You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Trivy will check the following folders:
terraform/environments/delius-mis/modules/mis_environment
terraform/modules/disable_alarms_lambda
Running Trivy in terraform/environments/delius-mis/modules/mis_environment
2024-10-14T12:48:23Z INFO [vulndb] Need to update DB
2024-10-14T12:48:23Z INFO [vulndb] Downloading vulnerability DB...
2024-10-14T12:48:23Z INFO [vulndb] Downloading artifact... repo="ghcr.io/aquasecurity/trivy-db:2"
2024-10-14T12:48:26Z INFO [vulndb] Artifact successfully downloaded repo="ghcr.io/aquasecurity/trivy-db:2"
2024-10-14T12:48:26Z INFO [vuln] Vulnerability scanning is enabled
2024-10-14T12:48:26Z INFO [misconfig] Misconfiguration scanning is enabled
2024-10-14T12:48:26Z INFO [misconfig] Need to update the built-in checks
2024-10-14T12:48:26Z INFO [misconfig] Downloading the built-in checks...
156.02 KiB / 156.02 KiB [------------------------------------------------------] 100.00% ? p/s 100ms2024-10-14T12:48:26Z INFO [secret] Secret scanning is enabled
2024-10-14T12:48:26Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-10-14T12:48:26Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.56/docs/scanner/secret#recommendation for faster secret detection
2024-10-14T12:48:27Z INFO [terraform scanner] Scanning root module file_path="."
2024-10-14T12:48:27Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="account_config, account_info, app_name, bastion_config, bcs_config, boe_db_config, bps_config, bws_config, dis_config, dsd_db_config, env_name, environment_config, fsx_config, mis_db_config, platform_vars, tags"
2024-10-14T12:48:27Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="dynamic.ip_address" value="cty.NilVal"
2024-10-14T12:48:27Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="dynamic.target_ip" value="cty.NilVal"
2024-10-14T12:48:27Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="dynamic.ip_address" value="cty.NilVal"
2024-10-14T12:48:27Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="dynamic.target_ip" value="cty.NilVal"
2024-10-14T12:48:28Z ERROR [terraform evaluator] Failed to load module. Maybe try 'terraform init'? err="open /github/workspace/terraform/environments/delius-mis/modules/modules/disable_alarms_lambda: no such file or directory"
2024-10-14T12:48:31Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2024-10-14T12:48:31Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2024-10-14T12:48:31Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.dynamic.tag" value="cty.NilVal"
2024-10-14T12:48:31Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.dynamic.tag" value="cty.NilVal"
2024-10-14T12:48:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-14T12:48:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-10-14T12:48:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-14T12:48:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-14T12:48:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-10-14T12:48:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-10-14T12:48:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-14T12:48:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-10-14T12:48:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-14T12:48:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-14T12:48:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-10-14T12:48:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-10-14T12:48:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.pagerduty_core_alerts.data.aws_sns_topic.alarm_topics" value="cty.NilVal"
2024-10-14T12:48:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_ssm_sessions.dynamic.expiration" value="cty.NilVal"
2024-10-14T12:48:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_ssm_sessions.dynamic.transition" value="cty.NilVal"
2024-10-14T12:48:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_ssm_sessions.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-14T12:48:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_ssm_sessions.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-14T12:48:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_ssm_sessions.dynamic.principals" value="cty.NilVal"
2024-10-14T12:48:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_ssm_sessions.dynamic.condition" value="cty.NilVal"
2024-10-14T12:48:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_ssm_sessions.dynamic.expiration" value="cty.NilVal"
2024-10-14T12:48:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_ssm_sessions.dynamic.transition" value="cty.NilVal"
2024-10-14T12:48:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_ssm_sessions.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-14T12:48:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_ssm_sessions.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-14T12:48:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_ssm_sessions.dynamic.principals" value="cty.NilVal"
2024-10-14T12:48:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_ssm_sessions.dynamic.condition" value="cty.NilVal"
2024-10-14T12:48:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bcs_instance[0].aws_ebs_volume.this" value="cty.NilVal"
2024-10-14T12:48:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bcs_instance[0].dynamic.ephemeral_block_device" value="cty.NilVal"
2024-10-14T12:48:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bcs_instance[0].dynamic.ebs_block_device" value="cty.NilVal"
2024-10-14T12:48:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bcs_instance[0].dynamic.private_dns_name_options" value="cty.NilVal"
2024-10-14T12:48:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bcs_instance[0].dynamic.ephemeral_block_device" value="cty.NilVal"
2024-10-14T12:48:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bcs_instance[0].dynamic.ebs_block_device" value="cty.NilVal"
2024-10-14T12:48:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bcs_instance[0].dynamic.private_dns_name_options" value="cty.NilVal"
2024-10-14T12:48:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bps_instance[0].aws_ebs_volume.this" value="cty.NilVal"
2024-10-14T12:48:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bps_instance[0].dynamic.ephemeral_block_device" value="cty.NilVal"
2024-10-14T12:48:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bps_instance[0].dynamic.ebs_block_device" value="cty.NilVal"
2024-10-14T12:48:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bps_instance[0].dynamic.private_dns_name_options" value="cty.NilVal"
2024-10-14T12:48:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bps_instance[0].dynamic.ephemeral_block_device" value="cty.NilVal"
2024-10-14T12:48:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bps_instance[0].dynamic.ebs_block_device" value="cty.NilVal"
2024-10-14T12:48:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bps_instance[0].dynamic.private_dns_name_options" value="cty.NilVal"
2024-10-14T12:48:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bws_instance[0].aws_ebs_volume.this" value="cty.NilVal"
2024-10-14T12:48:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bws_instance[0].dynamic.ephemeral_block_device" value="cty.NilVal"
2024-10-14T12:48:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bws_instance[0].dynamic.ebs_block_device" value="cty.NilVal"
2024-10-14T12:48:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bws_instance[0].dynamic.private_dns_name_options" value="cty.NilVal"
2024-10-14T12:48:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bws_instance[0].dynamic.ephemeral_block_device" value="cty.NilVal"
2024-10-14T12:48:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bws_instance[0].dynamic.ebs_block_device" value="cty.NilVal"
2024-10-14T12:48:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bws_instance[0].dynamic.private_dns_name_options" value="cty.NilVal"
2024-10-14T12:48:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.dis_instance[0].aws_ebs_volume.this" value="cty.NilVal"
2024-10-14T12:48:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.dis_instance[0].dynamic.ephemeral_block_device" value="cty.NilVal"
2024-10-14T12:48:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.dis_instance[0].dynamic.ebs_block_device" value="cty.NilVal"
2024-10-14T12:48:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.dis_instance[0].dynamic.private_dns_name_options" value="cty.NilVal"
2024-10-14T12:48:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.dis_instance[0].dynamic.ephemeral_block_device" value="cty.NilVal"
2024-10-14T12:48:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.dis_instance[0].dynamic.ebs_block_device" value="cty.NilVal"
2024-10-14T12:48:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.dis_instance[0].dynamic.private_dns_name_options" value="cty.NilVal"
2024-10-14T12:48:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_boe[0].module.instance.aws_ebs_volume.this" value="cty.NilVal"
2024-10-14T12:48:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_boe[0].module.instance.dynamic.ephemeral_block_device" value="cty.NilVal"
2024-10-14T12:48:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_boe[0].module.instance.dynamic.ebs_block_device" value="cty.NilVal"
2024-10-14T12:48:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_boe[0].module.instance.dynamic.ephemeral_block_device" value="cty.NilVal"
2024-10-14T12:48:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_boe[0].module.instance.dynamic.ebs_block_device" value="cty.NilVal"
2024-10-14T12:48:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_dsd[0].module.instance.aws_ebs_volume.this" value="cty.NilVal"
2024-10-14T12:48:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_dsd[0].module.instance.dynamic.ephemeral_block_device" value="cty.NilVal"
2024-10-14T12:48:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_dsd[0].module.instance.dynamic.ebs_block_device" value="cty.NilVal"
2024-10-14T12:48:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_dsd[0].module.instance.dynamic.ephemeral_block_device" value="cty.NilVal"
2024-10-14T12:48:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_dsd[0].module.instance.dynamic.ebs_block_device" value="cty.NilVal"
2024-10-14T12:48:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_mis[0].module.instance.aws_ebs_volume.this" value="cty.NilVal"
2024-10-14T12:48:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_mis[0].module.instance.dynamic.ephemeral_block_device" value="cty.NilVal"
2024-10-14T12:48:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_mis[0].module.instance.dynamic.ebs_block_device" value="cty.NilVal"
2024-10-14T12:48:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_mis[0].module.instance.dynamic.ephemeral_block_device" value="cty.NilVal"
2024-10-14T12:48:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_mis[0].module.instance.dynamic.ebs_block_device" value="cty.NilVal"
2024-10-14T12:48:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["boe-db"].aws_s3_object.user_public_keys" value="cty.NilVal"
2024-10-14T12:48:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["boe-db"].module.s3_bucket_oracledb_backups.dynamic.expiration" value="cty.NilVal"
2024-10-14T12:48:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["boe-db"].module.s3_bucket_oracledb_backups.dynamic.transition" value="cty.NilVal"
2024-10-14T12:48:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["boe-db"].module.s3_bucket_oracledb_backups.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-14T12:48:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["boe-db"].module.s3_bucket_oracledb_backups.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-14T12:48:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["boe-db"].module.s3_bucket_oracledb_backups.dynamic.principals" value="cty.NilVal"
2024-10-14T12:48:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["boe-db"].module.s3_bucket_oracledb_backups.dynamic.condition" value="cty.NilVal"
2024-10-14T12:48:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["boe-db"].module.s3_bucket_oracledb_backups.dynamic.expiration" value="cty.NilVal"
2024-10-14T12:48:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["boe-db"].module.s3_bucket_oracledb_backups.dynamic.transition" value="cty.NilVal"
2024-10-14T12:48:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["boe-db"].module.s3_bucket_oracledb_backups.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-14T12:48:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["boe-db"].module.s3_bucket_oracledb_backups.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-14T12:48:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["boe-db"].module.s3_bucket_oracledb_backups.dynamic.principals" value="cty.NilVal"
2024-10-14T12:48:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["boe-db"].module.s3_bucket_oracledb_backups.dynamic.condition" value="cty.NilVal"
2024-10-14T12:48:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["boe-db"].module.s3_bucket_ssh_keys.dynamic.expiration" value="cty.NilVal"
2024-10-14T12:48:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["boe-db"].module.s3_bucket_ssh_keys.dynamic.transition" value="cty.NilVal"
2024-10-14T12:48:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["boe-db"].module.s3_bucket_ssh_keys.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-14T12:48:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["boe-db"].module.s3_bucket_ssh_keys.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-14T12:48:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["boe-db"].module.s3_bucket_ssh_keys.dynamic.principals" value="cty.NilVal"
2024-10-14T12:48:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["boe-db"].module.s3_bucket_ssh_keys.dynamic.condition" value="cty.NilVal"
2024-10-14T12:48:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["boe-db"].module.s3_bucket_ssh_keys.dynamic.expiration" value="cty.NilVal"
2024-10-14T12:48:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["boe-db"].module.s3_bucket_ssh_keys.dynamic.transition" value="cty.NilVal"
2024-10-14T12:48:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["boe-db"].module.s3_bucket_ssh_keys.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-14T12:48:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["boe-db"].module.s3_bucket_ssh_keys.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-14T12:48:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["boe-db"].module.s3_bucket_ssh_keys.dynamic.principals" value="cty.NilVal"
2024-10-14T12:48:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["boe-db"].module.s3_bucket_ssh_keys.dynamic.condition" value="cty.NilVal"
2024-10-14T12:48:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["dsd-db"].aws_s3_object.user_public_keys" value="cty.NilVal"
2024-10-14T12:48:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["dsd-db"].module.s3_bucket_oracledb_backups.dynamic.expiration" value="cty.NilVal"
2024-10-14T12:48:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["dsd-db"].module.s3_bucket_oracledb_backups.dynamic.transition" value="cty.NilVal"
2024-10-14T12:48:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["dsd-db"].module.s3_bucket_oracledb_backups.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-14T12:48:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["dsd-db"].module.s3_bucket_oracledb_backups.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-14T12:48:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["dsd-db"].module.s3_bucket_oracledb_backups.dynamic.principals" value="cty.NilVal"
2024-10-14T12:48:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["dsd-db"].module.s3_bucket_oracledb_backups.dynamic.condition" value="cty.NilVal"
2024-10-14T12:48:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["dsd-db"].module.s3_bucket_oracledb_backups.dynamic.expiration" value="cty.NilVal"
2024-10-14T12:48:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["dsd-db"].module.s3_bucket_oracledb_backups.dynamic.transition" value="cty.NilVal"
2024-10-14T12:48:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["dsd-db"].module.s3_bucket_oracledb_backups.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-14T12:48:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["dsd-db"].module.s3_bucket_oracledb_backups.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-14T12:48:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["dsd-db"].module.s3_bucket_oracledb_backups.dynamic.principals" value="cty.NilVal"
2024-10-14T12:48:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["dsd-db"].module.s3_bucket_oracledb_backups.dynamic.condition" value="cty.NilVal"
2024-10-14T12:48:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["dsd-db"].module.s3_bucket_ssh_keys.dynamic.expiration" value="cty.NilVal"
2024-10-14T12:48:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["dsd-db"].module.s3_bucket_ssh_keys.dynamic.transition" value="cty.NilVal"
2024-10-14T12:48:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["dsd-db"].module.s3_bucket_ssh_keys.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-14T12:48:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["dsd-db"].module.s3_bucket_ssh_keys.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-14T12:48:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["dsd-db"].module.s3_bucket_ssh_keys.dynamic.principals" value="cty.NilVal"
2024-10-14T12:48:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["dsd-db"].module.s3_bucket_ssh_keys.dynamic.condition" value="cty.NilVal"
2024-10-14T12:48:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["dsd-db"].module.s3_bucket_ssh_keys.dynamic.expiration" value="cty.NilVal"
2024-10-14T12:48:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["dsd-db"].module.s3_bucket_ssh_keys.dynamic.transition" value="cty.NilVal"
2024-10-14T12:48:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["dsd-db"].module.s3_bucket_ssh_keys.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-14T12:48:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["dsd-db"].module.s3_bucket_ssh_keys.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-14T12:48:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["dsd-db"].module.s3_bucket_ssh_keys.dynamic.principals" value="cty.NilVal"
2024-10-14T12:48:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["dsd-db"].module.s3_bucket_ssh_keys.dynamic.condition" value="cty.NilVal"
2024-10-14T12:48:33Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["mis-db"].aws_s3_object.user_public_keys" value="cty.NilVal"
2024-10-14T12:48:33Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["mis-db"].module.s3_bucket_oracledb_backups.dynamic.expiration" value="cty.NilVal"
2024-10-14T12:48:33Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["mis-db"].module.s3_bucket_oracledb_backups.dynamic.transition" value="cty.NilVal"
2024-10-14T12:48:33Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["mis-db"].module.s3_bucket_oracledb_backups.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-14T12:48:33Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["mis-db"].module.s3_bucket_oracledb_backups.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-14T12:48:33Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["mis-db"].module.s3_bucket_oracledb_backups.dynamic.principals" value="cty.NilVal"
2024-10-14T12:48:33Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["mis-db"].module.s3_bucket_oracledb_backups.dynamic.condition" value="cty.NilVal"
2024-10-14T12:48:33Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["mis-db"].module.s3_bucket_oracledb_backups.dynamic.expiration" value="cty.NilVal"
2024-10-14T12:48:33Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["mis-db"].module.s3_bucket_oracledb_backups.dynamic.transition" value="cty.NilVal"
2024-10-14T12:48:33Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["mis-db"].module.s3_bucket_oracledb_backups.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-14T12:48:33Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["mis-db"].module.s3_bucket_oracledb_backups.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-14T12:48:33Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["mis-db"].module.s3_bucket_oracledb_backups.dynamic.principals" value="cty.NilVal"
2024-10-14T12:48:33Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["mis-db"].module.s3_bucket_oracledb_backups.dynamic.condition" value="cty.NilVal"
2024-10-14T12:48:33Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["mis-db"].module.s3_bucket_ssh_keys.dynamic.expiration" value="cty.NilVal"
2024-10-14T12:48:33Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["mis-db"].module.s3_bucket_ssh_keys.dynamic.transition" value="cty.NilVal"
2024-10-14T12:48:33Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["mis-db"].module.s3_bucket_ssh_keys.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-14T12:48:33Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["mis-db"].module.s3_bucket_ssh_keys.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-14T12:48:33Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["mis-db"].module.s3_bucket_ssh_keys.dynamic.principals" value="cty.NilVal"
2024-10-14T12:48:33Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["mis-db"].module.s3_bucket_ssh_keys.dynamic.condition" value="cty.NilVal"
2024-10-14T12:48:33Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["mis-db"].module.s3_bucket_ssh_keys.dynamic.expiration" value="cty.NilVal"
2024-10-14T12:48:33Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["mis-db"].module.s3_bucket_ssh_keys.dynamic.transition" value="cty.NilVal"
2024-10-14T12:48:33Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["mis-db"].module.s3_bucket_ssh_keys.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-14T12:48:33Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["mis-db"].module.s3_bucket_ssh_keys.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-14T12:48:33Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["mis-db"].module.s3_bucket_ssh_keys.dynamic.principals" value="cty.NilVal"
2024-10-14T12:48:33Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["mis-db"].module.s3_bucket_ssh_keys.dynamic.condition" value="cty.NilVal"
2024-10-14T12:48:37Z INFO [terraform executor] Ignore finding rule="aws-ec2-no-public-egress-sgr" range="../../../delius-core/modules/components/oracle_db_shared/sg.tf:15"
2024-10-14T12:48:37Z INFO [terraform executor] Ignore finding rule="aws-ec2-no-public-egress-sgr" range="../../../delius-core/modules/components/oracle_db_shared/sg.tf:15"
2024-10-14T12:48:37Z INFO [terraform executor] Ignore finding rule="aws-ec2-no-public-egress-sgr" range="../../../delius-core/modules/components/oracle_db_shared/sg.tf:15"
2024-10-14T12:48:37Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=c918b2189d9f81d224e07e98fa1bc9ff38e4ba12/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2024-10-14T12:48:37Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0/main.tf:171-179"
2024-10-14T12:48:37Z INFO [terraform executor] Ignore finding rule="aws-ssm-secret-use-customer-key" range="secrets.tf:3-9"
2024-10-14T12:48:37Z INFO [terraform executor] Ignore finding rule="aws-ssm-secret-use-customer-key" range="secrets.tf:12-18"
2024-10-14T12:48:37Z INFO [terraform executor] Ignore finding rule="aws-ec2-enforce-http-token-imds" range="github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance/main.tf:22"
2024-10-14T12:48:37Z INFO [terraform executor] Ignore finding rule="aws-ec2-enforce-http-token-imds" range="github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance/main.tf:22"
2024-10-14T12:48:37Z INFO [terraform executor] Ignore finding rule="aws-ec2-enforce-http-token-imds" range="github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance/main.tf:22"
2024-10-14T12:48:37Z INFO [terraform executor] Ignore finding rule="aws-ec2-enforce-http-token-imds" range="github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance/main.tf:22"
2024-10-14T12:48:37Z INFO [terraform executor] Ignore finding rule="aws-ec2-enforce-http-token-imds" range="github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance/main.tf:22"
2024-10-14T12:48:37Z INFO [terraform executor] Ignore finding rule="aws-ec2-enforce-http-token-imds" range="github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance/main.tf:22"
2024-10-14T12:48:37Z INFO [terraform executor] Ignore finding rule="aws-ec2-enforce-http-token-imds" range="github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance/main.tf:22"
2024-10-14T12:48:37Z INFO Number of language-specific files num=0
2024-10-14T12:48:37Z INFO Detected config files num=17
HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.
HIGH: Security group rule allows ingress from public internet.
════════════════════════════════════════
Security groups provide stateful filtering of ingress and egress network traffic to AWS
resources. It is recommended that no security group allows unrestricted ingress access to
remote server administration ports, such as SSH to port 22 and RDP to port 3389.
Running Trivy in terraform/modules/disable_alarms_lambda
2024-10-14T12:48:37Z INFO [vuln] Vulnerability scanning is enabled
2024-10-14T12:48:37Z INFO [misconfig] Misconfiguration scanning is enabled
2024-10-14T12:48:37Z INFO [secret] Secret scanning is enabled
2024-10-14T12:48:37Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-10-14T12:48:37Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.56/docs/scanner/secret#recommendation for faster secret detection
2024-10-14T12:48:38Z INFO [terraform scanner] Scanning root module file_path="."
