Bump terraform-aws-modules/lambda/aws from 7.9.0 to 7.15.0 in /terraform/environments/analytical-platform-ingestion #8705

dependabot · 2024-11-19T01:01:30Z

Bumps terraform-aws-modules/lambda/aws from 7.9.0 to 7.15.0.

Release notes

Sourced from terraform-aws-modules/lambda/aws's releases.

v7.15.0

7.15.0 (2024-11-18)

Features

Make source_path blocks independent (#640) (0fdac2e)

v7.14.1

7.14.1 (2024-11-17)

Bug Fixes

Skip broken symlinks on hash computing (#639) (c28b940)

v7.14.0

7.14.0 (2024-10-11)

Features

Support lambda function vpc_config.ipv6_allowed_for_dual_stack and event source mapping tags (#628) (2a602f9)

Bug Fixes

Update CI workflow versions to latest (#631) (d06718f)

v7.13.0

7.13.0 (2024-10-05)

Features

Support aws_lambda_event_source_mapping.document_db_event_source_config (#626) (5d48199)

v7.12.0

7.12.0 (2024-10-05)

Features

Add support for kafka event source config (#617) (2c077cb)

v7.11.0

7.11.0 (2024-10-01)

Features

... (truncated)

Changelog

Sourced from terraform-aws-modules/lambda/aws's changelog.

7.15.0 (2024-11-18)

Features

Make source_path blocks independent (#640) (0fdac2e)

7.14.1 (2024-11-17)

Bug Fixes

Skip broken symlinks on hash computing (#639) (c28b940)

7.14.0 (2024-10-11)

Features

Support lambda function vpc_config.ipv6_allowed_for_dual_stack and event source mapping tags (#628) (2a602f9)

Bug Fixes

Update CI workflow versions to latest (#631) (d06718f)

7.13.0 (2024-10-05)

Features

Support aws_lambda_event_source_mapping.document_db_event_source_config (#626) (5d48199)

7.12.0 (2024-10-05)

Features

Add support for kafka event source config (#617) (2c077cb)

7.11.0 (2024-10-01)

Features

Add function_url_auth_type option to aws_lambda_permission (#625) (9f13397)

7.10.0 (2024-09-29)

... (truncated)

Commits

1fe3e4a chore(release): version 7.15.0 [skip ci]
0fdac2e feat: Make source_path blocks independent (#640)
ce8417e chore(release): version 7.14.1 [skip ci]
c28b940 fix: Skip broken symlinks on hash computing (#639)
00a7172 chore(release): version 7.14.0 [skip ci]
2a602f9 feat: Support lambda function vpc_config.ipv6_allowed_for_dual_stack and ev...
d06718f fix: Update CI workflow versions to latest (#631)
7bd028b chore(release): version 7.13.0 [skip ci]
5d48199 feat: Support `aws_lambda_event_source_mapping.document_db_event_source_confi...
9be9b1a chore(release): version 7.12.0 [skip ci]
Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot merge will merge this PR after your CI passes on it
@dependabot squash and merge will squash and merge this PR after your CI passes on it
@dependabot cancel merge will cancel a previously requested merge and block automerging
@dependabot reopen will reopen this PR if it is closed
@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [terraform-aws-modules/lambda/aws](https://github.com/terraform-aws-modules/terraform-aws-lambda) from 7.9.0 to 7.15.0. - [Release notes](https://github.com/terraform-aws-modules/terraform-aws-lambda/releases) - [Changelog](https://github.com/terraform-aws-modules/terraform-aws-lambda/blob/master/CHANGELOG.md) - [Commits](terraform-aws-modules/terraform-aws-lambda@v7.9.0...v7.15.0) --- updated-dependencies: - dependency-name: terraform-aws-modules/lambda/aws dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]>

