Bump bastion_linux::modernisation-platform-terraform-bastion-linux from 4.2.1 to 4.3.1 in /terraform/environments/delius-jitbit

[dependabot]

Bumps bastion_linux::modernisation-platform-terraform-bastion-linux from 4.2.1 to 4.3.1.

Release notes

Sourced from bastion_linux::modernisation-platform-terraform-bastion-linux's releases.

v4.3.1

What's Fixed

• The AWS KMS key used to encrypt the S3 bucket that holds ssh keys is now created with name_prefix instead of name to ensure uniqueness.
• The module output - bastion_security_group - now exposes the full content of the aws_security_group.bastion_linux resource. You can still retrieve the id attribute but will need to define it specifically. EG. module.bastion.bastion_security_group.id.

What's Changed

• Add alias for MP S3 KMS key by @​dms1981 in ministryofjustice/modernisation-platform-terraform-bastion-linux#566
• Refactor unit tests by @​dms1981 in ministryofjustice/modernisation-platform-terraform-bastion-linux#569

Full Changelog: ministryofjustice/modernisation-platform-terraform-bastion-linux@v4.3.0...v4.3.1

v4.3.0

What's New

Launch templates will now resolve the SSM Parameter for amzn2-ami-hvm-x86_64-gp2 and resolve the latest version when creating instances. You can read the AWS documentation on using parameter resolution in templates here.

What's Changed

• A lot of dependabot version bumps
• Feature/trivy by @​ep-93 in ministryofjustice/modernisation-platform-terraform-bastion-linux#413
• updated README.md and unit test name by @​Khatraf in ministryofjustice/modernisation-platform-terraform-bastion-linux#436
• add tfsec exception to fix static-analysis check failure by @​robertsweetman in ministryofjustice/modernisation-platform-terraform-bastion-linux#460
• Adds the redact of sensitive data items from test workflow output. by @​mikereiddigital in ministryofjustice/modernisation-platform-terraform-bastion-linux#465
• Fixes unredacted data values in workflow log. by @​mikereiddigital in ministryofjustice/modernisation-platform-terraform-bastion-linux#473
• Update main.tf by @​ep-93 in ministryofjustice/modernisation-platform-terraform-bastion-linux#474
• issue/7689 by @​mikereiddigital in ministryofjustice/modernisation-platform-terraform-bastion-linux#544
• Bump Go versions by @​ASTRobinson in ministryofjustice/modernisation-platform-terraform-bastion-linux#551
• Updated template to use dynamic resolution of SSM parameter store value by @​dms1981 in ministryofjustice/modernisation-platform-terraform-bastion-linux#563

New Contributors

• @​Kudzai-moj made their first contribution in ministryofjustice/modernisation-platform-terraform-bastion-linux#415
• @​Khatraf made their first contribution in ministryofjustice/modernisation-platform-terraform-bastion-linux#436
• @​robertsweetman made their first contribution in ministryofjustice/modernisation-platform-terraform-bastion-linux#460

Full Changelog: ministryofjustice/modernisation-platform-terraform-bastion-linux@v4.2.1...v4.3.0

Commits

• ab924e5 Merge pull request #571 from ministryofjustice/dependabot/github_actions/gith...
• 0aeff36 Bump github/codeql-action from 3.26.12 to 3.26.13
• 9a92439 Merge pull request #569 from ministryofjustice/feature/7569-unit-tests
• 4d638cb Merge pull request #570 from ministryofjustice/dependabot/github_actions/mini...
• 0f844c3 Update versions.tf
• f820ed1 Update terraform-static-analysis.yml
• b8abd5c Update format-code.yml
• 714055c Bump ministryofjustice/github-actions from 18.2.2 to 18.2.4
• 89aaf2c added checkov skip as policy is defined as a separate resource and not inline
• 7d94ff1 terraform-docs: automated action
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[github-actions]