2024-10-14T12:48:38Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="lambda_function_name"
2024-10-14T12:48:38Z INFO Number of language-specific files num=0
2024-10-14T12:48:38Z INFO Detected config files num=2
trivy_exitcode=1
</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>
```hcl
*****************************
Checkov will check the following folders:
terraform/environments/delius-mis/modules/mis_environment
terraform/modules/disable_alarms_lambda
*****************************
Running Checkov in terraform/environments/delius-mis/modules/mis_environment
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-10-14 12:48:41,195 [MainThread ] [WARNI] Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance:None (for external modules, the --download-external-modules flag is required)
2024-10-14 12:48:41,195 [MainThread ] [WARNI] Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0:None (for external modules, the --download-external-modules flag is required)
2024-10-14 12:48:41,195 [MainThread ] [WARNI] Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=c918b2189d9f81d224e07e98fa1bc9ff38e4ba12:None (for external modules, the --download-external-modules flag is required)
2024-10-14 12:48:41,195 [MainThread ] [WARNI] Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0:None (for external modules, the --download-external-modules flag is required)
2024-10-14 12:48:41,466 [MainThread ] [WARNI] Module /github/workspace/terraform/environments/delius-mis/modules/modules/disable_alarms_lambda:latest failed to load via <class 'checkov.terraform.module_loading.loaders.local_path_loader.LocalPathLoader'>
2024-10-14 12:48:41,466 [MainThread ] [WARNI] Unable to load module - source: /github/workspace/terraform/environments/delius-mis/modules/modules/disable_alarms_lambda, version: latest, error: /github/workspace/terraform/environments/delius-mis/modules/modules/disable_alarms_lambda
terraform scan results:
Passed checks: 828, Failed checks: 112, Skipped checks: 2
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
FAILED for resource: module.oracle_db_boe.instance
File: /../../../delius-core/modules/components/oracle_db_instance/instance.tf:23-66
Calling File: /databases.tf:94-145
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision
23 | module "instance" {
24 | source = "github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance"
25 |
26 | providers = {
27 | aws.core-vpc = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
28 | }
29 |
30 | name = "${var.account_info.application_name}-${var.env_name}-${var.db_suffix}-${local.instance_name_index}" # e.g. dev-boe-db-1
31 |
32 | ami_name = data.aws_ami.oracle_db.name
33 | ami_owner = var.db_ami.owner
34 | instance = local.instance_config
35 | ebs_kms_key_id = var.account_config.kms_keys.general_shared
36 | ebs_volumes_copy_all_from_ami = true
37 | ebs_volume_config = var.ebs_volume_config
38 | ebs_volumes = var.ebs_volumes
39 | ebs_volume_tags = var.tags
40 | # route53_records = merge(local.ec2_test.route53_records, lookup(each.value, "route53_records", {})) # revist
41 | route53_records = {
42 | create_internal_record = false
43 | create_external_record = false
44 | }
45 | iam_resource_names_prefix = "instance"
46 | instance_profile_policies = var.instance_profile_policies
47 |
48 | user_data_raw = base64encode(var.user_data)
49 |
50 | business_unit = var.account_info.business_unit
51 | application_name = var.account_info.application_name
52 | environment = var.account_info.mp_environment
53 | region = "eu-west-2"
54 | availability_zone = var.availability_zone
55 | subnet_id = var.subnet_id
56 | tags = merge(var.tags,
57 | { Name = "${var.account_info.application_name}-${var.env_name}-${var.db_suffix}-${local.instance_name_index}" },
58 | { server-type = var.server_type_tag },
59 | { database = local.database_tag },
60 | var.enable_platform_backups != null ? { "backup" = var.enable_platform_backups ? "true" : "false" } : {}
61 | )
62 |
63 | cloudwatch_metric_alarms = merge(
64 | local.cloudwatch_metric_alarms.ec2
65 | )
66 | }
Check: CKV_TF_2: "Ensure Terraform module sources use a tag with a version number"
FAILED for resource: module.oracle_db_boe.instance
File: /../../../delius-core/modules/components/oracle_db_instance/instance.tf:23-66
Calling File: /databases.tf:94-145
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-tag
23 | module "instance" {
24 | source = "github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance"
25 |
26 | providers = {
27 | aws.core-vpc = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
28 | }
29 |
30 | name = "${var.account_info.application_name}-${var.env_name}-${var.db_suffix}-${local.instance_name_index}" # e.g. dev-boe-db-1
31 |
32 | ami_name = data.aws_ami.oracle_db.name
33 | ami_owner = var.db_ami.owner
34 | instance = local.instance_config
35 | ebs_kms_key_id = var.account_config.kms_keys.general_shared
36 | ebs_volumes_copy_all_from_ami = true
37 | ebs_volume_config = var.ebs_volume_config
38 | ebs_volumes = var.ebs_volumes
39 | ebs_volume_tags = var.tags
40 | # route53_records = merge(local.ec2_test.route53_records, lookup(each.value, "route53_records", {})) # revist
41 | route53_records = {
42 | create_internal_record = false
43 | create_external_record = false
44 | }
45 | iam_resource_names_prefix = "instance"
46 | instance_profile_policies = var.instance_profile_policies
47 |
48 | user_data_raw = base64encode(var.user_data)
49 |
50 | business_unit = var.account_info.business_unit
51 | application_name = var.account_info.application_name
52 | environment = var.account_info.mp_environment
53 | region = "eu-west-2"
54 | availability_zone = var.availability_zone
55 | subnet_id = var.subnet_id
56 | tags = merge(var.tags,
57 | { Name = "${var.account_info.application_name}-${var.env_name}-${var.db_suffix}-${local.instance_name_index}" },
58 | { server-type = var.server_type_tag },
59 | { database = local.database_tag },
60 | var.enable_platform_backups != null ? { "backup" = var.enable_platform_backups ? "true" : "false" } : {}
61 | )
62 |
63 | cloudwatch_metric_alarms = merge(
64 | local.cloudwatch_metric_alarms.ec2
65 | )
66 | }
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
FAILED for resource: module.oracle_db_dsd.instance
File: /../../../delius-core/modules/components/oracle_db_instance/instance.tf:23-66
Calling File: /databases.tf:39-91
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision
23 | module "instance" {
24 | source = "github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance"
25 |
26 | providers = {
27 | aws.core-vpc = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
28 | }
29 |
30 | name = "${var.account_info.application_name}-${var.env_name}-${var.db_suffix}-${local.instance_name_index}" # e.g. dev-boe-db-1
31 |
32 | ami_name = data.aws_ami.oracle_db.name
33 | ami_owner = var.db_ami.owner
34 | instance = local.instance_config
35 | ebs_kms_key_id = var.account_config.kms_keys.general_shared
36 | ebs_volumes_copy_all_from_ami = true
37 | ebs_volume_config = var.ebs_volume_config
38 | ebs_volumes = var.ebs_volumes
39 | ebs_volume_tags = var.tags
40 | # route53_records = merge(local.ec2_test.route53_records, lookup(each.value, "route53_records", {})) # revist
41 | route53_records = {
42 | create_internal_record = false
43 | create_external_record = false
44 | }
45 | iam_resource_names_prefix = "instance"
46 | instance_profile_policies = var.instance_profile_policies
47 |
48 | user_data_raw = base64encode(var.user_data)
49 |
50 | business_unit = var.account_info.business_unit
51 | application_name = var.account_info.application_name
52 | environment = var.account_info.mp_environment
53 | region = "eu-west-2"
54 | availability_zone = var.availability_zone
55 | subnet_id = var.subnet_id
56 | tags = merge(var.tags,
57 | { Name = "${var.account_info.application_name}-${var.env_name}-${var.db_suffix}-${local.instance_name_index}" },
58 | { server-type = var.server_type_tag },
59 | { database = local.database_tag },
60 | var.enable_platform_backups != null ? { "backup" = var.enable_platform_backups ? "true" : "false" } : {}
61 | )
62 |
63 | cloudwatch_metric_alarms = merge(
64 | local.cloudwatch_metric_alarms.ec2
65 | )
66 | }
Check: CKV_TF_2: "Ensure Terraform module sources use a tag with a version number"
FAILED for resource: module.oracle_db_dsd.instance
File: /../../../delius-core/modules/components/oracle_db_instance/instance.tf:23-66
Calling File: /databases.tf:39-91
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-tag
23 | module "instance" {
24 | source = "github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance"
25 |
26 | providers = {
27 | aws.core-vpc = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
28 | }
29 |
30 | name = "${var.account_info.application_name}-${var.env_name}-${var.db_suffix}-${local.instance_name_index}" # e.g. dev-boe-db-1
31 |
32 | ami_name = data.aws_ami.oracle_db.name
33 | ami_owner = var.db_ami.owner
34 | instance = local.instance_config
35 | ebs_kms_key_id = var.account_config.kms_keys.general_shared
36 | ebs_volumes_copy_all_from_ami = true
37 | ebs_volume_config = var.ebs_volume_config
38 | ebs_volumes = var.ebs_volumes
39 | ebs_volume_tags = var.tags
40 | # route53_records = merge(local.ec2_test.route53_records, lookup(each.value, "route53_records", {})) # revist
41 | route53_records = {
42 | create_internal_record = false
43 | create_external_record = false
44 | }
45 | iam_resource_names_prefix = "instance"
46 | instance_profile_policies = var.instance_profile_policies
47 |
48 | user_data_raw = base64encode(var.user_data)
49 |
50 | business_unit = var.account_info.business_unit
51 | application_name = var.account_info.application_name
52 | environment = var.account_info.mp_environment
53 | region = "eu-west-2"
54 | availability_zone = var.availability_zone
55 | subnet_id = var.subnet_id
56 | tags = merge(var.tags,
57 | { Name = "${var.account_info.application_name}-${var.env_name}-${var.db_suffix}-${local.instance_name_index}" },
58 | { server-type = var.server_type_tag },
59 | { database = local.database_tag },
60 | var.enable_platform_backups != null ? { "backup" = var.enable_platform_backups ? "true" : "false" } : {}
61 | )
62 |
63 | cloudwatch_metric_alarms = merge(
64 | local.cloudwatch_metric_alarms.ec2
65 | )
66 | }
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
FAILED for resource: module.oracle_db_mis.instance
File: /../../../delius-core/modules/components/oracle_db_instance/instance.tf:23-66
Calling File: /databases.tf:148-199
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision
23 | module "instance" {
24 | source = "github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance"
25 |
26 | providers = {
27 | aws.core-vpc = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
28 | }
29 |
30 | name = "${var.account_info.application_name}-${var.env_name}-${var.db_suffix}-${local.instance_name_index}" # e.g. dev-boe-db-1
31 |
32 | ami_name = data.aws_ami.oracle_db.name
33 | ami_owner = var.db_ami.owner
34 | instance = local.instance_config
35 | ebs_kms_key_id = var.account_config.kms_keys.general_shared
36 | ebs_volumes_copy_all_from_ami = true
37 | ebs_volume_config = var.ebs_volume_config
38 | ebs_volumes = var.ebs_volumes
39 | ebs_volume_tags = var.tags
40 | # route53_records = merge(local.ec2_test.route53_records, lookup(each.value, "route53_records", {})) # revist
41 | route53_records = {
42 | create_internal_record = false
43 | create_external_record = false
44 | }
45 | iam_resource_names_prefix = "instance"
46 | instance_profile_policies = var.instance_profile_policies
47 |
48 | user_data_raw = base64encode(var.user_data)
49 |
50 | business_unit = var.account_info.business_unit
51 | application_name = var.account_info.application_name
52 | environment = var.account_info.mp_environment
53 | region = "eu-west-2"
54 | availability_zone = var.availability_zone
55 | subnet_id = var.subnet_id
56 | tags = merge(var.tags,
57 | { Name = "${var.account_info.application_name}-${var.env_name}-${var.db_suffix}-${local.instance_name_index}" },
58 | { server-type = var.server_type_tag },
59 | { database = local.database_tag },
60 | var.enable_platform_backups != null ? { "backup" = var.enable_platform_backups ? "true" : "false" } : {}
61 | )
62 |
63 | cloudwatch_metric_alarms = merge(
64 | local.cloudwatch_metric_alarms.ec2
65 | )
66 | }
Check: CKV_TF_2: "Ensure Terraform module sources use a tag with a version number"
FAILED for resource: module.oracle_db_mis.instance
File: /../../../delius-core/modules/components/oracle_db_instance/instance.tf:23-66
Calling File: /databases.tf:148-199
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-tag
23 | module "instance" {
24 | source = "github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance"
25 |
26 | providers = {
27 | aws.core-vpc = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
28 | }
29 |
30 | name = "${var.account_info.application_name}-${var.env_name}-${var.db_suffix}-${local.instance_name_index}" # e.g. dev-boe-db-1
31 |
32 | ami_name = data.aws_ami.oracle_db.name
33 | ami_owner = var.db_ami.owner
34 | instance = local.instance_config
35 | ebs_kms_key_id = var.account_config.kms_keys.general_shared
36 | ebs_volumes_copy_all_from_ami = true
37 | ebs_volume_config = var.ebs_volume_config
38 | ebs_volumes = var.ebs_volumes
39 | ebs_volume_tags = var.tags
40 | # route53_records = merge(local.ec2_test.route53_records, lookup(each.value, "route53_records", {})) # revist
41 | route53_records = {
42 | create_internal_record = false
43 | create_external_record = false
44 | }
45 | iam_resource_names_prefix = "instance"
46 | instance_profile_policies = var.instance_profile_policies
47 |
48 | user_data_raw = base64encode(var.user_data)
49 |
50 | business_unit = var.account_info.business_unit
51 | application_name = var.account_info.application_name
52 | environment = var.account_info.mp_environment
53 | region = "eu-west-2"
54 | availability_zone = var.availability_zone
55 | subnet_id = var.subnet_id
56 | tags = merge(var.tags,
57 | { Name = "${var.account_info.application_name}-${var.env_name}-${var.db_suffix}-${local.instance_name_index}" },
58 | { server-type = var.server_type_tag },
59 | { database = local.database_tag },
60 | var.enable_platform_backups != null ? { "backup" = var.enable_platform_backups ? "true" : "false" } : {}
61 | )
62 |
63 | cloudwatch_metric_alarms = merge(
64 | local.cloudwatch_metric_alarms.ec2
65 | )
66 | }
Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
FAILED for resource: module.oracle_db_shared["dsd-db"].aws_iam_policy_document.allow_access_to_ssm_parameter_store
File: /../../../delius-core/modules/components/oracle_db_shared/iam.tf:90-99
Calling File: /databases.tf:13-37
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint
90 | data "aws_iam_policy_document" "allow_access_to_ssm_parameter_store" {
91 | statement {
92 | sid = "AllowAccessToSsmParameterStore"
93 | effect = "Allow"
94 | actions = [
95 | "ssm:PutParameter"
96 | ]
97 | resources = ["*"]
98 | }
99 | }
Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: module.oracle_db_shared["dsd-db"].aws_iam_policy_document.allow_access_to_ssm_parameter_store
File: /../../../delius-core/modules/components/oracle_db_shared/iam.tf:90-99
Calling File: /databases.tf:13-37
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356
90 | data "aws_iam_policy_document" "allow_access_to_ssm_parameter_store" {
91 | statement {
92 | sid = "AllowAccessToSsmParameterStore"
93 | effect = "Allow"
94 | actions = [
95 | "ssm:PutParameter"
96 | ]
97 | resources = ["*"]
98 | }
99 | }
Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
FAILED for resource: module.oracle_db_shared["dsd-db"].aws_iam_policy_document.instance_ssm
File: /../../../delius-core/modules/components/oracle_db_shared/iam.tf:170-220
Calling File: /databases.tf:13-37
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: module.oracle_db_shared["dsd-db"].aws_iam_policy_document.instance_ssm
File: /../../../delius-core/modules/components/oracle_db_shared/iam.tf:170-220
Calling File: /databases.tf:13-37
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_108: "Ensure IAM policies does not allow data exfiltration"
FAILED for resource: module.oracle_db_shared["dsd-db"].aws_iam_policy_document.instance_ssm
File: /../../../delius-core/modules/components/oracle_db_shared/iam.tf:170-220
Calling File: /databases.tf:13-37
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-data-exfiltration
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
FAILED for resource: module.oracle_db_shared["dsd-db"].s3_bucket_oracledb_backups
File: /../../../delius-core/modules/components/oracle_db_shared/s3.tf:22-62
Calling File: /databases.tf:13-37
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision
22 | module "s3_bucket_oracledb_backups" {
23 | source = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0"
24 | bucket_name = local.oracle_backup_bucket_prefix
25 | versioning_enabled = false
26 | ownership_controls = "BucketOwnerEnforced"
27 | replication_enabled = false
28 | custom_kms_key = var.account_config.kms_keys.general_shared
29 | bucket_policy = try([data.aws_iam_policy_document.s3_bucket_oracledb_backups[0].json], [
30 | "{}"
31 | ])
32 |
33 | providers = {
34 | aws.bucket-replication = aws.bucket-replication
35 | }
36 |
37 | lifecycle_rule = [
38 | {
39 | id = "main"
40 | enabled = "Enabled"
41 | prefix = ""
42 |
43 | tags = {
44 | rule = "log"
45 | autoclean = "true"
46 | }
47 |
48 | transition = [
49 | {
50 | days = 90
51 | storage_class = "STANDARD_IA"
52 | }
53 | ]
54 |
55 | expiration = {
56 | days = 365
57 | }
58 | }
59 | ]
60 |
61 | tags = var.tags
62 | }
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
FAILED for resource: module.oracle_db_shared["dsd-db"].s3_bucket_oracle_statistics
File: /../../../delius-core/modules/components/oracle_db_shared/s3.tf:334-375
Calling File: /databases.tf:13-37
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision
334 | module "s3_bucket_oracle_statistics" {
335 | count = var.deploy_oracle_stats ? 1 : 0
336 |
337 | source = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0"
338 | bucket_name = "${var.account_info.application_name}-${var.env_name}-oracle-${var.db_suffix}-statistics-backup-data"
339 | versioning_enabled = false
340 | ownership_controls = "BucketOwnerEnforced"
341 | replication_enabled = false
342 | custom_kms_key = var.account_config.kms_keys.general_shared
343 | bucket_policy = try([data.aws_iam_policy_document.s3_bucket_oracle_statistics[0].json], [
344 | "{}"
345 | ])
346 | providers = {
347 | aws.bucket-replication = aws.bucket-replication
348 | }
349 |
350 | lifecycle_rule = [
351 | {
352 | id = "main"
353 | enabled = "Enabled"
354 | prefix = ""
355 |
356 | tags = {
357 | rule = "log"
358 | autoclean = "true"
359 | }
360 |
361 | transition = [
362 | {
363 | days = 90
364 | storage_class = "STANDARD_IA"
365 | }
366 | ]
367 |
368 | expiration = {
369 | days = 365
370 | }
371 | }
372 | ]
373 |
374 | tags = var.tags
375 | }
Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: module.oracle_db_shared["dsd-db"].aws_iam_policy_document.database_dba_passwords
File: /../../../delius-core/modules/components/oracle_db_shared/secrets.tf:15-26
Calling File: /databases.tf:13-37
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356
15 | data "aws_iam_policy_document" "database_dba_passwords" {
16 | statement {
17 | sid = "OemAWSAccountToReadTheSecret"
18 | effect = "Allow"
19 | principals {
20 | type = "AWS"
21 | identifiers = ["arn:aws:iam::${local.oem_account_id}:role/EC2OracleEnterpriseManagementSecretsRole"]
22 | }
23 | actions = ["secretsmanager:GetSecretValue"]
24 | resources = ["*"]
25 | }
26 | }
Check: CKV_AWS_108: "Ensure IAM policies does not allow data exfiltration"
FAILED for resource: module.oracle_db_shared["dsd-db"].aws_iam_policy_document.database_dba_passwords
File: /../../../delius-core/modules/components/oracle_db_shared/secrets.tf:15-26
Calling File: /databases.tf:13-37
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-data-exfiltration
15 | data "aws_iam_policy_document" "database_dba_passwords" {
16 | statement {
17 | sid = "OemAWSAccountToReadTheSecret"
18 | effect = "Allow"
19 | principals {
20 | type = "AWS"
21 | identifiers = ["arn:aws:iam::${local.oem_account_id}:role/EC2OracleEnterpriseManagementSecretsRole"]
22 | }
23 | actions = ["secretsmanager:GetSecretValue"]
24 | resources = ["*"]
25 | }
26 | }
Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
FAILED for resource: module.oracle_db_shared["dsd-db"].aws_vpc_security_group_ingress_rule.delius_db_security_group_ssh_ingress_bastion
File: /../../../delius-core/modules/components/oracle_db_shared/sg.tf:76-83
Calling File: /databases.tf:13-37
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security
76 | resource "aws_vpc_security_group_ingress_rule" "delius_db_security_group_ssh_ingress_bastion" {
77 | security_group_id = aws_security_group.db_ec2.id
78 | description = "bastion to testing db"
79 | from_port = 22
80 | to_port = 22
81 | ip_protocol = "tcp"
82 | referenced_security_group_id = var.bastion_sg_id
83 | }
Check: CKV_AWS_23: "Ensure every security group and rule has a description"
FAILED for resource: module.oracle_db_shared["dsd-db"].aws_vpc_security_group_ingress_rule.delius_db_oem_db
File: /../../../delius-core/modules/components/oracle_db_shared/sg.tf:85-91
Calling File: /databases.tf:13-37
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31
85 | resource "aws_vpc_security_group_ingress_rule" "delius_db_oem_db" {
86 | ip_protocol = "tcp"
87 | from_port = local.db_port
88 | to_port = local.db_tcps_port
89 | cidr_ipv4 = var.account_config.shared_vpc_cidr
90 | security_group_id = aws_security_group.db_ec2.id
91 | }
Check: CKV_AWS_23: "Ensure every security group and rule has a description"
FAILED for resource: module.oracle_db_shared["dsd-db"].aws_vpc_security_group_ingress_rule.delius_db_oem_agent
File: /../../../delius-core/modules/components/oracle_db_shared/sg.tf:105-111
Calling File: /databases.tf:13-37
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31
105 | resource "aws_vpc_security_group_ingress_rule" "delius_db_oem_agent" {
106 | ip_protocol = "tcp"
107 | from_port = 3872
108 | to_port = 3872
109 | cidr_ipv4 = var.account_config.shared_vpc_cidr
110 | security_group_id = aws_security_group.db_ec2.id
111 | }
Check: CKV_AWS_23: "Ensure every security group and rule has a description"
FAILED for resource: module.oracle_db_shared["dsd-db"].aws_vpc_security_group_egress_rule.delius_db_oem_upload
File: /../../../delius-core/modules/components/oracle_db_shared/sg.tf:113-119
Calling File: /databases.tf:13-37
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31