github-actions · 2024-11-19T01:04:00Z

`Trivy Scan` Failed

Show Output

```hcl

Trivy will check the following folders:
terraform/environments/analytical-platform-ingestion

Running Trivy in terraform/environments/analytical-platform-ingestion
2024-11-19T01:03:43Z INFO [vulndb] Need to update DB
2024-11-19T01:03:43Z INFO [vulndb] Downloading vulnerability DB...
2024-11-19T01:03:43Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-11-19T01:03:45Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-11-19T01:03:45Z INFO [vuln] Vulnerability scanning is enabled
2024-11-19T01:03:45Z INFO [misconfig] Misconfiguration scanning is enabled
2024-11-19T01:03:45Z INFO [misconfig] Need to update the built-in checks
2024-11-19T01:03:45Z INFO [misconfig] Downloading the built-in checks...
160.60 KiB / 160.60 KiB [---------------------------------------------------------] 100.00% ? p/s 0s2024-11-19T01:03:45Z INFO [secret] Secret scanning is enabled
2024-11-19T01:03:45Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-11-19T01:03:45Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-11-19T01:03:46Z INFO [terraform scanner] Scanning root module file_path="."
2024-11-19T01:03:46Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2024-11-19T01:03:46Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.connected_vpc_transit_gateway_routes" value="cty.NilVal"
2024-11-19T01:03:46Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.sftp_users" value="cty.NilVal"
2024-11-19T01:03:46Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.sftp_users_with_egress" value="cty.NilVal"
2024-11-19T01:03:52Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.bold_egress_bucket.aws_s3_bucket_server_side_encryption_configuration.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_server_side_encryption_configuration.this[0].dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-19T01:03:52Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.bold_egress_bucket.aws_s3_bucket_server_side_encryption_configuration.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_server_side_encryption_configuration.this[0].dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-19T01:03:52Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.datasync_bucket.aws_s3_bucket_replication_configuration.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_replication_configuration.this[0].dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-19T01:03:52Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.datasync_bucket.aws_s3_bucket_server_side_encryption_configuration.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_server_side_encryption_configuration.this[0].dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-19T01:03:52Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.datasync_bucket.aws_s3_bucket_replication_configuration.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_replication_configuration.this[0].dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-19T01:03:52Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.datasync_bucket.aws_s3_bucket_server_side_encryption_configuration.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_server_side_encryption_configuration.this[0].dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-19T01:03:52Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.datasync_bucket.aws_s3_bucket_replication_configuration.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_replication_configuration.this[0].dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-19T01:03:52Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.datasync_bucket.aws_s3_bucket_server_side_encryption_configuration.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_server_side_encryption_configuration.this[0].dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-19T01:03:52Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.datasync_bucket.aws_s3_bucket_replication_configuration.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_replication_configuration.this[0].dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-19T01:03:52Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.datasync_bucket.aws_s3_bucket_server_side_encryption_configuration.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_server_side_encryption_configuration.this[0].dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-19T01:03:53Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.definition_upload_lambda.aws_lambda_function.this[0]" err="2 errors occurred:\n\t* invalid for-each in aws_lambda_function.this[0].dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_lambda_function.this[0].dynamic.logging_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-19T01:03:53Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.definition_upload_lambda.aws_lambda_function.this[0]" err="2 errors occurred:\n\t* invalid for-each in aws_lambda_function.this[0].dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_lambda_function.this[0].dynamic.logging_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-19T01:03:53Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.definition_upload_lambda.aws_lambda_function.this[0]" err="2 errors occurred:\n\t* invalid for-each in aws_lambda_function.this[0].dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_lambda_function.this[0].dynamic.logging_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-19T01:03:53Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.definition_upload_lambda.aws_lambda_function.this[0]" err="2 errors occurred:\n\t* invalid for-each in aws_lambda_function.this[0].dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_lambda_function.this[0].dynamic.logging_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-19T01:03:53Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.definitions_bucket.aws_s3_bucket_server_side_encryption_configuration.