Update 271124 7 #8830

nbuckingham72 · 2024-11-27T13:44:43Z

Adding secure string ssm parameter.

github-actions · 2024-11-27T13:47:00Z

`Trivy Scan` Success

Show Output

```hcl

Trivy will check the following folders:
terraform/environments/ppud

Running Trivy in terraform/environments/ppud
2024-11-27T13:46:46Z INFO [vulndb] Need to update DB
2024-11-27T13:46:46Z INFO [vulndb] Downloading vulnerability DB...
2024-11-27T13:46:46Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-11-27T13:46:48Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-11-27T13:46:48Z INFO [vuln] Vulnerability scanning is enabled
2024-11-27T13:46:48Z INFO [misconfig] Misconfiguration scanning is enabled
2024-11-27T13:46:48Z INFO [misconfig] Need to update the built-in checks
2024-11-27T13:46:48Z INFO [misconfig] Downloading the built-in checks...
160.25 KiB / 160.25 KiB [------------------------------------------------------] 100.00% ? p/s 100ms2024-11-27T13:46:49Z INFO [secret] Secret scanning is enabled
2024-11-27T13:46:49Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-11-27T13:46:49Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-11-27T13:46:50Z INFO [terraform scanner] Scanning root module file_path="."
2024-11-27T13:46:50Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2024-11-27T13:46:50Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_cloudwatch_metric_alarm.Memory_percentage_Committed_Bytes_In_Use" value="cty.NilVal"
2024-11-27T13:46:50Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_cloudwatch_metric_alarm.Windows_IIS_check" value="cty.NilVal"
2024-11-27T13:46:50Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_cloudwatch_metric_alarm.cpu" value="cty.NilVal"
2024-11-27T13:46:50Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_cloudwatch_metric_alarm.cpu_usage_iowait" value="cty.NilVal"
2024-11-27T13:46:50Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_cloudwatch_metric_alarm.instance_health_check" value="cty.NilVal"
2024-11-27T13:46:50Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_cloudwatch_metric_alarm.linux_cpu" value="cty.NilVal"
2024-11-27T13:46:50Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_cloudwatch_metric_alarm.linux_cpu_usage_iowait" value="cty.NilVal"
2024-11-27T13:46:50Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_cloudwatch_metric_alarm.linux_ec2_high_memory_usage" value="cty.NilVal"
2024-11-27T13:46:50Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_cloudwatch_metric_alarm.linux_instance_health_check" value="cty.NilVal"
2024-11-27T13:46:50Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_cloudwatch_metric_alarm.linux_system_health_check" value="cty.NilVal"
2024-11-27T13:46:50Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_cloudwatch_metric_alarm.low_disk_space_C_volume" value="cty.NilVal"
2024-11-27T13:46:50Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_cloudwatch_metric_alarm.low_disk_space_D_volume" value="cty.NilVal"
2024-11-27T13:46:50Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_cloudwatch_metric_alarm.low_disk_space_root_volume" value="cty.NilVal"
2024-11-27T13:46:50Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_cloudwatch_metric_alarm.malware_event_behavior_detected" value="cty.NilVal"
2024-11-27T13:46:50Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_cloudwatch_metric_alarm.malware_event_engine_out_of_date" value="cty.NilVal"
2024-11-27T13:46:50Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_cloudwatch_metric_alarm.malware_event_engine_update_failed" value="cty.NilVal"
2024-11-27T13:46:50Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_cloudwatch_metric_alarm.malware_event_scan_failed" value="cty.NilVal"
2024-11-27T13:46:50Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_cloudwatch_metric_alarm.malware_event_signature_update_failed" value="cty.NilVal"
2024-11-27T13:46:50Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_cloudwatch_metric_alarm.malware_event_state_detected" value="cty.NilVal"
2024-11-27T13:46:50Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_cloudwatch_metric_alarm.system_health_check" value="cty.NilVal"
2024-11-27T13:46:50Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="data.aws_instance.linux_instance_details" value="cty.NilVal"
2024-11-27T13:46:50Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="data.aws_instance.windows_instance_details" value="cty.NilVal"
2024-11-27T13:46:51Z INFO [terraform executor] Ignore finding rule="aws-s3-enable-bucket-encryption" range="s3.tf:119-132"
2024-11-27T13:46:51Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="s3.tf:119-132"
2024-11-27T13:46:51Z INFO [terraform executor] Ignore finding rule="aws-elb-alb-not-public" range="alb_external.tf:92"
2024-11-27T13:46:51Z INFO [terraform executor] Ignore finding rule="aws-iam-no-user-attached-policies" range="iam.tf:925-932"
2024-11-27T13:46:51Z INFO Number of language-specific files num=0
2024-11-27T13:46:51Z INFO Detected config files num=6
trivy_exitcode=0

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/ppud

*****************************

Running Checkov in terraform/environments/ppud
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
terraform scan results:

Passed checks: 1087, Failed checks: 9, Skipped checks: 156

Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
	FAILED for resource: aws_lb.WAM-ALB
	File: /alb_external.tf:88-108
