
Bump s3_bucket_config::modernisation-platform-terraform-s3-bucket from 7.0.0 to 8.2.0 in /terraform/environments/delius-nextcloud #7849

Conversation

dependabot[bot]

@dependabot dependabot bot commented on behalf of github Sep 18, 2024

Bumps s3_bucket_config::modernisation-platform-terraform-s3-bucket from 7.0.0 to 8.2.0.

Release notes

Sourced from s3_bucket_config::modernisation-platform-terraform-s3-bucket's releases.

v8.2.0

What's New

The prior implementation of aws_s3_bucket_logging caused issues where bucket names for logs were strings known only after a terraform apply. This PR moves the logic to use a for_each with options to preserve backwards compatibility in the use of var.log_bucket_name. A new variable - var.log_buckets - takes a map of bucket attributes and creates aws_s3_bucket_logging resources for each log bucket.

To reference a bucket from an s3 bucket module in the same tf:

```hcl
module "s3_with_log_bucket" {
  log_buckets = tomap({ "main_log_bucket" : module.s3_log_bucket.bucket })
  log_prefix  = "logs/"
}
```

To refer to another bucket by name:

```hcl
module "s3_with_log_bucket" {
  log_bucket = "log-bucket"
  log_prefix = "logs/"
}
```

Or multiple buckets by name:

```hcl
module "s3_with_log_bucket" {
  log_bucket_names = toset(["log-bucket", "other-log-bucket"])
  log_prefix       = "logs/"
}
```

What's Changed

... (truncated)

Commits

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [s3_bucket_config::modernisation-platform-terraform-s3-bucket](https://github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket) from 7.0.0 to 8.2.0.
- [Release notes](https://github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket/releases)
- [Commits](ministryofjustice/modernisation-platform-terraform-s3-bucket@v7.0.0...v8.2.0)

---
updated-dependencies:
- dependency-name: s3_bucket_config::github::ministryofjustice/modernisation-platform-terraform-s3-bucket::v7.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file terraform Pull requests that update Terraform code labels Sep 18, 2024
@dependabot dependabot bot requested review from a team as code owners September 18, 2024 01:01
@github-actions github-actions bot added the environments-repository Used to exclude PRs from this repo in our Slack PR update label Sep 18, 2024

#### `Trivy Scan` Failed
<details><summary>Show Output</summary>

```hcl

Trivy will check the following folders:
terraform/environments/delius-nextcloud/modules/components/nextcloud


Running Trivy in terraform/environments/delius-nextcloud/modules/components/nextcloud
2024-09-18T01:03:19Z INFO [db] Need to update DB
2024-09-18T01:03:19Z INFO [db] Downloading DB... repository="ghcr.io/aquasecurity/trivy-db:2"
2024-09-18T01:03:21Z INFO [vuln] Vulnerability scanning is enabled
2024-09-18T01:03:21Z INFO [misconfig] Misconfiguration scanning is enabled
2024-09-18T01:03:21Z INFO Need to update the built-in policies
2024-09-18T01:03:21Z INFO Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s
2024-09-18T01:03:21Z INFO [secret] Secret scanning is enabled
2024-09-18T01:03:21Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-09-18T01:03:21Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.55/docs/scanner/secret#recommendation for faster secret detection
2024-09-18T01:03:22Z INFO [terraform scanner] Scanning root module file_path="."
2024-09-18T01:03:22Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="account_config, account_info, bastion_sg_id, env_name, platform_vars, tags"
2024-09-18T01:03:22Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_vpc_security_group_ingress_rule.ancillary_alb_ingress_https_global_protect_allowlist" value="cty.NilVal"
2024-09-18T01:03:22Z ERROR [terraform evaluator] Failed to load module. Maybe try 'terraform init'? err="open cluster: no such file or directory"
2024-09-18T01:03:22Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.nextcloud_service.aws_vpc_security_group_egress_rule.custom_rules" value="cty.NilVal"
2024-09-18T01:03:23Z ERROR [terraform evaluator] Failed to load module. Maybe try 'terraform init'? err="open container: no such file or directory"
2024-09-18T01:03:23Z ERROR [terraform evaluator] Failed to load module. Maybe try 'terraform init'? err="open service: no such file or directory"
2024-09-18T01:03:23Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_config.dynamic.expiration" value="cty.NilVal"
2024-09-18T01:03:23Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_config.dynamic.transition" value="cty.NilVal"
2024-09-18T01:03:23Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_config.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-09-18T01:03:23Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_config.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-09-18T01:03:23Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_config.dynamic.principals" value="cty.NilVal"
2024-09-18T01:03:23Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_config.dynamic.condition" value="cty.NilVal"
2024-09-18T01:03:23Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_config.dynamic.statement" value="cty.NilVal"
2024-09-18T01:03:23Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_config.dynamic.expiration" value="cty.NilVal"
2024-09-18T01:03:23Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_config.dynamic.transition" value="cty.NilVal"
2024-09-18T01:03:23Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_config.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-09-18T01:03:23Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_config.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-09-18T01:03:23Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_config.dynamic.principals" value="cty.NilVal"
2024-09-18T01:03:23Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_config.dynamic.condition" value="cty.NilVal"
2024-09-18T01:03:23Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_config.dynamic.statement" value="cty.NilVal"
2024-09-18T01:03:23Z ERROR [terraform evaluator] Failed to load module. Maybe try 'terraform init'? err="open container: no such file or directory"
2024-09-18T01:03:23Z ERROR [terraform evaluator] Failed to load module. Maybe try 'terraform init'? err="open service: no such file or directory"
2024-09-18T01:03:23Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.nextcloud_efs["config"].aws_efs_mount_target.this" value="cty.NilVal"
2024-09-18T01:03:23Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.nextcloud_efs["custom_apps"].aws_efs_mount_target.this" value="cty.NilVal"
2024-09-18T01:03:23Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.nextcloud_efs["data"].aws_efs_mount_target.this" value="cty.NilVal"
2024-09-18T01:03:23Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.nextcloud_efs["html"].aws_efs_mount_target.this" value="cty.NilVal"
2024-09-18T01:03:23Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.nextcloud_efs["themes"].aws_efs_mount_target.this" value="cty.NilVal"
2024-09-18T01:03:23Z INFO [terraform executor] Ignore finding rule="aws-s3-enable-bucket-encryption" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v8.2.0/main.tf:16-27"
2024-09-18T01:03:23Z INFO [terraform executor] Ignore finding rule="aws-s3-enable-versioning" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v8.2.0/main.tf:16-27"
2024-09-18T01:03:23Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v8.2.0/main.tf:187-197"
2024-09-18T01:03:23Z INFO Number of language-specific files num=0
2024-09-18T01:03:23Z INFO Detected config files num=16

../../../../delius-core/modules/helpers/delius_microservice/sg.tf (terraform)

Tests: 7 (SUCCESSES: 6, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
../../../../delius-core/modules/helpers/delius_microservice/sg.tf:47
via ../../../../delius-core/modules/helpers/delius_microservice/sg.tf:41-49 (aws_security_group_rule.ecs_service_tls_egress)
via ecs_service.tf:1-139 (module.nextcloud_service)
────────────────────────────────────────
41 resource "aws_security_group_rule" "ecs_service_tls_egress" {
42 description = "Allow all outbound traffic to any IPv4 address on 443"
43 type = "egress"
44 from_port = 443
45 to_port = 443
46 protocol = "tcp"
47 [ cidr_blocks = ["0.0.0.0/0"]
48 security_group_id = aws_security_group.ecs_service.id
49 }
────────────────────────────────────────

alb.tf (terraform)

Tests: 5 (SUCCESSES: 2, FAILURES: 3, EXCEPTIONS: 0)
Failures: 3 (HIGH: 2, CRITICAL: 1)

CRITICAL: Listener uses an outdated TLS policy.
════════════════════════════════════════
You should not use outdated/insecure TLS versions for encryption. You should be using TLS v1.2+.

See https://avd.aquasec.com/misconfig/avd-aws-0047
────────────────────────────────────────
alb.tf:14
via alb.tf:10-21 (aws_alb_listener.nextcloud_https)
────────────────────────────────────────
10 resource "aws_alb_listener" "nextcloud_https" {
..
14 [ ssl_policy = "ELBSecurityPolicy-2016-08"
..
21 }
────────────────────────────────────────

HIGH: Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.

By setting drop_invalid_header_fields to true, anything that doe not conform to well known, defined headers will be removed by the load balancer.

See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
alb.tf:1-8
────────────────────────────────────────
1 ┌ resource "aws_alb" "nextcloud" {
2 │ name = "nextcloud"
3 │ internal = false
4 │ load_balancer_type = "application"
5 │ security_groups = [aws_security_group.nextcloud_alb_sg.id]
6 │ subnets = var.account_config.public_subnet_ids
7 │ tags = var.tags
8 └ }
────────────────────────────────────────

HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
alb.tf:3
via alb.tf:1-8 (aws_alb.nextcloud)
────────────────────────────────────────
1 resource "aws_alb" "nextcloud" {
2 name = "nextcloud"
3 [ internal = false
4 load_balancer_type = "application"
5 security_groups = [aws_security_group.nextcloud_alb_sg.id]
6 subnets = var.account_config.public_subnet_ids
7 tags = var.tags
8 }
────────────────────────────────────────

pagerduty.tf (terraform)

Tests: 2 (SUCCESSES: 1, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Topic does not have encryption enabled.
════════════════════════════════════════
Topics should be encrypted to protect their contents.

See https://avd.aquasec.com/misconfig/avd-aws-0095
────────────────────────────────────────
pagerduty.tf:7-9
────────────────────────────────────────
7 ┌ resource "aws_sns_topic" "nextcloud_alarms" {
8 │ name = "nextcloud-alarms-${var.env_name}"
9 └ }
────────────────────────────────────────

trivy_exitcode=1