Trivy Scan Failed

Show Output

```hcl

---

Trivy will check the following folders:
terraform/environments/delius-jitbit

---

Running Trivy in terraform/environments/delius-jitbit
2024-10-15T00:19:57Z INFO [vulndb] Need to update DB
2024-10-15T00:19:57Z INFO [vulndb] Downloading vulnerability DB...
2024-10-15T00:19:57Z INFO [vulndb] Downloading artifact... repo="ghcr.io/aquasecurity/trivy-db:2"
2024-10-15T00:19:59Z INFO [vulndb] Artifact successfully downloaded repo="ghcr.io/aquasecurity/trivy-db:2"
2024-10-15T00:19:59Z INFO [vuln] Vulnerability scanning is enabled
2024-10-15T00:19:59Z INFO [misconfig] Misconfiguration scanning is enabled
2024-10-15T00:19:59Z INFO [misconfig] Need to update the built-in checks
2024-10-15T00:19:59Z INFO [misconfig] Downloading the built-in checks...
156.02 KiB / 156.02 KiB [---------------------------------------------------------] 100.00% ? p/s 0s2024-10-15T00:20:00Z INFO [secret] Secret scanning is enabled
2024-10-15T00:20:00Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-10-15T00:20:00Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.56/docs/scanner/secret#recommendation for faster secret detection
2024-10-15T00:20:01Z INFO [terraform scanner] Scanning root module file_path="."
2024-10-15T00:20:01Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2024-10-15T00:20:01Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_vpc_security_group_egress_rule.load_balancer_egress_rule" value="cty.NilVal"
2024-10-15T00:20:01Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_vpc_security_group_ingress_rule.load_balancer_ingress_rule" value="cty.NilVal"
2024-10-15T00:20:02Z ERROR [terraform evaluator] Failed to load module. Maybe try 'terraform init'? err="open cluster: no such file or directory"
2024-10-15T00:20:03Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2024-10-15T00:20:03Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2024-10-15T00:20:03Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.dynamic.tag" value="cty.NilVal"
2024-10-15T00:20:03Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.dynamic.tag" value="cty.NilVal"
2024-10-15T00:20:03Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-15T00:20:03Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-10-15T00:20:03Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-15T00:20:03Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-15T00:20:03Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-10-15T00:20:03Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-10-15T00:20:03Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-15T00:20:03Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-10-15T00:20:03Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-15T00:20:03Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-15T00:20:03Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-10-15T00:20:03Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-10-15T00:20:03Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.jitbit_bucket.dynamic.expiration" value="cty.NilVal"
2024-10-15T00:20:03Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.jitbit_bucket.dynamic.transition" value="cty.NilVal"
2024-10-15T00:20:03Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.jitbit_bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-15T00:20:03Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.jitbit_bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-15T00:20:03Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.jitbit_bucket.dynamic.principals" value="cty.NilVal"
2024-10-15T00:20:03Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.jitbit_bucket.dynamic.condition" value="cty.NilVal"
2024-10-15T00:20:03Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.jitbit_bucket.dynamic.expiration" value="cty.NilVal"
2024-10-15T00:20:03Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.jitbit_bucket.dynamic.transition" value="cty.NilVal"
2024-10-15T00:20:03Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.jitbit_bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-15T00:20:03Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.jitbit_bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-15T00:20:03Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.jitbit_bucket.dynamic.principals" value="cty.NilVal"
2024-10-15T00:20:03Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.jitbit_bucket.dynamic.condition" value="cty.NilVal"
2024-10-15T00:20:03Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_app_deployment.dynamic.expiration" value="cty.NilVal"
2024-10-15T00:20:03Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_app_deployment.dynamic.transition" value="cty.NilVal"
2024-10-15T00:20:03Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_app_deployment.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-15T00:20:03Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_app_deployment.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-15T00:20:03Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_app_deployment.dynamic.principals" value="cty.NilVal"
2024-10-15T00:20:03Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_app_deployment.dynamic.condition" value="cty.NilVal"
2024-10-15T00:20:03Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_app_deployment.dynamic.expiration" value="cty.NilVal"
2024-10-15T00:20:03Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_app_deployment.dynamic.transition" value="cty.NilVal"
2024-10-15T00:20:03Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_app_deployment.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-15T00:20:03Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_app_deployment.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-15T00:20:03Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_app_deployment.dynamic.principals" value="cty.NilVal"
2024-10-15T00:20:03Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_app_deployment.dynamic.condition" value="cty.NilVal"
2024-10-15T00:20:03Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.shield.aws_wafv2_web_acl_association.this" value="cty.NilVal"
2024-10-15T00:20:03Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.shield.dynamic.action" value="cty.NilVal"
2024-10-15T00:20:03Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.shield.dynamic.action" value="cty.NilVal"
2024-10-15T00:20:03Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.shield.dynamic.action" value="cty.NilVal"
2024-10-15T00:20:03Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.shield.dynamic.action" value="cty.NilVal"
2024-10-15T00:20:05Z INFO [terraform executor] Ignore finding rule="aws-elb-alb-not-public" range="lb.tf:14"
2024-10-15T00:20:05Z INFO [terraform executor] Ignore finding rule="aws-iam-no-user-attached-policies" range="iam.tf:150-156"
2024-10-15T00:20:05Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.3.1/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=7b2b75c178f855d8c48d3bda4ac53df782288c02/main.tf:141-151"
2024-10-15T00:20:05Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0/main.tf:157-165"
2024-10-15T00:20:05Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0/main.tf:157-165"
2024-10-15T00:20:05Z INFO [terraform executor] Ignore finding rule="aws-ssm-secret-use-customer-key" range="secrets.tf:5-15"
2024-10-15T00:20:05Z INFO Number of language-specific files num=0
2024-10-15T00:20:05Z INFO Detected config files num=14

monitoring.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Topic does not have encryption enabled.
════════════════════════════════════════
Topics should be encrypted to protect their contents.

See https://avd.aquasec.com/misconfig/avd-aws-0095
────────────────────────────────────────
monitoring.tf:6-8
────────────────────────────────────────
6 ┌ resource "aws_sns_topic" "jitbit_alerting" {
7 │ name = "jitbit_alerting"
8 └ }
────────────────────────────────────────

ses_bounce.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Topic does not have encryption enabled.
════════════════════════════════════════
Topics should be encrypted to protect their contents.

See https://avd.aquasec.com/misconfig/avd-aws-0095
────────────────────────────────────────
ses_bounce.tf:1-5
────────────────────────────────────────
1 ┌ resource "aws_sns_topic" "jitbit_ses_destination_topic_bounce_email_notification" {
2 │ name = format("%s-ses-destination-topic-bounce-email-notification", local.application_name)
3 │
4 │ tags = local.tags
5 └ }
────────────────────────────────────────

ses_logging.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Topic does not have encryption enabled.
════════════════════════════════════════
Topics should be encrypted to protect their contents.

See https://avd.aquasec.com/misconfig/avd-aws-0095
────────────────────────────────────────
ses_logging.tf:4-8
────────────────────────────────────────
4 ┌ resource "aws_sns_topic" "jitbit_ses_destination_topic" {
5 │ name = format("%s-ses-destination-topic", local.application_name)
6 │
7 │ tags = local.tags
8 └ }
────────────────────────────────────────

trivy_exitcode=1

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/delius-jitbit

*****************************

Running Checkov in terraform/environments/delius-jitbit
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-10-15 00:20:07,639 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//cluster?ref=v2.0.1:None (for external modules, the --download-external-modules flag is required)
2024-10-15 00:20:07,639 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0:None (for external modules, the --download-external-modules flag is required)
2024-10-15 00:20:07,639 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.3.1:None (for external modules, the --download-external-modules flag is required)
2024-10-15 00:20:07,639 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0:None (for external modules, the --download-external-modules flag is required)
2024-10-15 00:20:07,639 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 322, Failed checks: 69, Skipped checks: 20

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: bastion_linux
	File: /bastion_linux.tf:6-41
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		6  | module "bastion_linux" {
		7  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.3.1"
		8  | 
		9  |   providers = {
		10 |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		11 |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		12 |   }
		13 | 
		14 |   # s3 - used for logs and user ssh public keys
		15 |   bucket_name = "bastion"
		16 |   # public keys
		17 |   public_key_data = local.public_key_data.keys[local.environment]
		18 |   # logs
		19 |   log_auto_clean       = "Enabled"
		20 |   log_standard_ia_days = 30  # days before moving to IA storage
		21 |   log_glacier_days     = 60  # days before moving to Glacier
		22 |   log_expiry_days      = 180 # days before log expiration
		23 |   # bastion
		24 |   allow_ssh_commands = false
		25 | 
		26 |   app_name      = var.networking[0].application
		27 |   business_unit = local.vpc_name
		28 |   subnet_set    = local.subnet_set
		29 |   environment   = local.environment
		30 |   region        = "eu-west-2"
		31 | 
		32 |   # custom scaling schedule
		33 |   autoscaling_cron = {
		34 |     "down" : "0 21 * * *",
		35 |     "up" : "0 05 * * *"
		36 |   }
		37 | 
		38 |   # Tags
		39 |   tags_common = local.tags
		40 |   tags_prefix = terraform.workspace
		41 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: ecs
	File: /ecs.tf:1-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		1 | module "ecs" {
		2 |   source = "github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//cluster?ref=v2.0.1"
		3 | 
		4 |   environment = local.environment
		5 |   name        = local.application_name
		6 | 
		7 |   tags = local.tags
		8 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3_bucket_app_deployment
	File: /ecs.tf:11-51
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		11 | module "s3_bucket_app_deployment" {
		12 | 
		13 |   source = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0"
		14 | 
		15 |   providers = {
		16 |     aws.bucket-replication = aws
		17 |   }
		18 |   bucket_name        = "${local.application_name}-${local.environment}-deployment"
		19 |   versioning_enabled = true
		20 | 
		21 |   ownership_controls = "BucketOwnerEnforced"
		22 | 
		23 |   lifecycle_rule = [
		24 |     {
		25 |       id      = "main"
		26 |       enabled = "Enabled"
		27 |       prefix  = ""
		28 | 
		29 |       tags = {
		30 |         rule      = "log"
		31 |         autoclean = "true"
		32 |       }
		33 | 
		34 |       noncurrent_version_transition = [
		35 |         {
		36 |           days          = 90
		37 |           storage_class = "STANDARD_IA"
		38 |           }, {
		39 |           days          = 365
		40 |           storage_class = "GLACIER"
		41 |         }
		42 |       ]
		43 | 
		44 |       noncurrent_version_expiration = {
		45 |         days = 730
		46 |       }
		47 |     }
		48 |   ]
		49 | 
		50 |   tags = local.tags
		51 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.jitbit
	File: /ecs.tf:84-87
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		84 | resource "aws_cloudwatch_log_group" "jitbit" {
		85 |   name              = format("%s-ecs", local.application_name)
		86 |   retention_in_days = 30
		87 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.jitbit
	File: /ecs.tf:84-87
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		84 | resource "aws_cloudwatch_log_group" "jitbit" {
		85 |   name              = format("%s-ecs", local.application_name)
		86 |   retention_in_days = 30
		87 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.ecs_service_policy
	File: /iam.tf:37-52
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		37 | data "aws_iam_policy_document" "ecs_service_policy" {
		38 |   statement {
		39 |     effect    = "Allow"
		40 |     resources = ["*"]
		41 | 
		42 |     actions = [
		43 |       "elasticloadbalancing:Describe*",
		44 |       "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
		45 |       "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
		46 |       "ec2:Describe*",
		47 |       "ec2:AuthorizeSecurityGroupIngress",
		48 |       "elasticloadbalancing:RegisterTargets",
		49 |       "elasticloadbalancing:DeregisterTargets"
		50 |     ]
		51 |   }
		52 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.ecs_service_policy
	File: /iam.tf:37-52
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		37 | data "aws_iam_policy_document" "ecs_service_policy" {
		38 |   statement {
		39 |     effect    = "Allow"
		40 |     resources = ["*"]
		41 | 
		42 |     actions = [
		43 |       "elasticloadbalancing:Describe*",
		44 |       "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
		45 |       "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
		46 |       "ec2:Describe*",
		47 |       "ec2:AuthorizeSecurityGroupIngress",
		48 |       "elasticloadbalancing:RegisterTargets",
		49 |       "elasticloadbalancing:DeregisterTargets"
		50 |     ]
		51 |   }
		52 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.ecs_exec
	File: /iam.tf:98-114
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		98  | data "aws_iam_policy_document" "ecs_exec" {
		99  |   statement {
		100 |     effect    = "Allow"
		101 |     resources = ["*"]
		102 | 
		103 |     actions = [
		104 |       "ssm:GetParameters",
		105 |       "ecr:GetAuthorizationToken",
		106 |       "ecr:BatchCheckLayerAvailability",
		107 |       "ecr:GetDownloadUrlForLayer",
		108 |       "ecr:BatchGetImage",
		109 |       "logs:CreateLogGroup",