113 | resource "aws_vpc_security_group_egress_rule" "delius_db_oem_upload" {
114 | ip_protocol = "tcp"
115 | from_port = 4903
116 | to_port = 4903
117 | cidr_ipv4 = var.account_config.shared_vpc_cidr
118 | security_group_id = aws_security_group.db_ec2.id
119 | }
Check: CKV_AWS_23: "Ensure every security group and rule has a description"
FAILED for resource: module.oracle_db_shared["dsd-db"].aws_vpc_security_group_egress_rule.delius_db_oem_console
File: /../../../delius-core/modules/components/oracle_db_shared/sg.tf:121-128
Calling File: /databases.tf:13-37
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31
121 | resource "aws_vpc_security_group_egress_rule" "delius_db_oem_console" {
122 | ip_protocol = "tcp"
123 | from_port = 7803
124 | to_port = 7803
125 | cidr_ipv4 = var.account_config.shared_vpc_cidr
126 |
127 | security_group_id = aws_security_group.db_ec2.id
128 | }
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
FAILED for resource: module.oracle_db_shared["dsd-db"].s3_bucket_ssh_keys
File: /../../../delius-core/modules/components/oracle_db_shared/ssh_keys.tf:2-45
Calling File: /databases.tf:13-37
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision
2 | module "s3_bucket_ssh_keys" {
3 |
4 | source = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0"
5 |
6 | bucket_name = "${var.account_info.application_name}-${var.env_name}-oracle-${var.db_suffix}-ssh-keys"
7 |
8 | versioning_enabled = false
9 | ownership_controls = "BucketOwnerEnforced"
10 | replication_enabled = false
11 | custom_kms_key = var.account_config.kms_keys.general_shared
12 |
13 | providers = {
14 | aws.bucket-replication = aws.bucket-replication
15 | }
16 |
17 | lifecycle_rule = [
18 | {
19 | id = "main"
20 | enabled = "Enabled"
21 | prefix = ""
22 |
23 | tags = {
24 | rule = "log"
25 | autoclean = "true"
26 | }
27 |
28 | noncurrent_version_transition = [
29 | {
30 | days = 90
31 | storage_class = "STANDARD_IA"
32 | }, {
33 | days = 365
34 | storage_class = "GLACIER"
35 | }
36 | ]
37 |
38 | noncurrent_version_expiration = {
39 | days = 730
40 | }
41 | }
42 | ]
43 |
44 | tags = var.tags
45 | }
Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
FAILED for resource: module.oracle_db_shared["dsd-db"].aws_ssm_parameter.rman_password
File: /../../../delius-core/modules/components/oracle_db_shared/ssm.tf:1-10
Calling File: /databases.tf:13-37
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337
1 | resource "aws_ssm_parameter" "rman_password" {
2 | name = "/${var.account_info.application_name}-${var.env_name}/delius/oracle-${var.db_suffix}-operation/rman/rman_password"
3 | type = "SecureString"
4 | value = "REPLACE"
5 | lifecycle {
6 | ignore_changes = [
7 | value,
8 | ]
9 | }
10 | }
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
FAILED for resource: bcs_instance
File: /bcs.tf:6-61
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_TF_2: "Ensure Terraform module sources use a tag with a version number"
FAILED for resource: bcs_instance
File: /bcs.tf:6-61
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-tag
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_23: "Ensure every security group and rule has a description"
FAILED for resource: aws_security_group.bcs
File: /bcs.tf:1-4
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31
1 | resource "aws_security_group" "bcs" {
2 | name_prefix = "${var.env_name}-bcs"
3 | vpc_id = var.account_info.vpc_id
4 | }
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
FAILED for resource: bps_instance
File: /bps.tf:6-61
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_TF_2: "Ensure Terraform module sources use a tag with a version number"
FAILED for resource: bps_instance
File: /bps.tf:6-61
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-tag
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_23: "Ensure every security group and rule has a description"
FAILED for resource: aws_security_group.bps
File: /bps.tf:1-4
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31
1 | resource "aws_security_group" "bps" {
2 | name_prefix = "${var.env_name}-bps"
3 | vpc_id = var.account_info.vpc_id
4 | }
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
FAILED for resource: bws_instance
File: /bws.tf:6-61
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_TF_2: "Ensure Terraform module sources use a tag with a version number"
FAILED for resource: bws_instance
File: /bws.tf:6-61
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-tag
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_23: "Ensure every security group and rule has a description"
FAILED for resource: aws_security_group.bws
File: /bws.tf:1-4
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31
1 | resource "aws_security_group" "bws" {
2 | name_prefix = "${var.env_name}-bws"
3 | vpc_id = var.account_info.vpc_id
4 | }
Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
FAILED for resource: aws_secretsmanager_secret.ad_admin_password
File: /directory_service.tf:29-39
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms
29 | resource "aws_secretsmanager_secret" "ad_admin_password" {
30 | name = "${var.app_name}-${var.env_name}-ad-admin-password"
31 | recovery_window_in_days = 0
32 |
33 | tags = merge(
34 | var.tags,
35 | {
36 | Name = "${var.app_name}-${var.env_name}-ad-admin-password"
37 | }
38 | )
39 | }
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
FAILED for resource: aws_cloudwatch_log_group.active_directory
File: /directory_service.tf:49-52
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338
49 | resource "aws_cloudwatch_log_group" "active_directory" {
50 | name = "/aws/directoryservice/${aws_directory_service_directory.mis_ad.id}"
51 | retention_in_days = 14
52 | }
Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
FAILED for resource: aws_cloudwatch_log_group.active_directory
File: /directory_service.tf:49-52
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms
49 | resource "aws_cloudwatch_log_group" "active_directory" {
50 | name = "/aws/directoryservice/${aws_directory_service_directory.mis_ad.id}"
51 | retention_in_days = 14
52 | }
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
FAILED for resource: dis_instance
File: /dis.tf:6-61
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_TF_2: "Ensure Terraform module sources use a tag with a version number"
FAILED for resource: dis_instance
File: /dis.tf:6-61
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-tag
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_23: "Ensure every security group and rule has a description"
FAILED for resource: aws_security_group.dis
File: /dis.tf:1-4
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31
1 | resource "aws_security_group" "dis" {
2 | name_prefix = "${var.env_name}-dis"
3 | vpc_id = var.account_info.vpc_id
4 | }
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
FAILED for resource: pagerduty_core_alerts
File: /pagerduty.tf:12-21
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision
12 | module "pagerduty_core_alerts" {
13 |
14 | depends_on = [
15 | aws_sns_topic.delius_mis_alarms
16 | ]
17 |
18 | source = "github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0"
19 | sns_topics = [aws_sns_topic.delius_mis_alarms.name]
20 | pagerduty_integration_key = var.pagerduty_integration_key
21 | }
Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
FAILED for resource: aws_sns_topic.delius_mis_alarms
File: /pagerduty.tf:1-10
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15
1 | resource "aws_sns_topic" "delius_mis_alarms" {
2 | name = "${var.app_name}-${var.env_name}-sns-topic"
3 |
4 | tags = merge(
5 | var.tags,
6 | {
7 | Name = "${var.app_name}-${var.env_name}-sns-topic"
8 | }
9 | )
10 | }
Check: CKV_AWS_23: "Ensure every security group and rule has a description"
FAILED for resource: aws_vpc_security_group_ingress_rule.icmp
File: /sg_legacy.tf:8-14
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31
8 | resource "aws_vpc_security_group_ingress_rule" "icmp" {
9 | security_group_id = aws_security_group.legacy.id
10 | cidr_ipv4 = var.environment_config.legacy_counterpart_vpc_cidr
11 | ip_protocol = "icmp"
12 | from_port = -1
13 | to_port = -1
14 | }
Check: CKV_AWS_23: "Ensure every security group and rule has a description"
FAILED for resource: aws_vpc_security_group_egress_rule.icmp
File: /sg_legacy.tf:16-22
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31
16 | resource "aws_vpc_security_group_egress_rule" "icmp" {
17 | security_group_id = aws_security_group.legacy.id
18 | cidr_ipv4 = var.environment_config.legacy_counterpart_vpc_cidr
19 | ip_protocol = "icmp"
20 | from_port = -1
21 | to_port = -1
22 | }
Check: CKV_AWS_23: "Ensure every security group and rule has a description"
FAILED for resource: aws_vpc_security_group_egress_rule.http_s
File: /sg_shared.tf:8-16
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31
8 | resource "aws_vpc_security_group_egress_rule" "http_s" {
9 | for_each = toset(["80", "443"])
10 |
11 | security_group_id = aws_security_group.mis_ec2_shared.id
12 | cidr_ipv4 = "0.0.0.0/0"
13 | ip_protocol = "tcp"
14 | from_port = each.key
15 | to_port = each.key
16 | }
Check: CKV_AWS_23: "Ensure every security group and rule has a description"
FAILED for resource: aws_vpc_security_group_egress_rule.fleet_manager
File: /sg_shared.tf:18-24
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31
18 | resource "aws_vpc_security_group_egress_rule" "fleet_manager" {
19 | security_group_id = aws_security_group.mis_ec2_shared.id
20 | cidr_ipv4 = "0.0.0.0/0"
21 | ip_protocol = "tcp"
22 | from_port = 3389
23 | to_port = 3389
24 | }
Check: CKV_AWS_23: "Ensure every security group and rule has a description"
FAILED for resource: aws_vpc_security_group_ingress_rule.fleet_manager
File: /sg_shared.tf:26-32
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31
26 | resource "aws_vpc_security_group_ingress_rule" "fleet_manager" {
27 | security_group_id = aws_security_group.mis_ec2_shared.id
28 | cidr_ipv4 = "0.0.0.0/0"
29 | ip_protocol = "tcp"
30 | from_port = 3389
31 | to_port = 3389
32 | }
Check: CKV_AWS_25: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389"
FAILED for resource: aws_vpc_security_group_ingress_rule.fleet_manager
File: /sg_shared.tf:26-32
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-2
26 | resource "aws_vpc_security_group_ingress_rule" "fleet_manager" {
27 | security_group_id = aws_security_group.mis_ec2_shared.id
28 | cidr_ipv4 = "0.0.0.0/0"
29 | ip_protocol = "tcp"
30 | from_port = 3389
31 | to_port = 3389
32 | }
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
FAILED for resource: s3_bucket_ssm_sessions
File: /ssm.tf:4-16
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision
4 | module "s3_bucket_ssm_sessions" {
5 |
6 | source = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0"
7 |
8 | bucket_prefix = "${var.account_info.application_name}-${var.env_name}-ssm-sessions"
9 | versioning_enabled = false
10 |
11 | providers = {
12 | aws.bucket-replication = aws
13 | }
14 |
15 | tags = var.tags
16 | }
Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
FAILED for resource: module.oracle_db_shared["boe-db"].aws_iam_policy_document.allow_access_to_ssm_parameter_store
File: /../../../delius-core/modules/components/oracle_db_shared/iam.tf:90-99
Calling File: /databases.tf:13-37
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint
90 | data "aws_iam_policy_document" "allow_access_to_ssm_parameter_store" {
91 | statement {
92 | sid = "AllowAccessToSsmParameterStore"
93 | effect = "Allow"
94 | actions = [
95 | "ssm:PutParameter"
96 | ]
97 | resources = ["*"]
98 | }
99 | }
Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: module.oracle_db_shared["boe-db"].aws_iam_policy_document.allow_access_to_ssm_parameter_store
File: /../../../delius-core/modules/components/oracle_db_shared/iam.tf:90-99
Calling File: /databases.tf:13-37
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356
90 | data "aws_iam_policy_document" "allow_access_to_ssm_parameter_store" {
91 | statement {
92 | sid = "AllowAccessToSsmParameterStore"
93 | effect = "Allow"
94 | actions = [
95 | "ssm:PutParameter"
96 | ]
97 | resources = ["*"]
98 | }
99 | }
Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
FAILED for resource: module.oracle_db_shared["boe-db"].aws_iam_policy_document.instance_ssm
File: /../../../delius-core/modules/components/oracle_db_shared/iam.tf:170-220
Calling File: /databases.tf:13-37
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: module.oracle_db_shared["boe-db"].aws_iam_policy_document.instance_ssm
File: /../../../delius-core/modules/components/oracle_db_shared/iam.tf:170-220
Calling File: /databases.tf:13-37
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_108: "Ensure IAM policies does not allow data exfiltration"
FAILED for resource: module.oracle_db_shared["boe-db"].aws_iam_policy_document.instance_ssm
File: /../../../delius-core/modules/components/oracle_db_shared/iam.tf:170-220
Calling File: /databases.tf:13-37
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-data-exfiltration
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
FAILED for resource: module.oracle_db_shared["boe-db"].s3_bucket_oracledb_backups
File: /../../../delius-core/modules/components/oracle_db_shared/s3.tf:22-62
Calling File: /databases.tf:13-37
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision
22 | module "s3_bucket_oracledb_backups" {
23 | source = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0"
24 | bucket_name = local.oracle_backup_bucket_prefix
25 | versioning_enabled = false
26 | ownership_controls = "BucketOwnerEnforced"
27 | replication_enabled = false
28 | custom_kms_key = var.account_config.kms_keys.general_shared
29 | bucket_policy = try([data.aws_iam_policy_document.s3_bucket_oracledb_backups[0].json], [
30 | "{}"
31 | ])
32 |
33 | providers = {
34 | aws.bucket-replication = aws.bucket-replication
35 | }
36 |
37 | lifecycle_rule = [
38 | {
39 | id = "main"
40 | enabled = "Enabled"
41 | prefix = ""
42 |
43 | tags = {
44 | rule = "log"
45 | autoclean = "true"
46 | }
47 |
48 | transition = [
49 | {
50 | days = 90
51 | storage_class = "STANDARD_IA"
52 | }
53 | ]
54 |
55 | expiration = {
56 | days = 365
57 | }
58 | }
59 | ]
60 |
61 | tags = var.tags
62 | }
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
FAILED for resource: module.oracle_db_shared["boe-db"].s3_bucket_oracle_statistics
File: /../../../delius-core/modules/components/oracle_db_shared/s3.tf:334-375
Calling File: /databases.tf:13-37
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision
334 | module "s3_bucket_oracle_statistics" {
335 | count = var.deploy_oracle_stats ? 1 : 0
336 |
337 | source = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0"
338 | bucket_name = "${var.account_info.application_name}-${var.env_name}-oracle-${var.db_suffix}-statistics-backup-data"
339 | versioning_enabled = false
340 | ownership_controls = "BucketOwnerEnforced"
341 | replication_enabled = false
342 | custom_kms_key = var.account_config.kms_keys.general_shared
343 | bucket_policy = try([data.aws_iam_policy_document.s3_bucket_oracle_statistics[0].json], [
344 | "{}"
345 | ])
346 | providers = {
347 | aws.bucket-replication = aws.bucket-replication
348 | }
349 |
350 | lifecycle_rule = [
351 | {
352 | id = "main"
353 | enabled = "Enabled"
354 | prefix = ""
355 |
356 | tags = {
357 | rule = "log"
358 | autoclean = "true"
359 | }
360 |
361 | transition = [
362 | {
363 | days = 90
364 | storage_class = "STANDARD_IA"
365 | }
366 | ]
367 |
368 | expiration = {
369 | days = 365
370 | }
371 | }
372 | ]
373 |
374 | tags = var.tags
375 | }
Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: module.oracle_db_shared["boe-db"].aws_iam_policy_document.database_dba_passwords
File: /../../../delius-core/modules/components/oracle_db_shared/secrets.tf:15-26
Calling File: /databases.tf:13-37
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356
15 | data "aws_iam_policy_document" "database_dba_passwords" {
16 | statement {
17 | sid = "OemAWSAccountToReadTheSecret"
18 | effect = "Allow"
19 | principals {
20 | type = "AWS"
21 | identifiers = ["arn:aws:iam::${local.oem_account_id}:role/EC2OracleEnterpriseManagementSecretsRole"]
22 | }
23 | actions = ["secretsmanager:GetSecretValue"]
24 | resources = ["*"]
25 | }
26 | }
Check: CKV_AWS_108: "Ensure IAM policies does not allow data exfiltration"
FAILED for resource: module.oracle_db_shared["boe-db"].aws_iam_policy_document.database_dba_passwords
File: /../../../delius-core/modules/components/oracle_db_shared/secrets.tf:15-26
Calling File: /databases.tf:13-37
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-data-exfiltration
15 | data "aws_iam_policy_document" "database_dba_passwords" {
16 | statement {
17 | sid = "OemAWSAccountToReadTheSecret"
18 | effect = "Allow"
19 | principals {
20 | type = "AWS"
21 | identifiers = ["arn:aws:iam::${local.oem_account_id}:role/EC2OracleEnterpriseManagementSecretsRole"]
22 | }
23 | actions = ["secretsmanager:GetSecretValue"]
24 | resources = ["*"]
25 | }
26 | }
Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
FAILED for resource: module.oracle_db_shared["boe-db"].aws_vpc_security_group_ingress_rule.delius_db_security_group_ssh_ingress_bastion
File: /../../../delius-core/modules/components/oracle_db_shared/sg.tf:76-83
Calling File: /databases.tf:13-37
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security
76 | resource "aws_vpc_security_group_ingress_rule" "delius_db_security_group_ssh_ingress_bastion" {
77 | security_group_id = aws_security_group.db_ec2.id
78 | description = "bastion to testing db"
79 | from_port = 22
80 | to_port = 22
81 | ip_protocol = "tcp"
82 | referenced_security_group_id = var.bastion_sg_id
83 | }
Check: CKV_AWS_23: "Ensure every security group and rule has a description"
FAILED for resource: module.oracle_db_shared["boe-db"].aws_vpc_security_group_ingress_rule.delius_db_oem_db
File: /../../../delius-core/modules/components/oracle_db_shared/sg.tf:85-91
Calling File: /databases.tf:13-37
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31
85 | resource "aws_vpc_security_group_ingress_rule" "delius_db_oem_db" {
86 | ip_protocol = "tcp"
87 | from_port = local.db_port
88 | to_port = local.db_tcps_port
89 | cidr_ipv4 = var.account_config.shared_vpc_cidr
90 | security_group_id = aws_security_group.db_ec2.id
91 | }
Check: CKV_AWS_23: "Ensure every security group and rule has a description"
FAILED for resource: module.oracle_db_shared["boe-db"].aws_vpc_security_group_ingress_rule.delius_db_oem_agent
File: /../../../delius-core/modules/components/oracle_db_shared/sg.tf:105-111
Calling File: /databases.tf:13-37
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31
105 | resource "aws_vpc_security_group_ingress_rule" "delius_db_oem_agent" {
106 | ip_protocol = "tcp"
107 | from_port = 3872
108 | to_port = 3872
109 | cidr_ipv4 = var.account_config.shared_vpc_cidr
110 | security_group_id = aws_security_group.db_ec2.id
111 | }
Check: CKV_AWS_23: "Ensure every security group and rule has a description"
FAILED for resource: module.oracle_db_shared["boe-db"].aws_vpc_security_group_egress_rule.delius_db_oem_upload
File: /../../../delius-core/modules/components/oracle_db_shared/sg.tf:113-119
Calling File: /databases.tf:13-37
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31
113 | resource "aws_vpc_security_group_egress_rule" "delius_db_oem_upload" {
114 | ip_protocol = "tcp"
115 | from_port = 4903
116 | to_port = 4903
117 | cidr_ipv4 = var.account_config.shared_vpc_cidr
118 | security_group_id = aws_security_group.db_ec2.id
119 | }
Check: CKV_AWS_23: "Ensure every security group and rule has a description"
FAILED for resource: module.oracle_db_shared["boe-db"].aws_vpc_security_group_egress_rule.delius_db_oem_console
File: /../../../delius-core/modules/components/oracle_db_shared/sg.tf:121-128
Calling File: /databases.tf:13-37
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31
121 | resource "aws_vpc_security_group_egress_rule" "delius_db_oem_console" {
122 | ip_protocol = "tcp"
123 | from_port = 7803
124 | to_port = 7803
125 | cidr_ipv4 = var.account_config.shared_vpc_cidr
126 |
127 | security_group_id = aws_security_group.db_ec2.id
128 | }
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
FAILED for resource: module.oracle_db_shared["boe-db"].s3_bucket_ssh_keys
File: /../../../delius-core/modules/components/oracle_db_shared/ssh_keys.tf:2-45
Calling File: /databases.tf:13-37
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision
2 | module "s3_bucket_ssh_keys" {
3 |
4 | source = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0"
5 |
6 | bucket_name = "${var.account_info.application_name}-${var.env_name}-oracle-${var.db_suffix}-ssh-keys"
7 |
8 | versioning_enabled = false
9 | ownership_controls = "BucketOwnerEnforced"
10 | replication_enabled = false
11 | custom_kms_key = var.account_config.kms_keys.general_shared
12 |
13 | providers = {
14 | aws.bucket-replication = aws.bucket-replication
15 | }
16 |
17 | lifecycle_rule = [
18 | {
19 | id = "main"
20 | enabled = "Enabled"
21 | prefix = ""
22 |
23 | tags = {
24 | rule = "log"
25 | autoclean = "true"
26 | }
27 |
28 | noncurrent_version_transition = [
29 | {
30 | days = 90
31 | storage_class = "STANDARD_IA"
32 | }, {
33 | days = 365
34 | storage_class = "GLACIER"
35 | }
36 | ]
37 |
38 | noncurrent_version_expiration = {
39 | days = 730
40 | }
41 | }
42 | ]
43 |
44 | tags = var.tags
45 | }
Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
FAILED for resource: module.oracle_db_shared["boe-db"].aws_ssm_parameter.rman_password
File: /../../../delius-core/modules/components/oracle_db_shared/ssm.tf:1-10
Calling File: /databases.tf:13-37
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337
1 | resource "aws_ssm_parameter" "rman_password" {
2 | name = "/${var.account_info.application_name}-${var.env_name}/delius/oracle-${var.db_suffix}-operation/rman/rman_password"
3 | type = "SecureString"
4 | value = "REPLACE"
5 | lifecycle {
6 | ignore_changes = [
7 | value,
8 | ]
9 | }
10 | }
Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
FAILED for resource: module.oracle_db_shared["mis-db"].aws_iam_policy_document.allow_access_to_ssm_parameter_store
File: /../../../delius-core/modules/components/oracle_db_shared/iam.tf:90-99
Calling File: /databases.tf:13-37
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint
90 | data "aws_iam_policy_document" "allow_access_to_ssm_parameter_store" {
91 | statement {
92 | sid = "AllowAccessToSsmParameterStore"
93 | effect = "Allow"
94 | actions = [
95 | "ssm:PutParameter"
96 | ]
97 | resources = ["*"]
98 | }
99 | }
Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: module.oracle_db_shared["mis-db"].aws_iam_policy_document.allow_access_to_ssm_parameter_store