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22

		88  | resource "aws_lb" "WAM-ALB" {
		89  |   # checkov:skip=CKV2_AWS_28: "ALB is already protected by WAF"
		90  |   # checkov:skip=CKV_AWS_152: "ALB target groups only have 2 targets so cross zone load balancing is not required"
		91  |   name               = local.application_data.accounts[local.environment].WAM_ALB
		92  |   internal           = false
		93  |   load_balancer_type = "application"
		94  |   security_groups    = [aws_security_group.WAM-ALB.id]
		95  |   subnets            = [data.aws_subnet.public_subnets_a.id, data.aws_subnet.public_subnets_b.id]
		96  |   #  access_logs {
		97  |   #    bucket  = aws_s3_bucket.moj-log-files-dev[0].id
		98  |   #    prefix  = "alb-logs"
		99  |   #    enabled = true
		100 |   #  }
		101 | 
		102 |   enable_deletion_protection = true
		103 |   drop_invalid_header_fields = true
		104 | 
		105 |   tags = {
		106 |     Name = "${var.networking[0].business-unit}-${local.environment}"
		107 |   }
		108 | }

Check: CKV_AWS_378: "Ensure AWS Load Balancer doesn't use HTTP protocol"
	FAILED for resource: aws_lb_target_group.WAM-Target-Group-Preprod
	File: /alb_external.tf:221-242

		221 | resource "aws_lb_target_group" "WAM-Target-Group-Preprod" {
		222 |   count    = local.is-preproduction == true ? 1 : 0
		223 |   name     = "WAM-Preprod"
		224 |   port     = 80
		225 |   protocol = "HTTP"
		226 |   vpc_id   = data.aws_vpc.shared.id
		227 | 
		228 |   health_check {
		229 |     enabled             = true
		230 |     path                = "/"
		231 |     interval            = 30
		232 |     protocol            = "HTTP"
		233 |     port                = 80
		234 |     timeout             = 5
		235 |     healthy_threshold   = 5
		236 |     unhealthy_threshold = 2
		237 |     matcher             = "302"
		238 |   }
		239 |   tags = {
		240 |     Name = "${var.networking[0].business-unit}-${local.environment}"
		241 |   }
		242 | }

Check: CKV_AWS_378: "Ensure AWS Load Balancer doesn't use HTTP protocol"
	FAILED for resource: aws_lb_target_group.WAM-Target-Group-Prod
	File: /alb_external.tf:244-265

		244 | resource "aws_lb_target_group" "WAM-Target-Group-Prod" {
		245 |   count    = local.is-production == true ? 1 : 0
		246 |   name     = "WAM-Prod"
		247 |   port     = 80
		248 |   protocol = "HTTP"
		249 |   vpc_id   = data.aws_vpc.shared.id
		250 | 
		251 |   health_check {
		252 |     enabled             = true
		253 |     path                = "/"
		254 |     interval            = 30
		255 |     protocol            = "HTTP"
		256 |     port                = 80
		257 |     timeout             = 5
		258 |     healthy_threshold   = 5
		259 |     unhealthy_threshold = 2
		260 |     matcher             = "302"
		261 |   }
		262 |   tags = {
		263 |     Name = "${var.networking[0].business-unit}-${local.environment}"
		264 |   }
		265 | }

Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
	FAILED for resource: aws_lb.PPUD-internal-ALB
	File: /alb_internal.tf:5-26
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22

		5  | resource "aws_lb" "PPUD-internal-ALB" {
		6  |   # checkov:skip=CKV_AWS_152: "ALB target groups only have 2 targets so cross zone load balancing is not required"
		7  |   count              = local.is-development == false ? 1 : 0
		8  |   name               = local.application_data.accounts[local.environment].PPUD_Internal_ALB
		9  |   internal           = true
		10 |   idle_timeout       = 240
		11 |   load_balancer_type = "application"
		12 |   security_groups    = [aws_security_group.PPUD-ALB.id]
		13 |   subnets            = [data.aws_subnet.private_subnets_b.id, data.aws_subnet.private_subnets_c.id]
		14 |   #  access_logs {
		15 |   #    bucket  = aws_s3_bucket.moj-log-files-uat[0].id
		16 |   #    prefix  = "alb-logs"
		17 |   #    enabled = true
		18 |   #  }
		19 | 
		20 |   enable_deletion_protection = true
		21 |   drop_invalid_header_fields = true
		22 | 
		23 |   tags = {
		24 |     Name = "${var.networking[0].business-unit}-${local.environment}"
		25 |   }
		26 | }

Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
	FAILED for resource: aws_lb.ppud_internal_nlb
	File: /endpointservice.tf:17-36
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22

		17 | resource "aws_lb" "ppud_internal_nlb" {
		18 |   # checkov:skip=CKV2_AWS_28: "ALB is already protected by WAF"
		19 |   # checkov:skip=CKV_AWS_152: "ALB target groups only have 2 targets so cross zone load balancing is not required"
		20 |   count                      = local.is-production == true ? 1 : 0
		21 |   name                       = "ppud-internal-nlb"
		22 |   internal                   = true
		23 |   load_balancer_type         = "network"
		24 |   subnets                    = [data.aws_subnet.private_subnets_b.id, data.aws_subnet.private_subnets_c.id]
		25 |   security_groups            = [aws_security_group.PPUD-ALB.id]
		26 |   enable_deletion_protection = true
		27 |   #access_logs {
		28 |   # bucket  = aws_s3_bucket.moj-log-files-prod[0].id
		29 |   # prefix  = "alb-logs"
		30 |   # enabled = true
		31 |   #}
		32 | 
		33 |   tags = {
		34 |     Name = "${var.networking[0].business-unit}-${local.environment}"
		35 |   }
		36 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.terraform_lambda_func_send_cpu_graph_dev
	File: /lambda.tf:498-522
