Bump terraform-aws-modules/lambda/aws from 7.9.0 to 7.16.0 in /terraform/environments/analytical-platform-ingestion #8849

dependabot · 2024-11-28T01:06:50Z

Bumps terraform-aws-modules/lambda/aws from 7.9.0 to 7.16.0.

Release notes

Sourced from terraform-aws-modules/lambda/aws's releases.

v7.16.0

7.16.0 (2024-11-26)

Features

Radically redesign the build plan form (#646) (32d8d06)

v7.15.0

7.15.0 (2024-11-18)

Features

Make source_path blocks independent (#640) (0fdac2e)

v7.14.1

7.14.1 (2024-11-17)

Bug Fixes

Skip broken symlinks on hash computing (#639) (c28b940)

v7.14.0

7.14.0 (2024-10-11)

Features

Support lambda function vpc_config.ipv6_allowed_for_dual_stack and event source mapping tags (#628) (2a602f9)

Bug Fixes

Update CI workflow versions to latest (#631) (d06718f)

v7.13.0

7.13.0 (2024-10-05)

Features

Support aws_lambda_event_source_mapping.document_db_event_source_config (#626) (5d48199)

v7.12.0

7.12.0 (2024-10-05)

Features

... (truncated)

Changelog

Sourced from terraform-aws-modules/lambda/aws's changelog.

7.16.0 (2024-11-26)

Features

Radically redesign the build plan form (#646) (32d8d06)

7.15.0 (2024-11-18)

Features

Make source_path blocks independent (#640) (0fdac2e)

7.14.1 (2024-11-17)

Bug Fixes

Skip broken symlinks on hash computing (#639) (c28b940)

7.14.0 (2024-10-11)

Features

Support lambda function vpc_config.ipv6_allowed_for_dual_stack and event source mapping tags (#628) (2a602f9)

Bug Fixes

Update CI workflow versions to latest (#631) (d06718f)

7.13.0 (2024-10-05)

Features

Support aws_lambda_event_source_mapping.document_db_event_source_config (#626) (5d48199)

7.12.0 (2024-10-05)

Features

Add support for kafka event source config (#617) (2c077cb)

7.11.0 (2024-10-01)

... (truncated)

Commits

abd5a15 chore(release): version 7.16.0 [skip ci]
32d8d06 feat: Radically redesign the build plan form (#646)
1fe3e4a chore(release): version 7.15.0 [skip ci]
0fdac2e feat: Make source_path blocks independent (#640)
ce8417e chore(release): version 7.14.1 [skip ci]
c28b940 fix: Skip broken symlinks on hash computing (#639)
00a7172 chore(release): version 7.14.0 [skip ci]
2a602f9 feat: Support lambda function vpc_config.ipv6_allowed_for_dual_stack and ev...
d06718f fix: Update CI workflow versions to latest (#631)
7bd028b chore(release): version 7.13.0 [skip ci]
Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot merge will merge this PR after your CI passes on it
@dependabot squash and merge will squash and merge this PR after your CI passes on it
@dependabot cancel merge will cancel a previously requested merge and block automerging
@dependabot reopen will reopen this PR if it is closed
@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [terraform-aws-modules/lambda/aws](https://github.com/terraform-aws-modules/terraform-aws-lambda) from 7.9.0 to 7.16.0. - [Release notes](https://github.com/terraform-aws-modules/terraform-aws-lambda/releases) - [Changelog](https://github.com/terraform-aws-modules/terraform-aws-lambda/blob/master/CHANGELOG.md) - [Commits](terraform-aws-modules/terraform-aws-lambda@v7.9.0...v7.16.0) --- updated-dependencies: - dependency-name: terraform-aws-modules/lambda/aws dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]>