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_server_side_encryption_configuration.this[0].dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-19T01:03:53Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.definitions_bucket.aws_s3_bucket_server_side_encryption_configuration.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_server_side_encryption_configuration.this[0].dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-19T01:03:53Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.definition_upload_lambda.aws_lambda_function.this[0]" err="2 errors occurred:\n\t* invalid for-each in aws_lambda_function.this[0].dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_lambda_function.this[0].dynamic.logging_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-19T01:03:53Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.definition_upload_lambda.aws_lambda_function.this[0]" err="2 errors occurred:\n\t* invalid for-each in aws_lambda_function.this[0].dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_lambda_function.this[0].dynamic.logging_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-19T01:03:54Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="git::https:/github.com/terraform-aws-modules/terraform-aws-s3-bucket?ref=8a0b697adfbc673e6135c70246cff7f8052ad95a/main.tf:176-198"
2024-11-19T01:03:54Z INFO [terraform executor] Ignore finding rule="aws-ec2-no-public-egress-sgr" range="terraform-aws-modules/security-group/aws/main.tf:533"
2024-11-19T01:03:54Z INFO [terraform executor] Ignore finding rule="aws-ec2-no-public-egress-sgr" range="terraform-aws-modules/security-group/aws/main.tf:534"
2024-11-19T01:03:54Z INFO [terraform executor] Ignore finding rule="aws-s3-enable-bucket-encryption" range="git::https:/github.com/terraform-aws-modules/terraform-aws-s3-bucket?ref=8a0b697adfbc673e6135c70246cff7f8052ad95a/main.tf:176-198"
2024-11-19T01:03:54Z INFO Number of language-specific files num=0
2024-11-19T01:03:54Z INFO Detected config files num=8

git::https:/github.com/terraform-aws-modules/terraform-aws-alb?ref=349540d1a611cd98a6383cc64ef0d9bf08d88fb7/main.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
git::https:/github.com/terraform-aws-modules/terraform-aws-alb?ref=349540d1a611cd98a6383cc64ef0d9bf08d88fb7/main.tf:12-81
via network-load-balancers.tf:1-37 (module.datasync_activation_nlb)
────────────────────────────────────────
12 ┌ resource "aws_lb" "this" {
13 │ count = local.create ? 1 : 0
14 │
15 │ dynamic "access_logs" {
16 │ for_each = length(var.access_logs) > 0 ? [var.access_logs] : []
17 │
18 │ content {
19 │ bucket = access_logs.value.bucket
20 └ enabled = try(access_logs.value.enabled, true)
..
────────────────────────────────────────

git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf (terraform)

Tests: 4 (SUCCESSES: 0, FAILURES: 4)
Failures: 4 (HIGH: 0, CRITICAL: 4)

AVD-AWS-0102 (CRITICAL): Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.

See https://avd.aquasec.com/misconfig/aws-vpc-no-excessive-port-access
────────────────────────────────────────
git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:340
via git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:328-343 (aws_network_acl_rule.private_outbound[0])
via vpc.tf:1-23 (module.connected_vpc)
────────────────────────────────────────
328 resource "aws_network_acl_rule" "private_outbound" {
...
340 [ protocol = var.private_outbound_acl_rules[count.index]["protocol"]
...
343 }
────────────────────────────────────────

AVD-AWS-0102 (CRITICAL): Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.

See https://avd.aquasec.com/misconfig/aws-vpc-no-excessive-port-access
────────────────────────────────────────
git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:323
via git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:311-326 (aws_network_acl_rule.private_inbound[0])
via vpc.tf:1-23 (module.connected_vpc)
────────────────────────────────────────
311 resource "aws_network_acl_rule" "private_inbound" {
...
323 [ protocol = var.private_inbound_acl_rules[count.index]["protocol"]
...
326 }
────────────────────────────────────────

AVD-AWS-0102 (CRITICAL): Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.

See https://avd.aquasec.com/misconfig/aws-vpc-no-excessive-port-access
────────────────────────────────────────
git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:221
via git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:209-224 (aws_network_acl_rule.public_outbound[0])
via vpc.tf:1-23 (module.connected_vpc)
────────────────────────────────────────
209 resource "aws_network_acl_rule" "public_outbound" {
...