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		498 | resource "aws_lambda_function" "terraform_lambda_func_send_cpu_graph_dev" {
		499 |   # checkov:skip=CKV_AWS_117: "PPUD Lambda functions do not require VPC access and can run in no-VPC mode"
		500 |   count                          = local.is-development == true ? 1 : 0
		501 |   filename                       = "${path.module}/lambda_scripts/send_cpu_graph_dev.zip"
		502 |   function_name                  = "send_cpu_graph"
		503 |   role                           = aws_iam_role.lambda_role_cloudwatch_get_metric_data_dev[0].arn
		504 |   handler                        = "send_cpu_graph_dev.lambda_handler"
		505 |   runtime                        = "python3.12"
		506 |   timeout                        = 300
		507 |   depends_on                     = [aws_iam_role_policy_attachment.attach_lambda_policy_cloudwatch_get_metric_data_to_lambda_role_cloudwatch_get_metric_data_dev]
		508 |   reserved_concurrent_executions = 5
		509 |  # code_signing_config_arn        = "arn:aws:lambda:eu-west-2:${local.environment_management.account_ids["ppud-development"]}:code-signing-config:csc-0c7136ccff2de748f"
		510 |  # dead_letter_config {
		511 |  #   target_arn = aws_sqs_queue.lambda_queue_dev[0].arn
		512 |  # }
		513 |   tracing_config {
		514 |     mode = "Active"
		515 |   }
		516 |    layers = [
		517 |     "arn:aws:lambda:eu-west-2:770693421928:layer:Klayers-p312-numpy:8", #Publically available ARN for numpy package
		518 |     "arn:aws:lambda:eu-west-2:770693421928:layer:Klayers-p312-pillow:1" #Publically available ARN for pillow package
		519 | #   "arn:aws:lambda:eu-west-2:${data.aws_ssm_parameter.klayers_account.value}:layer:Klayers-p312-numpy:8",
		520 | #   "arn:aws:lambda:eu-west-2:${data.aws_ssm_parameter.klayers_account.value}:layer:Klayers-p312-pillow:1" 
		521 |   ]
		522 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.terraform_lambda_func_send_cpu_graph_dev
	File: /lambda.tf:498-522
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		498 | resource "aws_lambda_function" "terraform_lambda_func_send_cpu_graph_dev" {
		499 |   # checkov:skip=CKV_AWS_117: "PPUD Lambda functions do not require VPC access and can run in no-VPC mode"
		500 |   count                          = local.is-development == true ? 1 : 0
		501 |   filename                       = "${path.module}/lambda_scripts/send_cpu_graph_dev.zip"
		502 |   function_name                  = "send_cpu_graph"
		503 |   role                           = aws_iam_role.lambda_role_cloudwatch_get_metric_data_dev[0].arn
		504 |   handler                        = "send_cpu_graph_dev.lambda_handler"
		505 |   runtime                        = "python3.12"
		506 |   timeout                        = 300
		507 |   depends_on                     = [aws_iam_role_policy_attachment.attach_lambda_policy_cloudwatch_get_metric_data_to_lambda_role_cloudwatch_get_metric_data_dev]
		508 |   reserved_concurrent_executions = 5
		509 |  # code_signing_config_arn        = "arn:aws:lambda:eu-west-2:${local.environment_management.account_ids["ppud-development"]}:code-signing-config:csc-0c7136ccff2de748f"
		510 |  # dead_letter_config {
		511 |  #   target_arn = aws_sqs_queue.lambda_queue_dev[0].arn
		512 |  # }
		513 |   tracing_config {
		514 |     mode = "Active"
		515 |   }
		516 |    layers = [
		517 |     "arn:aws:lambda:eu-west-2:770693421928:layer:Klayers-p312-numpy:8", #Publically available ARN for numpy package
		518 |     "arn:aws:lambda:eu-west-2:770693421928:layer:Klayers-p312-pillow:1" #Publically available ARN for pillow package
		519 | #   "arn:aws:lambda:eu-west-2:${data.aws_ssm_parameter.klayers_account.value}:layer:Klayers-p312-numpy:8",
		520 | #   "arn:aws:lambda:eu-west-2:${data.aws_ssm_parameter.klayers_account.value}:layer:Klayers-p312-pillow:1" 
		521 |   ]
		522 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.Live-DOC-Server
	File: /security_group.tf:419-428
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		419 | resource "aws_security_group" "Live-DOC-Server" {
		420 |   count       = local.is-preproduction == false ? 1 : 0
		421 |   vpc_id      = data.aws_vpc.shared.id
		422 |   name        = "Live-DOC-Server"
		423 |   description = "Live-DOC-Server for DEV & PROD"
		424 | 
		425 |   tags = {
		426 |     Name = "${var.networking[0].business-unit}-${local.environment}"
		427 |   }
		428 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.Archive-DOC-Server
	File: /security_group.tf:574-583
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		574 | resource "aws_security_group" "Archive-DOC-Server" {
		575 |   count       = local.is-preproduction == false ? 1 : 0
		576 |   vpc_id      = data.aws_vpc.shared.id
		577 |   name        = "Archive-DOC-Server"
		578 |   description = "Archive-DOC-Server for DEV & PROD"
		579 | 
		580 |   tags = {
		581 |     Name = "${var.networking[0].business-unit}-${local.environment}"
		582 |   }
		583 | }


checkov_exitcode=1

`CTFLint Scan` Failed

Show Output

*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/ppud

*****************************

Running tflint in terraform/environments/ppud
Excluding the following checks: terraform_unused_declarations
2 issue(s) found:

Warning: Missing version constraint for provider "archive" in `required_providers` (terraform_required_providers)

  on terraform/environments/ppud/certificate_mgmt.tf line 201:
