
Tm 570 automate disabling of cloud watch alarms for non prod environments mp #8262


andrewmooreio
Contributor

No description provided.

@andrewmooreio andrewmooreio requested review from a team as code owners October 15, 2024 12:39
@github-actions github-actions bot added the environments-repository Used to exclude PRs from this repo in our Slack PR update label Oct 15, 2024

#### `Trivy Scan` Failed
<details><summary>Show Output</summary>

```hcl

Trivy will check the following folders:
terraform/environments/delius-mis/modules/mis_environment
terraform/modules/schedule_alarms_lambda


Running Trivy in terraform/environments/delius-mis/modules/mis_environment
2024-10-15T12:40:57Z INFO [vulndb] Need to update DB
2024-10-15T12:40:57Z INFO [vulndb] Downloading vulnerability DB...
2024-10-15T12:40:57Z INFO [vulndb] Downloading artifact... repo="ghcr.io/aquasecurity/trivy-db:2"
2024-10-15T12:40:57Z ERROR [vulndb] Failed to download artifact repo="ghcr.io/aquasecurity/trivy-db:2" err="oci download error: failed to fetch the layer: GET https://ghcr.io/v2/aquasecurity/trivy-db/blobs/sha256:12507e5d35ed9dcaa337be9dc419ec149b406f78ab4b6e3dc3ce14154151f482: TOOMANYREQUESTS: retry-after: 766.724µs, allowed: 44000/minute"
2024-10-15T12:40:57Z FATAL Fatal error init error: DB error: failed to download vulnerability DB: OCI artifact error: failed to download vulnerability DB: failed to download artifact from any source
trivy_exitcode=1


Running Trivy in terraform/modules/schedule_alarms_lambda
2024-10-15T12:40:57Z INFO [vulndb] Need to update DB
2024-10-15T12:40:57Z INFO [vulndb] Downloading vulnerability DB...
2024-10-15T12:40:57Z INFO [vulndb] Downloading artifact... repo="ghcr.io/aquasecurity/trivy-db:2"
2024-10-15T12:40:58Z ERROR [vulndb] Failed to download artifact repo="ghcr.io/aquasecurity/trivy-db:2" err="oci download error: failed to fetch the layer: GET https://ghcr.io/v2/aquasecurity/trivy-db/blobs/sha256:12507e5d35ed9dcaa337be9dc419ec149b406f78ab4b6e3dc3ce14154151f482: TOOMANYREQUESTS: retry-after: 451.534µs, allowed: 44000/minute"
2024-10-15T12:40:58Z FATAL Fatal error init error: DB error: failed to download vulnerability DB: OCI artifact error: failed to download vulnerability DB: failed to download artifact from any source
trivy_exitcode=2

```

</details>

#### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/delius-mis/modules/mis_environment
terraform/modules/schedule_alarms_lambda

*****************************

Running Checkov in terraform/environments/delius-mis/modules/mis_environment
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-10-15 12:41:01,003 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance:None (for external modules, the --download-external-modules flag is required)
2024-10-15 12:41:01,003 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0:None (for external modules, the --download-external-modules flag is required)
2024-10-15 12:41:01,004 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=c918b2189d9f81d224e07e98fa1bc9ff38e4ba12:None (for external modules, the --download-external-modules flag is required)
2024-10-15 12:41:01,004 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 916, Failed checks: 128, Skipped checks: 2

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.oracle_db_boe.instance
	File: /../../../delius-core/modules/components/oracle_db_instance/instance.tf:23-66
	Calling File: /databases.tf:94-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		23 | module "instance" {
		24 |   source = "github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance"
		25 | 
		26 |   providers = {
		27 |     aws.core-vpc = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		28 |   }
		29 | 
		30 |   name = "${var.account_info.application_name}-${var.env_name}-${var.db_suffix}-${local.instance_name_index}" # e.g. dev-boe-db-1
		31 | 
		32 |   ami_name                      = data.aws_ami.oracle_db.name
		33 |   ami_owner                     = var.db_ami.owner
		34 |   instance                      = local.instance_config
		35 |   ebs_kms_key_id                = var.account_config.kms_keys.general_shared
		36 |   ebs_volumes_copy_all_from_ami = true
		37 |   ebs_volume_config             = var.ebs_volume_config
		38 |   ebs_volumes                   = var.ebs_volumes
		39 |   ebs_volume_tags               = var.tags
		40 |   # route53_records               = merge(local.ec2_test.route53_records, lookup(each.value, "route53_records", {})) # revist
		41 |   route53_records = {
		42 |     create_internal_record = false
		43 |     create_external_record = false
		44 |   }
		45 |   iam_resource_names_prefix = "instance"
		46 |   instance_profile_policies = var.instance_profile_policies
		47 | 
		48 |   user_data_raw = base64encode(var.user_data)
		49 | 
		50 |   business_unit     = var.account_info.business_unit
		51 |   application_name  = var.account_info.application_name
		52 |   environment       = var.account_info.mp_environment
		53 |   region            = "eu-west-2"
		54 |   availability_zone = var.availability_zone
		55 |   subnet_id         = var.subnet_id
		56 |   tags = merge(var.tags,
		57 |     { Name = "${var.account_info.application_name}-${var.env_name}-${var.db_suffix}-${local.instance_name_index}" },
		58 |     { server-type = var.server_type_tag },
		59 |     { database = local.database_tag },
		60 |     var.enable_platform_backups != null ? { "backup" = var.enable_platform_backups ? "true" : "false" } : {}
		61 |   )
		62 | 
		63 |   cloudwatch_metric_alarms = merge(
		64 |     local.cloudwatch_metric_alarms.ec2
		65 |   )
		66 | }

Check: CKV_TF_2: "Ensure Terraform module sources use a tag with a version number"
	FAILED for resource: module.oracle_db_boe.instance
	File: /../../../delius-core/modules/components/oracle_db_instance/instance.tf:23-66
	Calling File: /databases.tf:94-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-tag

		23 | module "instance" {
		24 |   source = "github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance"
		25 | 
		26 |   providers = {
		27 |     aws.core-vpc = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		28 |   }
		29 | 
		30 |   name = "${var.account_info.application_name}-${var.env_name}-${var.db_suffix}-${local.instance_name_index}" # e.g. dev-boe-db-1
		31 | 
		32 |   ami_name                      = data.aws_ami.oracle_db.name
		33 |   ami_owner                     = var.db_ami.owner
		34 |   instance                      = local.instance_config
		35 |   ebs_kms_key_id                = var.account_config.kms_keys.general_shared
		36 |   ebs_volumes_copy_all_from_ami = true
		37 |   ebs_volume_config             = var.ebs_volume_config
		38 |   ebs_volumes                   = var.ebs_volumes
		39 |   ebs_volume_tags               = var.tags
		40 |   # route53_records               = merge(local.ec2_test.route53_records, lookup(each.value, "route53_records", {})) # revist
		41 |   route53_records = {
		42 |     create_internal_record = false
		43 |     create_external_record = false
		44 |   }
		45 |   iam_resource_names_prefix = "instance"
		46 |   instance_profile_policies = var.instance_profile_policies
		47 | 
		48 |   user_data_raw = base64encode(var.user_data)
		49 | 
		50 |   business_unit     = var.account_info.business_unit
		51 |   application_name  = var.account_info.application_name
		52 |   environment       = var.account_info.mp_environment
		53 |   region            = "eu-west-2"
		54 |   availability_zone = var.availability_zone
		55 |   subnet_id         = var.subnet_id
		56 |   tags = merge(var.tags,
		57 |     { Name = "${var.account_info.application_name}-${var.env_name}-${var.db_suffix}-${local.instance_name_index}" },
		58 |     { server-type = var.server_type_tag },
		59 |     { database = local.database_tag },
		60 |     var.enable_platform_backups != null ? { "backup" = var.enable_platform_backups ? "true" : "false" } : {}
		61 |   )
		62 | 
		63 |   cloudwatch_metric_alarms = merge(
		64 |     local.cloudwatch_metric_alarms.ec2
		65 |   )
		66 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.oracle_db_dsd.instance
	File: /../../../delius-core/modules/components/oracle_db_instance/instance.tf:23-66
	Calling File: /databases.tf:39-91
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		23 | module "instance" {
		24 |   source = "github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance"
		25 | 
		26 |   providers = {
		27 |     aws.core-vpc = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		28 |   }
		29 | 
		30 |   name = "${var.account_info.application_name}-${var.env_name}-${var.db_suffix}-${local.instance_name_index}" # e.g. dev-boe-db-1
		31 | 
		32 |   ami_name                      = data.aws_ami.oracle_db.name
		33 |   ami_owner                     = var.db_ami.owner
		34 |   instance                      = local.instance_config
		35 |   ebs_kms_key_id                = var.account_config.kms_keys.general_shared
		36 |   ebs_volumes_copy_all_from_ami = true
		37 |   ebs_volume_config             = var.ebs_volume_config
		38 |   ebs_volumes                   = var.ebs_volumes
		39 |   ebs_volume_tags               = var.tags
		40 |   # route53_records               = merge(local.ec2_test.route53_records, lookup(each.value, "route53_records", {})) # revist
		41 |   route53_records = {
		42 |     create_internal_record = false
		43 |     create_external_record = false
		44 |   }
		45 |   iam_resource_names_prefix = "instance"
		46 |   instance_profile_policies = var.instance_profile_policies
		47 | 
		48 |   user_data_raw = base64encode(var.user_data)
		49 | 
		50 |   business_unit     = var.account_info.business_unit
		51 |   application_name  = var.account_info.application_name
		52 |   environment       = var.account_info.mp_environment
		53 |   region            = "eu-west-2"
		54 |   availability_zone = var.availability_zone
		55 |   subnet_id         = var.subnet_id
		56 |   tags = merge(var.tags,
		57 |     { Name = "${var.account_info.application_name}-${var.env_name}-${var.db_suffix}-${local.instance_name_index}" },
		58 |     { server-type = var.server_type_tag },
		59 |     { database = local.database_tag },
		60 |     var.enable_platform_backups != null ? { "backup" = var.enable_platform_backups ? "true" : "false" } : {}
		61 |   )
		62 | 
		63 |   cloudwatch_metric_alarms = merge(
		64 |     local.cloudwatch_metric_alarms.ec2
		65 |   )
		66 | }

Check: CKV_TF_2: "Ensure Terraform module sources use a tag with a version number"
	FAILED for resource: module.oracle_db_dsd.instance
	File: /../../../delius-core/modules/components/oracle_db_instance/instance.tf:23-66
	Calling File: /databases.tf:39-91
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-tag

		23 | module "instance" {
		24 |   source = "github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance"
		25 | 
		26 |   providers = {
		27 |     aws.core-vpc = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		28 |   }
		29 | 
		30 |   name = "${var.account_info.application_name}-${var.env_name}-${var.db_suffix}-${local.instance_name_index}" # e.g. dev-boe-db-1
		31 | 
		32 |   ami_name                      = data.aws_ami.oracle_db.name
		33 |   ami_owner                     = var.db_ami.owner
		34 |   instance                      = local.instance_config
		35 |   ebs_kms_key_id                = var.account_config.kms_keys.general_shared
		36 |   ebs_volumes_copy_all_from_ami = true
		37 |   ebs_volume_config             = var.ebs_volume_config
		38 |   ebs_volumes                   = var.ebs_volumes
		39 |   ebs_volume_tags               = var.tags
		40 |   # route53_records               = merge(local.ec2_test.route53_records, lookup(each.value, "route53_records", {})) # revist
		41 |   route53_records = {
		42 |     create_internal_record = false
		43 |     create_external_record = false
		44 |   }
		45 |   iam_resource_names_prefix = "instance"
		46 |   instance_profile_policies = var.instance_profile_policies
		47 | 
		48 |   user_data_raw = base64encode(var.user_data)
		49 | 
		50 |   business_unit     = var.account_info.business_unit
		51 |   application_name  = var.account_info.application_name
		52 |   environment       = var.account_info.mp_environment
		53 |   region            = "eu-west-2"
		54 |   availability_zone = var.availability_zone
		55 |   subnet_id         = var.subnet_id
		56 |   tags = merge(var.tags,
		57 |     { Name = "${var.account_info.application_name}-${var.env_name}-${var.db_suffix}-${local.instance_name_index}" },
		58 |     { server-type = var.server_type_tag },
		59 |     { database = local.database_tag },
		60 |     var.enable_platform_backups != null ? { "backup" = var.enable_platform_backups ? "true" : "false" } : {}
		61 |   )
		62 | 
		63 |   cloudwatch_metric_alarms = merge(
		64 |     local.cloudwatch_metric_alarms.ec2
		65 |   )
		66 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.oracle_db_mis.instance
	File: /../../../delius-core/modules/components/oracle_db_instance/instance.tf:23-66
	Calling File: /databases.tf:148-199
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		23 | module "instance" {
		24 |   source = "github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance"
		25 | 
		26 |   providers = {
		27 |     aws.core-vpc = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		28 |   }
		29 | 
		30 |   name = "${var.account_info.application_name}-${var.env_name}-${var.db_suffix}-${local.instance_name_index}" # e.g. dev-boe-db-1
		31 | 
		32 |   ami_name                      = data.aws_ami.oracle_db.name
		33 |   ami_owner                     = var.db_ami.owner
		34 |   instance                      = local.instance_config
		35 |   ebs_kms_key_id                = var.account_config.kms_keys.general_shared
		36 |   ebs_volumes_copy_all_from_ami = true
		37 |   ebs_volume_config             = var.ebs_volume_config
		38 |   ebs_volumes                   = var.ebs_volumes
		39 |   ebs_volume_tags               = var.tags
		40 |   # route53_records               = merge(local.ec2_test.route53_records, lookup(each.value, "route53_records", {})) # revist
		41 |   route53_records = {
		42 |     create_internal_record = false
		43 |     create_external_record = false
		44 |   }
		45 |   iam_resource_names_prefix = "instance"
		46 |   instance_profile_policies = var.instance_profile_policies
		47 | 
		48 |   user_data_raw = base64encode(var.user_data)
		49 | 
		50 |   business_unit     = var.account_info.business_unit
		51 |   application_name  = var.account_info.application_name
		52 |   environment       = var.account_info.mp_environment
		53 |   region            = "eu-west-2"
		54 |   availability_zone = var.availability_zone
		55 |   subnet_id         = var.subnet_id
		56 |   tags = merge(var.tags,
		57 |     { Name = "${var.account_info.application_name}-${var.env_name}-${var.db_suffix}-${local.instance_name_index}" },
		58 |     { server-type = var.server_type_tag },
		59 |     { database = local.database_tag },
		60 |     var.enable_platform_backups != null ? { "backup" = var.enable_platform_backups ? "true" : "false" } : {}
		61 |   )
		62 | 
		63 |   cloudwatch_metric_alarms = merge(
		64 |     local.cloudwatch_metric_alarms.ec2
		65 |   )
		66 | }

Check: CKV_TF_2: "Ensure Terraform module sources use a tag with a version number"
	FAILED for resource: module.oracle_db_mis.instance
	File: /../../../delius-core/modules/components/oracle_db_instance/instance.tf:23-66
	Calling File: /databases.tf:148-199
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-tag

		23 | module "instance" {
		24 |   source = "github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance"
		25 | 
		26 |   providers = {
		27 |     aws.core-vpc = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		28 |   }
		29 | 
		30 |   name = "${var.account_info.application_name}-${var.env_name}-${var.db_suffix}-${local.instance_name_index}" # e.g. dev-boe-db-1
		31 | 
		32 |   ami_name                      = data.aws_ami.oracle_db.name
		33 |   ami_owner                     = var.db_ami.owner
		34 |   instance                      = local.instance_config
		35 |   ebs_kms_key_id                = var.account_config.kms_keys.general_shared
		36 |   ebs_volumes_copy_all_from_ami = true
		37 |   ebs_volume_config             = var.ebs_volume_config
		38 |   ebs_volumes                   = var.ebs_volumes
		39 |   ebs_volume_tags               = var.tags
		40 |   # route53_records               = merge(local.ec2_test.route53_records, lookup(each.value, "route53_records", {})) # revist
		41 |   route53_records = {
		42 |     create_internal_record = false
		43 |     create_external_record = false
		44 |   }
		45 |   iam_resource_names_prefix = "instance"
		46 |   instance_profile_policies = var.instance_profile_policies
		47 | 
		48 |   user_data_raw = base64encode(var.user_data)
		49 | 
		50 |   business_unit     = var.account_info.business_unit
		51 |   application_name  = var.account_info.application_name
		52 |   environment       = var.account_info.mp_environment
		53 |   region            = "eu-west-2"
		54 |   availability_zone = var.availability_zone
		55 |   subnet_id         = var.subnet_id
		56 |   tags = merge(var.tags,
		57 |     { Name = "${var.account_info.application_name}-${var.env_name}-${var.db_suffix}-${local.instance_name_index}" },
		58 |     { server-type = var.server_type_tag },
		59 |     { database = local.database_tag },
		60 |     var.enable_platform_backups != null ? { "backup" = var.enable_platform_backups ? "true" : "false" } : {}
		61 |   )
		62 | 
		63 |   cloudwatch_metric_alarms = merge(
		64 |     local.cloudwatch_metric_alarms.ec2
		65 |   )
		66 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: module.oracle_db_shared["boe-db"].aws_iam_policy_document.allow_access_to_ssm_parameter_store
	File: /../../../delius-core/modules/components/oracle_db_shared/iam.tf:90-99
	Calling File: /databases.tf:13-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		90 | data "aws_iam_policy_document" "allow_access_to_ssm_parameter_store" {
		91 |   statement {
		92 |     sid    = "AllowAccessToSsmParameterStore"
		93 |     effect = "Allow"
		94 |     actions = [
		95 |       "ssm:PutParameter"
		96 |     ]
		97 |     resources = ["*"]
		98 |   }
		99 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.oracle_db_shared["boe-db"].aws_iam_policy_document.allow_access_to_ssm_parameter_store
	File: /../../../delius-core/modules/components/oracle_db_shared/iam.tf:90-99
	Calling File: /databases.tf:13-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		90 | data "aws_iam_policy_document" "allow_access_to_ssm_parameter_store" {
		91 |   statement {
		92 |     sid    = "AllowAccessToSsmParameterStore"
		93 |     effect = "Allow"
		94 |     actions = [
		95 |       "ssm:PutParameter"
		96 |     ]
		97 |     resources = ["*"]
		98 |   }
		99 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: module.oracle_db_shared["boe-db"].aws_iam_policy_document.instance_ssm
	File: /../../../delius-core/modules/components/oracle_db_shared/iam.tf:170-220
	Calling File: /databases.tf:13-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.oracle_db_shared["boe-db"].aws_iam_policy_document.instance_ssm
	File: /../../../delius-core/modules/components/oracle_db_shared/iam.tf:170-220
	Calling File: /databases.tf:13-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_108: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: module.oracle_db_shared["boe-db"].aws_iam_policy_document.instance_ssm
	File: /../../../delius-core/modules/components/oracle_db_shared/iam.tf:170-220
	Calling File: /databases.tf:13-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-data-exfiltration

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.oracle_db_shared["boe-db"].s3_bucket_oracledb_backups
	File: /../../../delius-core/modules/components/oracle_db_shared/s3.tf:22-62
	Calling File: /databases.tf:13-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		22 | module "s3_bucket_oracledb_backups" {
		23 |   source              = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0"
		24 |   bucket_name         = local.oracle_backup_bucket_prefix
		25 |   versioning_enabled  = false
		26 |   ownership_controls  = "BucketOwnerEnforced"
		27 |   replication_enabled = false
		28 |   custom_kms_key      = var.account_config.kms_keys.general_shared
		29 |   bucket_policy = try([data.aws_iam_policy_document.s3_bucket_oracledb_backups[0].json], [
		30 |     "{}"
		31 |   ])
		32 | 
		33 |   providers = {
		34 |     aws.bucket-replication = aws.bucket-replication
		35 |   }
		36 | 
		37 |   lifecycle_rule = [
		38 |     {
		39 |       id      = "main"
		40 |       enabled = "Enabled"
		41 |       prefix  = ""
		42 | 
		43 |       tags = {
		44 |         rule      = "log"
		45 |         autoclean = "true"
		46 |       }
		47 | 
		48 |       transition = [
		49 |         {
		50 |           days          = 90
		51 |           storage_class = "STANDARD_IA"
		52 |         }
		53 |       ]
		54 | 
		55 |       expiration = {
		56 |         days = 365
		57 |       }
		58 |     }
		59 |   ]
		60 | 
		61 |   tags = var.tags
		62 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.oracle_db_shared["boe-db"].s3_bucket_oracle_statistics
	File: /../../../delius-core/modules/components/oracle_db_shared/s3.tf:334-375
	Calling File: /databases.tf:13-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		334 | module "s3_bucket_oracle_statistics" {
		335 |   count = var.deploy_oracle_stats ? 1 : 0
		336 | 
		337 |   source              = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0"
		338 |   bucket_name         = "${var.account_info.application_name}-${var.env_name}-oracle-${var.db_suffix}-statistics-backup-data"
		339 |   versioning_enabled  = false
		340 |   ownership_controls  = "BucketOwnerEnforced"
		341 |   replication_enabled = false
		342 |   custom_kms_key      = var.account_config.kms_keys.general_shared
		343 |   bucket_policy = try([data.aws_iam_policy_document.s3_bucket_oracle_statistics[0].json], [
		344 |     "{}"
		345 |   ])
		346 |   providers = {
		347 |     aws.bucket-replication = aws.bucket-replication
		348 |   }
		349 | 
		350 |   lifecycle_rule = [
		351 |     {
		352 |       id      = "main"
		353 |       enabled = "Enabled"
		354 |       prefix  = ""
		355 | 
		356 |       tags = {
		357 |         rule      = "log"
		358 |         autoclean = "true"
		359 |       }
		360 | 
		361 |       transition = [
		362 |         {
		363 |           days          = 90
		364 |           storage_class = "STANDARD_IA"
		365 |         }
		366 |       ]
		367 | 
		368 |       expiration = {
		369 |         days = 365
		370 |       }
		371 |     }
		372 |   ]
		373 | 
		374 |   tags = var.tags
		375 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.oracle_db_shared["boe-db"].aws_iam_policy_document.database_dba_passwords
	File: /../../../delius-core/modules/components/oracle_db_shared/secrets.tf:15-26
	Calling File: /databases.tf:13-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		15 | data "aws_iam_policy_document" "database_dba_passwords" {
		16 |   statement {
		17 |     sid    = "OemAWSAccountToReadTheSecret"
		18 |     effect = "Allow"
		19 |     principals {
		20 |       type        = "AWS"
		21 |       identifiers = ["arn:aws:iam::${local.oem_account_id}:role/EC2OracleEnterpriseManagementSecretsRole"]
		22 |     }
		23 |     actions   = ["secretsmanager:GetSecretValue"]
		24 |     resources = ["*"]
		25 |   }
		26 | }

Check: CKV_AWS_108: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: module.oracle_db_shared["boe-db"].aws_iam_policy_document.database_dba_passwords
	File: /../../../delius-core/modules/components/oracle_db_shared/secrets.tf:15-26
	Calling File: /databases.tf:13-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-data-exfiltration

		15 | data "aws_iam_policy_document" "database_dba_passwords" {
		16 |   statement {
		17 |     sid    = "OemAWSAccountToReadTheSecret"
		18 |     effect = "Allow"
		19 |     principals {
		20 |       type        = "AWS"
		21 |       identifiers = ["arn:aws:iam::${local.oem_account_id}:role/EC2OracleEnterpriseManagementSecretsRole"]
		22 |     }
		23 |     actions   = ["secretsmanager:GetSecretValue"]
		24 |     resources = ["*"]
		25 |   }
		26 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: module.oracle_db_shared["boe-db"].aws_vpc_security_group_ingress_rule.delius_db_security_group_ssh_ingress_bastion
	File: /../../../delius-core/modules/components/oracle_db_shared/sg.tf:76-83
	Calling File: /databases.tf:13-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		76 | resource "aws_vpc_security_group_ingress_rule" "delius_db_security_group_ssh_ingress_bastion" {
		77 |   security_group_id            = aws_security_group.db_ec2.id
		78 |   description                  = "bastion to testing db"
		79 |   from_port                    = 22
		80 |   to_port                      = 22
		81 |   ip_protocol                  = "tcp"
		82 |   referenced_security_group_id = var.bastion_sg_id
		83 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: module.oracle_db_shared["boe-db"].aws_vpc_security_group_ingress_rule.delius_db_oem_db
	File: /../../../delius-core/modules/components/oracle_db_shared/sg.tf:85-91
	Calling File: /databases.tf:13-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		85 | resource "aws_vpc_security_group_ingress_rule" "delius_db_oem_db" {
		86 |   ip_protocol       = "tcp"
		87 |   from_port         = local.db_port
		88 |   to_port           = local.db_tcps_port
		89 |   cidr_ipv4         = var.account_config.shared_vpc_cidr
		90 |   security_group_id = aws_security_group.db_ec2.id
		91 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: module.oracle_db_shared["boe-db"].aws_vpc_security_group_ingress_rule.delius_db_oem_agent
	File: /../../../delius-core/modules/components/oracle_db_shared/sg.tf:105-111
	Calling File: /databases.tf:13-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		105 | resource "aws_vpc_security_group_ingress_rule" "delius_db_oem_agent" {
		106 |   ip_protocol       = "tcp"
		107 |   from_port         = 3872
		108 |   to_port           = 3872
		109 |   cidr_ipv4         = var.account_config.shared_vpc_cidr
		110 |   security_group_id = aws_security_group.db_ec2.id
		111 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: module.oracle_db_shared["boe-db"].aws_vpc_security_group_egress_rule.delius_db_oem_upload
	File: /../../../delius-core/modules/components/oracle_db_shared/sg.tf:113-119
	Calling File: /databases.tf:13-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		113 | resource "aws_vpc_security_group_egress_rule" "delius_db_oem_upload" {
		114 |   ip_protocol       = "tcp"
		115 |   from_port         = 4903
		116 |   to_port           = 4903
		117 |   cidr_ipv4         = var.account_config.shared_vpc_cidr
		118 |   security_group_id = aws_security_group.db_ec2.id
		119 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: module.oracle_db_shared["boe-db"].aws_vpc_security_group_egress_rule.delius_db_oem_console
	File: /../../../delius-core/modules/components/oracle_db_shared/sg.tf:121-128
	Calling File: /databases.tf:13-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		121 | resource "aws_vpc_security_group_egress_rule" "delius_db_oem_console" {
		122 |   ip_protocol = "tcp"
		123 |   from_port   = 7803
		124 |   to_port     = 7803
		125 |   cidr_ipv4   = var.account_config.shared_vpc_cidr
		126 | 
		127 |   security_group_id = aws_security_group.db_ec2.id
		128 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.oracle_db_shared["boe-db"].s3_bucket_ssh_keys
	File: /../../../delius-core/modules/components/oracle_db_shared/ssh_keys.tf:2-45
	Calling File: /databases.tf:13-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		2  | module "s3_bucket_ssh_keys" {
		3  | 
		4  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0"
		5  | 
		6  |   bucket_name = "${var.account_info.application_name}-${var.env_name}-oracle-${var.db_suffix}-ssh-keys"
		7  | 
		8  |   versioning_enabled  = false
		9  |   ownership_controls  = "BucketOwnerEnforced"
		10 |   replication_enabled = false
		11 |   custom_kms_key      = var.account_config.kms_keys.general_shared
		12 | 
		13 |   providers = {
		14 |     aws.bucket-replication = aws.bucket-replication
		15 |   }
		16 | 
		17 |   lifecycle_rule = [
		18 |     {
		19 |       id      = "main"
		20 |       enabled = "Enabled"
		21 |       prefix  = ""
		22 | 
		23 |       tags = {
		24 |         rule      = "log"
		25 |         autoclean = "true"
		26 |       }
		27 | 
		28 |       noncurrent_version_transition = [
		29 |         {
		30 |           days          = 90
		31 |           storage_class = "STANDARD_IA"
		32 |           }, {
		33 |           days          = 365
		34 |           storage_class = "GLACIER"
		35 |         }
		36 |       ]
		37 | 
		38 |       noncurrent_version_expiration = {
		39 |         days = 730
		40 |       }
		41 |     }
		42 |   ]
		43 | 
		44 |   tags = var.tags
		45 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: module.oracle_db_shared["boe-db"].aws_ssm_parameter.rman_password
	File: /../../../delius-core/modules/components/oracle_db_shared/ssm.tf:1-10
	Calling File: /databases.tf:13-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		1  | resource "aws_ssm_parameter" "rman_password" {
		2  |   name  = "/${var.account_info.application_name}-${var.env_name}/delius/oracle-${var.db_suffix}-operation/rman/rman_password"
		3  |   type  = "SecureString"
		4  |   value = "REPLACE"
		5  |   lifecycle {
		6  |     ignore_changes = [
		7  |       value,
		8  |     ]
		9  |   }
		10 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: bcs_instance
	File: /bcs.tf:6-61
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_TF_2: "Ensure Terraform module sources use a tag with a version number"
	FAILED for resource: bcs_instance
	File: /bcs.tf:6-61
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-tag

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.bcs
	File: /bcs.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		1 | resource "aws_security_group" "bcs" {
		2 |   name_prefix = "${var.env_name}-bcs"
		3 |   vpc_id      = var.account_info.vpc_id
		4 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: bps_instance
	File: /bps.tf:6-61
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_TF_2: "Ensure Terraform module sources use a tag with a version number"
	FAILED for resource: bps_instance
	File: /bps.tf:6-61
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-tag

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.bps
	File: /bps.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		1 | resource "aws_security_group" "bps" {
		2 |   name_prefix = "${var.env_name}-bps"
		3 |   vpc_id      = var.account_info.vpc_id
		4 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: bws_instance
	File: /bws.tf:6-61
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_TF_2: "Ensure Terraform module sources use a tag with a version number"
	FAILED for resource: bws_instance
	File: /bws.tf:6-61
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-tag

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.bws
	File: /bws.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		1 | resource "aws_security_group" "bws" {
		2 |   name_prefix = "${var.env_name}-bws"
		3 |   vpc_id      = var.account_info.vpc_id
		4 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.ad_admin_password
	File: /directory_service.tf:29-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		29 | resource "aws_secretsmanager_secret" "ad_admin_password" {
		30 |   name                    = "${var.app_name}-${var.env_name}-ad-admin-password"
		31 |   recovery_window_in_days = 0
		32 | 
		33 |   tags = merge(
		34 |     var.tags,
		35 |     {
		36 |       Name = "${var.app_name}-${var.env_name}-ad-admin-password"
		37 |     }
		38 |   )
		39 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.active_directory
	File: /directory_service.tf:49-52
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		49 | resource "aws_cloudwatch_log_group" "active_directory" {
		50 |   name              = "/aws/directoryservice/${aws_directory_service_directory.mis_ad.id}"
		51 |   retention_in_days = 14
		52 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.active_directory
	File: /directory_service.tf:49-52
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		49 | resource "aws_cloudwatch_log_group" "active_directory" {
		50 |   name              = "/aws/directoryservice/${aws_directory_service_directory.mis_ad.id}"
		51 |   retention_in_days = 14
		52 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: dis_instance
	File: /dis.tf:6-61
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_TF_2: "Ensure Terraform module sources use a tag with a version number"
	FAILED for resource: dis_instance
	File: /dis.tf:6-61
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-tag

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.dis
	File: /dis.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		1 | resource "aws_security_group" "dis" {
		2 |   name_prefix = "${var.env_name}-dis"
		3 |   vpc_id      = var.account_info.vpc_id
		4 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: pagerduty_core_alerts
	File: /pagerduty.tf:12-21
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		12 | module "pagerduty_core_alerts" {
		13 | 
		14 |   depends_on = [
		15 |     aws_sns_topic.delius_mis_alarms
		16 |   ]
		17 | 
		18 |   source                    = "github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0"
		19 |   sns_topics                = [aws_sns_topic.delius_mis_alarms.name]
		20 |   pagerduty_integration_key = var.pagerduty_integration_key
		21 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.delius_mis_alarms
	File: /pagerduty.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		1  | resource "aws_sns_topic" "delius_mis_alarms" {
		2  |   name = "${var.app_name}-${var.env_name}-sns-topic"
		3  | 
		4  |   tags = merge(
		5  |     var.tags,
		6  |     {
		7  |       Name = "${var.app_name}-${var.env_name}-sns-topic"
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_ingress_rule.icmp
	File: /sg_legacy.tf:8-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		8  | resource "aws_vpc_security_group_ingress_rule" "icmp" {
		9  |   security_group_id = aws_security_group.legacy.id
		10 |   cidr_ipv4         = var.environment_config.legacy_counterpart_vpc_cidr
		11 |   ip_protocol       = "icmp"
		12 |   from_port         = -1
		13 |   to_port           = -1
		14 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.icmp
	File: /sg_legacy.tf:16-22
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		16 | resource "aws_vpc_security_group_egress_rule" "icmp" {
		17 |   security_group_id = aws_security_group.legacy.id
		18 |   cidr_ipv4         = var.environment_config.legacy_counterpart_vpc_cidr
		19 |   ip_protocol       = "icmp"
		20 |   from_port         = -1
		21 |   to_port           = -1
		22 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.http_s
	File: /sg_shared.tf:8-16
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		8  | resource "aws_vpc_security_group_egress_rule" "http_s" {
		9  |   for_each = toset(["80", "443"])
		10 | 
		11 |   security_group_id = aws_security_group.mis_ec2_shared.id
		12 |   cidr_ipv4         = "0.0.0.0/0"
		13 |   ip_protocol       = "tcp"
		14 |   from_port         = each.key
		15 |   to_port           = each.key
		16 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.fleet_manager
	File: /sg_shared.tf:18-24
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		18 | resource "aws_vpc_security_group_egress_rule" "fleet_manager" {
		19 |   security_group_id = aws_security_group.mis_ec2_shared.id
		20 |   cidr_ipv4         = "0.0.0.0/0"
		21 |   ip_protocol       = "tcp"
		22 |   from_port         = 3389
		23 |   to_port           = 3389
		24 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_ingress_rule.fleet_manager
	File: /sg_shared.tf:26-32
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		26 | resource "aws_vpc_security_group_ingress_rule" "fleet_manager" {
		27 |   security_group_id = aws_security_group.mis_ec2_shared.id
		28 |   cidr_ipv4         = "0.0.0.0/0"
		29 |   ip_protocol       = "tcp"
		30 |   from_port         = 3389
		31 |   to_port           = 3389
		32 | }

Check: CKV_AWS_25: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389"
	FAILED for resource: aws_vpc_security_group_ingress_rule.fleet_manager
	File: /sg_shared.tf:26-32
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-2

		26 | resource "aws_vpc_security_group_ingress_rule" "fleet_manager" {
		27 |   security_group_id = aws_security_group.mis_ec2_shared.id
		28 |   cidr_ipv4         = "0.0.0.0/0"
		29 |   ip_protocol       = "tcp"
		30 |   from_port         = 3389
		31 |   to_port           = 3389
		32 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3_bucket_ssm_sessions
	File: /ssm.tf:4-16
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		4  | module "s3_bucket_ssm_sessions" {
		5  | 
		6  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0"
		7  | 
		8  |   bucket_prefix      = "${var.account_info.application_name}-${var.env_name}-ssm-sessions"
		9  |   versioning_enabled = false
		10 | 
		11 |   providers = {
		12 |     aws.bucket-replication = aws
		13 |   }
		14 | 
		15 |   tags = var.tags
		16 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: module.cloudwatch_alarms_disable.aws_lambda_function.disable_alarms
	File: /../../../../modules/disable_alarms_lambda/main.tf:8-25
	Calling File: /cloudwatch_disable.tf:1-7
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		8  | resource "aws_lambda_function" "disable_alarms" {
		9  |   filename         = "${path.module}/lambda/disable_alarms.zip"
		10 |   function_name    = var.lambda_function_name
		11 |   architectures    = ["arm64"]
		12 |   role             = aws_iam_role.lambda_exec.arn
		13 |   runtime          = "python3.12"
		14 |   handler          = "disable_alarms.lambda_handler"
		15 |   source_code_hash = data.archive_file.lambda_function_payload.output_base64sha256
		16 | 
		17 |   environment {
		18 |     variables = {
		19 |       LOG_LEVEL       = var.lambda_log_level
		20 |       SPECIFIC_ALARMS = tostring(join(",", var.alarm_list))
		21 |     }
		22 |   }
		23 | 
		24 |   tags = var.tags
		25 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: module.cloudwatch_alarms_disable.aws_lambda_function.disable_alarms
	File: /../../../../modules/disable_alarms_lambda/main.tf:8-25
	Calling File: /cloudwatch_disable.tf:1-7
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		8  | resource "aws_lambda_function" "disable_alarms" {
		9  |   filename         = "${path.module}/lambda/disable_alarms.zip"
		10 |   function_name    = var.lambda_function_name
		11 |   architectures    = ["arm64"]
		12 |   role             = aws_iam_role.lambda_exec.arn
		13 |   runtime          = "python3.12"
		14 |   handler          = "disable_alarms.lambda_handler"
		15 |   source_code_hash = data.archive_file.lambda_function_payload.output_base64sha256
		16 | 
		17 |   environment {
		18 |     variables = {
		19 |       LOG_LEVEL       = var.lambda_log_level
		20 |       SPECIFIC_ALARMS = tostring(join(",", var.alarm_list))
		21 |     }
		22 |   }
		23 | 
		24 |   tags = var.tags
		25 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: module.cloudwatch_alarms_disable.aws_lambda_function.disable_alarms
	File: /../../../../modules/disable_alarms_lambda/main.tf:8-25
	Calling File: /cloudwatch_disable.tf:1-7
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		8  | resource "aws_lambda_function" "disable_alarms" {
		9  |   filename         = "${path.module}/lambda/disable_alarms.zip"
		10 |   function_name    = var.lambda_function_name
		11 |   architectures    = ["arm64"]
		12 |   role             = aws_iam_role.lambda_exec.arn
		13 |   runtime          = "python3.12"
		14 |   handler          = "disable_alarms.lambda_handler"
		15 |   source_code_hash = data.archive_file.lambda_function_payload.output_base64sha256
		16 | 
		17 |   environment {
		18 |     variables = {
		19 |       LOG_LEVEL       = var.lambda_log_level
		20 |       SPECIFIC_ALARMS = tostring(join(",", var.alarm_list))
		21 |     }
		22 |   }
		23 | 
		24 |   tags = var.tags
		25 | }

Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
	FAILED for resource: module.cloudwatch_alarms_disable.aws_lambda_function.disable_alarms
	File: /../../../../modules/disable_alarms_lambda/main.tf:8-25
	Calling File: /cloudwatch_disable.tf:1-7
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1

		8  | resource "aws_lambda_function" "disable_alarms" {
		9  |   filename         = "${path.module}/lambda/disable_alarms.zip"
		10 |   function_name    = var.lambda_function_name
		11 |   architectures    = ["arm64"]
		12 |   role             = aws_iam_role.lambda_exec.arn
		13 |   runtime          = "python3.12"
		14 |   handler          = "disable_alarms.lambda_handler"
		15 |   source_code_hash = data.archive_file.lambda_function_payload.output_base64sha256
		16 | 
		17 |   environment {
		18 |     variables = {
		19 |       LOG_LEVEL       = var.lambda_log_level
		20 |       SPECIFIC_ALARMS = tostring(join(",", var.alarm_list))
		21 |     }
		22 |   }
		23 | 
		24 |   tags = var.tags
		25 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: module.cloudwatch_alarms_disable.aws_lambda_function.disable_alarms
	File: /../../../../modules/disable_alarms_lambda/main.tf:8-25
	Calling File: /cloudwatch_disable.tf:1-7
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		8  | resource "aws_lambda_function" "disable_alarms" {
		9  |   filename         = "${path.module}/lambda/disable_alarms.zip"
		10 |   function_name    = var.lambda_function_name
		11 |   architectures    = ["arm64"]
		12 |   role             = aws_iam_role.lambda_exec.arn
		13 |   runtime          = "python3.12"
		14 |   handler          = "disable_alarms.lambda_handler"
		15 |   source_code_hash = data.archive_file.lambda_function_payload.output_base64sha256
		16 | 
		17 |   environment {
		18 |     variables = {
		19 |       LOG_LEVEL       = var.lambda_log_level
		20 |       SPECIFIC_ALARMS = tostring(join(",", var.alarm_list))
		21 |     }
		22 |   }
		23 | 
		24 |   tags = var.tags
		25 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: module.cloudwatch_alarms_disable.aws_lambda_function.disable_alarms
	File: /../../../../modules/disable_alarms_lambda/main.tf:8-25
	Calling File: /cloudwatch_disable.tf:1-7
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		8  | resource "aws_lambda_function" "disable_alarms" {
		9  |   filename         = "${path.module}/lambda/disable_alarms.zip"
		10 |   function_name    = var.lambda_function_name
		11 |   architectures    = ["arm64"]
		12 |   role             = aws_iam_role.lambda_exec.arn
		13 |   runtime          = "python3.12"
		14 |   handler          = "disable_alarms.lambda_handler"
		15 |   source_code_hash = data.archive_file.lambda_function_payload.output_base64sha256
		16 | 
		17 |   environment {
		18 |     variables = {
		19 |       LOG_LEVEL       = var.lambda_log_level
		20 |       SPECIFIC_ALARMS = tostring(join(",", var.alarm_list))
		21 |     }
		22 |   }
		23 | 
		24 |   tags = var.tags
		25 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: module.cloudwatch_alarms_disable.aws_cloudwatch_log_group.execution_logs
	File: /../../../../modules/disable_alarms_lambda/main.tf:27-32
	Calling File: /cloudwatch_disable.tf:1-7
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		27 | resource "aws_cloudwatch_log_group" "execution_logs" {
		28 |   name              = format("/aws/lambda/%s", var.lambda_function_name)
		29 |   retention_in_days = 7
		30 | 
		31 |   tags = var.tags
		32 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: module.cloudwatch_alarms_disable.aws_cloudwatch_log_group.execution_logs
	File: /../../../../modules/disable_alarms_lambda/main.tf:27-32
	Calling File: /cloudwatch_disable.tf:1-7
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		27 | resource "aws_cloudwatch_log_group" "execution_logs" {
		28 |   name              = format("/aws/lambda/%s", var.lambda_function_name)
		29 |   retention_in_days = 7
		30 | 
		31 |   tags = var.tags
		32 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: module.cloudwatch_alarms_schedule.aws_lambda_function.alarm_scheduler
	File: /../../../../modules/schedule_alarms_lambda/main.tf:8-26
	Calling File: /alarm_scheduler.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		8  | resource "aws_lambda_function" "alarm_scheduler" {
		9  |   filename         = "${path.module}/lambda/alarm_scheduler.zip"
		10 |   function_name    = var.lambda_function_name
		11 |   architectures    = ["arm64"]
		12 |   role             = aws_iam_role.lambda_exec.arn
		13 |   runtime          = "python3.12"
		14 |   handler          = "alarm_scheduler.lambda_handler"
		15 |   source_code_hash = data.archive_file.lambda_function_payload.output_base64sha256
		16 |   timeout          = 10
		17 | 
		18 |   environment {
		19 |     variables = {
		20 |       LOG_LEVEL       = var.lambda_log_level
		21 |       SPECIFIC_ALARMS = tostring(join(",", var.alarm_list))
		22 |     }
		23 |   }
		24 | 
		25 |   tags = var.tags
		26 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: module.cloudwatch_alarms_schedule.aws_lambda_function.alarm_scheduler
	File: /../../../../modules/schedule_alarms_lambda/main.tf:8-26
	Calling File: /alarm_scheduler.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		8  | resource "aws_lambda_function" "alarm_scheduler" {
		9  |   filename         = "${path.module}/lambda/alarm_scheduler.zip"
		10 |   function_name    = var.lambda_function_name
		11 |   architectures    = ["arm64"]
		12 |   role             = aws_iam_role.lambda_exec.arn
		13 |   runtime          = "python3.12"
		14 |   handler          = "alarm_scheduler.lambda_handler"
		15 |   source_code_hash = data.archive_file.lambda_function_payload.output_base64sha256
		16 |   timeout          = 10
		17 | 
		18 |   environment {
		19 |     variables = {
		20 |       LOG_LEVEL       = var.lambda_log_level
		21 |       SPECIFIC_ALARMS = tostring(join(",", var.alarm_list))
		22 |     }
		23 |   }
		24 | 
		25 |   tags = var.tags
		26 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: module.cloudwatch_alarms_schedule.aws_lambda_function.alarm_scheduler
	File: /../../../../modules/schedule_alarms_lambda/main.tf:8-26
	Calling File: /alarm_scheduler.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		8  | resource "aws_lambda_function" "alarm_scheduler" {
		9  |   filename         = "${path.module}/lambda/alarm_scheduler.zip"
		10 |   function_name    = var.lambda_function_name
		11 |   architectures    = ["arm64"]
		12 |   role             = aws_iam_role.lambda_exec.arn
		13 |   runtime          = "python3.12"
		14 |   handler          = "alarm_scheduler.lambda_handler"
		15 |   source_code_hash = data.archive_file.lambda_function_payload.output_base64sha256
		16 |   timeout          = 10
		17 | 
		18 |   environment {
		19 |     variables = {
		20 |       LOG_LEVEL       = var.lambda_log_level
		21 |       SPECIFIC_ALARMS = tostring(join(",", var.alarm_list))
		22 |     }
		23 |   }
		24 | 
		25 |   tags = var.tags
		26 | }

Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
	FAILED for resource: module.cloudwatch_alarms_schedule.aws_lambda_function.alarm_scheduler
	File: /../../../../modules/schedule_alarms_lambda/main.tf:8-26
	Calling File: /alarm_scheduler.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1

