Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update CMT front end role #8896

Merged
merged 5 commits into from
Dec 3, 2024
Merged

Update CMT front end role #8896

merged 5 commits into from
Dec 3, 2024

Conversation

pricemg
Copy link
Contributor

@pricemg pricemg commented Nov 29, 2024

No description provided.

@pricemg pricemg requested review from a team as code owners November 29, 2024 12:36
@github-actions github-actions bot added the environments-repository Used to exclude PRs from this repo in our Slack PR update label Nov 29, 2024
JazJax
JazJax previously approved these changes Nov 29, 2024
View reviewed changes
Copy link
Contributor

@JazJax JazJax left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm!

@github-actions GitHub Actions
Copy link
Contributor

Trivy Scan Failed

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/electronic-monitoring-data

Running Trivy in terraform/environments/electronic-monitoring-data
2024-11-29T12:38:47Z INFO [vulndb] Need to update DB
2024-11-29T12:38:47Z INFO [vulndb] Downloading vulnerability DB...
2024-11-29T12:38:47Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-11-29T12:38:49Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-11-29T12:38:49Z INFO [vuln] Vulnerability scanning is enabled
2024-11-29T12:38:49Z INFO [misconfig] Misconfiguration scanning is enabled
2024-11-29T12:38:49Z INFO [misconfig] Need to update the built-in checks
2024-11-29T12:38:49Z INFO [misconfig] Downloading the built-in checks...
160.25 KiB / 160.25 KiB [------------------------------------------------------] 100.00% ? p/s 100ms2024-11-29T12:38:50Z INFO [secret] Secret scanning is enabled
2024-11-29T12:38:50Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-11-29T12:38:50Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-11-29T12:38:52Z INFO [terraform scanner] Scanning root module file_path="."
2024-11-29T12:38:52Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2024-11-29T12:38:53Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.create_athena_table.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-29T12:38:53Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.create_athena_table.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-29T12:38:53Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.get_file_keys_for_table.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-29T12:38:53Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.get_file_keys_for_table.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-29T12:38:53Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.get_metadata_from_rds_lambda.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-29T12:38:53Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.get_metadata_from_rds_lambda.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-29T12:38:53Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.output_file_structure_as_json_from_zip.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-29T12:38:53Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.output_file_structure_as_json_from_zip.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-29T12:38:54Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.query_output_to_list.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-29T12:38:54Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.query_output_to_list.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-29T12:38:54Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.rds_bastion.aws_s3_object.user_public_keys" value="cty.NilVal"
2024-11-29T12:38:54Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.rds_bastion.data.aws_subnet.local_account" value="cty.NilVal"
2024-11-29T12:38:54Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.rds_bastion.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-29T12:38:54Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.rds_bastion.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-29T12:38:54Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.output_file_structure_as_json_from_zip.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-29T12:38:54Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.output_file_structure_as_json_from_zip.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-29T12:38:54Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.create_athena_table.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-29T12:38:54Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.create_athena_table.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-29T12:38:54Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.get_file_keys_for_table.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-29T12:38:54Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.get_file_keys_for_table.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-29T12:39:01Z INFO [terraform executor] Ignore finding rule="aws-s3-enable-versioning" range="s3.tf:1121-1140"
2024-11-29T12:39:01Z INFO [terraform executor] Ignore finding rule="aws-iam-no-user-attached-policies" range="modules/landing_bucket_iam_user_access/main.tf:2-10"
2024-11-29T12:39:01Z INFO [terraform executor] Ignore finding rule="aws-iam-no-user-attached-policies" range="modules/landing_bucket_iam_user_access/main.tf:2-10"
2024-11-29T12:39:01Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-11-29T12:39:01Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-11-29T12:39:01Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-11-29T12:39:01Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-11-29T12:39:01Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-11-29T12:39:01Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-11-29T12:39:01Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-11-29T12:39:01Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-11-29T12:39:01Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-11-29T12:39:01Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-11-29T12:39:01Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-11-29T12:39:01Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=95ed3c3/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2024-11-29T12:39:01Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="s3.tf:1121-1140"
2024-11-29T12:39:01Z INFO [terraform executor] Ignore finding rule="aws-s3-enable-logging" range="s3.tf:1121-1140"
2024-11-29T12:39:01Z INFO [terraform executor] Ignore finding rule="aws-ssm-secret-use-customer-key" range="analytical_platform_share.tf:50-68"
2024-11-29T12:39:01Z INFO [terraform executor] Ignore finding rule="aws-s3-enable-bucket-encryption" range="s3.tf:1121-1140"
2024-11-29T12:39:01Z INFO [terraform executor] Ignore finding rule="aws-cloudwatch-log-group-customer-key" range="modules/api_step_function/main.tf:281-286"
2024-11-29T12:39:01Z INFO [terraform executor] Ignore finding rule="aws-cloudwatch-log-group-customer-key" range="modules/api_step_function/main.tf:407-411"
2024-11-29T12:39:01Z WARN [pip] Unable to find python site-packages directory. License detection is skipped. err="site-packages directory not found"
2024-11-29T12:39:01Z INFO Number of language-specific files num=1
2024-11-29T12:39:01Z INFO [pip] Detecting vulnerabilities...
2024-11-29T12:39:01Z INFO Detected config files num=17

lambdas/update_log_table/Dockerfile (dockerfile)

Tests: 21 (SUCCESSES: 20, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-DS-0002 (HIGH): Specify at least 1 USER command in Dockerfile with non-root user as argument
════════════════════════════════════════
Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.