		110 |       "logs:CreateLogStream",
		111 |       "logs:PutLogEvents"
		112 |     ]
		113 |   }
		114 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.ecs_exec
	File: /iam.tf:98-114
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		98  | data "aws_iam_policy_document" "ecs_exec" {
		99  |   statement {
		100 |     effect    = "Allow"
		101 |     resources = ["*"]
		102 | 
		103 |     actions = [
		104 |       "ssm:GetParameters",
		105 |       "ecr:GetAuthorizationToken",
		106 |       "ecr:BatchCheckLayerAvailability",
		107 |       "ecr:GetDownloadUrlForLayer",
		108 |       "ecr:BatchGetImage",
		109 |       "logs:CreateLogGroup",
		110 |       "logs:CreateLogStream",
		111 |       "logs:PutLogEvents"
		112 |     ]
		113 |   }
		114 | }

Check: CKV_AWS_108: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_policy_document.ecs_exec
	File: /iam.tf:98-114
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-data-exfiltration

		98  | data "aws_iam_policy_document" "ecs_exec" {
		99  |   statement {
		100 |     effect    = "Allow"
		101 |     resources = ["*"]
		102 | 
		103 |     actions = [
		104 |       "ssm:GetParameters",
		105 |       "ecr:GetAuthorizationToken",
		106 |       "ecr:BatchCheckLayerAvailability",
		107 |       "ecr:GetDownloadUrlForLayer",
		108 |       "ecr:BatchGetImage",
		109 |       "logs:CreateLogGroup",
		110 |       "logs:CreateLogStream",
		111 |       "logs:PutLogEvents"
		112 |     ]
		113 |   }
		114 | }

Check: CKV_AWS_378: "Ensure AWS Load Balancer doesn't use HTTP protocol"
	FAILED for resource: aws_lb_target_group.target_group_fargate
	File: /lb.tf:97-127

		97  | resource "aws_lb_target_group" "target_group_fargate" {
		98  |   # checkov:skip=CKV_AWS_261
		99  | 
		100 |   name                 = local.application_name
		101 |   port                 = local.app_port
		102 |   protocol             = "HTTP"
		103 |   vpc_id               = data.aws_vpc.shared.id
		104 |   target_type          = "ip"
		105 |   deregistration_delay = 30
		106 | 
		107 |   stickiness {
		108 |     type = "lb_cookie"
		109 |   }
		110 | 
		111 |   health_check {
		112 |     path                = "/User/Login?ReturnUrl=%2f"
		113 |     healthy_threshold   = "5"
		114 |     interval            = "120"
		115 |     protocol            = "HTTP"
		116 |     unhealthy_threshold = "2"
		117 |     matcher             = "200-499"
		118 |     timeout             = "5"
		119 |   }
		120 | 
		121 |   tags = merge(
		122 |     local.tags,
		123 |     {
		124 |       Name = local.application_name
		125 |     }
		126 |   )
		127 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: pagerduty_core_alerts
	File: /monitoring.tf:37-44
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		37 | module "pagerduty_core_alerts" {
		38 |   depends_on = [
		39 |     aws_sns_topic.jitbit_alerting
		40 |   ]
		41 |   source                    = "github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0"
		42 |   sns_topics                = [aws_sns_topic.jitbit_alerting.name]
		43 |   pagerduty_integration_key = local.pagerduty_integration_key
		44 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.jitbit_alerting
	File: /monitoring.tf:6-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		6 | resource "aws_sns_topic" "jitbit_alerting" {
		7 |   name = "jitbit_alerting"
		8 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.app_logs
	File: /monitoring_app.tf:1-6
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		1 | resource "aws_cloudwatch_log_group" "app_logs" {
		2 |   name              = "delius-jitbit-ecs"
		3 |   retention_in_days = 30
		4 | 
		5 |   tags = local.tags
		6 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.app_logs
	File: /monitoring_app.tf:1-6
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		1 | resource "aws_cloudwatch_log_group" "app_logs" {
		2 |   name              = "delius-jitbit-ecs"
		3 |   retention_in_days = 30
		4 | 
		5 |   tags = local.tags
		6 | }

Check: CKV_AWS_211: "Ensure RDS uses a modern CaCert"
	FAILED for resource: aws_db_instance.jitbit
	File: /rds.tf:43-89
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-rds-uses-a-modern-cacert

		43 | resource "aws_db_instance" "jitbit" {
		44 |   engine         = "sqlserver-se"
		45 |   license_model  = "license-included"
		46 |   engine_version = local.application_data.accounts[local.environment].db_engine_version
		47 |   instance_class = local.application_data.accounts[local.environment].db_instance_class
		48 |   identifier     = "${local.application_name}-${local.environment}-database"
		49 |   username       = local.application_data.accounts[local.environment].db_user
		50 | 
		51 |   apply_immediately = false
		52 | 
		53 |   manage_master_user_password = true
		54 | 
		55 |   snapshot_identifier = try(local.application_data.accounts[local.environment].db_snapshot_identifier, null)
		56 | 
		57 |   # tflint-ignore: aws_db_instance_default_parameter_group
		58 |   parameter_group_name        = "default.sqlserver-se-15.0"
		59 |   ca_cert_identifier          = local.application_data.accounts[local.environment].db_ca_cert_identifier
		60 |   deletion_protection         = local.application_data.accounts[local.environment].db_deletion_protection
		61 |   delete_automated_backups    = local.application_data.accounts[local.environment].db_delete_automated_backups
		62 |   skip_final_snapshot         = local.skip_final_snapshot
		63 |   final_snapshot_identifier   = !local.skip_final_snapshot ? "${local.application_name}-${local.environment}-database-final-snapshot" : null
		64 |   allocated_storage           = local.application_data.accounts[local.environment].db_allocated_storage
		65 |   max_allocated_storage       = local.application_data.accounts[local.environment].db_max_allocated_storage
		66 |   storage_type                = local.application_data.accounts[local.environment].db_storage_type
		67 |   maintenance_window          = local.application_data.accounts[local.environment].db_maintenance_window
		68 |   auto_minor_version_upgrade  = local.application_data.accounts[local.environment].db_auto_minor_version_upgrade
		69 |   allow_major_version_upgrade = local.application_data.accounts[local.environment].db_allow_major_version_upgrade
		70 |   backup_window               = local.application_data.accounts[local.environment].db_backup_window
		71 |   backup_retention_period     = local.application_data.accounts[local.environment].db_retention_period
		72 |   #checkov:skip=CKV_AWS_133: "backup_retention enabled, can be edited it application_variables.json"
		73 |   iam_database_authentication_enabled = local.application_data.accounts[local.environment].db_iam_database_authentication_enabled
		74 |   #checkov:skip=CKV_AWS_161: "iam auth enabled, but optional"
		75 |   db_subnet_group_name   = aws_db_subnet_group.jitbit.id
		76 |   vpc_security_group_ids = [aws_security_group.database_security_group.id]
		77 |   multi_az               = local.application_data.accounts[local.environment].db_multi_az
		78 |   #checkov:skip=CKV_AWS_157: "multi-az enabled, but optional"
		79 |   monitoring_interval = local.application_data.accounts[local.environment].db_monitoring_interval
		80 |   monitoring_role_arn = local.application_data.accounts[local.environment].db_monitoring_interval == 0 ? "" : aws_iam_role.rds_enhanced_monitoring[0].arn
		81 |   #checkov:skip=CKV_AWS_118: "enhanced monitoring is enabled, but optional"
		82 |   storage_encrypted               = true
		83 |   performance_insights_enabled    = local.application_data.accounts[local.environment].db_performance_insights_enabled
		84 |   performance_insights_kms_key_id = "" #tfsec:ignore:aws-rds-enable-performance-insights-encryption Left empty so that it will run, however should be populated with real key in scenario.
		85 |   enabled_cloudwatch_logs_exports = local.application_data.accounts[local.environment].db_enabled_cloudwatch_logs_exports
		86 |   tags = merge(local.tags,
		87 |     { Name = lower(format("%s-%s-database", local.application_name, local.environment)) }
		88 |   )
		89 | }

Check: CKV_AWS_226: "Ensure DB instance gets all minor upgrades automatically"
	FAILED for resource: aws_db_instance.jitbit
	File: /rds.tf:43-89
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-db-instance-gets-all-minor-upgrades-automatically

		43 | resource "aws_db_instance" "jitbit" {
		44 |   engine         = "sqlserver-se"
		45 |   license_model  = "license-included"
		46 |   engine_version = local.application_data.accounts[local.environment].db_engine_version
		47 |   instance_class = local.application_data.accounts[local.environment].db_instance_class
		48 |   identifier     = "${local.application_name}-${local.environment}-database"
		49 |   username       = local.application_data.accounts[local.environment].db_user
		50 | 
		51 |   apply_immediately = false
		52 | 
		53 |   manage_master_user_password = true
		54 | 
		55 |   snapshot_identifier = try(local.application_data.accounts[local.environment].db_snapshot_identifier, null)
		56 | 
		57 |   # tflint-ignore: aws_db_instance_default_parameter_group
		58 |   parameter_group_name        = "default.sqlserver-se-15.0"
		59 |   ca_cert_identifier          = local.application_data.accounts[local.environment].db_ca_cert_identifier
		60 |   deletion_protection         = local.application_data.accounts[local.environment].db_deletion_protection
		61 |   delete_automated_backups    = local.application_data.accounts[local.environment].db_delete_automated_backups
		62 |   skip_final_snapshot         = local.skip_final_snapshot
		63 |   final_snapshot_identifier   = !local.skip_final_snapshot ? "${local.application_name}-${local.environment}-database-final-snapshot" : null
		64 |   allocated_storage           = local.application_data.accounts[local.environment].db_allocated_storage
		65 |   max_allocated_storage       = local.application_data.accounts[local.environment].db_max_allocated_storage
		66 |   storage_type                = local.application_data.accounts[local.environment].db_storage_type
		67 |   maintenance_window          = local.application_data.accounts[local.environment].db_maintenance_window
		68 |   auto_minor_version_upgrade  = local.application_data.accounts[local.environment].db_auto_minor_version_upgrade
		69 |   allow_major_version_upgrade = local.application_data.accounts[local.environment].db_allow_major_version_upgrade
		70 |   backup_window               = local.application_data.accounts[local.environment].db_backup_window
		71 |   backup_retention_period     = local.application_data.accounts[local.environment].db_retention_period
		72 |   #checkov:skip=CKV_AWS_133: "backup_retention enabled, can be edited it application_variables.json"
		73 |   iam_database_authentication_enabled = local.application_data.accounts[local.environment].db_iam_database_authentication_enabled
		74 |   #checkov:skip=CKV_AWS_161: "iam auth enabled, but optional"
		75 |   db_subnet_group_name   = aws_db_subnet_group.jitbit.id
		76 |   vpc_security_group_ids = [aws_security_group.database_security_group.id]
		77 |   multi_az               = local.application_data.accounts[local.environment].db_multi_az
		78 |   #checkov:skip=CKV_AWS_157: "multi-az enabled, but optional"
		79 |   monitoring_interval = local.application_data.accounts[local.environment].db_monitoring_interval
		80 |   monitoring_role_arn = local.application_data.accounts[local.environment].db_monitoring_interval == 0 ? "" : aws_iam_role.rds_enhanced_monitoring[0].arn
		81 |   #checkov:skip=CKV_AWS_118: "enhanced monitoring is enabled, but optional"
		82 |   storage_encrypted               = true
		83 |   performance_insights_enabled    = local.application_data.accounts[local.environment].db_performance_insights_enabled
		84 |   performance_insights_kms_key_id = "" #tfsec:ignore:aws-rds-enable-performance-insights-encryption Left empty so that it will run, however should be populated with real key in scenario.
		85 |   enabled_cloudwatch_logs_exports = local.application_data.accounts[local.environment].db_enabled_cloudwatch_logs_exports
		86 |   tags = merge(local.tags,
		87 |     { Name = lower(format("%s-%s-database", local.application_name, local.environment)) }
		88 |   )
		89 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: aws_db_instance.jitbit
	File: /rds.tf:43-89
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-354

		43 | resource "aws_db_instance" "jitbit" {
		44 |   engine         = "sqlserver-se"
		45 |   license_model  = "license-included"
		46 |   engine_version = local.application_data.accounts[local.environment].db_engine_version
		47 |   instance_class = local.application_data.accounts[local.environment].db_instance_class
		48 |   identifier     = "${local.application_name}-${local.environment}-database"
		49 |   username       = local.application_data.accounts[local.environment].db_user
		50 | 
		51 |   apply_immediately = false
		52 | 
		53 |   manage_master_user_password = true
		54 | 
		55 |   snapshot_identifier = try(local.application_data.accounts[local.environment].db_snapshot_identifier, null)
		56 | 
		57 |   # tflint-ignore: aws_db_instance_default_parameter_group
		58 |   parameter_group_name        = "default.sqlserver-se-15.0"
		59 |   ca_cert_identifier          = local.application_data.accounts[local.environment].db_ca_cert_identifier
		60 |   deletion_protection         = local.application_data.accounts[local.environment].db_deletion_protection
		61 |   delete_automated_backups    = local.application_data.accounts[local.environment].db_delete_automated_backups
		62 |   skip_final_snapshot         = local.skip_final_snapshot
		63 |   final_snapshot_identifier   = !local.skip_final_snapshot ? "${local.application_name}-${local.environment}-database-final-snapshot" : null
		64 |   allocated_storage           = local.application_data.accounts[local.environment].db_allocated_storage
		65 |   max_allocated_storage       = local.application_data.accounts[local.environment].db_max_allocated_storage
		66 |   storage_type                = local.application_data.accounts[local.environment].db_storage_type
		67 |   maintenance_window          = local.application_data.accounts[local.environment].db_maintenance_window
		68 |   auto_minor_version_upgrade  = local.application_data.accounts[local.environment].db_auto_minor_version_upgrade
		69 |   allow_major_version_upgrade = local.application_data.accounts[local.environment].db_allow_major_version_upgrade
		70 |   backup_window               = local.application_data.accounts[local.environment].db_backup_window
		71 |   backup_retention_period     = local.application_data.accounts[local.environment].db_retention_period
		72 |   #checkov:skip=CKV_AWS_133: "backup_retention enabled, can be edited it application_variables.json"
		73 |   iam_database_authentication_enabled = local.application_data.accounts[local.environment].db_iam_database_authentication_enabled
		74 |   #checkov:skip=CKV_AWS_161: "iam auth enabled, but optional"
		75 |   db_subnet_group_name   = aws_db_subnet_group.jitbit.id
		76 |   vpc_security_group_ids = [aws_security_group.database_security_group.id]
		77 |   multi_az               = local.application_data.accounts[local.environment].db_multi_az
		78 |   #checkov:skip=CKV_AWS_157: "multi-az enabled, but optional"
		79 |   monitoring_interval = local.application_data.accounts[local.environment].db_monitoring_interval
		80 |   monitoring_role_arn = local.application_data.accounts[local.environment].db_monitoring_interval == 0 ? "" : aws_iam_role.rds_enhanced_monitoring[0].arn
