Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Oasys: INC2742748: ip allow list update #8747

Merged
merged 6 commits into from
Nov 22, 2024
Merged

Oasys: INC2742748: ip allow list update #8747

merged 6 commits into from
Nov 22, 2024

Conversation

drobinson-moj
Copy link
Contributor

@drobinson-moj drobinson-moj commented Nov 22, 2024
edited
Loading

Tidy up of Oasys ip allow list rules including naming fix for azure landing zone IPs:

  • digital_prisons IPs are actually azure landing zone IPs, corrected names
  • included azure landing zones in trusted_moj_digital_staff_public
  • remove CP internal IPs from the public allow listing as they aren't needed
  • added additional IPs for serco
  • removed duplicate IPs
  • set preprod http_external to same as prod to ensure we can test it properly

Checked the plan and looks fine, but will deploy to preprod first just in case we hit a maximum number of rules limit

@drobinson-moj drobinson-moj requested review from a team as code owners November 22, 2024 09:34
@github-actions github-actions bot added the environments-repository Used to exclude PRs from this repo in our Slack PR update label Nov 22, 2024
@github-actions GitHub Actions
Copy link
Contributor

Trivy Scan Success

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/delius-jitbit
terraform/environments/oasys
terraform/modules/ip_addresses

Running Trivy in terraform/environments/delius-jitbit
2024-11-22T09:37:06Z INFO [vulndb] Need to update DB
2024-11-22T09:37:06Z INFO [vulndb] Downloading vulnerability DB...
2024-11-22T09:37:06Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-11-22T09:37:08Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-11-22T09:37:08Z INFO [vuln] Vulnerability scanning is enabled
2024-11-22T09:37:08Z INFO [misconfig] Misconfiguration scanning is enabled
2024-11-22T09:37:08Z INFO [misconfig] Need to update the built-in checks
2024-11-22T09:37:08Z INFO [misconfig] Downloading the built-in checks...
160.25 KiB / 160.25 KiB [------------------------------------------------------] 100.00% ? p/s 100ms2024-11-22T09:37:08Z INFO [secret] Secret scanning is enabled
2024-11-22T09:37:08Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-11-22T09:37:08Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-11-22T09:37:09Z INFO [terraform scanner] Scanning root module file_path="."
2024-11-22T09:37:09Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2024-11-22T09:37:09Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_vpc_security_group_egress_rule.load_balancer_egress_rule" value="cty.NilVal"
2024-11-22T09:37:09Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_vpc_security_group_ingress_rule.load_balancer_ingress_rule" value="cty.NilVal"
2024-11-22T09:37:10Z ERROR [terraform evaluator] Failed to load module. Maybe try 'terraform init'? err="open cluster: no such file or directory"
2024-11-22T09:37:11Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2024-11-22T09:37:11Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2024-11-22T09:37:11Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-22T09:37:11Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-22T09:37:11Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.shield.aws_wafv2_web_acl_association.this" value="cty.NilVal"
2024-11-22T09:37:13Z INFO [terraform executor] Ignore finding rule="aws-ssm-secret-use-customer-key" range="secrets.tf:5-15"
2024-11-22T09:37:13Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0/main.tf:157-165"
2024-11-22T09:37:13Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0/main.tf:157-165"
2024-11-22T09:37:13Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2024-11-22T09:37:13Z INFO [terraform executor] Ignore finding rule="aws-iam-no-user-attached-policies" range="iam.tf:150-156"
2024-11-22T09:37:13Z INFO [terraform executor] Ignore finding rule="aws-elb-alb-not-public" range="lb.tf:14"
2024-11-22T09:37:13Z INFO Number of language-specific files num=0
2024-11-22T09:37:13Z INFO Detected config files num=14
trivy_exitcode=0

Running Trivy in terraform/environments/oasys
2024-11-22T09:37:13Z INFO [vuln] Vulnerability scanning is enabled
2024-11-22T09:37:13Z INFO [misconfig] Misconfiguration scanning is enabled
2024-11-22T09:37:13Z INFO [secret] Secret scanning is enabled
2024-11-22T09:37:13Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-11-22T09:37:13Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-11-22T09:37:14Z INFO [terraform scanner] Scanning root module file_path="."
2024-11-22T09:37:14Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2024-11-22T09:37:14Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.aws_backup_plan.this" value="cty.NilVal"
2024-11-22T09:37:14Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.aws_backup_selection.this" value="cty.NilVal"
2024-11-22T09:37:14Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.aws_cloudwatch_log_group.route53" value="cty.NilVal"
2024-11-22T09:37:14Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.aws_cloudwatch_log_group.this" value="cty.NilVal"
2024-11-22T09:37:14Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.aws_cloudwatch_log_metric_filter.this" value="cty.NilVal"
2024-11-22T09:37:14Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.aws_cloudwatch_metric_alarm.this" value="cty.NilVal"
2024-11-22T09:37:14Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.aws_iam_policy.this" value="cty.NilVal"
2024-11-22T09:37:14Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.aws_iam_role.this" value="cty.NilVal"
2024-11-22T09:37:14Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.aws_iam_role_policy_attachment.this" value="cty.NilVal"
2024-11-22T09:37:14Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.aws_iam_service_linked_role.this" value="cty.NilVal"
2024-11-22T09:37:14Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.aws_key_pair.this" value="cty.NilVal"
2024-11-22T09:37:14Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.aws_kms_grant.this" value="cty.NilVal"
2024-11-22T09:37:14Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.aws_lb_target_group.instance" value="cty.NilVal"
2024-11-22T09:37:14Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.aws_lb_target_group_attachment.instance" value="cty.NilVal"
2024-11-22T09:37:14Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.aws_oam_link.this" value="cty.NilVal"
2024-11-22T09:37:14Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.aws_oam_sink.this" value="cty.NilVal"
2024-11-22T09:37:14Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.aws_oam_sink_policy.monitoring_account_oam_sink_policy" value="cty.NilVal"
2024-11-22T09:37:14Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.aws_route53_query_log.this" value="cty.NilVal"
2024-11-22T09:37:14Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.aws_route53_record.core_network_services" value="cty.NilVal"
2024-11-22T09:37:14Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.aws_route53_record.core_vpc" value="cty.NilVal"
2024-11-22T09:37:14Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.aws_route53_record.self" value="cty.NilVal"
2024-11-22T09:37:14Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.aws_route53_resolver_endpoint.this" value="cty.NilVal"
2024-11-22T09:37:14Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.aws_route53_resolver_rule.this" value="cty.NilVal"
2024-11-22T09:37:14Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.aws_route53_resolver_rule_association.this" value="cty.NilVal"
2024-11-22T09:37:14Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.aws_route53_zone.this" value="cty.NilVal"
2024-11-22T09:37:14Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.aws_secretsmanager_secret.this" value="cty.NilVal"
2024-11-22T09:37:14Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.aws_secretsmanager_secret_version.fixed" value="cty.NilVal"
2024-11-22T09:37:14Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.aws_security_group.this" value="cty.NilVal"
2024-11-22T09:37:14Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.aws_security_group_rule.route53_resolver" value="cty.NilVal"
2024-11-22T09:37:14Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.aws_security_group_rule.this" value="cty.NilVal"
2024-11-22T09:37:14Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.aws_sns_topic.this" value="cty.NilVal"
2024-11-22T09:37:14Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.aws_sns_topic_subscription.this" value="cty.NilVal"
2024-11-22T09:37:14Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.aws_ssm_association.this" value="cty.NilVal"
2024-11-22T09:37:14Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.aws_ssm_document.this" value="cty.NilVal"
2024-11-22T09:37:14Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.aws_ssm_parameter.fixed" value="cty.NilVal"
2024-11-22T09:37:14Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.aws_ssm_parameter.placeholder" value="cty.NilVal"
2024-11-22T09:37:14Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.data.aws_iam_policy_document.assume_role" value="cty.NilVal"
2024-11-22T09:37:14Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.data.aws_iam_policy_document.secretsmanager_secret_policy" value="cty.NilVal"
2024-11-22T09:37:14Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.data.aws_iam_policy_document.this" value="cty.NilVal"
2024-11-22T09:37:14Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.module.acm_certificate" value="cty.NilVal"
2024-11-22T09:37:14Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.module.cloudwatch_dashboard" value="cty.NilVal"
2024-11-22T09:37:14Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.module.ec2_autoscaling_group" value="cty.NilVal"
2024-11-22T09:37:14Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.module.ec2_instance" value="cty.NilVal"
2024-11-22T09:37:14Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.module.efs" value="cty.NilVal"
2024-11-22T09:37:14Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.module.fsx_windows" value="cty.NilVal"
2024-11-22T09:37:14Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.module.lb" value="cty.NilVal"
2024-11-22T09:37:14Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.module.lb_listener" value="cty.NilVal"
2024-11-22T09:37:14Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.module.s3_bucket" value="cty.NilVal"
2024-11-22T09:37:14Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.random_password.secrets" value="cty.NilVal"
2024-11-22T09:37:14Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.random_password.this" value="cty.NilVal"
2024-11-22T09:37:14Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.module.bastion_linux[0].aws_s3_object.user_public_keys" value="cty.NilVal"
2024-11-22T09:37:14Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.module.bastion_linux[0].data.aws_subnet.local_account" value="cty.NilVal"
2024-11-22T09:37:14Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.baseline.module.bastion_linux[0].aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-22T09:37:14Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.baseline.module.bastion_linux[0].aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-22T09:37:15Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.baseline.module.bastion_linux[0].module.s3-bucket.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-22T09:37:15Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.baseline.module.bastion_linux[0].module.s3-bucket.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-22T09:37:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.environment.data.aws_route53_zone.core_network_services" value="cty.NilVal"
2024-11-22T09:37:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.environment.data.aws_route53_zone.core_vpc" value="cty.NilVal"
2024-11-22T09:37:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.environment.data.aws_subnet.this" value="cty.NilVal"
2024-11-22T09:37:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.environment.data.aws_subnets.this" value="cty.NilVal"
2024-11-22T09:37:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.module.bastion_linux[0].aws_s3_object.user_public_keys" value="cty.NilVal"
2024-11-22T09:37:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.module.bastion_linux[0].data.aws_subnet.local_account" value="cty.NilVal"
2024-11-22T09:37:15Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.baseline.module.bastion_linux[0].aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-22T09:37:15Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.baseline.module.bastion_linux[0].aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-22T09:37:15Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.baseline.module.bastion_linux[0].module.s3-bucket.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-22T09:37:15Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.baseline.module.bastion_linux[0].module.s3-bucket.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-22T09:37:17Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=836db079348a2b40d59bd9cb953111e8ad61aec1/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=7b2b75c178f855d8c48d3bda4ac53df782288c02/main.tf:141-151"
2024-11-22T09:37:17Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v8.1.0/main.tf:150-160"
2024-11-22T09:37:17Z INFO Number of language-specific files num=0
2024-11-22T09:37:17Z INFO Detected config files num=3
trivy_exitcode=0

Running Trivy in terraform/modules/ip_addresses
2024-11-22T09:37:17Z INFO [vuln] Vulnerability scanning is enabled
2024-11-22T09:37:17Z INFO [misconfig] Misconfiguration scanning is enabled
2024-11-22T09:37:17Z INFO [secret] Secret scanning is enabled
2024-11-22T09:37:17Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-11-22T09:37:17Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-11-22T09:37:18Z INFO [terraform scanner] Scanning root module file_path="."
2024-11-22T09:37:18Z INFO Number of language-specific files num=0
2024-11-22T09:37:18Z INFO Detected config files num=1
trivy_exitcode=0

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/delius-jitbit
terraform/environments/oasys
terraform/modules/ip_addresses

*****************************

Running Checkov in terraform/environments/delius-jitbit
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-11-22 09:37:21,373 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//cluster?ref=v2.0.1:None (for external modules, the --download-external-modules flag is required)
2024-11-22 09:37:21,373 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0:None (for external modules, the --download-external-modules flag is required)
2024-11-22 09:37:21,374 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0:None (for external modules, the --download-external-modules flag is required)
2024-11-22 09:37:21,374 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0:None (for external modules, the --download-external-modules flag is required)
2024-11-22 09:37:21,374 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 322, Failed checks: 69, Skipped checks: 20

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: bastion_linux
	File: /bastion_linux.tf:6-41
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		6  | module "bastion_linux" {
		7  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1"
		8  | 
		9  |   providers = {
		10 |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		11 |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		12 |   }
		13 | 
		14 |   # s3 - used for logs and user ssh public keys
		15 |   bucket_name = "bastion"
		16 |   # public keys
		17 |   public_key_data = local.public_key_data.keys[local.environment]
		18 |   # logs
		19 |   log_auto_clean       = "Enabled"
		20 |   log_standard_ia_days = 30  # days before moving to IA storage
		21 |   log_glacier_days     = 60  # days before moving to Glacier
		22 |   log_expiry_days      = 180 # days before log expiration
		23 |   # bastion
		24 |   allow_ssh_commands = false
		25 | 
		26 |   app_name      = var.networking[0].application
		27 |   business_unit = local.vpc_name
		28 |   subnet_set    = local.subnet_set
		29 |   environment   = local.environment
		30 |   region        = "eu-west-2"
		31 | 
		32 |   # custom scaling schedule
		33 |   autoscaling_cron = {
		34 |     "down" : "0 21 * * *",
		35 |     "up" : "0 05 * * *"
		36 |   }
		37 | 
		38 |   # Tags
		39 |   tags_common = local.tags
		40 |   tags_prefix = terraform.workspace
		41 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: ecs
	File: /ecs.tf:1-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		1 | module "ecs" {
		2 |   source = "github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//cluster?ref=v2.0.1"
		3 | 
		4 |   environment = local.environment
		5 |   name        = local.application_name
		6 | 
		7 |   tags = local.tags
		8 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3_bucket_app_deployment
	File: /ecs.tf:11-51
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		11 | module "s3_bucket_app_deployment" {
		12 | 
		13 |   source = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0"
		14 | 
		15 |   providers = {
		16 |     aws.bucket-replication = aws
		17 |   }
		18 |   bucket_name        = "${local.application_name}-${local.environment}-deployment"
		19 |   versioning_enabled = true
		20 | 
		21 |   ownership_controls = "BucketOwnerEnforced"
		22 | 
		23 |   lifecycle_rule = [
		24 |     {
		25 |       id      = "main"
		26 |       enabled = "Enabled"
		27 |       prefix  = ""
		28 | 
		29 |       tags = {
		30 |         rule      = "log"
		31 |         autoclean = "true"
		32 |       }
		33 | 
		34 |       noncurrent_version_transition = [
		35 |         {
		36 |           days          = 90
		37 |           storage_class = "STANDARD_IA"
		38 |           }, {
		39 |           days          = 365
		40 |           storage_class = "GLACIER"
		41 |         }
		42 |       ]
		43 | 
		44 |       noncurrent_version_expiration = {
		45 |         days = 730
		46 |       }
		47 |     }
		48 |   ]
		49 | 
		50 |   tags = local.tags
		51 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.jitbit
	File: /ecs.tf:84-87
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		84 | resource "aws_cloudwatch_log_group" "jitbit" {
		85 |   name              = format("%s-ecs", local.application_name)
		86 |   retention_in_days = 30
		87 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.jitbit
	File: /ecs.tf:84-87
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		84 | resource "aws_cloudwatch_log_group" "jitbit" {
		85 |   name              = format("%s-ecs", local.application_name)
		86 |   retention_in_days = 30
		87 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.ecs_service_policy
	File: /iam.tf:37-52
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		37 | data "aws_iam_policy_document" "ecs_service_policy" {
		38 |   statement {
		39 |     effect    = "Allow"
		40 |     resources = ["*"]
		41 | 
		42 |     actions = [
		43 |       "elasticloadbalancing:Describe*",
		44 |       "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
		45 |       "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
		46 |       "ec2:Describe*",
		47 |       "ec2:AuthorizeSecurityGroupIngress",
		48 |       "elasticloadbalancing:RegisterTargets",
		49 |       "elasticloadbalancing:DeregisterTargets"
		50 |     ]
		51 |   }
		52 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.ecs_service_policy
	File: /iam.tf:37-52
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		37 | data "aws_iam_policy_document" "ecs_service_policy" {
		38 |   statement {
		39 |     effect    = "Allow"
		40 |     resources = ["*"]
		41 | 
		42 |     actions = [
		43 |       "elasticloadbalancing:Describe*",
		44 |       "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
		45 |       "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
		46 |       "ec2:Describe*",
		47 |       "ec2:AuthorizeSecurityGroupIngress",
		48 |       "elasticloadbalancing:RegisterTargets",
		49 |       "elasticloadbalancing:DeregisterTargets"
		50 |     ]
		51 |   }
		52 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.ecs_exec
	File: /iam.tf:98-114
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		98  | data "aws_iam_policy_document" "ecs_exec" {
		99  |   statement {
		100 |     effect    = "Allow"
		101 |     resources = ["*"]
		102 | 
		103 |     actions = [
		104 |       "ssm:GetParameters",
		105 |       "ecr:GetAuthorizationToken",
		106 |       "ecr:BatchCheckLayerAvailability",
		107 |       "ecr:GetDownloadUrlForLayer",
		108 |       "ecr:BatchGetImage",
		109 |       "logs:CreateLogGroup",
		110 |       "logs:CreateLogStream",
		111 |       "logs:PutLogEvents"
		112 |     ]
		113 |   }
		114 | }

Check: CKV_AWS_108: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_policy_document.ecs_exec
	File: /iam.tf:98-114
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-data-exfiltration

		98  | data "aws_iam_policy_document" "ecs_exec" {
		99  |   statement {
		100 |     effect    = "Allow"
		101 |     resources = ["*"]
		102 | 
		103 |     actions = [
		104 |       "ssm:GetParameters",
		105 |       "ecr:GetAuthorizationToken",
		106 |       "ecr:BatchCheckLayerAvailability",
		107 |       "ecr:GetDownloadUrlForLayer",
		108 |       "ecr:BatchGetImage",
		109 |       "logs:CreateLogGroup",
		110 |       "logs:CreateLogStream",
		111 |       "logs:PutLogEvents"
		112 |     ]
		113 |   }
		114 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.ecs_exec
	File: /iam.tf:98-114
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		98  | data "aws_iam_policy_document" "ecs_exec" {
		99  |   statement {
		100 |     effect    = "Allow"
		101 |     resources = ["*"]
		102 | 
		103 |     actions = [
		104 |       "ssm:GetParameters",
		105 |       "ecr:GetAuthorizationToken",
		106 |       "ecr:BatchCheckLayerAvailability",
		107 |       "ecr:GetDownloadUrlForLayer",
		108 |       "ecr:BatchGetImage",
		109 |       "logs:CreateLogGroup",
		110 |       "logs:CreateLogStream",
		111 |       "logs:PutLogEvents"
		112 |     ]
		113 |   }
		114 | }

Check: CKV_AWS_378: "Ensure AWS Load Balancer doesn't use HTTP protocol"
	FAILED for resource: aws_lb_target_group.target_group_fargate
	File: /lb.tf:97-127

		97  | resource "aws_lb_target_group" "target_group_fargate" {
		98  |   # checkov:skip=CKV_AWS_261
		99  | 
		100 |   name                 = local.application_name
		101 |   port                 = local.app_port
		102 |   protocol             = "HTTP"
		103 |   vpc_id               = data.aws_vpc.shared.id
		104 |   target_type          = "ip"
		105 |   deregistration_delay = 30
		106 | 
		107 |   stickiness {
		108 |     type = "lb_cookie"
		109 |   }
		110 | 
		111 |   health_check {
		112 |     path                = "/User/Login?ReturnUrl=%2f"
		113 |     healthy_threshold   = "5"
		114 |     interval            = "120"
		115 |     protocol            = "HTTP"
		116 |     unhealthy_threshold = "2"
		117 |     matcher             = "200-499"
		118 |     timeout             = "5"
		119 |   }
		120 | 
		121 |   tags = merge(
		122 |     local.tags,
		123 |     {
		124 |       Name = local.application_name
		125 |     }
		126 |   )
		127 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: pagerduty_core_alerts
	File: /monitoring.tf:37-44
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		37 | module "pagerduty_core_alerts" {
		38 |   depends_on = [
		39 |     aws_sns_topic.jitbit_alerting
		40 |   ]
		41 |   source                    = "github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0"
		42 |   sns_topics                = [aws_sns_topic.jitbit_alerting.name]
		43 |   pagerduty_integration_key = local.pagerduty_integration_key
		44 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.jitbit_alerting
	File: /monitoring.tf:6-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		6 | resource "aws_sns_topic" "jitbit_alerting" {
		7 |   name = "jitbit_alerting"
		8 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.app_logs
	File: /monitoring_app.tf:1-6
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		1 | resource "aws_cloudwatch_log_group" "app_logs" {
		2 |   name              = "delius-jitbit-ecs"
		3 |   retention_in_days = 30
		4 | 
		5 |   tags = local.tags
		6 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.app_logs
	File: /monitoring_app.tf:1-6
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		1 | resource "aws_cloudwatch_log_group" "app_logs" {
		2 |   name              = "delius-jitbit-ecs"
		3 |   retention_in_days = 30
		4 | 
		5 |   tags = local.tags
		6 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: aws_db_instance.jitbit
	File: /rds.tf:43-89
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-354

		43 | resource "aws_db_instance" "jitbit" {
		44 |   engine         = "sqlserver-se"
		45 |   license_model  = "license-included"
		46 |   engine_version = local.application_data.accounts[local.environment].db_engine_version
		47 |   instance_class = local.application_data.accounts[local.environment].db_instance_class
		48 |   identifier     = "${local.application_name}-${local.environment}-database"
		49 |   username       = local.application_data.accounts[local.environment].db_user
		50 | 
		51 |   apply_immediately = false
		52 | 
		53 |   manage_master_user_password = true
		54 | 
		55 |   snapshot_identifier = try(local.application_data.accounts[local.environment].db_snapshot_identifier, null)
		56 | 
		57 |   # tflint-ignore: aws_db_instance_default_parameter_group
		58 |   parameter_group_name        = "default.sqlserver-se-15.0"
		59 |   ca_cert_identifier          = local.application_data.accounts[local.environment].db_ca_cert_identifier
		60 |   deletion_protection         = local.application_data.accounts[local.environment].db_deletion_protection
		61 |   delete_automated_backups    = local.application_data.accounts[local.environment].db_delete_automated_backups
		62 |   skip_final_snapshot         = local.skip_final_snapshot
		63 |   final_snapshot_identifier   = !local.skip_final_snapshot ? "${local.application_name}-${local.environment}-database-final-snapshot" : null
		64 |   allocated_storage           = local.application_data.accounts[local.environment].db_allocated_storage
		65 |   max_allocated_storage       = local.application_data.accounts[local.environment].db_max_allocated_storage
		66 |   storage_type                = local.application_data.accounts[local.environment].db_storage_type
		67 |   maintenance_window          = local.application_data.accounts[local.environment].db_maintenance_window
		68 |   auto_minor_version_upgrade  = local.application_data.accounts[local.environment].db_auto_minor_version_upgrade
		69 |   allow_major_version_upgrade = local.application_data.accounts[local.environment].db_allow_major_version_upgrade
		70 |   backup_window               = local.application_data.accounts[local.environment].db_backup_window
		71 |   backup_retention_period     = local.application_data.accounts[local.environment].db_retention_period
		72 |   #checkov:skip=CKV_AWS_133: "backup_retention enabled, can be edited it application_variables.json"
		73 |   iam_database_authentication_enabled = local.application_data.accounts[local.environment].db_iam_database_authentication_enabled
		74 |   #checkov:skip=CKV_AWS_161: "iam auth enabled, but optional"
		75 |   db_subnet_group_name   = aws_db_subnet_group.jitbit.id
		76 |   vpc_security_group_ids = [aws_security_group.database_security_group.id]
		77 |   multi_az               = local.application_data.accounts[local.environment].db_multi_az
		78 |   #checkov:skip=CKV_AWS_157: "multi-az enabled, but optional"
		79 |   monitoring_interval = local.application_data.accounts[local.environment].db_monitoring_interval
		80 |   monitoring_role_arn = local.application_data.accounts[local.environment].db_monitoring_interval == 0 ? "" : aws_iam_role.rds_enhanced_monitoring[0].arn
		81 |   #checkov:skip=CKV_AWS_118: "enhanced monitoring is enabled, but optional"
		82 |   storage_encrypted               = true
		83 |   performance_insights_enabled    = local.application_data.accounts[local.environment].db_performance_insights_enabled
		84 |   performance_insights_kms_key_id = "" #tfsec:ignore:aws-rds-enable-performance-insights-encryption Left empty so that it will run, however should be populated with real key in scenario.
		85 |   enabled_cloudwatch_logs_exports = local.application_data.accounts[local.environment].db_enabled_cloudwatch_logs_exports
		86 |   tags = merge(local.tags,
		87 |     { Name = lower(format("%s-%s-database", local.application_name, local.environment)) }
		88 |   )
		89 | }

Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
	FAILED for resource: aws_db_instance.jitbit
	File: /rds.tf:43-89
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-353

		43 | resource "aws_db_instance" "jitbit" {
		44 |   engine         = "sqlserver-se"
		45 |   license_model  = "license-included"
		46 |   engine_version = local.application_data.accounts[local.environment].db_engine_version
		47 |   instance_class = local.application_data.accounts[local.environment].db_instance_class
		48 |   identifier     = "${local.application_name}-${local.environment}-database"
		49 |   username       = local.application_data.accounts[local.environment].db_user
		50 | 
		51 |   apply_immediately = false
		52 | 
		53 |   manage_master_user_password = true
		54 | 
		55 |   snapshot_identifier = try(local.application_data.accounts[local.environment].db_snapshot_identifier, null)
		56 | 
		57 |   # tflint-ignore: aws_db_instance_default_parameter_group
		58 |   parameter_group_name        = "default.sqlserver-se-15.0"
		59 |   ca_cert_identifier          = local.application_data.accounts[local.environment].db_ca_cert_identifier
		60 |   deletion_protection         = local.application_data.accounts[local.environment].db_deletion_protection
		61 |   delete_automated_backups    = local.application_data.accounts[local.environment].db_delete_automated_backups
		62 |   skip_final_snapshot         = local.skip_final_snapshot
		63 |   final_snapshot_identifier   = !local.skip_final_snapshot ? "${local.application_name}-${local.environment}-database-final-snapshot" : null
		64 |   allocated_storage           = local.application_data.accounts[local.environment].db_allocated_storage
		65 |   max_allocated_storage       = local.application_data.accounts[local.environment].db_max_allocated_storage
		66 |   storage_type                = local.application_data.accounts[local.environment].db_storage_type
		67 |   maintenance_window          = local.application_data.accounts[local.environment].db_maintenance_window
		68 |   auto_minor_version_upgrade  = local.application_data.accounts[local.environment].db_auto_minor_version_upgrade
		69 |   allow_major_version_upgrade = local.application_data.accounts[local.environment].db_allow_major_version_upgrade
		70 |   backup_window               = local.application_data.accounts[local.environment].db_backup_window
		71 |   backup_retention_period     = local.application_data.accounts[local.environment].db_retention_period
		72 |   #checkov:skip=CKV_AWS_133: "backup_retention enabled, can be edited it application_variables.json"
		73 |   iam_database_authentication_enabled = local.application_data.accounts[local.environment].db_iam_database_authentication_enabled
		74 |   #checkov:skip=CKV_AWS_161: "iam auth enabled, but optional"
		75 |   db_subnet_group_name   = aws_db_subnet_group.jitbit.id
		76 |   vpc_security_group_ids = [aws_security_group.database_security_group.id]
		77 |   multi_az               = local.application_data.accounts[local.environment].db_multi_az
		78 |   #checkov:skip=CKV_AWS_157: "multi-az enabled, but optional"
		79 |   monitoring_interval = local.application_data.accounts[local.environment].db_monitoring_interval
		80 |   monitoring_role_arn = local.application_data.accounts[local.environment].db_monitoring_interval == 0 ? "" : aws_iam_role.rds_enhanced_monitoring[0].arn
		81 |   #checkov:skip=CKV_AWS_118: "enhanced monitoring is enabled, but optional"
		82 |   storage_encrypted               = true
		83 |   performance_insights_enabled    = local.application_data.accounts[local.environment].db_performance_insights_enabled
		84 |   performance_insights_kms_key_id = "" #tfsec:ignore:aws-rds-enable-performance-insights-encryption Left empty so that it will run, however should be populated with real key in scenario.
		85 |   enabled_cloudwatch_logs_exports = local.application_data.accounts[local.environment].db_enabled_cloudwatch_logs_exports
		86 |   tags = merge(local.tags,
		87 |     { Name = lower(format("%s-%s-database", local.application_name, local.environment)) }
		88 |   )
		89 | }

Check: CKV_AWS_226: "Ensure DB instance gets all minor upgrades automatically"
	FAILED for resource: aws_db_instance.jitbit
	File: /rds.tf:43-89
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-db-instance-gets-all-minor-upgrades-automatically

		43 | resource "aws_db_instance" "jitbit" {
		44 |   engine         = "sqlserver-se"
		45 |   license_model  = "license-included"
		46 |   engine_version = local.application_data.accounts[local.environment].db_engine_version
		47 |   instance_class = local.application_data.accounts[local.environment].db_instance_class
		48 |   identifier     = "${local.application_name}-${local.environment}-database"
		49 |   username       = local.application_data.accounts[local.environment].db_user
		50 | 
		51 |   apply_immediately = false
		52 | 
		53 |   manage_master_user_password = true
		54 | 
		55 |   snapshot_identifier = try(local.application_data.accounts[local.environment].db_snapshot_identifier, null)
		56 | 
		57 |   # tflint-ignore: aws_db_instance_default_parameter_group
		58 |   parameter_group_name        = "default.sqlserver-se-15.0"
		59 |   ca_cert_identifier          = local.application_data.accounts[local.environment].db_ca_cert_identifier
		60 |   deletion_protection         = local.application_data.accounts[local.environment].db_deletion_protection
		61 |   delete_automated_backups    = local.application_data.accounts[local.environment].db_delete_automated_backups
		62 |   skip_final_snapshot         = local.skip_final_snapshot
		63 |   final_snapshot_identifier   = !local.skip_final_snapshot ? "${local.application_name}-${local.environment}-database-final-snapshot" : null
		64 |   allocated_storage           = local.application_data.accounts[local.environment].db_allocated_storage
		65 |   max_allocated_storage       = local.application_data.accounts[local.environment].db_max_allocated_storage
		66 |   storage_type                = local.application_data.accounts[local.environment].db_storage_type
		67 |   maintenance_window          = local.application_data.accounts[local.environment].db_maintenance_window
		68 |   auto_minor_version_upgrade  = local.application_data.accounts[local.environment].db_auto_minor_version_upgrade
		69 |   allow_major_version_upgrade = local.application_data.accounts[local.environment].db_allow_major_version_upgrade
		70 |   backup_window               = local.application_data.accounts[local.environment].db_backup_window
		71 |   backup_retention_period     = local.application_data.accounts[local.environment].db_retention_period
		72 |   #checkov:skip=CKV_AWS_133: "backup_retention enabled, can be edited it application_variables.json"
		73 |   iam_database_authentication_enabled = local.application_data.accounts[local.environment].db_iam_database_authentication_enabled
		74 |   #checkov:skip=CKV_AWS_161: "iam auth enabled, but optional"
		75 |   db_subnet_group_name   = aws_db_subnet_group.jitbit.id
		76 |   vpc_security_group_ids = [aws_security_group.database_security_group.id]
		77 |   multi_az               = local.application_data.accounts[local.environment].db_multi_az
		78 |   #checkov:skip=CKV_AWS_157: "multi-az enabled, but optional"
		79 |   monitoring_interval = local.application_data.accounts[local.environment].db_monitoring_interval
		80 |   monitoring_role_arn = local.application_data.accounts[local.environment].db_monitoring_interval == 0 ? "" : aws_iam_role.rds_enhanced_monitoring[0].arn
		81 |   #checkov:skip=CKV_AWS_118: "enhanced monitoring is enabled, but optional"
		82 |   storage_encrypted               = true
		83 |   performance_insights_enabled    = local.application_data.accounts[local.environment].db_performance_insights_enabled
		84 |   performance_insights_kms_key_id = "" #tfsec:ignore:aws-rds-enable-performance-insights-encryption Left empty so that it will run, however should be populated with real key in scenario.
		85 |   enabled_cloudwatch_logs_exports = local.application_data.accounts[local.environment].db_enabled_cloudwatch_logs_exports
		86 |   tags = merge(local.tags,
		87 |     { Name = lower(format("%s-%s-database", local.application_name, local.environment)) }
		88 |   )
		89 | }

Check: CKV_AWS_211: "Ensure RDS uses a modern CaCert"
	FAILED for resource: aws_db_instance.jitbit
	File: /rds.tf:43-89
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-rds-uses-a-modern-cacert

		43 | resource "aws_db_instance" "jitbit" {
		44 |   engine         = "sqlserver-se"
		45 |   license_model  = "license-included"
		46 |   engine_version = local.application_data.accounts[local.environment].db_engine_version
		47 |   instance_class = local.application_data.accounts[local.environment].db_instance_class
		48 |   identifier     = "${local.application_name}-${local.environment}-database"
		49 |   username       = local.application_data.accounts[local.environment].db_user
		50 | 
		51 |   apply_immediately = false
		52 | 
		53 |   manage_master_user_password = true
		54 | 
		55 |   snapshot_identifier = try(local.application_data.accounts[local.environment].db_snapshot_identifier, null)
		56 | 
		57 |   # tflint-ignore: aws_db_instance_default_parameter_group
		58 |   parameter_group_name        = "default.sqlserver-se-15.0"
		59 |   ca_cert_identifier          = local.application_data.accounts[local.environment].db_ca_cert_identifier
		60 |   deletion_protection         = local.application_data.accounts[local.environment].db_deletion_protection
		61 |   delete_automated_backups    = local.application_data.accounts[local.environment].db_delete_automated_backups
		62 |   skip_final_snapshot         = local.skip_final_snapshot
		63 |   final_snapshot_identifier   = !local.skip_final_snapshot ? "${local.application_name}-${local.environment}-database-final-snapshot" : null
		64 |   allocated_storage           = local.application_data.accounts[local.environment].db_allocated_storage
		65 |   max_allocated_storage       = local.application_data.accounts[local.environment].db_max_allocated_storage
		66 |   storage_type                = local.application_data.accounts[local.environment].db_storage_type
		67 |   maintenance_window          = local.application_data.accounts[local.environment].db_maintenance_window
		68 |   auto_minor_version_upgrade  = local.application_data.accounts[local.environment].db_auto_minor_version_upgrade
		69 |   allow_major_version_upgrade = local.application_data.accounts[local.environment].db_allow_major_version_upgrade
		70 |   backup_window               = local.application_data.accounts[local.environment].db_backup_window
		71 |   backup_retention_period     = local.application_data.accounts[local.environment].db_retention_period
		72 |   #checkov:skip=CKV_AWS_133: "backup_retention enabled, can be edited it application_variables.json"
		73 |   iam_database_authentication_enabled = local.application_data.accounts[local.environment].db_iam_database_authentication_enabled
		74 |   #checkov:skip=CKV_AWS_161: "iam auth enabled, but optional"
		75 |   db_subnet_group_name   = aws_db_subnet_group.jitbit.id
		76 |   vpc_security_group_ids = [aws_security_group.database_security_group.id]
		77 |   multi_az               = local.application_data.accounts[local.environment].db_multi_az
		78 |   #checkov:skip=CKV_AWS_157: "multi-az enabled, but optional"
		79 |   monitoring_interval = local.application_data.accounts[local.environment].db_monitoring_interval
		80 |   monitoring_role_arn = local.application_data.accounts[local.environment].db_monitoring_interval == 0 ? "" : aws_iam_role.rds_enhanced_monitoring[0].arn
		81 |   #checkov:skip=CKV_AWS_118: "enhanced monitoring is enabled, but optional"
		82 |   storage_encrypted               = true
		83 |   performance_insights_enabled    = local.application_data.accounts[local.environment].db_performance_insights_enabled
		84 |   performance_insights_kms_key_id = "" #tfsec:ignore:aws-rds-enable-performance-insights-encryption Left empty so that it will run, however should be populated with real key in scenario.
		85 |   enabled_cloudwatch_logs_exports = local.application_data.accounts[local.environment].db_enabled_cloudwatch_logs_exports
		86 |   tags = merge(local.tags,
		87 |     { Name = lower(format("%s-%s-database", local.application_name, local.environment)) }
		88 |   )
		89 | }

Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
	FAILED for resource: aws_db_instance.jitbit
	File: /rds.tf:43-89
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-293

		43 | resource "aws_db_instance" "jitbit" {
		44 |   engine         = "sqlserver-se"
		45 |   license_model  = "license-included"
		46 |   engine_version = local.application_data.accounts[local.environment].db_engine_version
		47 |   instance_class = local.application_data.accounts[local.environment].db_instance_class
		48 |   identifier     = "${local.application_name}-${local.environment}-database"
		49 |   username       = local.application_data.accounts[local.environment].db_user
		50 | 
		51 |   apply_immediately = false
		52 | 
		53 |   manage_master_user_password = true
		54 | 
		55 |   snapshot_identifier = try(local.application_data.accounts[local.environment].db_snapshot_identifier, null)
		56 | 
		57 |   # tflint-ignore: aws_db_instance_default_parameter_group
		58 |   parameter_group_name        = "default.sqlserver-se-15.0"
		59 |   ca_cert_identifier          = local.application_data.accounts[local.environment].db_ca_cert_identifier
		60 |   deletion_protection         = local.application_data.accounts[local.environment].db_deletion_protection
		61 |   delete_automated_backups    = local.application_data.accounts[local.environment].db_delete_automated_backups
		62 |   skip_final_snapshot         = local.skip_final_snapshot
		63 |   final_snapshot_identifier   = !local.skip_final_snapshot ? "${local.application_name}-${local.environment}-database-final-snapshot" : null
		64 |   allocated_storage           = local.application_data.accounts[local.environment].db_allocated_storage
		65 |   max_allocated_storage       = local.application_data.accounts[local.environment].db_max_allocated_storage
		66 |   storage_type                = local.application_data.accounts[local.environment].db_storage_type
		67 |   maintenance_window          = local.application_data.accounts[local.environment].db_maintenance_window
		68 |   auto_minor_version_upgrade  = local.application_data.accounts[local.environment].db_auto_minor_version_upgrade
		69 |   allow_major_version_upgrade = local.application_data.accounts[local.environment].db_allow_major_version_upgrade
		70 |   backup_window               = local.application_data.accounts[local.environment].db_backup_window
		71 |   backup_retention_period     = local.application_data.accounts[local.environment].db_retention_period
		72 |   #checkov:skip=CKV_AWS_133: "backup_retention enabled, can be edited it application_variables.json"
		73 |   iam_database_authentication_enabled = local.application_data.accounts[local.environment].db_iam_database_authentication_enabled
		74 |   #checkov:skip=CKV_AWS_161: "iam auth enabled, but optional"
		75 |   db_subnet_group_name   = aws_db_subnet_group.jitbit.id
		76 |   vpc_security_group_ids = [aws_security_group.database_security_group.id]
		77 |   multi_az               = local.application_data.accounts[local.environment].db_multi_az
		78 |   #checkov:skip=CKV_AWS_157: "multi-az enabled, but optional"
		79 |   monitoring_interval = local.application_data.accounts[local.environment].db_monitoring_interval
		80 |   monitoring_role_arn = local.application_data.accounts[local.environment].db_monitoring_interval == 0 ? "" : aws_iam_role.rds_enhanced_monitoring[0].arn
		81 |   #checkov:skip=CKV_AWS_118: "enhanced monitoring is enabled, but optional"
		82 |   storage_encrypted               = true
		83 |   performance_insights_enabled    = local.application_data.accounts[local.environment].db_performance_insights_enabled
		84 |   performance_insights_kms_key_id = "" #tfsec:ignore:aws-rds-enable-performance-insights-encryption Left empty so that it will run, however should be populated with real key in scenario.
		85 |   enabled_cloudwatch_logs_exports = local.application_data.accounts[local.environment].db_enabled_cloudwatch_logs_exports
		86 |   tags = merge(local.tags,
		87 |     { Name = lower(format("%s-%s-database", local.application_name, local.environment)) }
		88 |   )
		89 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: jitbit_bucket
	File: /s3.tf:1-84
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: ecs_sandbox
	File: /sandbox_ecs.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		1  | module "ecs_sandbox" {
		2  |   count = local.is-development ? 1 : 0
		3  | 
		4  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//cluster?ref=v2.0.1"
		5  | 
		6  |   environment = local.environment
		7  |   name        = "${local.application_name}-sandbox"
		8  | 
		9  |   tags = local.tags
		10 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3_bucket_app_deployment_sandbox
	File: /sandbox_ecs.tf:12-53
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		12 | module "s3_bucket_app_deployment_sandbox" {
		13 |   count = local.is-development ? 1 : 0
		14 | 
		15 |   source = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0"
		16 | 
		17 |   providers = {
		18 |     aws.bucket-replication = aws
		19 |   }
		20 |   bucket_name        = "${local.application_name}-sandbox-deployment"
		21 |   versioning_enabled = true
		22 | 
		23 |   ownership_controls = "BucketOwnerEnforced"
		24 | 
		25 |   lifecycle_rule = [
		26 |     {
		27 |       id      = "main"
		28 |       enabled = "Enabled"
		29 |       prefix  = ""
		30 | 
		31 |       tags = {
		32 |         rule      = "log"
		33 |         autoclean = "true"
		34 |       }
		35 | 
		36 |       noncurrent_version_transition = [
		37 |         {
		38 |           days          = 90
		39 |           storage_class = "STANDARD_IA"
		40 |           }, {
		41 |           days          = 365
		42 |           storage_class = "GLACIER"
		43 |         }
		44 |       ]
		45 | 
		46 |       noncurrent_version_expiration = {
		47 |         days = 730
		48 |       }
		49 |     }
		50 |   ]
		51 | 
		52 |   tags = local.tags
		53 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.jitbit_sandbox
	File: /sandbox_ecs.tf:92-97
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		92 | resource "aws_cloudwatch_log_group" "jitbit_sandbox" {
		93 |   count = local.is-development ? 1 : 0
		94 | 
		95 |   name              = format("%s-%s-ecs", local.application_name, "sandbox")
		96 |   retention_in_days = 30
		97 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.jitbit_sandbox
	File: /sandbox_ecs.tf:92-97
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		92 | resource "aws_cloudwatch_log_group" "jitbit_sandbox" {
		93 |   count = local.is-development ? 1 : 0
		94 | 
		95 |   name              = format("%s-%s-ecs", local.application_name, "sandbox")
		96 |   retention_in_days = 30
		97 | }

Check: CKV_AWS_378: "Ensure AWS Load Balancer doesn't use HTTP protocol"
	FAILED for resource: aws_lb_target_group.target_group_fargate_sandbox
	File: /sandbox_lb.tf:18-50

		18 | resource "aws_lb_target_group" "target_group_fargate_sandbox" {
		19 |   # checkov:skip=CKV_AWS_261
		20 | 
		21 |   count = local.is-development ? 1 : 0
		22 | 
		23 |   name                 = "${local.application_name}-sandbox"
		24 |   port                 = local.app_port
		25 |   protocol             = "HTTP"
		26 |   vpc_id               = data.aws_vpc.shared.id
		27 |   target_type          = "ip"
		28 |   deregistration_delay = 30
		29 | 
		30 |   stickiness {
		31 |     type = "lb_cookie"
		32 |   }
		33 | 
		34 |   health_check {
		35 |     path                = "/User/Login?ReturnUrl=%2f"
		36 |     healthy_threshold   = "5"
		37 |     interval            = "30"
		38 |     protocol            = "HTTP"
		39 |     unhealthy_threshold = "2"
		40 |     matcher             = "200-499"
		41 |     timeout             = "5"
		42 |   }
		43 | 
		44 |   tags = merge(
		45 |     local.tags,
		46 |     {
		47 |       Name = "${local.application_name}-sandbox"
		48 |     }
		49 |   )
		50 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: aws_db_instance.jitbit_sandbox
	File: /sandbox_rds.tf:27-71
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-354

		27 | resource "aws_db_instance" "jitbit_sandbox" {
		28 |   count = local.is-development ? 1 : 0
		29 | 
		30 |   engine         = "sqlserver-se"
		31 |   license_model  = "license-included"
		32 |   engine_version = local.application_data.accounts["sandbox"].db_engine_version
		33 |   instance_class = local.application_data.accounts["sandbox"].db_instance_class
		34 |   identifier     = "${local.application_name}-sandbox-database"
		35 |   username       = local.application_data.accounts["sandbox"].db_user
		36 | 
		37 |   manage_master_user_password = true
		38 | 
		39 |   snapshot_identifier = try(local.application_data.accounts["sandbox"].db_snapshot_identifier, null)
		40 | 
		41 |   # tflint-ignore: aws_db_instance_default_parameter_group
		42 |   parameter_group_name        = "default.sqlserver-se-15.0"
		43 |   ca_cert_identifier          = local.application_data.accounts["sandbox"].db_ca_cert_identifier
		44 |   deletion_protection         = local.application_data.accounts["sandbox"].db_deletion_protection
		45 |   delete_automated_backups    = local.application_data.accounts["sandbox"].db_delete_automated_backups
		46 |   skip_final_snapshot         = local.application_data.accounts["sandbox"].db_skip_final_snapshot
		47 |   final_snapshot_identifier   = !local.skip_final_snapshot ? "${local.application_name}-sandbox-database-final-snapshot" : null
		48 |   allocated_storage           = local.application_data.accounts["sandbox"].db_allocated_storage
		49 |   max_allocated_storage       = local.application_data.accounts["sandbox"].db_max_allocated_storage
		50 |   storage_type                = local.application_data.accounts["sandbox"].db_storage_type
		51 |   maintenance_window          = local.application_data.accounts["sandbox"].db_maintenance_window
		52 |   auto_minor_version_upgrade  = local.application_data.accounts["sandbox"].db_auto_minor_version_upgrade
		53 |   allow_major_version_upgrade = local.application_data.accounts["sandbox"].db_allow_major_version_upgrade
		54 |   backup_window               = local.application_data.accounts["sandbox"].db_backup_window
		55 |   backup_retention_period     = local.application_data.accounts["sandbox"].db_retention_period
		56 |   #checkov:skip=CKV_AWS_133: "backup_retention enabled, can be edited it application_variables.json"
		57 |   iam_database_authentication_enabled = local.application_data.accounts["sandbox"].db_iam_database_authentication_enabled
		58 |   #checkov:skip=CKV_AWS_161: "iam auth enabled, but optional"
		59 |   db_subnet_group_name   = aws_db_subnet_group.jitbit.id
		60 |   vpc_security_group_ids = [aws_security_group.database_security_group_sandbox[0].id]
		61 |   multi_az               = local.application_data.accounts["sandbox"].db_multi_az
		62 |   #checkov:skip=CKV_AWS_157: "multi-az enabled, but optional"
		63 |   storage_encrypted = true
		64 | 
		65 |   tags = merge(
		66 |     local.tags,
		67 |     {
		68 |       Name = lower(format("%s-%s-database", local.application_name, "sandbox"))
		69 |     }
		70 |   )
		71 | }

Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
	FAILED for resource: aws_db_instance.jitbit_sandbox
	File: /sandbox_rds.tf:27-71
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances

		27 | resource "aws_db_instance" "jitbit_sandbox" {
		28 |   count = local.is-development ? 1 : 0
		29 | 
		30 |   engine         = "sqlserver-se"
		31 |   license_model  = "license-included"
		32 |   engine_version = local.application_data.accounts["sandbox"].db_engine_version
		33 |   instance_class = local.application_data.accounts["sandbox"].db_instance_class
		34 |   identifier     = "${local.application_name}-sandbox-database"
		35 |   username       = local.application_data.accounts["sandbox"].db_user
		36 | 
		37 |   manage_master_user_password = true
		38 | 
		39 |   snapshot_identifier = try(local.application_data.accounts["sandbox"].db_snapshot_identifier, null)
		40 | 
		41 |   # tflint-ignore: aws_db_instance_default_parameter_group
		42 |   parameter_group_name        = "default.sqlserver-se-15.0"
		43 |   ca_cert_identifier          = local.application_data.accounts["sandbox"].db_ca_cert_identifier
		44 |   deletion_protection         = local.application_data.accounts["sandbox"].db_deletion_protection
		45 |   delete_automated_backups    = local.application_data.accounts["sandbox"].db_delete_automated_backups
		46 |   skip_final_snapshot         = local.application_data.accounts["sandbox"].db_skip_final_snapshot
		47 |   final_snapshot_identifier   = !local.skip_final_snapshot ? "${local.application_name}-sandbox-database-final-snapshot" : null
		48 |   allocated_storage           = local.application_data.accounts["sandbox"].db_allocated_storage
		49 |   max_allocated_storage       = local.application_data.accounts["sandbox"].db_max_allocated_storage
		50 |   storage_type                = local.application_data.accounts["sandbox"].db_storage_type
		51 |   maintenance_window          = local.application_data.accounts["sandbox"].db_maintenance_window
		52 |   auto_minor_version_upgrade  = local.application_data.accounts["sandbox"].db_auto_minor_version_upgrade
		53 |   allow_major_version_upgrade = local.application_data.accounts["sandbox"].db_allow_major_version_upgrade
		54 |   backup_window               = local.application_data.accounts["sandbox"].db_backup_window
		55 |   backup_retention_period     = local.application_data.accounts["sandbox"].db_retention_period
		56 |   #checkov:skip=CKV_AWS_133: "backup_retention enabled, can be edited it application_variables.json"
		57 |   iam_database_authentication_enabled = local.application_data.accounts["sandbox"].db_iam_database_authentication_enabled
		58 |   #checkov:skip=CKV_AWS_161: "iam auth enabled, but optional"
		59 |   db_subnet_group_name   = aws_db_subnet_group.jitbit.id
		60 |   vpc_security_group_ids = [aws_security_group.database_security_group_sandbox[0].id]
		61 |   multi_az               = local.application_data.accounts["sandbox"].db_multi_az
		62 |   #checkov:skip=CKV_AWS_157: "multi-az enabled, but optional"
		63 |   storage_encrypted = true
		64 | 
		65 |   tags = merge(
		66 |     local.tags,
		67 |     {
		68 |       Name = lower(format("%s-%s-database", local.application_name, "sandbox"))
		69 |     }
		70 |   )
		71 | }

Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
	FAILED for resource: aws_db_instance.jitbit_sandbox
	File: /sandbox_rds.tf:27-71
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-353

		27 | resource "aws_db_instance" "jitbit_sandbox" {
		28 |   count = local.is-development ? 1 : 0
		29 | 
		30 |   engine         = "sqlserver-se"
		31 |   license_model  = "license-included"
		32 |   engine_version = local.application_data.accounts["sandbox"].db_engine_version
		33 |   instance_class = local.application_data.accounts["sandbox"].db_instance_class
		34 |   identifier     = "${local.application_name}-sandbox-database"
		35 |   username       = local.application_data.accounts["sandbox"].db_user
		36 | 
		37 |   manage_master_user_password = true
		38 | 
		39 |   snapshot_identifier = try(local.application_data.accounts["sandbox"].db_snapshot_identifier, null)
		40 | 
		41 |   # tflint-ignore: aws_db_instance_default_parameter_group
		42 |   parameter_group_name        = "default.sqlserver-se-15.0"
		43 |   ca_cert_identifier          = local.application_data.accounts["sandbox"].db_ca_cert_identifier
		44 |   deletion_protection         = local.application_data.accounts["sandbox"].db_deletion_protection
		45 |   delete_automated_backups    = local.application_data.accounts["sandbox"].db_delete_automated_backups
		46 |   skip_final_snapshot         = local.application_data.accounts["sandbox"].db_skip_final_snapshot
		47 |   final_snapshot_identifier   = !local.skip_final_snapshot ? "${local.application_name}-sandbox-database-final-snapshot" : null
		48 |   allocated_storage           = local.application_data.accounts["sandbox"].db_allocated_storage
		49 |   max_allocated_storage       = local.application_data.accounts["sandbox"].db_max_allocated_storage
		50 |   storage_type                = local.application_data.accounts["sandbox"].db_storage_type
		51 |   maintenance_window          = local.application_data.accounts["sandbox"].db_maintenance_window
		52 |   auto_minor_version_upgrade  = local.application_data.accounts["sandbox"].db_auto_minor_version_upgrade
		53 |   allow_major_version_upgrade = local.application_data.accounts["sandbox"].db_allow_major_version_upgrade
		54 |   backup_window               = local.application_data.accounts["sandbox"].db_backup_window
		55 |   backup_retention_period     = local.application_data.accounts["sandbox"].db_retention_period
		56 |   #checkov:skip=CKV_AWS_133: "backup_retention enabled, can be edited it application_variables.json"
		57 |   iam_database_authentication_enabled = local.application_data.accounts["sandbox"].db_iam_database_authentication_enabled
		58 |   #checkov:skip=CKV_AWS_161: "iam auth enabled, but optional"
		59 |   db_subnet_group_name   = aws_db_subnet_group.jitbit.id
		60 |   vpc_security_group_ids = [aws_security_group.database_security_group_sandbox[0].id]
		61 |   multi_az               = local.application_data.accounts["sandbox"].db_multi_az
		62 |   #checkov:skip=CKV_AWS_157: "multi-az enabled, but optional"
		63 |   storage_encrypted = true
		64 | 
		65 |   tags = merge(
		66 |     local.tags,
		67 |     {
		68 |       Name = lower(format("%s-%s-database", local.application_name, "sandbox"))
		69 |     }
		70 |   )
		71 | }

Check: CKV_AWS_226: "Ensure DB instance gets all minor upgrades automatically"
	FAILED for resource: aws_db_instance.jitbit_sandbox
	File: /sandbox_rds.tf:27-71
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-db-instance-gets-all-minor-upgrades-automatically

		27 | resource "aws_db_instance" "jitbit_sandbox" {
		28 |   count = local.is-development ? 1 : 0
		29 | 
		30 |   engine         = "sqlserver-se"
		31 |   license_model  = "license-included"
		32 |   engine_version = local.application_data.accounts["sandbox"].db_engine_version
		33 |   instance_class = local.application_data.accounts["sandbox"].db_instance_class
		34 |   identifier     = "${local.application_name}-sandbox-database"
		35 |   username       = local.application_data.accounts["sandbox"].db_user
		36 | 
		37 |   manage_master_user_password = true
		38 | 
		39 |   snapshot_identifier = try(local.application_data.accounts["sandbox"].db_snapshot_identifier, null)
		40 | 
		41 |   # tflint-ignore: aws_db_instance_default_parameter_group
		42 |   parameter_group_name        = "default.sqlserver-se-15.0"
		43 |   ca_cert_identifier          = local.application_data.accounts["sandbox"].db_ca_cert_identifier
		44 |   deletion_protection         = local.application_data.accounts["sandbox"].db_deletion_protection
		45 |   delete_automated_backups    = local.application_data.accounts["sandbox"].db_delete_automated_backups
		46 |   skip_final_snapshot         = local.application_data.accounts["sandbox"].db_skip_final_snapshot
		47 |   final_snapshot_identifier   = !local.skip_final_snapshot ? "${local.application_name}-sandbox-database-final-snapshot" : null
		48 |   allocated_storage           = local.application_data.accounts["sandbox"].db_allocated_storage
		49 |   max_allocated_storage       = local.application_data.accounts["sandbox"].db_max_allocated_storage
		50 |   storage_type                = local.application_data.accounts["sandbox"].db_storage_type
		51 |   maintenance_window          = local.application_data.accounts["sandbox"].db_maintenance_window
		52 |   auto_minor_version_upgrade  = local.application_data.accounts["sandbox"].db_auto_minor_version_upgrade
		53 |   allow_major_version_upgrade = local.application_data.accounts["sandbox"].db_allow_major_version_upgrade
		54 |   backup_window               = local.application_data.accounts["sandbox"].db_backup_window
		55 |   backup_retention_period     = local.application_data.accounts["sandbox"].db_retention_period
		56 |   #checkov:skip=CKV_AWS_133: "backup_retention enabled, can be edited it application_variables.json"
		57 |   iam_database_authentication_enabled = local.application_data.accounts["sandbox"].db_iam_database_authentication_enabled
		58 |   #checkov:skip=CKV_AWS_161: "iam auth enabled, but optional"
		59 |   db_subnet_group_name   = aws_db_subnet_group.jitbit.id
		60 |   vpc_security_group_ids = [aws_security_group.database_security_group_sandbox[0].id]
		61 |   multi_az               = local.application_data.accounts["sandbox"].db_multi_az
		62 |   #checkov:skip=CKV_AWS_157: "multi-az enabled, but optional"
		63 |   storage_encrypted = true
		64 | 
		65 |   tags = merge(
		66 |     local.tags,
		67 |     {
		68 |       Name = lower(format("%s-%s-database", local.application_name, "sandbox"))
		69 |     }
		70 |   )
		71 | }

Check: CKV_AWS_211: "Ensure RDS uses a modern CaCert"
	FAILED for resource: aws_db_instance.jitbit_sandbox
	File: /sandbox_rds.tf:27-71
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-rds-uses-a-modern-cacert

		27 | resource "aws_db_instance" "jitbit_sandbox" {
		28 |   count = local.is-development ? 1 : 0
		29 | 
		30 |   engine         = "sqlserver-se"
		31 |   license_model  = "license-included"
		32 |   engine_version = local.application_data.accounts["sandbox"].db_engine_version
		33 |   instance_class = local.application_data.accounts["sandbox"].db_instance_class
		34 |   identifier     = "${local.application_name}-sandbox-database"
		35 |   username       = local.application_data.accounts["sandbox"].db_user
		36 | 
		37 |   manage_master_user_password = true
		38 | 
		39 |   snapshot_identifier = try(local.application_data.accounts["sandbox"].db_snapshot_identifier, null)
		40 | 
		41 |   # tflint-ignore: aws_db_instance_default_parameter_group
		42 |   parameter_group_name        = "default.sqlserver-se-15.0"
		43 |   ca_cert_identifier          = local.application_data.accounts["sandbox"].db_ca_cert_identifier
		44 |   deletion_protection         = local.application_data.accounts["sandbox"].db_deletion_protection
		45 |   delete_automated_backups    = local.application_data.accounts["sandbox"].db_delete_automated_backups
		46 |   skip_final_snapshot         = local.application_data.accounts["sandbox"].db_skip_final_snapshot
		47 |   final_snapshot_identifier   = !local.skip_final_snapshot ? "${local.application_name}-sandbox-database-final-snapshot" : null
		48 |   allocated_storage           = local.application_data.accounts["sandbox"].db_allocated_storage
		49 |   max_allocated_storage       = local.application_data.accounts["sandbox"].db_max_allocated_storage
		50 |   storage_type                = local.application_data.accounts["sandbox"].db_storage_type
		51 |   maintenance_window          = local.application_data.accounts["sandbox"].db_maintenance_window
		52 |   auto_minor_version_upgrade  = local.application_data.accounts["sandbox"].db_auto_minor_version_upgrade
		53 |   allow_major_version_upgrade = local.application_data.accounts["sandbox"].db_allow_major_version_upgrade
		54 |   backup_window               = local.application_data.accounts["sandbox"].db_backup_window
		55 |   backup_retention_period     = local.application_data.accounts["sandbox"].db_retention_period
		56 |   #checkov:skip=CKV_AWS_133: "backup_retention enabled, can be edited it application_variables.json"
		57 |   iam_database_authentication_enabled = local.application_data.accounts["sandbox"].db_iam_database_authentication_enabled
		58 |   #checkov:skip=CKV_AWS_161: "iam auth enabled, but optional"
		59 |   db_subnet_group_name   = aws_db_subnet_group.jitbit.id
		60 |   vpc_security_group_ids = [aws_security_group.database_security_group_sandbox[0].id]
		61 |   multi_az               = local.application_data.accounts["sandbox"].db_multi_az
		62 |   #checkov:skip=CKV_AWS_157: "multi-az enabled, but optional"
		63 |   storage_encrypted = true
		64 | 
		65 |   tags = merge(
		66 |     local.tags,
		67 |     {
		68 |       Name = lower(format("%s-%s-database", local.application_name, "sandbox"))
		69 |     }
		70 |   )
		71 | }

Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
	FAILED for resource: aws_db_instance.jitbit_sandbox
	File: /sandbox_rds.tf:27-71
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-293

		27 | resource "aws_db_instance" "jitbit_sandbox" {
		28 |   count = local.is-development ? 1 : 0
		29 | 
		30 |   engine         = "sqlserver-se"
		31 |   license_model  = "license-included"
		32 |   engine_version = local.application_data.accounts["sandbox"].db_engine_version
		33 |   instance_class = local.application_data.accounts["sandbox"].db_instance_class
		34 |   identifier     = "${local.application_name}-sandbox-database"
		35 |   username       = local.application_data.accounts["sandbox"].db_user
		36 | 
		37 |   manage_master_user_password = true
		38 | 
		39 |   snapshot_identifier = try(local.application_data.accounts["sandbox"].db_snapshot_identifier, null)
		40 | 
		41 |   # tflint-ignore: aws_db_instance_default_parameter_group
		42 |   parameter_group_name        = "default.sqlserver-se-15.0"
		43 |   ca_cert_identifier          = local.application_data.accounts["sandbox"].db_ca_cert_identifier
		44 |   deletion_protection         = local.application_data.accounts["sandbox"].db_deletion_protection
		45 |   delete_automated_backups    = local.application_data.accounts["sandbox"].db_delete_automated_backups
		46 |   skip_final_snapshot         = local.application_data.accounts["sandbox"].db_skip_final_snapshot
		47 |   final_snapshot_identifier   = !local.skip_final_snapshot ? "${local.application_name}-sandbox-database-final-snapshot" : null
		48 |   allocated_storage           = local.application_data.accounts["sandbox"].db_allocated_storage
		49 |   max_allocated_storage       = local.application_data.accounts["sandbox"].db_max_allocated_storage
		50 |   storage_type                = local.application_data.accounts["sandbox"].db_storage_type
		51 |   maintenance_window          = local.application_data.accounts["sandbox"].db_maintenance_window
		52 |   auto_minor_version_upgrade  = local.application_data.accounts["sandbox"].db_auto_minor_version_upgrade
		53 |   allow_major_version_upgrade = local.application_data.accounts["sandbox"].db_allow_major_version_upgrade
		54 |   backup_window               = local.application_data.accounts["sandbox"].db_backup_window
		55 |   backup_retention_period     = local.application_data.accounts["sandbox"].db_retention_period
		56 |   #checkov:skip=CKV_AWS_133: "backup_retention enabled, can be edited it application_variables.json"
		57 |   iam_database_authentication_enabled = local.application_data.accounts["sandbox"].db_iam_database_authentication_enabled
		58 |   #checkov:skip=CKV_AWS_161: "iam auth enabled, but optional"
		59 |   db_subnet_group_name   = aws_db_subnet_group.jitbit.id
		60 |   vpc_security_group_ids = [aws_security_group.database_security_group_sandbox[0].id]
		61 |   multi_az               = local.application_data.accounts["sandbox"].db_multi_az
		62 |   #checkov:skip=CKV_AWS_157: "multi-az enabled, but optional"
		63 |   storage_encrypted = true
		64 | 
		65 |   tags = merge(
		66 |     local.tags,
		67 |     {
		68 |       Name = lower(format("%s-%s-database", local.application_name, "sandbox"))
		69 |     }
		70 |   )
		71 | }

Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
	FAILED for resource: aws_db_instance.jitbit_sandbox
	File: /sandbox_rds.tf:27-71
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled

		27 | resource "aws_db_instance" "jitbit_sandbox" {
		28 |   count = local.is-development ? 1 : 0
		29 | 
		30 |   engine         = "sqlserver-se"
		31 |   license_model  = "license-included"
		32 |   engine_version = local.application_data.accounts["sandbox"].db_engine_version
		33 |   instance_class = local.application_data.accounts["sandbox"].db_instance_class
		34 |   identifier     = "${local.application_name}-sandbox-database"
		35 |   username       = local.application_data.accounts["sandbox"].db_user
		36 | 
		37 |   manage_master_user_password = true
		38 | 
		39 |   snapshot_identifier = try(local.application_data.accounts["sandbox"].db_snapshot_identifier, null)
		40 | 
		41 |   # tflint-ignore: aws_db_instance_default_parameter_group
		42 |   parameter_group_name        = "default.sqlserver-se-15.0"
		43 |   ca_cert_identifier          = local.application_data.accounts["sandbox"].db_ca_cert_identifier
		44 |   deletion_protection         = local.application_data.accounts["sandbox"].db_deletion_protection
		45 |   delete_automated_backups    = local.application_data.accounts["sandbox"].db_delete_automated_backups
		46 |   skip_final_snapshot         = local.application_data.accounts["sandbox"].db_skip_final_snapshot
		47 |   final_snapshot_identifier   = !local.skip_final_snapshot ? "${local.application_name}-sandbox-database-final-snapshot" : null
		48 |   allocated_storage           = local.application_data.accounts["sandbox"].db_allocated_storage
		49 |   max_allocated_storage       = local.application_data.accounts["sandbox"].db_max_allocated_storage
		50 |   storage_type                = local.application_data.accounts["sandbox"].db_storage_type
		51 |   maintenance_window          = local.application_data.accounts["sandbox"].db_maintenance_window
		52 |   auto_minor_version_upgrade  = local.application_data.accounts["sandbox"].db_auto_minor_version_upgrade
		53 |   allow_major_version_upgrade = local.application_data.accounts["sandbox"].db_allow_major_version_upgrade
		54 |   backup_window               = local.application_data.accounts["sandbox"].db_backup_window
		55 |   backup_retention_period     = local.application_data.accounts["sandbox"].db_retention_period
		56 |   #checkov:skip=CKV_AWS_133: "backup_retention enabled, can be edited it application_variables.json"
		57 |   iam_database_authentication_enabled = local.application_data.accounts["sandbox"].db_iam_database_authentication_enabled
		58 |   #checkov:skip=CKV_AWS_161: "iam auth enabled, but optional"
		59 |   db_subnet_group_name   = aws_db_subnet_group.jitbit.id
		60 |   vpc_security_group_ids = [aws_security_group.database_security_group_sandbox[0].id]
		61 |   multi_az               = local.application_data.accounts["sandbox"].db_multi_az
		62 |   #checkov:skip=CKV_AWS_157: "multi-az enabled, but optional"
		63 |   storage_encrypted = true
		64 | 
		65 |   tags = merge(
		66 |     local.tags,
		67 |     {
		68 |       Name = lower(format("%s-%s-database", local.application_name, "sandbox"))
		69 |     }
		70 |   )
		71 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: jitbit_bucket_sandbox
	File: /sandbox_s3.tf:1-86
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
	FAILED for resource: aws_iam_user.jitbit_ses_smtp_user
	File: /ses.tf:101-103
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-273

		101 | resource "aws_iam_user" "jitbit_ses_smtp_user" {
		102 |   name = "${local.environment}-jitbit-smtp-user"
		103 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_user_policy.jitbit_ses_smtp_user
	File: /ses.tf:109-126
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		109 | resource "aws_iam_user_policy" "jitbit_ses_smtp_user" {
		110 |   name = "${local.environment}-jitbit-ses-smtp-user-policy"
		111 |   user = aws_iam_user.jitbit_ses_smtp_user.name
		112 | 
		113 |   policy = jsonencode({
		114 |     Version = "2012-10-17",
		115 |     Statement = [
		116 |       {
		117 |         Effect = "Allow",
		118 |         Action = [
		119 |           "ses:SendRawEmail",
		120 |           "ses:SendEmail"
		121 |         ],
		122 |         Resource = "*"
		123 |       }
		124 |     ]
		125 |   })
		126 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_user_policy.jitbit_ses_smtp_user
	File: /ses.tf:109-126
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		109 | resource "aws_iam_user_policy" "jitbit_ses_smtp_user" {
		110 |   name = "${local.environment}-jitbit-ses-smtp-user-policy"
		111 |   user = aws_iam_user.jitbit_ses_smtp_user.name
		112 | 
		113 |   policy = jsonencode({
		114 |     Version = "2012-10-17",
		115 |     Statement = [
		116 |       {
		117 |         Effect = "Allow",
		118 |         Action = [
		119 |           "ses:SendRawEmail",
		120 |           "ses:SendEmail"
		121 |         ],
		122 |         Resource = "*"
		123 |       }
		124 |     ]
		125 |   })
		126 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.jitbit_ses_smtp_user
	File: /ses.tf:128-138
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		128 | resource "aws_ssm_parameter" "jitbit_ses_smtp_user" {
		129 |   name = "/${local.environment}/jitbit/ses_smtp"
		130 |   type = "SecureString"
		131 |   value = jsonencode({
		132 |     user              = aws_iam_user.jitbit_ses_smtp_user.name,
		133 |     key               = aws_iam_access_key.jitbit_ses_smtp_user.id,
		134 |     secret            = aws_iam_access_key.jitbit_ses_smtp_user.secret
		135 |     ses_smtp_user     = aws_iam_access_key.jitbit_ses_smtp_user.id
		136 |     ses_smtp_password = aws_iam_access_key.jitbit_ses_smtp_user.ses_smtp_password_v4
		137 |   })
		138 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.jitbit_ses_destination_topic_bounce_email_notification
	File: /ses_bounce.tf:1-5
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		1 | resource "aws_sns_topic" "jitbit_ses_destination_topic_bounce_email_notification" {
		2 |   name = format("%s-ses-destination-topic-bounce-email-notification", local.application_name)
		3 | 
		4 |   tags = local.tags
		5 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.bounce_email_notification
	File: /ses_bounce.tf:30-54
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		30 | resource "aws_lambda_function" "bounce_email_notification" {
		31 |   filename         = "${path.module}/lambda/bounce_email_notification/bounce_email_notification.zip"
		32 |   function_name    = "bounce_email_notification"
		33 |   architectures    = ["arm64"]
		34 |   role             = aws_iam_role.lambda_bounce_email_notification.arn
		35 |   runtime          = "python3.12"
		36 |   handler          = "bounce_email_notification.handler"
		37 |   source_code_hash = data.archive_file.lambda_function_payload_bounce_email_notification.output_base64sha256
		38 | 
		39 |   timeout = 6
		40 | 
		41 |   environment {
		42 |     variables = {
		43 |       RATE_LIMIT     = 5
		44 |       DYNAMODB_TABLE = aws_dynamodb_table.bounce_email_notification.name
		45 |       FROM_ADDRESS   = "notifications@${aws_sesv2_email_identity.jitbit.email_identity}"
		46 |     }
		47 |   }
		48 | 
		49 |   lifecycle {
		50 |     replace_triggered_by = [aws_iam_role.lambda_bounce_email_notification]
		51 |   }
		52 | 
		53 |   tags = local.tags
		54 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.bounce_email_notification
	File: /ses_bounce.tf:30-54
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		30 | resource "aws_lambda_function" "bounce_email_notification" {
		31 |   filename         = "${path.module}/lambda/bounce_email_notification/bounce_email_notification.zip"
		32 |   function_name    = "bounce_email_notification"
		33 |   architectures    = ["arm64"]
		34 |   role             = aws_iam_role.lambda_bounce_email_notification.arn
		35 |   runtime          = "python3.12"
		36 |   handler          = "bounce_email_notification.handler"
		37 |   source_code_hash = data.archive_file.lambda_function_payload_bounce_email_notification.output_base64sha256
		38 | 
		39 |   timeout = 6
		40 | 
		41 |   environment {
		42 |     variables = {
		43 |       RATE_LIMIT     = 5
		44 |       DYNAMODB_TABLE = aws_dynamodb_table.bounce_email_notification.name
		45 |       FROM_ADDRESS   = "notifications@${aws_sesv2_email_identity.jitbit.email_identity}"
		46 |     }
		47 |   }
		48 | 
		49 |   lifecycle {
		50 |     replace_triggered_by = [aws_iam_role.lambda_bounce_email_notification]
		51 |   }
		52 | 
		53 |   tags = local.tags
		54 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.bounce_email_notification
	File: /ses_bounce.tf:30-54
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		30 | resource "aws_lambda_function" "bounce_email_notification" {
		31 |   filename         = "${path.module}/lambda/bounce_email_notification/bounce_email_notification.zip"
		32 |   function_name    = "bounce_email_notification"
		33 |   architectures    = ["arm64"]
		34 |   role             = aws_iam_role.lambda_bounce_email_notification.arn
		35 |   runtime          = "python3.12"
		36 |   handler          = "bounce_email_notification.handler"
		37 |   source_code_hash = data.archive_file.lambda_function_payload_bounce_email_notification.output_base64sha256
		38 | 
		39 |   timeout = 6
		40 | 
		41 |   environment {
		42 |     variables = {
		43 |       RATE_LIMIT     = 5
		44 |       DYNAMODB_TABLE = aws_dynamodb_table.bounce_email_notification.name
		45 |       FROM_ADDRESS   = "notifications@${aws_sesv2_email_identity.jitbit.email_identity}"
		46 |     }
		47 |   }
		48 | 
		49 |   lifecycle {
		50 |     replace_triggered_by = [aws_iam_role.lambda_bounce_email_notification]
		51 |   }
		52 | 
		53 |   tags = local.tags
		54 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.bounce_email_notification
	File: /ses_bounce.tf:30-54
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		30 | resource "aws_lambda_function" "bounce_email_notification" {
		31 |   filename         = "${path.module}/lambda/bounce_email_notification/bounce_email_notification.zip"
		32 |   function_name    = "bounce_email_notification"
		33 |   architectures    = ["arm64"]
		34 |   role             = aws_iam_role.lambda_bounce_email_notification.arn
		35 |   runtime          = "python3.12"
		36 |   handler          = "bounce_email_notification.handler"
		37 |   source_code_hash = data.archive_file.lambda_function_payload_bounce_email_notification.output_base64sha256
		38 | 
		39 |   timeout = 6
		40 | 
		41 |   environment {
		42 |     variables = {
		43 |       RATE_LIMIT     = 5
		44 |       DYNAMODB_TABLE = aws_dynamodb_table.bounce_email_notification.name
		45 |       FROM_ADDRESS   = "notifications@${aws_sesv2_email_identity.jitbit.email_identity}"
		46 |     }
		47 |   }
		48 | 
		49 |   lifecycle {
		50 |     replace_triggered_by = [aws_iam_role.lambda_bounce_email_notification]
		51 |   }
		52 | 
		53 |   tags = local.tags
		54 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.bounce_email_notification
	File: /ses_bounce.tf:30-54
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		30 | resource "aws_lambda_function" "bounce_email_notification" {
		31 |   filename         = "${path.module}/lambda/bounce_email_notification/bounce_email_notification.zip"
		32 |   function_name    = "bounce_email_notification"
		33 |   architectures    = ["arm64"]
		34 |   role             = aws_iam_role.lambda_bounce_email_notification.arn
		35 |   runtime          = "python3.12"
		36 |   handler          = "bounce_email_notification.handler"
		37 |   source_code_hash = data.archive_file.lambda_function_payload_bounce_email_notification.output_base64sha256
		38 | 
		39 |   timeout = 6
		40 | 
		41 |   environment {
		42 |     variables = {
		43 |       RATE_LIMIT     = 5
		44 |       DYNAMODB_TABLE = aws_dynamodb_table.bounce_email_notification.name
		45 |       FROM_ADDRESS   = "notifications@${aws_sesv2_email_identity.jitbit.email_identity}"
		46 |     }
		47 |   }
		48 | 
		49 |   lifecycle {
		50 |     replace_triggered_by = [aws_iam_role.lambda_bounce_email_notification]
		51 |   }
		52 | 
		53 |   tags = local.tags
		54 | }

Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
	FAILED for resource: aws_lambda_function.bounce_email_notification
	File: /ses_bounce.tf:30-54
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1

		30 | resource "aws_lambda_function" "bounce_email_notification" {
		31 |   filename         = "${path.module}/lambda/bounce_email_notification/bounce_email_notification.zip"
		32 |   function_name    = "bounce_email_notification"
		33 |   architectures    = ["arm64"]
		34 |   role             = aws_iam_role.lambda_bounce_email_notification.arn
		35 |   runtime          = "python3.12"
		36 |   handler          = "bounce_email_notification.handler"
		37 |   source_code_hash = data.archive_file.lambda_function_payload_bounce_email_notification.output_base64sha256
		38 | 
		39 |   timeout = 6
		40 | 
		41 |   environment {
		42 |     variables = {
		43 |       RATE_LIMIT     = 5
		44 |       DYNAMODB_TABLE = aws_dynamodb_table.bounce_email_notification.name
		45 |       FROM_ADDRESS   = "notifications@${aws_sesv2_email_identity.jitbit.email_identity}"
		46 |     }
		47 |   }
		48 | 
		49 |   lifecycle {
		50 |     replace_triggered_by = [aws_iam_role.lambda_bounce_email_notification]
		51 |   }
		52 | 
		53 |   tags = local.tags
		54 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.bounce_email_notification
	File: /ses_bounce.tf:118-123
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		118 | resource "aws_cloudwatch_log_group" "bounce_email_notification" {
		119 |   name              = "/aws/lambda/bounce_email_notification"
		120 |   retention_in_days = 3
		121 | 
		122 |   tags = local.tags
		123 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.bounce_email_notification
	File: /ses_bounce.tf:118-123
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		118 | resource "aws_cloudwatch_log_group" "bounce_email_notification" {
		119 |   name              = "/aws/lambda/bounce_email_notification"
		120 |   retention_in_days = 3
		121 | 
		122 |   tags = local.tags
		123 | }

Check: CKV_AWS_28: "Ensure DynamoDB point in time recovery (backup) is enabled"
	FAILED for resource: aws_dynamodb_table.bounce_email_notification
	File: /ses_bounce.tf:126-147
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-6

		126 | resource "aws_dynamodb_table" "bounce_email_notification" {
		127 |   name         = "bounce_email_notification"
		128 |   billing_mode = "PAY_PER_REQUEST"
		129 |   hash_key     = "email_ticket_id"
		130 | 
		131 |   server_side_encryption {
		132 |     enabled     = true
		133 |     kms_key_arn = data.aws_kms_key.general_shared.arn
		134 |   }
		135 | 
		136 |   ttl {
		137 |     attribute_name = "expireAt"
		138 |     enabled        = true
		139 |   }
		140 | 
		141 |   attribute {
		142 |     name = "email_ticket_id"
		143 |     type = "S"
		144 |   }
		145 | 
		146 |   tags = local.tags
		147 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.lambda_policy_bounce_email_notification
	File: /ses_bounce.tf:69-102
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		69  | data "aws_iam_policy_document" "lambda_policy_bounce_email_notification" {
		70  |   statement {
		71  |     actions = [
		72  |       "ses:SendRawEmail",
		73  |       "ses:SendEmail"
		74  |     ]
		75  |     resources = ["*"]
		76  |   }
		77  | 
		78  |   statement {
		79  |     actions = [
		80  |       "logs:CreateLogGroup",
		81  |       "logs:CreateLogStream",
		82  |       "logs:PutLogEvents"
		83  |     ]
		84  |     resources = ["arn:aws:logs:*:*:*"]
		85  |   }
		86  | 
		87  |   statement {
		88  |     actions = [
		89  |       "dynamodb:PutItem",
		90  |       "dynamodb:GetItem",
		91  |       "dynamodb:Query"
		92  |     ]
		93  |     resources = [aws_dynamodb_table.bounce_email_notification.arn]
		94  |   }
		95  | 
		96  |   statement {
		97  |     actions = [
		98  |       "kms:Decrypt"
		99  |     ]
		100 |     resources = [data.aws_kms_key.general_shared.arn]
		101 |   }
		102 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.lambda_policy_bounce_email_notification
	File: /ses_bounce.tf:69-102
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		69  | data "aws_iam_policy_document" "lambda_policy_bounce_email_notification" {
		70  |   statement {
		71  |     actions = [
		72  |       "ses:SendRawEmail",
		73  |       "ses:SendEmail"
		74  |     ]
		75  |     resources = ["*"]
		76  |   }
		77  | 
		78  |   statement {
		79  |     actions = [
		80  |       "logs:CreateLogGroup",
		81  |       "logs:CreateLogStream",
		82  |       "logs:PutLogEvents"
		83  |     ]
		84  |     resources = ["arn:aws:logs:*:*:*"]
		85  |   }
		86  | 
		87  |   statement {
		88  |     actions = [
		89  |       "dynamodb:PutItem",
		90  |       "dynamodb:GetItem",
		91  |       "dynamodb:Query"
		92  |     ]
		93  |     resources = [aws_dynamodb_table.bounce_email_notification.arn]
		94  |   }
		95  | 
		96  |   statement {
		97  |     actions = [
		98  |       "kms:Decrypt"
		99  |     ]
		100 |     resources = [data.aws_kms_key.general_shared.arn]
		101 |   }
		102 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.jitbit_ses_destination_topic
	File: /ses_logging.tf:4-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		4 | resource "aws_sns_topic" "jitbit_ses_destination_topic" {
		5 |   name = format("%s-ses-destination-topic", local.application_name)
		6 | 
		7 |   tags = local.tags
		8 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.sns_to_cloudwatch
	File: /ses_logging.tf:37-57
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		37 | resource "aws_lambda_function" "sns_to_cloudwatch" {
		38 |   filename         = "${path.module}/lambda/sns_to_cloudwatch/sns_to_cloudwatch.zip"
		39 |   function_name    = "sns_to_cloudwatch"
		40 |   architectures    = ["arm64"]
		41 |   role             = aws_iam_role.lambda_logging.arn
		42 |   runtime          = "python3.12"
		43 |   handler          = "sns_to_cloudwatch.handler"
		44 |   source_code_hash = data.archive_file.lambda_function_payload.output_base64sha256
		45 | 
		46 |   environment {
		47 |     variables = {
		48 |       LOG_GROUP_NAME = aws_cloudwatch_log_group.sns_logs.name
		49 |     }
		50 |   }
		51 | 
		52 |   lifecycle {
		53 |     replace_triggered_by = [aws_iam_role.lambda_logging]
		54 |   }
		55 | 
		56 |   tags = local.tags
		57 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.sns_to_cloudwatch
	File: /ses_logging.tf:37-57
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		37 | resource "aws_lambda_function" "sns_to_cloudwatch" {
		38 |   filename         = "${path.module}/lambda/sns_to_cloudwatch/sns_to_cloudwatch.zip"
		39 |   function_name    = "sns_to_cloudwatch"
		40 |   architectures    = ["arm64"]
		41 |   role             = aws_iam_role.lambda_logging.arn
		42 |   runtime          = "python3.12"
		43 |   handler          = "sns_to_cloudwatch.handler"
		44 |   source_code_hash = data.archive_file.lambda_function_payload.output_base64sha256
		45 | 
		46 |   environment {
		47 |     variables = {
		48 |       LOG_GROUP_NAME = aws_cloudwatch_log_group.sns_logs.name
		49 |     }
		50 |   }
		51 | 
		52 |   lifecycle {
		53 |     replace_triggered_by = [aws_iam_role.lambda_logging]
		54 |   }
		55 | 
		56 |   tags = local.tags
		57 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.sns_to_cloudwatch
	File: /ses_logging.tf:37-57
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		37 | resource "aws_lambda_function" "sns_to_cloudwatch" {
		38 |   filename         = "${path.module}/lambda/sns_to_cloudwatch/sns_to_cloudwatch.zip"
		39 |   function_name    = "sns_to_cloudwatch"
		40 |   architectures    = ["arm64"]
		41 |   role             = aws_iam_role.lambda_logging.arn
		42 |   runtime          = "python3.12"
		43 |   handler          = "sns_to_cloudwatch.handler"
		44 |   source_code_hash = data.archive_file.lambda_function_payload.output_base64sha256
		45 | 
		46 |   environment {
		47 |     variables = {
		48 |       LOG_GROUP_NAME = aws_cloudwatch_log_group.sns_logs.name
		49 |     }
		50 |   }
		51 | 
		52 |   lifecycle {
		53 |     replace_triggered_by = [aws_iam_role.lambda_logging]
		54 |   }
		55 | 
		56 |   tags = local.tags
		57 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.sns_to_cloudwatch
	File: /ses_logging.tf:37-57
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		37 | resource "aws_lambda_function" "sns_to_cloudwatch" {
		38 |   filename         = "${path.module}/lambda/sns_to_cloudwatch/sns_to_cloudwatch.zip"
		39 |   function_name    = "sns_to_cloudwatch"
		40 |   architectures    = ["arm64"]
		41 |   role             = aws_iam_role.lambda_logging.arn
		42 |   runtime          = "python3.12"
		43 |   handler          = "sns_to_cloudwatch.handler"
		44 |   source_code_hash = data.archive_file.lambda_function_payload.output_base64sha256
		45 | 
		46 |   environment {
		47 |     variables = {
		48 |       LOG_GROUP_NAME = aws_cloudwatch_log_group.sns_logs.name
		49 |     }
		50 |   }
		51 | 
		52 |   lifecycle {
		53 |     replace_triggered_by = [aws_iam_role.lambda_logging]
		54 |   }
		55 | 
		56 |   tags = local.tags
		57 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.sns_to_cloudwatch
	File: /ses_logging.tf:37-57
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		37 | resource "aws_lambda_function" "sns_to_cloudwatch" {
		38 |   filename         = "${path.module}/lambda/sns_to_cloudwatch/sns_to_cloudwatch.zip"
		39 |   function_name    = "sns_to_cloudwatch"
		40 |   architectures    = ["arm64"]
		41 |   role             = aws_iam_role.lambda_logging.arn
		42 |   runtime          = "python3.12"
		43 |   handler          = "sns_to_cloudwatch.handler"
		44 |   source_code_hash = data.archive_file.lambda_function_payload.output_base64sha256
		45 | 
		46 |   environment {
		47 |     variables = {
		48 |       LOG_GROUP_NAME = aws_cloudwatch_log_group.sns_logs.name
		49 |     }
		50 |   }
		51 | 
		52 |   lifecycle {
		53 |     replace_triggered_by = [aws_iam_role.lambda_logging]
		54 |   }
		55 | 
		56 |   tags = local.tags
		57 | }

Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
	FAILED for resource: aws_lambda_function.sns_to_cloudwatch
	File: /ses_logging.tf:37-57
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1

		37 | resource "aws_lambda_function" "sns_to_cloudwatch" {
		38 |   filename         = "${path.module}/lambda/sns_to_cloudwatch/sns_to_cloudwatch.zip"
		39 |   function_name    = "sns_to_cloudwatch"
		40 |   architectures    = ["arm64"]
		41 |   role             = aws_iam_role.lambda_logging.arn
		42 |   runtime          = "python3.12"
		43 |   handler          = "sns_to_cloudwatch.handler"
		44 |   source_code_hash = data.archive_file.lambda_function_payload.output_base64sha256
		45 | 
		46 |   environment {
		47 |     variables = {
		48 |       LOG_GROUP_NAME = aws_cloudwatch_log_group.sns_logs.name
		49 |     }
		50 |   }
		51 | 
		52 |   lifecycle {
		53 |     replace_triggered_by = [aws_iam_role.lambda_logging]
		54 |   }
		55 | 
		56 |   tags = local.tags
		57 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.sns_logs
	File: /ses_logging.tf:59-64
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		59 | resource "aws_cloudwatch_log_group" "sns_logs" {
		60 |   name              = format("%s-ses-logs", local.application_name)
		61 |   retention_in_days = local.application_data.accounts[local.environment].ses_log_retention_days
		62 | 
		63 |   tags = local.tags
		64 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.execution_logs
	File: /ses_logging.tf:66-71
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		66 | resource "aws_cloudwatch_log_group" "execution_logs" {
		67 |   name              = format("/aws/lambda/%s", aws_lambda_function.sns_to_cloudwatch.function_name)
		68 |   retention_in_days = 3
		69 | 
		70 |   tags = local.tags
		71 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.execution_logs
	File: /ses_logging.tf:66-71
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		66 | resource "aws_cloudwatch_log_group" "execution_logs" {
		67 |   name              = format("/aws/lambda/%s", aws_lambda_function.sns_to_cloudwatch.function_name)
		68 |   retention_in_days = 3
		69 | 
		70 |   tags = local.tags
		71 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: module.shield.aws_cloudwatch_log_group.waf[0]
	File: /../../modules/shield_advanced/shield.tf:94-98
	Calling File: /waf.tf:1-55
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		94 | resource "aws_cloudwatch_log_group" "waf" {
		95 |   count             = var.enable_logging ? 1 : 0
		96 |   name              = "aws-waf-logs-${data.external.shield_waf.result["name"]}"
		97 |   retention_in_days = var.log_retention_in_days
		98 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: module.shield.aws_cloudwatch_log_group.waf[0]
	File: /../../modules/shield_advanced/shield.tf:94-98
	Calling File: /waf.tf:1-55
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		94 | resource "aws_cloudwatch_log_group" "waf" {
		95 |   count             = var.enable_logging ? 1 : 0
		96 |   name              = "aws-waf-logs-${data.external.shield_waf.result["name"]}"
		97 |   retention_in_days = var.log_retention_in_days
		98 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.db_app_connection_string_sandbox
	File: /sandbox_secrets.tf:2-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		2  | resource "aws_secretsmanager_secret" "db_app_connection_string_sandbox" {
		3  |   count = local.is-development ? 1 : 0
		4  |   #checkov:skip=CKV_AWS_149
		5  |   name                    = "${var.networking[0].application}-app-connection-string-sandbox"
		6  |   recovery_window_in_days = 0
		7  |   tags = merge(
		8  |     local.tags,
		9  |     {
		10 |       Name = "${var.networking[0].application}-app-connection-string-sandbox"
		11 |     },
		12 |   )
		13 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.db_app_connection_string
	File: /secrets.tf:5-15
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		5  | resource "aws_secretsmanager_secret" "db_app_connection_string" {
		6  |   #checkov:skip=CKV_AWS_149
		7  |   name                    = "${var.networking[0].application}-app-connection-string"
		8  |   recovery_window_in_days = 0
		9  |   tags = merge(
		10 |     local.tags,
		11 |     {
		12 |       Name = "${var.networking[0].application}-app-connection-string"
		13 |     },
		14 |   )
		15 | }

Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
	FAILED for resource: aws_ssm_parameter.app_url
	File: /ssm.tf:2-6
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted

		2 | resource "aws_ssm_parameter" "app_url" {
		3 |   name  = "/${var.networking[0].application}/environment/app-url"
		4 |   type  = "String"
		5 |   value = "https://${local.app_url}/"
		6 | }

Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
	FAILED for resource: aws_db_instance.jitbit
	File: /rds.tf:43-89
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-60

		43 | resource "aws_db_instance" "jitbit" {
		44 |   engine         = "sqlserver-se"
		45 |   license_model  = "license-included"
		46 |   engine_version = local.application_data.accounts[local.environment].db_engine_version
		47 |   instance_class = local.application_data.accounts[local.environment].db_instance_class
		48 |   identifier     = "${local.application_name}-${local.environment}-database"
		49 |   username       = local.application_data.accounts[local.environment].db_user
		50 | 
		51 |   apply_immediately = false
		52 | 
		53 |   manage_master_user_password = true
		54 | 
		55 |   snapshot_identifier = try(local.application_data.accounts[local.environment].db_snapshot_identifier, null)
		56 | 
		57 |   # tflint-ignore: aws_db_instance_default_parameter_group
		58 |   parameter_group_name        = "default.sqlserver-se-15.0"
		59 |   ca_cert_identifier          = local.application_data.accounts[local.environment].db_ca_cert_identifier
		60 |   deletion_protection         = local.application_data.accounts[local.environment].db_deletion_protection
		61 |   delete_automated_backups    = local.application_data.accounts[local.environment].db_delete_automated_backups
		62 |   skip_final_snapshot         = local.skip_final_snapshot
		63 |   final_snapshot_identifier   = !local.skip_final_snapshot ? "${local.application_name}-${local.environment}-database-final-snapshot" : null
		64 |   allocated_storage           = local.application_data.accounts[local.environment].db_allocated_storage
		65 |   max_allocated_storage       = local.application_data.accounts[local.environment].db_max_allocated_storage
		66 |   storage_type                = local.application_data.accounts[local.environment].db_storage_type
		67 |   maintenance_window          = local.application_data.accounts[local.environment].db_maintenance_window
		68 |   auto_minor_version_upgrade  = local.application_data.accounts[local.environment].db_auto_minor_version_upgrade
		69 |   allow_major_version_upgrade = local.application_data.accounts[local.environment].db_allow_major_version_upgrade
		70 |   backup_window               = local.application_data.accounts[local.environment].db_backup_window
		71 |   backup_retention_period     = local.application_data.accounts[local.environment].db_retention_period
		72 |   #checkov:skip=CKV_AWS_133: "backup_retention enabled, can be edited it application_variables.json"
		73 |   iam_database_authentication_enabled = local.application_data.accounts[local.environment].db_iam_database_authentication_enabled
		74 |   #checkov:skip=CKV_AWS_161: "iam auth enabled, but optional"
		75 |   db_subnet_group_name   = aws_db_subnet_group.jitbit.id
		76 |   vpc_security_group_ids = [aws_security_group.database_security_group.id]
		77 |   multi_az               = local.application_data.accounts[local.environment].db_multi_az
		78 |   #checkov:skip=CKV_AWS_157: "multi-az enabled, but optional"
		79 |   monitoring_interval = local.application_data.accounts[local.environment].db_monitoring_interval
		80 |   monitoring_role_arn = local.application_data.accounts[local.environment].db_monitoring_interval == 0 ? "" : aws_iam_role.rds_enhanced_monitoring[0].arn
		81 |   #checkov:skip=CKV_AWS_118: "enhanced monitoring is enabled, but optional"
		82 |   storage_encrypted               = true
		83 |   performance_insights_enabled    = local.application_data.accounts[local.environment].db_performance_insights_enabled
		84 |   performance_insights_kms_key_id = "" #tfsec:ignore:aws-rds-enable-performance-insights-encryption Left empty so that it will run, however should be populated with real key in scenario.
		85 |   enabled_cloudwatch_logs_exports = local.application_data.accounts[local.environment].db_enabled_cloudwatch_logs_exports
		86 |   tags = merge(local.tags,
		87 |     { Name = lower(format("%s-%s-database", local.application_name, local.environment)) }
		88 |   )
		89 | }

Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
	FAILED for resource: aws_db_instance.jitbit_sandbox
	File: /sandbox_rds.tf:27-71
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-60

		27 | resource "aws_db_instance" "jitbit_sandbox" {
		28 |   count = local.is-development ? 1 : 0
		29 | 
		30 |   engine         = "sqlserver-se"
		31 |   license_model  = "license-included"
		32 |   engine_version = local.application_data.accounts["sandbox"].db_engine_version
		33 |   instance_class = local.application_data.accounts["sandbox"].db_instance_class
		34 |   identifier     = "${local.application_name}-sandbox-database"
		35 |   username       = local.application_data.accounts["sandbox"].db_user
		36 | 
		37 |   manage_master_user_password = true
		38 | 
		39 |   snapshot_identifier = try(local.application_data.accounts["sandbox"].db_snapshot_identifier, null)
		40 | 
		41 |   # tflint-ignore: aws_db_instance_default_parameter_group
		42 |   parameter_group_name        = "default.sqlserver-se-15.0"
		43 |   ca_cert_identifier          = local.application_data.accounts["sandbox"].db_ca_cert_identifier
		44 |   deletion_protection         = local.application_data.accounts["sandbox"].db_deletion_protection
		45 |   delete_automated_backups    = local.application_data.accounts["sandbox"].db_delete_automated_backups
		46 |   skip_final_snapshot         = local.application_data.accounts["sandbox"].db_skip_final_snapshot
		47 |   final_snapshot_identifier   = !local.skip_final_snapshot ? "${local.application_name}-sandbox-database-final-snapshot" : null
		48 |   allocated_storage           = local.application_data.accounts["sandbox"].db_allocated_storage
		49 |   max_allocated_storage       = local.application_data.accounts["sandbox"].db_max_allocated_storage
		50 |   storage_type                = local.application_data.accounts["sandbox"].db_storage_type
		51 |   maintenance_window          = local.application_data.accounts["sandbox"].db_maintenance_window
		52 |   auto_minor_version_upgrade  = local.application_data.accounts["sandbox"].db_auto_minor_version_upgrade
		53 |   allow_major_version_upgrade = local.application_data.accounts["sandbox"].db_allow_major_version_upgrade
		54 |   backup_window               = local.application_data.accounts["sandbox"].db_backup_window
		55 |   backup_retention_period     = local.application_data.accounts["sandbox"].db_retention_period
		56 |   #checkov:skip=CKV_AWS_133: "backup_retention enabled, can be edited it application_variables.json"
		57 |   iam_database_authentication_enabled = local.application_data.accounts["sandbox"].db_iam_database_authentication_enabled
		58 |   #checkov:skip=CKV_AWS_161: "iam auth enabled, but optional"
		59 |   db_subnet_group_name   = aws_db_subnet_group.jitbit.id
		60 |   vpc_security_group_ids = [aws_security_group.database_security_group_sandbox[0].id]
		61 |   multi_az               = local.application_data.accounts["sandbox"].db_multi_az
		62 |   #checkov:skip=CKV_AWS_157: "multi-az enabled, but optional"
		63 |   storage_encrypted = true
		64 | 
		65 |   tags = merge(
		66 |     local.tags,
		67 |     {
		68 |       Name = lower(format("%s-%s-database", local.application_name, "sandbox"))
		69 |     }
		70 |   )
		71 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.jitbit
	File: /ecs.tf:53-62
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		53 | resource "aws_security_group" "jitbit" {
		54 |   vpc_id      = data.aws_vpc.shared.id
		55 |   name        = format("hmpps-%s-%s-service", local.environment, local.application_name)
		56 |   description = "Security group for the ${local.application_name} service"
		57 |   tags        = local.tags
		58 | 
		59 |   lifecycle {
		60 |     create_before_destroy = true
		61 |   }
		62 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.jitbit_sandbox
	File: /sandbox_ecs.tf:55-66
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		55 | resource "aws_security_group" "jitbit_sandbox" {
		56 |   count = local.is-development ? 1 : 0
		57 | 
		58 |   vpc_id      = data.aws_vpc.shared.id
		59 |   name        = format("hmpps-%s-%s-service", "sandbox", local.application_name)
		60 |   description = "Security group for the ${local.application_name} service"
		61 |   tags        = local.tags
		62 | 
		63 |   lifecycle {
		64 |     create_before_destroy = true
		65 |   }
		66 | }


checkov_exitcode=1

*****************************

Running Checkov in terraform/environments/oasys
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-11-22 09:37:28,732 [MainThread  ] [WARNI]  Failed updating attribute for key: ssm_parameters./oam and value {'parameters': '{for oam_link in coalesce(${merge({\'cloudwatch_dashboard_default_widget_groups\': [\'ec2\', \'ec2_autoscaling_group_linux\', \'ec2_instance_linux\', \'ec2_instance_oracle_db_with_backup\', \'ec2_instance_textfile_monitoring\', \'ec2_linux\', \'lb\'], \'cloudwatch_metric_alarms_default_actions\': \'pagerduty\', \'cloudwatch_metric_oam_links\': \'hmpps-oem-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'cloudwatch_metric_oam_links_ssm_parameters\': \'hmpps-oem-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'db_backup_more_permissions\': True, \'enable_backup_plan_daily_and_weekly\': True, \'enable_business_unit_kms_cmks\': True, \'enable_ec2_cloud_watch_agent\': True, \'enable_ec2_oracle_enterprise_managed_server\': True, \'enable_ec2_self_provision\': True, \'enable_ec2_session_manager_cloudwatch_logs\': True, \'enable_ec2_ssm_agent_update\': True, \'enable_ec2_user_keypair\': True, \'enable_image_builder\': True, \'enable_s3_bucket\': True, \'enable_s3_db_backup_bucket\': True, \'enable_s3_shared_bucket\': True, \'enable_vmimport\': True, \'s3_bucket_name\': \'oasys-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'s3_iam_policies\': \'EC2S3BucketWriteAndDeleteAccessPolicy\'},[])},[]) : oam_link :> {\'description\': \'oam sink_identifier to use in aws_oam_link resource\'}}'} forvertex attributes {'ssm_parameters': {'/azure': {'parameters': {'sas_token': {'description': 'database backup storage account read-only sas token'}}}, '/oam': {'parameters': '{for oam_link in coalesce(${merge({\'cloudwatch_dashboard_default_widget_groups\': [\'ec2\', \'ec2_autoscaling_group_linux\', \'ec2_instance_linux\', \'ec2_instance_oracle_db_with_backup\', \'ec2_instance_textfile_monitoring\', \'ec2_linux\', \'lb\'], \'cloudwatch_metric_alarms_default_actions\': \'pagerduty\', \'cloudwatch_metric_oam_links\': \'hmpps-oem-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'cloudwatch_metric_oam_links_ssm_parameters\': \'hmpps-oem-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'db_backup_more_permissions\': True, \'enable_backup_plan_daily_and_weekly\': True, \'enable_business_unit_kms_cmks\': True, \'enable_ec2_cloud_watch_agent\': True, \'enable_ec2_oracle_enterprise_managed_server\': True, \'enable_ec2_self_provision\': True, \'enable_ec2_session_manager_cloudwatch_logs\': True, \'enable_ec2_ssm_agent_update\': True, \'enable_ec2_user_keypair\': True, \'enable_image_builder\': True, \'enable_s3_bucket\': True, \'enable_s3_db_backup_bucket\': True, \'enable_s3_shared_bucket\': True, \'enable_vmimport\': True, \'s3_bucket_name\': \'oasys-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'s3_iam_policies\': \'EC2S3BucketWriteAndDeleteAccessPolicy\'},[])},[]) : oam_link :> {\'description\': \'oam sink_identifier to use in aws_oam_link resource\'}}'}, 'account': {'parameters': {'ids': {'description': 'Selected modernisation platform AWS account IDs managed by baseline module', 'value': 'jsonencode({for key , value in ${module.environment} : key :> value if contains(local.account_names_for_account_ids_ssm_parameter,key)})'}}, 'postfix': '_'}, 'cloud-watch-config': {'parameters': {'windows': {'description': 'cloud watch agent config for windows managed by baseline module', 'file': './templates/cloud_watch_windows.json', 'type': 'String'}}, 'postfix': '-'}}, 'ssm_parameters./azure': {'parameters': {'sas_token': {'description': 'database backup storage account read-only sas token'}}}, 'ssm_parameters./azure.parameters': {'sas_token': {'description': 'database backup storage account read-only sas token'}}, 'ssm_parameters./azure.parameters.sas_token': {'description': 'database backup storage account read-only sas token'}, 'ssm_parameters./azure.parameters.sas_token.description': 'database backup storage account read-only sas token', 'ssm_parameters./oam': {'parameters': '{for oam_link in coalesce(${merge({\'cloudwatch_dashboard_default_widget_groups\': [\'ec2\', \'ec2_autoscaling_group_linux\', \'ec2_instance_linux\', \'ec2_instance_oracle_db_with_backup\', \'ec2_instance_textfile_monitoring\', \'ec2_linux\', \'lb\'], \'cloudwatch_metric_alarms_default_actions\': \'pagerduty\', \'cloudwatch_metric_oam_links\': \'hmpps-oem-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'cloudwatch_metric_oam_links_ssm_parameters\': \'hmpps-oem-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'db_backup_more_permissions\': True, \'enable_backup_plan_daily_and_weekly\': True, \'enable_business_unit_kms_cmks\': True, \'enable_ec2_cloud_watch_agent\': True, \'enable_ec2_oracle_enterprise_managed_server\': True, \'enable_ec2_self_provision\': True, \'enable_ec2_session_manager_cloudwatch_logs\': True, \'enable_ec2_ssm_agent_update\': True, \'enable_ec2_user_keypair\': True, \'enable_image_builder\': True, \'enable_s3_bucket\': True, \'enable_s3_db_backup_bucket\': True, \'enable_s3_shared_bucket\': True, \'enable_vmimport\': True, \'s3_bucket_name\': \'oasys-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'s3_iam_policies\': \'EC2S3BucketWriteAndDeleteAccessPolicy\'},[])},[]) : oam_link :> {\'description\': \'oam sink_identifier to use in aws_oam_link resource\'}}'}, 'ssm_parameters./oam.parameters': '{for oam_link in coalesce(${merge({\'cloudwatch_dashboard_default_widget_groups\': [\'ec2\', \'ec2_autoscaling_group_linux\', \'ec2_instance_linux\', \'ec2_instance_oracle_db_with_backup\', \'ec2_instance_textfile_monitoring\', \'ec2_linux\', \'lb\'], \'cloudwatch_metric_alarms_default_actions\': \'pagerduty\', \'cloudwatch_metric_oam_links\': \'hmpps-oem-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'cloudwatch_metric_oam_links_ssm_parameters\': \'hmpps-oem-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'db_backup_more_permissions\': True, \'enable_backup_plan_daily_and_weekly\': True, \'enable_business_unit_kms_cmks\': True, \'enable_ec2_cloud_watch_agent\': True, \'enable_ec2_oracle_enterprise_managed_server\': True, \'enable_ec2_self_provision\': True, \'enable_ec2_session_manager_cloudwatch_logs\': True, \'enable_ec2_ssm_agent_update\': True, \'enable_ec2_user_keypair\': True, \'enable_image_builder\': True, \'enable_s3_bucket\': True, \'enable_s3_db_backup_bucket\': True, \'enable_s3_shared_bucket\': True, \'enable_vmimport\': True, \'s3_bucket_name\': \'oasys-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'s3_iam_policies\': \'EC2S3BucketWriteAndDeleteAccessPolicy\'},[])},[]) : oam_link :> {\'description\': \'oam sink_identifier to use in aws_oam_link resource\'}}', 'ssm_parameters.account': {'parameters': {'ids': {'description': 'Selected modernisation platform AWS account IDs managed by baseline module', 'value': 'jsonencode({for key , value in ${module.environment} : key :> value if contains(local.account_names_for_account_ids_ssm_parameter,key)})'}}, 'postfix': '_'}, 'ssm_parameters.account.parameters': {'ids': {'description': 'Selected modernisation platform AWS account IDs managed by baseline module', 'value': 'jsonencode({for key , value in ${module.environment} : key :> value if contains(local.account_names_for_account_ids_ssm_parameter,key)})'}}, 'ssm_parameters.account.parameters.ids': {'description': 'Selected modernisation platform AWS account IDs managed by baseline module', 'value': 'jsonencode({for key , value in ${module.environment} : key :> value if contains(local.account_names_for_account_ids_ssm_parameter,key)})'}, 'ssm_parameters.account.parameters.ids.description': 'Selected modernisation platform AWS account IDs managed by baseline module', 'ssm_parameters.account.parameters.ids.value': 'jsonencode({for key , value in ${module.environment} : key :> value if contains(local.account_names_for_account_ids_ssm_parameter,key)})', 'ssm_parameters.account.postfix': '_', 'ssm_parameters.cloud-watch-config': {'parameters': {'windows': {'description': 'cloud watch agent config for windows managed by baseline module', 'file': './templates/cloud_watch_windows.json', 'type': 'String'}}, 'postfix': '-'}, 'ssm_parameters.cloud-watch-config.parameters': {'windows': {'description': 'cloud watch agent config for windows managed by baseline module', 'file': './templates/cloud_watch_windows.json', 'type': 'String'}}, 'ssm_parameters.cloud-watch-config.parameters.windows': {'description': 'cloud watch agent config for windows managed by baseline module', 'file': './templates/cloud_watch_windows.json', 'type': 'String'}, 'ssm_parameters.cloud-watch-config.parameters.windows.description': 'cloud watch agent config for windows managed by baseline module', 'ssm_parameters.cloud-watch-config.parameters.windows.file': './templates/cloud_watch_windows.json', 'ssm_parameters.cloud-watch-config.parameters.windows.type': 'String', 'ssm_parameters.cloud-watch-config.postfix': '-'}. Falling back to explicitly setting it.Exception - Parse error at 1:16 near token / (SORT_DIRECTION)
2024-11-22 09:37:29,314 [MainThread  ] [WARNI]  Failed updating attribute for key: secretsmanager_secrets./ec2/.ssh and value {'recovery_window_in_days': 7} forvertex attributes {'secretsmanager_secrets': {'/ec2/.ssh': {'recovery_window_in_days': 7, 'secrets': {'ec2-user': {'description': 'Private key for ec2-user key pair'}}}}, 'secretsmanager_secrets./ec2/.ssh': {'recovery_window_in_days': 7, 'secrets': {'ec2-user': {'description': 'Private key for ec2-user key pair'}}}, 'secretsmanager_secrets./ec2/.ssh.recovery_window_in_days': 7, 'secretsmanager_secrets./ec2/.ssh.secrets': {'ec2-user': {'description': 'Private key for ec2-user key pair'}}, 'secretsmanager_secrets./ec2/.ssh.secrets.ec2-user': {'description': 'Private key for ec2-user key pair'}, 'secretsmanager_secrets./ec2/.ssh.secrets.ec2-user.description': 'Private key for ec2-user key pair'}. Falling back to explicitly setting it.Exception - Parse error at 1:24 near token / (SORT_DIRECTION)
2024-11-22 09:37:33,229 [MainThread  ] [WARNI]  Failed updating attribute for key: ssm_parameters./oam and value {'parameters': '{for oam_link in coalesce(${merge({\'cloudwatch_dashboard_default_widget_groups\': [\'ec2\', \'ec2_autoscaling_group_linux\', \'ec2_instance_linux\', \'ec2_instance_oracle_db_with_backup\', \'ec2_instance_textfile_monitoring\', \'ec2_linux\', \'lb\'], \'cloudwatch_metric_alarms_default_actions\': \'pagerduty\', \'cloudwatch_metric_oam_links\': \'hmpps-oem-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'cloudwatch_metric_oam_links_ssm_parameters\': \'hmpps-oem-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'db_backup_more_permissions\': True, \'enable_backup_plan_daily_and_weekly\': True, \'enable_business_unit_kms_cmks\': True, \'enable_ec2_cloud_watch_agent\': True, \'enable_ec2_oracle_enterprise_managed_server\': True, \'enable_ec2_self_provision\': True, \'enable_ec2_session_manager_cloudwatch_logs\': True, \'enable_ec2_ssm_agent_update\': True, \'enable_ec2_user_keypair\': True, \'enable_image_builder\': True, \'enable_s3_bucket\': True, \'enable_s3_db_backup_bucket\': True, \'enable_s3_shared_bucket\': True, \'enable_vmimport\': True, \'s3_bucket_name\': \'oasys-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'s3_iam_policies\': \'EC2S3BucketWriteAndDeleteAccessPolicy\'},[])},[]) : oam_link :> {\'description\': \'oam sink_identifier to use in aws_oam_link resource\'}}'} forvertex attributes {'ssm_parameters': {'/azure': {'parameters': {'sas_token': {'description': 'database backup storage account read-only sas token'}}}, '/oam': {'parameters': '{for oam_link in coalesce(${merge({\'cloudwatch_dashboard_default_widget_groups\': [\'ec2\', \'ec2_autoscaling_group_linux\', \'ec2_instance_linux\', \'ec2_instance_oracle_db_with_backup\', \'ec2_instance_textfile_monitoring\', \'ec2_linux\', \'lb\'], \'cloudwatch_metric_alarms_default_actions\': \'pagerduty\', \'cloudwatch_metric_oam_links\': \'hmpps-oem-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'cloudwatch_metric_oam_links_ssm_parameters\': \'hmpps-oem-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'db_backup_more_permissions\': True, \'enable_backup_plan_daily_and_weekly\': True, \'enable_business_unit_kms_cmks\': True, \'enable_ec2_cloud_watch_agent\': True, \'enable_ec2_oracle_enterprise_managed_server\': True, \'enable_ec2_self_provision\': True, \'enable_ec2_session_manager_cloudwatch_logs\': True, \'enable_ec2_ssm_agent_update\': True, \'enable_ec2_user_keypair\': True, \'enable_image_builder\': True, \'enable_s3_bucket\': True, \'enable_s3_db_backup_bucket\': True, \'enable_s3_shared_bucket\': True, \'enable_vmimport\': True, \'s3_bucket_name\': \'oasys-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'s3_iam_policies\': \'EC2S3BucketWriteAndDeleteAccessPolicy\'},[])},[]) : oam_link :> {\'description\': \'oam sink_identifier to use in aws_oam_link resource\'}}'}, 'account': {'parameters': {'ids': {'description': 'Selected modernisation platform AWS account IDs managed by baseline module', 'value': 'jsonencode({for key , value in ${module.environment} : key :> value if contains(local.account_names_for_account_ids_ssm_parameter,key)})'}}, 'postfix': '_'}, 'cloud-watch-config': {'parameters': {'windows': {'description': 'cloud watch agent config for windows managed by baseline module', 'file': './templates/cloud_watch_windows.json', 'type': 'String'}}, 'postfix': '-'}}, 'ssm_parameters./azure': {'parameters': {'sas_token': {'description': 'database backup storage account read-only sas token'}}}, 'ssm_parameters./azure.parameters': {'sas_token': {'description': 'database backup storage account read-only sas token'}}, 'ssm_parameters./azure.parameters.sas_token': {'description': 'database backup storage account read-only sas token'}, 'ssm_parameters./azure.parameters.sas_token.description': 'database backup storage account read-only sas token', 'ssm_parameters./oam': {'parameters': '{for oam_link in coalesce(${merge({\'cloudwatch_dashboard_default_widget_groups\': [\'ec2\', \'ec2_autoscaling_group_linux\', \'ec2_instance_linux\', \'ec2_instance_oracle_db_with_backup\', \'ec2_instance_textfile_monitoring\', \'ec2_linux\', \'lb\'], \'cloudwatch_metric_alarms_default_actions\': \'pagerduty\', \'cloudwatch_metric_oam_links\': \'hmpps-oem-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'cloudwatch_metric_oam_links_ssm_parameters\': \'hmpps-oem-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'db_backup_more_permissions\': True, \'enable_backup_plan_daily_and_weekly\': True, \'enable_business_unit_kms_cmks\': True, \'enable_ec2_cloud_watch_agent\': True, \'enable_ec2_oracle_enterprise_managed_server\': True, \'enable_ec2_self_provision\': True, \'enable_ec2_session_manager_cloudwatch_logs\': True, \'enable_ec2_ssm_agent_update\': True, \'enable_ec2_user_keypair\': True, \'enable_image_builder\': True, \'enable_s3_bucket\': True, \'enable_s3_db_backup_bucket\': True, \'enable_s3_shared_bucket\': True, \'enable_vmimport\': True, \'s3_bucket_name\': \'oasys-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'s3_iam_policies\': \'EC2S3BucketWriteAndDeleteAccessPolicy\'},[])},[]) : oam_link :> {\'description\': \'oam sink_identifier to use in aws_oam_link resource\'}}'}, 'ssm_parameters./oam.parameters': '{for oam_link in coalesce(${merge({\'cloudwatch_dashboard_default_widget_groups\': [\'ec2\', \'ec2_autoscaling_group_linux\', \'ec2_instance_linux\', \'ec2_instance_oracle_db_with_backup\', \'ec2_instance_textfile_monitoring\', \'ec2_linux\', \'lb\'], \'cloudwatch_metric_alarms_default_actions\': \'pagerduty\', \'cloudwatch_metric_oam_links\': \'hmpps-oem-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'cloudwatch_metric_oam_links_ssm_parameters\': \'hmpps-oem-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'db_backup_more_permissions\': True, \'enable_backup_plan_daily_and_weekly\': True, \'enable_business_unit_kms_cmks\': True, \'enable_ec2_cloud_watch_agent\': True, \'enable_ec2_oracle_enterprise_managed_server\': True, \'enable_ec2_self_provision\': True, \'enable_ec2_session_manager_cloudwatch_logs\': True, \'enable_ec2_ssm_agent_update\': True, \'enable_ec2_user_keypair\': True, \'enable_image_builder\': True, \'enable_s3_bucket\': True, \'enable_s3_db_backup_bucket\': True, \'enable_s3_shared_bucket\': True, \'enable_vmimport\': True, \'s3_bucket_name\': \'oasys-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'s3_iam_policies\': \'EC2S3BucketWriteAndDeleteAccessPolicy\'},[])},[]) : oam_link :> {\'description\': \'oam sink_identifier to use in aws_oam_link resource\'}}', 'ssm_parameters.account': {'parameters': {'ids': {'description': 'Selected modernisation platform AWS account IDs managed by baseline module', 'value': 'jsonencode({for key , value in ${module.environment} : key :> value if contains(local.account_names_for_account_ids_ssm_parameter,key)})'}}, 'postfix': '_'}, 'ssm_parameters.account.parameters': {'ids': {'description': 'Selected modernisation platform AWS account IDs managed by baseline module', 'value': 'jsonencode({for key , value in ${module.environment} : key :> value if contains(local.account_names_for_account_ids_ssm_parameter,key)})'}}, 'ssm_parameters.account.parameters.ids': {'description': 'Selected modernisation platform AWS account IDs managed by baseline module', 'value': 'jsonencode({for key , value in ${module.environment} : key :> value if contains(local.account_names_for_account_ids_ssm_parameter,key)})'}, 'ssm_parameters.account.parameters.ids.description': 'Selected modernisation platform AWS account IDs managed by baseline module', 'ssm_parameters.account.parameters.ids.value': 'jsonencode({for key , value in ${module.environment} : key :> value if contains(local.account_names_for_account_ids_ssm_parameter,key)})', 'ssm_parameters.account.postfix': '_', 'ssm_parameters.cloud-watch-config': {'parameters': {'windows': {'description': 'cloud watch agent config for windows managed by baseline module', 'file': './templates/cloud_watch_windows.json', 'type': 'String'}}, 'postfix': '-'}, 'ssm_parameters.cloud-watch-config.parameters': {'windows': {'description': 'cloud watch agent config for windows managed by baseline module', 'file': './templates/cloud_watch_windows.json', 'type': 'String'}}, 'ssm_parameters.cloud-watch-config.parameters.windows': {'description': 'cloud watch agent config for windows managed by baseline module', 'file': './templates/cloud_watch_windows.json', 'type': 'String'}, 'ssm_parameters.cloud-watch-config.parameters.windows.description': 'cloud watch agent config for windows managed by baseline module', 'ssm_parameters.cloud-watch-config.parameters.windows.file': './templates/cloud_watch_windows.json', 'ssm_parameters.cloud-watch-config.parameters.windows.type': 'String', 'ssm_parameters.cloud-watch-config.postfix': '-'}. Falling back to explicitly setting it.Exception - Parse error at 1:16 near token / (SORT_DIRECTION)
2024-11-22 09:37:33,261 [MainThread  ] [WARNI]  Failed updating attribute for key: secretsmanager_secrets./ec2/.ssh and value {'recovery_window_in_days': 7} forvertex attributes {'secretsmanager_secrets': {'/ec2/.ssh': {'recovery_window_in_days': 7, 'secrets': {'ec2-user': {'description': 'Private key for ec2-user key pair'}}}}, 'secretsmanager_secrets./ec2/.ssh': {'recovery_window_in_days': 7, 'secrets': {'ec2-user': {'description': 'Private key for ec2-user key pair'}}}, 'secretsmanager_secrets./ec2/.ssh.recovery_window_in_days': 7, 'secretsmanager_secrets./ec2/.ssh.secrets': {'ec2-user': {'description': 'Private key for ec2-user key pair'}}, 'secretsmanager_secrets./ec2/.ssh.secrets.ec2-user': {'description': 'Private key for ec2-user key pair'}, 'secretsmanager_secrets./ec2/.ssh.secrets.ec2-user.description': 'Private key for ec2-user key pair'}. Falling back to explicitly setting it.Exception - Parse error at 1:24 near token / (SORT_DIRECTION)
2024-11-22 09:37:34,505 [MainThread  ] [WARNI]  Failed updating attribute for key: ssm_parameters./oam and value {'parameters': '{for oam_link in coalesce(${merge({\'cloudwatch_dashboard_default_widget_groups\': [\'ec2\', \'ec2_autoscaling_group_linux\', \'ec2_instance_linux\', \'ec2_instance_oracle_db_with_backup\', \'ec2_instance_textfile_monitoring\', \'ec2_linux\', \'lb\'], \'cloudwatch_metric_alarms_default_actions\': \'pagerduty\', \'cloudwatch_metric_oam_links\': \'hmpps-oem-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'cloudwatch_metric_oam_links_ssm_parameters\': \'hmpps-oem-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'db_backup_more_permissions\': True, \'enable_backup_plan_daily_and_weekly\': True, \'enable_business_unit_kms_cmks\': True, \'enable_ec2_cloud_watch_agent\': True, \'enable_ec2_oracle_enterprise_managed_server\': True, \'enable_ec2_self_provision\': True, \'enable_ec2_session_manager_cloudwatch_logs\': True, \'enable_ec2_ssm_agent_update\': True, \'enable_ec2_user_keypair\': True, \'enable_image_builder\': True, \'enable_s3_bucket\': True, \'enable_s3_db_backup_bucket\': True, \'enable_s3_shared_bucket\': True, \'enable_vmimport\': True, \'s3_bucket_name\': \'oasys-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'s3_iam_policies\': \'EC2S3BucketWriteAndDeleteAccessPolicy\'},[])},[]) : oam_link :> {\'description\': \'oam sink_identifier to use in aws_oam_link resource\'}}'} forvertex attributes {'ssm_parameters': {'/azure': {'parameters': {'sas_token': {'description': 'database backup storage account read-only sas token'}}}, '/oam': {'parameters': '{for oam_link in coalesce(${merge({\'cloudwatch_dashboard_default_widget_groups\': [\'ec2\', \'ec2_autoscaling_group_linux\', \'ec2_instance_linux\', \'ec2_instance_oracle_db_with_backup\', \'ec2_instance_textfile_monitoring\', \'ec2_linux\', \'lb\'], \'cloudwatch_metric_alarms_default_actions\': \'pagerduty\', \'cloudwatch_metric_oam_links\': \'hmpps-oem-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'cloudwatch_metric_oam_links_ssm_parameters\': \'hmpps-oem-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'db_backup_more_permissions\': True, \'enable_backup_plan_daily_and_weekly\': True, \'enable_business_unit_kms_cmks\': True, \'enable_ec2_cloud_watch_agent\': True, \'enable_ec2_oracle_enterprise_managed_server\': True, \'enable_ec2_self_provision\': True, \'enable_ec2_session_manager_cloudwatch_logs\': True, \'enable_ec2_ssm_agent_update\': True, \'enable_ec2_user_keypair\': True, \'enable_image_builder\': True, \'enable_s3_bucket\': True, \'enable_s3_db_backup_bucket\': True, \'enable_s3_shared_bucket\': True, \'enable_vmimport\': True, \'s3_bucket_name\': \'oasys-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'s3_iam_policies\': \'EC2S3BucketWriteAndDeleteAccessPolicy\'},[])},[]) : oam_link :> {\'description\': \'oam sink_identifier to use in aws_oam_link resource\'}}'}, 'account': {'parameters': {'ids': {'description': 'Selected modernisation platform AWS account IDs managed by baseline module', 'value': 'jsonencode({for key , value in ${module.environment} : key :> value if contains(local.account_names_for_account_ids_ssm_parameter,key)})'}}, 'postfix': '_'}, 'cloud-watch-config': {'parameters': {'windows': {'description': 'cloud watch agent config for windows managed by baseline module', 'file': './templates/cloud_watch_windows.json', 'type': 'String'}}, 'postfix': '-'}}, 'ssm_parameters./azure': {'parameters': {'sas_token': {'description': 'database backup storage account read-only sas token'}}}, 'ssm_parameters./azure.parameters': {'sas_token': {'description': 'database backup storage account read-only sas token'}}, 'ssm_parameters./azure.parameters.sas_token': {'description': 'database backup storage account read-only sas token'}, 'ssm_parameters./azure.parameters.sas_token.description': 'database backup storage account read-only sas token', 'ssm_parameters./oam': {'parameters': '{for oam_link in coalesce(${merge({\'cloudwatch_dashboard_default_widget_groups\': [\'ec2\', \'ec2_autoscaling_group_linux\', \'ec2_instance_linux\', \'ec2_instance_oracle_db_with_backup\', \'ec2_instance_textfile_monitoring\', \'ec2_linux\', \'lb\'], \'cloudwatch_metric_alarms_default_actions\': \'pagerduty\', \'cloudwatch_metric_oam_links\': \'hmpps-oem-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'cloudwatch_metric_oam_links_ssm_parameters\': \'hmpps-oem-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'db_backup_more_permissions\': True, \'enable_backup_plan_daily_and_weekly\': True, \'enable_business_unit_kms_cmks\': True, \'enable_ec2_cloud_watch_agent\': True, \'enable_ec2_oracle_enterprise_managed_server\': True, \'enable_ec2_self_provision\': True, \'enable_ec2_session_manager_cloudwatch_logs\': True, \'enable_ec2_ssm_agent_update\': True, \'enable_ec2_user_keypair\': True, \'enable_image_builder\': True, \'enable_s3_bucket\': True, \'enable_s3_db_backup_bucket\': True, \'enable_s3_shared_bucket\': True, \'enable_vmimport\': True, \'s3_bucket_name\': \'oasys-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'s3_iam_policies\': \'EC2S3BucketWriteAndDeleteAccessPolicy\'},[])},[]) : oam_link :> {\'description\': \'oam sink_identifier to use in aws_oam_link resource\'}}'}, 'ssm_parameters./oam.parameters': '{for oam_link in coalesce(${merge({\'cloudwatch_dashboard_default_widget_groups\': [\'ec2\', \'ec2_autoscaling_group_linux\', \'ec2_instance_linux\', \'ec2_instance_oracle_db_with_backup\', \'ec2_instance_textfile_monitoring\', \'ec2_linux\', \'lb\'], \'cloudwatch_metric_alarms_default_actions\': \'pagerduty\', \'cloudwatch_metric_oam_links\': \'hmpps-oem-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'cloudwatch_metric_oam_links_ssm_parameters\': \'hmpps-oem-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'db_backup_more_permissions\': True, \'enable_backup_plan_daily_and_weekly\': True, \'enable_business_unit_kms_cmks\': True, \'enable_ec2_cloud_watch_agent\': True, \'enable_ec2_oracle_enterprise_managed_server\': True, \'enable_ec2_self_provision\': True, \'enable_ec2_session_manager_cloudwatch_logs\': True, \'enable_ec2_ssm_agent_update\': True, \'enable_ec2_user_keypair\': True, \'enable_image_builder\': True, \'enable_s3_bucket\': True, \'enable_s3_db_backup_bucket\': True, \'enable_s3_shared_bucket\': True, \'enable_vmimport\': True, \'s3_bucket_name\': \'oasys-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'s3_iam_policies\': \'EC2S3BucketWriteAndDeleteAccessPolicy\'},[])},[]) : oam_link :> {\'description\': \'oam sink_identifier to use in aws_oam_link resource\'}}', 'ssm_parameters.account': {'parameters': {'ids': {'description': 'Selected modernisation platform AWS account IDs managed by baseline module', 'value': 'jsonencode({for key , value in ${module.environment} : key :> value if contains(local.account_names_for_account_ids_ssm_parameter,key)})'}}, 'postfix': '_'}, 'ssm_parameters.account.parameters': {'ids': {'description': 'Selected modernisation platform AWS account IDs managed by baseline module', 'value': 'jsonencode({for key , value in ${module.environment} : key :> value if contains(local.account_names_for_account_ids_ssm_parameter,key)})'}}, 'ssm_parameters.account.parameters.ids': {'description': 'Selected modernisation platform AWS account IDs managed by baseline module', 'value': 'jsonencode({for key , value in ${module.environment} : key :> value if contains(local.account_names_for_account_ids_ssm_parameter,key)})'}, 'ssm_parameters.account.parameters.ids.description': 'Selected modernisation platform AWS account IDs managed by baseline module', 'ssm_parameters.account.parameters.ids.value': 'jsonencode({for key , value in ${module.environment} : key :> value if contains(local.account_names_for_account_ids_ssm_parameter,key)})', 'ssm_parameters.account.postfix': '_', 'ssm_parameters.cloud-watch-config': {'parameters': {'windows': {'description': 'cloud watch agent config for windows managed by baseline module', 'file': './templates/cloud_watch_windows.json', 'type': 'String'}}, 'postfix': '-'}, 'ssm_parameters.cloud-watch-config.parameters': {'windows': {'description': 'cloud watch agent config for windows managed by baseline module', 'file': './templates/cloud_watch_windows.json', 'type': 'String'}}, 'ssm_parameters.cloud-watch-config.parameters.windows': {'description': 'cloud watch agent config for windows managed by baseline module', 'file': './templates/cloud_watch_windows.json', 'type': 'String'}, 'ssm_parameters.cloud-watch-config.parameters.windows.description': 'cloud watch agent config for windows managed by baseline module', 'ssm_parameters.cloud-watch-config.parameters.windows.file': './templates/cloud_watch_windows.json', 'ssm_parameters.cloud-watch-config.parameters.windows.type': 'String', 'ssm_parameters.cloud-watch-config.postfix': '-'}. Falling back to explicitly setting it.Exception - Parse error at 1:16 near token / (SORT_DIRECTION)
2024-11-22 09:37:34,536 [MainThread  ] [WARNI]  Failed updating attribute for key: secretsmanager_secrets./ec2/.ssh and value {'recovery_window_in_days': 7} forvertex attributes {'secretsmanager_secrets': {'/ec2/.ssh': {'recovery_window_in_days': 7, 'secrets': {'ec2-user': {'description': 'Private key for ec2-user key pair'}}}}, 'secretsmanager_secrets./ec2/.ssh': {'recovery_window_in_days': 7, 'secrets': {'ec2-user': {'description': 'Private key for ec2-user key pair'}}}, 'secretsmanager_secrets./ec2/.ssh.recovery_window_in_days': 7, 'secretsmanager_secrets./ec2/.ssh.secrets': {'ec2-user': {'description': 'Private key for ec2-user key pair'}}, 'secretsmanager_secrets./ec2/.ssh.secrets.ec2-user': {'description': 'Private key for ec2-user key pair'}, 'secretsmanager_secrets./ec2/.ssh.secrets.ec2-user.description': 'Private key for ec2-user key pair'}. Falling back to explicitly setting it.Exception - Parse error at 1:24 near token / (SORT_DIRECTION)
2024-11-22 09:37:35,599 [MainThread  ] [WARNI]  Failed updating attribute for key: ssm_parameters./oam and value {'parameters': '{for oam_link in coalesce(${merge({\'cloudwatch_dashboard_default_widget_groups\': [\'ec2\', \'ec2_autoscaling_group_linux\', \'ec2_instance_linux\', \'ec2_instance_oracle_db_with_backup\', \'ec2_instance_textfile_monitoring\', \'ec2_linux\', \'lb\'], \'cloudwatch_metric_alarms_default_actions\': \'pagerduty\', \'cloudwatch_metric_oam_links\': \'hmpps-oem-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'cloudwatch_metric_oam_links_ssm_parameters\': \'hmpps-oem-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'db_backup_more_permissions\': True, \'enable_backup_plan_daily_and_weekly\': True, \'enable_business_unit_kms_cmks\': True, \'enable_ec2_cloud_watch_agent\': True, \'enable_ec2_oracle_enterprise_managed_server\': True, \'enable_ec2_self_provision\': True, \'enable_ec2_session_manager_cloudwatch_logs\': True, \'enable_ec2_ssm_agent_update\': True, \'enable_ec2_user_keypair\': True, \'enable_image_builder\': True, \'enable_s3_bucket\': True, \'enable_s3_db_backup_bucket\': True, \'enable_s3_shared_bucket\': True, \'enable_vmimport\': True, \'s3_bucket_name\': \'oasys-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'s3_iam_policies\': \'EC2S3BucketWriteAndDeleteAccessPolicy\'},[])},[]) : oam_link :> {\'description\': \'oam sink_identifier to use in aws_oam_link resource\'}}'} forvertex attributes {'ssm_parameters': {'/azure': {'parameters': {'sas_token': {'description': 'database backup storage account read-only sas token'}}}, '/oam': {'parameters': '{for oam_link in coalesce(${merge({\'cloudwatch_dashboard_default_widget_groups\': [\'ec2\', \'ec2_autoscaling_group_linux\', \'ec2_instance_linux\', \'ec2_instance_oracle_db_with_backup\', \'ec2_instance_textfile_monitoring\', \'ec2_linux\', \'lb\'], \'cloudwatch_metric_alarms_default_actions\': \'pagerduty\', \'cloudwatch_metric_oam_links\': \'hmpps-oem-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'cloudwatch_metric_oam_links_ssm_parameters\': \'hmpps-oem-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'db_backup_more_permissions\': True, \'enable_backup_plan_daily_and_weekly\': True, \'enable_business_unit_kms_cmks\': True, \'enable_ec2_cloud_watch_agent\': True, \'enable_ec2_oracle_enterprise_managed_server\': True, \'enable_ec2_self_provision\': True, \'enable_ec2_session_manager_cloudwatch_logs\': True, \'enable_ec2_ssm_agent_update\': True, \'enable_ec2_user_keypair\': True, \'enable_image_builder\': True, \'enable_s3_bucket\': True, \'enable_s3_db_backup_bucket\': True, \'enable_s3_shared_bucket\': True, \'enable_vmimport\': True, \'s3_bucket_name\': \'oasys-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'s3_iam_policies\': \'EC2S3BucketWriteAndDeleteAccessPolicy\'},[])},[]) : oam_link :> {\'description\': \'oam sink_identifier to use in aws_oam_link resource\'}}'}, 'account': {'parameters': {'ids': {'description': 'Selected modernisation platform AWS account IDs managed by baseline module', 'value': 'jsonencode({for key , value in ${module.environment} : key :> value if contains(local.account_names_for_account_ids_ssm_parameter,key)})'}}, 'postfix': '_'}, 'cloud-watch-config': {'parameters': {'windows': {'description': 'cloud watch agent config for windows managed by baseline module', 'file': './templates/cloud_watch_windows.json', 'type': 'String'}}, 'postfix': '-'}}, 'ssm_parameters./azure': {'parameters': {'sas_token': {'description': 'database backup storage account read-only sas token'}}}, 'ssm_parameters./azure.parameters': {'sas_token': {'description': 'database backup storage account read-only sas token'}}, 'ssm_parameters./azure.parameters.sas_token': {'description': 'database backup storage account read-only sas token'}, 'ssm_parameters./azure.parameters.sas_token.description': 'database backup storage account read-only sas token', 'ssm_parameters./oam': {'parameters': '{for oam_link in coalesce(${merge({\'cloudwatch_dashboard_default_widget_groups\': [\'ec2\', \'ec2_autoscaling_group_linux\', \'ec2_instance_linux\', \'ec2_instance_oracle_db_with_backup\', \'ec2_instance_textfile_monitoring\', \'ec2_linux\', \'lb\'], \'cloudwatch_metric_alarms_default_actions\': \'pagerduty\', \'cloudwatch_metric_oam_links\': \'hmpps-oem-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'cloudwatch_metric_oam_links_ssm_parameters\': \'hmpps-oem-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'db_backup_more_permissions\': True, \'enable_backup_plan_daily_and_weekly\': True, \'enable_business_unit_kms_cmks\': True, \'enable_ec2_cloud_watch_agent\': True, \'enable_ec2_oracle_enterprise_managed_server\': True, \'enable_ec2_self_provision\': True, \'enable_ec2_session_manager_cloudwatch_logs\': True, \'enable_ec2_ssm_agent_update\': True, \'enable_ec2_user_keypair\': True, \'enable_image_builder\': True, \'enable_s3_bucket\': True, \'enable_s3_db_backup_bucket\': True, \'enable_s3_shared_bucket\': True, \'enable_vmimport\': True, \'s3_bucket_name\': \'oasys-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'s3_iam_policies\': \'EC2S3BucketWriteAndDeleteAccessPolicy\'},[])},[]) : oam_link :> {\'description\': \'oam sink_identifier to use in aws_oam_link resource\'}}'}, 'ssm_parameters./oam.parameters': '{for oam_link in coalesce(${merge({\'cloudwatch_dashboard_default_widget_groups\': [\'ec2\', \'ec2_autoscaling_group_linux\', \'ec2_instance_linux\', \'ec2_instance_oracle_db_with_backup\', \'ec2_instance_textfile_monitoring\', \'ec2_linux\', \'lb\'], \'cloudwatch_metric_alarms_default_actions\': \'pagerduty\', \'cloudwatch_metric_oam_links\': \'hmpps-oem-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'cloudwatch_metric_oam_links_ssm_parameters\': \'hmpps-oem-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'db_backup_more_permissions\': True, \'enable_backup_plan_daily_and_weekly\': True, \'enable_business_unit_kms_cmks\': True, \'enable_ec2_cloud_watch_agent\': True, \'enable_ec2_oracle_enterprise_managed_server\': True, \'enable_ec2_self_provision\': True, \'enable_ec2_session_manager_cloudwatch_logs\': True, \'enable_ec2_ssm_agent_update\': True, \'enable_ec2_user_keypair\': True, \'enable_image_builder\': True, \'enable_s3_bucket\': True, \'enable_s3_db_backup_bucket\': True, \'enable_s3_shared_bucket\': True, \'enable_vmimport\': True, \'s3_bucket_name\': \'oasys-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'s3_iam_policies\': \'EC2S3BucketWriteAndDeleteAccessPolicy\'},[])},[]) : oam_link :> {\'description\': \'oam sink_identifier to use in aws_oam_link resource\'}}', 'ssm_parameters.account': {'parameters': {'ids': {'description': 'Selected modernisation platform AWS account IDs managed by baseline module', 'value': 'jsonencode({for key , value in ${module.environment} : key :> value if contains(local.account_names_for_account_ids_ssm_parameter,key)})'}}, 'postfix': '_'}, 'ssm_parameters.account.parameters': {'ids': {'description': 'Selected modernisation platform AWS account IDs managed by baseline module', 'value': 'jsonencode({for key , value in ${module.environment} : key :> value if contains(local.account_names_for_account_ids_ssm_parameter,key)})'}}, 'ssm_parameters.account.parameters.ids': {'description': 'Selected modernisation platform AWS account IDs managed by baseline module', 'value': 'jsonencode({for key , value in ${module.environment} : key :> value if contains(local.account_names_for_account_ids_ssm_parameter,key)})'}, 'ssm_parameters.account.parameters.ids.description': 'Selected modernisation platform AWS account IDs managed by baseline module', 'ssm_parameters.account.parameters.ids.value': 'jsonencode({for key , value in ${module.environment} : key :> value if contains(local.account_names_for_account_ids_ssm_parameter,key)})', 'ssm_parameters.account.postfix': '_', 'ssm_parameters.cloud-watch-config': {'parameters': {'windows': {'description': 'cloud watch agent config for windows managed by baseline module', 'file': './templates/cloud_watch_windows.json', 'type': 'String'}}, 'postfix': '-'}, 'ssm_parameters.cloud-watch-config.parameters': {'windows': {'description': 'cloud watch agent config for windows managed by baseline module', 'file': './templates/cloud_watch_windows.json', 'type': 'String'}}, 'ssm_parameters.cloud-watch-config.parameters.windows': {'description': 'cloud watch agent config for windows managed by baseline module', 'file': './templates/cloud_watch_windows.json', 'type': 'String'}, 'ssm_parameters.cloud-watch-config.parameters.windows.description': 'cloud watch agent config for windows managed by baseline module', 'ssm_parameters.cloud-watch-config.parameters.windows.file': './templates/cloud_watch_windows.json', 'ssm_parameters.cloud-watch-config.parameters.windows.type': 'String', 'ssm_parameters.cloud-watch-config.postfix': '-'}. Falling back to explicitly setting it.Exception - Parse error at 1:16 near token / (SORT_DIRECTION)
2024-11-22 09:37:35,632 [MainThread  ] [WARNI]  Failed updating attribute for key: secretsmanager_secrets./ec2/.ssh and value {'recovery_window_in_days': 7} forvertex attributes {'secretsmanager_secrets': {'/ec2/.ssh': {'recovery_window_in_days': 7, 'secrets': {'ec2-user': {'description': 'Private key for ec2-user key pair'}}}}, 'secretsmanager_secrets./ec2/.ssh': {'recovery_window_in_days': 7, 'secrets': {'ec2-user': {'description': 'Private key for ec2-user key pair'}}}, 'secretsmanager_secrets./ec2/.ssh.recovery_window_in_days': 7, 'secretsmanager_secrets./ec2/.ssh.secrets': {'ec2-user': {'description': 'Private key for ec2-user key pair'}}, 'secretsmanager_secrets./ec2/.ssh.secrets.ec2-user': {'description': 'Private key for ec2-user key pair'}, 'secretsmanager_secrets./ec2/.ssh.secrets.ec2-user.description': 'Private key for ec2-user key pair'}. Falling back to explicitly setting it.Exception - Parse error at 1:24 near token / (SORT_DIRECTION)
2024-11-22 09:37:36,671 [MainThread  ] [WARNI]  Failed updating attribute for key: ssm_parameters./oam and value {'parameters': '{for oam_link in coalesce(${merge({\'cloudwatch_dashboard_default_widget_groups\': [\'ec2\', \'ec2_autoscaling_group_linux\', \'ec2_instance_linux\', \'ec2_instance_oracle_db_with_backup\', \'ec2_instance_textfile_monitoring\', \'ec2_linux\', \'lb\'], \'cloudwatch_metric_alarms_default_actions\': \'pagerduty\', \'cloudwatch_metric_oam_links\': \'hmpps-oem-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'cloudwatch_metric_oam_links_ssm_parameters\': \'hmpps-oem-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'db_backup_more_permissions\': True, \'enable_backup_plan_daily_and_weekly\': True, \'enable_business_unit_kms_cmks\': True, \'enable_ec2_cloud_watch_agent\': True, \'enable_ec2_oracle_enterprise_managed_server\': True, \'enable_ec2_self_provision\': True, \'enable_ec2_session_manager_cloudwatch_logs\': True, \'enable_ec2_ssm_agent_update\': True, \'enable_ec2_user_keypair\': True, \'enable_image_builder\': True, \'enable_s3_bucket\': True, \'enable_s3_db_backup_bucket\': True, \'enable_s3_shared_bucket\': True, \'enable_vmimport\': True, \'s3_bucket_name\': \'oasys-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'s3_iam_policies\': \'EC2S3BucketWriteAndDeleteAccessPolicy\'},[])},[]) : oam_link :> {\'description\': \'oam sink_identifier to use in aws_oam_link resource\'}}'} forvertex attributes {'ssm_parameters': {'/azure': {'parameters': {'sas_token': {'description': 'database backup storage account read-only sas token'}}}, '/oam': {'parameters': '{for oam_link in coalesce(${merge({\'cloudwatch_dashboard_default_widget_groups\': [\'ec2\', \'ec2_autoscaling_group_linux\', \'ec2_instance_linux\', \'ec2_instance_oracle_db_with_backup\', \'ec2_instance_textfile_monitoring\', \'ec2_linux\', \'lb\'], \'cloudwatch_metric_alarms_default_actions\': \'pagerduty\', \'cloudwatch_metric_oam_links\': \'hmpps-oem-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'cloudwatch_metric_oam_links_ssm_parameters\': \'hmpps-oem-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'db_backup_more_permissions\': True, \'enable_backup_plan_daily_and_weekly\': True, \'enable_business_unit_kms_cmks\': True, \'enable_ec2_cloud_watch_agent\': True, \'enable_ec2_oracle_enterprise_managed_server\': True, \'enable_ec2_self_provision\': True, \'enable_ec2_session_manager_cloudwatch_logs\': True, \'enable_ec2_ssm_agent_update\': True, \'enable_ec2_user_keypair\': True, \'enable_image_builder\': True, \'enable_s3_bucket\': True, \'enable_s3_db_backup_bucket\': True, \'enable_s3_shared_bucket\': True, \'enable_vmimport\': True, \'s3_bucket_name\': \'oasys-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'s3_iam_policies\': \'EC2S3BucketWriteAndDeleteAccessPolicy\'},[])},[]) : oam_link :> {\'description\': \'oam sink_identifier to use in aws_oam_link resource\'}}'}, 'account': {'parameters': {'ids': {'description': 'Selected modernisation platform AWS account IDs managed by baseline module', 'value': 'jsonencode({for key , value in ${module.environment} : key :> value if contains(local.account_names_for_account_ids_ssm_parameter,key)})'}}, 'postfix': '_'}, 'cloud-watch-config': {'parameters': {'windows': {'description': 'cloud watch agent config for windows managed by baseline module', 'file': './templates/cloud_watch_windows.json', 'type': 'String'}}, 'postfix': '-'}}, 'ssm_parameters./azure': {'parameters': {'sas_token': {'description': 'database backup storage account read-only sas token'}}}, 'ssm_parameters./azure.parameters': {'sas_token': {'description': 'database backup storage account read-only sas token'}}, 'ssm_parameters./azure.parameters.sas_token': {'description': 'database backup storage account read-only sas token'}, 'ssm_parameters./azure.parameters.sas_token.description': 'database backup storage account read-only sas token', 'ssm_parameters./oam': {'parameters': '{for oam_link in coalesce(${merge({\'cloudwatch_dashboard_default_widget_groups\': [\'ec2\', \'ec2_autoscaling_group_linux\', \'ec2_instance_linux\', \'ec2_instance_oracle_db_with_backup\', \'ec2_instance_textfile_monitoring\', \'ec2_linux\', \'lb\'], \'cloudwatch_metric_alarms_default_actions\': \'pagerduty\', \'cloudwatch_metric_oam_links\': \'hmpps-oem-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'cloudwatch_metric_oam_links_ssm_parameters\': \'hmpps-oem-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'db_backup_more_permissions\': True, \'enable_backup_plan_daily_and_weekly\': True, \'enable_business_unit_kms_cmks\': True, \'enable_ec2_cloud_watch_agent\': True, \'enable_ec2_oracle_enterprise_managed_server\': True, \'enable_ec2_self_provision\': True, \'enable_ec2_session_manager_cloudwatch_logs\': True, \'enable_ec2_ssm_agent_update\': True, \'enable_ec2_user_keypair\': True, \'enable_image_builder\': True, \'enable_s3_bucket\': True, \'enable_s3_db_backup_bucket\': True, \'enable_s3_shared_bucket\': True, \'enable_vmimport\': True, \'s3_bucket_name\': \'oasys-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'s3_iam_policies\': \'EC2S3BucketWriteAndDeleteAccessPolicy\'},[])},[]) : oam_link :> {\'description\': \'oam sink_identifier to use in aws_oam_link resource\'}}'}, 'ssm_parameters./oam.parameters': '{for oam_link in coalesce(${merge({\'cloudwatch_dashboard_default_widget_groups\': [\'ec2\', \'ec2_autoscaling_group_linux\', \'ec2_instance_linux\', \'ec2_instance_oracle_db_with_backup\', \'ec2_instance_textfile_monitoring\', \'ec2_linux\', \'lb\'], \'cloudwatch_metric_alarms_default_actions\': \'pagerduty\', \'cloudwatch_metric_oam_links\': \'hmpps-oem-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'cloudwatch_metric_oam_links_ssm_parameters\': \'hmpps-oem-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'db_backup_more_permissions\': True, \'enable_backup_plan_daily_and_weekly\': True, \'enable_business_unit_kms_cmks\': True, \'enable_ec2_cloud_watch_agent\': True, \'enable_ec2_oracle_enterprise_managed_server\': True, \'enable_ec2_self_provision\': True, \'enable_ec2_session_manager_cloudwatch_logs\': True, \'enable_ec2_ssm_agent_update\': True, \'enable_ec2_user_keypair\': True, \'enable_image_builder\': True, \'enable_s3_bucket\': True, \'enable_s3_db_backup_bucket\': True, \'enable_s3_shared_bucket\': True, \'enable_vmimport\': True, \'s3_bucket_name\': \'oasys-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'s3_iam_policies\': \'EC2S3BucketWriteAndDeleteAccessPolicy\'},[])},[]) : oam_link :> {\'description\': \'oam sink_identifier to use in aws_oam_link resource\'}}', 'ssm_parameters.account': {'parameters': {'ids': {'description': 'Selected modernisation platform AWS account IDs managed by baseline module', 'value': 'jsonencode({for key , value in ${module.environment} : key :> value if contains(local.account_names_for_account_ids_ssm_parameter,key)})'}}, 'postfix': '_'}, 'ssm_parameters.account.parameters': {'ids': {'description': 'Selected modernisation platform AWS account IDs managed by baseline module', 'value': 'jsonencode({for key , value in ${module.environment} : key :> value if contains(local.account_names_for_account_ids_ssm_parameter,key)})'}}, 'ssm_parameters.account.parameters.ids': {'description': 'Selected modernisation platform AWS account IDs managed by baseline module', 'value': 'jsonencode({for key , value in ${module.environment} : key :> value if contains(local.account_names_for_account_ids_ssm_parameter,key)})'}, 'ssm_parameters.account.parameters.ids.description': 'Selected modernisation platform AWS account IDs managed by baseline module', 'ssm_parameters.account.parameters.ids.value': 'jsonencode({for key , value in ${module.environment} : key :> value if contains(local.account_names_for_account_ids_ssm_parameter,key)})', 'ssm_parameters.account.postfix': '_', 'ssm_parameters.cloud-watch-config': {'parameters': {'windows': {'description': 'cloud watch agent config for windows managed by baseline module', 'file': './templates/cloud_watch_windows.json', 'type': 'String'}}, 'postfix': '-'}, 'ssm_parameters.cloud-watch-config.parameters': {'windows': {'description': 'cloud watch agent config for windows managed by baseline module', 'file': './templates/cloud_watch_windows.json', 'type': 'String'}}, 'ssm_parameters.cloud-watch-config.parameters.windows': {'description': 'cloud watch agent config for windows managed by baseline module', 'file': './templates/cloud_watch_windows.json', 'type': 'String'}, 'ssm_parameters.cloud-watch-config.parameters.windows.description': 'cloud watch agent config for windows managed by baseline module', 'ssm_parameters.cloud-watch-config.parameters.windows.file': './templates/cloud_watch_windows.json', 'ssm_parameters.cloud-watch-config.parameters.windows.type': 'String', 'ssm_parameters.cloud-watch-config.postfix': '-'}. Falling back to explicitly setting it.Exception - Parse error at 1:16 near token / (SORT_DIRECTION)
2024-11-22 09:37:36,703 [MainThread  ] [WARNI]  Failed updating attribute for key: secretsmanager_secrets./ec2/.ssh and value {'recovery_window_in_days': 7} forvertex attributes {'secretsmanager_secrets': {'/ec2/.ssh': {'recovery_window_in_days': 7, 'secrets': {'ec2-user': {'description': 'Private key for ec2-user key pair'}}}}, 'secretsmanager_secrets./ec2/.ssh': {'recovery_window_in_days': 7, 'secrets': {'ec2-user': {'description': 'Private key for ec2-user key pair'}}}, 'secretsmanager_secrets./ec2/.ssh.recovery_window_in_days': 7, 'secretsmanager_secrets./ec2/.ssh.secrets': {'ec2-user': {'description': 'Private key for ec2-user key pair'}}, 'secretsmanager_secrets./ec2/.ssh.secrets.ec2-user': {'description': 'Private key for ec2-user key pair'}, 'secretsmanager_secrets./ec2/.ssh.secrets.ec2-user.description': 'Private key for ec2-user key pair'}. Falling back to explicitly setting it.Exception - Parse error at 1:24 near token / (SORT_DIRECTION)
terraform scan results:

Passed checks: 177, Failed checks: 8, Skipped checks: 24

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: module.baseline.module.schedule_alarms_lambda.aws_lambda_function.alarm_scheduler
	File: /../../modules/schedule_alarms_lambda/main.tf:8-27
	Calling File: /../../modules/baseline/schedule_alarms_lambda.tf:1-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		8  | resource "aws_lambda_function" "alarm_scheduler" {
		9  |   filename         = "${path.module}/lambda/alarm_scheduler.zip"
		10 |   function_name    = var.lambda_function_name
		11 |   architectures    = ["arm64"]
		12 |   role             = aws_iam_role.lambda_exec.arn
		13 |   runtime          = "python3.12"
		14 |   handler          = "alarm_scheduler.lambda_handler"
		15 |   source_code_hash = data.archive_file.lambda_function_payload.output_base64sha256
		16 |   timeout          = 10
		17 | 
		18 |   environment {
		19 |     variables = {
		20 |       LOG_LEVEL       = var.lambda_log_level
		21 |       SPECIFIC_ALARMS = tostring(join(",", var.alarm_list))
		22 |       ALARM_PATTERNS  = tostring(join(",", var.alarm_patterns))
		23 |     }
		24 |   }
		25 | 
		26 |   tags = var.tags
		27 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: module.baseline.module.schedule_alarms_lambda.aws_lambda_function.alarm_scheduler
	File: /../../modules/schedule_alarms_lambda/main.tf:8-27
	Calling File: /../../modules/baseline/schedule_alarms_lambda.tf:1-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		8  | resource "aws_lambda_function" "alarm_scheduler" {
		9  |   filename         = "${path.module}/lambda/alarm_scheduler.zip"
		10 |   function_name    = var.lambda_function_name
		11 |   architectures    = ["arm64"]
		12 |   role             = aws_iam_role.lambda_exec.arn
		13 |   runtime          = "python3.12"
		14 |   handler          = "alarm_scheduler.lambda_handler"
		15 |   source_code_hash = data.archive_file.lambda_function_payload.output_base64sha256
		16 |   timeout          = 10
		17 | 
		18 |   environment {
		19 |     variables = {
		20 |       LOG_LEVEL       = var.lambda_log_level
		21 |       SPECIFIC_ALARMS = tostring(join(",", var.alarm_list))
		22 |       ALARM_PATTERNS  = tostring(join(",", var.alarm_patterns))
		23 |     }
		24 |   }
		25 | 
		26 |   tags = var.tags
		27 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: module.baseline.module.schedule_alarms_lambda.aws_lambda_function.alarm_scheduler
	File: /../../modules/schedule_alarms_lambda/main.tf:8-27
	Calling File: /../../modules/baseline/schedule_alarms_lambda.tf:1-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		8  | resource "aws_lambda_function" "alarm_scheduler" {
		9  |   filename         = "${path.module}/lambda/alarm_scheduler.zip"
		10 |   function_name    = var.lambda_function_name
		11 |   architectures    = ["arm64"]
		12 |   role             = aws_iam_role.lambda_exec.arn
		13 |   runtime          = "python3.12"
		14 |   handler          = "alarm_scheduler.lambda_handler"
		15 |   source_code_hash = data.archive_file.lambda_function_payload.output_base64sha256
		16 |   timeout          = 10
		17 | 
		18 |   environment {
		19 |     variables = {
		20 |       LOG_LEVEL       = var.lambda_log_level
		21 |       SPECIFIC_ALARMS = tostring(join(",", var.alarm_list))
		22 |       ALARM_PATTERNS  = tostring(join(",", var.alarm_patterns))
		23 |     }
		24 |   }
		25 | 
		26 |   tags = var.tags
		27 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: module.baseline.module.schedule_alarms_lambda.aws_lambda_function.alarm_scheduler
	File: /../../modules/schedule_alarms_lambda/main.tf:8-27
	Calling File: /../../modules/baseline/schedule_alarms_lambda.tf:1-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		8  | resource "aws_lambda_function" "alarm_scheduler" {
		9  |   filename         = "${path.module}/lambda/alarm_scheduler.zip"
		10 |   function_name    = var.lambda_function_name
		11 |   architectures    = ["arm64"]
		12 |   role             = aws_iam_role.lambda_exec.arn
		13 |   runtime          = "python3.12"
		14 |   handler          = "alarm_scheduler.lambda_handler"
		15 |   source_code_hash = data.archive_file.lambda_function_payload.output_base64sha256
		16 |   timeout          = 10
		17 | 
		18 |   environment {
		19 |     variables = {
		20 |       LOG_LEVEL       = var.lambda_log_level
		21 |       SPECIFIC_ALARMS = tostring(join(",", var.alarm_list))
		22 |       ALARM_PATTERNS  = tostring(join(",", var.alarm_patterns))
		23 |     }
		24 |   }
		25 | 
		26 |   tags = var.tags
		27 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: module.baseline.module.schedule_alarms_lambda.aws_lambda_function.alarm_scheduler
	File: /../../modules/schedule_alarms_lambda/main.tf:8-27
	Calling File: /../../modules/baseline/schedule_alarms_lambda.tf:1-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		8  | resource "aws_lambda_function" "alarm_scheduler" {
		9  |   filename         = "${path.module}/lambda/alarm_scheduler.zip"
		10 |   function_name    = var.lambda_function_name
		11 |   architectures    = ["arm64"]
		12 |   role             = aws_iam_role.lambda_exec.arn
		13 |   runtime          = "python3.12"
		14 |   handler          = "alarm_scheduler.lambda_handler"
		15 |   source_code_hash = data.archive_file.lambda_function_payload.output_base64sha256
		16 |   timeout          = 10
		17 | 
		18 |   environment {
		19 |     variables = {
		20 |       LOG_LEVEL       = var.lambda_log_level
		21 |       SPECIFIC_ALARMS = tostring(join(",", var.alarm_list))
		22 |       ALARM_PATTERNS  = tostring(join(",", var.alarm_patterns))
		23 |     }
		24 |   }
		25 | 
		26 |   tags = var.tags
		27 | }

Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
	FAILED for resource: module.baseline.module.schedule_alarms_lambda.aws_lambda_function.alarm_scheduler
	File: /../../modules/schedule_alarms_lambda/main.tf:8-27
	Calling File: /../../modules/baseline/schedule_alarms_lambda.tf:1-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1

		8  | resource "aws_lambda_function" "alarm_scheduler" {
		9  |   filename         = "${path.module}/lambda/alarm_scheduler.zip"
		10 |   function_name    = var.lambda_function_name
		11 |   architectures    = ["arm64"]
		12 |   role             = aws_iam_role.lambda_exec.arn
		13 |   runtime          = "python3.12"
		14 |   handler          = "alarm_scheduler.lambda_handler"
		15 |   source_code_hash = data.archive_file.lambda_function_payload.output_base64sha256
		16 |   timeout          = 10
		17 | 
		18 |   environment {
		19 |     variables = {
		20 |       LOG_LEVEL       = var.lambda_log_level
		21 |       SPECIFIC_ALARMS = tostring(join(",", var.alarm_list))
		22 |       ALARM_PATTERNS  = tostring(join(",", var.alarm_patterns))
		23 |     }
		24 |   }
		25 | 
		26 |   tags = var.tags
		27 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: module.baseline.module.schedule_alarms_lambda.aws_cloudwatch_log_group.execution_logs
	File: /../../modules/schedule_alarms_lambda/main.tf:29-34
	Calling File: /../../modules/baseline/schedule_alarms_lambda.tf:1-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		29 | resource "aws_cloudwatch_log_group" "execution_logs" {
		30 |   name              = format("/aws/lambda/%s", var.lambda_function_name)
		31 |   retention_in_days = 7
		32 | 
		33 |   tags = var.tags
		34 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: module.baseline.module.schedule_alarms_lambda.aws_cloudwatch_log_group.execution_logs
	File: /../../modules/schedule_alarms_lambda/main.tf:29-34
	Calling File: /../../modules/baseline/schedule_alarms_lambda.tf:1-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		29 | resource "aws_cloudwatch_log_group" "execution_logs" {
		30 |   name              = format("/aws/lambda/%s", var.lambda_function_name)
		31 |   retention_in_days = 7
		32 | 
		33 |   tags = var.tags
		34 | }


checkov_exitcode=2

*****************************

Running Checkov in terraform/modules/ip_addresses
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39

checkov_exitcode=2

CTFLint Scan Failed

Show Output 
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/delius-jitbit
terraform/environments/oasys
terraform/modules/ip_addresses

*****************************

Running tflint in terraform/environments/delius-jitbit
Excluding the following checks: terraform_unused_declarations
2 issue(s) found:

Warning: Missing version constraint for provider "archive" in `required_providers` (terraform_required_providers)

  on terraform/environments/delius-jitbit/ses_logging.tf line 30:
  30: data "archive_file" "lambda_function_payload" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "external" in `required_providers` (terraform_required_providers)

  on terraform/environments/delius-jitbit/waf.tf line 57:
  57: data "external" "shield_waf" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

tflint_exitcode=2

*****************************

Running tflint in terraform/environments/oasys
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=2

*****************************

Running tflint in terraform/modules/ip_addresses
Excluding the following checks: terraform_unused_declarations
1 issue(s) found:

Warning: Duplicate key: "ark_dc_external_internet", first defined at terraform/modules/ip_addresses/moj.tf:30,5-29 (terraform_map_duplicate_keys)

  on terraform/modules/ip_addresses/moj.tf line 55:
  55:     ark_dc_external_internet = [

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_map_duplicate_keys.md

tflint_exitcode=4

Trivy Scan Success

Show Output 
*****************************

Trivy will check the following folders:
terraform/environments/delius-jitbit
terraform/environments/oasys
terraform/modules/ip_addresses

*****************************

Running Trivy in terraform/environments/delius-jitbit
2024-11-22T09:37:06Z	INFO	[vulndb] Need to update DB
2024-11-22T09:37:06Z	INFO	[vulndb] Downloading vulnerability DB...
2024-11-22T09:37:06Z	INFO	[vulndb] Downloading artifact...	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-11-22T09:37:08Z	INFO	[vulndb] Artifact successfully downloaded	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-11-22T09:37:08Z	INFO	[vuln] Vulnerability scanning is enabled
2024-11-22T09:37:08Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-11-22T09:37:08Z	INFO	[misconfig] Need to update the built-in checks
2024-11-22T09:37:08Z	INFO	[misconfig] Downloading the built-in checks...
160.25 KiB / 160.25 KiB [------------------------------------------------------] 100.00% ? p/s 100ms2024-11-22T09:37:08Z	INFO	[secret] Secret scanning is enabled
2024-11-22T09:37:08Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-11-22T09:37:08Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-11-22T09:37:09Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-11-22T09:37:09Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2024-11-22T09:37:09Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_vpc_security_group_egress_rule.load_balancer_egress_rule" value="cty.NilVal"
2024-11-22T09:37:09Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_vpc_security_group_ingress_rule.load_balancer_ingress_rule" value="cty.NilVal"
2024-11-22T09:37:10Z	ERROR	[terraform evaluator] Failed to load module. Maybe try 'terraform init'?	err="open cluster: no such file or directory"
2024-11-22T09:37:11Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2024-11-22T09:37:11Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2024-11-22T09:37:11Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-22T09:37:11Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-22T09:37:11Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.shield.aws_wafv2_web_acl_association.this" value="cty.NilVal"
2024-11-22T09:37:13Z	INFO	[terraform executor] Ignore finding	rule="aws-ssm-secret-use-customer-key" range="secrets.tf:5-15"
2024-11-22T09:37:13Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0/main.tf:157-165"
2024-11-22T09:37:13Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0/main.tf:157-165"
2024-11-22T09:37:13Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2024-11-22T09:37:13Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-user-attached-policies" range="iam.tf:150-156"
2024-11-22T09:37:13Z	INFO	[terraform executor] Ignore finding	rule="aws-elb-alb-not-public" range="lb.tf:14"
2024-11-22T09:37:13Z	INFO	Number of language-specific files	num=0
2024-11-22T09:37:13Z	INFO	Detected config files	num=14
trivy_exitcode=0

*****************************

Running Trivy in terraform/environments/oasys
2024-11-22T09:37:13Z	INFO	[vuln] Vulnerability scanning is enabled
2024-11-22T09:37:13Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-11-22T09:37:13Z	INFO	[secret] Secret scanning is enabled
2024-11-22T09:37:13Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-11-22T09:37:13Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-11-22T09:37:14Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-11-22T09:37:14Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2024-11-22T09:37:14Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.aws_backup_plan.this" value="cty.NilVal"
2024-11-22T09:37:14Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.aws_backup_selection.this" value="cty.NilVal"
2024-11-22T09:37:14Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.aws_cloudwatch_log_group.route53" value="cty.NilVal"
2024-11-22T09:37:14Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.aws_cloudwatch_log_group.this" value="cty.NilVal"
2024-11-22T09:37:14Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.aws_cloudwatch_log_metric_filter.this" value="cty.NilVal"
2024-11-22T09:37:14Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.aws_cloudwatch_metric_alarm.this" value="cty.NilVal"
2024-11-22T09:37:14Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.aws_iam_policy.this" value="cty.NilVal"
2024-11-22T09:37:14Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.aws_iam_role.this" value="cty.NilVal"
2024-11-22T09:37:14Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.aws_iam_role_policy_attachment.this" value="cty.NilVal"
2024-11-22T09:37:14Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.aws_iam_service_linked_role.this" value="cty.NilVal"
2024-11-22T09:37:14Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.aws_key_pair.this" value="cty.NilVal"
2024-11-22T09:37:14Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.aws_kms_grant.this" value="cty.NilVal"
2024-11-22T09:37:14Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.aws_lb_target_group.instance" value="cty.NilVal"
2024-11-22T09:37:14Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.aws_lb_target_group_attachment.instance" value="cty.NilVal"
2024-11-22T09:37:14Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.aws_oam_link.this" value="cty.NilVal"
2024-11-22T09:37:14Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.aws_oam_sink.this" value="cty.NilVal"
2024-11-22T09:37:14Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.aws_oam_sink_policy.monitoring_account_oam_sink_policy" value="cty.NilVal"
2024-11-22T09:37:14Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.aws_route53_query_log.this" value="cty.NilVal"
2024-11-22T09:37:14Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.aws_route53_record.core_network_services" value="cty.NilVal"
2024-11-22T09:37:14Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.aws_route53_record.core_vpc" value="cty.NilVal"
2024-11-22T09:37:14Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.aws_route53_record.self" value="cty.NilVal"
2024-11-22T09:37:14Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.aws_route53_resolver_endpoint.this" value="cty.NilVal"
2024-11-22T09:37:14Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.aws_route53_resolver_rule.this" value="cty.NilVal"
2024-11-22T09:37:14Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.aws_route53_resolver_rule_association.this" value="cty.NilVal"
2024-11-22T09:37:14Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.aws_route53_zone.this" value="cty.NilVal"
2024-11-22T09:37:14Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.aws_secretsmanager_secret.this" value="cty.NilVal"
2024-11-22T09:37:14Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.aws_secretsmanager_secret_version.fixed" value="cty.NilVal"
2024-11-22T09:37:14Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.aws_security_group.this" value="cty.NilVal"
2024-11-22T09:37:14Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.aws_security_group_rule.route53_resolver" value="cty.NilVal"
2024-11-22T09:37:14Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.aws_security_group_rule.this" value="cty.NilVal"
2024-11-22T09:37:14Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.aws_sns_topic.this" value="cty.NilVal"
2024-11-22T09:37:14Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.aws_sns_topic_subscription.this" value="cty.NilVal"
2024-11-22T09:37:14Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.aws_ssm_association.this" value="cty.NilVal"
2024-11-22T09:37:14Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.aws_ssm_document.this" value="cty.NilVal"
2024-11-22T09:37:14Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.aws_ssm_parameter.fixed" value="cty.NilVal"
2024-11-22T09:37:14Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.aws_ssm_parameter.placeholder" value="cty.NilVal"
2024-11-22T09:37:14Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.data.aws_iam_policy_document.assume_role" value="cty.NilVal"
2024-11-22T09:37:14Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.data.aws_iam_policy_document.secretsmanager_secret_policy" value="cty.NilVal"
2024-11-22T09:37:14Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.data.aws_iam_policy_document.this" value="cty.NilVal"
2024-11-22T09:37:14Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.module.acm_certificate" value="cty.NilVal"
2024-11-22T09:37:14Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.module.cloudwatch_dashboard" value="cty.NilVal"
2024-11-22T09:37:14Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.module.ec2_autoscaling_group" value="cty.NilVal"
2024-11-22T09:37:14Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.module.ec2_instance" value="cty.NilVal"
2024-11-22T09:37:14Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.module.efs" value="cty.NilVal"
2024-11-22T09:37:14Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.module.fsx_windows" value="cty.NilVal"
2024-11-22T09:37:14Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.module.lb" value="cty.NilVal"
2024-11-22T09:37:14Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.module.lb_listener" value="cty.NilVal"
2024-11-22T09:37:14Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.module.s3_bucket" value="cty.NilVal"
2024-11-22T09:37:14Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.random_password.secrets" value="cty.NilVal"
2024-11-22T09:37:14Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.random_password.this" value="cty.NilVal"
2024-11-22T09:37:14Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.module.bastion_linux[0].aws_s3_object.user_public_keys" value="cty.NilVal"
2024-11-22T09:37:14Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.module.bastion_linux[0].data.aws_subnet.local_account" value="cty.NilVal"
2024-11-22T09:37:14Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.baseline.module.bastion_linux[0].aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-22T09:37:14Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.baseline.module.bastion_linux[0].aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-22T09:37:15Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.baseline.module.bastion_linux[0].module.s3-bucket.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-22T09:37:15Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.baseline.module.bastion_linux[0].module.s3-bucket.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-22T09:37:15Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.environment.data.aws_route53_zone.core_network_services" value="cty.NilVal"
2024-11-22T09:37:15Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.environment.data.aws_route53_zone.core_vpc" value="cty.NilVal"
2024-11-22T09:37:15Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.environment.data.aws_subnet.this" value="cty.NilVal"
2024-11-22T09:37:15Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.environment.data.aws_subnets.this" value="cty.NilVal"
2024-11-22T09:37:15Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.module.bastion_linux[0].aws_s3_object.user_public_keys" value="cty.NilVal"
2024-11-22T09:37:15Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.module.bastion_linux[0].data.aws_subnet.local_account" value="cty.NilVal"
2024-11-22T09:37:15Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.baseline.module.bastion_linux[0].aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-22T09:37:15Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.baseline.module.bastion_linux[0].aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-22T09:37:15Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.baseline.module.bastion_linux[0].module.s3-bucket.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-22T09:37:15Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.baseline.module.bastion_linux[0].module.s3-bucket.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-22T09:37:17Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=836db079348a2b40d59bd9cb953111e8ad61aec1/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=7b2b75c178f855d8c48d3bda4ac53df782288c02/main.tf:141-151"
2024-11-22T09:37:17Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v8.1.0/main.tf:150-160"
2024-11-22T09:37:17Z	INFO	Number of language-specific files	num=0
2024-11-22T09:37:17Z	INFO	Detected config files	num=3
trivy_exitcode=0

*****************************

Running Trivy in terraform/modules/ip_addresses
2024-11-22T09:37:17Z	INFO	[vuln] Vulnerability scanning is enabled
2024-11-22T09:37:17Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-11-22T09:37:17Z	INFO	[secret] Secret scanning is enabled
2024-11-22T09:37:17Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-11-22T09:37:17Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-11-22T09:37:18Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-11-22T09:37:18Z	INFO	Number of language-specific files	num=0
2024-11-22T09:37:18Z	INFO	Detected config files	num=1
trivy_exitcode=0

@github-actions GitHub Actions
Copy link
Contributor

Trivy Scan Success

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/delius-jitbit
terraform/environments/oasys
terraform/modules/ip_addresses

Running Trivy in terraform/environments/delius-jitbit
2024-11-22T09:47:16Z INFO [vulndb] Need to update DB
2024-11-22T09:47:16Z INFO [vulndb] Downloading vulnerability DB...
2024-11-22T09:47:16Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-11-22T09:47:18Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-11-22T09:47:18Z INFO [vuln] Vulnerability scanning is enabled
2024-11-22T09:47:18Z INFO [misconfig] Misconfiguration scanning is enabled
2024-11-22T09:47:18Z INFO [misconfig] Need to update the built-in checks
2024-11-22T09:47:18Z INFO [misconfig] Downloading the built-in checks...
160.25 KiB / 160.25 KiB [------------------------------------------------------] 100.00% ? p/s 100ms2024-11-22T09:47:19Z INFO [secret] Secret scanning is enabled
2024-11-22T09:47:19Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-11-22T09:47:19Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-11-22T09:47:20Z INFO [terraform scanner] Scanning root module file_path="."
2024-11-22T09:47:20Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2024-11-22T09:47:20Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_vpc_security_group_egress_rule.load_balancer_egress_rule" value="cty.NilVal"
2024-11-22T09:47:20Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_vpc_security_group_ingress_rule.load_balancer_ingress_rule" value="cty.NilVal"
2024-11-22T09:47:22Z ERROR [terraform evaluator] Failed to load module. Maybe try 'terraform init'? err="open cluster: no such file or directory"
2024-11-22T09:47:23Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2024-11-22T09:47:23Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2024-11-22T09:47:23Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-22T09:47:23Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-22T09:47:24Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.shield.aws_wafv2_web_acl_association.this" value="cty.NilVal"
2024-11-22T09:47:26Z INFO [terraform executor] Ignore finding rule="aws-iam-no-user-attached-policies" range="iam.tf:150-156"
2024-11-22T09:47:26Z INFO [terraform executor] Ignore finding rule="aws-elb-alb-not-public" range="lb.tf:14"
2024-11-22T09:47:26Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0/main.tf:157-165"
2024-11-22T09:47:26Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0/main.tf:157-165"
2024-11-22T09:47:26Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2024-11-22T09:47:26Z INFO [terraform executor] Ignore finding rule="aws-ssm-secret-use-customer-key" range="secrets.tf:5-15"
2024-11-22T09:47:26Z INFO Number of language-specific files num=0
2024-11-22T09:47:26Z INFO Detected config files num=14
trivy_exitcode=0

Running Trivy in terraform/environments/oasys
2024-11-22T09:47:26Z INFO [vuln] Vulnerability scanning is enabled
2024-11-22T09:47:26Z INFO [misconfig] Misconfiguration scanning is enabled
2024-11-22T09:47:26Z INFO [secret] Secret scanning is enabled
2024-11-22T09:47:26Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-11-22T09:47:26Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-11-22T09:47:28Z INFO [terraform scanner] Scanning root module file_path="."
2024-11-22T09:47:28Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2024-11-22T09:47:28Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.aws_backup_plan.this" value="cty.NilVal"
2024-11-22T09:47:28Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.aws_backup_selection.this" value="cty.NilVal"
2024-11-22T09:47:28Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.aws_cloudwatch_log_group.route53" value="cty.NilVal"
2024-11-22T09:47:28Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.aws_cloudwatch_log_group.this" value="cty.NilVal"
2024-11-22T09:47:28Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.aws_cloudwatch_log_metric_filter.this" value="cty.NilVal"
2024-11-22T09:47:28Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.aws_cloudwatch_metric_alarm.this" value="cty.NilVal"
2024-11-22T09:47:28Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.aws_iam_policy.this" value="cty.NilVal"
2024-11-22T09:47:28Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.aws_iam_role.this" value="cty.NilVal"
2024-11-22T09:47:28Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.aws_iam_role_policy_attachment.this" value="cty.NilVal"
2024-11-22T09:47:28Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.aws_iam_service_linked_role.this" value="cty.NilVal"
2024-11-22T09:47:28Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.aws_key_pair.this" value="cty.NilVal"
2024-11-22T09:47:28Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.aws_kms_grant.this" value="cty.NilVal"
2024-11-22T09:47:28Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.aws_lb_target_group.instance" value="cty.NilVal"
2024-11-22T09:47:28Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.aws_lb_target_group_attachment.instance" value="cty.NilVal"
2024-11-22T09:47:28Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.aws_oam_link.this" value="cty.NilVal"
2024-11-22T09:47:28Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.aws_oam_sink.this" value="cty.NilVal"
2024-11-22T09:47:28Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.aws_oam_sink_policy.monitoring_account_oam_sink_policy" value="cty.NilVal"
2024-11-22T09:47:28Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.aws_route53_query_log.this" value="cty.NilVal"
2024-11-22T09:47:28Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.aws_route53_record.core_network_services" value="cty.NilVal"
2024-11-22T09:47:28Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.aws_route53_record.core_vpc" value="cty.NilVal"
2024-11-22T09:47:28Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.aws_route53_record.self" value="cty.NilVal"
2024-11-22T09:47:28Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.aws_route53_resolver_endpoint.this" value="cty.NilVal"
2024-11-22T09:47:28Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.aws_route53_resolver_rule.this" value="cty.NilVal"
2024-11-22T09:47:28Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.aws_route53_resolver_rule_association.this" value="cty.NilVal"
2024-11-22T09:47:28Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.aws_route53_zone.this" value="cty.NilVal"
2024-11-22T09:47:28Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.aws_secretsmanager_secret.this" value="cty.NilVal"
2024-11-22T09:47:28Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.aws_secretsmanager_secret_version.fixed" value="cty.NilVal"
2024-11-22T09:47:28Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.aws_security_group.this" value="cty.NilVal"
2024-11-22T09:47:28Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.aws_security_group_rule.route53_resolver" value="cty.NilVal"
2024-11-22T09:47:28Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.aws_security_group_rule.this" value="cty.NilVal"
2024-11-22T09:47:28Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.aws_sns_topic.this" value="cty.NilVal"
2024-11-22T09:47:28Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.aws_sns_topic_subscription.this" value="cty.NilVal"
2024-11-22T09:47:28Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.aws_ssm_association.this" value="cty.NilVal"
2024-11-22T09:47:28Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.aws_ssm_document.this" value="cty.NilVal"
2024-11-22T09:47:28Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.aws_ssm_parameter.fixed" value="cty.NilVal"
2024-11-22T09:47:28Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.aws_ssm_parameter.placeholder" value="cty.NilVal"
2024-11-22T09:47:28Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.data.aws_iam_policy_document.assume_role" value="cty.NilVal"
2024-11-22T09:47:28Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.data.aws_iam_policy_document.secretsmanager_secret_policy" value="cty.NilVal"
2024-11-22T09:47:28Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.data.aws_iam_policy_document.this" value="cty.NilVal"
2024-11-22T09:47:28Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.module.acm_certificate" value="cty.NilVal"
2024-11-22T09:47:28Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.module.cloudwatch_dashboard" value="cty.NilVal"
2024-11-22T09:47:28Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.module.ec2_autoscaling_group" value="cty.NilVal"
2024-11-22T09:47:28Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.module.ec2_instance" value="cty.NilVal"
2024-11-22T09:47:28Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.module.efs" value="cty.NilVal"
2024-11-22T09:47:28Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.module.fsx_windows" value="cty.NilVal"
2024-11-22T09:47:28Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.module.lb" value="cty.NilVal"
2024-11-22T09:47:28Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.module.lb_listener" value="cty.NilVal"
2024-11-22T09:47:28Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.module.s3_bucket" value="cty.NilVal"
2024-11-22T09:47:28Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.random_password.secrets" value="cty.NilVal"
2024-11-22T09:47:28Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.random_password.this" value="cty.NilVal"
2024-11-22T09:47:29Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.module.bastion_linux[0].aws_s3_object.user_public_keys" value="cty.NilVal"
2024-11-22T09:47:29Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.module.bastion_linux[0].data.aws_subnet.local_account" value="cty.NilVal"
2024-11-22T09:47:29Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.baseline.module.bastion_linux[0].aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-22T09:47:29Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.baseline.module.bastion_linux[0].aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-22T09:47:30Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.baseline.module.bastion_linux[0].module.s3-bucket.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-22T09:47:30Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.baseline.module.bastion_linux[0].module.s3-bucket.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-22T09:47:31Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.environment.data.aws_route53_zone.core_network_services" value="cty.NilVal"
2024-11-22T09:47:31Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.environment.data.aws_route53_zone.core_vpc" value="cty.NilVal"
2024-11-22T09:47:31Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.environment.data.aws_subnet.this" value="cty.NilVal"
2024-11-22T09:47:31Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.environment.data.aws_subnets.this" value="cty.NilVal"
2024-11-22T09:47:31Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.module.bastion_linux[0].aws_s3_object.user_public_keys" value="cty.NilVal"
2024-11-22T09:47:31Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.module.bastion_linux[0].data.aws_subnet.local_account" value="cty.NilVal"
2024-11-22T09:47:31Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.baseline.module.bastion_linux[0].aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-22T09:47:31Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.baseline.module.bastion_linux[0].aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-22T09:47:31Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.baseline.module.bastion_linux[0].module.s3-bucket.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-22T09:47:31Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.baseline.module.bastion_linux[0].module.s3-bucket.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-22T09:47:32Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=836db079348a2b40d59bd9cb953111e8ad61aec1/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=7b2b75c178f855d8c48d3bda4ac53df782288c02/main.tf:141-151"
2024-11-22T09:47:32Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v8.1.0/main.tf:150-160"
2024-11-22T09:47:32Z INFO Number of language-specific files num=0
2024-11-22T09:47:32Z INFO Detected config files num=3
trivy_exitcode=0

Running Trivy in terraform/modules/ip_addresses
2024-11-22T09:47:32Z INFO [vuln] Vulnerability scanning is enabled
2024-11-22T09:47:32Z INFO [misconfig] Misconfiguration scanning is enabled
2024-11-22T09:47:32Z INFO [secret] Secret scanning is enabled
2024-11-22T09:47:32Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-11-22T09:47:32Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-11-22T09:47:33Z INFO [terraform scanner] Scanning root module file_path="."
2024-11-22T09:47:33Z INFO Number of language-specific files num=0
2024-11-22T09:47:33Z INFO Detected config files num=1
trivy_exitcode=0

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/delius-jitbit
terraform/environments/oasys
terraform/modules/ip_addresses

*****************************

Running Checkov in terraform/environments/delius-jitbit
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-11-22 09:47:36,605 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//cluster?ref=v2.0.1:None (for external modules, the --download-external-modules flag is required)
2024-11-22 09:47:36,605 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0:None (for external modules, the --download-external-modules flag is required)
2024-11-22 09:47:36,605 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0:None (for external modules, the --download-external-modules flag is required)
2024-11-22 09:47:36,605 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0:None (for external modules, the --download-external-modules flag is required)
2024-11-22 09:47:36,605 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 322, Failed checks: 69, Skipped checks: 20

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: bastion_linux
	File: /bastion_linux.tf:6-41
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		6  | module "bastion_linux" {
		7  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1"
		8  | 
		9  |   providers = {
		10 |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		11 |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		12 |   }
		13 | 
		14 |   # s3 - used for logs and user ssh public keys
		15 |   bucket_name = "bastion"
		16 |   # public keys
		17 |   public_key_data = local.public_key_data.keys[local.environment]
		18 |   # logs
		19 |   log_auto_clean       = "Enabled"
		20 |   log_standard_ia_days = 30  # days before moving to IA storage
		21 |   log_glacier_days     = 60  # days before moving to Glacier
		22 |   log_expiry_days      = 180 # days before log expiration
		23 |   # bastion
		24 |   allow_ssh_commands = false
		25 | 
		26 |   app_name      = var.networking[0].application
		27 |   business_unit = local.vpc_name
		28 |   subnet_set    = local.subnet_set
		29 |   environment   = local.environment
		30 |   region        = "eu-west-2"
		31 | 
		32 |   # custom scaling schedule
		33 |   autoscaling_cron = {
		34 |     "down" : "0 21 * * *",
		35 |     "up" : "0 05 * * *"
		36 |   }
		37 | 
		38 |   # Tags
		39 |   tags_common = local.tags
		40 |   tags_prefix = terraform.workspace
		41 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.jitbit
	File: /ecs.tf:84-87
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		84 | resource "aws_cloudwatch_log_group" "jitbit" {
		85 |   name              = format("%s-ecs", local.application_name)
		86 |   retention_in_days = 30
		87 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.jitbit
	File: /ecs.tf:84-87
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		84 | resource "aws_cloudwatch_log_group" "jitbit" {
		85 |   name              = format("%s-ecs", local.application_name)
		86 |   retention_in_days = 30
		87 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: ecs
	File: /ecs.tf:1-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		1 | module "ecs" {
		2 |   source = "github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//cluster?ref=v2.0.1"
		3 | 
		4 |   environment = local.environment
		5 |   name        = local.application_name
		6 | 
		7 |   tags = local.tags
		8 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3_bucket_app_deployment
	File: /ecs.tf:11-51
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		11 | module "s3_bucket_app_deployment" {
		12 | 
		13 |   source = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0"
		14 | 
		15 |   providers = {
		16 |     aws.bucket-replication = aws
		17 |   }
		18 |   bucket_name        = "${local.application_name}-${local.environment}-deployment"
		19 |   versioning_enabled = true
		20 | 
		21 |   ownership_controls = "BucketOwnerEnforced"
		22 | 
		23 |   lifecycle_rule = [
		24 |     {
		25 |       id      = "main"
		26 |       enabled = "Enabled"
		27 |       prefix  = ""
		28 | 
		29 |       tags = {
		30 |         rule      = "log"
		31 |         autoclean = "true"
		32 |       }
		33 | 
		34 |       noncurrent_version_transition = [
		35 |         {
		36 |           days          = 90
		37 |           storage_class = "STANDARD_IA"
		38 |           }, {
		39 |           days          = 365
		40 |           storage_class = "GLACIER"
		41 |         }
		42 |       ]
		43 | 
		44 |       noncurrent_version_expiration = {
		45 |         days = 730
		46 |       }
		47 |     }
		48 |   ]
		49 | 
		50 |   tags = local.tags
		51 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.ecs_service_policy
	File: /iam.tf:37-52
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		37 | data "aws_iam_policy_document" "ecs_service_policy" {
		38 |   statement {
		39 |     effect    = "Allow"
		40 |     resources = ["*"]
		41 | 
		42 |     actions = [
		43 |       "elasticloadbalancing:Describe*",
		44 |       "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
		45 |       "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
		46 |       "ec2:Describe*",
		47 |       "ec2:AuthorizeSecurityGroupIngress",
		48 |       "elasticloadbalancing:RegisterTargets",
		49 |       "elasticloadbalancing:DeregisterTargets"
		50 |     ]
		51 |   }
		52 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.ecs_service_policy
	File: /iam.tf:37-52
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		37 | data "aws_iam_policy_document" "ecs_service_policy" {
		38 |   statement {
		39 |     effect    = "Allow"
		40 |     resources = ["*"]
		41 | 
		42 |     actions = [
		43 |       "elasticloadbalancing:Describe*",
		44 |       "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
		45 |       "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
		46 |       "ec2:Describe*",
		47 |       "ec2:AuthorizeSecurityGroupIngress",
		48 |       "elasticloadbalancing:RegisterTargets",
		49 |       "elasticloadbalancing:DeregisterTargets"
		50 |     ]
		51 |   }
		52 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.ecs_exec
	File: /iam.tf:98-114
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		98  | data "aws_iam_policy_document" "ecs_exec" {
		99  |   statement {
		100 |     effect    = "Allow"
		101 |     resources = ["*"]
		102 | 
		103 |     actions = [
		104 |       "ssm:GetParameters",
		105 |       "ecr:GetAuthorizationToken",
		106 |       "ecr:BatchCheckLayerAvailability",
		107 |       "ecr:GetDownloadUrlForLayer",
		108 |       "ecr:BatchGetImage",
		109 |       "logs:CreateLogGroup",
		110 |       "logs:CreateLogStream",
		111 |       "logs:PutLogEvents"
		112 |     ]
		113 |   }
		114 | }

Check: CKV_AWS_108: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_policy_document.ecs_exec
	File: /iam.tf:98-114
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-data-exfiltration

		98  | data "aws_iam_policy_document" "ecs_exec" {
		99  |   statement {
		100 |     effect    = "Allow"
		101 |     resources = ["*"]
		102 | 
		103 |     actions = [
		104 |       "ssm:GetParameters",
		105 |       "ecr:GetAuthorizationToken",
		106 |       "ecr:BatchCheckLayerAvailability",
		107 |       "ecr:GetDownloadUrlForLayer",
		108 |       "ecr:BatchGetImage",
		109 |       "logs:CreateLogGroup",
		110 |       "logs:CreateLogStream",
		111 |       "logs:PutLogEvents"
		112 |     ]
		113 |   }
		114 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.ecs_exec
	File: /iam.tf:98-114
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		98  | data "aws_iam_policy_document" "ecs_exec" {
		99  |   statement {
		100 |     effect    = "Allow"
		101 |     resources = ["*"]
		102 | 
		103 |     actions = [
		104 |       "ssm:GetParameters",
		105 |       "ecr:GetAuthorizationToken",
		106 |       "ecr:BatchCheckLayerAvailability",
		107 |       "ecr:GetDownloadUrlForLayer",
		108 |       "ecr:BatchGetImage",
		109 |       "logs:CreateLogGroup",
		110 |       "logs:CreateLogStream",
		111 |       "logs:PutLogEvents"
		112 |     ]
		113 |   }
		114 | }

Check: CKV_AWS_378: "Ensure AWS Load Balancer doesn't use HTTP protocol"
	FAILED for resource: aws_lb_target_group.target_group_fargate
	File: /lb.tf:97-127

		97  | resource "aws_lb_target_group" "target_group_fargate" {
		98  |   # checkov:skip=CKV_AWS_261
		99  | 
		100 |   name                 = local.application_name
		101 |   port                 = local.app_port
		102 |   protocol             = "HTTP"
		103 |   vpc_id               = data.aws_vpc.shared.id
		104 |   target_type          = "ip"
		105 |   deregistration_delay = 30
		106 | 
		107 |   stickiness {
		108 |     type = "lb_cookie"
		109 |   }
		110 | 
		111 |   health_check {
		112 |     path                = "/User/Login?ReturnUrl=%2f"
		113 |     healthy_threshold   = "5"
		114 |     interval            = "120"
		115 |     protocol            = "HTTP"
		116 |     unhealthy_threshold = "2"
		117 |     matcher             = "200-499"
		118 |     timeout             = "5"
		119 |   }
		120 | 
		121 |   tags = merge(
		122 |     local.tags,
		123 |     {
		124 |       Name = local.application_name
		125 |     }
		126 |   )
		127 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.jitbit_alerting
	File: /monitoring.tf:6-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		6 | resource "aws_sns_topic" "jitbit_alerting" {
		7 |   name = "jitbit_alerting"
		8 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: pagerduty_core_alerts
	File: /monitoring.tf:37-44
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		37 | module "pagerduty_core_alerts" {
		38 |   depends_on = [
		39 |     aws_sns_topic.jitbit_alerting
		40 |   ]
		41 |   source                    = "github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0"
		42 |   sns_topics                = [aws_sns_topic.jitbit_alerting.name]
		43 |   pagerduty_integration_key = local.pagerduty_integration_key
		44 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.app_logs
	File: /monitoring_app.tf:1-6
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		1 | resource "aws_cloudwatch_log_group" "app_logs" {
		2 |   name              = "delius-jitbit-ecs"
		3 |   retention_in_days = 30
		4 | 
		5 |   tags = local.tags
		6 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.app_logs
	File: /monitoring_app.tf:1-6
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		1 | resource "aws_cloudwatch_log_group" "app_logs" {
		2 |   name              = "delius-jitbit-ecs"
		3 |   retention_in_days = 30
		4 | 
		5 |   tags = local.tags
		6 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: aws_db_instance.jitbit
	File: /rds.tf:43-89
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-354

		43 | resource "aws_db_instance" "jitbit" {
		44 |   engine         = "sqlserver-se"
		45 |   license_model  = "license-included"
		46 |   engine_version = local.application_data.accounts[local.environment].db_engine_version
		47 |   instance_class = local.application_data.accounts[local.environment].db_instance_class
		48 |   identifier     = "${local.application_name}-${local.environment}-database"
		49 |   username       = local.application_data.accounts[local.environment].db_user
		50 | 
		51 |   apply_immediately = false
		52 | 
		53 |   manage_master_user_password = true
		54 | 
		55 |   snapshot_identifier = try(local.application_data.accounts[local.environment].db_snapshot_identifier, null)
		56 | 
		57 |   # tflint-ignore: aws_db_instance_default_parameter_group
		58 |   parameter_group_name        = "default.sqlserver-se-15.0"
		59 |   ca_cert_identifier          = local.application_data.accounts[local.environment].db_ca_cert_identifier
		60 |   deletion_protection         = local.application_data.accounts[local.environment].db_deletion_protection
		61 |   delete_automated_backups    = local.application_data.accounts[local.environment].db_delete_automated_backups
		62 |   skip_final_snapshot         = local.skip_final_snapshot
		63 |   final_snapshot_identifier   = !local.skip_final_snapshot ? "${local.application_name}-${local.environment}-database-final-snapshot" : null
		64 |   allocated_storage           = local.application_data.accounts[local.environment].db_allocated_storage
		65 |   max_allocated_storage       = local.application_data.accounts[local.environment].db_max_allocated_storage
		66 |   storage_type                = local.application_data.accounts[local.environment].db_storage_type
		67 |   maintenance_window          = local.application_data.accounts[local.environment].db_maintenance_window
		68 |   auto_minor_version_upgrade  = local.application_data.accounts[local.environment].db_auto_minor_version_upgrade
		69 |   allow_major_version_upgrade = local.application_data.accounts[local.environment].db_allow_major_version_upgrade
		70 |   backup_window               = local.application_data.accounts[local.environment].db_backup_window
		71 |   backup_retention_period     = local.application_data.accounts[local.environment].db_retention_period
		72 |   #checkov:skip=CKV_AWS_133: "backup_retention enabled, can be edited it application_variables.json"
		73 |   iam_database_authentication_enabled = local.application_data.accounts[local.environment].db_iam_database_authentication_enabled
		74 |   #checkov:skip=CKV_AWS_161: "iam auth enabled, but optional"
		75 |   db_subnet_group_name   = aws_db_subnet_group.jitbit.id
		76 |   vpc_security_group_ids = [aws_security_group.database_security_group.id]
		77 |   multi_az               = local.application_data.accounts[local.environment].db_multi_az
		78 |   #checkov:skip=CKV_AWS_157: "multi-az enabled, but optional"
		79 |   monitoring_interval = local.application_data.accounts[local.environment].db_monitoring_interval
		80 |   monitoring_role_arn = local.application_data.accounts[local.environment].db_monitoring_interval == 0 ? "" : aws_iam_role.rds_enhanced_monitoring[0].arn
		81 |   #checkov:skip=CKV_AWS_118: "enhanced monitoring is enabled, but optional"
		82 |   storage_encrypted               = true
		83 |   performance_insights_enabled    = local.application_data.accounts[local.environment].db_performance_insights_enabled
		84 |   performance_insights_kms_key_id = "" #tfsec:ignore:aws-rds-enable-performance-insights-encryption Left empty so that it will run, however should be populated with real key in scenario.
		85 |   enabled_cloudwatch_logs_exports = local.application_data.accounts[local.environment].db_enabled_cloudwatch_logs_exports
		86 |   tags = merge(local.tags,
		87 |     { Name = lower(format("%s-%s-database", local.application_name, local.environment)) }
		88 |   )
		89 | }

Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
	FAILED for resource: aws_db_instance.jitbit
	File: /rds.tf:43-89
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-353

		43 | resource "aws_db_instance" "jitbit" {
		44 |   engine         = "sqlserver-se"
		45 |   license_model  = "license-included"
		46 |   engine_version = local.application_data.accounts[local.environment].db_engine_version
		47 |   instance_class = local.application_data.accounts[local.environment].db_instance_class
		48 |   identifier     = "${local.application_name}-${local.environment}-database"
		49 |   username       = local.application_data.accounts[local.environment].db_user
		50 | 
		51 |   apply_immediately = false
		52 | 
		53 |   manage_master_user_password = true
		54 | 
		55 |   snapshot_identifier = try(local.application_data.accounts[local.environment].db_snapshot_identifier, null)
		56 | 
		57 |   # tflint-ignore: aws_db_instance_default_parameter_group
		58 |   parameter_group_name        = "default.sqlserver-se-15.0"
		59 |   ca_cert_identifier          = local.application_data.accounts[local.environment].db_ca_cert_identifier
		60 |   deletion_protection         = local.application_data.accounts[local.environment].db_deletion_protection
		61 |   delete_automated_backups    = local.application_data.accounts[local.environment].db_delete_automated_backups
		62 |   skip_final_snapshot         = local.skip_final_snapshot
		63 |   final_snapshot_identifier   = !local.skip_final_snapshot ? "${local.application_name}-${local.environment}-database-final-snapshot" : null
		64 |   allocated_storage           = local.application_data.accounts[local.environment].db_allocated_storage
		65 |   max_allocated_storage       = local.application_data.accounts[local.environment].db_max_allocated_storage
		66 |   storage_type                = local.application_data.accounts[local.environment].db_storage_type
		67 |   maintenance_window          = local.application_data.accounts[local.environment].db_maintenance_window
		68 |   auto_minor_version_upgrade  = local.application_data.accounts[local.environment].db_auto_minor_version_upgrade
		69 |   allow_major_version_upgrade = local.application_data.accounts[local.environment].db_allow_major_version_upgrade
		70 |   backup_window               = local.application_data.accounts[local.environment].db_backup_window
		71 |   backup_retention_period     = local.application_data.accounts[local.environment].db_retention_period
		72 |   #checkov:skip=CKV_AWS_133: "backup_retention enabled, can be edited it application_variables.json"
		73 |   iam_database_authentication_enabled = local.application_data.accounts[local.environment].db_iam_database_authentication_enabled
		74 |   #checkov:skip=CKV_AWS_161: "iam auth enabled, but optional"
		75 |   db_subnet_group_name   = aws_db_subnet_group.jitbit.id
		76 |   vpc_security_group_ids = [aws_security_group.database_security_group.id]
		77 |   multi_az               = local.application_data.accounts[local.environment].db_multi_az
		78 |   #checkov:skip=CKV_AWS_157: "multi-az enabled, but optional"
		79 |   monitoring_interval = local.application_data.accounts[local.environment].db_monitoring_interval
		80 |   monitoring_role_arn = local.application_data.accounts[local.environment].db_monitoring_interval == 0 ? "" : aws_iam_role.rds_enhanced_monitoring[0].arn
		81 |   #checkov:skip=CKV_AWS_118: "enhanced monitoring is enabled, but optional"
		82 |   storage_encrypted               = true
		83 |   performance_insights_enabled    = local.application_data.accounts[local.environment].db_performance_insights_enabled
		84 |   performance_insights_kms_key_id = "" #tfsec:ignore:aws-rds-enable-performance-insights-encryption Left empty so that it will run, however should be populated with real key in scenario.
		85 |   enabled_cloudwatch_logs_exports = local.application_data.accounts[local.environment].db_enabled_cloudwatch_logs_exports
		86 |   tags = merge(local.tags,
		87 |     { Name = lower(format("%s-%s-database", local.application_name, local.environment)) }
		88 |   )
		89 | }

Check: CKV_AWS_226: "Ensure DB instance gets all minor upgrades automatically"
	FAILED for resource: aws_db_instance.jitbit
	File: /rds.tf:43-89
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-db-instance-gets-all-minor-upgrades-automatically

		43 | resource "aws_db_instance" "jitbit" {
		44 |   engine         = "sqlserver-se"
		45 |   license_model  = "license-included"
		46 |   engine_version = local.application_data.accounts[local.environment].db_engine_version
		47 |   instance_class = local.application_data.accounts[local.environment].db_instance_class
		48 |   identifier     = "${local.application_name}-${local.environment}-database"
		49 |   username       = local.application_data.accounts[local.environment].db_user
		50 | 
		51 |   apply_immediately = false
		52 | 
		53 |   manage_master_user_password = true
		54 | 
		55 |   snapshot_identifier = try(local.application_data.accounts[local.environment].db_snapshot_identifier, null)
		56 | 
		57 |   # tflint-ignore: aws_db_instance_default_parameter_group
		58 |   parameter_group_name        = "default.sqlserver-se-15.0"
		59 |   ca_cert_identifier          = local.application_data.accounts[local.environment].db_ca_cert_identifier
		60 |   deletion_protection         = local.application_data.accounts[local.environment].db_deletion_protection
		61 |   delete_automated_backups    = local.application_data.accounts[local.environment].db_delete_automated_backups
		62 |   skip_final_snapshot         = local.skip_final_snapshot
		63 |   final_snapshot_identifier   = !local.skip_final_snapshot ? "${local.application_name}-${local.environment}-database-final-snapshot" : null
		64 |   allocated_storage           = local.application_data.accounts[local.environment].db_allocated_storage
		65 |   max_allocated_storage       = local.application_data.accounts[local.environment].db_max_allocated_storage
		66 |   storage_type                = local.application_data.accounts[local.environment].db_storage_type
		67 |   maintenance_window          = local.application_data.accounts[local.environment].db_maintenance_window
		68 |   auto_minor_version_upgrade  = local.application_data.accounts[local.environment].db_auto_minor_version_upgrade
		69 |   allow_major_version_upgrade = local.application_data.accounts[local.environment].db_allow_major_version_upgrade
		70 |   backup_window               = local.application_data.accounts[local.environment].db_backup_window
		71 |   backup_retention_period     = local.application_data.accounts[local.environment].db_retention_period
		72 |   #checkov:skip=CKV_AWS_133: "backup_retention enabled, can be edited it application_variables.json"
		73 |   iam_database_authentication_enabled = local.application_data.accounts[local.environment].db_iam_database_authentication_enabled
		74 |   #checkov:skip=CKV_AWS_161: "iam auth enabled, but optional"
		75 |   db_subnet_group_name   = aws_db_subnet_group.jitbit.id
		76 |   vpc_security_group_ids = [aws_security_group.database_security_group.id]
		77 |   multi_az               = local.application_data.accounts[local.environment].db_multi_az
		78 |   #checkov:skip=CKV_AWS_157: "multi-az enabled, but optional"
		79 |   monitoring_interval = local.application_data.accounts[local.environment].db_monitoring_interval
		80 |   monitoring_role_arn = local.application_data.accounts[local.environment].db_monitoring_interval == 0 ? "" : aws_iam_role.rds_enhanced_monitoring[0].arn
		81 |   #checkov:skip=CKV_AWS_118: "enhanced monitoring is enabled, but optional"
		82 |   storage_encrypted               = true
		83 |   performance_insights_enabled    = local.application_data.accounts[local.environment].db_performance_insights_enabled
		84 |   performance_insights_kms_key_id = "" #tfsec:ignore:aws-rds-enable-performance-insights-encryption Left empty so that it will run, however should be populated with real key in scenario.
		85 |   enabled_cloudwatch_logs_exports = local.application_data.accounts[local.environment].db_enabled_cloudwatch_logs_exports
		86 |   tags = merge(local.tags,
		87 |     { Name = lower(format("%s-%s-database", local.application_name, local.environment)) }
		88 |   )
		89 | }

Check: CKV_AWS_211: "Ensure RDS uses a modern CaCert"
	FAILED for resource: aws_db_instance.jitbit
	File: /rds.tf:43-89
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-rds-uses-a-modern-cacert

		43 | resource "aws_db_instance" "jitbit" {
		44 |   engine         = "sqlserver-se"
		45 |   license_model  = "license-included"
		46 |   engine_version = local.application_data.accounts[local.environment].db_engine_version
		47 |   instance_class = local.application_data.accounts[local.environment].db_instance_class
		48 |   identifier     = "${local.application_name}-${local.environment}-database"
		49 |   username       = local.application_data.accounts[local.environment].db_user
		50 | 
		51 |   apply_immediately = false
		52 | 
		53 |   manage_master_user_password = true
		54 | 
		55 |   snapshot_identifier = try(local.application_data.accounts[local.environment].db_snapshot_identifier, null)
		56 | 
		57 |   # tflint-ignore: aws_db_instance_default_parameter_group
		58 |   parameter_group_name        = "default.sqlserver-se-15.0"
		59 |   ca_cert_identifier          = local.application_data.accounts[local.environment].db_ca_cert_identifier
		60 |   deletion_protection         = local.application_data.accounts[local.environment].db_deletion_protection
		61 |   delete_automated_backups    = local.application_data.accounts[local.environment].db_delete_automated_backups
		62 |   skip_final_snapshot         = local.skip_final_snapshot
		63 |   final_snapshot_identifier   = !local.skip_final_snapshot ? "${local.application_name}-${local.environment}-database-final-snapshot" : null
		64 |   allocated_storage           = local.application_data.accounts[local.environment].db_allocated_storage
		65 |   max_allocated_storage       = local.application_data.accounts[local.environment].db_max_allocated_storage
		66 |   storage_type                = local.application_data.accounts[local.environment].db_storage_type
		67 |   maintenance_window          = local.application_data.accounts[local.environment].db_maintenance_window
		68 |   auto_minor_version_upgrade  = local.application_data.accounts[local.environment].db_auto_minor_version_upgrade
		69 |   allow_major_version_upgrade = local.application_data.accounts[local.environment].db_allow_major_version_upgrade
		70 |   backup_window               = local.application_data.accounts[local.environment].db_backup_window
		71 |   backup_retention_period     = local.application_data.accounts[local.environment].db_retention_period
		72 |   #checkov:skip=CKV_AWS_133: "backup_retention enabled, can be edited it application_variables.json"
		73 |   iam_database_authentication_enabled = local.application_data.accounts[local.environment].db_iam_database_authentication_enabled
		74 |   #checkov:skip=CKV_AWS_161: "iam auth enabled, but optional"
		75 |   db_subnet_group_name   = aws_db_subnet_group.jitbit.id
		76 |   vpc_security_group_ids = [aws_security_group.database_security_group.id]
		77 |   multi_az               = local.application_data.accounts[local.environment].db_multi_az
		78 |   #checkov:skip=CKV_AWS_157: "multi-az enabled, but optional"
		79 |   monitoring_interval = local.application_data.accounts[local.environment].db_monitoring_interval
		80 |   monitoring_role_arn = local.application_data.accounts[local.environment].db_monitoring_interval == 0 ? "" : aws_iam_role.rds_enhanced_monitoring[0].arn
		81 |   #checkov:skip=CKV_AWS_118: "enhanced monitoring is enabled, but optional"
		82 |   storage_encrypted               = true
		83 |   performance_insights_enabled    = local.application_data.accounts[local.environment].db_performance_insights_enabled
		84 |   performance_insights_kms_key_id = "" #tfsec:ignore:aws-rds-enable-performance-insights-encryption Left empty so that it will run, however should be populated with real key in scenario.
		85 |   enabled_cloudwatch_logs_exports = local.application_data.accounts[local.environment].db_enabled_cloudwatch_logs_exports
		86 |   tags = merge(local.tags,
		87 |     { Name = lower(format("%s-%s-database", local.application_name, local.environment)) }
		88 |   )
		89 | }

Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
	FAILED for resource: aws_db_instance.jitbit
	File: /rds.tf:43-89
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-293

		43 | resource "aws_db_instance" "jitbit" {
		44 |   engine         = "sqlserver-se"
		45 |   license_model  = "license-included"
		46 |   engine_version = local.application_data.accounts[local.environment].db_engine_version
		47 |   instance_class = local.application_data.accounts[local.environment].db_instance_class
		48 |   identifier     = "${local.application_name}-${local.environment}-database"
		49 |   username       = local.application_data.accounts[local.environment].db_user
		50 | 
		51 |   apply_immediately = false
		52 | 
		53 |   manage_master_user_password = true
		54 | 
		55 |   snapshot_identifier = try(local.application_data.accounts[local.environment].db_snapshot_identifier, null)
		56 | 
		57 |   # tflint-ignore: aws_db_instance_default_parameter_group
		58 |   parameter_group_name        = "default.sqlserver-se-15.0"
		59 |   ca_cert_identifier          = local.application_data.accounts[local.environment].db_ca_cert_identifier
		60 |   deletion_protection         = local.application_data.accounts[local.environment].db_deletion_protection
		61 |   delete_automated_backups    = local.application_data.accounts[local.environment].db_delete_automated_backups
		62 |   skip_final_snapshot         = local.skip_final_snapshot
		63 |   final_snapshot_identifier   = !local.skip_final_snapshot ? "${local.application_name}-${local.environment}-database-final-snapshot" : null
		64 |   allocated_storage           = local.application_data.accounts[local.environment].db_allocated_storage
		65 |   max_allocated_storage       = local.application_data.accounts[local.environment].db_max_allocated_storage
		66 |   storage_type                = local.application_data.accounts[local.environment].db_storage_type
		67 |   maintenance_window          = local.application_data.accounts[local.environment].db_maintenance_window
		68 |   auto_minor_version_upgrade  = local.application_data.accounts[local.environment].db_auto_minor_version_upgrade
		69 |   allow_major_version_upgrade = local.application_data.accounts[local.environment].db_allow_major_version_upgrade
		70 |   backup_window               = local.application_data.accounts[local.environment].db_backup_window
		71 |   backup_retention_period     = local.application_data.accounts[local.environment].db_retention_period
		72 |   #checkov:skip=CKV_AWS_133: "backup_retention enabled, can be edited it application_variables.json"
		73 |   iam_database_authentication_enabled = local.application_data.accounts[local.environment].db_iam_database_authentication_enabled
		74 |   #checkov:skip=CKV_AWS_161: "iam auth enabled, but optional"
		75 |   db_subnet_group_name   = aws_db_subnet_group.jitbit.id
		76 |   vpc_security_group_ids = [aws_security_group.database_security_group.id]
		77 |   multi_az               = local.application_data.accounts[local.environment].db_multi_az
		78 |   #checkov:skip=CKV_AWS_157: "multi-az enabled, but optional"
		79 |   monitoring_interval = local.application_data.accounts[local.environment].db_monitoring_interval
		80 |   monitoring_role_arn = local.application_data.accounts[local.environment].db_monitoring_interval == 0 ? "" : aws_iam_role.rds_enhanced_monitoring[0].arn
		81 |   #checkov:skip=CKV_AWS_118: "enhanced monitoring is enabled, but optional"
		82 |   storage_encrypted               = true
		83 |   performance_insights_enabled    = local.application_data.accounts[local.environment].db_performance_insights_enabled
		84 |   performance_insights_kms_key_id = "" #tfsec:ignore:aws-rds-enable-performance-insights-encryption Left empty so that it will run, however should be populated with real key in scenario.
		85 |   enabled_cloudwatch_logs_exports = local.application_data.accounts[local.environment].db_enabled_cloudwatch_logs_exports
		86 |   tags = merge(local.tags,
		87 |     { Name = lower(format("%s-%s-database", local.application_name, local.environment)) }
		88 |   )
		89 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: jitbit_bucket
	File: /s3.tf:1-84
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.jitbit_sandbox
	File: /sandbox_ecs.tf:92-97
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		92 | resource "aws_cloudwatch_log_group" "jitbit_sandbox" {
		93 |   count = local.is-development ? 1 : 0
		94 | 
		95 |   name              = format("%s-%s-ecs", local.application_name, "sandbox")
		96 |   retention_in_days = 30
		97 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.jitbit_sandbox
	File: /sandbox_ecs.tf:92-97
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		92 | resource "aws_cloudwatch_log_group" "jitbit_sandbox" {
		93 |   count = local.is-development ? 1 : 0
		94 | 
		95 |   name              = format("%s-%s-ecs", local.application_name, "sandbox")
		96 |   retention_in_days = 30
		97 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: ecs_sandbox
	File: /sandbox_ecs.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		1  | module "ecs_sandbox" {
		2  |   count = local.is-development ? 1 : 0
		3  | 
		4  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//cluster?ref=v2.0.1"
		5  | 
		6  |   environment = local.environment
		7  |   name        = "${local.application_name}-sandbox"
		8  | 
		9  |   tags = local.tags
		10 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3_bucket_app_deployment_sandbox
	File: /sandbox_ecs.tf:12-53
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		12 | module "s3_bucket_app_deployment_sandbox" {
		13 |   count = local.is-development ? 1 : 0
		14 | 
		15 |   source = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0"
		16 | 
		17 |   providers = {
		18 |     aws.bucket-replication = aws
		19 |   }
		20 |   bucket_name        = "${local.application_name}-sandbox-deployment"
		21 |   versioning_enabled = true
		22 | 
		23 |   ownership_controls = "BucketOwnerEnforced"
		24 | 
		25 |   lifecycle_rule = [
		26 |     {
		27 |       id      = "main"
		28 |       enabled = "Enabled"
		29 |       prefix  = ""
		30 | 
		31 |       tags = {
		32 |         rule      = "log"
		33 |         autoclean = "true"
		34 |       }
		35 | 
		36 |       noncurrent_version_transition = [
		37 |         {
		38 |           days          = 90
		39 |           storage_class = "STANDARD_IA"
		40 |           }, {
		41 |           days          = 365
		42 |           storage_class = "GLACIER"
		43 |         }
		44 |       ]
		45 | 
		46 |       noncurrent_version_expiration = {
		47 |         days = 730
		48 |       }
		49 |     }
		50 |   ]
		51 | 
		52 |   tags = local.tags
		53 | }

Check: CKV_AWS_378: "Ensure AWS Load Balancer doesn't use HTTP protocol"
	FAILED for resource: aws_lb_target_group.target_group_fargate_sandbox
	File: /sandbox_lb.tf:18-50

		18 | resource "aws_lb_target_group" "target_group_fargate_sandbox" {
		19 |   # checkov:skip=CKV_AWS_261
		20 | 
		21 |   count = local.is-development ? 1 : 0
		22 | 
		23 |   name                 = "${local.application_name}-sandbox"
		24 |   port                 = local.app_port
		25 |   protocol             = "HTTP"
		26 |   vpc_id               = data.aws_vpc.shared.id
		27 |   target_type          = "ip"
		28 |   deregistration_delay = 30
		29 | 
		30 |   stickiness {
		31 |     type = "lb_cookie"
		32 |   }
		33 | 
		34 |   health_check {
		35 |     path                = "/User/Login?ReturnUrl=%2f"
		36 |     healthy_threshold   = "5"
		37 |     interval            = "30"
		38 |     protocol            = "HTTP"
		39 |     unhealthy_threshold = "2"
		40 |     matcher             = "200-499"
		41 |     timeout             = "5"
		42 |   }
		43 | 
		44 |   tags = merge(
		45 |     local.tags,
		46 |     {
		47 |       Name = "${local.application_name}-sandbox"
		48 |     }
		49 |   )
		50 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: aws_db_instance.jitbit_sandbox
	File: /sandbox_rds.tf:27-71
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-354

		27 | resource "aws_db_instance" "jitbit_sandbox" {
		28 |   count = local.is-development ? 1 : 0
		29 | 
		30 |   engine         = "sqlserver-se"
		31 |   license_model  = "license-included"
		32 |   engine_version = local.application_data.accounts["sandbox"].db_engine_version
		33 |   instance_class = local.application_data.accounts["sandbox"].db_instance_class
		34 |   identifier     = "${local.application_name}-sandbox-database"
		35 |   username       = local.application_data.accounts["sandbox"].db_user
		36 | 
		37 |   manage_master_user_password = true
		38 | 
		39 |   snapshot_identifier = try(local.application_data.accounts["sandbox"].db_snapshot_identifier, null)
		40 | 
		41 |   # tflint-ignore: aws_db_instance_default_parameter_group
		42 |   parameter_group_name        = "default.sqlserver-se-15.0"
		43 |   ca_cert_identifier          = local.application_data.accounts["sandbox"].db_ca_cert_identifier
		44 |   deletion_protection         = local.application_data.accounts["sandbox"].db_deletion_protection
		45 |   delete_automated_backups    = local.application_data.accounts["sandbox"].db_delete_automated_backups
		46 |   skip_final_snapshot         = local.application_data.accounts["sandbox"].db_skip_final_snapshot
		47 |   final_snapshot_identifier   = !local.skip_final_snapshot ? "${local.application_name}-sandbox-database-final-snapshot" : null
		48 |   allocated_storage           = local.application_data.accounts["sandbox"].db_allocated_storage
		49 |   max_allocated_storage       = local.application_data.accounts["sandbox"].db_max_allocated_storage
		50 |   storage_type                = local.application_data.accounts["sandbox"].db_storage_type
		51 |   maintenance_window          = local.application_data.accounts["sandbox"].db_maintenance_window
		52 |   auto_minor_version_upgrade  = local.application_data.accounts["sandbox"].db_auto_minor_version_upgrade
		53 |   allow_major_version_upgrade = local.application_data.accounts["sandbox"].db_allow_major_version_upgrade
		54 |   backup_window               = local.application_data.accounts["sandbox"].db_backup_window
		55 |   backup_retention_period     = local.application_data.accounts["sandbox"].db_retention_period
		56 |   #checkov:skip=CKV_AWS_133: "backup_retention enabled, can be edited it application_variables.json"
		57 |   iam_database_authentication_enabled = local.application_data.accounts["sandbox"].db_iam_database_authentication_enabled
		58 |   #checkov:skip=CKV_AWS_161: "iam auth enabled, but optional"
		59 |   db_subnet_group_name   = aws_db_subnet_group.jitbit.id
		60 |   vpc_security_group_ids = [aws_security_group.database_security_group_sandbox[0].id]
		61 |   multi_az               = local.application_data.accounts["sandbox"].db_multi_az
		62 |   #checkov:skip=CKV_AWS_157: "multi-az enabled, but optional"
		63 |   storage_encrypted = true
		64 | 
		65 |   tags = merge(
		66 |     local.tags,
		67 |     {
		68 |       Name = lower(format("%s-%s-database", local.application_name, "sandbox"))
		69 |     }
		70 |   )
		71 | }

Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
	FAILED for resource: aws_db_instance.jitbit_sandbox
	File: /sandbox_rds.tf:27-71
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances

		27 | resource "aws_db_instance" "jitbit_sandbox" {
		28 |   count = local.is-development ? 1 : 0
		29 | 
		30 |   engine         = "sqlserver-se"
		31 |   license_model  = "license-included"
		32 |   engine_version = local.application_data.accounts["sandbox"].db_engine_version
		33 |   instance_class = local.application_data.accounts["sandbox"].db_instance_class
		34 |   identifier     = "${local.application_name}-sandbox-database"
		35 |   username       = local.application_data.accounts["sandbox"].db_user
		36 | 
		37 |   manage_master_user_password = true
		38 | 
		39 |   snapshot_identifier = try(local.application_data.accounts["sandbox"].db_snapshot_identifier, null)
		40 | 
		41 |   # tflint-ignore: aws_db_instance_default_parameter_group
		42 |   parameter_group_name        = "default.sqlserver-se-15.0"
		43 |   ca_cert_identifier          = local.application_data.accounts["sandbox"].db_ca_cert_identifier
		44 |   deletion_protection         = local.application_data.accounts["sandbox"].db_deletion_protection
		45 |   delete_automated_backups    = local.application_data.accounts["sandbox"].db_delete_automated_backups
		46 |   skip_final_snapshot         = local.application_data.accounts["sandbox"].db_skip_final_snapshot
		47 |   final_snapshot_identifier   = !local.skip_final_snapshot ? "${local.application_name}-sandbox-database-final-snapshot" : null
		48 |   allocated_storage           = local.application_data.accounts["sandbox"].db_allocated_storage
		49 |   max_allocated_storage       = local.application_data.accounts["sandbox"].db_max_allocated_storage
		50 |   storage_type                = local.application_data.accounts["sandbox"].db_storage_type
		51 |   maintenance_window          = local.application_data.accounts["sandbox"].db_maintenance_window
		52 |   auto_minor_version_upgrade  = local.application_data.accounts["sandbox"].db_auto_minor_version_upgrade
		53 |   allow_major_version_upgrade = local.application_data.accounts["sandbox"].db_allow_major_version_upgrade
		54 |   backup_window               = local.application_data.accounts["sandbox"].db_backup_window
		55 |   backup_retention_period     = local.application_data.accounts["sandbox"].db_retention_period
		56 |   #checkov:skip=CKV_AWS_133: "backup_retention enabled, can be edited it application_variables.json"
		57 |   iam_database_authentication_enabled = local.application_data.accounts["sandbox"].db_iam_database_authentication_enabled
		58 |   #checkov:skip=CKV_AWS_161: "iam auth enabled, but optional"
		59 |   db_subnet_group_name   = aws_db_subnet_group.jitbit.id
		60 |   vpc_security_group_ids = [aws_security_group.database_security_group_sandbox[0].id]
		61 |   multi_az               = local.application_data.accounts["sandbox"].db_multi_az
		62 |   #checkov:skip=CKV_AWS_157: "multi-az enabled, but optional"
		63 |   storage_encrypted = true
		64 | 
		65 |   tags = merge(
		66 |     local.tags,
		67 |     {
		68 |       Name = lower(format("%s-%s-database", local.application_name, "sandbox"))
		69 |     }
		70 |   )
		71 | }

Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
	FAILED for resource: aws_db_instance.jitbit_sandbox
	File: /sandbox_rds.tf:27-71
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-353

		27 | resource "aws_db_instance" "jitbit_sandbox" {
		28 |   count = local.is-development ? 1 : 0
		29 | 
		30 |   engine         = "sqlserver-se"
		31 |   license_model  = "license-included"
		32 |   engine_version = local.application_data.accounts["sandbox"].db_engine_version
		33 |   instance_class = local.application_data.accounts["sandbox"].db_instance_class
		34 |   identifier     = "${local.application_name}-sandbox-database"
		35 |   username       = local.application_data.accounts["sandbox"].db_user
		36 | 
		37 |   manage_master_user_password = true
		38 | 
		39 |   snapshot_identifier = try(local.application_data.accounts["sandbox"].db_snapshot_identifier, null)
		40 | 
		41 |   # tflint-ignore: aws_db_instance_default_parameter_group
		42 |   parameter_group_name        = "default.sqlserver-se-15.0"
		43 |   ca_cert_identifier          = local.application_data.accounts["sandbox"].db_ca_cert_identifier
		44 |   deletion_protection         = local.application_data.accounts["sandbox"].db_deletion_protection
		45 |   delete_automated_backups    = local.application_data.accounts["sandbox"].db_delete_automated_backups
		46 |   skip_final_snapshot         = local.application_data.accounts["sandbox"].db_skip_final_snapshot
		47 |   final_snapshot_identifier   = !local.skip_final_snapshot ? "${local.application_name}-sandbox-database-final-snapshot" : null
		48 |   allocated_storage           = local.application_data.accounts["sandbox"].db_allocated_storage
		49 |   max_allocated_storage       = local.application_data.accounts["sandbox"].db_max_allocated_storage
		50 |   storage_type                = local.application_data.accounts["sandbox"].db_storage_type
		51 |   maintenance_window          = local.application_data.accounts["sandbox"].db_maintenance_window
		52 |   auto_minor_version_upgrade  = local.application_data.accounts["sandbox"].db_auto_minor_version_upgrade
		53 |   allow_major_version_upgrade = local.application_data.accounts["sandbox"].db_allow_major_version_upgrade
		54 |   backup_window               = local.application_data.accounts["sandbox"].db_backup_window
		55 |   backup_retention_period     = local.application_data.accounts["sandbox"].db_retention_period
		56 |   #checkov:skip=CKV_AWS_133: "backup_retention enabled, can be edited it application_variables.json"
		57 |   iam_database_authentication_enabled = local.application_data.accounts["sandbox"].db_iam_database_authentication_enabled
		58 |   #checkov:skip=CKV_AWS_161: "iam auth enabled, but optional"
		59 |   db_subnet_group_name   = aws_db_subnet_group.jitbit.id
		60 |   vpc_security_group_ids = [aws_security_group.database_security_group_sandbox[0].id]
		61 |   multi_az               = local.application_data.accounts["sandbox"].db_multi_az
		62 |   #checkov:skip=CKV_AWS_157: "multi-az enabled, but optional"
		63 |   storage_encrypted = true
		64 | 
		65 |   tags = merge(
		66 |     local.tags,
		67 |     {
		68 |       Name = lower(format("%s-%s-database", local.application_name, "sandbox"))
		69 |     }
		70 |   )
		71 | }

Check: CKV_AWS_226: "Ensure DB instance gets all minor upgrades automatically"
	FAILED for resource: aws_db_instance.jitbit_sandbox
	File: /sandbox_rds.tf:27-71
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-db-instance-gets-all-minor-upgrades-automatically

		27 | resource "aws_db_instance" "jitbit_sandbox" {
		28 |   count = local.is-development ? 1 : 0
		29 | 
		30 |   engine         = "sqlserver-se"
		31 |   license_model  = "license-included"
		32 |   engine_version = local.application_data.accounts["sandbox"].db_engine_version
		33 |   instance_class = local.application_data.accounts["sandbox"].db_instance_class
		34 |   identifier     = "${local.application_name}-sandbox-database"
		35 |   username       = local.application_data.accounts["sandbox"].db_user
		36 | 
		37 |   manage_master_user_password = true
		38 | 
		39 |   snapshot_identifier = try(local.application_data.accounts["sandbox"].db_snapshot_identifier, null)
		40 | 
		41 |   # tflint-ignore: aws_db_instance_default_parameter_group
		42 |   parameter_group_name        = "default.sqlserver-se-15.0"
		43 |   ca_cert_identifier          = local.application_data.accounts["sandbox"].db_ca_cert_identifier
		44 |   deletion_protection         = local.application_data.accounts["sandbox"].db_deletion_protection
		45 |   delete_automated_backups    = local.application_data.accounts["sandbox"].db_delete_automated_backups
		46 |   skip_final_snapshot         = local.application_data.accounts["sandbox"].db_skip_final_snapshot
		47 |   final_snapshot_identifier   = !local.skip_final_snapshot ? "${local.application_name}-sandbox-database-final-snapshot" : null
		48 |   allocated_storage           = local.application_data.accounts["sandbox"].db_allocated_storage
		49 |   max_allocated_storage       = local.application_data.accounts["sandbox"].db_max_allocated_storage
		50 |   storage_type                = local.application_data.accounts["sandbox"].db_storage_type
		51 |   maintenance_window          = local.application_data.accounts["sandbox"].db_maintenance_window
		52 |   auto_minor_version_upgrade  = local.application_data.accounts["sandbox"].db_auto_minor_version_upgrade
		53 |   allow_major_version_upgrade = local.application_data.accounts["sandbox"].db_allow_major_version_upgrade
		54 |   backup_window               = local.application_data.accounts["sandbox"].db_backup_window
		55 |   backup_retention_period     = local.application_data.accounts["sandbox"].db_retention_period
		56 |   #checkov:skip=CKV_AWS_133: "backup_retention enabled, can be edited it application_variables.json"
		57 |   iam_database_authentication_enabled = local.application_data.accounts["sandbox"].db_iam_database_authentication_enabled
		58 |   #checkov:skip=CKV_AWS_161: "iam auth enabled, but optional"
		59 |   db_subnet_group_name   = aws_db_subnet_group.jitbit.id
		60 |   vpc_security_group_ids = [aws_security_group.database_security_group_sandbox[0].id]
		61 |   multi_az               = local.application_data.accounts["sandbox"].db_multi_az
		62 |   #checkov:skip=CKV_AWS_157: "multi-az enabled, but optional"
		63 |   storage_encrypted = true
		64 | 
		65 |   tags = merge(
		66 |     local.tags,
		67 |     {
		68 |       Name = lower(format("%s-%s-database", local.application_name, "sandbox"))
		69 |     }
		70 |   )
		71 | }

Check: CKV_AWS_211: "Ensure RDS uses a modern CaCert"
	FAILED for resource: aws_db_instance.jitbit_sandbox
	File: /sandbox_rds.tf:27-71
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-rds-uses-a-modern-cacert

		27 | resource "aws_db_instance" "jitbit_sandbox" {
		28 |   count = local.is-development ? 1 : 0
		29 | 
		30 |   engine         = "sqlserver-se"
		31 |   license_model  = "license-included"
		32 |   engine_version = local.application_data.accounts["sandbox"].db_engine_version
		33 |   instance_class = local.application_data.accounts["sandbox"].db_instance_class
		34 |   identifier     = "${local.application_name}-sandbox-database"
		35 |   username       = local.application_data.accounts["sandbox"].db_user
		36 | 
		37 |   manage_master_user_password = true
		38 | 
		39 |   snapshot_identifier = try(local.application_data.accounts["sandbox"].db_snapshot_identifier, null)
		40 | 
		41 |   # tflint-ignore: aws_db_instance_default_parameter_group
		42 |   parameter_group_name        = "default.sqlserver-se-15.0"
		43 |   ca_cert_identifier          = local.application_data.accounts["sandbox"].db_ca_cert_identifier
		44 |   deletion_protection         = local.application_data.accounts["sandbox"].db_deletion_protection
		45 |   delete_automated_backups    = local.application_data.accounts["sandbox"].db_delete_automated_backups
		46 |   skip_final_snapshot         = local.application_data.accounts["sandbox"].db_skip_final_snapshot
		47 |   final_snapshot_identifier   = !local.skip_final_snapshot ? "${local.application_name}-sandbox-database-final-snapshot" : null
		48 |   allocated_storage           = local.application_data.accounts["sandbox"].db_allocated_storage
		49 |   max_allocated_storage       = local.application_data.accounts["sandbox"].db_max_allocated_storage
		50 |   storage_type                = local.application_data.accounts["sandbox"].db_storage_type
		51 |   maintenance_window          = local.application_data.accounts["sandbox"].db_maintenance_window
		52 |   auto_minor_version_upgrade  = local.application_data.accounts["sandbox"].db_auto_minor_version_upgrade
		53 |   allow_major_version_upgrade = local.application_data.accounts["sandbox"].db_allow_major_version_upgrade
		54 |   backup_window               = local.application_data.accounts["sandbox"].db_backup_window
		55 |   backup_retention_period     = local.application_data.accounts["sandbox"].db_retention_period
		56 |   #checkov:skip=CKV_AWS_133: "backup_retention enabled, can be edited it application_variables.json"
		57 |   iam_database_authentication_enabled = local.application_data.accounts["sandbox"].db_iam_database_authentication_enabled
		58 |   #checkov:skip=CKV_AWS_161: "iam auth enabled, but optional"
		59 |   db_subnet_group_name   = aws_db_subnet_group.jitbit.id
		60 |   vpc_security_group_ids = [aws_security_group.database_security_group_sandbox[0].id]
		61 |   multi_az               = local.application_data.accounts["sandbox"].db_multi_az
		62 |   #checkov:skip=CKV_AWS_157: "multi-az enabled, but optional"
		63 |   storage_encrypted = true
		64 | 
		65 |   tags = merge(
		66 |     local.tags,
		67 |     {
		68 |       Name = lower(format("%s-%s-database", local.application_name, "sandbox"))
		69 |     }
		70 |   )
		71 | }

Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
	FAILED for resource: aws_db_instance.jitbit_sandbox
	File: /sandbox_rds.tf:27-71
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-293

		27 | resource "aws_db_instance" "jitbit_sandbox" {
		28 |   count = local.is-development ? 1 : 0
		29 | 
		30 |   engine         = "sqlserver-se"
		31 |   license_model  = "license-included"
		32 |   engine_version = local.application_data.accounts["sandbox"].db_engine_version
		33 |   instance_class = local.application_data.accounts["sandbox"].db_instance_class
		34 |   identifier     = "${local.application_name}-sandbox-database"
		35 |   username       = local.application_data.accounts["sandbox"].db_user
		36 | 
		37 |   manage_master_user_password = true
		38 | 
		39 |   snapshot_identifier = try(local.application_data.accounts["sandbox"].db_snapshot_identifier, null)
		40 | 
		41 |   # tflint-ignore: aws_db_instance_default_parameter_group
		42 |   parameter_group_name        = "default.sqlserver-se-15.0"
		43 |   ca_cert_identifier          = local.application_data.accounts["sandbox"].db_ca_cert_identifier
		44 |   deletion_protection         = local.application_data.accounts["sandbox"].db_deletion_protection
		45 |   delete_automated_backups    = local.application_data.accounts["sandbox"].db_delete_automated_backups
		46 |   skip_final_snapshot         = local.application_data.accounts["sandbox"].db_skip_final_snapshot
		47 |   final_snapshot_identifier   = !local.skip_final_snapshot ? "${local.application_name}-sandbox-database-final-snapshot" : null
		48 |   allocated_storage           = local.application_data.accounts["sandbox"].db_allocated_storage
		49 |   max_allocated_storage       = local.application_data.accounts["sandbox"].db_max_allocated_storage
		50 |   storage_type                = local.application_data.accounts["sandbox"].db_storage_type
		51 |   maintenance_window          = local.application_data.accounts["sandbox"].db_maintenance_window
		52 |   auto_minor_version_upgrade  = local.application_data.accounts["sandbox"].db_auto_minor_version_upgrade
		53 |   allow_major_version_upgrade = local.application_data.accounts["sandbox"].db_allow_major_version_upgrade
		54 |   backup_window               = local.application_data.accounts["sandbox"].db_backup_window
		55 |   backup_retention_period     = local.application_data.accounts["sandbox"].db_retention_period
		56 |   #checkov:skip=CKV_AWS_133: "backup_retention enabled, can be edited it application_variables.json"
		57 |   iam_database_authentication_enabled = local.application_data.accounts["sandbox"].db_iam_database_authentication_enabled
		58 |   #checkov:skip=CKV_AWS_161: "iam auth enabled, but optional"
		59 |   db_subnet_group_name   = aws_db_subnet_group.jitbit.id
		60 |   vpc_security_group_ids = [aws_security_group.database_security_group_sandbox[0].id]
		61 |   multi_az               = local.application_data.accounts["sandbox"].db_multi_az
		62 |   #checkov:skip=CKV_AWS_157: "multi-az enabled, but optional"
		63 |   storage_encrypted = true
		64 | 
		65 |   tags = merge(
		66 |     local.tags,
		67 |     {
		68 |       Name = lower(format("%s-%s-database", local.application_name, "sandbox"))
		69 |     }
		70 |   )
		71 | }

Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
	FAILED for resource: aws_db_instance.jitbit_sandbox
	File: /sandbox_rds.tf:27-71
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled

		27 | resource "aws_db_instance" "jitbit_sandbox" {
		28 |   count = local.is-development ? 1 : 0
		29 | 
		30 |   engine         = "sqlserver-se"
		31 |   license_model  = "license-included"
		32 |   engine_version = local.application_data.accounts["sandbox"].db_engine_version
		33 |   instance_class = local.application_data.accounts["sandbox"].db_instance_class
		34 |   identifier     = "${local.application_name}-sandbox-database"
		35 |   username       = local.application_data.accounts["sandbox"].db_user
		36 | 
		37 |   manage_master_user_password = true
		38 | 
		39 |   snapshot_identifier = try(local.application_data.accounts["sandbox"].db_snapshot_identifier, null)
		40 | 
		41 |   # tflint-ignore: aws_db_instance_default_parameter_group
		42 |   parameter_group_name        = "default.sqlserver-se-15.0"
		43 |   ca_cert_identifier          = local.application_data.accounts["sandbox"].db_ca_cert_identifier
		44 |   deletion_protection         = local.application_data.accounts["sandbox"].db_deletion_protection
		45 |   delete_automated_backups    = local.application_data.accounts["sandbox"].db_delete_automated_backups
		46 |   skip_final_snapshot         = local.application_data.accounts["sandbox"].db_skip_final_snapshot
		47 |   final_snapshot_identifier   = !local.skip_final_snapshot ? "${local.application_name}-sandbox-database-final-snapshot" : null
		48 |   allocated_storage           = local.application_data.accounts["sandbox"].db_allocated_storage
		49 |   max_allocated_storage       = local.application_data.accounts["sandbox"].db_max_allocated_storage
		50 |   storage_type                = local.application_data.accounts["sandbox"].db_storage_type
		51 |   maintenance_window          = local.application_data.accounts["sandbox"].db_maintenance_window
		52 |   auto_minor_version_upgrade  = local.application_data.accounts["sandbox"].db_auto_minor_version_upgrade
		53 |   allow_major_version_upgrade = local.application_data.accounts["sandbox"].db_allow_major_version_upgrade
		54 |   backup_window               = local.application_data.accounts["sandbox"].db_backup_window
		55 |   backup_retention_period     = local.application_data.accounts["sandbox"].db_retention_period
		56 |   #checkov:skip=CKV_AWS_133: "backup_retention enabled, can be edited it application_variables.json"
		57 |   iam_database_authentication_enabled = local.application_data.accounts["sandbox"].db_iam_database_authentication_enabled
		58 |   #checkov:skip=CKV_AWS_161: "iam auth enabled, but optional"
		59 |   db_subnet_group_name   = aws_db_subnet_group.jitbit.id
		60 |   vpc_security_group_ids = [aws_security_group.database_security_group_sandbox[0].id]
		61 |   multi_az               = local.application_data.accounts["sandbox"].db_multi_az
		62 |   #checkov:skip=CKV_AWS_157: "multi-az enabled, but optional"
		63 |   storage_encrypted = true
		64 | 
		65 |   tags = merge(
		66 |     local.tags,
		67 |     {
		68 |       Name = lower(format("%s-%s-database", local.application_name, "sandbox"))
		69 |     }
		70 |   )
		71 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: jitbit_bucket_sandbox
	File: /sandbox_s3.tf:1-86
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
	FAILED for resource: aws_iam_user.jitbit_ses_smtp_user
	File: /ses.tf:101-103
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-273

		101 | resource "aws_iam_user" "jitbit_ses_smtp_user" {
		102 |   name = "${local.environment}-jitbit-smtp-user"
		103 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_user_policy.jitbit_ses_smtp_user
	File: /ses.tf:109-126
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		109 | resource "aws_iam_user_policy" "jitbit_ses_smtp_user" {
		110 |   name = "${local.environment}-jitbit-ses-smtp-user-policy"
		111 |   user = aws_iam_user.jitbit_ses_smtp_user.name
		112 | 
		113 |   policy = jsonencode({
		114 |     Version = "2012-10-17",
		115 |     Statement = [
		116 |       {
		117 |         Effect = "Allow",
		118 |         Action = [
		119 |           "ses:SendRawEmail",
		120 |           "ses:SendEmail"
		121 |         ],
		122 |         Resource = "*"
		123 |       }
		124 |     ]
		125 |   })
		126 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_user_policy.jitbit_ses_smtp_user
	File: /ses.tf:109-126
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		109 | resource "aws_iam_user_policy" "jitbit_ses_smtp_user" {
		110 |   name = "${local.environment}-jitbit-ses-smtp-user-policy"
		111 |   user = aws_iam_user.jitbit_ses_smtp_user.name
		112 | 
		113 |   policy = jsonencode({
		114 |     Version = "2012-10-17",
		115 |     Statement = [
		116 |       {
		117 |         Effect = "Allow",
		118 |         Action = [
		119 |           "ses:SendRawEmail",
		120 |           "ses:SendEmail"
		121 |         ],
		122 |         Resource = "*"
		123 |       }
		124 |     ]
		125 |   })
		126 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.jitbit_ses_smtp_user
	File: /ses.tf:128-138
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		128 | resource "aws_ssm_parameter" "jitbit_ses_smtp_user" {
		129 |   name = "/${local.environment}/jitbit/ses_smtp"
		130 |   type = "SecureString"
		131 |   value = jsonencode({
		132 |     user              = aws_iam_user.jitbit_ses_smtp_user.name,
		133 |     key               = aws_iam_access_key.jitbit_ses_smtp_user.id,
		134 |     secret            = aws_iam_access_key.jitbit_ses_smtp_user.secret
		135 |     ses_smtp_user     = aws_iam_access_key.jitbit_ses_smtp_user.id
		136 |     ses_smtp_password = aws_iam_access_key.jitbit_ses_smtp_user.ses_smtp_password_v4
		137 |   })
		138 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.jitbit_ses_destination_topic_bounce_email_notification
	File: /ses_bounce.tf:1-5
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		1 | resource "aws_sns_topic" "jitbit_ses_destination_topic_bounce_email_notification" {
		2 |   name = format("%s-ses-destination-topic-bounce-email-notification", local.application_name)
		3 | 
		4 |   tags = local.tags
		5 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.bounce_email_notification
	File: /ses_bounce.tf:30-54
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		30 | resource "aws_lambda_function" "bounce_email_notification" {
		31 |   filename         = "${path.module}/lambda/bounce_email_notification/bounce_email_notification.zip"
		32 |   function_name    = "bounce_email_notification"
		33 |   architectures    = ["arm64"]
		34 |   role             = aws_iam_role.lambda_bounce_email_notification.arn
		35 |   runtime          = "python3.12"
		36 |   handler          = "bounce_email_notification.handler"
		37 |   source_code_hash = data.archive_file.lambda_function_payload_bounce_email_notification.output_base64sha256
		38 | 
		39 |   timeout = 6
		40 | 
		41 |   environment {
		42 |     variables = {
		43 |       RATE_LIMIT     = 5
		44 |       DYNAMODB_TABLE = aws_dynamodb_table.bounce_email_notification.name
		45 |       FROM_ADDRESS   = "notifications@${aws_sesv2_email_identity.jitbit.email_identity}"
		46 |     }
		47 |   }
		48 | 
		49 |   lifecycle {
		50 |     replace_triggered_by = [aws_iam_role.lambda_bounce_email_notification]
		51 |   }
		52 | 
		53 |   tags = local.tags
		54 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.bounce_email_notification
	File: /ses_bounce.tf:30-54
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		30 | resource "aws_lambda_function" "bounce_email_notification" {
		31 |   filename         = "${path.module}/lambda/bounce_email_notification/bounce_email_notification.zip"
		32 |   function_name    = "bounce_email_notification"
		33 |   architectures    = ["arm64"]
		34 |   role             = aws_iam_role.lambda_bounce_email_notification.arn
		35 |   runtime          = "python3.12"
		36 |   handler          = "bounce_email_notification.handler"
		37 |   source_code_hash = data.archive_file.lambda_function_payload_bounce_email_notification.output_base64sha256
		38 | 
		39 |   timeout = 6
		40 | 
		41 |   environment {
		42 |     variables = {
		43 |       RATE_LIMIT     = 5
		44 |       DYNAMODB_TABLE = aws_dynamodb_table.bounce_email_notification.name
		45 |       FROM_ADDRESS   = "notifications@${aws_sesv2_email_identity.jitbit.email_identity}"
		46 |     }
		47 |   }
		48 | 
		49 |   lifecycle {
		50 |     replace_triggered_by = [aws_iam_role.lambda_bounce_email_notification]
		51 |   }
		52 | 
		53 |   tags = local.tags
		54 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.bounce_email_notification
	File: /ses_bounce.tf:30-54
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		30 | resource "aws_lambda_function" "bounce_email_notification" {
		31 |   filename         = "${path.module}/lambda/bounce_email_notification/bounce_email_notification.zip"
		32 |   function_name    = "bounce_email_notification"
		33 |   architectures    = ["arm64"]
		34 |   role             = aws_iam_role.lambda_bounce_email_notification.arn
		35 |   runtime          = "python3.12"
		36 |   handler          = "bounce_email_notification.handler"
		37 |   source_code_hash = data.archive_file.lambda_function_payload_bounce_email_notification.output_base64sha256
		38 | 
		39 |   timeout = 6
		40 | 
		41 |   environment {
		42 |     variables = {
		43 |       RATE_LIMIT     = 5
		44 |       DYNAMODB_TABLE = aws_dynamodb_table.bounce_email_notification.name
		45 |       FROM_ADDRESS   = "notifications@${aws_sesv2_email_identity.jitbit.email_identity}"
		46 |     }
		47 |   }
		48 | 
		49 |   lifecycle {
		50 |     replace_triggered_by = [aws_iam_role.lambda_bounce_email_notification]
		51 |   }
		52 | 
		53 |   tags = local.tags
		54 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.bounce_email_notification
	File: /ses_bounce.tf:30-54
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		30 | resource "aws_lambda_function" "bounce_email_notification" {
		31 |   filename         = "${path.module}/lambda/bounce_email_notification/bounce_email_notification.zip"
		32 |   function_name    = "bounce_email_notification"
		33 |   architectures    = ["arm64"]
		34 |   role             = aws_iam_role.lambda_bounce_email_notification.arn
		35 |   runtime          = "python3.12"
		36 |   handler          = "bounce_email_notification.handler"
		37 |   source_code_hash = data.archive_file.lambda_function_payload_bounce_email_notification.output_base64sha256
		38 | 
		39 |   timeout = 6
		40 | 
		41 |   environment {
		42 |     variables = {
		43 |       RATE_LIMIT     = 5
		44 |       DYNAMODB_TABLE = aws_dynamodb_table.bounce_email_notification.name
		45 |       FROM_ADDRESS   = "notifications@${aws_sesv2_email_identity.jitbit.email_identity}"
		46 |     }
		47 |   }
		48 | 
		49 |   lifecycle {
		50 |     replace_triggered_by = [aws_iam_role.lambda_bounce_email_notification]
		51 |   }
		52 | 
		53 |   tags = local.tags
		54 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.bounce_email_notification
	File: /ses_bounce.tf:30-54
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		30 | resource "aws_lambda_function" "bounce_email_notification" {
		31 |   filename         = "${path.module}/lambda/bounce_email_notification/bounce_email_notification.zip"
		32 |   function_name    = "bounce_email_notification"
		33 |   architectures    = ["arm64"]
		34 |   role             = aws_iam_role.lambda_bounce_email_notification.arn
		35 |   runtime          = "python3.12"
		36 |   handler          = "bounce_email_notification.handler"
		37 |   source_code_hash = data.archive_file.lambda_function_payload_bounce_email_notification.output_base64sha256
		38 | 
		39 |   timeout = 6
		40 | 
		41 |   environment {
		42 |     variables = {
		43 |       RATE_LIMIT     = 5
		44 |       DYNAMODB_TABLE = aws_dynamodb_table.bounce_email_notification.name
		45 |       FROM_ADDRESS   = "notifications@${aws_sesv2_email_identity.jitbit.email_identity}"
		46 |     }
		47 |   }
		48 | 
		49 |   lifecycle {
		50 |     replace_triggered_by = [aws_iam_role.lambda_bounce_email_notification]
		51 |   }
		52 | 
		53 |   tags = local.tags
		54 | }

Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
	FAILED for resource: aws_lambda_function.bounce_email_notification
	File: /ses_bounce.tf:30-54
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1

		30 | resource "aws_lambda_function" "bounce_email_notification" {
		31 |   filename         = "${path.module}/lambda/bounce_email_notification/bounce_email_notification.zip"
		32 |   function_name    = "bounce_email_notification"
		33 |   architectures    = ["arm64"]
		34 |   role             = aws_iam_role.lambda_bounce_email_notification.arn
		35 |   runtime          = "python3.12"
		36 |   handler          = "bounce_email_notification.handler"
		37 |   source_code_hash = data.archive_file.lambda_function_payload_bounce_email_notification.output_base64sha256
		38 | 
		39 |   timeout = 6
		40 | 
		41 |   environment {
		42 |     variables = {
		43 |       RATE_LIMIT     = 5
		44 |       DYNAMODB_TABLE = aws_dynamodb_table.bounce_email_notification.name
		45 |       FROM_ADDRESS   = "notifications@${aws_sesv2_email_identity.jitbit.email_identity}"
		46 |     }
		47 |   }
		48 | 
		49 |   lifecycle {
		50 |     replace_triggered_by = [aws_iam_role.lambda_bounce_email_notification]
		51 |   }
		52 | 
		53 |   tags = local.tags
		54 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.bounce_email_notification
	File: /ses_bounce.tf:118-123
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		118 | resource "aws_cloudwatch_log_group" "bounce_email_notification" {
		119 |   name              = "/aws/lambda/bounce_email_notification"
		120 |   retention_in_days = 3
		121 | 
		122 |   tags = local.tags
		123 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.bounce_email_notification
	File: /ses_bounce.tf:118-123
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		118 | resource "aws_cloudwatch_log_group" "bounce_email_notification" {
		119 |   name              = "/aws/lambda/bounce_email_notification"
		120 |   retention_in_days = 3
		121 | 
		122 |   tags = local.tags
		123 | }

Check: CKV_AWS_28: "Ensure DynamoDB point in time recovery (backup) is enabled"
	FAILED for resource: aws_dynamodb_table.bounce_email_notification
	File: /ses_bounce.tf:126-147
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-6

		126 | resource "aws_dynamodb_table" "bounce_email_notification" {
		127 |   name         = "bounce_email_notification"
		128 |   billing_mode = "PAY_PER_REQUEST"
		129 |   hash_key     = "email_ticket_id"
		130 | 
		131 |   server_side_encryption {
		132 |     enabled     = true
		133 |     kms_key_arn = data.aws_kms_key.general_shared.arn
		134 |   }
		135 | 
		136 |   ttl {
		137 |     attribute_name = "expireAt"
		138 |     enabled        = true
		139 |   }
		140 | 
		141 |   attribute {
		142 |     name = "email_ticket_id"
		143 |     type = "S"
		144 |   }
		145 | 
		146 |   tags = local.tags
		147 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.lambda_policy_bounce_email_notification
	File: /ses_bounce.tf:69-102
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		69  | data "aws_iam_policy_document" "lambda_policy_bounce_email_notification" {
		70  |   statement {
		71  |     actions = [
		72  |       "ses:SendRawEmail",
		73  |       "ses:SendEmail"
		74  |     ]
		75  |     resources = ["*"]
		76  |   }
		77  | 
		78  |   statement {
		79  |     actions = [
		80  |       "logs:CreateLogGroup",
		81  |       "logs:CreateLogStream",
		82  |       "logs:PutLogEvents"
		83  |     ]
		84  |     resources = ["arn:aws:logs:*:*:*"]
		85  |   }
		86  | 
		87  |   statement {
		88  |     actions = [
		89  |       "dynamodb:PutItem",
		90  |       "dynamodb:GetItem",
		91  |       "dynamodb:Query"
		92  |     ]
		93  |     resources = [aws_dynamodb_table.bounce_email_notification.arn]
		94  |   }
		95  | 
		96  |   statement {
		97  |     actions = [
		98  |       "kms:Decrypt"
		99  |     ]
		100 |     resources = [data.aws_kms_key.general_shared.arn]
		101 |   }
		102 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.lambda_policy_bounce_email_notification
	File: /ses_bounce.tf:69-102
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		69  | data "aws_iam_policy_document" "lambda_policy_bounce_email_notification" {
		70  |   statement {
		71  |     actions = [
		72  |       "ses:SendRawEmail",
		73  |       "ses:SendEmail"
		74  |     ]
		75  |     resources = ["*"]
		76  |   }
		77  | 
		78  |   statement {
		79  |     actions = [
		80  |       "logs:CreateLogGroup",
		81  |       "logs:CreateLogStream",
		82  |       "logs:PutLogEvents"
		83  |     ]
		84  |     resources = ["arn:aws:logs:*:*:*"]
		85  |   }
		86  | 
		87  |   statement {
		88  |     actions = [
		89  |       "dynamodb:PutItem",
		90  |       "dynamodb:GetItem",
		91  |       "dynamodb:Query"
		92  |     ]
		93  |     resources = [aws_dynamodb_table.bounce_email_notification.arn]
		94  |   }
		95  | 
		96  |   statement {
		97  |     actions = [
		98  |       "kms:Decrypt"
		99  |     ]
		100 |     resources = [data.aws_kms_key.general_shared.arn]
		101 |   }
		102 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.jitbit_ses_destination_topic
	File: /ses_logging.tf:4-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		4 | resource "aws_sns_topic" "jitbit_ses_destination_topic" {
		5 |   name = format("%s-ses-destination-topic", local.application_name)
		6 | 
		7 |   tags = local.tags
		8 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.sns_to_cloudwatch
	File: /ses_logging.tf:37-57
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		37 | resource "aws_lambda_function" "sns_to_cloudwatch" {
		38 |   filename         = "${path.module}/lambda/sns_to_cloudwatch/sns_to_cloudwatch.zip"
		39 |   function_name    = "sns_to_cloudwatch"
		40 |   architectures    = ["arm64"]
		41 |   role             = aws_iam_role.lambda_logging.arn
		42 |   runtime          = "python3.12"
		43 |   handler          = "sns_to_cloudwatch.handler"
		44 |   source_code_hash = data.archive_file.lambda_function_payload.output_base64sha256
		45 | 
		46 |   environment {
		47 |     variables = {
		48 |       LOG_GROUP_NAME = aws_cloudwatch_log_group.sns_logs.name
		49 |     }
		50 |   }
		51 | 
		52 |   lifecycle {
		53 |     replace_triggered_by = [aws_iam_role.lambda_logging]
		54 |   }
		55 | 
		56 |   tags = local.tags
		57 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.sns_to_cloudwatch
	File: /ses_logging.tf:37-57
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		37 | resource "aws_lambda_function" "sns_to_cloudwatch" {
		38 |   filename         = "${path.module}/lambda/sns_to_cloudwatch/sns_to_cloudwatch.zip"
		39 |   function_name    = "sns_to_cloudwatch"
		40 |   architectures    = ["arm64"]
		41 |   role             = aws_iam_role.lambda_logging.arn
		42 |   runtime          = "python3.12"
		43 |   handler          = "sns_to_cloudwatch.handler"
		44 |   source_code_hash = data.archive_file.lambda_function_payload.output_base64sha256
		45 | 
		46 |   environment {
		47 |     variables = {
		48 |       LOG_GROUP_NAME = aws_cloudwatch_log_group.sns_logs.name
		49 |     }
		50 |   }
		51 | 
		52 |   lifecycle {
		53 |     replace_triggered_by = [aws_iam_role.lambda_logging]
		54 |   }
		55 | 
		56 |   tags = local.tags
		57 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.sns_to_cloudwatch
	File: /ses_logging.tf:37-57
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		37 | resource "aws_lambda_function" "sns_to_cloudwatch" {
		38 |   filename         = "${path.module}/lambda/sns_to_cloudwatch/sns_to_cloudwatch.zip"
		39 |   function_name    = "sns_to_cloudwatch"
		40 |   architectures    = ["arm64"]
		41 |   role             = aws_iam_role.lambda_logging.arn
		42 |   runtime          = "python3.12"
		43 |   handler          = "sns_to_cloudwatch.handler"
		44 |   source_code_hash = data.archive_file.lambda_function_payload.output_base64sha256
		45 | 
		46 |   environment {
		47 |     variables = {
		48 |       LOG_GROUP_NAME = aws_cloudwatch_log_group.sns_logs.name
		49 |     }
		50 |   }
		51 | 
		52 |   lifecycle {
		53 |     replace_triggered_by = [aws_iam_role.lambda_logging]
		54 |   }
		55 | 
		56 |   tags = local.tags
		57 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.sns_to_cloudwatch
	File: /ses_logging.tf:37-57
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		37 | resource "aws_lambda_function" "sns_to_cloudwatch" {
		38 |   filename         = "${path.module}/lambda/sns_to_cloudwatch/sns_to_cloudwatch.zip"
		39 |   function_name    = "sns_to_cloudwatch"
		40 |   architectures    = ["arm64"]
		41 |   role             = aws_iam_role.lambda_logging.arn
		42 |   runtime          = "python3.12"
		43 |   handler          = "sns_to_cloudwatch.handler"
		44 |   source_code_hash = data.archive_file.lambda_function_payload.output_base64sha256
		45 | 
		46 |   environment {
		47 |     variables = {
		48 |       LOG_GROUP_NAME = aws_cloudwatch_log_group.sns_logs.name
		49 |     }
		50 |   }
		51 | 
		52 |   lifecycle {
		53 |     replace_triggered_by = [aws_iam_role.lambda_logging]
		54 |   }
		55 | 
		56 |   tags = local.tags
		57 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.sns_to_cloudwatch
	File: /ses_logging.tf:37-57
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		37 | resource "aws_lambda_function" "sns_to_cloudwatch" {
		38 |   filename         = "${path.module}/lambda/sns_to_cloudwatch/sns_to_cloudwatch.zip"
		39 |   function_name    = "sns_to_cloudwatch"
		40 |   architectures    = ["arm64"]
		41 |   role             = aws_iam_role.lambda_logging.arn
		42 |   runtime          = "python3.12"
		43 |   handler          = "sns_to_cloudwatch.handler"
		44 |   source_code_hash = data.archive_file.lambda_function_payload.output_base64sha256
		45 | 
		46 |   environment {
		47 |     variables = {
		48 |       LOG_GROUP_NAME = aws_cloudwatch_log_group.sns_logs.name
		49 |     }
		50 |   }
		51 | 
		52 |   lifecycle {
		53 |     replace_triggered_by = [aws_iam_role.lambda_logging]
		54 |   }
		55 | 
		56 |   tags = local.tags
		57 | }

Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
	FAILED for resource: aws_lambda_function.sns_to_cloudwatch
	File: /ses_logging.tf:37-57
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1

		37 | resource "aws_lambda_function" "sns_to_cloudwatch" {
		38 |   filename         = "${path.module}/lambda/sns_to_cloudwatch/sns_to_cloudwatch.zip"
		39 |   function_name    = "sns_to_cloudwatch"
		40 |   architectures    = ["arm64"]
		41 |   role             = aws_iam_role.lambda_logging.arn
		42 |   runtime          = "python3.12"
		43 |   handler          = "sns_to_cloudwatch.handler"
		44 |   source_code_hash = data.archive_file.lambda_function_payload.output_base64sha256
		45 | 
		46 |   environment {
		47 |     variables = {
		48 |       LOG_GROUP_NAME = aws_cloudwatch_log_group.sns_logs.name
		49 |     }
		50 |   }
		51 | 
		52 |   lifecycle {
		53 |     replace_triggered_by = [aws_iam_role.lambda_logging]
		54 |   }
		55 | 
		56 |   tags = local.tags
		57 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.sns_logs
	File: /ses_logging.tf:59-64
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		59 | resource "aws_cloudwatch_log_group" "sns_logs" {
		60 |   name              = format("%s-ses-logs", local.application_name)
		61 |   retention_in_days = local.application_data.accounts[local.environment].ses_log_retention_days
		62 | 
		63 |   tags = local.tags
		64 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.execution_logs
	File: /ses_logging.tf:66-71
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		66 | resource "aws_cloudwatch_log_group" "execution_logs" {
		67 |   name              = format("/aws/lambda/%s", aws_lambda_function.sns_to_cloudwatch.function_name)
		68 |   retention_in_days = 3
		69 | 
		70 |   tags = local.tags
		71 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.execution_logs
	File: /ses_logging.tf:66-71
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		66 | resource "aws_cloudwatch_log_group" "execution_logs" {
		67 |   name              = format("/aws/lambda/%s", aws_lambda_function.sns_to_cloudwatch.function_name)
		68 |   retention_in_days = 3
		69 | 
		70 |   tags = local.tags
		71 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: module.shield.aws_cloudwatch_log_group.waf[0]
	File: /../../modules/shield_advanced/shield.tf:94-98
	Calling File: /waf.tf:1-55
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		94 | resource "aws_cloudwatch_log_group" "waf" {
		95 |   count             = var.enable_logging ? 1 : 0
		96 |   name              = "aws-waf-logs-${data.external.shield_waf.result["name"]}"
		97 |   retention_in_days = var.log_retention_in_days
		98 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: module.shield.aws_cloudwatch_log_group.waf[0]
	File: /../../modules/shield_advanced/shield.tf:94-98
	Calling File: /waf.tf:1-55
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		94 | resource "aws_cloudwatch_log_group" "waf" {
		95 |   count             = var.enable_logging ? 1 : 0
		96 |   name              = "aws-waf-logs-${data.external.shield_waf.result["name"]}"
		97 |   retention_in_days = var.log_retention_in_days
		98 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.db_app_connection_string_sandbox
	File: /sandbox_secrets.tf:2-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		2  | resource "aws_secretsmanager_secret" "db_app_connection_string_sandbox" {
		3  |   count = local.is-development ? 1 : 0
		4  |   #checkov:skip=CKV_AWS_149
		5  |   name                    = "${var.networking[0].application}-app-connection-string-sandbox"
		6  |   recovery_window_in_days = 0
		7  |   tags = merge(
		8  |     local.tags,
		9  |     {
		10 |       Name = "${var.networking[0].application}-app-connection-string-sandbox"
		11 |     },
		12 |   )
		13 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.db_app_connection_string
	File: /secrets.tf:5-15
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		5  | resource "aws_secretsmanager_secret" "db_app_connection_string" {
		6  |   #checkov:skip=CKV_AWS_149
		7  |   name                    = "${var.networking[0].application}-app-connection-string"
		8  |   recovery_window_in_days = 0
		9  |   tags = merge(
		10 |     local.tags,
		11 |     {
		12 |       Name = "${var.networking[0].application}-app-connection-string"
		13 |     },
		14 |   )
		15 | }

Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
	FAILED for resource: aws_ssm_parameter.app_url
	File: /ssm.tf:2-6
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted

		2 | resource "aws_ssm_parameter" "app_url" {
		3 |   name  = "/${var.networking[0].application}/environment/app-url"
		4 |   type  = "String"
		5 |   value = "https://${local.app_url}/"
		6 | }

Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
	FAILED for resource: aws_db_instance.jitbit
	File: /rds.tf:43-89
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-60

		43 | resource "aws_db_instance" "jitbit" {
		44 |   engine         = "sqlserver-se"
		45 |   license_model  = "license-included"
		46 |   engine_version = local.application_data.accounts[local.environment].db_engine_version
		47 |   instance_class = local.application_data.accounts[local.environment].db_instance_class
		48 |   identifier     = "${local.application_name}-${local.environment}-database"
		49 |   username       = local.application_data.accounts[local.environment].db_user
		50 | 
		51 |   apply_immediately = false
		52 | 
		53 |   manage_master_user_password = true
		54 | 
		55 |   snapshot_identifier = try(local.application_data.accounts[local.environment].db_snapshot_identifier, null)
		56 | 
		57 |   # tflint-ignore: aws_db_instance_default_parameter_group
		58 |   parameter_group_name        = "default.sqlserver-se-15.0"
		59 |   ca_cert_identifier          = local.application_data.accounts[local.environment].db_ca_cert_identifier
		60 |   deletion_protection         = local.application_data.accounts[local.environment].db_deletion_protection
		61 |   delete_automated_backups    = local.application_data.accounts[local.environment].db_delete_automated_backups
		62 |   skip_final_snapshot         = local.skip_final_snapshot
		63 |   final_snapshot_identifier   = !local.skip_final_snapshot ? "${local.application_name}-${local.environment}-database-final-snapshot" : null
		64 |   allocated_storage           = local.application_data.accounts[local.environment].db_allocated_storage
		65 |   max_allocated_storage       = local.application_data.accounts[local.environment].db_max_allocated_storage
		66 |   storage_type                = local.application_data.accounts[local.environment].db_storage_type
		67 |   maintenance_window          = local.application_data.accounts[local.environment].db_maintenance_window
		68 |   auto_minor_version_upgrade  = local.application_data.accounts[local.environment].db_auto_minor_version_upgrade
		69 |   allow_major_version_upgrade = local.application_data.accounts[local.environment].db_allow_major_version_upgrade
		70 |   backup_window               = local.application_data.accounts[local.environment].db_backup_window
		71 |   backup_retention_period     = local.application_data.accounts[local.environment].db_retention_period
		72 |   #checkov:skip=CKV_AWS_133: "backup_retention enabled, can be edited it application_variables.json"
		73 |   iam_database_authentication_enabled = local.application_data.accounts[local.environment].db_iam_database_authentication_enabled
		74 |   #checkov:skip=CKV_AWS_161: "iam auth enabled, but optional"
		75 |   db_subnet_group_name   = aws_db_subnet_group.jitbit.id
		76 |   vpc_security_group_ids = [aws_security_group.database_security_group.id]
		77 |   multi_az               = local.application_data.accounts[local.environment].db_multi_az
		78 |   #checkov:skip=CKV_AWS_157: "multi-az enabled, but optional"
		79 |   monitoring_interval = local.application_data.accounts[local.environment].db_monitoring_interval
		80 |   monitoring_role_arn = local.application_data.accounts[local.environment].db_monitoring_interval == 0 ? "" : aws_iam_role.rds_enhanced_monitoring[0].arn
		81 |   #checkov:skip=CKV_AWS_118: "enhanced monitoring is enabled, but optional"
		82 |   storage_encrypted               = true
		83 |   performance_insights_enabled    = local.application_data.accounts[local.environment].db_performance_insights_enabled
		84 |   performance_insights_kms_key_id = "" #tfsec:ignore:aws-rds-enable-performance-insights-encryption Left empty so that it will run, however should be populated with real key in scenario.
		85 |   enabled_cloudwatch_logs_exports = local.application_data.accounts[local.environment].db_enabled_cloudwatch_logs_exports
		86 |   tags = merge(local.tags,
		87 |     { Name = lower(format("%s-%s-database", local.application_name, local.environment)) }
		88 |   )
		89 | }

Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
	FAILED for resource: aws_db_instance.jitbit_sandbox
	File: /sandbox_rds.tf:27-71
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-60

		27 | resource "aws_db_instance" "jitbit_sandbox" {
		28 |   count = local.is-development ? 1 : 0
		29 | 
		30 |   engine         = "sqlserver-se"
		31 |   license_model  = "license-included"
		32 |   engine_version = local.application_data.accounts["sandbox"].db_engine_version
		33 |   instance_class = local.application_data.accounts["sandbox"].db_instance_class
		34 |   identifier     = "${local.application_name}-sandbox-database"
		35 |   username       = local.application_data.accounts["sandbox"].db_user
		36 | 
		37 |   manage_master_user_password = true
		38 | 
		39 |   snapshot_identifier = try(local.application_data.accounts["sandbox"].db_snapshot_identifier, null)
		40 | 
		41 |   # tflint-ignore: aws_db_instance_default_parameter_group
		42 |   parameter_group_name        = "default.sqlserver-se-15.0"
		43 |   ca_cert_identifier          = local.application_data.accounts["sandbox"].db_ca_cert_identifier
		44 |   deletion_protection         = local.application_data.accounts["sandbox"].db_deletion_protection
		45 |   delete_automated_backups    = local.application_data.accounts["sandbox"].db_delete_automated_backups
		46 |   skip_final_snapshot         = local.application_data.accounts["sandbox"].db_skip_final_snapshot
		47 |   final_snapshot_identifier   = !local.skip_final_snapshot ? "${local.application_name}-sandbox-database-final-snapshot" : null
		48 |   allocated_storage           = local.application_data.accounts["sandbox"].db_allocated_storage
		49 |   max_allocated_storage       = local.application_data.accounts["sandbox"].db_max_allocated_storage
		50 |   storage_type                = local.application_data.accounts["sandbox"].db_storage_type
		51 |   maintenance_window          = local.application_data.accounts["sandbox"].db_maintenance_window
		52 |   auto_minor_version_upgrade  = local.application_data.accounts["sandbox"].db_auto_minor_version_upgrade
		53 |   allow_major_version_upgrade = local.application_data.accounts["sandbox"].db_allow_major_version_upgrade
		54 |   backup_window               = local.application_data.accounts["sandbox"].db_backup_window
		55 |   backup_retention_period     = local.application_data.accounts["sandbox"].db_retention_period
		56 |   #checkov:skip=CKV_AWS_133: "backup_retention enabled, can be edited it application_variables.json"
		57 |   iam_database_authentication_enabled = local.application_data.accounts["sandbox"].db_iam_database_authentication_enabled
		58 |   #checkov:skip=CKV_AWS_161: "iam auth enabled, but optional"
		59 |   db_subnet_group_name   = aws_db_subnet_group.jitbit.id
		60 |   vpc_security_group_ids = [aws_security_group.database_security_group_sandbox[0].id]
		61 |   multi_az               = local.application_data.accounts["sandbox"].db_multi_az
		62 |   #checkov:skip=CKV_AWS_157: "multi-az enabled, but optional"
		63 |   storage_encrypted = true
		64 | 
		65 |   tags = merge(
		66 |     local.tags,
		67 |     {
		68 |       Name = lower(format("%s-%s-database", local.application_name, "sandbox"))
		69 |     }
		70 |   )
		71 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.jitbit
	File: /ecs.tf:53-62
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		53 | resource "aws_security_group" "jitbit" {
		54 |   vpc_id      = data.aws_vpc.shared.id
		55 |   name        = format("hmpps-%s-%s-service", local.environment, local.application_name)
		56 |   description = "Security group for the ${local.application_name} service"
		57 |   tags        = local.tags
		58 | 
		59 |   lifecycle {
		60 |     create_before_destroy = true
		61 |   }
		62 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.jitbit_sandbox
	File: /sandbox_ecs.tf:55-66
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		55 | resource "aws_security_group" "jitbit_sandbox" {
		56 |   count = local.is-development ? 1 : 0
		57 | 
		58 |   vpc_id      = data.aws_vpc.shared.id
		59 |   name        = format("hmpps-%s-%s-service", "sandbox", local.application_name)
		60 |   description = "Security group for the ${local.application_name} service"
		61 |   tags        = local.tags
		62 | 
		63 |   lifecycle {
		64 |     create_before_destroy = true
		65 |   }
		66 | }


checkov_exitcode=1

*****************************

Running Checkov in terraform/environments/oasys
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-11-22 09:47:43,390 [MainThread  ] [WARNI]  Failed updating attribute for key: secretsmanager_secrets./ec2/.ssh and value {'recovery_window_in_days': 7} forvertex attributes {'secretsmanager_secrets': {'/ec2/.ssh': {'recovery_window_in_days': 7, 'secrets': {'ec2-user': {'description': 'Private key for ec2-user key pair'}}}}, 'secretsmanager_secrets./ec2/.ssh': {'recovery_window_in_days': 7, 'secrets': {'ec2-user': {'description': 'Private key for ec2-user key pair'}}}, 'secretsmanager_secrets./ec2/.ssh.recovery_window_in_days': 7, 'secretsmanager_secrets./ec2/.ssh.secrets': {'ec2-user': {'description': 'Private key for ec2-user key pair'}}, 'secretsmanager_secrets./ec2/.ssh.secrets.ec2-user': {'description': 'Private key for ec2-user key pair'}, 'secretsmanager_secrets./ec2/.ssh.secrets.ec2-user.description': 'Private key for ec2-user key pair'}. Falling back to explicitly setting it.Exception - Parse error at 1:24 near token / (SORT_DIRECTION)
2024-11-22 09:47:45,417 [MainThread  ] [WARNI]  Failed updating attribute for key: ssm_parameters./oam and value {'parameters': '{for oam_link in coalesce(${merge({\'cloudwatch_dashboard_default_widget_groups\': [\'ec2\', \'ec2_autoscaling_group_linux\', \'ec2_instance_linux\', \'ec2_instance_oracle_db_with_backup\', \'ec2_instance_textfile_monitoring\', \'ec2_linux\', \'lb\'], \'cloudwatch_metric_alarms_default_actions\': \'pagerduty\', \'cloudwatch_metric_oam_links\': \'hmpps-oem-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'cloudwatch_metric_oam_links_ssm_parameters\': \'hmpps-oem-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'db_backup_more_permissions\': True, \'enable_backup_plan_daily_and_weekly\': True, \'enable_business_unit_kms_cmks\': True, \'enable_ec2_cloud_watch_agent\': True, \'enable_ec2_oracle_enterprise_managed_server\': True, \'enable_ec2_self_provision\': True, \'enable_ec2_session_manager_cloudwatch_logs\': True, \'enable_ec2_ssm_agent_update\': True, \'enable_ec2_user_keypair\': True, \'enable_image_builder\': True, \'enable_s3_bucket\': True, \'enable_s3_db_backup_bucket\': True, \'enable_s3_shared_bucket\': True, \'enable_vmimport\': True, \'s3_bucket_name\': \'oasys-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'s3_iam_policies\': \'EC2S3BucketWriteAndDeleteAccessPolicy\'},[])},[]) : oam_link :> {\'description\': \'oam sink_identifier to use in aws_oam_link resource\'}}'} forvertex attributes {'ssm_parameters': {'/azure': {'parameters': {'sas_token': {'description': 'database backup storage account read-only sas token'}}}, '/oam': {'parameters': '{for oam_link in coalesce(${merge({\'cloudwatch_dashboard_default_widget_groups\': [\'ec2\', \'ec2_autoscaling_group_linux\', \'ec2_instance_linux\', \'ec2_instance_oracle_db_with_backup\', \'ec2_instance_textfile_monitoring\', \'ec2_linux\', \'lb\'], \'cloudwatch_metric_alarms_default_actions\': \'pagerduty\', \'cloudwatch_metric_oam_links\': \'hmpps-oem-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'cloudwatch_metric_oam_links_ssm_parameters\': \'hmpps-oem-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'db_backup_more_permissions\': True, \'enable_backup_plan_daily_and_weekly\': True, \'enable_business_unit_kms_cmks\': True, \'enable_ec2_cloud_watch_agent\': True, \'enable_ec2_oracle_enterprise_managed_server\': True, \'enable_ec2_self_provision\': True, \'enable_ec2_session_manager_cloudwatch_logs\': True, \'enable_ec2_ssm_agent_update\': True, \'enable_ec2_user_keypair\': True, \'enable_image_builder\': True, \'enable_s3_bucket\': True, \'enable_s3_db_backup_bucket\': True, \'enable_s3_shared_bucket\': True, \'enable_vmimport\': True, \'s3_bucket_name\': \'oasys-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'s3_iam_policies\': \'EC2S3BucketWriteAndDeleteAccessPolicy\'},[])},[]) : oam_link :> {\'description\': \'oam sink_identifier to use in aws_oam_link resource\'}}'}, 'account': {'parameters': {'ids': {'description': 'Selected modernisation platform AWS account IDs managed by baseline module', 'value': 'jsonencode({for key , value in ${module.environment} : key :> value if contains(local.account_names_for_account_ids_ssm_parameter,key)})'}}, 'postfix': '_'}, 'cloud-watch-config': {'parameters': {'windows': {'description': 'cloud watch agent config for windows managed by baseline module', 'file': './templates/cloud_watch_windows.json', 'type': 'String'}}, 'postfix': '-'}}, 'ssm_parameters./azure': {'parameters': {'sas_token': {'description': 'database backup storage account read-only sas token'}}}, 'ssm_parameters./azure.parameters': {'sas_token': {'description': 'database backup storage account read-only sas token'}}, 'ssm_parameters./azure.parameters.sas_token': {'description': 'database backup storage account read-only sas token'}, 'ssm_parameters./azure.parameters.sas_token.description': 'database backup storage account read-only sas token', 'ssm_parameters./oam': {'parameters': '{for oam_link in coalesce(${merge({\'cloudwatch_dashboard_default_widget_groups\': [\'ec2\', \'ec2_autoscaling_group_linux\', \'ec2_instance_linux\', \'ec2_instance_oracle_db_with_backup\', \'ec2_instance_textfile_monitoring\', \'ec2_linux\', \'lb\'], \'cloudwatch_metric_alarms_default_actions\': \'pagerduty\', \'cloudwatch_metric_oam_links\': \'hmpps-oem-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'cloudwatch_metric_oam_links_ssm_parameters\': \'hmpps-oem-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'db_backup_more_permissions\': True, \'enable_backup_plan_daily_and_weekly\': True, \'enable_business_unit_kms_cmks\': True, \'enable_ec2_cloud_watch_agent\': True, \'enable_ec2_oracle_enterprise_managed_server\': True, \'enable_ec2_self_provision\': True, \'enable_ec2_session_manager_cloudwatch_logs\': True, \'enable_ec2_ssm_agent_update\': True, \'enable_ec2_user_keypair\': True, \'enable_image_builder\': True, \'enable_s3_bucket\': True, \'enable_s3_db_backup_bucket\': True, \'enable_s3_shared_bucket\': True, \'enable_vmimport\': True, \'s3_bucket_name\': \'oasys-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'s3_iam_policies\': \'EC2S3BucketWriteAndDeleteAccessPolicy\'},[])},[]) : oam_link :> {\'description\': \'oam sink_identifier to use in aws_oam_link resource\'}}'}, 'ssm_parameters./oam.parameters': '{for oam_link in coalesce(${merge({\'cloudwatch_dashboard_default_widget_groups\': [\'ec2\', \'ec2_autoscaling_group_linux\', \'ec2_instance_linux\', \'ec2_instance_oracle_db_with_backup\', \'ec2_instance_textfile_monitoring\', \'ec2_linux\', \'lb\'], \'cloudwatch_metric_alarms_default_actions\': \'pagerduty\', \'cloudwatch_metric_oam_links\': \'hmpps-oem-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'cloudwatch_metric_oam_links_ssm_parameters\': \'hmpps-oem-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'db_backup_more_permissions\': True, \'enable_backup_plan_daily_and_weekly\': True, \'enable_business_unit_kms_cmks\': True, \'enable_ec2_cloud_watch_agent\': True, \'enable_ec2_oracle_enterprise_managed_server\': True, \'enable_ec2_self_provision\': True, \'enable_ec2_session_manager_cloudwatch_logs\': True, \'enable_ec2_ssm_agent_update\': True, \'enable_ec2_user_keypair\': True, \'enable_image_builder\': True, \'enable_s3_bucket\': True, \'enable_s3_db_backup_bucket\': True, \'enable_s3_shared_bucket\': True, \'enable_vmimport\': True, \'s3_bucket_name\': \'oasys-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'s3_iam_policies\': \'EC2S3BucketWriteAndDeleteAccessPolicy\'},[])},[]) : oam_link :> {\'description\': \'oam sink_identifier to use in aws_oam_link resource\'}}', 'ssm_parameters.account': {'parameters': {'ids': {'description': 'Selected modernisation platform AWS account IDs managed by baseline module', 'value': 'jsonencode({for key , value in ${module.environment} : key :> value if contains(local.account_names_for_account_ids_ssm_parameter,key)})'}}, 'postfix': '_'}, 'ssm_parameters.account.parameters': {'ids': {'description': 'Selected modernisation platform AWS account IDs managed by baseline module', 'value': 'jsonencode({for key , value in ${module.environment} : key :> value if contains(local.account_names_for_account_ids_ssm_parameter,key)})'}}, 'ssm_parameters.account.parameters.ids': {'description': 'Selected modernisation platform AWS account IDs managed by baseline module', 'value': 'jsonencode({for key , value in ${module.environment} : key :> value if contains(local.account_names_for_account_ids_ssm_parameter,key)})'}, 'ssm_parameters.account.parameters.ids.description': 'Selected modernisation platform AWS account IDs managed by baseline module', 'ssm_parameters.account.parameters.ids.value': 'jsonencode({for key , value in ${module.environment} : key :> value if contains(local.account_names_for_account_ids_ssm_parameter,key)})', 'ssm_parameters.account.postfix': '_', 'ssm_parameters.cloud-watch-config': {'parameters': {'windows': {'description': 'cloud watch agent config for windows managed by baseline module', 'file': './templates/cloud_watch_windows.json', 'type': 'String'}}, 'postfix': '-'}, 'ssm_parameters.cloud-watch-config.parameters': {'windows': {'description': 'cloud watch agent config for windows managed by baseline module', 'file': './templates/cloud_watch_windows.json', 'type': 'String'}}, 'ssm_parameters.cloud-watch-config.parameters.windows': {'description': 'cloud watch agent config for windows managed by baseline module', 'file': './templates/cloud_watch_windows.json', 'type': 'String'}, 'ssm_parameters.cloud-watch-config.parameters.windows.description': 'cloud watch agent config for windows managed by baseline module', 'ssm_parameters.cloud-watch-config.parameters.windows.file': './templates/cloud_watch_windows.json', 'ssm_parameters.cloud-watch-config.parameters.windows.type': 'String', 'ssm_parameters.cloud-watch-config.postfix': '-'}. Falling back to explicitly setting it.Exception - Parse error at 1:16 near token / (SORT_DIRECTION)
2024-11-22 09:47:48,160 [MainThread  ] [WARNI]  Failed updating attribute for key: secretsmanager_secrets./ec2/.ssh and value {'recovery_window_in_days': 7} forvertex attributes {'secretsmanager_secrets': {'/ec2/.ssh': {'recovery_window_in_days': 7, 'secrets': {'ec2-user': {'description': 'Private key for ec2-user key pair'}}}}, 'secretsmanager_secrets./ec2/.ssh': {'recovery_window_in_days': 7, 'secrets': {'ec2-user': {'description': 'Private key for ec2-user key pair'}}}, 'secretsmanager_secrets./ec2/.ssh.recovery_window_in_days': 7, 'secretsmanager_secrets./ec2/.ssh.secrets': {'ec2-user': {'description': 'Private key for ec2-user key pair'}}, 'secretsmanager_secrets./ec2/.ssh.secrets.ec2-user': {'description': 'Private key for ec2-user key pair'}, 'secretsmanager_secrets./ec2/.ssh.secrets.ec2-user.description': 'Private key for ec2-user key pair'}. Falling back to explicitly setting it.Exception - Parse error at 1:24 near token / (SORT_DIRECTION)
2024-11-22 09:47:48,245 [MainThread  ] [WARNI]  Failed updating attribute for key: ssm_parameters./oam and value {'parameters': '{for oam_link in coalesce(${merge({\'cloudwatch_dashboard_default_widget_groups\': [\'ec2\', \'ec2_autoscaling_group_linux\', \'ec2_instance_linux\', \'ec2_instance_oracle_db_with_backup\', \'ec2_instance_textfile_monitoring\', \'ec2_linux\', \'lb\'], \'cloudwatch_metric_alarms_default_actions\': \'pagerduty\', \'cloudwatch_metric_oam_links\': \'hmpps-oem-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'cloudwatch_metric_oam_links_ssm_parameters\': \'hmpps-oem-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'db_backup_more_permissions\': True, \'enable_backup_plan_daily_and_weekly\': True, \'enable_business_unit_kms_cmks\': True, \'enable_ec2_cloud_watch_agent\': True, \'enable_ec2_oracle_enterprise_managed_server\': True, \'enable_ec2_self_provision\': True, \'enable_ec2_session_manager_cloudwatch_logs\': True, \'enable_ec2_ssm_agent_update\': True, \'enable_ec2_user_keypair\': True, \'enable_image_builder\': True, \'enable_s3_bucket\': True, \'enable_s3_db_backup_bucket\': True, \'enable_s3_shared_bucket\': True, \'enable_vmimport\': True, \'s3_bucket_name\': \'oasys-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'s3_iam_policies\': \'EC2S3BucketWriteAndDeleteAccessPolicy\'},[])},[]) : oam_link :> {\'description\': \'oam sink_identifier to use in aws_oam_link resource\'}}'} forvertex attributes {'ssm_parameters': {'/azure': {'parameters': {'sas_token': {'description': 'database backup storage account read-only sas token'}}}, '/oam': {'parameters': '{for oam_link in coalesce(${merge({\'cloudwatch_dashboard_default_widget_groups\': [\'ec2\', \'ec2_autoscaling_group_linux\', \'ec2_instance_linux\', \'ec2_instance_oracle_db_with_backup\', \'ec2_instance_textfile_monitoring\', \'ec2_linux\', \'lb\'], \'cloudwatch_metric_alarms_default_actions\': \'pagerduty\', \'cloudwatch_metric_oam_links\': \'hmpps-oem-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'cloudwatch_metric_oam_links_ssm_parameters\': \'hmpps-oem-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'db_backup_more_permissions\': True, \'enable_backup_plan_daily_and_weekly\': True, \'enable_business_unit_kms_cmks\': True, \'enable_ec2_cloud_watch_agent\': True, \'enable_ec2_oracle_enterprise_managed_server\': True, \'enable_ec2_self_provision\': True, \'enable_ec2_session_manager_cloudwatch_logs\': True, \'enable_ec2_ssm_agent_update\': True, \'enable_ec2_user_keypair\': True, \'enable_image_builder\': True, \'enable_s3_bucket\': True, \'enable_s3_db_backup_bucket\': True, \'enable_s3_shared_bucket\': True, \'enable_vmimport\': True, \'s3_bucket_name\': \'oasys-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'s3_iam_policies\': \'EC2S3BucketWriteAndDeleteAccessPolicy\'},[])},[]) : oam_link :> {\'description\': \'oam sink_identifier to use in aws_oam_link resource\'}}'}, 'account': {'parameters': {'ids': {'description': 'Selected modernisation platform AWS account IDs managed by baseline module', 'value': 'jsonencode({for key , value in ${module.environment} : key :> value if contains(local.account_names_for_account_ids_ssm_parameter,key)})'}}, 'postfix': '_'}, 'cloud-watch-config': {'parameters': {'windows': {'description': 'cloud watch agent config for windows managed by baseline module', 'file': './templates/cloud_watch_windows.json', 'type': 'String'}}, 'postfix': '-'}}, 'ssm_parameters./azure': {'parameters': {'sas_token': {'description': 'database backup storage account read-only sas token'}}}, 'ssm_parameters./azure.parameters': {'sas_token': {'description': 'database backup storage account read-only sas token'}}, 'ssm_parameters./azure.parameters.sas_token': {'description': 'database backup storage account read-only sas token'}, 'ssm_parameters./azure.parameters.sas_token.description': 'database backup storage account read-only sas token', 'ssm_parameters./oam': {'parameters': '{for oam_link in coalesce(${merge({\'cloudwatch_dashboard_default_widget_groups\': [\'ec2\', \'ec2_autoscaling_group_linux\', \'ec2_instance_linux\', \'ec2_instance_oracle_db_with_backup\', \'ec2_instance_textfile_monitoring\', \'ec2_linux\', \'lb\'], \'cloudwatch_metric_alarms_default_actions\': \'pagerduty\', \'cloudwatch_metric_oam_links\': \'hmpps-oem-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'cloudwatch_metric_oam_links_ssm_parameters\': \'hmpps-oem-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'db_backup_more_permissions\': True, \'enable_backup_plan_daily_and_weekly\': True, \'enable_business_unit_kms_cmks\': True, \'enable_ec2_cloud_watch_agent\': True, \'enable_ec2_oracle_enterprise_managed_server\': True, \'enable_ec2_self_provision\': True, \'enable_ec2_session_manager_cloudwatch_logs\': True, \'enable_ec2_ssm_agent_update\': True, \'enable_ec2_user_keypair\': True, \'enable_image_builder\': True, \'enable_s3_bucket\': True, \'enable_s3_db_backup_bucket\': True, \'enable_s3_shared_bucket\': True, \'enable_vmimport\': True, \'s3_bucket_name\': \'oasys-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'s3_iam_policies\': \'EC2S3BucketWriteAndDeleteAccessPolicy\'},[])},[]) : oam_link :> {\'description\': \'oam sink_identifier to use in aws_oam_link resource\'}}'}, 'ssm_parameters./oam.parameters': '{for oam_link in coalesce(${merge({\'cloudwatch_dashboard_default_widget_groups\': [\'ec2\', \'ec2_autoscaling_group_linux\', \'ec2_instance_linux\', \'ec2_instance_oracle_db_with_backup\', \'ec2_instance_textfile_monitoring\', \'ec2_linux\', \'lb\'], \'cloudwatch_metric_alarms_default_actions\': \'pagerduty\', \'cloudwatch_metric_oam_links\': \'hmpps-oem-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'cloudwatch_metric_oam_links_ssm_parameters\': \'hmpps-oem-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'db_backup_more_permissions\': True, \'enable_backup_plan_daily_and_weekly\': True, \'enable_business_unit_kms_cmks\': True, \'enable_ec2_cloud_watch_agent\': True, \'enable_ec2_oracle_enterprise_managed_server\': True, \'enable_ec2_self_provision\': True, \'enable_ec2_session_manager_cloudwatch_logs\': True, \'enable_ec2_ssm_agent_update\': True, \'enable_ec2_user_keypair\': True, \'enable_image_builder\': True, \'enable_s3_bucket\': True, \'enable_s3_db_backup_bucket\': True, \'enable_s3_shared_bucket\': True, \'enable_vmimport\': True, \'s3_bucket_name\': \'oasys-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'s3_iam_policies\': \'EC2S3BucketWriteAndDeleteAccessPolicy\'},[])},[]) : oam_link :> {\'description\': \'oam sink_identifier to use in aws_oam_link resource\'}}', 'ssm_parameters.account': {'parameters': {'ids': {'description': 'Selected modernisation platform AWS account IDs managed by baseline module', 'value': 'jsonencode({for key , value in ${module.environment} : key :> value if contains(local.account_names_for_account_ids_ssm_parameter,key)})'}}, 'postfix': '_'}, 'ssm_parameters.account.parameters': {'ids': {'description': 'Selected modernisation platform AWS account IDs managed by baseline module', 'value': 'jsonencode({for key , value in ${module.environment} : key :> value if contains(local.account_names_for_account_ids_ssm_parameter,key)})'}}, 'ssm_parameters.account.parameters.ids': {'description': 'Selected modernisation platform AWS account IDs managed by baseline module', 'value': 'jsonencode({for key , value in ${module.environment} : key :> value if contains(local.account_names_for_account_ids_ssm_parameter,key)})'}, 'ssm_parameters.account.parameters.ids.description': 'Selected modernisation platform AWS account IDs managed by baseline module', 'ssm_parameters.account.parameters.ids.value': 'jsonencode({for key , value in ${module.environment} : key :> value if contains(local.account_names_for_account_ids_ssm_parameter,key)})', 'ssm_parameters.account.postfix': '_', 'ssm_parameters.cloud-watch-config': {'parameters': {'windows': {'description': 'cloud watch agent config for windows managed by baseline module', 'file': './templates/cloud_watch_windows.json', 'type': 'String'}}, 'postfix': '-'}, 'ssm_parameters.cloud-watch-config.parameters': {'windows': {'description': 'cloud watch agent config for windows managed by baseline module', 'file': './templates/cloud_watch_windows.json', 'type': 'String'}}, 'ssm_parameters.cloud-watch-config.parameters.windows': {'description': 'cloud watch agent config for windows managed by baseline module', 'file': './templates/cloud_watch_windows.json', 'type': 'String'}, 'ssm_parameters.cloud-watch-config.parameters.windows.description': 'cloud watch agent config for windows managed by baseline module', 'ssm_parameters.cloud-watch-config.parameters.windows.file': './templates/cloud_watch_windows.json', 'ssm_parameters.cloud-watch-config.parameters.windows.type': 'String', 'ssm_parameters.cloud-watch-config.postfix': '-'}. Falling back to explicitly setting it.Exception - Parse error at 1:16 near token / (SORT_DIRECTION)
2024-11-22 09:47:49,348 [MainThread  ] [WARNI]  Failed updating attribute for key: secretsmanager_secrets./ec2/.ssh and value {'recovery_window_in_days': 7} forvertex attributes {'secretsmanager_secrets': {'/ec2/.ssh': {'recovery_window_in_days': 7, 'secrets': {'ec2-user': {'description': 'Private key for ec2-user key pair'}}}}, 'secretsmanager_secrets./ec2/.ssh': {'recovery_window_in_days': 7, 'secrets': {'ec2-user': {'description': 'Private key for ec2-user key pair'}}}, 'secretsmanager_secrets./ec2/.ssh.recovery_window_in_days': 7, 'secretsmanager_secrets./ec2/.ssh.secrets': {'ec2-user': {'description': 'Private key for ec2-user key pair'}}, 'secretsmanager_secrets./ec2/.ssh.secrets.ec2-user': {'description': 'Private key for ec2-user key pair'}, 'secretsmanager_secrets./ec2/.ssh.secrets.ec2-user.description': 'Private key for ec2-user key pair'}. Falling back to explicitly setting it.Exception - Parse error at 1:24 near token / (SORT_DIRECTION)
2024-11-22 09:47:49,434 [MainThread  ] [WARNI]  Failed updating attribute for key: ssm_parameters./oam and value {'parameters': '{for oam_link in coalesce(${merge({\'cloudwatch_dashboard_default_widget_groups\': [\'ec2\', \'ec2_autoscaling_group_linux\', \'ec2_instance_linux\', \'ec2_instance_oracle_db_with_backup\', \'ec2_instance_textfile_monitoring\', \'ec2_linux\', \'lb\'], \'cloudwatch_metric_alarms_default_actions\': \'pagerduty\', \'cloudwatch_metric_oam_links\': \'hmpps-oem-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'cloudwatch_metric_oam_links_ssm_parameters\': \'hmpps-oem-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'db_backup_more_permissions\': True, \'enable_backup_plan_daily_and_weekly\': True, \'enable_business_unit_kms_cmks\': True, \'enable_ec2_cloud_watch_agent\': True, \'enable_ec2_oracle_enterprise_managed_server\': True, \'enable_ec2_self_provision\': True, \'enable_ec2_session_manager_cloudwatch_logs\': True, \'enable_ec2_ssm_agent_update\': True, \'enable_ec2_user_keypair\': True, \'enable_image_builder\': True, \'enable_s3_bucket\': True, \'enable_s3_db_backup_bucket\': True, \'enable_s3_shared_bucket\': True, \'enable_vmimport\': True, \'s3_bucket_name\': \'oasys-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'s3_iam_policies\': \'EC2S3BucketWriteAndDeleteAccessPolicy\'},[])},[]) : oam_link :> {\'description\': \'oam sink_identifier to use in aws_oam_link resource\'}}'} forvertex attributes {'ssm_parameters': {'/azure': {'parameters': {'sas_token': {'description': 'database backup storage account read-only sas token'}}}, '/oam': {'parameters': '{for oam_link in coalesce(${merge({\'cloudwatch_dashboard_default_widget_groups\': [\'ec2\', \'ec2_autoscaling_group_linux\', \'ec2_instance_linux\', \'ec2_instance_oracle_db_with_backup\', \'ec2_instance_textfile_monitoring\', \'ec2_linux\', \'lb\'], \'cloudwatch_metric_alarms_default_actions\': \'pagerduty\', \'cloudwatch_metric_oam_links\': \'hmpps-oem-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'cloudwatch_metric_oam_links_ssm_parameters\': \'hmpps-oem-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'db_backup_more_permissions\': True, \'enable_backup_plan_daily_and_weekly\': True, \'enable_business_unit_kms_cmks\': True, \'enable_ec2_cloud_watch_agent\': True, \'enable_ec2_oracle_enterprise_managed_server\': True, \'enable_ec2_self_provision\': True, \'enable_ec2_session_manager_cloudwatch_logs\': True, \'enable_ec2_ssm_agent_update\': True, \'enable_ec2_user_keypair\': True, \'enable_image_builder\': True, \'enable_s3_bucket\': True, \'enable_s3_db_backup_bucket\': True, \'enable_s3_shared_bucket\': True, \'enable_vmimport\': True, \'s3_bucket_name\': \'oasys-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'s3_iam_policies\': \'EC2S3BucketWriteAndDeleteAccessPolicy\'},[])},[]) : oam_link :> {\'description\': \'oam sink_identifier to use in aws_oam_link resource\'}}'}, 'account': {'parameters': {'ids': {'description': 'Selected modernisation platform AWS account IDs managed by baseline module', 'value': 'jsonencode({for key , value in ${module.environment} : key :> value if contains(local.account_names_for_account_ids_ssm_parameter,key)})'}}, 'postfix': '_'}, 'cloud-watch-config': {'parameters': {'windows': {'description': 'cloud watch agent config for windows managed by baseline module', 'file': './templates/cloud_watch_windows.json', 'type': 'String'}}, 'postfix': '-'}}, 'ssm_parameters./azure': {'parameters': {'sas_token': {'description': 'database backup storage account read-only sas token'}}}, 'ssm_parameters./azure.parameters': {'sas_token': {'description': 'database backup storage account read-only sas token'}}, 'ssm_parameters./azure.parameters.sas_token': {'description': 'database backup storage account read-only sas token'}, 'ssm_parameters./azure.parameters.sas_token.description': 'database backup storage account read-only sas token', 'ssm_parameters./oam': {'parameters': '{for oam_link in coalesce(${merge({\'cloudwatch_dashboard_default_widget_groups\': [\'ec2\', \'ec2_autoscaling_group_linux\', \'ec2_instance_linux\', \'ec2_instance_oracle_db_with_backup\', \'ec2_instance_textfile_monitoring\', \'ec2_linux\', \'lb\'], \'cloudwatch_metric_alarms_default_actions\': \'pagerduty\', \'cloudwatch_metric_oam_links\': \'hmpps-oem-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'cloudwatch_metric_oam_links_ssm_parameters\': \'hmpps-oem-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'db_backup_more_permissions\': True, \'enable_backup_plan_daily_and_weekly\': True, \'enable_business_unit_kms_cmks\': True, \'enable_ec2_cloud_watch_agent\': True, \'enable_ec2_oracle_enterprise_managed_server\': True, \'enable_ec2_self_provision\': True, \'enable_ec2_session_manager_cloudwatch_logs\': True, \'enable_ec2_ssm_agent_update\': True, \'enable_ec2_user_keypair\': True, \'enable_image_builder\': True, \'enable_s3_bucket\': True, \'enable_s3_db_backup_bucket\': True, \'enable_s3_shared_bucket\': True, \'enable_vmimport\': True, \'s3_bucket_name\': \'oasys-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'s3_iam_policies\': \'EC2S3BucketWriteAndDeleteAccessPolicy\'},[])},[]) : oam_link :> {\'description\': \'oam sink_identifier to use in aws_oam_link resource\'}}'}, 'ssm_parameters./oam.parameters': '{for oam_link in coalesce(${merge({\'cloudwatch_dashboard_default_widget_groups\': [\'ec2\', \'ec2_autoscaling_group_linux\', \'ec2_instance_linux\', \'ec2_instance_oracle_db_with_backup\', \'ec2_instance_textfile_monitoring\', \'ec2_linux\', \'lb\'], \'cloudwatch_metric_alarms_default_actions\': \'pagerduty\', \'cloudwatch_metric_oam_links\': \'hmpps-oem-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'cloudwatch_metric_oam_links_ssm_parameters\': \'hmpps-oem-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'db_backup_more_permissions\': True, \'enable_backup_plan_daily_and_weekly\': True, \'enable_business_unit_kms_cmks\': True, \'enable_ec2_cloud_watch_agent\': True, \'enable_ec2_oracle_enterprise_managed_server\': True, \'enable_ec2_self_provision\': True, \'enable_ec2_session_manager_cloudwatch_logs\': True, \'enable_ec2_ssm_agent_update\': True, \'enable_ec2_user_keypair\': True, \'enable_image_builder\': True, \'enable_s3_bucket\': True, \'enable_s3_db_backup_bucket\': True, \'enable_s3_shared_bucket\': True, \'enable_vmimport\': True, \'s3_bucket_name\': \'oasys-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'s3_iam_policies\': \'EC2S3BucketWriteAndDeleteAccessPolicy\'},[])},[]) : oam_link :> {\'description\': \'oam sink_identifier to use in aws_oam_link resource\'}}', 'ssm_parameters.account': {'parameters': {'ids': {'description': 'Selected modernisation platform AWS account IDs managed by baseline module', 'value': 'jsonencode({for key , value in ${module.environment} : key :> value if contains(local.account_names_for_account_ids_ssm_parameter,key)})'}}, 'postfix': '_'}, 'ssm_parameters.account.parameters': {'ids': {'description': 'Selected modernisation platform AWS account IDs managed by baseline module', 'value': 'jsonencode({for key , value in ${module.environment} : key :> value if contains(local.account_names_for_account_ids_ssm_parameter,key)})'}}, 'ssm_parameters.account.parameters.ids': {'description': 'Selected modernisation platform AWS account IDs managed by baseline module', 'value': 'jsonencode({for key , value in ${module.environment} : key :> value if contains(local.account_names_for_account_ids_ssm_parameter,key)})'}, 'ssm_parameters.account.parameters.ids.description': 'Selected modernisation platform AWS account IDs managed by baseline module', 'ssm_parameters.account.parameters.ids.value': 'jsonencode({for key , value in ${module.environment} : key :> value if contains(local.account_names_for_account_ids_ssm_parameter,key)})', 'ssm_parameters.account.postfix': '_', 'ssm_parameters.cloud-watch-config': {'parameters': {'windows': {'description': 'cloud watch agent config for windows managed by baseline module', 'file': './templates/cloud_watch_windows.json', 'type': 'String'}}, 'postfix': '-'}, 'ssm_parameters.cloud-watch-config.parameters': {'windows': {'description': 'cloud watch agent config for windows managed by baseline module', 'file': './templates/cloud_watch_windows.json', 'type': 'String'}}, 'ssm_parameters.cloud-watch-config.parameters.windows': {'description': 'cloud watch agent config for windows managed by baseline module', 'file': './templates/cloud_watch_windows.json', 'type': 'String'}, 'ssm_parameters.cloud-watch-config.parameters.windows.description': 'cloud watch agent config for windows managed by baseline module', 'ssm_parameters.cloud-watch-config.parameters.windows.file': './templates/cloud_watch_windows.json', 'ssm_parameters.cloud-watch-config.parameters.windows.type': 'String', 'ssm_parameters.cloud-watch-config.postfix': '-'}. Falling back to explicitly setting it.Exception - Parse error at 1:16 near token / (SORT_DIRECTION)
2024-11-22 09:47:50,424 [MainThread  ] [WARNI]  Failed updating attribute for key: secretsmanager_secrets./ec2/.ssh and value {'recovery_window_in_days': 7} forvertex attributes {'secretsmanager_secrets': {'/ec2/.ssh': {'recovery_window_in_days': 7, 'secrets': {'ec2-user': {'description': 'Private key for ec2-user key pair'}}}}, 'secretsmanager_secrets./ec2/.ssh': {'recovery_window_in_days': 7, 'secrets': {'ec2-user': {'description': 'Private key for ec2-user key pair'}}}, 'secretsmanager_secrets./ec2/.ssh.recovery_window_in_days': 7, 'secretsmanager_secrets./ec2/.ssh.secrets': {'ec2-user': {'description': 'Private key for ec2-user key pair'}}, 'secretsmanager_secrets./ec2/.ssh.secrets.ec2-user': {'description': 'Private key for ec2-user key pair'}, 'secretsmanager_secrets./ec2/.ssh.secrets.ec2-user.description': 'Private key for ec2-user key pair'}. Falling back to explicitly setting it.Exception - Parse error at 1:24 near token / (SORT_DIRECTION)
2024-11-22 09:47:50,508 [MainThread  ] [WARNI]  Failed updating attribute for key: ssm_parameters./oam and value {'parameters': '{for oam_link in coalesce(${merge({\'cloudwatch_dashboard_default_widget_groups\': [\'ec2\', \'ec2_autoscaling_group_linux\', \'ec2_instance_linux\', \'ec2_instance_oracle_db_with_backup\', \'ec2_instance_textfile_monitoring\', \'ec2_linux\', \'lb\'], \'cloudwatch_metric_alarms_default_actions\': \'pagerduty\', \'cloudwatch_metric_oam_links\': \'hmpps-oem-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'cloudwatch_metric_oam_links_ssm_parameters\': \'hmpps-oem-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'db_backup_more_permissions\': True, \'enable_backup_plan_daily_and_weekly\': True, \'enable_business_unit_kms_cmks\': True, \'enable_ec2_cloud_watch_agent\': True, \'enable_ec2_oracle_enterprise_managed_server\': True, \'enable_ec2_self_provision\': True, \'enable_ec2_session_manager_cloudwatch_logs\': True, \'enable_ec2_ssm_agent_update\': True, \'enable_ec2_user_keypair\': True, \'enable_image_builder\': True, \'enable_s3_bucket\': True, \'enable_s3_db_backup_bucket\': True, \'enable_s3_shared_bucket\': True, \'enable_vmimport\': True, \'s3_bucket_name\': \'oasys-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'s3_iam_policies\': \'EC2S3BucketWriteAndDeleteAccessPolicy\'},[])},[]) : oam_link :> {\'description\': \'oam sink_identifier to use in aws_oam_link resource\'}}'} forvertex attributes {'ssm_parameters': {'/azure': {'parameters': {'sas_token': {'description': 'database backup storage account read-only sas token'}}}, '/oam': {'parameters': '{for oam_link in coalesce(${merge({\'cloudwatch_dashboard_default_widget_groups\': [\'ec2\', \'ec2_autoscaling_group_linux\', \'ec2_instance_linux\', \'ec2_instance_oracle_db_with_backup\', \'ec2_instance_textfile_monitoring\', \'ec2_linux\', \'lb\'], \'cloudwatch_metric_alarms_default_actions\': \'pagerduty\', \'cloudwatch_metric_oam_links\': \'hmpps-oem-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'cloudwatch_metric_oam_links_ssm_parameters\': \'hmpps-oem-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'db_backup_more_permissions\': True, \'enable_backup_plan_daily_and_weekly\': True, \'enable_business_unit_kms_cmks\': True, \'enable_ec2_cloud_watch_agent\': True, \'enable_ec2_oracle_enterprise_managed_server\': True, \'enable_ec2_self_provision\': True, \'enable_ec2_session_manager_cloudwatch_logs\': True, \'enable_ec2_ssm_agent_update\': True, \'enable_ec2_user_keypair\': True, \'enable_image_builder\': True, \'enable_s3_bucket\': True, \'enable_s3_db_backup_bucket\': True, \'enable_s3_shared_bucket\': True, \'enable_vmimport\': True, \'s3_bucket_name\': \'oasys-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'s3_iam_policies\': \'EC2S3BucketWriteAndDeleteAccessPolicy\'},[])},[]) : oam_link :> {\'description\': \'oam sink_identifier to use in aws_oam_link resource\'}}'}, 'account': {'parameters': {'ids': {'description': 'Selected modernisation platform AWS account IDs managed by baseline module', 'value': 'jsonencode({for key , value in ${module.environment} : key :> value if contains(local.account_names_for_account_ids_ssm_parameter,key)})'}}, 'postfix': '_'}, 'cloud-watch-config': {'parameters': {'windows': {'description': 'cloud watch agent config for windows managed by baseline module', 'file': './templates/cloud_watch_windows.json', 'type': 'String'}}, 'postfix': '-'}}, 'ssm_parameters./azure': {'parameters': {'sas_token': {'description': 'database backup storage account read-only sas token'}}}, 'ssm_parameters./azure.parameters': {'sas_token': {'description': 'database backup storage account read-only sas token'}}, 'ssm_parameters./azure.parameters.sas_token': {'description': 'database backup storage account read-only sas token'}, 'ssm_parameters./azure.parameters.sas_token.description': 'database backup storage account read-only sas token', 'ssm_parameters./oam': {'parameters': '{for oam_link in coalesce(${merge({\'cloudwatch_dashboard_default_widget_groups\': [\'ec2\', \'ec2_autoscaling_group_linux\', \'ec2_instance_linux\', \'ec2_instance_oracle_db_with_backup\', \'ec2_instance_textfile_monitoring\', \'ec2_linux\', \'lb\'], \'cloudwatch_metric_alarms_default_actions\': \'pagerduty\', \'cloudwatch_metric_oam_links\': \'hmpps-oem-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'cloudwatch_metric_oam_links_ssm_parameters\': \'hmpps-oem-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'db_backup_more_permissions\': True, \'enable_backup_plan_daily_and_weekly\': True, \'enable_business_unit_kms_cmks\': True, \'enable_ec2_cloud_watch_agent\': True, \'enable_ec2_oracle_enterprise_managed_server\': True, \'enable_ec2_self_provision\': True, \'enable_ec2_session_manager_cloudwatch_logs\': True, \'enable_ec2_ssm_agent_update\': True, \'enable_ec2_user_keypair\': True, \'enable_image_builder\': True, \'enable_s3_bucket\': True, \'enable_s3_db_backup_bucket\': True, \'enable_s3_shared_bucket\': True, \'enable_vmimport\': True, \'s3_bucket_name\': \'oasys-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'s3_iam_policies\': \'EC2S3BucketWriteAndDeleteAccessPolicy\'},[])},[]) : oam_link :> {\'description\': \'oam sink_identifier to use in aws_oam_link resource\'}}'}, 'ssm_parameters./oam.parameters': '{for oam_link in coalesce(${merge({\'cloudwatch_dashboard_default_widget_groups\': [\'ec2\', \'ec2_autoscaling_group_linux\', \'ec2_instance_linux\', \'ec2_instance_oracle_db_with_backup\', \'ec2_instance_textfile_monitoring\', \'ec2_linux\', \'lb\'], \'cloudwatch_metric_alarms_default_actions\': \'pagerduty\', \'cloudwatch_metric_oam_links\': \'hmpps-oem-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'cloudwatch_metric_oam_links_ssm_parameters\': \'hmpps-oem-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'db_backup_more_permissions\': True, \'enable_backup_plan_daily_and_weekly\': True, \'enable_business_unit_kms_cmks\': True, \'enable_ec2_cloud_watch_agent\': True, \'enable_ec2_oracle_enterprise_managed_server\': True, \'enable_ec2_self_provision\': True, \'enable_ec2_session_manager_cloudwatch_logs\': True, \'enable_ec2_ssm_agent_update\': True, \'enable_ec2_user_keypair\': True, \'enable_image_builder\': True, \'enable_s3_bucket\': True, \'enable_s3_db_backup_bucket\': True, \'enable_s3_shared_bucket\': True, \'enable_vmimport\': True, \'s3_bucket_name\': \'oasys-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'s3_iam_policies\': \'EC2S3BucketWriteAndDeleteAccessPolicy\'},[])},[]) : oam_link :> {\'description\': \'oam sink_identifier to use in aws_oam_link resource\'}}', 'ssm_parameters.account': {'parameters': {'ids': {'description': 'Selected modernisation platform AWS account IDs managed by baseline module', 'value': 'jsonencode({for key , value in ${module.environment} : key :> value if contains(local.account_names_for_account_ids_ssm_parameter,key)})'}}, 'postfix': '_'}, 'ssm_parameters.account.parameters': {'ids': {'description': 'Selected modernisation platform AWS account IDs managed by baseline module', 'value': 'jsonencode({for key , value in ${module.environment} : key :> value if contains(local.account_names_for_account_ids_ssm_parameter,key)})'}}, 'ssm_parameters.account.parameters.ids': {'description': 'Selected modernisation platform AWS account IDs managed by baseline module', 'value': 'jsonencode({for key , value in ${module.environment} : key :> value if contains(local.account_names_for_account_ids_ssm_parameter,key)})'}, 'ssm_parameters.account.parameters.ids.description': 'Selected modernisation platform AWS account IDs managed by baseline module', 'ssm_parameters.account.parameters.ids.value': 'jsonencode({for key , value in ${module.environment} : key :> value if contains(local.account_names_for_account_ids_ssm_parameter,key)})', 'ssm_parameters.account.postfix': '_', 'ssm_parameters.cloud-watch-config': {'parameters': {'windows': {'description': 'cloud watch agent config for windows managed by baseline module', 'file': './templates/cloud_watch_windows.json', 'type': 'String'}}, 'postfix': '-'}, 'ssm_parameters.cloud-watch-config.parameters': {'windows': {'description': 'cloud watch agent config for windows managed by baseline module', 'file': './templates/cloud_watch_windows.json', 'type': 'String'}}, 'ssm_parameters.cloud-watch-config.parameters.windows': {'description': 'cloud watch agent config for windows managed by baseline module', 'file': './templates/cloud_watch_windows.json', 'type': 'String'}, 'ssm_parameters.cloud-watch-config.parameters.windows.description': 'cloud watch agent config for windows managed by baseline module', 'ssm_parameters.cloud-watch-config.parameters.windows.file': './templates/cloud_watch_windows.json', 'ssm_parameters.cloud-watch-config.parameters.windows.type': 'String', 'ssm_parameters.cloud-watch-config.postfix': '-'}. Falling back to explicitly setting it.Exception - Parse error at 1:16 near token / (SORT_DIRECTION)
2024-11-22 09:47:51,488 [MainThread  ] [WARNI]  Failed updating attribute for key: secretsmanager_secrets./ec2/.ssh and value {'recovery_window_in_days': 7} forvertex attributes {'secretsmanager_secrets': {'/ec2/.ssh': {'recovery_window_in_days': 7, 'secrets': {'ec2-user': {'description': 'Private key for ec2-user key pair'}}}}, 'secretsmanager_secrets./ec2/.ssh': {'recovery_window_in_days': 7, 'secrets': {'ec2-user': {'description': 'Private key for ec2-user key pair'}}}, 'secretsmanager_secrets./ec2/.ssh.recovery_window_in_days': 7, 'secretsmanager_secrets./ec2/.ssh.secrets': {'ec2-user': {'description': 'Private key for ec2-user key pair'}}, 'secretsmanager_secrets./ec2/.ssh.secrets.ec2-user': {'description': 'Private key for ec2-user key pair'}, 'secretsmanager_secrets./ec2/.ssh.secrets.ec2-user.description': 'Private key for ec2-user key pair'}. Falling back to explicitly setting it.Exception - Parse error at 1:24 near token / (SORT_DIRECTION)
2024-11-22 09:47:51,573 [MainThread  ] [WARNI]  Failed updating attribute for key: ssm_parameters./oam and value {'parameters': '{for oam_link in coalesce(${merge({\'cloudwatch_dashboard_default_widget_groups\': [\'ec2\', \'ec2_autoscaling_group_linux\', \'ec2_instance_linux\', \'ec2_instance_oracle_db_with_backup\', \'ec2_instance_textfile_monitoring\', \'ec2_linux\', \'lb\'], \'cloudwatch_metric_alarms_default_actions\': \'pagerduty\', \'cloudwatch_metric_oam_links\': \'hmpps-oem-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'cloudwatch_metric_oam_links_ssm_parameters\': \'hmpps-oem-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'db_backup_more_permissions\': True, \'enable_backup_plan_daily_and_weekly\': True, \'enable_business_unit_kms_cmks\': True, \'enable_ec2_cloud_watch_agent\': True, \'enable_ec2_oracle_enterprise_managed_server\': True, \'enable_ec2_self_provision\': True, \'enable_ec2_session_manager_cloudwatch_logs\': True, \'enable_ec2_ssm_agent_update\': True, \'enable_ec2_user_keypair\': True, \'enable_image_builder\': True, \'enable_s3_bucket\': True, \'enable_s3_db_backup_bucket\': True, \'enable_s3_shared_bucket\': True, \'enable_vmimport\': True, \'s3_bucket_name\': \'oasys-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'s3_iam_policies\': \'EC2S3BucketWriteAndDeleteAccessPolicy\'},[])},[]) : oam_link :> {\'description\': \'oam sink_identifier to use in aws_oam_link resource\'}}'} forvertex attributes {'ssm_parameters': {'/azure': {'parameters': {'sas_token': {'description': 'database backup storage account read-only sas token'}}}, '/oam': {'parameters': '{for oam_link in coalesce(${merge({\'cloudwatch_dashboard_default_widget_groups\': [\'ec2\', \'ec2_autoscaling_group_linux\', \'ec2_instance_linux\', \'ec2_instance_oracle_db_with_backup\', \'ec2_instance_textfile_monitoring\', \'ec2_linux\', \'lb\'], \'cloudwatch_metric_alarms_default_actions\': \'pagerduty\', \'cloudwatch_metric_oam_links\': \'hmpps-oem-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'cloudwatch_metric_oam_links_ssm_parameters\': \'hmpps-oem-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'db_backup_more_permissions\': True, \'enable_backup_plan_daily_and_weekly\': True, \'enable_business_unit_kms_cmks\': True, \'enable_ec2_cloud_watch_agent\': True, \'enable_ec2_oracle_enterprise_managed_server\': True, \'enable_ec2_self_provision\': True, \'enable_ec2_session_manager_cloudwatch_logs\': True, \'enable_ec2_ssm_agent_update\': True, \'enable_ec2_user_keypair\': True, \'enable_image_builder\': True, \'enable_s3_bucket\': True, \'enable_s3_db_backup_bucket\': True, \'enable_s3_shared_bucket\': True, \'enable_vmimport\': True, \'s3_bucket_name\': \'oasys-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'s3_iam_policies\': \'EC2S3BucketWriteAndDeleteAccessPolicy\'},[])},[]) : oam_link :> {\'description\': \'oam sink_identifier to use in aws_oam_link resource\'}}'}, 'account': {'parameters': {'ids': {'description': 'Selected modernisation platform AWS account IDs managed by baseline module', 'value': 'jsonencode({for key , value in ${module.environment} : key :> value if contains(local.account_names_for_account_ids_ssm_parameter,key)})'}}, 'postfix': '_'}, 'cloud-watch-config': {'parameters': {'windows': {'description': 'cloud watch agent config for windows managed by baseline module', 'file': './templates/cloud_watch_windows.json', 'type': 'String'}}, 'postfix': '-'}}, 'ssm_parameters./azure': {'parameters': {'sas_token': {'description': 'database backup storage account read-only sas token'}}}, 'ssm_parameters./azure.parameters': {'sas_token': {'description': 'database backup storage account read-only sas token'}}, 'ssm_parameters./azure.parameters.sas_token': {'description': 'database backup storage account read-only sas token'}, 'ssm_parameters./azure.parameters.sas_token.description': 'database backup storage account read-only sas token', 'ssm_parameters./oam': {'parameters': '{for oam_link in coalesce(${merge({\'cloudwatch_dashboard_default_widget_groups\': [\'ec2\', \'ec2_autoscaling_group_linux\', \'ec2_instance_linux\', \'ec2_instance_oracle_db_with_backup\', \'ec2_instance_textfile_monitoring\', \'ec2_linux\', \'lb\'], \'cloudwatch_metric_alarms_default_actions\': \'pagerduty\', \'cloudwatch_metric_oam_links\': \'hmpps-oem-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'cloudwatch_metric_oam_links_ssm_parameters\': \'hmpps-oem-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'db_backup_more_permissions\': True, \'enable_backup_plan_daily_and_weekly\': True, \'enable_business_unit_kms_cmks\': True, \'enable_ec2_cloud_watch_agent\': True, \'enable_ec2_oracle_enterprise_managed_server\': True, \'enable_ec2_self_provision\': True, \'enable_ec2_session_manager_cloudwatch_logs\': True, \'enable_ec2_ssm_agent_update\': True, \'enable_ec2_user_keypair\': True, \'enable_image_builder\': True, \'enable_s3_bucket\': True, \'enable_s3_db_backup_bucket\': True, \'enable_s3_shared_bucket\': True, \'enable_vmimport\': True, \'s3_bucket_name\': \'oasys-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'s3_iam_policies\': \'EC2S3BucketWriteAndDeleteAccessPolicy\'},[])},[]) : oam_link :> {\'description\': \'oam sink_identifier to use in aws_oam_link resource\'}}'}, 'ssm_parameters./oam.parameters': '{for oam_link in coalesce(${merge({\'cloudwatch_dashboard_default_widget_groups\': [\'ec2\', \'ec2_autoscaling_group_linux\', \'ec2_instance_linux\', \'ec2_instance_oracle_db_with_backup\', \'ec2_instance_textfile_monitoring\', \'ec2_linux\', \'lb\'], \'cloudwatch_metric_alarms_default_actions\': \'pagerduty\', \'cloudwatch_metric_oam_links\': \'hmpps-oem-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'cloudwatch_metric_oam_links_ssm_parameters\': \'hmpps-oem-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'db_backup_more_permissions\': True, \'enable_backup_plan_daily_and_weekly\': True, \'enable_business_unit_kms_cmks\': True, \'enable_ec2_cloud_watch_agent\': True, \'enable_ec2_oracle_enterprise_managed_server\': True, \'enable_ec2_self_provision\': True, \'enable_ec2_session_manager_cloudwatch_logs\': True, \'enable_ec2_ssm_agent_update\': True, \'enable_ec2_user_keypair\': True, \'enable_image_builder\': True, \'enable_s3_bucket\': True, \'enable_s3_db_backup_bucket\': True, \'enable_s3_shared_bucket\': True, \'enable_vmimport\': True, \'s3_bucket_name\': \'oasys-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'s3_iam_policies\': \'EC2S3BucketWriteAndDeleteAccessPolicy\'},[])},[]) : oam_link :> {\'description\': \'oam sink_identifier to use in aws_oam_link resource\'}}', 'ssm_parameters.account': {'parameters': {'ids': {'description': 'Selected modernisation platform AWS account IDs managed by baseline module', 'value': 'jsonencode({for key , value in ${module.environment} : key :> value if contains(local.account_names_for_account_ids_ssm_parameter,key)})'}}, 'postfix': '_'}, 'ssm_parameters.account.parameters': {'ids': {'description': 'Selected modernisation platform AWS account IDs managed by baseline module', 'value': 'jsonencode({for key , value in ${module.environment} : key :> value if contains(local.account_names_for_account_ids_ssm_parameter,key)})'}}, 'ssm_parameters.account.parameters.ids': {'description': 'Selected modernisation platform AWS account IDs managed by baseline module', 'value': 'jsonencode({for key , value in ${module.environment} : key :> value if contains(local.account_names_for_account_ids_ssm_parameter,key)})'}, 'ssm_parameters.account.parameters.ids.description': 'Selected modernisation platform AWS account IDs managed by baseline module', 'ssm_parameters.account.parameters.ids.value': 'jsonencode({for key , value in ${module.environment} : key :> value if contains(local.account_names_for_account_ids_ssm_parameter,key)})', 'ssm_parameters.account.postfix': '_', 'ssm_parameters.cloud-watch-config': {'parameters': {'windows': {'description': 'cloud watch agent config for windows managed by baseline module', 'file': './templates/cloud_watch_windows.json', 'type': 'String'}}, 'postfix': '-'}, 'ssm_parameters.cloud-watch-config.parameters': {'windows': {'description': 'cloud watch agent config for windows managed by baseline module', 'file': './templates/cloud_watch_windows.json', 'type': 'String'}}, 'ssm_parameters.cloud-watch-config.parameters.windows': {'description': 'cloud watch agent config for windows managed by baseline module', 'file': './templates/cloud_watch_windows.json', 'type': 'String'}, 'ssm_parameters.cloud-watch-config.parameters.windows.description': 'cloud watch agent config for windows managed by baseline module', 'ssm_parameters.cloud-watch-config.parameters.windows.file': './templates/cloud_watch_windows.json', 'ssm_parameters.cloud-watch-config.parameters.windows.type': 'String', 'ssm_parameters.cloud-watch-config.postfix': '-'}. Falling back to explicitly setting it.Exception - Parse error at 1:16 near token / (SORT_DIRECTION)
terraform scan results:

Passed checks: 177, Failed checks: 8, Skipped checks: 24

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: module.baseline.module.schedule_alarms_lambda.aws_lambda_function.alarm_scheduler
	File: /../../modules/schedule_alarms_lambda/main.tf:8-27
	Calling File: /../../modules/baseline/schedule_alarms_lambda.tf:1-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		8  | resource "aws_lambda_function" "alarm_scheduler" {
		9  |   filename         = "${path.module}/lambda/alarm_scheduler.zip"
		10 |   function_name    = var.lambda_function_name
		11 |   architectures    = ["arm64"]
		12 |   role             = aws_iam_role.lambda_exec.arn
		13 |   runtime          = "python3.12"
		14 |   handler          = "alarm_scheduler.lambda_handler"
		15 |   source_code_hash = data.archive_file.lambda_function_payload.output_base64sha256
		16 |   timeout          = 10
		17 | 
		18 |   environment {
		19 |     variables = {
		20 |       LOG_LEVEL       = var.lambda_log_level
		21 |       SPECIFIC_ALARMS = tostring(join(",", var.alarm_list))
		22 |       ALARM_PATTERNS  = tostring(join(",", var.alarm_patterns))
		23 |     }
		24 |   }
		25 | 
		26 |   tags = var.tags
		27 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: module.baseline.module.schedule_alarms_lambda.aws_lambda_function.alarm_scheduler
	File: /../../modules/schedule_alarms_lambda/main.tf:8-27
	Calling File: /../../modules/baseline/schedule_alarms_lambda.tf:1-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		8  | resource "aws_lambda_function" "alarm_scheduler" {
		9  |   filename         = "${path.module}/lambda/alarm_scheduler.zip"
		10 |   function_name    = var.lambda_function_name
		11 |   architectures    = ["arm64"]
		12 |   role             = aws_iam_role.lambda_exec.arn
		13 |   runtime          = "python3.12"
		14 |   handler          = "alarm_scheduler.lambda_handler"
		15 |   source_code_hash = data.archive_file.lambda_function_payload.output_base64sha256
		16 |   timeout          = 10
		17 | 
		18 |   environment {
		19 |     variables = {
		20 |       LOG_LEVEL       = var.lambda_log_level
		21 |       SPECIFIC_ALARMS = tostring(join(",", var.alarm_list))
		22 |       ALARM_PATTERNS  = tostring(join(",", var.alarm_patterns))
		23 |     }
		24 |   }
		25 | 
		26 |   tags = var.tags
		27 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: module.baseline.module.schedule_alarms_lambda.aws_lambda_function.alarm_scheduler
	File: /../../modules/schedule_alarms_lambda/main.tf:8-27
	Calling File: /../../modules/baseline/schedule_alarms_lambda.tf:1-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		8  | resource "aws_lambda_function" "alarm_scheduler" {
		9  |   filename         = "${path.module}/lambda/alarm_scheduler.zip"
		10 |   function_name    = var.lambda_function_name
		11 |   architectures    = ["arm64"]
		12 |   role             = aws_iam_role.lambda_exec.arn
		13 |   runtime          = "python3.12"
		14 |   handler          = "alarm_scheduler.lambda_handler"
		15 |   source_code_hash = data.archive_file.lambda_function_payload.output_base64sha256
		16 |   timeout          = 10
		17 | 
		18 |   environment {
		19 |     variables = {
		20 |       LOG_LEVEL       = var.lambda_log_level
		21 |       SPECIFIC_ALARMS = tostring(join(",", var.alarm_list))
		22 |       ALARM_PATTERNS  = tostring(join(",", var.alarm_patterns))
		23 |     }
		24 |   }
		25 | 
		26 |   tags = var.tags
		27 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: module.baseline.module.schedule_alarms_lambda.aws_lambda_function.alarm_scheduler
	File: /../../modules/schedule_alarms_lambda/main.tf:8-27
	Calling File: /../../modules/baseline/schedule_alarms_lambda.tf:1-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		8  | resource "aws_lambda_function" "alarm_scheduler" {
		9  |   filename         = "${path.module}/lambda/alarm_scheduler.zip"
		10 |   function_name    = var.lambda_function_name
		11 |   architectures    = ["arm64"]
		12 |   role             = aws_iam_role.lambda_exec.arn
		13 |   runtime          = "python3.12"
		14 |   handler          = "alarm_scheduler.lambda_handler"
		15 |   source_code_hash = data.archive_file.lambda_function_payload.output_base64sha256
		16 |   timeout          = 10
		17 | 
		18 |   environment {
		19 |     variables = {
		20 |       LOG_LEVEL       = var.lambda_log_level
		21 |       SPECIFIC_ALARMS = tostring(join(",", var.alarm_list))
		22 |       ALARM_PATTERNS  = tostring(join(",", var.alarm_patterns))
		23 |     }
		24 |   }
		25 | 
		26 |   tags = var.tags
		27 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: module.baseline.module.schedule_alarms_lambda.aws_lambda_function.alarm_scheduler
	File: /../../modules/schedule_alarms_lambda/main.tf:8-27
	Calling File: /../../modules/baseline/schedule_alarms_lambda.tf:1-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		8  | resource "aws_lambda_function" "alarm_scheduler" {
		9  |   filename         = "${path.module}/lambda/alarm_scheduler.zip"
		10 |   function_name    = var.lambda_function_name
		11 |   architectures    = ["arm64"]
		12 |   role             = aws_iam_role.lambda_exec.arn
		13 |   runtime          = "python3.12"
		14 |   handler          = "alarm_scheduler.lambda_handler"
		15 |   source_code_hash = data.archive_file.lambda_function_payload.output_base64sha256
		16 |   timeout          = 10
		17 | 
		18 |   environment {
		19 |     variables = {
		20 |       LOG_LEVEL       = var.lambda_log_level
		21 |       SPECIFIC_ALARMS = tostring(join(",", var.alarm_list))
		22 |       ALARM_PATTERNS  = tostring(join(",", var.alarm_patterns))
		23 |     }
		24 |   }
		25 | 
		26 |   tags = var.tags
		27 | }

Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
	FAILED for resource: module.baseline.module.schedule_alarms_lambda.aws_lambda_function.alarm_scheduler
	File: /../../modules/schedule_alarms_lambda/main.tf:8-27
	Calling File: /../../modules/baseline/schedule_alarms_lambda.tf:1-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1

		8  | resource "aws_lambda_function" "alarm_scheduler" {
		9  |   filename         = "${path.module}/lambda/alarm_scheduler.zip"
		10 |   function_name    = var.lambda_function_name
		11 |   architectures    = ["arm64"]
		12 |   role             = aws_iam_role.lambda_exec.arn
		13 |   runtime          = "python3.12"
		14 |   handler          = "alarm_scheduler.lambda_handler"
		15 |   source_code_hash = data.archive_file.lambda_function_payload.output_base64sha256
		16 |   timeout          = 10
		17 | 
		18 |   environment {
		19 |     variables = {
		20 |       LOG_LEVEL       = var.lambda_log_level
		21 |       SPECIFIC_ALARMS = tostring(join(",", var.alarm_list))
		22 |       ALARM_PATTERNS  = tostring(join(",", var.alarm_patterns))
		23 |     }
		24 |   }
		25 | 
		26 |   tags = var.tags
		27 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: module.baseline.module.schedule_alarms_lambda.aws_cloudwatch_log_group.execution_logs
	File: /../../modules/schedule_alarms_lambda/main.tf:29-34
	Calling File: /../../modules/baseline/schedule_alarms_lambda.tf:1-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		29 | resource "aws_cloudwatch_log_group" "execution_logs" {
		30 |   name              = format("/aws/lambda/%s", var.lambda_function_name)
		31 |   retention_in_days = 7
		32 | 
		33 |   tags = var.tags
		34 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: module.baseline.module.schedule_alarms_lambda.aws_cloudwatch_log_group.execution_logs
	File: /../../modules/schedule_alarms_lambda/main.tf:29-34
	Calling File: /../../modules/baseline/schedule_alarms_lambda.tf:1-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		29 | resource "aws_cloudwatch_log_group" "execution_logs" {
		30 |   name              = format("/aws/lambda/%s", var.lambda_function_name)
		31 |   retention_in_days = 7
		32 | 
		33 |   tags = var.tags
		34 | }


checkov_exitcode=2

*****************************

Running Checkov in terraform/modules/ip_addresses
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39

checkov_exitcode=2

CTFLint Scan Failed

Show Output 
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/delius-jitbit
terraform/environments/oasys
terraform/modules/ip_addresses

*****************************

Running tflint in terraform/environments/delius-jitbit
Excluding the following checks: terraform_unused_declarations
2 issue(s) found:

Warning: Missing version constraint for provider "archive" in `required_providers` (terraform_required_providers)

  on terraform/environments/delius-jitbit/ses_bounce.tf line 23:
  23: data "archive_file" "lambda_function_payload_bounce_email_notification" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "external" in `required_providers` (terraform_required_providers)

  on terraform/environments/delius-jitbit/waf.tf line 57:
  57: data "external" "shield_waf" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

tflint_exitcode=2

*****************************

Running tflint in terraform/environments/oasys
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=2

*****************************

Running tflint in terraform/modules/ip_addresses
Excluding the following checks: terraform_unused_declarations
1 issue(s) found:

Warning: Duplicate key: "ark_dc_external_internet", first defined at terraform/modules/ip_addresses/moj.tf:30,5-29 (terraform_map_duplicate_keys)

  on terraform/modules/ip_addresses/moj.tf line 55:
  55:     ark_dc_external_internet = [

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_map_duplicate_keys.md

tflint_exitcode=4

Trivy Scan Success

Show Output 
*****************************

Trivy will check the following folders:
terraform/environments/delius-jitbit
terraform/environments/oasys
terraform/modules/ip_addresses

*****************************

Running Trivy in terraform/environments/delius-jitbit
2024-11-22T09:47:16Z	INFO	[vulndb] Need to update DB
2024-11-22T09:47:16Z	INFO	[vulndb] Downloading vulnerability DB...
2024-11-22T09:47:16Z	INFO	[vulndb] Downloading artifact...	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-11-22T09:47:18Z	INFO	[vulndb] Artifact successfully downloaded	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-11-22T09:47:18Z	INFO	[vuln] Vulnerability scanning is enabled
2024-11-22T09:47:18Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-11-22T09:47:18Z	INFO	[misconfig] Need to update the built-in checks
2024-11-22T09:47:18Z	INFO	[misconfig] Downloading the built-in checks...
160.25 KiB / 160.25 KiB [------------------------------------------------------] 100.00% ? p/s 100ms2024-11-22T09:47:19Z	INFO	[secret] Secret scanning is enabled
2024-11-22T09:47:19Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-11-22T09:47:19Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-11-22T09:47:20Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-11-22T09:47:20Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2024-11-22T09:47:20Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_vpc_security_group_egress_rule.load_balancer_egress_rule" value="cty.NilVal"
2024-11-22T09:47:20Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_vpc_security_group_ingress_rule.load_balancer_ingress_rule" value="cty.NilVal"
2024-11-22T09:47:22Z	ERROR	[terraform evaluator] Failed to load module. Maybe try 'terraform init'?	err="open cluster: no such file or directory"
2024-11-22T09:47:23Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2024-11-22T09:47:23Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2024-11-22T09:47:23Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-22T09:47:23Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-22T09:47:24Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.shield.aws_wafv2_web_acl_association.this" value="cty.NilVal"
2024-11-22T09:47:26Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-user-attached-policies" range="iam.tf:150-156"
2024-11-22T09:47:26Z	INFO	[terraform executor] Ignore finding	rule="aws-elb-alb-not-public" range="lb.tf:14"
2024-11-22T09:47:26Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0/main.tf:157-165"
2024-11-22T09:47:26Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0/main.tf:157-165"
2024-11-22T09:47:26Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2024-11-22T09:47:26Z	INFO	[terraform executor] Ignore finding	rule="aws-ssm-secret-use-customer-key" range="secrets.tf:5-15"
2024-11-22T09:47:26Z	INFO	Number of language-specific files	num=0
2024-11-22T09:47:26Z	INFO	Detected config files	num=14
trivy_exitcode=0

*****************************

Running Trivy in terraform/environments/oasys
2024-11-22T09:47:26Z	INFO	[vuln] Vulnerability scanning is enabled
2024-11-22T09:47:26Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-11-22T09:47:26Z	INFO	[secret] Secret scanning is enabled
2024-11-22T09:47:26Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-11-22T09:47:26Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-11-22T09:47:28Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-11-22T09:47:28Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2024-11-22T09:47:28Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.aws_backup_plan.this" value="cty.NilVal"
2024-11-22T09:47:28Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.aws_backup_selection.this" value="cty.NilVal"
2024-11-22T09:47:28Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.aws_cloudwatch_log_group.route53" value="cty.NilVal"
2024-11-22T09:47:28Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.aws_cloudwatch_log_group.this" value="cty.NilVal"
2024-11-22T09:47:28Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.aws_cloudwatch_log_metric_filter.this" value="cty.NilVal"
2024-11-22T09:47:28Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.aws_cloudwatch_metric_alarm.this" value="cty.NilVal"
2024-11-22T09:47:28Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.aws_iam_policy.this" value="cty.NilVal"
2024-11-22T09:47:28Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.aws_iam_role.this" value="cty.NilVal"
2024-11-22T09:47:28Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.aws_iam_role_policy_attachment.this" value="cty.NilVal"
2024-11-22T09:47:28Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.aws_iam_service_linked_role.this" value="cty.NilVal"
2024-11-22T09:47:28Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.aws_key_pair.this" value="cty.NilVal"
2024-11-22T09:47:28Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.aws_kms_grant.this" value="cty.NilVal"
2024-11-22T09:47:28Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.aws_lb_target_group.instance" value="cty.NilVal"
2024-11-22T09:47:28Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.aws_lb_target_group_attachment.instance" value="cty.NilVal"
2024-11-22T09:47:28Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.aws_oam_link.this" value="cty.NilVal"
2024-11-22T09:47:28Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.aws_oam_sink.this" value="cty.NilVal"
2024-11-22T09:47:28Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.aws_oam_sink_policy.monitoring_account_oam_sink_policy" value="cty.NilVal"
2024-11-22T09:47:28Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.aws_route53_query_log.this" value="cty.NilVal"
2024-11-22T09:47:28Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.aws_route53_record.core_network_services" value="cty.NilVal"
2024-11-22T09:47:28Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.aws_route53_record.core_vpc" value="cty.NilVal"
2024-11-22T09:47:28Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.aws_route53_record.self" value="cty.NilVal"
2024-11-22T09:47:28Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.aws_route53_resolver_endpoint.this" value="cty.NilVal"
2024-11-22T09:47:28Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.aws_route53_resolver_rule.this" value="cty.NilVal"
2024-11-22T09:47:28Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.aws_route53_resolver_rule_association.this" value="cty.NilVal"
2024-11-22T09:47:28Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.aws_route53_zone.this" value="cty.NilVal"
2024-11-22T09:47:28Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.aws_secretsmanager_secret.this" value="cty.NilVal"
2024-11-22T09:47:28Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.aws_secretsmanager_secret_version.fixed" value="cty.NilVal"
2024-11-22T09:47:28Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.aws_security_group.this" value="cty.NilVal"
2024-11-22T09:47:28Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.aws_security_group_rule.route53_resolver" value="cty.NilVal"
2024-11-22T09:47:28Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.aws_security_group_rule.this" value="cty.NilVal"
2024-11-22T09:47:28Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.aws_sns_topic.this" value="cty.NilVal"
2024-11-22T09:47:28Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.aws_sns_topic_subscription.this" value="cty.NilVal"
2024-11-22T09:47:28Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.aws_ssm_association.this" value="cty.NilVal"
2024-11-22T09:47:28Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.aws_ssm_document.this" value="cty.NilVal"
2024-11-22T09:47:28Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.aws_ssm_parameter.fixed" value="cty.NilVal"
2024-11-22T09:47:28Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.aws_ssm_parameter.placeholder" value="cty.NilVal"
2024-11-22T09:47:28Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.data.aws_iam_policy_document.assume_role" value="cty.NilVal"
2024-11-22T09:47:28Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.data.aws_iam_policy_document.secretsmanager_secret_policy" value="cty.NilVal"
2024-11-22T09:47:28Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.data.aws_iam_policy_document.this" value="cty.NilVal"
2024-11-22T09:47:28Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.module.acm_certificate" value="cty.NilVal"
2024-11-22T09:47:28Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.module.cloudwatch_dashboard" value="cty.NilVal"
2024-11-22T09:47:28Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.module.ec2_autoscaling_group" value="cty.NilVal"
2024-11-22T09:47:28Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.module.ec2_instance" value="cty.NilVal"
2024-11-22T09:47:28Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.module.efs" value="cty.NilVal"
2024-11-22T09:47:28Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.module.fsx_windows" value="cty.NilVal"
2024-11-22T09:47:28Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.module.lb" value="cty.NilVal"
2024-11-22T09:47:28Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.module.lb_listener" value="cty.NilVal"
2024-11-22T09:47:28Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.module.s3_bucket" value="cty.NilVal"
2024-11-22T09:47:28Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.random_password.secrets" value="cty.NilVal"
2024-11-22T09:47:28Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.random_password.this" value="cty.NilVal"
2024-11-22T09:47:29Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.module.bastion_linux[0].aws_s3_object.user_public_keys" value="cty.NilVal"
2024-11-22T09:47:29Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.module.bastion_linux[0].data.aws_subnet.local_account" value="cty.NilVal"
2024-11-22T09:47:29Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.baseline.module.bastion_linux[0].aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-22T09:47:29Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.baseline.module.bastion_linux[0].aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-22T09:47:30Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.baseline.module.bastion_linux[0].module.s3-bucket.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-22T09:47:30Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.baseline.module.bastion_linux[0].module.s3-bucket.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-22T09:47:31Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.environment.data.aws_route53_zone.core_network_services" value="cty.NilVal"
2024-11-22T09:47:31Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.environment.data.aws_route53_zone.core_vpc" value="cty.NilVal"
2024-11-22T09:47:31Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.environment.data.aws_subnet.this" value="cty.NilVal"
2024-11-22T09:47:31Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.environment.data.aws_subnets.this" value="cty.NilVal"
2024-11-22T09:47:31Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.module.bastion_linux[0].aws_s3_object.user_public_keys" value="cty.NilVal"
2024-11-22T09:47:31Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.module.bastion_linux[0].data.aws_subnet.local_account" value="cty.NilVal"
2024-11-22T09:47:31Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.baseline.module.bastion_linux[0].aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-22T09:47:31Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.baseline.module.bastion_linux[0].aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-22T09:47:31Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.baseline.module.bastion_linux[0].module.s3-bucket.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-22T09:47:31Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.baseline.module.bastion_linux[0].module.s3-bucket.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-22T09:47:32Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=836db079348a2b40d59bd9cb953111e8ad61aec1/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=7b2b75c178f855d8c48d3bda4ac53df782288c02/main.tf:141-151"
2024-11-22T09:47:32Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v8.1.0/main.tf:150-160"
2024-11-22T09:47:32Z	INFO	Number of language-specific files	num=0
2024-11-22T09:47:32Z	INFO	Detected config files	num=3
trivy_exitcode=0

*****************************

Running Trivy in terraform/modules/ip_addresses
2024-11-22T09:47:32Z	INFO	[vuln] Vulnerability scanning is enabled
2024-11-22T09:47:32Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-11-22T09:47:32Z	INFO	[secret] Secret scanning is enabled
2024-11-22T09:47:32Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-11-22T09:47:32Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-11-22T09:47:33Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-11-22T09:47:33Z	INFO	Number of language-specific files	num=0
2024-11-22T09:47:33Z	INFO	Detected config files	num=1
trivy_exitcode=0

@github-actions GitHub Actions
Copy link
Contributor

Trivy Scan Success

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/delius-jitbit
terraform/environments/oasys
terraform/modules/ip_addresses

Running Trivy in terraform/environments/delius-jitbit
2024-11-22T09:53:48Z INFO [vulndb] Need to update DB
2024-11-22T09:53:48Z INFO [vulndb] Downloading vulnerability DB...
2024-11-22T09:53:48Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-11-22T09:53:50Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-11-22T09:53:50Z INFO [vuln] Vulnerability scanning is enabled
2024-11-22T09:53:50Z INFO [misconfig] Misconfiguration scanning is enabled
2024-11-22T09:53:50Z INFO [misconfig] Need to update the built-in checks
2024-11-22T09:53:50Z INFO [misconfig] Downloading the built-in checks...
2024-11-22T09:53:50Z ERROR [misconfig] Falling back to embedded checks err="failed to download built-in policies: download error: OCI repository error: 1 error occurred:\n\t* GET https://ghcr.io/v2/aquasecurity/trivy-checks/manifests/1: TOOMANYREQUESTS: retry-after: 640.839µs, allowed: 44000/minute\n\n"
2024-11-22T09:53:50Z INFO [secret] Secret scanning is enabled
2024-11-22T09:53:50Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-11-22T09:53:50Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-11-22T09:53:51Z INFO [terraform scanner] Scanning root module file_path="."
2024-11-22T09:53:51Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2024-11-22T09:53:51Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_vpc_security_group_egress_rule.load_balancer_egress_rule" value="cty.NilVal"
2024-11-22T09:53:51Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_vpc_security_group_ingress_rule.load_balancer_ingress_rule" value="cty.NilVal"
2024-11-22T09:53:52Z ERROR [terraform evaluator] Failed to load module. Maybe try 'terraform init'? err="open cluster: no such file or directory"
2024-11-22T09:53:53Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2024-11-22T09:53:53Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2024-11-22T09:53:53Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-22T09:53:53Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-22T09:53:53Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.shield.aws_wafv2_web_acl_association.this" value="cty.NilVal"
2024-11-22T09:53:55Z INFO [terraform executor] Ignore finding rule="aws-ssm-secret-use-customer-key" range="secrets.tf:5-15"
2024-11-22T09:53:55Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0/main.tf:157-165"
2024-11-22T09:53:55Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0/main.tf:157-165"
2024-11-22T09:53:55Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2024-11-22T09:53:55Z INFO [terraform executor] Ignore finding rule="aws-iam-no-user-attached-policies" range="iam.tf:150-156"
2024-11-22T09:53:55Z INFO [terraform executor] Ignore finding rule="aws-elb-alb-not-public" range="lb.tf:9-28"
2024-11-22T09:53:55Z INFO Number of language-specific files num=0
2024-11-22T09:53:55Z INFO Detected config files num=14
trivy_exitcode=0

Running Trivy in terraform/environments/oasys
2024-11-22T09:53:55Z INFO [vuln] Vulnerability scanning is enabled
2024-11-22T09:53:55Z INFO [misconfig] Misconfiguration scanning is enabled
2024-11-22T09:53:55Z INFO [misconfig] Need to update the built-in checks
2024-11-22T09:53:55Z INFO [misconfig] Downloading the built-in checks...
2024-11-22T09:53:55Z ERROR [misconfig] Falling back to embedded checks err="failed to download built-in policies: download error: OCI repository error: 1 error occurred:\n\t* GET https://ghcr.io/v2/aquasecurity/trivy-checks/manifests/1: TOOMANYREQUESTS: retry-after: 58.799µs, allowed: 44000/minute\n\n"
2024-11-22T09:53:55Z INFO [secret] Secret scanning is enabled
2024-11-22T09:53:55Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-11-22T09:53:55Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-11-22T09:53:57Z INFO [terraform scanner] Scanning root module file_path="."
2024-11-22T09:53:57Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2024-11-22T09:53:57Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.aws_backup_plan.this" value="cty.NilVal"
2024-11-22T09:53:57Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.aws_backup_selection.this" value="cty.NilVal"
2024-11-22T09:53:57Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.aws_cloudwatch_log_group.route53" value="cty.NilVal"
2024-11-22T09:53:57Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.aws_cloudwatch_log_group.this" value="cty.NilVal"
2024-11-22T09:53:57Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.aws_cloudwatch_log_metric_filter.this" value="cty.NilVal"
2024-11-22T09:53:57Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.aws_cloudwatch_metric_alarm.this" value="cty.NilVal"
2024-11-22T09:53:57Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.aws_iam_policy.this" value="cty.NilVal"
2024-11-22T09:53:57Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.aws_iam_role.this" value="cty.NilVal"
2024-11-22T09:53:57Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.aws_iam_role_policy_attachment.this" value="cty.NilVal"
2024-11-22T09:53:57Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.aws_iam_service_linked_role.this" value="cty.NilVal"
2024-11-22T09:53:57Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.aws_key_pair.this" value="cty.NilVal"
2024-11-22T09:53:57Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.aws_kms_grant.this" value="cty.NilVal"
2024-11-22T09:53:57Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.aws_lb_target_group.instance" value="cty.NilVal"
2024-11-22T09:53:57Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.aws_lb_target_group_attachment.instance" value="cty.NilVal"
2024-11-22T09:53:57Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.aws_oam_link.this" value="cty.NilVal"
2024-11-22T09:53:57Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.aws_oam_sink.this" value="cty.NilVal"
2024-11-22T09:53:57Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.aws_oam_sink_policy.monitoring_account_oam_sink_policy" value="cty.NilVal"
2024-11-22T09:53:57Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.aws_route53_query_log.this" value="cty.NilVal"
2024-11-22T09:53:57Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.aws_route53_record.core_network_services" value="cty.NilVal"
2024-11-22T09:53:57Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.aws_route53_record.core_vpc" value="cty.NilVal"
2024-11-22T09:53:57Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.aws_route53_record.self" value="cty.NilVal"
2024-11-22T09:53:57Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.aws_route53_resolver_endpoint.this" value="cty.NilVal"
2024-11-22T09:53:57Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.aws_route53_resolver_rule.this" value="cty.NilVal"
2024-11-22T09:53:57Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.aws_route53_resolver_rule_association.this" value="cty.NilVal"
2024-11-22T09:53:57Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.aws_route53_zone.this" value="cty.NilVal"
2024-11-22T09:53:57Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.aws_secretsmanager_secret.this" value="cty.NilVal"
2024-11-22T09:53:57Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.aws_secretsmanager_secret_version.fixed" value="cty.NilVal"
2024-11-22T09:53:57Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.aws_security_group.this" value="cty.NilVal"
2024-11-22T09:53:57Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.aws_security_group_rule.route53_resolver" value="cty.NilVal"
2024-11-22T09:53:57Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.aws_security_group_rule.this" value="cty.NilVal"
2024-11-22T09:53:57Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.aws_sns_topic.this" value="cty.NilVal"
2024-11-22T09:53:57Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.aws_sns_topic_subscription.this" value="cty.NilVal"
2024-11-22T09:53:57Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.aws_ssm_association.this" value="cty.NilVal"
2024-11-22T09:53:57Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.aws_ssm_document.this" value="cty.NilVal"
2024-11-22T09:53:57Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.aws_ssm_parameter.fixed" value="cty.NilVal"
2024-11-22T09:53:57Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.aws_ssm_parameter.placeholder" value="cty.NilVal"
2024-11-22T09:53:57Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.data.aws_iam_policy_document.assume_role" value="cty.NilVal"
2024-11-22T09:53:57Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.data.aws_iam_policy_document.secretsmanager_secret_policy" value="cty.NilVal"
2024-11-22T09:53:57Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.data.aws_iam_policy_document.this" value="cty.NilVal"
2024-11-22T09:53:57Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.module.acm_certificate" value="cty.NilVal"
2024-11-22T09:53:57Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.module.cloudwatch_dashboard" value="cty.NilVal"
2024-11-22T09:53:57Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.module.ec2_autoscaling_group" value="cty.NilVal"
2024-11-22T09:53:57Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.module.ec2_instance" value="cty.NilVal"
2024-11-22T09:53:57Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.module.efs" value="cty.NilVal"
2024-11-22T09:53:57Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.module.fsx_windows" value="cty.NilVal"
2024-11-22T09:53:57Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.module.lb" value="cty.NilVal"
2024-11-22T09:53:57Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.module.lb_listener" value="cty.NilVal"
2024-11-22T09:53:57Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.module.s3_bucket" value="cty.NilVal"
2024-11-22T09:53:57Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.random_password.secrets" value="cty.NilVal"
2024-11-22T09:53:57Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.random_password.this" value="cty.NilVal"
2024-11-22T09:53:57Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.module.bastion_linux[0].aws_s3_object.user_public_keys" value="cty.NilVal"
2024-11-22T09:53:57Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.module.bastion_linux[0].data.aws_subnet.local_account" value="cty.NilVal"
2024-11-22T09:53:57Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.baseline.module.bastion_linux[0].aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-22T09:53:57Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.baseline.module.bastion_linux[0].aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-22T09:53:57Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.baseline.module.bastion_linux[0].module.s3-bucket.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-22T09:53:57Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.baseline.module.bastion_linux[0].module.s3-bucket.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-22T09:53:58Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.environment.data.aws_route53_zone.core_network_services" value="cty.NilVal"
2024-11-22T09:53:58Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.environment.data.aws_route53_zone.core_vpc" value="cty.NilVal"
2024-11-22T09:53:58Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.environment.data.aws_subnet.this" value="cty.NilVal"
2024-11-22T09:53:58Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.environment.data.aws_subnets.this" value="cty.NilVal"
2024-11-22T09:53:58Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.module.bastion_linux[0].aws_s3_object.user_public_keys" value="cty.NilVal"
2024-11-22T09:53:58Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.baseline.module.bastion_linux[0].data.aws_subnet.local_account" value="cty.NilVal"
2024-11-22T09:53:58Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.baseline.module.bastion_linux[0].aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-22T09:53:58Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.baseline.module.bastion_linux[0].aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-22T09:53:58Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.baseline.module.bastion_linux[0].module.s3-bucket.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-22T09:53:58Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.baseline.module.bastion_linux[0].module.s3-bucket.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-22T09:53:59Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=836db079348a2b40d59bd9cb953111e8ad61aec1/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=7b2b75c178f855d8c48d3bda4ac53df782288c02/main.tf:141-151"
2024-11-22T09:53:59Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v8.1.0/main.tf:150-160"
2024-11-22T09:53:59Z INFO Number of language-specific files num=0
2024-11-22T09:53:59Z INFO Detected config files num=3
trivy_exitcode=0

Running Trivy in terraform/modules/ip_addresses
2024-11-22T09:53:59Z INFO [vuln] Vulnerability scanning is enabled
2024-11-22T09:53:59Z INFO [misconfig] Misconfiguration scanning is enabled
2024-11-22T09:53:59Z INFO [misconfig] Need to update the built-in checks
2024-11-22T09:53:59Z INFO [misconfig] Downloading the built-in checks...
2024-11-22T09:54:00Z ERROR [misconfig] Falling back to embedded checks err="failed to download built-in policies: download error: OCI repository error: 1 error occurred:\n\t* GET https://ghcr.io/v2/aquasecurity/trivy-checks/manifests/1: TOOMANYREQUESTS: retry-after: 362.247µs, allowed: 44000/minute\n\n"
2024-11-22T09:54:00Z INFO [secret] Secret scanning is enabled
2024-11-22T09:54:00Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-11-22T09:54:00Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-11-22T09:54:00Z INFO [terraform scanner] Scanning root module file_path="."
2024-11-22T09:54:00Z INFO Number of language-specific files num=0
2024-11-22T09:54:00Z INFO Detected config files num=1
trivy_exitcode=0

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/delius-jitbit
terraform/environments/oasys
terraform/modules/ip_addresses

*****************************

Running Checkov in terraform/environments/delius-jitbit
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-11-22 09:54:03,761 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//cluster?ref=v2.0.1:None (for external modules, the --download-external-modules flag is required)
2024-11-22 09:54:03,761 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0:None (for external modules, the --download-external-modules flag is required)
2024-11-22 09:54:03,761 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0:None (for external modules, the --download-external-modules flag is required)
2024-11-22 09:54:03,761 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0:None (for external modules, the --download-external-modules flag is required)
2024-11-22 09:54:03,761 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 322, Failed checks: 69, Skipped checks: 20

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: bastion_linux
	File: /bastion_linux.tf:6-41
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		6  | module "bastion_linux" {
		7  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1"
		8  | 
		9  |   providers = {
		10 |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		11 |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		12 |   }
		13 | 
		14 |   # s3 - used for logs and user ssh public keys
		15 |   bucket_name = "bastion"
		16 |   # public keys
		17 |   public_key_data = local.public_key_data.keys[local.environment]
		18 |   # logs
		19 |   log_auto_clean       = "Enabled"
		20 |   log_standard_ia_days = 30  # days before moving to IA storage
		21 |   log_glacier_days     = 60  # days before moving to Glacier
		22 |   log_expiry_days      = 180 # days before log expiration
		23 |   # bastion
		24 |   allow_ssh_commands = false
		25 | 
		26 |   app_name      = var.networking[0].application
		27 |   business_unit = local.vpc_name
		28 |   subnet_set    = local.subnet_set
		29 |   environment   = local.environment
		30 |   region        = "eu-west-2"
		31 | 
		32 |   # custom scaling schedule
		33 |   autoscaling_cron = {
		34 |     "down" : "0 21 * * *",
		35 |     "up" : "0 05 * * *"
		36 |   }
		37 | 
		38 |   # Tags
		39 |   tags_common = local.tags
		40 |   tags_prefix = terraform.workspace
		41 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.jitbit
	File: /ecs.tf:84-87
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		84 | resource "aws_cloudwatch_log_group" "jitbit" {
		85 |   name              = format("%s-ecs", local.application_name)
		86 |   retention_in_days = 30
		87 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.jitbit
	File: /ecs.tf:84-87
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		84 | resource "aws_cloudwatch_log_group" "jitbit" {
		85 |   name              = format("%s-ecs", local.application_name)
		86 |   retention_in_days = 30
		87 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: ecs
	File: /ecs.tf:1-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		1 | module "ecs" {
		2 |   source = "github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//cluster?ref=v2.0.1"
		3 | 
		4 |   environment = local.environment
		5 |   name        = local.application_name
		6 | 
		7 |   tags = local.tags
		8 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3_bucket_app_deployment
	File: /ecs.tf:11-51
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		11 | module "s3_bucket_app_deployment" {
		12 | 
		13 |   source = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0"
		14 | 
		15 |   providers = {
		16 |     aws.bucket-replication = aws
		17 |   }
		18 |   bucket_name        = "${local.application_name}-${local.environment}-deployment"
		19 |   versioning_enabled = true
		20 | 
		21 |   ownership_controls = "BucketOwnerEnforced"
		22 | 
		23 |   lifecycle_rule = [
		24 |     {
		25 |       id      = "main"
		26 |       enabled = "Enabled"
		27 |       prefix  = ""
		28 | 
		29 |       tags = {
		30 |         rule      = "log"
		31 |         autoclean = "true"
		32 |       }
		33 | 
		34 |       noncurrent_version_transition = [
		35 |         {
		36 |           days          = 90
		37 |           storage_class = "STANDARD_IA"
		38 |           }, {
		39 |           days          = 365
		40 |           storage_class = "GLACIER"
		41 |         }
		42 |       ]
		43 | 
		44 |       noncurrent_version_expiration = {
		45 |         days = 730
		46 |       }
		47 |     }
		48 |   ]
		49 | 
		50 |   tags = local.tags
		51 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.ecs_service_policy
	File: /iam.tf:37-52
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		37 | data "aws_iam_policy_document" "ecs_service_policy" {
		38 |   statement {
		39 |     effect    = "Allow"
		40 |     resources = ["*"]
		41 | 
		42 |     actions = [
		43 |       "elasticloadbalancing:Describe*",
		44 |       "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
		45 |       "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
		46 |       "ec2:Describe*",
		47 |       "ec2:AuthorizeSecurityGroupIngress",
		48 |       "elasticloadbalancing:RegisterTargets",
		49 |       "elasticloadbalancing:DeregisterTargets"
		50 |     ]
		51 |   }
		52 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.ecs_service_policy
	File: /iam.tf:37-52
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		37 | data "aws_iam_policy_document" "ecs_service_policy" {
		38 |   statement {
		39 |     effect    = "Allow"
		40 |     resources = ["*"]
		41 | 
		42 |     actions = [
		43 |       "elasticloadbalancing:Describe*",
		44 |       "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
		45 |       "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
		46 |       "ec2:Describe*",
		47 |       "ec2:AuthorizeSecurityGroupIngress",
		48 |       "elasticloadbalancing:RegisterTargets",
		49 |       "elasticloadbalancing:DeregisterTargets"
		50 |     ]
		51 |   }
		52 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.ecs_exec
	File: /iam.tf:98-114
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		98  | data "aws_iam_policy_document" "ecs_exec" {
		99  |   statement {
		100 |     effect    = "Allow"
		101 |     resources = ["*"]
		102 | 
		103 |     actions = [
		104 |       "ssm:GetParameters",
		105 |       "ecr:GetAuthorizationToken",
		106 |       "ecr:BatchCheckLayerAvailability",
		107 |       "ecr:GetDownloadUrlForLayer",
		108 |       "ecr:BatchGetImage",
		109 |       "logs:CreateLogGroup",
		110 |       "logs:CreateLogStream",
		111 |       "logs:PutLogEvents"
		112 |     ]
		113 |   }
		114 | }

Check: CKV_AWS_108: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: aws_iam_policy_document.ecs_exec
	File: /iam.tf:98-114
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-data-exfiltration

		98  | data "aws_iam_policy_document" "ecs_exec" {
		99  |   statement {
		100 |     effect    = "Allow"
		101 |     resources = ["*"]
		102 | 
		103 |     actions = [
		104 |       "ssm:GetParameters",
		105 |       "ecr:GetAuthorizationToken",
		106 |       "ecr:BatchCheckLayerAvailability",
		107 |       "ecr:GetDownloadUrlForLayer",
		108 |       "ecr:BatchGetImage",
		109 |       "logs:CreateLogGroup",
		110 |       "logs:CreateLogStream",
		111 |       "logs:PutLogEvents"
		112 |     ]
		113 |   }
		114 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.ecs_exec
	File: /iam.tf:98-114
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		98  | data "aws_iam_policy_document" "ecs_exec" {
		99  |   statement {
		100 |     effect    = "Allow"
		101 |     resources = ["*"]
		102 | 
		103 |     actions = [
		104 |       "ssm:GetParameters",
		105 |       "ecr:GetAuthorizationToken",
		106 |       "ecr:BatchCheckLayerAvailability",
		107 |       "ecr:GetDownloadUrlForLayer",
		108 |       "ecr:BatchGetImage",
		109 |       "logs:CreateLogGroup",
		110 |       "logs:CreateLogStream",
		111 |       "logs:PutLogEvents"
		112 |     ]
		113 |   }
		114 | }

Check: CKV_AWS_378: "Ensure AWS Load Balancer doesn't use HTTP protocol"
	FAILED for resource: aws_lb_target_group.target_group_fargate
	File: /lb.tf:97-127

		97  | resource "aws_lb_target_group" "target_group_fargate" {
		98  |   # checkov:skip=CKV_AWS_261
		99  | 
		100 |   name                 = local.application_name
		101 |   port                 = local.app_port
		102 |   protocol             = "HTTP"
		103 |   vpc_id               = data.aws_vpc.shared.id
		104 |   target_type          = "ip"
		105 |   deregistration_delay = 30
		106 | 
		107 |   stickiness {
		108 |     type = "lb_cookie"
		109 |   }
		110 | 
		111 |   health_check {
		112 |     path                = "/User/Login?ReturnUrl=%2f"
		113 |     healthy_threshold   = "5"
		114 |     interval            = "120"
		115 |     protocol            = "HTTP"
		116 |     unhealthy_threshold = "2"
		117 |     matcher             = "200-499"
		118 |     timeout             = "5"
		119 |   }
		120 | 
		121 |   tags = merge(
		122 |     local.tags,
		123 |     {
		124 |       Name = local.application_name
		125 |     }
		126 |   )
		127 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.jitbit_alerting
	File: /monitoring.tf:6-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		6 | resource "aws_sns_topic" "jitbit_alerting" {
		7 |   name = "jitbit_alerting"
		8 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: pagerduty_core_alerts
	File: /monitoring.tf:37-44
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		37 | module "pagerduty_core_alerts" {
		38 |   depends_on = [
		39 |     aws_sns_topic.jitbit_alerting
		40 |   ]
		41 |   source                    = "github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0"
		42 |   sns_topics                = [aws_sns_topic.jitbit_alerting.name]
		43 |   pagerduty_integration_key = local.pagerduty_integration_key
		44 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.app_logs
	File: /monitoring_app.tf:1-6
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		1 | resource "aws_cloudwatch_log_group" "app_logs" {
		2 |   name              = "delius-jitbit-ecs"
		3 |   retention_in_days = 30
		4 | 
		5 |   tags = local.tags
		6 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.app_logs
	File: /monitoring_app.tf:1-6
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		1 | resource "aws_cloudwatch_log_group" "app_logs" {
		2 |   name              = "delius-jitbit-ecs"
		3 |   retention_in_days = 30
		4 | 
		5 |   tags = local.tags
		6 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: aws_db_instance.jitbit
	File: /rds.tf:43-89
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-354

		43 | resource "aws_db_instance" "jitbit" {
		44 |   engine         = "sqlserver-se"
		45 |   license_model  = "license-included"
		46 |   engine_version = local.application_data.accounts[local.environment].db_engine_version
		47 |   instance_class = local.application_data.accounts[local.environment].db_instance_class
		48 |   identifier     = "${local.application_name}-${local.environment}-database"
		49 |   username       = local.application_data.accounts[local.environment].db_user
		50 | 
		51 |   apply_immediately = false
		52 | 
		53 |   manage_master_user_password = true
		54 | 
		55 |   snapshot_identifier = try(local.application_data.accounts[local.environment].db_snapshot_identifier, null)
		56 | 
		57 |   # tflint-ignore: aws_db_instance_default_parameter_group
		58 |   parameter_group_name        = "default.sqlserver-se-15.0"
		59 |   ca_cert_identifier          = local.application_data.accounts[local.environment].db_ca_cert_identifier
		60 |   deletion_protection         = local.application_data.accounts[local.environment].db_deletion_protection
		61 |   delete_automated_backups    = local.application_data.accounts[local.environment].db_delete_automated_backups
		62 |   skip_final_snapshot         = local.skip_final_snapshot
		63 |   final_snapshot_identifier   = !local.skip_final_snapshot ? "${local.application_name}-${local.environment}-database-final-snapshot" : null
		64 |   allocated_storage           = local.application_data.accounts[local.environment].db_allocated_storage
		65 |   max_allocated_storage       = local.application_data.accounts[local.environment].db_max_allocated_storage
		66 |   storage_type                = local.application_data.accounts[local.environment].db_storage_type
		67 |   maintenance_window          = local.application_data.accounts[local.environment].db_maintenance_window
		68 |   auto_minor_version_upgrade  = local.application_data.accounts[local.environment].db_auto_minor_version_upgrade
		69 |   allow_major_version_upgrade = local.application_data.accounts[local.environment].db_allow_major_version_upgrade
		70 |   backup_window               = local.application_data.accounts[local.environment].db_backup_window
		71 |   backup_retention_period     = local.application_data.accounts[local.environment].db_retention_period
		72 |   #checkov:skip=CKV_AWS_133: "backup_retention enabled, can be edited it application_variables.json"
		73 |   iam_database_authentication_enabled = local.application_data.accounts[local.environment].db_iam_database_authentication_enabled
		74 |   #checkov:skip=CKV_AWS_161: "iam auth enabled, but optional"
		75 |   db_subnet_group_name   = aws_db_subnet_group.jitbit.id
		76 |   vpc_security_group_ids = [aws_security_group.database_security_group.id]
		77 |   multi_az               = local.application_data.accounts[local.environment].db_multi_az
		78 |   #checkov:skip=CKV_AWS_157: "multi-az enabled, but optional"
		79 |   monitoring_interval = local.application_data.accounts[local.environment].db_monitoring_interval
		80 |   monitoring_role_arn = local.application_data.accounts[local.environment].db_monitoring_interval == 0 ? "" : aws_iam_role.rds_enhanced_monitoring[0].arn
		81 |   #checkov:skip=CKV_AWS_118: "enhanced monitoring is enabled, but optional"
		82 |   storage_encrypted               = true
		83 |   performance_insights_enabled    = local.application_data.accounts[local.environment].db_performance_insights_enabled
		84 |   performance_insights_kms_key_id = "" #tfsec:ignore:aws-rds-enable-performance-insights-encryption Left empty so that it will run, however should be populated with real key in scenario.
		85 |   enabled_cloudwatch_logs_exports = local.application_data.accounts[local.environment].db_enabled_cloudwatch_logs_exports
		86 |   tags = merge(local.tags,
		87 |     { Name = lower(format("%s-%s-database", local.application_name, local.environment)) }
		88 |   )
		89 | }

Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
	FAILED for resource: aws_db_instance.jitbit
	File: /rds.tf:43-89
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-353

		43 | resource "aws_db_instance" "jitbit" {
		44 |   engine         = "sqlserver-se"
		45 |   license_model  = "license-included"
		46 |   engine_version = local.application_data.accounts[local.environment].db_engine_version
		47 |   instance_class = local.application_data.accounts[local.environment].db_instance_class
		48 |   identifier     = "${local.application_name}-${local.environment}-database"
		49 |   username       = local.application_data.accounts[local.environment].db_user
		50 | 
		51 |   apply_immediately = false
		52 | 
		53 |   manage_master_user_password = true
		54 | 
		55 |   snapshot_identifier = try(local.application_data.accounts[local.environment].db_snapshot_identifier, null)
		56 | 
		57 |   # tflint-ignore: aws_db_instance_default_parameter_group
		58 |   parameter_group_name        = "default.sqlserver-se-15.0"
		59 |   ca_cert_identifier          = local.application_data.accounts[local.environment].db_ca_cert_identifier
		60 |   deletion_protection         = local.application_data.accounts[local.environment].db_deletion_protection
		61 |   delete_automated_backups    = local.application_data.accounts[local.environment].db_delete_automated_backups
		62 |   skip_final_snapshot         = local.skip_final_snapshot
		63 |   final_snapshot_identifier   = !local.skip_final_snapshot ? "${local.application_name}-${local.environment}-database-final-snapshot" : null
		64 |   allocated_storage           = local.application_data.accounts[local.environment].db_allocated_storage
		65 |   max_allocated_storage       = local.application_data.accounts[local.environment].db_max_allocated_storage
		66 |   storage_type                = local.application_data.accounts[local.environment].db_storage_type
		67 |   maintenance_window          = local.application_data.accounts[local.environment].db_maintenance_window
		68 |   auto_minor_version_upgrade  = local.application_data.accounts[local.environment].db_auto_minor_version_upgrade
		69 |   allow_major_version_upgrade = local.application_data.accounts[local.environment].db_allow_major_version_upgrade
		70 |   backup_window               = local.application_data.accounts[local.environment].db_backup_window
		71 |   backup_retention_period     = local.application_data.accounts[local.environment].db_retention_period
		72 |   #checkov:skip=CKV_AWS_133: "backup_retention enabled, can be edited it application_variables.json"
		73 |   iam_database_authentication_enabled = local.application_data.accounts[local.environment].db_iam_database_authentication_enabled
		74 |   #checkov:skip=CKV_AWS_161: "iam auth enabled, but optional"
		75 |   db_subnet_group_name   = aws_db_subnet_group.jitbit.id
		76 |   vpc_security_group_ids = [aws_security_group.database_security_group.id]
		77 |   multi_az               = local.application_data.accounts[local.environment].db_multi_az
		78 |   #checkov:skip=CKV_AWS_157: "multi-az enabled, but optional"
		79 |   monitoring_interval = local.application_data.accounts[local.environment].db_monitoring_interval
		80 |   monitoring_role_arn = local.application_data.accounts[local.environment].db_monitoring_interval == 0 ? "" : aws_iam_role.rds_enhanced_monitoring[0].arn
		81 |   #checkov:skip=CKV_AWS_118: "enhanced monitoring is enabled, but optional"
		82 |   storage_encrypted               = true
		83 |   performance_insights_enabled    = local.application_data.accounts[local.environment].db_performance_insights_enabled
		84 |   performance_insights_kms_key_id = "" #tfsec:ignore:aws-rds-enable-performance-insights-encryption Left empty so that it will run, however should be populated with real key in scenario.
		85 |   enabled_cloudwatch_logs_exports = local.application_data.accounts[local.environment].db_enabled_cloudwatch_logs_exports
		86 |   tags = merge(local.tags,
		87 |     { Name = lower(format("%s-%s-database", local.application_name, local.environment)) }
		88 |   )
		89 | }

Check: CKV_AWS_226: "Ensure DB instance gets all minor upgrades automatically"
	FAILED for resource: aws_db_instance.jitbit
	File: /rds.tf:43-89
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-db-instance-gets-all-minor-upgrades-automatically

		43 | resource "aws_db_instance" "jitbit" {
		44 |   engine         = "sqlserver-se"
		45 |   license_model  = "license-included"
		46 |   engine_version = local.application_data.accounts[local.environment].db_engine_version
		47 |   instance_class = local.application_data.accounts[local.environment].db_instance_class
		48 |   identifier     = "${local.application_name}-${local.environment}-database"
		49 |   username       = local.application_data.accounts[local.environment].db_user
		50 | 
		51 |   apply_immediately = false
		52 | 
		53 |   manage_master_user_password = true
		54 | 
		55 |   snapshot_identifier = try(local.application_data.accounts[local.environment].db_snapshot_identifier, null)
		56 | 
		57 |   # tflint-ignore: aws_db_instance_default_parameter_group
		58 |   parameter_group_name        = "default.sqlserver-se-15.0"
		59 |   ca_cert_identifier          = local.application_data.accounts[local.environment].db_ca_cert_identifier
		60 |   deletion_protection         = local.application_data.accounts[local.environment].db_deletion_protection
		61 |   delete_automated_backups    = local.application_data.accounts[local.environment].db_delete_automated_backups
		62 |   skip_final_snapshot         = local.skip_final_snapshot
		63 |   final_snapshot_identifier   = !local.skip_final_snapshot ? "${local.application_name}-${local.environment}-database-final-snapshot" : null
		64 |   allocated_storage           = local.application_data.accounts[local.environment].db_allocated_storage
		65 |   max_allocated_storage       = local.application_data.accounts[local.environment].db_max_allocated_storage
		66 |   storage_type                = local.application_data.accounts[local.environment].db_storage_type
		67 |   maintenance_window          = local.application_data.accounts[local.environment].db_maintenance_window
		68 |   auto_minor_version_upgrade  = local.application_data.accounts[local.environment].db_auto_minor_version_upgrade
		69 |   allow_major_version_upgrade = local.application_data.accounts[local.environment].db_allow_major_version_upgrade
		70 |   backup_window               = local.application_data.accounts[local.environment].db_backup_window
		71 |   backup_retention_period     = local.application_data.accounts[local.environment].db_retention_period
		72 |   #checkov:skip=CKV_AWS_133: "backup_retention enabled, can be edited it application_variables.json"
		73 |   iam_database_authentication_enabled = local.application_data.accounts[local.environment].db_iam_database_authentication_enabled
		74 |   #checkov:skip=CKV_AWS_161: "iam auth enabled, but optional"
		75 |   db_subnet_group_name   = aws_db_subnet_group.jitbit.id
		76 |   vpc_security_group_ids = [aws_security_group.database_security_group.id]
		77 |   multi_az               = local.application_data.accounts[local.environment].db_multi_az
		78 |   #checkov:skip=CKV_AWS_157: "multi-az enabled, but optional"
		79 |   monitoring_interval = local.application_data.accounts[local.environment].db_monitoring_interval
		80 |   monitoring_role_arn = local.application_data.accounts[local.environment].db_monitoring_interval == 0 ? "" : aws_iam_role.rds_enhanced_monitoring[0].arn
		81 |   #checkov:skip=CKV_AWS_118: "enhanced monitoring is enabled, but optional"
		82 |   storage_encrypted               = true
		83 |   performance_insights_enabled    = local.application_data.accounts[local.environment].db_performance_insights_enabled
		84 |   performance_insights_kms_key_id = "" #tfsec:ignore:aws-rds-enable-performance-insights-encryption Left empty so that it will run, however should be populated with real key in scenario.
		85 |   enabled_cloudwatch_logs_exports = local.application_data.accounts[local.environment].db_enabled_cloudwatch_logs_exports
		86 |   tags = merge(local.tags,
		87 |     { Name = lower(format("%s-%s-database", local.application_name, local.environment)) }
		88 |   )
		89 | }

Check: CKV_AWS_211: "Ensure RDS uses a modern CaCert"
	FAILED for resource: aws_db_instance.jitbit
	File: /rds.tf:43-89
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-rds-uses-a-modern-cacert

		43 | resource "aws_db_instance" "jitbit" {
		44 |   engine         = "sqlserver-se"
		45 |   license_model  = "license-included"
		46 |   engine_version = local.application_data.accounts[local.environment].db_engine_version
		47 |   instance_class = local.application_data.accounts[local.environment].db_instance_class
		48 |   identifier     = "${local.application_name}-${local.environment}-database"
		49 |   username       = local.application_data.accounts[local.environment].db_user
		50 | 
		51 |   apply_immediately = false
		52 | 
		53 |   manage_master_user_password = true
		54 | 
		55 |   snapshot_identifier = try(local.application_data.accounts[local.environment].db_snapshot_identifier, null)
		56 | 
		57 |   # tflint-ignore: aws_db_instance_default_parameter_group
		58 |   parameter_group_name        = "default.sqlserver-se-15.0"
		59 |   ca_cert_identifier          = local.application_data.accounts[local.environment].db_ca_cert_identifier
		60 |   deletion_protection         = local.application_data.accounts[local.environment].db_deletion_protection
		61 |   delete_automated_backups    = local.application_data.accounts[local.environment].db_delete_automated_backups
		62 |   skip_final_snapshot         = local.skip_final_snapshot
		63 |   final_snapshot_identifier   = !local.skip_final_snapshot ? "${local.application_name}-${local.environment}-database-final-snapshot" : null
		64 |   allocated_storage           = local.application_data.accounts[local.environment].db_allocated_storage
		65 |   max_allocated_storage       = local.application_data.accounts[local.environment].db_max_allocated_storage
		66 |   storage_type                = local.application_data.accounts[local.environment].db_storage_type
		67 |   maintenance_window          = local.application_data.accounts[local.environment].db_maintenance_window
		68 |   auto_minor_version_upgrade  = local.application_data.accounts[local.environment].db_auto_minor_version_upgrade
		69 |   allow_major_version_upgrade = local.application_data.accounts[local.environment].db_allow_major_version_upgrade
		70 |   backup_window               = local.application_data.accounts[local.environment].db_backup_window
		71 |   backup_retention_period     = local.application_data.accounts[local.environment].db_retention_period
		72 |   #checkov:skip=CKV_AWS_133: "backup_retention enabled, can be edited it application_variables.json"
		73 |   iam_database_authentication_enabled = local.application_data.accounts[local.environment].db_iam_database_authentication_enabled
		74 |   #checkov:skip=CKV_AWS_161: "iam auth enabled, but optional"
		75 |   db_subnet_group_name   = aws_db_subnet_group.jitbit.id
		76 |   vpc_security_group_ids = [aws_security_group.database_security_group.id]
		77 |   multi_az               = local.application_data.accounts[local.environment].db_multi_az
		78 |   #checkov:skip=CKV_AWS_157: "multi-az enabled, but optional"
		79 |   monitoring_interval = local.application_data.accounts[local.environment].db_monitoring_interval
		80 |   monitoring_role_arn = local.application_data.accounts[local.environment].db_monitoring_interval == 0 ? "" : aws_iam_role.rds_enhanced_monitoring[0].arn
		81 |   #checkov:skip=CKV_AWS_118: "enhanced monitoring is enabled, but optional"
		82 |   storage_encrypted               = true
		83 |   performance_insights_enabled    = local.application_data.accounts[local.environment].db_performance_insights_enabled
		84 |   performance_insights_kms_key_id = "" #tfsec:ignore:aws-rds-enable-performance-insights-encryption Left empty so that it will run, however should be populated with real key in scenario.
		85 |   enabled_cloudwatch_logs_exports = local.application_data.accounts[local.environment].db_enabled_cloudwatch_logs_exports
		86 |   tags = merge(local.tags,
		87 |     { Name = lower(format("%s-%s-database", local.application_name, local.environment)) }
		88 |   )
		89 | }

Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
	FAILED for resource: aws_db_instance.jitbit
	File: /rds.tf:43-89
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-293

		43 | resource "aws_db_instance" "jitbit" {
		44 |   engine         = "sqlserver-se"
		45 |   license_model  = "license-included"
		46 |   engine_version = local.application_data.accounts[local.environment].db_engine_version
		47 |   instance_class = local.application_data.accounts[local.environment].db_instance_class
		48 |   identifier     = "${local.application_name}-${local.environment}-database"
		49 |   username       = local.application_data.accounts[local.environment].db_user
		50 | 
		51 |   apply_immediately = false
		52 | 
		53 |   manage_master_user_password = true
		54 | 
		55 |   snapshot_identifier = try(local.application_data.accounts[local.environment].db_snapshot_identifier, null)
		56 | 
		57 |   # tflint-ignore: aws_db_instance_default_parameter_group
		58 |   parameter_group_name        = "default.sqlserver-se-15.0"
		59 |   ca_cert_identifier          = local.application_data.accounts[local.environment].db_ca_cert_identifier
		60 |   deletion_protection         = local.application_data.accounts[local.environment].db_deletion_protection
		61 |   delete_automated_backups    = local.application_data.accounts[local.environment].db_delete_automated_backups
		62 |   skip_final_snapshot         = local.skip_final_snapshot
		63 |   final_snapshot_identifier   = !local.skip_final_snapshot ? "${local.application_name}-${local.environment}-database-final-snapshot" : null
		64 |   allocated_storage           = local.application_data.accounts[local.environment].db_allocated_storage
		65 |   max_allocated_storage       = local.application_data.accounts[local.environment].db_max_allocated_storage
		66 |   storage_type                = local.application_data.accounts[local.environment].db_storage_type
		67 |   maintenance_window          = local.application_data.accounts[local.environment].db_maintenance_window
		68 |   auto_minor_version_upgrade  = local.application_data.accounts[local.environment].db_auto_minor_version_upgrade
		69 |   allow_major_version_upgrade = local.application_data.accounts[local.environment].db_allow_major_version_upgrade
		70 |   backup_window               = local.application_data.accounts[local.environment].db_backup_window
		71 |   backup_retention_period     = local.application_data.accounts[local.environment].db_retention_period
		72 |   #checkov:skip=CKV_AWS_133: "backup_retention enabled, can be edited it application_variables.json"
		73 |   iam_database_authentication_enabled = local.application_data.accounts[local.environment].db_iam_database_authentication_enabled
		74 |   #checkov:skip=CKV_AWS_161: "iam auth enabled, but optional"
		75 |   db_subnet_group_name   = aws_db_subnet_group.jitbit.id
		76 |   vpc_security_group_ids = [aws_security_group.database_security_group.id]
		77 |   multi_az               = local.application_data.accounts[local.environment].db_multi_az
		78 |   #checkov:skip=CKV_AWS_157: "multi-az enabled, but optional"
		79 |   monitoring_interval = local.application_data.accounts[local.environment].db_monitoring_interval
		80 |   monitoring_role_arn = local.application_data.accounts[local.environment].db_monitoring_interval == 0 ? "" : aws_iam_role.rds_enhanced_monitoring[0].arn
		81 |   #checkov:skip=CKV_AWS_118: "enhanced monitoring is enabled, but optional"
		82 |   storage_encrypted               = true
		83 |   performance_insights_enabled    = local.application_data.accounts[local.environment].db_performance_insights_enabled
		84 |   performance_insights_kms_key_id = "" #tfsec:ignore:aws-rds-enable-performance-insights-encryption Left empty so that it will run, however should be populated with real key in scenario.
		85 |   enabled_cloudwatch_logs_exports = local.application_data.accounts[local.environment].db_enabled_cloudwatch_logs_exports
		86 |   tags = merge(local.tags,
		87 |     { Name = lower(format("%s-%s-database", local.application_name, local.environment)) }
		88 |   )
		89 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: jitbit_bucket
	File: /s3.tf:1-84
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.jitbit_sandbox
	File: /sandbox_ecs.tf:92-97
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		92 | resource "aws_cloudwatch_log_group" "jitbit_sandbox" {
		93 |   count = local.is-development ? 1 : 0
		94 | 
		95 |   name              = format("%s-%s-ecs", local.application_name, "sandbox")
		96 |   retention_in_days = 30
		97 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.jitbit_sandbox
	File: /sandbox_ecs.tf:92-97
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		92 | resource "aws_cloudwatch_log_group" "jitbit_sandbox" {
		93 |   count = local.is-development ? 1 : 0
		94 | 
		95 |   name              = format("%s-%s-ecs", local.application_name, "sandbox")
		96 |   retention_in_days = 30
		97 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: ecs_sandbox
	File: /sandbox_ecs.tf:1-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		1  | module "ecs_sandbox" {
		2  |   count = local.is-development ? 1 : 0
		3  | 
		4  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//cluster?ref=v2.0.1"
		5  | 
		6  |   environment = local.environment
		7  |   name        = "${local.application_name}-sandbox"
		8  | 
		9  |   tags = local.tags
		10 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3_bucket_app_deployment_sandbox
	File: /sandbox_ecs.tf:12-53
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		12 | module "s3_bucket_app_deployment_sandbox" {
		13 |   count = local.is-development ? 1 : 0
		14 | 
		15 |   source = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0"
		16 | 
		17 |   providers = {
		18 |     aws.bucket-replication = aws
		19 |   }
		20 |   bucket_name        = "${local.application_name}-sandbox-deployment"
		21 |   versioning_enabled = true
		22 | 
		23 |   ownership_controls = "BucketOwnerEnforced"
		24 | 
		25 |   lifecycle_rule = [
		26 |     {
		27 |       id      = "main"
		28 |       enabled = "Enabled"
		29 |       prefix  = ""
		30 | 
		31 |       tags = {
		32 |         rule      = "log"
		33 |         autoclean = "true"
		34 |       }
		35 | 
		36 |       noncurrent_version_transition = [
		37 |         {
		38 |           days          = 90
		39 |           storage_class = "STANDARD_IA"
		40 |           }, {
		41 |           days          = 365
		42 |           storage_class = "GLACIER"
		43 |         }
		44 |       ]
		45 | 
		46 |       noncurrent_version_expiration = {
		47 |         days = 730
		48 |       }
		49 |     }
		50 |   ]
		51 | 
		52 |   tags = local.tags
		53 | }

Check: CKV_AWS_378: "Ensure AWS Load Balancer doesn't use HTTP protocol"
	FAILED for resource: aws_lb_target_group.target_group_fargate_sandbox
	File: /sandbox_lb.tf:18-50

		18 | resource "aws_lb_target_group" "target_group_fargate_sandbox" {
		19 |   # checkov:skip=CKV_AWS_261
		20 | 
		21 |   count = local.is-development ? 1 : 0
		22 | 
		23 |   name                 = "${local.application_name}-sandbox"
		24 |   port                 = local.app_port
		25 |   protocol             = "HTTP"
		26 |   vpc_id               = data.aws_vpc.shared.id
		27 |   target_type          = "ip"
		28 |   deregistration_delay = 30
		29 | 
		30 |   stickiness {
		31 |     type = "lb_cookie"
		32 |   }
		33 | 
		34 |   health_check {
		35 |     path                = "/User/Login?ReturnUrl=%2f"
		36 |     healthy_threshold   = "5"
		37 |     interval            = "30"
		38 |     protocol            = "HTTP"
		39 |     unhealthy_threshold = "2"
		40 |     matcher             = "200-499"
		41 |     timeout             = "5"
		42 |   }
		43 | 
		44 |   tags = merge(
		45 |     local.tags,
		46 |     {
		47 |       Name = "${local.application_name}-sandbox"
		48 |     }
		49 |   )
		50 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: aws_db_instance.jitbit_sandbox
	File: /sandbox_rds.tf:27-71
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-354

		27 | resource "aws_db_instance" "jitbit_sandbox" {
		28 |   count = local.is-development ? 1 : 0
		29 | 
		30 |   engine         = "sqlserver-se"
		31 |   license_model  = "license-included"
		32 |   engine_version = local.application_data.accounts["sandbox"].db_engine_version
		33 |   instance_class = local.application_data.accounts["sandbox"].db_instance_class
		34 |   identifier     = "${local.application_name}-sandbox-database"
		35 |   username       = local.application_data.accounts["sandbox"].db_user
		36 | 
		37 |   manage_master_user_password = true
		38 | 
		39 |   snapshot_identifier = try(local.application_data.accounts["sandbox"].db_snapshot_identifier, null)
		40 | 
		41 |   # tflint-ignore: aws_db_instance_default_parameter_group
		42 |   parameter_group_name        = "default.sqlserver-se-15.0"
		43 |   ca_cert_identifier          = local.application_data.accounts["sandbox"].db_ca_cert_identifier
		44 |   deletion_protection         = local.application_data.accounts["sandbox"].db_deletion_protection
		45 |   delete_automated_backups    = local.application_data.accounts["sandbox"].db_delete_automated_backups
		46 |   skip_final_snapshot         = local.application_data.accounts["sandbox"].db_skip_final_snapshot
		47 |   final_snapshot_identifier   = !local.skip_final_snapshot ? "${local.application_name}-sandbox-database-final-snapshot" : null
		48 |   allocated_storage           = local.application_data.accounts["sandbox"].db_allocated_storage
		49 |   max_allocated_storage       = local.application_data.accounts["sandbox"].db_max_allocated_storage
		50 |   storage_type                = local.application_data.accounts["sandbox"].db_storage_type
		51 |   maintenance_window          = local.application_data.accounts["sandbox"].db_maintenance_window
		52 |   auto_minor_version_upgrade  = local.application_data.accounts["sandbox"].db_auto_minor_version_upgrade
		53 |   allow_major_version_upgrade = local.application_data.accounts["sandbox"].db_allow_major_version_upgrade
		54 |   backup_window               = local.application_data.accounts["sandbox"].db_backup_window
		55 |   backup_retention_period     = local.application_data.accounts["sandbox"].db_retention_period
		56 |   #checkov:skip=CKV_AWS_133: "backup_retention enabled, can be edited it application_variables.json"
		57 |   iam_database_authentication_enabled = local.application_data.accounts["sandbox"].db_iam_database_authentication_enabled
		58 |   #checkov:skip=CKV_AWS_161: "iam auth enabled, but optional"
		59 |   db_subnet_group_name   = aws_db_subnet_group.jitbit.id
		60 |   vpc_security_group_ids = [aws_security_group.database_security_group_sandbox[0].id]
		61 |   multi_az               = local.application_data.accounts["sandbox"].db_multi_az
		62 |   #checkov:skip=CKV_AWS_157: "multi-az enabled, but optional"
		63 |   storage_encrypted = true
		64 | 
		65 |   tags = merge(
		66 |     local.tags,
		67 |     {
		68 |       Name = lower(format("%s-%s-database", local.application_name, "sandbox"))
		69 |     }
		70 |   )
		71 | }

Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
	FAILED for resource: aws_db_instance.jitbit_sandbox
	File: /sandbox_rds.tf:27-71
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances

		27 | resource "aws_db_instance" "jitbit_sandbox" {
		28 |   count = local.is-development ? 1 : 0
		29 | 
		30 |   engine         = "sqlserver-se"
		31 |   license_model  = "license-included"
		32 |   engine_version = local.application_data.accounts["sandbox"].db_engine_version
		33 |   instance_class = local.application_data.accounts["sandbox"].db_instance_class
		34 |   identifier     = "${local.application_name}-sandbox-database"
		35 |   username       = local.application_data.accounts["sandbox"].db_user
		36 | 
		37 |   manage_master_user_password = true
		38 | 
		39 |   snapshot_identifier = try(local.application_data.accounts["sandbox"].db_snapshot_identifier, null)
		40 | 
		41 |   # tflint-ignore: aws_db_instance_default_parameter_group
		42 |   parameter_group_name        = "default.sqlserver-se-15.0"
		43 |   ca_cert_identifier          = local.application_data.accounts["sandbox"].db_ca_cert_identifier
		44 |   deletion_protection         = local.application_data.accounts["sandbox"].db_deletion_protection
		45 |   delete_automated_backups    = local.application_data.accounts["sandbox"].db_delete_automated_backups
		46 |   skip_final_snapshot         = local.application_data.accounts["sandbox"].db_skip_final_snapshot
		47 |   final_snapshot_identifier   = !local.skip_final_snapshot ? "${local.application_name}-sandbox-database-final-snapshot" : null
		48 |   allocated_storage           = local.application_data.accounts["sandbox"].db_allocated_storage
		49 |   max_allocated_storage       = local.application_data.accounts["sandbox"].db_max_allocated_storage
		50 |   storage_type                = local.application_data.accounts["sandbox"].db_storage_type
		51 |   maintenance_window          = local.application_data.accounts["sandbox"].db_maintenance_window
		52 |   auto_minor_version_upgrade  = local.application_data.accounts["sandbox"].db_auto_minor_version_upgrade
		53 |   allow_major_version_upgrade = local.application_data.accounts["sandbox"].db_allow_major_version_upgrade
		54 |   backup_window               = local.application_data.accounts["sandbox"].db_backup_window
		55 |   backup_retention_period     = local.application_data.accounts["sandbox"].db_retention_period
		56 |   #checkov:skip=CKV_AWS_133: "backup_retention enabled, can be edited it application_variables.json"
		57 |   iam_database_authentication_enabled = local.application_data.accounts["sandbox"].db_iam_database_authentication_enabled
		58 |   #checkov:skip=CKV_AWS_161: "iam auth enabled, but optional"
		59 |   db_subnet_group_name   = aws_db_subnet_group.jitbit.id
		60 |   vpc_security_group_ids = [aws_security_group.database_security_group_sandbox[0].id]
		61 |   multi_az               = local.application_data.accounts["sandbox"].db_multi_az
		62 |   #checkov:skip=CKV_AWS_157: "multi-az enabled, but optional"
		63 |   storage_encrypted = true
		64 | 
		65 |   tags = merge(
		66 |     local.tags,
		67 |     {
		68 |       Name = lower(format("%s-%s-database", local.application_name, "sandbox"))
		69 |     }
		70 |   )
		71 | }

Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
	FAILED for resource: aws_db_instance.jitbit_sandbox
	File: /sandbox_rds.tf:27-71
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-353

		27 | resource "aws_db_instance" "jitbit_sandbox" {
		28 |   count = local.is-development ? 1 : 0
		29 | 
		30 |   engine         = "sqlserver-se"
		31 |   license_model  = "license-included"
		32 |   engine_version = local.application_data.accounts["sandbox"].db_engine_version
		33 |   instance_class = local.application_data.accounts["sandbox"].db_instance_class
		34 |   identifier     = "${local.application_name}-sandbox-database"
		35 |   username       = local.application_data.accounts["sandbox"].db_user
		36 | 
		37 |   manage_master_user_password = true
		38 | 
		39 |   snapshot_identifier = try(local.application_data.accounts["sandbox"].db_snapshot_identifier, null)
		40 | 
		41 |   # tflint-ignore: aws_db_instance_default_parameter_group
		42 |   parameter_group_name        = "default.sqlserver-se-15.0"
		43 |   ca_cert_identifier          = local.application_data.accounts["sandbox"].db_ca_cert_identifier
		44 |   deletion_protection         = local.application_data.accounts["sandbox"].db_deletion_protection
		45 |   delete_automated_backups    = local.application_data.accounts["sandbox"].db_delete_automated_backups
		46 |   skip_final_snapshot         = local.application_data.accounts["sandbox"].db_skip_final_snapshot
		47 |   final_snapshot_identifier   = !local.skip_final_snapshot ? "${local.application_name}-sandbox-database-final-snapshot" : null
		48 |   allocated_storage           = local.application_data.accounts["sandbox"].db_allocated_storage
		49 |   max_allocated_storage       = local.application_data.accounts["sandbox"].db_max_allocated_storage
		50 |   storage_type                = local.application_data.accounts["sandbox"].db_storage_type
		51 |   maintenance_window          = local.application_data.accounts["sandbox"].db_maintenance_window
		52 |   auto_minor_version_upgrade  = local.application_data.accounts["sandbox"].db_auto_minor_version_upgrade
		53 |   allow_major_version_upgrade = local.application_data.accounts["sandbox"].db_allow_major_version_upgrade
		54 |   backup_window               = local.application_data.accounts["sandbox"].db_backup_window
		55 |   backup_retention_period     = local.application_data.accounts["sandbox"].db_retention_period
		56 |   #checkov:skip=CKV_AWS_133: "backup_retention enabled, can be edited it application_variables.json"
		57 |   iam_database_authentication_enabled = local.application_data.accounts["sandbox"].db_iam_database_authentication_enabled
		58 |   #checkov:skip=CKV_AWS_161: "iam auth enabled, but optional"
		59 |   db_subnet_group_name   = aws_db_subnet_group.jitbit.id
		60 |   vpc_security_group_ids = [aws_security_group.database_security_group_sandbox[0].id]
		61 |   multi_az               = local.application_data.accounts["sandbox"].db_multi_az
		62 |   #checkov:skip=CKV_AWS_157: "multi-az enabled, but optional"
		63 |   storage_encrypted = true
		64 | 
		65 |   tags = merge(
		66 |     local.tags,
		67 |     {
		68 |       Name = lower(format("%s-%s-database", local.application_name, "sandbox"))
		69 |     }
		70 |   )
		71 | }

Check: CKV_AWS_226: "Ensure DB instance gets all minor upgrades automatically"
	FAILED for resource: aws_db_instance.jitbit_sandbox
	File: /sandbox_rds.tf:27-71
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-db-instance-gets-all-minor-upgrades-automatically

		27 | resource "aws_db_instance" "jitbit_sandbox" {
		28 |   count = local.is-development ? 1 : 0
		29 | 
		30 |   engine         = "sqlserver-se"
		31 |   license_model  = "license-included"
		32 |   engine_version = local.application_data.accounts["sandbox"].db_engine_version
		33 |   instance_class = local.application_data.accounts["sandbox"].db_instance_class
		34 |   identifier     = "${local.application_name}-sandbox-database"
		35 |   username       = local.application_data.accounts["sandbox"].db_user
		36 | 
		37 |   manage_master_user_password = true
		38 | 
		39 |   snapshot_identifier = try(local.application_data.accounts["sandbox"].db_snapshot_identifier, null)
		40 | 
		41 |   # tflint-ignore: aws_db_instance_default_parameter_group
		42 |   parameter_group_name        = "default.sqlserver-se-15.0"
		43 |   ca_cert_identifier          = local.application_data.accounts["sandbox"].db_ca_cert_identifier
		44 |   deletion_protection         = local.application_data.accounts["sandbox"].db_deletion_protection
		45 |   delete_automated_backups    = local.application_data.accounts["sandbox"].db_delete_automated_backups
		46 |   skip_final_snapshot         = local.application_data.accounts["sandbox"].db_skip_final_snapshot
		47 |   final_snapshot_identifier   = !local.skip_final_snapshot ? "${local.application_name}-sandbox-database-final-snapshot" : null
		48 |   allocated_storage           = local.application_data.accounts["sandbox"].db_allocated_storage
		49 |   max_allocated_storage       = local.application_data.accounts["sandbox"].db_max_allocated_storage
		50 |   storage_type                = local.application_data.accounts["sandbox"].db_storage_type
		51 |   maintenance_window          = local.application_data.accounts["sandbox"].db_maintenance_window
		52 |   auto_minor_version_upgrade  = local.application_data.accounts["sandbox"].db_auto_minor_version_upgrade
		53 |   allow_major_version_upgrade = local.application_data.accounts["sandbox"].db_allow_major_version_upgrade
		54 |   backup_window               = local.application_data.accounts["sandbox"].db_backup_window
		55 |   backup_retention_period     = local.application_data.accounts["sandbox"].db_retention_period
		56 |   #checkov:skip=CKV_AWS_133: "backup_retention enabled, can be edited it application_variables.json"
		57 |   iam_database_authentication_enabled = local.application_data.accounts["sandbox"].db_iam_database_authentication_enabled
		58 |   #checkov:skip=CKV_AWS_161: "iam auth enabled, but optional"
		59 |   db_subnet_group_name   = aws_db_subnet_group.jitbit.id
		60 |   vpc_security_group_ids = [aws_security_group.database_security_group_sandbox[0].id]
		61 |   multi_az               = local.application_data.accounts["sandbox"].db_multi_az
		62 |   #checkov:skip=CKV_AWS_157: "multi-az enabled, but optional"
		63 |   storage_encrypted = true
		64 | 
		65 |   tags = merge(
		66 |     local.tags,
		67 |     {
		68 |       Name = lower(format("%s-%s-database", local.application_name, "sandbox"))
		69 |     }
		70 |   )
		71 | }

Check: CKV_AWS_211: "Ensure RDS uses a modern CaCert"
	FAILED for resource: aws_db_instance.jitbit_sandbox
	File: /sandbox_rds.tf:27-71
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-rds-uses-a-modern-cacert

		27 | resource "aws_db_instance" "jitbit_sandbox" {
		28 |   count = local.is-development ? 1 : 0
		29 | 
		30 |   engine         = "sqlserver-se"
		31 |   license_model  = "license-included"
		32 |   engine_version = local.application_data.accounts["sandbox"].db_engine_version
		33 |   instance_class = local.application_data.accounts["sandbox"].db_instance_class
		34 |   identifier     = "${local.application_name}-sandbox-database"
		35 |   username       = local.application_data.accounts["sandbox"].db_user
		36 | 
		37 |   manage_master_user_password = true
		38 | 
		39 |   snapshot_identifier = try(local.application_data.accounts["sandbox"].db_snapshot_identifier, null)
		40 | 
		41 |   # tflint-ignore: aws_db_instance_default_parameter_group
		42 |   parameter_group_name        = "default.sqlserver-se-15.0"
		43 |   ca_cert_identifier          = local.application_data.accounts["sandbox"].db_ca_cert_identifier
		44 |   deletion_protection         = local.application_data.accounts["sandbox"].db_deletion_protection
		45 |   delete_automated_backups    = local.application_data.accounts["sandbox"].db_delete_automated_backups
		46 |   skip_final_snapshot         = local.application_data.accounts["sandbox"].db_skip_final_snapshot
		47 |   final_snapshot_identifier   = !local.skip_final_snapshot ? "${local.application_name}-sandbox-database-final-snapshot" : null
		48 |   allocated_storage           = local.application_data.accounts["sandbox"].db_allocated_storage
		49 |   max_allocated_storage       = local.application_data.accounts["sandbox"].db_max_allocated_storage
		50 |   storage_type                = local.application_data.accounts["sandbox"].db_storage_type
		51 |   maintenance_window          = local.application_data.accounts["sandbox"].db_maintenance_window
		52 |   auto_minor_version_upgrade  = local.application_data.accounts["sandbox"].db_auto_minor_version_upgrade
		53 |   allow_major_version_upgrade = local.application_data.accounts["sandbox"].db_allow_major_version_upgrade
		54 |   backup_window               = local.application_data.accounts["sandbox"].db_backup_window
		55 |   backup_retention_period     = local.application_data.accounts["sandbox"].db_retention_period
		56 |   #checkov:skip=CKV_AWS_133: "backup_retention enabled, can be edited it application_variables.json"
		57 |   iam_database_authentication_enabled = local.application_data.accounts["sandbox"].db_iam_database_authentication_enabled
		58 |   #checkov:skip=CKV_AWS_161: "iam auth enabled, but optional"
		59 |   db_subnet_group_name   = aws_db_subnet_group.jitbit.id
		60 |   vpc_security_group_ids = [aws_security_group.database_security_group_sandbox[0].id]
		61 |   multi_az               = local.application_data.accounts["sandbox"].db_multi_az
		62 |   #checkov:skip=CKV_AWS_157: "multi-az enabled, but optional"
		63 |   storage_encrypted = true
		64 | 
		65 |   tags = merge(
		66 |     local.tags,
		67 |     {
		68 |       Name = lower(format("%s-%s-database", local.application_name, "sandbox"))
		69 |     }
		70 |   )
		71 | }

Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
	FAILED for resource: aws_db_instance.jitbit_sandbox
	File: /sandbox_rds.tf:27-71
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-293

		27 | resource "aws_db_instance" "jitbit_sandbox" {
		28 |   count = local.is-development ? 1 : 0
		29 | 
		30 |   engine         = "sqlserver-se"
		31 |   license_model  = "license-included"
		32 |   engine_version = local.application_data.accounts["sandbox"].db_engine_version
		33 |   instance_class = local.application_data.accounts["sandbox"].db_instance_class
		34 |   identifier     = "${local.application_name}-sandbox-database"
		35 |   username       = local.application_data.accounts["sandbox"].db_user
		36 | 
		37 |   manage_master_user_password = true
		38 | 
		39 |   snapshot_identifier = try(local.application_data.accounts["sandbox"].db_snapshot_identifier, null)
		40 | 
		41 |   # tflint-ignore: aws_db_instance_default_parameter_group
		42 |   parameter_group_name        = "default.sqlserver-se-15.0"
		43 |   ca_cert_identifier          = local.application_data.accounts["sandbox"].db_ca_cert_identifier
		44 |   deletion_protection         = local.application_data.accounts["sandbox"].db_deletion_protection
		45 |   delete_automated_backups    = local.application_data.accounts["sandbox"].db_delete_automated_backups
		46 |   skip_final_snapshot         = local.application_data.accounts["sandbox"].db_skip_final_snapshot
		47 |   final_snapshot_identifier   = !local.skip_final_snapshot ? "${local.application_name}-sandbox-database-final-snapshot" : null
		48 |   allocated_storage           = local.application_data.accounts["sandbox"].db_allocated_storage
		49 |   max_allocated_storage       = local.application_data.accounts["sandbox"].db_max_allocated_storage
		50 |   storage_type                = local.application_data.accounts["sandbox"].db_storage_type
		51 |   maintenance_window          = local.application_data.accounts["sandbox"].db_maintenance_window
		52 |   auto_minor_version_upgrade  = local.application_data.accounts["sandbox"].db_auto_minor_version_upgrade
		53 |   allow_major_version_upgrade = local.application_data.accounts["sandbox"].db_allow_major_version_upgrade
		54 |   backup_window               = local.application_data.accounts["sandbox"].db_backup_window
		55 |   backup_retention_period     = local.application_data.accounts["sandbox"].db_retention_period
		56 |   #checkov:skip=CKV_AWS_133: "backup_retention enabled, can be edited it application_variables.json"
		57 |   iam_database_authentication_enabled = local.application_data.accounts["sandbox"].db_iam_database_authentication_enabled
		58 |   #checkov:skip=CKV_AWS_161: "iam auth enabled, but optional"
		59 |   db_subnet_group_name   = aws_db_subnet_group.jitbit.id
		60 |   vpc_security_group_ids = [aws_security_group.database_security_group_sandbox[0].id]
		61 |   multi_az               = local.application_data.accounts["sandbox"].db_multi_az
		62 |   #checkov:skip=CKV_AWS_157: "multi-az enabled, but optional"
		63 |   storage_encrypted = true
		64 | 
		65 |   tags = merge(
		66 |     local.tags,
		67 |     {
		68 |       Name = lower(format("%s-%s-database", local.application_name, "sandbox"))
		69 |     }
		70 |   )
		71 | }

Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
	FAILED for resource: aws_db_instance.jitbit_sandbox
	File: /sandbox_rds.tf:27-71
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled

		27 | resource "aws_db_instance" "jitbit_sandbox" {
		28 |   count = local.is-development ? 1 : 0
		29 | 
		30 |   engine         = "sqlserver-se"
		31 |   license_model  = "license-included"
		32 |   engine_version = local.application_data.accounts["sandbox"].db_engine_version
		33 |   instance_class = local.application_data.accounts["sandbox"].db_instance_class
		34 |   identifier     = "${local.application_name}-sandbox-database"
		35 |   username       = local.application_data.accounts["sandbox"].db_user
		36 | 
		37 |   manage_master_user_password = true
		38 | 
		39 |   snapshot_identifier = try(local.application_data.accounts["sandbox"].db_snapshot_identifier, null)
		40 | 
		41 |   # tflint-ignore: aws_db_instance_default_parameter_group
		42 |   parameter_group_name        = "default.sqlserver-se-15.0"
		43 |   ca_cert_identifier          = local.application_data.accounts["sandbox"].db_ca_cert_identifier
		44 |   deletion_protection         = local.application_data.accounts["sandbox"].db_deletion_protection
		45 |   delete_automated_backups    = local.application_data.accounts["sandbox"].db_delete_automated_backups
		46 |   skip_final_snapshot         = local.application_data.accounts["sandbox"].db_skip_final_snapshot
		47 |   final_snapshot_identifier   = !local.skip_final_snapshot ? "${local.application_name}-sandbox-database-final-snapshot" : null
		48 |   allocated_storage           = local.application_data.accounts["sandbox"].db_allocated_storage
		49 |   max_allocated_storage       = local.application_data.accounts["sandbox"].db_max_allocated_storage
		50 |   storage_type                = local.application_data.accounts["sandbox"].db_storage_type
		51 |   maintenance_window          = local.application_data.accounts["sandbox"].db_maintenance_window
		52 |   auto_minor_version_upgrade  = local.application_data.accounts["sandbox"].db_auto_minor_version_upgrade
		53 |   allow_major_version_upgrade = local.application_data.accounts["sandbox"].db_allow_major_version_upgrade
		54 |   backup_window               = local.application_data.accounts["sandbox"].db_backup_window
		55 |   backup_retention_period     = local.application_data.accounts["sandbox"].db_retention_period
		56 |   #checkov:skip=CKV_AWS_133: "backup_retention enabled, can be edited it application_variables.json"
		57 |   iam_database_authentication_enabled = local.application_data.accounts["sandbox"].db_iam_database_authentication_enabled
		58 |   #checkov:skip=CKV_AWS_161: "iam auth enabled, but optional"
		59 |   db_subnet_group_name   = aws_db_subnet_group.jitbit.id
		60 |   vpc_security_group_ids = [aws_security_group.database_security_group_sandbox[0].id]
		61 |   multi_az               = local.application_data.accounts["sandbox"].db_multi_az
		62 |   #checkov:skip=CKV_AWS_157: "multi-az enabled, but optional"
		63 |   storage_encrypted = true
		64 | 
		65 |   tags = merge(
		66 |     local.tags,
		67 |     {
		68 |       Name = lower(format("%s-%s-database", local.application_name, "sandbox"))
		69 |     }
		70 |   )
		71 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: jitbit_bucket_sandbox
	File: /sandbox_s3.tf:1-86
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
	FAILED for resource: aws_iam_user.jitbit_ses_smtp_user
	File: /ses.tf:101-103
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-273

		101 | resource "aws_iam_user" "jitbit_ses_smtp_user" {
		102 |   name = "${local.environment}-jitbit-smtp-user"
		103 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_user_policy.jitbit_ses_smtp_user
	File: /ses.tf:109-126
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		109 | resource "aws_iam_user_policy" "jitbit_ses_smtp_user" {
		110 |   name = "${local.environment}-jitbit-ses-smtp-user-policy"
		111 |   user = aws_iam_user.jitbit_ses_smtp_user.name
		112 | 
		113 |   policy = jsonencode({
		114 |     Version = "2012-10-17",
		115 |     Statement = [
		116 |       {
		117 |         Effect = "Allow",
		118 |         Action = [
		119 |           "ses:SendRawEmail",
		120 |           "ses:SendEmail"
		121 |         ],
		122 |         Resource = "*"
		123 |       }
		124 |     ]
		125 |   })
		126 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_user_policy.jitbit_ses_smtp_user
	File: /ses.tf:109-126
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		109 | resource "aws_iam_user_policy" "jitbit_ses_smtp_user" {
		110 |   name = "${local.environment}-jitbit-ses-smtp-user-policy"
		111 |   user = aws_iam_user.jitbit_ses_smtp_user.name
		112 | 
		113 |   policy = jsonencode({
		114 |     Version = "2012-10-17",
		115 |     Statement = [
		116 |       {
		117 |         Effect = "Allow",
		118 |         Action = [
		119 |           "ses:SendRawEmail",
		120 |           "ses:SendEmail"
		121 |         ],
		122 |         Resource = "*"
		123 |       }
		124 |     ]
		125 |   })
		126 | }

Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
	FAILED for resource: aws_ssm_parameter.jitbit_ses_smtp_user
	File: /ses.tf:128-138
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-337

		128 | resource "aws_ssm_parameter" "jitbit_ses_smtp_user" {
		129 |   name = "/${local.environment}/jitbit/ses_smtp"
		130 |   type = "SecureString"
		131 |   value = jsonencode({
		132 |     user              = aws_iam_user.jitbit_ses_smtp_user.name,
		133 |     key               = aws_iam_access_key.jitbit_ses_smtp_user.id,
		134 |     secret            = aws_iam_access_key.jitbit_ses_smtp_user.secret
		135 |     ses_smtp_user     = aws_iam_access_key.jitbit_ses_smtp_user.id
		136 |     ses_smtp_password = aws_iam_access_key.jitbit_ses_smtp_user.ses_smtp_password_v4
		137 |   })
		138 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.jitbit_ses_destination_topic_bounce_email_notification
	File: /ses_bounce.tf:1-5
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		1 | resource "aws_sns_topic" "jitbit_ses_destination_topic_bounce_email_notification" {
		2 |   name = format("%s-ses-destination-topic-bounce-email-notification", local.application_name)
		3 | 
		4 |   tags = local.tags
		5 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.bounce_email_notification
	File: /ses_bounce.tf:30-54
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		30 | resource "aws_lambda_function" "bounce_email_notification" {
		31 |   filename         = "${path.module}/lambda/bounce_email_notification/bounce_email_notification.zip"
		32 |   function_name    = "bounce_email_notification"
		33 |   architectures    = ["arm64"]
		34 |   role             = aws_iam_role.lambda_bounce_email_notification.arn
		35 |   runtime          = "python3.12"
		36 |   handler          = "bounce_email_notification.handler"
		37 |   source_code_hash = data.archive_file.lambda_function_payload_bounce_email_notification.output_base64sha256
		38 | 
		39 |   timeout = 6
		40 | 
		41 |   environment {
		42 |     variables = {
		43 |       RATE_LIMIT     = 5
		44 |       DYNAMODB_TABLE = aws_dynamodb_table.bounce_email_notification.name
		45 |       FROM_ADDRESS   = "notifications@${aws_sesv2_email_identity.jitbit.email_identity}"
		46 |     }
		47 |   }
		48 | 
		49 |   lifecycle {
		50 |     replace_triggered_by = [aws_iam_role.lambda_bounce_email_notification]
		51 |   }
		52 | 
		53 |   tags = local.tags
		54 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.bounce_email_notification
	File: /ses_bounce.tf:30-54
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		30 | resource "aws_lambda_function" "bounce_email_notification" {
		31 |   filename         = "${path.module}/lambda/bounce_email_notification/bounce_email_notification.zip"
		32 |   function_name    = "bounce_email_notification"
		33 |   architectures    = ["arm64"]
		34 |   role             = aws_iam_role.lambda_bounce_email_notification.arn
		35 |   runtime          = "python3.12"
		36 |   handler          = "bounce_email_notification.handler"
		37 |   source_code_hash = data.archive_file.lambda_function_payload_bounce_email_notification.output_base64sha256
		38 | 
		39 |   timeout = 6
		40 | 
		41 |   environment {
		42 |     variables = {
		43 |       RATE_LIMIT     = 5
		44 |       DYNAMODB_TABLE = aws_dynamodb_table.bounce_email_notification.name
		45 |       FROM_ADDRESS   = "notifications@${aws_sesv2_email_identity.jitbit.email_identity}"
		46 |     }
		47 |   }
		48 | 
		49 |   lifecycle {
		50 |     replace_triggered_by = [aws_iam_role.lambda_bounce_email_notification]
		51 |   }
		52 | 
		53 |   tags = local.tags
		54 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.bounce_email_notification
	File: /ses_bounce.tf:30-54
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		30 | resource "aws_lambda_function" "bounce_email_notification" {
		31 |   filename         = "${path.module}/lambda/bounce_email_notification/bounce_email_notification.zip"
		32 |   function_name    = "bounce_email_notification"
		33 |   architectures    = ["arm64"]
		34 |   role             = aws_iam_role.lambda_bounce_email_notification.arn
		35 |   runtime          = "python3.12"
		36 |   handler          = "bounce_email_notification.handler"
		37 |   source_code_hash = data.archive_file.lambda_function_payload_bounce_email_notification.output_base64sha256
		38 | 
		39 |   timeout = 6
		40 | 
		41 |   environment {
		42 |     variables = {
		43 |       RATE_LIMIT     = 5
		44 |       DYNAMODB_TABLE = aws_dynamodb_table.bounce_email_notification.name
		45 |       FROM_ADDRESS   = "notifications@${aws_sesv2_email_identity.jitbit.email_identity}"
		46 |     }
		47 |   }
		48 | 
		49 |   lifecycle {
		50 |     replace_triggered_by = [aws_iam_role.lambda_bounce_email_notification]
		51 |   }
		52 | 
		53 |   tags = local.tags
		54 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.bounce_email_notification
	File: /ses_bounce.tf:30-54
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		30 | resource "aws_lambda_function" "bounce_email_notification" {
		31 |   filename         = "${path.module}/lambda/bounce_email_notification/bounce_email_notification.zip"
		32 |   function_name    = "bounce_email_notification"
		33 |   architectures    = ["arm64"]
		34 |   role             = aws_iam_role.lambda_bounce_email_notification.arn
		35 |   runtime          = "python3.12"
		36 |   handler          = "bounce_email_notification.handler"
		37 |   source_code_hash = data.archive_file.lambda_function_payload_bounce_email_notification.output_base64sha256
		38 | 
		39 |   timeout = 6
		40 | 
		41 |   environment {
		42 |     variables = {
		43 |       RATE_LIMIT     = 5
		44 |       DYNAMODB_TABLE = aws_dynamodb_table.bounce_email_notification.name
		45 |       FROM_ADDRESS   = "notifications@${aws_sesv2_email_identity.jitbit.email_identity}"
		46 |     }
		47 |   }
		48 | 
		49 |   lifecycle {
		50 |     replace_triggered_by = [aws_iam_role.lambda_bounce_email_notification]
		51 |   }
		52 | 
		53 |   tags = local.tags
		54 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.bounce_email_notification
	File: /ses_bounce.tf:30-54
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		30 | resource "aws_lambda_function" "bounce_email_notification" {
		31 |   filename         = "${path.module}/lambda/bounce_email_notification/bounce_email_notification.zip"
		32 |   function_name    = "bounce_email_notification"
		33 |   architectures    = ["arm64"]
		34 |   role             = aws_iam_role.lambda_bounce_email_notification.arn
		35 |   runtime          = "python3.12"
		36 |   handler          = "bounce_email_notification.handler"
		37 |   source_code_hash = data.archive_file.lambda_function_payload_bounce_email_notification.output_base64sha256
		38 | 
		39 |   timeout = 6
		40 | 
		41 |   environment {
		42 |     variables = {
		43 |       RATE_LIMIT     = 5
		44 |       DYNAMODB_TABLE = aws_dynamodb_table.bounce_email_notification.name
		45 |       FROM_ADDRESS   = "notifications@${aws_sesv2_email_identity.jitbit.email_identity}"
		46 |     }
		47 |   }
		48 | 
		49 |   lifecycle {
		50 |     replace_triggered_by = [aws_iam_role.lambda_bounce_email_notification]
		51 |   }
		52 | 
		53 |   tags = local.tags
		54 | }

Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
	FAILED for resource: aws_lambda_function.bounce_email_notification
	File: /ses_bounce.tf:30-54
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1

		30 | resource "aws_lambda_function" "bounce_email_notification" {
		31 |   filename         = "${path.module}/lambda/bounce_email_notification/bounce_email_notification.zip"
		32 |   function_name    = "bounce_email_notification"
		33 |   architectures    = ["arm64"]
		34 |   role             = aws_iam_role.lambda_bounce_email_notification.arn
		35 |   runtime          = "python3.12"
		36 |   handler          = "bounce_email_notification.handler"
		37 |   source_code_hash = data.archive_file.lambda_function_payload_bounce_email_notification.output_base64sha256
		38 | 
		39 |   timeout = 6
		40 | 
		41 |   environment {
		42 |     variables = {
		43 |       RATE_LIMIT     = 5
		44 |       DYNAMODB_TABLE = aws_dynamodb_table.bounce_email_notification.name
		45 |       FROM_ADDRESS   = "notifications@${aws_sesv2_email_identity.jitbit.email_identity}"
		46 |     }
		47 |   }
		48 | 
		49 |   lifecycle {
		50 |     replace_triggered_by = [aws_iam_role.lambda_bounce_email_notification]
		51 |   }
		52 | 
		53 |   tags = local.tags
		54 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.bounce_email_notification
	File: /ses_bounce.tf:118-123
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		118 | resource "aws_cloudwatch_log_group" "bounce_email_notification" {
		119 |   name              = "/aws/lambda/bounce_email_notification"
		120 |   retention_in_days = 3
		121 | 
		122 |   tags = local.tags
		123 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.bounce_email_notification
	File: /ses_bounce.tf:118-123
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		118 | resource "aws_cloudwatch_log_group" "bounce_email_notification" {
		119 |   name              = "/aws/lambda/bounce_email_notification"
		120 |   retention_in_days = 3
		121 | 
		122 |   tags = local.tags
		123 | }

Check: CKV_AWS_28: "Ensure DynamoDB point in time recovery (backup) is enabled"
	FAILED for resource: aws_dynamodb_table.bounce_email_notification
	File: /ses_bounce.tf:126-147
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-6

		126 | resource "aws_dynamodb_table" "bounce_email_notification" {
		127 |   name         = "bounce_email_notification"
		128 |   billing_mode = "PAY_PER_REQUEST"
		129 |   hash_key     = "email_ticket_id"
		130 | 
		131 |   server_side_encryption {
		132 |     enabled     = true
		133 |     kms_key_arn = data.aws_kms_key.general_shared.arn
		134 |   }
		135 | 
		136 |   ttl {
		137 |     attribute_name = "expireAt"
		138 |     enabled        = true
		139 |   }
		140 | 
		141 |   attribute {
		142 |     name = "email_ticket_id"
		143 |     type = "S"
		144 |   }
		145 | 
		146 |   tags = local.tags
		147 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.lambda_policy_bounce_email_notification
	File: /ses_bounce.tf:69-102
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		69  | data "aws_iam_policy_document" "lambda_policy_bounce_email_notification" {
		70  |   statement {
		71  |     actions = [
		72  |       "ses:SendRawEmail",
		73  |       "ses:SendEmail"
		74  |     ]
		75  |     resources = ["*"]
		76  |   }
		77  | 
		78  |   statement {
		79  |     actions = [
		80  |       "logs:CreateLogGroup",
		81  |       "logs:CreateLogStream",
		82  |       "logs:PutLogEvents"
		83  |     ]
		84  |     resources = ["arn:aws:logs:*:*:*"]
		85  |   }
		86  | 
		87  |   statement {
		88  |     actions = [
		89  |       "dynamodb:PutItem",
		90  |       "dynamodb:GetItem",
		91  |       "dynamodb:Query"
		92  |     ]
		93  |     resources = [aws_dynamodb_table.bounce_email_notification.arn]
		94  |   }
		95  | 
		96  |   statement {
		97  |     actions = [
		98  |       "kms:Decrypt"
		99  |     ]
		100 |     resources = [data.aws_kms_key.general_shared.arn]
		101 |   }
		102 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.lambda_policy_bounce_email_notification
	File: /ses_bounce.tf:69-102
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		69  | data "aws_iam_policy_document" "lambda_policy_bounce_email_notification" {
		70  |   statement {
		71  |     actions = [
		72  |       "ses:SendRawEmail",
		73  |       "ses:SendEmail"
		74  |     ]
		75  |     resources = ["*"]
		76  |   }
		77  | 
		78  |   statement {
		79  |     actions = [
		80  |       "logs:CreateLogGroup",
		81  |       "logs:CreateLogStream",
		82  |       "logs:PutLogEvents"
		83  |     ]
		84  |     resources = ["arn:aws:logs:*:*:*"]
		85  |   }
		86  | 
		87  |   statement {
		88  |     actions = [
		89  |       "dynamodb:PutItem",
		90  |       "dynamodb:GetItem",
		91  |       "dynamodb:Query"
		92  |     ]
		93  |     resources = [aws_dynamodb_table.bounce_email_notification.arn]
		94  |   }
		95  | 
		96  |   statement {
		97  |     actions = [
		98  |       "kms:Decrypt"
		99  |     ]
		100 |     resources = [data.aws_kms_key.general_shared.arn]
		101 |   }
		102 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.jitbit_ses_destination_topic
	File: /ses_logging.tf:4-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		4 | resource "aws_sns_topic" "jitbit_ses_destination_topic" {
		5 |   name = format("%s-ses-destination-topic", local.application_name)
		6 | 
		7 |   tags = local.tags
		8 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.sns_to_cloudwatch
	File: /ses_logging.tf:37-57
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		37 | resource "aws_lambda_function" "sns_to_cloudwatch" {
		38 |   filename         = "${path.module}/lambda/sns_to_cloudwatch/sns_to_cloudwatch.zip"
		39 |   function_name    = "sns_to_cloudwatch"
		40 |   architectures    = ["arm64"]
		41 |   role             = aws_iam_role.lambda_logging.arn
		42 |   runtime          = "python3.12"
		43 |   handler          = "sns_to_cloudwatch.handler"
		44 |   source_code_hash = data.archive_file.lambda_function_payload.output_base64sha256
		45 | 
		46 |   environment {
		47 |     variables = {
		48 |       LOG_GROUP_NAME = aws_cloudwatch_log_group.sns_logs.name
		49 |     }
		50 |   }
		51 | 
		52 |   lifecycle {
		53 |     replace_triggered_by = [aws_iam_role.lambda_logging]
		54 |   }
		55 | 
		56 |   tags = local.tags
		57 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.sns_to_cloudwatch
	File: /ses_logging.tf:37-57
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		37 | resource "aws_lambda_function" "sns_to_cloudwatch" {
		38 |   filename         = "${path.module}/lambda/sns_to_cloudwatch/sns_to_cloudwatch.zip"
		39 |   function_name    = "sns_to_cloudwatch"
		40 |   architectures    = ["arm64"]
		41 |   role             = aws_iam_role.lambda_logging.arn
		42 |   runtime          = "python3.12"
		43 |   handler          = "sns_to_cloudwatch.handler"
		44 |   source_code_hash = data.archive_file.lambda_function_payload.output_base64sha256
		45 | 
		46 |   environment {
		47 |     variables = {
		48 |       LOG_GROUP_NAME = aws_cloudwatch_log_group.sns_logs.name
		49 |     }
		50 |   }
		51 | 
		52 |   lifecycle {
		53 |     replace_triggered_by = [aws_iam_role.lambda_logging]
		54 |   }
		55 | 
		56 |   tags = local.tags
		57 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.sns_to_cloudwatch
	File: /ses_logging.tf:37-57
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		37 | resource "aws_lambda_function" "sns_to_cloudwatch" {
		38 |   filename         = "${path.module}/lambda/sns_to_cloudwatch/sns_to_cloudwatch.zip"
		39 |   function_name    = "sns_to_cloudwatch"
		40 |   architectures    = ["arm64"]
		41 |   role             = aws_iam_role.lambda_logging.arn
		42 |   runtime          = "python3.12"
		43 |   handler          = "sns_to_cloudwatch.handler"
		44 |   source_code_hash = data.archive_file.lambda_function_payload.output_base64sha256
		45 | 
		46 |   environment {
		47 |     variables = {
		48 |       LOG_GROUP_NAME = aws_cloudwatch_log_group.sns_logs.name
		49 |     }
		50 |   }
		51 | 
		52 |   lifecycle {
		53 |     replace_triggered_by = [aws_iam_role.lambda_logging]
		54 |   }
		55 | 
		56 |   tags = local.tags
		57 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.sns_to_cloudwatch
	File: /ses_logging.tf:37-57
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		37 | resource "aws_lambda_function" "sns_to_cloudwatch" {
		38 |   filename         = "${path.module}/lambda/sns_to_cloudwatch/sns_to_cloudwatch.zip"
		39 |   function_name    = "sns_to_cloudwatch"
		40 |   architectures    = ["arm64"]
		41 |   role             = aws_iam_role.lambda_logging.arn
		42 |   runtime          = "python3.12"
		43 |   handler          = "sns_to_cloudwatch.handler"
		44 |   source_code_hash = data.archive_file.lambda_function_payload.output_base64sha256
		45 | 
		46 |   environment {
		47 |     variables = {
		48 |       LOG_GROUP_NAME = aws_cloudwatch_log_group.sns_logs.name
		49 |     }
		50 |   }
		51 | 
		52 |   lifecycle {
		53 |     replace_triggered_by = [aws_iam_role.lambda_logging]
		54 |   }
		55 | 
		56 |   tags = local.tags
		57 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.sns_to_cloudwatch
	File: /ses_logging.tf:37-57
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		37 | resource "aws_lambda_function" "sns_to_cloudwatch" {
		38 |   filename         = "${path.module}/lambda/sns_to_cloudwatch/sns_to_cloudwatch.zip"
		39 |   function_name    = "sns_to_cloudwatch"
		40 |   architectures    = ["arm64"]
		41 |   role             = aws_iam_role.lambda_logging.arn
		42 |   runtime          = "python3.12"
		43 |   handler          = "sns_to_cloudwatch.handler"
		44 |   source_code_hash = data.archive_file.lambda_function_payload.output_base64sha256
		45 | 
		46 |   environment {
		47 |     variables = {
		48 |       LOG_GROUP_NAME = aws_cloudwatch_log_group.sns_logs.name
		49 |     }
		50 |   }
		51 | 
		52 |   lifecycle {
		53 |     replace_triggered_by = [aws_iam_role.lambda_logging]
		54 |   }
		55 | 
		56 |   tags = local.tags
		57 | }

Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
	FAILED for resource: aws_lambda_function.sns_to_cloudwatch
	File: /ses_logging.tf:37-57
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1

		37 | resource "aws_lambda_function" "sns_to_cloudwatch" {
		38 |   filename         = "${path.module}/lambda/sns_to_cloudwatch/sns_to_cloudwatch.zip"
		39 |   function_name    = "sns_to_cloudwatch"
		40 |   architectures    = ["arm64"]
		41 |   role             = aws_iam_role.lambda_logging.arn
		42 |   runtime          = "python3.12"
		43 |   handler          = "sns_to_cloudwatch.handler"
		44 |   source_code_hash = data.archive_file.lambda_function_payload.output_base64sha256
		45 | 
		46 |   environment {
		47 |     variables = {
		48 |       LOG_GROUP_NAME = aws_cloudwatch_log_group.sns_logs.name
		49 |     }
		50 |   }
		51 | 
		52 |   lifecycle {
		53 |     replace_triggered_by = [aws_iam_role.lambda_logging]
		54 |   }
		55 | 
		56 |   tags = local.tags
		57 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.sns_logs
	File: /ses_logging.tf:59-64
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		59 | resource "aws_cloudwatch_log_group" "sns_logs" {
		60 |   name              = format("%s-ses-logs", local.application_name)
		61 |   retention_in_days = local.application_data.accounts[local.environment].ses_log_retention_days
		62 | 
		63 |   tags = local.tags
		64 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.execution_logs
	File: /ses_logging.tf:66-71
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		66 | resource "aws_cloudwatch_log_group" "execution_logs" {
		67 |   name              = format("/aws/lambda/%s", aws_lambda_function.sns_to_cloudwatch.function_name)
		68 |   retention_in_days = 3
		69 | 
		70 |   tags = local.tags
		71 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.execution_logs
	File: /ses_logging.tf:66-71
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		66 | resource "aws_cloudwatch_log_group" "execution_logs" {
		67 |   name              = format("/aws/lambda/%s", aws_lambda_function.sns_to_cloudwatch.function_name)
		68 |   retention_in_days = 3
		69 | 
		70 |   tags = local.tags
		71 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: module.shield.aws_cloudwatch_log_group.waf[0]
	File: /../../modules/shield_advanced/shield.tf:94-98
	Calling File: /waf.tf:1-55
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		94 | resource "aws_cloudwatch_log_group" "waf" {
		95 |   count             = var.enable_logging ? 1 : 0
		96 |   name              = "aws-waf-logs-${data.external.shield_waf.result["name"]}"
		97 |   retention_in_days = var.log_retention_in_days
		98 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: module.shield.aws_cloudwatch_log_group.waf[0]
	File: /../../modules/shield_advanced/shield.tf:94-98
	Calling File: /waf.tf:1-55
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		94 | resource "aws_cloudwatch_log_group" "waf" {
		95 |   count             = var.enable_logging ? 1 : 0
		96 |   name              = "aws-waf-logs-${data.external.shield_waf.result["name"]}"
		97 |   retention_in_days = var.log_retention_in_days
		98 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.db_app_connection_string_sandbox
	File: /sandbox_secrets.tf:2-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		2  | resource "aws_secretsmanager_secret" "db_app_connection_string_sandbox" {
		3  |   count = local.is-development ? 1 : 0
		4  |   #checkov:skip=CKV_AWS_149
		5  |   name                    = "${var.networking[0].application}-app-connection-string-sandbox"
		6  |   recovery_window_in_days = 0
		7  |   tags = merge(
		8  |     local.tags,
		9  |     {
		10 |       Name = "${var.networking[0].application}-app-connection-string-sandbox"
		11 |     },
		12 |   )
		13 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.db_app_connection_string
	File: /secrets.tf:5-15
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		5  | resource "aws_secretsmanager_secret" "db_app_connection_string" {
		6  |   #checkov:skip=CKV_AWS_149
		7  |   name                    = "${var.networking[0].application}-app-connection-string"
		8  |   recovery_window_in_days = 0
		9  |   tags = merge(
		10 |     local.tags,
		11 |     {
		12 |       Name = "${var.networking[0].application}-app-connection-string"
		13 |     },
		14 |   )
		15 | }

Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
	FAILED for resource: aws_ssm_parameter.app_url
	File: /ssm.tf:2-6
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted

		2 | resource "aws_ssm_parameter" "app_url" {
		3 |   name  = "/${var.networking[0].application}/environment/app-url"
		4 |   type  = "String"
		5 |   value = "https://${local.app_url}/"
		6 | }

Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
	FAILED for resource: aws_db_instance.jitbit
	File: /rds.tf:43-89
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-60

		43 | resource "aws_db_instance" "jitbit" {
		44 |   engine         = "sqlserver-se"
		45 |   license_model  = "license-included"
		46 |   engine_version = local.application_data.accounts[local.environment].db_engine_version
		47 |   instance_class = local.application_data.accounts[local.environment].db_instance_class
		48 |   identifier     = "${local.application_name}-${local.environment}-database"
		49 |   username       = local.application_data.accounts[local.environment].db_user
		50 | 
		51 |   apply_immediately = false
		52 | 
		53 |   manage_master_user_password = true
		54 | 
		55 |   snapshot_identifier = try(local.application_data.accounts[local.environment].db_snapshot_identifier, null)
		56 | 
		57 |   # tflint-ignore: aws_db_instance_default_parameter_group
		58 |   parameter_group_name        = "default.sqlserver-se-15.0"
		59 |   ca_cert_identifier          = local.application_data.accounts[local.environment].db_ca_cert_identifier
		60 |   deletion_protection         = local.application_data.accounts[local.environment].db_deletion_protection
		61 |   delete_automated_backups    = local.application_data.accounts[local.environment].db_delete_automated_backups
		62 |   skip_final_snapshot         = local.skip_final_snapshot
		63 |   final_snapshot_identifier   = !local.skip_final_snapshot ? "${local.application_name}-${local.environment}-database-final-snapshot" : null
		64 |   allocated_storage           = local.application_data.accounts[local.environment].db_allocated_storage
		65 |   max_allocated_storage       = local.application_data.accounts[local.environment].db_max_allocated_storage
		66 |   storage_type                = local.application_data.accounts[local.environment].db_storage_type
		67 |   maintenance_window          = local.application_data.accounts[local.environment].db_maintenance_window
		68 |   auto_minor_version_upgrade  = local.application_data.accounts[local.environment].db_auto_minor_version_upgrade
		69 |   allow_major_version_upgrade = local.application_data.accounts[local.environment].db_allow_major_version_upgrade
		70 |   backup_window               = local.application_data.accounts[local.environment].db_backup_window
		71 |   backup_retention_period     = local.application_data.accounts[local.environment].db_retention_period
		72 |   #checkov:skip=CKV_AWS_133: "backup_retention enabled, can be edited it application_variables.json"
		73 |   iam_database_authentication_enabled = local.application_data.accounts[local.environment].db_iam_database_authentication_enabled
		74 |   #checkov:skip=CKV_AWS_161: "iam auth enabled, but optional"
		75 |   db_subnet_group_name   = aws_db_subnet_group.jitbit.id
		76 |   vpc_security_group_ids = [aws_security_group.database_security_group.id]
		77 |   multi_az               = local.application_data.accounts[local.environment].db_multi_az
		78 |   #checkov:skip=CKV_AWS_157: "multi-az enabled, but optional"
		79 |   monitoring_interval = local.application_data.accounts[local.environment].db_monitoring_interval
		80 |   monitoring_role_arn = local.application_data.accounts[local.environment].db_monitoring_interval == 0 ? "" : aws_iam_role.rds_enhanced_monitoring[0].arn
		81 |   #checkov:skip=CKV_AWS_118: "enhanced monitoring is enabled, but optional"
		82 |   storage_encrypted               = true
		83 |   performance_insights_enabled    = local.application_data.accounts[local.environment].db_performance_insights_enabled
		84 |   performance_insights_kms_key_id = "" #tfsec:ignore:aws-rds-enable-performance-insights-encryption Left empty so that it will run, however should be populated with real key in scenario.
		85 |   enabled_cloudwatch_logs_exports = local.application_data.accounts[local.environment].db_enabled_cloudwatch_logs_exports
		86 |   tags = merge(local.tags,
		87 |     { Name = lower(format("%s-%s-database", local.application_name, local.environment)) }
		88 |   )
		89 | }

Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
	FAILED for resource: aws_db_instance.jitbit_sandbox
	File: /sandbox_rds.tf:27-71
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-60

		27 | resource "aws_db_instance" "jitbit_sandbox" {
		28 |   count = local.is-development ? 1 : 0
		29 | 
		30 |   engine         = "sqlserver-se"
		31 |   license_model  = "license-included"
		32 |   engine_version = local.application_data.accounts["sandbox"].db_engine_version
		33 |   instance_class = local.application_data.accounts["sandbox"].db_instance_class
		34 |   identifier     = "${local.application_name}-sandbox-database"
		35 |   username       = local.application_data.accounts["sandbox"].db_user
		36 | 
		37 |   manage_master_user_password = true
		38 | 
		39 |   snapshot_identifier = try(local.application_data.accounts["sandbox"].db_snapshot_identifier, null)
		40 | 
		41 |   # tflint-ignore: aws_db_instance_default_parameter_group
		42 |   parameter_group_name        = "default.sqlserver-se-15.0"
		43 |   ca_cert_identifier          = local.application_data.accounts["sandbox"].db_ca_cert_identifier
		44 |   deletion_protection         = local.application_data.accounts["sandbox"].db_deletion_protection
		45 |   delete_automated_backups    = local.application_data.accounts["sandbox"].db_delete_automated_backups
		46 |   skip_final_snapshot         = local.application_data.accounts["sandbox"].db_skip_final_snapshot
		47 |   final_snapshot_identifier   = !local.skip_final_snapshot ? "${local.application_name}-sandbox-database-final-snapshot" : null
		48 |   allocated_storage           = local.application_data.accounts["sandbox"].db_allocated_storage
		49 |   max_allocated_storage       = local.application_data.accounts["sandbox"].db_max_allocated_storage
		50 |   storage_type                = local.application_data.accounts["sandbox"].db_storage_type
		51 |   maintenance_window          = local.application_data.accounts["sandbox"].db_maintenance_window
		52 |   auto_minor_version_upgrade  = local.application_data.accounts["sandbox"].db_auto_minor_version_upgrade
		53 |   allow_major_version_upgrade = local.application_data.accounts["sandbox"].db_allow_major_version_upgrade
		54 |   backup_window               = local.application_data.accounts["sandbox"].db_backup_window
		55 |   backup_retention_period     = local.application_data.accounts["sandbox"].db_retention_period
		56 |   #checkov:skip=CKV_AWS_133: "backup_retention enabled, can be edited it application_variables.json"
		57 |   iam_database_authentication_enabled = local.application_data.accounts["sandbox"].db_iam_database_authentication_enabled
		58 |   #checkov:skip=CKV_AWS_161: "iam auth enabled, but optional"
		59 |   db_subnet_group_name   = aws_db_subnet_group.jitbit.id
		60 |   vpc_security_group_ids = [aws_security_group.database_security_group_sandbox[0].id]
		61 |   multi_az               = local.application_data.accounts["sandbox"].db_multi_az
		62 |   #checkov:skip=CKV_AWS_157: "multi-az enabled, but optional"
		63 |   storage_encrypted = true
		64 | 
		65 |   tags = merge(
		66 |     local.tags,
		67 |     {
		68 |       Name = lower(format("%s-%s-database", local.application_name, "sandbox"))
		69 |     }
		70 |   )
		71 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.jitbit
	File: /ecs.tf:53-62
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		53 | resource "aws_security_group" "jitbit" {
		54 |   vpc_id      = data.aws_vpc.shared.id
		55 |   name        = format("hmpps-%s-%s-service", local.environment, local.application_name)
		56 |   description = "Security group for the ${local.application_name} service"
		57 |   tags        = local.tags
		58 | 
		59 |   lifecycle {
		60 |     create_before_destroy = true
		61 |   }
		62 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.jitbit_sandbox
	File: /sandbox_ecs.tf:55-66
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		55 | resource "aws_security_group" "jitbit_sandbox" {
		56 |   count = local.is-development ? 1 : 0
		57 | 
		58 |   vpc_id      = data.aws_vpc.shared.id
		59 |   name        = format("hmpps-%s-%s-service", "sandbox", local.application_name)
		60 |   description = "Security group for the ${local.application_name} service"
		61 |   tags        = local.tags
		62 | 
		63 |   lifecycle {
		64 |     create_before_destroy = true
		65 |   }
		66 | }