 201: data "archive_file" "zip_the_certificate_expiry_prod" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "random" in `required_providers` (terraform_required_providers)

  on terraform/environments/ppud/secrets.tf line 7:
   7: resource "random_password" "password" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

tflint_exitcode=2

`Trivy Scan` Success

Show Output

*****************************

Trivy will check the following folders:
terraform/environments/ppud

*****************************

Running Trivy in terraform/environments/ppud
2024-11-27T13:46:46Z	INFO	[vulndb] Need to update DB
2024-11-27T13:46:46Z	INFO	[vulndb] Downloading vulnerability DB...
2024-11-27T13:46:46Z	INFO	[vulndb] Downloading artifact...	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-11-27T13:46:48Z	INFO	[vulndb] Artifact successfully downloaded	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-11-27T13:46:48Z	INFO	[vuln] Vulnerability scanning is enabled
2024-11-27T13:46:48Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-11-27T13:46:48Z	INFO	[misconfig] Need to update the built-in checks
2024-11-27T13:46:48Z	INFO	[misconfig] Downloading the built-in checks...
160.25 KiB / 160.25 KiB [------------------------------------------------------] 100.00% ? p/s 100ms2024-11-27T13:46:49Z	INFO	[secret] Secret scanning is enabled
2024-11-27T13:46:49Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-11-27T13:46:49Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-11-27T13:46:50Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-11-27T13:46:50Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2024-11-27T13:46:50Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_cloudwatch_metric_alarm.Memory_percentage_Committed_Bytes_In_Use" value="cty.NilVal"
2024-11-27T13:46:50Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_cloudwatch_metric_alarm.Windows_IIS_check" value="cty.NilVal"
2024-11-27T13:46:50Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_cloudwatch_metric_alarm.cpu" value="cty.NilVal"
2024-11-27T13:46:50Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_cloudwatch_metric_alarm.cpu_usage_iowait" value="cty.NilVal"
2024-11-27T13:46:50Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_cloudwatch_metric_alarm.instance_health_check" value="cty.NilVal"
2024-11-27T13:46:50Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_cloudwatch_metric_alarm.linux_cpu" value="cty.NilVal"
2024-11-27T13:46:50Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_cloudwatch_metric_alarm.linux_cpu_usage_iowait" value="cty.NilVal"
2024-11-27T13:46:50Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_cloudwatch_metric_alarm.linux_ec2_high_memory_usage" value="cty.NilVal"
2024-11-27T13:46:50Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_cloudwatch_metric_alarm.linux_instance_health_check" value="cty.NilVal"
2024-11-27T13:46:50Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_cloudwatch_metric_alarm.linux_system_health_check" value="cty.NilVal"
2024-11-27T13:46:50Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_cloudwatch_metric_alarm.low_disk_space_C_volume" value="cty.NilVal"
2024-11-27T13:46:50Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_cloudwatch_metric_alarm.low_disk_space_D_volume" value="cty.NilVal"
2024-11-27T13:46:50Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_cloudwatch_metric_alarm.low_disk_space_root_volume" value="cty.NilVal"
2024-11-27T13:46:50Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_cloudwatch_metric_alarm.malware_event_behavior_detected" value="cty.NilVal"
2024-11-27T13:46:50Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_cloudwatch_metric_alarm.malware_event_engine_out_of_date" value="cty.NilVal"
2024-11-27T13:46:50Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_cloudwatch_metric_alarm.malware_event_engine_update_failed" value="cty.NilVal"
2024-11-27T13:46:50Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_cloudwatch_metric_alarm.malware_event_scan_failed" value="cty.NilVal"
2024-11-27T13:46:50Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_cloudwatch_metric_alarm.malware_event_signature_update_failed" value="cty.NilVal"
2024-11-27T13:46:50Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_cloudwatch_metric_alarm.malware_event_state_detected" value="cty.NilVal"
2024-11-27T13:46:50Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_cloudwatch_metric_alarm.system_health_check" value="cty.NilVal"
2024-11-27T13:46:50Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="data.aws_instance.linux_instance_details" value="cty.NilVal"
2024-11-27T13:46:50Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="data.aws_instance.windows_instance_details" value="cty.NilVal"
2024-11-27T13:46:51Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-enable-bucket-encryption" range="s3.tf:119-132"
2024-11-27T13:46:51Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="s3.tf:119-132"
2024-11-27T13:46:51Z	INFO	[terraform executor] Ignore finding	rule="aws-elb-alb-not-public" range="alb_external.tf:92"
2024-11-27T13:46:51Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-user-attached-policies" range="iam.tf:925-932"
2024-11-27T13:46:51Z	INFO	Number of language-specific files	num=0
2024-11-27T13:46:51Z	INFO	Detected config files	num=6
trivy_exitcode=0

Updated to terraform_version: "1.9.8"

github-actions · 2024-11-27T13:50:26Z

`Trivy Scan` Success

Show Output