File: /../../../delius-core/modules/components/oracle_db_shared/iam.tf:90-99
Calling File: /databases.tf:13-37
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356
90 | data "aws_iam_policy_document" "allow_access_to_ssm_parameter_store" {
91 | statement {
92 | sid = "AllowAccessToSsmParameterStore"
93 | effect = "Allow"
94 | actions = [
95 | "ssm:PutParameter"
96 | ]
97 | resources = ["*"]
98 | }
99 | }
Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
FAILED for resource: module.oracle_db_shared["mis-db"].aws_iam_policy_document.instance_ssm
File: /../../../delius-core/modules/components/oracle_db_shared/iam.tf:170-220
Calling File: /databases.tf:13-37
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: module.oracle_db_shared["mis-db"].aws_iam_policy_document.instance_ssm
File: /../../../delius-core/modules/components/oracle_db_shared/iam.tf:170-220
Calling File: /databases.tf:13-37
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_108: "Ensure IAM policies does not allow data exfiltration"
FAILED for resource: module.oracle_db_shared["mis-db"].aws_iam_policy_document.instance_ssm
File: /../../../delius-core/modules/components/oracle_db_shared/iam.tf:170-220
Calling File: /databases.tf:13-37
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-data-exfiltration
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
FAILED for resource: module.oracle_db_shared["mis-db"].s3_bucket_oracledb_backups
File: /../../../delius-core/modules/components/oracle_db_shared/s3.tf:22-62
Calling File: /databases.tf:13-37
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision
22 | module "s3_bucket_oracledb_backups" {
23 | source = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0"
24 | bucket_name = local.oracle_backup_bucket_prefix
25 | versioning_enabled = false
26 | ownership_controls = "BucketOwnerEnforced"
27 | replication_enabled = false
28 | custom_kms_key = var.account_config.kms_keys.general_shared
29 | bucket_policy = try([data.aws_iam_policy_document.s3_bucket_oracledb_backups[0].json], [
30 | "{}"
31 | ])
32 |
33 | providers = {
34 | aws.bucket-replication = aws.bucket-replication
35 | }
36 |
37 | lifecycle_rule = [
38 | {
39 | id = "main"
40 | enabled = "Enabled"
41 | prefix = ""
42 |
43 | tags = {
44 | rule = "log"
45 | autoclean = "true"
46 | }
47 |
48 | transition = [
49 | {
50 | days = 90
51 | storage_class = "STANDARD_IA"
52 | }
53 | ]
54 |
55 | expiration = {
56 | days = 365
57 | }
58 | }
59 | ]
60 |
61 | tags = var.tags
62 | }
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
FAILED for resource: module.oracle_db_shared["mis-db"].s3_bucket_oracle_statistics
File: /../../../delius-core/modules/components/oracle_db_shared/s3.tf:334-375
Calling File: /databases.tf:13-37
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision
334 | module "s3_bucket_oracle_statistics" {
335 | count = var.deploy_oracle_stats ? 1 : 0
336 |
337 | source = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0"
338 | bucket_name = "${var.account_info.application_name}-${var.env_name}-oracle-${var.db_suffix}-statistics-backup-data"
339 | versioning_enabled = false
340 | ownership_controls = "BucketOwnerEnforced"
341 | replication_enabled = false
342 | custom_kms_key = var.account_config.kms_keys.general_shared
343 | bucket_policy = try([data.aws_iam_policy_document.s3_bucket_oracle_statistics[0].json], [
344 | "{}"
345 | ])
346 | providers = {
347 | aws.bucket-replication = aws.bucket-replication
348 | }
349 |
350 | lifecycle_rule = [
351 | {
352 | id = "main"
353 | enabled = "Enabled"
354 | prefix = ""
355 |
356 | tags = {
357 | rule = "log"
358 | autoclean = "true"
359 | }
360 |
361 | transition = [
362 | {
363 | days = 90
364 | storage_class = "STANDARD_IA"
365 | }
366 | ]
367 |
368 | expiration = {
369 | days = 365
370 | }
371 | }
372 | ]
373 |
374 | tags = var.tags
375 | }
Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
FAILED for resource: module.oracle_db_shared["mis-db"].aws_iam_policy_document.database_dba_passwords
File: /../../../delius-core/modules/components/oracle_db_shared/secrets.tf:15-26
Calling File: /databases.tf:13-37
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356
15 | data "aws_iam_policy_document" "database_dba_passwords" {
16 | statement {
17 | sid = "OemAWSAccountToReadTheSecret"
18 | effect = "Allow"
19 | principals {
20 | type = "AWS"
21 | identifiers = ["arn:aws:iam::${local.oem_account_id}:role/EC2OracleEnterpriseManagementSecretsRole"]
22 | }
23 | actions = ["secretsmanager:GetSecretValue"]
24 | resources = ["*"]
25 | }
26 | }
Check: CKV_AWS_108: "Ensure IAM policies does not allow data exfiltration"
FAILED for resource: module.oracle_db_shared["mis-db"].aws_iam_policy_document.database_dba_passwords
File: /../../../delius-core/modules/components/oracle_db_shared/secrets.tf:15-26
Calling File: /databases.tf:13-37
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-data-exfiltration
15 | data "aws_iam_policy_document" "database_dba_passwords" {
16 | statement {
17 | sid = "OemAWSAccountToReadTheSecret"
18 | effect = "Allow"
19 | principals {
20 | type = "AWS"
21 | identifiers = ["arn:aws:iam::${local.oem_account_id}:role/EC2OracleEnterpriseManagementSecretsRole"]
22 | }
23 | actions = ["secretsmanager:GetSecretValue"]
24 | resources = ["*"]
25 | }
26 | }
Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
FAILED for resource: module.oracle_db_shared["mis-db"].aws_vpc_security_group_ingress_rule.delius_db_security_group_ssh_ingress_bastion
File: /../../../delius-core/modules/components/oracle_db_shared/sg.tf:76-83
Calling File: /databases.tf:13-37
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security
76 | resource "aws_vpc_security_group_ingress_rule" "delius_db_security_group_ssh_ingress_bastion" {
77 | security_group_id = aws_security_group.db_ec2.id
78 | description = "bastion to testing db"
79 | from_port = 22
80 | to_port = 22
81 | ip_protocol = "tcp"
82 | referenced_security_group_id = var.bastion_sg_id
83 | }
Check: CKV_AWS_23: "Ensure every security group and rule has a description"
FAILED for resource: module.oracle_db_shared["mis-db"].aws_vpc_security_group_ingress_rule.delius_db_oem_db
File: /../../../delius-core/modules/components/oracle_db_shared/sg.tf:85-91
Calling File: /databases.tf:13-37
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31
85 | resource "aws_vpc_security_group_ingress_rule" "delius_db_oem_db" {
86 | ip_protocol = "tcp"
87 | from_port = local.db_port
88 | to_port = local.db_tcps_port
89 | cidr_ipv4 = var.account_config.shared_vpc_cidr
90 | security_group_id = aws_security_group.db_ec2.id
91 | }
Check: CKV_AWS_23: "Ensure every security group and rule has a description"
FAILED for resource: module.oracle_db_shared["mis-db"].aws_vpc_security_group_ingress_rule.delius_db_oem_agent
File: /../../../delius-core/modules/components/oracle_db_shared/sg.tf:105-111
Calling File: /databases.tf:13-37
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31
105 | resource "aws_vpc_security_group_ingress_rule" "delius_db_oem_agent" {
106 | ip_protocol = "tcp"
107 | from_port = 3872
108 | to_port = 3872
109 | cidr_ipv4 = var.account_config.shared_vpc_cidr
110 | security_group_id = aws_security_group.db_ec2.id
111 | }
Check: CKV_AWS_23: "Ensure every security group and rule has a description"
FAILED for resource: module.oracle_db_shared["mis-db"].aws_vpc_security_group_egress_rule.delius_db_oem_upload
File: /../../../delius-core/modules/components/oracle_db_shared/sg.tf:113-119
Calling File: /databases.tf:13-37
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31
113 | resource "aws_vpc_security_group_egress_rule" "delius_db_oem_upload" {
114 | ip_protocol = "tcp"
115 | from_port = 4903
116 | to_port = 4903
117 | cidr_ipv4 = var.account_config.shared_vpc_cidr
118 | security_group_id = aws_security_group.db_ec2.id
119 | }
Check: CKV_AWS_23: "Ensure every security group and rule has a description"
FAILED for resource: module.oracle_db_shared["mis-db"].aws_vpc_security_group_egress_rule.delius_db_oem_console
File: /../../../delius-core/modules/components/oracle_db_shared/sg.tf:121-128
Calling File: /databases.tf:13-37
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31
121 | resource "aws_vpc_security_group_egress_rule" "delius_db_oem_console" {
122 | ip_protocol = "tcp"
123 | from_port = 7803
124 | to_port = 7803
125 | cidr_ipv4 = var.account_config.shared_vpc_cidr
126 |
127 | security_group_id = aws_security_group.db_ec2.id
128 | }
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
FAILED for resource: module.oracle_db_shared["mis-db"].s3_bucket_ssh_keys
File: /../../../delius-core/modules/components/oracle_db_shared/ssh_keys.tf:2-45
Calling File: /databases.tf:13-37
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision
2 | module "s3_bucket_ssh_keys" {
3 |
4 | source = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0"
5 |
6 | bucket_name = "${var.account_info.application_name}-${var.env_name}-oracle-${var.db_suffix}-ssh-keys"
7 |
8 | versioning_enabled = false
9 | ownership_controls = "BucketOwnerEnforced"
10 | replication_enabled = false
11 | custom_kms_key = var.account_config.kms_keys.general_shared
12 |
13 | providers = {
14 | aws.bucket-replication = aws.bucket-replication
15 | }
16 |
17 | lifecycle_rule = [
18 | {
19 | id = "main"
20 | enabled = "Enabled"
21 | prefix = ""
22 |
23 | tags = {
24 | rule = "log"
25 | autoclean = "true"
26 | }
27 |
28 | noncurrent_version_transition = [
29 | {
30 | days = 90
31 | storage_class = "STANDARD_IA"
32 | }, {
33 | days = 365
34 | storage_class = "GLACIER"
35 | }
36 | ]
37 |
38 | noncurrent_version_expiration = {
39 | days = 730
40 | }
41 | }
42 | ]
43 |
44 | tags = var.tags
45 | }
Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
FAILED for resource: module.oracle_db_shared["mis-db"].aws_ssm_parameter.rman_password
File: /../../../delius-core/modules/components/oracle_db_shared/ssm.tf:1-10
Calling File: /databases.tf:13-37
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337
1 | resource "aws_ssm_parameter" "rman_password" {
2 | name = "/${var.account_info.application_name}-${var.env_name}/delius/oracle-${var.db_suffix}-operation/rman/rman_password"
3 | type = "SecureString"
4 | value = "REPLACE"
5 | lifecycle {
6 | ignore_changes = [
7 | value,
8 | ]
9 | }
10 | }
Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
FAILED for resource: module.oracle_db_shared["dsd-db"].aws_s3_bucket.s3_bucket_oracledb_backups_inventory
File: /../../../delius-core/modules/components/oracle_db_shared/s3.tf:188-200
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging
188 | resource "aws_s3_bucket" "s3_bucket_oracledb_backups_inventory" {
189 |
190 | bucket = "${local.oracle_backup_bucket_prefix}-inventory"
191 | tags = merge(
192 | var.tags,
193 | {
194 | "Name" = "${local.oracle_backup_bucket_prefix}-inventory"
195 | },
196 | {
197 | "Purpose" = "Inventory of Oracle DB Backup Pieces"
198 | },
199 | )
200 | }
Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
FAILED for resource: module.oracle_db_shared["boe-db"].aws_s3_bucket.s3_bucket_oracledb_backups_inventory
File: /../../../delius-core/modules/components/oracle_db_shared/s3.tf:188-200
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging
188 | resource "aws_s3_bucket" "s3_bucket_oracledb_backups_inventory" {
189 |
190 | bucket = "${local.oracle_backup_bucket_prefix}-inventory"
191 | tags = merge(
192 | var.tags,
193 | {
194 | "Name" = "${local.oracle_backup_bucket_prefix}-inventory"
195 | },
196 | {
197 | "Purpose" = "Inventory of Oracle DB Backup Pieces"
198 | },
199 | )
200 | }
Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
FAILED for resource: module.oracle_db_shared["mis-db"].aws_s3_bucket.s3_bucket_oracledb_backups_inventory
File: /../../../delius-core/modules/components/oracle_db_shared/s3.tf:188-200
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging
188 | resource "aws_s3_bucket" "s3_bucket_oracledb_backups_inventory" {
189 |
190 | bucket = "${local.oracle_backup_bucket_prefix}-inventory"
191 | tags = merge(
192 | var.tags,
193 | {
194 | "Name" = "${local.oracle_backup_bucket_prefix}-inventory"
195 | },
196 | {
197 | "Purpose" = "Inventory of Oracle DB Backup Pieces"
198 | },
199 | )
200 | }
Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
FAILED for resource: module.oracle_db_shared["dsd-db"].aws_security_group.db_ec2
File: /../../../delius-core/modules/components/oracle_db_shared/sg.tf:1-11
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis
1 | resource "aws_security_group" "db_ec2" {
2 | name = "${var.account_info.application_name}-${var.env_name}-${var.db_suffix}-ec2-instance-sg"
3 | description = "Controls access to db ec2 instance"
4 | vpc_id = var.account_config.shared_vpc_id
5 | tags = merge(var.tags,
6 | { Name = "${var.account_info.application_name}-${var.env_name}-${var.db_suffix}-ec2-instance-sg" }
7 | )
8 | lifecycle {
9 | create_before_destroy = true
10 | }
11 | }
Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
FAILED for resource: aws_security_group.bcs
File: /bcs.tf:1-4
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis
1 | resource "aws_security_group" "bcs" {
2 | name_prefix = "${var.env_name}-bcs"
3 | vpc_id = var.account_info.vpc_id
4 | }
Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
FAILED for resource: aws_security_group.bps
File: /bps.tf:1-4
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis
1 | resource "aws_security_group" "bps" {
2 | name_prefix = "${var.env_name}-bps"
3 | vpc_id = var.account_info.vpc_id
4 | }
Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
FAILED for resource: aws_security_group.bws
File: /bws.tf:1-4
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis
1 | resource "aws_security_group" "bws" {
2 | name_prefix = "${var.env_name}-bws"
3 | vpc_id = var.account_info.vpc_id
4 | }
Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
FAILED for resource: aws_security_group.dis
File: /dis.tf:1-4
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis
1 | resource "aws_security_group" "dis" {
2 | name_prefix = "${var.env_name}-dis"
3 | vpc_id = var.account_info.vpc_id
4 | }
Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
FAILED for resource: aws_security_group.fsx
File: /fsx.tf:22-26
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis
22 | resource "aws_security_group" "fsx" {
23 | name = "${var.app_name}-${var.env_name}-fsx"
24 | description = "Security group for FSx"
25 | vpc_id = var.account_info.vpc_id
26 | }
Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
FAILED for resource: aws_security_group.legacy
File: /sg_legacy.tf:1-6
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis
1 | resource "aws_security_group" "legacy" {
2 | name = "${var.env_name}-allow-legacy-traffic"
3 | description = "Security group to allow connectivity with resources in legacy environments. To be removed once all components have been migrated"
4 | vpc_id = var.account_info.vpc_id
5 | tags = var.tags
6 | }
Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
FAILED for resource: aws_security_group.mis_ec2_shared
File: /sg_shared.tf:1-6
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis
1 | resource "aws_security_group" "mis_ec2_shared" {
2 | name = "${var.env_name}-mis-ec2-shared"
3 | description = "Security group to allow connectivity within MP"
4 | vpc_id = var.account_info.vpc_id
5 | tags = var.tags
6 | }
Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
FAILED for resource: module.oracle_db_shared["boe-db"].aws_security_group.db_ec2
File: /../../../delius-core/modules/components/oracle_db_shared/sg.tf:1-11
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis
1 | resource "aws_security_group" "db_ec2" {
2 | name = "${var.account_info.application_name}-${var.env_name}-${var.db_suffix}-ec2-instance-sg"
3 | description = "Controls access to db ec2 instance"
4 | vpc_id = var.account_config.shared_vpc_id
5 | tags = merge(var.tags,
6 | { Name = "${var.account_info.application_name}-${var.env_name}-${var.db_suffix}-ec2-instance-sg" }
7 | )
8 | lifecycle {
9 | create_before_destroy = true
10 | }
11 | }
Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
FAILED for resource: module.oracle_db_shared["mis-db"].aws_security_group.db_ec2
File: /../../../delius-core/modules/components/oracle_db_shared/sg.tf:1-11
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis
1 | resource "aws_security_group" "db_ec2" {
2 | name = "${var.account_info.application_name}-${var.env_name}-${var.db_suffix}-ec2-instance-sg"
3 | description = "Controls access to db ec2 instance"
4 | vpc_id = var.account_config.shared_vpc_id
5 | tags = merge(var.tags,
6 | { Name = "${var.account_info.application_name}-${var.env_name}-${var.db_suffix}-ec2-instance-sg" }
7 | )
8 | lifecycle {
9 | create_before_destroy = true
10 | }
11 | }
Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
FAILED for resource: module.oracle_db_shared["dsd-db"].aws_s3_bucket.s3_bucket_oracledb_backups_inventory
File: /../../../delius-core/modules/components/oracle_db_shared/s3.tf:188-200
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61
188 | resource "aws_s3_bucket" "s3_bucket_oracledb_backups_inventory" {
189 |
190 | bucket = "${local.oracle_backup_bucket_prefix}-inventory"
191 | tags = merge(
192 | var.tags,
193 | {
194 | "Name" = "${local.oracle_backup_bucket_prefix}-inventory"
195 | },
196 | {
197 | "Purpose" = "Inventory of Oracle DB Backup Pieces"
198 | },
199 | )
200 | }
Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
FAILED for resource: module.oracle_db_shared["boe-db"].aws_s3_bucket.s3_bucket_oracledb_backups_inventory
File: /../../../delius-core/modules/components/oracle_db_shared/s3.tf:188-200
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61
188 | resource "aws_s3_bucket" "s3_bucket_oracledb_backups_inventory" {
189 |
190 | bucket = "${local.oracle_backup_bucket_prefix}-inventory"
191 | tags = merge(
192 | var.tags,
193 | {
194 | "Name" = "${local.oracle_backup_bucket_prefix}-inventory"
195 | },
196 | {
197 | "Purpose" = "Inventory of Oracle DB Backup Pieces"
198 | },
199 | )
200 | }
Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
FAILED for resource: module.oracle_db_shared["mis-db"].aws_s3_bucket.s3_bucket_oracledb_backups_inventory
File: /../../../delius-core/modules/components/oracle_db_shared/s3.tf:188-200
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61
188 | resource "aws_s3_bucket" "s3_bucket_oracledb_backups_inventory" {
189 |
190 | bucket = "${local.oracle_backup_bucket_prefix}-inventory"
191 | tags = merge(
192 | var.tags,
193 | {
194 | "Name" = "${local.oracle_backup_bucket_prefix}-inventory"
195 | },
196 | {
197 | "Purpose" = "Inventory of Oracle DB Backup Pieces"
198 | },
199 | )
200 | }
Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
FAILED for resource: module.oracle_db_shared["dsd-db"].aws_s3_bucket.s3_bucket_oracledb_backups_inventory
File: /../../../delius-core/modules/components/oracle_db_shared/s3.tf:188-200
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled
188 | resource "aws_s3_bucket" "s3_bucket_oracledb_backups_inventory" {
189 |
190 | bucket = "${local.oracle_backup_bucket_prefix}-inventory"
191 | tags = merge(
192 | var.tags,
193 | {
194 | "Name" = "${local.oracle_backup_bucket_prefix}-inventory"
195 | },
196 | {
197 | "Purpose" = "Inventory of Oracle DB Backup Pieces"
198 | },
199 | )
200 | }
Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
FAILED for resource: module.oracle_db_shared["boe-db"].aws_s3_bucket.s3_bucket_oracledb_backups_inventory
File: /../../../delius-core/modules/components/oracle_db_shared/s3.tf:188-200
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled
188 | resource "aws_s3_bucket" "s3_bucket_oracledb_backups_inventory" {
189 |
190 | bucket = "${local.oracle_backup_bucket_prefix}-inventory"
191 | tags = merge(
192 | var.tags,
193 | {
194 | "Name" = "${local.oracle_backup_bucket_prefix}-inventory"
195 | },
196 | {
197 | "Purpose" = "Inventory of Oracle DB Backup Pieces"
198 | },
199 | )
200 | }
Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
FAILED for resource: module.oracle_db_shared["mis-db"].aws_s3_bucket.s3_bucket_oracledb_backups_inventory
File: /../../../delius-core/modules/components/oracle_db_shared/s3.tf:188-200
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled
188 | resource "aws_s3_bucket" "s3_bucket_oracledb_backups_inventory" {
189 |
190 | bucket = "${local.oracle_backup_bucket_prefix}-inventory"
191 | tags = merge(
192 | var.tags,
193 | {
194 | "Name" = "${local.oracle_backup_bucket_prefix}-inventory"
195 | },
196 | {
197 | "Purpose" = "Inventory of Oracle DB Backup Pieces"
198 | },
199 | )
200 | }
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
FAILED for resource: module.oracle_db_shared["dsd-db"].aws_s3_bucket.s3_bucket_oracledb_backups_inventory
File: /../../../delius-core/modules/components/oracle_db_shared/s3.tf:188-200
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62
188 | resource "aws_s3_bucket" "s3_bucket_oracledb_backups_inventory" {
189 |
190 | bucket = "${local.oracle_backup_bucket_prefix}-inventory"
191 | tags = merge(
192 | var.tags,
193 | {
194 | "Name" = "${local.oracle_backup_bucket_prefix}-inventory"
195 | },
196 | {
197 | "Purpose" = "Inventory of Oracle DB Backup Pieces"
198 | },
199 | )
200 | }
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
FAILED for resource: module.oracle_db_shared["boe-db"].aws_s3_bucket.s3_bucket_oracledb_backups_inventory
File: /../../../delius-core/modules/components/oracle_db_shared/s3.tf:188-200
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62
188 | resource "aws_s3_bucket" "s3_bucket_oracledb_backups_inventory" {
189 |
190 | bucket = "${local.oracle_backup_bucket_prefix}-inventory"
191 | tags = merge(
192 | var.tags,
193 | {
194 | "Name" = "${local.oracle_backup_bucket_prefix}-inventory"
195 | },
196 | {
197 | "Purpose" = "Inventory of Oracle DB Backup Pieces"
198 | },
199 | )
200 | }
Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
FAILED for resource: module.oracle_db_shared["mis-db"].aws_s3_bucket.s3_bucket_oracledb_backups_inventory
File: /../../../delius-core/modules/components/oracle_db_shared/s3.tf:188-200
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62
188 | resource "aws_s3_bucket" "s3_bucket_oracledb_backups_inventory" {
189 |
190 | bucket = "${local.oracle_backup_bucket_prefix}-inventory"
191 | tags = merge(
192 | var.tags,
193 | {
194 | "Name" = "${local.oracle_backup_bucket_prefix}-inventory"
195 | },
196 | {
197 | "Purpose" = "Inventory of Oracle DB Backup Pieces"
198 | },
199 | )
200 | }
Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
FAILED for resource: module.oracle_db_shared["dsd-db"].aws_secretsmanager_secret.database_dba_passwords
File: /../../../delius-core/modules/components/oracle_db_shared/secrets.tf:3-8