See https://avd.aquasec.com/misconfig/ds002
────────────────────────────────────────

trivy_exitcode=1

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/electronic-monitoring-data

*****************************

Running Checkov in terraform/environments/electronic-monitoring-data
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-11-29 12:39:03,894 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=95ed3c3:None (for external modules, the --download-external-modules flag is required)
2024-11-29 12:39:03,895 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060:None (for external modules, the --download-external-modules flag is required)
2024-11-29 12:39:03,895 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-assumable-role:None (for external modules, the --download-external-modules flag is required)
2024-11-29 12:39:03,895 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/secrets-manager/aws:1.3.0 (for external modules, the --download-external-modules flag is required)
2024-11-29 12:39:03,895 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/kms/aws:3.1.1 (for external modules, the --download-external-modules flag is required)
2024-11-29 12:39:03,895 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=52a40b0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 2975, Failed checks: 80, Skipped checks: 95

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.s3_events
	File: /data_store.tf:17-19
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		17 | resource "aws_sns_topic" "s3_events" {
		18 |   name = "${module.s3-data-bucket.bucket.id}-object-created-topic"
		19 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:82-98
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		82 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		83 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		84 |   function_name = "calculate-checksum-lambda"
		85 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		86 |   handler       = "calculate_checksum_lambda.handler"
		87 |   runtime       = "python3.12"
		88 |   memory_size   = 4096
		89 |   timeout       = 900
		90 | 
		91 |   environment {
		92 |     variables = {
		93 |       Checksum = var.checksum_algorithm
		94 |     }
		95 |   }
		96 | 
		97 |   tags = local.tags
		98 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:82-98
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		82 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		83 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		84 |   function_name = "calculate-checksum-lambda"
		85 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		86 |   handler       = "calculate_checksum_lambda.handler"
		87 |   runtime       = "python3.12"
		88 |   memory_size   = 4096
		89 |   timeout       = 900
		90 | 
		91 |   environment {
		92 |     variables = {
		93 |       Checksum = var.checksum_algorithm
		94 |     }
		95 |   }
		96 | 
		97 |   tags = local.tags
		98 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:82-98
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		82 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		83 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		84 |   function_name = "calculate-checksum-lambda"
		85 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		86 |   handler       = "calculate_checksum_lambda.handler"
		87 |   runtime       = "python3.12"
		88 |   memory_size   = 4096
		89 |   timeout       = 900
		90 | 
		91 |   environment {
		92 |     variables = {
		93 |       Checksum = var.checksum_algorithm
		94 |     }
		95 |   }
		96 | 
		97 |   tags = local.tags
		98 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:82-98
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		82 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		83 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		84 |   function_name = "calculate-checksum-lambda"
		85 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		86 |   handler       = "calculate_checksum_lambda.handler"
		87 |   runtime       = "python3.12"
		88 |   memory_size   = 4096
		89 |   timeout       = 900
		90 | 
		91 |   environment {
		92 |     variables = {
		93 |       Checksum = var.checksum_algorithm
		94 |     }
		95 |   }
		96 | 
		97 |   tags = local.tags
		98 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:82-98
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		82 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		83 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		84 |   function_name = "calculate-checksum-lambda"
		85 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		86 |   handler       = "calculate_checksum_lambda.handler"
		87 |   runtime       = "python3.12"
		88 |   memory_size   = 4096
		89 |   timeout       = 900
		90 | 
		91 |   environment {
		92 |     variables = {
		93 |       Checksum = var.checksum_algorithm
		94 |     }
		95 |   }
		96 | 
		97 |   tags = local.tags
		98 | }

Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:82-98
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1

		82 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		83 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		84 |   function_name = "calculate-checksum-lambda"
		85 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		86 |   handler       = "calculate_checksum_lambda.handler"
		87 |   runtime       = "python3.12"
		88 |   memory_size   = 4096
		89 |   timeout       = 900
		90 | 
		91 |   environment {
		92 |     variables = {
		93 |       Checksum = var.checksum_algorithm
		94 |     }
		95 |   }
		96 | 
		97 |   tags = local.tags
		98 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:157-168
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		157 | resource "aws_lambda_function" "summarise_zip_lambda" {
		158 |   filename         = "lambdas/summarise_zip_lambda.zip"
		159 |   function_name    = "summarise-zip-lambda"
		160 |   role             = aws_iam_role.summarise_zip_lambda.arn
		161 |   handler          = "summarise_zip_lambda.handler"
		162 |   runtime          = "python3.12"
		163 |   timeout          = 900
		164 |   memory_size      = 1024
		165 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		166 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		167 |   tags             = local.tags
		168 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:157-168
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		157 | resource "aws_lambda_function" "summarise_zip_lambda" {
		158 |   filename         = "lambdas/summarise_zip_lambda.zip"
		159 |   function_name    = "summarise-zip-lambda"
		160 |   role             = aws_iam_role.summarise_zip_lambda.arn
		161 |   handler          = "summarise_zip_lambda.handler"
		162 |   runtime          = "python3.12"
		163 |   timeout          = 900
		164 |   memory_size      = 1024
		165 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		166 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		167 |   tags             = local.tags
		168 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:157-168
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		157 | resource "aws_lambda_function" "summarise_zip_lambda" {
		158 |   filename         = "lambdas/summarise_zip_lambda.zip"
		159 |   function_name    = "summarise-zip-lambda"
		160 |   role             = aws_iam_role.summarise_zip_lambda.arn
		161 |   handler          = "summarise_zip_lambda.handler"
		162 |   runtime          = "python3.12"
		163 |   timeout          = 900
		164 |   memory_size      = 1024
		165 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		166 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		167 |   tags             = local.tags
		168 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:157-168
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		157 | resource "aws_lambda_function" "summarise_zip_lambda" {
		158 |   filename         = "lambdas/summarise_zip_lambda.zip"
		159 |   function_name    = "summarise-zip-lambda"
		160 |   role             = aws_iam_role.summarise_zip_lambda.arn
		161 |   handler          = "summarise_zip_lambda.handler"
		162 |   runtime          = "python3.12"
		163 |   timeout          = 900
		164 |   memory_size      = 1024
		165 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		166 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		167 |   tags             = local.tags
		168 | }

Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:157-168
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1

