   role          = aws_iam_role.lambda.arn
		10 |   handler       = "secret_rotation.lambda_handler"
		11 |   timeout       = var.lambda_timeout
		12 |   runtime       = var.lambda_runtime
		13 | 
		14 |   environment {
		15 |     variables = {
		16 |       databaseName             = var.database_name
		17 |       databaseUser             = var.database_user
		18 |       SECRETS_MANAGER_ENDPOINT = "https://secretsmanager.eu-west-2.amazonaws.com"
		19 |       # EXCLUDE_CHARACTERS = "!@£$%^&*()_+-={}[]" # Characters to exclude for rotated secrets, currently not working so updated the secret_rotation.py with ExcludePunctuation=True instead
		20 |     }
		21 |   }
		22 | 
		23 |   tags = merge(
		24 |     var.tags,
		25 |     { "Name" = "SecretsRotation" },
		26 |   )
		27 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.rotate_secrets
	File: /modules/rotate_secrets_lambda/main.tf:5-27
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		5  | resource "aws_lambda_function" "rotate_secrets" {
		6  |   filename      = "${path.module}/secret_rotation.zip"
		7  |   function_name = local.function_name
		8  |   description   = "Secrets Manager password rotation"
		9  |   role          = aws_iam_role.lambda.arn
		10 |   handler       = "secret_rotation.lambda_handler"
		11 |   timeout       = var.lambda_timeout
		12 |   runtime       = var.lambda_runtime
		13 | 
		14 |   environment {
		15 |     variables = {
		16 |       databaseName             = var.database_name
		17 |       databaseUser             = var.database_user
		18 |       SECRETS_MANAGER_ENDPOINT = "https://secretsmanager.eu-west-2.amazonaws.com"
		19 |       # EXCLUDE_CHARACTERS = "!@£$%^&*()_+-={}[]" # Characters to exclude for rotated secrets, currently not working so updated the secret_rotation.py with ExcludePunctuation=True instead
		20 |     }
		21 |   }
		22 | 
		23 |   tags = merge(
		24 |     var.tags,
		25 |     { "Name" = "SecretsRotation" },
		26 |   )
		27 | }

Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
	FAILED for resource: aws_lambda_function.rotate_secrets
	File: /modules/rotate_secrets_lambda/main.tf:5-27
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1

		5  | resource "aws_lambda_function" "rotate_secrets" {
		6  |   filename      = "${path.module}/secret_rotation.zip"
		7  |   function_name = local.function_name
		8  |   description   = "Secrets Manager password rotation"
		9  |   role          = aws_iam_role.lambda.arn
		10 |   handler       = "secret_rotation.lambda_handler"
		11 |   timeout       = var.lambda_timeout
		12 |   runtime       = var.lambda_runtime
		13 | 
		14 |   environment {
		15 |     variables = {
		16 |       databaseName             = var.database_name
		17 |       databaseUser             = var.database_user
		18 |       SECRETS_MANAGER_ENDPOINT = "https://secretsmanager.eu-west-2.amazonaws.com"
		19 |       # EXCLUDE_CHARACTERS = "!@£$%^&*()_+-={}[]" # Characters to exclude for rotated secrets, currently not working so updated the secret_rotation.py with ExcludePunctuation=True instead
		20 |     }
		21 |   }
		22 | 
		23 |   tags = merge(
		24 |     var.tags,
		25 |     { "Name" = "SecretsRotation" },
		26 |   )
		27 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.rotate_secrets
	File: /modules/rotate_secrets_lambda/main.tf:5-27
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		5  | resource "aws_lambda_function" "rotate_secrets" {
		6  |   filename      = "${path.module}/secret_rotation.zip"
		7  |   function_name = local.function_name
		8  |   description   = "Secrets Manager password rotation"
		9  |   role          = aws_iam_role.lambda.arn
		10 |   handler       = "secret_rotation.lambda_handler"
		11 |   timeout       = var.lambda_timeout
		12 |   runtime       = var.lambda_runtime
		13 | 
		14 |   environment {
		15 |     variables = {
		16 |       databaseName             = var.database_name
		17 |       databaseUser             = var.database_user
		18 |       SECRETS_MANAGER_ENDPOINT = "https://secretsmanager.eu-west-2.amazonaws.com"
		19 |       # EXCLUDE_CHARACTERS = "!@£$%^&*()_+-={}[]" # Characters to exclude for rotated secrets, currently not working so updated the secret_rotation.py with ExcludePunctuation=True instead
		20 |     }
		21 |   }
		22 | 
		23 |   tags = merge(
		24 |     var.tags,
		25 |     { "Name" = "SecretsRotation" },
		26 |   )
		27 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.lambda
	File: /modules/rotate_secrets_lambda/main.tf:57-110
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.lambda
	File: /modules/rotate_secrets_lambda/main.tf:57-110
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_policy.lambda
	File: /modules/rotate_secrets_lambda/main.tf:57-110
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_364: "Ensure that AWS Lambda function permissions delegated to AWS services are limited by SourceArn or SourceAccount"
	FAILED for resource: aws_lambda_permission.allow_secret_manager
	File: /modules/rotate_secrets_lambda/main.tf:117-121
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-364