```

</details>

#### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/delius-nextcloud/modules/components/nextcloud

*****************************

Running Checkov in terraform/environments/delius-nextcloud/modules/components/nextcloud
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-09-18 01:03:26,303 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v8.2.0:None (for external modules, the --download-external-modules flag is required)
2024-09-18 01:03:26,303 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//cluster?ref=v4.2.1:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 361, Failed checks: 44, Skipped checks: 4

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: module.nextcloud_service.aws_cloudwatch_log_group.ecs
	File: /../../../../delius-core/modules/helpers/delius_microservice/cloudwatch.tf:1-5
	Calling File: /ecs_service.tf:1-139
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		1 | resource "aws_cloudwatch_log_group" "ecs" {
		2 |   name              = "${var.env_name}-${var.name}"
		3 |   retention_in_days = 7
		4 |   tags              = var.tags
		5 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: module.nextcloud_service.aws_cloudwatch_log_group.ecs
	File: /../../../../delius-core/modules/helpers/delius_microservice/cloudwatch.tf:1-5
	Calling File: /ecs_service.tf:1-139
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		1 | resource "aws_cloudwatch_log_group" "ecs" {
		2 |   name              = "${var.env_name}-${var.name}"
		3 |   retention_in_days = 7
		4 |   tags              = var.tags
		5 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.nextcloud_service.container_definition
	File: /../../../../delius-core/modules/helpers/delius_microservice/ecs.tf:1-25
	Calling File: /ecs_service.tf:1-139
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		1  | module "container_definition" {
		2  |   source                   = "git::https://github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//container?ref=v4.3.0"
		3  |   name                     = var.name
		4  |   image                    = var.container_image
		5  |   memory                   = var.container_memory
		6  |   cpu                      = var.container_cpu
		7  |   essential                = true
		8  |   readonly_root_filesystem = false
		9  | 
		10 |   environment = local.calculated_container_vars_list
		11 | 
		12 |   health_check = var.health_check
		13 | 
		14 |   secrets       = local.calculated_container_secrets_list
		15 |   port_mappings = var.container_port_config
		16 |   mount_points  = var.mount_points
		17 |   log_configuration = {
		18 |     logDriver = "awslogs"
		19 |     options = {
		20 |       "awslogs-group"         = aws_cloudwatch_log_group.ecs.name
		21 |       "awslogs-region"        = "eu-west-2"
		22 |       "awslogs-stream-prefix" = "${var.env_name}-${var.name}"
		23 |     }
		24 |   }
		25 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.nextcloud_service.ecs_service
	File: /../../../../delius-core/modules/helpers/delius_microservice/ecs.tf:35-72
	Calling File: /ecs_service.tf:1-139
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		35 | module "ecs_service" {
		36 |   source                = "git::https://github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//service?ref=v4.3.0"
		37 |   container_definitions = nonsensitive(module.container_definition.json_encoded_list)
		38 |   cluster_arn           = var.ecs_cluster_arn
		39 |   name                  = var.name
		40 | 
		41 |   task_cpu    = var.container_cpu
		42 |   task_memory = var.container_memory
		43 | 
		44 |   desired_count                      = var.desired_count
		45 |   deployment_maximum_percent         = var.deployment_maximum_percent
		46 |   deployment_minimum_healthy_percent = var.deployment_minimum_healthy_percent
		47 | 
		48 |   service_role_arn   = "arn:aws:iam::${var.account_info.id}:role/${module.ecs_policies.service_role.name}"
		49 |   task_role_arn      = "arn:aws:iam::${var.account_info.id}:role/${module.ecs_policies.task_role.name}"
		50 |   task_exec_role_arn = "arn:aws:iam::${var.account_info.id}:role/${module.ecs_policies.task_exec_role.name}"
		51 | 
		52 |   health_check_grace_period_seconds = var.health_check_grace_period_seconds
		53 | 
		54 |   service_load_balancers = var.microservice_lb != null ? concat([{
		55 |     target_group_arn = aws_lb_target_group.frontend[0].arn
		56 |     container_name   = var.name
		57 |     container_port   = var.container_port_config[0].containerPort
		58 |     }],
		59 |   values(local.ecs_nlbs)) : values(local.ecs_nlbs)
		60 | 
		61 |   efs_volumes = var.efs_volumes
		62 | 
		63 |   security_groups = [aws_security_group.ecs_service.id]
		64 | 
		65 |   subnets = var.account_config.private_subnet_ids
		66 | 
		67 |   enable_execute_command = true
		68 | 
		69 |   ignore_changes = var.ignore_changes_service_task_definition
		70 | 
		71 |   tags = var.tags
		72 | }

Check: CKV_AWS_134: "Ensure that Amazon ElastiCache Redis clusters have automatic backup turned on"
	FAILED for resource: module.nextcloud_service.aws_elasticache_cluster.this
	File: /../../../../delius-core/modules/helpers/delius_microservice/elasticache.tf:8-23
	Calling File: /ecs_service.tf:1-139
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-amazon-elasticache-redis-clusters-have-automatic-backup-turned-on

		8  | resource "aws_elasticache_cluster" "this" {
		9  |   count                      = var.create_elasticache ? 1 : 0
		10 |   cluster_id                 = "${var.name}-${var.env_name}"
		11 |   engine                     = var.elasticache_engine
		12 |   node_type                  = var.elasticache_node_type
		13 |   num_cache_nodes            = var.elasticache_num_cache_nodes
		14 |   parameter_group_name       = var.elasticache_parameter_group_name
		15 |   engine_version             = var.elasticache_engine_version
		16 |   port                       = var.elasticache_port
		17 |   subnet_group_name          = aws_elasticache_subnet_group.this[0].name
		18 |   apply_immediately          = var.elasticache_apply_immediately
		19 |   auto_minor_version_upgrade = true
		20 |   final_snapshot_identifier  = var.elasticache_engine == "redis" ? "final-redis-${var.name}-${var.env_name}" : null
		21 |   maintenance_window         = var.maintenance_window
		22 |   security_group_ids         = [aws_security_group.elasticache[0].id]
		23 | }

Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
	FAILED for resource: module.nextcloud_service.aws_lb.delius_microservices
	File: /../../../../delius-core/modules/helpers/delius_microservice/load_balancing.tf:90-98
	Calling File: /ecs_service.tf:1-139
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-150