checkov_exitcode=1

*****************************

Running Checkov in terraform/environments/oasys
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-11-22 09:54:12,812 [MainThread  ] [WARNI]  Failed updating attribute for key: secretsmanager_secrets./ec2/.ssh and value {'recovery_window_in_days': 7} forvertex attributes {'secretsmanager_secrets': {'/ec2/.ssh': {'recovery_window_in_days': 7, 'secrets': {'ec2-user': {'description': 'Private key for ec2-user key pair'}}}}, 'secretsmanager_secrets./ec2/.ssh': {'recovery_window_in_days': 7, 'secrets': {'ec2-user': {'description': 'Private key for ec2-user key pair'}}}, 'secretsmanager_secrets./ec2/.ssh.recovery_window_in_days': 7, 'secretsmanager_secrets./ec2/.ssh.secrets': {'ec2-user': {'description': 'Private key for ec2-user key pair'}}, 'secretsmanager_secrets./ec2/.ssh.secrets.ec2-user': {'description': 'Private key for ec2-user key pair'}, 'secretsmanager_secrets./ec2/.ssh.secrets.ec2-user.description': 'Private key for ec2-user key pair'}. Falling back to explicitly setting it.Exception - Parse error at 1:24 near token / (SORT_DIRECTION)
2024-11-22 09:54:12,889 [MainThread  ] [WARNI]  Failed updating attribute for key: ssm_parameters./oam and value {'parameters': '{for oam_link in coalesce(${merge({\'cloudwatch_dashboard_default_widget_groups\': [\'ec2\', \'ec2_autoscaling_group_linux\', \'ec2_instance_linux\', \'ec2_instance_oracle_db_with_backup\', \'ec2_instance_textfile_monitoring\', \'ec2_linux\', \'lb\'], \'cloudwatch_metric_alarms_default_actions\': \'pagerduty\', \'cloudwatch_metric_oam_links\': \'hmpps-oem-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'cloudwatch_metric_oam_links_ssm_parameters\': \'hmpps-oem-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'db_backup_more_permissions\': True, \'enable_backup_plan_daily_and_weekly\': True, \'enable_business_unit_kms_cmks\': True, \'enable_ec2_cloud_watch_agent\': True, \'enable_ec2_oracle_enterprise_managed_server\': True, \'enable_ec2_self_provision\': True, \'enable_ec2_session_manager_cloudwatch_logs\': True, \'enable_ec2_ssm_agent_update\': True, \'enable_ec2_user_keypair\': True, \'enable_image_builder\': True, \'enable_s3_bucket\': True, \'enable_s3_db_backup_bucket\': True, \'enable_s3_shared_bucket\': True, \'enable_vmimport\': True, \'s3_bucket_name\': \'oasys-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'s3_iam_policies\': \'EC2S3BucketWriteAndDeleteAccessPolicy\'},[])},[]) : oam_link :> {\'description\': \'oam sink_identifier to use in aws_oam_link resource\'}}'} forvertex attributes {'ssm_parameters': {'/azure': {'parameters': {'sas_token': {'description': 'database backup storage account read-only sas token'}}}, '/oam': {'parameters': '{for oam_link in coalesce(${merge({\'cloudwatch_dashboard_default_widget_groups\': [\'ec2\', \'ec2_autoscaling_group_linux\', \'ec2_instance_linux\', \'ec2_instance_oracle_db_with_backup\', \'ec2_instance_textfile_monitoring\', \'ec2_linux\', \'lb\'], \'cloudwatch_metric_alarms_default_actions\': \'pagerduty\', \'cloudwatch_metric_oam_links\': \'hmpps-oem-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'cloudwatch_metric_oam_links_ssm_parameters\': \'hmpps-oem-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'db_backup_more_permissions\': True, \'enable_backup_plan_daily_and_weekly\': True, \'enable_business_unit_kms_cmks\': True, \'enable_ec2_cloud_watch_agent\': True, \'enable_ec2_oracle_enterprise_managed_server\': True, \'enable_ec2_self_provision\': True, \'enable_ec2_session_manager_cloudwatch_logs\': True, \'enable_ec2_ssm_agent_update\': True, \'enable_ec2_user_keypair\': True, \'enable_image_builder\': True, \'enable_s3_bucket\': True, \'enable_s3_db_backup_bucket\': True, \'enable_s3_shared_bucket\': True, \'enable_vmimport\': True, \'s3_bucket_name\': \'oasys-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'s3_iam_policies\': \'EC2S3BucketWriteAndDeleteAccessPolicy\'},[])},[]) : oam_link :> {\'description\': \'oam sink_identifier to use in aws_oam_link resource\'}}'}, 'account': {'parameters': {'ids': {'description': 'Selected modernisation platform AWS account IDs managed by baseline module', 'value': 'jsonencode({for key , value in ${module.environment} : key :> value if contains(local.account_names_for_account_ids_ssm_parameter,key)})'}}, 'postfix': '_'}, 'cloud-watch-config': {'parameters': {'windows': {'description': 'cloud watch agent config for windows managed by baseline module', 'file': './templates/cloud_watch_windows.json', 'type': 'String'}}, 'postfix': '-'}}, 'ssm_parameters./azure': {'parameters': {'sas_token': {'description': 'database backup storage account read-only sas token'}}}, 'ssm_parameters./azure.parameters': {'sas_token': {'description': 'database backup storage account read-only sas token'}}, 'ssm_parameters./azure.parameters.sas_token': {'description': 'database backup storage account read-only sas token'}, 'ssm_parameters./azure.parameters.sas_token.description': 'database backup storage account read-only sas token', 'ssm_parameters./oam': {'parameters': '{for oam_link in coalesce(${merge({\'cloudwatch_dashboard_default_widget_groups\': [\'ec2\', \'ec2_autoscaling_group_linux\', \'ec2_instance_linux\', \'ec2_instance_oracle_db_with_backup\', \'ec2_instance_textfile_monitoring\', \'ec2_linux\', \'lb\'], \'cloudwatch_metric_alarms_default_actions\': \'pagerduty\', \'cloudwatch_metric_oam_links\': \'hmpps-oem-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'cloudwatch_metric_oam_links_ssm_parameters\': \'hmpps-oem-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'db_backup_more_permissions\': True, \'enable_backup_plan_daily_and_weekly\': True, \'enable_business_unit_kms_cmks\': True, \'enable_ec2_cloud_watch_agent\': True, \'enable_ec2_oracle_enterprise_managed_server\': True, \'enable_ec2_self_provision\': True, \'enable_ec2_session_manager_cloudwatch_logs\': True, \'enable_ec2_ssm_agent_update\': True, \'enable_ec2_user_keypair\': True, \'enable_image_builder\': True, \'enable_s3_bucket\': True, \'enable_s3_db_backup_bucket\': True, \'enable_s3_shared_bucket\': True, \'enable_vmimport\': True, \'s3_bucket_name\': \'oasys-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'s3_iam_policies\': \'EC2S3BucketWriteAndDeleteAccessPolicy\'},[])},[]) : oam_link :> {\'description\': \'oam sink_identifier to use in aws_oam_link resource\'}}'}, 'ssm_parameters./oam.parameters': '{for oam_link in coalesce(${merge({\'cloudwatch_dashboard_default_widget_groups\': [\'ec2\', \'ec2_autoscaling_group_linux\', \'ec2_instance_linux\', \'ec2_instance_oracle_db_with_backup\', \'ec2_instance_textfile_monitoring\', \'ec2_linux\', \'lb\'], \'cloudwatch_metric_alarms_default_actions\': \'pagerduty\', \'cloudwatch_metric_oam_links\': \'hmpps-oem-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'cloudwatch_metric_oam_links_ssm_parameters\': \'hmpps-oem-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'db_backup_more_permissions\': True, \'enable_backup_plan_daily_and_weekly\': True, \'enable_business_unit_kms_cmks\': True, \'enable_ec2_cloud_watch_agent\': True, \'enable_ec2_oracle_enterprise_managed_server\': True, \'enable_ec2_self_provision\': True, \'enable_ec2_session_manager_cloudwatch_logs\': True, \'enable_ec2_ssm_agent_update\': True, \'enable_ec2_user_keypair\': True, \'enable_image_builder\': True, \'enable_s3_bucket\': True, \'enable_s3_db_backup_bucket\': True, \'enable_s3_shared_bucket\': True, \'enable_vmimport\': True, \'s3_bucket_name\': \'oasys-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'s3_iam_policies\': \'EC2S3BucketWriteAndDeleteAccessPolicy\'},[])},[]) : oam_link :> {\'description\': \'oam sink_identifier to use in aws_oam_link resource\'}}', 'ssm_parameters.account': {'parameters': {'ids': {'description': 'Selected modernisation platform AWS account IDs managed by baseline module', 'value': 'jsonencode({for key , value in ${module.environment} : key :> value if contains(local.account_names_for_account_ids_ssm_parameter,key)})'}}, 'postfix': '_'}, 'ssm_parameters.account.parameters': {'ids': {'description': 'Selected modernisation platform AWS account IDs managed by baseline module', 'value': 'jsonencode({for key , value in ${module.environment} : key :> value if contains(local.account_names_for_account_ids_ssm_parameter,key)})'}}, 'ssm_parameters.account.parameters.ids': {'description': 'Selected modernisation platform AWS account IDs managed by baseline module', 'value': 'jsonencode({for key , value in ${module.environment} : key :> value if contains(local.account_names_for_account_ids_ssm_parameter,key)})'}, 'ssm_parameters.account.parameters.ids.description': 'Selected modernisation platform AWS account IDs managed by baseline module', 'ssm_parameters.account.parameters.ids.value': 'jsonencode({for key , value in ${module.environment} : key :> value if contains(local.account_names_for_account_ids_ssm_parameter,key)})', 'ssm_parameters.account.postfix': '_', 'ssm_parameters.cloud-watch-config': {'parameters': {'windows': {'description': 'cloud watch agent config for windows managed by baseline module', 'file': './templates/cloud_watch_windows.json', 'type': 'String'}}, 'postfix': '-'}, 'ssm_parameters.cloud-watch-config.parameters': {'windows': {'description': 'cloud watch agent config for windows managed by baseline module', 'file': './templates/cloud_watch_windows.json', 'type': 'String'}}, 'ssm_parameters.cloud-watch-config.parameters.windows': {'description': 'cloud watch agent config for windows managed by baseline module', 'file': './templates/cloud_watch_windows.json', 'type': 'String'}, 'ssm_parameters.cloud-watch-config.parameters.windows.description': 'cloud watch agent config for windows managed by baseline module', 'ssm_parameters.cloud-watch-config.parameters.windows.file': './templates/cloud_watch_windows.json', 'ssm_parameters.cloud-watch-config.parameters.windows.type': 'String', 'ssm_parameters.cloud-watch-config.postfix': '-'}. Falling back to explicitly setting it.Exception - Parse error at 1:16 near token / (SORT_DIRECTION)
2024-11-22 09:54:16,542 [MainThread  ] [WARNI]  Failed updating attribute for key: secretsmanager_secrets./ec2/.ssh and value {'recovery_window_in_days': 7} forvertex attributes {'secretsmanager_secrets': {'/ec2/.ssh': {'recovery_window_in_days': 7, 'secrets': {'ec2-user': {'description': 'Private key for ec2-user key pair'}}}}, 'secretsmanager_secrets./ec2/.ssh': {'recovery_window_in_days': 7, 'secrets': {'ec2-user': {'description': 'Private key for ec2-user key pair'}}}, 'secretsmanager_secrets./ec2/.ssh.recovery_window_in_days': 7, 'secretsmanager_secrets./ec2/.ssh.secrets': {'ec2-user': {'description': 'Private key for ec2-user key pair'}}, 'secretsmanager_secrets./ec2/.ssh.secrets.ec2-user': {'description': 'Private key for ec2-user key pair'}, 'secretsmanager_secrets./ec2/.ssh.secrets.ec2-user.description': 'Private key for ec2-user key pair'}. Falling back to explicitly setting it.Exception - Parse error at 1:24 near token / (SORT_DIRECTION)
2024-11-22 09:54:16,564 [MainThread  ] [WARNI]  Failed updating attribute for key: ssm_parameters./oam and value {'parameters': '{for oam_link in coalesce(${merge({\'cloudwatch_dashboard_default_widget_groups\': [\'ec2\', \'ec2_autoscaling_group_linux\', \'ec2_instance_linux\', \'ec2_instance_oracle_db_with_backup\', \'ec2_instance_textfile_monitoring\', \'ec2_linux\', \'lb\'], \'cloudwatch_metric_alarms_default_actions\': \'pagerduty\', \'cloudwatch_metric_oam_links\': \'hmpps-oem-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'cloudwatch_metric_oam_links_ssm_parameters\': \'hmpps-oem-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'db_backup_more_permissions\': True, \'enable_backup_plan_daily_and_weekly\': True, \'enable_business_unit_kms_cmks\': True, \'enable_ec2_cloud_watch_agent\': True, \'enable_ec2_oracle_enterprise_managed_server\': True, \'enable_ec2_self_provision\': True, \'enable_ec2_session_manager_cloudwatch_logs\': True, \'enable_ec2_ssm_agent_update\': True, \'enable_ec2_user_keypair\': True, \'enable_image_builder\': True, \'enable_s3_bucket\': True, \'enable_s3_db_backup_bucket\': True, \'enable_s3_shared_bucket\': True, \'enable_vmimport\': True, \'s3_bucket_name\': \'oasys-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'s3_iam_policies\': \'EC2S3BucketWriteAndDeleteAccessPolicy\'},[])},[]) : oam_link :> {\'description\': \'oam sink_identifier to use in aws_oam_link resource\'}}'} forvertex attributes {'ssm_parameters': {'/azure': {'parameters': {'sas_token': {'description': 'database backup storage account read-only sas token'}}}, '/oam': {'parameters': '{for oam_link in coalesce(${merge({\'cloudwatch_dashboard_default_widget_groups\': [\'ec2\', \'ec2_autoscaling_group_linux\', \'ec2_instance_linux\', \'ec2_instance_oracle_db_with_backup\', \'ec2_instance_textfile_monitoring\', \'ec2_linux\', \'lb\'], \'cloudwatch_metric_alarms_default_actions\': \'pagerduty\', \'cloudwatch_metric_oam_links\': \'hmpps-oem-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'cloudwatch_metric_oam_links_ssm_parameters\': \'hmpps-oem-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'db_backup_more_permissions\': True, \'enable_backup_plan_daily_and_weekly\': True, \'enable_business_unit_kms_cmks\': True, \'enable_ec2_cloud_watch_agent\': True, \'enable_ec2_oracle_enterprise_managed_server\': True, \'enable_ec2_self_provision\': True, \'enable_ec2_session_manager_cloudwatch_logs\': True, \'enable_ec2_ssm_agent_update\': True, \'enable_ec2_user_keypair\': True, \'enable_image_builder\': True, \'enable_s3_bucket\': True, \'enable_s3_db_backup_bucket\': True, \'enable_s3_shared_bucket\': True, \'enable_vmimport\': True, \'s3_bucket_name\': \'oasys-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'s3_iam_policies\': \'EC2S3BucketWriteAndDeleteAccessPolicy\'},[])},[]) : oam_link :> {\'description\': \'oam sink_identifier to use in aws_oam_link resource\'}}'}, 'account': {'parameters': {'ids': {'description': 'Selected modernisation platform AWS account IDs managed by baseline module', 'value': 'jsonencode({for key , value in ${module.environment} : key :> value if contains(local.account_names_for_account_ids_ssm_parameter,key)})'}}, 'postfix': '_'}, 'cloud-watch-config': {'parameters': {'windows': {'description': 'cloud watch agent config for windows managed by baseline module', 'file': './templates/cloud_watch_windows.json', 'type': 'String'}}, 'postfix': '-'}}, 'ssm_parameters./azure': {'parameters': {'sas_token': {'description': 'database backup storage account read-only sas token'}}}, 'ssm_parameters./azure.parameters': {'sas_token': {'description': 'database backup storage account read-only sas token'}}, 'ssm_parameters./azure.parameters.sas_token': {'description': 'database backup storage account read-only sas token'}, 'ssm_parameters./azure.parameters.sas_token.description': 'database backup storage account read-only sas token', 'ssm_parameters./oam': {'parameters': '{for oam_link in coalesce(${merge({\'cloudwatch_dashboard_default_widget_groups\': [\'ec2\', \'ec2_autoscaling_group_linux\', \'ec2_instance_linux\', \'ec2_instance_oracle_db_with_backup\', \'ec2_instance_textfile_monitoring\', \'ec2_linux\', \'lb\'], \'cloudwatch_metric_alarms_default_actions\': \'pagerduty\', \'cloudwatch_metric_oam_links\': \'hmpps-oem-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'cloudwatch_metric_oam_links_ssm_parameters\': \'hmpps-oem-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'db_backup_more_permissions\': True, \'enable_backup_plan_daily_and_weekly\': True, \'enable_business_unit_kms_cmks\': True, \'enable_ec2_cloud_watch_agent\': True, \'enable_ec2_oracle_enterprise_managed_server\': True, \'enable_ec2_self_provision\': True, \'enable_ec2_session_manager_cloudwatch_logs\': True, \'enable_ec2_ssm_agent_update\': True, \'enable_ec2_user_keypair\': True, \'enable_image_builder\': True, \'enable_s3_bucket\': True, \'enable_s3_db_backup_bucket\': True, \'enable_s3_shared_bucket\': True, \'enable_vmimport\': True, \'s3_bucket_name\': \'oasys-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'s3_iam_policies\': \'EC2S3BucketWriteAndDeleteAccessPolicy\'},[])},[]) : oam_link :> {\'description\': \'oam sink_identifier to use in aws_oam_link resource\'}}'}, 'ssm_parameters./oam.parameters': '{for oam_link in coalesce(${merge({\'cloudwatch_dashboard_default_widget_groups\': [\'ec2\', \'ec2_autoscaling_group_linux\', \'ec2_instance_linux\', \'ec2_instance_oracle_db_with_backup\', \'ec2_instance_textfile_monitoring\', \'ec2_linux\', \'lb\'], \'cloudwatch_metric_alarms_default_actions\': \'pagerduty\', \'cloudwatch_metric_oam_links\': \'hmpps-oem-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'cloudwatch_metric_oam_links_ssm_parameters\': \'hmpps-oem-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'db_backup_more_permissions\': True, \'enable_backup_plan_daily_and_weekly\': True, \'enable_business_unit_kms_cmks\': True, \'enable_ec2_cloud_watch_agent\': True, \'enable_ec2_oracle_enterprise_managed_server\': True, \'enable_ec2_self_provision\': True, \'enable_ec2_session_manager_cloudwatch_logs\': True, \'enable_ec2_ssm_agent_update\': True, \'enable_ec2_user_keypair\': True, \'enable_image_builder\': True, \'enable_s3_bucket\': True, \'enable_s3_db_backup_bucket\': True, \'enable_s3_shared_bucket\': True, \'enable_vmimport\': True, \'s3_bucket_name\': \'oasys-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'s3_iam_policies\': \'EC2S3BucketWriteAndDeleteAccessPolicy\'},[])},[]) : oam_link :> {\'description\': \'oam sink_identifier to use in aws_oam_link resource\'}}', 'ssm_parameters.account': {'parameters': {'ids': {'description': 'Selected modernisation platform AWS account IDs managed by baseline module', 'value': 'jsonencode({for key , value in ${module.environment} : key :> value if contains(local.account_names_for_account_ids_ssm_parameter,key)})'}}, 'postfix': '_'}, 'ssm_parameters.account.parameters': {'ids': {'description': 'Selected modernisation platform AWS account IDs managed by baseline module', 'value': 'jsonencode({for key , value in ${module.environment} : key :> value if contains(local.account_names_for_account_ids_ssm_parameter,key)})'}}, 'ssm_parameters.account.parameters.ids': {'description': 'Selected modernisation platform AWS account IDs managed by baseline module', 'value': 'jsonencode({for key , value in ${module.environment} : key :> value if contains(local.account_names_for_account_ids_ssm_parameter,key)})'}, 'ssm_parameters.account.parameters.ids.description': 'Selected modernisation platform AWS account IDs managed by baseline module', 'ssm_parameters.account.parameters.ids.value': 'jsonencode({for key , value in ${module.environment} : key :> value if contains(local.account_names_for_account_ids_ssm_parameter,key)})', 'ssm_parameters.account.postfix': '_', 'ssm_parameters.cloud-watch-config': {'parameters': {'windows': {'description': 'cloud watch agent config for windows managed by baseline module', 'file': './templates/cloud_watch_windows.json', 'type': 'String'}}, 'postfix': '-'}, 'ssm_parameters.cloud-watch-config.parameters': {'windows': {'description': 'cloud watch agent config for windows managed by baseline module', 'file': './templates/cloud_watch_windows.json', 'type': 'String'}}, 'ssm_parameters.cloud-watch-config.parameters.windows': {'description': 'cloud watch agent config for windows managed by baseline module', 'file': './templates/cloud_watch_windows.json', 'type': 'String'}, 'ssm_parameters.cloud-watch-config.parameters.windows.description': 'cloud watch agent config for windows managed by baseline module', 'ssm_parameters.cloud-watch-config.parameters.windows.file': './templates/cloud_watch_windows.json', 'ssm_parameters.cloud-watch-config.parameters.windows.type': 'String', 'ssm_parameters.cloud-watch-config.postfix': '-'}. Falling back to explicitly setting it.Exception - Parse error at 1:16 near token / (SORT_DIRECTION)
2024-11-22 09:54:17,799 [MainThread  ] [WARNI]  Failed updating attribute for key: secretsmanager_secrets./ec2/.ssh and value {'recovery_window_in_days': 7} forvertex attributes {'secretsmanager_secrets': {'/ec2/.ssh': {'recovery_window_in_days': 7, 'secrets': {'ec2-user': {'description': 'Private key for ec2-user key pair'}}}}, 'secretsmanager_secrets./ec2/.ssh': {'recovery_window_in_days': 7, 'secrets': {'ec2-user': {'description': 'Private key for ec2-user key pair'}}}, 'secretsmanager_secrets./ec2/.ssh.recovery_window_in_days': 7, 'secretsmanager_secrets./ec2/.ssh.secrets': {'ec2-user': {'description': 'Private key for ec2-user key pair'}}, 'secretsmanager_secrets./ec2/.ssh.secrets.ec2-user': {'description': 'Private key for ec2-user key pair'}, 'secretsmanager_secrets./ec2/.ssh.secrets.ec2-user.description': 'Private key for ec2-user key pair'}. Falling back to explicitly setting it.Exception - Parse error at 1:24 near token / (SORT_DIRECTION)
2024-11-22 09:54:17,820 [MainThread  ] [WARNI]  Failed updating attribute for key: ssm_parameters./oam and value {'parameters': '{for oam_link in coalesce(${merge({\'cloudwatch_dashboard_default_widget_groups\': [\'ec2\', \'ec2_autoscaling_group_linux\', \'ec2_instance_linux\', \'ec2_instance_oracle_db_with_backup\', \'ec2_instance_textfile_monitoring\', \'ec2_linux\', \'lb\'], \'cloudwatch_metric_alarms_default_actions\': \'pagerduty\', \'cloudwatch_metric_oam_links\': \'hmpps-oem-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'cloudwatch_metric_oam_links_ssm_parameters\': \'hmpps-oem-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'db_backup_more_permissions\': True, \'enable_backup_plan_daily_and_weekly\': True, \'enable_business_unit_kms_cmks\': True, \'enable_ec2_cloud_watch_agent\': True, \'enable_ec2_oracle_enterprise_managed_server\': True, \'enable_ec2_self_provision\': True, \'enable_ec2_session_manager_cloudwatch_logs\': True, \'enable_ec2_ssm_agent_update\': True, \'enable_ec2_user_keypair\': True, \'enable_image_builder\': True, \'enable_s3_bucket\': True, \'enable_s3_db_backup_bucket\': True, \'enable_s3_shared_bucket\': True, \'enable_vmimport\': True, \'s3_bucket_name\': \'oasys-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'s3_iam_policies\': \'EC2S3BucketWriteAndDeleteAccessPolicy\'},[])},[]) : oam_link :> {\'description\': \'oam sink_identifier to use in aws_oam_link resource\'}}'} forvertex attributes {'ssm_parameters': {'/azure': {'parameters': {'sas_token': {'description': 'database backup storage account read-only sas token'}}}, '/oam': {'parameters': '{for oam_link in coalesce(${merge({\'cloudwatch_dashboard_default_widget_groups\': [\'ec2\', \'ec2_autoscaling_group_linux\', \'ec2_instance_linux\', \'ec2_instance_oracle_db_with_backup\', \'ec2_instance_textfile_monitoring\', \'ec2_linux\', \'lb\'], \'cloudwatch_metric_alarms_default_actions\': \'pagerduty\', \'cloudwatch_metric_oam_links\': \'hmpps-oem-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'cloudwatch_metric_oam_links_ssm_parameters\': \'hmpps-oem-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'db_backup_more_permissions\': True, \'enable_backup_plan_daily_and_weekly\': True, \'enable_business_unit_kms_cmks\': True, \'enable_ec2_cloud_watch_agent\': True, \'enable_ec2_oracle_enterprise_managed_server\': True, \'enable_ec2_self_provision\': True, \'enable_ec2_session_manager_cloudwatch_logs\': True, \'enable_ec2_ssm_agent_update\': True, \'enable_ec2_user_keypair\': True, \'enable_image_builder\': True, \'enable_s3_bucket\': True, \'enable_s3_db_backup_bucket\': True, \'enable_s3_shared_bucket\': True, \'enable_vmimport\': True, \'s3_bucket_name\': \'oasys-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'s3_iam_policies\': \'EC2S3BucketWriteAndDeleteAccessPolicy\'},[])},[]) : oam_link :> {\'description\': \'oam sink_identifier to use in aws_oam_link resource\'}}'}, 'account': {'parameters': {'ids': {'description': 'Selected modernisation platform AWS account IDs managed by baseline module', 'value': 'jsonencode({for key , value in ${module.environment} : key :> value if contains(local.account_names_for_account_ids_ssm_parameter,key)})'}}, 'postfix': '_'}, 'cloud-watch-config': {'parameters': {'windows': {'description': 'cloud watch agent config for windows managed by baseline module', 'file': './templates/cloud_watch_windows.json', 'type': 'String'}}, 'postfix': '-'}}, 'ssm_parameters./azure': {'parameters': {'sas_token': {'description': 'database backup storage account read-only sas token'}}}, 'ssm_parameters./azure.parameters': {'sas_token': {'description': 'database backup storage account read-only sas token'}}, 'ssm_parameters./azure.parameters.sas_token': {'description': 'database backup storage account read-only sas token'}, 'ssm_parameters./azure.parameters.sas_token.description': 'database backup storage account read-only sas token', 'ssm_parameters./oam': {'parameters': '{for oam_link in coalesce(${merge({\'cloudwatch_dashboard_default_widget_groups\': [\'ec2\', \'ec2_autoscaling_group_linux\', \'ec2_instance_linux\', \'ec2_instance_oracle_db_with_backup\', \'ec2_instance_textfile_monitoring\', \'ec2_linux\', \'lb\'], \'cloudwatch_metric_alarms_default_actions\': \'pagerduty\', \'cloudwatch_metric_oam_links\': \'hmpps-oem-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'cloudwatch_metric_oam_links_ssm_parameters\': \'hmpps-oem-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'db_backup_more_permissions\': True, \'enable_backup_plan_daily_and_weekly\': True, \'enable_business_unit_kms_cmks\': True, \'enable_ec2_cloud_watch_agent\': True, \'enable_ec2_oracle_enterprise_managed_server\': True, \'enable_ec2_self_provision\': True, \'enable_ec2_session_manager_cloudwatch_logs\': True, \'enable_ec2_ssm_agent_update\': True, \'enable_ec2_user_keypair\': True, \'enable_image_builder\': True, \'enable_s3_bucket\': True, \'enable_s3_db_backup_bucket\': True, \'enable_s3_shared_bucket\': True, \'enable_vmimport\': True, \'s3_bucket_name\': \'oasys-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'s3_iam_policies\': \'EC2S3BucketWriteAndDeleteAccessPolicy\'},[])},[]) : oam_link :> {\'description\': \'oam sink_identifier to use in aws_oam_link resource\'}}'}, 'ssm_parameters./oam.parameters': '{for oam_link in coalesce(${merge({\'cloudwatch_dashboard_default_widget_groups\': [\'ec2\', \'ec2_autoscaling_group_linux\', \'ec2_instance_linux\', \'ec2_instance_oracle_db_with_backup\', \'ec2_instance_textfile_monitoring\', \'ec2_linux\', \'lb\'], \'cloudwatch_metric_alarms_default_actions\': \'pagerduty\', \'cloudwatch_metric_oam_links\': \'hmpps-oem-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'cloudwatch_metric_oam_links_ssm_parameters\': \'hmpps-oem-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'db_backup_more_permissions\': True, \'enable_backup_plan_daily_and_weekly\': True, \'enable_business_unit_kms_cmks\': True, \'enable_ec2_cloud_watch_agent\': True, \'enable_ec2_oracle_enterprise_managed_server\': True, \'enable_ec2_self_provision\': True, \'enable_ec2_session_manager_cloudwatch_logs\': True, \'enable_ec2_ssm_agent_update\': True, \'enable_ec2_user_keypair\': True, \'enable_image_builder\': True, \'enable_s3_bucket\': True, \'enable_s3_db_backup_bucket\': True, \'enable_s3_shared_bucket\': True, \'enable_vmimport\': True, \'s3_bucket_name\': \'oasys-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'s3_iam_policies\': \'EC2S3BucketWriteAndDeleteAccessPolicy\'},[])},[]) : oam_link :> {\'description\': \'oam sink_identifier to use in aws_oam_link resource\'}}', 'ssm_parameters.account': {'parameters': {'ids': {'description': 'Selected modernisation platform AWS account IDs managed by baseline module', 'value': 'jsonencode({for key , value in ${module.environment} : key :> value if contains(local.account_names_for_account_ids_ssm_parameter,key)})'}}, 'postfix': '_'}, 'ssm_parameters.account.parameters': {'ids': {'description': 'Selected modernisation platform AWS account IDs managed by baseline module', 'value': 'jsonencode({for key , value in ${module.environment} : key :> value if contains(local.account_names_for_account_ids_ssm_parameter,key)})'}}, 'ssm_parameters.account.parameters.ids': {'description': 'Selected modernisation platform AWS account IDs managed by baseline module', 'value': 'jsonencode({for key , value in ${module.environment} : key :> value if contains(local.account_names_for_account_ids_ssm_parameter,key)})'}, 'ssm_parameters.account.parameters.ids.description': 'Selected modernisation platform AWS account IDs managed by baseline module', 'ssm_parameters.account.parameters.ids.value': 'jsonencode({for key , value in ${module.environment} : key :> value if contains(local.account_names_for_account_ids_ssm_parameter,key)})', 'ssm_parameters.account.postfix': '_', 'ssm_parameters.cloud-watch-config': {'parameters': {'windows': {'description': 'cloud watch agent config for windows managed by baseline module', 'file': './templates/cloud_watch_windows.json', 'type': 'String'}}, 'postfix': '-'}, 'ssm_parameters.cloud-watch-config.parameters': {'windows': {'description': 'cloud watch agent config for windows managed by baseline module', 'file': './templates/cloud_watch_windows.json', 'type': 'String'}}, 'ssm_parameters.cloud-watch-config.parameters.windows': {'description': 'cloud watch agent config for windows managed by baseline module', 'file': './templates/cloud_watch_windows.json', 'type': 'String'}, 'ssm_parameters.cloud-watch-config.parameters.windows.description': 'cloud watch agent config for windows managed by baseline module', 'ssm_parameters.cloud-watch-config.parameters.windows.file': './templates/cloud_watch_windows.json', 'ssm_parameters.cloud-watch-config.parameters.windows.type': 'String', 'ssm_parameters.cloud-watch-config.postfix': '-'}. Falling back to explicitly setting it.Exception - Parse error at 1:16 near token / (SORT_DIRECTION)
2024-11-22 09:54:18,905 [MainThread  ] [WARNI]  Failed updating attribute for key: secretsmanager_secrets./ec2/.ssh and value {'recovery_window_in_days': 7} forvertex attributes {'secretsmanager_secrets': {'/ec2/.ssh': {'recovery_window_in_days': 7, 'secrets': {'ec2-user': {'description': 'Private key for ec2-user key pair'}}}}, 'secretsmanager_secrets./ec2/.ssh': {'recovery_window_in_days': 7, 'secrets': {'ec2-user': {'description': 'Private key for ec2-user key pair'}}}, 'secretsmanager_secrets./ec2/.ssh.recovery_window_in_days': 7, 'secretsmanager_secrets./ec2/.ssh.secrets': {'ec2-user': {'description': 'Private key for ec2-user key pair'}}, 'secretsmanager_secrets./ec2/.ssh.secrets.ec2-user': {'description': 'Private key for ec2-user key pair'}, 'secretsmanager_secrets./ec2/.ssh.secrets.ec2-user.description': 'Private key for ec2-user key pair'}. Falling back to explicitly setting it.Exception - Parse error at 1:24 near token / (SORT_DIRECTION)
2024-11-22 09:54:18,928 [MainThread  ] [WARNI]  Failed updating attribute for key: ssm_parameters./oam and value {'parameters': '{for oam_link in coalesce(${merge({\'cloudwatch_dashboard_default_widget_groups\': [\'ec2\', \'ec2_autoscaling_group_linux\', \'ec2_instance_linux\', \'ec2_instance_oracle_db_with_backup\', \'ec2_instance_textfile_monitoring\', \'ec2_linux\', \'lb\'], \'cloudwatch_metric_alarms_default_actions\': \'pagerduty\', \'cloudwatch_metric_oam_links\': \'hmpps-oem-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'cloudwatch_metric_oam_links_ssm_parameters\': \'hmpps-oem-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'db_backup_more_permissions\': True, \'enable_backup_plan_daily_and_weekly\': True, \'enable_business_unit_kms_cmks\': True, \'enable_ec2_cloud_watch_agent\': True, \'enable_ec2_oracle_enterprise_managed_server\': True, \'enable_ec2_self_provision\': True, \'enable_ec2_session_manager_cloudwatch_logs\': True, \'enable_ec2_ssm_agent_update\': True, \'enable_ec2_user_keypair\': True, \'enable_image_builder\': True, \'enable_s3_bucket\': True, \'enable_s3_db_backup_bucket\': True, \'enable_s3_shared_bucket\': True, \'enable_vmimport\': True, \'s3_bucket_name\': \'oasys-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'s3_iam_policies\': \'EC2S3BucketWriteAndDeleteAccessPolicy\'},[])},[]) : oam_link :> {\'description\': \'oam sink_identifier to use in aws_oam_link resource\'}}'} forvertex attributes {'ssm_parameters': {'/azure': {'parameters': {'sas_token': {'description': 'database backup storage account read-only sas token'}}}, '/oam': {'parameters': '{for oam_link in coalesce(${merge({\'cloudwatch_dashboard_default_widget_groups\': [\'ec2\', \'ec2_autoscaling_group_linux\', \'ec2_instance_linux\', \'ec2_instance_oracle_db_with_backup\', \'ec2_instance_textfile_monitoring\', \'ec2_linux\', \'lb\'], \'cloudwatch_metric_alarms_default_actions\': \'pagerduty\', \'cloudwatch_metric_oam_links\': \'hmpps-oem-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'cloudwatch_metric_oam_links_ssm_parameters\': \'hmpps-oem-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'db_backup_more_permissions\': True, \'enable_backup_plan_daily_and_weekly\': True, \'enable_business_unit_kms_cmks\': True, \'enable_ec2_cloud_watch_agent\': True, \'enable_ec2_oracle_enterprise_managed_server\': True, \'enable_ec2_self_provision\': True, \'enable_ec2_session_manager_cloudwatch_logs\': True, \'enable_ec2_ssm_agent_update\': True, \'enable_ec2_user_keypair\': True, \'enable_image_builder\': True, \'enable_s3_bucket\': True, \'enable_s3_db_backup_bucket\': True, \'enable_s3_shared_bucket\': True, \'enable_vmimport\': True, \'s3_bucket_name\': \'oasys-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'s3_iam_policies\': \'EC2S3BucketWriteAndDeleteAccessPolicy\'},[])},[]) : oam_link :> {\'description\': \'oam sink_identifier to use in aws_oam_link resource\'}}'}, 'account': {'parameters': {'ids': {'description': 'Selected modernisation platform AWS account IDs managed by baseline module', 'value': 'jsonencode({for key , value in ${module.environment} : key :> value if contains(local.account_names_for_account_ids_ssm_parameter,key)})'}}, 'postfix': '_'}, 'cloud-watch-config': {'parameters': {'windows': {'description': 'cloud watch agent config for windows managed by baseline module', 'file': './templates/cloud_watch_windows.json', 'type': 'String'}}, 'postfix': '-'}}, 'ssm_parameters./azure': {'parameters': {'sas_token': {'description': 'database backup storage account read-only sas token'}}}, 'ssm_parameters./azure.parameters': {'sas_token': {'description': 'database backup storage account read-only sas token'}}, 'ssm_parameters./azure.parameters.sas_token': {'description': 'database backup storage account read-only sas token'}, 'ssm_parameters./azure.parameters.sas_token.description': 'database backup storage account read-only sas token', 'ssm_parameters./oam': {'parameters': '{for oam_link in coalesce(${merge({\'cloudwatch_dashboard_default_widget_groups\': [\'ec2\', \'ec2_autoscaling_group_linux\', \'ec2_instance_linux\', \'ec2_instance_oracle_db_with_backup\', \'ec2_instance_textfile_monitoring\', \'ec2_linux\', \'lb\'], \'cloudwatch_metric_alarms_default_actions\': \'pagerduty\', \'cloudwatch_metric_oam_links\': \'hmpps-oem-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'cloudwatch_metric_oam_links_ssm_parameters\': \'hmpps-oem-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'db_backup_more_permissions\': True, \'enable_backup_plan_daily_and_weekly\': True, \'enable_business_unit_kms_cmks\': True, \'enable_ec2_cloud_watch_agent\': True, \'enable_ec2_oracle_enterprise_managed_server\': True, \'enable_ec2_self_provision\': True, \'enable_ec2_session_manager_cloudwatch_logs\': True, \'enable_ec2_ssm_agent_update\': True, \'enable_ec2_user_keypair\': True, \'enable_image_builder\': True, \'enable_s3_bucket\': True, \'enable_s3_db_backup_bucket\': True, \'enable_s3_shared_bucket\': True, \'enable_vmimport\': True, \'s3_bucket_name\': \'oasys-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'s3_iam_policies\': \'EC2S3BucketWriteAndDeleteAccessPolicy\'},[])},[]) : oam_link :> {\'description\': \'oam sink_identifier to use in aws_oam_link resource\'}}'}, 'ssm_parameters./oam.parameters': '{for oam_link in coalesce(${merge({\'cloudwatch_dashboard_default_widget_groups\': [\'ec2\', \'ec2_autoscaling_group_linux\', \'ec2_instance_linux\', \'ec2_instance_oracle_db_with_backup\', \'ec2_instance_textfile_monitoring\', \'ec2_linux\', \'lb\'], \'cloudwatch_metric_alarms_default_actions\': \'pagerduty\', \'cloudwatch_metric_oam_links\': \'hmpps-oem-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'cloudwatch_metric_oam_links_ssm_parameters\': \'hmpps-oem-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'db_backup_more_permissions\': True, \'enable_backup_plan_daily_and_weekly\': True, \'enable_business_unit_kms_cmks\': True, \'enable_ec2_cloud_watch_agent\': True, \'enable_ec2_oracle_enterprise_managed_server\': True, \'enable_ec2_self_provision\': True, \'enable_ec2_session_manager_cloudwatch_logs\': True, \'enable_ec2_ssm_agent_update\': True, \'enable_ec2_user_keypair\': True, \'enable_image_builder\': True, \'enable_s3_bucket\': True, \'enable_s3_db_backup_bucket\': True, \'enable_s3_shared_bucket\': True, \'enable_vmimport\': True, \'s3_bucket_name\': \'oasys-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'s3_iam_policies\': \'EC2S3BucketWriteAndDeleteAccessPolicy\'},[])},[]) : oam_link :> {\'description\': \'oam sink_identifier to use in aws_oam_link resource\'}}', 'ssm_parameters.account': {'parameters': {'ids': {'description': 'Selected modernisation platform AWS account IDs managed by baseline module', 'value': 'jsonencode({for key , value in ${module.environment} : key :> value if contains(local.account_names_for_account_ids_ssm_parameter,key)})'}}, 'postfix': '_'}, 'ssm_parameters.account.parameters': {'ids': {'description': 'Selected modernisation platform AWS account IDs managed by baseline module', 'value': 'jsonencode({for key , value in ${module.environment} : key :> value if contains(local.account_names_for_account_ids_ssm_parameter,key)})'}}, 'ssm_parameters.account.parameters.ids': {'description': 'Selected modernisation platform AWS account IDs managed by baseline module', 'value': 'jsonencode({for key , value in ${module.environment} : key :> value if contains(local.account_names_for_account_ids_ssm_parameter,key)})'}, 'ssm_parameters.account.parameters.ids.description': 'Selected modernisation platform AWS account IDs managed by baseline module', 'ssm_parameters.account.parameters.ids.value': 'jsonencode({for key , value in ${module.environment} : key :> value if contains(local.account_names_for_account_ids_ssm_parameter,key)})', 'ssm_parameters.account.postfix': '_', 'ssm_parameters.cloud-watch-config': {'parameters': {'windows': {'description': 'cloud watch agent config for windows managed by baseline module', 'file': './templates/cloud_watch_windows.json', 'type': 'String'}}, 'postfix': '-'}, 'ssm_parameters.cloud-watch-config.parameters': {'windows': {'description': 'cloud watch agent config for windows managed by baseline module', 'file': './templates/cloud_watch_windows.json', 'type': 'String'}}, 'ssm_parameters.cloud-watch-config.parameters.windows': {'description': 'cloud watch agent config for windows managed by baseline module', 'file': './templates/cloud_watch_windows.json', 'type': 'String'}, 'ssm_parameters.cloud-watch-config.parameters.windows.description': 'cloud watch agent config for windows managed by baseline module', 'ssm_parameters.cloud-watch-config.parameters.windows.file': './templates/cloud_watch_windows.json', 'ssm_parameters.cloud-watch-config.parameters.windows.type': 'String', 'ssm_parameters.cloud-watch-config.postfix': '-'}. Falling back to explicitly setting it.Exception - Parse error at 1:16 near token / (SORT_DIRECTION)
2024-11-22 09:54:20,020 [MainThread  ] [WARNI]  Failed updating attribute for key: secretsmanager_secrets./ec2/.ssh and value {'recovery_window_in_days': 7} forvertex attributes {'secretsmanager_secrets': {'/ec2/.ssh': {'recovery_window_in_days': 7, 'secrets': {'ec2-user': {'description': 'Private key for ec2-user key pair'}}}}, 'secretsmanager_secrets./ec2/.ssh': {'recovery_window_in_days': 7, 'secrets': {'ec2-user': {'description': 'Private key for ec2-user key pair'}}}, 'secretsmanager_secrets./ec2/.ssh.recovery_window_in_days': 7, 'secretsmanager_secrets./ec2/.ssh.secrets': {'ec2-user': {'description': 'Private key for ec2-user key pair'}}, 'secretsmanager_secrets./ec2/.ssh.secrets.ec2-user': {'description': 'Private key for ec2-user key pair'}, 'secretsmanager_secrets./ec2/.ssh.secrets.ec2-user.description': 'Private key for ec2-user key pair'}. Falling back to explicitly setting it.Exception - Parse error at 1:24 near token / (SORT_DIRECTION)
2024-11-22 09:54:20,042 [MainThread  ] [WARNI]  Failed updating attribute for key: ssm_parameters./oam and value {'parameters': '{for oam_link in coalesce(${merge({\'cloudwatch_dashboard_default_widget_groups\': [\'ec2\', \'ec2_autoscaling_group_linux\', \'ec2_instance_linux\', \'ec2_instance_oracle_db_with_backup\', \'ec2_instance_textfile_monitoring\', \'ec2_linux\', \'lb\'], \'cloudwatch_metric_alarms_default_actions\': \'pagerduty\', \'cloudwatch_metric_oam_links\': \'hmpps-oem-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'cloudwatch_metric_oam_links_ssm_parameters\': \'hmpps-oem-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'db_backup_more_permissions\': True, \'enable_backup_plan_daily_and_weekly\': True, \'enable_business_unit_kms_cmks\': True, \'enable_ec2_cloud_watch_agent\': True, \'enable_ec2_oracle_enterprise_managed_server\': True, \'enable_ec2_self_provision\': True, \'enable_ec2_session_manager_cloudwatch_logs\': True, \'enable_ec2_ssm_agent_update\': True, \'enable_ec2_user_keypair\': True, \'enable_image_builder\': True, \'enable_s3_bucket\': True, \'enable_s3_db_backup_bucket\': True, \'enable_s3_shared_bucket\': True, \'enable_vmimport\': True, \'s3_bucket_name\': \'oasys-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'s3_iam_policies\': \'EC2S3BucketWriteAndDeleteAccessPolicy\'},[])},[]) : oam_link :> {\'description\': \'oam sink_identifier to use in aws_oam_link resource\'}}'} forvertex attributes {'ssm_parameters': {'/azure': {'parameters': {'sas_token': {'description': 'database backup storage account read-only sas token'}}}, '/oam': {'parameters': '{for oam_link in coalesce(${merge({\'cloudwatch_dashboard_default_widget_groups\': [\'ec2\', \'ec2_autoscaling_group_linux\', \'ec2_instance_linux\', \'ec2_instance_oracle_db_with_backup\', \'ec2_instance_textfile_monitoring\', \'ec2_linux\', \'lb\'], \'cloudwatch_metric_alarms_default_actions\': \'pagerduty\', \'cloudwatch_metric_oam_links\': \'hmpps-oem-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'cloudwatch_metric_oam_links_ssm_parameters\': \'hmpps-oem-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'db_backup_more_permissions\': True, \'enable_backup_plan_daily_and_weekly\': True, \'enable_business_unit_kms_cmks\': True, \'enable_ec2_cloud_watch_agent\': True, \'enable_ec2_oracle_enterprise_managed_server\': True, \'enable_ec2_self_provision\': True, \'enable_ec2_session_manager_cloudwatch_logs\': True, \'enable_ec2_ssm_agent_update\': True, \'enable_ec2_user_keypair\': True, \'enable_image_builder\': True, \'enable_s3_bucket\': True, \'enable_s3_db_backup_bucket\': True, \'enable_s3_shared_bucket\': True, \'enable_vmimport\': True, \'s3_bucket_name\': \'oasys-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'s3_iam_policies\': \'EC2S3BucketWriteAndDeleteAccessPolicy\'},[])},[]) : oam_link :> {\'description\': \'oam sink_identifier to use in aws_oam_link resource\'}}'}, 'account': {'parameters': {'ids': {'description': 'Selected modernisation platform AWS account IDs managed by baseline module', 'value': 'jsonencode({for key , value in ${module.environment} : key :> value if contains(local.account_names_for_account_ids_ssm_parameter,key)})'}}, 'postfix': '_'}, 'cloud-watch-config': {'parameters': {'windows': {'description': 'cloud watch agent config for windows managed by baseline module', 'file': './templates/cloud_watch_windows.json', 'type': 'String'}}, 'postfix': '-'}}, 'ssm_parameters./azure': {'parameters': {'sas_token': {'description': 'database backup storage account read-only sas token'}}}, 'ssm_parameters./azure.parameters': {'sas_token': {'description': 'database backup storage account read-only sas token'}}, 'ssm_parameters./azure.parameters.sas_token': {'description': 'database backup storage account read-only sas token'}, 'ssm_parameters./azure.parameters.sas_token.description': 'database backup storage account read-only sas token', 'ssm_parameters./oam': {'parameters': '{for oam_link in coalesce(${merge({\'cloudwatch_dashboard_default_widget_groups\': [\'ec2\', \'ec2_autoscaling_group_linux\', \'ec2_instance_linux\', \'ec2_instance_oracle_db_with_backup\', \'ec2_instance_textfile_monitoring\', \'ec2_linux\', \'lb\'], \'cloudwatch_metric_alarms_default_actions\': \'pagerduty\', \'cloudwatch_metric_oam_links\': \'hmpps-oem-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'cloudwatch_metric_oam_links_ssm_parameters\': \'hmpps-oem-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'db_backup_more_permissions\': True, \'enable_backup_plan_daily_and_weekly\': True, \'enable_business_unit_kms_cmks\': True, \'enable_ec2_cloud_watch_agent\': True, \'enable_ec2_oracle_enterprise_managed_server\': True, \'enable_ec2_self_provision\': True, \'enable_ec2_session_manager_cloudwatch_logs\': True, \'enable_ec2_ssm_agent_update\': True, \'enable_ec2_user_keypair\': True, \'enable_image_builder\': True, \'enable_s3_bucket\': True, \'enable_s3_db_backup_bucket\': True, \'enable_s3_shared_bucket\': True, \'enable_vmimport\': True, \'s3_bucket_name\': \'oasys-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'s3_iam_policies\': \'EC2S3BucketWriteAndDeleteAccessPolicy\'},[])},[]) : oam_link :> {\'description\': \'oam sink_identifier to use in aws_oam_link resource\'}}'}, 'ssm_parameters./oam.parameters': '{for oam_link in coalesce(${merge({\'cloudwatch_dashboard_default_widget_groups\': [\'ec2\', \'ec2_autoscaling_group_linux\', \'ec2_instance_linux\', \'ec2_instance_oracle_db_with_backup\', \'ec2_instance_textfile_monitoring\', \'ec2_linux\', \'lb\'], \'cloudwatch_metric_alarms_default_actions\': \'pagerduty\', \'cloudwatch_metric_oam_links\': \'hmpps-oem-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'cloudwatch_metric_oam_links_ssm_parameters\': \'hmpps-oem-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'db_backup_more_permissions\': True, \'enable_backup_plan_daily_and_weekly\': True, \'enable_business_unit_kms_cmks\': True, \'enable_ec2_cloud_watch_agent\': True, \'enable_ec2_oracle_enterprise_managed_server\': True, \'enable_ec2_self_provision\': True, \'enable_ec2_session_manager_cloudwatch_logs\': True, \'enable_ec2_ssm_agent_update\': True, \'enable_ec2_user_keypair\': True, \'enable_image_builder\': True, \'enable_s3_bucket\': True, \'enable_s3_db_backup_bucket\': True, \'enable_s3_shared_bucket\': True, \'enable_vmimport\': True, \'s3_bucket_name\': \'oasys-${trimprefix(terraform.workspace,"${var.networking[0].application}-")}\', \'s3_iam_policies\': \'EC2S3BucketWriteAndDeleteAccessPolicy\'},[])},[]) : oam_link :> {\'description\': \'oam sink_identifier to use in aws_oam_link resource\'}}', 'ssm_parameters.account': {'parameters': {'ids': {'description': 'Selected modernisation platform AWS account IDs managed by baseline module', 'value': 'jsonencode({for key , value in ${module.environment} : key :> value if contains(local.account_names_for_account_ids_ssm_parameter,key)})'}}, 'postfix': '_'}, 'ssm_parameters.account.parameters': {'ids': {'description': 'Selected modernisation platform AWS account IDs managed by baseline module', 'value': 'jsonencode({for key , value in ${module.environment} : key :> value if contains(local.account_names_for_account_ids_ssm_parameter,key)})'}}, 'ssm_parameters.account.parameters.ids': {'description': 'Selected modernisation platform AWS account IDs managed by baseline module', 'value': 'jsonencode({for key , value in ${module.environment} : key :> value if contains(local.account_names_for_account_ids_ssm_parameter,key)})'}, 'ssm_parameters.account.parameters.ids.description': 'Selected modernisation platform AWS account IDs managed by baseline module', 'ssm_parameters.account.parameters.ids.value': 'jsonencode({for key , value in ${module.environment} : key :> value if contains(local.account_names_for_account_ids_ssm_parameter,key)})', 'ssm_parameters.account.postfix': '_', 'ssm_parameters.cloud-watch-config': {'parameters': {'windows': {'description': 'cloud watch agent config for windows managed by baseline module', 'file': './templates/cloud_watch_windows.json', 'type': 'String'}}, 'postfix': '-'}, 'ssm_parameters.cloud-watch-config.parameters': {'windows': {'description': 'cloud watch agent config for windows managed by baseline module', 'file': './templates/cloud_watch_windows.json', 'type': 'String'}}, 'ssm_parameters.cloud-watch-config.parameters.windows': {'description': 'cloud watch agent config for windows managed by baseline module', 'file': './templates/cloud_watch_windows.json', 'type': 'String'}, 'ssm_parameters.cloud-watch-config.parameters.windows.description': 'cloud watch agent config for windows managed by baseline module', 'ssm_parameters.cloud-watch-config.parameters.windows.file': './templates/cloud_watch_windows.json', 'ssm_parameters.cloud-watch-config.parameters.windows.type': 'String', 'ssm_parameters.cloud-watch-config.postfix': '-'}. Falling back to explicitly setting it.Exception - Parse error at 1:16 near token / (SORT_DIRECTION)
terraform scan results:

Passed checks: 177, Failed checks: 8, Skipped checks: 24

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: module.baseline.module.schedule_alarms_lambda.aws_lambda_function.alarm_scheduler
	File: /../../modules/schedule_alarms_lambda/main.tf:8-27
	Calling File: /../../modules/baseline/schedule_alarms_lambda.tf:1-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		8  | resource "aws_lambda_function" "alarm_scheduler" {
		9  |   filename         = "${path.module}/lambda/alarm_scheduler.zip"
		10 |   function_name    = var.lambda_function_name
		11 |   architectures    = ["arm64"]
		12 |   role             = aws_iam_role.lambda_exec.arn
		13 |   runtime          = "python3.12"
		14 |   handler          = "alarm_scheduler.lambda_handler"
		15 |   source_code_hash = data.archive_file.lambda_function_payload.output_base64sha256
		16 |   timeout          = 10
		17 | 
		18 |   environment {
		19 |     variables = {
		20 |       LOG_LEVEL       = var.lambda_log_level
		21 |       SPECIFIC_ALARMS = tostring(join(",", var.alarm_list))
		22 |       ALARM_PATTERNS  = tostring(join(",", var.alarm_patterns))
		23 |     }
		24 |   }
		25 | 
		26 |   tags = var.tags
		27 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: module.baseline.module.schedule_alarms_lambda.aws_lambda_function.alarm_scheduler
	File: /../../modules/schedule_alarms_lambda/main.tf:8-27
	Calling File: /../../modules/baseline/schedule_alarms_lambda.tf:1-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		8  | resource "aws_lambda_function" "alarm_scheduler" {
		9  |   filename         = "${path.module}/lambda/alarm_scheduler.zip"
		10 |   function_name    = var.lambda_function_name
		11 |   architectures    = ["arm64"]
		12 |   role             = aws_iam_role.lambda_exec.arn
		13 |   runtime          = "python3.12"
		14 |   handler          = "alarm_scheduler.lambda_handler"
		15 |   source_code_hash = data.archive_file.lambda_function_payload.output_base64sha256
		16 |   timeout          = 10
		17 | 
		18 |   environment {
		19 |     variables = {
		20 |       LOG_LEVEL       = var.lambda_log_level
		21 |       SPECIFIC_ALARMS = tostring(join(",", var.alarm_list))
		22 |       ALARM_PATTERNS  = tostring(join(",", var.alarm_patterns))
		23 |     }
		24 |   }
		25 | 
		26 |   tags = var.tags
		27 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: module.baseline.module.schedule_alarms_lambda.aws_lambda_function.alarm_scheduler
	File: /../../modules/schedule_alarms_lambda/main.tf:8-27
	Calling File: /../../modules/baseline/schedule_alarms_lambda.tf:1-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		8  | resource "aws_lambda_function" "alarm_scheduler" {
		9  |   filename         = "${path.module}/lambda/alarm_scheduler.zip"
		10 |   function_name    = var.lambda_function_name
		11 |   architectures    = ["arm64"]
		12 |   role             = aws_iam_role.lambda_exec.arn
		13 |   runtime          = "python3.12"
		14 |   handler          = "alarm_scheduler.lambda_handler"
		15 |   source_code_hash = data.archive_file.lambda_function_payload.output_base64sha256
		16 |   timeout          = 10
		17 | 
		18 |   environment {
		19 |     variables = {
		20 |       LOG_LEVEL       = var.lambda_log_level
		21 |       SPECIFIC_ALARMS = tostring(join(",", var.alarm_list))
		22 |       ALARM_PATTERNS  = tostring(join(",", var.alarm_patterns))
		23 |     }
		24 |   }
		25 | 
		26 |   tags = var.tags
		27 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: module.baseline.module.schedule_alarms_lambda.aws_lambda_function.alarm_scheduler
	File: /../../modules/schedule_alarms_lambda/main.tf:8-27
	Calling File: /../../modules/baseline/schedule_alarms_lambda.tf:1-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		8  | resource "aws_lambda_function" "alarm_scheduler" {
		9  |   filename         = "${path.module}/lambda/alarm_scheduler.zip"
		10 |   function_name    = var.lambda_function_name
		11 |   architectures    = ["arm64"]
		12 |   role             = aws_iam_role.lambda_exec.arn
		13 |   runtime          = "python3.12"
		14 |   handler          = "alarm_scheduler.lambda_handler"
		15 |   source_code_hash = data.archive_file.lambda_function_payload.output_base64sha256
		16 |   timeout          = 10
		17 | 
		18 |   environment {
		19 |     variables = {
		20 |       LOG_LEVEL       = var.lambda_log_level
		21 |       SPECIFIC_ALARMS = tostring(join(",", var.alarm_list))
		22 |       ALARM_PATTERNS  = tostring(join(",", var.alarm_patterns))
		23 |     }
		24 |   }
		25 | 
		26 |   tags = var.tags
		27 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: module.baseline.module.schedule_alarms_lambda.aws_lambda_function.alarm_scheduler
	File: /../../modules/schedule_alarms_lambda/main.tf:8-27
	Calling File: /../../modules/baseline/schedule_alarms_lambda.tf:1-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		8  | resource "aws_lambda_function" "alarm_scheduler" {
		9  |   filename         = "${path.module}/lambda/alarm_scheduler.zip"
		10 |   function_name    = var.lambda_function_name
		11 |   architectures    = ["arm64"]
		12 |   role             = aws_iam_role.lambda_exec.arn
		13 |   runtime          = "python3.12"
		14 |   handler          = "alarm_scheduler.lambda_handler"
		15 |   source_code_hash = data.archive_file.lambda_function_payload.output_base64sha256
		16 |   timeout          = 10
		17 | 
		18 |   environment {
		19 |     variables = {
		20 |       LOG_LEVEL       = var.lambda_log_level
		21 |       SPECIFIC_ALARMS = tostring(join(",", var.alarm_list))
		22 |       ALARM_PATTERNS  = tostring(join(",", var.alarm_patterns))
		23 |     }
		24 |   }
		25 | 
		26 |   tags = var.tags
		27 | }

Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
	FAILED for resource: module.baseline.module.schedule_alarms_lambda.aws_lambda_function.alarm_scheduler
	File: /../../modules/schedule_alarms_lambda/main.tf:8-27
	Calling File: /../../modules/baseline/schedule_alarms_lambda.tf:1-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1

		8  | resource "aws_lambda_function" "alarm_scheduler" {
		9  |   filename         = "${path.module}/lambda/alarm_scheduler.zip"
		10 |   function_name    = var.lambda_function_name
		11 |   architectures    = ["arm64"]
		12 |   role             = aws_iam_role.lambda_exec.arn
		13 |   runtime          = "python3.12"
		14 |   handler          = "alarm_scheduler.lambda_handler"
		15 |   source_code_hash = data.archive_file.lambda_function_payload.output_base64sha256
		16 |   timeout          = 10
		17 | 
		18 |   environment {
		19 |     variables = {
		20 |       LOG_LEVEL       = var.lambda_log_level
		21 |       SPECIFIC_ALARMS = tostring(join(",", var.alarm_list))
		22 |       ALARM_PATTERNS  = tostring(join(",", var.alarm_patterns))
		23 |     }
		24 |   }
		25 | 
		26 |   tags = var.tags
		27 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: module.baseline.module.schedule_alarms_lambda.aws_cloudwatch_log_group.execution_logs
	File: /../../modules/schedule_alarms_lambda/main.tf:29-34
	Calling File: /../../modules/baseline/schedule_alarms_lambda.tf:1-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		29 | resource "aws_cloudwatch_log_group" "execution_logs" {
		30 |   name              = format("/aws/lambda/%s", var.lambda_function_name)
		31 |   retention_in_days = 7
		32 | 
		33 |   tags = var.tags
		34 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: module.baseline.module.schedule_alarms_lambda.aws_cloudwatch_log_group.execution_logs
	File: /../../modules/schedule_alarms_lambda/main.tf:29-34
	Calling File: /../../modules/baseline/schedule_alarms_lambda.tf:1-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		29 | resource "aws_cloudwatch_log_group" "execution_logs" {
		30 |   name              = format("/aws/lambda/%s", var.lambda_function_name)
		31 |   retention_in_days = 7
		32 | 
		33 |   tags = var.tags
		34 | }


checkov_exitcode=2

*****************************

Running Checkov in terraform/modules/ip_addresses
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39

checkov_exitcode=2

CTFLint Scan Failed

Show Output 
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/delius-jitbit
terraform/environments/oasys
terraform/modules/ip_addresses

*****************************

Running tflint in terraform/environments/delius-jitbit
Excluding the following checks: terraform_unused_declarations
2 issue(s) found:

Warning: Missing version constraint for provider "archive" in `required_providers` (terraform_required_providers)

  on terraform/environments/delius-jitbit/ses_bounce.tf line 23:
  23: data "archive_file" "lambda_function_payload_bounce_email_notification" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "external" in `required_providers` (terraform_required_providers)

  on terraform/environments/delius-jitbit/waf.tf line 57:
  57: data "external" "shield_waf" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

tflint_exitcode=2

*****************************

Running tflint in terraform/environments/oasys
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=2

*****************************

Running tflint in terraform/modules/ip_addresses
Excluding the following checks: terraform_unused_declarations
1 issue(s) found:

Warning: Duplicate key: "ark_dc_external_internet", first defined at terraform/modules/ip_addresses/moj.tf:30,5-29 (terraform_map_duplicate_keys)

  on terraform/modules/ip_addresses/moj.tf line 55:
  55:     ark_dc_external_internet = [

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_map_duplicate_keys.md

tflint_exitcode=4

Trivy Scan Success

Show Output 
*****************************

Trivy will check the following folders:
terraform/environments/delius-jitbit
terraform/environments/oasys
terraform/modules/ip_addresses

*****************************

Running Trivy in terraform/environments/delius-jitbit
2024-11-22T09:53:48Z	INFO	[vulndb] Need to update DB
2024-11-22T09:53:48Z	INFO	[vulndb] Downloading vulnerability DB...
2024-11-22T09:53:48Z	INFO	[vulndb] Downloading artifact...	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-11-22T09:53:50Z	INFO	[vulndb] Artifact successfully downloaded	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-11-22T09:53:50Z	INFO	[vuln] Vulnerability scanning is enabled
2024-11-22T09:53:50Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-11-22T09:53:50Z	INFO	[misconfig] Need to update the built-in checks
2024-11-22T09:53:50Z	INFO	[misconfig] Downloading the built-in checks...
2024-11-22T09:53:50Z	ERROR	[misconfig] Falling back to embedded checks	err="failed to download built-in policies: download error: OCI repository error: 1 error occurred:\n\t* GET https://ghcr.io/v2/aquasecurity/trivy-checks/manifests/1: TOOMANYREQUESTS: retry-after: 640.839µs, allowed: 44000/minute\n\n"
2024-11-22T09:53:50Z	INFO	[secret] Secret scanning is enabled
2024-11-22T09:53:50Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-11-22T09:53:50Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-11-22T09:53:51Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-11-22T09:53:51Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2024-11-22T09:53:51Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_vpc_security_group_egress_rule.load_balancer_egress_rule" value="cty.NilVal"
2024-11-22T09:53:51Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_vpc_security_group_ingress_rule.load_balancer_ingress_rule" value="cty.NilVal"
2024-11-22T09:53:52Z	ERROR	[terraform evaluator] Failed to load module. Maybe try 'terraform init'?	err="open cluster: no such file or directory"
2024-11-22T09:53:53Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2024-11-22T09:53:53Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2024-11-22T09:53:53Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-22T09:53:53Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-22T09:53:53Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.shield.aws_wafv2_web_acl_association.this" value="cty.NilVal"
2024-11-22T09:53:55Z	INFO	[terraform executor] Ignore finding	rule="aws-ssm-secret-use-customer-key" range="secrets.tf:5-15"
2024-11-22T09:53:55Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0/main.tf:157-165"
2024-11-22T09:53:55Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0/main.tf:157-165"
2024-11-22T09:53:55Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2024-11-22T09:53:55Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-user-attached-policies" range="iam.tf:150-156"
2024-11-22T09:53:55Z	INFO	[terraform executor] Ignore finding	rule="aws-elb-alb-not-public" range="lb.tf:9-28"
2024-11-22T09:53:55Z	INFO	Number of language-specific files	num=0
2024-11-22T09:53:55Z	INFO	Detected config files	num=14
trivy_exitcode=0

*****************************

Running Trivy in terraform/environments/oasys
2024-11-22T09:53:55Z	INFO	[vuln] Vulnerability scanning is enabled
2024-11-22T09:53:55Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-11-22T09:53:55Z	INFO	[misconfig] Need to update the built-in checks
2024-11-22T09:53:55Z	INFO	[misconfig] Downloading the built-in checks...
2024-11-22T09:53:55Z	ERROR	[misconfig] Falling back to embedded checks	err="failed to download built-in policies: download error: OCI repository error: 1 error occurred:\n\t* GET https://ghcr.io/v2/aquasecurity/trivy-checks/manifests/1: TOOMANYREQUESTS: retry-after: 58.799µs, allowed: 44000/minute\n\n"
2024-11-22T09:53:55Z	INFO	[secret] Secret scanning is enabled
2024-11-22T09:53:55Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-11-22T09:53:55Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-11-22T09:53:57Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-11-22T09:53:57Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2024-11-22T09:53:57Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.aws_backup_plan.this" value="cty.NilVal"
2024-11-22T09:53:57Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.aws_backup_selection.this" value="cty.NilVal"
2024-11-22T09:53:57Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.aws_cloudwatch_log_group.route53" value="cty.NilVal"
2024-11-22T09:53:57Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.aws_cloudwatch_log_group.this" value="cty.NilVal"
2024-11-22T09:53:57Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.aws_cloudwatch_log_metric_filter.this" value="cty.NilVal"
2024-11-22T09:53:57Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.aws_cloudwatch_metric_alarm.this" value="cty.NilVal"
2024-11-22T09:53:57Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.aws_iam_policy.this" value="cty.NilVal"
2024-11-22T09:53:57Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.aws_iam_role.this" value="cty.NilVal"
2024-11-22T09:53:57Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.aws_iam_role_policy_attachment.this" value="cty.NilVal"
2024-11-22T09:53:57Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.aws_iam_service_linked_role.this" value="cty.NilVal"
2024-11-22T09:53:57Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.aws_key_pair.this" value="cty.NilVal"
2024-11-22T09:53:57Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.aws_kms_grant.this" value="cty.NilVal"
2024-11-22T09:53:57Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.aws_lb_target_group.instance" value="cty.NilVal"
2024-11-22T09:53:57Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.aws_lb_target_group_attachment.instance" value="cty.NilVal"
2024-11-22T09:53:57Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.aws_oam_link.this" value="cty.NilVal"
2024-11-22T09:53:57Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.aws_oam_sink.this" value="cty.NilVal"
2024-11-22T09:53:57Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.aws_oam_sink_policy.monitoring_account_oam_sink_policy" value="cty.NilVal"
2024-11-22T09:53:57Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.aws_route53_query_log.this" value="cty.NilVal"
2024-11-22T09:53:57Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.aws_route53_record.core_network_services" value="cty.NilVal"
2024-11-22T09:53:57Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.aws_route53_record.core_vpc" value="cty.NilVal"
2024-11-22T09:53:57Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.aws_route53_record.self" value="cty.NilVal"
2024-11-22T09:53:57Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.aws_route53_resolver_endpoint.this" value="cty.NilVal"
2024-11-22T09:53:57Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.aws_route53_resolver_rule.this" value="cty.NilVal"
2024-11-22T09:53:57Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.aws_route53_resolver_rule_association.this" value="cty.NilVal"
2024-11-22T09:53:57Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.aws_route53_zone.this" value="cty.NilVal"
2024-11-22T09:53:57Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.aws_secretsmanager_secret.this" value="cty.NilVal"
2024-11-22T09:53:57Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.aws_secretsmanager_secret_version.fixed" value="cty.NilVal"
2024-11-22T09:53:57Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.aws_security_group.this" value="cty.NilVal"
2024-11-22T09:53:57Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.aws_security_group_rule.route53_resolver" value="cty.NilVal"
2024-11-22T09:53:57Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.aws_security_group_rule.this" value="cty.NilVal"
2024-11-22T09:53:57Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.aws_sns_topic.this" value="cty.NilVal"
2024-11-22T09:53:57Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.aws_sns_topic_subscription.this" value="cty.NilVal"
2024-11-22T09:53:57Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.aws_ssm_association.this" value="cty.NilVal"
2024-11-22T09:53:57Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.aws_ssm_document.this" value="cty.NilVal"
2024-11-22T09:53:57Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.aws_ssm_parameter.fixed" value="cty.NilVal"
2024-11-22T09:53:57Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.aws_ssm_parameter.placeholder" value="cty.NilVal"
2024-11-22T09:53:57Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.data.aws_iam_policy_document.assume_role" value="cty.NilVal"
2024-11-22T09:53:57Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.data.aws_iam_policy_document.secretsmanager_secret_policy" value="cty.NilVal"
2024-11-22T09:53:57Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.data.aws_iam_policy_document.this" value="cty.NilVal"
2024-11-22T09:53:57Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.module.acm_certificate" value="cty.NilVal"
2024-11-22T09:53:57Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.module.cloudwatch_dashboard" value="cty.NilVal"
2024-11-22T09:53:57Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.module.ec2_autoscaling_group" value="cty.NilVal"
2024-11-22T09:53:57Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.module.ec2_instance" value="cty.NilVal"
2024-11-22T09:53:57Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.module.efs" value="cty.NilVal"
2024-11-22T09:53:57Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.module.fsx_windows" value="cty.NilVal"
2024-11-22T09:53:57Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.module.lb" value="cty.NilVal"
2024-11-22T09:53:57Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.module.lb_listener" value="cty.NilVal"
2024-11-22T09:53:57Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.module.s3_bucket" value="cty.NilVal"
2024-11-22T09:53:57Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.random_password.secrets" value="cty.NilVal"
2024-11-22T09:53:57Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.random_password.this" value="cty.NilVal"
2024-11-22T09:53:57Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.module.bastion_linux[0].aws_s3_object.user_public_keys" value="cty.NilVal"
2024-11-22T09:53:57Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.module.bastion_linux[0].data.aws_subnet.local_account" value="cty.NilVal"
2024-11-22T09:53:57Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.baseline.module.bastion_linux[0].aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-22T09:53:57Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.baseline.module.bastion_linux[0].aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-22T09:53:57Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.baseline.module.bastion_linux[0].module.s3-bucket.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-22T09:53:57Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.baseline.module.bastion_linux[0].module.s3-bucket.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-22T09:53:58Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.environment.data.aws_route53_zone.core_network_services" value="cty.NilVal"
2024-11-22T09:53:58Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.environment.data.aws_route53_zone.core_vpc" value="cty.NilVal"
2024-11-22T09:53:58Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.environment.data.aws_subnet.this" value="cty.NilVal"
2024-11-22T09:53:58Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.environment.data.aws_subnets.this" value="cty.NilVal"
2024-11-22T09:53:58Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.module.bastion_linux[0].aws_s3_object.user_public_keys" value="cty.NilVal"
2024-11-22T09:53:58Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.baseline.module.bastion_linux[0].data.aws_subnet.local_account" value="cty.NilVal"
2024-11-22T09:53:58Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.baseline.module.bastion_linux[0].aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-22T09:53:58Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.baseline.module.bastion_linux[0].aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-22T09:53:58Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.baseline.module.bastion_linux[0].module.s3-bucket.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-22T09:53:58Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.baseline.module.bastion_linux[0].module.s3-bucket.aws_s3_bucket_lifecycle_configuration.default" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_lifecycle_configuration.default.dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-22T09:53:59Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=836db079348a2b40d59bd9cb953111e8ad61aec1/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=7b2b75c178f855d8c48d3bda4ac53df782288c02/main.tf:141-151"
2024-11-22T09:53:59Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v8.1.0/main.tf:150-160"
2024-11-22T09:53:59Z	INFO	Number of language-specific files	num=0
2024-11-22T09:53:59Z	INFO	Detected config files	num=3
trivy_exitcode=0

*****************************

Running Trivy in terraform/modules/ip_addresses
2024-11-22T09:53:59Z	INFO	[vuln] Vulnerability scanning is enabled
2024-11-22T09:53:59Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-11-22T09:53:59Z	INFO	[misconfig] Need to update the built-in checks
2024-11-22T09:53:59Z	INFO	[misconfig] Downloading the built-in checks...
2024-11-22T09:54:00Z	ERROR	[misconfig] Falling back to embedded checks	err="failed to download built-in policies: download error: OCI repository error: 1 error occurred:\n\t* GET https://ghcr.io/v2/aquasecurity/trivy-checks/manifests/1: TOOMANYREQUESTS: retry-after: 362.247µs, allowed: 44000/minute\n\n"
2024-11-22T09:54:00Z	INFO	[secret] Secret scanning is enabled
2024-11-22T09:54:00Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-11-22T09:54:00Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-11-22T09:54:00Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-11-22T09:54:00Z	INFO	Number of language-specific files	num=0
2024-11-22T09:54:00Z	INFO	Detected config files	num=1
trivy_exitcode=0

@modernisation-platform-ci
Copy link
Contributor

@drobinson-moj Terraform plan evaluation detected changes to resources that require approval from a member of @ministryofjustice/modernisation-platform - please contact #ask-modernisation-platform for assistance

Guidance on approving these PRs is available at https://user-guide.modernisation-platform.service.justice.gov.uk/runbooks/reviewing-mp-environments-prs.html#process-for-approving-prs

modernisation-platform-ci
modernisation-platform-ci requested changes Nov 22, 2024
View reviewed changes
Copy link
Contributor

@modernisation-platform-ci modernisation-platform-ci left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Terraform plan evaluation detected changes to resources that require approval from @ministryofjustice/modernsation-platform - please contact #ask-modernisation-platform for assistance

@modernisation-platform-ci
Copy link
Contributor

@drobinson-moj Terraform plan evaluation detected changes to resources that require approval from a member of @ministryofjustice/modernisation-platform - please contact #ask-modernisation-platform for assistance

Guidance on approving these PRs is available at https://user-guide.modernisation-platform.service.justice.gov.uk/runbooks/reviewing-mp-environments-prs.html#process-for-approving-prs

modernisation-platform-ci
modernisation-platform-ci requested changes Nov 22, 2024
View reviewed changes
Copy link
Contributor

@modernisation-platform-ci modernisation-platform-ci left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Terraform plan evaluation detected changes to resources that require approval from @ministryofjustice/modernsation-platform - please contact #ask-modernisation-platform for assistance

modernisation-platform-ci
modernisation-platform-ci requested changes Nov 22, 2024
View reviewed changes
Copy link
Contributor

@modernisation-platform-ci modernisation-platform-ci left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Terraform plan evaluation detected changes to resources that require approval from @ministryofjustice/modernsation-platform - please contact #ask-modernisation-platform for assistance

@modernisation-platform-ci
Copy link
Contributor

@drobinson-moj Terraform plan evaluation detected changes to resources that require approval from a member of @ministryofjustice/modernisation-platform - please contact #ask-modernisation-platform for assistance

Guidance on approving these PRs is available at https://user-guide.modernisation-platform.service.justice.gov.uk/runbooks/reviewing-mp-environments-prs.html#process-for-approving-prs

modernisation-platform-ci
modernisation-platform-ci previously requested changes Nov 22, 2024
View reviewed changes
Copy link
Contributor

@modernisation-platform-ci modernisation-platform-ci left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Terraform plan evaluation detected changes to resources that require approval from @ministryofjustice/modernsation-platform - please contact #ask-modernisation-platform for assistance

@modernisation-platform-ci
Copy link
Contributor

@drobinson-moj Terraform plan evaluation detected changes to resources that require approval from a member of @ministryofjustice/modernisation-platform - please contact #ask-modernisation-platform for assistance

Guidance on approving these PRs is available at https://user-guide.modernisation-platform.service.justice.gov.uk/runbooks/reviewing-mp-environments-prs.html#process-for-approving-prs

mikereiddigital
mikereiddigital approved these changes Nov 22, 2024
View reviewed changes
Copy link
Contributor

@mikereiddigital mikereiddigital left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lg2m

@drobinson-moj drobinson-moj merged commit aa24d2d into main Nov 22, 2024
21 of 26 checks passed
@drobinson-moj drobinson-moj deleted the oasys/INC2742748/ip-allow-list-update branch November 22, 2024 10:20
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mikereiddigital mikereiddigital mikereiddigital approved these changes

@wullub wullub wullub approved these changes

@modernisation-platform-ci modernisation-platform-ci modernisation-platform-ci left review comments

Assignees
No one assigned
Labels
environments-repository Used to exclude PRs from this repo in our Slack PR update
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@drobinson-moj @modernisation-platform-ci @wullub @mikereiddigital