github-actions · 2024-11-28T01:09:17Z

`Trivy Scan` Failed

Show Output

```hcl

Trivy will check the following folders:
terraform/environments/analytical-platform-ingestion

Running Trivy in terraform/environments/analytical-platform-ingestion
2024-11-28T01:09:01Z INFO [vulndb] Need to update DB
2024-11-28T01:09:01Z INFO [vulndb] Downloading vulnerability DB...
2024-11-28T01:09:01Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-11-28T01:09:04Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-11-28T01:09:04Z INFO [vuln] Vulnerability scanning is enabled
2024-11-28T01:09:04Z INFO [misconfig] Misconfiguration scanning is enabled
2024-11-28T01:09:04Z INFO [misconfig] Need to update the built-in checks
2024-11-28T01:09:04Z INFO [misconfig] Downloading the built-in checks...
2024-11-28T01:09:04Z ERROR [misconfig] Falling back to embedded checks err="failed to download built-in policies: download error: OCI repository error: 1 error occurred:\n\t* GET https://ghcr.io/v2/aquasecurity/trivy-checks/manifests/1: TOOMANYREQUESTS: retry-after: 380.545µs, allowed: 44000/minute\n\n"
2024-11-28T01:09:04Z INFO [secret] Secret scanning is enabled
2024-11-28T01:09:04Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-11-28T01:09:04Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-11-28T01:09:05Z INFO [terraform scanner] Scanning root module file_path="."
2024-11-28T01:09:05Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2024-11-28T01:09:05Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.connected_vpc_transit_gateway_routes" value="cty.NilVal"
2024-11-28T01:09:05Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.sftp_users" value="cty.NilVal"
2024-11-28T01:09:05Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.sftp_users_with_egress" value="cty.NilVal"
2024-11-28T01:09:09Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.bold_egress_bucket.aws_s3_bucket_server_side_encryption_configuration.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_server_side_encryption_configuration.this[0].dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-28T01:09:09Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.bold_egress_bucket.aws_s3_bucket_server_side_encryption_configuration.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_server_side_encryption_configuration.this[0].dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-28T01:09:09Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.datasync_bucket.aws_s3_bucket_replication_configuration.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_replication_configuration.this[0].dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-28T01:09:09Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.datasync_bucket.aws_s3_bucket_server_side_encryption_configuration.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_server_side_encryption_configuration.this[0].dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-28T01:09:09Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.datasync_bucket.aws_s3_bucket_replication_configuration.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_replication_configuration.this[0].dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-28T01:09:09Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.datasync_bucket.aws_s3_bucket_server_side_encryption_configuration.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_server_side_encryption_configuration.this[0].dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-28T01:09:09Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.datasync_bucket.aws_s3_bucket_replication_configuration.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_replication_configuration.this[0].dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-28T01:09:09Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.datasync_bucket.aws_s3_bucket_server_side_encryption_configuration.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_server_side_encryption_configuration.this[0].dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-28T01:09:09Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.datasync_bucket.aws_s3_bucket_replication_configuration.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_replication_configuration.this[0].dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-28T01:09:09Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.datasync_bucket.aws_s3_bucket_server_side_encryption_configuration.