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57
3 | resource "aws_secretsmanager_secret" "database_dba_passwords" {
4 | name = local.dba_secret_name
5 | description = "DBA Users Credentials"
6 | kms_key_id = var.account_config.kms_keys.general_shared
7 | tags = var.tags
8 | }
Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
FAILED for resource: module.oracle_db_shared["dsd-db"].aws_secretsmanager_secret.database_application_passwords
File: /../../../delius-core/modules/components/oracle_db_shared/secrets.tf:34-39
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57
34 | resource "aws_secretsmanager_secret" "database_application_passwords" {
35 | name = local.application_secret_name
36 | description = "Application Users Credentials"
37 | kms_key_id = var.account_config.kms_keys.general_shared
38 | tags = var.tags
39 | }
Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
FAILED for resource: aws_secretsmanager_secret.ad_admin_password
File: /directory_service.tf:29-39
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57
29 | resource "aws_secretsmanager_secret" "ad_admin_password" {
30 | name = "${var.app_name}-${var.env_name}-ad-admin-password"
31 | recovery_window_in_days = 0
32 |
33 | tags = merge(
34 | var.tags,
35 | {
36 | Name = "${var.app_name}-${var.env_name}-ad-admin-password"
37 | }
38 | )
39 | }
Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
FAILED for resource: aws_secretsmanager_secret.ad_username
File: /secrets.tf:3-9
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57
3 | resource "aws_secretsmanager_secret" "ad_username" {
4 | #checkov:skip=CKV_AWS_149
5 | name = "${var.env_name}-legacy-ad-username"
6 | recovery_window_in_days = 0
7 |
8 | tags = var.tags
9 | }
Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
FAILED for resource: aws_secretsmanager_secret.ad_password
File: /secrets.tf:12-18
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57
12 | resource "aws_secretsmanager_secret" "ad_password" {
13 | #checkov:skip=CKV_AWS_149
14 | name = "${var.env_name}-legacy-ad-password"
15 | recovery_window_in_days = 0
16 |
17 | tags = var.tags
18 | }
Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
FAILED for resource: module.oracle_db_shared["boe-db"].aws_secretsmanager_secret.database_dba_passwords
File: /../../../delius-core/modules/components/oracle_db_shared/secrets.tf:3-8
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57
3 | resource "aws_secretsmanager_secret" "database_dba_passwords" {
4 | name = local.dba_secret_name
5 | description = "DBA Users Credentials"
6 | kms_key_id = var.account_config.kms_keys.general_shared
7 | tags = var.tags
8 | }
Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
FAILED for resource: module.oracle_db_shared["boe-db"].aws_secretsmanager_secret.database_application_passwords
File: /../../../delius-core/modules/components/oracle_db_shared/secrets.tf:34-39
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57
34 | resource "aws_secretsmanager_secret" "database_application_passwords" {
35 | name = local.application_secret_name
36 | description = "Application Users Credentials"
37 | kms_key_id = var.account_config.kms_keys.general_shared
38 | tags = var.tags
39 | }
Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
FAILED for resource: module.oracle_db_shared["mis-db"].aws_secretsmanager_secret.database_dba_passwords
File: /../../../delius-core/modules/components/oracle_db_shared/secrets.tf:3-8
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57
3 | resource "aws_secretsmanager_secret" "database_dba_passwords" {
4 | name = local.dba_secret_name
5 | description = "DBA Users Credentials"
6 | kms_key_id = var.account_config.kms_keys.general_shared
7 | tags = var.tags
8 | }
Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
FAILED for resource: module.oracle_db_shared["mis-db"].aws_secretsmanager_secret.database_application_passwords
File: /../../../delius-core/modules/components/oracle_db_shared/secrets.tf:34-39
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57
34 | resource "aws_secretsmanager_secret" "database_application_passwords" {
35 | name = local.application_secret_name
36 | description = "Application Users Credentials"
37 | kms_key_id = var.account_config.kms_keys.general_shared
38 | tags = var.tags
39 | }
Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
FAILED for resource: module.oracle_db_shared["dsd-db"].aws_s3_bucket.s3_bucket_oracledb_backups_inventory
File: /../../../delius-core/modules/components/oracle_db_shared/s3.tf:188-200
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning
188 | resource "aws_s3_bucket" "s3_bucket_oracledb_backups_inventory" {
189 |
190 | bucket = "${local.oracle_backup_bucket_prefix}-inventory"
191 | tags = merge(
192 | var.tags,
193 | {
194 | "Name" = "${local.oracle_backup_bucket_prefix}-inventory"
195 | },
196 | {
197 | "Purpose" = "Inventory of Oracle DB Backup Pieces"
198 | },
199 | )
200 | }
Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
FAILED for resource: module.oracle_db_shared["boe-db"].aws_s3_bucket.s3_bucket_oracledb_backups_inventory
File: /../../../delius-core/modules/components/oracle_db_shared/s3.tf:188-200
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning
188 | resource "aws_s3_bucket" "s3_bucket_oracledb_backups_inventory" {
189 |
190 | bucket = "${local.oracle_backup_bucket_prefix}-inventory"
191 | tags = merge(
192 | var.tags,
193 | {
194 | "Name" = "${local.oracle_backup_bucket_prefix}-inventory"
195 | },
196 | {
197 | "Purpose" = "Inventory of Oracle DB Backup Pieces"
198 | },
199 | )
200 | }
Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
FAILED for resource: module.oracle_db_shared["mis-db"].aws_s3_bucket.s3_bucket_oracledb_backups_inventory
File: /../../../delius-core/modules/components/oracle_db_shared/s3.tf:188-200
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning
188 | resource "aws_s3_bucket" "s3_bucket_oracledb_backups_inventory" {
189 |
190 | bucket = "${local.oracle_backup_bucket_prefix}-inventory"
191 | tags = merge(
192 | var.tags,
193 | {
194 | "Name" = "${local.oracle_backup_bucket_prefix}-inventory"
195 | },
196 | {
197 | "Purpose" = "Inventory of Oracle DB Backup Pieces"
198 | },
199 | )
200 | }
checkov_exitcode=1
*****************************
Running Checkov in terraform/modules/disable_alarms_lambda
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
terraform scan results:
Passed checks: 43, Failed checks: 8, Skipped checks: 0
Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
FAILED for resource: aws_lambda_function.disable_alarms
File: /main.tf:8-25
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit
8 | resource "aws_lambda_function" "disable_alarms" {
9 | filename = "${path.module}/lambda/disable_alarms.zip"
10 | function_name = var.lambda_function_name
11 | architectures = ["arm64"]
12 | role = aws_iam_role.lambda_exec.arn
13 | runtime = "python3.12"
14 | handler = "disable_alarms.lambda_handler"
15 | source_code_hash = data.archive_file.lambda_function_payload.output_base64sha256
16 |
17 | environment {
18 | variables = {
19 | LOG_LEVEL = var.lambda_log_level
20 | SPECIFIC_ALARMS = tostring(join(",", var.alarm_list))
21 | }
22 | }
23 |
24 | tags = var.tags
25 | }
Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
FAILED for resource: aws_lambda_function.disable_alarms
File: /main.tf:8-25
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272
8 | resource "aws_lambda_function" "disable_alarms" {
9 | filename = "${path.module}/lambda/disable_alarms.zip"
10 | function_name = var.lambda_function_name
11 | architectures = ["arm64"]
12 | role = aws_iam_role.lambda_exec.arn
13 | runtime = "python3.12"
14 | handler = "disable_alarms.lambda_handler"
15 | source_code_hash = data.archive_file.lambda_function_payload.output_base64sha256
16 |
17 | environment {
18 | variables = {
19 | LOG_LEVEL = var.lambda_log_level
20 | SPECIFIC_ALARMS = tostring(join(",", var.alarm_list))
21 | }
22 | }
23 |
24 | tags = var.tags
25 | }
Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
FAILED for resource: aws_lambda_function.disable_alarms
File: /main.tf:8-25
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5
8 | resource "aws_lambda_function" "disable_alarms" {
9 | filename = "${path.module}/lambda/disable_alarms.zip"
10 | function_name = var.lambda_function_name
11 | architectures = ["arm64"]
12 | role = aws_iam_role.lambda_exec.arn
13 | runtime = "python3.12"
14 | handler = "disable_alarms.lambda_handler"
15 | source_code_hash = data.archive_file.lambda_function_payload.output_base64sha256
16 |
17 | environment {
18 | variables = {
19 | LOG_LEVEL = var.lambda_log_level
20 | SPECIFIC_ALARMS = tostring(join(",", var.alarm_list))
21 | }
22 | }
23 |
24 | tags = var.tags
25 | }
Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
FAILED for resource: aws_lambda_function.disable_alarms
File: /main.tf:8-25
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1
8 | resource "aws_lambda_function" "disable_alarms" {
9 | filename = "${path.module}/lambda/disable_alarms.zip"
10 | function_name = var.lambda_function_name
11 | architectures = ["arm64"]
12 | role = aws_iam_role.lambda_exec.arn
13 | runtime = "python3.12"
14 | handler = "disable_alarms.lambda_handler"
15 | source_code_hash = data.archive_file.lambda_function_payload.output_base64sha256
16 |
17 | environment {
18 | variables = {
19 | LOG_LEVEL = var.lambda_log_level
20 | SPECIFIC_ALARMS = tostring(join(",", var.alarm_list))
21 | }
22 | }
23 |
24 | tags = var.tags
25 | }
Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
FAILED for resource: aws_lambda_function.disable_alarms
File: /main.tf:8-25
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq
8 | resource "aws_lambda_function" "disable_alarms" {
9 | filename = "${path.module}/lambda/disable_alarms.zip"
10 | function_name = var.lambda_function_name
11 | architectures = ["arm64"]
12 | role = aws_iam_role.lambda_exec.arn
13 | runtime = "python3.12"
14 | handler = "disable_alarms.lambda_handler"
15 | source_code_hash = data.archive_file.lambda_function_payload.output_base64sha256
16 |
17 | environment {
18 | variables = {
19 | LOG_LEVEL = var.lambda_log_level
20 | SPECIFIC_ALARMS = tostring(join(",", var.alarm_list))
21 | }
22 | }
23 |
24 | tags = var.tags
25 | }
Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
FAILED for resource: aws_lambda_function.disable_alarms
File: /main.tf:8-25
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4
8 | resource "aws_lambda_function" "disable_alarms" {
9 | filename = "${path.module}/lambda/disable_alarms.zip"
10 | function_name = var.lambda_function_name
11 | architectures = ["arm64"]
12 | role = aws_iam_role.lambda_exec.arn
13 | runtime = "python3.12"
14 | handler = "disable_alarms.lambda_handler"
15 | source_code_hash = data.archive_file.lambda_function_payload.output_base64sha256
16 |
17 | environment {
18 | variables = {
19 | LOG_LEVEL = var.lambda_log_level
20 | SPECIFIC_ALARMS = tostring(join(",", var.alarm_list))
21 | }
22 | }
23 |
24 | tags = var.tags
25 | }
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
FAILED for resource: aws_cloudwatch_log_group.execution_logs
File: /main.tf:27-32
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338
27 | resource "aws_cloudwatch_log_group" "execution_logs" {
28 | name = format("/aws/lambda/%s", var.lambda_function_name)
29 | retention_in_days = 7
30 |
31 | tags = var.tags
32 | }
Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
FAILED for resource: aws_cloudwatch_log_group.execution_logs
File: /main.tf:27-32
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms
27 | resource "aws_cloudwatch_log_group" "execution_logs" {
28 | name = format("/aws/lambda/%s", var.lambda_function_name)
29 | retention_in_days = 7
30 |
31 | tags = var.tags
32 | }
checkov_exitcode=2
CTFLint Scan Failed
Show Output
*****************************
Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version:0.9.1)
tflint will check the following folders:
terraform/environments/delius-mis/modules/mis_environment
terraform/modules/disable_alarms_lambda
*****************************
Running tflint in terraform/environments/delius-mis/modules/mis_environment
Excluding the following checks: terraform_unused_declarations
4issue(s) found:
Warning: Module source "github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance" is not pinned (terraform_module_pinned_source)
on terraform/environments/delius-mis/modules/mis_environment/bcs.tf line 7:7:source="github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance"
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_module_pinned_source.md
Warning: Module source "github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance" is not pinned (terraform_module_pinned_source)
on terraform/environments/delius-mis/modules/mis_environment/bps.tf line 7:7:source="github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance"
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_module_pinned_source.md
Warning: Module source "github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance" is not pinned (terraform_module_pinned_source)
on terraform/environments/delius-mis/modules/mis_environment/bws.tf line 7:7:source="github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance"
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_module_pinned_source.md
Warning: Module source "github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance" is not pinned (terraform_module_pinned_source)
on terraform/environments/delius-mis/modules/mis_environment/dis.tf line 7:7:source="github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance"
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_module_pinned_source.mdtflint_exitcode=2*****************************
Running tflint in terraform/modules/disable_alarms_lambda
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=2
Trivy Scan Failed
Show Output
*****************************
Trivy will check the following folders:
terraform/environments/delius-mis/modules/mis_environment
terraform/modules/disable_alarms_lambda
*****************************
Running Trivy in terraform/environments/delius-mis/modules/mis_environment
2024-10-14T12:48:23Z INFO [vulndb] Need to update DB
2024-10-14T12:48:23Z INFO [vulndb] Downloading vulnerability DB...2024-10-14T12:48:23Z INFO [vulndb] Downloading artifact...repo="ghcr.io/aquasecurity/trivy-db:2"2024-10-14T12:48:26Z INFO [vulndb] Artifact successfully downloaded repo="ghcr.io/aquasecurity/trivy-db:2"2024-10-14T12:48:26Z INFO [vuln] Vulnerability scanning is enabled
2024-10-14T12:48:26Z INFO [misconfig] Misconfiguration scanning is enabled
2024-10-14T12:48:26Z INFO [misconfig] Need to update the built-in checks
2024-10-14T12:48:26Z INFO [misconfig] Downloading the built-in checks...156.02 KiB /156.02 KiB [------------------------------------------------------] 100.00%? p/s 100ms2024-10-14T12:48:26Z INFO [secret] Secret scanning is enabled
2024-10-14T12:48:26Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-10-14T12:48:26Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.56/docs/scanner/secret#recommendation for faster secret detection2024-10-14T12:48:27Z INFO [terraformscanner] Scanning root module file_path="."2024-10-14T12:48:27Z WARN [terraformparser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.module="root"variables="account_config, account_info, app_name, bastion_config, bcs_config, boe_db_config, bps_config, bws_config, dis_config, dsd_db_config, env_name, environment_config, fsx_config, mis_db_config, platform_vars, tags"2024-10-14T12:48:27Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="dynamic.ip_address"value="cty.NilVal"2024-10-14T12:48:27Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="dynamic.target_ip"value="cty.NilVal"2024-10-14T12:48:27Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="dynamic.ip_address"value="cty.NilVal"2024-10-14T12:48:27Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="dynamic.target_ip"value="cty.NilVal"2024-10-14T12:48:28Z ERROR [terraformevaluator] Failed to load module. Maybe try 'terraform init'?err="open /github/workspace/terraform/environments/delius-mis/modules/modules/disable_alarms_lambda: no such file or directory"2024-10-14T12:48:31Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.bastion_linux.aws_s3_object.user_public_keys"value="cty.NilVal"2024-10-14T12:48:31Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.bastion_linux.data.aws_subnet.local_account"value="cty.NilVal"2024-10-14T12:48:31Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.bastion_linux.dynamic.tag"value="cty.NilVal"2024-10-14T12:48:31Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.bastion_linux.dynamic.tag"value="cty.NilVal"2024-10-14T12:48:32Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.bastion_linux.module.s3-bucket.dynamic.expiration"value="cty.NilVal"2024-10-14T12:48:32Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.bastion_linux.module.s3-bucket.dynamic.transition"value="cty.NilVal"2024-10-14T12:48:32Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration"value="cty.NilVal"2024-10-14T12:48:32Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition"value="cty.NilVal"2024-10-14T12:48:32Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.bastion_linux.module.s3-bucket.dynamic.principals"value="cty.NilVal"2024-10-14T12:48:32Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.bastion_linux.module.s3-bucket.dynamic.condition"value="cty.NilVal"2024-10-14T12:48:32Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.bastion_linux.module.s3-bucket.dynamic.expiration"value="cty.NilVal"2024-10-14T12:48:32Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.bastion_linux.module.s3-bucket.dynamic.transition"value="cty.NilVal"2024-10-14T12:48:32Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration"value="cty.NilVal"2024-10-14T12:48:32Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition"value="cty.NilVal"2024-10-14T12:48:32Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.bastion_linux.module.s3-bucket.dynamic.principals"value="cty.NilVal"2024-10-14T12:48:32Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.bastion_linux.module.s3-bucket.dynamic.condition"value="cty.NilVal"2024-10-14T12:48:32Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.pagerduty_core_alerts.data.aws_sns_topic.alarm_topics"value="cty.NilVal"2024-10-14T12:48:32Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.s3_bucket_ssm_sessions.dynamic.expiration"value="cty.NilVal"2024-10-14T12:48:32Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.s3_bucket_ssm_sessions.dynamic.transition"value="cty.NilVal"2024-10-14T12:48:32Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.s3_bucket_ssm_sessions.dynamic.noncurrent_version_expiration"value="cty.NilVal"2024-10-14T12:48:32Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.s3_bucket_ssm_sessions.dynamic.noncurrent_version_transition"value="cty.NilVal"2024-10-14T12:48:32Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.s3_bucket_ssm_sessions.dynamic.principals"value="cty.NilVal"2024-10-14T12:48:32Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.s3_bucket_ssm_sessions.dynamic.condition"value="cty.NilVal"2024-10-14T12:48:32Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.s3_bucket_ssm_sessions.dynamic.expiration"value="cty.NilVal"2024-10-14T12:48:32Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.s3_bucket_ssm_sessions.dynamic.transition"value="cty.NilVal"2024-10-14T12:48:32Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.s3_bucket_ssm_sessions.dynamic.noncurrent_version_expiration"value="cty.NilVal"2024-10-14T12:48:32Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.s3_bucket_ssm_sessions.dynamic.noncurrent_version_transition"value="cty.NilVal"2024-10-14T12:48:32Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.s3_bucket_ssm_sessions.dynamic.principals"value="cty.NilVal"2024-10-14T12:48:32Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.s3_bucket_ssm_sessions.dynamic.condition"value="cty.NilVal"2024-10-14T12:48:32Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.bcs_instance[0].aws_ebs_volume.this"value="cty.NilVal"2024-10-14T12:48:32Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.bcs_instance[0].dynamic.ephemeral_block_device"value="cty.NilVal"2024-10-14T12:48:32Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.bcs_instance[0].dynamic.ebs_block_device"value="cty.NilVal"2024-10-14T12:48:32Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.bcs_instance[0].dynamic.private_dns_name_options"value="cty.NilVal"2024-10-14T12:48:32Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.bcs_instance[0].dynamic.ephemeral_block_device"value="cty.NilVal"2024-10-14T12:48:32Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.bcs_instance[0].dynamic.ebs_block_device"value="cty.NilVal"2024-10-14T12:48:32Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.bcs_instance[0].dynamic.private_dns_name_options"value="cty.NilVal"2024-10-14T12:48:32Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.bps_instance[0].aws_ebs_volume.this"value="cty.NilVal"2024-10-14T12:48:32Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.bps_instance[0].dynamic.ephemeral_block_device"value="cty.NilVal"2024-10-14T12:48:32Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.bps_instance[0].dynamic.ebs_block_device"value="cty.NilVal"2024-10-14T12:48:32Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.bps_instance[0].dynamic.private_dns_name_options"value="cty.NilVal"2024-10-14T12:48:32Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.bps_instance[0].dynamic.ephemeral_block_device"value="cty.NilVal"2024-10-14T12:48:32Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.bps_instance[0].dynamic.ebs_block_device"value="cty.NilVal"2024-10-14T12:48:32Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.bps_instance[0].dynamic.private_dns_name_options"value="cty.NilVal"2024-10-14T12:48:32Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.bws_instance[0].aws_ebs_volume.this"value="cty.NilVal"2024-10-14T12:48:32Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.bws_instance[0].dynamic.ephemeral_block_device"value="cty.NilVal"2024-10-14T12:48:32Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.bws_instance[0].dynamic.ebs_block_device"value="cty.NilVal"2024-10-14T12:48:32Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.bws_instance[0].dynamic.private_dns_name_options"value="cty.NilVal"2024-10-14T12:48:32Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.bws_instance[0].dynamic.ephemeral_block_device"value="cty.NilVal"2024-10-14T12:48:32Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.bws_instance[0].dynamic.ebs_block_device"