221 [ protocol = var.public_outbound_acl_rules[count.index]["protocol"]
...
224 }
────────────────────────────────────────

AVD-AWS-0102 (CRITICAL): Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.

See https://avd.aquasec.com/misconfig/aws-vpc-no-excessive-port-access
────────────────────────────────────────
git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:204
via git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:192-207 (aws_network_acl_rule.public_inbound[0])
via vpc.tf:1-23 (module.connected_vpc)
────────────────────────────────────────
192 resource "aws_network_acl_rule" "public_inbound" {
...
204 [ protocol = var.public_inbound_acl_rules[count.index]["protocol"]
...
207 }
────────────────────────────────────────

trivy_exitcode=1

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/analytical-platform-ingestion

*****************************

Running Checkov in terraform/environments/analytical-platform-ingestion
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-11-19 01:03:57,103 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/cloudwatch/aws//modules/log-group:5.6.0 (for external modules, the --download-external-modules flag is required)
2024-11-19 01:03:57,103 [MainThread  ] [WARNI]  Failed to download module ministryofjustice/observability-platform-tenant/aws:1.2.0 (for external modules, the --download-external-modules flag is required)
2024-11-19 01:03:57,103 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/kms/aws:3.1.0 (for external modules, the --download-external-modules flag is required)
2024-11-19 01:03:57,103 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/route53/aws//modules/resolver-rule-associations:4.1.0 (for external modules, the --download-external-modules flag is required)
2024-11-19 01:03:57,103 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/secrets-manager/aws:1.3.1 (for external modules, the --download-external-modules flag is required)
2024-11-19 01:03:57,103 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/sns/aws:6.1.0 (for external modules, the --download-external-modules flag is required)
2024-11-19 01:03:57,104 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/vpc/aws//modules/vpc-endpoints:5.13.0 (for external modules, the --download-external-modules flag is required)
2024-11-19 01:03:57,104 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/route53/aws//modules/resolver-endpoints:4.1.0 (for external modules, the --download-external-modules flag is required)
2024-11-19 01:03:57,104 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/lambda/aws:7.15.0 (for external modules, the --download-external-modules flag is required)
2024-11-19 01:03:57,104 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/s3-bucket/aws:4.1.2 (for external modules, the --download-external-modules flag is required)
2024-11-19 01:03:57,104 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/vpc/aws:5.13.0 (for external modules, the --download-external-modules flag is required)
2024-11-19 01:03:57,104 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-assumable-role:5.44.1 (for external modules, the --download-external-modules flag is required)
2024-11-19 01:03:57,105 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/security-group/aws:5.2.0 (for external modules, the --download-external-modules flag is required)
2024-11-19 01:03:57,105 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/alb/aws:9.11.0 (for external modules, the --download-external-modules flag is required)
2024-11-19 01:03:57,105 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/s3-bucket/aws//modules/notification:4.1.2 (for external modules, the --download-external-modules flag is required)
2024-11-19 01:03:57,105 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-policy:5.44.1 (for external modules, the --download-external-modules flag is required)
2024-11-19 01:03:57,105 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/ec2-instance/aws:5.7.1 (for external modules, the --download-external-modules flag is required)
2024-11-19 01:03:57,123 [MainThread  ] [WARNI]  [ArmLocalGraph] created 0 vertices
2024-11-19 01:03:57,124 [MainThread  ] [WARNI]  [ArmLocalGraph] created 0 edges
terraform scan results:

Passed checks: 212, Failed checks: 2, Skipped checks: 77

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: connected_vpc_route53_resolver_associations
	File: /route53-resolver-associations.tf:1-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		1  | module "connected_vpc_route53_resolver_associations" {
		2  | 
		3  |   source  = "terraform-aws-modules/route53/aws//modules/resolver-rule-associations"
		4  |   version = "4.1.0"
		5  | 
		6  |   vpc_id = module.connected_vpc.vpc_id
		7  | 
		8  |   resolver_rule_associations = {
		9  |     mojo-dns-resolver-dom1-infra-int = {
		10 |       resolver_rule_id = aws_route53_resolver_rule.mojo_dns_resolver_dom1_infra_int.id
		11 |     }
		12 |   }
		13 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: connected_vpc_outbound_route53_resolver_endpoint
	File: /route53-resolver-endpoints.tf:1-27
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		1  | module "connected_vpc_outbound_route53_resolver_endpoint" {
		2  |   source  = "terraform-aws-modules/route53/aws//modules/resolver-endpoints"