		90 | resource "aws_lb" "delius_microservices" {
		91 |   name                       = "${var.name}-${var.env_name}-service-nlb"
		92 |   internal                   = true
		93 |   load_balancer_type         = "network"
		94 |   security_groups            = [aws_security_group.delius_microservices_service_nlb.id]
		95 |   subnets                    = var.account_config.private_subnet_ids
		96 |   enable_deletion_protection = false
		97 |   tags                       = var.tags
		98 | }

Check: CKV_AWS_152: "Ensure that Load Balancer (Network/Gateway) has cross-zone load balancing enabled"
	FAILED for resource: module.nextcloud_service.aws_lb.delius_microservices
	File: /../../../../delius-core/modules/helpers/delius_microservice/load_balancing.tf:90-98
	Calling File: /ecs_service.tf:1-139
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-load-balancer-networkgateway-has-cross-zone-load-balancing-enabled

		90 | resource "aws_lb" "delius_microservices" {
		91 |   name                       = "${var.name}-${var.env_name}-service-nlb"
		92 |   internal                   = true
		93 |   load_balancer_type         = "network"
		94 |   security_groups            = [aws_security_group.delius_microservices_service_nlb.id]
		95 |   subnets                    = var.account_config.private_subnet_ids
		96 |   enable_deletion_protection = false
		97 |   tags                       = var.tags
		98 | }

Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
	FAILED for resource: module.nextcloud_service.aws_lb.delius_microservices
	File: /../../../../delius-core/modules/helpers/delius_microservice/load_balancing.tf:90-98
	Calling File: /ecs_service.tf:1-139
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22

		90 | resource "aws_lb" "delius_microservices" {
		91 |   name                       = "${var.name}-${var.env_name}-service-nlb"
		92 |   internal                   = true
		93 |   load_balancer_type         = "network"
		94 |   security_groups            = [aws_security_group.delius_microservices_service_nlb.id]
		95 |   subnets                    = var.account_config.private_subnet_ids
		96 |   enable_deletion_protection = false
		97 |   tags                       = var.tags
		98 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: module.nextcloud_service.aws_vpc_security_group_ingress_rule.from_vpc
	File: /../../../../delius-core/modules/helpers/delius_microservice/load_balancing.tf:110-114
	Calling File: /ecs_service.tf:1-139
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		110 | resource "aws_vpc_security_group_ingress_rule" "from_vpc" {
		111 |   cidr_ipv4         = var.account_config.shared_vpc_cidr
		112 |   ip_protocol       = "-1"
		113 |   security_group_id = aws_security_group.delius_microservices_service_nlb.id
		114 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: module.nextcloud_service.aws_vpc_security_group_egress_rule.nlb_to_ecs_service
	File: /../../../../delius-core/modules/helpers/delius_microservice/load_balancing.tf:116-123
	Calling File: /ecs_service.tf:1-139
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		116 | resource "aws_vpc_security_group_egress_rule" "nlb_to_ecs_service" {
		117 |   for_each                     = toset([for _, v in var.container_port_config : tostring(v.containerPort)])
		118 |   ip_protocol                  = "TCP"
		119 |   from_port                    = each.value
		120 |   to_port                      = each.value
		121 |   security_group_id            = aws_security_group.delius_microservices_service_nlb.id
		122 |   referenced_security_group_id = aws_security_group.ecs_service.id
		123 | }

Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
	FAILED for resource: module.nextcloud_service.aws_db_instance.this
	File: /../../../../delius-core/modules/helpers/delius_microservice/rds.tf:65-111
	Calling File: /ecs_service.tf:1-139
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-73

		65  | resource "aws_db_instance" "this" {
		66  |   count          = var.create_rds ? 1 : 0
		67  |   engine         = var.rds_engine
		68  |   license_model  = var.rds_license_model != null ? var.rds_license_model : null
		69  |   engine_version = var.rds_engine_version
		70  |   instance_class = var.rds_instance_class
		71  |   identifier     = "${var.name}-${var.env_name}-db"
		72  |   username       = var.rds_username
		73  | 
		74  |   manage_master_user_password = true
		75  | 
		76  |   snapshot_identifier = var.snapshot_identifier != null ? var.snapshot_identifier : null
		77  | 
		78  |   kms_key_id = var.account_config.kms_keys.rds_shared
		79  | 
		80  |   allow_major_version_upgrade = var.rds_allow_major_version_upgrade
		81  |   apply_immediately           = var.rds_apply_immediately
		82  | 
		83  |   # tflint-ignore: aws_db_instance_default_parameter_group
		84  |   parameter_group_name                = var.rds_parameter_group_name
		85  |   deletion_protection                 = var.rds_deletion_protection
		86  |   delete_automated_backups            = var.rds_delete_automated_backups
		87  |   skip_final_snapshot                 = var.rds_skip_final_snapshot
		88  |   final_snapshot_identifier           = !var.rds_skip_final_snapshot ? "${var.name}-${var.env_name}-db-final-${random_id.rds_suffix.hex}" : null
		89  |   allocated_storage                   = var.rds_allocated_storage
		90  |   max_allocated_storage               = var.rds_max_allocated_storage
		91  |   storage_type                        = var.rds_storage_type
		92  |   maintenance_window                  = var.maintenance_window
		93  |   auto_minor_version_upgrade          = true
		94  |   backup_window                       = var.rds_backup_window
		95  |   backup_retention_period             = var.rds_backup_retention_period
		96  |   iam_database_authentication_enabled = var.rds_iam_database_authentication_enabled
		97  |   db_subnet_group_name                = aws_db_subnet_group.this[0].id
		98  |   vpc_security_group_ids              = [aws_security_group.db[0].id]
		99  |   multi_az                            = var.rds_multi_az
		100 |   monitoring_interval                 = var.rds_monitoring_interval
		101 |   monitoring_role_arn                 = var.rds_monitoring_interval != null || var.rds_monitoring_interval != 0 ? aws_iam_role.rds_enhanced_monitoring[0].arn : null
		102 |   #checkov:skip=CKV_AWS_118: "enhanced monitoring is enabled, but optional"
		103 |   storage_encrypted               = true
		104 |   performance_insights_enabled    = var.rds_performance_insights_enabled
		105 |   performance_insights_kms_key_id = var.rds_performance_insights_enabled ? var.account_config.kms_keys.general_shared : null
		106 |   enabled_cloudwatch_logs_exports = var.rds_enabled_cloudwatch_logs_exports
		107 |   tags = merge(var.tags,
		108 |     { Name = lower(format("%s-%s-database", var.name, var.env_name)) },
		109 |     var.enable_platform_backups != null ? { "backup" = var.enable_platform_backups ? "true" : "false" } : {}
		110 |   )
		111 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: module.nextcloud_service.aws_db_instance.this
	File: /../../../../delius-core/modules/helpers/delius_microservice/rds.tf:65-111
	Calling File: /ecs_service.tf:1-139
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-354