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_server_side_encryption_configuration.this[0].dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-28T01:09:09Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.definition_upload_lambda.aws_lambda_function.this[0]" err="2 errors occurred:\n\t* invalid for-each in aws_lambda_function.this[0].dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_lambda_function.this[0].dynamic.logging_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-28T01:09:09Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.definition_upload_lambda.aws_lambda_function.this[0]" err="2 errors occurred:\n\t* invalid for-each in aws_lambda_function.this[0].dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_lambda_function.this[0].dynamic.logging_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-28T01:09:09Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.definition_upload_lambda.aws_lambda_function.this[0]" err="2 errors occurred:\n\t* invalid for-each in aws_lambda_function.this[0].dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_lambda_function.this[0].dynamic.logging_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-28T01:09:09Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.definition_upload_lambda.aws_lambda_function.this[0]" err="2 errors occurred:\n\t* invalid for-each in aws_lambda_function.this[0].dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_lambda_function.this[0].dynamic.logging_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-28T01:09:09Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.definitions_bucket.aws_s3_bucket_server_side_encryption_configuration.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_server_side_encryption_configuration.this[0].dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-28T01:09:09Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.definitions_bucket.aws_s3_bucket_server_side_encryption_configuration.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_server_side_encryption_configuration.this[0].dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-28T01:09:09Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.definition_upload_lambda.aws_lambda_function.this[0]" err="2 errors occurred:\n\t* invalid for-each in aws_lambda_function.this[0].dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_lambda_function.this[0].dynamic.logging_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-28T01:09:09Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.definition_upload_lambda.aws_lambda_function.this[0]" err="2 errors occurred:\n\t* invalid for-each in aws_lambda_function.this[0].dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_lambda_function.this[0].dynamic.logging_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-28T01:09:11Z INFO [terraform executor] Ignore finding rule="aws-s3-enable-bucket-encryption" range="git::https:/github.com/terraform-aws-modules/terraform-aws-s3-bucket?ref=8a0b697adfbc673e6135c70246cff7f8052ad95a/main.tf:176-198"
2024-11-28T01:09:11Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="git::https:/github.com/terraform-aws-modules/terraform-aws-s3-bucket?ref=8a0b697adfbc673e6135c70246cff7f8052ad95a/main.tf:176-198"
2024-11-28T01:09:11Z INFO [terraform executor] Ignore finding rule="aws-ec2-no-public-egress-sgr" range="terraform-aws-modules/security-group/aws/main.tf:533"
2024-11-28T01:09:11Z INFO [terraform executor] Ignore finding rule="aws-ec2-no-public-egress-sgr" range="terraform-aws-modules/security-group/aws/main.tf:534"
2024-11-28T01:09:11Z INFO Number of language-specific files num=0
2024-11-28T01:09:11Z INFO Detected config files num=8

git::https:/github.com/terraform-aws-modules/terraform-aws-alb?ref=349540d1a611cd98a6383cc64ef0d9bf08d88fb7/main.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
git::https:/github.com/terraform-aws-modules/terraform-aws-alb?ref=349540d1a611cd98a6383cc64ef0d9bf08d88fb7/main.tf:12-81
via network-load-balancers.tf:1-37 (module.datasync_activation_nlb)
────────────────────────────────────────
12 ┌ resource "aws_lb" "this" {
13 │ count = local.create ? 1 : 0
14 │
15 │ dynamic "access_logs" {
16 │ for_each = length(var.access_logs) > 0 ? [var.access_logs] : []
17 │
18 │ content {
19 │ bucket = access_logs.value.bucket
20 └ enabled = try(access_logs.value.enabled, true)
..
────────────────────────────────────────

git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf (terraform)

Tests: 4 (SUCCESSES: 0, FAILURES: 4)
Failures: 4 (HIGH: 0, CRITICAL: 4)

AVD-AWS-0102 (CRITICAL): Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.

See https://avd.aquasec.com/misconfig/aws-vpc-no-excessive-port-access
────────────────────────────────────────
git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:340
via git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:328-343 (aws_network_acl_rule.private_outbound[0])
via vpc.tf:1-23 (module.connected_vpc)
────────────────────────────────────────
328 resource "aws_network_acl_rule" "private_outbound" {
...
340 [ protocol = var.private_outbound_acl_rules[count.index]["protocol"]
...
343 }
────────────────────────────────────────

AVD-AWS-0102 (CRITICAL): Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.

See https://avd.aquasec.com/misconfig/aws-vpc-no-excessive-port-access
────────────────────────────────────────
git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:323
via git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:311-326 (aws_network_acl_rule.private_inbound[0])
via vpc.tf:1-23 (module.connected_vpc)
────────────────────────────────────────