```hcl

Trivy will check the following folders:
terraform/environments/ppud

Running Trivy in terraform/environments/ppud
2024-11-27T13:50:13Z INFO [vulndb] Need to update DB
2024-11-27T13:50:13Z INFO [vulndb] Downloading vulnerability DB...
2024-11-27T13:50:13Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-11-27T13:50:15Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-11-27T13:50:15Z INFO [vuln] Vulnerability scanning is enabled
2024-11-27T13:50:15Z INFO [misconfig] Misconfiguration scanning is enabled
2024-11-27T13:50:15Z INFO [misconfig] Need to update the built-in checks
2024-11-27T13:50:15Z INFO [misconfig] Downloading the built-in checks...
2024-11-27T13:50:15Z ERROR [misconfig] Falling back to embedded checks err="failed to download built-in policies: download error: OCI repository error: 1 error occurred:\n\t* GET https://ghcr.io/v2/aquasecurity/trivy-checks/manifests/1: TOOMANYREQUESTS: retry-after: 306.546µs, allowed: 44000/minute\n\n"
2024-11-27T13:50:15Z INFO [secret] Secret scanning is enabled
2024-11-27T13:50:15Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-11-27T13:50:15Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-11-27T13:50:16Z INFO [terraform scanner] Scanning root module file_path="."
2024-11-27T13:50:17Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2024-11-27T13:50:17Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_cloudwatch_metric_alarm.Memory_percentage_Committed_Bytes_In_Use" value="cty.NilVal"
2024-11-27T13:50:17Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_cloudwatch_metric_alarm.Windows_IIS_check" value="cty.NilVal"
2024-11-27T13:50:17Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_cloudwatch_metric_alarm.cpu" value="cty.NilVal"
2024-11-27T13:50:17Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_cloudwatch_metric_alarm.cpu_usage_iowait" value="cty.NilVal"
2024-11-27T13:50:17Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_cloudwatch_metric_alarm.instance_health_check" value="cty.NilVal"
2024-11-27T13:50:17Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_cloudwatch_metric_alarm.linux_cpu" value="cty.NilVal"
2024-11-27T13:50:17Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_cloudwatch_metric_alarm.linux_cpu_usage_iowait" value="cty.NilVal"
2024-11-27T13:50:17Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_cloudwatch_metric_alarm.linux_ec2_high_memory_usage" value="cty.NilVal"
2024-11-27T13:50:17Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_cloudwatch_metric_alarm.linux_instance_health_check" value="cty.NilVal"
2024-11-27T13:50:17Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_cloudwatch_metric_alarm.linux_system_health_check" value="cty.NilVal"
2024-11-27T13:50:17Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_cloudwatch_metric_alarm.low_disk_space_C_volume" value="cty.NilVal"
2024-11-27T13:50:17Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_cloudwatch_metric_alarm.low_disk_space_D_volume" value="cty.NilVal"
2024-11-27T13:50:17Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_cloudwatch_metric_alarm.low_disk_space_root_volume" value="cty.NilVal"
2024-11-27T13:50:17Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_cloudwatch_metric_alarm.malware_event_behavior_detected" value="cty.NilVal"
2024-11-27T13:50:17Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_cloudwatch_metric_alarm.malware_event_engine_out_of_date" value="cty.NilVal"
2024-11-27T13:50:17Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_cloudwatch_metric_alarm.malware_event_engine_update_failed" value="cty.NilVal"
2024-11-27T13:50:17Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_cloudwatch_metric_alarm.malware_event_scan_failed" value="cty.NilVal"
2024-11-27T13:50:17Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_cloudwatch_metric_alarm.malware_event_signature_update_failed" value="cty.NilVal"
2024-11-27T13:50:17Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_cloudwatch_metric_alarm.malware_event_state_detected" value="cty.NilVal"
2024-11-27T13:50:17Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_cloudwatch_metric_alarm.system_health_check" value="cty.NilVal"
2024-11-27T13:50:17Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="data.aws_instance.linux_instance_details" value="cty.NilVal"
2024-11-27T13:50:17Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="data.aws_instance.windows_instance_details" value="cty.NilVal"
2024-11-27T13:50:18Z INFO [terraform executor] Ignore finding rule="aws-s3-enable-bucket-encryption" range="s3.tf:119-132"
2024-11-27T13:50:18Z INFO [terraform executor] Ignore finding rule="aws-iam-no-user-attached-policies" range="iam.tf:925-932"
2024-11-27T13:50:18Z INFO [terraform executor] Ignore finding rule="aws-elb-alb-not-public" range="alb_external.tf:88-108"
2024-11-27T13:50:18Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="s3.tf:119-132"
2024-11-27T13:50:18Z INFO Number of language-specific files num=0
2024-11-27T13:50:18Z INFO Detected config files num=6
trivy_exitcode=0

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/ppud

*****************************

Running Checkov in terraform/environments/ppud
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
terraform scan results:

Passed checks: 1087, Failed checks: 9, Skipped checks: 156

Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
	FAILED for resource: aws_lb.WAM-ALB
	File: /alb_external.tf:88-108
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22

		88  | resource "aws_lb" "WAM-ALB" {
		89  |   # checkov:skip=CKV2_AWS_28: "ALB is already protected by WAF"
		90  |   # checkov:skip=CKV_AWS_152: "ALB target groups only have 2 targets so cross zone load balancing is not required"
		91  |   name               = local.application_data.accounts[local.environment].WAM_ALB
		92  |   internal           = false
		93  |   load_balancer_type = "application"
		94  |   security_groups    = [aws_security_group.WAM-ALB.id]
		95  |   subnets            = [data.aws_subnet.public_subnets_a.id, data.aws_subnet.public_subnets_b.id]
		96  |   #  access_logs {
		97  |   #    bucket  = aws_s3_bucket.moj-log-files-dev[0].id
		98  |   #    prefix  = "alb-logs"
		99  |   #    enabled = true
		100 |   #  }
		101 | 
		102 |   enable_deletion_protection = true
		103 |   drop_invalid_header_fields = true
		104 | 
		105 |   tags = {
		106 |     Name = "${var.networking[0].business-unit}-${local.environment}"
		107 |   }
		108 | }

Check: CKV_AWS_378: "Ensure AWS Load Balancer doesn't use HTTP protocol"
	FAILED for resource: aws_lb_target_group.WAM-Target-Group-Preprod
	File: /alb_external.tf:221-242