		81 |   #checkov:skip=CKV_AWS_118: "enhanced monitoring is enabled, but optional"
		82 |   storage_encrypted               = true
		83 |   performance_insights_enabled    = local.application_data.accounts[local.environment].db_performance_insights_enabled
		84 |   performance_insights_kms_key_id = "" #tfsec:ignore:aws-rds-enable-performance-insights-encryption Left empty so that it will run, however should be populated with real key in scenario.
		85 |   enabled_cloudwatch_logs_exports = local.application_data.accounts[local.environment].db_enabled_cloudwatch_logs_exports
		86 |   tags = merge(local.tags,
		87 |     { Name = lower(format("%s-%s-database", local.application_name, local.environment)) }
		88 |   )
		89 | }

Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
	FAILED for resource: aws_db_instance.jitbit
	File: /rds.tf:43-89
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-353

		43 | resource "aws_db_instance" "jitbit" {
		44 |   engine         = "sqlserver-se"
		45 |   license_model  = "license-included"
		46 |   engine_version = local.application_data.accounts[local.environment].db_engine_version
		47 |   instance_class = local.application_data.accounts[local.environment].db_instance_class
		48 |   identifier     = "${local.application_name}-${local.environment}-database"
		49 |   username       = local.application_data.accounts[local.environment].db_user
		50 | 
		51 |   apply_immediately = false
		52 | 
		53 |   manage_master_user_password = true
		54 | 
		55 |   snapshot_identifier = try(local.application_data.accounts[local.environment].db_snapshot_identifier, null)
		56 | 
		57 |   # tflint-ignore: aws_db_instance_default_parameter_group
		58 |   parameter_group_name        = "default.sqlserver-se-15.0"
		59 |   ca_cert_identifier          = local.application_data.accounts[local.environment].db_ca_cert_identifier
		60 |   deletion_protection         = local.application_data.accounts[local.environment].db_deletion_protection
		61 |   delete_automated_backups    = local.application_data.accounts[local.environment].db_delete_automated_backups
		62 |   skip_final_snapshot         = local.skip_final_snapshot
		63 |   final_snapshot_identifier   = !local.skip_final_snapshot ? "${local.application_name}-${local.environment}-database-final-snapshot" : null
		64 |   allocated_storage           = local.application_data.accounts[local.environment].db_allocated_storage
		65 |   max_allocated_storage       = local.application_data.accounts[local.environment].db_max_allocated_storage
		66 |   storage_type                = local.application_data.accounts[local.environment].db_storage_type
		67 |   maintenance_window          = local.application_data.accounts[local.environment].db_maintenance_window
		68 |   auto_minor_version_upgrade  = local.application_data.accounts[local.environment].db_auto_minor_version_upgrade
		69 |   allow_major_version_upgrade = local.application_data.accounts[local.environment].db_allow_major_version_upgrade
		70 |   backup_window               = local.application_data.accounts[local.environment].db_backup_window
		71 |   backup_retention_period     = local.application_data.accounts[local.environment].db_retention_period
		72 |   #checkov:skip=CKV_AWS_133: "backup_retention enabled, can be edited it application_variables.json"
		73 |   iam_database_authentication_enabled = local.application_data.accounts[local.environment].db_iam_database_authentication_enabled
		74 |   #checkov:skip=CKV_AWS_161: "iam auth enabled, but optional"
		75 |   db_subnet_group_name   = aws_db_subnet_group.jitbit.id
		76 |   vpc_security_group_ids = [aws_security_group.database_security_group.id]
		77 |   multi_az               = local.application_data.accounts[local.environment].db_multi_az
		78 |   #checkov:skip=CKV_AWS_157: "multi-az enabled, but optional"
		79 |   monitoring_interval = local.application_data.accounts[local.environment].db_monitoring_interval
		80 |   monitoring_role_arn = local.application_data.accounts[local.environment].db_monitoring_interval == 0 ? "" : aws_iam_role.rds_enhanced_monitoring[0].arn
		81 |   #checkov:skip=CKV_AWS_118: "enhanced monitoring is enabled, but optional"
		82 |   storage_encrypted               = true
		83 |   performance_insights_enabled    = local.application_data.accounts[local.environment].db_performance_insights_enabled
		84 |   performance_insights_kms_key_id = "" #tfsec:ignore:aws-rds-enable-performance-insights-encryption Left empty so that it will run, however should be populated with real key in scenario.
		85 |   enabled_cloudwatch_logs_exports = local.application_data.accounts[local.environment].db_enabled_cloudwatch_logs_exports
		86 |   tags = merge(local.tags,
		87 |     { Name = lower(format("%s-%s-database", local.application_name, local.environment)) }
		88 |   )
		89 | }

Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
	FAILED for resource: aws_db_instance.jitbit
	File: /rds.tf:43-89
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-293

		43 | resource "aws_db_instance" "jitbit" {
		44 |   engine         = "sqlserver-se"
		45 |   license_model  = "license-included"
		46 |   engine_version = local.application_data.accounts[local.environment].db_engine_version
		47 |   instance_class = local.application_data.accounts[local.environment].db_instance_class
		48 |   identifier     = "${local.application_name}-${local.environment}-database"
		49 |   username       = local.application_data.accounts[local.environment].db_user
		50 | 
		51 |   apply_immediately = false
		52 | 
		53 |   manage_master_user_password = true
		54 | 
		55 |   snapshot_identifier = try(local.application_data.accounts[local.environment].db_snapshot_identifier, null)
		56 | 
		57 |   # tflint-ignore: aws_db_instance_default_parameter_group
		58 |   parameter_group_name        = "default.sqlserver-se-15.0"
		59 |   ca_cert_identifier          = local.application_data.accounts[local.environment].db_ca_cert_identifier
		60 |   deletion_protection         = local.application_data.accounts[local.environment].db_deletion_protection
		61 |   delete_automated_backups    = local.application_data.accounts[local.environment].db_delete_automated_backups
		62 |   skip_final_snapshot         = local.skip_final_snapshot
		63 |   final_snapshot_identifier   = !local.skip_final_snapshot ? "${local.application_name}-${local.environment}-database-final-snapshot" : null
		64 |   allocated_storage           = local.application_data.accounts[local.environment].db_allocated_storage
		65 |   max_allocated_storage       = local.application_data.accounts[local.environment].db_max_allocated_storage
		66 |   storage_type                = local.application_data.accounts[local.environment].db_storage_type
		67 |   maintenance_window          = local.application_data.accounts[local.environment].db_maintenance_window
		68 |   auto_minor_version_upgrade  = local.application_data.accounts[local.environment].db_auto_minor_version_upgrade
		69 |   allow_major_version_upgrade = local.application_data.accounts[local.environment].db_allow_major_version_upgrade
		70 |   backup_window               = local.application_data.accounts[local.environment].db_backup_window
		71 |   backup_retention_period     = local.application_data.accounts[local.environment].db_retention_period
		72 |   #checkov:skip=CKV_AWS_133: "backup_retention enabled, can be edited it application_variables.json"
		73 |   iam_database_authentication_enabled = local.application_data.accounts[local.environment].db_iam_database_authentication_enabled
		74 |   #checkov:skip=CKV_AWS_161: "iam auth enabled, but optional"
		75 |   db_subnet_group_name   = aws_db_subnet_group.jitbit.id
		76 |   vpc_security_group_ids = [aws_security_group.database_security_group.id]
		77 |   multi_az               = local.application_data.accounts[local.environment].db_multi_az
		78 |   #checkov:skip=CKV_AWS_157: "multi-az enabled, but optional"
		79 |   monitoring_interval = local.application_data.accounts[local.environment].db_monitoring_interval
		80 |   monitoring_role_arn = local.application_data.accounts[local.environment].db_monitoring_interval == 0 ? "" : aws_iam_role.rds_enhanced_monitoring[0].arn
		81 |   #checkov:skip=CKV_AWS_118: "enhanced monitoring is enabled, but optional"
		82 |   storage_encrypted               = true
		83 |   performance_insights_enabled    = local.application_data.accounts[local.environment].db_performance_insights_enabled
		84 |   performance_insights_kms_key_id = "" #tfsec:ignore:aws-rds-enable-performance-insights-encryption Left empty so that it will run, however should be populated with real key in scenario.
		85 |   enabled_cloudwatch_logs_exports = local.application_data.accounts[local.environment].db_enabled_cloudwatch_logs_exports
		86 |   tags = merge(local.tags,
		87 |     { Name = lower(format("%s-%s-database", local.application_name, local.environment)) }
		88 |   )
		89 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: jitbit_bucket
	File: /s3.tf:1-84
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: ecs_sandbox
	File: /sandbox_ecs.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		1  | module "ecs_sandbox" {
		2  |   count = local.is-development ? 1 : 0
		3  | 
		4  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//cluster?ref=v2.0.1"
		5  | 
		6  |   environment = local.environment
		7  |   name        = "${local.application_name}-sandbox"
		8  | 
		9  |   tags = local.tags
		10 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3_bucket_app_deployment_sandbox
	File: /sandbox_ecs.tf:12-53
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		12 | module "s3_bucket_app_deployment_sandbox" {
		13 |   count = local.is-development ? 1 : 0
		14 | 
		15 |   source = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0"
		16 | 
		17 |   providers = {
		18 |     aws.bucket-replication = aws
		19 |   }
		20 |   bucket_name        = "${local.application_name}-sandbox-deployment"
		21 |   versioning_enabled = true
		22 | 
		23 |   ownership_controls = "BucketOwnerEnforced"
		24 | 
		25 |   lifecycle_rule = [
		26 |     {
		27 |       id      = "main"
		28 |       enabled = "Enabled"
		29 |       prefix  = ""
		30 | 
		31 |       tags = {
		32 |         rule      = "log"
		33 |         autoclean = "true"
		34 |       }
		35 | 
		36 |       noncurrent_version_transition = [
		37 |         {
		38 |           days          = 90
		39 |           storage_class = "STANDARD_IA"
		40 |           }, {
		41 |           days          = 365
		42 |           storage_class = "GLACIER"
		43 |         }
		44 |       ]
		45 | 
		46 |       noncurrent_version_expiration = {
		47 |         days = 730
		48 |       }
		49 |     }
		50 |   ]
		51 | 
		52 |   tags = local.tags
		53 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.jitbit_sandbox
	File: /sandbox_ecs.tf:92-97
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		92 | resource "aws_cloudwatch_log_group" "jitbit_sandbox" {
		93 |   count = local.is-development ? 1 : 0
		94 | 
		95 |   name              = format("%s-%s-ecs", local.application_name, "sandbox")
		96 |   retention_in_days = 30
		97 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.jitbit_sandbox
	File: /sandbox_ecs.tf:92-97
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		92 | resource "aws_cloudwatch_log_group" "jitbit_sandbox" {
		93 |   count = local.is-development ? 1 : 0
		94 | 
		95 |   name              = format("%s-%s-ecs", local.application_name, "sandbox")
		96 |   retention_in_days = 30
		97 | }

Check: CKV_AWS_378: "Ensure AWS Load Balancer doesn't use HTTP protocol"
	FAILED for resource: aws_lb_target_group.target_group_fargate_sandbox
	File: /sandbox_lb.tf:18-50

		18 | resource "aws_lb_target_group" "target_group_fargate_sandbox" {
		19 |   # checkov:skip=CKV_AWS_261
		20 | 
		21 |   count = local.is-development ? 1 : 0
		22 | 
		23 |   name                 = "${local.application_name}-sandbox"
		24 |   port                 = local.app_port
		25 |   protocol             = "HTTP"
		26 |   vpc_id               = data.aws_vpc.shared.id
		27 |   target_type          = "ip"
		28 |   deregistration_delay = 30
		29 | 
		30 |   stickiness {
		31 |     type = "lb_cookie"
		32 |   }
		33 | 
		34 |   health_check {
		35 |     path                = "/User/Login?ReturnUrl=%2f"
		36 |     healthy_threshold   = "5"
		37 |     interval            = "30"
		38 |     protocol            = "HTTP"
		39 |     unhealthy_threshold = "2"
		40 |     matcher             = "200-499"
		41 |     timeout             = "5"
		42 |   }
		43 | 
		44 |   tags = merge(
		45 |     local.tags,
		46 |     {
		47 |       Name = "${local.application_name}-sandbox"
		48 |     }
		49 |   )
		50 | }

Check: CKV_AWS_211: "Ensure RDS uses a modern CaCert"
	FAILED for resource: aws_db_instance.jitbit_sandbox
	File: /sandbox_rds.tf:27-71
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-rds-uses-a-modern-cacert

		27 | resource "aws_db_instance" "jitbit_sandbox" {
		28 |   count = local.is-development ? 1 : 0
		29 | 
		30 |   engine         = "sqlserver-se"
		31 |   license_model  = "license-included"
		32 |   engine_version = local.application_data.accounts["sandbox"].db_engine_version
		33 |   instance_class = local.application_data.accounts["sandbox"].db_instance_class
		34 |   identifier     = "${local.application_name}-sandbox-database"
		35 |   username       = local.application_data.accounts["sandbox"].db_user
		36 | 
		37 |   manage_master_user_password = true
		38 | 
		39 |   snapshot_identifier = try(local.application_data.accounts["sandbox"].db_snapshot_identifier, null)
		40 | 
		41 |   # tflint-ignore: aws_db_instance_default_parameter_group
		42 |   parameter_group_name        = "default.sqlserver-se-15.0"
		43 |   ca_cert_identifier          = local.application_data.accounts["sandbox"].db_ca_cert_identifier
		44 |   deletion_protection         = local.application_data.accounts["sandbox"].db_deletion_protection
		45 |   delete_automated_backups    = local.application_data.accounts["sandbox"].db_delete_automated_backups
		46 |   skip_final_snapshot         = local.application_data.accounts["sandbox"].db_skip_final_snapshot
		47 |   final_snapshot_identifier   = !local.skip_final_snapshot ? "${local.application_name}-sandbox-database-final-snapshot" : null
		48 |   allocated_storage           = local.application_data.accounts["sandbox"].db_allocated_storage
		49 |   max_allocated_storage       = local.application_data.accounts["sandbox"].db_max_allocated_storage
		50 |   storage_type                = local.application_data.accounts["sandbox"].db_storage_type
		51 |   maintenance_window          = local.application_data.accounts["sandbox"].db_maintenance_window
		52 |   auto_minor_version_upgrade  = local.application_data.accounts["sandbox"].db_auto_minor_version_upgrade
		53 |   allow_major_version_upgrade = local.application_data.accounts["sandbox"].db_allow_major_version_upgrade
		54 |   backup_window               = local.application_data.accounts["sandbox"].db_backup_window
		55 |   backup_retention_period     = local.application_data.accounts["sandbox"].db_retention_period
		56 |   #checkov:skip=CKV_AWS_133: "backup_retention enabled, can be edited it application_variables.json"
		57 |   iam_database_authentication_enabled = local.application_data.accounts["sandbox"].db_iam_database_authentication_enabled
		58 |   #checkov:skip=CKV_AWS_161: "iam auth enabled, but optional"
		59 |   db_subnet_group_name   = aws_db_subnet_group.jitbit.id
		60 |   vpc_security_group_ids = [aws_security_group.database_security_group_sandbox[0].id]