		8  | resource "aws_lambda_function" "alarm_scheduler" {
		9  |   filename         = "${path.module}/lambda/alarm_scheduler.zip"
		10 |   function_name    = var.lambda_function_name
		11 |   architectures    = ["arm64"]
		12 |   role             = aws_iam_role.lambda_exec.arn
		13 |   runtime          = "python3.12"
		14 |   handler          = "alarm_scheduler.lambda_handler"
		15 |   source_code_hash = data.archive_file.lambda_function_payload.output_base64sha256
		16 |   timeout          = 10
		17 | 
		18 |   environment {
		19 |     variables = {
		20 |       LOG_LEVEL       = var.lambda_log_level
		21 |       SPECIFIC_ALARMS = tostring(join(",", var.alarm_list))
		22 |     }
		23 |   }
		24 | 
		25 |   tags = var.tags
		26 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: module.cloudwatch_alarms_schedule.aws_lambda_function.alarm_scheduler
	File: /../../../../modules/schedule_alarms_lambda/main.tf:8-26
	Calling File: /alarm_scheduler.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		8  | resource "aws_lambda_function" "alarm_scheduler" {
		9  |   filename         = "${path.module}/lambda/alarm_scheduler.zip"
		10 |   function_name    = var.lambda_function_name
		11 |   architectures    = ["arm64"]
		12 |   role             = aws_iam_role.lambda_exec.arn
		13 |   runtime          = "python3.12"
		14 |   handler          = "alarm_scheduler.lambda_handler"
		15 |   source_code_hash = data.archive_file.lambda_function_payload.output_base64sha256
		16 |   timeout          = 10
		17 | 
		18 |   environment {
		19 |     variables = {
		20 |       LOG_LEVEL       = var.lambda_log_level
		21 |       SPECIFIC_ALARMS = tostring(join(",", var.alarm_list))
		22 |     }
		23 |   }
		24 | 
		25 |   tags = var.tags
		26 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: module.cloudwatch_alarms_schedule.aws_lambda_function.alarm_scheduler
	File: /../../../../modules/schedule_alarms_lambda/main.tf:8-26
	Calling File: /alarm_scheduler.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		8  | resource "aws_lambda_function" "alarm_scheduler" {
		9  |   filename         = "${path.module}/lambda/alarm_scheduler.zip"
		10 |   function_name    = var.lambda_function_name
		11 |   architectures    = ["arm64"]
		12 |   role             = aws_iam_role.lambda_exec.arn
		13 |   runtime          = "python3.12"
		14 |   handler          = "alarm_scheduler.lambda_handler"
		15 |   source_code_hash = data.archive_file.lambda_function_payload.output_base64sha256
		16 |   timeout          = 10
		17 | 
		18 |   environment {
		19 |     variables = {
		20 |       LOG_LEVEL       = var.lambda_log_level
		21 |       SPECIFIC_ALARMS = tostring(join(",", var.alarm_list))
		22 |     }
		23 |   }
		24 | 
		25 |   tags = var.tags
		26 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: module.cloudwatch_alarms_schedule.aws_cloudwatch_log_group.execution_logs
	File: /../../../../modules/schedule_alarms_lambda/main.tf:28-33
	Calling File: /alarm_scheduler.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		28 | resource "aws_cloudwatch_log_group" "execution_logs" {
		29 |   name              = format("/aws/lambda/%s", var.lambda_function_name)
		30 |   retention_in_days = 7
		31 | 
		32 |   tags = var.tags
		33 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: module.cloudwatch_alarms_schedule.aws_cloudwatch_log_group.execution_logs
	File: /../../../../modules/schedule_alarms_lambda/main.tf:28-33
	Calling File: /alarm_scheduler.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		28 | resource "aws_cloudwatch_log_group" "execution_logs" {
		29 |   name              = format("/aws/lambda/%s", var.lambda_function_name)
		30 |   retention_in_days = 7
		31 | 
		32 |   tags = var.tags
		33 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: module.oracle_db_shared["mis-db"].aws_iam_policy_document.allow_access_to_ssm_parameter_store
	File: /../../../delius-core/modules/components/oracle_db_shared/iam.tf:90-99
	Calling File: /databases.tf:13-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		90 | data "aws_iam_policy_document" "allow_access_to_ssm_parameter_store" {
		91 |   statement {
		92 |     sid    = "AllowAccessToSsmParameterStore"
		93 |     effect = "Allow"
		94 |     actions = [
		95 |       "ssm:PutParameter"
		96 |     ]
		97 |     resources = ["*"]
		98 |   }
		99 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.oracle_db_shared["mis-db"].aws_iam_policy_document.allow_access_to_ssm_parameter_store
	File: /../../../delius-core/modules/components/oracle_db_shared/iam.tf:90-99
	Calling File: /databases.tf:13-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		90 | data "aws_iam_policy_document" "allow_access_to_ssm_parameter_store" {
		91 |   statement {
		92 |     sid    = "AllowAccessToSsmParameterStore"
		93 |     effect = "Allow"
		94 |     actions = [
		95 |       "ssm:PutParameter"
		96 |     ]
		97 |     resources = ["*"]
		98 |   }
		99 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: module.oracle_db_shared["mis-db"].aws_iam_policy_document.instance_ssm
	File: /../../../delius-core/modules/components/oracle_db_shared/iam.tf:170-220
	Calling File: /databases.tf:13-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.oracle_db_shared["mis-db"].aws_iam_policy_document.instance_ssm
	File: /../../../delius-core/modules/components/oracle_db_shared/iam.tf:170-220
	Calling File: /databases.tf:13-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_108: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: module.oracle_db_shared["mis-db"].aws_iam_policy_document.instance_ssm
	File: /../../../delius-core/modules/components/oracle_db_shared/iam.tf:170-220
	Calling File: /databases.tf:13-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-data-exfiltration

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.oracle_db_shared["mis-db"].s3_bucket_oracledb_backups
	File: /../../../delius-core/modules/components/oracle_db_shared/s3.tf:22-62
	Calling File: /databases.tf:13-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		22 | module "s3_bucket_oracledb_backups" {
		23 |   source              = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0"
		24 |   bucket_name         = local.oracle_backup_bucket_prefix
		25 |   versioning_enabled  = false
		26 |   ownership_controls  = "BucketOwnerEnforced"
		27 |   replication_enabled = false
		28 |   custom_kms_key      = var.account_config.kms_keys.general_shared
		29 |   bucket_policy = try([data.aws_iam_policy_document.s3_bucket_oracledb_backups[0].json], [
		30 |     "{}"
		31 |   ])
		32 | 
		33 |   providers = {
		34 |     aws.bucket-replication = aws.bucket-replication
		35 |   }
		36 | 
		37 |   lifecycle_rule = [
		38 |     {
		39 |       id      = "main"
		40 |       enabled = "Enabled"
		41 |       prefix  = ""
		42 | 
		43 |       tags = {
		44 |         rule      = "log"
		45 |         autoclean = "true"
		46 |       }
		47 | 
		48 |       transition = [
		49 |         {
		50 |           days          = 90
		51 |           storage_class = "STANDARD_IA"
		52 |         }
		53 |       ]
		54 | 
		55 |       expiration = {
		56 |         days = 365
		57 |       }
		58 |     }
		59 |   ]
		60 | 
		61 |   tags = var.tags
		62 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.oracle_db_shared["mis-db"].s3_bucket_oracle_statistics
	File: /../../../delius-core/modules/components/oracle_db_shared/s3.tf:334-375
	Calling File: /databases.tf:13-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		334 | module "s3_bucket_oracle_statistics" {
		335 |   count = var.deploy_oracle_stats ? 1 : 0
		336 | 
		337 |   source              = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0"
		338 |   bucket_name         = "${var.account_info.application_name}-${var.env_name}-oracle-${var.db_suffix}-statistics-backup-data"
		339 |   versioning_enabled  = false
		340 |   ownership_controls  = "BucketOwnerEnforced"
		341 |   replication_enabled = false
		342 |   custom_kms_key      = var.account_config.kms_keys.general_shared
		343 |   bucket_policy = try([data.aws_iam_policy_document.s3_bucket_oracle_statistics[0].json], [
		344 |     "{}"
		345 |   ])
		346 |   providers = {
		347 |     aws.bucket-replication = aws.bucket-replication
		348 |   }
		349 | 
		350 |   lifecycle_rule = [
		351 |     {
		352 |       id      = "main"
		353 |       enabled = "Enabled"
		354 |       prefix  = ""
		355 | 
		356 |       tags = {
		357 |         rule      = "log"
		358 |         autoclean = "true"
		359 |       }
		360 | 
		361 |       transition = [
		362 |         {
		363 |           days          = 90
		364 |           storage_class = "STANDARD_IA"
		365 |         }
		366 |       ]
		367 | 
		368 |       expiration = {
		369 |         days = 365
		370 |       }
		371 |     }
		372 |   ]
		373 | 
		374 |   tags = var.tags
		375 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.oracle_db_shared["mis-db"].aws_iam_policy_document.database_dba_passwords
	File: /../../../delius-core/modules/components/oracle_db_shared/secrets.tf:15-26
	Calling File: /databases.tf:13-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		15 | data "aws_iam_policy_document" "database_dba_passwords" {
		16 |   statement {
		17 |     sid    = "OemAWSAccountToReadTheSecret"
		18 |     effect = "Allow"
		19 |     principals {
		20 |       type        = "AWS"
		21 |       identifiers = ["arn:aws:iam::${local.oem_account_id}:role/EC2OracleEnterpriseManagementSecretsRole"]
		22 |     }
		23 |     actions   = ["secretsmanager:GetSecretValue"]
		24 |     resources = ["*"]
		25 |   }
		26 | }

Check: CKV_AWS_108: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: module.oracle_db_shared["mis-db"].aws_iam_policy_document.database_dba_passwords
	File: /../../../delius-core/modules/components/oracle_db_shared/secrets.tf:15-26
	Calling File: /databases.tf:13-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-data-exfiltration

		15 | data "aws_iam_policy_document" "database_dba_passwords" {
		16 |   statement {
		17 |     sid    = "OemAWSAccountToReadTheSecret"
		18 |     effect = "Allow"
		19 |     principals {
		20 |       type        = "AWS"
		21 |       identifiers = ["arn:aws:iam::${local.oem_account_id}:role/EC2OracleEnterpriseManagementSecretsRole"]
		22 |     }
		23 |     actions   = ["secretsmanager:GetSecretValue"]
		24 |     resources = ["*"]
		25 |   }
		26 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: module.oracle_db_shared["mis-db"].aws_vpc_security_group_ingress_rule.delius_db_security_group_ssh_ingress_bastion
	File: /../../../delius-core/modules/components/oracle_db_shared/sg.tf:76-83
	Calling File: /databases.tf:13-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		76 | resource "aws_vpc_security_group_ingress_rule" "delius_db_security_group_ssh_ingress_bastion" {
		77 |   security_group_id            = aws_security_group.db_ec2.id
		78 |   description                  = "bastion to testing db"
		79 |   from_port                    = 22
		80 |   to_port                      = 22
		81 |   ip_protocol                  = "tcp"
		82 |   referenced_security_group_id = var.bastion_sg_id
		83 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: module.oracle_db_shared["mis-db"].aws_vpc_security_group_ingress_rule.delius_db_oem_db
	File: /../../../delius-core/modules/components/oracle_db_shared/sg.tf:85-91
	Calling File: /databases.tf:13-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		85 | resource "aws_vpc_security_group_ingress_rule" "delius_db_oem_db" {
		86 |   ip_protocol       = "tcp"
		87 |   from_port         = local.db_port
		88 |   to_port           = local.db_tcps_port
		89 |   cidr_ipv4         = var.account_config.shared_vpc_cidr
		90 |   security_group_id = aws_security_group.db_ec2.id
		91 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: module.oracle_db_shared["mis-db"].aws_vpc_security_group_ingress_rule.delius_db_oem_agent
	File: /../../../delius-core/modules/components/oracle_db_shared/sg.tf:105-111
	Calling File: /databases.tf:13-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		105 | resource "aws_vpc_security_group_ingress_rule" "delius_db_oem_agent" {
		106 |   ip_protocol       = "tcp"
		107 |   from_port         = 3872
		108 |   to_port           = 3872
		109 |   cidr_ipv4         = var.account_config.shared_vpc_cidr
		110 |   security_group_id = aws_security_group.db_ec2.id
		111 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: module.oracle_db_shared["mis-db"].aws_vpc_security_group_egress_rule.delius_db_oem_upload
	File: /../../../delius-core/modules/components/oracle_db_shared/sg.tf:113-119
	Calling File: /databases.tf:13-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		113 | resource "aws_vpc_security_group_egress_rule" "delius_db_oem_upload" {
		114 |   ip_protocol       = "tcp"
		115 |   from_port         = 4903
		116 |   to_port           = 4903
		117 |   cidr_ipv4         = var.account_config.shared_vpc_cidr
		118 |   security_group_id = aws_security_group.db_ec2.id
		119 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: module.oracle_db_shared["mis-db"].aws_vpc_security_group_egress_rule.delius_db_oem_console
	File: /../../../delius-core/modules/components/oracle_db_shared/sg.tf:121-128
	Calling File: /databases.tf:13-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		121 | resource "aws_vpc_security_group_egress_rule" "delius_db_oem_console" {
		122 |   ip_protocol = "tcp"
		123 |   from_port   = 7803
		124 |   to_port     = 7803
		125 |   cidr_ipv4   = var.account_config.shared_vpc_cidr
		126 | 
		127 |   security_group_id = aws_security_group.db_ec2.id
		128 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.oracle_db_shared["mis-db"].s3_bucket_ssh_keys
	File: /../../../delius-core/modules/components/oracle_db_shared/ssh_keys.tf:2-45
	Calling File: /databases.tf:13-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		2  | module "s3_bucket_ssh_keys" {
		3  | 
		4  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0"
		5  | 
		6  |   bucket_name = "${var.account_info.application_name}-${var.env_name}-oracle-${var.db_suffix}-ssh-keys"
		7  | 
		8  |   versioning_enabled  = false
		9  |   ownership_controls  = "BucketOwnerEnforced"
		10 |   replication_enabled = false
		11 |   custom_kms_key      = var.account_config.kms_keys.general_shared
		12 | 
		13 |   providers = {
		14 |     aws.bucket-replication = aws.bucket-replication
		15 |   }
		16 | 
		17 |   lifecycle_rule = [
		18 |     {
		19 |       id      = "main"
		20 |       enabled = "Enabled"
		21 |       prefix  = ""
		22 | 
		23 |       tags = {
		24 |         rule      = "log"
		25 |         autoclean = "true"
		26 |       }
		27 | 
		28 |       noncurrent_version_transition = [
		29 |         {
		30 |           days          = 90
		31 |           storage_class = "STANDARD_IA"
		32 |           }, {
		33 |           days          = 365
		34 |           storage_class = "GLACIER"
		35 |         }
		36 |       ]
		37 | 
		38 |       noncurrent_version_expiration = {
		39 |         days = 730
		40 |       }
		41 |     }
		42 |   ]
		43 | 
		44 |   tags = var.tags
		45 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: module.oracle_db_shared["mis-db"].aws_ssm_parameter.rman_password
	File: /../../../delius-core/modules/components/oracle_db_shared/ssm.tf:1-10
	Calling File: /databases.tf:13-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		1  | resource "aws_ssm_parameter" "rman_password" {
		2  |   name  = "/${var.account_info.application_name}-${var.env_name}/delius/oracle-${var.db_suffix}-operation/rman/rman_password"
		3  |   type  = "SecureString"
		4  |   value = "REPLACE"
		5  |   lifecycle {
		6  |     ignore_changes = [
		7  |       value,
		8  |     ]
		9  |   }
		10 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: module.oracle_db_shared["dsd-db"].aws_iam_policy_document.allow_access_to_ssm_parameter_store
	File: /../../../delius-core/modules/components/oracle_db_shared/iam.tf:90-99
	Calling File: /databases.tf:13-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		90 | data "aws_iam_policy_document" "allow_access_to_ssm_parameter_store" {
		91 |   statement {
		92 |     sid    = "AllowAccessToSsmParameterStore"
		93 |     effect = "Allow"
		94 |     actions = [
		95 |       "ssm:PutParameter"
		96 |     ]
		97 |     resources = ["*"]
		98 |   }
		99 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.oracle_db_shared["dsd-db"].aws_iam_policy_document.allow_access_to_ssm_parameter_store
	File: /../../../delius-core/modules/components/oracle_db_shared/iam.tf:90-99
	Calling File: /databases.tf:13-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		90 | data "aws_iam_policy_document" "allow_access_to_ssm_parameter_store" {
		91 |   statement {
		92 |     sid    = "AllowAccessToSsmParameterStore"
		93 |     effect = "Allow"
		94 |     actions = [
		95 |       "ssm:PutParameter"
		96 |     ]
		97 |     resources = ["*"]
		98 |   }
		99 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: module.oracle_db_shared["dsd-db"].aws_iam_policy_document.instance_ssm
	File: /../../../delius-core/modules/components/oracle_db_shared/iam.tf:170-220
	Calling File: /databases.tf:13-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.oracle_db_shared["dsd-db"].aws_iam_policy_document.instance_ssm
	File: /../../../delius-core/modules/components/oracle_db_shared/iam.tf:170-220
	Calling File: /databases.tf:13-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_108: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: module.oracle_db_shared["dsd-db"].aws_iam_policy_document.instance_ssm
	File: /../../../delius-core/modules/components/oracle_db_shared/iam.tf:170-220
	Calling File: /databases.tf:13-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-data-exfiltration

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.oracle_db_shared["dsd-db"].s3_bucket_oracledb_backups
	File: /../../../delius-core/modules/components/oracle_db_shared/s3.tf:22-62
	Calling File: /databases.tf:13-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		22 | module "s3_bucket_oracledb_backups" {
		23 |   source              = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0"
		24 |   bucket_name         = local.oracle_backup_bucket_prefix
		25 |   versioning_enabled  = false
		26 |   ownership_controls  = "BucketOwnerEnforced"
		27 |   replication_enabled = false
		28 |   custom_kms_key      = var.account_config.kms_keys.general_shared
		29 |   bucket_policy = try([data.aws_iam_policy_document.s3_bucket_oracledb_backups[0].json], [
		30 |     "{}"
		31 |   ])
		32 | 
		33 |   providers = {
		34 |     aws.bucket-replication = aws.bucket-replication
		35 |   }
		36 | 
		37 |   lifecycle_rule = [
		38 |     {
		39 |       id      = "main"
		40 |       enabled = "Enabled"
		41 |       prefix  = ""
		42 | 
		43 |       tags = {
		44 |         rule      = "log"
		45 |         autoclean = "true"
		46 |       }
		47 | 
		48 |       transition = [
		49 |         {
		50 |           days          = 90
		51 |           storage_class = "STANDARD_IA"
		52 |         }
		53 |       ]
		54 | 
		55 |       expiration = {
		56 |         days = 365
		57 |       }
		58 |     }
		59 |   ]
		60 | 
		61 |   tags = var.tags
		62 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.oracle_db_shared["dsd-db"].s3_bucket_oracle_statistics
	File: /../../../delius-core/modules/components/oracle_db_shared/s3.tf:334-375
	Calling File: /databases.tf:13-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		334 | module "s3_bucket_oracle_statistics" {
		335 |   count = var.deploy_oracle_stats ? 1 : 0
		336 | 
		337 |   source              = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0"
		338 |   bucket_name         = "${var.account_info.application_name}-${var.env_name}-oracle-${var.db_suffix}-statistics-backup-data"
		339 |   versioning_enabled  = false
		340 |   ownership_controls  = "BucketOwnerEnforced"
		341 |   replication_enabled = false
		342 |   custom_kms_key      = var.account_config.kms_keys.general_shared
		343 |   bucket_policy = try([data.aws_iam_policy_document.s3_bucket_oracle_statistics[0].json], [
		344 |     "{}"
		345 |   ])
		346 |   providers = {
		347 |     aws.bucket-replication = aws.bucket-replication
		348 |   }
		349 | 
		350 |   lifecycle_rule = [
		351 |     {
		352 |       id      = "main"
		353 |       enabled = "Enabled"
		354 |       prefix  = ""
		355 | 
		356 |       tags = {
		357 |         rule      = "log"
		358 |         autoclean = "true"
		359 |       }
		360 | 
		361 |       transition = [
		362 |         {
		363 |           days          = 90
		364 |           storage_class = "STANDARD_IA"
		365 |         }
		366 |       ]
		367 | 
		368 |       expiration = {
		369 |         days = 365
		370 |       }
		371 |     }
		372 |   ]
		373 | 
		374 |   tags = var.tags
		375 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.oracle_db_shared["dsd-db"].aws_iam_policy_document.database_dba_passwords
	File: /../../../delius-core/modules/components/oracle_db_shared/secrets.tf:15-26
	Calling File: /databases.tf:13-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		15 | data "aws_iam_policy_document" "database_dba_passwords" {
		16 |   statement {
		17 |     sid    = "OemAWSAccountToReadTheSecret"
		18 |     effect = "Allow"
		19 |     principals {
		20 |       type        = "AWS"
		21 |       identifiers = ["arn:aws:iam::${local.oem_account_id}:role/EC2OracleEnterpriseManagementSecretsRole"]
		22 |     }
		23 |     actions   = ["secretsmanager:GetSecretValue"]
		24 |     resources = ["*"]
		25 |   }
		26 | }

Check: CKV_AWS_108: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: module.oracle_db_shared["dsd-db"].aws_iam_policy_document.database_dba_passwords
	File: /../../../delius-core/modules/components/oracle_db_shared/secrets.tf:15-26
	Calling File: /databases.tf:13-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-data-exfiltration

		15 | data "aws_iam_policy_document" "database_dba_passwords" {
		16 |   statement {
		17 |     sid    = "OemAWSAccountToReadTheSecret"
		18 |     effect = "Allow"
		19 |     principals {
		20 |       type        = "AWS"
		21 |       identifiers = ["arn:aws:iam::${local.oem_account_id}:role/EC2OracleEnterpriseManagementSecretsRole"]
		22 |     }
		23 |     actions   = ["secretsmanager:GetSecretValue"]
		24 |     resources = ["*"]
		25 |   }
		26 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: module.oracle_db_shared["dsd-db"].aws_vpc_security_group_ingress_rule.delius_db_security_group_ssh_ingress_bastion
	File: /../../../delius-core/modules/components/oracle_db_shared/sg.tf:76-83
	Calling File: /databases.tf:13-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		76 | resource "aws_vpc_security_group_ingress_rule" "delius_db_security_group_ssh_ingress_bastion" {
		77 |   security_group_id            = aws_security_group.db_ec2.id
		78 |   description                  = "bastion to testing db"
		79 |   from_port                    = 22
		80 |   to_port                      = 22
		81 |   ip_protocol                  = "tcp"
		82 |   referenced_security_group_id = var.bastion_sg_id
		83 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: module.oracle_db_shared["dsd-db"].aws_vpc_security_group_ingress_rule.delius_db_oem_db
	File: /../../../delius-core/modules/components/oracle_db_shared/sg.tf:85-91
	Calling File: /databases.tf:13-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		85 | resource "aws_vpc_security_group_ingress_rule" "delius_db_oem_db" {
		86 |   ip_protocol       = "tcp"
		87 |   from_port         = local.db_port
		88 |   to_port           = local.db_tcps_port
		89 |   cidr_ipv4         = var.account_config.shared_vpc_cidr
		90 |   security_group_id = aws_security_group.db_ec2.id
		91 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: module.oracle_db_shared["dsd-db"].aws_vpc_security_group_ingress_rule.delius_db_oem_agent
	File: /../../../delius-core/modules/components/oracle_db_shared/sg.tf:105-111
	Calling File: /databases.tf:13-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		105 | resource "aws_vpc_security_group_ingress_rule" "delius_db_oem_agent" {
		106 |   ip_protocol       = "tcp"
		107 |   from_port         = 3872
		108 |   to_port           = 3872
		109 |   cidr_ipv4         = var.account_config.shared_vpc_cidr
		110 |   security_group_id = aws_security_group.db_ec2.id
		111 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: module.oracle_db_shared["dsd-db"].aws_vpc_security_group_egress_rule.delius_db_oem_upload
	File: /../../../delius-core/modules/components/oracle_db_shared/sg.tf:113-119
	Calling File: /databases.tf:13-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		113 | resource "aws_vpc_security_group_egress_rule" "delius_db_oem_upload" {
		114 |   ip_protocol       = "tcp"
		115 |   from_port         = 4903
		116 |   to_port           = 4903
		117 |   cidr_ipv4         = var.account_config.shared_vpc_cidr
		118 |   security_group_id = aws_security_group.db_ec2.id
		119 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: module.oracle_db_shared["dsd-db"].aws_vpc_security_group_egress_rule.delius_db_oem_console
	File: /../../../delius-core/modules/components/oracle_db_shared/sg.tf:121-128
	Calling File: /databases.tf:13-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		121 | resource "aws_vpc_security_group_egress_rule" "delius_db_oem_console" {
		122 |   ip_protocol = "tcp"
		123 |   from_port   = 7803
		124 |   to_port     = 7803
		125 |   cidr_ipv4   = var.account_config.shared_vpc_cidr
		126 | 
		127 |   security_group_id = aws_security_group.db_ec2.id
		128 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.oracle_db_shared["dsd-db"].s3_bucket_ssh_keys
	File: /../../../delius-core/modules/components/oracle_db_shared/ssh_keys.tf:2-45
	Calling File: /databases.tf:13-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		2  | module "s3_bucket_ssh_keys" {
		3  | 
		4  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0"
		5  | 
		6  |   bucket_name = "${var.account_info.application_name}-${var.env_name}-oracle-${var.db_suffix}-ssh-keys"
		7  | 
		8  |   versioning_enabled  = false
		9  |   ownership_controls  = "BucketOwnerEnforced"
		10 |   replication_enabled = false
		11 |   custom_kms_key      = var.account_config.kms_keys.general_shared
		12 | 
		13 |   providers = {
		14 |     aws.bucket-replication = aws.bucket-replication
		15 |   }
		16 | 
		17 |   lifecycle_rule = [
		18 |     {
		19 |       id      = "main"
		20 |       enabled = "Enabled"
		21 |       prefix  = ""
		22 | 
		23 |       tags = {
		24 |         rule      = "log"
		25 |         autoclean = "true"
		26 |       }
		27 | 
		28 |       noncurrent_version_transition = [
		29 |         {
		30 |           days          = 90
		31 |           storage_class = "STANDARD_IA"
		32 |           }, {
		33 |           days          = 365
		34 |           storage_class = "GLACIER"
		35 |         }
		36 |       ]
		37 | 
		38 |       noncurrent_version_expiration = {
		39 |         days = 730
		40 |       }
		41 |     }
		42 |   ]
		43 | 
		44 |   tags = var.tags
		45 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: module.oracle_db_shared["dsd-db"].aws_ssm_parameter.rman_password
	File: /../../../delius-core/modules/components/oracle_db_shared/ssm.tf:1-10
	Calling File: /databases.tf:13-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		1  | resource "aws_ssm_parameter" "rman_password" {
		2  |   name  = "/${var.account_info.application_name}-${var.env_name}/delius/oracle-${var.db_suffix}-operation/rman/rman_password"
		3  |   type  = "SecureString"
		4  |   value = "REPLACE"
		5  |   lifecycle {
		6  |     ignore_changes = [
		7  |       value,
		8  |     ]
		9  |   }
		10 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.oracle_db_shared["boe-db"].aws_s3_bucket.s3_bucket_oracledb_backups_inventory
	File: /../../../delius-core/modules/components/oracle_db_shared/s3.tf:188-200
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		188 | resource "aws_s3_bucket" "s3_bucket_oracledb_backups_inventory" {
		189 | 
		190 |   bucket = "${local.oracle_backup_bucket_prefix}-inventory"
		191 |   tags = merge(
		192 |     var.tags,
		193 |     {
		194 |       "Name" = "${local.oracle_backup_bucket_prefix}-inventory"
		195 |     },
		196 |     {
		197 |       "Purpose" = "Inventory of Oracle DB Backup Pieces"
		198 |     },
		199 |   )
		200 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.oracle_db_shared["mis-db"].aws_s3_bucket.s3_bucket_oracledb_backups_inventory
	File: /../../../delius-core/modules/components/oracle_db_shared/s3.tf:188-200
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		188 | resource "aws_s3_bucket" "s3_bucket_oracledb_backups_inventory" {
		189 | 
		190 |   bucket = "${local.oracle_backup_bucket_prefix}-inventory"
		191 |   tags = merge(
		192 |     var.tags,
		193 |     {
		194 |       "Name" = "${local.oracle_backup_bucket_prefix}-inventory"
		195 |     },
		196 |     {
		197 |       "Purpose" = "Inventory of Oracle DB Backup Pieces"
		198 |     },
		199 |   )
		200 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.oracle_db_shared["dsd-db"].aws_s3_bucket.s3_bucket_oracledb_backups_inventory
	File: /../../../delius-core/modules/components/oracle_db_shared/s3.tf:188-200
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		188 | resource "aws_s3_bucket" "s3_bucket_oracledb_backups_inventory" {
		189 | 
		190 |   bucket = "${local.oracle_backup_bucket_prefix}-inventory"
		191 |   tags = merge(
		192 |     var.tags,
		193 |     {
		194 |       "Name" = "${local.oracle_backup_bucket_prefix}-inventory"
		195 |     },
		196 |     {
		197 |       "Purpose" = "Inventory of Oracle DB Backup Pieces"
		198 |     },
		199 |   )
		200 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: module.oracle_db_shared["boe-db"].aws_security_group.db_ec2
	File: /../../../delius-core/modules/components/oracle_db_shared/sg.tf:1-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		1  | resource "aws_security_group" "db_ec2" {
		2  |   name        = "${var.account_info.application_name}-${var.env_name}-${var.db_suffix}-ec2-instance-sg"
		3  |   description = "Controls access to db ec2 instance"
		4  |   vpc_id      = var.account_config.shared_vpc_id
		5  |   tags = merge(var.tags,
		6  |     { Name = "${var.account_info.application_name}-${var.env_name}-${var.db_suffix}-ec2-instance-sg" }
		7  |   )
		8  |   lifecycle {
		9  |     create_before_destroy = true
		10 |   }
		11 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.bcs
	File: /bcs.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		1 | resource "aws_security_group" "bcs" {
		2 |   name_prefix = "${var.env_name}-bcs"
		3 |   vpc_id      = var.account_info.vpc_id
		4 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.bps
	File: /bps.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		1 | resource "aws_security_group" "bps" {
		2 |   name_prefix = "${var.env_name}-bps"
		3 |   vpc_id      = var.account_info.vpc_id
		4 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.bws
	File: /bws.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		1 | resource "aws_security_group" "bws" {
		2 |   name_prefix = "${var.env_name}-bws"
		3 |   vpc_id      = var.account_info.vpc_id
		4 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.dis
	File: /dis.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		1 | resource "aws_security_group" "dis" {
		2 |   name_prefix = "${var.env_name}-dis"
		3 |   vpc_id      = var.account_info.vpc_id
		4 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.fsx
	File: /fsx.tf:22-26
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		22 | resource "aws_security_group" "fsx" {
		23 |   name        = "${var.app_name}-${var.env_name}-fsx"
		24 |   description = "Security group for FSx"
		25 |   vpc_id      = var.account_info.vpc_id
		26 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.legacy
	File: /sg_legacy.tf:1-6
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		1 | resource "aws_security_group" "legacy" {
		2 |   name        = "${var.env_name}-allow-legacy-traffic"
		3 |   description = "Security group to allow connectivity with resources in legacy environments. To be removed once all components have been migrated"
		4 |   vpc_id      = var.account_info.vpc_id
		5 |   tags        = var.tags
		6 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.mis_ec2_shared
	File: /sg_shared.tf:1-6
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		1 | resource "aws_security_group" "mis_ec2_shared" {
		2 |   name        = "${var.env_name}-mis-ec2-shared"
		3 |   description = "Security group to allow connectivity within MP"
		4 |   vpc_id      = var.account_info.vpc_id
		5 |   tags        = var.tags
		6 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: module.oracle_db_shared["mis-db"].aws_security_group.db_ec2
	File: /../../../delius-core/modules/components/oracle_db_shared/sg.tf:1-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		1  | resource "aws_security_group" "db_ec2" {
		2  |   name        = "${var.account_info.application_name}-${var.env_name}-${var.db_suffix}-ec2-instance-sg"
		3  |   description = "Controls access to db ec2 instance"
		4  |   vpc_id      = var.account_config.shared_vpc_id
		5  |   tags = merge(var.tags,
		6  |     { Name = "${var.account_info.application_name}-${var.env_name}-${var.db_suffix}-ec2-instance-sg" }
		7  |   )
		8  |   lifecycle {
		9  |     create_before_destroy = true
		10 |   }
		11 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: module.oracle_db_shared["dsd-db"].aws_security_group.db_ec2
	File: /../../../delius-core/modules/components/oracle_db_shared/sg.tf:1-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		1  | resource "aws_security_group" "db_ec2" {
		2  |   name        = "${var.account_info.application_name}-${var.env_name}-${var.db_suffix}-ec2-instance-sg"
		3  |   description = "Controls access to db ec2 instance"
		4  |   vpc_id      = var.account_config.shared_vpc_id
		5  |   tags = merge(var.tags,
		6  |     { Name = "${var.account_info.application_name}-${var.env_name}-${var.db_suffix}-ec2-instance-sg" }
		7  |   )
		8  |   lifecycle {
		9  |     create_before_destroy = true
		10 |   }
		11 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: module.oracle_db_shared["boe-db"].aws_s3_bucket.s3_bucket_oracledb_backups_inventory
	File: /../../../delius-core/modules/components/oracle_db_shared/s3.tf:188-200
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		188 | resource "aws_s3_bucket" "s3_bucket_oracledb_backups_inventory" {
		189 | 
		190 |   bucket = "${local.oracle_backup_bucket_prefix}-inventory"
		191 |   tags = merge(
		192 |     var.tags,
		193 |     {
		194 |       "Name" = "${local.oracle_backup_bucket_prefix}-inventory"
		195 |     },
		196 |     {
		197 |       "Purpose" = "Inventory of Oracle DB Backup Pieces"
		198 |     },
		199 |   )
		200 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: module.oracle_db_shared["mis-db"].aws_s3_bucket.s3_bucket_oracledb_backups_inventory
	File: /../../../delius-core/modules/components/oracle_db_shared/s3.tf:188-200
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		188 | resource "aws_s3_bucket" "s3_bucket_oracledb_backups_inventory" {
		189 | 
		190 |   bucket = "${local.oracle_backup_bucket_prefix}-inventory"
		191 |   tags = merge(
		192 |     var.tags,
		193 |     {
		194 |       "Name" = "${local.oracle_backup_bucket_prefix}-inventory"
		195 |     },
		196 |     {
		197 |       "Purpose" = "Inventory of Oracle DB Backup Pieces"
		198 |     },
		199 |   )
		200 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: module.oracle_db_shared["dsd-db"].aws_s3_bucket.s3_bucket_oracledb_backups_inventory
	File: /../../../delius-core/modules/components/oracle_db_shared/s3.tf:188-200
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		188 | resource "aws_s3_bucket" "s3_bucket_oracledb_backups_inventory" {
		189 | 
		190 |   bucket = "${local.oracle_backup_bucket_prefix}-inventory"
		191 |   tags = merge(
		192 |     var.tags,
		193 |     {
		194 |       "Name" = "${local.oracle_backup_bucket_prefix}-inventory"
		195 |     },
		196 |     {
		197 |       "Purpose" = "Inventory of Oracle DB Backup Pieces"
		198 |     },
		199 |   )
		200 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.oracle_db_shared["boe-db"].aws_s3_bucket.s3_bucket_oracledb_backups_inventory
	File: /../../../delius-core/modules/components/oracle_db_shared/s3.tf:188-200
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		188 | resource "aws_s3_bucket" "s3_bucket_oracledb_backups_inventory" {
		189 | 
		190 |   bucket = "${local.oracle_backup_bucket_prefix}-inventory"
		191 |   tags = merge(
		192 |     var.tags,
		193 |     {
		194 |       "Name" = "${local.oracle_backup_bucket_prefix}-inventory"
		195 |     },
		196 |     {
		197 |       "Purpose" = "Inventory of Oracle DB Backup Pieces"
		198 |     },
		199 |   )
		200 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.oracle_db_shared["mis-db"].aws_s3_bucket.s3_bucket_oracledb_backups_inventory
	File: /../../../delius-core/modules/components/oracle_db_shared/s3.tf:188-200
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		188 | resource "aws_s3_bucket" "s3_bucket_oracledb_backups_inventory" {
		189 | 
		190 |   bucket = "${local.oracle_backup_bucket_prefix}-inventory"
		191 |   tags = merge(
		192 |     var.tags,
		193 |     {
		194 |       "Name" = "${local.oracle_backup_bucket_prefix}-inventory"
		195 |     },
		196 |     {
		197 |       "Purpose" = "Inventory of Oracle DB Backup Pieces"
		198 |     },
		199 |   )
		200 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.oracle_db_shared["dsd-db"].aws_s3_bucket.s3_bucket_oracledb_backups_inventory
	File: /../../../delius-core/modules/components/oracle_db_shared/s3.tf:188-200
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		188 | resource "aws_s3_bucket" "s3_bucket_oracledb_backups_inventory" {
		189 | 
		190 |   bucket = "${local.oracle_backup_bucket_prefix}-inventory"
		191 |   tags = merge(
		192 |     var.tags,
		193 |     {
		194 |       "Name" = "${local.oracle_backup_bucket_prefix}-inventory"
		195 |     },
		196 |     {
		197 |       "Purpose" = "Inventory of Oracle DB Backup Pieces"
		198 |     },
		199 |   )
		200 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.oracle_db_shared["boe-db"].aws_s3_bucket.s3_bucket_oracledb_backups_inventory
	File: /../../../delius-core/modules/components/oracle_db_shared/s3.tf:188-200
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		188 | resource "aws_s3_bucket" "s3_bucket_oracledb_backups_inventory" {
		189 | 
		190 |   bucket = "${local.oracle_backup_bucket_prefix}-inventory"
		191 |   tags = merge(
		192 |     var.tags,
		193 |     {
		194 |       "Name" = "${local.oracle_backup_bucket_prefix}-inventory"
		195 |     },
		196 |     {
		197 |       "Purpose" = "Inventory of Oracle DB Backup Pieces"
		198 |     },
		199 |   )
		200 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.oracle_db_shared["mis-db"].aws_s3_bucket.s3_bucket_oracledb_backups_inventory
	File: /../../../delius-core/modules/components/oracle_db_shared/s3.tf:188-200
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		188 | resource "aws_s3_bucket" "s3_bucket_oracledb_backups_inventory" {
		189 | 
		190 |   bucket = "${local.oracle_backup_bucket_prefix}-inventory"
		191 |   tags = merge(
		192 |     var.tags,
		193 |     {
		194 |       "Name" = "${local.oracle_backup_bucket_prefix}-inventory"
		195 |     },
		196 |     {
		197 |       "Purpose" = "Inventory of Oracle DB Backup Pieces"
		198 |     },
		199 |   )
		200 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.oracle_db_shared["dsd-db"].aws_s3_bucket.s3_bucket_oracledb_backups_inventory
	File: /../../../delius-core/modules/components/oracle_db_shared/s3.tf:188-200
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		188 | resource "aws_s3_bucket" "s3_bucket_oracledb_backups_inventory" {
		189 | 
		190 |   bucket = "${local.oracle_backup_bucket_prefix}-inventory"
		191 |   tags = merge(
		192 |     var.tags,
		193 |     {
		194 |       "Name" = "${local.oracle_backup_bucket_prefix}-inventory"
		195 |     },
		196 |     {
		197 |       "Purpose" = "Inventory of Oracle DB Backup Pieces"
		198 |     },
		199 |   )
		200 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: module.oracle_db_shared["boe-db"].aws_secretsmanager_secret.database_dba_passwords
	File: /../../../delius-core/modules/components/oracle_db_shared/secrets.tf:3-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		3 | resource "aws_secretsmanager_secret" "database_dba_passwords" {
		4 |   name        = local.dba_secret_name
		5 |   description = "DBA Users Credentials"
		6 |   kms_key_id  = var.account_config.kms_keys.general_shared
		7 |   tags        = var.tags
		8 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: module.oracle_db_shared["boe-db"].aws_secretsmanager_secret.database_application_passwords
	File: /../../../delius-core/modules/components/oracle_db_shared/secrets.tf:34-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		34 | resource "aws_secretsmanager_secret" "database_application_passwords" {
		35 |   name        = local.application_secret_name
		36 |   description = "Application Users Credentials"
		37 |   kms_key_id  = var.account_config.kms_keys.general_shared
		38 |   tags        = var.tags
		39 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.ad_admin_password
	File: /directory_service.tf:29-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		29 | resource "aws_secretsmanager_secret" "ad_admin_password" {
		30 |   name                    = "${var.app_name}-${var.env_name}-ad-admin-password"
		31 |   recovery_window_in_days = 0
		32 | 
		33 |   tags = merge(
		34 |     var.tags,
		35 |     {
		36 |       Name = "${var.app_name}-${var.env_name}-ad-admin-password"
		37 |     }
		38 |   )
		39 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.ad_username
	File: /secrets.tf:3-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		3 | resource "aws_secretsmanager_secret" "ad_username" {
		4 |   #checkov:skip=CKV_AWS_149
		5 |   name                    = "${var.env_name}-legacy-ad-username"
		6 |   recovery_window_in_days = 0
		7 | 
		8 |   tags = var.tags
		9 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.ad_password
	File: /secrets.tf:12-18
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		12 | resource "aws_secretsmanager_secret" "ad_password" {
		13 |   #checkov:skip=CKV_AWS_149
		14 |   name                    = "${var.env_name}-legacy-ad-password"
		15 |   recovery_window_in_days = 0
		16 | 
		17 |   tags = var.tags
		18 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: module.oracle_db_shared["mis-db"].aws_secretsmanager_secret.database_dba_passwords
	File: /../../../delius-core/modules/components/oracle_db_shared/secrets.tf:3-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		3 | resource "aws_secretsmanager_secret" "database_dba_passwords" {
		4 |   name        = local.dba_secret_name
		5 |   description = "DBA Users Credentials"
		6 |   kms_key_id  = var.account_config.kms_keys.general_shared
		7 |   tags        = var.tags
		8 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: module.oracle_db_shared["mis-db"].aws_secretsmanager_secret.database_application_passwords
	File: /../../../delius-core/modules/components/oracle_db_shared/secrets.tf:34-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		34 | resource "aws_secretsmanager_secret" "database_application_passwords" {
		35 |   name        = local.application_secret_name
		36 |   description = "Application Users Credentials"
		37 |   kms_key_id  = var.account_config.kms_keys.general_shared
		38 |   tags        = var.tags
		39 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: module.oracle_db_shared["dsd-db"].aws_secretsmanager_secret.database_dba_passwords
	File: /../../../delius-core/modules/components/oracle_db_shared/secrets.tf:3-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		3 | resource "aws_secretsmanager_secret" "database_dba_passwords" {
		4 |   name        = local.dba_secret_name
		5 |   description = "DBA Users Credentials"
		6 |   kms_key_id  = var.account_config.kms_keys.general_shared
		7 |   tags        = var.tags
		8 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: module.oracle_db_shared["dsd-db"].aws_secretsmanager_secret.database_application_passwords
	File: /../../../delius-core/modules/components/oracle_db_shared/secrets.tf:34-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		34 | resource "aws_secretsmanager_secret" "database_application_passwords" {
		35 |   name        = local.application_secret_name
		36 |   description = "Application Users Credentials"
		37 |   kms_key_id  = var.account_config.kms_keys.general_shared
		38 |   tags        = var.tags
		39 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: module.oracle_db_shared["boe-db"].aws_s3_bucket.s3_bucket_oracledb_backups_inventory
	File: /../../../delius-core/modules/components/oracle_db_shared/s3.tf:188-200
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		188 | resource "aws_s3_bucket" "s3_bucket_oracledb_backups_inventory" {
		189 | 
		190 |   bucket = "${local.oracle_backup_bucket_prefix}-inventory"
		191 |   tags = merge(
		192 |     var.tags,
		193 |     {
		194 |       "Name" = "${local.oracle_backup_bucket_prefix}-inventory"
		195 |     },
		196 |     {
		197 |       "Purpose" = "Inventory of Oracle DB Backup Pieces"
		198 |     },
		199 |   )
		200 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: module.oracle_db_shared["mis-db"].aws_s3_bucket.s3_bucket_oracledb_backups_inventory
	File: /../../../delius-core/modules/components/oracle_db_shared/s3.tf:188-200
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		188 | resource "aws_s3_bucket" "s3_bucket_oracledb_backups_inventory" {
		189 | 
		190 |   bucket = "${local.oracle_backup_bucket_prefix}-inventory"
		191 |   tags = merge(
		192 |     var.tags,
		193 |     {
		194 |       "Name" = "${local.oracle_backup_bucket_prefix}-inventory"
		195 |     },
		196 |     {
		197 |       "Purpose" = "Inventory of Oracle DB Backup Pieces"
		198 |     },
		199 |   )
		200 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: module.oracle_db_shared["dsd-db"].aws_s3_bucket.s3_bucket_oracledb_backups_inventory
	File: /../../../delius-core/modules/components/oracle_db_shared/s3.tf:188-200
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		188 | resource "aws_s3_bucket" "s3_bucket_oracledb_backups_inventory" {
		189 | 
		190 |   bucket = "${local.oracle_backup_bucket_prefix}-inventory"
		191 |   tags = merge(
		192 |     var.tags,
		193 |     {
		194 |       "Name" = "${local.oracle_backup_bucket_prefix}-inventory"
		195 |     },
		196 |     {
		197 |       "Purpose" = "Inventory of Oracle DB Backup Pieces"
		198 |     },
		199 |   )
		200 | }


checkov_exitcode=1

*****************************

Running Checkov in terraform/modules/schedule_alarms_lambda
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
terraform scan results:

Passed checks: 51, Failed checks: 8, Skipped checks: 0

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.alarm_scheduler
	File: /main.tf:8-26
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		8  | resource "aws_lambda_function" "alarm_scheduler" {
		9  |   filename         = "${path.module}/lambda/alarm_scheduler.zip"
		10 |   function_name    = var.lambda_function_name
		11 |   architectures    = ["arm64"]
		12 |   role             = aws_iam_role.lambda_exec.arn
		13 |   runtime          = "python3.12"
		14 |   handler          = "alarm_scheduler.lambda_handler"
		15 |   source_code_hash = data.archive_file.lambda_function_payload.output_base64sha256
		16 |   timeout          = 10
		17 | 
		18 |   environment {
		19 |     variables = {
		20 |       LOG_LEVEL       = var.lambda_log_level
		21 |       SPECIFIC_ALARMS = tostring(join(",", var.alarm_list))
		22 |     }
		23 |   }
		24 | 
		25 |   tags = var.tags
		26 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.alarm_scheduler
	File: /main.tf:8-26
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		8  | resource "aws_lambda_function" "alarm_scheduler" {
		9  |   filename         = "${path.module}/lambda/alarm_scheduler.zip"
		10 |   function_name    = var.lambda_function_name
		11 |   architectures    = ["arm64"]
		12 |   role             = aws_iam_role.lambda_exec.arn
		13 |   runtime          = "python3.12"
		14 |   handler          = "alarm_scheduler.lambda_handler"
		15 |   source_code_hash = data.archive_file.lambda_function_payload.output_base64sha256
		16 |   timeout          = 10
		17 | 
		18 |   environment {
		19 |     variables = {
		20 |       LOG_LEVEL       = var.lambda_log_level
		21 |       SPECIFIC_ALARMS = tostring(join(",", var.alarm_list))
		22 |     }
		23 |   }
		24 | 
		25 |   tags = var.tags
		26 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.alarm_scheduler
	File: /main.tf:8-26
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		8  | resource "aws_lambda_function" "alarm_scheduler" {
		9  |   filename         = "${path.module}/lambda/alarm_scheduler.zip"
		10 |   function_name    = var.lambda_function_name
		11 |   architectures    = ["arm64"]
		12 |   role             = aws_iam_role.lambda_exec.arn
		13 |   runtime          = "python3.12"
		14 |   handler          = "alarm_scheduler.lambda_handler"
		15 |   source_code_hash = data.archive_file.lambda_function_payload.output_base64sha256
		16 |   timeout          = 10
		17 | 
		18 |   environment {
		19 |     variables = {
		20 |       LOG_LEVEL       = var.lambda_log_level
		21 |       SPECIFIC_ALARMS = tostring(join(",", var.alarm_list))
		22 |     }
		23 |   }
		24 | 
		25 |   tags = var.tags
		26 | }

Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
	FAILED for resource: aws_lambda_function.alarm_scheduler
	File: /main.tf:8-26
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1

		8  | resource "aws_lambda_function" "alarm_scheduler" {
		9  |   filename         = "${path.module}/lambda/alarm_scheduler.zip"
		10 |   function_name    = var.lambda_function_name
		11 |   architectures    = ["arm64"]
		12 |   role             = aws_iam_role.lambda_exec.arn
		13 |   runtime          = "python3.12"
		14 |   handler          = "alarm_scheduler.lambda_handler"
		15 |   source_code_hash = data.archive_file.lambda_function_payload.output_base64sha256
		16 |   timeout          = 10
		17 | 
		18 |   environment {
		19 |     variables = {
		20 |       LOG_LEVEL       = var.lambda_log_level
		21 |       SPECIFIC_ALARMS = tostring(join(",", var.alarm_list))
		22 |     }
		23 |   }
		24 | 
		25 |   tags = var.tags
		26 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.alarm_scheduler
	File: /main.tf:8-26
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		8  | resource "aws_lambda_function" "alarm_scheduler" {
		9  |   filename         = "${path.module}/lambda/alarm_scheduler.zip"
		10 |   function_name    = var.lambda_function_name
		11 |   architectures    = ["arm64"]
		12 |   role             = aws_iam_role.lambda_exec.arn
		13 |   runtime          = "python3.12"
		14 |   handler          = "alarm_scheduler.lambda_handler"
		15 |   source_code_hash = data.archive_file.lambda_function_payload.output_base64sha256
		16 |   timeout          = 10
		17 | 
		18 |   environment {
		19 |     variables = {
		20 |       LOG_LEVEL       = var.lambda_log_level
		21 |       SPECIFIC_ALARMS = tostring(join(",", var.alarm_list))
		22 |     }
		23 |   }
		24 | 
		25 |   tags = var.tags
		26 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.alarm_scheduler
	File: /main.tf:8-26
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		8  | resource "aws_lambda_function" "alarm_scheduler" {
		9  |   filename         = "${path.module}/lambda/alarm_scheduler.zip"
		10 |   function_name    = var.lambda_function_name
		11 |   architectures    = ["arm64"]
		12 |   role             = aws_iam_role.lambda_exec.arn
		13 |   runtime          = "python3.12"
		14 |   handler          = "alarm_scheduler.lambda_handler"
		15 |   source_code_hash = data.archive_file.lambda_function_payload.output_base64sha256
		16 |   timeout          = 10
		17 | 
		18 |   environment {
		19 |     variables = {
		20 |       LOG_LEVEL       = var.lambda_log_level
		21 |       SPECIFIC_ALARMS = tostring(join(",", var.alarm_list))
		22 |     }
		23 |   }
		24 | 
		25 |   tags = var.tags
		26 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.execution_logs
	File: /main.tf:28-33
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		28 | resource "aws_cloudwatch_log_group" "execution_logs" {
		29 |   name              = format("/aws/lambda/%s", var.lambda_function_name)
		30 |   retention_in_days = 7
		31 | 
		32 |   tags = var.tags
		33 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.execution_logs
	File: /main.tf:28-33
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		28 | resource "aws_cloudwatch_log_group" "execution_logs" {
		29 |   name              = format("/aws/lambda/%s", var.lambda_function_name)
		30 |   retention_in_days = 7
		31 | 
		32 |   tags = var.tags
		33 | }


checkov_exitcode=2

TFLint Scan Failed

*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/delius-mis/modules/mis_environment
terraform/modules/schedule_alarms_lambda