311 resource "aws_network_acl_rule" "private_inbound" {
...
323 [ protocol = var.private_inbound_acl_rules[count.index]["protocol"]
...
326 }
────────────────────────────────────────

AVD-AWS-0102 (CRITICAL): Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.

See https://avd.aquasec.com/misconfig/aws-vpc-no-excessive-port-access
────────────────────────────────────────
git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:221
via git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:209-224 (aws_network_acl_rule.public_outbound[0])
via vpc.tf:1-23 (module.connected_vpc)
────────────────────────────────────────
209 resource "aws_network_acl_rule" "public_outbound" {
...
221 [ protocol = var.public_outbound_acl_rules[count.index]["protocol"]
...
224 }
────────────────────────────────────────

AVD-AWS-0102 (CRITICAL): Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.

See https://avd.aquasec.com/misconfig/aws-vpc-no-excessive-port-access
────────────────────────────────────────
git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:204
via git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:192-207 (aws_network_acl_rule.public_inbound[0])
via vpc.tf:1-23 (module.connected_vpc)
────────────────────────────────────────
192 resource "aws_network_acl_rule" "public_inbound" {
...
204 [ protocol = var.public_inbound_acl_rules[count.index]["protocol"]
...
207 }
────────────────────────────────────────

trivy_exitcode=1

</details> #### `Checkov Scan` Success
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/analytical-platform-ingestion

*****************************

Running Checkov in terraform/environments/analytical-platform-ingestion
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-11-28 01:09:13,596 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/cloudwatch/aws//modules/log-group:5.6.0 (for external modules, the --download-external-modules flag is required)
2024-11-28 01:09:13,596 [MainThread  ] [WARNI]  Failed to download module ministryofjustice/observability-platform-tenant/aws:1.2.0 (for external modules, the --download-external-modules flag is required)
2024-11-28 01:09:13,596 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/kms/aws:3.1.0 (for external modules, the --download-external-modules flag is required)
2024-11-28 01:09:13,596 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/route53/aws//modules/resolver-rule-associations:4.1.0 (for external modules, the --download-external-modules flag is required)
2024-11-28 01:09:13,597 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/secrets-manager/aws:1.3.1 (for external modules, the --download-external-modules flag is required)
2024-11-28 01:09:13,597 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/sns/aws:6.1.0 (for external modules, the --download-external-modules flag is required)
2024-11-28 01:09:13,597 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/vpc/aws//modules/vpc-endpoints:5.13.0 (for external modules, the --download-external-modules flag is required)
2024-11-28 01:09:13,597 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/route53/aws//modules/resolver-endpoints:4.1.0 (for external modules, the --download-external-modules flag is required)
2024-11-28 01:09:13,597 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/lambda/aws:7.16.0 (for external modules, the --download-external-modules flag is required)
2024-11-28 01:09:13,597 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/vpc/aws:5.13.0 (for external modules, the --download-external-modules flag is required)
2024-11-28 01:09:13,598 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-assumable-role:5.44.1 (for external modules, the --download-external-modules flag is required)
2024-11-28 01:09:13,598 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/s3-bucket/aws:4.1.2 (for external modules, the --download-external-modules flag is required)
2024-11-28 01:09:13,598 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/security-group/aws:5.2.0 (for external modules, the --download-external-modules flag is required)
2024-11-28 01:09:13,598 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/alb/aws:9.11.0 (for external modules, the --download-external-modules flag is required)
2024-11-28 01:09:13,598 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/s3-bucket/aws//modules/notification:4.1.2 (for external modules, the --download-external-modules flag is required)
2024-11-28 01:09:13,598 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-policy:5.44.1 (for external modules, the --download-external-modules flag is required)
2024-11-28 01:09:13,599 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/ec2-instance/aws:5.7.1 (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 201, Failed checks: 0, Skipped checks: 76


checkov_exitcode=0

`CTFLint Scan` Success

Show Output

*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/analytical-platform-ingestion

*****************************

Running tflint in terraform/environments/analytical-platform-ingestion