		117 | resource "aws_lambda_permission" "allow_secret_manager" {
		118 |   action        = "lambda:InvokeFunction"
		119 |   function_name = aws_lambda_function.rotate_secrets.function_name
		120 |   principal     = "secretsmanager.amazonaws.com"
		121 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.rotate_secrets_lambda
	File: /modules/rotate_secrets_lambda/main.tf:123-129
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		123 | resource "aws_cloudwatch_log_group" "rotate_secrets_lambda" {
		124 |   name              = aws_lambda_function.rotate_secrets.function_name
		125 |   retention_in_days = var.log_group_retention_days
		126 |   lifecycle {
		127 |     prevent_destroy = true
		128 |   }
		129 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.weblogic
	File: /weblogic.tf:7-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		7  | resource "aws_secretsmanager_secret" "weblogic" {
		8  |   name        = "${local.application_name}/app/weblogic-admin-password-tmp2" # TODO This name needs changing back to without -tmp2 to be compatible with hardcoded OAS installation
		9  |   description = "This secret has a dynamically generated password. This is OAS administrator (weblogic) password, where developers very frequently use as part of accessing OAS and other admin activities."
		10 |   tags = merge(
		11 |     local.tags,
		12 |     { "Name" = "${local.application_name}/app/weblogic-admin-password-tmp2" }, # TODO This name needs changing back to without -tmp2 to be compatible with hardcoded OAS installation
		13 |   )
		14 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.EC2ServerVolumeORAHOME
	File: /ec2.tf:297-313
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		297 | resource "aws_ebs_volume" "EC2ServerVolumeORAHOME" {
		298 |   availability_zone = "eu-west-2a"
		299 |   size              = local.application_data.accounts[local.environment].orahomesize
		300 |   type              = "gp3"
		301 |   encrypted         = true
		302 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		303 |   snapshot_id       = local.application_data.accounts[local.environment].orahome_snapshot
		304 | 
		305 |   lifecycle {
		306 |     ignore_changes = [kms_key_id]
		307 |   }
		308 | 
		309 |   tags = merge(
		310 |     local.tags,
		311 |     { "Name" = "${local.application_name}-EC2ServerVolumeORAHOME" },
		312 |   )
		313 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.EC2ServerVolumeSTAGE
	File: /ec2.tf:321-337
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		321 | resource "aws_ebs_volume" "EC2ServerVolumeSTAGE" {
		322 |   availability_zone = "eu-west-2a"
		323 |   size              = local.application_data.accounts[local.environment].stageesize
		324 |   type              = "gp3"
		325 |   encrypted         = true
		326 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		327 |   snapshot_id       = local.application_data.accounts[local.environment].stage_snapshot
		328 | 
		329 |   lifecycle {
		330 |     ignore_changes = [kms_key_id]
		331 |   }
		332 | 
		333 |   tags = merge(
		334 |     local.tags,
		335 |     { "Name" = "${local.application_name}-EC2ServerVolumeSTAGE" },
		336 |   )
		337 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: module.rds.aws_secretsmanager_secret.rds_password_secret
	File: /modules/rds/rds.tf:76-83
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		76 | resource "aws_secretsmanager_secret" "rds_password_secret" {
		77 |   name        = "${var.application_name}/app/db-master-password-tmp2" # TODO This name needs changing back to without -tmp2 to be compatible with hardcoded OAS installation
		78 |   description = "This secret has a dynamically generated password."
		79 |   tags = merge(
		80 |     var.tags,
		81 |     { "Name" = "${var.application_name}/app/db-master-password-tmp2" }, # TODO This name needs changing back to without -tmp2 to be compatible with hardcoded OAS installation
		82 |   )
		83 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.weblogic
	File: /weblogic.tf:7-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		7  | resource "aws_secretsmanager_secret" "weblogic" {
		8  |   name        = "${local.application_name}/app/weblogic-admin-password-tmp2" # TODO This name needs changing back to without -tmp2 to be compatible with hardcoded OAS installation
		9  |   description = "This secret has a dynamically generated password. This is OAS administrator (weblogic) password, where developers very frequently use as part of accessing OAS and other admin activities."
		10 |   tags = merge(
		11 |     local.tags,
		12 |     { "Name" = "${local.application_name}/app/weblogic-admin-password-tmp2" }, # TODO This name needs changing back to without -tmp2 to be compatible with hardcoded OAS installation
		13 |   )
		14 | }