*****************************

Running tflint in terraform/environments/delius-mis/modules/mis_environment
Excluding the following checks: terraform_unused_declarations
4 issue(s) found:

Warning: Module source "github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance" is not pinned (terraform_module_pinned_source)

  on terraform/environments/delius-mis/modules/mis_environment/bcs.tf line 7:
   7:   source = "github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_module_pinned_source.md

Warning: Module source "github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance" is not pinned (terraform_module_pinned_source)

  on terraform/environments/delius-mis/modules/mis_environment/bps.tf line 7:
   7:   source = "github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_module_pinned_source.md

Warning: Module source "github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance" is not pinned (terraform_module_pinned_source)

  on terraform/environments/delius-mis/modules/mis_environment/bws.tf line 7:
   7:   source = "github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_module_pinned_source.md

Warning: Module source "github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance" is not pinned (terraform_module_pinned_source)

  on terraform/environments/delius-mis/modules/mis_environment/dis.tf line 7:
   7:   source = "github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_module_pinned_source.md

tflint_exitcode=2

*****************************

Running tflint in terraform/modules/schedule_alarms_lambda
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=2

Trivy Scan Failed

Show Output
*****************************

Trivy will check the following folders:
terraform/environments/delius-mis/modules/mis_environment
terraform/modules/schedule_alarms_lambda

*****************************

Running Trivy in terraform/environments/delius-mis/modules/mis_environment
2024-10-15T12:40:57Z	INFO	[vulndb] Need to update DB
2024-10-15T12:40:57Z	INFO	[vulndb] Downloading vulnerability DB...
2024-10-15T12:40:57Z	INFO	[vulndb] Downloading artifact...	repo="ghcr.io/aquasecurity/trivy-db:2"
2024-10-15T12:40:57Z	ERROR	[vulndb] Failed to download artifact	repo="ghcr.io/aquasecurity/trivy-db:2" err="oci download error: failed to fetch the layer: GET https://ghcr.io/v2/aquasecurity/trivy-db/blobs/sha256:12507e5d35ed9dcaa337be9dc419ec149b406f78ab4b6e3dc3ce14154151f482: TOOMANYREQUESTS: retry-after: 766.724µs, allowed: 44000/minute"
2024-10-15T12:40:57Z	FATAL	Fatal error	init error: DB error: failed to download vulnerability DB: OCI artifact error: failed to download vulnerability DB: failed to download artifact from any source
trivy_exitcode=1

*****************************

Running Trivy in terraform/modules/schedule_alarms_lambda
2024-10-15T12:40:57Z	INFO	[vulndb] Need to update DB
2024-10-15T12:40:57Z	INFO	[vulndb] Downloading vulnerability DB...
2024-10-15T12:40:57Z	INFO	[vulndb] Downloading artifact...	repo="ghcr.io/aquasecurity/trivy-db:2"
2024-10-15T12:40:58Z	ERROR	[vulndb] Failed to download artifact	repo="ghcr.io/aquasecurity/trivy-db:2" err="oci download error: failed to fetch the layer: GET https://ghcr.io/v2/aquasecurity/trivy-db/blobs/sha256:12507e5d35ed9dcaa337be9dc419ec149b406f78ab4b6e3dc3ce14154151f482: TOOMANYREQUESTS: retry-after: 451.534µs, allowed: 44000/minute"
2024-10-15T12:40:58Z	FATAL	Fatal error	init error: DB error: failed to download vulnerability DB: OCI artifact error: failed to download vulnerability DB: failed to download artifact from any source
trivy_exitcode=2

Contributor

Trivy Scan Failed

Show Output

```hcl

Trivy will check the following folders:
terraform/environments/delius-mis/modules/mis_environment
terraform/modules/schedule_alarms_lambda


Running Trivy in terraform/environments/delius-mis/modules/mis_environment
2024-10-15T12:44:48Z INFO [vulndb] Need to update DB
2024-10-15T12:44:48Z INFO [vulndb] Downloading vulnerability DB...
2024-10-15T12:44:48Z INFO [vulndb] Downloading artifact... repo="ghcr.io/aquasecurity/trivy-db:2"
2024-10-15T12:44:50Z INFO [vulndb] Artifact successfully downloaded repo="ghcr.io/aquasecurity/trivy-db:2"
2024-10-15T12:44:50Z INFO [vuln] Vulnerability scanning is enabled
2024-10-15T12:44:50Z INFO [misconfig] Misconfiguration scanning is enabled
2024-10-15T12:44:50Z INFO [misconfig] Need to update the built-in checks
2024-10-15T12:44:50Z INFO [misconfig] Downloading the built-in checks...
156.02 KiB / 156.02 KiB [------------------------------------------------------] 100.00% ? p/s 100ms
2024-10-15T12:44:50Z INFO [secret] Secret scanning is enabled
2024-10-15T12:44:50Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-10-15T12:44:50Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.56/docs/scanner/secret#recommendation for faster secret detection
2024-10-15T12:44:51Z INFO [terraform scanner] Scanning root module file_path="."
2024-10-15T12:44:51Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="account_config, account_info, app_name, bastion_config, bcs_config, boe_db_config, bps_config, bws_config, dis_config, dsd_db_config, env_name, environment_config, fsx_config, mis_db_config, platform_vars, tags"
2024-10-15T12:44:51Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="dynamic.ip_address" value="cty.NilVal"
2024-10-15T12:44:51Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="dynamic.target_ip" value="cty.NilVal"
2024-10-15T12:44:51Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="dynamic.ip_address" value="cty.NilVal"
2024-10-15T12:44:51Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="dynamic.target_ip" value="cty.NilVal"
2024-10-15T12:44:52Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2024-10-15T12:44:52Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2024-10-15T12:44:52Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.dynamic.tag" value="cty.NilVal"
2024-10-15T12:44:52Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.dynamic.tag" value="cty.NilVal"
2024-10-15T12:44:52Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-15T12:44:52Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-10-15T12:44:52Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-15T12:44:52Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-15T12:44:52Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-10-15T12:44:52Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-10-15T12:44:52Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-15T12:44:52Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-10-15T12:44:52Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-15T12:44:52Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-15T12:44:52Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-10-15T12:44:52Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-10-15T12:44:52Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.pagerduty_core_alerts.data.aws_sns_topic.alarm_topics" value="cty.NilVal"
2024-10-15T12:44:52Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_ssm_sessions.dynamic.expiration" value="cty.NilVal"
2024-10-15T12:44:52Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_ssm_sessions.dynamic.transition" value="cty.NilVal"
2024-10-15T12:44:52Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_ssm_sessions.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-15T12:44:52Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_ssm_sessions.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-15T12:44:52Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_ssm_sessions.dynamic.principals" value="cty.NilVal"
2024-10-15T12:44:52Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_ssm_sessions.dynamic.condition" value="cty.NilVal"
2024-10-15T12:44:52Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_ssm_sessions.dynamic.expiration" value="cty.NilVal"
2024-10-15T12:44:52Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_ssm_sessions.dynamic.transition" value="cty.NilVal"
2024-10-15T12:44:52Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_ssm_sessions.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-15T12:44:52Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_ssm_sessions.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-15T12:44:52Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_ssm_sessions.dynamic.principals" value="cty.NilVal"
2024-10-15T12:44:52Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_ssm_sessions.dynamic.condition" value="cty.NilVal"
2024-10-15T12:44:52Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bcs_instance[0].aws_ebs_volume.this" value="cty.NilVal"
2024-10-15T12:44:52Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bcs_instance[0].dynamic.ephemeral_block_device" value="cty.NilVal"
2024-10-15T12:44:52Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bcs_instance[0].dynamic.ebs_block_device" value="cty.NilVal"
2024-10-15T12:44:52Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bcs_instance[0].dynamic.private_dns_name_options" value="cty.NilVal"
2024-10-15T12:44:52Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bcs_instance[0].dynamic.ephemeral_block_device" value="cty.NilVal"
2024-10-15T12:44:52Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bcs_instance[0].dynamic.ebs_block_device" value="cty.NilVal"
2024-10-15T12:44:52Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bcs_instance[0].dynamic.private_dns_name_options" value="cty.NilVal"
2024-10-15T12:44:52Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bps_instance[0].aws_ebs_volume.this" value="cty.NilVal"
2024-10-15T12:44:52Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bps_instance[0].dynamic.ephemeral_block_device" value="cty.NilVal"
2024-10-15T12:44:52Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bps_instance[0].dynamic.ebs_block_device" value="cty.NilVal"
2024-10-15T12:44:52Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bps_instance[0].dynamic.private_dns_name_options" value="cty.NilVal"
2024-10-15T12:44:52Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bps_instance[0].dynamic.ephemeral_block_device" value="cty.NilVal"
2024-10-15T12:44:52Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bps_instance[0].dynamic.ebs_block_device" value="cty.NilVal"
2024-10-15T12:44:52Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bps_instance[0].dynamic.private_dns_name_options" value="cty.NilVal"
2024-10-15T12:44:52Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bws_instance[0].aws_ebs_volume.this" value="cty.NilVal"
2024-10-15T12:44:52Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bws_instance[0].dynamic.ephemeral_block_device" value="cty.NilVal"
2024-10-15T12:44:52Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bws_instance[0].dynamic.ebs_block_device" value="cty.NilVal"
2024-10-15T12:44:52Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bws_instance[0].dynamic.private_dns_name_options" value="cty.NilVal"
2024-10-15T12:44:52Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bws_instance[0].dynamic.ephemeral_block_device" value="cty.NilVal"
2024-10-15T12:44:52Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bws_instance[0].dynamic.ebs_block_device" value="cty.NilVal"
2024-10-15T12:44:52Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bws_instance[0].dynamic.private_dns_name_options" value="cty.NilVal"
2024-10-15T12:44:52Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.dis_instance[0].aws_ebs_volume.this" value="cty.NilVal"
2024-10-15T12:44:52Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.dis_instance[0].dynamic.ephemeral_block_device" value="cty.NilVal"
2024-10-15T12:44:52Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.dis_instance[0].dynamic.ebs_block_device" value="cty.NilVal"
2024-10-15T12:44:52Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.dis_instance[0].dynamic.private_dns_name_options" value="cty.NilVal"
2024-10-15T12:44:52Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.dis_instance[0].dynamic.ephemeral_block_device" value="cty.NilVal"
2024-10-15T12:44:52Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.dis_instance[0].dynamic.ebs_block_device" value="cty.NilVal"
2024-10-15T12:44:52Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.dis_instance[0].dynamic.private_dns_name_options" value="cty.NilVal"
2024-10-15T12:44:52Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_boe[0].module.instance.aws_ebs_volume.this" value="cty.NilVal"
2024-10-15T12:44:52Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_boe[0].module.instance.dynamic.ephemeral_block_device" value="cty.NilVal"
2024-10-15T12:44:52Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_boe[0].module.instance.dynamic.ebs_block_device" value="cty.NilVal"
2024-10-15T12:44:52Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_boe[0].module.instance.dynamic.ephemeral_block_device" value="cty.NilVal"
2024-10-15T12:44:52Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_boe[0].module.instance.dynamic.ebs_block_device" value="cty.NilVal"
2024-10-15T12:44:52Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_dsd[0].module.instance.aws_ebs_volume.this" value="cty.NilVal"
2024-10-15T12:44:52Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_dsd[0].module.instance.dynamic.ephemeral_block_device" value="cty.NilVal"
2024-10-15T12:44:52Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_dsd[0].module.instance.dynamic.ebs_block_device" value="cty.NilVal"
2024-10-15T12:44:52Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_dsd[0].module.instance.dynamic.ephemeral_block_device" value="cty.NilVal"
2024-10-15T12:44:52Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_dsd[0].module.instance.dynamic.ebs_block_device" value="cty.NilVal"
2024-10-15T12:44:52Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_mis[0].module.instance.aws_ebs_volume.this" value="cty.NilVal"
2024-10-15T12:44:52Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_mis[0].module.instance.dynamic.ephemeral_block_device" value="cty.NilVal"
2024-10-15T12:44:52Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_mis[0].module.instance.dynamic.ebs_block_device" value="cty.NilVal"
2024-10-15T12:44:52Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_mis[0].module.instance.dynamic.ephemeral_block_device" value="cty.NilVal"
2024-10-15T12:44:52Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_mis[0].module.instance.dynamic.ebs_block_device" value="cty.NilVal"
2024-10-15T12:44:52Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["boe-db"].aws_s3_object.user_public_keys" value="cty.NilVal"
2024-10-15T12:44:52Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["boe-db"].module.s3_bucket_oracledb_backups.dynamic.expiration" value="cty.NilVal"
2024-10-15T12:44:52Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["boe-db"].module.s3_bucket_oracledb_backups.dynamic.transition" value="cty.NilVal"
2024-10-15T12:44:52Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["boe-db"].module.s3_bucket_oracledb_backups.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-15T12:44:52Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["boe-db"].module.s3_bucket_oracledb_backups.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-15T12:44:52Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["boe-db"].module.s3_bucket_oracledb_backups.dynamic.principals" value="cty.NilVal"
2024-10-15T12:44:52Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["boe-db"].module.s3_bucket_oracledb_backups.dynamic.condition" value="cty.NilVal"
2024-10-15T12:44:52Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["boe-db"].module.s3_bucket_oracledb_backups.dynamic.expiration" value="cty.NilVal"
2024-10-15T12:44:52Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["boe-db"].module.s3_bucket_oracledb_backups.dynamic.transition" value="cty.NilVal"
2024-10-15T12:44:52Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["boe-db"].module.s3_bucket_oracledb_backups.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-15T12:44:52Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["boe-db"].module.s3_bucket_oracledb_backups.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-15T12:44:52Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["boe-db"].module.s3_bucket_oracledb_backups.dynamic.principals" value="cty.NilVal"
2024-10-15T12:44:52Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["boe-db"].module.s3_bucket_oracledb_backups.dynamic.condition" value="cty.NilVal"
2024-10-15T12:44:52Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["boe-db"].module.s3_bucket_ssh_keys.dynamic.expiration" value="cty.NilVal"
2024-10-15T12:44:52Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["boe-db"].module.s3_bucket_ssh_keys.dynamic.transition" value="cty.NilVal"
2024-10-15T12:44:52Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["boe-db"].module.s3_bucket_ssh_keys.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-15T12:44:52Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["boe-db"].module.s3_bucket_ssh_keys.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-15T12:44:52Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["boe-db"].module.s3_bucket_ssh_keys.dynamic.principals" value="cty.NilVal"
2024-10-15T12:44:52Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["boe-db"].module.s3_bucket_ssh_keys.dynamic.condition" value="cty.NilVal"
2024-10-15T12:44:52Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["boe-db"].module.s3_bucket_ssh_keys.dynamic.expiration" value="cty.NilVal"
2024-10-15T12:44:52Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["boe-db"].module.s3_bucket_ssh_keys.dynamic.transition" value="cty.NilVal"
2024-10-15T12:44:52Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["boe-db"].module.s3_bucket_ssh_keys.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-15T12:44:52Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["boe-db"].module.s3_bucket_ssh_keys.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-15T12:44:52Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["boe-db"].module.s3_bucket_ssh_keys.dynamic.principals" value="cty.NilVal"
2024-10-15T12:44:52Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["boe-db"].module.s3_bucket_ssh_keys.dynamic.condition" value="cty.NilVal"
2024-10-15T12:44:52Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["dsd-db"].aws_s3_object.user_public_keys" value="cty.NilVal"
2024-10-15T12:44:52Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["dsd-db"].module.s3_bucket_oracledb_backups.dynamic.expiration" value="cty.NilVal"
2024-10-15T12:44:52Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["dsd-db"].module.s3_bucket_oracledb_backups.dynamic.transition" value="cty.NilVal"
2024-10-15T12:44:52Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["dsd-db"].module.s3_bucket_oracledb_backups.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-15T12:44:52Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["dsd-db"].module.s3_bucket_oracledb_backups.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-15T12:44:52Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["dsd-db"].module.s3_bucket_oracledb_backups.dynamic.principals" value="cty.NilVal"
2024-10-15T12:44:52Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["dsd-db"].module.s3_bucket_oracledb_backups.dynamic.condition" value="cty.NilVal"
2024-10-15T12:44:52Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["dsd-db"].module.s3_bucket_oracledb_backups.dynamic.expiration" value="cty.NilVal"
2024-10-15T12:44:52Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["dsd-db"].module.s3_bucket_oracledb_backups.dynamic.transition" value="cty.NilVal"
2024-10-15T12:44:52Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["dsd-db"].module.s3_bucket_oracledb_backups.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-15T12:44:52Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["dsd-db"].module.s3_bucket_oracledb_backups.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-15T12:44:52Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["dsd-db"].module.s3_bucket_oracledb_backups.dynamic.principals" value="cty.NilVal"
2024-10-15T12:44:52Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["dsd-db"].module.s3_bucket_oracledb_backups.dynamic.condition" value="cty.NilVal"
2024-10-15T12:44:52Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["dsd-db"].module.s3_bucket_ssh_keys.dynamic.expiration" value="cty.NilVal"
2024-10-15T12:44:52Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["dsd-db"].module.s3_bucket_ssh_keys.dynamic.transition" value="cty.NilVal"
2024-10-15T12:44:52Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["dsd-db"].module.s3_bucket_ssh_keys.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-15T12:44:52Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["dsd-db"].module.s3_bucket_ssh_keys.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-15T12:44:52Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["dsd-db"].module.s3_bucket_ssh_keys.dynamic.principals" value="cty.NilVal"
2024-10-15T12:44:52Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["dsd-db"].module.s3_bucket_ssh_keys.dynamic.condition" value="cty.NilVal"
2024-10-15T12:44:52Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["dsd-db"].module.s3_bucket_ssh_keys.dynamic.expiration" value="cty.NilVal"
2024-10-15T12:44:52Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["dsd-db"].module.s3_bucket_ssh_keys.dynamic.transition" value="cty.NilVal"
2024-10-15T12:44:52Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["dsd-db"].module.s3_bucket_ssh_keys.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-15T12:44:52Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["dsd-db"].module.s3_bucket_ssh_keys.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-15T12:44:52Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["dsd-db"].module.s3_bucket_ssh_keys.dynamic.principals" value="cty.NilVal"
2024-10-15T12:44:52Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["dsd-db"].module.s3_bucket_ssh_keys.dynamic.condition" value="cty.NilVal"
2024-10-15T12:44:52Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["mis-db"].aws_s3_object.user_public_keys" value="cty.NilVal"
2024-10-15T12:44:52Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["mis-db"].module.s3_bucket_oracledb_backups.dynamic.expiration" value="cty.NilVal"
2024-10-15T12:44:52Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["mis-db"].module.s3_bucket_oracledb_backups.dynamic.transition" value="cty.NilVal"
2024-10-15T12:44:52Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["mis-db"].module.s3_bucket_oracledb_backups.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-15T12:44:52Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["mis-db"].module.s3_bucket_oracledb_backups.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-15T12:44:52Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["mis-db"].module.s3_bucket_oracledb_backups.dynamic.principals" value="cty.NilVal"
2024-10-15T12:44:52Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["mis-db"].module.s3_bucket_oracledb_backups.dynamic.condition" value="cty.NilVal"
2024-10-15T12:44:52Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["mis-db"].module.s3_bucket_oracledb_backups.dynamic.expiration" value="cty.NilVal"
2024-10-15T12:44:52Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["mis-db"].module.s3_bucket_oracledb_backups.dynamic.transition" value="cty.NilVal"
2024-10-15T12:44:52Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["mis-db"].module.s3_bucket_oracledb_backups.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-15T12:44:52Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["mis-db"].module.s3_bucket_oracledb_backups.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-15T12:44:52Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["mis-db"].module.s3_bucket_oracledb_backups.dynamic.principals" value="cty.NilVal"
2024-10-15T12:44:52Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["mis-db"].module.s3_bucket_oracledb_backups.dynamic.condition" value="cty.NilVal"
2024-10-15T12:44:52Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["mis-db"].module.s3_bucket_ssh_keys.dynamic.expiration" value="cty.NilVal"
2024-10-15T12:44:52Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["mis-db"].module.s3_bucket_ssh_keys.dynamic.transition" value="cty.NilVal"
2024-10-15T12:44:52Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["mis-db"].module.s3_bucket_ssh_keys.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-15T12:44:52Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["mis-db"].module.s3_bucket_ssh_keys.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-15T12:44:52Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["mis-db"].module.s3_bucket_ssh_keys.dynamic.principals" value="cty.NilVal"
2024-10-15T12:44:52Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["mis-db"].module.s3_bucket_ssh_keys.dynamic.condition" value="cty.NilVal"
2024-10-15T12:44:52Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["mis-db"].module.s3_bucket_ssh_keys.dynamic.expiration" value="cty.NilVal"
2024-10-15T12:44:52Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["mis-db"].module.s3_bucket_ssh_keys.dynamic.transition" value="cty.NilVal"
2024-10-15T12:44:52Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["mis-db"].module.s3_bucket_ssh_keys.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-15T12:44:52Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["mis-db"].module.s3_bucket_ssh_keys.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-15T12:44:52Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["mis-db"].module.s3_bucket_ssh_keys.dynamic.principals" value="cty.NilVal"
2024-10-15T12:44:52Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["mis-db"].module.s3_bucket_ssh_keys.dynamic.condition" value="cty.NilVal"
2024-10-15T12:44:57Z INFO [terraform executor] Ignore finding rule="aws-ec2-no-public-egress-sgr" range="../../../delius-core/modules/components/oracle_db_shared/sg.tf:15"
2024-10-15T12:44:57Z INFO [terraform executor] Ignore finding rule="aws-ec2-no-public-egress-sgr" range="../../../delius-core/modules/components/oracle_db_shared/sg.tf:15"
2024-10-15T12:44:57Z INFO [terraform executor] Ignore finding rule="aws-ec2-no-public-egress-sgr" range="../../../delius-core/modules/components/oracle_db_shared/sg.tf:15"
2024-10-15T12:44:57Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=c918b2189d9f81d224e07e98fa1bc9ff38e4ba12/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2024-10-15T12:44:57Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0/main.tf:171-179"
2024-10-15T12:44:57Z INFO [terraform executor] Ignore finding rule="aws-ec2-enforce-http-token-imds" range="github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance/main.tf:22"
2024-10-15T12:44:57Z INFO [terraform executor] Ignore finding rule="aws-ec2-enforce-http-token-imds" range="github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance/main.tf:22"
2024-10-15T12:44:57Z INFO [terraform executor] Ignore finding rule="aws-ec2-enforce-http-token-imds" range="github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance/main.tf:22"
2024-10-15T12:44:57Z INFO [terraform executor] Ignore finding rule="aws-ec2-enforce-http-token-imds" range="github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance/main.tf:22"
2024-10-15T12:44:57Z INFO [terraform executor] Ignore finding rule="aws-ec2-enforce-http-token-imds" range="github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance/main.tf:22"
2024-10-15T12:44:57Z INFO [terraform executor] Ignore finding rule="aws-ec2-enforce-http-token-imds" range="github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance/main.tf:22"
2024-10-15T12:44:57Z INFO [terraform executor] Ignore finding rule="aws-ec2-enforce-http-token-imds" range="github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance/main.tf:22"
2024-10-15T12:44:57Z INFO [terraform executor] Ignore finding rule="aws-ssm-secret-use-customer-key" range="secrets.tf:3-9"
2024-10-15T12:44:57Z INFO [terraform executor] Ignore finding rule="aws-ssm-secret-use-customer-key" range="secrets.tf:12-18"
2024-10-15T12:44:57Z INFO Number of language-specific files num=0
2024-10-15T12:44:57Z INFO Detected config files num=19

../../../delius-core/modules/components/oracle_db_shared/s3.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
../../../delius-core/modules/components/oracle_db_shared/s3.tf:204-212
via databases.tf:13-37 (module.oracle_db_shared["boe-db"])
────────────────────────────────────────
204 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "oracledb_backups_inventory" {
205 │ bucket = aws_s3_bucket.s3_bucket_oracledb_backups_inventory.id
206 │ rule {
207 │ apply_server_side_encryption_by_default {
208 │ kms_master_key_id = var.account_config.kms_keys.general_shared
209 │ sse_algorithm = "aws:kms"
210 │ }
211 │ }
212 └ }
────────────────────────────────────────

sg_shared.tf (terraform)

Tests: 4 (SUCCESSES: 0, FAILURES: 1, EXCEPTIONS: 3)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Security group rule allows ingress from public internet.
════════════════════════════════════════
Security groups provide stateful filtering of ingress and egress network traffic to AWS
resources. It is recommended that no security group allows unrestricted ingress access to
remote server administration ports, such as SSH to port 22 and RDP to port 3389.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
sg_shared.tf:28
via sg_shared.tf:26-32 (aws_vpc_security_group_ingress_rule.fleet_manager)
────────────────────────────────────────
26 resource "aws_vpc_security_group_ingress_rule" "fleet_manager" {
27 security_group_id = aws_security_group.mis_ec2_shared.id
28 [ cidr_ipv4 = "0.0.0.0/0"
29 ip_protocol = "tcp"
30 from_port = 3389
31 to_port = 3389
32 }
────────────────────────────────────────

trivy_exitcode=1


Running Trivy in terraform/modules/schedule_alarms_lambda
2024-10-15T12:44:57Z INFO [vuln] Vulnerability scanning is enabled
2024-10-15T12:44:57Z INFO [misconfig] Misconfiguration scanning is enabled
2024-10-15T12:44:57Z INFO [secret] Secret scanning is enabled
2024-10-15T12:44:57Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-10-15T12:44:57Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.56/docs/scanner/secret#recommendation for faster secret detection
2024-10-15T12:44:58Z INFO [terraform scanner] Scanning root module file_path="."
2024-10-15T12:44:58Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="lambda_function_name"
2024-10-15T12:44:58Z INFO Number of language-specific files num=0
2024-10-15T12:44:58Z INFO Detected config files num=2
trivy_exitcode=1

```
</details>

#### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/delius-mis/modules/mis_environment
terraform/modules/schedule_alarms_lambda

*****************************

Running Checkov in terraform/environments/delius-mis/modules/mis_environment
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-10-15 12:45:00,838 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance:None (for external modules, the --download-external-modules flag is required)
2024-10-15 12:45:00,838 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0:None (for external modules, the --download-external-modules flag is required)
2024-10-15 12:45:00,838 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=c918b2189d9f81d224e07e98fa1bc9ff38e4ba12:None (for external modules, the --download-external-modules flag is required)
2024-10-15 12:45:00,838 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 916, Failed checks: 128, Skipped checks: 2

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.oracle_db_boe.instance
	File: /../../../delius-core/modules/components/oracle_db_instance/instance.tf:23-66
	Calling File: /databases.tf:94-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		23 | module "instance" {
		24 |   source = "github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance"
		25 | 
		26 |   providers = {
		27 |     aws.core-vpc = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		28 |   }
		29 | 
		30 |   name = "${var.account_info.application_name}-${var.env_name}-${var.db_suffix}-${local.instance_name_index}" # e.g. dev-boe-db-1
		31 | 
		32 |   ami_name                      = data.aws_ami.oracle_db.name
		33 |   ami_owner                     = var.db_ami.owner
		34 |   instance                      = local.instance_config
		35 |   ebs_kms_key_id                = var.account_config.kms_keys.general_shared
		36 |   ebs_volumes_copy_all_from_ami = true
		37 |   ebs_volume_config             = var.ebs_volume_config
		38 |   ebs_volumes                   = var.ebs_volumes
		39 |   ebs_volume_tags               = var.tags
		40 |   # route53_records               = merge(local.ec2_test.route53_records, lookup(each.value, "route53_records", {})) # revist
		41 |   route53_records = {
		42 |     create_internal_record = false
		43 |     create_external_record = false
		44 |   }
		45 |   iam_resource_names_prefix = "instance"
		46 |   instance_profile_policies = var.instance_profile_policies
		47 | 
		48 |   user_data_raw = base64encode(var.user_data)
		49 | 
		50 |   business_unit     = var.account_info.business_unit
		51 |   application_name  = var.account_info.application_name
		52 |   environment       = var.account_info.mp_environment
		53 |   region            = "eu-west-2"
		54 |   availability_zone = var.availability_zone
		55 |   subnet_id         = var.subnet_id
		56 |   tags = merge(var.tags,
		57 |     { Name = "${var.account_info.application_name}-${var.env_name}-${var.db_suffix}-${local.instance_name_index}" },
		58 |     { server-type = var.server_type_tag },
		59 |     { database = local.database_tag },
		60 |     var.enable_platform_backups != null ? { "backup" = var.enable_platform_backups ? "true" : "false" } : {}
		61 |   )
		62 | 
		63 |   cloudwatch_metric_alarms = merge(
		64 |     local.cloudwatch_metric_alarms.ec2
		65 |   )
		66 | }

Check: CKV_TF_2: "Ensure Terraform module sources use a tag with a version number"
	FAILED for resource: module.oracle_db_boe.instance
	File: /../../../delius-core/modules/components/oracle_db_instance/instance.tf:23-66
	Calling File: /databases.tf:94-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-tag

		23 | module "instance" {
		24 |   source = "github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance"
		25 | 
		26 |   providers = {
		27 |     aws.core-vpc = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		28 |   }
		29 | 
		30 |   name = "${var.account_info.application_name}-${var.env_name}-${var.db_suffix}-${local.instance_name_index}" # e.g. dev-boe-db-1
		31 | 
		32 |   ami_name                      = data.aws_ami.oracle_db.name
		33 |   ami_owner                     = var.db_ami.owner
		34 |   instance                      = local.instance_config
		35 |   ebs_kms_key_id                = var.account_config.kms_keys.general_shared
		36 |   ebs_volumes_copy_all_from_ami = true
		37 |   ebs_volume_config             = var.ebs_volume_config
		38 |   ebs_volumes                   = var.ebs_volumes
		39 |   ebs_volume_tags               = var.tags
		40 |   # route53_records               = merge(local.ec2_test.route53_records, lookup(each.value, "route53_records", {})) # revist
		41 |   route53_records = {
		42 |     create_internal_record = false
		43 |     create_external_record = false
		44 |   }
		45 |   iam_resource_names_prefix = "instance"
		46 |   instance_profile_policies = var.instance_profile_policies
		47 | 
		48 |   user_data_raw = base64encode(var.user_data)
		49 | 
		50 |   business_unit     = var.account_info.business_unit
		51 |   application_name  = var.account_info.application_name
		52 |   environment       = var.account_info.mp_environment
		53 |   region            = "eu-west-2"
		54 |   availability_zone = var.availability_zone
		55 |   subnet_id         = var.subnet_id
		56 |   tags = merge(var.tags,
		57 |     { Name = "${var.account_info.application_name}-${var.env_name}-${var.db_suffix}-${local.instance_name_index}" },
		58 |     { server-type = var.server_type_tag },
		59 |     { database = local.database_tag },
		60 |     var.enable_platform_backups != null ? { "backup" = var.enable_platform_backups ? "true" : "false" } : {}
		61 |   )
		62 | 
		63 |   cloudwatch_metric_alarms = merge(
		64 |     local.cloudwatch_metric_alarms.ec2
		65 |   )
		66 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.oracle_db_dsd.instance
	File: /../../../delius-core/modules/components/oracle_db_instance/instance.tf:23-66
	Calling File: /databases.tf:39-91
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		23 | module "instance" {
		24 |   source = "github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance"
		25 | 
		26 |   providers = {
		27 |     aws.core-vpc = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		28 |   }
		29 | 
		30 |   name = "${var.account_info.application_name}-${var.env_name}-${var.db_suffix}-${local.instance_name_index}" # e.g. dev-boe-db-1
		31 | 
		32 |   ami_name                      = data.aws_ami.oracle_db.name
		33 |   ami_owner                     = var.db_ami.owner
		34 |   instance                      = local.instance_config
		35 |   ebs_kms_key_id                = var.account_config.kms_keys.general_shared
		36 |   ebs_volumes_copy_all_from_ami = true
		37 |   ebs_volume_config             = var.ebs_volume_config
		38 |   ebs_volumes                   = var.ebs_volumes
		39 |   ebs_volume_tags               = var.tags
		40 |   # route53_records               = merge(local.ec2_test.route53_records, lookup(each.value, "route53_records", {})) # revist
		41 |   route53_records = {
		42 |     create_internal_record = false
		43 |     create_external_record = false
		44 |   }
		45 |   iam_resource_names_prefix = "instance"
		46 |   instance_profile_policies = var.instance_profile_policies
		47 | 
		48 |   user_data_raw = base64encode(var.user_data)
		49 | 
		50 |   business_unit     = var.account_info.business_unit
		51 |   application_name  = var.account_info.application_name
		52 |   environment       = var.account_info.mp_environment
		53 |   region            = "eu-west-2"
		54 |   availability_zone = var.availability_zone
		55 |   subnet_id         = var.subnet_id
		56 |   tags = merge(var.tags,
		57 |     { Name = "${var.account_info.application_name}-${var.env_name}-${var.db_suffix}-${local.instance_name_index}" },
		58 |     { server-type = var.server_type_tag },
		59 |     { database = local.database_tag },
		60 |     var.enable_platform_backups != null ? { "backup" = var.enable_platform_backups ? "true" : "false" } : {}
		61 |   )
		62 | 
		63 |   cloudwatch_metric_alarms = merge(
		64 |     local.cloudwatch_metric_alarms.ec2
		65 |   )
		66 | }

Check: CKV_TF_2: "Ensure Terraform module sources use a tag with a version number"
	FAILED for resource: module.oracle_db_dsd.instance
	File: /../../../delius-core/modules/components/oracle_db_instance/instance.tf:23-66
	Calling File: /databases.tf:39-91
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-tag

		23 | module "instance" {
		24 |   source = "github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance"
		25 | 
		26 |   providers = {
		27 |     aws.core-vpc = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		28 |   }
		29 | 
		30 |   name = "${var.account_info.application_name}-${var.env_name}-${var.db_suffix}-${local.instance_name_index}" # e.g. dev-boe-db-1
		31 | 
		32 |   ami_name                      = data.aws_ami.oracle_db.name
		33 |   ami_owner                     = var.db_ami.owner
		34 |   instance                      = local.instance_config
		35 |   ebs_kms_key_id                = var.account_config.kms_keys.general_shared
		36 |   ebs_volumes_copy_all_from_ami = true
		37 |   ebs_volume_config             = var.ebs_volume_config
		38 |   ebs_volumes                   = var.ebs_volumes
		39 |   ebs_volume_tags               = var.tags
		40 |   # route53_records               = merge(local.ec2_test.route53_records, lookup(each.value, "route53_records", {})) # revist
		41 |   route53_records = {
		42 |     create_internal_record = false
		43 |     create_external_record = false
		44 |   }
		45 |   iam_resource_names_prefix = "instance"
		46 |   instance_profile_policies = var.instance_profile_policies
		47 | 
		48 |   user_data_raw = base64encode(var.user_data)
		49 | 
		50 |   business_unit     = var.account_info.business_unit
		51 |   application_name  = var.account_info.application_name
		52 |   environment       = var.account_info.mp_environment
		53 |   region            = "eu-west-2"
		54 |   availability_zone = var.availability_zone
		55 |   subnet_id         = var.subnet_id
		56 |   tags = merge(var.tags,
		57 |     { Name = "${var.account_info.application_name}-${var.env_name}-${var.db_suffix}-${local.instance_name_index}" },
		58 |     { server-type = var.server_type_tag },
		59 |     { database = local.database_tag },
		60 |     var.enable_platform_backups != null ? { "backup" = var.enable_platform_backups ? "true" : "false" } : {}
		61 |   )
		62 | 
		63 |   cloudwatch_metric_alarms = merge(
		64 |     local.cloudwatch_metric_alarms.ec2
		65 |   )
		66 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.oracle_db_mis.instance
	File: /../../../delius-core/modules/components/oracle_db_instance/instance.tf:23-66
	Calling File: /databases.tf:148-199
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		23 | module "instance" {
		24 |   source = "github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance"
		25 | 
		26 |   providers = {
		27 |     aws.core-vpc = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		28 |   }
		29 | 
		30 |   name = "${var.account_info.application_name}-${var.env_name}-${var.db_suffix}-${local.instance_name_index}" # e.g. dev-boe-db-1
		31 | 
		32 |   ami_name                      = data.aws_ami.oracle_db.name
		33 |   ami_owner                     = var.db_ami.owner
		34 |   instance                      = local.instance_config
		35 |   ebs_kms_key_id                = var.account_config.kms_keys.general_shared
		36 |   ebs_volumes_copy_all_from_ami = true
		37 |   ebs_volume_config             = var.ebs_volume_config
		38 |   ebs_volumes                   = var.ebs_volumes
		39 |   ebs_volume_tags               = var.tags
		40 |   # route53_records               = merge(local.ec2_test.route53_records, lookup(each.value, "route53_records", {})) # revist
		41 |   route53_records = {
		42 |     create_internal_record = false
		43 |     create_external_record = false
		44 |   }
		45 |   iam_resource_names_prefix = "instance"
		46 |   instance_profile_policies = var.instance_profile_policies
		47 | 
		48 |   user_data_raw = base64encode(var.user_data)
		49 | 
		50 |   business_unit     = var.account_info.business_unit
		51 |   application_name  = var.account_info.application_name
		52 |   environment       = var.account_info.mp_environment
		53 |   region            = "eu-west-2"
		54 |   availability_zone = var.availability_zone
		55 |   subnet_id         = var.subnet_id
		56 |   tags = merge(var.tags,
		57 |     { Name = "${var.account_info.application_name}-${var.env_name}-${var.db_suffix}-${local.instance_name_index}" },
		58 |     { server-type = var.server_type_tag },
		59 |     { database = local.database_tag },
		60 |     var.enable_platform_backups != null ? { "backup" = var.enable_platform_backups ? "true" : "false" } : {}
		61 |   )
		62 | 
		63 |   cloudwatch_metric_alarms = merge(
		64 |     local.cloudwatch_metric_alarms.ec2
		65 |   )
		66 | }

Check: CKV_TF_2: "Ensure Terraform module sources use a tag with a version number"
	FAILED for resource: module.oracle_db_mis.instance
	File: /../../../delius-core/modules/components/oracle_db_instance/instance.tf:23-66
	Calling File: /databases.tf:148-199
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-tag

		23 | module "instance" {
		24 |   source = "github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance"
		25 | 
		26 |   providers = {
		27 |     aws.core-vpc = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		28 |   }
		29 | 
		30 |   name = "${var.account_info.application_name}-${var.env_name}-${var.db_suffix}-${local.instance_name_index}" # e.g. dev-boe-db-1
		31 | 
		32 |   ami_name                      = data.aws_ami.oracle_db.name
		33 |   ami_owner                     = var.db_ami.owner
		34 |   instance                      = local.instance_config
		35 |   ebs_kms_key_id                = var.account_config.kms_keys.general_shared
		36 |   ebs_volumes_copy_all_from_ami = true
		37 |   ebs_volume_config             = var.ebs_volume_config
		38 |   ebs_volumes                   = var.ebs_volumes
		39 |   ebs_volume_tags               = var.tags
		40 |   # route53_records               = merge(local.ec2_test.route53_records, lookup(each.value, "route53_records", {})) # revist
		41 |   route53_records = {
		42 |     create_internal_record = false
		43 |     create_external_record = false
		44 |   }
		45 |   iam_resource_names_prefix = "instance"
		46 |   instance_profile_policies = var.instance_profile_policies
		47 | 
		48 |   user_data_raw = base64encode(var.user_data)
		49 | 
		50 |   business_unit     = var.account_info.business_unit
		51 |   application_name  = var.account_info.application_name
		52 |   environment       = var.account_info.mp_environment
		53 |   region            = "eu-west-2"
		54 |   availability_zone = var.availability_zone
		55 |   subnet_id         = var.subnet_id
		56 |   tags = merge(var.tags,
		57 |     { Name = "${var.account_info.application_name}-${var.env_name}-${var.db_suffix}-${local.instance_name_index}" },
		58 |     { server-type = var.server_type_tag },
		59 |     { database = local.database_tag },
		60 |     var.enable_platform_backups != null ? { "backup" = var.enable_platform_backups ? "true" : "false" } : {}
		61 |   )
		62 | 
		63 |   cloudwatch_metric_alarms = merge(
		64 |     local.cloudwatch_metric_alarms.ec2
		65 |   )
		66 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: module.oracle_db_shared["mis-db"].aws_iam_policy_document.allow_access_to_ssm_parameter_store
	File: /../../../delius-core/modules/components/oracle_db_shared/iam.tf:90-99
	Calling File: /databases.tf:13-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		90 | data "aws_iam_policy_document" "allow_access_to_ssm_parameter_store" {
		91 |   statement {
		92 |     sid    = "AllowAccessToSsmParameterStore"
		93 |     effect = "Allow"
		94 |     actions = [
		95 |       "ssm:PutParameter"
		96 |     ]
		97 |     resources = ["*"]
		98 |   }
		99 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.oracle_db_shared["mis-db"].aws_iam_policy_document.allow_access_to_ssm_parameter_store
	File: /../../../delius-core/modules/components/oracle_db_shared/iam.tf:90-99
	Calling File: /databases.tf:13-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		90 | data "aws_iam_policy_document" "allow_access_to_ssm_parameter_store" {
		91 |   statement {
		92 |     sid    = "AllowAccessToSsmParameterStore"
		93 |     effect = "Allow"
		94 |     actions = [
		95 |       "ssm:PutParameter"
		96 |     ]
		97 |     resources = ["*"]
		98 |   }
		99 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: module.oracle_db_shared["mis-db"].aws_iam_policy_document.instance_ssm
	File: /../../../delius-core/modules/components/oracle_db_shared/iam.tf:170-220
	Calling File: /databases.tf:13-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.oracle_db_shared["mis-db"].aws_iam_policy_document.instance_ssm
	File: /../../../delius-core/modules/components/oracle_db_shared/iam.tf:170-220
	Calling File: /databases.tf:13-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_108: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: module.oracle_db_shared["mis-db"].aws_iam_policy_document.instance_ssm
	File: /../../../delius-core/modules/components/oracle_db_shared/iam.tf:170-220
	Calling File: /databases.tf:13-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-data-exfiltration

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.oracle_db_shared["mis-db"].s3_bucket_oracledb_backups
	File: /../../../delius-core/modules/components/oracle_db_shared/s3.tf:22-62
	Calling File: /databases.tf:13-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		22 | module "s3_bucket_oracledb_backups" {
		23 |   source              = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0"
		24 |   bucket_name         = local.oracle_backup_bucket_prefix
		25 |   versioning_enabled  = false
		26 |   ownership_controls  = "BucketOwnerEnforced"
		27 |   replication_enabled = false
		28 |   custom_kms_key      = var.account_config.kms_keys.general_shared
		29 |   bucket_policy = try([data.aws_iam_policy_document.s3_bucket_oracledb_backups[0].json], [
		30 |     "{}"
		31 |   ])
		32 | 
		33 |   providers = {
		34 |     aws.bucket-replication = aws.bucket-replication
		35 |   }
		36 | 
		37 |   lifecycle_rule = [
		38 |     {
		39 |       id      = "main"
		40 |       enabled = "Enabled"
		41 |       prefix  = ""
		42 | 
		43 |       tags = {
		44 |         rule      = "log"
		45 |         autoclean = "true"
		46 |       }
		47 | 
		48 |       transition = [
		49 |         {
		50 |           days          = 90
		51 |           storage_class = "STANDARD_IA"
		52 |         }
		53 |       ]
		54 | 
		55 |       expiration = {
		56 |         days = 365
		57 |       }
		58 |     }
		59 |   ]
		60 | 
		61 |   tags = var.tags
		62 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.oracle_db_shared["mis-db"].s3_bucket_oracle_statistics
	File: /../../../delius-core/modules/components/oracle_db_shared/s3.tf:334-375
	Calling File: /databases.tf:13-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		334 | module "s3_bucket_oracle_statistics" {
		335 |   count = var.deploy_oracle_stats ? 1 : 0
		336 | 
		337 |   source              = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0"
		338 |   bucket_name         = "${var.account_info.application_name}-${var.env_name}-oracle-${var.db_suffix}-statistics-backup-data"
		339 |   versioning_enabled  = false
		340 |   ownership_controls  = "BucketOwnerEnforced"
		341 |   replication_enabled = false
		342 |   custom_kms_key      = var.account_config.kms_keys.general_shared
		343 |   bucket_policy = try([data.aws_iam_policy_document.s3_bucket_oracle_statistics[0].json], [
		344 |     "{}"
		345 |   ])
		346 |   providers = {
		347 |     aws.bucket-replication = aws.bucket-replication
		348 |   }
		349 | 
		350 |   lifecycle_rule = [
		351 |     {
		352 |       id      = "main"
		353 |       enabled = "Enabled"
		354 |       prefix  = ""
		355 | 
		356 |       tags = {
		357 |         rule      = "log"
		358 |         autoclean = "true"
		359 |       }
		360 | 
		361 |       transition = [
		362 |         {
		363 |           days          = 90
		364 |           storage_class = "STANDARD_IA"
		365 |         }
		366 |       ]
		367 | 
		368 |       expiration = {
		369 |         days = 365
		370 |       }
		371 |     }
		372 |   ]
		373 | 
		374 |   tags = var.tags
		375 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.oracle_db_shared["mis-db"].aws_iam_policy_document.database_dba_passwords
	File: /../../../delius-core/modules/components/oracle_db_shared/secrets.tf:15-26
	Calling File: /databases.tf:13-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		15 | data "aws_iam_policy_document" "database_dba_passwords" {
		16 |   statement {
		17 |     sid    = "OemAWSAccountToReadTheSecret"
		18 |     effect = "Allow"
		19 |     principals {
		20 |       type        = "AWS"
		21 |       identifiers = ["arn:aws:iam::${local.oem_account_id}:role/EC2OracleEnterpriseManagementSecretsRole"]
		22 |     }
		23 |     actions   = ["secretsmanager:GetSecretValue"]
		24 |     resources = ["*"]
		25 |   }
		26 | }

Check: CKV_AWS_108: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: module.oracle_db_shared["mis-db"].aws_iam_policy_document.database_dba_passwords
	File: /../../../delius-core/modules/components/oracle_db_shared/secrets.tf:15-26
	Calling File: /databases.tf:13-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-data-exfiltration