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

`Trivy Scan` Failed

Show Output

*****************************

Trivy will check the following folders:
terraform/environments/analytical-platform-ingestion

*****************************

Running Trivy in terraform/environments/analytical-platform-ingestion
2024-11-28T01:09:01Z	INFO	[vulndb] Need to update DB
2024-11-28T01:09:01Z	INFO	[vulndb] Downloading vulnerability DB...
2024-11-28T01:09:01Z	INFO	[vulndb] Downloading artifact...	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-11-28T01:09:04Z	INFO	[vulndb] Artifact successfully downloaded	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-11-28T01:09:04Z	INFO	[vuln] Vulnerability scanning is enabled
2024-11-28T01:09:04Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-11-28T01:09:04Z	INFO	[misconfig] Need to update the built-in checks
2024-11-28T01:09:04Z	INFO	[misconfig] Downloading the built-in checks...
2024-11-28T01:09:04Z	ERROR	[misconfig] Falling back to embedded checks	err="failed to download built-in policies: download error: OCI repository error: 1 error occurred:\n\t* GET https://ghcr.io/v2/aquasecurity/trivy-checks/manifests/1: TOOMANYREQUESTS: retry-after: 380.545µs, allowed: 44000/minute\n\n"
2024-11-28T01:09:04Z	INFO	[secret] Secret scanning is enabled
2024-11-28T01:09:04Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-11-28T01:09:04Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-11-28T01:09:05Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-11-28T01:09:05Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2024-11-28T01:09:05Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.connected_vpc_transit_gateway_routes" value="cty.NilVal"
2024-11-28T01:09:05Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.sftp_users" value="cty.NilVal"
2024-11-28T01:09:05Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.sftp_users_with_egress" value="cty.NilVal"
2024-11-28T01:09:09Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.bold_egress_bucket.aws_s3_bucket_server_side_encryption_configuration.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_server_side_encryption_configuration.this[0].dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-28T01:09:09Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.bold_egress_bucket.aws_s3_bucket_server_side_encryption_configuration.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_server_side_encryption_configuration.this[0].dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-28T01:09:09Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.datasync_bucket.aws_s3_bucket_replication_configuration.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_replication_configuration.this[0].dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-28T01:09:09Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.datasync_bucket.aws_s3_bucket_server_side_encryption_configuration.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_server_side_encryption_configuration.this[0].dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-28T01:09:09Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.datasync_bucket.aws_s3_bucket_replication_configuration.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_replication_configuration.this[0].dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-28T01:09:09Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.datasync_bucket.aws_s3_bucket_server_side_encryption_configuration.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_server_side_encryption_configuration.this[0].dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-28T01:09:09Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.datasync_bucket.aws_s3_bucket_replication_configuration.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_replication_configuration.this[0].dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-28T01:09:09Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.datasync_bucket.aws_s3_bucket_server_side_encryption_configuration.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_server_side_encryption_configuration.this[0].dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-28T01:09:09Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.datasync_bucket.aws_s3_bucket_replication_configuration.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_replication_configuration.this[0].dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-28T01:09:09Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.datasync_bucket.aws_s3_bucket_server_side_encryption_configuration.