
Manage tipstaff-production shield response team access through code #7766

Merged (2 commits), Sep 13, 2024

Conversation

@dms1981 (Contributor) commented Sep 13, 2024

Tracked via #7185.

This PR does the following:

  • Manages Shield Response Team access through code
  • Sets the GitHub provider to prevent implicit use of the latest version (due to this bug).

From a code review, other steps such as associating resources with a WAFv2 ACL and alerting are already in place.

@dms1981 dms1981 requested review from a team as code owners September 13, 2024 13:58
@github-actions github-actions bot added the environments-repository Used to exclude PRs from this repo in our Slack PR update label Sep 13, 2024
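The PR body says Shield Response Team access is now managed in code but shows none of the resources, and the scanner output further down in this thread lists what it flags in the same environment (an ECR repository without scan-on-push, unencrypted SNS topics and log groups, and IAM policies granting `ecr:*`/`logs:*` on `*`). The Terraform below is an added example, not the PR's or the modernisation-platform repository's own code: it creates a role that only the Shield DRT service principal can assume and registers it with Shield Advanced, then gives corrected forms of the flagged resources. Assumptions: the role, key and policy names, the `~> 6.0` GitHub provider constraint (the PR pins the provider but the page does not give the version), the `app_secret_arn` variable, the `eu-west-2` region in the key policy, and the omission of the page's `count`/environment switching. The resource types and the `AWSShieldDRTAccessPolicy` ARN are the AWS provider's and AWS's own.

```hcl
terraform {
  required_providers {
    aws    = { source = "hashicorp/aws", version = "~> 5.0" }
    github = { source = "integrations/github", version = "~> 6.0" } # pinned explicitly; constraint is assumed
  }
}
variable "app_secret_arn" { type = string } # assumed: ARN of the single secret the task reads
data "aws_caller_identity" "current" {}
# --- Shield Response Team access: a role that only the Shield DRT service principal can assume ---
data "aws_iam_policy_document" "srt_trust" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["drt.shield.amazonaws.com"]
    }
  }
}
resource "aws_iam_role" "srt_access" {
  name               = "tipstaff-shield-response-team" # hypothetical name
  assume_role_policy = data.aws_iam_policy_document.srt_trust.json
}
# AWS-managed policy limited to the WAF/Shield actions SRT needs to mitigate on your behalf.
resource "aws_iam_role_policy_attachment" "srt_access" {
  role       = aws_iam_role.srt_access.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSShieldDRTAccessPolicy"
}
# Registers the role with Shield Advanced; this is the "grant SRT access" step.
resource "aws_shield_drt_access_role_arn_association" "srt" {
  role_arn = aws_iam_role.srt_access.arn
}

# --- Corrected forms of resources the scans below flag ---
# CMK whose policy also lets CloudWatch Logs and CloudWatch alarms use it; without that
# the encrypted log group fails to create and alarms cannot publish to the encrypted topic.
resource "aws_kms_key" "app" {
  description         = "tipstaff application key" # hypothetical
  enable_key_rotation = true
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      { Sid = "Root", Effect = "Allow", Action = "kms:*", Resource = "*",
        Principal = { AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root" } },
      { Sid = "AwsServices", Effect = "Allow", Resource = "*",
        Action    = ["kms:Encrypt*", "kms:Decrypt*", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:Describe*"],
        Principal = { Service = ["logs.eu-west-2.amazonaws.com", "cloudwatch.amazonaws.com"] } },
    ]
  })
}
# ECR: scan on push, immutable tags, KMS at rest (avd-aws-0030, CKV_AWS_51/136/163).
resource "aws_ecr_repository" "tipstaff_ecr_repo" {
  name                 = "tipstaff-ecr-repo"
  image_tag_mutability = "IMMUTABLE"
  image_scanning_configuration { scan_on_push = true }
  encryption_configuration {
    encryption_type = "KMS"
    kms_key         = aws_kms_key.app.arn
  }
}
# SNS alarm topic encrypted at rest (avd-aws-0095, CKV_AWS_26).
resource "aws_sns_topic" "ddos_alarm" {
  name              = "tipstaff_ddos_alarm"
  kms_master_key_id = aws_kms_key.app.id
}
# Log group encrypted with the CMK (CKV_AWS_158).
resource "aws_cloudwatch_log_group" "ecs_logs" {
  name              = "tipstaff-ecs"
  retention_in_days = 7
  kms_key_id        = aws_kms_key.app.arn
}
# --- Execution role scoped to this repository, log group and secret instead of "ecr:*"/"logs:*" on "*" (CKV_AWS_288/289/290/355) ---
resource "aws_iam_role" "app_execution" {
  name               = "execution-tipstaff" # hypothetical name
  assume_role_policy = jsonencode({ Version = "2012-10-17", Statement = [{ Effect = "Allow", Action = "sts:AssumeRole", Principal = { Service = "ecs-tasks.amazonaws.com" } }] })
}
data "aws_iam_policy_document" "app_execution" {
  statement {
    actions   = ["ecr:GetAuthorizationToken"]
    resources = ["*"] # the one action here with no resource-level permissions
  }
  statement {
    actions   = ["ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer", "ecr:BatchCheckLayerAvailability"]
    resources = [aws_ecr_repository.tipstaff_ecr_repo.arn]
  }
  statement {
    actions   = ["logs:CreateLogStream", "logs:PutLogEvents"]
    resources = ["${aws_cloudwatch_log_group.ecs_logs.arn}:*"]
  }
  statement {
    actions   = ["secretsmanager:GetSecretValue"]
    resources = [var.app_secret_arn]
  }
}
resource "aws_iam_role_policy" "app_execution" {
  name   = "execution-tipstaff"
  role   = aws_iam_role.app_execution.id
  policy = data.aws_iam_policy_document.app_execution.json
}
```

This needs an active Shield Advanced subscription, and, as the PR body notes, the protected resources must already be associated with a WAFv2 web ACL for SRT to have anything to act on. Check it with `terraform validate` and by re-running Trivy and Checkov on the directory. The CKV_TF_1 findings are a separate supply-chain control the example does not cover: they want each module `ref=` pinned to a commit hash rather than a tag, so a moved tag cannot change what gets applied.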
#### `Trivy Scan` Failed
<details><summary>Show Output</summary>

```hcl

Trivy will check the following folders:
terraform/environments/tipstaff


Running Trivy in terraform/environments/tipstaff
2024-09-13T14:00:07Z INFO [db] Need to update DB
2024-09-13T14:00:07Z INFO [db] Downloading DB... repository="ghcr.io/aquasecurity/trivy-db:2"
2024-09-13T14:00:10Z INFO [vuln] Vulnerability scanning is enabled
2024-09-13T14:00:10Z INFO [misconfig] Misconfiguration scanning is enabled
2024-09-13T14:00:10Z INFO Need to update the built-in policies
2024-09-13T14:00:10Z INFO Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s
2024-09-13T14:00:10Z INFO [secret] Secret scanning is enabled
2024-09-13T14:00:10Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-09-13T14:00:10Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.55/docs/scanner/secret#recommendation for faster secret detection
2024-09-13T14:00:16Z INFO [terraform scanner] Scanning root module file_path="."
2024-09-13T14:00:16Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2024-09-13T14:00:16Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2024-09-13T14:00:16Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2024-09-13T14:00:16Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.dynamic.tag" value="cty.NilVal"
2024-09-13T14:00:16Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.dynamic.tag" value="cty.NilVal"
2024-09-13T14:00:17Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-09-13T14:00:17Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-09-13T14:00:17Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-09-13T14:00:17Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-09-13T14:00:17Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-09-13T14:00:17Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-09-13T14:00:17Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-09-13T14:00:17Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-09-13T14:00:17Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-09-13T14:00:17Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-09-13T14:00:17Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-09-13T14:00:17Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-09-13T14:00:17Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf:283-325"
2024-09-13T14:00:17Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf:283-325"
2024-09-13T14:00:17Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf:283-325"
2024-09-13T14:00:17Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf:283-325"
2024-09-13T14:00:17Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf:283-325"
2024-09-13T14:00:17Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf:283-325"
2024-09-13T14:00:17Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf:283-325"
2024-09-13T14:00:17Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf:283-325"
2024-09-13T14:00:17Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf:283-325"
2024-09-13T14:00:17Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf:344-362"
2024-09-13T14:00:17Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf:344-362"
2024-09-13T14:00:17Z INFO [terraform executor] Ignore finding rule="aws-s3-enable-bucket-encryption" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:18-29"
2024-09-13T14:00:17Z INFO [terraform executor] Ignore finding rule="aws-s3-enable-versioning" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:18-29"
2024-09-13T14:00:17Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2024-09-13T14:00:17Z INFO Number of language-specific files num=0
2024-09-13T14:00:17Z INFO Detected config files num=7

ecs.tf (terraform)

Tests: 13 (SUCCESSES: 3, FAILURES: 4, EXCEPTIONS: 6)
Failures: 4 (HIGH: 3, CRITICAL: 1)

HIGH: Image scanning is not enabled.
════════════════════════════════════════
Repository image scans should be enabled to ensure vulnerable software can be discovered and remediated as soon as possible.

See https://avd.aquasec.com/misconfig/avd-aws-0030
────────────────────────────────────────
ecs.tf:355-358
────────────────────────────────────────
355 ┌ resource "aws_ecr_repository" "tipstaff_ecr_repo" {
356 │ name = "tipstaff-ecr-repo"
357 │ force_delete = true
358 └ }
────────────────────────────────────────

HIGH: Topic does not have encryption enabled.
════════════════════════════════════════
Topics should be encrypted to protect their contents.

See https://avd.aquasec.com/misconfig/avd-aws-0095
────────────────────────────────────────
ecs.tf:454-457
────────────────────────────────────────
454 ┌ resource "aws_sns_topic" "ddos_alarm" {
455 │ count = local.is-development ? 0 : 1
456 │ name = "tipstaff_ddos_alarm"
457 └ }
────────────────────────────────────────

HIGH: Topic does not have encryption enabled.
════════════════════════════════════════
Topics should be encrypted to protect their contents.

See https://avd.aquasec.com/misconfig/avd-aws-0095
────────────────────────────────────────
ecs.tf:459-462
────────────────────────────────────────
459 ┌ resource "aws_sns_topic" "tipstaff_utilisation_alarm" {
460 │ count = local.is-development ? 0 : 1
461 │ name = "tipstaff_utilisation_alarm"
462 └ }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ecs.tf:351
via ecs.tf:347-352 (egress)
via ecs.tf:335-353 (aws_security_group.ecs_service)
────────────────────────────────────────
335 resource "aws_security_group" "ecs_service" {
...
351 [ cidr_blocks = ["0.0.0.0/0"]
...
353 }
────────────────────────────────────────

load_balancer.tf (terraform)

Tests: 13 (SUCCESSES: 7, FAILURES: 6, EXCEPTIONS: 0)
Failures: 6 (HIGH: 2, CRITICAL: 4)

HIGH: Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.

By setting drop_invalid_header_fields to true, anything that does not conform to well-known, defined headers will be removed by the load balancer.

See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
load_balancer.tf:260-268
────────────────────────────────────────
260 ┌ resource "aws_lb" "tipstaff_lb" {
261 │ name = "tipstaff-load-balancer"
262 │ load_balancer_type = "application"
263 │ security_groups = [aws_security_group.tipstaff_lb_sc.id, aws_security_group.tipstaff_lb_sc_pingdom.id, aws_security_group.tipstaff_lb_sc_pingdom_2.id]
264 │ subnets = data.aws_subnets.shared-public.ids
265 │ enable_deletion_protection = false
266 │ internal = false
267 │ depends_on = [aws_security_group.tipstaff_lb_sc]
268 └ }
────────────────────────────────────────

HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource is intended to be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
load_balancer.tf:266
via load_balancer.tf:260-268 (aws_lb.tipstaff_lb)
────────────────────────────────────────
260 resource "aws_lb" "tipstaff_lb" {
261 name = "tipstaff-load-balancer"
262 load_balancer_type = "application"
263 security_groups = [aws_security_group.tipstaff_lb_sc.id, aws_security_group.tipstaff_lb_sc_pingdom.id, aws_security_group.tipstaff_lb_sc_pingdom_2.id]
264 subnets = data.aws_subnets.shared-public.ids
265 enable_deletion_protection = false
266 [ internal = false
267 depends_on = [aws_security_group.tipstaff_lb_sc]
268 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
load_balancer.tf:110
via load_balancer.tf:105-111 (egress)
via load_balancer.tf:1-112 (aws_security_group.tipstaff_lb_sc)
────────────────────────────────────────
1 resource "aws_security_group" "tipstaff_lb_sc" {
.
110 [ cidr_blocks = ["0.0.0.0/0"]
...
112 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
load_balancer.tf:102
via load_balancer.tf:97-103 (egress)
via load_balancer.tf:1-112 (aws_security_group.tipstaff_lb_sc)
────────────────────────────────────────
1 resource "aws_security_group" "tipstaff_lb_sc" {
.
102 [ cidr_blocks = ["0.0.0.0/0"]
...
112 }
────────────────────────────────────────

CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
load_balancer.tf:64-78
via load_balancer.tf:60-79 (ingress)
via load_balancer.tf:1-112 (aws_security_group.tipstaff_lb_sc)
────────────────────────────────────────
1 resource "aws_security_group" "tipstaff_lb_sc" {
.
64 ┌ cidr_blocks = [
65 │ "20.26.11.71/32",
66 │ "20.26.11.108/32",
67 │ "20.49.214.199/32",
68 │ "20.49.214.228/32",
69 │ "51.149.249.0/29",
70 └ "51.149.249.32/29",
..
────────────────────────────────────────

CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
load_balancer.tf:27-56
via load_balancer.tf:23-57 (ingress)
via load_balancer.tf:1-112 (aws_security_group.tipstaff_lb_sc)
────────────────────────────────────────
1 resource "aws_security_group" "tipstaff_lb_sc" {
.
27 ┌ cidr_blocks = [
28 │ "178.248.34.44/32",
29 │ "194.33.192.0/25",
30 │ "195.59.75.0/24",
31 │ "178.248.34.45/32",
32 │ "201.33.21.5/32",
33 └ "178.248.34.46/32",
..
────────────────────────────────────────

rds.tf (terraform)

Tests: 5 (SUCCESSES: 3, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 1, CRITICAL: 1)

HIGH: Instance does not have storage encryption enabled.
════════════════════════════════════════
Encryption should be enabled for RDS database instances.

When enabling encryption, set the kms_key_id.

See https://avd.aquasec.com/misconfig/avd-aws-0080
────────────────────────────────────────
rds.tf:1-19
────────────────────────────────────────
1 ┌ resource "aws_db_instance" "tipstaff_db" {
2 │ count = local.is-development ? 0 : 1
3 │ allocated_storage = local.application_data.accounts[local.environment].allocated_storage
4 │ db_name = local.application_data.accounts[local.environment].db_name
5 │ storage_type = local.application_data.accounts[local.environment].storage_type
6 │ engine = local.application_data.accounts[local.environment].engine
7 │ identifier = local.application_data.accounts[local.environment].identifier
8 │ engine_version = local.application_data.accounts[local.environment].engine_version
9 └ instance_class = local.application_data.accounts[local.environment].instance_class
..
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
rds.tf:59
via rds.tf:54-60 (egress)
via rds.tf:26-61 (aws_security_group.postgresql_db_sc[0])
────────────────────────────────────────
26 resource "aws_security_group" "postgresql_db_sc" {
..
59 [ cidr_blocks = ["0.0.0.0/0"]
..
61 }
────────────────────────────────────────

trivy_exitcode=1

```

</details>

#### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/tipstaff

*****************************

Running Checkov in terraform/environments/tipstaff
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-09-13 14:00:19,775 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1:None (for external modules, the --download-external-modules flag is required)
2024-09-13 14:00:19,775 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 95, Failed checks: 53, Skipped checks: 0

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: bastion_linux
	File: /ec2_bastion_linux.tf:2-29
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		2  | module "bastion_linux" {
		3  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1"
		4  | 
		5  |   providers = {
		6  |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		7  |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		8  |   }
		9  |   # s3 - used for logs and user ssh public keys
		10 |   bucket_name = "bastion-example"
		11 |   # public keys
		12 |   public_key_data = local.public_key_data.keys[local.environment]
		13 |   # logs
		14 |   log_auto_clean       = "Enabled"
		15 |   log_standard_ia_days = 30  # days before moving to IA storage
		16 |   log_glacier_days     = 60  # days before moving to Glacier
		17 |   log_expiry_days      = 180 # days before log expiration
		18 |   # bastion
		19 |   allow_ssh_commands = false
		20 |   app_name           = var.networking[0].application
		21 |   business_unit      = local.vpc_name
		22 |   subnet_set         = local.subnet_set
		23 |   environment        = local.environment
		24 |   region             = "eu-west-2"
		25 | 
		26 |   # Tags
		27 |   tags_common = local.tags
		28 |   tags_prefix = terraform.workspace
		29 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.deployment_logs
	File: /ecs.tf:9-12
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		9  | resource "aws_cloudwatch_log_group" "deployment_logs" {
		10 |   name              = "/aws/events/deploymentLogs"
		11 |   retention_in_days = "7"
		12 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.ecs_logs
	File: /ecs.tf:14-17
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		14 | resource "aws_cloudwatch_log_group" "ecs_logs" {
		15 |   name              = "tipstaff-ecs"
		16 |   retention_in_days = "7"
		17 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:263-283
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		263 | resource "aws_iam_role_policy" "app_execution" {
		264 |   name = "execution-${var.networking[0].application}"
		265 |   role = aws_iam_role.app_execution.id
		266 | 
		267 |   policy = <<-EOF
		268 |   {
		269 |     "Version": "2012-10-17",
		270 |     "Statement": [
		271 |       {
		272 |            "Action": [
		273 |               "ecr:*",
		274 |               "logs:*",
		275 |               "secretsmanager:GetSecretValue"
		276 |            ],
		277 |            "Resource": "*",
		278 |            "Effect": "Allow"
		279 |       }
		280 |     ]
		281 |   }
		282 |   EOF
		283 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:263-283
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		263 | resource "aws_iam_role_policy" "app_execution" {
		264 |   name = "execution-${var.networking[0].application}"
		265 |   role = aws_iam_role.app_execution.id
		266 | 
		267 |   policy = <<-EOF
		268 |   {
		269 |     "Version": "2012-10-17",
		270 |     "Statement": [
		271 |       {
		272 |            "Action": [
		273 |               "ecr:*",
		274 |               "logs:*",
		275 |               "secretsmanager:GetSecretValue"
		276 |            ],
		277 |            "Resource": "*",
		278 |            "Effect": "Allow"
		279 |       }
		280 |     ]
		281 |   }
		282 |   EOF
		283 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:263-283
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		263 | resource "aws_iam_role_policy" "app_execution" {
		264 |   name = "execution-${var.networking[0].application}"
		265 |   role = aws_iam_role.app_execution.id
		266 | 
		267 |   policy = <<-EOF
		268 |   {
		269 |     "Version": "2012-10-17",
		270 |     "Statement": [
		271 |       {
		272 |            "Action": [
		273 |               "ecr:*",
		274 |               "logs:*",
		275 |               "secretsmanager:GetSecretValue"
		276 |            ],
		277 |            "Resource": "*",
		278 |            "Effect": "Allow"
		279 |       }
		280 |     ]
		281 |   }
		282 |   EOF
		283 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:263-283
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		263 | resource "aws_iam_role_policy" "app_execution" {
		264 |   name = "execution-${var.networking[0].application}"
		265 |   role = aws_iam_role.app_execution.id
		266 | 
		267 |   policy = <<-EOF
		268 |   {
		269 |     "Version": "2012-10-17",
		270 |     "Statement": [
		271 |       {
		272 |            "Action": [
		273 |               "ecr:*",
		274 |               "logs:*",
		275 |               "secretsmanager:GetSecretValue"
		276 |            ],
		277 |            "Resource": "*",
		278 |            "Effect": "Allow"
		279 |       }
		280 |     ]
		281 |   }
		282 |   EOF
		283 | }

Check: CKV_AWS_286: "Ensure IAM policies does not allow privilege escalation"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:312-333
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-286

		312 | resource "aws_iam_role_policy" "app_task" {
		313 |   name = "task-${var.networking[0].application}"
		314 |   role = aws_iam_role.app_task.id
		315 | 
		316 |   policy = <<-EOF
		317 |   {
		318 |    "Version": "2012-10-17",
		319 |    "Statement": [
		320 |      {
		321 |        "Effect": "Allow",
		322 |         "Action": [
		323 |           "logs:*",
		324 |           "ecr:*",
		325 |           "iam:*",
		326 |           "ec2:*"
		327 |         ],
		328 |        "Resource": "*"
		329 |      }
		330 |    ]
		331 |   }
		332 |   EOF
		333 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:312-333
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		312 | resource "aws_iam_role_policy" "app_task" {
		313 |   name = "task-${var.networking[0].application}"
		314 |   role = aws_iam_role.app_task.id
		315 | 
		316 |   policy = <<-EOF
		317 |   {
		318 |    "Version": "2012-10-17",
		319 |    "Statement": [
		320 |      {
		321 |        "Effect": "Allow",
		322 |         "Action": [
		323 |           "logs:*",
		324 |           "ecr:*",
		325 |           "iam:*",
		326 |           "ec2:*"
		327 |         ],
		328 |        "Resource": "*"
		329 |      }
		330 |    ]
		331 |   }
		332 |   EOF
		333 | }

Check: CKV_AWS_287: "Ensure IAM policies does not allow credentials exposure"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:312-333
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-287

		312 | resource "aws_iam_role_policy" "app_task" {
		313 |   name = "task-${var.networking[0].application}"
		314 |   role = aws_iam_role.app_task.id
		315 | 
		316 |   policy = <<-EOF
		317 |   {
		318 |    "Version": "2012-10-17",
		319 |    "Statement": [
		320 |      {
		321 |        "Effect": "Allow",
		322 |         "Action": [
		323 |           "logs:*",
		324 |           "ecr:*",
		325 |           "iam:*",
		326 |           "ec2:*"
		327 |         ],
		328 |        "Resource": "*"
		329 |      }
		330 |    ]
		331 |   }
		332 |   EOF
		333 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:312-333
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		312 | resource "aws_iam_role_policy" "app_task" {
		313 |   name = "task-${var.networking[0].application}"
		314 |   role = aws_iam_role.app_task.id
		315 | 
		316 |   policy = <<-EOF
		317 |   {
		318 |    "Version": "2012-10-17",
		319 |    "Statement": [
		320 |      {
		321 |        "Effect": "Allow",
		322 |         "Action": [
		323 |           "logs:*",
		324 |           "ecr:*",
		325 |           "iam:*",
		326 |           "ec2:*"
		327 |         ],
		328 |        "Resource": "*"
		329 |      }
		330 |    ]
		331 |   }
		332 |   EOF
		333 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:312-333
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		312 | resource "aws_iam_role_policy" "app_task" {
		313 |   name = "task-${var.networking[0].application}"
		314 |   role = aws_iam_role.app_task.id
		315 | 
		316 |   policy = <<-EOF
		317 |   {
		318 |    "Version": "2012-10-17",
		319 |    "Statement": [
		320 |      {
		321 |        "Effect": "Allow",
		322 |         "Action": [
		323 |           "logs:*",
		324 |           "ecr:*",
		325 |           "iam:*",
		326 |           "ec2:*"
		327 |         ],
		328 |        "Resource": "*"
		329 |      }
		330 |    ]
		331 |   }
		332 |   EOF
		333 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.ecs_service
	File: /ecs.tf:335-353
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		335 | resource "aws_security_group" "ecs_service" {
		336 |   name_prefix = "ecs-service-sg-"
		337 |   vpc_id      = data.aws_vpc.shared.id
		338 | 
		339 |   ingress {
		340 |     from_port       = 80
		341 |     to_port         = 80
		342 |     protocol        = "tcp"
		343 |     description     = "Allow traffic on port 80 from load balancer"
		344 |     security_groups = [aws_security_group.tipstaff_lb_sc.id]
		345 |   }
		346 | 
		347 |   egress {
		348 |     from_port   = 0
		349 |     to_port     = 0
		350 |     protocol    = "-1"
		351 |     cidr_blocks = ["0.0.0.0/0"]
		352 |   }
		353 | }

Check: CKV_AWS_51: "Ensure ECR Image Tags are immutable"
	FAILED for resource: aws_ecr_repository.tipstaff_ecr_repo
	File: /ecs.tf:355-358
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-24

		355 | resource "aws_ecr_repository" "tipstaff_ecr_repo" {
		356 |   name         = "tipstaff-ecr-repo"
		357 |   force_delete = true
		358 | }

Check: CKV_AWS_163: "Ensure ECR image scanning on push is enabled"
	FAILED for resource: aws_ecr_repository.tipstaff_ecr_repo
	File: /ecs.tf:355-358
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-8

		355 | resource "aws_ecr_repository" "tipstaff_ecr_repo" {
		356 |   name         = "tipstaff-ecr-repo"
		357 |   force_delete = true
		358 | }

Check: CKV_AWS_136: "Ensure that ECR repositories are encrypted using KMS"
	FAILED for resource: aws_ecr_repository.tipstaff_ecr_repo
	File: /ecs.tf:355-358
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ecr-repositories-are-encrypted

		355 | resource "aws_ecr_repository" "tipstaff_ecr_repo" {
		356 |   name         = "tipstaff-ecr-repo"
		357 |   force_delete = true
		358 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.ddos_alarm
	File: /ecs.tf:454-457
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		454 | resource "aws_sns_topic" "ddos_alarm" {
		455 |   count = local.is-development ? 0 : 1
		456 |   name  = "tipstaff_ddos_alarm"
		457 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.tipstaff_utilisation_alarm
	File: /ecs.tf:459-462
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		459 | resource "aws_sns_topic" "tipstaff_utilisation_alarm" {
		460 |   count = local.is-development ? 0 : 1
		461 |   name  = "tipstaff_utilisation_alarm"
		462 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: pagerduty_core_alerts_non_prod
	File: /ecs.tf:482-490
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		482 | module "pagerduty_core_alerts_non_prod" {
		483 |   count = local.is-preproduction ? 1 : 0
		484 |   depends_on = [
		485 |     aws_sns_topic.tipstaff_utilisation_alarm
		486 |   ]
		487 |   source                    = "github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0"
		488 |   sns_topics                = [aws_sns_topic.tipstaff_utilisation_alarm[0].name]
		489 |   pagerduty_integration_key = local.pagerduty_integration_keys["tipstaff_non_prod_alarms"]
		490 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: pagerduty_core_alerts_prod
	File: /ecs.tf:493-501
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		493 | module "pagerduty_core_alerts_prod" {
		494 |   count = local.is-production ? 1 : 0
		495 |   depends_on = [
		496 |     aws_sns_topic.tipstaff_utilisation_alarm
		497 |   ]
		498 |   source                    = "github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0"
		499 |   sns_topics                = [aws_sns_topic.tipstaff_utilisation_alarm[0].name]
		500 |   pagerduty_integration_key = local.pagerduty_integration_keys["tipstaff_prod_alarms"]
		501 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.tipstaff_lb_sc
	File: /load_balancer.tf:1-112
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.tipstaff_lb_sc_pingdom
	File: /load_balancer.tf:114-185
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.tipstaff_lb_sc_pingdom_2
	File: /load_balancer.tf:187-258
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
	FAILED for resource: aws_lb.tipstaff_lb
	File: /load_balancer.tf:260-268
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-150

		260 | resource "aws_lb" "tipstaff_lb" {
		261 |   name                       = "tipstaff-load-balancer"
		262 |   load_balancer_type         = "application"
		263 |   security_groups            = [aws_security_group.tipstaff_lb_sc.id, aws_security_group.tipstaff_lb_sc_pingdom.id, aws_security_group.tipstaff_lb_sc_pingdom_2.id]
		264 |   subnets                    = data.aws_subnets.shared-public.ids
		265 |   enable_deletion_protection = false
		266 |   internal                   = false
		267 |   depends_on                 = [aws_security_group.tipstaff_lb_sc]
		268 | }

Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
	FAILED for resource: aws_lb.tipstaff_lb
	File: /load_balancer.tf:260-268
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers

		260 | resource "aws_lb" "tipstaff_lb" {
		261 |   name                       = "tipstaff-load-balancer"
		262 |   load_balancer_type         = "application"
		263 |   security_groups            = [aws_security_group.tipstaff_lb_sc.id, aws_security_group.tipstaff_lb_sc_pingdom.id, aws_security_group.tipstaff_lb_sc_pingdom_2.id]
		264 |   subnets                    = data.aws_subnets.shared-public.ids
		265 |   enable_deletion_protection = false
		266 |   internal                   = false
		267 |   depends_on                 = [aws_security_group.tipstaff_lb_sc]
		268 | }

Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
	FAILED for resource: aws_lb.tipstaff_lb
	File: /load_balancer.tf:260-268
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22

		260 | resource "aws_lb" "tipstaff_lb" {
		261 |   name                       = "tipstaff-load-balancer"
		262 |   load_balancer_type         = "application"
		263 |   security_groups            = [aws_security_group.tipstaff_lb_sc.id, aws_security_group.tipstaff_lb_sc_pingdom.id, aws_security_group.tipstaff_lb_sc_pingdom_2.id]
		264 |   subnets                    = data.aws_subnets.shared-public.ids
		265 |   enable_deletion_protection = false
		266 |   internal                   = false
		267 |   depends_on                 = [aws_security_group.tipstaff_lb_sc]
		268 | }

Check: CKV_AWS_261: "Ensure HTTP HTTPS Target group defines Healthcheck"
	FAILED for resource: aws_lb_target_group.tipstaff_target_group
	File: /load_balancer.tf:270-292
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-kendra-index-server-side-encryption-uses-customer-managed-keys-cmks

		270 | resource "aws_lb_target_group" "tipstaff_target_group" {
		271 |   name                 = "tipstaff-target-group"
		272 |   port                 = 80
		273 |   protocol             = "HTTP"
		274 |   vpc_id               = data.aws_vpc.shared.id
		275 |   target_type          = "ip"
		276 |   deregistration_delay = 30
		277 | 
		278 |   stickiness {
		279 |     type = "lb_cookie"
		280 |   }
		281 | 
		282 |   health_check {
		283 |     healthy_threshold   = "3"
		284 |     interval            = "30"
		285 |     protocol            = "HTTP"
		286 |     port                = "80"
		287 |     unhealthy_threshold = "5"
		288 |     matcher             = "200-302"
		289 |     timeout             = "10"
		290 |   }
		291 | 
		292 | }

Check: CKV_AWS_2: "Ensure ALB protocol is HTTPS"
	FAILED for resource: aws_lb_listener.tipstaff_lb
	File: /load_balancer.tf:294-308
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-29

		294 | resource "aws_lb_listener" "tipstaff_lb" {
		295 |   depends_on = [
		296 |     aws_acm_certificate.external
		297 |   ]
		298 |   certificate_arn   = local.is-production ? aws_acm_certificate.external_prod[0].arn : aws_acm_certificate.external.arn
		299 |   load_balancer_arn = aws_lb.tipstaff_lb.arn
		300 |   port              = local.application_data.accounts[local.environment].server_port_2
		301 |   protocol          = local.application_data.accounts[local.environment].lb_listener_protocol_2
		302 |   ssl_policy        = local.application_data.accounts[local.environment].lb_listener_protocol_2 == "HTTP" ? "" : "ELBSecurityPolicy-TLS13-1-2-2021-06"
		303 | 
		304 |   default_action {
		305 |     type             = "forward"
		306 |     target_group_arn = aws_lb_target_group.tipstaff_target_group.arn
		307 |   }
		308 | }

Check: CKV_AWS_226: "Ensure DB instance gets all minor upgrades automatically"
	FAILED for resource: aws_db_instance.tipstaff_db
	File: /rds.tf:1-19
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-db-instance-gets-all-minor-upgrades-automatically

		1  | resource "aws_db_instance" "tipstaff_db" {
		2  |   count                       = local.is-development ? 0 : 1
		3  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		4  |   db_name                     = local.application_data.accounts[local.environment].db_name
		5  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		6  |   engine                      = local.application_data.accounts[local.environment].engine
		7  |   identifier                  = local.application_data.accounts[local.environment].identifier
		8  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		9  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		10 |   username                    = local.application_data.accounts[local.environment].db_username
		11 |   password                    = random_password.password.result
		12 |   skip_final_snapshot         = true
		13 |   publicly_accessible         = false
		14 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc[0].id]
		15 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		16 |   allow_major_version_upgrade = true
		17 |   ca_cert_identifier          = "rds-ca-rsa2048-g1"
		18 |   apply_immediately           = true
		19 | }

Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
	FAILED for resource: aws_db_instance.tipstaff_db
	File: /rds.tf:1-19
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-73

		1  | resource "aws_db_instance" "tipstaff_db" {
		2  |   count                       = local.is-development ? 0 : 1
		3  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		4  |   db_name                     = local.application_data.accounts[local.environment].db_name
		5  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		6  |   engine                      = local.application_data.accounts[local.environment].engine
		7  |   identifier                  = local.application_data.accounts[local.environment].identifier
		8  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		9  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		10 |   username                    = local.application_data.accounts[local.environment].db_username
		11 |   password                    = random_password.password.result
		12 |   skip_final_snapshot         = true
		13 |   publicly_accessible         = false
		14 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc[0].id]
		15 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		16 |   allow_major_version_upgrade = true
		17 |   ca_cert_identifier          = "rds-ca-rsa2048-g1"
		18 |   apply_immediately           = true
		19 | }

Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
	FAILED for resource: aws_db_instance.tipstaff_db
	File: /rds.tf:1-19
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances

		1  | resource "aws_db_instance" "tipstaff_db" {
		2  |   count                       = local.is-development ? 0 : 1
		3  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		4  |   db_name                     = local.application_data.accounts[local.environment].db_name
		5  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		6  |   engine                      = local.application_data.accounts[local.environment].engine
		7  |   identifier                  = local.application_data.accounts[local.environment].identifier
		8  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		9  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		10 |   username                    = local.application_data.accounts[local.environment].db_username
		11 |   password                    = random_password.password.result
		12 |   skip_final_snapshot         = true
		13 |   publicly_accessible         = false
		14 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc[0].id]
		15 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		16 |   allow_major_version_upgrade = true
		17 |   ca_cert_identifier          = "rds-ca-rsa2048-g1"
		18 |   apply_immediately           = true
		19 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: aws_db_instance.tipstaff_db
	File: /rds.tf:1-19
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-354

		1  | resource "aws_db_instance" "tipstaff_db" {
		2  |   count                       = local.is-development ? 0 : 1
		3  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		4  |   db_name                     = local.application_data.accounts[local.environment].db_name
		5  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		6  |   engine                      = local.application_data.accounts[local.environment].engine
		7  |   identifier                  = local.application_data.accounts[local.environment].identifier
		8  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		9  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		10 |   username                    = local.application_data.accounts[local.environment].db_username
		11 |   password                    = random_password.password.result
		12 |   skip_final_snapshot         = true
		13 |   publicly_accessible         = false
		14 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc[0].id]
		15 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		16 |   allow_major_version_upgrade = true
		17 |   ca_cert_identifier          = "rds-ca-rsa2048-g1"
		18 |   apply_immediately           = true
		19 | }

Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
	FAILED for resource: aws_db_instance.tipstaff_db
	File: /rds.tf:1-19
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-353

		1  | resource "aws_db_instance" "tipstaff_db" {
		2  |   count                       = local.is-development ? 0 : 1
		3  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		4  |   db_name                     = local.application_data.accounts[local.environment].db_name
		5  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		6  |   engine                      = local.application_data.accounts[local.environment].engine
		7  |   identifier                  = local.application_data.accounts[local.environment].identifier
		8  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		9  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		10 |   username                    = local.application_data.accounts[local.environment].db_username
		11 |   password                    = random_password.password.result
		12 |   skip_final_snapshot         = true
		13 |   publicly_accessible         = false
		14 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc[0].id]
		15 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		16 |   allow_major_version_upgrade = true
		17 |   ca_cert_identifier          = "rds-ca-rsa2048-g1"
		18 |   apply_immediately           = true
		19 | }

Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
	FAILED for resource: aws_db_instance.tipstaff_db
	File: /rds.tf:1-19
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-293

		1  | resource "aws_db_instance" "tipstaff_db" {
		2  |   count                       = local.is-development ? 0 : 1
		3  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		4  |   db_name                     = local.application_data.accounts[local.environment].db_name
		5  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		6  |   engine                      = local.application_data.accounts[local.environment].engine
		7  |   identifier                  = local.application_data.accounts[local.environment].identifier
		8  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		9  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		10 |   username                    = local.application_data.accounts[local.environment].db_username
		11 |   password                    = random_password.password.result
		12 |   skip_final_snapshot         = true
		13 |   publicly_accessible         = false
		14 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc[0].id]
		15 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		16 |   allow_major_version_upgrade = true
		17 |   ca_cert_identifier          = "rds-ca-rsa2048-g1"
		18 |   apply_immediately           = true
		19 | }

Check: CKV_AWS_16: "Ensure all data stored in the RDS is securely encrypted at rest"
	FAILED for resource: aws_db_instance.tipstaff_db
	File: /rds.tf:1-19
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-4

		1  | resource "aws_db_instance" "tipstaff_db" {
		2  |   count                       = local.is-development ? 0 : 1
		3  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		4  |   db_name                     = local.application_data.accounts[local.environment].db_name
		5  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		6  |   engine                      = local.application_data.accounts[local.environment].engine
		7  |   identifier                  = local.application_data.accounts[local.environment].identifier
		8  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		9  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		10 |   username                    = local.application_data.accounts[local.environment].db_username
		11 |   password                    = random_password.password.result
		12 |   skip_final_snapshot         = true
		13 |   publicly_accessible         = false
		14 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc[0].id]
		15 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		16 |   allow_major_version_upgrade = true
		17 |   ca_cert_identifier          = "rds-ca-rsa2048-g1"
		18 |   apply_immediately           = true
		19 | }

Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
	FAILED for resource: aws_db_instance.tipstaff_db
	File: /rds.tf:1-19
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled

		1  | resource "aws_db_instance" "tipstaff_db" {
		2  |   count                       = local.is-development ? 0 : 1
		3  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		4  |   db_name                     = local.application_data.accounts[local.environment].db_name
		5  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		6  |   engine                      = local.application_data.accounts[local.environment].engine
		7  |   identifier                  = local.application_data.accounts[local.environment].identifier
		8  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		9  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		10 |   username                    = local.application_data.accounts[local.environment].db_username
		11 |   password                    = random_password.password.result
		12 |   skip_final_snapshot         = true
		13 |   publicly_accessible         = false
		14 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc[0].id]
		15 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		16 |   allow_major_version_upgrade = true
		17 |   ca_cert_identifier          = "rds-ca-rsa2048-g1"
		18 |   apply_immediately           = true
		19 | }

Check: CKV_AWS_226: "Ensure DB instance gets all minor upgrades automatically"
	FAILED for resource: aws_db_instance.tipstaff_db_dev
	File: /rds.tf:64-80
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-db-instance-gets-all-minor-upgrades-automatically

		64 | resource "aws_db_instance" "tipstaff_db_dev" {
		65 |   count                       = local.is-development ? 1 : 0
		66 |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		67 |   db_name                     = local.application_data.accounts[local.environment].db_name
		68 |   storage_type                = local.application_data.accounts[local.environment].storage_type
		69 |   engine                      = local.application_data.accounts[local.environment].engine
		70 |   identifier                  = local.application_data.accounts[local.environment].identifier
		71 |   engine_version              = local.application_data.accounts[local.environment].engine_version
		72 |   instance_class              = local.application_data.accounts[local.environment].instance_class
		73 |   username                    = local.application_data.accounts[local.environment].db_username
		74 |   password                    = random_password.password.result
		75 |   skip_final_snapshot         = true
		76 |   publicly_accessible         = true
		77 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc_dev[0].id]
		78 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		79 |   allow_major_version_upgrade = true
		80 | }

Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
	FAILED for resource: aws_db_instance.tipstaff_db_dev
	File: /rds.tf:64-80
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-73

		64 | resource "aws_db_instance" "tipstaff_db_dev" {
		65 |   count                       = local.is-development ? 1 : 0
		66 |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		67 |   db_name                     = local.application_data.accounts[local.environment].db_name
		68 |   storage_type                = local.application_data.accounts[local.environment].storage_type
		69 |   engine                      = local.application_data.accounts[local.environment].engine
		70 |   identifier                  = local.application_data.accounts[local.environment].identifier
		71 |   engine_version              = local.application_data.accounts[local.environment].engine_version
		72 |   instance_class              = local.application_data.accounts[local.environment].instance_class
		73 |   username                    = local.application_data.accounts[local.environment].db_username
		74 |   password                    = random_password.password.result
		75 |   skip_final_snapshot         = true
		76 |   publicly_accessible         = true
		77 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc_dev[0].id]
		78 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		79 |   allow_major_version_upgrade = true
		80 | }

Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
	FAILED for resource: aws_db_instance.tipstaff_db_dev
	File: /rds.tf:64-80
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances

		64 | resource "aws_db_instance" "tipstaff_db_dev" {
		65 |   count                       = local.is-development ? 1 : 0
		66 |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		67 |   db_name                     = local.application_data.accounts[local.environment].db_name
		68 |   storage_type                = local.application_data.accounts[local.environment].storage_type
		69 |   engine                      = local.application_data.accounts[local.environment].engine
		70 |   identifier                  = local.application_data.accounts[local.environment].identifier
		71 |   engine_version              = local.application_data.accounts[local.environment].engine_version
		72 |   instance_class              = local.application_data.accounts[local.environment].instance_class
		73 |   username                    = local.application_data.accounts[local.environment].db_username
		74 |   password                    = random_password.password.result
		75 |   skip_final_snapshot         = true
		76 |   publicly_accessible         = true
		77 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc_dev[0].id]
		78 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		79 |   allow_major_version_upgrade = true
		80 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: aws_db_instance.tipstaff_db_dev
	File: /rds.tf:64-80
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-354

		64 | resource "aws_db_instance" "tipstaff_db_dev" {
		65 |   count                       = local.is-development ? 1 : 0
		66 |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		67 |   db_name                     = local.application_data.accounts[local.environment].db_name
		68 |   storage_type                = local.application_data.accounts[local.environment].storage_type
		69 |   engine                      = local.application_data.accounts[local.environment].engine
		70 |   identifier                  = local.application_data.accounts[local.environment].identifier
		71 |   engine_version              = local.application_data.accounts[local.environment].engine_version
		72 |   instance_class              = local.application_data.accounts[local.environment].instance_class
		73 |   username                    = local.application_data.accounts[local.environment].db_username
		74 |   password                    = random_password.password.result
		75 |   skip_final_snapshot         = true
		76 |   publicly_accessible         = true
		77 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc_dev[0].id]
		78 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		79 |   allow_major_version_upgrade = true
		80 | }

Check: CKV_AWS_17: "Ensure all data stored in RDS is not publicly accessible"
	FAILED for resource: aws_db_instance.tipstaff_db_dev
	File: /rds.tf:64-80
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/public-policies/public-2

		64 | resource "aws_db_instance" "tipstaff_db_dev" {
		65 |   count                       = local.is-development ? 1 : 0
		66 |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		67 |   db_name                     = local.application_data.accounts[local.environment].db_name
		68 |   storage_type                = local.application_data.accounts[local.environment].storage_type
		69 |   engine                      = local.application_data.accounts[local.environment].engine
		70 |   identifier                  = local.application_data.accounts[local.environment].identifier
		71 |   engine_version              = local.application_data.accounts[local.environment].engine_version
		72 |   instance_class              = local.application_data.accounts[local.environment].instance_class
		73 |   username                    = local.application_data.accounts[local.environment].db_username
		74 |   password                    = random_password.password.result
		75 |   skip_final_snapshot         = true
		76 |   publicly_accessible         = true
		77 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc_dev[0].id]
		78 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		79 |   allow_major_version_upgrade = true
		80 | }

Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
	FAILED for resource: aws_db_instance.tipstaff_db_dev
	File: /rds.tf:64-80
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-353

		64 | resource "aws_db_instance" "tipstaff_db_dev" {
		65 |   count                       = local.is-development ? 1 : 0
		66 |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		67 |   db_name                     = local.application_data.accounts[local.environment].db_name
		68 |   storage_type                = local.application_data.accounts[local.environment].storage_type
		69 |   engine                      = local.application_data.accounts[local.environment].engine
		70 |   identifier                  = local.application_data.accounts[local.environment].identifier
		71 |   engine_version              = local.application_data.accounts[local.environment].engine_version
		72 |   instance_class              = local.application_data.accounts[local.environment].instance_class
		73 |   username                    = local.application_data.accounts[local.environment].db_username
		74 |   password                    = random_password.password.result
		75 |   skip_final_snapshot         = true
		76 |   publicly_accessible         = true
		77 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc_dev[0].id]
		78 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		79 |   allow_major_version_upgrade = true
		80 | }

Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
	FAILED for resource: aws_db_instance.tipstaff_db_dev
	File: /rds.tf:64-80
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-293

		64 | resource "aws_db_instance" "tipstaff_db_dev" {
		65 |   count                       = local.is-development ? 1 : 0
		66 |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		67 |   db_name                     = local.application_data.accounts[local.environment].db_name
		68 |   storage_type                = local.application_data.accounts[local.environment].storage_type
		69 |   engine                      = local.application_data.accounts[local.environment].engine
		70 |   identifier                  = local.application_data.accounts[local.environment].identifier
		71 |   engine_version              = local.application_data.accounts[local.environment].engine_version
		72 |   instance_class              = local.application_data.accounts[local.environment].instance_class
		73 |   username                    = local.application_data.accounts[local.environment].db_username
		74 |   password                    = random_password.password.result
		75 |   skip_final_snapshot         = true
		76 |   publicly_accessible         = true
		77 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc_dev[0].id]
		78 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		79 |   allow_major_version_upgrade = true
		80 | }

Check: CKV_AWS_16: "Ensure all data stored in the RDS is securely encrypted at rest"
	FAILED for resource: aws_db_instance.tipstaff_db_dev
	File: /rds.tf:64-80
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-4

		64 | resource "aws_db_instance" "tipstaff_db_dev" {
		65 |   count                       = local.is-development ? 1 : 0
		66 |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		67 |   db_name                     = local.application_data.accounts[local.environment].db_name
		68 |   storage_type                = local.application_data.accounts[local.environment].storage_type
		69 |   engine                      = local.application_data.accounts[local.environment].engine
		70 |   identifier                  = local.application_data.accounts[local.environment].identifier
		71 |   engine_version              = local.application_data.accounts[local.environment].engine_version
		72 |   instance_class              = local.application_data.accounts[local.environment].instance_class
		73 |   username                    = local.application_data.accounts[local.environment].db_username
		74 |   password                    = random_password.password.result
		75 |   skip_final_snapshot         = true
		76 |   publicly_accessible         = true
		77 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc_dev[0].id]
		78 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		79 |   allow_major_version_upgrade = true
		80 | }

Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
	FAILED for resource: aws_db_instance.tipstaff_db_dev
	File: /rds.tf:64-80
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled

		64 | resource "aws_db_instance" "tipstaff_db_dev" {
		65 |   count                       = local.is-development ? 1 : 0
		66 |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		67 |   db_name                     = local.application_data.accounts[local.environment].db_name
		68 |   storage_type                = local.application_data.accounts[local.environment].storage_type
		69 |   engine                      = local.application_data.accounts[local.environment].engine
		70 |   identifier                  = local.application_data.accounts[local.environment].identifier
		71 |   engine_version              = local.application_data.accounts[local.environment].engine_version
		72 |   instance_class              = local.application_data.accounts[local.environment].instance_class
		73 |   username                    = local.application_data.accounts[local.environment].db_username
		74 |   password                    = random_password.password.result
		75 |   skip_final_snapshot         = true
		76 |   publicly_accessible         = true
		77 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc_dev[0].id]
		78 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		79 |   allow_major_version_upgrade = true
		80 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.rds_db_credentials
	File: /secrets.tf:12-15
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		12 | resource "aws_secretsmanager_secret" "rds_db_credentials" {
		13 |   name                    = "rds-password"
		14 |   recovery_window_in_days = 0
		15 | }

Check: CKV_AWS_192: "Ensure WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell"
	FAILED for resource: aws_wafv2_web_acl.tipstaff_web_acl
	File: /waf.tf:1-42
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-waf-prevents-message-lookup-in-log4j2

		1  | resource "aws_wafv2_web_acl" "tipstaff_web_acl" {
		2  |   name  = "tipstaff-web-acl"
		3  |   scope = "REGIONAL"
		4  | 
		5  |   default_action {
		6  |     allow {}
		7  |   }
		8  | 
		9  |   rule {
		10 |     name     = "common-rule-set"
		11 |     priority = 1
		12 | 
		13 |     override_action {
		14 |       none {}
		15 |     }
		16 | 
		17 |     statement {
		18 |       managed_rule_group_statement {
		19 |         name        = "AWSManagedRulesCommonRuleSet"
		20 |         vendor_name = "AWS"
		21 |         rule_action_override {
		22 |           action_to_use {
		23 |             allow {}
		24 |           }
		25 |           name = "SizeRestrictions_BODY"
		26 |         }
		27 |       }
		28 |     }
		29 | 
		30 |     visibility_config {
		31 |       cloudwatch_metrics_enabled = true
		32 |       metric_name                = "AWSManagedRulesCommonRuleSetMetrics"
		33 |       sampled_requests_enabled   = true
		34 |     }
		35 |   }
		36 | 
		37 |   visibility_config {
		38 |     cloudwatch_metrics_enabled = true
		39 |     metric_name                = "tipstaff-web-acl"
		40 |     sampled_requests_enabled   = true
		41 |   }
		42 | }

Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
	FAILED for resource: aws_db_instance.tipstaff_db
	File: /rds.tf:1-19
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-60

		1  | resource "aws_db_instance" "tipstaff_db" {
		2  |   count                       = local.is-development ? 0 : 1
		3  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		4  |   db_name                     = local.application_data.accounts[local.environment].db_name
		5  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		6  |   engine                      = local.application_data.accounts[local.environment].engine
		7  |   identifier                  = local.application_data.accounts[local.environment].identifier
		8  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		9  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		10 |   username                    = local.application_data.accounts[local.environment].db_username
		11 |   password                    = random_password.password.result
		12 |   skip_final_snapshot         = true
		13 |   publicly_accessible         = false
		14 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc[0].id]
		15 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		16 |   allow_major_version_upgrade = true
		17 |   ca_cert_identifier          = "rds-ca-rsa2048-g1"
		18 |   apply_immediately           = true
		19 | }

Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
	FAILED for resource: aws_db_instance.tipstaff_db_dev
	File: /rds.tf:64-80
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-60

		64 | resource "aws_db_instance" "tipstaff_db_dev" {
		65 |   count                       = local.is-development ? 1 : 0
		66 |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		67 |   db_name                     = local.application_data.accounts[local.environment].db_name
		68 |   storage_type                = local.application_data.accounts[local.environment].storage_type
		69 |   engine                      = local.application_data.accounts[local.environment].engine
		70 |   identifier                  = local.application_data.accounts[local.environment].identifier
		71 |   engine_version              = local.application_data.accounts[local.environment].engine_version
		72 |   instance_class              = local.application_data.accounts[local.environment].instance_class
		73 |   username                    = local.application_data.accounts[local.environment].db_username
		74 |   password                    = random_password.password.result
		75 |   skip_final_snapshot         = true
		76 |   publicly_accessible         = true
		77 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc_dev[0].id]
		78 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		79 |   allow_major_version_upgrade = true
		80 | }

Check: CKV2_AWS_31: "Ensure WAF2 has a Logging Configuration"
	FAILED for resource: aws_wafv2_web_acl.tipstaff_web_acl
	File: /waf.tf:1-42
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-33

		1  | resource "aws_wafv2_web_acl" "tipstaff_web_acl" {
		2  |   name  = "tipstaff-web-acl"
		3  |   scope = "REGIONAL"
		4  | 
		5  |   default_action {
		6  |     allow {}
		7  |   }
		8  | 
		9  |   rule {
		10 |     name     = "common-rule-set"
		11 |     priority = 1
		12 | 
		13 |     override_action {
		14 |       none {}
		15 |     }
		16 | 
		17 |     statement {
		18 |       managed_rule_group_statement {
		19 |         name        = "AWSManagedRulesCommonRuleSet"
		20 |         vendor_name = "AWS"
		21 |         rule_action_override {
		22 |           action_to_use {
		23 |             allow {}
		24 |           }
		25 |           name = "SizeRestrictions_BODY"
		26 |         }
		27 |       }
		28 |     }
		29 | 
		30 |     visibility_config {
		31 |       cloudwatch_metrics_enabled = true
		32 |       metric_name                = "AWSManagedRulesCommonRuleSetMetrics"
		33 |       sampled_requests_enabled   = true
		34 |     }
		35 |   }
		36 | 
		37 |   visibility_config {
		38 |     cloudwatch_metrics_enabled = true
		39 |     metric_name                = "tipstaff-web-acl"
		40 |     sampled_requests_enabled   = true
		41 |   }
		42 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.rds_db_credentials
	File: /secrets.tf:12-15
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		12 | resource "aws_secretsmanager_secret" "rds_db_credentials" {
		13 |   name                    = "rds-password"
		14 |   recovery_window_in_days = 0
		15 | }

Check: CKV_AWS_103: "Ensure that load balancer is using at least TLS 1.2"
	FAILED for resource: aws_lb_listener.tipstaff_lb
	File: /load_balancer.tf:294-308
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-43

		294 | resource "aws_lb_listener" "tipstaff_lb" {
		295 |   depends_on = [
		296 |     aws_acm_certificate.external
		297 |   ]
		298 |   certificate_arn   = local.is-production ? aws_acm_certificate.external_prod[0].arn : aws_acm_certificate.external.arn
		299 |   load_balancer_arn = aws_lb.tipstaff_lb.arn
		300 |   port              = local.application_data.accounts[local.environment].server_port_2
		301 |   protocol          = local.application_data.accounts[local.environment].lb_listener_protocol_2
		302 |   ssl_policy        = local.application_data.accounts[local.environment].lb_listener_protocol_2 == "HTTP" ? "" : "ELBSecurityPolicy-TLS13-1-2-2021-06"
		303 | 
		304 |   default_action {
		305 |     type             = "forward"
		306 |     target_group_arn = aws_lb_target_group.tipstaff_target_group.arn
		307 |   }
		308 | }

Check: CKV2_AWS_40: "Ensure AWS IAM policy does not allow full IAM privileges"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:312-333
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-2-40

		312 | resource "aws_iam_role_policy" "app_task" {
		313 |   name = "task-${var.networking[0].application}"
		314 |   role = aws_iam_role.app_task.id
		315 | 
		316 |   policy = <<-EOF
		317 |   {
		318 |    "Version": "2012-10-17",
		319 |    "Statement": [
		320 |      {
		321 |        "Effect": "Allow",
		322 |         "Action": [
		323 |           "logs:*",
		324 |           "ecr:*",
		325 |           "iam:*",
		326 |           "ec2:*"
		327 |         ],
		328 |        "Resource": "*"
		329 |      }
		330 |    ]
		331 |   }
		332 |   EOF
		333 | }


checkov_exitcode=1

TFLint Scan Failed

*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
terraform/environments/tipstaff

*****************************

Running tflint in terraform/environments/tipstaff
Excluding the following checks: terraform_unused_declarations
22 issue(s) found:

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/tipstaff/ecs.tf line 54:
  54:           value = "${aws_db_instance.tipstaff_db[0].address}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/tipstaff/ecs.tf line 58:
  58:           value = "${local.application_data.accounts[local.environment].rds_port}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/tipstaff/ecs.tf line 62:
  62:           value = "${aws_db_instance.tipstaff_db[0].username}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/tipstaff/ecs.tf line 66:
  66:           value = "${aws_db_instance.tipstaff_db[0].password}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/tipstaff/ecs.tf line 70:
  70:           value = "${aws_db_instance.tipstaff_db[0].db_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/tipstaff/ecs.tf line 74:
  74:           value = "${local.application_data.accounts[local.environment].support_email}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/tipstaff/ecs.tf line 78:
  78:           value = "${local.application_data.accounts[local.environment].support_team}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/tipstaff/ecs.tf line 82:
  82:           value = "${local.application_data.accounts[local.environment].curserver}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/tipstaff/ecs.tf line 86:
  86:           value = "${local.application_data.accounts[local.environment].client_id}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/tipstaff/ecs.tf line 133:
 133:           value = "${aws_db_instance.tipstaff_db_dev[0].address}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/tipstaff/ecs.tf line 137:
 137:           value = "${local.application_data.accounts[local.environment].rds_port}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/tipstaff/ecs.tf line 141:
 141:           value = "${aws_db_instance.tipstaff_db_dev[0].username}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/tipstaff/ecs.tf line 145:
 145:           value = "${aws_db_instance.tipstaff_db_dev[0].password}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/tipstaff/ecs.tf line 149:
 149:           value = "${aws_db_instance.tipstaff_db_dev[0].db_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/tipstaff/ecs.tf line 153:
 153:           value = "${local.application_data.accounts[local.environment].support_email}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/tipstaff/ecs.tf line 157:
 157:           value = "${local.application_data.accounts[local.environment].support_team}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/tipstaff/ecs.tf line 161:
 161:           value = "${local.application_data.accounts[local.environment].curserver}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/tipstaff/ecs.tf line 165:
 165:           value = "${local.application_data.accounts[local.environment].client_id}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "github" in `required_providers` (terraform_required_providers)

  on terraform/environments/tipstaff/providers.tf line 8:
   8: data "github_ip_ranges" "github_actions_ips" {}

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/tipstaff/rds.tf line 140:
 140:     always_run = "${timestamp()}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "random" in `required_providers` (terraform_required_providers)

  on terraform/environments/tipstaff/secrets.tf line 3:
   3: resource "random_password" "password" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/tipstaff/secrets.tf line 19:
  19:   secret_string = jsonencode({ "TIPSTAFF_DB_PASSWORD" : "${random_password.password.result}" })

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

tflint_exitcode=2

Trivy Scan Failed

*****************************

Trivy will check the following folders:
terraform/environments/tipstaff

*****************************

Running Trivy in terraform/environments/tipstaff
2024-09-13T14:00:07Z	INFO	[db] Need to update DB
2024-09-13T14:00:07Z	INFO	[db] Downloading DB...	repository="ghcr.io/aquasecurity/trivy-db:2"
2024-09-13T14:00:10Z	INFO	[vuln] Vulnerability scanning is enabled
2024-09-13T14:00:10Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-09-13T14:00:10Z	INFO	Need to update the built-in policies
2024-09-13T14:00:10Z	INFO	Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-09-13T14:00:10Z	INFO	[secret] Secret scanning is enabled
2024-09-13T14:00:10Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-09-13T14:00:10Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.55/docs/scanner/secret#recommendation for faster secret detection
2024-09-13T14:00:16Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-09-13T14:00:16Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2024-09-13T14:00:16Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2024-09-13T14:00:16Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2024-09-13T14:00:16Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.dynamic.tag" value="cty.NilVal"
2024-09-13T14:00:16Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.dynamic.tag" value="cty.NilVal"
2024-09-13T14:00:17Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-09-13T14:00:17Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-09-13T14:00:17Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-09-13T14:00:17Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-09-13T14:00:17Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-09-13T14:00:17Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-09-13T14:00:17Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-09-13T14:00:17Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-09-13T14:00:17Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-09-13T14:00:17Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-09-13T14:00:17Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-09-13T14:00:17Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-09-13T14:00:17Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf:283-325"
2024-09-13T14:00:17Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf:283-325"
2024-09-13T14:00:17Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf:283-325"
2024-09-13T14:00:17Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf:283-325"
2024-09-13T14:00:17Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf:283-325"
2024-09-13T14:00:17Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf:283-325"
2024-09-13T14:00:17Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf:283-325"
2024-09-13T14:00:17Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf:283-325"
2024-09-13T14:00:17Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf:283-325"
2024-09-13T14:00:17Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf:344-362"
2024-09-13T14:00:17Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf:344-362"
2024-09-13T14:00:17Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-enable-bucket-encryption" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:18-29"
2024-09-13T14:00:17Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-enable-versioning" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:18-29"
2024-09-13T14:00:17Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2024-09-13T14:00:17Z	INFO	Number of language-specific files	num=0
2024-09-13T14:00:17Z	INFO	Detected config files	num=7

ecs.tf (terraform)
==================
Tests: 13 (SUCCESSES: 3, FAILURES: 4, EXCEPTIONS: 6)
Failures: 4 (HIGH: 3, CRITICAL: 1)

HIGH: Image scanning is not enabled.
════════════════════════════════════════
Repository image scans should be enabled to ensure vulnerable software can be discovered and remediated as soon as possible.

See https://avd.aquasec.com/misconfig/avd-aws-0030
────────────────────────────────────────
 ecs.tf:355-358
────────────────────────────────────────
 355 ┌ resource "aws_ecr_repository" "tipstaff_ecr_repo" {
 356 │   name         = "tipstaff-ecr-repo"
 357 │   force_delete = true
 358 └ }
────────────────────────────────────────


HIGH: Topic does not have encryption enabled.
════════════════════════════════════════
Topics should be encrypted to protect their contents.

See https://avd.aquasec.com/misconfig/avd-aws-0095
────────────────────────────────────────
 ecs.tf:454-457
────────────────────────────────────────
 454 ┌ resource "aws_sns_topic" "ddos_alarm" {
 455 │   count = local.is-development ? 0 : 1
 456 │   name  = "tipstaff_ddos_alarm"
 457 └ }
────────────────────────────────────────


HIGH: Topic does not have encryption enabled.
════════════════════════════════════════
Topics should be encrypted to protect their contents.

See https://avd.aquasec.com/misconfig/avd-aws-0095
────────────────────────────────────────
 ecs.tf:459-462
────────────────────────────────────────
 459 ┌ resource "aws_sns_topic" "tipstaff_utilisation_alarm" {
 460 │   count = local.is-development ? 0 : 1
 461 │   name  = "tipstaff_utilisation_alarm"
 462 └ }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 ecs.tf:351
   via ecs.tf:347-352 (egress)
    via ecs.tf:335-353 (aws_security_group.ecs_service)
────────────────────────────────────────
 335   resource "aws_security_group" "ecs_service" {
 ...   
 351 [     cidr_blocks = ["0.0.0.0/0"]
 ...   
 353   }
────────────────────────────────────────



load_balancer.tf (terraform)
============================
Tests: 13 (SUCCESSES: 7, FAILURES: 6, EXCEPTIONS: 0)
Failures: 6 (HIGH: 2, CRITICAL: 4)

HIGH: Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise. 

By setting drop_invalid_header_fields to true, anything that doe not conform to well known, defined headers will be removed by the load balancer.

See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
 load_balancer.tf:260-268
────────────────────────────────────────
 260resource "aws_lb" "tipstaff_lb" {
 261 │   name                       = "tipstaff-load-balancer"
 262 │   load_balancer_type         = "application"
 263 │   security_groups            = [aws_security_group.tipstaff_lb_sc.id, aws_security_group.tipstaff_lb_sc_pingdom.id, aws_security_group.tipstaff_lb_sc_pingdom_2.id]
 264 │   subnets                    = data.aws_subnets.shared-public.ids
 265 │   enable_deletion_protection = false
 266 │   internal                   = false
 267 │   depends_on                 = [aws_security_group.tipstaff_lb_sc]
 268 └ }
────────────────────────────────────────


HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
 load_balancer.tf:266
   via load_balancer.tf:260-268 (aws_lb.tipstaff_lb)
────────────────────────────────────────
 260   resource "aws_lb" "tipstaff_lb" {
 261     name                       = "tipstaff-load-balancer"
 262     load_balancer_type         = "application"
 263     security_groups            = [aws_security_group.tipstaff_lb_sc.id, aws_security_group.tipstaff_lb_sc_pingdom.id, aws_security_group.tipstaff_lb_sc_pingdom_2.id]
 264     subnets                    = data.aws_subnets.shared-public.ids
 265     enable_deletion_protection = false
 266 [   internal                   = false
 267     depends_on                 = [aws_security_group.tipstaff_lb_sc]
 268   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 load_balancer.tf:110
   via load_balancer.tf:105-111 (egress)
    via load_balancer.tf:1-112 (aws_security_group.tipstaff_lb_sc)
────────────────────────────────────────
   1   resource "aws_security_group" "tipstaff_lb_sc" {
   .   
 110 [     cidr_blocks = ["0.0.0.0/0"]
 ...   
 112   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 load_balancer.tf:102
   via load_balancer.tf:97-103 (egress)
    via load_balancer.tf:1-112 (aws_security_group.tipstaff_lb_sc)
────────────────────────────────────────
   1   resource "aws_security_group" "tipstaff_lb_sc" {
   .   
 102 [     cidr_blocks = ["0.0.0.0/0"]
 ...   
 112   }
────────────────────────────────────────


CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
 load_balancer.tf:64-78
   via load_balancer.tf:60-79 (ingress)
    via load_balancer.tf:1-112 (aws_security_group.tipstaff_lb_sc)
────────────────────────────────────────
   1   resource "aws_security_group" "tipstaff_lb_sc" {
   .   
  64 ┌     cidr_blocks = [
  65 │       "20.26.11.71/32",
  66 │       "20.26.11.108/32",
  67 │       "20.49.214.199/32",
  68 │       "20.49.214.228/32",
  69 │       "51.149.249.0/29",
  70 └       "51.149.249.32/29",
  ..   
────────────────────────────────────────


CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
 load_balancer.tf:27-56
   via load_balancer.tf:23-57 (ingress)
    via load_balancer.tf:1-112 (aws_security_group.tipstaff_lb_sc)
────────────────────────────────────────
   1   resource "aws_security_group" "tipstaff_lb_sc" {
   .   
  27 ┌     cidr_blocks = [
  28 │       "178.248.34.44/32",
  29 │       "194.33.192.0/25",
  30 │       "195.59.75.0/24",
  31 │       "178.248.34.45/32",
  32 │       "201.33.21.5/32",
  33 └       "178.248.34.46/32",
  ..   
────────────────────────────────────────



rds.tf (terraform)
==================
Tests: 5 (SUCCESSES: 3, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 1, CRITICAL: 1)

HIGH: Instance does not have storage encryption enabled.
════════════════════════════════════════
Encryption should be enabled for an RDS Database instances. 

When enabling encryption by setting the kms_key_id.

See https://avd.aquasec.com/misconfig/avd-aws-0080
────────────────────────────────────────
 rds.tf:1-19
────────────────────────────────────────
   1 ┌ resource "aws_db_instance" "tipstaff_db" {
   2 │   count                       = local.is-development ? 0 : 1
   3 │   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
   4 │   db_name                     = local.application_data.accounts[local.environment].db_name
   5 │   storage_type                = local.application_data.accounts[local.environment].storage_type
   6 │   engine                      = local.application_data.accounts[local.environment].engine
   7 │   identifier                  = local.application_data.accounts[local.environment].identifier
   8 │   engine_version              = local.application_data.accounts[local.environment].engine_version
   9 └   instance_class              = local.application_data.accounts[local.environment].instance_class
  ..   
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 rds.tf:59
   via rds.tf:54-60 (egress)
    via rds.tf:26-61 (aws_security_group.postgresql_db_sc[0])
────────────────────────────────────────
  26   resource "aws_security_group" "postgresql_db_sc" {
  ..   
  59 [     cidr_blocks = ["0.0.0.0/0"]
  ..   
  61   }
────────────────────────────────────────


trivy_exitcode=1

Contributor

Trivy Scan Failed

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/tipstaff


Running Trivy in terraform/environments/tipstaff
2024-09-13T15:10:08Z INFO [db] Need to update DB
2024-09-13T15:10:08Z INFO [db] Downloading DB... repository="ghcr.io/aquasecurity/trivy-db:2"
2024-09-13T15:10:10Z INFO [vuln] Vulnerability scanning is enabled
2024-09-13T15:10:10Z INFO [misconfig] Misconfiguration scanning is enabled
2024-09-13T15:10:10Z INFO Need to update the built-in policies
2024-09-13T15:10:10Z INFO Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s
2024-09-13T15:10:10Z INFO [secret] Secret scanning is enabled
2024-09-13T15:10:10Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-09-13T15:10:10Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.55/docs/scanner/secret#recommendation for faster secret detection
2024-09-13T15:10:16Z INFO [terraform scanner] Scanning root module file_path="."
2024-09-13T15:10:16Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2024-09-13T15:10:17Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2024-09-13T15:10:17Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2024-09-13T15:10:17Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.dynamic.tag" value="cty.NilVal"
2024-09-13T15:10:17Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.dynamic.tag" value="cty.NilVal"
2024-09-13T15:10:17Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-09-13T15:10:17Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-09-13T15:10:17Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-09-13T15:10:17Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-09-13T15:10:17Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-09-13T15:10:17Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-09-13T15:10:17Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-09-13T15:10:17Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-09-13T15:10:17Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-09-13T15:10:17Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-09-13T15:10:17Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-09-13T15:10:17Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-09-13T15:10:17Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf:283-325"
2024-09-13T15:10:17Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf:283-325"
2024-09-13T15:10:17Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf:283-325"
2024-09-13T15:10:17Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf:283-325"
2024-09-13T15:10:17Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf:283-325"
2024-09-13T15:10:17Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf:283-325"
2024-09-13T15:10:17Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf:283-325"
2024-09-13T15:10:17Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf:283-325"
2024-09-13T15:10:17Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf:283-325"
2024-09-13T15:10:17Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf:344-362"
2024-09-13T15:10:17Z INFO [terraform executor] Ignore finding rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf:344-362"
2024-09-13T15:10:17Z INFO [terraform executor] Ignore finding rule="aws-s3-enable-bucket-encryption" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:18-29"
2024-09-13T15:10:17Z INFO [terraform executor] Ignore finding rule="aws-s3-enable-versioning" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:18-29"
2024-09-13T15:10:17Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2024-09-13T15:10:17Z INFO Number of language-specific files num=0
2024-09-13T15:10:17Z INFO Detected config files num=7

ecs.tf (terraform)
==================
Tests: 13 (SUCCESSES: 3, FAILURES: 4, EXCEPTIONS: 6)
Failures: 4 (HIGH: 3, CRITICAL: 1)

HIGH: Image scanning is not enabled.
════════════════════════════════════════
Repository image scans should be enabled to ensure vulnerable software can be discovered and remediated as soon as possible.

See https://avd.aquasec.com/misconfig/avd-aws-0030
────────────────────────────────────────
ecs.tf:355-358
────────────────────────────────────────
355 ┌ resource "aws_ecr_repository" "tipstaff_ecr_repo" {
356 │ name = "tipstaff-ecr-repo"
357 │ force_delete = true
358 └ }
────────────────────────────────────────

HIGH: Topic does not have encryption enabled.
════════════════════════════════════════
Topics should be encrypted to protect their contents.

See https://avd.aquasec.com/misconfig/avd-aws-0095
────────────────────────────────────────
ecs.tf:454-457
────────────────────────────────────────
454 ┌ resource "aws_sns_topic" "ddos_alarm" {
455 │ count = local.is-development ? 0 : 1
456 │ name = "tipstaff_ddos_alarm"
457 └ }
────────────────────────────────────────

HIGH: Topic does not have encryption enabled.
════════════════════════════════════════
Topics should be encrypted to protect their contents.

See https://avd.aquasec.com/misconfig/avd-aws-0095
────────────────────────────────────────
ecs.tf:459-462
────────────────────────────────────────
459 ┌ resource "aws_sns_topic" "tipstaff_utilisation_alarm" {
460 │ count = local.is-development ? 0 : 1
461 │ name = "tipstaff_utilisation_alarm"
462 └ }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
ecs.tf:351
via ecs.tf:347-352 (egress)
via ecs.tf:335-353 (aws_security_group.ecs_service)
────────────────────────────────────────
335 resource "aws_security_group" "ecs_service" {
...
351 [ cidr_blocks = ["0.0.0.0/0"]
...
353 }
────────────────────────────────────────

load_balancer.tf (terraform)
============================
Tests: 13 (SUCCESSES: 7, FAILURES: 6, EXCEPTIONS: 0)
Failures: 6 (HIGH: 2, CRITICAL: 4)

HIGH: Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.

By setting drop_invalid_header_fields to true, anything that doe not conform to well known, defined headers will be removed by the load balancer.

See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
load_balancer.tf:260-268
────────────────────────────────────────
260 ┌ resource "aws_lb" "tipstaff_lb" {
261 │ name = "tipstaff-load-balancer"
262 │ load_balancer_type = "application"
263 │ security_groups = [aws_security_group.tipstaff_lb_sc.id, aws_security_group.tipstaff_lb_sc_pingdom.id, aws_security_group.tipstaff_lb_sc_pingdom_2.id]
264 │ subnets = data.aws_subnets.shared-public.ids
265 │ enable_deletion_protection = false
266 │ internal = false
267 │ depends_on = [aws_security_group.tipstaff_lb_sc]
268 └ }
────────────────────────────────────────

HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
load_balancer.tf:266
via load_balancer.tf:260-268 (aws_lb.tipstaff_lb)
────────────────────────────────────────
260 resource "aws_lb" "tipstaff_lb" {
261 name = "tipstaff-load-balancer"
262 load_balancer_type = "application"
263 security_groups = [aws_security_group.tipstaff_lb_sc.id, aws_security_group.tipstaff_lb_sc_pingdom.id, aws_security_group.tipstaff_lb_sc_pingdom_2.id]
264 subnets = data.aws_subnets.shared-public.ids
265 enable_deletion_protection = false
266 [ internal = false
267 depends_on = [aws_security_group.tipstaff_lb_sc]
268 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
load_balancer.tf:110
via load_balancer.tf:105-111 (egress)
via load_balancer.tf:1-112 (aws_security_group.tipstaff_lb_sc)
────────────────────────────────────────
1 resource "aws_security_group" "tipstaff_lb_sc" {
.
110 [ cidr_blocks = ["0.0.0.0/0"]
...
112 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
load_balancer.tf:102
via load_balancer.tf:97-103 (egress)
via load_balancer.tf:1-112 (aws_security_group.tipstaff_lb_sc)
────────────────────────────────────────
1 resource "aws_security_group" "tipstaff_lb_sc" {
.
102 [ cidr_blocks = ["0.0.0.0/0"]
...
112 }
────────────────────────────────────────

CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
load_balancer.tf:64-78
via load_balancer.tf:60-79 (ingress)
via load_balancer.tf:1-112 (aws_security_group.tipstaff_lb_sc)
────────────────────────────────────────
1 resource "aws_security_group" "tipstaff_lb_sc" {
.
64 ┌ cidr_blocks = [
65 │ "20.26.11.71/32",
66 │ "20.26.11.108/32",
67 │ "20.49.214.199/32",
68 │ "20.49.214.228/32",
69 │ "51.149.249.0/29",
70 └ "51.149.249.32/29",
..
────────────────────────────────────────

CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
load_balancer.tf:27-56
via load_balancer.tf:23-57 (ingress)
via load_balancer.tf:1-112 (aws_security_group.tipstaff_lb_sc)
────────────────────────────────────────
1 resource "aws_security_group" "tipstaff_lb_sc" {
.
27 ┌ cidr_blocks = [
28 │ "178.248.34.44/32",
29 │ "194.33.192.0/25",
30 │ "195.59.75.0/24",
31 │ "178.248.34.45/32",
32 │ "201.33.21.5/32",
33 └ "178.248.34.46/32",
..
────────────────────────────────────────

rds.tf (terraform)
==================
Tests: 5 (SUCCESSES: 3, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 1, CRITICAL: 1)

HIGH: Instance does not have storage encryption enabled.
════════════════════════════════════════
Encryption should be enabled for an RDS Database instances.

When enabling encryption by setting the kms_key_id.

See https://avd.aquasec.com/misconfig/avd-aws-0080
────────────────────────────────────────
rds.tf:1-19
────────────────────────────────────────
1 ┌ resource "aws_db_instance" "tipstaff_db" {
2 │ count = local.is-development ? 0 : 1
3 │ allocated_storage = local.application_data.accounts[local.environment].allocated_storage
4 │ db_name = local.application_data.accounts[local.environment].db_name
5 │ storage_type = local.application_data.accounts[local.environment].storage_type
6 │ engine = local.application_data.accounts[local.environment].engine
7 │ identifier = local.application_data.accounts[local.environment].identifier
8 │ engine_version = local.application_data.accounts[local.environment].engine_version
9 └ instance_class = local.application_data.accounts[local.environment].instance_class
..
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
rds.tf:59
via rds.tf:54-60 (egress)
via rds.tf:26-61 (aws_security_group.postgresql_db_sc[0])
────────────────────────────────────────
26 resource "aws_security_group" "postgresql_db_sc" {
..
59 [ cidr_blocks = ["0.0.0.0/0"]
..
61 }
────────────────────────────────────────

trivy_exitcode=1

</details>

#### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/tipstaff

*****************************

Running Checkov in terraform/environments/tipstaff
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-09-13 15:10:20,031 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1:None (for external modules, the --download-external-modules flag is required)
2024-09-13 15:10:20,031 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 95, Failed checks: 53, Skipped checks: 0

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: bastion_linux
	File: /ec2_bastion_linux.tf:2-29
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		2  | module "bastion_linux" {
		3  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1"
		4  | 
		5  |   providers = {
		6  |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		7  |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		8  |   }
		9  |   # s3 - used for logs and user ssh public keys
		10 |   bucket_name = "bastion-example"
		11 |   # public keys
		12 |   public_key_data = local.public_key_data.keys[local.environment]
		13 |   # logs
		14 |   log_auto_clean       = "Enabled"
		15 |   log_standard_ia_days = 30  # days before moving to IA storage
		16 |   log_glacier_days     = 60  # days before moving to Glacier
		17 |   log_expiry_days      = 180 # days before log expiration
		18 |   # bastion
		19 |   allow_ssh_commands = false
		20 |   app_name           = var.networking[0].application
		21 |   business_unit      = local.vpc_name
		22 |   subnet_set         = local.subnet_set
		23 |   environment        = local.environment
		24 |   region             = "eu-west-2"
		25 | 
		26 |   # Tags
		27 |   tags_common = local.tags
		28 |   tags_prefix = terraform.workspace
		29 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: pagerduty_core_alerts_non_prod
	File: /ecs.tf:482-490
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		482 | module "pagerduty_core_alerts_non_prod" {
		483 |   count = local.is-preproduction ? 1 : 0
		484 |   depends_on = [
		485 |     aws_sns_topic.tipstaff_utilisation_alarm
		486 |   ]
		487 |   source                    = "github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0"
		488 |   sns_topics                = [aws_sns_topic.tipstaff_utilisation_alarm[0].name]
		489 |   pagerduty_integration_key = local.pagerduty_integration_keys["tipstaff_non_prod_alarms"]
		490 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: pagerduty_core_alerts_prod
	File: /ecs.tf:493-501
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		493 | module "pagerduty_core_alerts_prod" {
		494 |   count = local.is-production ? 1 : 0
		495 |   depends_on = [
		496 |     aws_sns_topic.tipstaff_utilisation_alarm
		497 |   ]
		498 |   source                    = "github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0"
		499 |   sns_topics                = [aws_sns_topic.tipstaff_utilisation_alarm[0].name]
		500 |   pagerduty_integration_key = local.pagerduty_integration_keys["tipstaff_prod_alarms"]
		501 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.deployment_logs
	File: /ecs.tf:9-12
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		9  | resource "aws_cloudwatch_log_group" "deployment_logs" {
		10 |   name              = "/aws/events/deploymentLogs"
		11 |   retention_in_days = "7"
		12 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.ecs_logs
	File: /ecs.tf:14-17
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		14 | resource "aws_cloudwatch_log_group" "ecs_logs" {
		15 |   name              = "tipstaff-ecs"
		16 |   retention_in_days = "7"
		17 | }

Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:263-283
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-288

		263 | resource "aws_iam_role_policy" "app_execution" {
		264 |   name = "execution-${var.networking[0].application}"
		265 |   role = aws_iam_role.app_execution.id
		266 | 
		267 |   policy = <<-EOF
		268 |   {
		269 |     "Version": "2012-10-17",
		270 |     "Statement": [
		271 |       {
		272 |            "Action": [
		273 |               "ecr:*",
		274 |               "logs:*",
		275 |               "secretsmanager:GetSecretValue"
		276 |            ],
		277 |            "Resource": "*",
		278 |            "Effect": "Allow"
		279 |       }
		280 |     ]
		281 |   }
		282 |   EOF
		283 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:263-283
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		263 | resource "aws_iam_role_policy" "app_execution" {
		264 |   name = "execution-${var.networking[0].application}"
		265 |   role = aws_iam_role.app_execution.id
		266 | 
		267 |   policy = <<-EOF
		268 |   {
		269 |     "Version": "2012-10-17",
		270 |     "Statement": [
		271 |       {
		272 |            "Action": [
		273 |               "ecr:*",
		274 |               "logs:*",
		275 |               "secretsmanager:GetSecretValue"
		276 |            ],
		277 |            "Resource": "*",
		278 |            "Effect": "Allow"
		279 |       }
		280 |     ]
		281 |   }
		282 |   EOF
		283 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:263-283
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		263 | resource "aws_iam_role_policy" "app_execution" {
		264 |   name = "execution-${var.networking[0].application}"
		265 |   role = aws_iam_role.app_execution.id
		266 | 
		267 |   policy = <<-EOF
		268 |   {
		269 |     "Version": "2012-10-17",
		270 |     "Statement": [
		271 |       {
		272 |            "Action": [
		273 |               "ecr:*",
		274 |               "logs:*",
		275 |               "secretsmanager:GetSecretValue"
		276 |            ],
		277 |            "Resource": "*",
		278 |            "Effect": "Allow"
		279 |       }
		280 |     ]
		281 |   }
		282 |   EOF
		283 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_role_policy.app_execution
	File: /ecs.tf:263-283
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		263 | resource "aws_iam_role_policy" "app_execution" {
		264 |   name = "execution-${var.networking[0].application}"
		265 |   role = aws_iam_role.app_execution.id
		266 | 
		267 |   policy = <<-EOF
		268 |   {
		269 |     "Version": "2012-10-17",
		270 |     "Statement": [
		271 |       {
		272 |            "Action": [
		273 |               "ecr:*",
		274 |               "logs:*",
		275 |               "secretsmanager:GetSecretValue"
		276 |            ],
		277 |            "Resource": "*",
		278 |            "Effect": "Allow"
		279 |       }
		280 |     ]
		281 |   }
		282 |   EOF
		283 | }

Check: CKV_AWS_286: "Ensure IAM policies does not allow privilege escalation"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:312-333
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-286

		312 | resource "aws_iam_role_policy" "app_task" {
		313 |   name = "task-${var.networking[0].application}"
		314 |   role = aws_iam_role.app_task.id
		315 | 
		316 |   policy = <<-EOF
		317 |   {
		318 |    "Version": "2012-10-17",
		319 |    "Statement": [
		320 |      {
		321 |        "Effect": "Allow",
		322 |         "Action": [
		323 |           "logs:*",
		324 |           "ecr:*",
		325 |           "iam:*",
		326 |           "ec2:*"
		327 |         ],
		328 |        "Resource": "*"
		329 |      }
		330 |    ]
		331 |   }
		332 |   EOF
		333 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:312-333
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		312 | resource "aws_iam_role_policy" "app_task" {
		313 |   name = "task-${var.networking[0].application}"
		314 |   role = aws_iam_role.app_task.id
		315 | 
		316 |   policy = <<-EOF
		317 |   {
		318 |    "Version": "2012-10-17",
		319 |    "Statement": [
		320 |      {
		321 |        "Effect": "Allow",
		322 |         "Action": [
		323 |           "logs:*",
		324 |           "ecr:*",
		325 |           "iam:*",
		326 |           "ec2:*"
		327 |         ],
		328 |        "Resource": "*"
		329 |      }
		330 |    ]
		331 |   }
		332 |   EOF
		333 | }

Check: CKV_AWS_287: "Ensure IAM policies does not allow credentials exposure"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:312-333
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-287

		312 | resource "aws_iam_role_policy" "app_task" {
		313 |   name = "task-${var.networking[0].application}"
		314 |   role = aws_iam_role.app_task.id
		315 | 
		316 |   policy = <<-EOF
		317 |   {
		318 |    "Version": "2012-10-17",
		319 |    "Statement": [
		320 |      {
		321 |        "Effect": "Allow",
		322 |         "Action": [
		323 |           "logs:*",
		324 |           "ecr:*",
		325 |           "iam:*",
		326 |           "ec2:*"
		327 |         ],
		328 |        "Resource": "*"
		329 |      }
		330 |    ]
		331 |   }
		332 |   EOF
		333 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:312-333
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		312 | resource "aws_iam_role_policy" "app_task" {
		313 |   name = "task-${var.networking[0].application}"
		314 |   role = aws_iam_role.app_task.id
		315 | 
		316 |   policy = <<-EOF
		317 |   {
		318 |    "Version": "2012-10-17",
		319 |    "Statement": [
		320 |      {
		321 |        "Effect": "Allow",
		322 |         "Action": [
		323 |           "logs:*",
		324 |           "ecr:*",
		325 |           "iam:*",
		326 |           "ec2:*"
		327 |         ],
		328 |        "Resource": "*"
		329 |      }
		330 |    ]
		331 |   }
		332 |   EOF
		333 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:312-333
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		312 | resource "aws_iam_role_policy" "app_task" {
		313 |   name = "task-${var.networking[0].application}"
		314 |   role = aws_iam_role.app_task.id
		315 | 
		316 |   policy = <<-EOF
		317 |   {
		318 |    "Version": "2012-10-17",
		319 |    "Statement": [
		320 |      {
		321 |        "Effect": "Allow",
		322 |         "Action": [
		323 |           "logs:*",
		324 |           "ecr:*",
		325 |           "iam:*",
		326 |           "ec2:*"
		327 |         ],
		328 |        "Resource": "*"
		329 |      }
		330 |    ]
		331 |   }
		332 |   EOF
		333 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.ecs_service
	File: /ecs.tf:335-353
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		335 | resource "aws_security_group" "ecs_service" {
		336 |   name_prefix = "ecs-service-sg-"
		337 |   vpc_id      = data.aws_vpc.shared.id
		338 | 
		339 |   ingress {
		340 |     from_port       = 80
		341 |     to_port         = 80
		342 |     protocol        = "tcp"
		343 |     description     = "Allow traffic on port 80 from load balancer"
		344 |     security_groups = [aws_security_group.tipstaff_lb_sc.id]
		345 |   }
		346 | 
		347 |   egress {
		348 |     from_port   = 0
		349 |     to_port     = 0
		350 |     protocol    = "-1"
		351 |     cidr_blocks = ["0.0.0.0/0"]
		352 |   }
		353 | }

Check: CKV_AWS_51: "Ensure ECR Image Tags are immutable"
	FAILED for resource: aws_ecr_repository.tipstaff_ecr_repo
	File: /ecs.tf:355-358
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-24

		355 | resource "aws_ecr_repository" "tipstaff_ecr_repo" {
		356 |   name         = "tipstaff-ecr-repo"
		357 |   force_delete = true
		358 | }

Check: CKV_AWS_163: "Ensure ECR image scanning on push is enabled"
	FAILED for resource: aws_ecr_repository.tipstaff_ecr_repo
	File: /ecs.tf:355-358
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-8

		355 | resource "aws_ecr_repository" "tipstaff_ecr_repo" {
		356 |   name         = "tipstaff-ecr-repo"
		357 |   force_delete = true
		358 | }

Check: CKV_AWS_136: "Ensure that ECR repositories are encrypted using KMS"
	FAILED for resource: aws_ecr_repository.tipstaff_ecr_repo
	File: /ecs.tf:355-358
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ecr-repositories-are-encrypted

		355 | resource "aws_ecr_repository" "tipstaff_ecr_repo" {
		356 |   name         = "tipstaff-ecr-repo"
		357 |   force_delete = true
		358 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.ddos_alarm
	File: /ecs.tf:454-457
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		454 | resource "aws_sns_topic" "ddos_alarm" {
		455 |   count = local.is-development ? 0 : 1
		456 |   name  = "tipstaff_ddos_alarm"
		457 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.tipstaff_utilisation_alarm
	File: /ecs.tf:459-462
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		459 | resource "aws_sns_topic" "tipstaff_utilisation_alarm" {
		460 |   count = local.is-development ? 0 : 1
		461 |   name  = "tipstaff_utilisation_alarm"
		462 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.tipstaff_lb_sc
	File: /load_balancer.tf:1-112
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		Code lines for this resource are too many. Please use IDE of your choice to review the file.

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.tipstaff_lb_sc_pingdom
	File: /load_balancer.tf:114-185
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		Code lines for this resource are too many. Please use IDE of your choice to review the file.

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.tipstaff_lb_sc_pingdom_2
	File: /load_balancer.tf:187-258
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		Code lines for this resource are too many. Please use IDE of your choice to review the file.

Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
	FAILED for resource: aws_lb.tipstaff_lb
	File: /load_balancer.tf:260-268
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-150

		260 | resource "aws_lb" "tipstaff_lb" {
		261 |   name                       = "tipstaff-load-balancer"
		262 |   load_balancer_type         = "application"
		263 |   security_groups            = [aws_security_group.tipstaff_lb_sc.id, aws_security_group.tipstaff_lb_sc_pingdom.id, aws_security_group.tipstaff_lb_sc_pingdom_2.id]
		264 |   subnets                    = data.aws_subnets.shared-public.ids
		265 |   enable_deletion_protection = false
		266 |   internal                   = false
		267 |   depends_on                 = [aws_security_group.tipstaff_lb_sc]
		268 | }

Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
	FAILED for resource: aws_lb.tipstaff_lb
	File: /load_balancer.tf:260-268
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers

		260 | resource "aws_lb" "tipstaff_lb" {
		261 |   name                       = "tipstaff-load-balancer"
		262 |   load_balancer_type         = "application"
		263 |   security_groups            = [aws_security_group.tipstaff_lb_sc.id, aws_security_group.tipstaff_lb_sc_pingdom.id, aws_security_group.tipstaff_lb_sc_pingdom_2.id]
		264 |   subnets                    = data.aws_subnets.shared-public.ids
		265 |   enable_deletion_protection = false
		266 |   internal                   = false
		267 |   depends_on                 = [aws_security_group.tipstaff_lb_sc]
		268 | }

Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
	FAILED for resource: aws_lb.tipstaff_lb
	File: /load_balancer.tf:260-268
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22

		260 | resource "aws_lb" "tipstaff_lb" {
		261 |   name                       = "tipstaff-load-balancer"
		262 |   load_balancer_type         = "application"
		263 |   security_groups            = [aws_security_group.tipstaff_lb_sc.id, aws_security_group.tipstaff_lb_sc_pingdom.id, aws_security_group.tipstaff_lb_sc_pingdom_2.id]
		264 |   subnets                    = data.aws_subnets.shared-public.ids
		265 |   enable_deletion_protection = false
		266 |   internal                   = false
		267 |   depends_on                 = [aws_security_group.tipstaff_lb_sc]
		268 | }

Check: CKV_AWS_261: "Ensure HTTP HTTPS Target group defines Healthcheck"
	FAILED for resource: aws_lb_target_group.tipstaff_target_group
	File: /load_balancer.tf:270-292
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-kendra-index-server-side-encryption-uses-customer-managed-keys-cmks

		270 | resource "aws_lb_target_group" "tipstaff_target_group" {
		271 |   name                 = "tipstaff-target-group"
		272 |   port                 = 80
		273 |   protocol             = "HTTP"
		274 |   vpc_id               = data.aws_vpc.shared.id
		275 |   target_type          = "ip"
		276 |   deregistration_delay = 30
		277 | 
		278 |   stickiness {
		279 |     type = "lb_cookie"
		280 |   }
		281 | 
		282 |   health_check {
		283 |     healthy_threshold   = "3"
		284 |     interval            = "30"
		285 |     protocol            = "HTTP"
		286 |     port                = "80"
		287 |     unhealthy_threshold = "5"
		288 |     matcher             = "200-302"
		289 |     timeout             = "10"
		290 |   }
		291 | 
		292 | }

Check: CKV_AWS_2: "Ensure ALB protocol is HTTPS"
	FAILED for resource: aws_lb_listener.tipstaff_lb
	File: /load_balancer.tf:294-308
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-29

		294 | resource "aws_lb_listener" "tipstaff_lb" {
		295 |   depends_on = [
		296 |     aws_acm_certificate.external
		297 |   ]
		298 |   certificate_arn   = local.is-production ? aws_acm_certificate.external_prod[0].arn : aws_acm_certificate.external.arn
		299 |   load_balancer_arn = aws_lb.tipstaff_lb.arn
		300 |   port              = local.application_data.accounts[local.environment].server_port_2
		301 |   protocol          = local.application_data.accounts[local.environment].lb_listener_protocol_2
		302 |   ssl_policy        = local.application_data.accounts[local.environment].lb_listener_protocol_2 == "HTTP" ? "" : "ELBSecurityPolicy-TLS13-1-2-2021-06"
		303 | 
		304 |   default_action {
		305 |     type             = "forward"
		306 |     target_group_arn = aws_lb_target_group.tipstaff_target_group.arn
		307 |   }
		308 | }

Check: CKV_AWS_226: "Ensure DB instance gets all minor upgrades automatically"
	FAILED for resource: aws_db_instance.tipstaff_db
	File: /rds.tf:1-19
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-db-instance-gets-all-minor-upgrades-automatically

		1  | resource "aws_db_instance" "tipstaff_db" {
		2  |   count                       = local.is-development ? 0 : 1
		3  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		4  |   db_name                     = local.application_data.accounts[local.environment].db_name
		5  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		6  |   engine                      = local.application_data.accounts[local.environment].engine
		7  |   identifier                  = local.application_data.accounts[local.environment].identifier
		8  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		9  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		10 |   username                    = local.application_data.accounts[local.environment].db_username
		11 |   password                    = random_password.password.result
		12 |   skip_final_snapshot         = true
		13 |   publicly_accessible         = false
		14 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc[0].id]
		15 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		16 |   allow_major_version_upgrade = true
		17 |   ca_cert_identifier          = "rds-ca-rsa2048-g1"
		18 |   apply_immediately           = true
		19 | }

Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
	FAILED for resource: aws_db_instance.tipstaff_db
	File: /rds.tf:1-19
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-73

		1  | resource "aws_db_instance" "tipstaff_db" {
		2  |   count                       = local.is-development ? 0 : 1
		3  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		4  |   db_name                     = local.application_data.accounts[local.environment].db_name
		5  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		6  |   engine                      = local.application_data.accounts[local.environment].engine
		7  |   identifier                  = local.application_data.accounts[local.environment].identifier
		8  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		9  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		10 |   username                    = local.application_data.accounts[local.environment].db_username
		11 |   password                    = random_password.password.result
		12 |   skip_final_snapshot         = true
		13 |   publicly_accessible         = false
		14 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc[0].id]
		15 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		16 |   allow_major_version_upgrade = true
		17 |   ca_cert_identifier          = "rds-ca-rsa2048-g1"
		18 |   apply_immediately           = true
		19 | }

Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
	FAILED for resource: aws_db_instance.tipstaff_db
	File: /rds.tf:1-19
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances

		1  | resource "aws_db_instance" "tipstaff_db" {
		2  |   count                       = local.is-development ? 0 : 1
		3  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		4  |   db_name                     = local.application_data.accounts[local.environment].db_name
		5  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		6  |   engine                      = local.application_data.accounts[local.environment].engine
		7  |   identifier                  = local.application_data.accounts[local.environment].identifier
		8  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		9  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		10 |   username                    = local.application_data.accounts[local.environment].db_username
		11 |   password                    = random_password.password.result
		12 |   skip_final_snapshot         = true
		13 |   publicly_accessible         = false
		14 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc[0].id]
		15 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		16 |   allow_major_version_upgrade = true
		17 |   ca_cert_identifier          = "rds-ca-rsa2048-g1"
		18 |   apply_immediately           = true
		19 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: aws_db_instance.tipstaff_db
	File: /rds.tf:1-19
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-354

		1  | resource "aws_db_instance" "tipstaff_db" {
		2  |   count                       = local.is-development ? 0 : 1
		3  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		4  |   db_name                     = local.application_data.accounts[local.environment].db_name
		5  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		6  |   engine                      = local.application_data.accounts[local.environment].engine
		7  |   identifier                  = local.application_data.accounts[local.environment].identifier
		8  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		9  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		10 |   username                    = local.application_data.accounts[local.environment].db_username
		11 |   password                    = random_password.password.result
		12 |   skip_final_snapshot         = true
		13 |   publicly_accessible         = false
		14 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc[0].id]
		15 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		16 |   allow_major_version_upgrade = true
		17 |   ca_cert_identifier          = "rds-ca-rsa2048-g1"
		18 |   apply_immediately           = true
		19 | }

Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
	FAILED for resource: aws_db_instance.tipstaff_db
	File: /rds.tf:1-19
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-353

		1  | resource "aws_db_instance" "tipstaff_db" {
		2  |   count                       = local.is-development ? 0 : 1
		3  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		4  |   db_name                     = local.application_data.accounts[local.environment].db_name
		5  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		6  |   engine                      = local.application_data.accounts[local.environment].engine
		7  |   identifier                  = local.application_data.accounts[local.environment].identifier
		8  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		9  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		10 |   username                    = local.application_data.accounts[local.environment].db_username
		11 |   password                    = random_password.password.result
		12 |   skip_final_snapshot         = true
		13 |   publicly_accessible         = false
		14 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc[0].id]
		15 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		16 |   allow_major_version_upgrade = true
		17 |   ca_cert_identifier          = "rds-ca-rsa2048-g1"
		18 |   apply_immediately           = true
		19 | }

Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
	FAILED for resource: aws_db_instance.tipstaff_db
	File: /rds.tf:1-19
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-293

		1  | resource "aws_db_instance" "tipstaff_db" {
		2  |   count                       = local.is-development ? 0 : 1
		3  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		4  |   db_name                     = local.application_data.accounts[local.environment].db_name
		5  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		6  |   engine                      = local.application_data.accounts[local.environment].engine
		7  |   identifier                  = local.application_data.accounts[local.environment].identifier
		8  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		9  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		10 |   username                    = local.application_data.accounts[local.environment].db_username
		11 |   password                    = random_password.password.result
		12 |   skip_final_snapshot         = true
		13 |   publicly_accessible         = false
		14 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc[0].id]
		15 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		16 |   allow_major_version_upgrade = true
		17 |   ca_cert_identifier          = "rds-ca-rsa2048-g1"
		18 |   apply_immediately           = true
		19 | }

Check: CKV_AWS_16: "Ensure all data stored in the RDS is securely encrypted at rest"
	FAILED for resource: aws_db_instance.tipstaff_db
	File: /rds.tf:1-19
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-4

		1  | resource "aws_db_instance" "tipstaff_db" {
		2  |   count                       = local.is-development ? 0 : 1
		3  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		4  |   db_name                     = local.application_data.accounts[local.environment].db_name
		5  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		6  |   engine                      = local.application_data.accounts[local.environment].engine
		7  |   identifier                  = local.application_data.accounts[local.environment].identifier
		8  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		9  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		10 |   username                    = local.application_data.accounts[local.environment].db_username
		11 |   password                    = random_password.password.result
		12 |   skip_final_snapshot         = true
		13 |   publicly_accessible         = false
		14 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc[0].id]
		15 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		16 |   allow_major_version_upgrade = true
		17 |   ca_cert_identifier          = "rds-ca-rsa2048-g1"
		18 |   apply_immediately           = true
		19 | }

Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
	FAILED for resource: aws_db_instance.tipstaff_db
	File: /rds.tf:1-19
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled

		1  | resource "aws_db_instance" "tipstaff_db" {
		2  |   count                       = local.is-development ? 0 : 1
		3  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		4  |   db_name                     = local.application_data.accounts[local.environment].db_name
		5  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		6  |   engine                      = local.application_data.accounts[local.environment].engine
		7  |   identifier                  = local.application_data.accounts[local.environment].identifier
		8  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		9  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		10 |   username                    = local.application_data.accounts[local.environment].db_username
		11 |   password                    = random_password.password.result
		12 |   skip_final_snapshot         = true
		13 |   publicly_accessible         = false
		14 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc[0].id]
		15 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		16 |   allow_major_version_upgrade = true
		17 |   ca_cert_identifier          = "rds-ca-rsa2048-g1"
		18 |   apply_immediately           = true
		19 | }

Check: CKV_AWS_226: "Ensure DB instance gets all minor upgrades automatically"
	FAILED for resource: aws_db_instance.tipstaff_db_dev
	File: /rds.tf:64-80
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-db-instance-gets-all-minor-upgrades-automatically

		64 | resource "aws_db_instance" "tipstaff_db_dev" {
		65 |   count                       = local.is-development ? 1 : 0
		66 |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		67 |   db_name                     = local.application_data.accounts[local.environment].db_name
		68 |   storage_type                = local.application_data.accounts[local.environment].storage_type
		69 |   engine                      = local.application_data.accounts[local.environment].engine
		70 |   identifier                  = local.application_data.accounts[local.environment].identifier
		71 |   engine_version              = local.application_data.accounts[local.environment].engine_version
		72 |   instance_class              = local.application_data.accounts[local.environment].instance_class
		73 |   username                    = local.application_data.accounts[local.environment].db_username
		74 |   password                    = random_password.password.result
		75 |   skip_final_snapshot         = true
		76 |   publicly_accessible         = true
		77 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc_dev[0].id]
		78 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		79 |   allow_major_version_upgrade = true
		80 | }

Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
	FAILED for resource: aws_db_instance.tipstaff_db_dev
	File: /rds.tf:64-80
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-73

		64 | resource "aws_db_instance" "tipstaff_db_dev" {
		65 |   count                       = local.is-development ? 1 : 0
		66 |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		67 |   db_name                     = local.application_data.accounts[local.environment].db_name
		68 |   storage_type                = local.application_data.accounts[local.environment].storage_type
		69 |   engine                      = local.application_data.accounts[local.environment].engine
		70 |   identifier                  = local.application_data.accounts[local.environment].identifier
		71 |   engine_version              = local.application_data.accounts[local.environment].engine_version
		72 |   instance_class              = local.application_data.accounts[local.environment].instance_class
		73 |   username                    = local.application_data.accounts[local.environment].db_username
		74 |   password                    = random_password.password.result
		75 |   skip_final_snapshot         = true
		76 |   publicly_accessible         = true
		77 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc_dev[0].id]
		78 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		79 |   allow_major_version_upgrade = true
		80 | }

Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
	FAILED for resource: aws_db_instance.tipstaff_db_dev
	File: /rds.tf:64-80
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances

		64 | resource "aws_db_instance" "tipstaff_db_dev" {
		65 |   count                       = local.is-development ? 1 : 0
		66 |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		67 |   db_name                     = local.application_data.accounts[local.environment].db_name
		68 |   storage_type                = local.application_data.accounts[local.environment].storage_type
		69 |   engine                      = local.application_data.accounts[local.environment].engine
		70 |   identifier                  = local.application_data.accounts[local.environment].identifier
		71 |   engine_version              = local.application_data.accounts[local.environment].engine_version
		72 |   instance_class              = local.application_data.accounts[local.environment].instance_class
		73 |   username                    = local.application_data.accounts[local.environment].db_username
		74 |   password                    = random_password.password.result
		75 |   skip_final_snapshot         = true
		76 |   publicly_accessible         = true
		77 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc_dev[0].id]
		78 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		79 |   allow_major_version_upgrade = true
		80 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: aws_db_instance.tipstaff_db_dev
	File: /rds.tf:64-80
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-354

		64 | resource "aws_db_instance" "tipstaff_db_dev" {
		65 |   count                       = local.is-development ? 1 : 0
		66 |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		67 |   db_name                     = local.application_data.accounts[local.environment].db_name
		68 |   storage_type                = local.application_data.accounts[local.environment].storage_type
		69 |   engine                      = local.application_data.accounts[local.environment].engine
		70 |   identifier                  = local.application_data.accounts[local.environment].identifier
		71 |   engine_version              = local.application_data.accounts[local.environment].engine_version
		72 |   instance_class              = local.application_data.accounts[local.environment].instance_class
		73 |   username                    = local.application_data.accounts[local.environment].db_username
		74 |   password                    = random_password.password.result
		75 |   skip_final_snapshot         = true
		76 |   publicly_accessible         = true
		77 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc_dev[0].id]
		78 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		79 |   allow_major_version_upgrade = true
		80 | }

Check: CKV_AWS_17: "Ensure all data stored in RDS is not publicly accessible"
	FAILED for resource: aws_db_instance.tipstaff_db_dev
	File: /rds.tf:64-80
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/public-policies/public-2

		64 | resource "aws_db_instance" "tipstaff_db_dev" {
		65 |   count                       = local.is-development ? 1 : 0
		66 |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		67 |   db_name                     = local.application_data.accounts[local.environment].db_name
		68 |   storage_type                = local.application_data.accounts[local.environment].storage_type
		69 |   engine                      = local.application_data.accounts[local.environment].engine
		70 |   identifier                  = local.application_data.accounts[local.environment].identifier
		71 |   engine_version              = local.application_data.accounts[local.environment].engine_version
		72 |   instance_class              = local.application_data.accounts[local.environment].instance_class
		73 |   username                    = local.application_data.accounts[local.environment].db_username
		74 |   password                    = random_password.password.result
		75 |   skip_final_snapshot         = true
		76 |   publicly_accessible         = true
		77 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc_dev[0].id]
		78 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		79 |   allow_major_version_upgrade = true
		80 | }

Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
	FAILED for resource: aws_db_instance.tipstaff_db_dev
	File: /rds.tf:64-80
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-353

		64 | resource "aws_db_instance" "tipstaff_db_dev" {
		65 |   count                       = local.is-development ? 1 : 0
		66 |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		67 |   db_name                     = local.application_data.accounts[local.environment].db_name
		68 |   storage_type                = local.application_data.accounts[local.environment].storage_type
		69 |   engine                      = local.application_data.accounts[local.environment].engine
		70 |   identifier                  = local.application_data.accounts[local.environment].identifier
		71 |   engine_version              = local.application_data.accounts[local.environment].engine_version
		72 |   instance_class              = local.application_data.accounts[local.environment].instance_class
		73 |   username                    = local.application_data.accounts[local.environment].db_username
		74 |   password                    = random_password.password.result
		75 |   skip_final_snapshot         = true
		76 |   publicly_accessible         = true
		77 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc_dev[0].id]
		78 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		79 |   allow_major_version_upgrade = true
		80 | }

Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
	FAILED for resource: aws_db_instance.tipstaff_db_dev
	File: /rds.tf:64-80
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-293

		64 | resource "aws_db_instance" "tipstaff_db_dev" {
		65 |   count                       = local.is-development ? 1 : 0
		66 |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		67 |   db_name                     = local.application_data.accounts[local.environment].db_name
		68 |   storage_type                = local.application_data.accounts[local.environment].storage_type
		69 |   engine                      = local.application_data.accounts[local.environment].engine
		70 |   identifier                  = local.application_data.accounts[local.environment].identifier
		71 |   engine_version              = local.application_data.accounts[local.environment].engine_version
		72 |   instance_class              = local.application_data.accounts[local.environment].instance_class
		73 |   username                    = local.application_data.accounts[local.environment].db_username
		74 |   password                    = random_password.password.result
		75 |   skip_final_snapshot         = true
		76 |   publicly_accessible         = true
		77 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc_dev[0].id]
		78 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		79 |   allow_major_version_upgrade = true
		80 | }

Check: CKV_AWS_16: "Ensure all data stored in the RDS is securely encrypted at rest"
	FAILED for resource: aws_db_instance.tipstaff_db_dev
	File: /rds.tf:64-80
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-4

		64 | resource "aws_db_instance" "tipstaff_db_dev" {
		65 |   count                       = local.is-development ? 1 : 0
		66 |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		67 |   db_name                     = local.application_data.accounts[local.environment].db_name
		68 |   storage_type                = local.application_data.accounts[local.environment].storage_type
		69 |   engine                      = local.application_data.accounts[local.environment].engine
		70 |   identifier                  = local.application_data.accounts[local.environment].identifier
		71 |   engine_version              = local.application_data.accounts[local.environment].engine_version
		72 |   instance_class              = local.application_data.accounts[local.environment].instance_class
		73 |   username                    = local.application_data.accounts[local.environment].db_username
		74 |   password                    = random_password.password.result
		75 |   skip_final_snapshot         = true
		76 |   publicly_accessible         = true
		77 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc_dev[0].id]
		78 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		79 |   allow_major_version_upgrade = true
		80 | }

Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
	FAILED for resource: aws_db_instance.tipstaff_db_dev
	File: /rds.tf:64-80
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled

		64 | resource "aws_db_instance" "tipstaff_db_dev" {
		65 |   count                       = local.is-development ? 1 : 0
		66 |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		67 |   db_name                     = local.application_data.accounts[local.environment].db_name
		68 |   storage_type                = local.application_data.accounts[local.environment].storage_type
		69 |   engine                      = local.application_data.accounts[local.environment].engine
		70 |   identifier                  = local.application_data.accounts[local.environment].identifier
		71 |   engine_version              = local.application_data.accounts[local.environment].engine_version
		72 |   instance_class              = local.application_data.accounts[local.environment].instance_class
		73 |   username                    = local.application_data.accounts[local.environment].db_username
		74 |   password                    = random_password.password.result
		75 |   skip_final_snapshot         = true
		76 |   publicly_accessible         = true
		77 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc_dev[0].id]
		78 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		79 |   allow_major_version_upgrade = true
		80 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.rds_db_credentials
	File: /secrets.tf:12-15
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		12 | resource "aws_secretsmanager_secret" "rds_db_credentials" {
		13 |   name                    = "rds-password"
		14 |   recovery_window_in_days = 0
		15 | }

Check: CKV_AWS_192: "Ensure WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell"
	FAILED for resource: aws_wafv2_web_acl.tipstaff_web_acl
	File: /waf.tf:1-42
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-waf-prevents-message-lookup-in-log4j2

		1  | resource "aws_wafv2_web_acl" "tipstaff_web_acl" {
		2  |   name  = "tipstaff-web-acl"
		3  |   scope = "REGIONAL"
		4  | 
		5  |   default_action {
		6  |     allow {}
		7  |   }
		8  | 
		9  |   rule {
		10 |     name     = "common-rule-set"
		11 |     priority = 1
		12 | 
		13 |     override_action {
		14 |       none {}
		15 |     }
		16 | 
		17 |     statement {
		18 |       managed_rule_group_statement {
		19 |         name        = "AWSManagedRulesCommonRuleSet"
		20 |         vendor_name = "AWS"
		21 |         rule_action_override {
		22 |           action_to_use {
		23 |             allow {}
		24 |           }
		25 |           name = "SizeRestrictions_BODY"
		26 |         }
		27 |       }
		28 |     }
		29 | 
		30 |     visibility_config {
		31 |       cloudwatch_metrics_enabled = true
		32 |       metric_name                = "AWSManagedRulesCommonRuleSetMetrics"
		33 |       sampled_requests_enabled   = true
		34 |     }
		35 |   }
		36 | 
		37 |   visibility_config {
		38 |     cloudwatch_metrics_enabled = true
		39 |     metric_name                = "tipstaff-web-acl"
		40 |     sampled_requests_enabled   = true
		41 |   }
		42 | }

Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
	FAILED for resource: aws_db_instance.tipstaff_db
	File: /rds.tf:1-19
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-60

		1  | resource "aws_db_instance" "tipstaff_db" {
		2  |   count                       = local.is-development ? 0 : 1
		3  |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		4  |   db_name                     = local.application_data.accounts[local.environment].db_name
		5  |   storage_type                = local.application_data.accounts[local.environment].storage_type
		6  |   engine                      = local.application_data.accounts[local.environment].engine
		7  |   identifier                  = local.application_data.accounts[local.environment].identifier
		8  |   engine_version              = local.application_data.accounts[local.environment].engine_version
		9  |   instance_class              = local.application_data.accounts[local.environment].instance_class
		10 |   username                    = local.application_data.accounts[local.environment].db_username
		11 |   password                    = random_password.password.result
		12 |   skip_final_snapshot         = true
		13 |   publicly_accessible         = false
		14 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc[0].id]
		15 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		16 |   allow_major_version_upgrade = true
		17 |   ca_cert_identifier          = "rds-ca-rsa2048-g1"
		18 |   apply_immediately           = true
		19 | }

Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
	FAILED for resource: aws_db_instance.tipstaff_db_dev
	File: /rds.tf:64-80
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-60

		64 | resource "aws_db_instance" "tipstaff_db_dev" {
		65 |   count                       = local.is-development ? 1 : 0
		66 |   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
		67 |   db_name                     = local.application_data.accounts[local.environment].db_name
		68 |   storage_type                = local.application_data.accounts[local.environment].storage_type
		69 |   engine                      = local.application_data.accounts[local.environment].engine
		70 |   identifier                  = local.application_data.accounts[local.environment].identifier
		71 |   engine_version              = local.application_data.accounts[local.environment].engine_version
		72 |   instance_class              = local.application_data.accounts[local.environment].instance_class
		73 |   username                    = local.application_data.accounts[local.environment].db_username
		74 |   password                    = random_password.password.result
		75 |   skip_final_snapshot         = true
		76 |   publicly_accessible         = true
		77 |   vpc_security_group_ids      = [aws_security_group.postgresql_db_sc_dev[0].id]
		78 |   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
		79 |   allow_major_version_upgrade = true
		80 | }

Check: CKV2_AWS_31: "Ensure WAF2 has a Logging Configuration"
	FAILED for resource: aws_wafv2_web_acl.tipstaff_web_acl
	File: /waf.tf:1-42
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-33

		1  | resource "aws_wafv2_web_acl" "tipstaff_web_acl" {
		2  |   name  = "tipstaff-web-acl"
		3  |   scope = "REGIONAL"
		4  | 
		5  |   default_action {
		6  |     allow {}
		7  |   }
		8  | 
		9  |   rule {
		10 |     name     = "common-rule-set"
		11 |     priority = 1
		12 | 
		13 |     override_action {
		14 |       none {}
		15 |     }
		16 | 
		17 |     statement {
		18 |       managed_rule_group_statement {
		19 |         name        = "AWSManagedRulesCommonRuleSet"
		20 |         vendor_name = "AWS"
		21 |         rule_action_override {
		22 |           action_to_use {
		23 |             allow {}
		24 |           }
		25 |           name = "SizeRestrictions_BODY"
		26 |         }
		27 |       }
		28 |     }
		29 | 
		30 |     visibility_config {
		31 |       cloudwatch_metrics_enabled = true
		32 |       metric_name                = "AWSManagedRulesCommonRuleSetMetrics"
		33 |       sampled_requests_enabled   = true
		34 |     }
		35 |   }
		36 | 
		37 |   visibility_config {
		38 |     cloudwatch_metrics_enabled = true
		39 |     metric_name                = "tipstaff-web-acl"
		40 |     sampled_requests_enabled   = true
		41 |   }
		42 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.rds_db_credentials
	File: /secrets.tf:12-15
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		12 | resource "aws_secretsmanager_secret" "rds_db_credentials" {
		13 |   name                    = "rds-password"
		14 |   recovery_window_in_days = 0
		15 | }

Check: CKV_AWS_103: "Ensure that load balancer is using at least TLS 1.2"
	FAILED for resource: aws_lb_listener.tipstaff_lb
	File: /load_balancer.tf:294-308
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-43

		294 | resource "aws_lb_listener" "tipstaff_lb" {
		295 |   depends_on = [
		296 |     aws_acm_certificate.external
		297 |   ]
		298 |   certificate_arn   = local.is-production ? aws_acm_certificate.external_prod[0].arn : aws_acm_certificate.external.arn
		299 |   load_balancer_arn = aws_lb.tipstaff_lb.arn
		300 |   port              = local.application_data.accounts[local.environment].server_port_2
		301 |   protocol          = local.application_data.accounts[local.environment].lb_listener_protocol_2
		302 |   ssl_policy        = local.application_data.accounts[local.environment].lb_listener_protocol_2 == "HTTP" ? "" : "ELBSecurityPolicy-TLS13-1-2-2021-06"
		303 | 
		304 |   default_action {
		305 |     type             = "forward"
		306 |     target_group_arn = aws_lb_target_group.tipstaff_target_group.arn
		307 |   }
		308 | }

Check: CKV2_AWS_40: "Ensure AWS IAM policy does not allow full IAM privileges"
	FAILED for resource: aws_iam_role_policy.app_task
	File: /ecs.tf:312-333
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-2-40

		312 | resource "aws_iam_role_policy" "app_task" {
		313 |   name = "task-${var.networking[0].application}"
		314 |   role = aws_iam_role.app_task.id
		315 | 
		316 |   policy = <<-EOF
		317 |   {
		318 |    "Version": "2012-10-17",
		319 |    "Statement": [
		320 |      {
		321 |        "Effect": "Allow",
		322 |         "Action": [
		323 |           "logs:*",
		324 |           "ecr:*",
		325 |           "iam:*",
		326 |           "ec2:*"
		327 |         ],
		328 |        "Resource": "*"
		329 |      }
		330 |    ]
		331 |   }
		332 |   EOF
		333 | }


checkov_exitcode=1

CTFLint Scan Failed

*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
terraform/environments/tipstaff

*****************************

Running tflint in terraform/environments/tipstaff
Excluding the following checks: terraform_unused_declarations
21 issue(s) found:

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/tipstaff/ecs.tf line 54:
  54:           value = "${aws_db_instance.tipstaff_db[0].address}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/tipstaff/ecs.tf line 58:
  58:           value = "${local.application_data.accounts[local.environment].rds_port}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/tipstaff/ecs.tf line 62:
  62:           value = "${aws_db_instance.tipstaff_db[0].username}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/tipstaff/ecs.tf line 66:
  66:           value = "${aws_db_instance.tipstaff_db[0].password}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/tipstaff/ecs.tf line 70:
  70:           value = "${aws_db_instance.tipstaff_db[0].db_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/tipstaff/ecs.tf line 74:
  74:           value = "${local.application_data.accounts[local.environment].support_email}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/tipstaff/ecs.tf line 78:
  78:           value = "${local.application_data.accounts[local.environment].support_team}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/tipstaff/ecs.tf line 82:
  82:           value = "${local.application_data.accounts[local.environment].curserver}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/tipstaff/ecs.tf line 86:
  86:           value = "${local.application_data.accounts[local.environment].client_id}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/tipstaff/ecs.tf line 133:
 133:           value = "${aws_db_instance.tipstaff_db_dev[0].address}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/tipstaff/ecs.tf line 137:
 137:           value = "${local.application_data.accounts[local.environment].rds_port}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/tipstaff/ecs.tf line 141:
 141:           value = "${aws_db_instance.tipstaff_db_dev[0].username}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/tipstaff/ecs.tf line 145:
 145:           value = "${aws_db_instance.tipstaff_db_dev[0].password}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/tipstaff/ecs.tf line 149:
 149:           value = "${aws_db_instance.tipstaff_db_dev[0].db_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/tipstaff/ecs.tf line 153:
 153:           value = "${local.application_data.accounts[local.environment].support_email}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/tipstaff/ecs.tf line 157:
 157:           value = "${local.application_data.accounts[local.environment].support_team}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/tipstaff/ecs.tf line 161:
 161:           value = "${local.application_data.accounts[local.environment].curserver}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/tipstaff/ecs.tf line 165:
 165:           value = "${local.application_data.accounts[local.environment].client_id}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/tipstaff/rds.tf line 140:
 140:     always_run = "${timestamp()}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "random" in `required_providers` (terraform_required_providers)

  on terraform/environments/tipstaff/secrets.tf line 3:
   3: resource "random_password" "password" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/tipstaff/secrets.tf line 19:
  19:   secret_string = jsonencode({ "TIPSTAFF_DB_PASSWORD" : "${random_password.password.result}" })

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_deprecated_interpolation.md

tflint_exitcode=2

Trivy Scan Failed

*****************************

Trivy will check the following folders:
terraform/environments/tipstaff

*****************************

Running Trivy in terraform/environments/tipstaff
2024-09-13T15:10:08Z	INFO	[db] Need to update DB
2024-09-13T15:10:08Z	INFO	[db] Downloading DB...	repository="ghcr.io/aquasecurity/trivy-db:2"
2024-09-13T15:10:10Z	INFO	[vuln] Vulnerability scanning is enabled
2024-09-13T15:10:10Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-09-13T15:10:10Z	INFO	Need to update the built-in policies
2024-09-13T15:10:10Z	INFO	Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-09-13T15:10:10Z	INFO	[secret] Secret scanning is enabled
2024-09-13T15:10:10Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-09-13T15:10:10Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.55/docs/scanner/secret#recommendation for faster secret detection
2024-09-13T15:10:16Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-09-13T15:10:16Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2024-09-13T15:10:17Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2024-09-13T15:10:17Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2024-09-13T15:10:17Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.dynamic.tag" value="cty.NilVal"
2024-09-13T15:10:17Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.dynamic.tag" value="cty.NilVal"
2024-09-13T15:10:17Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-09-13T15:10:17Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-09-13T15:10:17Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-09-13T15:10:17Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-09-13T15:10:17Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-09-13T15:10:17Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-09-13T15:10:17Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-09-13T15:10:17Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-09-13T15:10:17Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-09-13T15:10:17Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-09-13T15:10:17Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-09-13T15:10:17Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-09-13T15:10:17Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf:283-325"
2024-09-13T15:10:17Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf:283-325"
2024-09-13T15:10:17Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf:283-325"
2024-09-13T15:10:17Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf:283-325"
2024-09-13T15:10:17Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf:283-325"
2024-09-13T15:10:17Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf:283-325"
2024-09-13T15:10:17Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf:283-325"
2024-09-13T15:10:17Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf:283-325"
2024-09-13T15:10:17Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf:283-325"
2024-09-13T15:10:17Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf:344-362"
2024-09-13T15:10:17Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-policy-wildcards" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/main.tf:344-362"
2024-09-13T15:10:17Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-enable-bucket-encryption" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:18-29"
2024-09-13T15:10:17Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-enable-versioning" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:18-29"
2024-09-13T15:10:17Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2024-09-13T15:10:17Z	INFO	Number of language-specific files	num=0
2024-09-13T15:10:17Z	INFO	Detected config files	num=7

ecs.tf (terraform)
==================
Tests: 13 (SUCCESSES: 3, FAILURES: 4, EXCEPTIONS: 6)
Failures: 4 (HIGH: 3, CRITICAL: 1)

HIGH: Image scanning is not enabled.
════════════════════════════════════════
Repository image scans should be enabled to ensure vulnerable software can be discovered and remediated as soon as possible.

See https://avd.aquasec.com/misconfig/avd-aws-0030
────────────────────────────────────────
 ecs.tf:355-358
────────────────────────────────────────
 355 ┌ resource "aws_ecr_repository" "tipstaff_ecr_repo" {
 356 │   name         = "tipstaff-ecr-repo"
 357 │   force_delete = true
 358 └ }
────────────────────────────────────────


HIGH: Topic does not have encryption enabled.
════════════════════════════════════════
Topics should be encrypted to protect their contents.

See https://avd.aquasec.com/misconfig/avd-aws-0095
────────────────────────────────────────
 ecs.tf:454-457
────────────────────────────────────────
 454 ┌ resource "aws_sns_topic" "ddos_alarm" {
 455 │   count = local.is-development ? 0 : 1
 456 │   name  = "tipstaff_ddos_alarm"
 457 └ }
────────────────────────────────────────


HIGH: Topic does not have encryption enabled.
════════════════════════════════════════
Topics should be encrypted to protect their contents.

See https://avd.aquasec.com/misconfig/avd-aws-0095
────────────────────────────────────────
 ecs.tf:459-462
────────────────────────────────────────
 459 ┌ resource "aws_sns_topic" "tipstaff_utilisation_alarm" {
 460 │   count = local.is-development ? 0 : 1
 461 │   name  = "tipstaff_utilisation_alarm"
 462 └ }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 ecs.tf:351
   via ecs.tf:347-352 (egress)
    via ecs.tf:335-353 (aws_security_group.ecs_service)
────────────────────────────────────────
 335   resource "aws_security_group" "ecs_service" {
 ...   
 351 [     cidr_blocks = ["0.0.0.0/0"]
 ...   
 353   }
────────────────────────────────────────



load_balancer.tf (terraform)
============================
Tests: 13 (SUCCESSES: 7, FAILURES: 6, EXCEPTIONS: 0)
Failures: 6 (HIGH: 2, CRITICAL: 4)

HIGH: Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.

By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.

See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
 load_balancer.tf:260-268
────────────────────────────────────────
 260 ┌ resource "aws_lb" "tipstaff_lb" {
 261 │   name                       = "tipstaff-load-balancer"
 262 │   load_balancer_type         = "application"
 263 │   security_groups            = [aws_security_group.tipstaff_lb_sc.id, aws_security_group.tipstaff_lb_sc_pingdom.id, aws_security_group.tipstaff_lb_sc_pingdom_2.id]
 264 │   subnets                    = data.aws_subnets.shared-public.ids
 265 │   enable_deletion_protection = false
 266 │   internal                   = false
 267 │   depends_on                 = [aws_security_group.tipstaff_lb_sc]
 268 └ }
────────────────────────────────────────


HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
 load_balancer.tf:266
   via load_balancer.tf:260-268 (aws_lb.tipstaff_lb)
────────────────────────────────────────
 260   resource "aws_lb" "tipstaff_lb" {
 261     name                       = "tipstaff-load-balancer"
 262     load_balancer_type         = "application"
 263     security_groups            = [aws_security_group.tipstaff_lb_sc.id, aws_security_group.tipstaff_lb_sc_pingdom.id, aws_security_group.tipstaff_lb_sc_pingdom_2.id]
 264     subnets                    = data.aws_subnets.shared-public.ids
 265     enable_deletion_protection = false
 266 [   internal                   = false
 267     depends_on                 = [aws_security_group.tipstaff_lb_sc]
 268   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 load_balancer.tf:110
   via load_balancer.tf:105-111 (egress)
    via load_balancer.tf:1-112 (aws_security_group.tipstaff_lb_sc)
────────────────────────────────────────
   1   resource "aws_security_group" "tipstaff_lb_sc" {
   .   
 110 [     cidr_blocks = ["0.0.0.0/0"]
 ...   
 112   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 load_balancer.tf:102
   via load_balancer.tf:97-103 (egress)
    via load_balancer.tf:1-112 (aws_security_group.tipstaff_lb_sc)
────────────────────────────────────────
   1   resource "aws_security_group" "tipstaff_lb_sc" {
   .   
 102 [     cidr_blocks = ["0.0.0.0/0"]
 ...   
 112   }
────────────────────────────────────────


CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
 load_balancer.tf:64-78
   via load_balancer.tf:60-79 (ingress)
    via load_balancer.tf:1-112 (aws_security_group.tipstaff_lb_sc)
────────────────────────────────────────
   1   resource "aws_security_group" "tipstaff_lb_sc" {
   .   
  64 ┌     cidr_blocks = [
  65 │       "20.26.11.71/32",
  66 │       "20.26.11.108/32",
  67 │       "20.49.214.199/32",
  68 │       "20.49.214.228/32",
  69 │       "51.149.249.0/29",
  70 │       "51.149.249.32/29",
  ..   
────────────────────────────────────────


CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
 load_balancer.tf:27-56
   via load_balancer.tf:23-57 (ingress)
    via load_balancer.tf:1-112 (aws_security_group.tipstaff_lb_sc)
────────────────────────────────────────
   1   resource "aws_security_group" "tipstaff_lb_sc" {
   .   
  27 ┌     cidr_blocks = [
  28 │       "178.248.34.44/32",
  29 │       "194.33.192.0/25",
  30 │       "195.59.75.0/24",
  31 │       "178.248.34.45/32",
  32 │       "201.33.21.5/32",
  33 │       "178.248.34.46/32",
  ..   
────────────────────────────────────────



rds.tf (terraform)
==================
Tests: 5 (SUCCESSES: 3, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 1, CRITICAL: 1)

HIGH: Instance does not have storage encryption enabled.
════════════════════════════════════════
Encryption should be enabled for RDS database instances.

Enable encryption by setting the kms_key_id.

See https://avd.aquasec.com/misconfig/avd-aws-0080
────────────────────────────────────────
 rds.tf:1-19
────────────────────────────────────────
   1 ┌ resource "aws_db_instance" "tipstaff_db" {
   2 │   count                       = local.is-development ? 0 : 1
   3 │   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
   4 │   db_name                     = local.application_data.accounts[local.environment].db_name
   5 │   storage_type                = local.application_data.accounts[local.environment].storage_type
   6 │   engine                      = local.application_data.accounts[local.environment].engine
   7 │   identifier                  = local.application_data.accounts[local.environment].identifier
   8 │   engine_version              = local.application_data.accounts[local.environment].engine_version
   9 └   instance_class              = local.application_data.accounts[local.environment].instance_class
  ..   
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 rds.tf:59
   via rds.tf:54-60 (egress)
    via rds.tf:26-61 (aws_security_group.postgresql_db_sc[0])
────────────────────────────────────────
  26   resource "aws_security_group" "postgresql_db_sc" {
  ..   
  59 [     cidr_blocks = ["0.0.0.0/0"]
  ..   
  61   }
────────────────────────────────────────


trivy_exitcode=1

@mark-butler-solirius mark-butler-solirius left a comment

lg

@dms1981 dms1981 merged commit 7b07dce into main Sep 13, 2024
10 of 14 checks passed
@dms1981 dms1981 deleted the feature/7185-tipstaff-shield-advanced branch September 13, 2024 16:04