		3  |   version = "4.1.0"
		4  | 
		5  |   name      = "connected-vpc-outbound"
		6  |   vpc_id    = module.connected_vpc.vpc_id
		7  |   direction = "OUTBOUND"
		8  |   protocols = ["Do53"]
		9  | 
		10 |   ip_address = [
		11 |     {
		12 |       subnet_id = module.connected_vpc.private_subnets[0]
		13 |     },
		14 |     {
		15 |       subnet_id = module.connected_vpc.private_subnets[1]
		16 |     }
		17 |   ]
		18 | 
		19 |   security_group_ingress_cidr_blocks = [module.connected_vpc.vpc_cidr_block]
		20 |   security_group_egress_cidr_blocks = [
		21 |     /* MoJO DNS Resolver Service */
		22 |     "10.180.80.5/32",
		23 |     "10.180.81.5/32"
		24 |   ]
		25 | 
		26 |   tags = local.tags
		27 | }

checkov_exitcode=1

`CTFLint Scan` Success

Show Output

*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/analytical-platform-ingestion

*****************************

Running tflint in terraform/environments/analytical-platform-ingestion
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

`Trivy Scan` Failed

Show Output

*****************************

Trivy will check the following folders:
terraform/environments/analytical-platform-ingestion

*****************************

Running Trivy in terraform/environments/analytical-platform-ingestion
2024-11-19T01:03:43Z	INFO	[vulndb] Need to update DB
2024-11-19T01:03:43Z	INFO	[vulndb] Downloading vulnerability DB...
2024-11-19T01:03:43Z	INFO	[vulndb] Downloading artifact...	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-11-19T01:03:45Z	INFO	[vulndb] Artifact successfully downloaded	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-11-19T01:03:45Z	INFO	[vuln] Vulnerability scanning is enabled
2024-11-19T01:03:45Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-11-19T01:03:45Z	INFO	[misconfig] Need to update the built-in checks
2024-11-19T01:03:45Z	INFO	[misconfig] Downloading the built-in checks...
160.60 KiB / 160.60 KiB [---------------------------------------------------------] 100.00% ? p/s 0s2024-11-19T01:03:45Z	INFO	[secret] Secret scanning is enabled
2024-11-19T01:03:45Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-11-19T01:03:45Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-11-19T01:03:46Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-11-19T01:03:46Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2024-11-19T01:03:46Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.connected_vpc_transit_gateway_routes" value="cty.NilVal"
2024-11-19T01:03:46Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.sftp_users" value="cty.NilVal"
2024-11-19T01:03:46Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.sftp_users_with_egress" value="cty.NilVal"
2024-11-19T01:03:52Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.bold_egress_bucket.aws_s3_bucket_server_side_encryption_configuration.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_server_side_encryption_configuration.this[0].dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-19T01:03:52Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.bold_egress_bucket.aws_s3_bucket_server_side_encryption_configuration.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_server_side_encryption_configuration.this[0].dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-19T01:03:52Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.datasync_bucket.aws_s3_bucket_replication_configuration.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_replication_configuration.this[0].dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-19T01:03:52Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.datasync_bucket.aws_s3_bucket_server_side_encryption_configuration.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_server_side_encryption_configuration.this[0].dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-19T01:03:52Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.datasync_bucket.aws_s3_bucket_replication_configuration.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_replication_configuration.this[0].dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-19T01:03:52Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.datasync_bucket.aws_s3_bucket_server_side_encryption_configuration.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_server_side_encryption_configuration.this[0].dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-19T01:03:52Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.datasync_bucket.aws_s3_bucket_replication_configuration.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_replication_configuration.this[0].dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-19T01:03:52Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.datasync_bucket.aws_s3_bucket_server_side_encryption_configuration.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_server_side_encryption_configuration.this[0].dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-19T01:03:52Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.datasync_bucket.aws_s3_bucket_replication_configuration.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_replication_configuration.this[0].dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-19T01:03:52Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.datasync_bucket.aws_s3_bucket_server_side_encryption_configuration.