		157 | resource "aws_lambda_function" "summarise_zip_lambda" {
		158 |   filename         = "lambdas/summarise_zip_lambda.zip"
		159 |   function_name    = "summarise-zip-lambda"
		160 |   role             = aws_iam_role.summarise_zip_lambda.arn
		161 |   handler          = "summarise_zip_lambda.handler"
		162 |   runtime          = "python3.12"
		163 |   timeout          = 900
		164 |   memory_size      = 1024
		165 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		166 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		167 |   tags             = local.tags
		168 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.dms_dv_cw_log_group
	File: /dms_data_validation_glue_job.tf:58-61
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		58 | resource "aws_cloudwatch_log_group" "dms_dv_cw_log_group" {
		59 |   name              = "dms-dv-glue-job"
		60 |   retention_in_days = 14
		61 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.dms_dv_cw_log_group
	File: /dms_data_validation_glue_job.tf:58-61
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		58 | resource "aws_cloudwatch_log_group" "dms_dv_cw_log_group" {
		59 |   name              = "dms-dv-glue-job"
		60 |   retention_in_days = 14
		61 | }

Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.catalog_dv_table_glue_job
	File: /dms_data_validation_glue_job.tf:373-403
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		373 | resource "aws_glue_job" "catalog_dv_table_glue_job" {
		374 |   count = local.gluejob_count
		375 | 
		376 |   name              = "catalog-dv-table-glue-job"
		377 |   description       = "Python script uses Boto3-Athena-Client to run sql-statements"
		378 |   role_arn          = aws_iam_role.dms_dv_glue_job_iam_role.arn
		379 |   glue_version      = "4.0"
		380 |   worker_type       = "G.1X"
		381 |   number_of_workers = 2
		382 |   default_arguments = {
		383 |     "--parquet_output_bucket_name"       = module.s3-dms-data-validation-bucket.bucket.id
		384 |     "--glue_catalog_db_name"             = aws_glue_catalog_database.dms_dv_glue_catalog_db.name
		385 |     "--glue_catalog_tbl_name"            = "glue_df_output"
		386 |     "--continuous-log-logGroup"          = aws_cloudwatch_log_group.dms_dv_cw_log_group.name
		387 |     "--enable-continuous-cloudwatch-log" = "true"
		388 |     "--enable-continuous-log-filter"     = "true"
		389 |     "--enable-metrics"                   = ""
		390 |   }
		391 |   command {
		392 |     python_version  = "3"
		393 |     script_location = "s3://${module.s3-glue-job-script-bucket.bucket.id}/create_or_replace_dv_table.py"
		394 |   }
		395 | 
		396 |   tags = merge(
		397 |     local.tags,
		398 |     {
		399 |       Resource_Type = "Py script as glue-job that creates dv table / refreshes its partitions",
		400 |     }
		401 |   )
		402 | 
		403 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.dms_dv_rds_to_s3_parquet_v1
	File: /dms_data_validation_glue_job_v2.tf:10-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		10 | resource "aws_cloudwatch_log_group" "dms_dv_rds_to_s3_parquet_v1" {
		11 |   name              = "dms-dv-rds-to-s3-parquet-v1"
		12 |   retention_in_days = 14
		13 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.dms_dv_rds_to_s3_parquet_v1
	File: /dms_data_validation_glue_job_v2.tf:10-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		10 | resource "aws_cloudwatch_log_group" "dms_dv_rds_to_s3_parquet_v1" {
		11 |   name              = "dms-dv-rds-to-s3-parquet-v1"
		12 |   retention_in_days = 14
		13 | }

Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.dms_dv_rds_to_s3_parquet_v1
	File: /dms_data_validation_glue_job_v2.tf:22-77
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.dms_dv_rds_to_s3_parquet_v2
	File: /dms_data_validation_glue_job_v2.tf:87-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		87 | resource "aws_cloudwatch_log_group" "dms_dv_rds_to_s3_parquet_v2" {
		88 |   name              = "dms-dv-rds-to-s3-parquet-v2"
		89 |   retention_in_days = 14
		90 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.dms_dv_rds_to_s3_parquet_v2
	File: /dms_data_validation_glue_job_v2.tf:87-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		87 | resource "aws_cloudwatch_log_group" "dms_dv_rds_to_s3_parquet_v2" {
		88 |   name              = "dms-dv-rds-to-s3-parquet-v2"
		89 |   retention_in_days = 14
		90 | }

Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.dms_dv_rds_to_s3_parquet_v2
	File: /dms_data_validation_glue_job_v2.tf:99-154
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.etl_rds_to_s3_parquet_partitionby_yyyy_mm
	File: /dms_data_validation_glue_job_v2.tf:157-160
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		157 | resource "aws_cloudwatch_log_group" "etl_rds_to_s3_parquet_partitionby_yyyy_mm" {
		158 |   name              = "etl-rds-to-s3-parquet-partitionby-yyyy-mm"
		159 |   retention_in_days = 14
		160 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.etl_rds_to_s3_parquet_partitionby_yyyy_mm
	File: /dms_data_validation_glue_job_v2.tf:157-160
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		157 | resource "aws_cloudwatch_log_group" "etl_rds_to_s3_parquet_partitionby_yyyy_mm" {
		158 |   name              = "etl-rds-to-s3-parquet-partitionby-yyyy-mm"
		159 |   retention_in_days = 14
		160 | }

Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.etl_rds_to_s3_parquet_partitionby_yyyy_mm
	File: /dms_data_validation_glue_job_v2.tf:169-223
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.etl_dv_rds_to_s3_parquet_partitionby_yyyy_mm
	File: /dms_data_validation_glue_job_v2.tf:226-229
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		226 | resource "aws_cloudwatch_log_group" "etl_dv_rds_to_s3_parquet_partitionby_yyyy_mm" {
		227 |   name              = "etl-dv-rds-to-s3-parquet-partitionby-yyyy-mm"
		228 |   retention_in_days = 14
		229 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.etl_dv_rds_to_s3_parquet_partitionby_yyyy_mm
	File: /dms_data_validation_glue_job_v2.tf:226-229
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		226 | resource "aws_cloudwatch_log_group" "etl_dv_rds_to_s3_parquet_partitionby_yyyy_mm" {
		227 |   name              = "etl-dv-rds-to-s3-parquet-partitionby-yyyy-mm"
		228 |   retention_in_days = 14
		229 | }

Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.etl_dv_rds_to_s3_parquet_partitionby_yyyy_mm
	File: /dms_data_validation_glue_job_v2.tf:238-304
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.parquet_resize_or_partitionby_yyyy_mm_dd
	File: /dms_data_validation_glue_job_v2.tf:307-310
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		307 | resource "aws_cloudwatch_log_group" "parquet_resize_or_partitionby_yyyy_mm_dd" {
		308 |   name              = "parquet-resize-or-partitionby-yyyy-mm-dd"
		309 |   retention_in_days = 14
		310 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.parquet_resize_or_partitionby_yyyy_mm_dd
	File: /dms_data_validation_glue_job_v2.tf:307-310
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		307 | resource "aws_cloudwatch_log_group" "parquet_resize_or_partitionby_yyyy_mm_dd" {
		308 |   name              = "parquet-resize-or-partitionby-yyyy-mm-dd"
		309 |   retention_in_days = 14
		310 | }

Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.parquet_resize_or_partitionby_yyyy_mm_dd
	File: /dms_data_validation_glue_job_v2.tf:319-373
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.etl_table_rows_hashvalue_to_parquet
	File: /dms_data_validation_glue_job_v2.tf:376-379
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		376 | resource "aws_cloudwatch_log_group" "etl_table_rows_hashvalue_to_parquet" {
		377 |   name              = "etl-table-rows-hashvalue-to-parquet"
		378 |   retention_in_days = 14
		379 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.etl_table_rows_hashvalue_to_parquet
	File: /dms_data_validation_glue_job_v2.tf:376-379
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		376 | resource "aws_cloudwatch_log_group" "etl_table_rows_hashvalue_to_parquet" {
		377 |   name              = "etl-table-rows-hashvalue-to-parquet"
		378 |   retention_in_days = 14
		379 | }

Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.etl_table_rows_hashvalue_to_parquet
	File: /dms_data_validation_glue_job_v2.tf:388-438
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.dms_dv_on_rows_hashvalue
	File: /dms_data_validation_glue_job_v2.tf:442-445
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		442 | resource "aws_cloudwatch_log_group" "dms_dv_on_rows_hashvalue" {
		443 |   name              = "dms-dv-on-rows-hashvalue"
		444 |   retention_in_days = 14
		445 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.dms_dv_on_rows_hashvalue
	File: /dms_data_validation_glue_job_v2.tf:442-445
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		442 | resource "aws_cloudwatch_log_group" "dms_dv_on_rows_hashvalue" {
		443 |   name              = "dms-dv-on-rows-hashvalue"
		444 |   retention_in_days = 14
		445 | }

Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.dms_dv_on_rows_hashvalue
	File: /dms_data_validation_glue_job_v2.tf:454-505
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.etl_rds_tbl_hash_rows_to_s3_prq_partitionby_yyyy_mm
	File: /dms_data_validation_glue_job_v2.tf:509-512
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		509 | resource "aws_cloudwatch_log_group" "etl_rds_tbl_hash_rows_to_s3_prq_partitionby_yyyy_mm" {
		510 |   name              = "etl-rds-tbl-hash-rows-to-s3-prq-partitionby-yyyy-mm"
		511 |   retention_in_days = 14
		512 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.etl_rds_tbl_hash_rows_to_s3_prq_partitionby_yyyy_mm
	File: /dms_data_validation_glue_job_v2.tf:509-512
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		509 | resource "aws_cloudwatch_log_group" "etl_rds_tbl_hash_rows_to_s3_prq_partitionby_yyyy_mm" {
		510 |   name              = "etl-rds-tbl-hash-rows-to-s3-prq-partitionby-yyyy-mm"
		511 |   retention_in_days = 14
		512 | }

Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.etl_rds_tbl_hash_rows_to_s3_prq_partitionby_yyyy_mm
	File: /dms_data_validation_glue_job_v2.tf:521-576
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.etl_rds_sqlserver_query_to_s3_parquet
	File: /dms_data_validation_glue_job_v2.tf:578-581
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		578 | resource "aws_cloudwatch_log_group" "etl_rds_sqlserver_query_to_s3_parquet" {
		579 |   name              = "etl-rds-sqlserver-query-to-s3-parquet"
		580 |   retention_in_days = 14
		581 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.etl_rds_sqlserver_query_to_s3_parquet
	File: /dms_data_validation_glue_job_v2.tf:578-581
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		578 | resource "aws_cloudwatch_log_group" "etl_rds_sqlserver_query_to_s3_parquet" {
		579 |   name              = "etl-rds-sqlserver-query-to-s3-parquet"
		580 |   retention_in_days = 14
		581 | }

Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.etl_rds_sqlserver_query_to_s3_parquet
	File: /dms_data_validation_glue_job_v2.tf:590-644
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_crawler.rds_sqlserver_db_glue_crawler
	File: /dms_glue_crawler.tf:35-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		35 | resource "aws_glue_crawler" "rds_sqlserver_db_glue_crawler" {
		36 |   name          = "rds-sqlserver-${aws_db_instance.database_2022.identifier}-tf"
		37 |   role          = aws_iam_role.dms_dv_glue_job_iam_role.arn
		38 |   database_name = aws_glue_catalog_database.rds_sqlserver_glue_catalog_db.name
		39 |   description   = "Crawler to fetch database names"
		40 |   #   table_prefix  = "your_table_prefix"
		41 | 
		42 |   jdbc_target {
		43 |     connection_name = aws_glue_connection.glue_rds_sqlserver_db_connection.name
		44 |     path            = "%"
		45 |   }
		46 |   tags = merge(
		47 |     local.tags,
		48 |     {
		49 |       Resource_Type = "RDS-SQLServer Glue-Crawler for DMS",
		50 |     }
		51 |   )
		52 | 
		53 |   # provisioner "local-exec" {
		54 |   #   command = "aws glue start-crawler --name ${self.name}"
		55 |   # }
		56 | }