		61 |   multi_az               = local.application_data.accounts["sandbox"].db_multi_az
		62 |   #checkov:skip=CKV_AWS_157: "multi-az enabled, but optional"
		63 |   storage_encrypted = true
		64 | 
		65 |   tags = merge(
		66 |     local.tags,
		67 |     {
		68 |       Name = lower(format("%s-%s-database", local.application_name, "sandbox"))
		69 |     }
		70 |   )
		71 | }

Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
	FAILED for resource: aws_db_instance.jitbit_sandbox
	File: /sandbox_rds.tf:27-71
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances

		27 | resource "aws_db_instance" "jitbit_sandbox" {
		28 |   count = local.is-development ? 1 : 0
		29 | 
		30 |   engine         = "sqlserver-se"
		31 |   license_model  = "license-included"
		32 |   engine_version = local.application_data.accounts["sandbox"].db_engine_version
		33 |   instance_class = local.application_data.accounts["sandbox"].db_instance_class
		34 |   identifier     = "${local.application_name}-sandbox-database"
		35 |   username       = local.application_data.accounts["sandbox"].db_user
		36 | 
		37 |   manage_master_user_password = true
		38 | 
		39 |   snapshot_identifier = try(local.application_data.accounts["sandbox"].db_snapshot_identifier, null)
		40 | 
		41 |   # tflint-ignore: aws_db_instance_default_parameter_group
		42 |   parameter_group_name        = "default.sqlserver-se-15.0"
		43 |   ca_cert_identifier          = local.application_data.accounts["sandbox"].db_ca_cert_identifier
		44 |   deletion_protection         = local.application_data.accounts["sandbox"].db_deletion_protection
		45 |   delete_automated_backups    = local.application_data.accounts["sandbox"].db_delete_automated_backups
		46 |   skip_final_snapshot         = local.application_data.accounts["sandbox"].db_skip_final_snapshot
		47 |   final_snapshot_identifier   = !local.skip_final_snapshot ? "${local.application_name}-sandbox-database-final-snapshot" : null
		48 |   allocated_storage           = local.application_data.accounts["sandbox"].db_allocated_storage
		49 |   max_allocated_storage       = local.application_data.accounts["sandbox"].db_max_allocated_storage
		50 |   storage_type                = local.application_data.accounts["sandbox"].db_storage_type
		51 |   maintenance_window          = local.application_data.accounts["sandbox"].db_maintenance_window
		52 |   auto_minor_version_upgrade  = local.application_data.accounts["sandbox"].db_auto_minor_version_upgrade
		53 |   allow_major_version_upgrade = local.application_data.accounts["sandbox"].db_allow_major_version_upgrade
		54 |   backup_window               = local.application_data.accounts["sandbox"].db_backup_window
		55 |   backup_retention_period     = local.application_data.accounts["sandbox"].db_retention_period
		56 |   #checkov:skip=CKV_AWS_133: "backup_retention enabled, can be edited it application_variables.json"
		57 |   iam_database_authentication_enabled = local.application_data.accounts["sandbox"].db_iam_database_authentication_enabled
		58 |   #checkov:skip=CKV_AWS_161: "iam auth enabled, but optional"
		59 |   db_subnet_group_name   = aws_db_subnet_group.jitbit.id
		60 |   vpc_security_group_ids = [aws_security_group.database_security_group_sandbox[0].id]
		61 |   multi_az               = local.application_data.accounts["sandbox"].db_multi_az
		62 |   #checkov:skip=CKV_AWS_157: "multi-az enabled, but optional"
		63 |   storage_encrypted = true
		64 | 
		65 |   tags = merge(
		66 |     local.tags,
		67 |     {
		68 |       Name = lower(format("%s-%s-database", local.application_name, "sandbox"))
		69 |     }
		70 |   )
		71 | }

Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
	FAILED for resource: aws_db_instance.jitbit_sandbox
	File: /sandbox_rds.tf:27-71
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled

		27 | resource "aws_db_instance" "jitbit_sandbox" {
		28 |   count = local.is-development ? 1 : 0
		29 | 
		30 |   engine         = "sqlserver-se"
		31 |   license_model  = "license-included"
		32 |   engine_version = local.application_data.accounts["sandbox"].db_engine_version
		33 |   instance_class = local.application_data.accounts["sandbox"].db_instance_class
		34 |   identifier     = "${local.application_name}-sandbox-database"
		35 |   username       = local.application_data.accounts["sandbox"].db_user
		36 | 
		37 |   manage_master_user_password = true
		38 | 
		39 |   snapshot_identifier = try(local.application_data.accounts["sandbox"].db_snapshot_identifier, null)
		40 | 
		41 |   # tflint-ignore: aws_db_instance_default_parameter_group
		42 |   parameter_group_name        = "default.sqlserver-se-15.0"
		43 |   ca_cert_identifier          = local.application_data.accounts["sandbox"].db_ca_cert_identifier
		44 |   deletion_protection         = local.application_data.accounts["sandbox"].db_deletion_protection
		45 |   delete_automated_backups    = local.application_data.accounts["sandbox"].db_delete_automated_backups
		46 |   skip_final_snapshot         = local.application_data.accounts["sandbox"].db_skip_final_snapshot
		47 |   final_snapshot_identifier   = !local.skip_final_snapshot ? "${local.application_name}-sandbox-database-final-snapshot" : null
		48 |   allocated_storage           = local.application_data.accounts["sandbox"].db_allocated_storage
		49 |   max_allocated_storage       = local.application_data.accounts["sandbox"].db_max_allocated_storage
		50 |   storage_type                = local.application_data.accounts["sandbox"].db_storage_type
		51 |   maintenance_window          = local.application_data.accounts["sandbox"].db_maintenance_window
		52 |   auto_minor_version_upgrade  = local.application_data.accounts["sandbox"].db_auto_minor_version_upgrade
		53 |   allow_major_version_upgrade = local.application_data.accounts["sandbox"].db_allow_major_version_upgrade
		54 |   backup_window               = local.application_data.accounts["sandbox"].db_backup_window
		55 |   backup_retention_period     = local.application_data.accounts["sandbox"].db_retention_period
		56 |   #checkov:skip=CKV_AWS_133: "backup_retention enabled, can be edited it application_variables.json"
		57 |   iam_database_authentication_enabled = local.application_data.accounts["sandbox"].db_iam_database_authentication_enabled
		58 |   #checkov:skip=CKV_AWS_161: "iam auth enabled, but optional"
		59 |   db_subnet_group_name   = aws_db_subnet_group.jitbit.id
		60 |   vpc_security_group_ids = [aws_security_group.database_security_group_sandbox[0].id]
		61 |   multi_az               = local.application_data.accounts["sandbox"].db_multi_az
		62 |   #checkov:skip=CKV_AWS_157: "multi-az enabled, but optional"
		63 |   storage_encrypted = true
		64 | 
		65 |   tags = merge(
		66 |     local.tags,
		67 |     {
		68 |       Name = lower(format("%s-%s-database", local.application_name, "sandbox"))
		69 |     }
		70 |   )
		71 | }

Check: CKV_AWS_226: "Ensure DB instance gets all minor upgrades automatically"
	FAILED for resource: aws_db_instance.jitbit_sandbox
	File: /sandbox_rds.tf:27-71
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-db-instance-gets-all-minor-upgrades-automatically

		27 | resource "aws_db_instance" "jitbit_sandbox" {
		28 |   count = local.is-development ? 1 : 0
		29 | 
		30 |   engine         = "sqlserver-se"
		31 |   license_model  = "license-included"
		32 |   engine_version = local.application_data.accounts["sandbox"].db_engine_version
		33 |   instance_class = local.application_data.accounts["sandbox"].db_instance_class
		34 |   identifier     = "${local.application_name}-sandbox-database"
		35 |   username       = local.application_data.accounts["sandbox"].db_user
		36 | 
		37 |   manage_master_user_password = true
		38 | 
		39 |   snapshot_identifier = try(local.application_data.accounts["sandbox"].db_snapshot_identifier, null)
		40 | 
		41 |   # tflint-ignore: aws_db_instance_default_parameter_group
		42 |   parameter_group_name        = "default.sqlserver-se-15.0"
		43 |   ca_cert_identifier          = local.application_data.accounts["sandbox"].db_ca_cert_identifier
		44 |   deletion_protection         = local.application_data.accounts["sandbox"].db_deletion_protection
		45 |   delete_automated_backups    = local.application_data.accounts["sandbox"].db_delete_automated_backups
		46 |   skip_final_snapshot         = local.application_data.accounts["sandbox"].db_skip_final_snapshot
		47 |   final_snapshot_identifier   = !local.skip_final_snapshot ? "${local.application_name}-sandbox-database-final-snapshot" : null
		48 |   allocated_storage           = local.application_data.accounts["sandbox"].db_allocated_storage
		49 |   max_allocated_storage       = local.application_data.accounts["sandbox"].db_max_allocated_storage
		50 |   storage_type                = local.application_data.accounts["sandbox"].db_storage_type
		51 |   maintenance_window          = local.application_data.accounts["sandbox"].db_maintenance_window
		52 |   auto_minor_version_upgrade  = local.application_data.accounts["sandbox"].db_auto_minor_version_upgrade
		53 |   allow_major_version_upgrade = local.application_data.accounts["sandbox"].db_allow_major_version_upgrade
		54 |   backup_window               = local.application_data.accounts["sandbox"].db_backup_window
		55 |   backup_retention_period     = local.application_data.accounts["sandbox"].db_retention_period
		56 |   #checkov:skip=CKV_AWS_133: "backup_retention enabled, can be edited it application_variables.json"
		57 |   iam_database_authentication_enabled = local.application_data.accounts["sandbox"].db_iam_database_authentication_enabled
		58 |   #checkov:skip=CKV_AWS_161: "iam auth enabled, but optional"
		59 |   db_subnet_group_name   = aws_db_subnet_group.jitbit.id
		60 |   vpc_security_group_ids = [aws_security_group.database_security_group_sandbox[0].id]
		61 |   multi_az               = local.application_data.accounts["sandbox"].db_multi_az
		62 |   #checkov:skip=CKV_AWS_157: "multi-az enabled, but optional"
		63 |   storage_encrypted = true
		64 | 
		65 |   tags = merge(
		66 |     local.tags,
		67 |     {
		68 |       Name = lower(format("%s-%s-database", local.application_name, "sandbox"))
		69 |     }
		70 |   )
		71 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: aws_db_instance.jitbit_sandbox
	File: /sandbox_rds.tf:27-71
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-354

		27 | resource "aws_db_instance" "jitbit_sandbox" {
		28 |   count = local.is-development ? 1 : 0
		29 | 
		30 |   engine         = "sqlserver-se"
		31 |   license_model  = "license-included"
		32 |   engine_version = local.application_data.accounts["sandbox"].db_engine_version
		33 |   instance_class = local.application_data.accounts["sandbox"].db_instance_class
		34 |   identifier     = "${local.application_name}-sandbox-database"
		35 |   username       = local.application_data.accounts["sandbox"].db_user
		36 | 
		37 |   manage_master_user_password = true
		38 | 
		39 |   snapshot_identifier = try(local.application_data.accounts["sandbox"].db_snapshot_identifier, null)
		40 | 
		41 |   # tflint-ignore: aws_db_instance_default_parameter_group
		42 |   parameter_group_name        = "default.sqlserver-se-15.0"
		43 |   ca_cert_identifier          = local.application_data.accounts["sandbox"].db_ca_cert_identifier
		44 |   deletion_protection         = local.application_data.accounts["sandbox"].db_deletion_protection
		45 |   delete_automated_backups    = local.application_data.accounts["sandbox"].db_delete_automated_backups
		46 |   skip_final_snapshot         = local.application_data.accounts["sandbox"].db_skip_final_snapshot
		47 |   final_snapshot_identifier   = !local.skip_final_snapshot ? "${local.application_name}-sandbox-database-final-snapshot" : null
		48 |   allocated_storage           = local.application_data.accounts["sandbox"].db_allocated_storage
		49 |   max_allocated_storage       = local.application_data.accounts["sandbox"].db_max_allocated_storage
		50 |   storage_type                = local.application_data.accounts["sandbox"].db_storage_type
		51 |   maintenance_window          = local.application_data.accounts["sandbox"].db_maintenance_window
		52 |   auto_minor_version_upgrade  = local.application_data.accounts["sandbox"].db_auto_minor_version_upgrade
		53 |   allow_major_version_upgrade = local.application_data.accounts["sandbox"].db_allow_major_version_upgrade
		54 |   backup_window               = local.application_data.accounts["sandbox"].db_backup_window
		55 |   backup_retention_period     = local.application_data.accounts["sandbox"].db_retention_period
		56 |   #checkov:skip=CKV_AWS_133: "backup_retention enabled, can be edited it application_variables.json"
		57 |   iam_database_authentication_enabled = local.application_data.accounts["sandbox"].db_iam_database_authentication_enabled
		58 |   #checkov:skip=CKV_AWS_161: "iam auth enabled, but optional"
		59 |   db_subnet_group_name   = aws_db_subnet_group.jitbit.id
		60 |   vpc_security_group_ids = [aws_security_group.database_security_group_sandbox[0].id]
		61 |   multi_az               = local.application_data.accounts["sandbox"].db_multi_az
		62 |   #checkov:skip=CKV_AWS_157: "multi-az enabled, but optional"
		63 |   storage_encrypted = true
		64 | 
		65 |   tags = merge(
		66 |     local.tags,
		67 |     {
		68 |       Name = lower(format("%s-%s-database", local.application_name, "sandbox"))
		69 |     }
		70 |   )
		71 | }

Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
	FAILED for resource: aws_db_instance.jitbit_sandbox
	File: /sandbox_rds.tf:27-71
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-353

		27 | resource "aws_db_instance" "jitbit_sandbox" {
		28 |   count = local.is-development ? 1 : 0
		29 | 
		30 |   engine         = "sqlserver-se"
		31 |   license_model  = "license-included"
		32 |   engine_version = local.application_data.accounts["sandbox"].db_engine_version
		33 |   instance_class = local.application_data.accounts["sandbox"].db_instance_class
		34 |   identifier     = "${local.application_name}-sandbox-database"
		35 |   username       = local.application_data.accounts["sandbox"].db_user
		36 | 
		37 |   manage_master_user_password = true
		38 | 
		39 |   snapshot_identifier = try(local.application_data.accounts["sandbox"].db_snapshot_identifier, null)
		40 | 
		41 |   # tflint-ignore: aws_db_instance_default_parameter_group
		42 |   parameter_group_name        = "default.sqlserver-se-15.0"
		43 |   ca_cert_identifier          = local.application_data.accounts["sandbox"].db_ca_cert_identifier
		44 |   deletion_protection         = local.application_data.accounts["sandbox"].db_deletion_protection
		45 |   delete_automated_backups    = local.application_data.accounts["sandbox"].db_delete_automated_backups
		46 |   skip_final_snapshot         = local.application_data.accounts["sandbox"].db_skip_final_snapshot
		47 |   final_snapshot_identifier   = !local.skip_final_snapshot ? "${local.application_name}-sandbox-database-final-snapshot" : null
		48 |   allocated_storage           = local.application_data.accounts["sandbox"].db_allocated_storage
		49 |   max_allocated_storage       = local.application_data.accounts["sandbox"].db_max_allocated_storage
		50 |   storage_type                = local.application_data.accounts["sandbox"].db_storage_type
		51 |   maintenance_window          = local.application_data.accounts["sandbox"].db_maintenance_window
		52 |   auto_minor_version_upgrade  = local.application_data.accounts["sandbox"].db_auto_minor_version_upgrade
		53 |   allow_major_version_upgrade = local.application_data.accounts["sandbox"].db_allow_major_version_upgrade