		15 | data "aws_iam_policy_document" "database_dba_passwords" {
		16 |   statement {
		17 |     sid    = "OemAWSAccountToReadTheSecret"
		18 |     effect = "Allow"
		19 |     principals {
		20 |       type        = "AWS"
		21 |       identifiers = ["arn:aws:iam::${local.oem_account_id}:role/EC2OracleEnterpriseManagementSecretsRole"]
		22 |     }
		23 |     actions   = ["secretsmanager:GetSecretValue"]
		24 |     resources = ["*"]
		25 |   }
		26 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: module.oracle_db_shared["mis-db"].aws_vpc_security_group_ingress_rule.delius_db_security_group_ssh_ingress_bastion
	File: /../../../delius-core/modules/components/oracle_db_shared/sg.tf:76-83
	Calling File: /databases.tf:13-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		76 | resource "aws_vpc_security_group_ingress_rule" "delius_db_security_group_ssh_ingress_bastion" {
		77 |   security_group_id            = aws_security_group.db_ec2.id
		78 |   description                  = "bastion to testing db"
		79 |   from_port                    = 22
		80 |   to_port                      = 22
		81 |   ip_protocol                  = "tcp"
		82 |   referenced_security_group_id = var.bastion_sg_id
		83 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: module.oracle_db_shared["mis-db"].aws_vpc_security_group_ingress_rule.delius_db_oem_db
	File: /../../../delius-core/modules/components/oracle_db_shared/sg.tf:85-91
	Calling File: /databases.tf:13-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		85 | resource "aws_vpc_security_group_ingress_rule" "delius_db_oem_db" {
		86 |   ip_protocol       = "tcp"
		87 |   from_port         = local.db_port
		88 |   to_port           = local.db_tcps_port
		89 |   cidr_ipv4         = var.account_config.shared_vpc_cidr
		90 |   security_group_id = aws_security_group.db_ec2.id
		91 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: module.oracle_db_shared["mis-db"].aws_vpc_security_group_ingress_rule.delius_db_oem_agent
	File: /../../../delius-core/modules/components/oracle_db_shared/sg.tf:105-111
	Calling File: /databases.tf:13-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		105 | resource "aws_vpc_security_group_ingress_rule" "delius_db_oem_agent" {
		106 |   ip_protocol       = "tcp"
		107 |   from_port         = 3872
		108 |   to_port           = 3872
		109 |   cidr_ipv4         = var.account_config.shared_vpc_cidr
		110 |   security_group_id = aws_security_group.db_ec2.id
		111 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: module.oracle_db_shared["mis-db"].aws_vpc_security_group_egress_rule.delius_db_oem_upload
	File: /../../../delius-core/modules/components/oracle_db_shared/sg.tf:113-119
	Calling File: /databases.tf:13-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		113 | resource "aws_vpc_security_group_egress_rule" "delius_db_oem_upload" {
		114 |   ip_protocol       = "tcp"
		115 |   from_port         = 4903
		116 |   to_port           = 4903
		117 |   cidr_ipv4         = var.account_config.shared_vpc_cidr
		118 |   security_group_id = aws_security_group.db_ec2.id
		119 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: module.oracle_db_shared["mis-db"].aws_vpc_security_group_egress_rule.delius_db_oem_console
	File: /../../../delius-core/modules/components/oracle_db_shared/sg.tf:121-128
	Calling File: /databases.tf:13-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		121 | resource "aws_vpc_security_group_egress_rule" "delius_db_oem_console" {
		122 |   ip_protocol = "tcp"
		123 |   from_port   = 7803
		124 |   to_port     = 7803
		125 |   cidr_ipv4   = var.account_config.shared_vpc_cidr
		126 | 
		127 |   security_group_id = aws_security_group.db_ec2.id
		128 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.oracle_db_shared["mis-db"].s3_bucket_ssh_keys
	File: /../../../delius-core/modules/components/oracle_db_shared/ssh_keys.tf:2-45
	Calling File: /databases.tf:13-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		2  | module "s3_bucket_ssh_keys" {
		3  | 
		4  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0"
		5  | 
		6  |   bucket_name = "${var.account_info.application_name}-${var.env_name}-oracle-${var.db_suffix}-ssh-keys"
		7  | 
		8  |   versioning_enabled  = false
		9  |   ownership_controls  = "BucketOwnerEnforced"
		10 |   replication_enabled = false
		11 |   custom_kms_key      = var.account_config.kms_keys.general_shared
		12 | 
		13 |   providers = {
		14 |     aws.bucket-replication = aws.bucket-replication
		15 |   }
		16 | 
		17 |   lifecycle_rule = [
		18 |     {
		19 |       id      = "main"
		20 |       enabled = "Enabled"
		21 |       prefix  = ""
		22 | 
		23 |       tags = {
		24 |         rule      = "log"
		25 |         autoclean = "true"
		26 |       }
		27 | 
		28 |       noncurrent_version_transition = [
		29 |         {
		30 |           days          = 90
		31 |           storage_class = "STANDARD_IA"
		32 |           }, {
		33 |           days          = 365
		34 |           storage_class = "GLACIER"
		35 |         }
		36 |       ]
		37 | 
		38 |       noncurrent_version_expiration = {
		39 |         days = 730
		40 |       }
		41 |     }
		42 |   ]
		43 | 
		44 |   tags = var.tags
		45 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: module.oracle_db_shared["mis-db"].aws_ssm_parameter.rman_password
	File: /../../../delius-core/modules/components/oracle_db_shared/ssm.tf:1-10
	Calling File: /databases.tf:13-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		1  | resource "aws_ssm_parameter" "rman_password" {
		2  |   name  = "/${var.account_info.application_name}-${var.env_name}/delius/oracle-${var.db_suffix}-operation/rman/rman_password"
		3  |   type  = "SecureString"
		4  |   value = "REPLACE"
		5  |   lifecycle {
		6  |     ignore_changes = [
		7  |       value,
		8  |     ]
		9  |   }
		10 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: bcs_instance
	File: /bcs.tf:6-61
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_TF_2: "Ensure Terraform module sources use a tag with a version number"
	FAILED for resource: bcs_instance
	File: /bcs.tf:6-61
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-tag

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.bcs
	File: /bcs.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		1 | resource "aws_security_group" "bcs" {
		2 |   name_prefix = "${var.env_name}-bcs"
		3 |   vpc_id      = var.account_info.vpc_id
		4 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: bps_instance
	File: /bps.tf:6-61
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_TF_2: "Ensure Terraform module sources use a tag with a version number"
	FAILED for resource: bps_instance
	File: /bps.tf:6-61
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-tag

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.bps
	File: /bps.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		1 | resource "aws_security_group" "bps" {
		2 |   name_prefix = "${var.env_name}-bps"
		3 |   vpc_id      = var.account_info.vpc_id
		4 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: bws_instance
	File: /bws.tf:6-61
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_TF_2: "Ensure Terraform module sources use a tag with a version number"
	FAILED for resource: bws_instance
	File: /bws.tf:6-61
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-tag

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.bws
	File: /bws.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		1 | resource "aws_security_group" "bws" {
		2 |   name_prefix = "${var.env_name}-bws"
		3 |   vpc_id      = var.account_info.vpc_id
		4 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.ad_admin_password
	File: /directory_service.tf:29-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		29 | resource "aws_secretsmanager_secret" "ad_admin_password" {
		30 |   name                    = "${var.app_name}-${var.env_name}-ad-admin-password"
		31 |   recovery_window_in_days = 0
		32 | 
		33 |   tags = merge(
		34 |     var.tags,
		35 |     {
		36 |       Name = "${var.app_name}-${var.env_name}-ad-admin-password"
		37 |     }
		38 |   )
		39 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.active_directory
	File: /directory_service.tf:49-52
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		49 | resource "aws_cloudwatch_log_group" "active_directory" {
		50 |   name              = "/aws/directoryservice/${aws_directory_service_directory.mis_ad.id}"
		51 |   retention_in_days = 14
		52 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.active_directory
	File: /directory_service.tf:49-52
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		49 | resource "aws_cloudwatch_log_group" "active_directory" {
		50 |   name              = "/aws/directoryservice/${aws_directory_service_directory.mis_ad.id}"
		51 |   retention_in_days = 14
		52 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: dis_instance
	File: /dis.tf:6-61
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_TF_2: "Ensure Terraform module sources use a tag with a version number"
	FAILED for resource: dis_instance
	File: /dis.tf:6-61
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-tag

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.dis
	File: /dis.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		1 | resource "aws_security_group" "dis" {
		2 |   name_prefix = "${var.env_name}-dis"
		3 |   vpc_id      = var.account_info.vpc_id
		4 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: pagerduty_core_alerts
	File: /pagerduty.tf:12-21
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		12 | module "pagerduty_core_alerts" {
		13 | 
		14 |   depends_on = [
		15 |     aws_sns_topic.delius_mis_alarms
		16 |   ]
		17 | 
		18 |   source                    = "github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0"
		19 |   sns_topics                = [aws_sns_topic.delius_mis_alarms.name]
		20 |   pagerduty_integration_key = var.pagerduty_integration_key
		21 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.delius_mis_alarms
	File: /pagerduty.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		1  | resource "aws_sns_topic" "delius_mis_alarms" {
		2  |   name = "${var.app_name}-${var.env_name}-sns-topic"
		3  | 
		4  |   tags = merge(
		5  |     var.tags,
		6  |     {
		7  |       Name = "${var.app_name}-${var.env_name}-sns-topic"
		8  |     }
		9  |   )
		10 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_ingress_rule.icmp
	File: /sg_legacy.tf:8-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		8  | resource "aws_vpc_security_group_ingress_rule" "icmp" {
		9  |   security_group_id = aws_security_group.legacy.id
		10 |   cidr_ipv4         = var.environment_config.legacy_counterpart_vpc_cidr
		11 |   ip_protocol       = "icmp"
		12 |   from_port         = -1
		13 |   to_port           = -1
		14 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.icmp
	File: /sg_legacy.tf:16-22
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		16 | resource "aws_vpc_security_group_egress_rule" "icmp" {
		17 |   security_group_id = aws_security_group.legacy.id
		18 |   cidr_ipv4         = var.environment_config.legacy_counterpart_vpc_cidr
		19 |   ip_protocol       = "icmp"
		20 |   from_port         = -1
		21 |   to_port           = -1
		22 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.http_s
	File: /sg_shared.tf:8-16
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		8  | resource "aws_vpc_security_group_egress_rule" "http_s" {
		9  |   for_each = toset(["80", "443"])
		10 | 
		11 |   security_group_id = aws_security_group.mis_ec2_shared.id
		12 |   cidr_ipv4         = "0.0.0.0/0"
		13 |   ip_protocol       = "tcp"
		14 |   from_port         = each.key
		15 |   to_port           = each.key
		16 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.fleet_manager
	File: /sg_shared.tf:18-24
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		18 | resource "aws_vpc_security_group_egress_rule" "fleet_manager" {
		19 |   security_group_id = aws_security_group.mis_ec2_shared.id
		20 |   cidr_ipv4         = "0.0.0.0/0"
		21 |   ip_protocol       = "tcp"
		22 |   from_port         = 3389
		23 |   to_port           = 3389
		24 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_ingress_rule.fleet_manager
	File: /sg_shared.tf:26-32
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		26 | resource "aws_vpc_security_group_ingress_rule" "fleet_manager" {
		27 |   security_group_id = aws_security_group.mis_ec2_shared.id
		28 |   cidr_ipv4         = "0.0.0.0/0"
		29 |   ip_protocol       = "tcp"
		30 |   from_port         = 3389
		31 |   to_port           = 3389
		32 | }

Check: CKV_AWS_25: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389"
	FAILED for resource: aws_vpc_security_group_ingress_rule.fleet_manager
	File: /sg_shared.tf:26-32
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-2

		26 | resource "aws_vpc_security_group_ingress_rule" "fleet_manager" {
		27 |   security_group_id = aws_security_group.mis_ec2_shared.id
		28 |   cidr_ipv4         = "0.0.0.0/0"
		29 |   ip_protocol       = "tcp"
		30 |   from_port         = 3389
		31 |   to_port           = 3389
		32 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3_bucket_ssm_sessions
	File: /ssm.tf:4-16
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		4  | module "s3_bucket_ssm_sessions" {
		5  | 
		6  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0"
		7  | 
		8  |   bucket_prefix      = "${var.account_info.application_name}-${var.env_name}-ssm-sessions"
		9  |   versioning_enabled = false
		10 | 
		11 |   providers = {
		12 |     aws.bucket-replication = aws
		13 |   }
		14 | 
		15 |   tags = var.tags
		16 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: module.cloudwatch_alarms_disable.aws_lambda_function.disable_alarms
	File: /../../../../modules/disable_alarms_lambda/main.tf:8-25
	Calling File: /cloudwatch_disable.tf:1-7
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		8  | resource "aws_lambda_function" "disable_alarms" {
		9  |   filename         = "${path.module}/lambda/disable_alarms.zip"
		10 |   function_name    = var.lambda_function_name
		11 |   architectures    = ["arm64"]
		12 |   role             = aws_iam_role.lambda_exec.arn
		13 |   runtime          = "python3.12"
		14 |   handler          = "disable_alarms.lambda_handler"
		15 |   source_code_hash = data.archive_file.lambda_function_payload.output_base64sha256
		16 | 
		17 |   environment {
		18 |     variables = {
		19 |       LOG_LEVEL       = var.lambda_log_level
		20 |       SPECIFIC_ALARMS = tostring(join(",", var.alarm_list))
		21 |     }
		22 |   }
		23 | 
		24 |   tags = var.tags
		25 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: module.cloudwatch_alarms_disable.aws_lambda_function.disable_alarms
	File: /../../../../modules/disable_alarms_lambda/main.tf:8-25
	Calling File: /cloudwatch_disable.tf:1-7
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		8  | resource "aws_lambda_function" "disable_alarms" {
		9  |   filename         = "${path.module}/lambda/disable_alarms.zip"
		10 |   function_name    = var.lambda_function_name
		11 |   architectures    = ["arm64"]
		12 |   role             = aws_iam_role.lambda_exec.arn
		13 |   runtime          = "python3.12"
		14 |   handler          = "disable_alarms.lambda_handler"
		15 |   source_code_hash = data.archive_file.lambda_function_payload.output_base64sha256
		16 | 
		17 |   environment {
		18 |     variables = {
		19 |       LOG_LEVEL       = var.lambda_log_level
		20 |       SPECIFIC_ALARMS = tostring(join(",", var.alarm_list))
		21 |     }
		22 |   }
		23 | 
		24 |   tags = var.tags
		25 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: module.cloudwatch_alarms_disable.aws_lambda_function.disable_alarms
	File: /../../../../modules/disable_alarms_lambda/main.tf:8-25
	Calling File: /cloudwatch_disable.tf:1-7
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		8  | resource "aws_lambda_function" "disable_alarms" {
		9  |   filename         = "${path.module}/lambda/disable_alarms.zip"
		10 |   function_name    = var.lambda_function_name
		11 |   architectures    = ["arm64"]
		12 |   role             = aws_iam_role.lambda_exec.arn
		13 |   runtime          = "python3.12"
		14 |   handler          = "disable_alarms.lambda_handler"
		15 |   source_code_hash = data.archive_file.lambda_function_payload.output_base64sha256
		16 | 
		17 |   environment {
		18 |     variables = {
		19 |       LOG_LEVEL       = var.lambda_log_level
		20 |       SPECIFIC_ALARMS = tostring(join(",", var.alarm_list))
		21 |     }
		22 |   }
		23 | 
		24 |   tags = var.tags
		25 | }

Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
	FAILED for resource: module.cloudwatch_alarms_disable.aws_lambda_function.disable_alarms
	File: /../../../../modules/disable_alarms_lambda/main.tf:8-25
	Calling File: /cloudwatch_disable.tf:1-7
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1

		8  | resource "aws_lambda_function" "disable_alarms" {
		9  |   filename         = "${path.module}/lambda/disable_alarms.zip"
		10 |   function_name    = var.lambda_function_name
		11 |   architectures    = ["arm64"]
		12 |   role             = aws_iam_role.lambda_exec.arn
		13 |   runtime          = "python3.12"
		14 |   handler          = "disable_alarms.lambda_handler"
		15 |   source_code_hash = data.archive_file.lambda_function_payload.output_base64sha256
		16 | 
		17 |   environment {
		18 |     variables = {
		19 |       LOG_LEVEL       = var.lambda_log_level
		20 |       SPECIFIC_ALARMS = tostring(join(",", var.alarm_list))
		21 |     }
		22 |   }
		23 | 
		24 |   tags = var.tags
		25 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: module.cloudwatch_alarms_disable.aws_lambda_function.disable_alarms
	File: /../../../../modules/disable_alarms_lambda/main.tf:8-25
	Calling File: /cloudwatch_disable.tf:1-7
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		8  | resource "aws_lambda_function" "disable_alarms" {
		9  |   filename         = "${path.module}/lambda/disable_alarms.zip"
		10 |   function_name    = var.lambda_function_name
		11 |   architectures    = ["arm64"]
		12 |   role             = aws_iam_role.lambda_exec.arn
		13 |   runtime          = "python3.12"
		14 |   handler          = "disable_alarms.lambda_handler"
		15 |   source_code_hash = data.archive_file.lambda_function_payload.output_base64sha256
		16 | 
		17 |   environment {
		18 |     variables = {
		19 |       LOG_LEVEL       = var.lambda_log_level
		20 |       SPECIFIC_ALARMS = tostring(join(",", var.alarm_list))
		21 |     }
		22 |   }
		23 | 
		24 |   tags = var.tags
		25 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: module.cloudwatch_alarms_disable.aws_lambda_function.disable_alarms
	File: /../../../../modules/disable_alarms_lambda/main.tf:8-25
	Calling File: /cloudwatch_disable.tf:1-7
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		8  | resource "aws_lambda_function" "disable_alarms" {
		9  |   filename         = "${path.module}/lambda/disable_alarms.zip"
		10 |   function_name    = var.lambda_function_name
		11 |   architectures    = ["arm64"]
		12 |   role             = aws_iam_role.lambda_exec.arn
		13 |   runtime          = "python3.12"
		14 |   handler          = "disable_alarms.lambda_handler"
		15 |   source_code_hash = data.archive_file.lambda_function_payload.output_base64sha256
		16 | 
		17 |   environment {
		18 |     variables = {
		19 |       LOG_LEVEL       = var.lambda_log_level
		20 |       SPECIFIC_ALARMS = tostring(join(",", var.alarm_list))
		21 |     }
		22 |   }
		23 | 
		24 |   tags = var.tags
		25 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: module.cloudwatch_alarms_disable.aws_cloudwatch_log_group.execution_logs
	File: /../../../../modules/disable_alarms_lambda/main.tf:27-32
	Calling File: /cloudwatch_disable.tf:1-7
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		27 | resource "aws_cloudwatch_log_group" "execution_logs" {
		28 |   name              = format("/aws/lambda/%s", var.lambda_function_name)
		29 |   retention_in_days = 7
		30 | 
		31 |   tags = var.tags
		32 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: module.cloudwatch_alarms_disable.aws_cloudwatch_log_group.execution_logs
	File: /../../../../modules/disable_alarms_lambda/main.tf:27-32
	Calling File: /cloudwatch_disable.tf:1-7
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		27 | resource "aws_cloudwatch_log_group" "execution_logs" {
		28 |   name              = format("/aws/lambda/%s", var.lambda_function_name)
		29 |   retention_in_days = 7
		30 | 
		31 |   tags = var.tags
		32 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: module.cloudwatch_alarms_schedule.aws_lambda_function.alarm_scheduler
	File: /../../../../modules/schedule_alarms_lambda/main.tf:8-26
	Calling File: /alarm_scheduler.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		8  | resource "aws_lambda_function" "alarm_scheduler" {
		9  |   filename         = "${path.module}/lambda/alarm_scheduler.zip"
		10 |   function_name    = var.lambda_function_name
		11 |   architectures    = ["arm64"]
		12 |   role             = aws_iam_role.lambda_exec.arn
		13 |   runtime          = "python3.12"
		14 |   handler          = "alarm_scheduler.lambda_handler"
		15 |   source_code_hash = data.archive_file.lambda_function_payload.output_base64sha256
		16 |   timeout          = 10
		17 | 
		18 |   environment {
		19 |     variables = {
		20 |       LOG_LEVEL       = var.lambda_log_level
		21 |       SPECIFIC_ALARMS = tostring(join(",", var.alarm_list))
		22 |     }
		23 |   }
		24 | 
		25 |   tags = var.tags
		26 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: module.cloudwatch_alarms_schedule.aws_lambda_function.alarm_scheduler
	File: /../../../../modules/schedule_alarms_lambda/main.tf:8-26
	Calling File: /alarm_scheduler.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		8  | resource "aws_lambda_function" "alarm_scheduler" {
		9  |   filename         = "${path.module}/lambda/alarm_scheduler.zip"
		10 |   function_name    = var.lambda_function_name
		11 |   architectures    = ["arm64"]
		12 |   role             = aws_iam_role.lambda_exec.arn
		13 |   runtime          = "python3.12"
		14 |   handler          = "alarm_scheduler.lambda_handler"
		15 |   source_code_hash = data.archive_file.lambda_function_payload.output_base64sha256
		16 |   timeout          = 10
		17 | 
		18 |   environment {
		19 |     variables = {
		20 |       LOG_LEVEL       = var.lambda_log_level
		21 |       SPECIFIC_ALARMS = tostring(join(",", var.alarm_list))
		22 |     }
		23 |   }
		24 | 
		25 |   tags = var.tags
		26 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: module.cloudwatch_alarms_schedule.aws_lambda_function.alarm_scheduler
	File: /../../../../modules/schedule_alarms_lambda/main.tf:8-26
	Calling File: /alarm_scheduler.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		8  | resource "aws_lambda_function" "alarm_scheduler" {
		9  |   filename         = "${path.module}/lambda/alarm_scheduler.zip"
		10 |   function_name    = var.lambda_function_name
		11 |   architectures    = ["arm64"]
		12 |   role             = aws_iam_role.lambda_exec.arn
		13 |   runtime          = "python3.12"
		14 |   handler          = "alarm_scheduler.lambda_handler"
		15 |   source_code_hash = data.archive_file.lambda_function_payload.output_base64sha256
		16 |   timeout          = 10
		17 | 
		18 |   environment {
		19 |     variables = {
		20 |       LOG_LEVEL       = var.lambda_log_level
		21 |       SPECIFIC_ALARMS = tostring(join(",", var.alarm_list))
		22 |     }
		23 |   }
		24 | 
		25 |   tags = var.tags
		26 | }

Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
	FAILED for resource: module.cloudwatch_alarms_schedule.aws_lambda_function.alarm_scheduler
	File: /../../../../modules/schedule_alarms_lambda/main.tf:8-26
	Calling File: /alarm_scheduler.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1

		8  | resource "aws_lambda_function" "alarm_scheduler" {
		9  |   filename         = "${path.module}/lambda/alarm_scheduler.zip"
		10 |   function_name    = var.lambda_function_name
		11 |   architectures    = ["arm64"]
		12 |   role             = aws_iam_role.lambda_exec.arn
		13 |   runtime          = "python3.12"
		14 |   handler          = "alarm_scheduler.lambda_handler"
		15 |   source_code_hash = data.archive_file.lambda_function_payload.output_base64sha256
		16 |   timeout          = 10
		17 | 
		18 |   environment {
		19 |     variables = {
		20 |       LOG_LEVEL       = var.lambda_log_level
		21 |       SPECIFIC_ALARMS = tostring(join(",", var.alarm_list))
		22 |     }
		23 |   }
		24 | 
		25 |   tags = var.tags
		26 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: module.cloudwatch_alarms_schedule.aws_lambda_function.alarm_scheduler
	File: /../../../../modules/schedule_alarms_lambda/main.tf:8-26
	Calling File: /alarm_scheduler.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		8  | resource "aws_lambda_function" "alarm_scheduler" {
		9  |   filename         = "${path.module}/lambda/alarm_scheduler.zip"
		10 |   function_name    = var.lambda_function_name
		11 |   architectures    = ["arm64"]
		12 |   role             = aws_iam_role.lambda_exec.arn
		13 |   runtime          = "python3.12"
		14 |   handler          = "alarm_scheduler.lambda_handler"
		15 |   source_code_hash = data.archive_file.lambda_function_payload.output_base64sha256
		16 |   timeout          = 10
		17 | 
		18 |   environment {
		19 |     variables = {
		20 |       LOG_LEVEL       = var.lambda_log_level
		21 |       SPECIFIC_ALARMS = tostring(join(",", var.alarm_list))
		22 |     }
		23 |   }
		24 | 
		25 |   tags = var.tags
		26 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: module.cloudwatch_alarms_schedule.aws_lambda_function.alarm_scheduler
	File: /../../../../modules/schedule_alarms_lambda/main.tf:8-26
	Calling File: /alarm_scheduler.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		8  | resource "aws_lambda_function" "alarm_scheduler" {
		9  |   filename         = "${path.module}/lambda/alarm_scheduler.zip"
		10 |   function_name    = var.lambda_function_name
		11 |   architectures    = ["arm64"]
		12 |   role             = aws_iam_role.lambda_exec.arn
		13 |   runtime          = "python3.12"
		14 |   handler          = "alarm_scheduler.lambda_handler"
		15 |   source_code_hash = data.archive_file.lambda_function_payload.output_base64sha256
		16 |   timeout          = 10
		17 | 
		18 |   environment {
		19 |     variables = {
		20 |       LOG_LEVEL       = var.lambda_log_level
		21 |       SPECIFIC_ALARMS = tostring(join(",", var.alarm_list))
		22 |     }
		23 |   }
		24 | 
		25 |   tags = var.tags
		26 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: module.cloudwatch_alarms_schedule.aws_cloudwatch_log_group.execution_logs
	File: /../../../../modules/schedule_alarms_lambda/main.tf:28-33
	Calling File: /alarm_scheduler.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		28 | resource "aws_cloudwatch_log_group" "execution_logs" {
		29 |   name              = format("/aws/lambda/%s", var.lambda_function_name)
		30 |   retention_in_days = 7
		31 | 
		32 |   tags = var.tags
		33 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: module.cloudwatch_alarms_schedule.aws_cloudwatch_log_group.execution_logs
	File: /../../../../modules/schedule_alarms_lambda/main.tf:28-33
	Calling File: /alarm_scheduler.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		28 | resource "aws_cloudwatch_log_group" "execution_logs" {
		29 |   name              = format("/aws/lambda/%s", var.lambda_function_name)
		30 |   retention_in_days = 7
		31 | 
		32 |   tags = var.tags
		33 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: module.oracle_db_shared["dsd-db"].aws_iam_policy_document.allow_access_to_ssm_parameter_store
	File: /../../../delius-core/modules/components/oracle_db_shared/iam.tf:90-99
	Calling File: /databases.tf:13-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		90 | data "aws_iam_policy_document" "allow_access_to_ssm_parameter_store" {
		91 |   statement {
		92 |     sid    = "AllowAccessToSsmParameterStore"
		93 |     effect = "Allow"
		94 |     actions = [
		95 |       "ssm:PutParameter"
		96 |     ]
		97 |     resources = ["*"]
		98 |   }
		99 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.oracle_db_shared["dsd-db"].aws_iam_policy_document.allow_access_to_ssm_parameter_store
	File: /../../../delius-core/modules/components/oracle_db_shared/iam.tf:90-99
	Calling File: /databases.tf:13-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		90 | data "aws_iam_policy_document" "allow_access_to_ssm_parameter_store" {
		91 |   statement {
		92 |     sid    = "AllowAccessToSsmParameterStore"
		93 |     effect = "Allow"
		94 |     actions = [
		95 |       "ssm:PutParameter"
		96 |     ]
		97 |     resources = ["*"]
		98 |   }
		99 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: module.oracle_db_shared["dsd-db"].aws_iam_policy_document.instance_ssm
	File: /../../../delius-core/modules/components/oracle_db_shared/iam.tf:170-220
	Calling File: /databases.tf:13-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.oracle_db_shared["dsd-db"].aws_iam_policy_document.instance_ssm
	File: /../../../delius-core/modules/components/oracle_db_shared/iam.tf:170-220
	Calling File: /databases.tf:13-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_108: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: module.oracle_db_shared["dsd-db"].aws_iam_policy_document.instance_ssm
	File: /../../../delius-core/modules/components/oracle_db_shared/iam.tf:170-220
	Calling File: /databases.tf:13-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-data-exfiltration

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.oracle_db_shared["dsd-db"].s3_bucket_oracledb_backups
	File: /../../../delius-core/modules/components/oracle_db_shared/s3.tf:22-62
	Calling File: /databases.tf:13-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		22 | module "s3_bucket_oracledb_backups" {
		23 |   source              = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0"
		24 |   bucket_name         = local.oracle_backup_bucket_prefix
		25 |   versioning_enabled  = false
		26 |   ownership_controls  = "BucketOwnerEnforced"
		27 |   replication_enabled = false
		28 |   custom_kms_key      = var.account_config.kms_keys.general_shared
		29 |   bucket_policy = try([data.aws_iam_policy_document.s3_bucket_oracledb_backups[0].json], [
		30 |     "{}"
		31 |   ])
		32 | 
		33 |   providers = {
		34 |     aws.bucket-replication = aws.bucket-replication
		35 |   }
		36 | 
		37 |   lifecycle_rule = [
		38 |     {
		39 |       id      = "main"
		40 |       enabled = "Enabled"
		41 |       prefix  = ""
		42 | 
		43 |       tags = {
		44 |         rule      = "log"
		45 |         autoclean = "true"
		46 |       }
		47 | 
		48 |       transition = [
		49 |         {
		50 |           days          = 90
		51 |           storage_class = "STANDARD_IA"
		52 |         }
		53 |       ]
		54 | 
		55 |       expiration = {
		56 |         days = 365
		57 |       }
		58 |     }
		59 |   ]
		60 | 
		61 |   tags = var.tags
		62 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.oracle_db_shared["dsd-db"].s3_bucket_oracle_statistics
	File: /../../../delius-core/modules/components/oracle_db_shared/s3.tf:334-375
	Calling File: /databases.tf:13-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		334 | module "s3_bucket_oracle_statistics" {
		335 |   count = var.deploy_oracle_stats ? 1 : 0
		336 | 
		337 |   source              = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0"
		338 |   bucket_name         = "${var.account_info.application_name}-${var.env_name}-oracle-${var.db_suffix}-statistics-backup-data"
		339 |   versioning_enabled  = false
		340 |   ownership_controls  = "BucketOwnerEnforced"
		341 |   replication_enabled = false
		342 |   custom_kms_key      = var.account_config.kms_keys.general_shared
		343 |   bucket_policy = try([data.aws_iam_policy_document.s3_bucket_oracle_statistics[0].json], [
		344 |     "{}"
		345 |   ])
		346 |   providers = {
		347 |     aws.bucket-replication = aws.bucket-replication
		348 |   }
		349 | 
		350 |   lifecycle_rule = [
		351 |     {
		352 |       id      = "main"
		353 |       enabled = "Enabled"
		354 |       prefix  = ""
		355 | 
		356 |       tags = {
		357 |         rule      = "log"
		358 |         autoclean = "true"
		359 |       }
		360 | 
		361 |       transition = [
		362 |         {
		363 |           days          = 90
		364 |           storage_class = "STANDARD_IA"
		365 |         }
		366 |       ]
		367 | 
		368 |       expiration = {
		369 |         days = 365
		370 |       }
		371 |     }
		372 |   ]
		373 | 
		374 |   tags = var.tags
		375 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.oracle_db_shared["dsd-db"].aws_iam_policy_document.database_dba_passwords
	File: /../../../delius-core/modules/components/oracle_db_shared/secrets.tf:15-26
	Calling File: /databases.tf:13-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		15 | data "aws_iam_policy_document" "database_dba_passwords" {
		16 |   statement {
		17 |     sid    = "OemAWSAccountToReadTheSecret"
		18 |     effect = "Allow"
		19 |     principals {
		20 |       type        = "AWS"
		21 |       identifiers = ["arn:aws:iam::${local.oem_account_id}:role/EC2OracleEnterpriseManagementSecretsRole"]
		22 |     }
		23 |     actions   = ["secretsmanager:GetSecretValue"]
		24 |     resources = ["*"]
		25 |   }
		26 | }

Check: CKV_AWS_108: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: module.oracle_db_shared["dsd-db"].aws_iam_policy_document.database_dba_passwords
	File: /../../../delius-core/modules/components/oracle_db_shared/secrets.tf:15-26
	Calling File: /databases.tf:13-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-data-exfiltration

		15 | data "aws_iam_policy_document" "database_dba_passwords" {
		16 |   statement {
		17 |     sid    = "OemAWSAccountToReadTheSecret"
		18 |     effect = "Allow"
		19 |     principals {
		20 |       type        = "AWS"
		21 |       identifiers = ["arn:aws:iam::${local.oem_account_id}:role/EC2OracleEnterpriseManagementSecretsRole"]
		22 |     }
		23 |     actions   = ["secretsmanager:GetSecretValue"]
		24 |     resources = ["*"]
		25 |   }
		26 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: module.oracle_db_shared["dsd-db"].aws_vpc_security_group_ingress_rule.delius_db_security_group_ssh_ingress_bastion
	File: /../../../delius-core/modules/components/oracle_db_shared/sg.tf:76-83
	Calling File: /databases.tf:13-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		76 | resource "aws_vpc_security_group_ingress_rule" "delius_db_security_group_ssh_ingress_bastion" {
		77 |   security_group_id            = aws_security_group.db_ec2.id
		78 |   description                  = "bastion to testing db"
		79 |   from_port                    = 22
		80 |   to_port                      = 22
		81 |   ip_protocol                  = "tcp"
		82 |   referenced_security_group_id = var.bastion_sg_id
		83 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: module.oracle_db_shared["dsd-db"].aws_vpc_security_group_ingress_rule.delius_db_oem_db
	File: /../../../delius-core/modules/components/oracle_db_shared/sg.tf:85-91
	Calling File: /databases.tf:13-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		85 | resource "aws_vpc_security_group_ingress_rule" "delius_db_oem_db" {
		86 |   ip_protocol       = "tcp"
		87 |   from_port         = local.db_port
		88 |   to_port           = local.db_tcps_port
		89 |   cidr_ipv4         = var.account_config.shared_vpc_cidr
		90 |   security_group_id = aws_security_group.db_ec2.id
		91 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: module.oracle_db_shared["dsd-db"].aws_vpc_security_group_ingress_rule.delius_db_oem_agent
	File: /../../../delius-core/modules/components/oracle_db_shared/sg.tf:105-111
	Calling File: /databases.tf:13-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		105 | resource "aws_vpc_security_group_ingress_rule" "delius_db_oem_agent" {
		106 |   ip_protocol       = "tcp"
		107 |   from_port         = 3872
		108 |   to_port           = 3872
		109 |   cidr_ipv4         = var.account_config.shared_vpc_cidr
		110 |   security_group_id = aws_security_group.db_ec2.id
		111 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: module.oracle_db_shared["dsd-db"].aws_vpc_security_group_egress_rule.delius_db_oem_upload
	File: /../../../delius-core/modules/components/oracle_db_shared/sg.tf:113-119
	Calling File: /databases.tf:13-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		113 | resource "aws_vpc_security_group_egress_rule" "delius_db_oem_upload" {
		114 |   ip_protocol       = "tcp"
		115 |   from_port         = 4903
		116 |   to_port           = 4903
		117 |   cidr_ipv4         = var.account_config.shared_vpc_cidr
		118 |   security_group_id = aws_security_group.db_ec2.id
		119 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: module.oracle_db_shared["dsd-db"].aws_vpc_security_group_egress_rule.delius_db_oem_console
	File: /../../../delius-core/modules/components/oracle_db_shared/sg.tf:121-128
	Calling File: /databases.tf:13-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		121 | resource "aws_vpc_security_group_egress_rule" "delius_db_oem_console" {
		122 |   ip_protocol = "tcp"
		123 |   from_port   = 7803
		124 |   to_port     = 7803
		125 |   cidr_ipv4   = var.account_config.shared_vpc_cidr
		126 | 
		127 |   security_group_id = aws_security_group.db_ec2.id
		128 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.oracle_db_shared["dsd-db"].s3_bucket_ssh_keys
	File: /../../../delius-core/modules/components/oracle_db_shared/ssh_keys.tf:2-45
	Calling File: /databases.tf:13-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		2  | module "s3_bucket_ssh_keys" {
		3  | 
		4  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0"
		5  | 
		6  |   bucket_name = "${var.account_info.application_name}-${var.env_name}-oracle-${var.db_suffix}-ssh-keys"
		7  | 
		8  |   versioning_enabled  = false
		9  |   ownership_controls  = "BucketOwnerEnforced"
		10 |   replication_enabled = false
		11 |   custom_kms_key      = var.account_config.kms_keys.general_shared
		12 | 
		13 |   providers = {
		14 |     aws.bucket-replication = aws.bucket-replication
		15 |   }
		16 | 
		17 |   lifecycle_rule = [
		18 |     {
		19 |       id      = "main"
		20 |       enabled = "Enabled"
		21 |       prefix  = ""
		22 | 
		23 |       tags = {
		24 |         rule      = "log"
		25 |         autoclean = "true"
		26 |       }
		27 | 
		28 |       noncurrent_version_transition = [
		29 |         {
		30 |           days          = 90
		31 |           storage_class = "STANDARD_IA"
		32 |           }, {
		33 |           days          = 365
		34 |           storage_class = "GLACIER"
		35 |         }
		36 |       ]
		37 | 
		38 |       noncurrent_version_expiration = {
		39 |         days = 730
		40 |       }
		41 |     }
		42 |   ]
		43 | 
		44 |   tags = var.tags
		45 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: module.oracle_db_shared["dsd-db"].aws_ssm_parameter.rman_password
	File: /../../../delius-core/modules/components/oracle_db_shared/ssm.tf:1-10
	Calling File: /databases.tf:13-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		1  | resource "aws_ssm_parameter" "rman_password" {
		2  |   name  = "/${var.account_info.application_name}-${var.env_name}/delius/oracle-${var.db_suffix}-operation/rman/rman_password"
		3  |   type  = "SecureString"
		4  |   value = "REPLACE"
		5  |   lifecycle {
		6  |     ignore_changes = [
		7  |       value,
		8  |     ]
		9  |   }
		10 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: module.oracle_db_shared["boe-db"].aws_iam_policy_document.allow_access_to_ssm_parameter_store
	File: /../../../delius-core/modules/components/oracle_db_shared/iam.tf:90-99
	Calling File: /databases.tf:13-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		90 | data "aws_iam_policy_document" "allow_access_to_ssm_parameter_store" {
		91 |   statement {
		92 |     sid    = "AllowAccessToSsmParameterStore"
		93 |     effect = "Allow"
		94 |     actions = [
		95 |       "ssm:PutParameter"
		96 |     ]
		97 |     resources = ["*"]
		98 |   }
		99 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.oracle_db_shared["boe-db"].aws_iam_policy_document.allow_access_to_ssm_parameter_store
	File: /../../../delius-core/modules/components/oracle_db_shared/iam.tf:90-99
	Calling File: /databases.tf:13-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		90 | data "aws_iam_policy_document" "allow_access_to_ssm_parameter_store" {
		91 |   statement {
		92 |     sid    = "AllowAccessToSsmParameterStore"
		93 |     effect = "Allow"
		94 |     actions = [
		95 |       "ssm:PutParameter"
		96 |     ]
		97 |     resources = ["*"]
		98 |   }
		99 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: module.oracle_db_shared["boe-db"].aws_iam_policy_document.instance_ssm
	File: /../../../delius-core/modules/components/oracle_db_shared/iam.tf:170-220
	Calling File: /databases.tf:13-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.oracle_db_shared["boe-db"].aws_iam_policy_document.instance_ssm
	File: /../../../delius-core/modules/components/oracle_db_shared/iam.tf:170-220
	Calling File: /databases.tf:13-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_108: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: module.oracle_db_shared["boe-db"].aws_iam_policy_document.instance_ssm
	File: /../../../delius-core/modules/components/oracle_db_shared/iam.tf:170-220
	Calling File: /databases.tf:13-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-data-exfiltration

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.oracle_db_shared["boe-db"].s3_bucket_oracledb_backups
	File: /../../../delius-core/modules/components/oracle_db_shared/s3.tf:22-62
	Calling File: /databases.tf:13-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		22 | module "s3_bucket_oracledb_backups" {
		23 |   source              = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0"
		24 |   bucket_name         = local.oracle_backup_bucket_prefix
		25 |   versioning_enabled  = false
		26 |   ownership_controls  = "BucketOwnerEnforced"
		27 |   replication_enabled = false
		28 |   custom_kms_key      = var.account_config.kms_keys.general_shared
		29 |   bucket_policy = try([data.aws_iam_policy_document.s3_bucket_oracledb_backups[0].json], [
		30 |     "{}"
		31 |   ])
		32 | 
		33 |   providers = {
		34 |     aws.bucket-replication = aws.bucket-replication
		35 |   }
		36 | 
		37 |   lifecycle_rule = [
		38 |     {
		39 |       id      = "main"
		40 |       enabled = "Enabled"
		41 |       prefix  = ""
		42 | 
		43 |       tags = {
		44 |         rule      = "log"
		45 |         autoclean = "true"
		46 |       }
		47 | 
		48 |       transition = [
		49 |         {
		50 |           days          = 90
		51 |           storage_class = "STANDARD_IA"
		52 |         }
		53 |       ]
		54 | 
		55 |       expiration = {
		56 |         days = 365
		57 |       }
		58 |     }
		59 |   ]
		60 | 
		61 |   tags = var.tags
		62 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.oracle_db_shared["boe-db"].s3_bucket_oracle_statistics
	File: /../../../delius-core/modules/components/oracle_db_shared/s3.tf:334-375
	Calling File: /databases.tf:13-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		334 | module "s3_bucket_oracle_statistics" {
		335 |   count = var.deploy_oracle_stats ? 1 : 0
		336 | 
		337 |   source              = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0"
		338 |   bucket_name         = "${var.account_info.application_name}-${var.env_name}-oracle-${var.db_suffix}-statistics-backup-data"
		339 |   versioning_enabled  = false
		340 |   ownership_controls  = "BucketOwnerEnforced"
		341 |   replication_enabled = false
		342 |   custom_kms_key      = var.account_config.kms_keys.general_shared
		343 |   bucket_policy = try([data.aws_iam_policy_document.s3_bucket_oracle_statistics[0].json], [
		344 |     "{}"
		345 |   ])
		346 |   providers = {
		347 |     aws.bucket-replication = aws.bucket-replication
		348 |   }
		349 | 
		350 |   lifecycle_rule = [
		351 |     {
		352 |       id      = "main"
		353 |       enabled = "Enabled"
		354 |       prefix  = ""
		355 | 
		356 |       tags = {
		357 |         rule      = "log"
		358 |         autoclean = "true"
		359 |       }
		360 | 
		361 |       transition = [
		362 |         {
		363 |           days          = 90
		364 |           storage_class = "STANDARD_IA"
		365 |         }
		366 |       ]
		367 | 
		368 |       expiration = {
		369 |         days = 365
		370 |       }
		371 |     }
		372 |   ]
		373 | 
		374 |   tags = var.tags
		375 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.oracle_db_shared["boe-db"].aws_iam_policy_document.database_dba_passwords
	File: /../../../delius-core/modules/components/oracle_db_shared/secrets.tf:15-26
	Calling File: /databases.tf:13-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		15 | data "aws_iam_policy_document" "database_dba_passwords" {
		16 |   statement {
		17 |     sid    = "OemAWSAccountToReadTheSecret"
		18 |     effect = "Allow"
		19 |     principals {
		20 |       type        = "AWS"
		21 |       identifiers = ["arn:aws:iam::${local.oem_account_id}:role/EC2OracleEnterpriseManagementSecretsRole"]
		22 |     }
		23 |     actions   = ["secretsmanager:GetSecretValue"]
		24 |     resources = ["*"]
		25 |   }
		26 | }

Check: CKV_AWS_108: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: module.oracle_db_shared["boe-db"].aws_iam_policy_document.database_dba_passwords
	File: /../../../delius-core/modules/components/oracle_db_shared/secrets.tf:15-26
	Calling File: /databases.tf:13-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-data-exfiltration