		221 | resource "aws_lb_target_group" "WAM-Target-Group-Preprod" {
		222 |   count    = local.is-preproduction == true ? 1 : 0
		223 |   name     = "WAM-Preprod"
		224 |   port     = 80
		225 |   protocol = "HTTP"
		226 |   vpc_id   = data.aws_vpc.shared.id
		227 | 
		228 |   health_check {
		229 |     enabled             = true
		230 |     path                = "/"
		231 |     interval            = 30
		232 |     protocol            = "HTTP"
		233 |     port                = 80
		234 |     timeout             = 5
		235 |     healthy_threshold   = 5
		236 |     unhealthy_threshold = 2
		237 |     matcher             = "302"
		238 |   }
		239 |   tags = {
		240 |     Name = "${var.networking[0].business-unit}-${local.environment}"
		241 |   }
		242 | }

Check: CKV_AWS_378: "Ensure AWS Load Balancer doesn't use HTTP protocol"
	FAILED for resource: aws_lb_target_group.WAM-Target-Group-Prod
	File: /alb_external.tf:244-265

		244 | resource "aws_lb_target_group" "WAM-Target-Group-Prod" {
		245 |   count    = local.is-production == true ? 1 : 0
		246 |   name     = "WAM-Prod"
		247 |   port     = 80
		248 |   protocol = "HTTP"
		249 |   vpc_id   = data.aws_vpc.shared.id
		250 | 
		251 |   health_check {
		252 |     enabled             = true
		253 |     path                = "/"
		254 |     interval            = 30
		255 |     protocol            = "HTTP"
		256 |     port                = 80
		257 |     timeout             = 5
		258 |     healthy_threshold   = 5
		259 |     unhealthy_threshold = 2
		260 |     matcher             = "302"
		261 |   }
		262 |   tags = {
		263 |     Name = "${var.networking[0].business-unit}-${local.environment}"
		264 |   }
		265 | }

Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
	FAILED for resource: aws_lb.PPUD-internal-ALB
	File: /alb_internal.tf:5-26
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22

		5  | resource "aws_lb" "PPUD-internal-ALB" {
		6  |   # checkov:skip=CKV_AWS_152: "ALB target groups only have 2 targets so cross zone load balancing is not required"
		7  |   count              = local.is-development == false ? 1 : 0
		8  |   name               = local.application_data.accounts[local.environment].PPUD_Internal_ALB
		9  |   internal           = true
		10 |   idle_timeout       = 240
		11 |   load_balancer_type = "application"
		12 |   security_groups    = [aws_security_group.PPUD-ALB.id]
		13 |   subnets            = [data.aws_subnet.private_subnets_b.id, data.aws_subnet.private_subnets_c.id]
		14 |   #  access_logs {
		15 |   #    bucket  = aws_s3_bucket.moj-log-files-uat[0].id
		16 |   #    prefix  = "alb-logs"
		17 |   #    enabled = true
		18 |   #  }
		19 | 
		20 |   enable_deletion_protection = true
		21 |   drop_invalid_header_fields = true
		22 | 
		23 |   tags = {
		24 |     Name = "${var.networking[0].business-unit}-${local.environment}"
		25 |   }
		26 | }

Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
	FAILED for resource: aws_lb.ppud_internal_nlb
	File: /endpointservice.tf:17-36
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22