value="cty.NilVal"2024-10-14T12:48:32Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.bws_instance[0].dynamic.private_dns_name_options"value="cty.NilVal"2024-10-14T12:48:32Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.dis_instance[0].aws_ebs_volume.this"value="cty.NilVal"2024-10-14T12:48:32Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.dis_instance[0].dynamic.ephemeral_block_device"value="cty.NilVal"2024-10-14T12:48:32Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.dis_instance[0].dynamic.ebs_block_device"value="cty.NilVal"2024-10-14T12:48:32Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.dis_instance[0].dynamic.private_dns_name_options"value="cty.NilVal"2024-10-14T12:48:32Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.dis_instance[0].dynamic.ephemeral_block_device"value="cty.NilVal"2024-10-14T12:48:32Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.dis_instance[0].dynamic.ebs_block_device"value="cty.NilVal"2024-10-14T12:48:32Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.dis_instance[0].dynamic.private_dns_name_options"value="cty.NilVal"2024-10-14T12:48:32Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_boe[0].module.instance.aws_ebs_volume.this"value="cty.NilVal"2024-10-14T12:48:32Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_boe[0].module.instance.dynamic.ephemeral_block_device"value="cty.NilVal"2024-10-14T12:48:32Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_boe[0].module.instance.dynamic.ebs_block_device"value="cty.NilVal"2024-10-14T12:48:32Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_boe[0].module.instance.dynamic.ephemeral_block_device"value="cty.NilVal"2024-10-14T12:48:32Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_boe[0].module.instance.dynamic.ebs_block_device"value="cty.NilVal"2024-10-14T12:48:32Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_dsd[0].module.instance.aws_ebs_volume.this"value="cty.NilVal"2024-10-14T12:48:32Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_dsd[0].module.instance.dynamic.ephemeral_block_device"value="cty.NilVal"2024-10-14T12:48:32Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_dsd[0].module.instance.dynamic.ebs_block_device"value="cty.NilVal"2024-10-14T12:48:32Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_dsd[0].module.instance.dynamic.ephemeral_block_device"value="cty.NilVal"2024-10-14T12:48:32Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_dsd[0].module.instance.dynamic.ebs_block_device"value="cty.NilVal"2024-10-14T12:48:32Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_mis[0].module.instance.aws_ebs_volume.this"value="cty.NilVal"2024-10-14T12:48:32Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_mis[0].module.instance.dynamic.ephemeral_block_device"value="cty.NilVal"2024-10-14T12:48:32Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_mis[0].module.instance.dynamic.ebs_block_device"value="cty.NilVal"2024-10-14T12:48:32Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_mis[0].module.instance.dynamic.ephemeral_block_device"value="cty.NilVal"2024-10-14T12:48:32Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_mis[0].module.instance.dynamic.ebs_block_device"value="cty.NilVal"2024-10-14T12:48:32Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_shared[\"boe-db\"].aws_s3_object.user_public_keys"value="cty.NilVal"2024-10-14T12:48:32Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_shared[\"boe-db\"].module.s3_bucket_oracledb_backups.dynamic.expiration"value="cty.NilVal"2024-10-14T12:48:32Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_shared[\"boe-db\"].module.s3_bucket_oracledb_backups.dynamic.transition"value="cty.NilVal"2024-10-14T12:48:32Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_shared[\"boe-db\"].module.s3_bucket_oracledb_backups.dynamic.noncurrent_version_expiration"value="cty.NilVal"2024-10-14T12:48:32Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_shared[\"boe-db\"].module.s3_bucket_oracledb_backups.dynamic.noncurrent_version_transition"value="cty.NilVal"2024-10-14T12:48:32Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_shared[\"boe-db\"].module.s3_bucket_oracledb_backups.dynamic.principals"value="cty.NilVal"2024-10-14T12:48:32Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_shared[\"boe-db\"].module.s3_bucket_oracledb_backups.dynamic.condition"value="cty.NilVal"2024-10-14T12:48:32Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_shared[\"boe-db\"].module.s3_bucket_oracledb_backups.dynamic.expiration"value="cty.NilVal"2024-10-14T12:48:32Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_shared[\"boe-db\"].module.s3_bucket_oracledb_backups.dynamic.transition"value="cty.NilVal"2024-10-14T12:48:32Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_shared[\"boe-db\"].module.s3_bucket_oracledb_backups.dynamic.noncurrent_version_expiration"value="cty.NilVal"2024-10-14T12:48:32Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_shared[\"boe-db\"].module.s3_bucket_oracledb_backups.dynamic.noncurrent_version_transition"value="cty.NilVal"2024-10-14T12:48:32Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_shared[\"boe-db\"].module.s3_bucket_oracledb_backups.dynamic.principals"value="cty.NilVal"2024-10-14T12:48:32Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_shared[\"boe-db\"].module.s3_bucket_oracledb_backups.dynamic.condition"value="cty.NilVal"2024-10-14T12:48:32Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_shared[\"boe-db\"].module.s3_bucket_ssh_keys.dynamic.expiration"value="cty.NilVal"2024-10-14T12:48:32Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_shared[\"boe-db\"].module.s3_bucket_ssh_keys.dynamic.transition"value="cty.NilVal"2024-10-14T12:48:32Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_shared[\"boe-db\"].module.s3_bucket_ssh_keys.dynamic.noncurrent_version_expiration"value="cty.NilVal"2024-10-14T12:48:32Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_shared[\"boe-db\"].module.s3_bucket_ssh_keys.dynamic.noncurrent_version_transition"value="cty.NilVal"2024-10-14T12:48:32Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_shared[\"boe-db\"].module.s3_bucket_ssh_keys.dynamic.principals"value="cty.NilVal"2024-10-14T12:48:32Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_shared[\"boe-db\"].module.s3_bucket_ssh_keys.dynamic.condition"value="cty.NilVal"2024-10-14T12:48:32Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_shared[\"boe-db\"].module.s3_bucket_ssh_keys.dynamic.expiration"value="cty.NilVal"2024-10-14T12:48:32Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_shared[\"boe-db\"].module.s3_bucket_ssh_keys.dynamic.transition"value="cty.NilVal"2024-10-14T12:48:32Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_shared[\"boe-db\"].module.s3_bucket_ssh_keys.dynamic.noncurrent_version_expiration"value="cty.NilVal"2024-10-14T12:48:32Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_shared[\"boe-db\"].module.s3_bucket_ssh_keys.dynamic.noncurrent_version_transition"value="cty.NilVal"2024-10-14T12:48:32Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_shared[\"boe-db\"].module.s3_bucket_ssh_keys.dynamic.principals"value="cty.NilVal"2024-10-14T12:48:32Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_shared[\"boe-db\"].module.s3_bucket_ssh_keys.dynamic.condition"value="cty.NilVal"2024-10-14T12:48:32Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_shared[\"dsd-db\"].aws_s3_object.user_public_keys"value="cty.NilVal"2024-10-14T12:48:32Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_shared[\"dsd-db\"].module.s3_bucket_oracledb_backups.dynamic.expiration"value="cty.NilVal"2024-10-14T12:48:32Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_shared[\"dsd-db\"].module.s3_bucket_oracledb_backups.dynamic.transition"value="cty.NilVal"2024-10-14T12:48:32Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_shared[\"dsd-db\"].module.s3_bucket_oracledb_backups.dynamic.noncurrent_version_expiration"value="cty.NilVal"2024-10-14T12:48:32Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_shared[\"dsd-db\"].module.s3_bucket_oracledb_backups.dynamic.noncurrent_version_transition"value="cty.NilVal"2024-10-14T12:48:32Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_shared[\"dsd-db\"].module.s3_bucket_oracledb_backups.dynamic.principals"value="cty.NilVal"2024-10-14T12:48:32Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_shared[\"dsd-db\"].module.s3_bucket_oracledb_backups.dynamic.condition"value="cty.NilVal"2024-10-14T12:48:32Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_shared[\"dsd-db\"].module.s3_bucket_oracledb_backups.dynamic.expiration"value="cty.NilVal"2024-10-14T12:48:32Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_shared[\"dsd-db\"].module.s3_bucket_oracledb_backups.dynamic.transition"value="cty.NilVal"2024-10-14T12:48:32Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_shared[\"dsd-db\"].module.s3_bucket_oracledb_backups.dynamic.noncurrent_version_expiration"value="cty.NilVal"2024-10-14T12:48:32Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_shared[\"dsd-db\"].module.s3_bucket_oracledb_backups.dynamic.noncurrent_version_transition"value="cty.NilVal"2024-10-14T12:48:32Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_shared[\"dsd-db\"].module.s3_bucket_oracledb_backups.dynamic.principals"value="cty.NilVal"2024-10-14T12:48:32Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_shared[\"dsd-db\"].module.s3_bucket_oracledb_backups.dynamic.condition"value="cty.NilVal"2024-10-14T12:48:32Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_shared[\"dsd-db\"].module.s3_bucket_ssh_keys.dynamic.expiration"value="cty.NilVal"2024-10-14T12:48:32Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_shared[\"dsd-db\"].module.s3_bucket_ssh_keys.dynamic.transition"value="cty.NilVal"2024-10-14T12:48:32Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_shared[\"dsd-db\"].module.s3_bucket_ssh_keys.dynamic.noncurrent_version_expiration"value="cty.NilVal"2024-10-14T12:48:32Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_shared[\"dsd-db\"].module.s3_bucket_ssh_keys.dynamic.noncurrent_version_transition"value="cty.NilVal"2024-10-14T12:48:32Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_shared[\"dsd-db\"].module.s3_bucket_ssh_keys.dynamic.principals"value="cty.NilVal"2024-10-14T12:48:32Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_shared[\"dsd-db\"].module.s3_bucket_ssh_keys.dynamic.condition"value="cty.NilVal"2024-10-14T12:48:32Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_shared[\"dsd-db\"].module.s3_bucket_ssh_keys.dynamic.expiration"value="cty.NilVal"2024-10-14T12:48:32Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_shared[\"dsd-db\"].module.s3_bucket_ssh_keys.dynamic.transition"value="cty.NilVal"2024-10-14T12:48:32Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_shared[\"dsd-db\"].module.s3_bucket_ssh_keys.dynamic.noncurrent_version_expiration"value="cty.NilVal"2024-10-14T12:48:32Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_shared[\"dsd-db\"].module.s3_bucket_ssh_keys.dynamic.noncurrent_version_transition"value="cty.NilVal"2024-10-14T12:48:32Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_shared[\"dsd-db\"].module.s3_bucket_ssh_keys.dynamic.principals"value="cty.NilVal"2024-10-14T12:48:32Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_shared[\"dsd-db\"].module.s3_bucket_ssh_keys.dynamic.condition"value="cty.NilVal"2024-10-14T12:48:33Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_shared[\"mis-db\"].aws_s3_object.user_public_keys"value="cty.NilVal"2024-10-14T12:48:33Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_shared[\"mis-db\"].module.s3_bucket_oracledb_backups.dynamic.expiration"value="cty.NilVal"2024-10-14T12:48:33Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_shared[\"mis-db\"].module.s3_bucket_oracledb_backups.dynamic.transition"value="cty.NilVal"2024-10-14T12:48:33Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_shared[\"mis-db\"].module.s3_bucket_oracledb_backups.dynamic.noncurrent_version_expiration"value="cty.NilVal"2024-10-14T12:48:33Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_shared[\"mis-db\"].module.s3_bucket_oracledb_backups.dynamic.noncurrent_version_transition"value="cty.NilVal"2024-10-14T12:48:33Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_shared[\"mis-db\"].module.s3_bucket_oracledb_backups.dynamic.principals"value="cty.NilVal"2024-10-14T12:48:33Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_shared[\"mis-db\"].module.s3_bucket_oracledb_backups.dynamic.condition"value="cty.NilVal"2024-10-14T12:48:33Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_shared[\"mis-db\"].module.s3_bucket_oracledb_backups.dynamic.expiration"value="cty.NilVal"2024-10-14T12:48:33Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_shared[\"mis-db\"].module.s3_bucket_oracledb_backups.dynamic.transition"value="cty.NilVal"2024-10-14T12:48:33Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_shared[\"mis-db\"].module.s3_bucket_oracledb_backups.dynamic.noncurrent_version_expiration"value="cty.NilVal"2024-10-14T12:48:33Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_shared[\"mis-db\"].module.s3_bucket_oracledb_backups.dynamic.noncurrent_version_transition"value="cty.NilVal"2024-10-14T12:48:33Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_shared[\"mis-db\"].module.s3_bucket_oracledb_backups.dynamic.principals"value="cty.NilVal"2024-10-14T12:48:33Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_shared[\"mis-db\"].module.s3_bucket_oracledb_backups.dynamic.condition"value="cty.NilVal"2024-10-14T12:48:33Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_shared[\"mis-db\"].module.s3_bucket_ssh_keys.dynamic.expiration"value="cty.NilVal"2024-10-14T12:48:33Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_shared[\"mis-db\"].module.s3_bucket_ssh_keys.dynamic.transition"value="cty.NilVal"2024-10-14T12:48:33Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_shared[\"mis-db\"].module.s3_bucket_ssh_keys.dynamic.noncurrent_version_expiration"value="cty.NilVal"2024-10-14T12:48:33Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_shared[\"mis-db\"].module.s3_bucket_ssh_keys.dynamic.noncurrent_version_transition"value="cty.NilVal"2024-10-14T12:48:33Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_shared[\"mis-db\"].module.s3_bucket_ssh_keys.dynamic.principals"value="cty.NilVal"2024-10-14T12:48:33Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_shared[\"mis-db\"].module.s3_bucket_ssh_keys.dynamic.condition"value="cty.NilVal"2024-10-14T12:48:33Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_shared[\"mis-db\"].module.s3_bucket_ssh_keys.dynamic.expiration"value="cty.NilVal"2024-10-14T12:48:33Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_shared[\"mis-db\"].module.s3_bucket_ssh_keys.dynamic.transition"value="cty.NilVal"2024-10-14T12:48:33Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_shared[\"mis-db\"].module.s3_bucket_ssh_keys.dynamic.noncurrent_version_expiration"value="cty.NilVal"2024-10-14T12:48:33Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_shared[\"mis-db\"].module.s3_bucket_ssh_keys.dynamic.noncurrent_version_transition"value="cty.NilVal"2024-10-14T12:48:33Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_shared[\"mis-db\"].module.s3_bucket_ssh_keys.dynamic.principals"value="cty.NilVal"2024-10-14T12:48:33Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_shared[\"mis-db\"].module.s3_bucket_ssh_keys.dynamic.condition"value="cty.NilVal"2024-10-14T12:48:37Z INFO [terraformexecutor] Ignore finding rule="aws-ec2-no-public-egress-sgr"range="../../../delius-core/modules/components/oracle_db_shared/sg.tf:15"2024-10-14T12:48:37Z INFO [terraformexecutor] Ignore finding rule="aws-ec2-no-public-egress-sgr"range="../../../delius-core/modules/components/oracle_db_shared/sg.tf:15"2024-10-14T12:48:37Z INFO [terraformexecutor] Ignore finding rule="aws-ec2-no-public-egress-sgr"range="../../../delius-core/modules/components/oracle_db_shared/sg.tf:15"2024-10-14T12:48:37Z INFO [terraformexecutor] Ignore finding rule="aws-s3-encryption-customer-key"range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=c918b2189d9f81d224e07e98fa1bc9ff38e4ba12/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"2024-10-14T12:48:37Z INFO [terraformexecutor] Ignore finding rule="aws-s3-encryption-customer-key"range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0/main.tf:171-179"2024-10-14T12:48:37Z INFO [terraformexecutor] Ignore finding rule="aws-ssm-secret-use-customer-key"range="secrets.tf:3-9"2024-10-14T12:48:37Z INFO [terraformexecutor] Ignore finding rule="aws-ssm-secret-use-customer-key"range="secrets.tf:12-18"2024-10-14T12:48:37Z INFO [terraformexecutor] Ignore finding rule="aws-ec2-enforce-http-token-imds"range="github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance/main.tf:22"2024-10-14T12:48:37Z INFO [terraformexecutor] Ignore finding rule="aws-ec2-enforce-http-token-imds"range="github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance/main.tf:22"2024-10-14T12:48:37Z INFO [terraformexecutor] Ignore finding rule="aws-ec2-enforce-http-token-imds"range="github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance/main.tf:22"2024-10-14T12:48:37Z INFO [terraformexecutor] Ignore finding rule="aws-ec2-enforce-http-token-imds"range="github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance/main.tf:22"2024-10-14T12:48:37Z INFO [terraformexecutor] Ignore finding rule="aws-ec2-enforce-http-token-imds"range="github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance/main.tf:22"2024-10-14T12:48:37Z INFO [terraformexecutor] Ignore finding rule="aws-ec2-enforce-http-token-imds"range="github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance/main.tf:22"2024-10-14T12:48:37Z INFO [terraformexecutor] Ignore finding rule="aws-ec2-enforce-http-token-imds"range="github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance/main.tf:22"2024-10-14T12:48:37Z INFO Number of language-specific files num=02024-10-14T12:48:37Z INFO Detected config files num=17../../../delius-core/modules/components/oracle_db_shared/s3.tf (terraform)
==========================================================================
Tests:1 (SUCCESSES:0, FAILURES:1, EXCEPTIONS:0)
Failures:1 (HIGH:1, CRITICAL:0)
HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.
See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
../../../delius-core/modules/components/oracle_db_shared/s3.tf:204-212
via databases.tf:13-37 (module.oracle_db_shared["boe-db"])
────────────────────────────────────────
204 ┌ resource"aws_s3_bucket_server_side_encryption_configuration""oracledb_backups_inventory" {
205 │ bucket=aws_s3_bucket.s3_bucket_oracledb_backups_inventory.id206 │ rule {
207 │ apply_server_side_encryption_by_default {
208 │ kms_master_key_id=var.account_config.kms_keys.general_shared209 │ sse_algorithm="aws:kms"210 │ }
211 │ }
212 └ }
────────────────────────────────────────
pagerduty.tf (terraform)
========================
Tests:1 (SUCCESSES:0, FAILURES:1, EXCEPTIONS:0)
Failures:1 (HIGH:1, CRITICAL:0)
HIGH: Topic does not have encryption enabled.
════════════════════════════════════════
Topics should be encrypted to protect their contents.
See https://avd.aquasec.com/misconfig/avd-aws-0095
────────────────────────────────────────
pagerduty.tf:1-10
────────────────────────────────────────
1 ┌ resource"aws_sns_topic""delius_mis_alarms" {
2 │ name="${var.app_name}-${var.env_name}-sns-topic"3 │
4 │ tags=merge(
5 │ var.tags,
6 │ {
7 │ Name ="${var.app_name}-${var.env_name}-sns-topic"8 │ }
9 │ )
10 └ }
────────────────────────────────────────
sg_shared.tf (terraform)
========================
Tests:4 (SUCCESSES:0, FAILURES:1, EXCEPTIONS:3)
Failures:1 (HIGH:1, CRITICAL:0)
HIGH: Security group rule allows ingress from public internet.
════════════════════════════════════════
Security groups provide stateful filtering of ingress and egress network traffic to AWS
resources. It is recommended that no security group allows unrestricted ingress access to
remote server administration ports, such as SSH to port 22 and RDP to port 3389.
See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
sg_shared.tf:28
via sg_shared.tf:26-32 (aws_vpc_security_group_ingress_rule.fleet_manager)
────────────────────────────────────────
26 resource"aws_vpc_security_group_ingress_rule""fleet_manager" {
27security_group_id=aws_security_group.mis_ec2_shared.id28 [ cidr_ipv4 = "0.0.0.0/0"29ip_protocol = "tcp"30from_port = 338931to_port = 338932 }
────────────────────────────────────────
trivy_exitcode=1*****************************RunningTrivyinterraform/modules/disable_alarms_lambda2024-10-14T12:48:37Z INFO [vuln] Vulnerabilityscanningisenabled2024-10-14T12:48:37Z INFO [misconfig] Misconfigurationscanningisenabled2024-10-14T12:48:37Z INFO [secret] Secretscanningisenabled2024-10-14T12:48:37Z INFO [secret] Ifyourscanningisslow, pleasetry '--scannersvuln' todisablesecretscanning2024-10-14T12:48:37Z INFO [secret] Pleaseseealsohttps://aquasecurity.github.io/trivy/v0.56/docs/scanner/secret#recommendation for faster secret detection2024-10-14T12:48:38Z INFO [terraformscanner] Scanningrootmodulefile_path="."2024-10-14T12:48:38Z WARN [terraformparser] Variablevalueswasnotfoundintheenvironmentorvariablefiles.Evaluatingmaynotworkcorrectly.module="root"variables="lambda_function_name"2024-10-14T12:48:38Z INFONumberoflanguage-specificfilesnum=02024-10-14T12:48:38Z INFODetectedconfigfilesnum=2trivy_exitcode=1
Trivy will check the following folders:
terraform/environments/delius-mis/modules/mis_environment
terraform/modules/disable_alarms_lambda
Running Trivy in terraform/environments/delius-mis/modules/mis_environment
2024-10-14T12:53:32Z INFO [vulndb] Need to update DB
2024-10-14T12:53:32Z INFO [vulndb] Downloading vulnerability DB...
2024-10-14T12:53:32Z INFO [vulndb] Downloading artifact... repo="ghcr.io/aquasecurity/trivy-db:2"
2024-10-14T12:53:34Z INFO [vulndb] Artifact successfully downloaded repo="ghcr.io/aquasecurity/trivy-db:2"
2024-10-14T12:53:34Z INFO [vuln] Vulnerability scanning is enabled
2024-10-14T12:53:34Z INFO [misconfig] Misconfiguration scanning is enabled
2024-10-14T12:53:34Z INFO [misconfig] Need to update the built-in checks
2024-10-14T12:53:34Z INFO [misconfig] Downloading the built-in checks...
156.02 KiB / 156.02 KiB [---------------------------------------------------------] 100.00% ? p/s 0s2024-10-14T12:53:35Z INFO [secret] Secret scanning is enabled
2024-10-14T12:53:35Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-10-14T12:53:35Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.56/docs/scanner/secret#recommendation for faster secret detection
2024-10-14T12:53:36Z INFO [terraform scanner] Scanning root module file_path="."