		15 | data "aws_iam_policy_document" "database_dba_passwords" {
		16 |   statement {
		17 |     sid    = "OemAWSAccountToReadTheSecret"
		18 |     effect = "Allow"
		19 |     principals {
		20 |       type        = "AWS"
		21 |       identifiers = ["arn:aws:iam::${local.oem_account_id}:role/EC2OracleEnterpriseManagementSecretsRole"]
		22 |     }
		23 |     actions   = ["secretsmanager:GetSecretValue"]
		24 |     resources = ["*"]
		25 |   }
		26 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: module.oracle_db_shared["boe-db"].aws_vpc_security_group_ingress_rule.delius_db_security_group_ssh_ingress_bastion
	File: /../../../delius-core/modules/components/oracle_db_shared/sg.tf:76-83
	Calling File: /databases.tf:13-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		76 | resource "aws_vpc_security_group_ingress_rule" "delius_db_security_group_ssh_ingress_bastion" {
		77 |   security_group_id            = aws_security_group.db_ec2.id
		78 |   description                  = "bastion to testing db"
		79 |   from_port                    = 22
		80 |   to_port                      = 22
		81 |   ip_protocol                  = "tcp"
		82 |   referenced_security_group_id = var.bastion_sg_id
		83 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: module.oracle_db_shared["boe-db"].aws_vpc_security_group_ingress_rule.delius_db_oem_db
	File: /../../../delius-core/modules/components/oracle_db_shared/sg.tf:85-91
	Calling File: /databases.tf:13-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		85 | resource "aws_vpc_security_group_ingress_rule" "delius_db_oem_db" {
		86 |   ip_protocol       = "tcp"
		87 |   from_port         = local.db_port
		88 |   to_port           = local.db_tcps_port
		89 |   cidr_ipv4         = var.account_config.shared_vpc_cidr
		90 |   security_group_id = aws_security_group.db_ec2.id
		91 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: module.oracle_db_shared["boe-db"].aws_vpc_security_group_ingress_rule.delius_db_oem_agent
	File: /../../../delius-core/modules/components/oracle_db_shared/sg.tf:105-111
	Calling File: /databases.tf:13-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		105 | resource "aws_vpc_security_group_ingress_rule" "delius_db_oem_agent" {
		106 |   ip_protocol       = "tcp"
		107 |   from_port         = 3872
		108 |   to_port           = 3872
		109 |   cidr_ipv4         = var.account_config.shared_vpc_cidr
		110 |   security_group_id = aws_security_group.db_ec2.id
		111 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: module.oracle_db_shared["boe-db"].aws_vpc_security_group_egress_rule.delius_db_oem_upload
	File: /../../../delius-core/modules/components/oracle_db_shared/sg.tf:113-119
	Calling File: /databases.tf:13-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		113 | resource "aws_vpc_security_group_egress_rule" "delius_db_oem_upload" {
		114 |   ip_protocol       = "tcp"
		115 |   from_port         = 4903
		116 |   to_port           = 4903
		117 |   cidr_ipv4         = var.account_config.shared_vpc_cidr
		118 |   security_group_id = aws_security_group.db_ec2.id
		119 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: module.oracle_db_shared["boe-db"].aws_vpc_security_group_egress_rule.delius_db_oem_console
	File: /../../../delius-core/modules/components/oracle_db_shared/sg.tf:121-128
	Calling File: /databases.tf:13-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		121 | resource "aws_vpc_security_group_egress_rule" "delius_db_oem_console" {
		122 |   ip_protocol = "tcp"
		123 |   from_port   = 7803
		124 |   to_port     = 7803
		125 |   cidr_ipv4   = var.account_config.shared_vpc_cidr
		126 | 
		127 |   security_group_id = aws_security_group.db_ec2.id
		128 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.oracle_db_shared["boe-db"].s3_bucket_ssh_keys
	File: /../../../delius-core/modules/components/oracle_db_shared/ssh_keys.tf:2-45
	Calling File: /databases.tf:13-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		2  | module "s3_bucket_ssh_keys" {
		3  | 
		4  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0"
		5  | 
		6  |   bucket_name = "${var.account_info.application_name}-${var.env_name}-oracle-${var.db_suffix}-ssh-keys"
		7  | 
		8  |   versioning_enabled  = false
		9  |   ownership_controls  = "BucketOwnerEnforced"
		10 |   replication_enabled = false
		11 |   custom_kms_key      = var.account_config.kms_keys.general_shared
		12 | 
		13 |   providers = {
		14 |     aws.bucket-replication = aws.bucket-replication
		15 |   }
		16 | 
		17 |   lifecycle_rule = [
		18 |     {
		19 |       id      = "main"
		20 |       enabled = "Enabled"
		21 |       prefix  = ""
		22 | 
		23 |       tags = {
		24 |         rule      = "log"
		25 |         autoclean = "true"
		26 |       }
		27 | 
		28 |       noncurrent_version_transition = [
		29 |         {
		30 |           days          = 90
		31 |           storage_class = "STANDARD_IA"
		32 |           }, {
		33 |           days          = 365
		34 |           storage_class = "GLACIER"
		35 |         }
		36 |       ]
		37 | 
		38 |       noncurrent_version_expiration = {
		39 |         days = 730
		40 |       }
		41 |     }
		42 |   ]
		43 | 
		44 |   tags = var.tags
		45 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: module.oracle_db_shared["boe-db"].aws_ssm_parameter.rman_password
	File: /../../../delius-core/modules/components/oracle_db_shared/ssm.tf:1-10
	Calling File: /databases.tf:13-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		1  | resource "aws_ssm_parameter" "rman_password" {
		2  |   name  = "/${var.account_info.application_name}-${var.env_name}/delius/oracle-${var.db_suffix}-operation/rman/rman_password"
		3  |   type  = "SecureString"
		4  |   value = "REPLACE"
		5  |   lifecycle {
		6  |     ignore_changes = [
		7  |       value,
		8  |     ]
		9  |   }
		10 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: module.oracle_db_shared["mis-db"].aws_s3_bucket.s3_bucket_oracledb_backups_inventory
	File: /../../../delius-core/modules/components/oracle_db_shared/s3.tf:188-200
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		188 | resource "aws_s3_bucket" "s3_bucket_oracledb_backups_inventory" {
		189 | 
		190 |   bucket = "${local.oracle_backup_bucket_prefix}-inventory"
		191 |   tags = merge(
		192 |     var.tags,
		193 |     {
		194 |       "Name" = "${local.oracle_backup_bucket_prefix}-inventory"
		195 |     },
		196 |     {
		197 |       "Purpose" = "Inventory of Oracle DB Backup Pieces"
		198 |     },
		199 |   )
		200 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: module.oracle_db_shared["dsd-db"].aws_s3_bucket.s3_bucket_oracledb_backups_inventory
	File: /../../../delius-core/modules/components/oracle_db_shared/s3.tf:188-200
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		188 | resource "aws_s3_bucket" "s3_bucket_oracledb_backups_inventory" {
		189 | 
		190 |   bucket = "${local.oracle_backup_bucket_prefix}-inventory"
		191 |   tags = merge(
		192 |     var.tags,
		193 |     {
		194 |       "Name" = "${local.oracle_backup_bucket_prefix}-inventory"
		195 |     },
		196 |     {
		197 |       "Purpose" = "Inventory of Oracle DB Backup Pieces"
		198 |     },
		199 |   )
		200 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: module.oracle_db_shared["boe-db"].aws_s3_bucket.s3_bucket_oracledb_backups_inventory
	File: /../../../delius-core/modules/components/oracle_db_shared/s3.tf:188-200
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		188 | resource "aws_s3_bucket" "s3_bucket_oracledb_backups_inventory" {
		189 | 
		190 |   bucket = "${local.oracle_backup_bucket_prefix}-inventory"
		191 |   tags = merge(
		192 |     var.tags,
		193 |     {
		194 |       "Name" = "${local.oracle_backup_bucket_prefix}-inventory"
		195 |     },
		196 |     {
		197 |       "Purpose" = "Inventory of Oracle DB Backup Pieces"
		198 |     },
		199 |   )
		200 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: module.oracle_db_shared["mis-db"].aws_security_group.db_ec2
	File: /../../../delius-core/modules/components/oracle_db_shared/sg.tf:1-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		1  | resource "aws_security_group" "db_ec2" {
		2  |   name        = "${var.account_info.application_name}-${var.env_name}-${var.db_suffix}-ec2-instance-sg"
		3  |   description = "Controls access to db ec2 instance"
		4  |   vpc_id      = var.account_config.shared_vpc_id
		5  |   tags = merge(var.tags,
		6  |     { Name = "${var.account_info.application_name}-${var.env_name}-${var.db_suffix}-ec2-instance-sg" }
		7  |   )
		8  |   lifecycle {
		9  |     create_before_destroy = true
		10 |   }
		11 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.bcs
	File: /bcs.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		1 | resource "aws_security_group" "bcs" {
		2 |   name_prefix = "${var.env_name}-bcs"
		3 |   vpc_id      = var.account_info.vpc_id
		4 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.bps
	File: /bps.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		1 | resource "aws_security_group" "bps" {
		2 |   name_prefix = "${var.env_name}-bps"
		3 |   vpc_id      = var.account_info.vpc_id
		4 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.bws
	File: /bws.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		1 | resource "aws_security_group" "bws" {
		2 |   name_prefix = "${var.env_name}-bws"
		3 |   vpc_id      = var.account_info.vpc_id
		4 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.dis
	File: /dis.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		1 | resource "aws_security_group" "dis" {
		2 |   name_prefix = "${var.env_name}-dis"
		3 |   vpc_id      = var.account_info.vpc_id
		4 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.fsx
	File: /fsx.tf:22-26
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		22 | resource "aws_security_group" "fsx" {
		23 |   name        = "${var.app_name}-${var.env_name}-fsx"
		24 |   description = "Security group for FSx"
		25 |   vpc_id      = var.account_info.vpc_id
		26 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.legacy
	File: /sg_legacy.tf:1-6
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		1 | resource "aws_security_group" "legacy" {
		2 |   name        = "${var.env_name}-allow-legacy-traffic"
		3 |   description = "Security group to allow connectivity with resources in legacy environments. To be removed once all components have been migrated"
		4 |   vpc_id      = var.account_info.vpc_id
		5 |   tags        = var.tags
		6 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.mis_ec2_shared
	File: /sg_shared.tf:1-6
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		1 | resource "aws_security_group" "mis_ec2_shared" {
		2 |   name        = "${var.env_name}-mis-ec2-shared"
		3 |   description = "Security group to allow connectivity within MP"
		4 |   vpc_id      = var.account_info.vpc_id
		5 |   tags        = var.tags
		6 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: module.oracle_db_shared["dsd-db"].aws_security_group.db_ec2
	File: /../../../delius-core/modules/components/oracle_db_shared/sg.tf:1-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		1  | resource "aws_security_group" "db_ec2" {
		2  |   name        = "${var.account_info.application_name}-${var.env_name}-${var.db_suffix}-ec2-instance-sg"
		3  |   description = "Controls access to db ec2 instance"
		4  |   vpc_id      = var.account_config.shared_vpc_id
		5  |   tags = merge(var.tags,
		6  |     { Name = "${var.account_info.application_name}-${var.env_name}-${var.db_suffix}-ec2-instance-sg" }
		7  |   )
		8  |   lifecycle {
		9  |     create_before_destroy = true
		10 |   }
		11 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: module.oracle_db_shared["boe-db"].aws_security_group.db_ec2
	File: /../../../delius-core/modules/components/oracle_db_shared/sg.tf:1-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		1  | resource "aws_security_group" "db_ec2" {
		2  |   name        = "${var.account_info.application_name}-${var.env_name}-${var.db_suffix}-ec2-instance-sg"
		3  |   description = "Controls access to db ec2 instance"
		4  |   vpc_id      = var.account_config.shared_vpc_id
		5  |   tags = merge(var.tags,
		6  |     { Name = "${var.account_info.application_name}-${var.env_name}-${var.db_suffix}-ec2-instance-sg" }
		7  |   )
		8  |   lifecycle {
		9  |     create_before_destroy = true
		10 |   }
		11 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.oracle_db_shared["mis-db"].aws_s3_bucket.s3_bucket_oracledb_backups_inventory
	File: /../../../delius-core/modules/components/oracle_db_shared/s3.tf:188-200
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		188 | resource "aws_s3_bucket" "s3_bucket_oracledb_backups_inventory" {
		189 | 
		190 |   bucket = "${local.oracle_backup_bucket_prefix}-inventory"
		191 |   tags = merge(
		192 |     var.tags,
		193 |     {
		194 |       "Name" = "${local.oracle_backup_bucket_prefix}-inventory"
		195 |     },
		196 |     {
		197 |       "Purpose" = "Inventory of Oracle DB Backup Pieces"
		198 |     },
		199 |   )
		200 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.oracle_db_shared["dsd-db"].aws_s3_bucket.s3_bucket_oracledb_backups_inventory
	File: /../../../delius-core/modules/components/oracle_db_shared/s3.tf:188-200
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		188 | resource "aws_s3_bucket" "s3_bucket_oracledb_backups_inventory" {
		189 | 
		190 |   bucket = "${local.oracle_backup_bucket_prefix}-inventory"
		191 |   tags = merge(
		192 |     var.tags,
		193 |     {
		194 |       "Name" = "${local.oracle_backup_bucket_prefix}-inventory"
		195 |     },
		196 |     {
		197 |       "Purpose" = "Inventory of Oracle DB Backup Pieces"
		198 |     },
		199 |   )
		200 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.oracle_db_shared["boe-db"].aws_s3_bucket.s3_bucket_oracledb_backups_inventory
	File: /../../../delius-core/modules/components/oracle_db_shared/s3.tf:188-200
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		188 | resource "aws_s3_bucket" "s3_bucket_oracledb_backups_inventory" {
		189 | 
		190 |   bucket = "${local.oracle_backup_bucket_prefix}-inventory"
		191 |   tags = merge(
		192 |     var.tags,
		193 |     {
		194 |       "Name" = "${local.oracle_backup_bucket_prefix}-inventory"
		195 |     },
		196 |     {
		197 |       "Purpose" = "Inventory of Oracle DB Backup Pieces"
		198 |     },
		199 |   )
		200 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.oracle_db_shared["mis-db"].aws_s3_bucket.s3_bucket_oracledb_backups_inventory
	File: /../../../delius-core/modules/components/oracle_db_shared/s3.tf:188-200
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		188 | resource "aws_s3_bucket" "s3_bucket_oracledb_backups_inventory" {
		189 | 
		190 |   bucket = "${local.oracle_backup_bucket_prefix}-inventory"
		191 |   tags = merge(
		192 |     var.tags,
		193 |     {
		194 |       "Name" = "${local.oracle_backup_bucket_prefix}-inventory"
		195 |     },
		196 |     {
		197 |       "Purpose" = "Inventory of Oracle DB Backup Pieces"
		198 |     },
		199 |   )
		200 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.oracle_db_shared["dsd-db"].aws_s3_bucket.s3_bucket_oracledb_backups_inventory
	File: /../../../delius-core/modules/components/oracle_db_shared/s3.tf:188-200
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		188 | resource "aws_s3_bucket" "s3_bucket_oracledb_backups_inventory" {
		189 | 
		190 |   bucket = "${local.oracle_backup_bucket_prefix}-inventory"
		191 |   tags = merge(
		192 |     var.tags,
		193 |     {
		194 |       "Name" = "${local.oracle_backup_bucket_prefix}-inventory"
		195 |     },
		196 |     {
		197 |       "Purpose" = "Inventory of Oracle DB Backup Pieces"
		198 |     },
		199 |   )
		200 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.oracle_db_shared["boe-db"].aws_s3_bucket.s3_bucket_oracledb_backups_inventory
	File: /../../../delius-core/modules/components/oracle_db_shared/s3.tf:188-200
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		188 | resource "aws_s3_bucket" "s3_bucket_oracledb_backups_inventory" {
		189 | 
		190 |   bucket = "${local.oracle_backup_bucket_prefix}-inventory"
		191 |   tags = merge(
		192 |     var.tags,
		193 |     {
		194 |       "Name" = "${local.oracle_backup_bucket_prefix}-inventory"
		195 |     },
		196 |     {
		197 |       "Purpose" = "Inventory of Oracle DB Backup Pieces"
		198 |     },
		199 |   )
		200 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.oracle_db_shared["mis-db"].aws_s3_bucket.s3_bucket_oracledb_backups_inventory
	File: /../../../delius-core/modules/components/oracle_db_shared/s3.tf:188-200
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		188 | resource "aws_s3_bucket" "s3_bucket_oracledb_backups_inventory" {
		189 | 
		190 |   bucket = "${local.oracle_backup_bucket_prefix}-inventory"
		191 |   tags = merge(
		192 |     var.tags,
		193 |     {
		194 |       "Name" = "${local.oracle_backup_bucket_prefix}-inventory"
		195 |     },
		196 |     {
		197 |       "Purpose" = "Inventory of Oracle DB Backup Pieces"
		198 |     },
		199 |   )
		200 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.oracle_db_shared["dsd-db"].aws_s3_bucket.s3_bucket_oracledb_backups_inventory
	File: /../../../delius-core/modules/components/oracle_db_shared/s3.tf:188-200
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		188 | resource "aws_s3_bucket" "s3_bucket_oracledb_backups_inventory" {
		189 | 
		190 |   bucket = "${local.oracle_backup_bucket_prefix}-inventory"
		191 |   tags = merge(
		192 |     var.tags,
		193 |     {
		194 |       "Name" = "${local.oracle_backup_bucket_prefix}-inventory"
		195 |     },
		196 |     {
		197 |       "Purpose" = "Inventory of Oracle DB Backup Pieces"
		198 |     },
		199 |   )
		200 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.oracle_db_shared["boe-db"].aws_s3_bucket.s3_bucket_oracledb_backups_inventory
	File: /../../../delius-core/modules/components/oracle_db_shared/s3.tf:188-200
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		188 | resource "aws_s3_bucket" "s3_bucket_oracledb_backups_inventory" {
		189 | 
		190 |   bucket = "${local.oracle_backup_bucket_prefix}-inventory"
		191 |   tags = merge(
		192 |     var.tags,
		193 |     {
		194 |       "Name" = "${local.oracle_backup_bucket_prefix}-inventory"
		195 |     },
		196 |     {
		197 |       "Purpose" = "Inventory of Oracle DB Backup Pieces"
		198 |     },
		199 |   )
		200 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: module.oracle_db_shared["mis-db"].aws_secretsmanager_secret.database_dba_passwords
	File: /../../../delius-core/modules/components/oracle_db_shared/secrets.tf:3-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		3 | resource "aws_secretsmanager_secret" "database_dba_passwords" {
		4 |   name        = local.dba_secret_name
		5 |   description = "DBA Users Credentials"
		6 |   kms_key_id  = var.account_config.kms_keys.general_shared
		7 |   tags        = var.tags
		8 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: module.oracle_db_shared["mis-db"].aws_secretsmanager_secret.database_application_passwords
	File: /../../../delius-core/modules/components/oracle_db_shared/secrets.tf:34-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		34 | resource "aws_secretsmanager_secret" "database_application_passwords" {
		35 |   name        = local.application_secret_name
		36 |   description = "Application Users Credentials"
		37 |   kms_key_id  = var.account_config.kms_keys.general_shared
		38 |   tags        = var.tags
		39 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.ad_admin_password
	File: /directory_service.tf:29-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		29 | resource "aws_secretsmanager_secret" "ad_admin_password" {
		30 |   name                    = "${var.app_name}-${var.env_name}-ad-admin-password"
		31 |   recovery_window_in_days = 0
		32 | 
		33 |   tags = merge(
		34 |     var.tags,
		35 |     {
		36 |       Name = "${var.app_name}-${var.env_name}-ad-admin-password"
		37 |     }
		38 |   )
		39 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.ad_username
	File: /secrets.tf:3-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		3 | resource "aws_secretsmanager_secret" "ad_username" {
		4 |   #checkov:skip=CKV_AWS_149
		5 |   name                    = "${var.env_name}-legacy-ad-username"
		6 |   recovery_window_in_days = 0
		7 | 
		8 |   tags = var.tags
		9 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.ad_password
	File: /secrets.tf:12-18
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		12 | resource "aws_secretsmanager_secret" "ad_password" {
		13 |   #checkov:skip=CKV_AWS_149
		14 |   name                    = "${var.env_name}-legacy-ad-password"
		15 |   recovery_window_in_days = 0
		16 | 
		17 |   tags = var.tags
		18 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: module.oracle_db_shared["dsd-db"].aws_secretsmanager_secret.database_dba_passwords
	File: /../../../delius-core/modules/components/oracle_db_shared/secrets.tf:3-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		3 | resource "aws_secretsmanager_secret" "database_dba_passwords" {
		4 |   name        = local.dba_secret_name
		5 |   description = "DBA Users Credentials"
		6 |   kms_key_id  = var.account_config.kms_keys.general_shared
		7 |   tags        = var.tags
		8 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: module.oracle_db_shared["dsd-db"].aws_secretsmanager_secret.database_application_passwords
	File: /../../../delius-core/modules/components/oracle_db_shared/secrets.tf:34-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		34 | resource "aws_secretsmanager_secret" "database_application_passwords" {
		35 |   name        = local.application_secret_name
		36 |   description = "Application Users Credentials"
		37 |   kms_key_id  = var.account_config.kms_keys.general_shared
		38 |   tags        = var.tags
		39 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: module.oracle_db_shared["boe-db"].aws_secretsmanager_secret.database_dba_passwords
	File: /../../../delius-core/modules/components/oracle_db_shared/secrets.tf:3-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		3 | resource "aws_secretsmanager_secret" "database_dba_passwords" {
		4 |   name        = local.dba_secret_name
		5 |   description = "DBA Users Credentials"
		6 |   kms_key_id  = var.account_config.kms_keys.general_shared
		7 |   tags        = var.tags
		8 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: module.oracle_db_shared["boe-db"].aws_secretsmanager_secret.database_application_passwords
	File: /../../../delius-core/modules/components/oracle_db_shared/secrets.tf:34-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		34 | resource "aws_secretsmanager_secret" "database_application_passwords" {
		35 |   name        = local.application_secret_name
		36 |   description = "Application Users Credentials"
		37 |   kms_key_id  = var.account_config.kms_keys.general_shared
		38 |   tags        = var.tags
		39 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: module.oracle_db_shared["mis-db"].aws_s3_bucket.s3_bucket_oracledb_backups_inventory
	File: /../../../delius-core/modules/components/oracle_db_shared/s3.tf:188-200
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		188 | resource "aws_s3_bucket" "s3_bucket_oracledb_backups_inventory" {
		189 | 
		190 |   bucket = "${local.oracle_backup_bucket_prefix}-inventory"
		191 |   tags = merge(
		192 |     var.tags,
		193 |     {
		194 |       "Name" = "${local.oracle_backup_bucket_prefix}-inventory"
		195 |     },
		196 |     {
		197 |       "Purpose" = "Inventory of Oracle DB Backup Pieces"
		198 |     },
		199 |   )
		200 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: module.oracle_db_shared["dsd-db"].aws_s3_bucket.s3_bucket_oracledb_backups_inventory
	File: /../../../delius-core/modules/components/oracle_db_shared/s3.tf:188-200
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		188 | resource "aws_s3_bucket" "s3_bucket_oracledb_backups_inventory" {
		189 | 
		190 |   bucket = "${local.oracle_backup_bucket_prefix}-inventory"
		191 |   tags = merge(
		192 |     var.tags,
		193 |     {
		194 |       "Name" = "${local.oracle_backup_bucket_prefix}-inventory"
		195 |     },
		196 |     {
		197 |       "Purpose" = "Inventory of Oracle DB Backup Pieces"
		198 |     },
		199 |   )
		200 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: module.oracle_db_shared["boe-db"].aws_s3_bucket.s3_bucket_oracledb_backups_inventory
	File: /../../../delius-core/modules/components/oracle_db_shared/s3.tf:188-200
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		188 | resource "aws_s3_bucket" "s3_bucket_oracledb_backups_inventory" {
		189 | 
		190 |   bucket = "${local.oracle_backup_bucket_prefix}-inventory"
		191 |   tags = merge(
		192 |     var.tags,
		193 |     {
		194 |       "Name" = "${local.oracle_backup_bucket_prefix}-inventory"
		195 |     },
		196 |     {
		197 |       "Purpose" = "Inventory of Oracle DB Backup Pieces"
		198 |     },
		199 |   )
		200 | }


checkov_exitcode=1

*****************************

Running Checkov in terraform/modules/schedule_alarms_lambda
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
terraform scan results:

Passed checks: 51, Failed checks: 8, Skipped checks: 0

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.alarm_scheduler
	File: /main.tf:8-26
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		8  | resource "aws_lambda_function" "alarm_scheduler" {
		9  |   filename         = "${path.module}/lambda/alarm_scheduler.zip"
		10 |   function_name    = var.lambda_function_name
		11 |   architectures    = ["arm64"]
		12 |   role             = aws_iam_role.lambda_exec.arn
		13 |   runtime          = "python3.12"
		14 |   handler          = "alarm_scheduler.lambda_handler"
		15 |   source_code_hash = data.archive_file.lambda_function_payload.output_base64sha256
		16 |   timeout          = 10
		17 | 
		18 |   environment {
		19 |     variables = {
		20 |       LOG_LEVEL       = var.lambda_log_level
		21 |       SPECIFIC_ALARMS = tostring(join(",", var.alarm_list))
		22 |     }
		23 |   }
		24 | 
		25 |   tags = var.tags
		26 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.alarm_scheduler
	File: /main.tf:8-26
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		8  | resource "aws_lambda_function" "alarm_scheduler" {
		9  |   filename         = "${path.module}/lambda/alarm_scheduler.zip"
		10 |   function_name    = var.lambda_function_name
		11 |   architectures    = ["arm64"]
		12 |   role             = aws_iam_role.lambda_exec.arn
		13 |   runtime          = "python3.12"
		14 |   handler          = "alarm_scheduler.lambda_handler"
		15 |   source_code_hash = data.archive_file.lambda_function_payload.output_base64sha256
		16 |   timeout          = 10
		17 | 
		18 |   environment {
		19 |     variables = {
		20 |       LOG_LEVEL       = var.lambda_log_level
		21 |       SPECIFIC_ALARMS = tostring(join(",", var.alarm_list))
		22 |     }
		23 |   }
		24 | 
		25 |   tags = var.tags
		26 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.alarm_scheduler
	File: /main.tf:8-26
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		8  | resource "aws_lambda_function" "alarm_scheduler" {
		9  |   filename         = "${path.module}/lambda/alarm_scheduler.zip"
		10 |   function_name    = var.lambda_function_name
		11 |   architectures    = ["arm64"]
		12 |   role             = aws_iam_role.lambda_exec.arn
		13 |   runtime          = "python3.12"
		14 |   handler          = "alarm_scheduler.lambda_handler"
		15 |   source_code_hash = data.archive_file.lambda_function_payload.output_base64sha256
		16 |   timeout          = 10
		17 | 
		18 |   environment {
		19 |     variables = {
		20 |       LOG_LEVEL       = var.lambda_log_level
		21 |       SPECIFIC_ALARMS = tostring(join(",", var.alarm_list))
		22 |     }
		23 |   }
		24 | 
		25 |   tags = var.tags
		26 | }

Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
	FAILED for resource: aws_lambda_function.alarm_scheduler
	File: /main.tf:8-26
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1

		8  | resource "aws_lambda_function" "alarm_scheduler" {
		9  |   filename         = "${path.module}/lambda/alarm_scheduler.zip"
		10 |   function_name    = var.lambda_function_name
		11 |   architectures    = ["arm64"]
		12 |   role             = aws_iam_role.lambda_exec.arn
		13 |   runtime          = "python3.12"
		14 |   handler          = "alarm_scheduler.lambda_handler"
		15 |   source_code_hash = data.archive_file.lambda_function_payload.output_base64sha256
		16 |   timeout          = 10
		17 | 
		18 |   environment {
		19 |     variables = {
		20 |       LOG_LEVEL       = var.lambda_log_level
		21 |       SPECIFIC_ALARMS = tostring(join(",", var.alarm_list))
		22 |     }
		23 |   }
		24 | 
		25 |   tags = var.tags
		26 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.alarm_scheduler
	File: /main.tf:8-26
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		8  | resource "aws_lambda_function" "alarm_scheduler" {
		9  |   filename         = "${path.module}/lambda/alarm_scheduler.zip"
		10 |   function_name    = var.lambda_function_name
		11 |   architectures    = ["arm64"]
		12 |   role             = aws_iam_role.lambda_exec.arn
		13 |   runtime          = "python3.12"
		14 |   handler          = "alarm_scheduler.lambda_handler"
		15 |   source_code_hash = data.archive_file.lambda_function_payload.output_base64sha256
		16 |   timeout          = 10
		17 | 
		18 |   environment {
		19 |     variables = {
		20 |       LOG_LEVEL       = var.lambda_log_level
		21 |       SPECIFIC_ALARMS = tostring(join(",", var.alarm_list))
		22 |     }
		23 |   }
		24 | 
		25 |   tags = var.tags
		26 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.alarm_scheduler
	File: /main.tf:8-26
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		8  | resource "aws_lambda_function" "alarm_scheduler" {
		9  |   filename         = "${path.module}/lambda/alarm_scheduler.zip"
		10 |   function_name    = var.lambda_function_name
		11 |   architectures    = ["arm64"]
		12 |   role             = aws_iam_role.lambda_exec.arn
		13 |   runtime          = "python3.12"
		14 |   handler          = "alarm_scheduler.lambda_handler"
		15 |   source_code_hash = data.archive_file.lambda_function_payload.output_base64sha256
		16 |   timeout          = 10
		17 | 
		18 |   environment {
		19 |     variables = {
		20 |       LOG_LEVEL       = var.lambda_log_level
		21 |       SPECIFIC_ALARMS = tostring(join(",", var.alarm_list))
		22 |     }
		23 |   }
		24 | 
		25 |   tags = var.tags
		26 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.execution_logs
	File: /main.tf:28-33
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		28 | resource "aws_cloudwatch_log_group" "execution_logs" {
		29 |   name              = format("/aws/lambda/%s", var.lambda_function_name)
		30 |   retention_in_days = 7
		31 | 
		32 |   tags = var.tags
		33 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.execution_logs
	File: /main.tf:28-33
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		28 | resource "aws_cloudwatch_log_group" "execution_logs" {
		29 |   name              = format("/aws/lambda/%s", var.lambda_function_name)
		30 |   retention_in_days = 7
		31 | 
		32 |   tags = var.tags
		33 | }


checkov_exitcode=2

CTFLint Scan Failed

*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/delius-mis/modules/mis_environment
terraform/modules/schedule_alarms_lambda

*****************************

Running tflint in terraform/environments/delius-mis/modules/mis_environment
Excluding the following checks: terraform_unused_declarations
4 issue(s) found:

Warning: Module source "github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance" is not pinned (terraform_module_pinned_source)

  on terraform/environments/delius-mis/modules/mis_environment/bcs.tf line 7:
   7:   source = "github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_module_pinned_source.md

Warning: Module source "github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance" is not pinned (terraform_module_pinned_source)

  on terraform/environments/delius-mis/modules/mis_environment/bps.tf line 7:
   7:   source = "github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_module_pinned_source.md

Warning: Module source "github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance" is not pinned (terraform_module_pinned_source)

  on terraform/environments/delius-mis/modules/mis_environment/bws.tf line 7:
   7:   source = "github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_module_pinned_source.md

Warning: Module source "github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance" is not pinned (terraform_module_pinned_source)

  on terraform/environments/delius-mis/modules/mis_environment/dis.tf line 7:
   7:   source = "github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_module_pinned_source.md

tflint_exitcode=2

*****************************

Running tflint in terraform/modules/schedule_alarms_lambda
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=2

Trivy Scan Failed

*****************************

Trivy will check the following folders:
terraform/environments/delius-mis/modules/mis_environment
terraform/modules/schedule_alarms_lambda

*****************************

Running Trivy in terraform/environments/delius-mis/modules/mis_environment
2024-10-15T12:44:48Z	INFO	[vulndb] Need to update DB
2024-10-15T12:44:48Z	INFO	[vulndb] Downloading vulnerability DB...
2024-10-15T12:44:48Z	INFO	[vulndb] Downloading artifact...	repo="ghcr.io/aquasecurity/trivy-db:2"
2024-10-15T12:44:50Z	INFO	[vulndb] Artifact successfully downloaded	repo="ghcr.io/aquasecurity/trivy-db:2"
2024-10-15T12:44:50Z	INFO	[vuln] Vulnerability scanning is enabled
2024-10-15T12:44:50Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-10-15T12:44:50Z	INFO	[misconfig] Need to update the built-in checks
2024-10-15T12:44:50Z	INFO	[misconfig] Downloading the built-in checks...
156.02 KiB / 156.02 KiB [------------------------------------------------------] 100.00% ? p/s 100ms
2024-10-15T12:44:50Z	INFO	[secret] Secret scanning is enabled
2024-10-15T12:44:50Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-10-15T12:44:50Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.56/docs/scanner/secret#recommendation for faster secret detection
2024-10-15T12:44:51Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-10-15T12:44:51Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="account_config, account_info, app_name, bastion_config, bcs_config, boe_db_config, bps_config, bws_config, dis_config, dsd_db_config, env_name, environment_config, fsx_config, mis_db_config, platform_vars, tags"
2024-10-15T12:44:51Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="dynamic.ip_address" value="cty.NilVal"
2024-10-15T12:44:51Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="dynamic.target_ip" value="cty.NilVal"
2024-10-15T12:44:51Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="dynamic.ip_address" value="cty.NilVal"
2024-10-15T12:44:51Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="dynamic.target_ip" value="cty.NilVal"
2024-10-15T12:44:52Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2024-10-15T12:44:52Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2024-10-15T12:44:52Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.dynamic.tag" value="cty.NilVal"
2024-10-15T12:44:52Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.dynamic.tag" value="cty.NilVal"
2024-10-15T12:44:52Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-15T12:44:52Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-10-15T12:44:52Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-15T12:44:52Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-15T12:44:52Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-10-15T12:44:52Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-10-15T12:44:52Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-15T12:44:52Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-10-15T12:44:52Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-15T12:44:52Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-15T12:44:52Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-10-15T12:44:52Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-10-15T12:44:52Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.pagerduty_core_alerts.data.aws_sns_topic.alarm_topics" value="cty.NilVal"
2024-10-15T12:44:52Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.s3_bucket_ssm_sessions.dynamic.expiration" value="cty.NilVal"
2024-10-15T12:44:52Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.s3_bucket_ssm_sessions.dynamic.transition" value="cty.NilVal"
2024-10-15T12:44:52Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.s3_bucket_ssm_sessions.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-15T12:44:52Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.s3_bucket_ssm_sessions.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-15T12:44:52Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.s3_bucket_ssm_sessions.dynamic.principals" value="cty.NilVal"
2024-10-15T12:44:52Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.s3_bucket_ssm_sessions.dynamic.condition" value="cty.NilVal"
2024-10-15T12:44:52Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.s3_bucket_ssm_sessions.dynamic.expiration" value="cty.NilVal"
2024-10-15T12:44:52Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.s3_bucket_ssm_sessions.dynamic.transition" value="cty.NilVal"
2024-10-15T12:44:52Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.s3_bucket_ssm_sessions.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-15T12:44:52Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.s3_bucket_ssm_sessions.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-15T12:44:52Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.s3_bucket_ssm_sessions.dynamic.principals" value="cty.NilVal"
2024-10-15T12:44:52Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.s3_bucket_ssm_sessions.dynamic.condition" value="cty.NilVal"
2024-10-15T12:44:52Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bcs_instance[0].aws_ebs_volume.this" value="cty.NilVal"
2024-10-15T12:44:52Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bcs_instance[0].dynamic.ephemeral_block_device" value="cty.NilVal"
2024-10-15T12:44:52Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bcs_instance[0].dynamic.ebs_block_device" value="cty.NilVal"
2024-10-15T12:44:52Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bcs_instance[0].dynamic.private_dns_name_options" value="cty.NilVal"
2024-10-15T12:44:52Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bcs_instance[0].dynamic.ephemeral_block_device" value="cty.NilVal"
2024-10-15T12:44:52Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bcs_instance[0].dynamic.ebs_block_device" value="cty.NilVal"
2024-10-15T12:44:52Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bcs_instance[0].dynamic.private_dns_name_options" value="cty.NilVal"
2024-10-15T12:44:52Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bps_instance[0].aws_ebs_volume.this" value="cty.NilVal"
2024-10-15T12:44:52Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bps_instance[0].dynamic.ephemeral_block_device" value="cty.NilVal"
2024-10-15T12:44:52Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bps_instance[0].dynamic.ebs_block_device" value="cty.NilVal"
2024-10-15T12:44:52Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bps_instance[0].dynamic.private_dns_name_options" value="cty.NilVal"
2024-10-15T12:44:52Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bps_instance[0].dynamic.ephemeral_block_device" value="cty.NilVal"
2024-10-15T12:44:52Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bps_instance[0].dynamic.ebs_block_device" value="cty.NilVal"
2024-10-15T12:44:52Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bps_instance[0].dynamic.private_dns_name_options" value="cty.NilVal"
2024-10-15T12:44:52Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bws_instance[0].aws_ebs_volume.this" value="cty.NilVal"
2024-10-15T12:44:52Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bws_instance[0].dynamic.ephemeral_block_device" value="cty.NilVal"
2024-10-15T12:44:52Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bws_instance[0].dynamic.ebs_block_device" value="cty.NilVal"
2024-10-15T12:44:52Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bws_instance[0].dynamic.private_dns_name_options" value="cty.NilVal"
2024-10-15T12:44:52Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bws_instance[0].dynamic.ephemeral_block_device" value="cty.NilVal"
2024-10-15T12:44:52Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bws_instance[0].dynamic.ebs_block_device" value="cty.NilVal"
2024-10-15T12:44:52Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bws_instance[0].dynamic.private_dns_name_options" value="cty.NilVal"
2024-10-15T12:44:52Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.dis_instance[0].aws_ebs_volume.this" value="cty.NilVal"
2024-10-15T12:44:52Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.dis_instance[0].dynamic.ephemeral_block_device" value="cty.NilVal"
2024-10-15T12:44:52Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.dis_instance[0].dynamic.ebs_block_device" value="cty.NilVal"
2024-10-15T12:44:52Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.dis_instance[0].dynamic.private_dns_name_options" value="cty.NilVal"
2024-10-15T12:44:52Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.dis_instance[0].dynamic.ephemeral_block_device" value="cty.NilVal"
2024-10-15T12:44:52Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.dis_instance[0].dynamic.ebs_block_device" value="cty.NilVal"
2024-10-15T12:44:52Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.dis_instance[0].dynamic.private_dns_name_options" value="cty.NilVal"
2024-10-15T12:44:52Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_boe[0].module.instance.aws_ebs_volume.this" value="cty.NilVal"
2024-10-15T12:44:52Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_boe[0].module.instance.dynamic.ephemeral_block_device" value="cty.NilVal"
2024-10-15T12:44:52Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_boe[0].module.instance.dynamic.ebs_block_device" value="cty.NilVal"
2024-10-15T12:44:52Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_boe[0].module.instance.dynamic.ephemeral_block_device" value="cty.NilVal"
2024-10-15T12:44:52Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_boe[0].module.instance.dynamic.ebs_block_device" value="cty.NilVal"
2024-10-15T12:44:52Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_dsd[0].module.instance.aws_ebs_volume.this" value="cty.NilVal"
2024-10-15T12:44:52Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_dsd[0].module.instance.dynamic.ephemeral_block_device" value="cty.NilVal"
2024-10-15T12:44:52Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_dsd[0].module.instance.dynamic.ebs_block_device" value="cty.NilVal"
2024-10-15T12:44:52Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_dsd[0].module.instance.dynamic.ephemeral_block_device" value="cty.NilVal"
2024-10-15T12:44:52Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_dsd[0].module.instance.dynamic.ebs_block_device" value="cty.NilVal"
2024-10-15T12:44:52Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_mis[0].module.instance.aws_ebs_volume.this" value="cty.NilVal"
2024-10-15T12:44:52Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_mis[0].module.instance.dynamic.ephemeral_block_device" value="cty.NilVal"
2024-10-15T12:44:52Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_mis[0].module.instance.dynamic.ebs_block_device" value="cty.NilVal"
2024-10-15T12:44:52Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_mis[0].module.instance.dynamic.ephemeral_block_device" value="cty.NilVal"
2024-10-15T12:44:52Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_mis[0].module.instance.dynamic.ebs_block_device" value="cty.NilVal"
2024-10-15T12:44:52Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_shared[\"boe-db\"].aws_s3_object.user_public_keys" value="cty.NilVal"
2024-10-15T12:44:52Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_shared[\"boe-db\"].module.s3_bucket_oracledb_backups.dynamic.expiration" value="cty.NilVal"
2024-10-15T12:44:52Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_shared[\"boe-db\"].module.s3_bucket_oracledb_backups.dynamic.transition" value="cty.NilVal"
2024-10-15T12:44:52Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_shared[\"boe-db\"].module.s3_bucket_oracledb_backups.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-15T12:44:52Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_shared[\"boe-db\"].module.s3_bucket_oracledb_backups.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-15T12:44:52Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_shared[\"boe-db\"].module.s3_bucket_oracledb_backups.dynamic.principals" value="cty.NilVal"
2024-10-15T12:44:52Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_shared[\"boe-db\"].module.s3_bucket_oracledb_backups.dynamic.condition" value="cty.NilVal"
2024-10-15T12:44:52Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_shared[\"boe-db\"].module.s3_bucket_oracledb_backups.dynamic.expiration" value="cty.NilVal"
2024-10-15T12:44:52Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_shared[\"boe-db\"].module.s3_bucket_oracledb_backups.dynamic.transition" value="cty.NilVal"
2024-10-15T12:44:52Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_shared[\"boe-db\"].module.s3_bucket_oracledb_backups.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-15T12:44:52Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_shared[\"boe-db\"].module.s3_bucket_oracledb_backups.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-15T12:44:52Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_shared[\"boe-db\"].module.s3_bucket_oracledb_backups.dynamic.principals" value="cty.NilVal"
2024-10-15T12:44:52Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_shared[\"boe-db\"].module.s3_bucket_oracledb_backups.dynamic.condition" value="cty.NilVal"
2024-10-15T12:44:52Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_shared[\"boe-db\"].module.s3_bucket_ssh_keys.dynamic.expiration" value="cty.NilVal"
2024-10-15T12:44:52Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_shared[\"boe-db\"].module.s3_bucket_ssh_keys.dynamic.transition" value="cty.NilVal"
2024-10-15T12:44:52Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_shared[\"boe-db\"].module.s3_bucket_ssh_keys.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-15T12:44:52Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_shared[\"boe-db\"].module.s3_bucket_ssh_keys.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-15T12:44:52Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_shared[\"boe-db\"].module.s3_bucket_ssh_keys.dynamic.principals" value="cty.NilVal"
2024-10-15T12:44:52Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_shared[\"boe-db\"].module.s3_bucket_ssh_keys.dynamic.condition" value="cty.NilVal"
2024-10-15T12:44:52Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_shared[\"boe-db\"].module.s3_bucket_ssh_keys.dynamic.expiration" value="cty.NilVal"
2024-10-15T12:44:52Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_shared[\"boe-db\"].module.s3_bucket_ssh_keys.dynamic.transition" value="cty.NilVal"
2024-10-15T12:44:52Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_shared[\"boe-db\"].module.s3_bucket_ssh_keys.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-15T12:44:52Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_shared[\"boe-db\"].module.s3_bucket_ssh_keys.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-15T12:44:52Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_shared[\"boe-db\"].module.s3_bucket_ssh_keys.dynamic.principals" value="cty.NilVal"
2024-10-15T12:44:52Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_shared[\"boe-db\"].module.s3_bucket_ssh_keys.dynamic.condition" value="cty.NilVal"
2024-10-15T12:44:52Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_shared[\"dsd-db\"].aws_s3_object.user_public_keys" value="cty.NilVal"
2024-10-15T12:44:52Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_shared[\"dsd-db\"].module.s3_bucket_oracledb_backups.dynamic.expiration" value="cty.NilVal"
2024-10-15T12:44:52Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_shared[\"dsd-db\"].module.s3_bucket_oracledb_backups.dynamic.transition" value="cty.NilVal"
2024-10-15T12:44:52Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_shared[\"dsd-db\"].module.s3_bucket_oracledb_backups.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-15T12:44:52Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_shared[\"dsd-db\"].module.s3_bucket_oracledb_backups.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-15T12:44:52Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_shared[\"dsd-db\"].module.s3_bucket_oracledb_backups.dynamic.principals" value="cty.NilVal"
2024-10-15T12:44:52Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_shared[\"dsd-db\"].module.s3_bucket_oracledb_backups.dynamic.condition" value="cty.NilVal"
2024-10-15T12:44:52Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_shared[\"dsd-db\"].module.s3_bucket_oracledb_backups.dynamic.expiration" value="cty.NilVal"
2024-10-15T12:44:52Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_shared[\"dsd-db\"].module.s3_bucket_oracledb_backups.dynamic.transition" value="cty.NilVal"
2024-10-15T12:44:52Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_shared[\"dsd-db\"].module.s3_bucket_oracledb_backups.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-15T12:44:52Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_shared[\"dsd-db\"].module.s3_bucket_oracledb_backups.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-15T12:44:52Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_shared[\"dsd-db\"].module.s3_bucket_oracledb_backups.dynamic.principals" value="cty.NilVal"
2024-10-15T12:44:52Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_shared[\"dsd-db\"].module.s3_bucket_oracledb_backups.dynamic.condition" value="cty.NilVal"
2024-10-15T12:44:52Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_shared[\"dsd-db\"].module.s3_bucket_ssh_keys.dynamic.expiration" value="cty.NilVal"
2024-10-15T12:44:52Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_shared[\"dsd-db\"].module.s3_bucket_ssh_keys.dynamic.transition" value="cty.NilVal"
2024-10-15T12:44:52Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_shared[\"dsd-db\"].module.s3_bucket_ssh_keys.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-15T12:44:52Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_shared[\"dsd-db\"].module.s3_bucket_ssh_keys.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-15T12:44:52Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_shared[\"dsd-db\"].module.s3_bucket_ssh_keys.dynamic.principals" value="cty.NilVal"
2024-10-15T12:44:52Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_shared[\"dsd-db\"].module.s3_bucket_ssh_keys.dynamic.condition" value="cty.NilVal"
2024-10-15T12:44:52Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_shared[\"dsd-db\"].module.s3_bucket_ssh_keys.dynamic.expiration" value="cty.NilVal"
2024-10-15T12:44:52Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_shared[\"dsd-db\"].module.s3_bucket_ssh_keys.dynamic.transition" value="cty.NilVal"
2024-10-15T12:44:52Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_shared[\"dsd-db\"].module.s3_bucket_ssh_keys.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-15T12:44:52Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_shared[\"dsd-db\"].module.s3_bucket_ssh_keys.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-15T12:44:52Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_shared[\"dsd-db\"].module.s3_bucket_ssh_keys.dynamic.principals" value="cty.NilVal"
2024-10-15T12:44:52Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_shared[\"dsd-db\"].module.s3_bucket_ssh_keys.dynamic.condition" value="cty.NilVal"
2024-10-15T12:44:52Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_shared[\"mis-db\"].aws_s3_object.user_public_keys" value="cty.NilVal"
2024-10-15T12:44:52Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_shared[\"mis-db\"].module.s3_bucket_oracledb_backups.dynamic.expiration" value="cty.NilVal"
2024-10-15T12:44:52Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_shared[\"mis-db\"].module.s3_bucket_oracledb_backups.dynamic.transition" value="cty.NilVal"
2024-10-15T12:44:52Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_shared[\"mis-db\"].module.s3_bucket_oracledb_backups.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-15T12:44:52Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_shared[\"mis-db\"].module.s3_bucket_oracledb_backups.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-15T12:44:52Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_shared[\"mis-db\"].module.s3_bucket_oracledb_backups.dynamic.principals" value="cty.NilVal"
2024-10-15T12:44:52Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_shared[\"mis-db\"].module.s3_bucket_oracledb_backups.dynamic.condition" value="cty.NilVal"
2024-10-15T12:44:52Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_shared[\"mis-db\"].module.s3_bucket_oracledb_backups.dynamic.expiration" value="cty.NilVal"
2024-10-15T12:44:52Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_shared[\"mis-db\"].module.s3_bucket_oracledb_backups.dynamic.transition" value="cty.NilVal"
2024-10-15T12:44:52Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_shared[\"mis-db\"].module.s3_bucket_oracledb_backups.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-15T12:44:52Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_shared[\"mis-db\"].module.s3_bucket_oracledb_backups.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-15T12:44:52Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_shared[\"mis-db\"].module.s3_bucket_oracledb_backups.dynamic.principals" value="cty.NilVal"
2024-10-15T12:44:52Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_shared[\"mis-db\"].module.s3_bucket_oracledb_backups.dynamic.condition" value="cty.NilVal"
2024-10-15T12:44:52Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_shared[\"mis-db\"].module.s3_bucket_ssh_keys.dynamic.expiration" value="cty.NilVal"
2024-10-15T12:44:52Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_shared[\"mis-db\"].module.s3_bucket_ssh_keys.dynamic.transition" value="cty.NilVal"
2024-10-15T12:44:52Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_shared[\"mis-db\"].module.s3_bucket_ssh_keys.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-15T12:44:52Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_shared[\"mis-db\"].module.s3_bucket_ssh_keys.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-15T12:44:52Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_shared[\"mis-db\"].module.s3_bucket_ssh_keys.dynamic.principals" value="cty.NilVal"
2024-10-15T12:44:52Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_shared[\"mis-db\"].module.s3_bucket_ssh_keys.dynamic.condition" value="cty.NilVal"
2024-10-15T12:44:52Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_shared[\"mis-db\"].module.s3_bucket_ssh_keys.dynamic.expiration" value="cty.NilVal"
2024-10-15T12:44:52Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_shared[\"mis-db\"].module.s3_bucket_ssh_keys.dynamic.transition" value="cty.NilVal"
2024-10-15T12:44:52Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_shared[\"mis-db\"].module.s3_bucket_ssh_keys.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-15T12:44:52Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_shared[\"mis-db\"].module.s3_bucket_ssh_keys.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-15T12:44:52Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_shared[\"mis-db\"].module.s3_bucket_ssh_keys.dynamic.principals" value="cty.NilVal"
2024-10-15T12:44:52Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_shared[\"mis-db\"].module.s3_bucket_ssh_keys.dynamic.condition" value="cty.NilVal"
2024-10-15T12:44:57Z	INFO	[terraform executor] Ignore finding	rule="aws-ec2-no-public-egress-sgr" range="../../../delius-core/modules/components/oracle_db_shared/sg.tf:15"
2024-10-15T12:44:57Z	INFO	[terraform executor] Ignore finding	rule="aws-ec2-no-public-egress-sgr" range="../../../delius-core/modules/components/oracle_db_shared/sg.tf:15"
2024-10-15T12:44:57Z	INFO	[terraform executor] Ignore finding	rule="aws-ec2-no-public-egress-sgr" range="../../../delius-core/modules/components/oracle_db_shared/sg.tf:15"
2024-10-15T12:44:57Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=c918b2189d9f81d224e07e98fa1bc9ff38e4ba12/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2024-10-15T12:44:57Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0/main.tf:171-179"
2024-10-15T12:44:57Z	INFO	[terraform executor] Ignore finding	rule="aws-ec2-enforce-http-token-imds" range="github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance/main.tf:22"
2024-10-15T12:44:57Z	INFO	[terraform executor] Ignore finding	rule="aws-ec2-enforce-http-token-imds" range="github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance/main.tf:22"
2024-10-15T12:44:57Z	INFO	[terraform executor] Ignore finding	rule="aws-ec2-enforce-http-token-imds" range="github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance/main.tf:22"
2024-10-15T12:44:57Z	INFO	[terraform executor] Ignore finding	rule="aws-ec2-enforce-http-token-imds" range="github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance/main.tf:22"
2024-10-15T12:44:57Z	INFO	[terraform executor] Ignore finding	rule="aws-ec2-enforce-http-token-imds" range="github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance/main.tf:22"
2024-10-15T12:44:57Z	INFO	[terraform executor] Ignore finding	rule="aws-ec2-enforce-http-token-imds" range="github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance/main.tf:22"
2024-10-15T12:44:57Z	INFO	[terraform executor] Ignore finding	rule="aws-ec2-enforce-http-token-imds" range="github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance/main.tf:22"
2024-10-15T12:44:57Z	INFO	[terraform executor] Ignore finding	rule="aws-ssm-secret-use-customer-key" range="secrets.tf:3-9"
2024-10-15T12:44:57Z	INFO	[terraform executor] Ignore finding	rule="aws-ssm-secret-use-customer-key" range="secrets.tf:12-18"
2024-10-15T12:44:57Z	INFO	Number of language-specific files	num=0
2024-10-15T12:44:57Z	INFO	Detected config files	num=19

../../../delius-core/modules/components/oracle_db_shared/s3.tf (terraform)
==========================================================================
Tests: 1 (SUCCESSES: 0, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.