		54 |   backup_window               = local.application_data.accounts["sandbox"].db_backup_window
		55 |   backup_retention_period     = local.application_data.accounts["sandbox"].db_retention_period
		56 |   #checkov:skip=CKV_AWS_133: "backup_retention enabled, can be edited it application_variables.json"
		57 |   iam_database_authentication_enabled = local.application_data.accounts["sandbox"].db_iam_database_authentication_enabled
		58 |   #checkov:skip=CKV_AWS_161: "iam auth enabled, but optional"
		59 |   db_subnet_group_name   = aws_db_subnet_group.jitbit.id
		60 |   vpc_security_group_ids = [aws_security_group.database_security_group_sandbox[0].id]
		61 |   multi_az               = local.application_data.accounts["sandbox"].db_multi_az
		62 |   #checkov:skip=CKV_AWS_157: "multi-az enabled, but optional"
		63 |   storage_encrypted = true
		64 | 
		65 |   tags = merge(
		66 |     local.tags,
		67 |     {
		68 |       Name = lower(format("%s-%s-database", local.application_name, "sandbox"))
		69 |     }
		70 |   )
		71 | }

Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
	FAILED for resource: aws_db_instance.jitbit_sandbox
	File: /sandbox_rds.tf:27-71
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-293

		27 | resource "aws_db_instance" "jitbit_sandbox" {
		28 |   count = local.is-development ? 1 : 0
		29 | 
		30 |   engine         = "sqlserver-se"
		31 |   license_model  = "license-included"
		32 |   engine_version = local.application_data.accounts["sandbox"].db_engine_version
		33 |   instance_class = local.application_data.accounts["sandbox"].db_instance_class
		34 |   identifier     = "${local.application_name}-sandbox-database"
		35 |   username       = local.application_data.accounts["sandbox"].db_user
		36 | 
		37 |   manage_master_user_password = true
		38 | 
		39 |   snapshot_identifier = try(local.application_data.accounts["sandbox"].db_snapshot_identifier, null)
		40 | 
		41 |   # tflint-ignore: aws_db_instance_default_parameter_group
		42 |   parameter_group_name        = "default.sqlserver-se-15.0"
		43 |   ca_cert_identifier          = local.application_data.accounts["sandbox"].db_ca_cert_identifier
		44 |   deletion_protection         = local.application_data.accounts["sandbox"].db_deletion_protection
		45 |   delete_automated_backups    = local.application_data.accounts["sandbox"].db_delete_automated_backups
		46 |   skip_final_snapshot         = local.application_data.accounts["sandbox"].db_skip_final_snapshot
		47 |   final_snapshot_identifier   = !local.skip_final_snapshot ? "${local.application_name}-sandbox-database-final-snapshot" : null
		48 |   allocated_storage           = local.application_data.accounts["sandbox"].db_allocated_storage
		49 |   max_allocated_storage       = local.application_data.accounts["sandbox"].db_max_allocated_storage
		50 |   storage_type                = local.application_data.accounts["sandbox"].db_storage_type
		51 |   maintenance_window          = local.application_data.accounts["sandbox"].db_maintenance_window
		52 |   auto_minor_version_upgrade  = local.application_data.accounts["sandbox"].db_auto_minor_version_upgrade
		53 |   allow_major_version_upgrade = local.application_data.accounts["sandbox"].db_allow_major_version_upgrade
		54 |   backup_window               = local.application_data.accounts["sandbox"].db_backup_window
		55 |   backup_retention_period     = local.application_data.accounts["sandbox"].db_retention_period
		56 |   #checkov:skip=CKV_AWS_133: "backup_retention enabled, can be edited it application_variables.json"
		57 |   iam_database_authentication_enabled = local.application_data.accounts["sandbox"].db_iam_database_authentication_enabled
		58 |   #checkov:skip=CKV_AWS_161: "iam auth enabled, but optional"
		59 |   db_subnet_group_name   = aws_db_subnet_group.jitbit.id
		60 |   vpc_security_group_ids = [aws_security_group.database_security_group_sandbox[0].id]
		61 |   multi_az               = local.application_data.accounts["sandbox"].db_multi_az
		62 |   #checkov:skip=CKV_AWS_157: "multi-az enabled, but optional"
		63 |   storage_encrypted = true
		64 | 
		65 |   tags = merge(
		66 |     local.tags,
		67 |     {
		68 |       Name = lower(format("%s-%s-database", local.application_name, "sandbox"))
		69 |     }
		70 |   )
		71 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: jitbit_bucket_sandbox
	File: /sandbox_s3.tf:1-86
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
	FAILED for resource: aws_iam_user.jitbit_ses_smtp_user
	File: /ses.tf:101-103
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-273

		101 | resource "aws_iam_user" "jitbit_ses_smtp_user" {
		102 |   name = "${local.environment}-jitbit-smtp-user"
		103 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_user_policy.jitbit_ses_smtp_user
	File: /ses.tf:109-126
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		109 | resource "aws_iam_user_policy" "jitbit_ses_smtp_user" {
		110 |   name = "${local.environment}-jitbit-ses-smtp-user-policy"
		111 |   user = aws_iam_user.jitbit_ses_smtp_user.name
		112 | 
		113 |   policy = jsonencode({
		114 |     Version = "2012-10-17",
		115 |     Statement = [
		116 |       {
		117 |         Effect = "Allow",
		118 |         Action = [
		119 |           "ses:SendRawEmail",
		120 |           "ses:SendEmail"
		121 |         ],
		122 |         Resource = "*"
		123 |       }
		124 |     ]
		125 |   })
		126 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_user_policy.jitbit_ses_smtp_user
	File: /ses.tf:109-126
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		109 | resource "aws_iam_user_policy" "jitbit_ses_smtp_user" {
		110 |   name = "${local.environment}-jitbit-ses-smtp-user-policy"
		111 |   user = aws_iam_user.jitbit_ses_smtp_user.name
		112 | 
		113 |   policy = jsonencode({
		114 |     Version = "2012-10-17",
		115 |     Statement = [
		116 |       {
		117 |         Effect = "Allow",
		118 |         Action = [
		119 |           "ses:SendRawEmail",
		120 |           "ses:SendEmail"
		121 |         ],
		122 |         Resource = "*"
		123 |       }
		124 |     ]
		125 |   })
		126 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.jitbit_ses_smtp_user
	File: /ses.tf:128-138
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		128 | resource "aws_ssm_parameter" "jitbit_ses_smtp_user" {
		129 |   name = "/${local.environment}/jitbit/ses_smtp"
		130 |   type = "SecureString"
		131 |   value = jsonencode({
		132 |     user              = aws_iam_user.jitbit_ses_smtp_user.name,
		133 |     key               = aws_iam_access_key.jitbit_ses_smtp_user.id,
		134 |     secret            = aws_iam_access_key.jitbit_ses_smtp_user.secret
		135 |     ses_smtp_user     = aws_iam_access_key.jitbit_ses_smtp_user.id
		136 |     ses_smtp_password = aws_iam_access_key.jitbit_ses_smtp_user.ses_smtp_password_v4
		137 |   })
		138 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.jitbit_ses_destination_topic_bounce_email_notification
	File: /ses_bounce.tf:1-5
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		1 | resource "aws_sns_topic" "jitbit_ses_destination_topic_bounce_email_notification" {
		2 |   name = format("%s-ses-destination-topic-bounce-email-notification", local.application_name)
		3 | 
		4 |   tags = local.tags
		5 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.bounce_email_notification
	File: /ses_bounce.tf:30-54
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		30 | resource "aws_lambda_function" "bounce_email_notification" {
		31 |   filename         = "${path.module}/lambda/bounce_email_notification/bounce_email_notification.zip"
		32 |   function_name    = "bounce_email_notification"
		33 |   architectures    = ["arm64"]
		34 |   role             = aws_iam_role.lambda_bounce_email_notification.arn
		35 |   runtime          = "python3.12"
		36 |   handler          = "bounce_email_notification.handler"
		37 |   source_code_hash = data.archive_file.lambda_function_payload_bounce_email_notification.output_base64sha256
		38 | 
		39 |   timeout = 6
		40 | 
		41 |   environment {
		42 |     variables = {
		43 |       RATE_LIMIT     = 5
		44 |       DYNAMODB_TABLE = aws_dynamodb_table.bounce_email_notification.name
		45 |       FROM_ADDRESS   = "notifications@${aws_sesv2_email_identity.jitbit.email_identity}"
		46 |     }
		47 |   }
		48 | 
		49 |   lifecycle {
		50 |     replace_triggered_by = [aws_iam_role.lambda_bounce_email_notification]
		51 |   }
		52 | 
		53 |   tags = local.tags
		54 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.bounce_email_notification
	File: /ses_bounce.tf:30-54
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		30 | resource "aws_lambda_function" "bounce_email_notification" {
		31 |   filename         = "${path.module}/lambda/bounce_email_notification/bounce_email_notification.zip"
		32 |   function_name    = "bounce_email_notification"
		33 |   architectures    = ["arm64"]
		34 |   role             = aws_iam_role.lambda_bounce_email_notification.arn
		35 |   runtime          = "python3.12"
		36 |   handler          = "bounce_email_notification.handler"
		37 |   source_code_hash = data.archive_file.lambda_function_payload_bounce_email_notification.output_base64sha256
		38 | 
		39 |   timeout = 6
		40 | 
		41 |   environment {
		42 |     variables = {
		43 |       RATE_LIMIT     = 5
		44 |       DYNAMODB_TABLE = aws_dynamodb_table.bounce_email_notification.name
		45 |       FROM_ADDRESS   = "notifications@${aws_sesv2_email_identity.jitbit.email_identity}"
		46 |     }
		47 |   }
		48 | 
		49 |   lifecycle {
		50 |     replace_triggered_by = [aws_iam_role.lambda_bounce_email_notification]
		51 |   }
		52 | 
		53 |   tags = local.tags
		54 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.bounce_email_notification
	File: /ses_bounce.tf:30-54
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		30 | resource "aws_lambda_function" "bounce_email_notification" {
		31 |   filename         = "${path.module}/lambda/bounce_email_notification/bounce_email_notification.zip"
		32 |   function_name    = "bounce_email_notification"
		33 |   architectures    = ["arm64"]
		34 |   role             = aws_iam_role.lambda_bounce_email_notification.arn
		35 |   runtime          = "python3.12"
		36 |   handler          = "bounce_email_notification.handler"
		37 |   source_code_hash = data.archive_file.lambda_function_payload_bounce_email_notification.output_base64sha256
		38 | 
		39 |   timeout = 6
		40 | 
		41 |   environment {
		42 |     variables = {
		43 |       RATE_LIMIT     = 5
		44 |       DYNAMODB_TABLE = aws_dynamodb_table.bounce_email_notification.name
		45 |       FROM_ADDRESS   = "notifications@${aws_sesv2_email_identity.jitbit.email_identity}"
		46 |     }
		47 |   }
		48 | 
		49 |   lifecycle {
		50 |     replace_triggered_by = [aws_iam_role.lambda_bounce_email_notification]
		51 |   }
		52 | 
		53 |   tags = local.tags
		54 | }

Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
	FAILED for resource: aws_lambda_function.bounce_email_notification
	File: /ses_bounce.tf:30-54
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1

		30 | resource "aws_lambda_function" "bounce_email_notification" {
		31 |   filename         = "${path.module}/lambda/bounce_email_notification/bounce_email_notification.zip"
		32 |   function_name    = "bounce_email_notification"
		33 |   architectures    = ["arm64"]
		34 |   role             = aws_iam_role.lambda_bounce_email_notification.arn
		35 |   runtime          = "python3.12"
		36 |   handler          = "bounce_email_notification.handler"
		37 |   source_code_hash = data.archive_file.lambda_function_payload_bounce_email_notification.output_base64sha256
		38 | 
		39 |   timeout = 6
		40 | 
		41 |   environment {
		42 |     variables = {
		43 |       RATE_LIMIT     = 5
		44 |       DYNAMODB_TABLE = aws_dynamodb_table.bounce_email_notification.name
		45 |       FROM_ADDRESS   = "notifications@${aws_sesv2_email_identity.jitbit.email_identity}"
		46 |     }
		47 |   }
		48 | 
		49 |   lifecycle {
		50 |     replace_triggered_by = [aws_iam_role.lambda_bounce_email_notification]
		51 |   }
		52 | 
		53 |   tags = local.tags
		54 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.bounce_email_notification
	File: /ses_bounce.tf:30-54
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		30 | resource "aws_lambda_function" "bounce_email_notification" {
		31 |   filename         = "${path.module}/lambda/bounce_email_notification/bounce_email_notification.zip"
		32 |   function_name    = "bounce_email_notification"
		33 |   architectures    = ["arm64"]
		34 |   role             = aws_iam_role.lambda_bounce_email_notification.arn
		35 |   runtime          = "python3.12"
		36 |   handler          = "bounce_email_notification.handler"
		37 |   source_code_hash = data.archive_file.lambda_function_payload_bounce_email_notification.output_base64sha256
		38 | 
		39 |   timeout = 6
		40 | 
		41 |   environment {
		42 |     variables = {
		43 |       RATE_LIMIT     = 5
		44 |       DYNAMODB_TABLE = aws_dynamodb_table.bounce_email_notification.name
		45 |       FROM_ADDRESS   = "notifications@${aws_sesv2_email_identity.jitbit.email_identity}"
		46 |     }
		47 |   }
		48 | 
		49 |   lifecycle {
		50 |     replace_triggered_by = [aws_iam_role.lambda_bounce_email_notification]
		51 |   }
		52 | 
		53 |   tags = local.tags
		54 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.bounce_email_notification
	File: /ses_bounce.tf:30-54
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		30 | resource "aws_lambda_function" "bounce_email_notification" {
		31 |   filename         = "${path.module}/lambda/bounce_email_notification/bounce_email_notification.zip"
		32 |   function_name    = "bounce_email_notification"
		33 |   architectures    = ["arm64"]
		34 |   role             = aws_iam_role.lambda_bounce_email_notification.arn
		35 |   runtime          = "python3.12"
		36 |   handler          = "bounce_email_notification.handler"
		37 |   source_code_hash = data.archive_file.lambda_function_payload_bounce_email_notification.output_base64sha256
		38 | 
		39 |   timeout = 6
		40 | 
		41 |   environment {
		42 |     variables = {
		43 |       RATE_LIMIT     = 5
		44 |       DYNAMODB_TABLE = aws_dynamodb_table.bounce_email_notification.name
		45 |       FROM_ADDRESS   = "notifications@${aws_sesv2_email_identity.jitbit.email_identity}"
		46 |     }
		47 |   }
		48 | 
		49 |   lifecycle {
		50 |     replace_triggered_by = [aws_iam_role.lambda_bounce_email_notification]
		51 |   }
		52 | 
		53 |   tags = local.tags
		54 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.bounce_email_notification
	File: /ses_bounce.tf:118-123
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		118 | resource "aws_cloudwatch_log_group" "bounce_email_notification" {
		119 |   name              = "/aws/lambda/bounce_email_notification"
		120 |   retention_in_days = 3
		121 | 
		122 |   tags = local.tags
		123 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.bounce_email_notification
	File: /ses_bounce.tf:118-123
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		118 | resource "aws_cloudwatch_log_group" "bounce_email_notification" {
		119 |   name              = "/aws/lambda/bounce_email_notification"
		120 |   retention_in_days = 3
		121 | 
		122 |   tags = local.tags
		123 | }

Check: CKV_AWS_28: "Ensure DynamoDB point in time recovery (backup) is enabled"
	FAILED for resource: aws_dynamodb_table.bounce_email_notification
	File: /ses_bounce.tf:126-147
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-6

		126 | resource "aws_dynamodb_table" "bounce_email_notification" {