2024-10-14T12:53:36Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="account_config, account_info, app_name, bastion_config, bcs_config, boe_db_config, bps_config, bws_config, dis_config, dsd_db_config, env_name, environment_config, fsx_config, mis_db_config, platform_vars, tags"
2024-10-14T12:53:36Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="dynamic.ip_address" value="cty.NilVal"
2024-10-14T12:53:36Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="dynamic.target_ip" value="cty.NilVal"
2024-10-14T12:53:36Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="dynamic.ip_address" value="cty.NilVal"
2024-10-14T12:53:36Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="dynamic.target_ip" value="cty.NilVal"
2024-10-14T12:53:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2024-10-14T12:53:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2024-10-14T12:53:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.dynamic.tag" value="cty.NilVal"
2024-10-14T12:53:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.dynamic.tag" value="cty.NilVal"
2024-10-14T12:53:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-14T12:53:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-10-14T12:53:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-14T12:53:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-14T12:53:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-10-14T12:53:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-10-14T12:53:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-14T12:53:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-10-14T12:53:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-14T12:53:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-14T12:53:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-10-14T12:53:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-10-14T12:53:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.pagerduty_core_alerts.data.aws_sns_topic.alarm_topics" value="cty.NilVal"
2024-10-14T12:53:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_ssm_sessions.dynamic.expiration" value="cty.NilVal"
2024-10-14T12:53:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_ssm_sessions.dynamic.transition" value="cty.NilVal"
2024-10-14T12:53:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_ssm_sessions.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-14T12:53:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_ssm_sessions.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-14T12:53:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_ssm_sessions.dynamic.principals" value="cty.NilVal"
2024-10-14T12:53:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_ssm_sessions.dynamic.condition" value="cty.NilVal"
2024-10-14T12:53:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_ssm_sessions.dynamic.expiration" value="cty.NilVal"
2024-10-14T12:53:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_ssm_sessions.dynamic.transition" value="cty.NilVal"
2024-10-14T12:53:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_ssm_sessions.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-14T12:53:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_ssm_sessions.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-14T12:53:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_ssm_sessions.dynamic.principals" value="cty.NilVal"
2024-10-14T12:53:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_ssm_sessions.dynamic.condition" value="cty.NilVal"
2024-10-14T12:53:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bcs_instance[0].aws_ebs_volume.this" value="cty.NilVal"
2024-10-14T12:53:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bcs_instance[0].dynamic.ephemeral_block_device" value="cty.NilVal"
2024-10-14T12:53:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bcs_instance[0].dynamic.ebs_block_device" value="cty.NilVal"
2024-10-14T12:53:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bcs_instance[0].dynamic.private_dns_name_options" value="cty.NilVal"
2024-10-14T12:53:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bcs_instance[0].dynamic.ephemeral_block_device" value="cty.NilVal"
2024-10-14T12:53:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bcs_instance[0].dynamic.ebs_block_device" value="cty.NilVal"
2024-10-14T12:53:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bcs_instance[0].dynamic.private_dns_name_options" value="cty.NilVal"
2024-10-14T12:53:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bps_instance[0].aws_ebs_volume.this" value="cty.NilVal"
2024-10-14T12:53:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bps_instance[0].dynamic.ephemeral_block_device" value="cty.NilVal"
2024-10-14T12:53:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bps_instance[0].dynamic.ebs_block_device" value="cty.NilVal"
2024-10-14T12:53:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bps_instance[0].dynamic.private_dns_name_options" value="cty.NilVal"
2024-10-14T12:53:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bps_instance[0].dynamic.ephemeral_block_device" value="cty.NilVal"
2024-10-14T12:53:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bps_instance[0].dynamic.ebs_block_device" value="cty.NilVal"
2024-10-14T12:53:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bps_instance[0].dynamic.private_dns_name_options" value="cty.NilVal"
2024-10-14T12:53:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bws_instance[0].aws_ebs_volume.this" value="cty.NilVal"
2024-10-14T12:53:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bws_instance[0].dynamic.ephemeral_block_device" value="cty.NilVal"
2024-10-14T12:53:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bws_instance[0].dynamic.ebs_block_device" value="cty.NilVal"
2024-10-14T12:53:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bws_instance[0].dynamic.private_dns_name_options" value="cty.NilVal"
2024-10-14T12:53:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bws_instance[0].dynamic.ephemeral_block_device" value="cty.NilVal"
2024-10-14T12:53:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bws_instance[0].dynamic.ebs_block_device" value="cty.NilVal"
2024-10-14T12:53:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bws_instance[0].dynamic.private_dns_name_options" value="cty.NilVal"
2024-10-14T12:53:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.dis_instance[0].aws_ebs_volume.this" value="cty.NilVal"
2024-10-14T12:53:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.dis_instance[0].dynamic.ephemeral_block_device" value="cty.NilVal"
2024-10-14T12:53:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.dis_instance[0].dynamic.ebs_block_device" value="cty.NilVal"
2024-10-14T12:53:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.dis_instance[0].dynamic.private_dns_name_options" value="cty.NilVal"
2024-10-14T12:53:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.dis_instance[0].dynamic.ephemeral_block_device" value="cty.NilVal"
2024-10-14T12:53:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.dis_instance[0].dynamic.ebs_block_device" value="cty.NilVal"
2024-10-14T12:53:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.dis_instance[0].dynamic.private_dns_name_options" value="cty.NilVal"
2024-10-14T12:53:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_boe[0].module.instance.aws_ebs_volume.this" value="cty.NilVal"
2024-10-14T12:53:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_boe[0].module.instance.dynamic.ephemeral_block_device" value="cty.NilVal"
2024-10-14T12:53:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_boe[0].module.instance.dynamic.ebs_block_device" value="cty.NilVal"
2024-10-14T12:53:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_boe[0].module.instance.dynamic.ephemeral_block_device" value="cty.NilVal"
2024-10-14T12:53:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_boe[0].module.instance.dynamic.ebs_block_device" value="cty.NilVal"
2024-10-14T12:53:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_dsd[0].module.instance.aws_ebs_volume.this" value="cty.NilVal"
2024-10-14T12:53:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_dsd[0].module.instance.dynamic.ephemeral_block_device" value="cty.NilVal"
2024-10-14T12:53:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_dsd[0].module.instance.dynamic.ebs_block_device" value="cty.NilVal"
2024-10-14T12:53:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_dsd[0].module.instance.dynamic.ephemeral_block_device" value="cty.NilVal"
2024-10-14T12:53:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_dsd[0].module.instance.dynamic.ebs_block_device" value="cty.NilVal"
2024-10-14T12:53:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_mis[0].module.instance.aws_ebs_volume.this" value="cty.NilVal"
2024-10-14T12:53:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_mis[0].module.instance.dynamic.ephemeral_block_device" value="cty.NilVal"
2024-10-14T12:53:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_mis[0].module.instance.dynamic.ebs_block_device" value="cty.NilVal"
2024-10-14T12:53:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_mis[0].module.instance.dynamic.ephemeral_block_device" value="cty.NilVal"
2024-10-14T12:53:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_mis[0].module.instance.dynamic.ebs_block_device" value="cty.NilVal"
2024-10-14T12:53:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["boe-db"].aws_s3_object.user_public_keys" value="cty.NilVal"
2024-10-14T12:53:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["boe-db"].module.s3_bucket_oracledb_backups.dynamic.expiration" value="cty.NilVal"
2024-10-14T12:53:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["boe-db"].module.s3_bucket_oracledb_backups.dynamic.transition" value="cty.NilVal"
2024-10-14T12:53:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["boe-db"].module.s3_bucket_oracledb_backups.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-14T12:53:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["boe-db"].module.s3_bucket_oracledb_backups.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-14T12:53:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["boe-db"].module.s3_bucket_oracledb_backups.dynamic.principals" value="cty.NilVal"
2024-10-14T12:53:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["boe-db"].module.s3_bucket_oracledb_backups.dynamic.condition" value="cty.NilVal"
2024-10-14T12:53:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["boe-db"].module.s3_bucket_oracledb_backups.dynamic.expiration" value="cty.NilVal"
2024-10-14T12:53:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["boe-db"].module.s3_bucket_oracledb_backups.dynamic.transition" value="cty.NilVal"
2024-10-14T12:53:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["boe-db"].module.s3_bucket_oracledb_backups.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-14T12:53:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["boe-db"].module.s3_bucket_oracledb_backups.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-14T12:53:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["boe-db"].module.s3_bucket_oracledb_backups.dynamic.principals" value="cty.NilVal"
2024-10-14T12:53:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["boe-db"].module.s3_bucket_oracledb_backups.dynamic.condition" value="cty.NilVal"
2024-10-14T12:53:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["boe-db"].module.s3_bucket_ssh_keys.dynamic.expiration" value="cty.NilVal"
2024-10-14T12:53:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["boe-db"].module.s3_bucket_ssh_keys.dynamic.transition" value="cty.NilVal"
2024-10-14T12:53:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["boe-db"].module.s3_bucket_ssh_keys.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-14T12:53:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["boe-db"].module.s3_bucket_ssh_keys.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-14T12:53:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["boe-db"].module.s3_bucket_ssh_keys.dynamic.principals" value="cty.NilVal"
2024-10-14T12:53:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["boe-db"].module.s3_bucket_ssh_keys.dynamic.condition" value="cty.NilVal"
2024-10-14T12:53:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["boe-db"].module.s3_bucket_ssh_keys.dynamic.expiration" value="cty.NilVal"
2024-10-14T12:53:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["boe-db"].module.s3_bucket_ssh_keys.dynamic.transition" value="cty.NilVal"
2024-10-14T12:53:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["boe-db"].module.s3_bucket_ssh_keys.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-14T12:53:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["boe-db"].module.s3_bucket_ssh_keys.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-14T12:53:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["boe-db"].module.s3_bucket_ssh_keys.dynamic.principals" value="cty.NilVal"
2024-10-14T12:53:39Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["boe-db"].module.s3_bucket_ssh_keys.dynamic.condition" value="cty.NilVal"
2024-10-14T12:53:40Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["dsd-db"].aws_s3_object.user_public_keys" value="cty.NilVal"
2024-10-14T12:53:40Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["dsd-db"].module.s3_bucket_oracledb_backups.dynamic.expiration" value="cty.NilVal"
2024-10-14T12:53:40Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["dsd-db"].module.s3_bucket_oracledb_backups.dynamic.transition" value="cty.NilVal"
2024-10-14T12:53:40Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["dsd-db"].module.s3_bucket_oracledb_backups.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-14T12:53:40Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["dsd-db"].module.s3_bucket_oracledb_backups.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-14T12:53:40Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["dsd-db"].module.s3_bucket_oracledb_backups.dynamic.principals" value="cty.NilVal"
2024-10-14T12:53:40Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["dsd-db"].module.s3_bucket_oracledb_backups.dynamic.condition" value="cty.NilVal"
2024-10-14T12:53:40Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["dsd-db"].module.s3_bucket_oracledb_backups.dynamic.expiration" value="cty.NilVal"
2024-10-14T12:53:40Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["dsd-db"].module.s3_bucket_oracledb_backups.dynamic.transition" value="cty.NilVal"
2024-10-14T12:53:40Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["dsd-db"].module.s3_bucket_oracledb_backups.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-14T12:53:40Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["dsd-db"].module.s3_bucket_oracledb_backups.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-14T12:53:40Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["dsd-db"].module.s3_bucket_oracledb_backups.dynamic.principals" value="cty.NilVal"
2024-10-14T12:53:40Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["dsd-db"].module.s3_bucket_oracledb_backups.dynamic.condition" value="cty.NilVal"
2024-10-14T12:53:40Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["dsd-db"].module.s3_bucket_ssh_keys.dynamic.expiration" value="cty.NilVal"
2024-10-14T12:53:40Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["dsd-db"].module.s3_bucket_ssh_keys.dynamic.transition" value="cty.NilVal"
2024-10-14T12:53:40Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["dsd-db"].module.s3_bucket_ssh_keys.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-14T12:53:40Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["dsd-db"].module.s3_bucket_ssh_keys.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-14T12:53:40Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["dsd-db"].module.s3_bucket_ssh_keys.dynamic.principals" value="cty.NilVal"
2024-10-14T12:53:40Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["dsd-db"].module.s3_bucket_ssh_keys.dynamic.condition" value="cty.NilVal"
2024-10-14T12:53:40Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["dsd-db"].module.s3_bucket_ssh_keys.dynamic.expiration" value="cty.NilVal"
2024-10-14T12:53:40Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["dsd-db"].module.s3_bucket_ssh_keys.dynamic.transition" value="cty.NilVal"
2024-10-14T12:53:40Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["dsd-db"].module.s3_bucket_ssh_keys.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-14T12:53:40Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["dsd-db"].module.s3_bucket_ssh_keys.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-14T12:53:40Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["dsd-db"].module.s3_bucket_ssh_keys.dynamic.principals" value="cty.NilVal"
2024-10-14T12:53:40Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["dsd-db"].module.s3_bucket_ssh_keys.dynamic.condition" value="cty.NilVal"
2024-10-14T12:53:40Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["mis-db"].aws_s3_object.user_public_keys" value="cty.NilVal"
2024-10-14T12:53:40Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["mis-db"].module.s3_bucket_oracledb_backups.dynamic.expiration" value="cty.NilVal"
2024-10-14T12:53:40Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["mis-db"].module.s3_bucket_oracledb_backups.dynamic.transition" value="cty.NilVal"
2024-10-14T12:53:40Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["mis-db"].module.s3_bucket_oracledb_backups.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-14T12:53:40Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["mis-db"].module.s3_bucket_oracledb_backups.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-14T12:53:40Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["mis-db"].module.s3_bucket_oracledb_backups.dynamic.principals" value="cty.NilVal"
2024-10-14T12:53:40Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["mis-db"].module.s3_bucket_oracledb_backups.dynamic.condition" value="cty.NilVal"
2024-10-14T12:53:40Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["mis-db"].module.s3_bucket_oracledb_backups.dynamic.expiration" value="cty.NilVal"
2024-10-14T12:53:40Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["mis-db"].module.s3_bucket_oracledb_backups.dynamic.transition" value="cty.NilVal"
2024-10-14T12:53:40Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["mis-db"].module.s3_bucket_oracledb_backups.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-14T12:53:40Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["mis-db"].module.s3_bucket_oracledb_backups.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-14T12:53:40Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["mis-db"].module.s3_bucket_oracledb_backups.dynamic.principals" value="cty.NilVal"
2024-10-14T12:53:40Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["mis-db"].module.s3_bucket_oracledb_backups.dynamic.condition" value="cty.NilVal"
2024-10-14T12:53:40Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["mis-db"].module.s3_bucket_ssh_keys.dynamic.expiration" value="cty.NilVal"
2024-10-14T12:53:40Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["mis-db"].module.s3_bucket_ssh_keys.dynamic.transition" value="cty.NilVal"
2024-10-14T12:53:40Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["mis-db"].module.s3_bucket_ssh_keys.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-14T12:53:40Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["mis-db"].module.s3_bucket_ssh_keys.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-14T12:53:40Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["mis-db"].module.s3_bucket_ssh_keys.dynamic.principals" value="cty.NilVal"
2024-10-14T12:53:40Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["mis-db"].module.s3_bucket_ssh_keys.dynamic.condition" value="cty.NilVal"
2024-10-14T12:53:40Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["mis-db"].module.s3_bucket_ssh_keys.dynamic.expiration" value="cty.NilVal"
2024-10-14T12:53:40Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["mis-db"].module.s3_bucket_ssh_keys.dynamic.transition" value="cty.NilVal"
2024-10-14T12:53:40Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["mis-db"].module.s3_bucket_ssh_keys.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-14T12:53:40Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["mis-db"].module.s3_bucket_ssh_keys.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-14T12:53:40Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["mis-db"].module.s3_bucket_ssh_keys.dynamic.principals" value="cty.NilVal"
2024-10-14T12:53:40Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["mis-db"].module.s3_bucket_ssh_keys.dynamic.condition" value="cty.NilVal"
2024-10-14T12:53:43Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=c918b2189d9f81d224e07e98fa1bc9ff38e4ba12/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2024-10-14T12:53:43Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0/main.tf:171-179"
2024-10-14T12:53:43Z INFO [terraform executor] Ignore finding rule="aws-ec2-no-public-egress-sgr" range="../../../delius-core/modules/components/oracle_db_shared/sg.tf:15"
2024-10-14T12:53:43Z INFO [terraform executor] Ignore finding rule="aws-ec2-no-public-egress-sgr" range="../../../delius-core/modules/components/oracle_db_shared/sg.tf:15"
2024-10-14T12:53:43Z INFO [terraform executor] Ignore finding rule="aws-ec2-no-public-egress-sgr" range="../../../delius-core/modules/components/oracle_db_shared/sg.tf:15"
2024-10-14T12:53:43Z INFO [terraform executor] Ignore finding rule="aws-ec2-enforce-http-token-imds" range="github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance/main.tf:22"
2024-10-14T12:53:43Z INFO [terraform executor] Ignore finding rule="aws-ec2-enforce-http-token-imds" range="github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance/main.tf:22"
2024-10-14T12:53:43Z INFO [terraform executor] Ignore finding rule="aws-ec2-enforce-http-token-imds" range="github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance/main.tf:22"
2024-10-14T12:53:43Z INFO [terraform executor] Ignore finding rule="aws-ec2-enforce-http-token-imds" range="github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance/main.tf:22"
2024-10-14T12:53:43Z INFO [terraform executor] Ignore finding rule="aws-ec2-enforce-http-token-imds" range="github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance/main.tf:22"
2024-10-14T12:53:43Z INFO [terraform executor] Ignore finding rule="aws-ec2-enforce-http-token-imds" range="github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance/main.tf:22"
2024-10-14T12:53:43Z INFO [terraform executor] Ignore finding rule="aws-ec2-enforce-http-token-imds" range="github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance/main.tf:22"
2024-10-14T12:53:43Z INFO [terraform executor] Ignore finding rule="aws-ssm-secret-use-customer-key" range="secrets.tf:3-9"
2024-10-14T12:53:43Z INFO [terraform executor] Ignore finding rule="aws-ssm-secret-use-customer-key" range="secrets.tf:12-18"
2024-10-14T12:53:43Z INFO Number of language-specific files num=0
2024-10-14T12:53:43Z INFO Detected config files num=18
HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.
HIGH: Security group rule allows ingress from public internet.
════════════════════════════════════════
Security groups provide stateful filtering of ingress and egress network traffic to AWS
resources. It is recommended that no security group allows unrestricted ingress access to
remote server administration ports, such as SSH to port 22 and RDP to port 3389.
Running Trivy in terraform/modules/disable_alarms_lambda
2024-10-14T12:53:44Z INFO [vuln] Vulnerability scanning is enabled
2024-10-14T12:53:44Z INFO [misconfig] Misconfiguration scanning is enabled
2024-10-14T12:53:44Z INFO [secret] Secret scanning is enabled
2024-10-14T12:53:44Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-10-14T12:53:44Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.56/docs/scanner/secret#recommendation for faster secret detection
2024-10-14T12:53:44Z INFO [terraform scanner] Scanning root module file_path="."
2024-10-14T12:53:44Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="lambda_function_name"
2024-10-14T12:53:44Z INFO Number of language-specific files num=0
2024-10-14T12:53:44Z INFO Detected config files num=2
trivy_exitcode=1
*****************************
Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version:0.9.1)
tflint will check the following folders:
terraform/environments/delius-mis/modules/mis_environment
terraform/modules/disable_alarms_lambda
*****************************
Running tflint in terraform/environments/delius-mis/modules/mis_environment
Excluding the following checks: terraform_unused_declarations
4issue(s) found:
Warning: Module source "github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance" is not pinned (terraform_module_pinned_source)
on terraform/environments/delius-mis/modules/mis_environment/bcs.tf line 7:7:source="github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance"
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_module_pinned_source.md
Warning: Module source "github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance" is not pinned (terraform_module_pinned_source)
on terraform/environments/delius-mis/modules/mis_environment/bps.tf line 7:7:source="github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance"
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_module_pinned_source.md
Warning: Module source "github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance" is not pinned (terraform_module_pinned_source)
on terraform/environments/delius-mis/modules/mis_environment/bws.tf line 7:7:source="github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance"
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_module_pinned_source.md
Warning: Module source "github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance" is not pinned (terraform_module_pinned_source)
on terraform/environments/delius-mis/modules/mis_environment/dis.tf line 7:7:source="github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance"
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_module_pinned_source.mdtflint_exitcode=2*****************************
Running tflint in terraform/modules/disable_alarms_lambda
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=2
Trivy Scan Failed
Show Output
*****************************
Trivy will check the following folders:
terraform/environments/delius-mis/modules/mis_environment
terraform/modules/disable_alarms_lambda
*****************************
Running Trivy in terraform/environments/delius-mis/modules/mis_environment
2024-10-14T12:53:32Z INFO [vulndb] Need to update DB
2024-10-14T12:53:32Z INFO [vulndb] Downloading vulnerability DB...2024-10-14T12:53:32Z INFO [vulndb] Downloading artifact...repo="ghcr.io/aquasecurity/trivy-db:2"2024-10-14T12:53:34Z INFO [vulndb] Artifact successfully downloaded repo="ghcr.io/aquasecurity/trivy-db:2"2024-10-14T12:53:34Z INFO [vuln] Vulnerability scanning is enabled
2024-10-14T12:53:34Z INFO [misconfig] Misconfiguration scanning is enabled
2024-10-14T12:53:34Z INFO [misconfig] Need to update the built-in checks
2024-10-14T12:53:34Z INFO [misconfig] Downloading the built-in checks...156.02 KiB /156.02 KiB [---------------------------------------------------------] 100.00%? p/s 0s2024-10-14T12:53:35Z INFO [secret] Secret scanning is enabled