See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 ../../../delius-core/modules/components/oracle_db_shared/s3.tf:204-212
   via databases.tf:13-37 (module.oracle_db_shared["boe-db"])
────────────────────────────────────────
 204 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "oracledb_backups_inventory" {
 205 │   bucket = aws_s3_bucket.s3_bucket_oracledb_backups_inventory.id
 206 │   rule {
 207 │     apply_server_side_encryption_by_default {
 208 │       kms_master_key_id = var.account_config.kms_keys.general_shared
 209 │       sse_algorithm     = "aws:kms"
 210 │     }
 211 │   }
 212 └ }
────────────────────────────────────────



sg_shared.tf (terraform)
========================
Tests: 4 (SUCCESSES: 0, FAILURES: 1, EXCEPTIONS: 3)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Security group rule allows ingress from public internet.
════════════════════════════════════════
Security groups provide stateful filtering of ingress and egress network traffic to AWS
resources. It is recommended that no security group allows unrestricted ingress access to
remote server administration ports, such as SSH to port 22 and RDP to port 3389.


See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
 sg_shared.tf:28
   via sg_shared.tf:26-32 (aws_vpc_security_group_ingress_rule.fleet_manager)
────────────────────────────────────────
  26   resource "aws_vpc_security_group_ingress_rule" "fleet_manager" {
  27     security_group_id = aws_security_group.mis_ec2_shared.id
  28 [   cidr_ipv4         = "0.0.0.0/0"
  29     ip_protocol       = "tcp"
  30     from_port         = 3389
  31     to_port           = 3389
  32   }
────────────────────────────────────────


trivy_exitcode=1

*****************************

Running Trivy in terraform/modules/schedule_alarms_lambda
2024-10-15T12:44:57Z	INFO	[vuln] Vulnerability scanning is enabled
2024-10-15T12:44:57Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-10-15T12:44:57Z	INFO	[secret] Secret scanning is enabled
2024-10-15T12:44:57Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-10-15T12:44:57Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.56/docs/scanner/secret#recommendation for faster secret detection
2024-10-15T12:44:58Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-10-15T12:44:58Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="lambda_function_name"
2024-10-15T12:44:58Z	INFO	Number of language-specific files	num=0
2024-10-15T12:44:58Z	INFO	Detected config files	num=2
trivy_exitcode=1

georgepstaylor previously approved these changes Oct 15, 2024
@andrewmooreio andrewmooreio had a problem deploying to delius-mis-development October 15, 2024 12:46 — with GitHub Actions Failure
Contributor

Trivy Scan Failed

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/delius-mis/modules/mis_environment
terraform/modules/schedule_alarms_lambda


Running Trivy in terraform/environments/delius-mis/modules/mis_environment
2024-10-15T12:50:24Z INFO [vulndb] Need to update DB
2024-10-15T12:50:24Z INFO [vulndb] Downloading vulnerability DB...
2024-10-15T12:50:24Z INFO [vulndb] Downloading artifact... repo="ghcr.io/aquasecurity/trivy-db:2"
2024-10-15T12:50:26Z INFO [vulndb] Artifact successfully downloaded repo="ghcr.io/aquasecurity/trivy-db:2"
2024-10-15T12:50:26Z INFO [vuln] Vulnerability scanning is enabled
2024-10-15T12:50:26Z INFO [misconfig] Misconfiguration scanning is enabled
2024-10-15T12:50:26Z INFO [misconfig] Need to update the built-in checks
2024-10-15T12:50:26Z INFO [misconfig] Downloading the built-in checks...
156.02 KiB / 156.02 KiB [------------------------------------------------------] 100.00% ? p/s 100ms
2024-10-15T12:50:26Z INFO [secret] Secret scanning is enabled
2024-10-15T12:50:26Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-10-15T12:50:26Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.56/docs/scanner/secret#recommendation for faster secret detection
2024-10-15T12:50:27Z INFO [terraform scanner] Scanning root module file_path="."
2024-10-15T12:50:27Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="account_config, account_info, app_name, bastion_config, bcs_config, boe_db_config, bps_config, bws_config, dis_config, dsd_db_config, env_name, environment_config, fsx_config, mis_db_config, platform_vars, tags"
2024-10-15T12:50:27Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="dynamic.ip_address" value="cty.NilVal"
2024-10-15T12:50:27Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="dynamic.target_ip" value="cty.NilVal"
2024-10-15T12:50:27Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="dynamic.ip_address" value="cty.NilVal"
2024-10-15T12:50:27Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="dynamic.target_ip" value="cty.NilVal"
2024-10-15T12:50:28Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2024-10-15T12:50:28Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2024-10-15T12:50:28Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.dynamic.tag" value="cty.NilVal"
2024-10-15T12:50:28Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.dynamic.tag" value="cty.NilVal"
2024-10-15T12:50:29Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-15T12:50:29Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-10-15T12:50:29Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-15T12:50:29Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-15T12:50:29Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-10-15T12:50:29Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-10-15T12:50:29Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-15T12:50:29Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-10-15T12:50:29Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-15T12:50:29Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-15T12:50:29Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-10-15T12:50:29Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-10-15T12:50:29Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.pagerduty_core_alerts.data.aws_sns_topic.alarm_topics" value="cty.NilVal"
2024-10-15T12:50:29Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_ssm_sessions.dynamic.expiration" value="cty.NilVal"
2024-10-15T12:50:29Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_ssm_sessions.dynamic.transition" value="cty.NilVal"
2024-10-15T12:50:29Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_ssm_sessions.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-15T12:50:29Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_ssm_sessions.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-15T12:50:29Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_ssm_sessions.dynamic.principals" value="cty.NilVal"
2024-10-15T12:50:29Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_ssm_sessions.dynamic.condition" value="cty.NilVal"
2024-10-15T12:50:29Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_ssm_sessions.dynamic.expiration" value="cty.NilVal"
2024-10-15T12:50:29Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_ssm_sessions.dynamic.transition" value="cty.NilVal"
2024-10-15T12:50:29Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_ssm_sessions.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-15T12:50:29Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_ssm_sessions.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-15T12:50:29Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_ssm_sessions.dynamic.principals" value="cty.NilVal"
2024-10-15T12:50:29Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_ssm_sessions.dynamic.condition" value="cty.NilVal"
2024-10-15T12:50:29Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bcs_instance[0].aws_ebs_volume.this" value="cty.NilVal"
2024-10-15T12:50:29Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bcs_instance[0].dynamic.ephemeral_block_device" value="cty.NilVal"
2024-10-15T12:50:29Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bcs_instance[0].dynamic.ebs_block_device" value="cty.NilVal"
2024-10-15T12:50:29Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bcs_instance[0].dynamic.private_dns_name_options" value="cty.NilVal"
2024-10-15T12:50:29Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bcs_instance[0].dynamic.ephemeral_block_device" value="cty.NilVal"
2024-10-15T12:50:29Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bcs_instance[0].dynamic.ebs_block_device" value="cty.NilVal"
2024-10-15T12:50:29Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bcs_instance[0].dynamic.private_dns_name_options" value="cty.NilVal"
2024-10-15T12:50:29Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bps_instance[0].aws_ebs_volume.this" value="cty.NilVal"
2024-10-15T12:50:29Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bps_instance[0].dynamic.ephemeral_block_device" value="cty.NilVal"
2024-10-15T12:50:29Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bps_instance[0].dynamic.ebs_block_device" value="cty.NilVal"
2024-10-15T12:50:29Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bps_instance[0].dynamic.private_dns_name_options" value="cty.NilVal"
2024-10-15T12:50:29Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bps_instance[0].dynamic.ephemeral_block_device" value="cty.NilVal"
2024-10-15T12:50:29Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bps_instance[0].dynamic.ebs_block_device" value="cty.NilVal"
2024-10-15T12:50:29Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bps_instance[0].dynamic.private_dns_name_options" value="cty.NilVal"
2024-10-15T12:50:29Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bws_instance[0].aws_ebs_volume.this" value="cty.NilVal"
2024-10-15T12:50:29Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bws_instance[0].dynamic.ephemeral_block_device" value="cty.NilVal"
2024-10-15T12:50:29Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bws_instance[0].dynamic.ebs_block_device" value="cty.NilVal"
2024-10-15T12:50:29Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bws_instance[0].dynamic.private_dns_name_options" value="cty.NilVal"
2024-10-15T12:50:29Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bws_instance[0].dynamic.ephemeral_block_device" value="cty.NilVal"
2024-10-15T12:50:29Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bws_instance[0].dynamic.ebs_block_device" value="cty.NilVal"
2024-10-15T12:50:29Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bws_instance[0].dynamic.private_dns_name_options" value="cty.NilVal"
2024-10-15T12:50:29Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.dis_instance[0].aws_ebs_volume.this" value="cty.NilVal"
2024-10-15T12:50:29Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.dis_instance[0].dynamic.ephemeral_block_device" value="cty.NilVal"
2024-10-15T12:50:29Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.dis_instance[0].dynamic.ebs_block_device" value="cty.NilVal"
2024-10-15T12:50:29Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.dis_instance[0].dynamic.private_dns_name_options" value="cty.NilVal"
2024-10-15T12:50:29Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.dis_instance[0].dynamic.ephemeral_block_device" value="cty.NilVal"
2024-10-15T12:50:29Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.dis_instance[0].dynamic.ebs_block_device" value="cty.NilVal"
2024-10-15T12:50:29Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.dis_instance[0].dynamic.private_dns_name_options" value="cty.NilVal"
2024-10-15T12:50:29Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_boe[0].module.instance.aws_ebs_volume.this" value="cty.NilVal"
2024-10-15T12:50:29Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_boe[0].module.instance.dynamic.ephemeral_block_device" value="cty.NilVal"
2024-10-15T12:50:29Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_boe[0].module.instance.dynamic.ebs_block_device" value="cty.NilVal"
2024-10-15T12:50:29Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_boe[0].module.instance.dynamic.ephemeral_block_device" value="cty.NilVal"
2024-10-15T12:50:29Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_boe[0].module.instance.dynamic.ebs_block_device" value="cty.NilVal"
2024-10-15T12:50:29Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_dsd[0].module.instance.aws_ebs_volume.this" value="cty.NilVal"
2024-10-15T12:50:29Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_dsd[0].module.instance.dynamic.ephemeral_block_device" value="cty.NilVal"
2024-10-15T12:50:29Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_dsd[0].module.instance.dynamic.ebs_block_device" value="cty.NilVal"
2024-10-15T12:50:29Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_dsd[0].module.instance.dynamic.ephemeral_block_device" value="cty.NilVal"
2024-10-15T12:50:29Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_dsd[0].module.instance.dynamic.ebs_block_device" value="cty.NilVal"
2024-10-15T12:50:29Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_mis[0].module.instance.aws_ebs_volume.this" value="cty.NilVal"
2024-10-15T12:50:29Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_mis[0].module.instance.dynamic.ephemeral_block_device" value="cty.NilVal"
2024-10-15T12:50:29Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_mis[0].module.instance.dynamic.ebs_block_device" value="cty.NilVal"
2024-10-15T12:50:29Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_mis[0].module.instance.dynamic.ephemeral_block_device" value="cty.NilVal"
2024-10-15T12:50:29Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_mis[0].module.instance.dynamic.ebs_block_device" value="cty.NilVal"
2024-10-15T12:50:29Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["boe-db"].aws_s3_object.user_public_keys" value="cty.NilVal"
2024-10-15T12:50:29Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["boe-db"].module.s3_bucket_oracledb_backups.dynamic.expiration" value="cty.NilVal"
2024-10-15T12:50:29Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["boe-db"].module.s3_bucket_oracledb_backups.dynamic.transition" value="cty.NilVal"
2024-10-15T12:50:29Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["boe-db"].module.s3_bucket_oracledb_backups.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-15T12:50:29Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["boe-db"].module.s3_bucket_oracledb_backups.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-15T12:50:29Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["boe-db"].module.s3_bucket_oracledb_backups.dynamic.principals" value="cty.NilVal"
2024-10-15T12:50:29Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["boe-db"].module.s3_bucket_oracledb_backups.dynamic.condition" value="cty.NilVal"
2024-10-15T12:50:29Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["boe-db"].module.s3_bucket_oracledb_backups.dynamic.expiration" value="cty.NilVal"
2024-10-15T12:50:29Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["boe-db"].module.s3_bucket_oracledb_backups.dynamic.transition" value="cty.NilVal"
2024-10-15T12:50:29Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["boe-db"].module.s3_bucket_oracledb_backups.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-15T12:50:29Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["boe-db"].module.s3_bucket_oracledb_backups.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-15T12:50:29Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["boe-db"].module.s3_bucket_oracledb_backups.dynamic.principals" value="cty.NilVal"
2024-10-15T12:50:29Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["boe-db"].module.s3_bucket_oracledb_backups.dynamic.condition" value="cty.NilVal"
2024-10-15T12:50:29Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["boe-db"].module.s3_bucket_ssh_keys.dynamic.expiration" value="cty.NilVal"
2024-10-15T12:50:29Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["boe-db"].module.s3_bucket_ssh_keys.dynamic.transition" value="cty.NilVal"
2024-10-15T12:50:29Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["boe-db"].module.s3_bucket_ssh_keys.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-15T12:50:29Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["boe-db"].module.s3_bucket_ssh_keys.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-15T12:50:29Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["boe-db"].module.s3_bucket_ssh_keys.dynamic.principals" value="cty.NilVal"
2024-10-15T12:50:29Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["boe-db"].module.s3_bucket_ssh_keys.dynamic.condition" value="cty.NilVal"
2024-10-15T12:50:29Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["boe-db"].module.s3_bucket_ssh_keys.dynamic.expiration" value="cty.NilVal"
2024-10-15T12:50:29Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["boe-db"].module.s3_bucket_ssh_keys.dynamic.transition" value="cty.NilVal"
2024-10-15T12:50:29Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["boe-db"].module.s3_bucket_ssh_keys.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-15T12:50:29Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["boe-db"].module.s3_bucket_ssh_keys.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-15T12:50:29Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["boe-db"].module.s3_bucket_ssh_keys.dynamic.principals" value="cty.NilVal"
2024-10-15T12:50:29Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["boe-db"].module.s3_bucket_ssh_keys.dynamic.condition" value="cty.NilVal"
2024-10-15T12:50:29Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["dsd-db"].aws_s3_object.user_public_keys" value="cty.NilVal"
2024-10-15T12:50:29Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["dsd-db"].module.s3_bucket_oracledb_backups.dynamic.expiration" value="cty.NilVal"
2024-10-15T12:50:29Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["dsd-db"].module.s3_bucket_oracledb_backups.dynamic.transition" value="cty.NilVal"
2024-10-15T12:50:29Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["dsd-db"].module.s3_bucket_oracledb_backups.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-15T12:50:29Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["dsd-db"].module.s3_bucket_oracledb_backups.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-15T12:50:29Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["dsd-db"].module.s3_bucket_oracledb_backups.dynamic.principals" value="cty.NilVal"
2024-10-15T12:50:29Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["dsd-db"].module.s3_bucket_oracledb_backups.dynamic.condition" value="cty.NilVal"
2024-10-15T12:50:29Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["dsd-db"].module.s3_bucket_oracledb_backups.dynamic.expiration" value="cty.NilVal"
2024-10-15T12:50:29Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["dsd-db"].module.s3_bucket_oracledb_backups.dynamic.transition" value="cty.NilVal"
2024-10-15T12:50:29Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["dsd-db"].module.s3_bucket_oracledb_backups.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-15T12:50:29Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["dsd-db"].module.s3_bucket_oracledb_backups.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-15T12:50:29Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["dsd-db"].module.s3_bucket_oracledb_backups.dynamic.principals" value="cty.NilVal"
2024-10-15T12:50:29Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["dsd-db"].module.s3_bucket_oracledb_backups.dynamic.condition" value="cty.NilVal"
2024-10-15T12:50:29Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["dsd-db"].module.s3_bucket_ssh_keys.dynamic.expiration" value="cty.NilVal"
2024-10-15T12:50:29Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["dsd-db"].module.s3_bucket_ssh_keys.dynamic.transition" value="cty.NilVal"
2024-10-15T12:50:29Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["dsd-db"].module.s3_bucket_ssh_keys.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-15T12:50:29Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["dsd-db"].module.s3_bucket_ssh_keys.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-15T12:50:29Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["dsd-db"].module.s3_bucket_ssh_keys.dynamic.principals" value="cty.NilVal"
2024-10-15T12:50:29Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["dsd-db"].module.s3_bucket_ssh_keys.dynamic.condition" value="cty.NilVal"
2024-10-15T12:50:29Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["dsd-db"].module.s3_bucket_ssh_keys.dynamic.expiration" value="cty.NilVal"
2024-10-15T12:50:29Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["dsd-db"].module.s3_bucket_ssh_keys.dynamic.transition" value="cty.NilVal"
2024-10-15T12:50:29Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["dsd-db"].module.s3_bucket_ssh_keys.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-15T12:50:29Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["dsd-db"].module.s3_bucket_ssh_keys.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-15T12:50:29Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["dsd-db"].module.s3_bucket_ssh_keys.dynamic.principals" value="cty.NilVal"
2024-10-15T12:50:29Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["dsd-db"].module.s3_bucket_ssh_keys.dynamic.condition" value="cty.NilVal"
2024-10-15T12:50:29Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["mis-db"].aws_s3_object.user_public_keys" value="cty.NilVal"
2024-10-15T12:50:29Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["mis-db"].module.s3_bucket_oracledb_backups.dynamic.expiration" value="cty.NilVal"
2024-10-15T12:50:29Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["mis-db"].module.s3_bucket_oracledb_backups.dynamic.transition" value="cty.NilVal"
2024-10-15T12:50:29Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["mis-db"].module.s3_bucket_oracledb_backups.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-15T12:50:29Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["mis-db"].module.s3_bucket_oracledb_backups.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-15T12:50:29Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["mis-db"].module.s3_bucket_oracledb_backups.dynamic.principals" value="cty.NilVal"
2024-10-15T12:50:29Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["mis-db"].module.s3_bucket_oracledb_backups.dynamic.condition" value="cty.NilVal"
2024-10-15T12:50:29Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["mis-db"].module.s3_bucket_oracledb_backups.dynamic.expiration" value="cty.NilVal"
2024-10-15T12:50:29Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["mis-db"].module.s3_bucket_oracledb_backups.dynamic.transition" value="cty.NilVal"
2024-10-15T12:50:29Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["mis-db"].module.s3_bucket_oracledb_backups.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-15T12:50:29Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["mis-db"].module.s3_bucket_oracledb_backups.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-15T12:50:29Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["mis-db"].module.s3_bucket_oracledb_backups.dynamic.principals" value="cty.NilVal"
2024-10-15T12:50:29Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["mis-db"].module.s3_bucket_oracledb_backups.dynamic.condition" value="cty.NilVal"
2024-10-15T12:50:29Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["mis-db"].module.s3_bucket_ssh_keys.dynamic.expiration" value="cty.NilVal"
2024-10-15T12:50:29Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["mis-db"].module.s3_bucket_ssh_keys.dynamic.transition" value="cty.NilVal"
2024-10-15T12:50:29Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["mis-db"].module.s3_bucket_ssh_keys.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-15T12:50:29Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["mis-db"].module.s3_bucket_ssh_keys.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-15T12:50:29Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["mis-db"].module.s3_bucket_ssh_keys.dynamic.principals" value="cty.NilVal"
2024-10-15T12:50:29Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["mis-db"].module.s3_bucket_ssh_keys.dynamic.condition" value="cty.NilVal"
2024-10-15T12:50:29Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["mis-db"].module.s3_bucket_ssh_keys.dynamic.expiration" value="cty.NilVal"
2024-10-15T12:50:29Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["mis-db"].module.s3_bucket_ssh_keys.dynamic.transition" value="cty.NilVal"
2024-10-15T12:50:29Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["mis-db"].module.s3_bucket_ssh_keys.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-15T12:50:29Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["mis-db"].module.s3_bucket_ssh_keys.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-15T12:50:29Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["mis-db"].module.s3_bucket_ssh_keys.dynamic.principals" value="cty.NilVal"
2024-10-15T12:50:29Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.oracle_db_shared["mis-db"].module.s3_bucket_ssh_keys.dynamic.condition" value="cty.NilVal"
2024-10-15T12:50:33Z INFO [terraform executor] Ignore finding rule="aws-ec2-enforce-http-token-imds" range="github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance/main.tf:22"
2024-10-15T12:50:33Z INFO [terraform executor] Ignore finding rule="aws-ec2-enforce-http-token-imds" range="github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance/main.tf:22"
2024-10-15T12:50:33Z INFO [terraform executor] Ignore finding rule="aws-ec2-enforce-http-token-imds" range="github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance/main.tf:22"
2024-10-15T12:50:33Z INFO [terraform executor] Ignore finding rule="aws-ec2-enforce-http-token-imds" range="github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance/main.tf:22"
2024-10-15T12:50:33Z INFO [terraform executor] Ignore finding rule="aws-ec2-enforce-http-token-imds" range="github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance/main.tf:22"
2024-10-15T12:50:33Z INFO [terraform executor] Ignore finding rule="aws-ec2-enforce-http-token-imds" range="github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance/main.tf:22"
2024-10-15T12:50:33Z INFO [terraform executor] Ignore finding rule="aws-ec2-enforce-http-token-imds" range="github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance/main.tf:22"
2024-10-15T12:50:33Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=c918b2189d9f81d224e07e98fa1bc9ff38e4ba12/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2024-10-15T12:50:33Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0/main.tf:171-179"
2024-10-15T12:50:33Z INFO [terraform executor] Ignore finding rule="aws-ec2-no-public-egress-sgr" range="../../../delius-core/modules/components/oracle_db_shared/sg.tf:15"
2024-10-15T12:50:33Z INFO [terraform executor] Ignore finding rule="aws-ec2-no-public-egress-sgr" range="../../../delius-core/modules/components/oracle_db_shared/sg.tf:15"
2024-10-15T12:50:33Z INFO [terraform executor] Ignore finding rule="aws-ec2-no-public-egress-sgr" range="../../../delius-core/modules/components/oracle_db_shared/sg.tf:15"
2024-10-15T12:50:33Z INFO [terraform executor] Ignore finding rule="aws-ssm-secret-use-customer-key" range="secrets.tf:3-9"
2024-10-15T12:50:33Z INFO [terraform executor] Ignore finding rule="aws-ssm-secret-use-customer-key" range="secrets.tf:12-18"
2024-10-15T12:50:33Z INFO Number of language-specific files num=0
2024-10-15T12:50:33Z INFO Detected config files num=19

../../../delius-core/modules/components/oracle_db_shared/s3.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
../../../delius-core/modules/components/oracle_db_shared/s3.tf:204-212
via databases.tf:13-37 (module.oracle_db_shared["boe-db"])
────────────────────────────────────────
204 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "oracledb_backups_inventory" {
205 │   bucket = aws_s3_bucket.s3_bucket_oracledb_backups_inventory.id
206 │   rule {
207 │     apply_server_side_encryption_by_default {
208 │       kms_master_key_id = var.account_config.kms_keys.general_shared
209 │       sse_algorithm     = "aws:kms"
210 │     }
211 │   }
212 └ }
────────────────────────────────────────

sg_shared.tf (terraform)

Tests: 4 (SUCCESSES: 0, FAILURES: 1, EXCEPTIONS: 3)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Security group rule allows ingress from public internet.
════════════════════════════════════════
Security groups provide stateful filtering of ingress and egress network traffic to AWS
resources. It is recommended that no security group allows unrestricted ingress access to
remote server administration ports, such as SSH to port 22 and RDP to port 3389.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
sg_shared.tf:28
via sg_shared.tf:26-32 (aws_vpc_security_group_ingress_rule.fleet_manager)
────────────────────────────────────────
26   resource "aws_vpc_security_group_ingress_rule" "fleet_manager" {
27     security_group_id = aws_security_group.mis_ec2_shared.id
28 [   cidr_ipv4         = "0.0.0.0/0"
29     ip_protocol       = "tcp"
30     from_port         = 3389
31     to_port           = 3389
32   }
────────────────────────────────────────