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_server_side_encryption_configuration.this[0].dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-19T01:03:53Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.definition_upload_lambda.aws_lambda_function.this[0]" err="2 errors occurred:\n\t* invalid for-each in aws_lambda_function.this[0].dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_lambda_function.this[0].dynamic.logging_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-19T01:03:53Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.definition_upload_lambda.aws_lambda_function.this[0]" err="2 errors occurred:\n\t* invalid for-each in aws_lambda_function.this[0].dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_lambda_function.this[0].dynamic.logging_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-19T01:03:53Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.definition_upload_lambda.aws_lambda_function.this[0]" err="2 errors occurred:\n\t* invalid for-each in aws_lambda_function.this[0].dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_lambda_function.this[0].dynamic.logging_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-19T01:03:53Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.definition_upload_lambda.aws_lambda_function.this[0]" err="2 errors occurred:\n\t* invalid for-each in aws_lambda_function.this[0].dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_lambda_function.this[0].dynamic.logging_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-19T01:03:53Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.definitions_bucket.aws_s3_bucket_server_side_encryption_configuration.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_server_side_encryption_configuration.this[0].dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-19T01:03:53Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.definitions_bucket.aws_s3_bucket_server_side_encryption_configuration.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_server_side_encryption_configuration.this[0].dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-19T01:03:53Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.definition_upload_lambda.aws_lambda_function.this[0]" err="2 errors occurred:\n\t* invalid for-each in aws_lambda_function.this[0].dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_lambda_function.this[0].dynamic.logging_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-19T01:03:53Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.definition_upload_lambda.aws_lambda_function.this[0]" err="2 errors occurred:\n\t* invalid for-each in aws_lambda_function.this[0].dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_lambda_function.this[0].dynamic.logging_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-19T01:03:54Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="git::https:/github.com/terraform-aws-modules/terraform-aws-s3-bucket?ref=8a0b697adfbc673e6135c70246cff7f8052ad95a/main.tf:176-198"
2024-11-19T01:03:54Z	INFO	[terraform executor] Ignore finding	rule="aws-ec2-no-public-egress-sgr" range="terraform-aws-modules/security-group/aws/main.tf:533"
2024-11-19T01:03:54Z	INFO	[terraform executor] Ignore finding	rule="aws-ec2-no-public-egress-sgr" range="terraform-aws-modules/security-group/aws/main.tf:534"
2024-11-19T01:03:54Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-enable-bucket-encryption" range="git::https:/github.com/terraform-aws-modules/terraform-aws-s3-bucket?ref=8a0b697adfbc673e6135c70246cff7f8052ad95a/main.tf:176-198"
2024-11-19T01:03:54Z	INFO	Number of language-specific files	num=0
2024-11-19T01:03:54Z	INFO	Detected config files	num=8

git::https:/github.com/terraform-aws-modules/terraform-aws-alb?ref=349540d1a611cd98a6383cc64ef0d9bf08d88fb7/main.tf (terraform)
===============================================================================================================================
Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.


See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
 git::https:/github.com/terraform-aws-modules/terraform-aws-alb?ref=349540d1a611cd98a6383cc64ef0d9bf08d88fb7/main.tf:12-81
   via network-load-balancers.tf:1-37 (module.datasync_activation_nlb)
────────────────────────────────────────
  12 ┌ resource "aws_lb" "this" {
  13 │   count = local.create ? 1 : 0
  14 │ 
  15 │   dynamic "access_logs" {
  16 │     for_each = length(var.access_logs) > 0 ? [var.access_logs] : []
  17 │ 
  18 │     content {
  19 │       bucket  = access_logs.value.bucket
  20 └       enabled = try(access_logs.value.enabled, true)
  ..   
────────────────────────────────────────



git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf (terraform)
===============================================================================================================================
Tests: 4 (SUCCESSES: 0, FAILURES: 4)
Failures: 4 (HIGH: 0, CRITICAL: 4)

AVD-AWS-0102 (CRITICAL): Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.


See https://avd.aquasec.com/misconfig/aws-vpc-no-excessive-port-access
────────────────────────────────────────
 git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:340