2024-10-14T12:53:35Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-10-14T12:53:35Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.56/docs/scanner/secret#recommendation for faster secret detection2024-10-14T12:53:36Z INFO [terraformscanner] Scanning root module file_path="."2024-10-14T12:53:36Z WARN [terraformparser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.module="root"variables="account_config, account_info, app_name, bastion_config, bcs_config, boe_db_config, bps_config, bws_config, dis_config, dsd_db_config, env_name, environment_config, fsx_config, mis_db_config, platform_vars, tags"2024-10-14T12:53:36Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="dynamic.ip_address"value="cty.NilVal"2024-10-14T12:53:36Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="dynamic.target_ip"value="cty.NilVal"2024-10-14T12:53:36Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="dynamic.ip_address"value="cty.NilVal"2024-10-14T12:53:36Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="dynamic.target_ip"value="cty.NilVal"2024-10-14T12:53:39Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.bastion_linux.aws_s3_object.user_public_keys"value="cty.NilVal"2024-10-14T12:53:39Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.bastion_linux.data.aws_subnet.local_account"value="cty.NilVal"2024-10-14T12:53:39Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.bastion_linux.dynamic.tag"value="cty.NilVal"2024-10-14T12:53:39Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.bastion_linux.dynamic.tag"value="cty.NilVal"2024-10-14T12:53:39Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.bastion_linux.module.s3-bucket.dynamic.expiration"value="cty.NilVal"2024-10-14T12:53:39Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.bastion_linux.module.s3-bucket.dynamic.transition"value="cty.NilVal"2024-10-14T12:53:39Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration"value="cty.NilVal"2024-10-14T12:53:39Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition"value="cty.NilVal"2024-10-14T12:53:39Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.bastion_linux.module.s3-bucket.dynamic.principals"value="cty.NilVal"2024-10-14T12:53:39Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.bastion_linux.module.s3-bucket.dynamic.condition"value="cty.NilVal"2024-10-14T12:53:39Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.bastion_linux.module.s3-bucket.dynamic.expiration"value="cty.NilVal"2024-10-14T12:53:39Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.bastion_linux.module.s3-bucket.dynamic.transition"value="cty.NilVal"2024-10-14T12:53:39Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration"value="cty.NilVal"2024-10-14T12:53:39Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition"value="cty.NilVal"2024-10-14T12:53:39Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.bastion_linux.module.s3-bucket.dynamic.principals"value="cty.NilVal"2024-10-14T12:53:39Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.bastion_linux.module.s3-bucket.dynamic.condition"value="cty.NilVal"2024-10-14T12:53:39Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.pagerduty_core_alerts.data.aws_sns_topic.alarm_topics"value="cty.NilVal"2024-10-14T12:53:39Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.s3_bucket_ssm_sessions.dynamic.expiration"value="cty.NilVal"2024-10-14T12:53:39Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.s3_bucket_ssm_sessions.dynamic.transition"value="cty.NilVal"2024-10-14T12:53:39Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.s3_bucket_ssm_sessions.dynamic.noncurrent_version_expiration"value="cty.NilVal"2024-10-14T12:53:39Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.s3_bucket_ssm_sessions.dynamic.noncurrent_version_transition"value="cty.NilVal"2024-10-14T12:53:39Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.s3_bucket_ssm_sessions.dynamic.principals"value="cty.NilVal"2024-10-14T12:53:39Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.s3_bucket_ssm_sessions.dynamic.condition"value="cty.NilVal"2024-10-14T12:53:39Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.s3_bucket_ssm_sessions.dynamic.expiration"value="cty.NilVal"2024-10-14T12:53:39Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.s3_bucket_ssm_sessions.dynamic.transition"value="cty.NilVal"2024-10-14T12:53:39Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.s3_bucket_ssm_sessions.dynamic.noncurrent_version_expiration"value="cty.NilVal"2024-10-14T12:53:39Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.s3_bucket_ssm_sessions.dynamic.noncurrent_version_transition"value="cty.NilVal"2024-10-14T12:53:39Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.s3_bucket_ssm_sessions.dynamic.principals"value="cty.NilVal"2024-10-14T12:53:39Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.s3_bucket_ssm_sessions.dynamic.condition"value="cty.NilVal"2024-10-14T12:53:39Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.bcs_instance[0].aws_ebs_volume.this"value="cty.NilVal"2024-10-14T12:53:39Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.bcs_instance[0].dynamic.ephemeral_block_device"value="cty.NilVal"2024-10-14T12:53:39Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.bcs_instance[0].dynamic.ebs_block_device"value="cty.NilVal"2024-10-14T12:53:39Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.bcs_instance[0].dynamic.private_dns_name_options"value="cty.NilVal"2024-10-14T12:53:39Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.bcs_instance[0].dynamic.ephemeral_block_device"value="cty.NilVal"2024-10-14T12:53:39Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.bcs_instance[0].dynamic.ebs_block_device"value="cty.NilVal"2024-10-14T12:53:39Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.bcs_instance[0].dynamic.private_dns_name_options"value="cty.NilVal"2024-10-14T12:53:39Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.bps_instance[0].aws_ebs_volume.this"value="cty.NilVal"2024-10-14T12:53:39Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.bps_instance[0].dynamic.ephemeral_block_device"value="cty.NilVal"2024-10-14T12:53:39Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.bps_instance[0].dynamic.ebs_block_device"value="cty.NilVal"2024-10-14T12:53:39Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.bps_instance[0].dynamic.private_dns_name_options"value="cty.NilVal"2024-10-14T12:53:39Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.bps_instance[0].dynamic.ephemeral_block_device"value="cty.NilVal"2024-10-14T12:53:39Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.bps_instance[0].dynamic.ebs_block_device"value="cty.NilVal"2024-10-14T12:53:39Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.bps_instance[0].dynamic.private_dns_name_options"value="cty.NilVal"2024-10-14T12:53:39Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.bws_instance[0].aws_ebs_volume.this"value="cty.NilVal"2024-10-14T12:53:39Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.bws_instance[0].dynamic.ephemeral_block_device"value="cty.NilVal"2024-10-14T12:53:39Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.bws_instance[0].dynamic.ebs_block_device"value="cty.NilVal"2024-10-14T12:53:39Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.bws_instance[0].dynamic.private_dns_name_options"value="cty.NilVal"2024-10-14T12:53:39Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.bws_instance[0].dynamic.ephemeral_block_device"value="cty.NilVal"2024-10-14T12:53:39Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.bws_instance[0].dynamic.ebs_block_device"value="cty.NilVal"2024-10-14T12:53:39Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.bws_instance[0].dynamic.private_dns_name_options"value="cty.NilVal"2024-10-14T12:53:39Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.dis_instance[0].aws_ebs_volume.this"value="cty.NilVal"2024-10-14T12:53:39Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.dis_instance[0].dynamic.ephemeral_block_device"value="cty.NilVal"2024-10-14T12:53:39Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.dis_instance[0].dynamic.ebs_block_device"value="cty.NilVal"2024-10-14T12:53:39Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.dis_instance[0].dynamic.private_dns_name_options"value="cty.NilVal"2024-10-14T12:53:39Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.dis_instance[0].dynamic.ephemeral_block_device"value="cty.NilVal"2024-10-14T12:53:39Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.dis_instance[0].dynamic.ebs_block_device"value="cty.NilVal"2024-10-14T12:53:39Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.dis_instance[0].dynamic.private_dns_name_options"value="cty.NilVal"2024-10-14T12:53:39Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_boe[0].module.instance.aws_ebs_volume.this"value="cty.NilVal"2024-10-14T12:53:39Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_boe[0].module.instance.dynamic.ephemeral_block_device"value="cty.NilVal"2024-10-14T12:53:39Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_boe[0].module.instance.dynamic.ebs_block_device"value="cty.NilVal"2024-10-14T12:53:39Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_boe[0].module.instance.dynamic.ephemeral_block_device"value="cty.NilVal"2024-10-14T12:53:39Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_boe[0].module.instance.dynamic.ebs_block_device"value="cty.NilVal"2024-10-14T12:53:39Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_dsd[0].module.instance.aws_ebs_volume.this"value="cty.NilVal"2024-10-14T12:53:39Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_dsd[0].module.instance.dynamic.ephemeral_block_device"value="cty.NilVal"2024-10-14T12:53:39Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_dsd[0].module.instance.dynamic.ebs_block_device"value="cty.NilVal"2024-10-14T12:53:39Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_dsd[0].module.instance.dynamic.ephemeral_block_device"value="cty.NilVal"2024-10-14T12:53:39Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_dsd[0].module.instance.dynamic.ebs_block_device"value="cty.NilVal"2024-10-14T12:53:39Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_mis[0].module.instance.aws_ebs_volume.this"value="cty.NilVal"2024-10-14T12:53:39Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_mis[0].module.instance.dynamic.ephemeral_block_device"value="cty.NilVal"2024-10-14T12:53:39Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_mis[0].module.instance.dynamic.ebs_block_device"value="cty.NilVal"2024-10-14T12:53:39Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_mis[0].module.instance.dynamic.ephemeral_block_device"value="cty.NilVal"2024-10-14T12:53:39Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_mis[0].module.instance.dynamic.ebs_block_device"value="cty.NilVal"2024-10-14T12:53:39Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_shared[\"boe-db\"].aws_s3_object.user_public_keys"value="cty.NilVal"2024-10-14T12:53:39Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_shared[\"boe-db\"].module.s3_bucket_oracledb_backups.dynamic.expiration"value="cty.NilVal"2024-10-14T12:53:39Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_shared[\"boe-db\"].module.s3_bucket_oracledb_backups.dynamic.transition"value="cty.NilVal"2024-10-14T12:53:39Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_shared[\"boe-db\"].module.s3_bucket_oracledb_backups.dynamic.noncurrent_version_expiration"value="cty.NilVal"2024-10-14T12:53:39Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_shared[\"boe-db\"].module.s3_bucket_oracledb_backups.dynamic.noncurrent_version_transition"value="cty.NilVal"2024-10-14T12:53:39Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_shared[\"boe-db\"].module.s3_bucket_oracledb_backups.dynamic.principals"value="cty.NilVal"2024-10-14T12:53:39Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_shared[\"boe-db\"].module.s3_bucket_oracledb_backups.dynamic.condition"value="cty.NilVal"2024-10-14T12:53:39Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_shared[\"boe-db\"].module.s3_bucket_oracledb_backups.dynamic.expiration"value="cty.NilVal"2024-10-14T12:53:39Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_shared[\"boe-db\"].module.s3_bucket_oracledb_backups.dynamic.transition"value="cty.NilVal"2024-10-14T12:53:39Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_shared[\"boe-db\"].module.s3_bucket_oracledb_backups.dynamic.noncurrent_version_expiration"value="cty.NilVal"2024-10-14T12:53:39Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_shared[\"boe-db\"].module.s3_bucket_oracledb_backups.dynamic.noncurrent_version_transition"value="cty.NilVal"2024-10-14T12:53:39Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_shared[\"boe-db\"].module.s3_bucket_oracledb_backups.dynamic.principals"value="cty.NilVal"2024-10-14T12:53:39Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_shared[\"boe-db\"].module.s3_bucket_oracledb_backups.dynamic.condition"value="cty.NilVal"2024-10-14T12:53:39Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_shared[\"boe-db\"].module.s3_bucket_ssh_keys.dynamic.expiration"value="cty.NilVal"2024-10-14T12:53:39Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_shared[\"boe-db\"].module.s3_bucket_ssh_keys.dynamic.transition"value="cty.NilVal"2024-10-14T12:53:39Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_shared[\"boe-db\"].module.s3_bucket_ssh_keys.dynamic.noncurrent_version_expiration"value="cty.NilVal"2024-10-14T12:53:39Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_shared[\"boe-db\"].module.s3_bucket_ssh_keys.dynamic.noncurrent_version_transition"value="cty.NilVal"2024-10-14T12:53:39Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_shared[\"boe-db\"].module.s3_bucket_ssh_keys.dynamic.principals"value="cty.NilVal"2024-10-14T12:53:39Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_shared[\"boe-db\"].module.s3_bucket_ssh_keys.dynamic.condition"value="cty.NilVal"2024-10-14T12:53:39Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_shared[\"boe-db\"].module.s3_bucket_ssh_keys.dynamic.expiration"value="cty.NilVal"2024-10-14T12:53:39Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_shared[\"boe-db\"].module.s3_bucket_ssh_keys.dynamic.transition"value="cty.NilVal"2024-10-14T12:53:39Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_shared[\"boe-db\"].module.s3_bucket_ssh_keys.dynamic.noncurrent_version_expiration"value="cty.NilVal"2024-10-14T12:53:39Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_shared[\"boe-db\"].module.s3_bucket_ssh_keys.dynamic.noncurrent_version_transition"value="cty.NilVal"2024-10-14T12:53:39Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_shared[\"boe-db\"].module.s3_bucket_ssh_keys.dynamic.principals"value="cty.NilVal"2024-10-14T12:53:39Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_shared[\"boe-db\"].module.s3_bucket_ssh_keys.dynamic.condition"value="cty.NilVal"2024-10-14T12:53:40Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_shared[\"dsd-db\"].aws_s3_object.user_public_keys"value="cty.NilVal"2024-10-14T12:53:40Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_shared[\"dsd-db\"].module.s3_bucket_oracledb_backups.dynamic.expiration"value="cty.NilVal"2024-10-14T12:53:40Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_shared[\"dsd-db\"].module.s3_bucket_oracledb_backups.dynamic.transition"value="cty.NilVal"2024-10-14T12:53:40Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_shared[\"dsd-db\"].module.s3_bucket_oracledb_backups.dynamic.noncurrent_version_expiration"value="cty.NilVal"2024-10-14T12:53:40Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_shared[\"dsd-db\"].module.s3_bucket_oracledb_backups.dynamic.noncurrent_version_transition"value="cty.NilVal"2024-10-14T12:53:40Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_shared[\"dsd-db\"].module.s3_bucket_oracledb_backups.dynamic.principals"value="cty.NilVal"2024-10-14T12:53:40Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_shared[\"dsd-db\"].module.s3_bucket_oracledb_backups.dynamic.condition"value="cty.NilVal"2024-10-14T12:53:40Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_shared[\"dsd-db\"].module.s3_bucket_oracledb_backups.dynamic.expiration"value="cty.NilVal"2024-10-14T12:53:40Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_shared[\"dsd-db\"].module.s3_bucket_oracledb_backups.dynamic.transition"value="cty.NilVal"2024-10-14T12:53:40Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_shared[\"dsd-db\"].module.s3_bucket_oracledb_backups.dynamic.noncurrent_version_expiration"value="cty.NilVal"2024-10-14T12:53:40Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_shared[\"dsd-db\"].module.s3_bucket_oracledb_backups.dynamic.noncurrent_version_transition"value="cty.NilVal"2024-10-14T12:53:40Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_shared[\"dsd-db\"].module.s3_bucket_oracledb_backups.dynamic.principals"value="cty.NilVal"2024-10-14T12:53:40Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_shared[\"dsd-db\"].module.s3_bucket_oracledb_backups.dynamic.condition"value="cty.NilVal"2024-10-14T12:53:40Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_shared[\"dsd-db\"].module.s3_bucket_ssh_keys.dynamic.expiration"value="cty.NilVal"2024-10-14T12:53:40Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_shared[\"dsd-db\"].module.s3_bucket_ssh_keys.dynamic.transition"value="cty.NilVal"2024-10-14T12:53:40Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_shared[\"dsd-db\"].module.s3_bucket_ssh_keys.dynamic.noncurrent_version_expiration"value="cty.NilVal"2024-10-14T12:53:40Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_shared[\"dsd-db\"].module.s3_bucket_ssh_keys.dynamic.noncurrent_version_transition"value="cty.NilVal"2024-10-14T12:53:40Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_shared[\"dsd-db\"].module.s3_bucket_ssh_keys.dynamic.principals"value="cty.NilVal"2024-10-14T12:53:40Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_shared[\"dsd-db\"].module.s3_bucket_ssh_keys.dynamic.condition"value="cty.NilVal"2024-10-14T12:53:40Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_shared[\"dsd-db\"].module.s3_bucket_ssh_keys.dynamic.expiration"value="cty.NilVal"2024-10-14T12:53:40Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_shared[\"dsd-db\"].module.s3_bucket_ssh_keys.dynamic.transition"value="cty.NilVal"2024-10-14T12:53:40Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_shared[\"dsd-db\"].module.s3_bucket_ssh_keys.dynamic.noncurrent_version_expiration"value="cty.NilVal"2024-10-14T12:53:40Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_shared[\"dsd-db\"].module.s3_bucket_ssh_keys.dynamic.noncurrent_version_transition"value="cty.NilVal"2024-10-14T12:53:40Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_shared[\"dsd-db\"].module.s3_bucket_ssh_keys.dynamic.principals"value="cty.NilVal"2024-10-14T12:53:40Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_shared[\"dsd-db\"].module.s3_bucket_ssh_keys.dynamic.condition"value="cty.NilVal"2024-10-14T12:53:40Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_shared[\"mis-db\"].aws_s3_object.user_public_keys"value="cty.NilVal"2024-10-14T12:53:40Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_shared[\"mis-db\"].module.s3_bucket_oracledb_backups.dynamic.expiration"value="cty.NilVal"2024-10-14T12:53:40Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_shared[\"mis-db\"].module.s3_bucket_oracledb_backups.dynamic.transition"value="cty.NilVal"2024-10-14T12:53:40Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_shared[\"mis-db\"].module.s3_bucket_oracledb_backups.dynamic.noncurrent_version_expiration"value="cty.NilVal"2024-10-14T12:53:40Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_shared[\"mis-db\"].module.s3_bucket_oracledb_backups.dynamic.noncurrent_version_transition"value="cty.NilVal"2024-10-14T12:53:40Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_shared[\"mis-db\"].module.s3_bucket_oracledb_backups.dynamic.principals"value="cty.NilVal"2024-10-14T12:53:40Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_shared[\"mis-db\"].module.s3_bucket_oracledb_backups.dynamic.condition"value="cty.NilVal"2024-10-14T12:53:40Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_shared[\"mis-db\"].module.s3_bucket_oracledb_backups.dynamic.expiration"value="cty.NilVal"2024-10-14T12:53:40Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_shared[\"mis-db\"].module.s3_bucket_oracledb_backups.dynamic.transition"value="cty.NilVal"2024-10-14T12:53:40Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_shared[\"mis-db\"].module.s3_bucket_oracledb_backups.dynamic.noncurrent_version_expiration"value="cty.NilVal"2024-10-14T12:53:40Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_shared[\"mis-db\"].module.s3_bucket_oracledb_backups.dynamic.noncurrent_version_transition"value="cty.NilVal"2024-10-14T12:53:40Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_shared[\"mis-db\"].module.s3_bucket_oracledb_backups.dynamic.principals"value="cty.NilVal"2024-10-14T12:53:40Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_shared[\"mis-db\"].module.s3_bucket_oracledb_backups.dynamic.condition"value="cty.NilVal"2024-10-14T12:53:40Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_shared[\"mis-db\"].module.s3_bucket_ssh_keys.dynamic.expiration"value="cty.NilVal"2024-10-14T12:53:40Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_shared[\"mis-db\"].module.s3_bucket_ssh_keys.dynamic.transition"value="cty.NilVal"2024-10-14T12:53:40Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_shared[\"mis-db\"].module.s3_bucket_ssh_keys.dynamic.noncurrent_version_expiration"value="cty.NilVal"2024-10-14T12:53:40Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_shared[\"mis-db\"].module.s3_bucket_ssh_keys.dynamic.noncurrent_version_transition"value="cty.NilVal"2024-10-14T12:53:40Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_shared[\"mis-db\"].module.s3_bucket_ssh_keys.dynamic.principals"value="cty.NilVal"2024-10-14T12:53:40Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_shared[\"mis-db\"].module.s3_bucket_ssh_keys.dynamic.condition"value="cty.NilVal"2024-10-14T12:53:40Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_shared[\"mis-db\"].module.s3_bucket_ssh_keys.dynamic.expiration"value="cty.NilVal"2024-10-14T12:53:40Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_shared[\"mis-db\"].module.s3_bucket_ssh_keys.dynamic.transition"value="cty.NilVal"2024-10-14T12:53:40Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_shared[\"mis-db\"].module.s3_bucket_ssh_keys.dynamic.noncurrent_version_expiration"value="cty.NilVal"2024-10-14T12:53:40Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_shared[\"mis-db\"].module.s3_bucket_ssh_keys.dynamic.noncurrent_version_transition"value="cty.NilVal"2024-10-14T12:53:40Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_shared[\"mis-db\"].module.s3_bucket_ssh_keys.dynamic.principals"value="cty.NilVal"2024-10-14T12:53:40Z ERROR [terraformevaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.block="module.oracle_db_shared[\"mis-db\"].module.s3_bucket_ssh_keys.dynamic.condition"value="cty.NilVal"2024-10-14T12:53:43Z INFO [terraformexecutor] Ignore finding rule="aws-s3-encryption-customer-key"range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=c918b2189d9f81d224e07e98fa1bc9ff38e4ba12/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"2024-10-14T12:53:43Z INFO [terraformexecutor] Ignore finding rule="aws-s3-encryption-customer-key"range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0/main.tf:171-179"2024-10-14T12:53:43Z INFO [terraformexecutor] Ignore finding rule="aws-ec2-no-public-egress-sgr"range="../../../delius-core/modules/components/oracle_db_shared/sg.tf:15"2024-10-14T12:53:43Z INFO [terraformexecutor] Ignore finding rule="aws-ec2-no-public-egress-sgr"range="../../../delius-core/modules/components/oracle_db_shared/sg.tf:15"2024-10-14T12:53:43Z INFO [terraformexecutor] Ignore finding rule="aws-ec2-no-public-egress-sgr"range="../../../delius-core/modules/components/oracle_db_shared/sg.tf:15"2024-10-14T12:53:43Z INFO [terraformexecutor] Ignore finding rule="aws-ec2-enforce-http-token-imds"range="github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance/main.tf:22"2024-10-14T12:53:43Z INFO [terraformexecutor] Ignore finding rule="aws-ec2-enforce-http-token-imds"range="github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance/main.tf:22"2024-10-14T12:53:43Z INFO [terraformexecutor] Ignore finding rule="aws-ec2-enforce-http-token-imds"range="github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance/main.tf:22"2024-10-14T12:53:43Z INFO [terraformexecutor] Ignore finding rule="aws-ec2-enforce-http-token-imds"range="github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance/main.tf:22"2024-10-14T12:53:43Z INFO [terraformexecutor] Ignore finding rule="aws-ec2-enforce-http-token-imds"range="github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance/main.tf:22"2024-10-14T12:53:43Z INFO [terraformexecutor] Ignore finding rule="aws-ec2-enforce-http-token-imds"range="github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance/main.tf:22"2024-10-14T12:53:43Z INFO [terraformexecutor] Ignore finding rule="aws-ec2-enforce-http-token-imds"range="github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance/main.tf:22"2024-10-14T12:53:43Z INFO [terraformexecutor] Ignore finding rule="aws-ssm-secret-use-customer-key"range="secrets.tf:3-9"2024-10-14T12:53:43Z INFO [terraformexecutor] Ignore finding rule="aws-ssm-secret-use-customer-key"range="secrets.tf:12-18"2024-10-14T12:53:43Z INFO Number of language-specific files num=02024-10-14T12:53:43Z INFO Detected config files num=18../../../delius-core/modules/components/oracle_db_shared/s3.tf (terraform)
==========================================================================
Tests:1 (SUCCESSES:0, FAILURES:1, EXCEPTIONS:0)
Failures:1 (HIGH:1, CRITICAL:0)
HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.
See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
../../../delius-core/modules/components/oracle_db_shared/s3.tf:204-212
via databases.tf:13-37 (module.oracle_db_shared["boe-db"])
────────────────────────────────────────
204 ┌ resource"aws_s3_bucket_server_side_encryption_configuration""oracledb_backups_inventory" {
205 │ bucket=aws_s3_bucket.s3_bucket_oracledb_backups_inventory.id206 │ rule {
207 │ apply_server_side_encryption_by_default {
208 │ kms_master_key_id=var.account_config.kms_keys.general_shared209 │ sse_algorithm="aws:kms"210 │ }
211 │ }
212 └ }
────────────────────────────────────────
pagerduty.tf (terraform)
========================
Tests:1 (SUCCESSES:0, FAILURES:1, EXCEPTIONS:0)
Failures:1 (HIGH:1, CRITICAL:0)
HIGH: Topic does not have encryption enabled.
════════════════════════════════════════
Topics should be encrypted to protect their contents.
See https://avd.aquasec.com/misconfig/avd-aws-0095
────────────────────────────────────────
pagerduty.tf:1-10
────────────────────────────────────────
1 ┌ resource"aws_sns_topic""delius_mis_alarms" {
2 │ name="${var.app_name}-${var.env_name}-sns-topic"3 │
4 │ tags=merge(
5 │ var.tags,
6 │ {
7 │ Name ="${var.app_name}-${var.env_name}-sns-topic"8 │ }
9 │ )
10 └ }
────────────────────────────────────────
sg_shared.tf (terraform)
========================
Tests:4 (SUCCESSES:0, FAILURES:1, EXCEPTIONS:3)
Failures:1 (HIGH:1, CRITICAL:0)
HIGH: Security group rule allows ingress from public internet.
════════════════════════════════════════
Security groups provide stateful filtering of ingress and egress network traffic to AWS
resources. It is recommended that no security group allows unrestricted ingress access to
remote server administration ports, such as SSH to port 22 and RDP to port 3389.
See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
sg_shared.tf:28
via sg_shared.tf:26-32 (aws_vpc_security_group_ingress_rule.fleet_manager)
────────────────────────────────────────
26 resource"aws_vpc_security_group_ingress_rule""fleet_manager" {
27security_group_id=aws_security_group.mis_ec2_shared.id28 [ cidr_ipv4 = "0.0.0.0/0"29ip_protocol = "tcp"30from_port = 338931to_port = 338932 }
────────────────────────────────────────
trivy_exitcode=1*****************************RunningTrivyinterraform/modules/disable_alarms_lambda2024-10-14T12:53:44Z INFO [vuln] Vulnerabilityscanningisenabled2024-10-14T12:53:44Z INFO [misconfig] Misconfigurationscanningisenabled2024-10-14T12:53:44Z INFO [secret] Secretscanningisenabled2024-10-14T12:53:44Z INFO [secret] Ifyourscanningisslow, pleasetry '--scannersvuln' todisablesecretscanning2024-10-14T12:53:44Z INFO [secret] Pleaseseealsohttps://aquasecurity.github.io/trivy/v0.56/docs/scanner/secret#recommendation for faster secret detection2024-10-14T12:53:44Z INFO [terraformscanner] Scanningrootmodulefile_path="."2024-10-14T12:53:44Z WARN [terraformparser] Variablevalueswasnotfoundintheenvironmentorvariablefiles.Evaluatingmaynotworkcorrectly.module="root"variables="lambda_function_name"2024-10-14T12:53:44Z INFONumberoflanguage-specificfilesnum=02024-10-14T12:53:44Z INFODetectedconfigfilesnum=2trivy_exitcode=1
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
github-actions
bot
added
the
environments-repository
andrewmooreio
temporarily deployed
to
delius-mis-development
sobostion
deleted the
TM-570-automate-disabling-of-cloud-watch-alarms-for-non-prod-environments-mp
branch
No description provided.