trivy_exitcode=1


Running Trivy in terraform/modules/schedule_alarms_lambda
2024-10-15T12:50:33Z INFO [vuln] Vulnerability scanning is enabled
2024-10-15T12:50:33Z INFO [misconfig] Misconfiguration scanning is enabled
2024-10-15T12:50:33Z INFO [secret] Secret scanning is enabled
2024-10-15T12:50:33Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-10-15T12:50:33Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.56/docs/scanner/secret#recommendation for faster secret detection
2024-10-15T12:50:34Z INFO [terraform scanner] Scanning root module file_path="."
2024-10-15T12:50:34Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="lambda_function_name"
2024-10-15T12:50:34Z INFO Number of language-specific files num=0
2024-10-15T12:50:34Z INFO Detected config files num=2
trivy_exitcode=1
```
</details>

#### `Checkov Scan` Failed

<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/delius-mis/modules/mis_environment
terraform/modules/schedule_alarms_lambda

*****************************

Running Checkov in terraform/environments/delius-mis/modules/mis_environment
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-10-15 12:50:37,109 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance:None (for external modules, the --download-external-modules flag is required)
2024-10-15 12:50:37,109 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0:None (for external modules, the --download-external-modules flag is required)
2024-10-15 12:50:37,109 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=c918b2189d9f81d224e07e98fa1bc9ff38e4ba12:None (for external modules, the --download-external-modules flag is required)
2024-10-15 12:50:37,110 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 916, Failed checks: 128, Skipped checks: 2

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.oracle_db_boe.instance
	File: /../../../delius-core/modules/components/oracle_db_instance/instance.tf:23-66
	Calling File: /databases.tf:94-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		23 | module "instance" {
		24 |   source = "github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance"
		25 | 
		26 |   providers = {
		27 |     aws.core-vpc = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		28 |   }
		29 | 
		30 |   name = "${var.account_info.application_name}-${var.env_name}-${var.db_suffix}-${local.instance_name_index}" # e.g. dev-boe-db-1
		31 | 
		32 |   ami_name                      = data.aws_ami.oracle_db.name
		33 |   ami_owner                     = var.db_ami.owner
		34 |   instance                      = local.instance_config
		35 |   ebs_kms_key_id                = var.account_config.kms_keys.general_shared
		36 |   ebs_volumes_copy_all_from_ami = true
		37 |   ebs_volume_config             = var.ebs_volume_config
		38 |   ebs_volumes                   = var.ebs_volumes
		39 |   ebs_volume_tags               = var.tags
		40 |   # route53_records               = merge(local.ec2_test.route53_records, lookup(each.value, "route53_records", {})) # revist
		41 |   route53_records = {
		42 |     create_internal_record = false
		43 |     create_external_record = false
		44 |   }
		45 |   iam_resource_names_prefix = "instance"
		46 |   instance_profile_policies = var.instance_profile_policies
		47 | 
		48 |   user_data_raw = base64encode(var.user_data)
		49 | 
		50 |   business_unit     = var.account_info.business_unit
		51 |   application_name  = var.account_info.application_name
		52 |   environment       = var.account_info.mp_environment
		53 |   region            = "eu-west-2"
		54 |   availability_zone = var.availability_zone
		55 |   subnet_id         = var.subnet_id
		56 |   tags = merge(var.tags,
		57 |     { Name = "${var.account_info.application_name}-${var.env_name}-${var.db_suffix}-${local.instance_name_index}" },
		58 |     { server-type = var.server_type_tag },
		59 |     { database = local.database_tag },
		60 |     var.enable_platform_backups != null ? { "backup" = var.enable_platform_backups ? "true" : "false" } : {}
		61 |   )
		62 | 
		63 |   cloudwatch_metric_alarms = merge(
		64 |     local.cloudwatch_metric_alarms.ec2
		65 |   )
		66 | }

Check: CKV_TF_2: "Ensure Terraform module sources use a tag with a version number"
	FAILED for resource: module.oracle_db_boe.instance
	File: /../../../delius-core/modules/components/oracle_db_instance/instance.tf:23-66
	Calling File: /databases.tf:94-145
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-tag

		23 | module "instance" {
		24 |   source = "github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance"
		25 | 
		26 |   providers = {
		27 |     aws.core-vpc = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		28 |   }
		29 | 
		30 |   name = "${var.account_info.application_name}-${var.env_name}-${var.db_suffix}-${local.instance_name_index}" # e.g. dev-boe-db-1
		31 | 
		32 |   ami_name                      = data.aws_ami.oracle_db.name
		33 |   ami_owner                     = var.db_ami.owner
		34 |   instance                      = local.instance_config
		35 |   ebs_kms_key_id                = var.account_config.kms_keys.general_shared
		36 |   ebs_volumes_copy_all_from_ami = true
		37 |   ebs_volume_config             = var.ebs_volume_config
		38 |   ebs_volumes                   = var.ebs_volumes
		39 |   ebs_volume_tags               = var.tags
		40 |   # route53_records               = merge(local.ec2_test.route53_records, lookup(each.value, "route53_records", {})) # revist
		41 |   route53_records = {
		42 |     create_internal_record = false
		43 |     create_external_record = false
		44 |   }
		45 |   iam_resource_names_prefix = "instance"
		46 |   instance_profile_policies = var.instance_profile_policies
		47 | 
		48 |   user_data_raw = base64encode(var.user_data)
		49 | 
		50 |   business_unit     = var.account_info.business_unit
		51 |   application_name  = var.account_info.application_name
		52 |   environment       = var.account_info.mp_environment
		53 |   region            = "eu-west-2"
		54 |   availability_zone = var.availability_zone
		55 |   subnet_id         = var.subnet_id
		56 |   tags = merge(var.tags,
		57 |     { Name = "${var.account_info.application_name}-${var.env_name}-${var.db_suffix}-${local.instance_name_index}" },
		58 |     { server-type = var.server_type_tag },
		59 |     { database = local.database_tag },
		60 |     var.enable_platform_backups != null ? { "backup" = var.enable_platform_backups ? "true" : "false" } : {}
		61 |   )
		62 | 
		63 |   cloudwatch_metric_alarms = merge(
		64 |     local.cloudwatch_metric_alarms.ec2
		65 |   )
		66 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.oracle_db_dsd.instance
	File: /../../../delius-core/modules/components/oracle_db_instance/instance.tf:23-66
	Calling File: /databases.tf:39-91
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		23 | module "instance" {
		24 |   source = "github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance"
		25 | 
		26 |   providers = {
		27 |     aws.core-vpc = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		28 |   }
		29 | 
		30 |   name = "${var.account_info.application_name}-${var.env_name}-${var.db_suffix}-${local.instance_name_index}" # e.g. dev-boe-db-1
		31 | 
		32 |   ami_name                      = data.aws_ami.oracle_db.name
		33 |   ami_owner                     = var.db_ami.owner
		34 |   instance                      = local.instance_config
		35 |   ebs_kms_key_id                = var.account_config.kms_keys.general_shared
		36 |   ebs_volumes_copy_all_from_ami = true
		37 |   ebs_volume_config             = var.ebs_volume_config
		38 |   ebs_volumes                   = var.ebs_volumes
		39 |   ebs_volume_tags               = var.tags
		40 |   # route53_records               = merge(local.ec2_test.route53_records, lookup(each.value, "route53_records", {})) # revist
		41 |   route53_records = {
		42 |     create_internal_record = false
		43 |     create_external_record = false
		44 |   }
		45 |   iam_resource_names_prefix = "instance"
		46 |   instance_profile_policies = var.instance_profile_policies
		47 | 
		48 |   user_data_raw = base64encode(var.user_data)
		49 | 
		50 |   business_unit     = var.account_info.business_unit
		51 |   application_name  = var.account_info.application_name
		52 |   environment       = var.account_info.mp_environment
		53 |   region            = "eu-west-2"
		54 |   availability_zone = var.availability_zone
		55 |   subnet_id         = var.subnet_id
		56 |   tags = merge(var.tags,
		57 |     { Name = "${var.account_info.application_name}-${var.env_name}-${var.db_suffix}-${local.instance_name_index}" },
		58 |     { server-type = var.server_type_tag },
		59 |     { database = local.database_tag },
		60 |     var.enable_platform_backups != null ? { "backup" = var.enable_platform_backups ? "true" : "false" } : {}
		61 |   )
		62 | 
		63 |   cloudwatch_metric_alarms = merge(
		64 |     local.cloudwatch_metric_alarms.ec2
		65 |   )
		66 | }

Check: CKV_TF_2: "Ensure Terraform module sources use a tag with a version number"
	FAILED for resource: module.oracle_db_dsd.instance
	File: /../../../delius-core/modules/components/oracle_db_instance/instance.tf:23-66
	Calling File: /databases.tf:39-91
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-tag

		23 | module "instance" {
		24 |   source = "github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance"
		25 | 
		26 |   providers = {
		27 |     aws.core-vpc = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		28 |   }
		29 | 
		30 |   name = "${var.account_info.application_name}-${var.env_name}-${var.db_suffix}-${local.instance_name_index}" # e.g. dev-boe-db-1
		31 | 
		32 |   ami_name                      = data.aws_ami.oracle_db.name
		33 |   ami_owner                     = var.db_ami.owner
		34 |   instance                      = local.instance_config
		35 |   ebs_kms_key_id                = var.account_config.kms_keys.general_shared
		36 |   ebs_volumes_copy_all_from_ami = true
		37 |   ebs_volume_config             = var.ebs_volume_config
		38 |   ebs_volumes                   = var.ebs_volumes
		39 |   ebs_volume_tags               = var.tags
		40 |   # route53_records               = merge(local.ec2_test.route53_records, lookup(each.value, "route53_records", {})) # revist
		41 |   route53_records = {
		42 |     create_internal_record = false
		43 |     create_external_record = false
		44 |   }
		45 |   iam_resource_names_prefix = "instance"
		46 |   instance_profile_policies = var.instance_profile_policies
		47 | 
		48 |   user_data_raw = base64encode(var.user_data)
		49 | 
		50 |   business_unit     = var.account_info.business_unit
		51 |   application_name  = var.account_info.application_name
		52 |   environment       = var.account_info.mp_environment
		53 |   region            = "eu-west-2"
		54 |   availability_zone = var.availability_zone
		55 |   subnet_id         = var.subnet_id
		56 |   tags = merge(var.tags,
		57 |     { Name = "${var.account_info.application_name}-${var.env_name}-${var.db_suffix}-${local.instance_name_index}" },
		58 |     { server-type = var.server_type_tag },
		59 |     { database = local.database_tag },
		60 |     var.enable_platform_backups != null ? { "backup" = var.enable_platform_backups ? "true" : "false" } : {}
		61 |   )
		62 | 
		63 |   cloudwatch_metric_alarms = merge(
		64 |     local.cloudwatch_metric_alarms.ec2
		65 |   )
		66 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.oracle_db_mis.instance
	File: /../../../delius-core/modules/components/oracle_db_instance/instance.tf:23-66
	Calling File: /databases.tf:148-199
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		23 | module "instance" {
		24 |   source = "github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance"
		25 | 
		26 |   providers = {
		27 |     aws.core-vpc = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		28 |   }
		29 | 
		30 |   name = "${var.account_info.application_name}-${var.env_name}-${var.db_suffix}-${local.instance_name_index}" # e.g. dev-boe-db-1
		31 | 
		32 |   ami_name                      = data.aws_ami.oracle_db.name
		33 |   ami_owner                     = var.db_ami.owner
		34 |   instance                      = local.instance_config
		35 |   ebs_kms_key_id                = var.account_config.kms_keys.general_shared
		36 |   ebs_volumes_copy_all_from_ami = true
		37 |   ebs_volume_config             = var.ebs_volume_config
		38 |   ebs_volumes                   = var.ebs_volumes
		39 |   ebs_volume_tags               = var.tags
		40 |   # route53_records               = merge(local.ec2_test.route53_records, lookup(each.value, "route53_records", {})) # revist
		41 |   route53_records = {
		42 |     create_internal_record = false
		43 |     create_external_record = false
		44 |   }
		45 |   iam_resource_names_prefix = "instance"
		46 |   instance_profile_policies = var.instance_profile_policies
		47 | 
		48 |   user_data_raw = base64encode(var.user_data)
		49 | 
		50 |   business_unit     = var.account_info.business_unit
		51 |   application_name  = var.account_info.application_name
		52 |   environment       = var.account_info.mp_environment
		53 |   region            = "eu-west-2"
		54 |   availability_zone = var.availability_zone
		55 |   subnet_id         = var.subnet_id
		56 |   tags = merge(var.tags,
		57 |     { Name = "${var.account_info.application_name}-${var.env_name}-${var.db_suffix}-${local.instance_name_index}" },
		58 |     { server-type = var.server_type_tag },
		59 |     { database = local.database_tag },
		60 |     var.enable_platform_backups != null ? { "backup" = var.enable_platform_backups ? "true" : "false" } : {}
		61 |   )
		62 | 
		63 |   cloudwatch_metric_alarms = merge(
		64 |     local.cloudwatch_metric_alarms.ec2
		65 |   )
		66 | }

Check: CKV_TF_2: "Ensure Terraform module sources use a tag with a version number"
	FAILED for resource: module.oracle_db_mis.instance
	File: /../../../delius-core/modules/components/oracle_db_instance/instance.tf:23-66
	Calling File: /databases.tf:148-199
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-tag

		23 | module "instance" {
		24 |   source = "github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance"
		25 | 
		26 |   providers = {
		27 |     aws.core-vpc = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		28 |   }
		29 | 
		30 |   name = "${var.account_info.application_name}-${var.env_name}-${var.db_suffix}-${local.instance_name_index}" # e.g. dev-boe-db-1
		31 | 
		32 |   ami_name                      = data.aws_ami.oracle_db.name
		33 |   ami_owner                     = var.db_ami.owner
		34 |   instance                      = local.instance_config
		35 |   ebs_kms_key_id                = var.account_config.kms_keys.general_shared
		36 |   ebs_volumes_copy_all_from_ami = true
		37 |   ebs_volume_config             = var.ebs_volume_config
		38 |   ebs_volumes                   = var.ebs_volumes
		39 |   ebs_volume_tags               = var.tags
		40 |   # route53_records               = merge(local.ec2_test.route53_records, lookup(each.value, "route53_records", {})) # revist
		41 |   route53_records = {
		42 |     create_internal_record = false
		43 |     create_external_record = false
		44 |   }
		45 |   iam_resource_names_prefix = "instance"
		46 |   instance_profile_policies = var.instance_profile_policies
		47 | 
		48 |   user_data_raw = base64encode(var.user_data)
		49 | 
		50 |   business_unit     = var.account_info.business_unit
		51 |   application_name  = var.account_info.application_name
		52 |   environment       = var.account_info.mp_environment
		53 |   region            = "eu-west-2"
		54 |   availability_zone = var.availability_zone
		55 |   subnet_id         = var.subnet_id
		56 |   tags = merge(var.tags,
		57 |     { Name = "${var.account_info.application_name}-${var.env_name}-${var.db_suffix}-${local.instance_name_index}" },
		58 |     { server-type = var.server_type_tag },
		59 |     { database = local.database_tag },
		60 |     var.enable_platform_backups != null ? { "backup" = var.enable_platform_backups ? "true" : "false" } : {}
		61 |   )
		62 | 
		63 |   cloudwatch_metric_alarms = merge(
		64 |     local.cloudwatch_metric_alarms.ec2
		65 |   )
		66 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: module.oracle_db_shared["boe-db"].aws_iam_policy_document.allow_access_to_ssm_parameter_store
	File: /../../../delius-core/modules/components/oracle_db_shared/iam.tf:90-99
	Calling File: /databases.tf:13-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		90 | data "aws_iam_policy_document" "allow_access_to_ssm_parameter_store" {
		91 |   statement {
		92 |     sid    = "AllowAccessToSsmParameterStore"
		93 |     effect = "Allow"
		94 |     actions = [
		95 |       "ssm:PutParameter"
		96 |     ]
		97 |     resources = ["*"]
		98 |   }
		99 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.oracle_db_shared["boe-db"].aws_iam_policy_document.allow_access_to_ssm_parameter_store
	File: /../../../delius-core/modules/components/oracle_db_shared/iam.tf:90-99
	Calling File: /databases.tf:13-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		90 | data "aws_iam_policy_document" "allow_access_to_ssm_parameter_store" {
		91 |   statement {
		92 |     sid    = "AllowAccessToSsmParameterStore"
		93 |     effect = "Allow"
		94 |     actions = [
		95 |       "ssm:PutParameter"
		96 |     ]
		97 |     resources = ["*"]
		98 |   }
		99 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: module.oracle_db_shared["boe-db"].aws_iam_policy_document.instance_ssm
	File: /../../../delius-core/modules/components/oracle_db_shared/iam.tf:170-220
	Calling File: /databases.tf:13-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.oracle_db_shared["boe-db"].aws_iam_policy_document.instance_ssm
	File: /../../../delius-core/modules/components/oracle_db_shared/iam.tf:170-220
	Calling File: /databases.tf:13-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_108: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: module.oracle_db_shared["boe-db"].aws_iam_policy_document.instance_ssm
	File: /../../../delius-core/modules/components/oracle_db_shared/iam.tf:170-220
	Calling File: /databases.tf:13-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-data-exfiltration

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.oracle_db_shared["boe-db"].s3_bucket_oracledb_backups
	File: /../../../delius-core/modules/components/oracle_db_shared/s3.tf:22-62
	Calling File: /databases.tf:13-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		22 | module "s3_bucket_oracledb_backups" {
		23 |   source              = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0"
		24 |   bucket_name         = local.oracle_backup_bucket_prefix
		25 |   versioning_enabled  = false
		26 |   ownership_controls  = "BucketOwnerEnforced"
		27 |   replication_enabled = false
		28 |   custom_kms_key      = var.account_config.kms_keys.general_shared
		29 |   bucket_policy = try([data.aws_iam_policy_document.s3_bucket_oracledb_backups[0].json], [
		30 |     "{}"
		31 |   ])
		32 | 
		33 |   providers = {
		34 |     aws.bucket-replication = aws.bucket-replication
		35 |   }
		36 | 
		37 |   lifecycle_rule = [
		38 |     {
		39 |       id      = "main"
		40 |       enabled = "Enabled"
		41 |       prefix  = ""
		42 | 
		43 |       tags = {
		44 |         rule      = "log"
		45 |         autoclean = "true"
		46 |       }
		47 | 
		48 |       transition = [
		49 |         {
		50 |           days          = 90
		51 |           storage_class = "STANDARD_IA"
		52 |         }
		53 |       ]
		54 | 
		55 |       expiration = {
		56 |         days = 365
		57 |       }
		58 |     }
		59 |   ]
		60 | 
		61 |   tags = var.tags
		62 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.oracle_db_shared["boe-db"].s3_bucket_oracle_statistics
	File: /../../../delius-core/modules/components/oracle_db_shared/s3.tf:334-375
	Calling File: /databases.tf:13-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		334 | module "s3_bucket_oracle_statistics" {
		335 |   count = var.deploy_oracle_stats ? 1 : 0
		336 | 
		337 |   source              = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0"
		338 |   bucket_name         = "${var.account_info.application_name}-${var.env_name}-oracle-${var.db_suffix}-statistics-backup-data"
		339 |   versioning_enabled  = false
		340 |   ownership_controls  = "BucketOwnerEnforced"
		341 |   replication_enabled = false
		342 |   custom_kms_key      = var.account_config.kms_keys.general_shared
		343 |   bucket_policy = try([data.aws_iam_policy_document.s3_bucket_oracle_statistics[0].json], [
		344 |     "{}"
		345 |   ])
		346 |   providers = {
		347 |     aws.bucket-replication = aws.bucket-replication
		348 |   }
		349 | 
		350 |   lifecycle_rule = [
		351 |     {
		352 |       id      = "main"
		353 |       enabled = "Enabled"
		354 |       prefix  = ""
		355 | 
		356 |       tags = {
		357 |         rule      = "log"
		358 |         autoclean = "true"
		359 |       }
		360 | 
		361 |       transition = [
		362 |         {
		363 |           days          = 90
		364 |           storage_class = "STANDARD_IA"
		365 |         }
		366 |       ]
		367 | 
		368 |       expiration = {
		369 |         days = 365
		370 |       }
		371 |     }
		372 |   ]
		373 | 
		374 |   tags = var.tags
		375 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.oracle_db_shared["boe-db"].aws_iam_policy_document.database_dba_passwords
	File: /../../../delius-core/modules/components/oracle_db_shared/secrets.tf:15-26
	Calling File: /databases.tf:13-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		15 | data "aws_iam_policy_document" "database_dba_passwords" {
		16 |   statement {
		17 |     sid    = "OemAWSAccountToReadTheSecret"
		18 |     effect = "Allow"
		19 |     principals {
		20 |       type        = "AWS"
		21 |       identifiers = ["arn:aws:iam::${local.oem_account_id}:role/EC2OracleEnterpriseManagementSecretsRole"]
		22 |     }
		23 |     actions   = ["secretsmanager:GetSecretValue"]
		24 |     resources = ["*"]
		25 |   }
		26 | }

Check: CKV_AWS_108: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: module.oracle_db_shared["boe-db"].aws_iam_policy_document.database_dba_passwords
	File: /../../../delius-core/modules/components/oracle_db_shared/secrets.tf:15-26
	Calling File: /databases.tf:13-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-data-exfiltration

		15 | data "aws_iam_policy_document" "database_dba_passwords" {
		16 |   statement {
		17 |     sid    = "OemAWSAccountToReadTheSecret"
		18 |     effect = "Allow"
		19 |     principals {
		20 |       type        = "AWS"
		21 |       identifiers = ["arn:aws:iam::${local.oem_account_id}:role/EC2OracleEnterpriseManagementSecretsRole"]
		22 |     }
		23 |     actions   = ["secretsmanager:GetSecretValue"]
		24 |     resources = ["*"]
		25 |   }
		26 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: module.oracle_db_shared["boe-db"].aws_vpc_security_group_ingress_rule.delius_db_security_group_ssh_ingress_bastion
	File: /../../../delius-core/modules/components/oracle_db_shared/sg.tf:76-83
	Calling File: /databases.tf:13-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		76 | resource "aws_vpc_security_group_ingress_rule" "delius_db_security_group_ssh_ingress_bastion" {
		77 |   security_group_id            = aws_security_group.db_ec2.id
		78 |   description                  = "bastion to testing db"
		79 |   from_port                    = 22
		80 |   to_port                      = 22
		81 |   ip_protocol                  = "tcp"
		82 |   referenced_security_group_id = var.bastion_sg_id
		83 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: module.oracle_db_shared["boe-db"].aws_vpc_security_group_ingress_rule.delius_db_oem_db
	File: /../../../delius-core/modules/components/oracle_db_shared/sg.tf:85-91
	Calling File: /databases.tf:13-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		85 | resource "aws_vpc_security_group_ingress_rule" "delius_db_oem_db" {
		86 |   ip_protocol       = "tcp"
		87 |   from_port         = local.db_port
		88 |   to_port           = local.db_tcps_port
		89 |   cidr_ipv4         = var.account_config.shared_vpc_cidr
		90 |   security_group_id = aws_security_group.db_ec2.id
		91 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: module.oracle_db_shared["boe-db"].aws_vpc_security_group_ingress_rule.delius_db_oem_agent
	File: /../../../delius-core/modules/components/oracle_db_shared/sg.tf:105-111
	Calling File: /databases.tf:13-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		105 | resource "aws_vpc_security_group_ingress_rule" "delius_db_oem_agent" {
		106 |   ip_protocol       = "tcp"
		107 |   from_port         = 3872
		108 |   to_port           = 3872
		109 |   cidr_ipv4         = var.account_config.shared_vpc_cidr
		110 |   security_group_id = aws_security_group.db_ec2.id
		111 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: module.oracle_db_shared["boe-db"].aws_vpc_security_group_egress_rule.delius_db_oem_upload
	File: /../../../delius-core/modules/components/oracle_db_shared/sg.tf:113-119
	Calling File: /databases.tf:13-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		113 | resource "aws_vpc_security_group_egress_rule" "delius_db_oem_upload" {
		114 |   ip_protocol       = "tcp"
		115 |   from_port         = 4903
		116 |   to_port           = 4903
		117 |   cidr_ipv4         = var.account_config.shared_vpc_cidr
		118 |   security_group_id = aws_security_group.db_ec2.id
		119 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: module.oracle_db_shared["boe-db"].aws_vpc_security_group_egress_rule.delius_db_oem_console
	File: /../../../delius-core/modules/components/oracle_db_shared/sg.tf:121-128
	Calling File: /databases.tf:13-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		121 | resource "aws_vpc_security_group_egress_rule" "delius_db_oem_console" {
		122 |   ip_protocol = "tcp"
		123 |   from_port   = 7803
		124 |   to_port     = 7803
		125 |   cidr_ipv4   = var.account_config.shared_vpc_cidr
		126 | 
		127 |   security_group_id = aws_security_group.db_ec2.id
		128 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.oracle_db_shared["boe-db"].s3_bucket_ssh_keys
	File: /../../../delius-core/modules/components/oracle_db_shared/ssh_keys.tf:2-45
	Calling File: /databases.tf:13-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		2  | module "s3_bucket_ssh_keys" {
		3  | 
		4  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0"
		5  | 
		6  |   bucket_name = "${var.account_info.application_name}-${var.env_name}-oracle-${var.db_suffix}-ssh-keys"
		7  | 
		8  |   versioning_enabled  = false
		9  |   ownership_controls  = "BucketOwnerEnforced"
		10 |   replication_enabled = false
		11 |   custom_kms_key      = var.account_config.kms_keys.general_shared
		12 | 
		13 |   providers = {
		14 |     aws.bucket-replication = aws.bucket-replication
		15 |   }
		16 | 
		17 |   lifecycle_rule = [
		18 |     {
		19 |       id      = "main"
		20 |       enabled = "Enabled"
		21 |       prefix  = ""
		22 | 
		23 |       tags = {
		24 |         rule      = "log"
		25 |         autoclean = "true"
		26 |       }
		27 | 
		28 |       noncurrent_version_transition = [
		29 |         {
		30 |           days          = 90
		31 |           storage_class = "STANDARD_IA"
		32 |           }, {
		33 |           days          = 365
		34 |           storage_class = "GLACIER"
		35 |         }
		36 |       ]
		37 | 
		38 |       noncurrent_version_expiration = {
		39 |         days = 730
		40 |       }
		41 |     }
		42 |   ]
		43 | 
		44 |   tags = var.tags
		45 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: module.oracle_db_shared["boe-db"].aws_ssm_parameter.rman_password
	File: /../../../delius-core/modules/components/oracle_db_shared/ssm.tf:1-10
	Calling File: /databases.tf:13-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		1  | resource "aws_ssm_parameter" "rman_password" {
		2  |   name  = "/${var.account_info.application_name}-${var.env_name}/delius/oracle-${var.db_suffix}-operation/rman/rman_password"
		3  |   type  = "SecureString"
		4  |   value = "REPLACE"
		5  |   lifecycle {
		6  |     ignore_changes = [
		7  |       value,
		8  |     ]
		9  |   }
		10 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.bcs
	File: /bcs.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		1 | resource "aws_security_group" "bcs" {
		2 |   name_prefix = "${var.env_name}-bcs"
		3 |   vpc_id      = var.account_info.vpc_id
		4 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: bcs_instance
	File: /bcs.tf:6-61
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_TF_2: "Ensure Terraform module sources use a tag with a version number"
	FAILED for resource: bcs_instance
	File: /bcs.tf:6-61
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-tag

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.bps
	File: /bps.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		1 | resource "aws_security_group" "bps" {
		2 |   name_prefix = "${var.env_name}-bps"
		3 |   vpc_id      = var.account_info.vpc_id
		4 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: bps_instance
	File: /bps.tf:6-61
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_TF_2: "Ensure Terraform module sources use a tag with a version number"
	FAILED for resource: bps_instance
	File: /bps.tf:6-61
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-tag

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.bws
	File: /bws.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		1 | resource "aws_security_group" "bws" {
		2 |   name_prefix = "${var.env_name}-bws"
		3 |   vpc_id      = var.account_info.vpc_id
		4 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: bws_instance
	File: /bws.tf:6-61
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_TF_2: "Ensure Terraform module sources use a tag with a version number"
	FAILED for resource: bws_instance
	File: /bws.tf:6-61
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-tag

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.ad_admin_password
	File: /directory_service.tf:29-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		29 | resource "aws_secretsmanager_secret" "ad_admin_password" {
		30 |   name                    = "${var.app_name}-${var.env_name}-ad-admin-password"
		31 |   recovery_window_in_days = 0
		32 | 
		33 |   tags = merge(
		34 |     var.tags,
		35 |     {
		36 |       Name = "${var.app_name}-${var.env_name}-ad-admin-password"
		37 |     }
		38 |   )
		39 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.active_directory
	File: /directory_service.tf:49-52
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		49 | resource "aws_cloudwatch_log_group" "active_directory" {
		50 |   name              = "/aws/directoryservice/${aws_directory_service_directory.mis_ad.id}"
		51 |   retention_in_days = 14
		52 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.active_directory
	File: /directory_service.tf:49-52
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		49 | resource "aws_cloudwatch_log_group" "active_directory" {
		50 |   name              = "/aws/directoryservice/${aws_directory_service_directory.mis_ad.id}"
		51 |   retention_in_days = 14
		52 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.dis
	File: /dis.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		1 | resource "aws_security_group" "dis" {
		2 |   name_prefix = "${var.env_name}-dis"
		3 |   vpc_id      = var.account_info.vpc_id
		4 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: dis_instance
	File: /dis.tf:6-61
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_TF_2: "Ensure Terraform module sources use a tag with a version number"
	FAILED for resource: dis_instance
	File: /dis.tf:6-61
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-tag

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.delius_mis_alarms
	File: /pagerduty.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		1  | resource "aws_sns_topic" "delius_mis_alarms" {
		2  |   name = "${var.app_name}-${var.env_name}-sns-topic"
		3  | 
		4  |   tags = merge(
		5  |     var.tags,
		6  |     {
		7  |       Name = "${var.app_name}-${var.env_name}-sns-topic"
		8  |     }
		9  |   )
		10 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: pagerduty_core_alerts
	File: /pagerduty.tf:12-21
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		12 | module "pagerduty_core_alerts" {
		13 | 
		14 |   depends_on = [
		15 |     aws_sns_topic.delius_mis_alarms
		16 |   ]
		17 | 
		18 |   source                    = "github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0"
		19 |   sns_topics                = [aws_sns_topic.delius_mis_alarms.name]
		20 |   pagerduty_integration_key = var.pagerduty_integration_key
		21 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_ingress_rule.icmp
	File: /sg_legacy.tf:8-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		8  | resource "aws_vpc_security_group_ingress_rule" "icmp" {
		9  |   security_group_id = aws_security_group.legacy.id
		10 |   cidr_ipv4         = var.environment_config.legacy_counterpart_vpc_cidr
		11 |   ip_protocol       = "icmp"
		12 |   from_port         = -1
		13 |   to_port           = -1
		14 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.icmp
	File: /sg_legacy.tf:16-22
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		16 | resource "aws_vpc_security_group_egress_rule" "icmp" {
		17 |   security_group_id = aws_security_group.legacy.id
		18 |   cidr_ipv4         = var.environment_config.legacy_counterpart_vpc_cidr
		19 |   ip_protocol       = "icmp"
		20 |   from_port         = -1
		21 |   to_port           = -1
		22 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.http_s
	File: /sg_shared.tf:8-16
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		8  | resource "aws_vpc_security_group_egress_rule" "http_s" {
		9  |   for_each = toset(["80", "443"])
		10 | 
		11 |   security_group_id = aws_security_group.mis_ec2_shared.id
		12 |   cidr_ipv4         = "0.0.0.0/0"
		13 |   ip_protocol       = "tcp"
		14 |   from_port         = each.key
		15 |   to_port           = each.key
		16 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.fleet_manager
	File: /sg_shared.tf:18-24
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		18 | resource "aws_vpc_security_group_egress_rule" "fleet_manager" {
		19 |   security_group_id = aws_security_group.mis_ec2_shared.id
		20 |   cidr_ipv4         = "0.0.0.0/0"
		21 |   ip_protocol       = "tcp"
		22 |   from_port         = 3389
		23 |   to_port           = 3389
		24 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_ingress_rule.fleet_manager
	File: /sg_shared.tf:26-32
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		26 | resource "aws_vpc_security_group_ingress_rule" "fleet_manager" {
		27 |   security_group_id = aws_security_group.mis_ec2_shared.id
		28 |   cidr_ipv4         = "0.0.0.0/0"
		29 |   ip_protocol       = "tcp"
		30 |   from_port         = 3389
		31 |   to_port           = 3389
		32 | }

Check: CKV_AWS_25: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389"
	FAILED for resource: aws_vpc_security_group_ingress_rule.fleet_manager
	File: /sg_shared.tf:26-32
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-2

		26 | resource "aws_vpc_security_group_ingress_rule" "fleet_manager" {
		27 |   security_group_id = aws_security_group.mis_ec2_shared.id
		28 |   cidr_ipv4         = "0.0.0.0/0"
		29 |   ip_protocol       = "tcp"
		30 |   from_port         = 3389
		31 |   to_port           = 3389
		32 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3_bucket_ssm_sessions
	File: /ssm.tf:4-16
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		4  | module "s3_bucket_ssm_sessions" {
		5  | 
		6  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0"
		7  | 
		8  |   bucket_prefix      = "${var.account_info.application_name}-${var.env_name}-ssm-sessions"
		9  |   versioning_enabled = false
		10 | 
		11 |   providers = {
		12 |     aws.bucket-replication = aws
		13 |   }
		14 | 
		15 |   tags = var.tags
		16 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: module.cloudwatch_alarms_disable.aws_lambda_function.disable_alarms
	File: /../../../../modules/disable_alarms_lambda/main.tf:8-25
	Calling File: /cloudwatch_disable.tf:1-7
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		8  | resource "aws_lambda_function" "disable_alarms" {
		9  |   filename         = "${path.module}/lambda/disable_alarms.zip"
		10 |   function_name    = var.lambda_function_name
		11 |   architectures    = ["arm64"]
		12 |   role             = aws_iam_role.lambda_exec.arn
		13 |   runtime          = "python3.12"
		14 |   handler          = "disable_alarms.lambda_handler"
		15 |   source_code_hash = data.archive_file.lambda_function_payload.output_base64sha256
		16 | 
		17 |   environment {
		18 |     variables = {
		19 |       LOG_LEVEL       = var.lambda_log_level
		20 |       SPECIFIC_ALARMS = tostring(join(",", var.alarm_list))
		21 |     }
		22 |   }
		23 | 
		24 |   tags = var.tags
		25 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: module.cloudwatch_alarms_disable.aws_lambda_function.disable_alarms
	File: /../../../../modules/disable_alarms_lambda/main.tf:8-25
	Calling File: /cloudwatch_disable.tf:1-7
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		8  | resource "aws_lambda_function" "disable_alarms" {
		9  |   filename         = "${path.module}/lambda/disable_alarms.zip"
		10 |   function_name    = var.lambda_function_name
		11 |   architectures    = ["arm64"]
		12 |   role             = aws_iam_role.lambda_exec.arn
		13 |   runtime          = "python3.12"
		14 |   handler          = "disable_alarms.lambda_handler"
		15 |   source_code_hash = data.archive_file.lambda_function_payload.output_base64sha256
		16 | 
		17 |   environment {
		18 |     variables = {
		19 |       LOG_LEVEL       = var.lambda_log_level
		20 |       SPECIFIC_ALARMS = tostring(join(",", var.alarm_list))
		21 |     }
		22 |   }
		23 | 
		24 |   tags = var.tags
		25 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: module.cloudwatch_alarms_disable.aws_lambda_function.disable_alarms
	File: /../../../../modules/disable_alarms_lambda/main.tf:8-25
	Calling File: /cloudwatch_disable.tf:1-7
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		8  | resource "aws_lambda_function" "disable_alarms" {
		9  |   filename         = "${path.module}/lambda/disable_alarms.zip"
		10 |   function_name    = var.lambda_function_name
		11 |   architectures    = ["arm64"]
		12 |   role             = aws_iam_role.lambda_exec.arn
		13 |   runtime          = "python3.12"
		14 |   handler          = "disable_alarms.lambda_handler"
		15 |   source_code_hash = data.archive_file.lambda_function_payload.output_base64sha256
		16 | 
		17 |   environment {
		18 |     variables = {
		19 |       LOG_LEVEL       = var.lambda_log_level
		20 |       SPECIFIC_ALARMS = tostring(join(",", var.alarm_list))
		21 |     }
		22 |   }
		23 | 
		24 |   tags = var.tags
		25 | }

Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
	FAILED for resource: module.cloudwatch_alarms_disable.aws_lambda_function.disable_alarms
	File: /../../../../modules/disable_alarms_lambda/main.tf:8-25
	Calling File: /cloudwatch_disable.tf:1-7
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1

		8  | resource "aws_lambda_function" "disable_alarms" {
		9  |   filename         = "${path.module}/lambda/disable_alarms.zip"
		10 |   function_name    = var.lambda_function_name
		11 |   architectures    = ["arm64"]
		12 |   role             = aws_iam_role.lambda_exec.arn
		13 |   runtime          = "python3.12"
		14 |   handler          = "disable_alarms.lambda_handler"
		15 |   source_code_hash = data.archive_file.lambda_function_payload.output_base64sha256
		16 | 
		17 |   environment {
		18 |     variables = {
		19 |       LOG_LEVEL       = var.lambda_log_level
		20 |       SPECIFIC_ALARMS = tostring(join(",", var.alarm_list))
		21 |     }
		22 |   }
		23 | 
		24 |   tags = var.tags
		25 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: module.cloudwatch_alarms_disable.aws_lambda_function.disable_alarms
	File: /../../../../modules/disable_alarms_lambda/main.tf:8-25
	Calling File: /cloudwatch_disable.tf:1-7
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		8  | resource "aws_lambda_function" "disable_alarms" {
		9  |   filename         = "${path.module}/lambda/disable_alarms.zip"
		10 |   function_name    = var.lambda_function_name
		11 |   architectures    = ["arm64"]
		12 |   role             = aws_iam_role.lambda_exec.arn
		13 |   runtime          = "python3.12"
		14 |   handler          = "disable_alarms.lambda_handler"
		15 |   source_code_hash = data.archive_file.lambda_function_payload.output_base64sha256
		16 | 
		17 |   environment {
		18 |     variables = {
		19 |       LOG_LEVEL       = var.lambda_log_level
		20 |       SPECIFIC_ALARMS = tostring(join(",", var.alarm_list))
		21 |     }
		22 |   }
		23 | 
		24 |   tags = var.tags
		25 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: module.cloudwatch_alarms_disable.aws_lambda_function.disable_alarms
	File: /../../../../modules/disable_alarms_lambda/main.tf:8-25
	Calling File: /cloudwatch_disable.tf:1-7
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		8  | resource "aws_lambda_function" "disable_alarms" {
		9  |   filename         = "${path.module}/lambda/disable_alarms.zip"
		10 |   function_name    = var.lambda_function_name
		11 |   architectures    = ["arm64"]
		12 |   role             = aws_iam_role.lambda_exec.arn
		13 |   runtime          = "python3.12"
		14 |   handler          = "disable_alarms.lambda_handler"
		15 |   source_code_hash = data.archive_file.lambda_function_payload.output_base64sha256
		16 | 
		17 |   environment {
		18 |     variables = {
		19 |       LOG_LEVEL       = var.lambda_log_level
		20 |       SPECIFIC_ALARMS = tostring(join(",", var.alarm_list))
		21 |     }
		22 |   }
		23 | 
		24 |   tags = var.tags
		25 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: module.cloudwatch_alarms_disable.aws_cloudwatch_log_group.execution_logs
	File: /../../../../modules/disable_alarms_lambda/main.tf:27-32
	Calling File: /cloudwatch_disable.tf:1-7
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		27 | resource "aws_cloudwatch_log_group" "execution_logs" {
		28 |   name              = format("/aws/lambda/%s", var.lambda_function_name)
		29 |   retention_in_days = 7
		30 | 
		31 |   tags = var.tags
		32 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: module.cloudwatch_alarms_disable.aws_cloudwatch_log_group.execution_logs
	File: /../../../../modules/disable_alarms_lambda/main.tf:27-32
	Calling File: /cloudwatch_disable.tf:1-7
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		27 | resource "aws_cloudwatch_log_group" "execution_logs" {
		28 |   name              = format("/aws/lambda/%s", var.lambda_function_name)
		29 |   retention_in_days = 7
		30 | 
		31 |   tags = var.tags
		32 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: module.cloudwatch_alarms_schedule.aws_lambda_function.alarm_scheduler
	File: /../../../../modules/schedule_alarms_lambda/main.tf:8-26
	Calling File: /alarm_scheduler.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		8  | resource "aws_lambda_function" "alarm_scheduler" {
		9  |   filename         = "${path.module}/lambda/alarm_scheduler.zip"
		10 |   function_name    = var.lambda_function_name
		11 |   architectures    = ["arm64"]
		12 |   role             = aws_iam_role.lambda_exec.arn
		13 |   runtime          = "python3.12"
		14 |   handler          = "alarm_scheduler.lambda_handler"
		15 |   source_code_hash = data.archive_file.lambda_function_payload.output_base64sha256
		16 |   timeout          = 10
		17 | 
		18 |   environment {
		19 |     variables = {
		20 |       LOG_LEVEL       = var.lambda_log_level
		21 |       SPECIFIC_ALARMS = tostring(join(",", var.alarm_list))
		22 |     }
		23 |   }
		24 | 
		25 |   tags = var.tags
		26 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: module.cloudwatch_alarms_schedule.aws_lambda_function.alarm_scheduler
	File: /../../../../modules/schedule_alarms_lambda/main.tf:8-26
	Calling File: /alarm_scheduler.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		8  | resource "aws_lambda_function" "alarm_scheduler" {
		9  |   filename         = "${path.module}/lambda/alarm_scheduler.zip"
		10 |   function_name    = var.lambda_function_name
		11 |   architectures    = ["arm64"]
		12 |   role             = aws_iam_role.lambda_exec.arn
		13 |   runtime          = "python3.12"
		14 |   handler          = "alarm_scheduler.lambda_handler"
		15 |   source_code_hash = data.archive_file.lambda_function_payload.output_base64sha256
		16 |   timeout          = 10
		17 | 
		18 |   environment {
		19 |     variables = {
		20 |       LOG_LEVEL       = var.lambda_log_level
		21 |       SPECIFIC_ALARMS = tostring(join(",", var.alarm_list))
		22 |     }
		23 |   }
		24 | 
		25 |   tags = var.tags
		26 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: module.cloudwatch_alarms_schedule.aws_lambda_function.alarm_scheduler
	File: /../../../../modules/schedule_alarms_lambda/main.tf:8-26
	Calling File: /alarm_scheduler.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		8  | resource "aws_lambda_function" "alarm_scheduler" {
		9  |   filename         = "${path.module}/lambda/alarm_scheduler.zip"
		10 |   function_name    = var.lambda_function_name
		11 |   architectures    = ["arm64"]
		12 |   role             = aws_iam_role.lambda_exec.arn
		13 |   runtime          = "python3.12"
		14 |   handler          = "alarm_scheduler.lambda_handler"
		15 |   source_code_hash = data.archive_file.lambda_function_payload.output_base64sha256
		16 |   timeout          = 10
		17 | 
		18 |   environment {
		19 |     variables = {
		20 |       LOG_LEVEL       = var.lambda_log_level
		21 |       SPECIFIC_ALARMS = tostring(join(",", var.alarm_list))
		22 |     }
		23 |   }
		24 | 
		25 |   tags = var.tags
		26 | }

Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
	FAILED for resource: module.cloudwatch_alarms_schedule.aws_lambda_function.alarm_scheduler
	File: /../../../../modules/schedule_alarms_lambda/main.tf:8-26
	Calling File: /alarm_scheduler.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1

		8  | resource "aws_lambda_function" "alarm_scheduler" {
		9  |   filename         = "${path.module}/lambda/alarm_scheduler.zip"
		10 |   function_name    = var.lambda_function_name
		11 |   architectures    = ["arm64"]
		12 |   role             = aws_iam_role.lambda_exec.arn
		13 |   runtime          = "python3.12"
		14 |   handler          = "alarm_scheduler.lambda_handler"
		15 |   source_code_hash = data.archive_file.lambda_function_payload.output_base64sha256
		16 |   timeout          = 10
		17 | 
		18 |   environment {
		19 |     variables = {
		20 |       LOG_LEVEL       = var.lambda_log_level
		21 |       SPECIFIC_ALARMS = tostring(join(",", var.alarm_list))
		22 |     }
		23 |   }
		24 | 
		25 |   tags = var.tags
		26 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: module.cloudwatch_alarms_schedule.aws_lambda_function.alarm_scheduler
	File: /../../../../modules/schedule_alarms_lambda/main.tf:8-26
	Calling File: /alarm_scheduler.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		8  | resource "aws_lambda_function" "alarm_scheduler" {
		9  |   filename         = "${path.module}/lambda/alarm_scheduler.zip"
		10 |   function_name    = var.lambda_function_name
		11 |   architectures    = ["arm64"]
		12 |   role             = aws_iam_role.lambda_exec.arn
		13 |   runtime          = "python3.12"
		14 |   handler          = "alarm_scheduler.lambda_handler"
		15 |   source_code_hash = data.archive_file.lambda_function_payload.output_base64sha256
		16 |   timeout          = 10
		17 | 
		18 |   environment {
		19 |     variables = {
		20 |       LOG_LEVEL       = var.lambda_log_level
		21 |       SPECIFIC_ALARMS = tostring(join(",", var.alarm_list))
		22 |     }
		23 |   }
		24 | 
		25 |   tags = var.tags
		26 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: module.cloudwatch_alarms_schedule.aws_lambda_function.alarm_scheduler
	File: /../../../../modules/schedule_alarms_lambda/main.tf:8-26
	Calling File: /alarm_scheduler.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		8  | resource "aws_lambda_function" "alarm_scheduler" {
		9  |   filename         = "${path.module}/lambda/alarm_scheduler.zip"
		10 |   function_name    = var.lambda_function_name
		11 |   architectures    = ["arm64"]
		12 |   role             = aws_iam_role.lambda_exec.arn
		13 |   runtime          = "python3.12"
		14 |   handler          = "alarm_scheduler.lambda_handler"
		15 |   source_code_hash = data.archive_file.lambda_function_payload.output_base64sha256
		16 |   timeout          = 10
		17 | 
		18 |   environment {
		19 |     variables = {
		20 |       LOG_LEVEL       = var.lambda_log_level
		21 |       SPECIFIC_ALARMS = tostring(join(",", var.alarm_list))
		22 |     }
		23 |   }
		24 | 
		25 |   tags = var.tags
		26 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: module.cloudwatch_alarms_schedule.aws_cloudwatch_log_group.execution_logs
	File: /../../../../modules/schedule_alarms_lambda/main.tf:28-33
	Calling File: /alarm_scheduler.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		28 | resource "aws_cloudwatch_log_group" "execution_logs" {
		29 |   name              = format("/aws/lambda/%s", var.lambda_function_name)
		30 |   retention_in_days = 7
		31 | 
		32 |   tags = var.tags
		33 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: module.cloudwatch_alarms_schedule.aws_cloudwatch_log_group.execution_logs
	File: /../../../../modules/schedule_alarms_lambda/main.tf:28-33
	Calling File: /alarm_scheduler.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		28 | resource "aws_cloudwatch_log_group" "execution_logs" {
		29 |   name              = format("/aws/lambda/%s", var.lambda_function_name)
		30 |   retention_in_days = 7
		31 | 
		32 |   tags = var.tags
		33 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: module.oracle_db_shared["mis-db"].aws_iam_policy_document.allow_access_to_ssm_parameter_store
	File: /../../../delius-core/modules/components/oracle_db_shared/iam.tf:90-99
	Calling File: /databases.tf:13-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		90 | data "aws_iam_policy_document" "allow_access_to_ssm_parameter_store" {
		91 |   statement {
		92 |     sid    = "AllowAccessToSsmParameterStore"
		93 |     effect = "Allow"
		94 |     actions = [
		95 |       "ssm:PutParameter"
		96 |     ]
		97 |     resources = ["*"]
		98 |   }
		99 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.oracle_db_shared["mis-db"].aws_iam_policy_document.allow_access_to_ssm_parameter_store
	File: /../../../delius-core/modules/components/oracle_db_shared/iam.tf:90-99
	Calling File: /databases.tf:13-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		90 | data "aws_iam_policy_document" "allow_access_to_ssm_parameter_store" {
		91 |   statement {
		92 |     sid    = "AllowAccessToSsmParameterStore"
		93 |     effect = "Allow"
		94 |     actions = [
		95 |       "ssm:PutParameter"
		96 |     ]
		97 |     resources = ["*"]
		98 |   }
		99 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: module.oracle_db_shared["mis-db"].aws_iam_policy_document.instance_ssm
	File: /../../../delius-core/modules/components/oracle_db_shared/iam.tf:170-220
	Calling File: /databases.tf:13-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.oracle_db_shared["mis-db"].aws_iam_policy_document.instance_ssm
	File: /../../../delius-core/modules/components/oracle_db_shared/iam.tf:170-220
	Calling File: /databases.tf:13-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_108: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: module.oracle_db_shared["mis-db"].aws_iam_policy_document.instance_ssm
	File: /../../../delius-core/modules/components/oracle_db_shared/iam.tf:170-220
	Calling File: /databases.tf:13-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-data-exfiltration

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.oracle_db_shared["mis-db"].s3_bucket_oracledb_backups
	File: /../../../delius-core/modules/components/oracle_db_shared/s3.tf:22-62
	Calling File: /databases.tf:13-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		22 | module "s3_bucket_oracledb_backups" {
		23 |   source              = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0"
		24 |   bucket_name         = local.oracle_backup_bucket_prefix
		25 |   versioning_enabled  = false
		26 |   ownership_controls  = "BucketOwnerEnforced"
		27 |   replication_enabled = false
		28 |   custom_kms_key      = var.account_config.kms_keys.general_shared
		29 |   bucket_policy = try([data.aws_iam_policy_document.s3_bucket_oracledb_backups[0].json], [
		30 |     "{}"
		31 |   ])
		32 | 
		33 |   providers = {
		34 |     aws.bucket-replication = aws.bucket-replication
		35 |   }
		36 | 
		37 |   lifecycle_rule = [
		38 |     {
		39 |       id      = "main"
		40 |       enabled = "Enabled"
		41 |       prefix  = ""
		42 | 
		43 |       tags = {
		44 |         rule      = "log"
		45 |         autoclean = "true"
		46 |       }
		47 | 
		48 |       transition = [
		49 |         {
		50 |           days          = 90
		51 |           storage_class = "STANDARD_IA"
		52 |         }
		53 |       ]
		54 | 
		55 |       expiration = {
		56 |         days = 365
		57 |       }
		58 |     }
		59 |   ]
		60 | 
		61 |   tags = var.tags
		62 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.oracle_db_shared["mis-db"].s3_bucket_oracle_statistics
	File: /../../../delius-core/modules/components/oracle_db_shared/s3.tf:334-375
	Calling File: /databases.tf:13-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		334 | module "s3_bucket_oracle_statistics" {
		335 |   count = var.deploy_oracle_stats ? 1 : 0
		336 | 
		337 |   source              = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0"
		338 |   bucket_name         = "${var.account_info.application_name}-${var.env_name}-oracle-${var.db_suffix}-statistics-backup-data"
		339 |   versioning_enabled  = false
		340 |   ownership_controls  = "BucketOwnerEnforced"
		341 |   replication_enabled = false
		342 |   custom_kms_key      = var.account_config.kms_keys.general_shared
		343 |   bucket_policy = try([data.aws_iam_policy_document.s3_bucket_oracle_statistics[0].json], [
		344 |     "{}"
		345 |   ])
		346 |   providers = {
		347 |     aws.bucket-replication = aws.bucket-replication
		348 |   }
		349 | 
		350 |   lifecycle_rule = [
		351 |     {
		352 |       id      = "main"
		353 |       enabled = "Enabled"
		354 |       prefix  = ""
		355 | 
		356 |       tags = {
		357 |         rule      = "log"
		358 |         autoclean = "true"
		359 |       }
		360 | 
		361 |       transition = [
		362 |         {
		363 |           days          = 90
		364 |           storage_class = "STANDARD_IA"
		365 |         }
		366 |       ]
		367 | 
		368 |       expiration = {
		369 |         days = 365
		370 |       }
		371 |     }
		372 |   ]
		373 | 
		374 |   tags = var.tags
		375 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.oracle_db_shared["mis-db"].aws_iam_policy_document.database_dba_passwords
	File: /../../../delius-core/modules/components/oracle_db_shared/secrets.tf:15-26
	Calling File: /databases.tf:13-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		15 | data "aws_iam_policy_document" "database_dba_passwords" {
		16 |   statement {
		17 |     sid    = "OemAWSAccountToReadTheSecret"
		18 |     effect = "Allow"
		19 |     principals {
		20 |       type        = "AWS"
		21 |       identifiers = ["arn:aws:iam::${local.oem_account_id}:role/EC2OracleEnterpriseManagementSecretsRole"]
		22 |     }
		23 |     actions   = ["secretsmanager:GetSecretValue"]
		24 |     resources = ["*"]
		25 |   }
		26 | }

Check: CKV_AWS_108: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: module.oracle_db_shared["mis-db"].aws_iam_policy_document.database_dba_passwords
	File: /../../../delius-core/modules/components/oracle_db_shared/secrets.tf:15-26
	Calling File: /databases.tf:13-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-data-exfiltration

		15 | data "aws_iam_policy_document" "database_dba_passwords" {
		16 |   statement {
		17 |     sid    = "OemAWSAccountToReadTheSecret"
		18 |     effect = "Allow"
		19 |     principals {
		20 |       type        = "AWS"
		21 |       identifiers = ["arn:aws:iam::${local.oem_account_id}:role/EC2OracleEnterpriseManagementSecretsRole"]
		22 |     }
		23 |     actions   = ["secretsmanager:GetSecretValue"]
		24 |     resources = ["*"]
		25 |   }
		26 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: module.oracle_db_shared["mis-db"].aws_vpc_security_group_ingress_rule.delius_db_security_group_ssh_ingress_bastion
	File: /../../../delius-core/modules/components/oracle_db_shared/sg.tf:76-83
	Calling File: /databases.tf:13-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		76 | resource "aws_vpc_security_group_ingress_rule" "delius_db_security_group_ssh_ingress_bastion" {
		77 |   security_group_id            = aws_security_group.db_ec2.id
		78 |   description                  = "bastion to testing db"
		79 |   from_port                    = 22
		80 |   to_port                      = 22
		81 |   ip_protocol                  = "tcp"
		82 |   referenced_security_group_id = var.bastion_sg_id
		83 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: module.oracle_db_shared["mis-db"].aws_vpc_security_group_ingress_rule.delius_db_oem_db
	File: /../../../delius-core/modules/components/oracle_db_shared/sg.tf:85-91
	Calling File: /databases.tf:13-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		85 | resource "aws_vpc_security_group_ingress_rule" "delius_db_oem_db" {
		86 |   ip_protocol       = "tcp"
		87 |   from_port         = local.db_port
		88 |   to_port           = local.db_tcps_port
		89 |   cidr_ipv4         = var.account_config.shared_vpc_cidr
		90 |   security_group_id = aws_security_group.db_ec2.id
		91 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: module.oracle_db_shared["mis-db"].aws_vpc_security_group_ingress_rule.delius_db_oem_agent
	File: /../../../delius-core/modules/components/oracle_db_shared/sg.tf:105-111
	Calling File: /databases.tf:13-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		105 | resource "aws_vpc_security_group_ingress_rule" "delius_db_oem_agent" {
		106 |   ip_protocol       = "tcp"
		107 |   from_port         = 3872
		108 |   to_port           = 3872
		109 |   cidr_ipv4         = var.account_config.shared_vpc_cidr
		110 |   security_group_id = aws_security_group.db_ec2.id
		111 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: module.oracle_db_shared["mis-db"].aws_vpc_security_group_egress_rule.delius_db_oem_upload
	File: /../../../delius-core/modules/components/oracle_db_shared/sg.tf:113-119
	Calling File: /databases.tf:13-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		113 | resource "aws_vpc_security_group_egress_rule" "delius_db_oem_upload" {
		114 |   ip_protocol       = "tcp"
		115 |   from_port         = 4903
		116 |   to_port           = 4903
		117 |   cidr_ipv4         = var.account_config.shared_vpc_cidr
		118 |   security_group_id = aws_security_group.db_ec2.id
		119 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: module.oracle_db_shared["mis-db"].aws_vpc_security_group_egress_rule.delius_db_oem_console
	File: /../../../delius-core/modules/components/oracle_db_shared/sg.tf:121-128
	Calling File: /databases.tf:13-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		121 | resource "aws_vpc_security_group_egress_rule" "delius_db_oem_console" {
		122 |   ip_protocol = "tcp"
		123 |   from_port   = 7803
		124 |   to_port     = 7803
		125 |   cidr_ipv4   = var.account_config.shared_vpc_cidr
		126 | 
		127 |   security_group_id = aws_security_group.db_ec2.id
		128 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.oracle_db_shared["mis-db"].s3_bucket_ssh_keys
	File: /../../../delius-core/modules/components/oracle_db_shared/ssh_keys.tf:2-45
	Calling File: /databases.tf:13-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		2  | module "s3_bucket_ssh_keys" {
		3  | 
		4  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0"
		5  | 
		6  |   bucket_name = "${var.account_info.application_name}-${var.env_name}-oracle-${var.db_suffix}-ssh-keys"
		7  | 
		8  |   versioning_enabled  = false
		9  |   ownership_controls  = "BucketOwnerEnforced"
		10 |   replication_enabled = false
		11 |   custom_kms_key      = var.account_config.kms_keys.general_shared
		12 | 
		13 |   providers = {
		14 |     aws.bucket-replication = aws.bucket-replication
		15 |   }
		16 | 
		17 |   lifecycle_rule = [
		18 |     {
		19 |       id      = "main"
		20 |       enabled = "Enabled"
		21 |       prefix  = ""
		22 | 
		23 |       tags = {
		24 |         rule      = "log"
		25 |         autoclean = "true"
		26 |       }
		27 | 
		28 |       noncurrent_version_transition = [
		29 |         {
		30 |           days          = 90
		31 |           storage_class = "STANDARD_IA"
		32 |           }, {
		33 |           days          = 365
		34 |           storage_class = "GLACIER"
		35 |         }
		36 |       ]
		37 | 
		38 |       noncurrent_version_expiration = {
		39 |         days = 730
		40 |       }
		41 |     }
		42 |   ]
		43 | 
		44 |   tags = var.tags
		45 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: module.oracle_db_shared["mis-db"].aws_ssm_parameter.rman_password
	File: /../../../delius-core/modules/components/oracle_db_shared/ssm.tf:1-10
	Calling File: /databases.tf:13-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		1  | resource "aws_ssm_parameter" "rman_password" {
		2  |   name  = "/${var.account_info.application_name}-${var.env_name}/delius/oracle-${var.db_suffix}-operation/rman/rman_password"
		3  |   type  = "SecureString"
		4  |   value = "REPLACE"
		5  |   lifecycle {
		6  |     ignore_changes = [
		7  |       value,
		8  |     ]
		9  |   }
		10 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: module.oracle_db_shared["dsd-db"].aws_iam_policy_document.allow_access_to_ssm_parameter_store
	File: /../../../delius-core/modules/components/oracle_db_shared/iam.tf:90-99
	Calling File: /databases.tf:13-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		90 | data "aws_iam_policy_document" "allow_access_to_ssm_parameter_store" {
		91 |   statement {
		92 |     sid    = "AllowAccessToSsmParameterStore"
		93 |     effect = "Allow"
		94 |     actions = [
		95 |       "ssm:PutParameter"
		96 |     ]
		97 |     resources = ["*"]
		98 |   }
		99 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.oracle_db_shared["dsd-db"].aws_iam_policy_document.allow_access_to_ssm_parameter_store
	File: /../../../delius-core/modules/components/oracle_db_shared/iam.tf:90-99
	Calling File: /databases.tf:13-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		90 | data "aws_iam_policy_document" "allow_access_to_ssm_parameter_store" {
		91 |   statement {
		92 |     sid    = "AllowAccessToSsmParameterStore"
		93 |     effect = "Allow"
		94 |     actions = [
		95 |       "ssm:PutParameter"
		96 |     ]
		97 |     resources = ["*"]
		98 |   }
		99 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: module.oracle_db_shared["dsd-db"].aws_iam_policy_document.instance_ssm
	File: /../../../delius-core/modules/components/oracle_db_shared/iam.tf:170-220
	Calling File: /databases.tf:13-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.oracle_db_shared["dsd-db"].aws_iam_policy_document.instance_ssm
	File: /../../../delius-core/modules/components/oracle_db_shared/iam.tf:170-220
	Calling File: /databases.tf:13-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_108: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: module.oracle_db_shared["dsd-db"].aws_iam_policy_document.instance_ssm
	File: /../../../delius-core/modules/components/oracle_db_shared/iam.tf:170-220
	Calling File: /databases.tf:13-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-data-exfiltration

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.oracle_db_shared["dsd-db"].s3_bucket_oracledb_backups
	File: /../../../delius-core/modules/components/oracle_db_shared/s3.tf:22-62
	Calling File: /databases.tf:13-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		22 | module "s3_bucket_oracledb_backups" {
		23 |   source              = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0"
		24 |   bucket_name         = local.oracle_backup_bucket_prefix
		25 |   versioning_enabled  = false
		26 |   ownership_controls  = "BucketOwnerEnforced"
		27 |   replication_enabled = false
		28 |   custom_kms_key      = var.account_config.kms_keys.general_shared
		29 |   bucket_policy = try([data.aws_iam_policy_document.s3_bucket_oracledb_backups[0].json], [
		30 |     "{}"
		31 |   ])
		32 | 
		33 |   providers = {
		34 |     aws.bucket-replication = aws.bucket-replication
		35 |   }
		36 | 
		37 |   lifecycle_rule = [
		38 |     {
		39 |       id      = "main"
		40 |       enabled = "Enabled"