		65  | resource "aws_db_instance" "this" {
		66  |   count          = var.create_rds ? 1 : 0
		67  |   engine         = var.rds_engine
		68  |   license_model  = var.rds_license_model != null ? var.rds_license_model : null
		69  |   engine_version = var.rds_engine_version
		70  |   instance_class = var.rds_instance_class
		71  |   identifier     = "${var.name}-${var.env_name}-db"
		72  |   username       = var.rds_username
		73  | 
		74  |   manage_master_user_password = true
		75  | 
		76  |   snapshot_identifier = var.snapshot_identifier != null ? var.snapshot_identifier : null
		77  | 
		78  |   kms_key_id = var.account_config.kms_keys.rds_shared
		79  | 
		80  |   allow_major_version_upgrade = var.rds_allow_major_version_upgrade
		81  |   apply_immediately           = var.rds_apply_immediately
		82  | 
		83  |   # tflint-ignore: aws_db_instance_default_parameter_group
		84  |   parameter_group_name                = var.rds_parameter_group_name
		85  |   deletion_protection                 = var.rds_deletion_protection
		86  |   delete_automated_backups            = var.rds_delete_automated_backups
		87  |   skip_final_snapshot                 = var.rds_skip_final_snapshot
		88  |   final_snapshot_identifier           = !var.rds_skip_final_snapshot ? "${var.name}-${var.env_name}-db-final-${random_id.rds_suffix.hex}" : null
		89  |   allocated_storage                   = var.rds_allocated_storage
		90  |   max_allocated_storage               = var.rds_max_allocated_storage
		91  |   storage_type                        = var.rds_storage_type
		92  |   maintenance_window                  = var.maintenance_window
		93  |   auto_minor_version_upgrade          = true
		94  |   backup_window                       = var.rds_backup_window
		95  |   backup_retention_period             = var.rds_backup_retention_period
		96  |   iam_database_authentication_enabled = var.rds_iam_database_authentication_enabled
		97  |   db_subnet_group_name                = aws_db_subnet_group.this[0].id
		98  |   vpc_security_group_ids              = [aws_security_group.db[0].id]
		99  |   multi_az                            = var.rds_multi_az
		100 |   monitoring_interval                 = var.rds_monitoring_interval
		101 |   monitoring_role_arn                 = var.rds_monitoring_interval != null || var.rds_monitoring_interval != 0 ? aws_iam_role.rds_enhanced_monitoring[0].arn : null
		102 |   #checkov:skip=CKV_AWS_118: "enhanced monitoring is enabled, but optional"
		103 |   storage_encrypted               = true
		104 |   performance_insights_enabled    = var.rds_performance_insights_enabled
		105 |   performance_insights_kms_key_id = var.rds_performance_insights_enabled ? var.account_config.kms_keys.general_shared : null
		106 |   enabled_cloudwatch_logs_exports = var.rds_enabled_cloudwatch_logs_exports
		107 |   tags = merge(var.tags,
		108 |     { Name = lower(format("%s-%s-database", var.name, var.env_name)) },
		109 |     var.enable_platform_backups != null ? { "backup" = var.enable_platform_backups ? "true" : "false" } : {}
		110 |   )
		111 | }

Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
	FAILED for resource: module.nextcloud_service.aws_db_instance.this
	File: /../../../../delius-core/modules/helpers/delius_microservice/rds.tf:65-111
	Calling File: /ecs_service.tf:1-139
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-353

		65  | resource "aws_db_instance" "this" {
		66  |   count          = var.create_rds ? 1 : 0
		67  |   engine         = var.rds_engine
		68  |   license_model  = var.rds_license_model != null ? var.rds_license_model : null
		69  |   engine_version = var.rds_engine_version
		70  |   instance_class = var.rds_instance_class
		71  |   identifier     = "${var.name}-${var.env_name}-db"
		72  |   username       = var.rds_username
		73  | 
		74  |   manage_master_user_password = true
		75  | 
		76  |   snapshot_identifier = var.snapshot_identifier != null ? var.snapshot_identifier : null
		77  | 
		78  |   kms_key_id = var.account_config.kms_keys.rds_shared
		79  | 
		80  |   allow_major_version_upgrade = var.rds_allow_major_version_upgrade
		81  |   apply_immediately           = var.rds_apply_immediately
		82  | 
		83  |   # tflint-ignore: aws_db_instance_default_parameter_group
		84  |   parameter_group_name                = var.rds_parameter_group_name
		85  |   deletion_protection                 = var.rds_deletion_protection
		86  |   delete_automated_backups            = var.rds_delete_automated_backups
		87  |   skip_final_snapshot                 = var.rds_skip_final_snapshot
		88  |   final_snapshot_identifier           = !var.rds_skip_final_snapshot ? "${var.name}-${var.env_name}-db-final-${random_id.rds_suffix.hex}" : null
		89  |   allocated_storage                   = var.rds_allocated_storage
		90  |   max_allocated_storage               = var.rds_max_allocated_storage
		91  |   storage_type                        = var.rds_storage_type
		92  |   maintenance_window                  = var.maintenance_window
		93  |   auto_minor_version_upgrade          = true
		94  |   backup_window                       = var.rds_backup_window
		95  |   backup_retention_period             = var.rds_backup_retention_period
		96  |   iam_database_authentication_enabled = var.rds_iam_database_authentication_enabled
		97  |   db_subnet_group_name                = aws_db_subnet_group.this[0].id
		98  |   vpc_security_group_ids              = [aws_security_group.db[0].id]
		99  |   multi_az                            = var.rds_multi_az
		100 |   monitoring_interval                 = var.rds_monitoring_interval
		101 |   monitoring_role_arn                 = var.rds_monitoring_interval != null || var.rds_monitoring_interval != 0 ? aws_iam_role.rds_enhanced_monitoring[0].arn : null
		102 |   #checkov:skip=CKV_AWS_118: "enhanced monitoring is enabled, but optional"
		103 |   storage_encrypted               = true
		104 |   performance_insights_enabled    = var.rds_performance_insights_enabled
		105 |   performance_insights_kms_key_id = var.rds_performance_insights_enabled ? var.account_config.kms_keys.general_shared : null
		106 |   enabled_cloudwatch_logs_exports = var.rds_enabled_cloudwatch_logs_exports
		107 |   tags = merge(var.tags,
		108 |     { Name = lower(format("%s-%s-database", var.name, var.env_name)) },
		109 |     var.enable_platform_backups != null ? { "backup" = var.enable_platform_backups ? "true" : "false" } : {}
		110 |   )
		111 | }

Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
	FAILED for resource: module.nextcloud_service.aws_db_instance.this
	File: /../../../../delius-core/modules/helpers/delius_microservice/rds.tf:65-111
	Calling File: /ecs_service.tf:1-139
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-293

		65  | resource "aws_db_instance" "this" {
		66  |   count          = var.create_rds ? 1 : 0
		67  |   engine         = var.rds_engine
		68  |   license_model  = var.rds_license_model != null ? var.rds_license_model : null
		69  |   engine_version = var.rds_engine_version
		70  |   instance_class = var.rds_instance_class
		71  |   identifier     = "${var.name}-${var.env_name}-db"
		72  |   username       = var.rds_username
		73  | 
		74  |   manage_master_user_password = true
		75  | 
		76  |   snapshot_identifier = var.snapshot_identifier != null ? var.snapshot_identifier : null
		77  | 
		78  |   kms_key_id = var.account_config.kms_keys.rds_shared
		79  | 
		80  |   allow_major_version_upgrade = var.rds_allow_major_version_upgrade
		81  |   apply_immediately           = var.rds_apply_immediately
		82  | 
		83  |   # tflint-ignore: aws_db_instance_default_parameter_group
		84  |   parameter_group_name                = var.rds_parameter_group_name
		85  |   deletion_protection                 = var.rds_deletion_protection
		86  |   delete_automated_backups            = var.rds_delete_automated_backups
		87  |   skip_final_snapshot                 = var.rds_skip_final_snapshot
		88  |   final_snapshot_identifier           = !var.rds_skip_final_snapshot ? "${var.name}-${var.env_name}-db-final-${random_id.rds_suffix.hex}" : null
		89  |   allocated_storage                   = var.rds_allocated_storage
		90  |   max_allocated_storage               = var.rds_max_allocated_storage
		91  |   storage_type                        = var.rds_storage_type
		92  |   maintenance_window                  = var.maintenance_window
		93  |   auto_minor_version_upgrade          = true
		94  |   backup_window                       = var.rds_backup_window
		95  |   backup_retention_period             = var.rds_backup_retention_period
		96  |   iam_database_authentication_enabled = var.rds_iam_database_authentication_enabled
		97  |   db_subnet_group_name                = aws_db_subnet_group.this[0].id
		98  |   vpc_security_group_ids              = [aws_security_group.db[0].id]
		99  |   multi_az                            = var.rds_multi_az
		100 |   monitoring_interval                 = var.rds_monitoring_interval
		101 |   monitoring_role_arn                 = var.rds_monitoring_interval != null || var.rds_monitoring_interval != 0 ? aws_iam_role.rds_enhanced_monitoring[0].arn : null
		102 |   #checkov:skip=CKV_AWS_118: "enhanced monitoring is enabled, but optional"
		103 |   storage_encrypted               = true
		104 |   performance_insights_enabled    = var.rds_performance_insights_enabled
		105 |   performance_insights_kms_key_id = var.rds_performance_insights_enabled ? var.account_config.kms_keys.general_shared : null
		106 |   enabled_cloudwatch_logs_exports = var.rds_enabled_cloudwatch_logs_exports
		107 |   tags = merge(var.tags,
		108 |     { Name = lower(format("%s-%s-database", var.name, var.env_name)) },
		109 |     var.enable_platform_backups != null ? { "backup" = var.enable_platform_backups ? "true" : "false" } : {}
		110 |   )
		111 | }

Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
	FAILED for resource: module.nextcloud_service.aws_db_instance.this
	File: /../../../../delius-core/modules/helpers/delius_microservice/rds.tf:65-111
	Calling File: /ecs_service.tf:1-139
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled

		65  | resource "aws_db_instance" "this" {
		66  |   count          = var.create_rds ? 1 : 0
		67  |   engine         = var.rds_engine
		68  |   license_model  = var.rds_license_model != null ? var.rds_license_model : null
		69  |   engine_version = var.rds_engine_version
		70  |   instance_class = var.rds_instance_class
		71  |   identifier     = "${var.name}-${var.env_name}-db"
		72  |   username       = var.rds_username
		73  | 
		74  |   manage_master_user_password = true
		75  | 
		76  |   snapshot_identifier = var.snapshot_identifier != null ? var.snapshot_identifier : null
		77  | 
		78  |   kms_key_id = var.account_config.kms_keys.rds_shared
		79  | 
		80  |   allow_major_version_upgrade = var.rds_allow_major_version_upgrade
		81  |   apply_immediately           = var.rds_apply_immediately
		82  | 
		83  |   # tflint-ignore: aws_db_instance_default_parameter_group
		84  |   parameter_group_name                = var.rds_parameter_group_name
		85  |   deletion_protection                 = var.rds_deletion_protection
		86  |   delete_automated_backups            = var.rds_delete_automated_backups
		87  |   skip_final_snapshot                 = var.rds_skip_final_snapshot
		88  |   final_snapshot_identifier           = !var.rds_skip_final_snapshot ? "${var.name}-${var.env_name}-db-final-${random_id.rds_suffix.hex}" : null
		89  |   allocated_storage                   = var.rds_allocated_storage
		90  |   max_allocated_storage               = var.rds_max_allocated_storage
		91  |   storage_type                        = var.rds_storage_type
		92  |   maintenance_window                  = var.maintenance_window
		93  |   auto_minor_version_upgrade          = true
		94  |   backup_window                       = var.rds_backup_window
		95  |   backup_retention_period             = var.rds_backup_retention_period
		96  |   iam_database_authentication_enabled = var.rds_iam_database_authentication_enabled
		97  |   db_subnet_group_name                = aws_db_subnet_group.this[0].id
		98  |   vpc_security_group_ids              = [aws_security_group.db[0].id]
		99  |   multi_az                            = var.rds_multi_az
		100 |   monitoring_interval                 = var.rds_monitoring_interval
		101 |   monitoring_role_arn                 = var.rds_monitoring_interval != null || var.rds_monitoring_interval != 0 ? aws_iam_role.rds_enhanced_monitoring[0].arn : null
		102 |   #checkov:skip=CKV_AWS_118: "enhanced monitoring is enabled, but optional"
		103 |   storage_encrypted               = true
		104 |   performance_insights_enabled    = var.rds_performance_insights_enabled
		105 |   performance_insights_kms_key_id = var.rds_performance_insights_enabled ? var.account_config.kms_keys.general_shared : null
		106 |   enabled_cloudwatch_logs_exports = var.rds_enabled_cloudwatch_logs_exports
		107 |   tags = merge(var.tags,
		108 |     { Name = lower(format("%s-%s-database", var.name, var.env_name)) },
		109 |     var.enable_platform_backups != null ? { "backup" = var.enable_platform_backups ? "true" : "false" } : {}
		110 |   )
		111 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: module.nextcloud_service.aws_security_group_rule.all_cluster_to_ecs_service_tcp
	File: /../../../../delius-core/modules/helpers/delius_microservice/sg.tf:51-59
	Calling File: /ecs_service.tf:1-139
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		51 | resource "aws_security_group_rule" "all_cluster_to_ecs_service_tcp" {
		52 |   for_each                 = toset([for _, v in var.container_port_config : tostring(v.containerPort)])
		53 |   security_group_id        = aws_security_group.ecs_service.id
		54 |   type                     = "ingress"
		55 |   from_port                = each.value
		56 |   to_port                  = each.value
		57 |   protocol                 = "tcp"
		58 |   source_security_group_id = var.cluster_security_group_id
		59 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: module.nextcloud_service.aws_security_group_rule.bastion_to_ecs_service_tcp
	File: /../../../../delius-core/modules/helpers/delius_microservice/sg.tf:61-69
	Calling File: /ecs_service.tf:1-139
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		61 | resource "aws_security_group_rule" "bastion_to_ecs_service_tcp" {
		62 |   for_each                 = toset([for _, v in var.container_port_config : tostring(v.containerPort)])
		63 |   security_group_id        = aws_security_group.ecs_service.id
		64 |   type                     = "ingress"
		65 |   from_port                = each.value
		66 |   to_port                  = each.value
		67 |   protocol                 = "tcp"
		68 |   source_security_group_id = var.bastion_sg_id
		69 | }

Check: CKV_AWS_108: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: module.nextcloud_service.module.ecs_policies.aws_iam_policy_document.task_exec
	File: /../../../../delius-core/modules/helpers/ecs_policies/main.tf:104-122
	Calling File: /../../../../delius-core/modules/helpers/delius_microservice/ecs.tf:27-33
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-data-exfiltration

		104 | data "aws_iam_policy_document" "task_exec" {
		105 |   statement {
		106 |     effect    = "Allow"
		107 |     resources = ["*"]
		108 | 
		109 |     actions = concat([
		110 |       "ssm:GetParameters",
		111 |       "ecr:GetAuthorizationToken",
		112 |       "ecr:BatchCheckLayerAvailability",
		113 |       "ecr:GetDownloadUrlForLayer",
		114 |       "ecr:BatchGetImage",
		115 |       "logs:CreateLogGroup",
		116 |       "logs:CreateLogStream",
		117 |       "logs:PutLogEvents",
		118 |       "secretsmanager:GetSecretValue",
		119 |       "kms:Decrypt",
		120 |     ], var.extra_exec_role_allow_statements)
		121 |   }
		122 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.nextcloud_service.module.ecs_policies.aws_iam_policy_document.task_exec
	File: /../../../../delius-core/modules/helpers/ecs_policies/main.tf:104-122
	Calling File: /../../../../delius-core/modules/helpers/delius_microservice/ecs.tf:27-33
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		104 | data "aws_iam_policy_document" "task_exec" {
		105 |   statement {
		106 |     effect    = "Allow"
		107 |     resources = ["*"]
		108 | 
		109 |     actions = concat([
		110 |       "ssm:GetParameters",
		111 |       "ecr:GetAuthorizationToken",
		112 |       "ecr:BatchCheckLayerAvailability",
		113 |       "ecr:GetDownloadUrlForLayer",
		114 |       "ecr:BatchGetImage",
		115 |       "logs:CreateLogGroup",
		116 |       "logs:CreateLogStream",
		117 |       "logs:PutLogEvents",
		118 |       "secretsmanager:GetSecretValue",
		119 |       "kms:Decrypt",
		120 |     ], var.extra_exec_role_allow_statements)
		121 |   }
		122 | }

Check: CKV_AWS_329: "EFS access points should enforce a root directory"
	FAILED for resource: module.nextcloud_efs["themes"].aws_efs_access_point.ldap
	File: /../../../../delius-core/modules/helpers/efs/main.tf:26-37
	Calling File: /efs.tf:1-18
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-329