Check: CKV_AWS_212: "Ensure DMS replication instance is encrypted by KMS using a customer managed Key (CMK)"
	FAILED for resource: aws_dms_replication_instance.dms_replication_instance
	File: /dms_replication_instance.tf:24-55
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-ebs-volume-is-encrypted-by-key-management-service-kms-using-a-customer-managed-key-cmk

		24 | resource "aws_dms_replication_instance" "dms_replication_instance" {
		25 |   allocated_storage          = var.dms_allocated_storage_gib
		26 |   apply_immediately          = true
		27 |   auto_minor_version_upgrade = true
		28 |   availability_zone          = var.dms_availability_zone
		29 |   engine_version             = var.dms_engine_version
		30 |   #   kms_key_arn                  = "arn:aws:kms:eu-west-2:800964199911:key/b7f54acb-16a3-4958-9340-3bdf5f5842d8"
		31 |   multi_az = false
		32 |   #   preferred_maintenance_window = "sun:10:30-sun:14:30"
		33 |   publicly_accessible         = false
		34 |   replication_instance_class  = var.dms_replication_instance_class
		35 |   replication_instance_id     = "dms-replication-instance-tf"
		36 |   replication_subnet_group_id = aws_dms_replication_subnet_group.dms_replication_subnet_group.id
		37 | 
		38 |   tags = merge(
		39 |     local.tags,
		40 |     {
		41 |       Resource_Type = "DMS Replication Instance",
		42 |     }
		43 |   )
		44 | 
		45 |   vpc_security_group_ids = [
		46 |     aws_security_group.dms_ri_security_group.id,
		47 |   ]
		48 | 
		49 |   depends_on = [
		50 |     aws_iam_role.dms_vpc_role,
		51 |     aws_iam_role.dms_cloudwatch_logs_role,
		52 |     aws_iam_role.dms_endpoint_role
		53 |   ]
		54 | 
		55 | }

Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
	FAILED for resource: aws_vpc_security_group_ingress_rule.glue_rds_conn_inbound
	File: /dms_security_groups.tf:105-113
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80

		105 | resource "aws_vpc_security_group_ingress_rule" "glue_rds_conn_inbound" {
		106 |   security_group_id = aws_security_group.glue_rds_conn_security_group.id
		107 | 
		108 |   referenced_security_group_id = aws_security_group.glue_rds_conn_security_group.id
		109 |   ip_protocol                  = "tcp"
		110 |   from_port                    = 0
		111 |   to_port                      = 65535
		112 |   description                  = "Required ports open for Glue-RDS-Connection"
		113 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.glue_rds_conn_inbound
	File: /dms_security_groups.tf:105-113
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		105 | resource "aws_vpc_security_group_ingress_rule" "glue_rds_conn_inbound" {
		106 |   security_group_id = aws_security_group.glue_rds_conn_security_group.id
		107 | 
		108 |   referenced_security_group_id = aws_security_group.glue_rds_conn_security_group.id
		109 |   ip_protocol                  = "tcp"
		110 |   from_port                    = 0
		111 |   to_port                      = 65535
		112 |   description                  = "Required ports open for Glue-RDS-Connection"
		113 | }

Check: CKV_AWS_25: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389"
	FAILED for resource: aws_vpc_security_group_ingress_rule.glue_rds_conn_inbound
	File: /dms_security_groups.tf:105-113
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-2

		105 | resource "aws_vpc_security_group_ingress_rule" "glue_rds_conn_inbound" {
		106 |   security_group_id = aws_security_group.glue_rds_conn_security_group.id
		107 | 
		108 |   referenced_security_group_id = aws_security_group.glue_rds_conn_security_group.id
		109 |   ip_protocol                  = "tcp"
		110 |   from_port                    = 0
		111 |   to_port                      = 65535
		112 |   description                  = "Required ports open for Glue-RDS-Connection"
		113 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.glue_notebook_ec2_iam_policy_document
	File: /glue_data.tf:103-118
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		103 | data "aws_iam_policy_document" "glue_notebook_ec2_iam_policy_document" {
		104 |   statement {
		105 |     effect = "Allow"
		106 |     actions = [
		107 |       "ec2:CreateNetworkInterface",
		108 |       "ec2:DescribeNetworkInterfaces",
		109 |       "ec2:DeleteNetworkInterface",
		110 |       "ec2:DescribeVpcEndpoints",
		111 |       "ec2:DescribeSubnets",
		112 |       "ec2:DescribeVpcAttribute",
		113 |       "ec2:DescribeRouteTables",
		114 |       "ec2:DescribeSecurityGroups"
		115 |     ]
		116 |     resources = ["*"]
		117 |   }
		118 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.glue_notebook_ec2_iam_policy_document
	File: /glue_data.tf:103-118
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		103 | data "aws_iam_policy_document" "glue_notebook_ec2_iam_policy_document" {
		104 |   statement {
		105 |     effect = "Allow"
		106 |     actions = [
		107 |       "ec2:CreateNetworkInterface",
		108 |       "ec2:DescribeNetworkInterfaces",
		109 |       "ec2:DeleteNetworkInterface",
		110 |       "ec2:DescribeVpcEndpoints",
		111 |       "ec2:DescribeSubnets",
		112 |       "ec2:DescribeVpcAttribute",
		113 |       "ec2:DescribeRouteTables",
		114 |       "ec2:DescribeSecurityGroups"
		115 |     ]
		116 |     resources = ["*"]
		117 |   }
		118 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.load_json_table_s3_policy_document
	File: /lambdas_iam.tf:292-349
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.load_json_table_s3_policy_document
	File: /lambdas_iam.tf:292-349
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.db_glue_connection
	File: /lambdas_secrets.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		1 | resource "aws_secretsmanager_secret" "db_glue_connection" {
		2 |   name = "db_glue_connection"
		3 | }

Check: CKV_AWS_296: "Ensure DMS endpoint uses Customer Managed Key (CMK)"
	FAILED for resource: module.dms_task.aws_dms_endpoint.dms_rds_source
	File: /modules/dms/endpoints_rds_s3.tf:2-23
	Calling File: /dms_main.tf:1-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-296