   via git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:328-343 (aws_network_acl_rule.private_outbound[0])
    via vpc.tf:1-23 (module.connected_vpc)
────────────────────────────────────────
 328   resource "aws_network_acl_rule" "private_outbound" {
 ...   
 340 [   protocol        = var.private_outbound_acl_rules[count.index]["protocol"]
 ...   
 343   }
────────────────────────────────────────


AVD-AWS-0102 (CRITICAL): Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.


See https://avd.aquasec.com/misconfig/aws-vpc-no-excessive-port-access
────────────────────────────────────────
 git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:323
   via git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:311-326 (aws_network_acl_rule.private_inbound[0])
    via vpc.tf:1-23 (module.connected_vpc)
────────────────────────────────────────
 311   resource "aws_network_acl_rule" "private_inbound" {
 ...   
 323 [   protocol        = var.private_inbound_acl_rules[count.index]["protocol"]
 ...   
 326   }
────────────────────────────────────────


AVD-AWS-0102 (CRITICAL): Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.


See https://avd.aquasec.com/misconfig/aws-vpc-no-excessive-port-access
────────────────────────────────────────
 git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:221
   via git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:209-224 (aws_network_acl_rule.public_outbound[0])
    via vpc.tf:1-23 (module.connected_vpc)
────────────────────────────────────────
 209   resource "aws_network_acl_rule" "public_outbound" {
 ...   
 221 [   protocol        = var.public_outbound_acl_rules[count.index]["protocol"]
 ...   
 224   }
────────────────────────────────────────


AVD-AWS-0102 (CRITICAL): Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.


See https://avd.aquasec.com/misconfig/aws-vpc-no-excessive-port-access
────────────────────────────────────────
 git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:204
   via git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:192-207 (aws_network_acl_rule.public_inbound[0])
    via vpc.tf:1-23 (module.connected_vpc)
────────────────────────────────────────
 192   resource "aws_network_acl_rule" "public_inbound" {
 ...   
 204 [   protocol        = var.public_inbound_acl_rules[count.index]["protocol"]
 ...   
 207   }
────────────────────────────────────────


trivy_exitcode=1

dependabot · 2024-11-28T01:06:53Z

Superseded by #8849.

dependabot bot added the dependencies Pull requests that update a dependency file label Nov 19, 2024

dependabot bot requested a review from a team as a code owner November 19, 2024 01:01

dependabot bot added the terraform Pull requests that update Terraform code label Nov 19, 2024

dependabot bot requested a review from a team as a code owner November 19, 2024 01:01

dependabot bot mentioned this pull request Nov 19, 2024

Bump terraform-aws-modules/lambda/aws from 7.9.0 to 7.14.0 in /terraform/environments/analytical-platform-ingestion #8195

Closed

github-actions bot added the environments-repository Used to exclude PRs from this repo in our Slack PR update label Nov 19, 2024

dependabot bot closed this Nov 28, 2024

dependabot bot deleted the dependabot/terraform/terraform/environments/analytical-platform-ingestion/terraform-aws-modules/lambda/aws-7.15.0 branch November 28, 2024 01:06

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Bump terraform-aws-modules/lambda/aws from 7.9.0 to 7.15.0 in /terraform/environments/analytical-platform-ingestion #8705

Bump terraform-aws-modules/lambda/aws from 7.9.0 to 7.15.0 in /terraform/environments/analytical-platform-ingestion #8705

dependabot bot commented on behalf of github Nov 19, 2024

github-actions bot commented Nov 19, 2024

git::https:/github.com/terraform-aws-modules/terraform-aws-alb?ref=349540d1a611cd98a6383cc64ef0d9bf08d88fb7/main.tf (terraform)

git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf (terraform)

dependabot bot commented on behalf of github Nov 28, 2024

Bump terraform-aws-modules/lambda/aws from 7.9.0 to 7.15.0 in /terraform/environments/analytical-platform-ingestion #8705

Bump terraform-aws-modules/lambda/aws from 7.9.0 to 7.15.0 in /terraform/environments/analytical-platform-ingestion #8705

Conversation

dependabot bot commented on behalf of github Nov 19, 2024

v7.15.0

7.15.0 (2024-11-18)

Features

v7.14.1

7.14.1 (2024-11-17)

Bug Fixes

v7.14.0

7.14.0 (2024-10-11)

Features

Bug Fixes

v7.13.0

7.13.0 (2024-10-05)

Features

v7.12.0

7.12.0 (2024-10-05)

Features

v7.11.0

7.11.0 (2024-10-01)

Features

7.15.0 (2024-11-18)

Features

7.14.1 (2024-11-17)

Bug Fixes

7.14.0 (2024-10-11)

Features

Bug Fixes

7.13.0 (2024-10-05)

Features

7.12.0 (2024-10-05)

Features

7.11.0 (2024-10-01)

Features

7.10.0 (2024-09-29)

github-actions bot commented Nov 19, 2024

Trivy Scan Failed

git::https:/github.com/terraform-aws-modules/terraform-aws-alb?ref=349540d1a611cd98a6383cc64ef0d9bf08d88fb7/main.tf (terraform)

git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf (terraform)

CTFLint Scan Success

Trivy Scan Failed

dependabot bot commented on behalf of github Nov 28, 2024

`Trivy Scan` Failed

`CTFLint Scan` Success

`Trivy Scan` Failed