
Update WAF rule and alb actions from "Count" to "Block" for better protection against DDOS attacks #8153

Merged (2 commits), Oct 10, 2024

Conversation

Khatraf
Contributor

@Khatraf Khatraf commented Oct 10, 2024

Tracked as part of ticket #7975

  • These changes are intended to enhance the security posture by proactively blocking unwanted or malicious traffic.
  • No Count Action Triggered: Looking at the CloudWatch metrics, the "count" action did not trigger after increasing the rate limit which suggests the traffic patterns have not reached the defined threshold, and it is safe to move to blocking action.
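
The PR diff itself is not shown on this page, so the following is an added example, not the PR's own code: a WAFv2 rate-based rule for the ALB written out in Terraform, with the pre-change "count" action left beside the "block" action the PR moves to. The ACL and rule names, the request limit and the association resource name are assumptions; only `aws_lb.citrix_alb` comes from the page (the Checkov output below).

```hcl
# Added example (not the PR's diff): a WAFv2 rate-based rule on the public ALB,
# showing the weaker "count" action beside the "block" action this PR moves to.
# ACL/rule names and the limit (2000 requests per evaluation window) are assumed.

resource "aws_wafv2_web_acl" "citrix_alb_acl" { # assumed name
  name  = "equip-citrix-alb-acl"                 # assumed
  scope = "REGIONAL"                             # ALBs use REGIONAL scope, not CLOUDFRONT

  default_action {
    allow {}
  }

  rule {
    name     = "rate-limit-per-ip" # assumed
    priority = 1

    # Before: count {} only records matches in CloudWatch and lets the request
    # through. After: block {} returns 403 once a source IP exceeds the limit
    # within the rule's evaluation window (5 minutes by default).
    action {
      block {}
      # count {}   <- previous setting; monitor-only
    }

    statement {
      rate_based_statement {
        limit              = 2000 # assumed threshold; AWS minimum is 100
        aggregate_key_type = "IP"
      }
    }

    # Keep per-rule metrics on: CountedRequests is what the "count" phase was
    # judged against, BlockedRequests is what to watch after the switch.
    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "rate-limit-per-ip"
      sampled_requests_enabled   = true
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "equip-citrix-alb-acl"
    sampled_requests_enabled   = true
  }
}

# Ties the ACL to the ALB; without this association the rule evaluates nothing.
resource "aws_wafv2_web_acl_association" "citrix_alb" { # assumed name
  resource_arn = aws_lb.citrix_alb.arn
  web_acl_arn  = aws_wafv2_web_acl.citrix_alb_acl.arn
}
```

Two caveats worth checking alongside the switch. The ALB shown in the Checkov output below sets `enable_waf_fail_open = true`, so requests the WAF cannot evaluate are still forwarded; a Block action does not cover that path. And a rate-based rule aggregates on source IP, so clients behind a shared NAT egress count as one IP and can reach the threshold together; the `BlockedRequests` metric and sampled requests are the place to confirm that the blocks after the change are the traffic the "count" phase predicted.
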

@Khatraf Khatraf requested review from a team as code owners October 10, 2024 09:00
@github-actions github-actions bot added the environments-repository Used to exclude PRs from this repo in our Slack PR update label Oct 10, 2024
Contributor

#### `Trivy Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Trivy will check the following folders:
terraform/environments/equip

*****************************

Running Trivy in terraform/environments/equip
2024-10-10T09:02:15Z INFO [vulndb] Need to update DB
2024-10-10T09:02:15Z INFO [vulndb] Downloading vulnerability DB...
2024-10-10T09:02:15Z INFO [vulndb] Downloading artifact... repo="ghcr.io/aquasecurity/trivy-db:2"
2024-10-10T09:02:16Z ERROR [vulndb] Failed to download artifact repo="ghcr.io/aquasecurity/trivy-db:2" err="OCI repository error: 1 error occurred:\n\t* GET https://ghcr.io/v2/aquasecurity/trivy-db/manifests/2: TOOMANYREQUESTS: retry-after: 328.242µs, allowed: 44000/minute\n\n"
2024-10-10T09:02:16Z FATAL Fatal error init error: DB error: failed to download vulnerability DB: OCI artifact error: failed to download vulnerability DB: failed to download artifact from any source
trivy_exitcode=1
```

</details>

#### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/equip

*****************************

Running Checkov in terraform/environments/equip
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-10-10 09:02:18,856 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 442, Failed checks: 25, Skipped checks: 10

Check: CKV_AWS_378: "Ensure AWS Load Balancer doesn't use HTTP protocol"
	FAILED for resource: aws_lb_target_group.lb_tg_equip-portal
	File: /alb.tf:62-82

		62 | resource "aws_lb_target_group" "lb_tg_equip-portal" {
		63 |   name        = "tg-equip-portal"
		64 |   target_type = "ip"
		65 |   protocol    = "HTTP"
		66 |   vpc_id      = data.aws_vpc.shared.id
		67 |   port        = "80"
		68 | 
		69 |   health_check {
		70 |     enabled             = true
		71 |     path                = "/nimbus/CtrlWebIsapi.dll"
		72 |     interval            = 30
		73 |     protocol            = "HTTP"
		74 |     port                = 80
		75 |     timeout             = 5
		76 |     healthy_threshold   = 5
		77 |     unhealthy_threshold = 2
		78 |     matcher             = "200"
		79 |   }
		80 | 
		81 |   tags = local.tags
		82 | }

Check: CKV_AWS_378: "Ensure AWS Load Balancer doesn't use HTTP protocol"
	FAILED for resource: aws_lb_target_group.lb_tg_portal
	File: /alb.tf:84-104

		84  | resource "aws_lb_target_group" "lb_tg_portal" {
		85  |   name        = "tg-portal"
		86  |   target_type = "ip"
		87  |   protocol    = "HTTP"
		88  |   vpc_id      = data.aws_vpc.shared.id
		89  |   port        = "80"
		90  | 
		91  |   health_check {
		92  |     enabled             = true
		93  |     path                = "/nimbus/CtrlWebIsapi.dll"
		94  |     interval            = 30
		95  |     protocol            = "HTTP"
		96  |     port                = 80
		97  |     timeout             = 5
		98  |     healthy_threshold   = 5
		99  |     unhealthy_threshold = 2
		100 |     matcher             = "200"
		101 |   }
		102 | 
		103 |   tags = local.tags
		104 | }

Check: CKV_AWS_378: "Ensure AWS Load Balancer doesn't use HTTP protocol"
	FAILED for resource: aws_lb_target_group.lb_tg_analytics
	File: /alb.tf:106-126

		106 | resource "aws_lb_target_group" "lb_tg_analytics" {
		107 |   name        = "tg-analytics"
		108 |   target_type = "ip"
		109 |   protocol    = "HTTP"
		110 |   vpc_id      = data.aws_vpc.shared.id
		111 |   port        = "80"
		112 | 
		113 |   health_check {
		114 |     enabled             = true
		115 |     path                = "/"
		116 |     interval            = 30
		117 |     protocol            = "HTTP"
		118 |     port                = 80
		119 |     timeout             = 5
		120 |     healthy_threshold   = 5
		121 |     unhealthy_threshold = 2
		122 |     matcher             = "200"
		123 |   }
		124 | 
		125 |   tags = local.tags
		126 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.kms_policy
	File: /data.tf:8-83
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: module.PowerBI_server.aws_instance.this
	File: /ec2-instance-module/main.tf:6-133
	Calling File: /main.tf:569-595
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: module.win2016_multiple.aws_instance.this
	File: /ec2-instance-module/main.tf:6-133
	Calling File: /main.tf:214-241
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: module.win2019_SQL_multiple.aws_instance.this
	File: /ec2-instance-module/main.tf:6-133
	Calling File: /main.tf:367-395
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: module.win2022_STD_multiple.aws_instance.this
	File: /ec2-instance-module/main.tf:6-133
	Calling File: /main.tf:501-527
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy.citrix_adc_instance_policy
	File: /policy.tf:24-51
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		24 | resource "aws_iam_policy" "citrix_adc_instance_policy" {
		25 |   name        = "citrix_adc_instance_policy"
		26 |   path        = "/"
		27 |   description = "Policy for Citrix NetScaler instance"
		28 |   policy = jsonencode({
		29 |     "Version" : "2012-10-17",
		30 |     "Statement" : [
		31 |       {
		32 |         "Effect" : "Allow",
		33 |         "Action" : [
		34 |           "ec2:DescribeInstances",
		35 |           "ec2:DescribeNetworkInterfaces",
		36 |           "ec2:DetachNetworkInterface",
		37 |           "ec2:AttachNetworkInterface",
		38 |           "ec2:StartInstances",
		39 |           "ec2:StopInstances",
		40 |           "ec2:RebootInstances",
		41 |           "autoscaling:*",
		42 |           "sns:*",
		43 |           "sqs:*",
		44 |           "iam:SimulatePrincipalPolicy",
		45 |           "iam:GetRole"
		46 |         ],
		47 |         "Resource" : "*"
		48 |       }
		49 |     ]
		50 |   })
		51 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.citrix_adc_instance_policy
	File: /policy.tf:24-51
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		24 | resource "aws_iam_policy" "citrix_adc_instance_policy" {
		25 |   name        = "citrix_adc_instance_policy"
		26 |   path        = "/"
		27 |   description = "Policy for Citrix NetScaler instance"
		28 |   policy = jsonencode({
		29 |     "Version" : "2012-10-17",
		30 |     "Statement" : [
		31 |       {
		32 |         "Effect" : "Allow",
		33 |         "Action" : [
		34 |           "ec2:DescribeInstances",
		35 |           "ec2:DescribeNetworkInterfaces",
		36 |           "ec2:DetachNetworkInterface",
		37 |           "ec2:AttachNetworkInterface",
		38 |           "ec2:StartInstances",
		39 |           "ec2:StopInstances",
		40 |           "ec2:RebootInstances",
		41 |           "autoscaling:*",
		42 |           "sns:*",
		43 |           "sqs:*",
		44 |           "iam:SimulatePrincipalPolicy",
		45 |           "iam:GetRole"
		46 |         ],
		47 |         "Resource" : "*"
		48 |       }
		49 |     ]
		50 |   })
		51 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.citrix_adc_instance_policy
	File: /policy.tf:24-51
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		24 | resource "aws_iam_policy" "citrix_adc_instance_policy" {
		25 |   name        = "citrix_adc_instance_policy"
		26 |   path        = "/"
		27 |   description = "Policy for Citrix NetScaler instance"
		28 |   policy = jsonencode({
		29 |     "Version" : "2012-10-17",
		30 |     "Statement" : [
		31 |       {
		32 |         "Effect" : "Allow",
		33 |         "Action" : [
		34 |           "ec2:DescribeInstances",
		35 |           "ec2:DescribeNetworkInterfaces",
		36 |           "ec2:DetachNetworkInterface",
		37 |           "ec2:AttachNetworkInterface",
		38 |           "ec2:StartInstances",
		39 |           "ec2:StopInstances",
		40 |           "ec2:RebootInstances",
		41 |           "autoscaling:*",
		42 |           "sns:*",
		43 |           "sqs:*",
		44 |           "iam:SimulatePrincipalPolicy",
		45 |           "iam:GetRole"
		46 |         ],
		47 |         "Resource" : "*"
		48 |       }
		49 |     ]
		50 |   })
		51 | }

Check: CKV_AWS_300: "Ensure S3 lifecycle configuration sets period for aborting failed uploads"
	FAILED for resource: aws_s3_bucket_lifecycle_configuration.bucket-config
	File: /s3-awslogs.tf:28-60
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-300

		28 | resource "aws_s3_bucket_lifecycle_configuration" "bucket-config" {
		29 |   bucket = aws_s3_bucket.this.bucket
		30 | 
		31 |   rule {
		32 |     id = "log_deletion"
		33 | 
		34 |     expiration {
		35 |       days = 90
		36 |     }
		37 | 
		38 |     filter {
		39 |       and {
		40 |         prefix = "AWSLogs/${data.aws_caller_identity.current.account_id}/"
		41 | 
		42 |         tags = {
		43 |           rule      = "log-deletion"
		44 |           autoclean = "true"
		45 |         }
		46 |       }
		47 |     }
		48 |     status = "Enabled"
		49 | 
		50 |     transition {
		51 |       days          = 30
		52 |       storage_class = "STANDARD_IA"
		53 |     }
		54 | 
		55 |     transition {
		56 |       days          = 60
		57 |       storage_class = "GLACIER"
		58 |     }
		59 |   }
		60 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3-bucket-ukcloud-replica
	File: /s3-ukcloud-replica.tf:1-54
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: equip-s3-bucket
	File: /s3.tf:1-54
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.this
	File: /s3-awslogs.tf:11-18
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		11 | resource "aws_s3_bucket" "this" {
		12 |   bucket_prefix = "moj-alb-citrix-access-logs-bucket"
		13 | 
		14 |   tags = {
		15 |     Environment = "Development"
		16 |     Name        = "S3 Access Logs for ALB"
		17 |   }
		18 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.this
	File: /s3-awslogs.tf:11-18
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		11 | resource "aws_s3_bucket" "this" {
		12 |   bucket_prefix = "moj-alb-citrix-access-logs-bucket"
		13 | 
		14 |   tags = {
		15 |     Environment = "Development"
		16 |     Name        = "S3 Access Logs for ALB"
		17 |   }
		18 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.azures_ingres
	File: /securitygroup.tf:218-225
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		218 | resource "aws_security_group" "azures_ingres" {
		219 |   name        = lower(format("secg-%s-%s-azures-ingress", local.application_name, local.environment))
		220 |   description = "Security Group for azures ingress connections"
		221 |   vpc_id      = data.aws_vpc.shared.id
		222 |   tags = merge(local.tags,
		223 |     { Name = lower(format("secg-%s-%s-azures-ingress", local.application_name, local.environment)) }
		224 |   )
		225 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.aws_citrix_security_group
	File: /securitygroup.tf:322-329
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		322 | resource "aws_security_group" "aws_citrix_security_group" {
		323 |   name        = "aws_citrix_security_group"
		324 |   description = "Security Group for AWS_Citrix "
		325 |   vpc_id      = data.aws_vpc.shared.id
		326 |   tags = merge(local.tags,
		327 |     { Name = lower(format("secg-%s-%s-citrix-host", local.application_name, local.environment)) }
		328 |   )
		329 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.aws_equip_security_group
	File: /securitygroup.tf:445-452
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		445 | resource "aws_security_group" "aws_equip_security_group" {
		446 |   name        = lower(format("secg-%s-%s-equip", local.application_name, local.environment))
		447 |   description = "Security Group for AWS_Equip"
		448 |   vpc_id      = data.aws_vpc.shared.id
		449 |   tags = merge(local.tags,
		450 |     { Name = lower(format("secg-%s-%s-equip", local.application_name, local.environment)) }
		451 |   )
		452 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.aws_spotfire_security_group
	File: /securitygroup.tf:580-587
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		580 | resource "aws_security_group" "aws_spotfire_security_group" {
		581 |   name        = "aws_spotfire_security_group"
		582 |   description = "Security Group for AWS_SpotFire"
		583 |   vpc_id      = data.aws_vpc.shared.id
		584 |   tags = merge(local.tags,
		585 |     { Name = lower(format("secg-%s-%s-spotfire", local.application_name, local.environment)) }
		586 |   )
		587 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.aws_domain_security_group
	File: /securitygroup.tf:748-755
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		748 | resource "aws_security_group" "aws_domain_security_group" {
		749 |   name        = "aws_domain_security_group"
		750 |   description = "Security Group for AWS_Domain"
		751 |   vpc_id      = data.aws_vpc.shared.id
		752 |   tags = merge(local.tags,
		753 |     { Name = lower(format("secg-%s-%s-domain-controller", local.application_name, local.environment)) }
		754 |   )
		755 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.this
	File: /s3-awslogs.tf:11-18
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		11 | resource "aws_s3_bucket" "this" {
		12 |   bucket_prefix = "moj-alb-citrix-access-logs-bucket"
		13 | 
		14 |   tags = {
		15 |     Environment = "Development"
		16 |     Name        = "S3 Access Logs for ALB"
		17 |   }
		18 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.this
	File: /s3-awslogs.tf:11-18
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		11 | resource "aws_s3_bucket" "this" {
		12 |   bucket_prefix = "moj-alb-citrix-access-logs-bucket"
		13 | 
		14 |   tags = {
		15 |     Environment = "Development"
		16 |     Name        = "S3 Access Logs for ALB"
		17 |   }
		18 | }

Check: CKV2_AWS_28: "Ensure public facing ALB are protected by WAF"
	FAILED for resource: aws_lb.citrix_alb
	File: /alb.tf:15-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-public-facing-alb-are-protected-by-waf

		15 | resource "aws_lb" "citrix_alb" {
		16 | 
		17 |   name               = format("alb-%s-%s-citrix", local.application_name, local.environment)
		18 |   load_balancer_type = "application"
		19 |   security_groups    = [aws_security_group.alb_sg.id]
		20 |   subnets            = [data.aws_subnet.public_subnets_a.id, data.aws_subnet.public_subnets_b.id]
		21 | 
		22 |   enable_deletion_protection = true
		23 |   drop_invalid_header_fields = true
		24 |   enable_waf_fail_open       = true
		25 |   ip_address_type            = "ipv4"
		26 | 
		27 |   tags = merge(local.tags,
		28 |     { Name = format("alb-%s-%s-citrix", local.application_name, local.environment)
		29 |       Role = "Equip public load balancer"
		30 |     }
		31 |   )
		32 | 
		33 |   access_logs {
		34 |     bucket  = aws_s3_bucket.this.id
		35 |     enabled = "true"
		36 |   }
		37 | 
		38 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.this
	File: /s3-awslogs.tf:11-18
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		11 | resource "aws_s3_bucket" "this" {
		12 |   bucket_prefix = "moj-alb-citrix-access-logs-bucket"
		13 | 
		14 |   tags = {
		15 |     Environment = "Development"
		16 |     Name        = "S3 Access Logs for ALB"
		17 |   }
		18 | }


checkov_exitcode=1
```

</details>

#### `CTFLint Scan` Failed
<details><summary>Show Output</summary>

```hcl
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/equip

*****************************

Running tflint in terraform/environments/equip
Excluding the following checks: terraform_unused_declarations
3 issue(s) found:

Warning: Missing version constraint for provider "template" in `required_providers` (terraform_required_providers)

  on terraform/environments/equip/instance_userdata.tf line 1:
   1: data "template_file" "windows-userdata" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "tls" in `required_providers` (terraform_required_providers)

  on terraform/environments/equip/main.tf line 19:
  19: resource "tls_private_key" "key" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "random" in `required_providers` (terraform_required_providers)

  on terraform/environments/equip/s3-awslogs.tf line 3:
   3: resource "random_string" "bucket_suffix" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

tflint_exitcode=2
```

</details>
Contributor

#### `Trivy Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Trivy will check the following folders:
terraform/environments/equip

*****************************

Running Trivy in terraform/environments/equip
2024-10-10T09:10:18Z INFO [vulndb] Need to update DB
2024-10-10T09:10:18Z INFO [vulndb] Downloading vulnerability DB...
2024-10-10T09:10:18Z INFO [vulndb] Downloading artifact... repo="ghcr.io/aquasecurity/trivy-db:2"
2024-10-10T09:10:18Z ERROR [vulndb] Failed to download artifact repo="ghcr.io/aquasecurity/trivy-db:2" err="OCI repository error: 1 error occurred:\n\t* GET https://ghcr.io/v2/aquasecurity/trivy-db/manifests/2: TOOMANYREQUESTS: retry-after: 796.169µs, allowed: 44000/minute\n\n"
2024-10-10T09:10:18Z FATAL Fatal error init error: DB error: failed to download vulnerability DB: OCI artifact error: failed to download vulnerability DB: failed to download artifact from any source
trivy_exitcode=1
```

</details>

#### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/equip

*****************************

Running Checkov in terraform/environments/equip
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-10-10 09:10:21,291 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 442, Failed checks: 25, Skipped checks: 10

Check: CKV_AWS_378: "Ensure AWS Load Balancer doesn't use HTTP protocol"
	FAILED for resource: aws_lb_target_group.lb_tg_equip-portal
	File: /alb.tf:62-82

		62 | resource "aws_lb_target_group" "lb_tg_equip-portal" {
		63 |   name        = "tg-equip-portal"
		64 |   target_type = "ip"
		65 |   protocol    = "HTTP"
		66 |   vpc_id      = data.aws_vpc.shared.id
		67 |   port        = "80"
		68 | 
		69 |   health_check {
		70 |     enabled             = true
		71 |     path                = "/nimbus/CtrlWebIsapi.dll"
		72 |     interval            = 30
		73 |     protocol            = "HTTP"
		74 |     port                = 80
		75 |     timeout             = 5
		76 |     healthy_threshold   = 5
		77 |     unhealthy_threshold = 2
		78 |     matcher             = "200"
		79 |   }
		80 | 
		81 |   tags = local.tags
		82 | }

Check: CKV_AWS_378: "Ensure AWS Load Balancer doesn't use HTTP protocol"
	FAILED for resource: aws_lb_target_group.lb_tg_portal
	File: /alb.tf:84-104

		84  | resource "aws_lb_target_group" "lb_tg_portal" {
		85  |   name        = "tg-portal"
		86  |   target_type = "ip"
		87  |   protocol    = "HTTP"
		88  |   vpc_id      = data.aws_vpc.shared.id
		89  |   port        = "80"
		90  | 
		91  |   health_check {
		92  |     enabled             = true
		93  |     path                = "/nimbus/CtrlWebIsapi.dll"
		94  |     interval            = 30
		95  |     protocol            = "HTTP"
		96  |     port                = 80
		97  |     timeout             = 5
		98  |     healthy_threshold   = 5
		99  |     unhealthy_threshold = 2
		100 |     matcher             = "200"
		101 |   }
		102 | 
		103 |   tags = local.tags
		104 | }

Check: CKV_AWS_378: "Ensure AWS Load Balancer doesn't use HTTP protocol"
	FAILED for resource: aws_lb_target_group.lb_tg_analytics
	File: /alb.tf:106-126

		106 | resource "aws_lb_target_group" "lb_tg_analytics" {
		107 |   name        = "tg-analytics"
		108 |   target_type = "ip"
		109 |   protocol    = "HTTP"
		110 |   vpc_id      = data.aws_vpc.shared.id
		111 |   port        = "80"
		112 | 
		113 |   health_check {
		114 |     enabled             = true
		115 |     path                = "/"
		116 |     interval            = 30
		117 |     protocol            = "HTTP"
		118 |     port                = 80
		119 |     timeout             = 5
		120 |     healthy_threshold   = 5
		121 |     unhealthy_threshold = 2
		122 |     matcher             = "200"
		123 |   }
		124 | 
		125 |   tags = local.tags
		126 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.kms_policy
	File: /data.tf:8-83
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: module.PowerBI_server.aws_instance.this
	File: /ec2-instance-module/main.tf:6-133
	Calling File: /main.tf:569-595
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: module.win2016_multiple.aws_instance.this
	File: /ec2-instance-module/main.tf:6-133
	Calling File: /main.tf:214-241
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: module.win2019_SQL_multiple.aws_instance.this
	File: /ec2-instance-module/main.tf:6-133
	Calling File: /main.tf:367-395
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: module.win2022_STD_multiple.aws_instance.this
	File: /ec2-instance-module/main.tf:6-133
	Calling File: /main.tf:501-527
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy.citrix_adc_instance_policy
	File: /policy.tf:24-51
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

		24 | resource "aws_iam_policy" "citrix_adc_instance_policy" {
		25 |   name        = "citrix_adc_instance_policy"
		26 |   path        = "/"
		27 |   description = "Policy for Citrix NetScaler instance"
		28 |   policy = jsonencode({
		29 |     "Version" : "2012-10-17",
		30 |     "Statement" : [
		31 |       {
		32 |         "Effect" : "Allow",
		33 |         "Action" : [
		34 |           "ec2:DescribeInstances",
		35 |           "ec2:DescribeNetworkInterfaces",
		36 |           "ec2:DetachNetworkInterface",
		37 |           "ec2:AttachNetworkInterface",
		38 |           "ec2:StartInstances",
		39 |           "ec2:StopInstances",
		40 |           "ec2:RebootInstances",
		41 |           "autoscaling:*",
		42 |           "sns:*",
		43 |           "sqs:*",
		44 |           "iam:SimulatePrincipalPolicy",
		45 |           "iam:GetRole"
		46 |         ],
		47 |         "Resource" : "*"
		48 |       }
		49 |     ]
		50 |   })
		51 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.citrix_adc_instance_policy
	File: /policy.tf:24-51
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		24 | resource "aws_iam_policy" "citrix_adc_instance_policy" {
		25 |   name        = "citrix_adc_instance_policy"
		26 |   path        = "/"
		27 |   description = "Policy for Citrix NetScaler instance"
		28 |   policy = jsonencode({
		29 |     "Version" : "2012-10-17",
		30 |     "Statement" : [
		31 |       {
		32 |         "Effect" : "Allow",
		33 |         "Action" : [
		34 |           "ec2:DescribeInstances",
		35 |           "ec2:DescribeNetworkInterfaces",
		36 |           "ec2:DetachNetworkInterface",
		37 |           "ec2:AttachNetworkInterface",
		38 |           "ec2:StartInstances",
		39 |           "ec2:StopInstances",
		40 |           "ec2:RebootInstances",
		41 |           "autoscaling:*",
		42 |           "sns:*",
		43 |           "sqs:*",
		44 |           "iam:SimulatePrincipalPolicy",
		45 |           "iam:GetRole"
		46 |         ],
		47 |         "Resource" : "*"
		48 |       }
		49 |     ]
		50 |   })
		51 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.citrix_adc_instance_policy
	File: /policy.tf:24-51
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		24 | resource "aws_iam_policy" "citrix_adc_instance_policy" {
		25 |   name        = "citrix_adc_instance_policy"
		26 |   path        = "/"
		27 |   description = "Policy for Citrix NetScaler instance"
		28 |   policy = jsonencode({
		29 |     "Version" : "2012-10-17",
		30 |     "Statement" : [
		31 |       {
		32 |         "Effect" : "Allow",
		33 |         "Action" : [
		34 |           "ec2:DescribeInstances",
		35 |           "ec2:DescribeNetworkInterfaces",
		36 |           "ec2:DetachNetworkInterface",
		37 |           "ec2:AttachNetworkInterface",
		38 |           "ec2:StartInstances",
		39 |           "ec2:StopInstances",
		40 |           "ec2:RebootInstances",
		41 |           "autoscaling:*",
		42 |           "sns:*",
		43 |           "sqs:*",
		44 |           "iam:SimulatePrincipalPolicy",
		45 |           "iam:GetRole"
		46 |         ],
		47 |         "Resource" : "*"
		48 |       }
		49 |     ]
		50 |   })
		51 | }

Check: CKV_AWS_300: "Ensure S3 lifecycle configuration sets period for aborting failed uploads"
	FAILED for resource: aws_s3_bucket_lifecycle_configuration.bucket-config
	File: /s3-awslogs.tf:28-60
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-300

		28 | resource "aws_s3_bucket_lifecycle_configuration" "bucket-config" {
		29 |   bucket = aws_s3_bucket.this.bucket
		30 | 
		31 |   rule {
		32 |     id = "log_deletion"
		33 | 
		34 |     expiration {
		35 |       days = 90
		36 |     }
		37 | 
		38 |     filter {
		39 |       and {
		40 |         prefix = "AWSLogs/${data.aws_caller_identity.current.account_id}/"
		41 | 
		42 |         tags = {
		43 |           rule      = "log-deletion"
		44 |           autoclean = "true"
		45 |         }
		46 |       }
		47 |     }
		48 |     status = "Enabled"
		49 | 
		50 |     transition {
		51 |       days          = 30
		52 |       storage_class = "STANDARD_IA"
		53 |     }
		54 | 
		55 |     transition {
		56 |       days          = 60
		57 |       storage_class = "GLACIER"
		58 |     }
		59 |   }
		60 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3-bucket-ukcloud-replica
	File: /s3-ukcloud-replica.tf:1-54
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: equip-s3-bucket
	File: /s3.tf:1-54
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.this
	File: /s3-awslogs.tf:11-18
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		11 | resource "aws_s3_bucket" "this" {
		12 |   bucket_prefix = "moj-alb-citrix-access-logs-bucket"
		13 | 
		14 |   tags = {
		15 |     Environment = "Development"
		16 |     Name        = "S3 Access Logs for ALB"
		17 |   }
		18 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.this
	File: /s3-awslogs.tf:11-18
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		11 | resource "aws_s3_bucket" "this" {
		12 |   bucket_prefix = "moj-alb-citrix-access-logs-bucket"
		13 | 
		14 |   tags = {
		15 |     Environment = "Development"
		16 |     Name        = "S3 Access Logs for ALB"
		17 |   }
		18 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.azures_ingres
	File: /securitygroup.tf:218-225
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		218 | resource "aws_security_group" "azures_ingres" {
		219 |   name        = lower(format("secg-%s-%s-azures-ingress", local.application_name, local.environment))
		220 |   description = "Security Group for azures ingress connections"
		221 |   vpc_id      = data.aws_vpc.shared.id
		222 |   tags = merge(local.tags,
		223 |     { Name = lower(format("secg-%s-%s-azures-ingress", local.application_name, local.environment)) }
		224 |   )
		225 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.aws_citrix_security_group
	File: /securitygroup.tf:322-329
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		322 | resource "aws_security_group" "aws_citrix_security_group" {
		323 |   name        = "aws_citrix_security_group"
		324 |   description = "Security Group for AWS_Citrix "
		325 |   vpc_id      = data.aws_vpc.shared.id
		326 |   tags = merge(local.tags,
		327 |     { Name = lower(format("secg-%s-%s-citrix-host", local.application_name, local.environment)) }
		328 |   )
		329 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.aws_equip_security_group
	File: /securitygroup.tf:445-452
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		445 | resource "aws_security_group" "aws_equip_security_group" {
		446 |   name        = lower(format("secg-%s-%s-equip", local.application_name, local.environment))
		447 |   description = "Security Group for AWS_Equip"
		448 |   vpc_id      = data.aws_vpc.shared.id
		449 |   tags = merge(local.tags,
		450 |     { Name = lower(format("secg-%s-%s-equip", local.application_name, local.environment)) }
		451 |   )
		452 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.aws_spotfire_security_group
	File: /securitygroup.tf:580-587
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		580 | resource "aws_security_group" "aws_spotfire_security_group" {
		581 |   name        = "aws_spotfire_security_group"
		582 |   description = "Security Group for AWS_SpotFire"
		583 |   vpc_id      = data.aws_vpc.shared.id
		584 |   tags = merge(local.tags,
		585 |     { Name = lower(format("secg-%s-%s-spotfire", local.application_name, local.environment)) }
		586 |   )
		587 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.aws_domain_security_group
	File: /securitygroup.tf:748-755
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		748 | resource "aws_security_group" "aws_domain_security_group" {
		749 |   name        = "aws_domain_security_group"
		750 |   description = "Security Group for AWS_Domain"
		751 |   vpc_id      = data.aws_vpc.shared.id
		752 |   tags = merge(local.tags,
		753 |     { Name = lower(format("secg-%s-%s-domain-controller", local.application_name, local.environment)) }
		754 |   )
		755 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.this
	File: /s3-awslogs.tf:11-18
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		11 | resource "aws_s3_bucket" "this" {
		12 |   bucket_prefix = "moj-alb-citrix-access-logs-bucket"
		13 | 
		14 |   tags = {
		15 |     Environment = "Development"
		16 |     Name        = "S3 Access Logs for ALB"
		17 |   }
		18 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.this
	File: /s3-awslogs.tf:11-18
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		11 | resource "aws_s3_bucket" "this" {
		12 |   bucket_prefix = "moj-alb-citrix-access-logs-bucket"
		13 | 
		14 |   tags = {
		15 |     Environment = "Development"
		16 |     Name        = "S3 Access Logs for ALB"
		17 |   }
		18 | }

Check: CKV2_AWS_28: "Ensure public facing ALB are protected by WAF"
	FAILED for resource: aws_lb.citrix_alb
	File: /alb.tf:15-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-public-facing-alb-are-protected-by-waf

		15 | resource "aws_lb" "citrix_alb" {
		16 | 
		17 |   name               = format("alb-%s-%s-citrix", local.application_name, local.environment)
		18 |   load_balancer_type = "application"
		19 |   security_groups    = [aws_security_group.alb_sg.id]
		20 |   subnets            = [data.aws_subnet.public_subnets_a.id, data.aws_subnet.public_subnets_b.id]
		21 | 
		22 |   enable_deletion_protection = true
		23 |   drop_invalid_header_fields = true
		24 |   enable_waf_fail_open       = true
		25 |   ip_address_type            = "ipv4"
		26 | 
		27 |   tags = merge(local.tags,
		28 |     { Name = format("alb-%s-%s-citrix", local.application_name, local.environment)
		29 |       Role = "Equip public load balancer"
		30 |     }
		31 |   )
		32 | 
		33 |   access_logs {
		34 |     bucket  = aws_s3_bucket.this.id
		35 |     enabled = "true"
		36 |   }
		37 | 
		38 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.this
	File: /s3-awslogs.tf:11-18
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		11 | resource "aws_s3_bucket" "this" {
		12 |   bucket_prefix = "moj-alb-citrix-access-logs-bucket"
		13 | 
		14 |   tags = {
		15 |     Environment = "Development"
		16 |     Name        = "S3 Access Logs for ALB"
		17 |   }
		18 | }


checkov_exitcode=1

CTFLint Scan Failed

*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/equip

*****************************

Running tflint in terraform/environments/equip
Excluding the following checks: terraform_unused_declarations
3 issue(s) found:

Warning: Missing version constraint for provider "template" in `required_providers` (terraform_required_providers)

  on terraform/environments/equip/instance_userdata.tf line 1:
   1: data "template_file" "windows-userdata" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "tls" in `required_providers` (terraform_required_providers)

  on terraform/environments/equip/main.tf line 19:
  19: resource "tls_private_key" "key" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "random" in `required_providers` (terraform_required_providers)

  on terraform/environments/equip/s3-awslogs.tf line 3:
   3: resource "random_string" "bucket_suffix" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

tflint_exitcode=2

Trivy Scan Failed

*****************************

Trivy will check the following folders:
terraform/environments/equip

*****************************

Running Trivy in terraform/environments/equip
2024-10-10T09:10:18Z	INFO	[vulndb] Need to update DB
2024-10-10T09:10:18Z	INFO	[vulndb] Downloading vulnerability DB...
2024-10-10T09:10:18Z	INFO	[vulndb] Downloading artifact...	repo="ghcr.io/aquasecurity/trivy-db:2"
2024-10-10T09:10:18Z	ERROR	[vulndb] Failed to download artifact	repo="ghcr.io/aquasecurity/trivy-db:2" err="OCI repository error: 1 error occurred:\n\t* GET https://ghcr.io/v2/aquasecurity/trivy-db/manifests/2: TOOMANYREQUESTS: retry-after: 796.169µs, allowed: 44000/minute\n\n"
2024-10-10T09:10:18Z	FATAL	Fatal error	init error: DB error: failed to download vulnerability DB: OCI artifact error: failed to download vulnerability DB: failed to download artifact from any source
trivy_exitcode=1

@Khatraf Khatraf changed the title Update WAF rule and resource actions from "Count" to "Block" for better protection against DDOS attacks Update WAF rule and alb actions from "Count" to "Block" for better protection against DDOS attacks Oct 10, 2024
@Khatraf Khatraf merged commit ebc7718 into main Oct 10, 2024
7 of 10 checks passed
@Khatraf Khatraf deleted the feature/change-count-actions-to-block branch October 10, 2024 09:23