checkov_exitcode=2

CTFLint Scan Failed

*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/oas/modules/rds
terraform/environments/oas

*****************************

Running tflint in terraform/environments/oas/modules/rds
Excluding the following checks: terraform_unused_declarations
3 issue(s) found:

Warning: Missing version constraint for provider "random" in `required_providers` (terraform_required_providers)

  on terraform/environments/oas/modules/rds/rds.tf line 70:
  70: resource "random_password" "rds_password" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "aws" in `required_providers` (terraform_required_providers)

  on terraform/environments/oas/modules/rds/rds.tf line 223:
 223: resource "aws_security_group" "vpc-secgroup" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: terraform "required_version" attribute is required (terraform_required_version)

  on terraform/environments/oas/modules/rds/terraform.tf line 0:
   (source code not available)

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_version.md

tflint_exitcode=2

*****************************

Running tflint in terraform/environments/oas
Excluding the following checks: terraform_unused_declarations
2 issue(s) found:

Warning: Missing version constraint for provider "local" in `required_providers` (terraform_required_providers)

  on terraform/environments/oas/ec2.tf line 1:
   1: data "local_file" "userdata" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "random" in `required_providers` (terraform_required_providers)

  on terraform/environments/oas/weblogic.tf line 1:
   1: resource "random_password" "weblogic" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

tflint_exitcode=4

Trivy Scan Failed

*****************************

Trivy will check the following folders:
terraform/environments/oas/modules/rds
terraform/environments/oas

*****************************

Running Trivy in terraform/environments/oas/modules/rds
2024-09-20T10:25:19Z	INFO	[db] Need to update DB
2024-09-20T10:25:19Z	INFO	[db] Downloading DB...	repository="ghcr.io/aquasecurity/trivy-db:2"
2024-09-20T10:25:21Z	INFO	[vuln] Vulnerability scanning is enabled
2024-09-20T10:25:21Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-09-20T10:25:21Z	INFO	Need to update the built-in policies
2024-09-20T10:25:21Z	INFO	Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-09-20T10:25:21Z	INFO	[secret] Secret scanning is enabled
2024-09-20T10:25:21Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-09-20T10:25:21Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.55/docs/scanner/secret#recommendation for faster secret detection
2024-09-20T10:25:22Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-09-20T10:25:22Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="allocated_storage, allow_major_version_upgrade, application_name, auto_minor_version_upgrade, availability_zone, backup_retention_period, backup_window, character_set_name, db_password_rotation_period, deletion_protection, engine, engine_version, environment, identifier_name, instance_class, license_model, lz_vpc_cidr, maintenance_window, managementcidr, multi_az, rds_kms_key_arn, rds_snapshot_arn, region, storage_type, tags, username, vpc_shared_cidr, vpc_shared_id, vpc_subnet_a_id, vpc_subnet_b_id, vpc_subnet_c_id"
2024-09-20T10:25:22Z	INFO	Number of language-specific files	num=0
2024-09-20T10:25:22Z	INFO	Detected config files	num=2
trivy_exitcode=0