		26 | resource "aws_efs_access_point" "ldap" {
		27 |   file_system_id = aws_efs_file_system.this.id
		28 |   root_directory {
		29 |     path = "/"
		30 |   }
		31 |   tags = merge(
		32 |     var.tags,
		33 |     {
		34 |       Name = "${var.env_name}-${var.name}-efs-access-point"
		35 |     }
		36 |   )
		37 | }

Check: CKV_AWS_330: "EFS access points should enforce a user identity"
	FAILED for resource: module.nextcloud_efs["themes"].aws_efs_access_point.ldap
	File: /../../../../delius-core/modules/helpers/efs/main.tf:26-37
	Calling File: /efs.tf:1-18
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-330

		26 | resource "aws_efs_access_point" "ldap" {
		27 |   file_system_id = aws_efs_file_system.this.id
		28 |   root_directory {
		29 |     path = "/"
		30 |   }
		31 |   tags = merge(
		32 |     var.tags,
		33 |     {
		34 |       Name = "${var.env_name}-${var.name}-efs-access-point"
		35 |     }
		36 |   )
		37 | }

Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
	FAILED for resource: aws_alb.nextcloud
	File: /alb.tf:1-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-150

		1 | resource "aws_alb" "nextcloud" {
		2 |   name               = "nextcloud"
		3 |   internal           = false
		4 |   load_balancer_type = "application"
		5 |   security_groups    = [aws_security_group.nextcloud_alb_sg.id]
		6 |   subnets            = var.account_config.public_subnet_ids
		7 |   tags               = var.tags
		8 | }

Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
	FAILED for resource: aws_alb.nextcloud
	File: /alb.tf:1-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers

		1 | resource "aws_alb" "nextcloud" {
		2 |   name               = "nextcloud"
		3 |   internal           = false
		4 |   load_balancer_type = "application"
		5 |   security_groups    = [aws_security_group.nextcloud_alb_sg.id]
		6 |   subnets            = var.account_config.public_subnet_ids
		7 |   tags               = var.tags
		8 | }

Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
	FAILED for resource: aws_alb.nextcloud
	File: /alb.tf:1-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22

		1 | resource "aws_alb" "nextcloud" {
		2 |   name               = "nextcloud"
		3 |   internal           = false
		4 |   load_balancer_type = "application"
		5 |   security_groups    = [aws_security_group.nextcloud_alb_sg.id]
		6 |   subnets            = var.account_config.public_subnet_ids
		7 |   tags               = var.tags
		8 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.cluster
	File: /ecs_cluster.tf:8-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		8  | resource "aws_security_group" "cluster" {
		9  |   name   = "ecs-cluster-nextcloud-${var.env_name}"
		10 |   vpc_id = var.account_info.vpc_id
		11 |   lifecycle {
		12 |     create_before_destroy = true
		13 |   }
		14 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: ecs
	File: /ecs_cluster.tf:1-6
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		1 | module "ecs" {
		2 |   source                    = "github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//cluster?ref=v4.2.1"
		3 |   name                      = "nextcloud-${var.env_name}-cluster"
		4 |   enable_container_insights = "enabled"
		5 |   tags                      = var.tags
		6 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.nextcloud_admin_password
	File: /ecs_service.tf:141-143
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		141 | resource "aws_secretsmanager_secret" "nextcloud_admin_password" {
		142 |   name = "nextcloud-admin-password"
		143 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.nextcloud_alarms
	File: /pagerduty.tf:7-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		7 | resource "aws_sns_topic" "nextcloud_alarms" {
		8 |   name = "nextcloud-alarms-${var.env_name}"
		9 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.nextcloud_secret
	File: /s3.tf:63-72
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		63 | resource "aws_ssm_parameter" "nextcloud_secret" {
		64 |   name  = "/${var.env_name}/nextcloud/secret"
		65 |   type  = "SecureString"
		66 |   value = "replace_me"
		67 |   lifecycle {
		68 |     ignore_changes = [
		69 |       value
		70 |     ]
		71 |   }
		72 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3_bucket_config
	File: /s3.tf:1-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_329: "EFS access points should enforce a root directory"
	FAILED for resource: module.nextcloud_efs["custom_apps"].aws_efs_access_point.ldap
	File: /../../../../delius-core/modules/helpers/efs/main.tf:26-37
	Calling File: /efs.tf:1-18
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-329

		26 | resource "aws_efs_access_point" "ldap" {
		27 |   file_system_id = aws_efs_file_system.this.id
		28 |   root_directory {
		29 |     path = "/"
		30 |   }
		31 |   tags = merge(
		32 |     var.tags,
		33 |     {
		34 |       Name = "${var.env_name}-${var.name}-efs-access-point"
		35 |     }
		36 |   )
		37 | }

Check: CKV_AWS_330: "EFS access points should enforce a user identity"
	FAILED for resource: module.nextcloud_efs["custom_apps"].aws_efs_access_point.ldap
	File: /../../../../delius-core/modules/helpers/efs/main.tf:26-37
	Calling File: /efs.tf:1-18
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-330

		26 | resource "aws_efs_access_point" "ldap" {
		27 |   file_system_id = aws_efs_file_system.this.id
		28 |   root_directory {
		29 |     path = "/"
		30 |   }
		31 |   tags = merge(
		32 |     var.tags,
		33 |     {
		34 |       Name = "${var.env_name}-${var.name}-efs-access-point"
		35 |     }
		36 |   )
		37 | }

Check: CKV_AWS_329: "EFS access points should enforce a root directory"
	FAILED for resource: module.nextcloud_efs["html"].aws_efs_access_point.ldap
	File: /../../../../delius-core/modules/helpers/efs/main.tf:26-37
	Calling File: /efs.tf:1-18
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-329

		26 | resource "aws_efs_access_point" "ldap" {
		27 |   file_system_id = aws_efs_file_system.this.id
		28 |   root_directory {
		29 |     path = "/"
		30 |   }
		31 |   tags = merge(
		32 |     var.tags,
		33 |     {
		34 |       Name = "${var.env_name}-${var.name}-efs-access-point"
		35 |     }
		36 |   )
		37 | }

Check: CKV_AWS_330: "EFS access points should enforce a user identity"
	FAILED for resource: module.nextcloud_efs["html"].aws_efs_access_point.ldap
	File: /../../../../delius-core/modules/helpers/efs/main.tf:26-37
	Calling File: /efs.tf:1-18
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-330

		26 | resource "aws_efs_access_point" "ldap" {
		27 |   file_system_id = aws_efs_file_system.this.id
		28 |   root_directory {
		29 |     path = "/"
		30 |   }
		31 |   tags = merge(
		32 |     var.tags,
		33 |     {
		34 |       Name = "${var.env_name}-${var.name}-efs-access-point"
		35 |     }
		36 |   )
		37 | }

Check: CKV_AWS_329: "EFS access points should enforce a root directory"
	FAILED for resource: module.nextcloud_efs["config"].aws_efs_access_point.ldap
	File: /../../../../delius-core/modules/helpers/efs/main.tf:26-37
	Calling File: /efs.tf:1-18
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-329

		26 | resource "aws_efs_access_point" "ldap" {
		27 |   file_system_id = aws_efs_file_system.this.id
		28 |   root_directory {
		29 |     path = "/"
		30 |   }
		31 |   tags = merge(
		32 |     var.tags,
		33 |     {
		34 |       Name = "${var.env_name}-${var.name}-efs-access-point"
		35 |     }
		36 |   )
		37 | }

Check: CKV_AWS_330: "EFS access points should enforce a user identity"
	FAILED for resource: module.nextcloud_efs["config"].aws_efs_access_point.ldap
	File: /../../../../delius-core/modules/helpers/efs/main.tf:26-37
	Calling File: /efs.tf:1-18
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-330

		26 | resource "aws_efs_access_point" "ldap" {
		27 |   file_system_id = aws_efs_file_system.this.id
		28 |   root_directory {
		29 |     path = "/"
		30 |   }
		31 |   tags = merge(
		32 |     var.tags,
		33 |     {
		34 |       Name = "${var.env_name}-${var.name}-efs-access-point"
		35 |     }
		36 |   )
		37 | }