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_server_side_encryption_configuration.this[0].dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-28T01:09:09Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.definition_upload_lambda.aws_lambda_function.this[0]" err="2 errors occurred:\n\t* invalid for-each in aws_lambda_function.this[0].dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_lambda_function.this[0].dynamic.logging_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-28T01:09:09Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.definition_upload_lambda.aws_lambda_function.this[0]" err="2 errors occurred:\n\t* invalid for-each in aws_lambda_function.this[0].dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_lambda_function.this[0].dynamic.logging_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-28T01:09:09Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.definition_upload_lambda.aws_lambda_function.this[0]" err="2 errors occurred:\n\t* invalid for-each in aws_lambda_function.this[0].dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_lambda_function.this[0].dynamic.logging_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-28T01:09:09Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.definition_upload_lambda.aws_lambda_function.this[0]" err="2 errors occurred:\n\t* invalid for-each in aws_lambda_function.this[0].dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_lambda_function.this[0].dynamic.logging_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-28T01:09:09Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.definitions_bucket.aws_s3_bucket_server_side_encryption_configuration.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_server_side_encryption_configuration.this[0].dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-28T01:09:09Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.definitions_bucket.aws_s3_bucket_server_side_encryption_configuration.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_s3_bucket_server_side_encryption_configuration.this[0].dynamic.rule block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-28T01:09:09Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.definition_upload_lambda.aws_lambda_function.this[0]" err="2 errors occurred:\n\t* invalid for-each in aws_lambda_function.this[0].dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_lambda_function.this[0].dynamic.logging_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-28T01:09:09Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.definition_upload_lambda.aws_lambda_function.this[0]" err="2 errors occurred:\n\t* invalid for-each in aws_lambda_function.this[0].dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in aws_lambda_function.this[0].dynamic.logging_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-28T01:09:11Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-enable-bucket-encryption" range="git::https:/github.com/terraform-aws-modules/terraform-aws-s3-bucket?ref=8a0b697adfbc673e6135c70246cff7f8052ad95a/main.tf:176-198"
2024-11-28T01:09:11Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="git::https:/github.com/terraform-aws-modules/terraform-aws-s3-bucket?ref=8a0b697adfbc673e6135c70246cff7f8052ad95a/main.tf:176-198"
2024-11-28T01:09:11Z	INFO	[terraform executor] Ignore finding	rule="aws-ec2-no-public-egress-sgr" range="terraform-aws-modules/security-group/aws/main.tf:533"
2024-11-28T01:09:11Z	INFO	[terraform executor] Ignore finding	rule="aws-ec2-no-public-egress-sgr" range="terraform-aws-modules/security-group/aws/main.tf:534"
2024-11-28T01:09:11Z	INFO	Number of language-specific files	num=0
2024-11-28T01:09:11Z	INFO	Detected config files	num=8

git::https:/github.com/terraform-aws-modules/terraform-aws-alb?ref=349540d1a611cd98a6383cc64ef0d9bf08d88fb7/main.tf (terraform)
===============================================================================================================================
Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.


See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
 git::https:/github.com/terraform-aws-modules/terraform-aws-alb?ref=349540d1a611cd98a6383cc64ef0d9bf08d88fb7/main.tf:12-81
   via network-load-balancers.tf:1-37 (module.datasync_activation_nlb)
────────────────────────────────────────
  12 ┌ resource "aws_lb" "this" {
  13 │   count = local.create ? 1 : 0
  14 │ 
  15 │   dynamic "access_logs" {
  16 │     for_each = length(var.access_logs) > 0 ? [var.access_logs] : []
  17 │ 
  18 │     content {
  19 │       bucket  = access_logs.value.bucket
  20 └       enabled = try(access_logs.value.enabled, true)
  ..   
────────────────────────────────────────



git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf (terraform)
===============================================================================================================================
Tests: 4 (SUCCESSES: 0, FAILURES: 4)
Failures: 4 (HIGH: 0, CRITICAL: 4)

AVD-AWS-0102 (CRITICAL): Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.


See https://avd.aquasec.com/misconfig/aws-vpc-no-excessive-port-access
────────────────────────────────────────
 git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:340
   via git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:328-343 (aws_network_acl_rule.private_outbound[0])
    via vpc.tf:1-23 (module.connected_vpc)
────────────────────────────────────────
 328   resource "aws_network_acl_rule" "private_outbound" {