		41 |       prefix  = ""
		42 | 
		43 |       tags = {
		44 |         rule      = "log"
		45 |         autoclean = "true"
		46 |       }
		47 | 
		48 |       transition = [
		49 |         {
		50 |           days          = 90
		51 |           storage_class = "STANDARD_IA"
		52 |         }
		53 |       ]
		54 | 
		55 |       expiration = {
		56 |         days = 365
		57 |       }
		58 |     }
		59 |   ]
		60 | 
		61 |   tags = var.tags
		62 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.oracle_db_shared["dsd-db"].s3_bucket_oracle_statistics
	File: /../../../delius-core/modules/components/oracle_db_shared/s3.tf:334-375
	Calling File: /databases.tf:13-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		334 | module "s3_bucket_oracle_statistics" {
		335 |   count = var.deploy_oracle_stats ? 1 : 0
		336 | 
		337 |   source              = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0"
		338 |   bucket_name         = "${var.account_info.application_name}-${var.env_name}-oracle-${var.db_suffix}-statistics-backup-data"
		339 |   versioning_enabled  = false
		340 |   ownership_controls  = "BucketOwnerEnforced"
		341 |   replication_enabled = false
		342 |   custom_kms_key      = var.account_config.kms_keys.general_shared
		343 |   bucket_policy = try([data.aws_iam_policy_document.s3_bucket_oracle_statistics[0].json], [
		344 |     "{}"
		345 |   ])
		346 |   providers = {
		347 |     aws.bucket-replication = aws.bucket-replication
		348 |   }
		349 | 
		350 |   lifecycle_rule = [
		351 |     {
		352 |       id      = "main"
		353 |       enabled = "Enabled"
		354 |       prefix  = ""
		355 | 
		356 |       tags = {
		357 |         rule      = "log"
		358 |         autoclean = "true"
		359 |       }
		360 | 
		361 |       transition = [
		362 |         {
		363 |           days          = 90
		364 |           storage_class = "STANDARD_IA"
		365 |         }
		366 |       ]
		367 | 
		368 |       expiration = {
		369 |         days = 365
		370 |       }
		371 |     }
		372 |   ]
		373 | 
		374 |   tags = var.tags
		375 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.oracle_db_shared["dsd-db"].aws_iam_policy_document.database_dba_passwords
	File: /../../../delius-core/modules/components/oracle_db_shared/secrets.tf:15-26
	Calling File: /databases.tf:13-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		15 | data "aws_iam_policy_document" "database_dba_passwords" {
		16 |   statement {
		17 |     sid    = "OemAWSAccountToReadTheSecret"
		18 |     effect = "Allow"
		19 |     principals {
		20 |       type        = "AWS"
		21 |       identifiers = ["arn:aws:iam::${local.oem_account_id}:role/EC2OracleEnterpriseManagementSecretsRole"]
		22 |     }
		23 |     actions   = ["secretsmanager:GetSecretValue"]
		24 |     resources = ["*"]
		25 |   }
		26 | }

Check: CKV_AWS_108: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: module.oracle_db_shared["dsd-db"].aws_iam_policy_document.database_dba_passwords
	File: /../../../delius-core/modules/components/oracle_db_shared/secrets.tf:15-26
	Calling File: /databases.tf:13-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-data-exfiltration

		15 | data "aws_iam_policy_document" "database_dba_passwords" {
		16 |   statement {
		17 |     sid    = "OemAWSAccountToReadTheSecret"
		18 |     effect = "Allow"
		19 |     principals {
		20 |       type        = "AWS"
		21 |       identifiers = ["arn:aws:iam::${local.oem_account_id}:role/EC2OracleEnterpriseManagementSecretsRole"]
		22 |     }
		23 |     actions   = ["secretsmanager:GetSecretValue"]
		24 |     resources = ["*"]
		25 |   }
		26 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: module.oracle_db_shared["dsd-db"].aws_vpc_security_group_ingress_rule.delius_db_security_group_ssh_ingress_bastion
	File: /../../../delius-core/modules/components/oracle_db_shared/sg.tf:76-83
	Calling File: /databases.tf:13-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		76 | resource "aws_vpc_security_group_ingress_rule" "delius_db_security_group_ssh_ingress_bastion" {
		77 |   security_group_id            = aws_security_group.db_ec2.id
		78 |   description                  = "bastion to testing db"
		79 |   from_port                    = 22
		80 |   to_port                      = 22
		81 |   ip_protocol                  = "tcp"
		82 |   referenced_security_group_id = var.bastion_sg_id
		83 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: module.oracle_db_shared["dsd-db"].aws_vpc_security_group_ingress_rule.delius_db_oem_db
	File: /../../../delius-core/modules/components/oracle_db_shared/sg.tf:85-91
	Calling File: /databases.tf:13-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		85 | resource "aws_vpc_security_group_ingress_rule" "delius_db_oem_db" {
		86 |   ip_protocol       = "tcp"
		87 |   from_port         = local.db_port
		88 |   to_port           = local.db_tcps_port
		89 |   cidr_ipv4         = var.account_config.shared_vpc_cidr
		90 |   security_group_id = aws_security_group.db_ec2.id
		91 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: module.oracle_db_shared["dsd-db"].aws_vpc_security_group_ingress_rule.delius_db_oem_agent
	File: /../../../delius-core/modules/components/oracle_db_shared/sg.tf:105-111
	Calling File: /databases.tf:13-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		105 | resource "aws_vpc_security_group_ingress_rule" "delius_db_oem_agent" {
		106 |   ip_protocol       = "tcp"
		107 |   from_port         = 3872
		108 |   to_port           = 3872
		109 |   cidr_ipv4         = var.account_config.shared_vpc_cidr
		110 |   security_group_id = aws_security_group.db_ec2.id
		111 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: module.oracle_db_shared["dsd-db"].aws_vpc_security_group_egress_rule.delius_db_oem_upload
	File: /../../../delius-core/modules/components/oracle_db_shared/sg.tf:113-119
	Calling File: /databases.tf:13-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		113 | resource "aws_vpc_security_group_egress_rule" "delius_db_oem_upload" {
		114 |   ip_protocol       = "tcp"
		115 |   from_port         = 4903
		116 |   to_port           = 4903
		117 |   cidr_ipv4         = var.account_config.shared_vpc_cidr
		118 |   security_group_id = aws_security_group.db_ec2.id
		119 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: module.oracle_db_shared["dsd-db"].aws_vpc_security_group_egress_rule.delius_db_oem_console
	File: /../../../delius-core/modules/components/oracle_db_shared/sg.tf:121-128
	Calling File: /databases.tf:13-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		121 | resource "aws_vpc_security_group_egress_rule" "delius_db_oem_console" {
		122 |   ip_protocol = "tcp"
		123 |   from_port   = 7803
		124 |   to_port     = 7803
		125 |   cidr_ipv4   = var.account_config.shared_vpc_cidr
		126 | 
		127 |   security_group_id = aws_security_group.db_ec2.id
		128 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.oracle_db_shared["dsd-db"].s3_bucket_ssh_keys
	File: /../../../delius-core/modules/components/oracle_db_shared/ssh_keys.tf:2-45
	Calling File: /databases.tf:13-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		2  | module "s3_bucket_ssh_keys" {
		3  | 
		4  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0"
		5  | 
		6  |   bucket_name = "${var.account_info.application_name}-${var.env_name}-oracle-${var.db_suffix}-ssh-keys"
		7  | 
		8  |   versioning_enabled  = false
		9  |   ownership_controls  = "BucketOwnerEnforced"
		10 |   replication_enabled = false
		11 |   custom_kms_key      = var.account_config.kms_keys.general_shared
		12 | 
		13 |   providers = {
		14 |     aws.bucket-replication = aws.bucket-replication
		15 |   }
		16 | 
		17 |   lifecycle_rule = [
		18 |     {
		19 |       id      = "main"
		20 |       enabled = "Enabled"
		21 |       prefix  = ""
		22 | 
		23 |       tags = {
		24 |         rule      = "log"
		25 |         autoclean = "true"
		26 |       }
		27 | 
		28 |       noncurrent_version_transition = [
		29 |         {
		30 |           days          = 90
		31 |           storage_class = "STANDARD_IA"
		32 |           }, {
		33 |           days          = 365
		34 |           storage_class = "GLACIER"
		35 |         }
		36 |       ]
		37 | 
		38 |       noncurrent_version_expiration = {
		39 |         days = 730
		40 |       }
		41 |     }
		42 |   ]
		43 | 
		44 |   tags = var.tags
		45 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: module.oracle_db_shared["dsd-db"].aws_ssm_parameter.rman_password
	File: /../../../delius-core/modules/components/oracle_db_shared/ssm.tf:1-10
	Calling File: /databases.tf:13-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		1  | resource "aws_ssm_parameter" "rman_password" {
		2  |   name  = "/${var.account_info.application_name}-${var.env_name}/delius/oracle-${var.db_suffix}-operation/rman/rman_password"
		3  |   type  = "SecureString"
		4  |   value = "REPLACE"
		5  |   lifecycle {
		6  |     ignore_changes = [
		7  |       value,
		8  |     ]
		9  |   }
		10 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: module.oracle_db_shared["boe-db"].aws_security_group.db_ec2
	File: /../../../delius-core/modules/components/oracle_db_shared/sg.tf:1-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		1  | resource "aws_security_group" "db_ec2" {
		2  |   name        = "${var.account_info.application_name}-${var.env_name}-${var.db_suffix}-ec2-instance-sg"
		3  |   description = "Controls access to db ec2 instance"
		4  |   vpc_id      = var.account_config.shared_vpc_id
		5  |   tags = merge(var.tags,
		6  |     { Name = "${var.account_info.application_name}-${var.env_name}-${var.db_suffix}-ec2-instance-sg" }
		7  |   )
		8  |   lifecycle {
		9  |     create_before_destroy = true
		10 |   }
		11 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.bcs
	File: /bcs.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		1 | resource "aws_security_group" "bcs" {
		2 |   name_prefix = "${var.env_name}-bcs"
		3 |   vpc_id      = var.account_info.vpc_id
		4 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.bps
	File: /bps.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		1 | resource "aws_security_group" "bps" {
		2 |   name_prefix = "${var.env_name}-bps"
		3 |   vpc_id      = var.account_info.vpc_id
		4 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.bws
	File: /bws.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		1 | resource "aws_security_group" "bws" {
		2 |   name_prefix = "${var.env_name}-bws"
		3 |   vpc_id      = var.account_info.vpc_id
		4 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.dis
	File: /dis.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		1 | resource "aws_security_group" "dis" {
		2 |   name_prefix = "${var.env_name}-dis"
		3 |   vpc_id      = var.account_info.vpc_id
		4 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.fsx
	File: /fsx.tf:22-26
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		22 | resource "aws_security_group" "fsx" {
		23 |   name        = "${var.app_name}-${var.env_name}-fsx"
		24 |   description = "Security group for FSx"
		25 |   vpc_id      = var.account_info.vpc_id
		26 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.legacy
	File: /sg_legacy.tf:1-6
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		1 | resource "aws_security_group" "legacy" {
		2 |   name        = "${var.env_name}-allow-legacy-traffic"
		3 |   description = "Security group to allow connectivity with resources in legacy environments. To be removed once all components have been migrated"
		4 |   vpc_id      = var.account_info.vpc_id
		5 |   tags        = var.tags
		6 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.mis_ec2_shared
	File: /sg_shared.tf:1-6
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		1 | resource "aws_security_group" "mis_ec2_shared" {
		2 |   name        = "${var.env_name}-mis-ec2-shared"
		3 |   description = "Security group to allow connectivity within MP"
		4 |   vpc_id      = var.account_info.vpc_id
		5 |   tags        = var.tags
		6 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: module.oracle_db_shared["mis-db"].aws_security_group.db_ec2
	File: /../../../delius-core/modules/components/oracle_db_shared/sg.tf:1-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		1  | resource "aws_security_group" "db_ec2" {
		2  |   name        = "${var.account_info.application_name}-${var.env_name}-${var.db_suffix}-ec2-instance-sg"
		3  |   description = "Controls access to db ec2 instance"
		4  |   vpc_id      = var.account_config.shared_vpc_id
		5  |   tags = merge(var.tags,
		6  |     { Name = "${var.account_info.application_name}-${var.env_name}-${var.db_suffix}-ec2-instance-sg" }
		7  |   )
		8  |   lifecycle {
		9  |     create_before_destroy = true
		10 |   }
		11 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: module.oracle_db_shared["dsd-db"].aws_security_group.db_ec2
	File: /../../../delius-core/modules/components/oracle_db_shared/sg.tf:1-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		1  | resource "aws_security_group" "db_ec2" {
		2  |   name        = "${var.account_info.application_name}-${var.env_name}-${var.db_suffix}-ec2-instance-sg"
		3  |   description = "Controls access to db ec2 instance"
		4  |   vpc_id      = var.account_config.shared_vpc_id
		5  |   tags = merge(var.tags,
		6  |     { Name = "${var.account_info.application_name}-${var.env_name}-${var.db_suffix}-ec2-instance-sg" }
		7  |   )
		8  |   lifecycle {
		9  |     create_before_destroy = true
		10 |   }
		11 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: module.oracle_db_shared["boe-db"].aws_s3_bucket.s3_bucket_oracledb_backups_inventory
	File: /../../../delius-core/modules/components/oracle_db_shared/s3.tf:188-200
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		188 | resource "aws_s3_bucket" "s3_bucket_oracledb_backups_inventory" {
		189 | 
		190 |   bucket = "${local.oracle_backup_bucket_prefix}-inventory"
		191 |   tags = merge(
		192 |     var.tags,
		193 |     {
		194 |       "Name" = "${local.oracle_backup_bucket_prefix}-inventory"
		195 |     },
		196 |     {
		197 |       "Purpose" = "Inventory of Oracle DB Backup Pieces"
		198 |     },
		199 |   )
		200 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: module.oracle_db_shared["mis-db"].aws_s3_bucket.s3_bucket_oracledb_backups_inventory
	File: /../../../delius-core/modules/components/oracle_db_shared/s3.tf:188-200
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		188 | resource "aws_s3_bucket" "s3_bucket_oracledb_backups_inventory" {
		189 | 
		190 |   bucket = "${local.oracle_backup_bucket_prefix}-inventory"
		191 |   tags = merge(
		192 |     var.tags,
		193 |     {
		194 |       "Name" = "${local.oracle_backup_bucket_prefix}-inventory"
		195 |     },
		196 |     {
		197 |       "Purpose" = "Inventory of Oracle DB Backup Pieces"
		198 |     },
		199 |   )
		200 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: module.oracle_db_shared["dsd-db"].aws_s3_bucket.s3_bucket_oracledb_backups_inventory
	File: /../../../delius-core/modules/components/oracle_db_shared/s3.tf:188-200
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		188 | resource "aws_s3_bucket" "s3_bucket_oracledb_backups_inventory" {
		189 | 
		190 |   bucket = "${local.oracle_backup_bucket_prefix}-inventory"
		191 |   tags = merge(
		192 |     var.tags,
		193 |     {
		194 |       "Name" = "${local.oracle_backup_bucket_prefix}-inventory"
		195 |     },
		196 |     {
		197 |       "Purpose" = "Inventory of Oracle DB Backup Pieces"
		198 |     },
		199 |   )
		200 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.oracle_db_shared["boe-db"].aws_s3_bucket.s3_bucket_oracledb_backups_inventory
	File: /../../../delius-core/modules/components/oracle_db_shared/s3.tf:188-200
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		188 | resource "aws_s3_bucket" "s3_bucket_oracledb_backups_inventory" {
		189 | 
		190 |   bucket = "${local.oracle_backup_bucket_prefix}-inventory"
		191 |   tags = merge(
		192 |     var.tags,
		193 |     {
		194 |       "Name" = "${local.oracle_backup_bucket_prefix}-inventory"
		195 |     },
		196 |     {
		197 |       "Purpose" = "Inventory of Oracle DB Backup Pieces"
		198 |     },
		199 |   )
		200 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.oracle_db_shared["mis-db"].aws_s3_bucket.s3_bucket_oracledb_backups_inventory
	File: /../../../delius-core/modules/components/oracle_db_shared/s3.tf:188-200
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		188 | resource "aws_s3_bucket" "s3_bucket_oracledb_backups_inventory" {
		189 | 
		190 |   bucket = "${local.oracle_backup_bucket_prefix}-inventory"
		191 |   tags = merge(
		192 |     var.tags,
		193 |     {
		194 |       "Name" = "${local.oracle_backup_bucket_prefix}-inventory"
		195 |     },
		196 |     {
		197 |       "Purpose" = "Inventory of Oracle DB Backup Pieces"
		198 |     },
		199 |   )
		200 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: module.oracle_db_shared["dsd-db"].aws_s3_bucket.s3_bucket_oracledb_backups_inventory
	File: /../../../delius-core/modules/components/oracle_db_shared/s3.tf:188-200
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		188 | resource "aws_s3_bucket" "s3_bucket_oracledb_backups_inventory" {
		189 | 
		190 |   bucket = "${local.oracle_backup_bucket_prefix}-inventory"
		191 |   tags = merge(
		192 |     var.tags,
		193 |     {
		194 |       "Name" = "${local.oracle_backup_bucket_prefix}-inventory"
		195 |     },
		196 |     {
		197 |       "Purpose" = "Inventory of Oracle DB Backup Pieces"
		198 |     },
		199 |   )
		200 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.oracle_db_shared["boe-db"].aws_s3_bucket.s3_bucket_oracledb_backups_inventory
	File: /../../../delius-core/modules/components/oracle_db_shared/s3.tf:188-200
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		188 | resource "aws_s3_bucket" "s3_bucket_oracledb_backups_inventory" {
		189 | 
		190 |   bucket = "${local.oracle_backup_bucket_prefix}-inventory"
		191 |   tags = merge(
		192 |     var.tags,
		193 |     {
		194 |       "Name" = "${local.oracle_backup_bucket_prefix}-inventory"
		195 |     },
		196 |     {
		197 |       "Purpose" = "Inventory of Oracle DB Backup Pieces"
		198 |     },
		199 |   )
		200 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.oracle_db_shared["mis-db"].aws_s3_bucket.s3_bucket_oracledb_backups_inventory
	File: /../../../delius-core/modules/components/oracle_db_shared/s3.tf:188-200
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		188 | resource "aws_s3_bucket" "s3_bucket_oracledb_backups_inventory" {
		189 | 
		190 |   bucket = "${local.oracle_backup_bucket_prefix}-inventory"
		191 |   tags = merge(
		192 |     var.tags,
		193 |     {
		194 |       "Name" = "${local.oracle_backup_bucket_prefix}-inventory"
		195 |     },
		196 |     {
		197 |       "Purpose" = "Inventory of Oracle DB Backup Pieces"
		198 |     },
		199 |   )
		200 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: module.oracle_db_shared["dsd-db"].aws_s3_bucket.s3_bucket_oracledb_backups_inventory
	File: /../../../delius-core/modules/components/oracle_db_shared/s3.tf:188-200
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		188 | resource "aws_s3_bucket" "s3_bucket_oracledb_backups_inventory" {
		189 | 
		190 |   bucket = "${local.oracle_backup_bucket_prefix}-inventory"
		191 |   tags = merge(
		192 |     var.tags,
		193 |     {
		194 |       "Name" = "${local.oracle_backup_bucket_prefix}-inventory"
		195 |     },
		196 |     {
		197 |       "Purpose" = "Inventory of Oracle DB Backup Pieces"
		198 |     },
		199 |   )
		200 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.oracle_db_shared["boe-db"].aws_s3_bucket.s3_bucket_oracledb_backups_inventory
	File: /../../../delius-core/modules/components/oracle_db_shared/s3.tf:188-200
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		188 | resource "aws_s3_bucket" "s3_bucket_oracledb_backups_inventory" {
		189 | 
		190 |   bucket = "${local.oracle_backup_bucket_prefix}-inventory"
		191 |   tags = merge(
		192 |     var.tags,
		193 |     {
		194 |       "Name" = "${local.oracle_backup_bucket_prefix}-inventory"
		195 |     },
		196 |     {
		197 |       "Purpose" = "Inventory of Oracle DB Backup Pieces"
		198 |     },
		199 |   )
		200 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.oracle_db_shared["mis-db"].aws_s3_bucket.s3_bucket_oracledb_backups_inventory
	File: /../../../delius-core/modules/components/oracle_db_shared/s3.tf:188-200
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		188 | resource "aws_s3_bucket" "s3_bucket_oracledb_backups_inventory" {
		189 | 
		190 |   bucket = "${local.oracle_backup_bucket_prefix}-inventory"
		191 |   tags = merge(
		192 |     var.tags,
		193 |     {
		194 |       "Name" = "${local.oracle_backup_bucket_prefix}-inventory"
		195 |     },
		196 |     {
		197 |       "Purpose" = "Inventory of Oracle DB Backup Pieces"
		198 |     },
		199 |   )
		200 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: module.oracle_db_shared["dsd-db"].aws_s3_bucket.s3_bucket_oracledb_backups_inventory
	File: /../../../delius-core/modules/components/oracle_db_shared/s3.tf:188-200
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		188 | resource "aws_s3_bucket" "s3_bucket_oracledb_backups_inventory" {
		189 | 
		190 |   bucket = "${local.oracle_backup_bucket_prefix}-inventory"
		191 |   tags = merge(
		192 |     var.tags,
		193 |     {
		194 |       "Name" = "${local.oracle_backup_bucket_prefix}-inventory"
		195 |     },
		196 |     {
		197 |       "Purpose" = "Inventory of Oracle DB Backup Pieces"
		198 |     },
		199 |   )
		200 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: module.oracle_db_shared["boe-db"].aws_secretsmanager_secret.database_dba_passwords
	File: /../../../delius-core/modules/components/oracle_db_shared/secrets.tf:3-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		3 | resource "aws_secretsmanager_secret" "database_dba_passwords" {
		4 |   name        = local.dba_secret_name
		5 |   description = "DBA Users Credentials"
		6 |   kms_key_id  = var.account_config.kms_keys.general_shared
		7 |   tags        = var.tags
		8 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: module.oracle_db_shared["boe-db"].aws_secretsmanager_secret.database_application_passwords
	File: /../../../delius-core/modules/components/oracle_db_shared/secrets.tf:34-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		34 | resource "aws_secretsmanager_secret" "database_application_passwords" {
		35 |   name        = local.application_secret_name
		36 |   description = "Application Users Credentials"
		37 |   kms_key_id  = var.account_config.kms_keys.general_shared
		38 |   tags        = var.tags
		39 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.ad_admin_password
	File: /directory_service.tf:29-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		29 | resource "aws_secretsmanager_secret" "ad_admin_password" {
		30 |   name                    = "${var.app_name}-${var.env_name}-ad-admin-password"
		31 |   recovery_window_in_days = 0
		32 | 
		33 |   tags = merge(
		34 |     var.tags,
		35 |     {
		36 |       Name = "${var.app_name}-${var.env_name}-ad-admin-password"
		37 |     }
		38 |   )
		39 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.ad_username
	File: /secrets.tf:3-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		3 | resource "aws_secretsmanager_secret" "ad_username" {
		4 |   #checkov:skip=CKV_AWS_149
		5 |   name                    = "${var.env_name}-legacy-ad-username"
		6 |   recovery_window_in_days = 0
		7 | 
		8 |   tags = var.tags
		9 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.ad_password
	File: /secrets.tf:12-18
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		12 | resource "aws_secretsmanager_secret" "ad_password" {
		13 |   #checkov:skip=CKV_AWS_149
		14 |   name                    = "${var.env_name}-legacy-ad-password"
		15 |   recovery_window_in_days = 0
		16 | 
		17 |   tags = var.tags
		18 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: module.oracle_db_shared["mis-db"].aws_secretsmanager_secret.database_dba_passwords
	File: /../../../delius-core/modules/components/oracle_db_shared/secrets.tf:3-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		3 | resource "aws_secretsmanager_secret" "database_dba_passwords" {
		4 |   name        = local.dba_secret_name
		5 |   description = "DBA Users Credentials"
		6 |   kms_key_id  = var.account_config.kms_keys.general_shared
		7 |   tags        = var.tags
		8 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: module.oracle_db_shared["mis-db"].aws_secretsmanager_secret.database_application_passwords
	File: /../../../delius-core/modules/components/oracle_db_shared/secrets.tf:34-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		34 | resource "aws_secretsmanager_secret" "database_application_passwords" {
		35 |   name        = local.application_secret_name
		36 |   description = "Application Users Credentials"
		37 |   kms_key_id  = var.account_config.kms_keys.general_shared
		38 |   tags        = var.tags
		39 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: module.oracle_db_shared["dsd-db"].aws_secretsmanager_secret.database_dba_passwords
	File: /../../../delius-core/modules/components/oracle_db_shared/secrets.tf:3-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		3 | resource "aws_secretsmanager_secret" "database_dba_passwords" {
		4 |   name        = local.dba_secret_name
		5 |   description = "DBA Users Credentials"
		6 |   kms_key_id  = var.account_config.kms_keys.general_shared
		7 |   tags        = var.tags
		8 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: module.oracle_db_shared["dsd-db"].aws_secretsmanager_secret.database_application_passwords
	File: /../../../delius-core/modules/components/oracle_db_shared/secrets.tf:34-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		34 | resource "aws_secretsmanager_secret" "database_application_passwords" {
		35 |   name        = local.application_secret_name
		36 |   description = "Application Users Credentials"
		37 |   kms_key_id  = var.account_config.kms_keys.general_shared
		38 |   tags        = var.tags
		39 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: module.oracle_db_shared["boe-db"].aws_s3_bucket.s3_bucket_oracledb_backups_inventory
	File: /../../../delius-core/modules/components/oracle_db_shared/s3.tf:188-200
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		188 | resource "aws_s3_bucket" "s3_bucket_oracledb_backups_inventory" {
		189 | 
		190 |   bucket = "${local.oracle_backup_bucket_prefix}-inventory"
		191 |   tags = merge(
		192 |     var.tags,
		193 |     {
		194 |       "Name" = "${local.oracle_backup_bucket_prefix}-inventory"
		195 |     },
		196 |     {
		197 |       "Purpose" = "Inventory of Oracle DB Backup Pieces"
		198 |     },
		199 |   )
		200 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: module.oracle_db_shared["mis-db"].aws_s3_bucket.s3_bucket_oracledb_backups_inventory
	File: /../../../delius-core/modules/components/oracle_db_shared/s3.tf:188-200
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		188 | resource "aws_s3_bucket" "s3_bucket_oracledb_backups_inventory" {
		189 | 
		190 |   bucket = "${local.oracle_backup_bucket_prefix}-inventory"
		191 |   tags = merge(
		192 |     var.tags,
		193 |     {
		194 |       "Name" = "${local.oracle_backup_bucket_prefix}-inventory"
		195 |     },
		196 |     {
		197 |       "Purpose" = "Inventory of Oracle DB Backup Pieces"
		198 |     },
		199 |   )
		200 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: module.oracle_db_shared["dsd-db"].aws_s3_bucket.s3_bucket_oracledb_backups_inventory
	File: /../../../delius-core/modules/components/oracle_db_shared/s3.tf:188-200
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		188 | resource "aws_s3_bucket" "s3_bucket_oracledb_backups_inventory" {
		189 | 
		190 |   bucket = "${local.oracle_backup_bucket_prefix}-inventory"
		191 |   tags = merge(
		192 |     var.tags,
		193 |     {
		194 |       "Name" = "${local.oracle_backup_bucket_prefix}-inventory"
		195 |     },
		196 |     {
		197 |       "Purpose" = "Inventory of Oracle DB Backup Pieces"
		198 |     },
		199 |   )
		200 | }


checkov_exitcode=1

*****************************

Running Checkov in terraform/modules/schedule_alarms_lambda
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
terraform scan results:

Passed checks: 51, Failed checks: 8, Skipped checks: 0

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.alarm_scheduler
	File: /main.tf:8-26
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		8  | resource "aws_lambda_function" "alarm_scheduler" {
		9  |   filename         = "${path.module}/lambda/alarm_scheduler.zip"
		10 |   function_name    = var.lambda_function_name
		11 |   architectures    = ["arm64"]
		12 |   role             = aws_iam_role.lambda_exec.arn
		13 |   runtime          = "python3.12"
		14 |   handler          = "alarm_scheduler.lambda_handler"
		15 |   source_code_hash = data.archive_file.lambda_function_payload.output_base64sha256
		16 |   timeout          = 10
		17 | 
		18 |   environment {
		19 |     variables = {
		20 |       LOG_LEVEL       = var.lambda_log_level
		21 |       SPECIFIC_ALARMS = tostring(join(",", var.alarm_list))
		22 |     }
		23 |   }
		24 | 
		25 |   tags = var.tags
		26 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.alarm_scheduler
	File: /main.tf:8-26
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		8  | resource "aws_lambda_function" "alarm_scheduler" {
		9  |   filename         = "${path.module}/lambda/alarm_scheduler.zip"
		10 |   function_name    = var.lambda_function_name
		11 |   architectures    = ["arm64"]
		12 |   role             = aws_iam_role.lambda_exec.arn
		13 |   runtime          = "python3.12"
		14 |   handler          = "alarm_scheduler.lambda_handler"
		15 |   source_code_hash = data.archive_file.lambda_function_payload.output_base64sha256
		16 |   timeout          = 10
		17 | 
		18 |   environment {
		19 |     variables = {
		20 |       LOG_LEVEL       = var.lambda_log_level
		21 |       SPECIFIC_ALARMS = tostring(join(",", var.alarm_list))
		22 |     }
		23 |   }
		24 | 
		25 |   tags = var.tags
		26 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.alarm_scheduler
	File: /main.tf:8-26
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		8  | resource "aws_lambda_function" "alarm_scheduler" {
		9  |   filename         = "${path.module}/lambda/alarm_scheduler.zip"
		10 |   function_name    = var.lambda_function_name
		11 |   architectures    = ["arm64"]
		12 |   role             = aws_iam_role.lambda_exec.arn
		13 |   runtime          = "python3.12"
		14 |   handler          = "alarm_scheduler.lambda_handler"
		15 |   source_code_hash = data.archive_file.lambda_function_payload.output_base64sha256
		16 |   timeout          = 10
		17 | 
		18 |   environment {
		19 |     variables = {
		20 |       LOG_LEVEL       = var.lambda_log_level
		21 |       SPECIFIC_ALARMS = tostring(join(",", var.alarm_list))
		22 |     }
		23 |   }
		24 | 
		25 |   tags = var.tags
		26 | }

Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
	FAILED for resource: aws_lambda_function.alarm_scheduler
	File: /main.tf:8-26
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1

		8  | resource "aws_lambda_function" "alarm_scheduler" {
		9  |   filename         = "${path.module}/lambda/alarm_scheduler.zip"
		10 |   function_name    = var.lambda_function_name
		11 |   architectures    = ["arm64"]
		12 |   role             = aws_iam_role.lambda_exec.arn
		13 |   runtime          = "python3.12"
		14 |   handler          = "alarm_scheduler.lambda_handler"
		15 |   source_code_hash = data.archive_file.lambda_function_payload.output_base64sha256
		16 |   timeout          = 10
		17 | 
		18 |   environment {
		19 |     variables = {
		20 |       LOG_LEVEL       = var.lambda_log_level
		21 |       SPECIFIC_ALARMS = tostring(join(",", var.alarm_list))
		22 |     }
		23 |   }
		24 | 
		25 |   tags = var.tags
		26 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.alarm_scheduler
	File: /main.tf:8-26
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		8  | resource "aws_lambda_function" "alarm_scheduler" {
		9  |   filename         = "${path.module}/lambda/alarm_scheduler.zip"
		10 |   function_name    = var.lambda_function_name
		11 |   architectures    = ["arm64"]
		12 |   role             = aws_iam_role.lambda_exec.arn
		13 |   runtime          = "python3.12"
		14 |   handler          = "alarm_scheduler.lambda_handler"
		15 |   source_code_hash = data.archive_file.lambda_function_payload.output_base64sha256
		16 |   timeout          = 10
		17 | 
		18 |   environment {
		19 |     variables = {
		20 |       LOG_LEVEL       = var.lambda_log_level
		21 |       SPECIFIC_ALARMS = tostring(join(",", var.alarm_list))
		22 |     }
		23 |   }
		24 | 
		25 |   tags = var.tags
		26 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.alarm_scheduler
	File: /main.tf:8-26
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		8  | resource "aws_lambda_function" "alarm_scheduler" {
		9  |   filename         = "${path.module}/lambda/alarm_scheduler.zip"
		10 |   function_name    = var.lambda_function_name
		11 |   architectures    = ["arm64"]
		12 |   role             = aws_iam_role.lambda_exec.arn
		13 |   runtime          = "python3.12"
		14 |   handler          = "alarm_scheduler.lambda_handler"
		15 |   source_code_hash = data.archive_file.lambda_function_payload.output_base64sha256
		16 |   timeout          = 10
		17 | 
		18 |   environment {
		19 |     variables = {
		20 |       LOG_LEVEL       = var.lambda_log_level
		21 |       SPECIFIC_ALARMS = tostring(join(",", var.alarm_list))
		22 |     }
		23 |   }
		24 | 
		25 |   tags = var.tags
		26 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.execution_logs
	File: /main.tf:28-33
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		28 | resource "aws_cloudwatch_log_group" "execution_logs" {
		29 |   name              = format("/aws/lambda/%s", var.lambda_function_name)
		30 |   retention_in_days = 7
		31 | 
		32 |   tags = var.tags
		33 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.execution_logs
	File: /main.tf:28-33
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		28 | resource "aws_cloudwatch_log_group" "execution_logs" {
		29 |   name              = format("/aws/lambda/%s", var.lambda_function_name)
		30 |   retention_in_days = 7
		31 | 
		32 |   tags = var.tags
		33 | }


checkov_exitcode=2

TFLint Scan Failed

*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/delius-mis/modules/mis_environment
terraform/modules/schedule_alarms_lambda

*****************************

Running tflint in terraform/environments/delius-mis/modules/mis_environment
Excluding the following checks: terraform_unused_declarations
4 issue(s) found:

Warning: Module source "github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance" is not pinned (terraform_module_pinned_source)

  on terraform/environments/delius-mis/modules/mis_environment/bcs.tf line 7:
   7:   source = "github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_module_pinned_source.md

Warning: Module source "github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance" is not pinned (terraform_module_pinned_source)

  on terraform/environments/delius-mis/modules/mis_environment/bps.tf line 7:
   7:   source = "github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_module_pinned_source.md

Warning: Module source "github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance" is not pinned (terraform_module_pinned_source)

  on terraform/environments/delius-mis/modules/mis_environment/bws.tf line 7:
   7:   source = "github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_module_pinned_source.md

Warning: Module source "github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance" is not pinned (terraform_module_pinned_source)

  on terraform/environments/delius-mis/modules/mis_environment/dis.tf line 7:
   7:   source = "github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_module_pinned_source.md

tflint_exitcode=2

*****************************

Running tflint in terraform/modules/schedule_alarms_lambda
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=2

Trivy Scan Failed

*****************************

Trivy will check the following folders:
terraform/environments/delius-mis/modules/mis_environment
terraform/modules/schedule_alarms_lambda

*****************************

Running Trivy in terraform/environments/delius-mis/modules/mis_environment
2024-10-15T12:50:24Z	INFO	[vulndb] Need to update DB
2024-10-15T12:50:24Z	INFO	[vulndb] Downloading vulnerability DB...
2024-10-15T12:50:24Z	INFO	[vulndb] Downloading artifact...	repo="ghcr.io/aquasecurity/trivy-db:2"
2024-10-15T12:50:26Z	INFO	[vulndb] Artifact successfully downloaded	repo="ghcr.io/aquasecurity/trivy-db:2"
2024-10-15T12:50:26Z	INFO	[vuln] Vulnerability scanning is enabled
2024-10-15T12:50:26Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-10-15T12:50:26Z	INFO	[misconfig] Need to update the built-in checks
2024-10-15T12:50:26Z	INFO	[misconfig] Downloading the built-in checks...
156.02 KiB / 156.02 KiB [------------------------------------------------------] 100.00% ? p/s 100ms2024-10-15T12:50:26Z	INFO	[secret] Secret scanning is enabled
2024-10-15T12:50:26Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-10-15T12:50:26Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.56/docs/scanner/secret#recommendation for faster secret detection
2024-10-15T12:50:27Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-10-15T12:50:27Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="account_config, account_info, app_name, bastion_config, bcs_config, boe_db_config, bps_config, bws_config, dis_config, dsd_db_config, env_name, environment_config, fsx_config, mis_db_config, platform_vars, tags"
2024-10-15T12:50:27Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="dynamic.ip_address" value="cty.NilVal"
2024-10-15T12:50:27Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="dynamic.target_ip" value="cty.NilVal"
2024-10-15T12:50:27Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="dynamic.ip_address" value="cty.NilVal"
2024-10-15T12:50:27Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="dynamic.target_ip" value="cty.NilVal"
2024-10-15T12:50:28Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2024-10-15T12:50:28Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2024-10-15T12:50:28Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.dynamic.tag" value="cty.NilVal"
2024-10-15T12:50:28Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.dynamic.tag" value="cty.NilVal"
2024-10-15T12:50:29Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-15T12:50:29Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-10-15T12:50:29Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-15T12:50:29Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-15T12:50:29Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-10-15T12:50:29Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-10-15T12:50:29Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-15T12:50:29Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-10-15T12:50:29Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-15T12:50:29Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-15T12:50:29Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-10-15T12:50:29Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-10-15T12:50:29Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.pagerduty_core_alerts.data.aws_sns_topic.alarm_topics" value="cty.NilVal"
2024-10-15T12:50:29Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.s3_bucket_ssm_sessions.dynamic.expiration" value="cty.NilVal"
2024-10-15T12:50:29Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.s3_bucket_ssm_sessions.dynamic.transition" value="cty.NilVal"
2024-10-15T12:50:29Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.s3_bucket_ssm_sessions.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-15T12:50:29Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.s3_bucket_ssm_sessions.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-15T12:50:29Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.s3_bucket_ssm_sessions.dynamic.principals" value="cty.NilVal"
2024-10-15T12:50:29Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.s3_bucket_ssm_sessions.dynamic.condition" value="cty.NilVal"
2024-10-15T12:50:29Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.s3_bucket_ssm_sessions.dynamic.expiration" value="cty.NilVal"
2024-10-15T12:50:29Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.s3_bucket_ssm_sessions.dynamic.transition" value="cty.NilVal"
2024-10-15T12:50:29Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.s3_bucket_ssm_sessions.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-15T12:50:29Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.s3_bucket_ssm_sessions.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-15T12:50:29Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.s3_bucket_ssm_sessions.dynamic.principals" value="cty.NilVal"
2024-10-15T12:50:29Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.s3_bucket_ssm_sessions.dynamic.condition" value="cty.NilVal"
2024-10-15T12:50:29Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bcs_instance[0].aws_ebs_volume.this" value="cty.NilVal"
2024-10-15T12:50:29Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bcs_instance[0].dynamic.ephemeral_block_device" value="cty.NilVal"
2024-10-15T12:50:29Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bcs_instance[0].dynamic.ebs_block_device" value="cty.NilVal"
2024-10-15T12:50:29Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bcs_instance[0].dynamic.private_dns_name_options" value="cty.NilVal"
2024-10-15T12:50:29Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bcs_instance[0].dynamic.ephemeral_block_device" value="cty.NilVal"
2024-10-15T12:50:29Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bcs_instance[0].dynamic.ebs_block_device" value="cty.NilVal"
2024-10-15T12:50:29Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bcs_instance[0].dynamic.private_dns_name_options" value="cty.NilVal"
2024-10-15T12:50:29Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bps_instance[0].aws_ebs_volume.this" value="cty.NilVal"
2024-10-15T12:50:29Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bps_instance[0].dynamic.ephemeral_block_device" value="cty.NilVal"
2024-10-15T12:50:29Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bps_instance[0].dynamic.ebs_block_device" value="cty.NilVal"
2024-10-15T12:50:29Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bps_instance[0].dynamic.private_dns_name_options" value="cty.NilVal"
2024-10-15T12:50:29Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bps_instance[0].dynamic.ephemeral_block_device" value="cty.NilVal"
2024-10-15T12:50:29Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bps_instance[0].dynamic.ebs_block_device" value="cty.NilVal"
2024-10-15T12:50:29Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bps_instance[0].dynamic.private_dns_name_options" value="cty.NilVal"
2024-10-15T12:50:29Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bws_instance[0].aws_ebs_volume.this" value="cty.NilVal"
2024-10-15T12:50:29Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bws_instance[0].dynamic.ephemeral_block_device" value="cty.NilVal"
2024-10-15T12:50:29Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bws_instance[0].dynamic.ebs_block_device" value="cty.NilVal"
2024-10-15T12:50:29Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bws_instance[0].dynamic.private_dns_name_options" value="cty.NilVal"
2024-10-15T12:50:29Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bws_instance[0].dynamic.ephemeral_block_device" value="cty.NilVal"
2024-10-15T12:50:29Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bws_instance[0].dynamic.ebs_block_device" value="cty.NilVal"
2024-10-15T12:50:29Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bws_instance[0].dynamic.private_dns_name_options" value="cty.NilVal"
2024-10-15T12:50:29Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.dis_instance[0].aws_ebs_volume.this" value="cty.NilVal"
2024-10-15T12:50:29Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.dis_instance[0].dynamic.ephemeral_block_device" value="cty.NilVal"
2024-10-15T12:50:29Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.dis_instance[0].dynamic.ebs_block_device" value="cty.NilVal"
2024-10-15T12:50:29Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.dis_instance[0].dynamic.private_dns_name_options" value="cty.NilVal"
2024-10-15T12:50:29Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.dis_instance[0].dynamic.ephemeral_block_device" value="cty.NilVal"
2024-10-15T12:50:29Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.dis_instance[0].dynamic.ebs_block_device" value="cty.NilVal"
2024-10-15T12:50:29Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.dis_instance[0].dynamic.private_dns_name_options" value="cty.NilVal"
2024-10-15T12:50:29Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_boe[0].module.instance.aws_ebs_volume.this" value="cty.NilVal"
2024-10-15T12:50:29Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_boe[0].module.instance.dynamic.ephemeral_block_device" value="cty.NilVal"
2024-10-15T12:50:29Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_boe[0].module.instance.dynamic.ebs_block_device" value="cty.NilVal"
2024-10-15T12:50:29Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_boe[0].module.instance.dynamic.ephemeral_block_device" value="cty.NilVal"
2024-10-15T12:50:29Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_boe[0].module.instance.dynamic.ebs_block_device" value="cty.NilVal"
2024-10-15T12:50:29Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_dsd[0].module.instance.aws_ebs_volume.this" value="cty.NilVal"
2024-10-15T12:50:29Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_dsd[0].module.instance.dynamic.ephemeral_block_device" value="cty.NilVal"
2024-10-15T12:50:29Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_dsd[0].module.instance.dynamic.ebs_block_device" value="cty.NilVal"
2024-10-15T12:50:29Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_dsd[0].module.instance.dynamic.ephemeral_block_device" value="cty.NilVal"
2024-10-15T12:50:29Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_dsd[0].module.instance.dynamic.ebs_block_device" value="cty.NilVal"
2024-10-15T12:50:29Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_mis[0].module.instance.aws_ebs_volume.this" value="cty.NilVal"
2024-10-15T12:50:29Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_mis[0].module.instance.dynamic.ephemeral_block_device" value="cty.NilVal"
2024-10-15T12:50:29Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_mis[0].module.instance.dynamic.ebs_block_device" value="cty.NilVal"
2024-10-15T12:50:29Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_mis[0].module.instance.dynamic.ephemeral_block_device" value="cty.NilVal"
2024-10-15T12:50:29Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_mis[0].module.instance.dynamic.ebs_block_device" value="cty.NilVal"
2024-10-15T12:50:29Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_shared[\"boe-db\"].aws_s3_object.user_public_keys" value="cty.NilVal"
2024-10-15T12:50:29Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_shared[\"boe-db\"].module.s3_bucket_oracledb_backups.dynamic.expiration" value="cty.NilVal"
2024-10-15T12:50:29Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_shared[\"boe-db\"].module.s3_bucket_oracledb_backups.dynamic.transition" value="cty.NilVal"
2024-10-15T12:50:29Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_shared[\"boe-db\"].module.s3_bucket_oracledb_backups.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-15T12:50:29Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_shared[\"boe-db\"].module.s3_bucket_oracledb_backups.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-15T12:50:29Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_shared[\"boe-db\"].module.s3_bucket_oracledb_backups.dynamic.principals" value="cty.NilVal"
2024-10-15T12:50:29Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_shared[\"boe-db\"].module.s3_bucket_oracledb_backups.dynamic.condition" value="cty.NilVal"
2024-10-15T12:50:29Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_shared[\"boe-db\"].module.s3_bucket_oracledb_backups.dynamic.expiration" value="cty.NilVal"
2024-10-15T12:50:29Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_shared[\"boe-db\"].module.s3_bucket_oracledb_backups.dynamic.transition" value="cty.NilVal"
2024-10-15T12:50:29Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_shared[\"boe-db\"].module.s3_bucket_oracledb_backups.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-15T12:50:29Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_shared[\"boe-db\"].module.s3_bucket_oracledb_backups.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-15T12:50:29Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_shared[\"boe-db\"].module.s3_bucket_oracledb_backups.dynamic.principals" value="cty.NilVal"
2024-10-15T12:50:29Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_shared[\"boe-db\"].module.s3_bucket_oracledb_backups.dynamic.condition" value="cty.NilVal"
2024-10-15T12:50:29Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_shared[\"boe-db\"].module.s3_bucket_ssh_keys.dynamic.expiration" value="cty.NilVal"
2024-10-15T12:50:29Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_shared[\"boe-db\"].module.s3_bucket_ssh_keys.dynamic.transition" value="cty.NilVal"
2024-10-15T12:50:29Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_shared[\"boe-db\"].module.s3_bucket_ssh_keys.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-15T12:50:29Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_shared[\"boe-db\"].module.s3_bucket_ssh_keys.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-15T12:50:29Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_shared[\"boe-db\"].module.s3_bucket_ssh_keys.dynamic.principals" value="cty.NilVal"
2024-10-15T12:50:29Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_shared[\"boe-db\"].module.s3_bucket_ssh_keys.dynamic.condition" value="cty.NilVal"
2024-10-15T12:50:29Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_shared[\"boe-db\"].module.s3_bucket_ssh_keys.dynamic.expiration" value="cty.NilVal"
2024-10-15T12:50:29Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_shared[\"boe-db\"].module.s3_bucket_ssh_keys.dynamic.transition" value="cty.NilVal"
2024-10-15T12:50:29Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_shared[\"boe-db\"].module.s3_bucket_ssh_keys.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-15T12:50:29Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_shared[\"boe-db\"].module.s3_bucket_ssh_keys.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-15T12:50:29Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_shared[\"boe-db\"].module.s3_bucket_ssh_keys.dynamic.principals" value="cty.NilVal"
2024-10-15T12:50:29Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_shared[\"boe-db\"].module.s3_bucket_ssh_keys.dynamic.condition" value="cty.NilVal"
2024-10-15T12:50:29Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_shared[\"dsd-db\"].aws_s3_object.user_public_keys" value="cty.NilVal"
2024-10-15T12:50:29Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_shared[\"dsd-db\"].module.s3_bucket_oracledb_backups.dynamic.expiration" value="cty.NilVal"
2024-10-15T12:50:29Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_shared[\"dsd-db\"].module.s3_bucket_oracledb_backups.dynamic.transition" value="cty.NilVal"
2024-10-15T12:50:29Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_shared[\"dsd-db\"].module.s3_bucket_oracledb_backups.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-15T12:50:29Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_shared[\"dsd-db\"].module.s3_bucket_oracledb_backups.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-15T12:50:29Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_shared[\"dsd-db\"].module.s3_bucket_oracledb_backups.dynamic.principals" value="cty.NilVal"
2024-10-15T12:50:29Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_shared[\"dsd-db\"].module.s3_bucket_oracledb_backups.dynamic.condition" value="cty.NilVal"
2024-10-15T12:50:29Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_shared[\"dsd-db\"].module.s3_bucket_oracledb_backups.dynamic.expiration" value="cty.NilVal"
2024-10-15T12:50:29Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_shared[\"dsd-db\"].module.s3_bucket_oracledb_backups.dynamic.transition" value="cty.NilVal"
2024-10-15T12:50:29Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_shared[\"dsd-db\"].module.s3_bucket_oracledb_backups.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-15T12:50:29Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_shared[\"dsd-db\"].module.s3_bucket_oracledb_backups.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-15T12:50:29Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_shared[\"dsd-db\"].module.s3_bucket_oracledb_backups.dynamic.principals" value="cty.NilVal"
2024-10-15T12:50:29Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_shared[\"dsd-db\"].module.s3_bucket_oracledb_backups.dynamic.condition" value="cty.NilVal"
2024-10-15T12:50:29Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_shared[\"dsd-db\"].module.s3_bucket_ssh_keys.dynamic.expiration" value="cty.NilVal"
2024-10-15T12:50:29Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_shared[\"dsd-db\"].module.s3_bucket_ssh_keys.dynamic.transition" value="cty.NilVal"
2024-10-15T12:50:29Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_shared[\"dsd-db\"].module.s3_bucket_ssh_keys.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-15T12:50:29Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_shared[\"dsd-db\"].module.s3_bucket_ssh_keys.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-15T12:50:29Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_shared[\"dsd-db\"].module.s3_bucket_ssh_keys.dynamic.principals" value="cty.NilVal"
2024-10-15T12:50:29Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_shared[\"dsd-db\"].module.s3_bucket_ssh_keys.dynamic.condition" value="cty.NilVal"
2024-10-15T12:50:29Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_shared[\"dsd-db\"].module.s3_bucket_ssh_keys.dynamic.expiration" value="cty.NilVal"
2024-10-15T12:50:29Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_shared[\"dsd-db\"].module.s3_bucket_ssh_keys.dynamic.transition" value="cty.NilVal"
2024-10-15T12:50:29Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_shared[\"dsd-db\"].module.s3_bucket_ssh_keys.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-15T12:50:29Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_shared[\"dsd-db\"].module.s3_bucket_ssh_keys.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-15T12:50:29Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_shared[\"dsd-db\"].module.s3_bucket_ssh_keys.dynamic.principals" value="cty.NilVal"
2024-10-15T12:50:29Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_shared[\"dsd-db\"].module.s3_bucket_ssh_keys.dynamic.condition" value="cty.NilVal"
2024-10-15T12:50:29Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_shared[\"mis-db\"].aws_s3_object.user_public_keys" value="cty.NilVal"
2024-10-15T12:50:29Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_shared[\"mis-db\"].module.s3_bucket_oracledb_backups.dynamic.expiration" value="cty.NilVal"
2024-10-15T12:50:29Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_shared[\"mis-db\"].module.s3_bucket_oracledb_backups.dynamic.transition" value="cty.NilVal"
2024-10-15T12:50:29Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_shared[\"mis-db\"].module.s3_bucket_oracledb_backups.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-15T12:50:29Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_shared[\"mis-db\"].module.s3_bucket_oracledb_backups.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-15T12:50:29Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_shared[\"mis-db\"].module.s3_bucket_oracledb_backups.dynamic.principals" value="cty.NilVal"
2024-10-15T12:50:29Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_shared[\"mis-db\"].module.s3_bucket_oracledb_backups.dynamic.condition" value="cty.NilVal"
2024-10-15T12:50:29Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_shared[\"mis-db\"].module.s3_bucket_oracledb_backups.dynamic.expiration" value="cty.NilVal"
2024-10-15T12:50:29Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_shared[\"mis-db\"].module.s3_bucket_oracledb_backups.dynamic.transition" value="cty.NilVal"
2024-10-15T12:50:29Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_shared[\"mis-db\"].module.s3_bucket_oracledb_backups.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-15T12:50:29Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_shared[\"mis-db\"].module.s3_bucket_oracledb_backups.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-15T12:50:29Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_shared[\"mis-db\"].module.s3_bucket_oracledb_backups.dynamic.principals" value="cty.NilVal"
2024-10-15T12:50:29Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_shared[\"mis-db\"].module.s3_bucket_oracledb_backups.dynamic.condition" value="cty.NilVal"
2024-10-15T12:50:29Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_shared[\"mis-db\"].module.s3_bucket_ssh_keys.dynamic.expiration" value="cty.NilVal"
2024-10-15T12:50:29Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_shared[\"mis-db\"].module.s3_bucket_ssh_keys.dynamic.transition" value="cty.NilVal"
2024-10-15T12:50:29Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_shared[\"mis-db\"].module.s3_bucket_ssh_keys.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-15T12:50:29Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_shared[\"mis-db\"].module.s3_bucket_ssh_keys.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-15T12:50:29Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_shared[\"mis-db\"].module.s3_bucket_ssh_keys.dynamic.principals" value="cty.NilVal"
2024-10-15T12:50:29Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_shared[\"mis-db\"].module.s3_bucket_ssh_keys.dynamic.condition" value="cty.NilVal"
2024-10-15T12:50:29Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_shared[\"mis-db\"].module.s3_bucket_ssh_keys.dynamic.expiration" value="cty.NilVal"
2024-10-15T12:50:29Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_shared[\"mis-db\"].module.s3_bucket_ssh_keys.dynamic.transition" value="cty.NilVal"
2024-10-15T12:50:29Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_shared[\"mis-db\"].module.s3_bucket_ssh_keys.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-15T12:50:29Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_shared[\"mis-db\"].module.s3_bucket_ssh_keys.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-15T12:50:29Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_shared[\"mis-db\"].module.s3_bucket_ssh_keys.dynamic.principals" value="cty.NilVal"
2024-10-15T12:50:29Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.oracle_db_shared[\"mis-db\"].module.s3_bucket_ssh_keys.dynamic.condition" value="cty.NilVal"
2024-10-15T12:50:33Z	INFO	[terraform executor] Ignore finding	rule="aws-ec2-enforce-http-token-imds" range="github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance/main.tf:22"
2024-10-15T12:50:33Z	INFO	[terraform executor] Ignore finding	rule="aws-ec2-enforce-http-token-imds" range="github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance/main.tf:22"
2024-10-15T12:50:33Z	INFO	[terraform executor] Ignore finding	rule="aws-ec2-enforce-http-token-imds" range="github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance/main.tf:22"
2024-10-15T12:50:33Z	INFO	[terraform executor] Ignore finding	rule="aws-ec2-enforce-http-token-imds" range="github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance/main.tf:22"
2024-10-15T12:50:33Z	INFO	[terraform executor] Ignore finding	rule="aws-ec2-enforce-http-token-imds" range="github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance/main.tf:22"
2024-10-15T12:50:33Z	INFO	[terraform executor] Ignore finding	rule="aws-ec2-enforce-http-token-imds" range="github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance/main.tf:22"
2024-10-15T12:50:33Z	INFO	[terraform executor] Ignore finding	rule="aws-ec2-enforce-http-token-imds" range="github.com/ministryofjustice/modernisation-platform-terraform-ec2-instance/main.tf:22"
2024-10-15T12:50:33Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=c918b2189d9f81d224e07e98fa1bc9ff38e4ba12/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2024-10-15T12:50:33Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0/main.tf:171-179"
2024-10-15T12:50:33Z	INFO	[terraform executor] Ignore finding	rule="aws-ec2-no-public-egress-sgr" range="../../../delius-core/modules/components/oracle_db_shared/sg.tf:15"
2024-10-15T12:50:33Z	INFO	[terraform executor] Ignore finding	rule="aws-ec2-no-public-egress-sgr" range="../../../delius-core/modules/components/oracle_db_shared/sg.tf:15"
2024-10-15T12:50:33Z	INFO	[terraform executor] Ignore finding	rule="aws-ec2-no-public-egress-sgr" range="../../../delius-core/modules/components/oracle_db_shared/sg.tf:15"
2024-10-15T12:50:33Z	INFO	[terraform executor] Ignore finding	rule="aws-ssm-secret-use-customer-key" range="secrets.tf:3-9"
2024-10-15T12:50:33Z	INFO	[terraform executor] Ignore finding	rule="aws-ssm-secret-use-customer-key" range="secrets.tf:12-18"
2024-10-15T12:50:33Z	INFO	Number of language-specific files	num=0
2024-10-15T12:50:33Z	INFO	Detected config files	num=19

../../../delius-core/modules/components/oracle_db_shared/s3.tf (terraform)
==========================================================================
Tests: 1 (SUCCESSES: 0, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.


See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 ../../../delius-core/modules/components/oracle_db_shared/s3.tf:204-212
   via databases.tf:13-37 (module.oracle_db_shared["boe-db"])
────────────────────────────────────────
 204 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "oracledb_backups_inventory" {
 205 │   bucket = aws_s3_bucket.s3_bucket_oracledb_backups_inventory.id
 206 │   rule {
 207 │     apply_server_side_encryption_by_default {
 208 │       kms_master_key_id = var.account_config.kms_keys.general_shared
 209 │       sse_algorithm     = "aws:kms"
 210 │     }
 211 │   }
 212 └ }
────────────────────────────────────────



sg_shared.tf (terraform)
========================
Tests: 4 (SUCCESSES: 0, FAILURES: 1, EXCEPTIONS: 3)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Security group rule allows ingress from public internet.
════════════════════════════════════════
Security groups provide stateful filtering of ingress and egress network traffic to AWS
resources. It is recommended that no security group allows unrestricted ingress access to
remote server administration ports, such as SSH to port 22 and RDP to port 3389.


See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
 sg_shared.tf:28
   via sg_shared.tf:26-32 (aws_vpc_security_group_ingress_rule.fleet_manager)
────────────────────────────────────────
  26   resource "aws_vpc_security_group_ingress_rule" "fleet_manager" {
  27     security_group_id = aws_security_group.mis_ec2_shared.id
  28 [   cidr_ipv4         = "0.0.0.0/0"
  29     ip_protocol       = "tcp"
  30     from_port         = 3389
  31     to_port           = 3389
  32   }
────────────────────────────────────────


trivy_exitcode=1

*****************************

Running Trivy in terraform/modules/schedule_alarms_lambda
2024-10-15T12:50:33Z	INFO	[vuln] Vulnerability scanning is enabled
2024-10-15T12:50:33Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-10-15T12:50:33Z	INFO	[secret] Secret scanning is enabled
2024-10-15T12:50:33Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-10-15T12:50:33Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.56/docs/scanner/secret#recommendation for faster secret detection
2024-10-15T12:50:34Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-10-15T12:50:34Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="lambda_function_name"
2024-10-15T12:50:34Z	INFO	Number of language-specific files	num=0
2024-10-15T12:50:34Z	INFO	Detected config files	num=2
trivy_exitcode=1

@andrewmooreio andrewmooreio had a problem deploying to delius-mis-development October 15, 2024 12:51 — with GitHub Actions Failure
@andrewmooreio andrewmooreio temporarily deployed to delius-mis-development October 15, 2024 12:54 — with GitHub Actions Inactive
@andrewmooreio andrewmooreio merged commit baa78ad into main Oct 15, 2024
11 of 14 checks passed
@andrewmooreio andrewmooreio deleted the TM-570-automate-disabling-of-cloud-watch-alarms-for-non-prod-environments-mp branch October 15, 2024 14:21