Check: CKV_AWS_329: "EFS access points should enforce a root directory"
	FAILED for resource: module.nextcloud_efs["data"].aws_efs_access_point.ldap
	File: /../../../../delius-core/modules/helpers/efs/main.tf:26-37
	Calling File: /efs.tf:1-18
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-329

		26 | resource "aws_efs_access_point" "ldap" {
		27 |   file_system_id = aws_efs_file_system.this.id
		28 |   root_directory {
		29 |     path = "/"
		30 |   }
		31 |   tags = merge(
		32 |     var.tags,
		33 |     {
		34 |       Name = "${var.env_name}-${var.name}-efs-access-point"
		35 |     }
		36 |   )
		37 | }

Check: CKV_AWS_330: "EFS access points should enforce a user identity"
	FAILED for resource: module.nextcloud_efs["data"].aws_efs_access_point.ldap
	File: /../../../../delius-core/modules/helpers/efs/main.tf:26-37
	Calling File: /efs.tf:1-18
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-330

		26 | resource "aws_efs_access_point" "ldap" {
		27 |   file_system_id = aws_efs_file_system.this.id
		28 |   root_directory {
		29 |     path = "/"
		30 |   }
		31 |   tags = merge(
		32 |     var.tags,
		33 |     {
		34 |       Name = "${var.env_name}-${var.name}-efs-access-point"
		35 |     }
		36 |   )
		37 | }

Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
	FAILED for resource: module.nextcloud_service.aws_db_instance.this
	File: /../../../../delius-core/modules/helpers/delius_microservice/rds.tf:65-111
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-60

		65  | resource "aws_db_instance" "this" {
		66  |   count          = var.create_rds ? 1 : 0
		67  |   engine         = var.rds_engine
		68  |   license_model  = var.rds_license_model != null ? var.rds_license_model : null
		69  |   engine_version = var.rds_engine_version
		70  |   instance_class = var.rds_instance_class
		71  |   identifier     = "${var.name}-${var.env_name}-db"
		72  |   username       = var.rds_username
		73  | 
		74  |   manage_master_user_password = true
		75  | 
		76  |   snapshot_identifier = var.snapshot_identifier != null ? var.snapshot_identifier : null
		77  | 
		78  |   kms_key_id = var.account_config.kms_keys.rds_shared
		79  | 
		80  |   allow_major_version_upgrade = var.rds_allow_major_version_upgrade
		81  |   apply_immediately           = var.rds_apply_immediately
		82  | 
		83  |   # tflint-ignore: aws_db_instance_default_parameter_group
		84  |   parameter_group_name                = var.rds_parameter_group_name
		85  |   deletion_protection                 = var.rds_deletion_protection
		86  |   delete_automated_backups            = var.rds_delete_automated_backups
		87  |   skip_final_snapshot                 = var.rds_skip_final_snapshot
		88  |   final_snapshot_identifier           = !var.rds_skip_final_snapshot ? "${var.name}-${var.env_name}-db-final-${random_id.rds_suffix.hex}" : null
		89  |   allocated_storage                   = var.rds_allocated_storage
		90  |   max_allocated_storage               = var.rds_max_allocated_storage
		91  |   storage_type                        = var.rds_storage_type
		92  |   maintenance_window                  = var.maintenance_window
		93  |   auto_minor_version_upgrade          = true
		94  |   backup_window                       = var.rds_backup_window
		95  |   backup_retention_period             = var.rds_backup_retention_period
		96  |   iam_database_authentication_enabled = var.rds_iam_database_authentication_enabled
		97  |   db_subnet_group_name                = aws_db_subnet_group.this[0].id
		98  |   vpc_security_group_ids              = [aws_security_group.db[0].id]
		99  |   multi_az                            = var.rds_multi_az
		100 |   monitoring_interval                 = var.rds_monitoring_interval
		101 |   monitoring_role_arn                 = var.rds_monitoring_interval != null || var.rds_monitoring_interval != 0 ? aws_iam_role.rds_enhanced_monitoring[0].arn : null
		102 |   #checkov:skip=CKV_AWS_118: "enhanced monitoring is enabled, but optional"
		103 |   storage_encrypted               = true
		104 |   performance_insights_enabled    = var.rds_performance_insights_enabled
		105 |   performance_insights_kms_key_id = var.rds_performance_insights_enabled ? var.account_config.kms_keys.general_shared : null
		106 |   enabled_cloudwatch_logs_exports = var.rds_enabled_cloudwatch_logs_exports
		107 |   tags = merge(var.tags,
		108 |     { Name = lower(format("%s-%s-database", var.name, var.env_name)) },
		109 |     var.enable_platform_backups != null ? { "backup" = var.enable_platform_backups ? "true" : "false" } : {}
		110 |   )
		111 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: module.nextcloud_service.aws_security_group.ecs_service
	File: /../../../../delius-core/modules/helpers/delius_microservice/sg.tf:2-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		2  | resource "aws_security_group" "ecs_service" {
		3  |   name        = "ecs-service-${var.name}-${var.env_name}"
		4  |   description = "Security group for the ${var.env_name} ${var.name} service"
		5  |   vpc_id      = var.account_config.shared_vpc_id
		6  |   tags        = var.tags
		7  |   lifecycle {
		8  |     create_before_destroy = true
		9  |   }
		10 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.cluster
	File: /ecs_cluster.tf:8-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		8  | resource "aws_security_group" "cluster" {
		9  |   name   = "ecs-cluster-nextcloud-${var.env_name}"
		10 |   vpc_id = var.account_info.vpc_id
		11 |   lifecycle {
		12 |     create_before_destroy = true
		13 |   }
		14 | }

Check: CKV_AWS_103: "Ensure that load balancer is using at least TLS 1.2"
	FAILED for resource: aws_alb_listener.nextcloud_https
	File: /alb.tf:10-21
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-43

		10 | resource "aws_alb_listener" "nextcloud_https" {
		11 |   load_balancer_arn = aws_alb.nextcloud.arn
		12 |   port              = "443"
		13 |   protocol          = "HTTPS"
		14 |   ssl_policy        = "ELBSecurityPolicy-2016-08"
		15 |   certificate_arn   = aws_acm_certificate.nextcloud_external.arn
		16 | 
		17 |   default_action {
		18 |     type             = "forward"
		19 |     target_group_arn = module.nextcloud_service.target_group_arn
		20 |   }
		21 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.nextcloud_admin_password
	File: /ecs_service.tf:141-143
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		141 | resource "aws_secretsmanager_secret" "nextcloud_admin_password" {
		142 |   name = "nextcloud-admin-password"
		143 | }

Check: CKV2_AWS_28: "Ensure public facing ALB are protected by WAF"
	FAILED for resource: aws_alb.nextcloud
	File: /alb.tf:1-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-public-facing-alb-are-protected-by-waf

		1 | resource "aws_alb" "nextcloud" {
		2 |   name               = "nextcloud"
		3 |   internal           = false
		4 |   load_balancer_type = "application"
		5 |   security_groups    = [aws_security_group.nextcloud_alb_sg.id]
		6 |   subnets            = var.account_config.public_subnet_ids
		7 |   tags               = var.tags
		8 | }


checkov_exitcode=1

TFLint Scan Failed

*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/delius-nextcloud/modules/components/nextcloud

*****************************

Running tflint in terraform/environments/delius-nextcloud/modules/components/nextcloud
Excluding the following checks: terraform_unused_declarations
1 issue(s) found:

Warning: Missing version constraint for provider "random" in `required_providers` (terraform_required_providers)

  on terraform/environments/delius-nextcloud/modules/components/nextcloud/ecs_service.tf line 150:
 150: resource "random_password" "nextcloud_admin_password" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

tflint_exitcode=2

Trivy Scan Failed

*****************************

Trivy will check the following folders:
terraform/environments/delius-nextcloud/modules/components/nextcloud