		2  | resource "aws_dms_endpoint" "dms_rds_source" {
		3  | 
		4  |   #   certificate_arn             = ""
		5  |   database_name = var.database_name
		6  |   endpoint_id   = "rds-mssql-${replace(var.database_name, "_", "-")}-tf"
		7  |   endpoint_type = "source"
		8  |   engine_name   = "sqlserver"
		9  |   #   extra_connection_attributes = ""
		10 |   #   kms_key_arn                 = aws_db_instance.database_2022.kms_key_id
		11 |   password    = var.rds_db_instance_pasword
		12 |   port        = var.rds_db_instance_port
		13 |   server_name = var.rds_db_server_name
		14 |   ssl_mode    = "require"
		15 |   username    = var.rds_db_username
		16 | 
		17 |   tags = merge(
		18 |     var.local_tags,
		19 |     {
		20 |       Resource_Type = "DMS Source Endpoint - RDS MSSQL",
		21 |     },
		22 |   )
		23 | }

Check: CKV_AWS_298: "Ensure DMS S3 uses Customer Managed Key (CMK)"
	FAILED for resource: module.dms_task.aws_dms_s3_endpoint.dms_s3_parquet_target
	File: /modules/dms/endpoints_rds_s3.tf:28-84
	Calling File: /dms_main.tf:1-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-298

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: module.athena_layer.aws_iam_policy_document.step_function_base_permissions
	File: /modules/step_function/main.tf:44-73
	Calling File: /step_functions_main.tf:5-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		44 | data "aws_iam_policy_document" "step_function_base_permissions" {
		45 |   statement {
		46 |     effect    = "Allow"
		47 |     actions   = ["sns:Publish", "sqs:SendMessage"]
		48 |     resources = ["*"]
		49 |   }
		50 |   statement {
		51 |     effect    = "Allow"
		52 |     actions   = ["kms:GenerateDataKey", "kms:Decrypt"]
		53 |     resources = [aws_kms_key.this_log_key.arn]
		54 |   }
		55 |   statement {
		56 |     effect = "Allow"
		57 |     actions = [
		58 |       "logs:CreateLogDelivery",
		59 |       "logs:CreateLogStream",
		60 |       "logs:GetLogDelivery",
		61 |       "logs:UpdateLogDelivery",
		62 |       "logs:DeleteLogDelivery",
		63 |       "logs:ListLogDeliveries",
		64 |       "logs:PutResourcePolicy",
		65 |       "logs:DescribeResourcePolicies",
		66 |       "logs:DescribeLogGroups",
		67 |       "logs:PutDestination",
		68 |       "logs:PutDestinationPolicy",
		69 |       "logs:PutLogEvents"
		70 |     ]
		71 |     resources = ["*"]
		72 |   }
		73 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.athena_layer.aws_iam_policy_document.step_function_base_permissions
	File: /modules/step_function/main.tf:44-73
	Calling File: /step_functions_main.tf:5-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		44 | data "aws_iam_policy_document" "step_function_base_permissions" {
		45 |   statement {
		46 |     effect    = "Allow"
		47 |     actions   = ["sns:Publish", "sqs:SendMessage"]
		48 |     resources = ["*"]
		49 |   }
		50 |   statement {
		51 |     effect    = "Allow"
		52 |     actions   = ["kms:GenerateDataKey", "kms:Decrypt"]
		53 |     resources = [aws_kms_key.this_log_key.arn]
		54 |   }
		55 |   statement {
		56 |     effect = "Allow"
		57 |     actions = [
		58 |       "logs:CreateLogDelivery",
		59 |       "logs:CreateLogStream",
		60 |       "logs:GetLogDelivery",
		61 |       "logs:UpdateLogDelivery",
		62 |       "logs:DeleteLogDelivery",
		63 |       "logs:ListLogDeliveries",
		64 |       "logs:PutResourcePolicy",
		65 |       "logs:DescribeResourcePolicies",
		66 |       "logs:DescribeLogGroups",
		67 |       "logs:PutDestination",
		68 |       "logs:PutDestinationPolicy",
		69 |       "logs:PutLogEvents"
		70 |     ]
		71 |     resources = ["*"]
		72 |   }
		73 | }

Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: module.athena_layer.aws_iam_policy_document.this_log_key_document
	File: /modules/step_function/main.tf:81-108
	Calling File: /step_functions_main.tf:5-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint

		81  | data "aws_iam_policy_document" "this_log_key_document" {
		82  |   statement {
		83  |     sid    = "EnableIAMUserPermissions"
		84  |     effect = "Allow"
		85  |     principals {
		86  |       type        = "AWS"
		87  |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		88  |     }
		89  |     actions   = ["kms:*"]
		90  |     resources = ["*"]
		91  |   }
		92  | 
		93  |   statement {
		94  |     sid    = "EnableLogServicePermissions"
		95  |     effect = "Allow"
		96  |     principals {
		97  |       type        = "Service"
		98  |       identifiers = ["logs.${data.aws_region.current.name}.amazonaws.com"]
		99  |     }
		100 |     actions = [
		101 |       "kms:Encrypt",
		102 |       "kms:Decrypt",
		103 |       "kms:GenerateDataKey",
		104 |       "kms:DescribeKey"
		105 |     ]
		106 |     resources = ["*"]
		107 |   }
		108 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: module.athena_layer.aws_iam_policy_document.this_log_key_document
	File: /modules/step_function/main.tf:81-108
	Calling File: /step_functions_main.tf:5-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		81  | data "aws_iam_policy_document" "this_log_key_document" {
		82  |   statement {
		83  |     sid    = "EnableIAMUserPermissions"
		84  |     effect = "Allow"
		85  |     principals {
		86  |       type        = "AWS"
		87  |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		88  |     }
		89  |     actions   = ["kms:*"]
		90  |     resources = ["*"]
		91  |   }
		92  | 
		93  |   statement {
		94  |     sid    = "EnableLogServicePermissions"
		95  |     effect = "Allow"
		96  |     principals {
		97  |       type        = "Service"
		98  |       identifiers = ["logs.${data.aws_region.current.name}.amazonaws.com"]
		99  |     }
		100 |     actions = [
		101 |       "kms:Encrypt",
		102 |       "kms:Decrypt",
		103 |       "kms:GenerateDataKey",
		104 |       "kms:DescribeKey"
		105 |     ]
		106 |     resources = ["*"]
		107 |   }
		108 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.athena_layer.aws_iam_policy_document.this_log_key_document
	File: /modules/step_function/main.tf:81-108
	Calling File: /step_functions_main.tf:5-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		81  | data "aws_iam_policy_document" "this_log_key_document" {
		82  |   statement {
		83  |     sid    = "EnableIAMUserPermissions"
		84  |     effect = "Allow"
		85  |     principals {
		86  |       type        = "AWS"
		87  |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		88  |     }
		89  |     actions   = ["kms:*"]
		90  |     resources = ["*"]
		91  |   }
		92  | 
		93  |   statement {
		94  |     sid    = "EnableLogServicePermissions"
		95  |     effect = "Allow"
		96  |     principals {
		97  |       type        = "Service"
		98  |       identifiers = ["logs.${data.aws_region.current.name}.amazonaws.com"]
		99  |     }
		100 |     actions = [
		101 |       "kms:Encrypt",
		102 |       "kms:Decrypt",
		103 |       "kms:GenerateDataKey",
		104 |       "kms:DescribeKey"
		105 |     ]
		106 |     resources = ["*"]
		107 |   }
		108 | }