 ...   
 340 [   protocol        = var.private_outbound_acl_rules[count.index]["protocol"]
 ...   
 343   }
────────────────────────────────────────


AVD-AWS-0102 (CRITICAL): Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.


See https://avd.aquasec.com/misconfig/aws-vpc-no-excessive-port-access
────────────────────────────────────────
 git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:323
   via git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:311-326 (aws_network_acl_rule.private_inbound[0])
    via vpc.tf:1-23 (module.connected_vpc)
────────────────────────────────────────
 311   resource "aws_network_acl_rule" "private_inbound" {
 ...   
 323 [   protocol        = var.private_inbound_acl_rules[count.index]["protocol"]
 ...   
 326   }
────────────────────────────────────────


AVD-AWS-0102 (CRITICAL): Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.


See https://avd.aquasec.com/misconfig/aws-vpc-no-excessive-port-access
────────────────────────────────────────
 git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:221
   via git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:209-224 (aws_network_acl_rule.public_outbound[0])
    via vpc.tf:1-23 (module.connected_vpc)
────────────────────────────────────────
 209   resource "aws_network_acl_rule" "public_outbound" {
 ...   
 221 [   protocol        = var.public_outbound_acl_rules[count.index]["protocol"]
 ...   
 224   }
────────────────────────────────────────


AVD-AWS-0102 (CRITICAL): Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.


See https://avd.aquasec.com/misconfig/aws-vpc-no-excessive-port-access
────────────────────────────────────────
 git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:204
   via git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:192-207 (aws_network_acl_rule.public_inbound[0])
    via vpc.tf:1-23 (module.connected_vpc)
────────────────────────────────────────
 192   resource "aws_network_acl_rule" "public_inbound" {
 ...   
 204 [   protocol        = var.public_inbound_acl_rules[count.index]["protocol"]
 ...   
 207   }
────────────────────────────────────────


trivy_exitcode=1

dependabot · 2024-12-02T14:33:42Z

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.

dependabot bot added the dependencies Pull requests that update a dependency file label Nov 28, 2024

dependabot bot requested a review from a team as a code owner November 28, 2024 01:06

dependabot bot added the terraform Pull requests that update Terraform code label Nov 28, 2024

dependabot bot requested a review from a team as a code owner November 28, 2024 01:06

dependabot bot mentioned this pull request Nov 28, 2024

Bump terraform-aws-modules/lambda/aws from 7.9.0 to 7.15.0 in /terraform/environments/analytical-platform-ingestion #8705

Closed

github-actions bot added the environments-repository Used to exclude PRs from this repo in our Slack PR update label Nov 28, 2024

wullub closed this Dec 2, 2024

wullub deleted the dependabot/terraform/terraform/environments/analytical-platform-ingestion/terraform-aws-modules/lambda/aws-7.16.0 branch December 2, 2024 14:33

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Bump terraform-aws-modules/lambda/aws from 7.9.0 to 7.16.0 in /terraform/environments/analytical-platform-ingestion #8849

Bump terraform-aws-modules/lambda/aws from 7.9.0 to 7.16.0 in /terraform/environments/analytical-platform-ingestion #8849

dependabot bot commented on behalf of github Nov 28, 2024

github-actions bot commented Nov 28, 2024

git::https:/github.com/terraform-aws-modules/terraform-aws-alb?ref=349540d1a611cd98a6383cc64ef0d9bf08d88fb7/main.tf (terraform)

git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf (terraform)

dependabot bot commented on behalf of github Dec 2, 2024

Bump terraform-aws-modules/lambda/aws from 7.9.0 to 7.16.0 in /terraform/environments/analytical-platform-ingestion #8849

Bump terraform-aws-modules/lambda/aws from 7.9.0 to 7.16.0 in /terraform/environments/analytical-platform-ingestion #8849

Conversation

dependabot bot commented on behalf of github Nov 28, 2024

v7.16.0

7.16.0 (2024-11-26)

Features

v7.15.0

7.15.0 (2024-11-18)

Features

v7.14.1

7.14.1 (2024-11-17)

Bug Fixes

v7.14.0

7.14.0 (2024-10-11)

Features

Bug Fixes

v7.13.0

7.13.0 (2024-10-05)

Features

v7.12.0

7.12.0 (2024-10-05)

Features

7.16.0 (2024-11-26)

Features

7.15.0 (2024-11-18)

Features

7.14.1 (2024-11-17)

Bug Fixes

7.14.0 (2024-10-11)

Features

Bug Fixes

7.13.0 (2024-10-05)

Features

7.12.0 (2024-10-05)

Features

7.11.0 (2024-10-01)

github-actions bot commented Nov 28, 2024

Trivy Scan Failed

git::https:/github.com/terraform-aws-modules/terraform-aws-alb?ref=349540d1a611cd98a6383cc64ef0d9bf08d88fb7/main.tf (terraform)

git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf (terraform)

CTFLint Scan Success

Trivy Scan Failed

dependabot bot commented on behalf of github Dec 2, 2024

`Trivy Scan` Failed

`CTFLint Scan` Success

`Trivy Scan` Failed