		17 | resource "aws_lb" "ppud_internal_nlb" {
		18 |   # checkov:skip=CKV2_AWS_28: "ALB is already protected by WAF"
		19 |   # checkov:skip=CKV_AWS_152: "ALB target groups only have 2 targets so cross zone load balancing is not required"
		20 |   count                      = local.is-production == true ? 1 : 0
		21 |   name                       = "ppud-internal-nlb"
		22 |   internal                   = true
		23 |   load_balancer_type         = "network"
		24 |   subnets                    = [data.aws_subnet.private_subnets_b.id, data.aws_subnet.private_subnets_c.id]
		25 |   security_groups            = [aws_security_group.PPUD-ALB.id]
		26 |   enable_deletion_protection = true
		27 |   #access_logs {
		28 |   # bucket  = aws_s3_bucket.moj-log-files-prod[0].id
		29 |   # prefix  = "alb-logs"
		30 |   # enabled = true
		31 |   #}
		32 | 
		33 |   tags = {
		34 |     Name = "${var.networking[0].business-unit}-${local.environment}"
		35 |   }
		36 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.terraform_lambda_func_send_cpu_graph_dev
	File: /lambda.tf:498-522
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		498 | resource "aws_lambda_function" "terraform_lambda_func_send_cpu_graph_dev" {
		499 |   # checkov:skip=CKV_AWS_117: "PPUD Lambda functions do not require VPC access and can run in no-VPC mode"
		500 |   count                          = local.is-development == true ? 1 : 0
		501 |   filename                       = "${path.module}/lambda_scripts/send_cpu_graph_dev.zip"
		502 |   function_name                  = "send_cpu_graph"
		503 |   role                           = aws_iam_role.lambda_role_cloudwatch_get_metric_data_dev[0].arn
		504 |   handler                        = "send_cpu_graph_dev.lambda_handler"
		505 |   runtime                        = "python3.12"
		506 |   timeout                        = 300
		507 |   depends_on                     = [aws_iam_role_policy_attachment.attach_lambda_policy_cloudwatch_get_metric_data_to_lambda_role_cloudwatch_get_metric_data_dev]
		508 |   reserved_concurrent_executions = 5
		509 |  # code_signing_config_arn        = "arn:aws:lambda:eu-west-2:${local.environment_management.account_ids["ppud-development"]}:code-signing-config:csc-0c7136ccff2de748f"
		510 |  # dead_letter_config {
		511 |  #   target_arn = aws_sqs_queue.lambda_queue_dev[0].arn
		512 |  # }
		513 |   tracing_config {
		514 |     mode = "Active"
		515 |   }
		516 |    layers = [
		517 |     "arn:aws:lambda:eu-west-2:770693421928:layer:Klayers-p312-numpy:8", #Publically available ARN for numpy package
		518 |     "arn:aws:lambda:eu-west-2:770693421928:layer:Klayers-p312-pillow:1" #Publically available ARN for pillow package
		519 | #   "arn:aws:lambda:eu-west-2:${data.aws_ssm_parameter.klayers_account.value}:layer:Klayers-p312-numpy:8",
		520 | #   "arn:aws:lambda:eu-west-2:${data.aws_ssm_parameter.klayers_account.value}:layer:Klayers-p312-pillow:1" 
		521 |   ]
		522 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.terraform_lambda_func_send_cpu_graph_dev
	File: /lambda.tf:498-522
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		498 | resource "aws_lambda_function" "terraform_lambda_func_send_cpu_graph_dev" {
		499 |   # checkov:skip=CKV_AWS_117: "PPUD Lambda functions do not require VPC access and can run in no-VPC mode"
		500 |   count                          = local.is-development == true ? 1 : 0
		501 |   filename                       = "${path.module}/lambda_scripts/send_cpu_graph_dev.zip"
		502 |   function_name                  = "send_cpu_graph"
		503 |   role                           = aws_iam_role.lambda_role_cloudwatch_get_metric_data_dev[0].arn
		504 |   handler                        = "send_cpu_graph_dev.lambda_handler"
		505 |   runtime                        = "python3.12"
		506 |   timeout                        = 300
		507 |   depends_on                     = [aws_iam_role_policy_attachment.attach_lambda_policy_cloudwatch_get_metric_data_to_lambda_role_cloudwatch_get_metric_data_dev]
		508 |   reserved_concurrent_executions = 5
		509 |  # code_signing_config_arn        = "arn:aws:lambda:eu-west-2:${local.environment_management.account_ids["ppud-development"]}:code-signing-config:csc-0c7136ccff2de748f"
		510 |  # dead_letter_config {
		511 |  #   target_arn = aws_sqs_queue.lambda_queue_dev[0].arn
		512 |  # }
		513 |   tracing_config {
		514 |     mode = "Active"
		515 |   }
		516 |    layers = [
		517 |     "arn:aws:lambda:eu-west-2:770693421928:layer:Klayers-p312-numpy:8", #Publically available ARN for numpy package
		518 |     "arn:aws:lambda:eu-west-2:770693421928:layer:Klayers-p312-pillow:1" #Publically available ARN for pillow package
		519 | #   "arn:aws:lambda:eu-west-2:${data.aws_ssm_parameter.klayers_account.value}:layer:Klayers-p312-numpy:8",
		520 | #   "arn:aws:lambda:eu-west-2:${data.aws_ssm_parameter.klayers_account.value}:layer:Klayers-p312-pillow:1" 
		521 |   ]
		522 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.Live-DOC-Server
	File: /security_group.tf:419-428
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		419 | resource "aws_security_group" "Live-DOC-Server" {
		420 |   count       = local.is-preproduction == false ? 1 : 0
		421 |   vpc_id      = data.aws_vpc.shared.id
		422 |   name        = "Live-DOC-Server"
		423 |   description = "Live-DOC-Server for DEV & PROD"
		424 | 
		425 |   tags = {
		426 |     Name = "${var.networking[0].business-unit}-${local.environment}"
		427 |   }
		428 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.Archive-DOC-Server
	File: /security_group.tf:574-583
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		574 | resource "aws_security_group" "Archive-DOC-Server" {
		575 |   count       = local.is-preproduction == false ? 1 : 0
		576 |   vpc_id      = data.aws_vpc.shared.id
		577 |   name        = "Archive-DOC-Server"
		578 |   description = "Archive-DOC-Server for DEV & PROD"
		579 | 
		580 |   tags = {
		581 |     Name = "${var.networking[0].business-unit}-${local.environment}"
		582 |   }
		583 | }


checkov_exitcode=1

`CTFLint Scan` Failed

Show Output

*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/ppud

*****************************

Running tflint in terraform/environments/ppud
Excluding the following checks: terraform_unused_declarations
2 issue(s) found:

Warning: Missing version constraint for provider "archive" in `required_providers` (terraform_required_providers)

  on terraform/environments/ppud/certificate_mgmt.tf line 201:
 201: data "archive_file" "zip_the_certificate_expiry_prod" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "random" in `required_providers` (terraform_required_providers)

  on terraform/environments/ppud/secrets.tf line 7:
   7: resource "random_password" "password" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