*****************************

Running Trivy in terraform/environments/oas
2024-09-20T10:25:22Z	INFO	[vuln] Vulnerability scanning is enabled
2024-09-20T10:25:22Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-09-20T10:25:22Z	INFO	[secret] Secret scanning is enabled
2024-09-20T10:25:22Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-09-20T10:25:22Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.55/docs/scanner/secret#recommendation for faster secret detection
2024-09-20T10:25:23Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-09-20T10:25:23Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2024-09-20T10:25:24Z	INFO	[terraform scanner] Scanning root module	file_path="modules/rotate_secrets_lambda"
2024-09-20T10:25:24Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="account_number, database_name, database_user, lambda_runtime, lambda_timeout, log_group_retention_days, region, tags"
2024-09-20T10:25:24Z	INFO	Number of language-specific files	num=0
2024-09-20T10:25:24Z	INFO	Detected config files	num=7

ec2.tf (terraform)
==================
Tests: 32 (SUCCESSES: 28, FAILURES: 1, EXCEPTIONS: 3)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Instance does not require IMDS access to require a token
════════════════════════════════════════

IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.
By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional. 
To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 ec2.tf:16-53
────────────────────────────────────────
  16resource "aws_instance" "oas_app_instance" {
  17ami = local.application_data.accounts[local.environment].ec2amiid
  18# associate_public_ip_address = false
  19availability_zone = "eu-west-2a"
  20ebs_optimized     = true
  21instance_type     = local.application_data.accounts[local.environment].ec2instancetype
  22# vpc_security_group_ids      = [aws_security_group.ec2.id]
  23monitoring = true
  24# subnet_id                   = data.aws_subnet.private_subnets_a.id
  ..   
────────────────────────────────────────



modules/cloudwatch/cloudwatch.tf (terraform)
============================================
Tests: 2 (SUCCESSES: 1, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Topic does not have encryption enabled.
════════════════════════════════════════
Topics should be encrypted to protect their contents.

See https://avd.aquasec.com/misconfig/avd-aws-0095
────────────────────────────────────────
 modules/cloudwatch/cloudwatch.tf:38-40
   via cloudwatch.tf:94-100 (module.cwalarm)
────────────────────────────────────────
  38resource "aws_sns_topic" "alerting_topic" {
  39name = var.snsTopicName
  40 └ }
────────────────────────────────────────



modules/rotate_secrets_lambda/main.tf (terraform)
=================================================
Tests: 1 (SUCCESSES: 0, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Lambda permission lacks source ARN for *.amazonaws.com principal.
════════════════════════════════════════
When the principal is an AWS service, the ARN of the specific resource within that service to grant permission to. 

Without this, any resource from principal will be granted permission – even if that resource is from another account. 

For S3, this should be the ARN of the S3 Bucket. For CloudWatch Events, this should be the ARN of the CloudWatch Events Rule. For API Gateway, this should be the ARN of the API

See https://avd.aquasec.com/misconfig/avd-aws-0067
────────────────────────────────────────
 modules/rotate_secrets_lambda/main.tf:117-121
────────────────────────────────────────
 117resource "aws_lambda_permission" "allow_secret_manager" {
 118action        = "lambda:InvokeFunction"
 119function_name = aws_lambda_function.rotate_secrets.function_name
 120principal     = "secretsmanager.amazonaws.com"
 121 └ }
────────────────────────────────────────


trivy_exitcode=1

@vladimir-kovalyov vladimir-kovalyov merged commit 0ace172 into main Sep 20, 2024
10 of 16 checks passed
@vladimir-kovalyov vladimir-kovalyov deleted the TM-452 branch September 20, 2024 10:36