		127 |   name         = "bounce_email_notification"
		128 |   billing_mode = "PAY_PER_REQUEST"
		129 |   hash_key     = "email_ticket_id"
		130 | 
		131 |   server_side_encryption {
		132 |     enabled     = true
		133 |     kms_key_arn = data.aws_kms_key.general_shared.arn
		134 |   }
		135 | 
		136 |   ttl {
		137 |     attribute_name = "expireAt"
		138 |     enabled        = true
		139 |   }
		140 | 
		141 |   attribute {
		142 |     name = "email_ticket_id"
		143 |     type = "S"
		144 |   }
		145 | 
		146 |   tags = local.tags
		147 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.lambda_policy_bounce_email_notification
	File: /ses_bounce.tf:69-102
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		69  | data "aws_iam_policy_document" "lambda_policy_bounce_email_notification" {
		70  |   statement {
		71  |     actions = [
		72  |       "ses:SendRawEmail",
		73  |       "ses:SendEmail"
		74  |     ]
		75  |     resources = ["*"]
		76  |   }
		77  | 
		78  |   statement {
		79  |     actions = [
		80  |       "logs:CreateLogGroup",
		81  |       "logs:CreateLogStream",
		82  |       "logs:PutLogEvents"
		83  |     ]
		84  |     resources = ["arn:aws:logs:*:*:*"]
		85  |   }
		86  | 
		87  |   statement {
		88  |     actions = [
		89  |       "dynamodb:PutItem",
		90  |       "dynamodb:GetItem",
		91  |       "dynamodb:Query"
		92  |     ]
		93  |     resources = [aws_dynamodb_table.bounce_email_notification.arn]
		94  |   }
		95  | 
		96  |   statement {
		97  |     actions = [
		98  |       "kms:Decrypt"
		99  |     ]
		100 |     resources = [data.aws_kms_key.general_shared.arn]
		101 |   }
		102 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.lambda_policy_bounce_email_notification
	File: /ses_bounce.tf:69-102
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		69  | data "aws_iam_policy_document" "lambda_policy_bounce_email_notification" {
		70  |   statement {
		71  |     actions = [
		72  |       "ses:SendRawEmail",
		73  |       "ses:SendEmail"
		74  |     ]
		75  |     resources = ["*"]
		76  |   }
		77  | 
		78  |   statement {
		79  |     actions = [
		80  |       "logs:CreateLogGroup",
		81  |       "logs:CreateLogStream",
		82  |       "logs:PutLogEvents"
		83  |     ]
		84  |     resources = ["arn:aws:logs:*:*:*"]
		85  |   }
		86  | 
		87  |   statement {
		88  |     actions = [
		89  |       "dynamodb:PutItem",
		90  |       "dynamodb:GetItem",
		91  |       "dynamodb:Query"
		92  |     ]
		93  |     resources = [aws_dynamodb_table.bounce_email_notification.arn]
		94  |   }
		95  | 
		96  |   statement {
		97  |     actions = [
		98  |       "kms:Decrypt"
		99  |     ]
		100 |     resources = [data.aws_kms_key.general_shared.arn]
		101 |   }
		102 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.jitbit_ses_destination_topic
	File: /ses_logging.tf:4-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		4 | resource "aws_sns_topic" "jitbit_ses_destination_topic" {
		5 |   name = format("%s-ses-destination-topic", local.application_name)
		6 | 
		7 |   tags = local.tags
		8 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.sns_to_cloudwatch
	File: /ses_logging.tf:37-57
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		37 | resource "aws_lambda_function" "sns_to_cloudwatch" {
		38 |   filename         = "${path.module}/lambda/sns_to_cloudwatch/sns_to_cloudwatch.zip"
		39 |   function_name    = "sns_to_cloudwatch"
		40 |   architectures    = ["arm64"]
		41 |   role             = aws_iam_role.lambda_logging.arn
		42 |   runtime          = "python3.12"
		43 |   handler          = "sns_to_cloudwatch.handler"
		44 |   source_code_hash = data.archive_file.lambda_function_payload.output_base64sha256
		45 | 
		46 |   environment {
		47 |     variables = {
		48 |       LOG_GROUP_NAME = aws_cloudwatch_log_group.sns_logs.name
		49 |     }
		50 |   }
		51 | 
		52 |   lifecycle {
		53 |     replace_triggered_by = [aws_iam_role.lambda_logging]
		54 |   }
		55 | 
		56 |   tags = local.tags
		57 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.sns_to_cloudwatch
	File: /ses_logging.tf:37-57
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		37 | resource "aws_lambda_function" "sns_to_cloudwatch" {
		38 |   filename         = "${path.module}/lambda/sns_to_cloudwatch/sns_to_cloudwatch.zip"
		39 |   function_name    = "sns_to_cloudwatch"
		40 |   architectures    = ["arm64"]
		41 |   role             = aws_iam_role.lambda_logging.arn
		42 |   runtime          = "python3.12"
		43 |   handler          = "sns_to_cloudwatch.handler"
		44 |   source_code_hash = data.archive_file.lambda_function_payload.output_base64sha256
		45 | 
		46 |   environment {
		47 |     variables = {
		48 |       LOG_GROUP_NAME = aws_cloudwatch_log_group.sns_logs.name
		49 |     }
		50 |   }
		51 | 
		52 |   lifecycle {
		53 |     replace_triggered_by = [aws_iam_role.lambda_logging]
		54 |   }
		55 | 
		56 |   tags = local.tags
		57 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.sns_to_cloudwatch
	File: /ses_logging.tf:37-57
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		37 | resource "aws_lambda_function" "sns_to_cloudwatch" {
		38 |   filename         = "${path.module}/lambda/sns_to_cloudwatch/sns_to_cloudwatch.zip"
		39 |   function_name    = "sns_to_cloudwatch"
		40 |   architectures    = ["arm64"]
		41 |   role             = aws_iam_role.lambda_logging.arn
		42 |   runtime          = "python3.12"
		43 |   handler          = "sns_to_cloudwatch.handler"
		44 |   source_code_hash = data.archive_file.lambda_function_payload.output_base64sha256
		45 | 
		46 |   environment {
		47 |     variables = {
		48 |       LOG_GROUP_NAME = aws_cloudwatch_log_group.sns_logs.name
		49 |     }
		50 |   }
		51 | 
		52 |   lifecycle {
		53 |     replace_triggered_by = [aws_iam_role.lambda_logging]
		54 |   }
		55 | 
		56 |   tags = local.tags
		57 | }

Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
	FAILED for resource: aws_lambda_function.sns_to_cloudwatch
	File: /ses_logging.tf:37-57
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1

		37 | resource "aws_lambda_function" "sns_to_cloudwatch" {
		38 |   filename         = "${path.module}/lambda/sns_to_cloudwatch/sns_to_cloudwatch.zip"
		39 |   function_name    = "sns_to_cloudwatch"
		40 |   architectures    = ["arm64"]
		41 |   role             = aws_iam_role.lambda_logging.arn
		42 |   runtime          = "python3.12"
		43 |   handler          = "sns_to_cloudwatch.handler"
		44 |   source_code_hash = data.archive_file.lambda_function_payload.output_base64sha256
		45 | 
		46 |   environment {
		47 |     variables = {
		48 |       LOG_GROUP_NAME = aws_cloudwatch_log_group.sns_logs.name
		49 |     }
		50 |   }
		51 | 
		52 |   lifecycle {
		53 |     replace_triggered_by = [aws_iam_role.lambda_logging]
		54 |   }
		55 | 
		56 |   tags = local.tags
		57 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.sns_to_cloudwatch
	File: /ses_logging.tf:37-57
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		37 | resource "aws_lambda_function" "sns_to_cloudwatch" {
		38 |   filename         = "${path.module}/lambda/sns_to_cloudwatch/sns_to_cloudwatch.zip"
		39 |   function_name    = "sns_to_cloudwatch"
		40 |   architectures    = ["arm64"]
		41 |   role             = aws_iam_role.lambda_logging.arn
		42 |   runtime          = "python3.12"
		43 |   handler          = "sns_to_cloudwatch.handler"
		44 |   source_code_hash = data.archive_file.lambda_function_payload.output_base64sha256
		45 | 
		46 |   environment {
		47 |     variables = {
		48 |       LOG_GROUP_NAME = aws_cloudwatch_log_group.sns_logs.name
		49 |     }
		50 |   }
		51 | 
		52 |   lifecycle {
		53 |     replace_triggered_by = [aws_iam_role.lambda_logging]
		54 |   }
		55 | 
		56 |   tags = local.tags
		57 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.sns_to_cloudwatch
	File: /ses_logging.tf:37-57
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		37 | resource "aws_lambda_function" "sns_to_cloudwatch" {
		38 |   filename         = "${path.module}/lambda/sns_to_cloudwatch/sns_to_cloudwatch.zip"
		39 |   function_name    = "sns_to_cloudwatch"
		40 |   architectures    = ["arm64"]
		41 |   role             = aws_iam_role.lambda_logging.arn
		42 |   runtime          = "python3.12"
		43 |   handler          = "sns_to_cloudwatch.handler"
		44 |   source_code_hash = data.archive_file.lambda_function_payload.output_base64sha256
		45 | 
		46 |   environment {
		47 |     variables = {
		48 |       LOG_GROUP_NAME = aws_cloudwatch_log_group.sns_logs.name
		49 |     }
		50 |   }
		51 | 
		52 |   lifecycle {
		53 |     replace_triggered_by = [aws_iam_role.lambda_logging]
		54 |   }
		55 | 
		56 |   tags = local.tags
		57 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.sns_logs
	File: /ses_logging.tf:59-64
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		59 | resource "aws_cloudwatch_log_group" "sns_logs" {
		60 |   name              = format("%s-ses-logs", local.application_name)
		61 |   retention_in_days = local.application_data.accounts[local.environment].ses_log_retention_days
		62 | 
		63 |   tags = local.tags
		64 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.execution_logs
	File: /ses_logging.tf:66-71
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		66 | resource "aws_cloudwatch_log_group" "execution_logs" {
		67 |   name              = format("/aws/lambda/%s", aws_lambda_function.sns_to_cloudwatch.function_name)
		68 |   retention_in_days = 3
		69 | 
		70 |   tags = local.tags
		71 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.execution_logs
	File: /ses_logging.tf:66-71
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		66 | resource "aws_cloudwatch_log_group" "execution_logs" {
		67 |   name              = format("/aws/lambda/%s", aws_lambda_function.sns_to_cloudwatch.function_name)
		68 |   retention_in_days = 3
		69 | 
		70 |   tags = local.tags
		71 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: module.shield.aws_cloudwatch_log_group.waf[0]
	File: /../../modules/shield_advanced/shield.tf:94-98
	Calling File: /waf.tf:1-55
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		94 | resource "aws_cloudwatch_log_group" "waf" {
		95 |   count             = var.enable_logging ? 1 : 0
		96 |   name              = "aws-waf-logs-${data.external.shield_waf.result["name"]}"
		97 |   retention_in_days = var.log_retention_in_days
		98 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: module.shield.aws_cloudwatch_log_group.waf[0]
	File: /../../modules/shield_advanced/shield.tf:94-98
	Calling File: /waf.tf:1-55
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		94 | resource "aws_cloudwatch_log_group" "waf" {
		95 |   count             = var.enable_logging ? 1 : 0
		96 |   name              = "aws-waf-logs-${data.external.shield_waf.result["name"]}"
		97 |   retention_in_days = var.log_retention_in_days
		98 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.jitbit
	File: /ecs.tf:53-62
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		53 | resource "aws_security_group" "jitbit" {
		54 |   vpc_id      = data.aws_vpc.shared.id
		55 |   name        = format("hmpps-%s-%s-service", local.environment, local.application_name)
		56 |   description = "Security group for the ${local.application_name} service"
		57 |   tags        = local.tags
		58 | 
		59 |   lifecycle {
		60 |     create_before_destroy = true
		61 |   }
		62 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.jitbit_sandbox
	File: /sandbox_ecs.tf:55-66
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		55 | resource "aws_security_group" "jitbit_sandbox" {
		56 |   count = local.is-development ? 1 : 0
		57 | 
		58 |   vpc_id      = data.aws_vpc.shared.id
		59 |   name        = format("hmpps-%s-%s-service", "sandbox", local.application_name)
		60 |   description = "Security group for the ${local.application_name} service"
		61 |   tags        = local.tags
		62 | 
		63 |   lifecycle {
		64 |     create_before_destroy = true
		65 |   }
		66 | }

Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
	FAILED for resource: aws_ssm_parameter.app_url
	File: /ssm.tf:2-6
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted

		2 | resource "aws_ssm_parameter" "app_url" {
		3 |   name  = "/${var.networking[0].application}/environment/app-url"
		4 |   type  = "String"
		5 |   value = "https://${local.app_url}/"
		6 | }

Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
	FAILED for resource: aws_db_instance.jitbit
	File: /rds.tf:43-89
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-60

		43 | resource "aws_db_instance" "jitbit" {
		44 |   engine         = "sqlserver-se"
		45 |   license_model  = "license-included"
		46 |   engine_version = local.application_data.accounts[local.environment].db_engine_version
		47 |   instance_class = local.application_data.accounts[local.environment].db_instance_class
		48 |   identifier     = "${local.application_name}-${local.environment}-database"
		49 |   username       = local.application_data.accounts[local.environment].db_user
		50 | 
		51 |   apply_immediately = false
		52 | 
		53 |   manage_master_user_password = true
		54 | 
		55 |   snapshot_identifier = try(local.application_data.accounts[local.environment].db_snapshot_identifier, null)
		56 | 
		57 |   # tflint-ignore: aws_db_instance_default_parameter_group
		58 |   parameter_group_name        = "default.sqlserver-se-15.0"
		59 |   ca_cert_identifier          = local.application_data.accounts[local.environment].db_ca_cert_identifier
		60 |   deletion_protection         = local.application_data.accounts[local.environment].db_deletion_protection
		61 |   delete_automated_backups    = local.application_data.accounts[local.environment].db_delete_automated_backups
		62 |   skip_final_snapshot         = local.skip_final_snapshot
		63 |   final_snapshot_identifier   = !local.skip_final_snapshot ? "${local.application_name}-${local.environment}-database-final-snapshot" : null
		64 |   allocated_storage           = local.application_data.accounts[local.environment].db_allocated_storage
		65 |   max_allocated_storage       = local.application_data.accounts[local.environment].db_max_allocated_storage
		66 |   storage_type                = local.application_data.accounts[local.environment].db_storage_type
		67 |   maintenance_window          = local.application_data.accounts[local.environment].db_maintenance_window
		68 |   auto_minor_version_upgrade  = local.application_data.accounts[local.environment].db_auto_minor_version_upgrade
		69 |   allow_major_version_upgrade = local.application_data.accounts[local.environment].db_allow_major_version_upgrade
		70 |   backup_window               = local.application_data.accounts[local.environment].db_backup_window
		71 |   backup_retention_period     = local.application_data.accounts[local.environment].db_retention_period
		72 |   #checkov:skip=CKV_AWS_133: "backup_retention enabled, can be edited it application_variables.json"
		73 |   iam_database_authentication_enabled = local.application_data.accounts[local.environment].db_iam_database_authentication_enabled
		74 |   #checkov:skip=CKV_AWS_161: "iam auth enabled, but optional"
		75 |   db_subnet_group_name   = aws_db_subnet_group.jitbit.id
		76 |   vpc_security_group_ids = [aws_security_group.database_security_group.id]
		77 |   multi_az               = local.application_data.accounts[local.environment].db_multi_az
		78 |   #checkov:skip=CKV_AWS_157: "multi-az enabled, but optional"
		79 |   monitoring_interval = local.application_data.accounts[local.environment].db_monitoring_interval