*****************************

Running Trivy in terraform/environments/delius-nextcloud/modules/components/nextcloud
2024-09-18T01:03:19Z	INFO	[db] Need to update DB
2024-09-18T01:03:19Z	INFO	[db] Downloading DB...	repository="ghcr.io/aquasecurity/trivy-db:2"
2024-09-18T01:03:21Z	INFO	[vuln] Vulnerability scanning is enabled
2024-09-18T01:03:21Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-09-18T01:03:21Z	INFO	Need to update the built-in policies
2024-09-18T01:03:21Z	INFO	Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s
2024-09-18T01:03:21Z	INFO	[secret] Secret scanning is enabled
2024-09-18T01:03:21Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-09-18T01:03:21Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.55/docs/scanner/secret#recommendation for faster secret detection
2024-09-18T01:03:22Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-09-18T01:03:22Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="account_config, account_info, bastion_sg_id, env_name, platform_vars, tags"
2024-09-18T01:03:22Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_vpc_security_group_ingress_rule.ancillary_alb_ingress_https_global_protect_allowlist" value="cty.NilVal"
2024-09-18T01:03:22Z	ERROR	[terraform evaluator] Failed to load module. Maybe try 'terraform init'?	err="open cluster: no such file or directory"
2024-09-18T01:03:22Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.nextcloud_service.aws_vpc_security_group_egress_rule.custom_rules" value="cty.NilVal"
2024-09-18T01:03:23Z	ERROR	[terraform evaluator] Failed to load module. Maybe try 'terraform init'?	err="open container: no such file or directory"
2024-09-18T01:03:23Z	ERROR	[terraform evaluator] Failed to load module. Maybe try 'terraform init'?	err="open service: no such file or directory"
2024-09-18T01:03:23Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.s3_bucket_config.dynamic.expiration" value="cty.NilVal"
2024-09-18T01:03:23Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.s3_bucket_config.dynamic.transition" value="cty.NilVal"
2024-09-18T01:03:23Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.s3_bucket_config.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-09-18T01:03:23Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.s3_bucket_config.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-09-18T01:03:23Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.s3_bucket_config.dynamic.principals" value="cty.NilVal"
2024-09-18T01:03:23Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.s3_bucket_config.dynamic.condition" value="cty.NilVal"
2024-09-18T01:03:23Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.s3_bucket_config.dynamic.statement" value="cty.NilVal"
2024-09-18T01:03:23Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.s3_bucket_config.dynamic.expiration" value="cty.NilVal"
2024-09-18T01:03:23Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.s3_bucket_config.dynamic.transition" value="cty.NilVal"
2024-09-18T01:03:23Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.s3_bucket_config.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-09-18T01:03:23Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.s3_bucket_config.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-09-18T01:03:23Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.s3_bucket_config.dynamic.principals" value="cty.NilVal"
2024-09-18T01:03:23Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.s3_bucket_config.dynamic.condition" value="cty.NilVal"
2024-09-18T01:03:23Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.s3_bucket_config.dynamic.statement" value="cty.NilVal"
2024-09-18T01:03:23Z	ERROR	[terraform evaluator] Failed to load module. Maybe try 'terraform init'?	err="open container: no such file or directory"
2024-09-18T01:03:23Z	ERROR	[terraform evaluator] Failed to load module. Maybe try 'terraform init'?	err="open service: no such file or directory"
2024-09-18T01:03:23Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.nextcloud_efs[\"config\"].aws_efs_mount_target.this" value="cty.NilVal"
2024-09-18T01:03:23Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.nextcloud_efs[\"custom_apps\"].aws_efs_mount_target.this" value="cty.NilVal"
2024-09-18T01:03:23Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.nextcloud_efs[\"data\"].aws_efs_mount_target.this" value="cty.NilVal"
2024-09-18T01:03:23Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.nextcloud_efs[\"html\"].aws_efs_mount_target.this" value="cty.NilVal"
2024-09-18T01:03:23Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.nextcloud_efs[\"themes\"].aws_efs_mount_target.this" value="cty.NilVal"
2024-09-18T01:03:23Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-enable-bucket-encryption" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v8.2.0/main.tf:16-27"
2024-09-18T01:03:23Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-enable-versioning" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v8.2.0/main.tf:16-27"
2024-09-18T01:03:23Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v8.2.0/main.tf:187-197"
2024-09-18T01:03:23Z	INFO	Number of language-specific files	num=0
2024-09-18T01:03:23Z	INFO	Detected config files	num=16

../../../../delius-core/modules/helpers/delius_microservice/sg.tf (terraform)
=============================================================================
Tests: 7 (SUCCESSES: 6, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 ../../../../delius-core/modules/helpers/delius_microservice/sg.tf:47
   via ../../../../delius-core/modules/helpers/delius_microservice/sg.tf:41-49 (aws_security_group_rule.ecs_service_tls_egress)
    via ecs_service.tf:1-139 (module.nextcloud_service)
────────────────────────────────────────
  41   resource "aws_security_group_rule" "ecs_service_tls_egress" {
  42     description       = "Allow all outbound traffic to any IPv4 address on 443"
  43     type              = "egress"
  44     from_port         = 443
  45     to_port           = 443
  46     protocol          = "tcp"
  47 [   cidr_blocks       = ["0.0.0.0/0"]
  48     security_group_id = aws_security_group.ecs_service.id
  49   }
────────────────────────────────────────



alb.tf (terraform)
==================
Tests: 5 (SUCCESSES: 2, FAILURES: 3, EXCEPTIONS: 0)
Failures: 3 (HIGH: 2, CRITICAL: 1)

CRITICAL: Listener uses an outdated TLS policy.
════════════════════════════════════════
You should not use outdated/insecure TLS versions for encryption. You should be using TLS v1.2+.

See https://avd.aquasec.com/misconfig/avd-aws-0047
────────────────────────────────────────
 alb.tf:14
   via alb.tf:10-21 (aws_alb_listener.nextcloud_https)
────────────────────────────────────────
  10   resource "aws_alb_listener" "nextcloud_https" {
  ..   
  14 [   ssl_policy        = "ELBSecurityPolicy-2016-08"
  ..   
  21   }
────────────────────────────────────────


HIGH: Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise. 

By setting drop_invalid_header_fields to true, anything that doe not conform to well known, defined headers will be removed by the load balancer.

See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
 alb.tf:1-8
────────────────────────────────────────
   1 ┌ resource "aws_alb" "nextcloud" {
   2 │   name               = "nextcloud"
   3 │   internal           = false
   4 │   load_balancer_type = "application"
   5 │   security_groups    = [aws_security_group.nextcloud_alb_sg.id]
   6 │   subnets            = var.account_config.public_subnet_ids
   7 │   tags               = var.tags
   8 └ }
────────────────────────────────────────


HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
 alb.tf:3
   via alb.tf:1-8 (aws_alb.nextcloud)
────────────────────────────────────────
   1   resource "aws_alb" "nextcloud" {
   2     name               = "nextcloud"
   3 [   internal           = false
   4     load_balancer_type = "application"
   5     security_groups    = [aws_security_group.nextcloud_alb_sg.id]
   6     subnets            = var.account_config.public_subnet_ids
   7     tags               = var.tags
   8   }
────────────────────────────────────────



pagerduty.tf (terraform)
========================
Tests: 2 (SUCCESSES: 1, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Topic does not have encryption enabled.
════════════════════════════════════════
Topics should be encrypted to protect their contents.

See https://avd.aquasec.com/misconfig/avd-aws-0095
────────────────────────────────────────
 pagerduty.tf:7-9
────────────────────────────────────────
   7 ┌ resource "aws_sns_topic" "nextcloud_alarms" {
   8 │   name = "nextcloud-alarms-${var.env_name}"
   9 └ }
────────────────────────────────────────


trivy_exitcode=1

This PR is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 10 days.

@github-actions github-actions bot added the Stale label Oct 18, 2024
This PR was closed because it has been stalled for 40 days with no activity.

@github-actions github-actions bot closed this Oct 28, 2024
dependabot bot commented on behalf of github Oct 28, 2024

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.

@github-actions github-actions bot deleted the dependabot/terraform/terraform/environments/delius-nextcloud/s3_bucket_config--github--ministryofjustice/modernisation-platform-terraform-s3-bucket--v7.0.0-8.2.0 branch October 28, 2024 01:52
Labels
dependencies Pull requests that update a dependency file environments-repository Used to exclude PRs from this repo in our Slack PR update Stale terraform Pull requests that update Terraform code