tflint_exitcode=2

`Trivy Scan` Success

Show Output

*****************************

Trivy will check the following folders:
terraform/environments/ppud

*****************************

Running Trivy in terraform/environments/ppud
2024-11-27T13:50:13Z	INFO	[vulndb] Need to update DB
2024-11-27T13:50:13Z	INFO	[vulndb] Downloading vulnerability DB...
2024-11-27T13:50:13Z	INFO	[vulndb] Downloading artifact...	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-11-27T13:50:15Z	INFO	[vulndb] Artifact successfully downloaded	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-11-27T13:50:15Z	INFO	[vuln] Vulnerability scanning is enabled
2024-11-27T13:50:15Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-11-27T13:50:15Z	INFO	[misconfig] Need to update the built-in checks
2024-11-27T13:50:15Z	INFO	[misconfig] Downloading the built-in checks...
2024-11-27T13:50:15Z	ERROR	[misconfig] Falling back to embedded checks	err="failed to download built-in policies: download error: OCI repository error: 1 error occurred:\n\t* GET https://ghcr.io/v2/aquasecurity/trivy-checks/manifests/1: TOOMANYREQUESTS: retry-after: 306.546µs, allowed: 44000/minute\n\n"
2024-11-27T13:50:15Z	INFO	[secret] Secret scanning is enabled
2024-11-27T13:50:15Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-11-27T13:50:15Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-11-27T13:50:16Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-11-27T13:50:17Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2024-11-27T13:50:17Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_cloudwatch_metric_alarm.Memory_percentage_Committed_Bytes_In_Use" value="cty.NilVal"
2024-11-27T13:50:17Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_cloudwatch_metric_alarm.Windows_IIS_check" value="cty.NilVal"
2024-11-27T13:50:17Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_cloudwatch_metric_alarm.cpu" value="cty.NilVal"
2024-11-27T13:50:17Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_cloudwatch_metric_alarm.cpu_usage_iowait" value="cty.NilVal"
2024-11-27T13:50:17Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_cloudwatch_metric_alarm.instance_health_check" value="cty.NilVal"
2024-11-27T13:50:17Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_cloudwatch_metric_alarm.linux_cpu" value="cty.NilVal"
2024-11-27T13:50:17Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_cloudwatch_metric_alarm.linux_cpu_usage_iowait" value="cty.NilVal"
2024-11-27T13:50:17Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_cloudwatch_metric_alarm.linux_ec2_high_memory_usage" value="cty.NilVal"
2024-11-27T13:50:17Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_cloudwatch_metric_alarm.linux_instance_health_check" value="cty.NilVal"
2024-11-27T13:50:17Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_cloudwatch_metric_alarm.linux_system_health_check" value="cty.NilVal"
2024-11-27T13:50:17Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_cloudwatch_metric_alarm.low_disk_space_C_volume" value="cty.NilVal"
2024-11-27T13:50:17Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_cloudwatch_metric_alarm.low_disk_space_D_volume" value="cty.NilVal"
2024-11-27T13:50:17Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_cloudwatch_metric_alarm.low_disk_space_root_volume" value="cty.NilVal"
2024-11-27T13:50:17Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_cloudwatch_metric_alarm.malware_event_behavior_detected" value="cty.NilVal"
2024-11-27T13:50:17Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_cloudwatch_metric_alarm.malware_event_engine_out_of_date" value="cty.NilVal"
2024-11-27T13:50:17Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_cloudwatch_metric_alarm.malware_event_engine_update_failed" value="cty.NilVal"
2024-11-27T13:50:17Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_cloudwatch_metric_alarm.malware_event_scan_failed" value="cty.NilVal"
2024-11-27T13:50:17Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_cloudwatch_metric_alarm.malware_event_signature_update_failed" value="cty.NilVal"
2024-11-27T13:50:17Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_cloudwatch_metric_alarm.malware_event_state_detected" value="cty.NilVal"
2024-11-27T13:50:17Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_cloudwatch_metric_alarm.system_health_check" value="cty.NilVal"
2024-11-27T13:50:17Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="data.aws_instance.linux_instance_details" value="cty.NilVal"
2024-11-27T13:50:17Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="data.aws_instance.windows_instance_details" value="cty.NilVal"
2024-11-27T13:50:18Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-enable-bucket-encryption" range="s3.tf:119-132"
2024-11-27T13:50:18Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-user-attached-policies" range="iam.tf:925-932"
2024-11-27T13:50:18Z	INFO	[terraform executor] Ignore finding	rule="aws-elb-alb-not-public" range="alb_external.tf:88-108"
2024-11-27T13:50:18Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="s3.tf:119-132"
2024-11-27T13:50:18Z	INFO	Number of language-specific files	num=0
2024-11-27T13:50:18Z	INFO	Detected config files	num=6
trivy_exitcode=0

Buckingham added 3 commits November 27, 2024 10:53

Update_271124_5

cc7c263

Update_271124_6

7aee9f2

Update_271124_7

c159726

nbuckingham72 requested review from a team as code owners November 27, 2024 13:44

github-actions bot added the environments-repository Used to exclude PRs from this repo in our Slack PR update label Nov 27, 2024

Update ppud.yml

75dd0dd

Updated to terraform_version: "1.9.8"

github-actions bot added the github-workflow label Nov 27, 2024

nbuckingham72 closed this Nov 27, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Update 271124 7 #8830

Update 271124 7 #8830

nbuckingham72 commented Nov 27, 2024

github-actions bot commented Nov 27, 2024

github-actions bot commented Nov 27, 2024

Update 271124 7 #8830

Update 271124 7 #8830

Conversation

nbuckingham72 commented Nov 27, 2024

github-actions bot commented Nov 27, 2024

Trivy Scan Success

CTFLint Scan Failed

Trivy Scan Success

github-actions bot commented Nov 27, 2024

Trivy Scan Success

CTFLint Scan Failed

Trivy Scan Success

`Trivy Scan` Success

`CTFLint Scan` Failed

`Trivy Scan` Success

`Trivy Scan` Success

`CTFLint Scan` Failed

`Trivy Scan` Success