		80 |   monitoring_role_arn = local.application_data.accounts[local.environment].db_monitoring_interval == 0 ? "" : aws_iam_role.rds_enhanced_monitoring[0].arn
		81 |   #checkov:skip=CKV_AWS_118: "enhanced monitoring is enabled, but optional"
		82 |   storage_encrypted               = true
		83 |   performance_insights_enabled    = local.application_data.accounts[local.environment].db_performance_insights_enabled
		84 |   performance_insights_kms_key_id = "" #tfsec:ignore:aws-rds-enable-performance-insights-encryption Left empty so that it will run, however should be populated with real key in scenario.
		85 |   enabled_cloudwatch_logs_exports = local.application_data.accounts[local.environment].db_enabled_cloudwatch_logs_exports
		86 |   tags = merge(local.tags,
		87 |     { Name = lower(format("%s-%s-database", local.application_name, local.environment)) }
		88 |   )
		89 | }

Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
	FAILED for resource: aws_db_instance.jitbit_sandbox
	File: /sandbox_rds.tf:27-71
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-60

		27 | resource "aws_db_instance" "jitbit_sandbox" {
		28 |   count = local.is-development ? 1 : 0
		29 | 
		30 |   engine         = "sqlserver-se"
		31 |   license_model  = "license-included"
		32 |   engine_version = local.application_data.accounts["sandbox"].db_engine_version
		33 |   instance_class = local.application_data.accounts["sandbox"].db_instance_class
		34 |   identifier     = "${local.application_name}-sandbox-database"
		35 |   username       = local.application_data.accounts["sandbox"].db_user
		36 | 
		37 |   manage_master_user_password = true
		38 | 
		39 |   snapshot_identifier = try(local.application_data.accounts["sandbox"].db_snapshot_identifier, null)
		40 | 
		41 |   # tflint-ignore: aws_db_instance_default_parameter_group
		42 |   parameter_group_name        = "default.sqlserver-se-15.0"
		43 |   ca_cert_identifier          = local.application_data.accounts["sandbox"].db_ca_cert_identifier
		44 |   deletion_protection         = local.application_data.accounts["sandbox"].db_deletion_protection
		45 |   delete_automated_backups    = local.application_data.accounts["sandbox"].db_delete_automated_backups
		46 |   skip_final_snapshot         = local.application_data.accounts["sandbox"].db_skip_final_snapshot
		47 |   final_snapshot_identifier   = !local.skip_final_snapshot ? "${local.application_name}-sandbox-database-final-snapshot" : null
		48 |   allocated_storage           = local.application_data.accounts["sandbox"].db_allocated_storage
		49 |   max_allocated_storage       = local.application_data.accounts["sandbox"].db_max_allocated_storage
		50 |   storage_type                = local.application_data.accounts["sandbox"].db_storage_type
		51 |   maintenance_window          = local.application_data.accounts["sandbox"].db_maintenance_window
		52 |   auto_minor_version_upgrade  = local.application_data.accounts["sandbox"].db_auto_minor_version_upgrade
		53 |   allow_major_version_upgrade = local.application_data.accounts["sandbox"].db_allow_major_version_upgrade
		54 |   backup_window               = local.application_data.accounts["sandbox"].db_backup_window
		55 |   backup_retention_period     = local.application_data.accounts["sandbox"].db_retention_period
		56 |   #checkov:skip=CKV_AWS_133: "backup_retention enabled, can be edited it application_variables.json"
		57 |   iam_database_authentication_enabled = local.application_data.accounts["sandbox"].db_iam_database_authentication_enabled
		58 |   #checkov:skip=CKV_AWS_161: "iam auth enabled, but optional"
		59 |   db_subnet_group_name   = aws_db_subnet_group.jitbit.id
		60 |   vpc_security_group_ids = [aws_security_group.database_security_group_sandbox[0].id]
		61 |   multi_az               = local.application_data.accounts["sandbox"].db_multi_az
		62 |   #checkov:skip=CKV_AWS_157: "multi-az enabled, but optional"
		63 |   storage_encrypted = true
		64 | 
		65 |   tags = merge(
		66 |     local.tags,
		67 |     {
		68 |       Name = lower(format("%s-%s-database", local.application_name, "sandbox"))
		69 |     }
		70 |   )
		71 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.db_app_connection_string_sandbox
	File: /sandbox_secrets.tf:2-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		2  | resource "aws_secretsmanager_secret" "db_app_connection_string_sandbox" {
		3  |   count = local.is-development ? 1 : 0
		4  |   #checkov:skip=CKV_AWS_149
		5  |   name                    = "${var.networking[0].application}-app-connection-string-sandbox"
		6  |   recovery_window_in_days = 0
		7  |   tags = merge(
		8  |     local.tags,
		9  |     {
		10 |       Name = "${var.networking[0].application}-app-connection-string-sandbox"
		11 |     },
		12 |   )
		13 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.db_app_connection_string
	File: /secrets.tf:5-15
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		5  | resource "aws_secretsmanager_secret" "db_app_connection_string" {
		6  |   #checkov:skip=CKV_AWS_149
		7  |   name                    = "${var.networking[0].application}-app-connection-string"
		8  |   recovery_window_in_days = 0
		9  |   tags = merge(
		10 |     local.tags,
		11 |     {
		12 |       Name = "${var.networking[0].application}-app-connection-string"
		13 |     },
		14 |   )
		15 | }


checkov_exitcode=1

CTFLint Scan Failed

Show Output

*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/delius-jitbit

*****************************

Running tflint in terraform/environments/delius-jitbit
Excluding the following checks: terraform_unused_declarations
2 issue(s) found:

Warning: Missing version constraint for provider "archive" in `required_providers` (terraform_required_providers)

  on terraform/environments/delius-jitbit/ses_logging.tf line 30:
  30: data "archive_file" "lambda_function_payload" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "external" in `required_providers` (terraform_required_providers)

  on terraform/environments/delius-jitbit/waf.tf line 57:
  57: data "external" "shield_waf" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

tflint_exitcode=2

Trivy Scan Failed

Show Output

*****************************

Trivy will check the following folders:
terraform/environments/delius-jitbit

*****************************

Running Trivy in terraform/environments/delius-jitbit
2024-10-15T00:19:57Z	INFO	[vulndb] Need to update DB
2024-10-15T00:19:57Z	INFO	[vulndb] Downloading vulnerability DB...
2024-10-15T00:19:57Z	INFO	[vulndb] Downloading artifact...	repo="ghcr.io/aquasecurity/trivy-db:2"
2024-10-15T00:19:59Z	INFO	[vulndb] Artifact successfully downloaded	repo="ghcr.io/aquasecurity/trivy-db:2"
2024-10-15T00:19:59Z	INFO	[vuln] Vulnerability scanning is enabled
2024-10-15T00:19:59Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-10-15T00:19:59Z	INFO	[misconfig] Need to update the built-in checks
2024-10-15T00:19:59Z	INFO	[misconfig] Downloading the built-in checks...
156.02 KiB / 156.02 KiB [---------------------------------------------------------] 100.00% ? p/s 0s2024-10-15T00:20:00Z	INFO	[secret] Secret scanning is enabled
2024-10-15T00:20:00Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-10-15T00:20:00Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.56/docs/scanner/secret#recommendation for faster secret detection
2024-10-15T00:20:01Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-10-15T00:20:01Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2024-10-15T00:20:01Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_vpc_security_group_egress_rule.load_balancer_egress_rule" value="cty.NilVal"
2024-10-15T00:20:01Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_vpc_security_group_ingress_rule.load_balancer_ingress_rule" value="cty.NilVal"
2024-10-15T00:20:02Z	ERROR	[terraform evaluator] Failed to load module. Maybe try 'terraform init'?	err="open cluster: no such file or directory"
2024-10-15T00:20:03Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2024-10-15T00:20:03Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2024-10-15T00:20:03Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.dynamic.tag" value="cty.NilVal"
2024-10-15T00:20:03Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.dynamic.tag" value="cty.NilVal"
2024-10-15T00:20:03Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-15T00:20:03Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-10-15T00:20:03Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-15T00:20:03Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-15T00:20:03Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-10-15T00:20:03Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-10-15T00:20:03Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-15T00:20:03Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-10-15T00:20:03Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-15T00:20:03Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-15T00:20:03Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-10-15T00:20:03Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-10-15T00:20:03Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.jitbit_bucket.dynamic.expiration" value="cty.NilVal"
2024-10-15T00:20:03Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.jitbit_bucket.dynamic.transition" value="cty.NilVal"
2024-10-15T00:20:03Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.jitbit_bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-15T00:20:03Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.jitbit_bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-15T00:20:03Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.jitbit_bucket.dynamic.principals" value="cty.NilVal"
2024-10-15T00:20:03Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.jitbit_bucket.dynamic.condition" value="cty.NilVal"
2024-10-15T00:20:03Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.jitbit_bucket.dynamic.expiration" value="cty.NilVal"
2024-10-15T00:20:03Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.jitbit_bucket.dynamic.transition" value="cty.NilVal"
2024-10-15T00:20:03Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.jitbit_bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-15T00:20:03Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.jitbit_bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-15T00:20:03Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.jitbit_bucket.dynamic.principals" value="cty.NilVal"
2024-10-15T00:20:03Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.jitbit_bucket.dynamic.condition" value="cty.NilVal"
2024-10-15T00:20:03Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.s3_bucket_app_deployment.dynamic.expiration" value="cty.NilVal"
2024-10-15T00:20:03Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.s3_bucket_app_deployment.dynamic.transition" value="cty.NilVal"
2024-10-15T00:20:03Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.s3_bucket_app_deployment.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-15T00:20:03Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.s3_bucket_app_deployment.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-15T00:20:03Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.s3_bucket_app_deployment.dynamic.principals" value="cty.NilVal"
2024-10-15T00:20:03Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.s3_bucket_app_deployment.dynamic.condition" value="cty.NilVal"
2024-10-15T00:20:03Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.s3_bucket_app_deployment.dynamic.expiration" value="cty.NilVal"
2024-10-15T00:20:03Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.s3_bucket_app_deployment.dynamic.transition" value="cty.NilVal"
2024-10-15T00:20:03Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.s3_bucket_app_deployment.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-15T00:20:03Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.s3_bucket_app_deployment.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-15T00:20:03Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.s3_bucket_app_deployment.dynamic.principals" value="cty.NilVal"
2024-10-15T00:20:03Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.s3_bucket_app_deployment.dynamic.condition" value="cty.NilVal"
2024-10-15T00:20:03Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.shield.aws_wafv2_web_acl_association.this" value="cty.NilVal"
2024-10-15T00:20:03Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.shield.dynamic.action" value="cty.NilVal"
2024-10-15T00:20:03Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.shield.dynamic.action" value="cty.NilVal"
2024-10-15T00:20:03Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.shield.dynamic.action" value="cty.NilVal"
2024-10-15T00:20:03Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.shield.dynamic.action" value="cty.NilVal"
2024-10-15T00:20:05Z	INFO	[terraform executor] Ignore finding	rule="aws-elb-alb-not-public" range="lb.tf:14"
2024-10-15T00:20:05Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-user-attached-policies" range="iam.tf:150-156"
2024-10-15T00:20:05Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.3.1/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=7b2b75c178f855d8c48d3bda4ac53df782288c02/main.tf:141-151"
2024-10-15T00:20:05Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0/main.tf:157-165"
2024-10-15T00:20:05Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0/main.tf:157-165"
2024-10-15T00:20:05Z	INFO	[terraform executor] Ignore finding	rule="aws-ssm-secret-use-customer-key" range="secrets.tf:5-15"
2024-10-15T00:20:05Z	INFO	Number of language-specific files	num=0
2024-10-15T00:20:05Z	INFO	Detected config files	num=14

monitoring.tf (terraform)
=========================
Tests: 1 (SUCCESSES: 0, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Topic does not have encryption enabled.
════════════════════════════════════════
Topics should be encrypted to protect their contents.


See https://avd.aquasec.com/misconfig/avd-aws-0095
────────────────────────────────────────
 monitoring.tf:6-8
────────────────────────────────────────
   6 ┌ resource "aws_sns_topic" "jitbit_alerting" {
   7 │   name = "jitbit_alerting"
   8 └ }
────────────────────────────────────────



ses_bounce.tf (terraform)
=========================
Tests: 1 (SUCCESSES: 0, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Topic does not have encryption enabled.
════════════════════════════════════════
Topics should be encrypted to protect their contents.


See https://avd.aquasec.com/misconfig/avd-aws-0095
────────────────────────────────────────
 ses_bounce.tf:1-5
────────────────────────────────────────
   1 ┌ resource "aws_sns_topic" "jitbit_ses_destination_topic_bounce_email_notification" {
   2 │   name = format("%s-ses-destination-topic-bounce-email-notification", local.application_name)
   3 │ 
   4 │   tags = local.tags
   5 └ }
────────────────────────────────────────



ses_logging.tf (terraform)
==========================
Tests: 1 (SUCCESSES: 0, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Topic does not have encryption enabled.
════════════════════════════════════════
Topics should be encrypted to protect their contents.


See https://avd.aquasec.com/misconfig/avd-aws-0095
────────────────────────────────────────
 ses_logging.tf:4-8
────────────────────────────────────────
   4 ┌ resource "aws_sns_topic" "jitbit_ses_destination_topic" {
   5 │   name = format("%s-ses-destination-topic", local.application_name)
   6 │ 
   7 │   tags = local.tags
   8 └ }
────────────────────────────────────────


trivy_exitcode=1

[dependabot]

Superseded by #8276.