Check: CKV_AWS_284: "Ensure State Machine has X-Ray tracing enabled"
	FAILED for resource: module.athena_layer.aws_sfn_state_machine.this
	File: /modules/step_function/main.tf:4-14
	Calling File: /step_functions_main.tf:5-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-284

		4  | resource "aws_sfn_state_machine" "this" {
		5  |   name       = var.name
		6  |   role_arn   = aws_iam_role.step_function_role.arn
		7  |   definition = templatefile("step_function_definitions/${var.name}.json.tmpl", var.variable_dictionary)
		8  |   type       = var.type
		9  |   logging_configuration {
		10 |     log_destination        = "${aws_cloudwatch_log_group.this_log_group.arn}:*"
		11 |     include_execution_data = true
		12 |     level                  = "ALL"
		13 |   }
		14 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: module.get_zipped_file_api.aws_iam_policy_document.step_function_base_permissions
	File: /modules/step_function/main.tf:44-73
	Calling File: /step_functions_main.tf:19-30
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		44 | data "aws_iam_policy_document" "step_function_base_permissions" {
		45 |   statement {
		46 |     effect    = "Allow"
		47 |     actions   = ["sns:Publish", "sqs:SendMessage"]
		48 |     resources = ["*"]
		49 |   }
		50 |   statement {
		51 |     effect    = "Allow"
		52 |     actions   = ["kms:GenerateDataKey", "kms:Decrypt"]
		53 |     resources = [aws_kms_key.this_log_key.arn]
		54 |   }
		55 |   statement {
		56 |     effect = "Allow"
		57 |     actions = [
		58 |       "logs:CreateLogDelivery",
		59 |       "logs:CreateLogStream",
		60 |       "logs:GetLogDelivery",
		61 |       "logs:UpdateLogDelivery",
		62 |       "logs:DeleteLogDelivery",
		63 |       "logs:ListLogDeliveries",
		64 |       "logs:PutResourcePolicy",
		65 |       "logs:DescribeResourcePolicies",
		66 |       "logs:DescribeLogGroups",
		67 |       "logs:PutDestination",
		68 |       "logs:PutDestinationPolicy",
		69 |       "logs:PutLogEvents"
		70 |     ]
		71 |     resources = ["*"]
		72 |   }
		73 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.get_zipped_file_api.aws_iam_policy_document.step_function_base_permissions
	File: /modules/step_function/main.tf:44-73
	Calling File: /step_functions_main.tf:19-30
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		44 | data "aws_iam_policy_document" "step_function_base_permissions" {
		45 |   statement {
		46 |     effect    = "Allow"
		47 |     actions   = ["sns:Publish", "sqs:SendMessage"]
		48 |     resources = ["*"]
		49 |   }
		50 |   statement {
		51 |     effect    = "Allow"
		52 |     actions   = ["kms:GenerateDataKey", "kms:Decrypt"]
		53 |     resources = [aws_kms_key.this_log_key.arn]
		54 |   }
		55 |   statement {
		56 |     effect = "Allow"
		57 |     actions = [
		58 |       "logs:CreateLogDelivery",
		59 |       "logs:CreateLogStream",
		60 |       "logs:GetLogDelivery",
		61 |       "logs:UpdateLogDelivery",
		62 |       "logs:DeleteLogDelivery",
		63 |       "logs:ListLogDeliveries",
		64 |       "logs:PutResourcePolicy",
		65 |       "logs:DescribeResourcePolicies",
		66 |       "logs:DescribeLogGroups",
		67 |       "logs:PutDestination",
		68 |       "logs:PutDestinationPolicy",
		69 |       "logs:PutLogEvents"
		70 |     ]
		71 |     resources = ["*"]
		72 |   }
		73 | }

Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: module.get_zipped_file_api.aws_iam_policy_document.this_log_key_document
	File: /modules/step_function/main.tf:81-108
	Calling File: /step_functions_main.tf:19-30
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint

		81  | data "aws_iam_policy_document" "this_log_key_document" {
		82  |   statement {
		83  |     sid    = "EnableIAMUserPermissions"
		84  |     effect = "Allow"
		85  |     principals {
		86  |       type        = "AWS"
		87  |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		88  |     }
		89  |     actions   = ["kms:*"]
		90  |     resources = ["*"]
		91  |   }
		92  | 
		93  |   statement {
		94  |     sid    = "EnableLogServicePermissions"
		95  |     effect = "Allow"
		96  |     principals {
		97  |       type        = "Service"
		98  |       identifiers = ["logs.${data.aws_region.current.name}.amazonaws.com"]
		99  |     }
		100 |     actions = [
		101 |       "kms:Encrypt",
		102 |       "kms:Decrypt",
		103 |       "kms:GenerateDataKey",
		104 |       "kms:DescribeKey"
		105 |     ]
		106 |     resources = ["*"]
		107 |   }
		108 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: module.get_zipped_file_api.aws_iam_policy_document.this_log_key_document
	File: /modules/step_function/main.tf:81-108
	Calling File: /step_functions_main.tf:19-30
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		81  | data "aws_iam_policy_document" "this_log_key_document" {
		82  |   statement {
		83  |     sid    = "EnableIAMUserPermissions"
		84  |     effect = "Allow"
		85  |     principals {
		86  |       type        = "AWS"
		87  |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		88  |     }
		89  |     actions   = ["kms:*"]
		90  |     resources = ["*"]
		91  |   }
		92  | 
		93  |   statement {
		94  |     sid    = "EnableLogServicePermissions"
		95  |     effect = "Allow"
		96  |     principals {
		97  |       type        = "Service"
		98  |       identifiers = ["logs.${data.aws_region.current.name}.amazonaws.com"]
		99  |     }
		100 |     actions = [
		101 |       "kms:Encrypt",
		102 |       "kms:Decrypt",
		103 |       "kms:GenerateDataKey",
		104 |       "kms:DescribeKey"
		105 |     ]
		106 |     resources = ["*"]
		107 |   }
		108 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.get_zipped_file_api.aws_iam_policy_document.this_log_key_document
	File: /modules/step_function/main.tf:81-108
	Calling File: /step_functions_main.tf:19-30
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		81  | data "aws_iam_policy_document" "this_log_key_document" {
		82  |   statement {
		83  |     sid    = "EnableIAMUserPermissions"
		84  |     effect = "Allow"
		85  |     principals {
		86  |       type        = "AWS"
		87  |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		88  |     }
		89  |     actions   = ["kms:*"]
		90  |     resources = ["*"]
		91  |   }
		92  | 
		93  |   statement {
		94  |     sid    = "EnableLogServicePermissions"
		95  |     effect = "Allow"
		96  |     principals {
		97  |       type        = "Service"
		98  |       identifiers = ["logs.${data.aws_region.current.name}.amazonaws.com"]
		99  |     }
		100 |     actions = [
		101 |       "kms:Encrypt",
		102 |       "kms:Decrypt",
		103 |       "kms:GenerateDataKey",
		104 |       "kms:DescribeKey"
		105 |     ]
		106 |     resources = ["*"]
		107 |   }
		108 | }

Check: CKV_AWS_284: "Ensure State Machine has X-Ray tracing enabled"
	FAILED for resource: module.get_zipped_file_api.aws_sfn_state_machine.this
	File: /modules/step_function/main.tf:4-14
	Calling File: /step_functions_main.tf:19-30
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-284

		4  | resource "aws_sfn_state_machine" "this" {
		5  |   name       = var.name
		6  |   role_arn   = aws_iam_role.step_function_role.arn
		7  |   definition = templatefile("step_function_definitions/${var.name}.json.tmpl", var.variable_dictionary)
		8  |   type       = var.type
		9  |   logging_configuration {
		10 |     log_destination        = "${aws_cloudwatch_log_group.this_log_group.arn}:*"
		11 |     include_execution_data = true
		12 |     level                  = "ALL"
		13 |   }
		14 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.db_password
	File: /server_backups.tf:4-6
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		4 | resource "aws_secretsmanager_secret" "db_password" {
		5 |   name = "db_password"
		6 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-354

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-73

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-353

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-293

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.db_glue_connection
	File: /lambdas_secrets.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		1 | resource "aws_secretsmanager_secret" "db_glue_connection" {
		2 |   name = "db_glue_connection"
		3 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.db_password
	File: /server_backups.tf:4-6
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		4 | resource "aws_secretsmanager_secret" "db_password" {
		5 |   name = "db_password"
		6 | }

Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-60

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.glue_rds_conn_security_group
	File: /dms_security_groups.tf:81-92
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		81 | resource "aws_security_group" "glue_rds_conn_security_group" {
		82 |   name        = "glue-rds-sqlserver-connection-tf"
		83 |   description = "Secuity Group for Glue-RDS-Connection"
		84 |   vpc_id      = data.aws_vpc.shared.id
		85 | 
		86 |   tags = merge(
		87 |     local.tags,
		88 |     {
		89 |       Resource_Type = "Secuity Group for Glue-RDS-Connection",
		90 |     }
		91 |   )
		92 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: module.buddi.module.landing_zone_security_groups.aws_security_group.this
	File: /modules/landing_zone/server_security_group/main.tf:7-22
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		7  | resource "aws_security_group" "this" {
		8  |   name        = "${var.supplier}-${var.user_name}-inbound-ips"
		9  |   description = "Allowed IP addresses for ${var.user_name} on ${var.supplier} server"
		10 |   vpc_id      = var.vpc_id
		11 | 
		12 |   lifecycle {
		13 |     create_before_destroy = true
		14 |   }
		15 | 
		16 |   tags = merge(
		17 |     var.local_tags,
		18 |     {
		19 |       supplier = var.user_name,
		20 |     },
		21 |   )
		22 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: module.capita.module.landing_zone_security_groups.aws_security_group.this
	File: /modules/landing_zone/server_security_group/main.tf:7-22
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		7  | resource "aws_security_group" "this" {
		8  |   name        = "${var.supplier}-${var.user_name}-inbound-ips"
		9  |   description = "Allowed IP addresses for ${var.user_name} on ${var.supplier} server"
		10 |   vpc_id      = var.vpc_id
		11 | 
		12 |   lifecycle {
		13 |     create_before_destroy = true
		14 |   }
		15 | 
		16 |   tags = merge(
		17 |     var.local_tags,
		18 |     {
		19 |       supplier = var.user_name,
		20 |     },
		21 |   )
		22 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: module.g4s.module.landing_zone_security_groups.aws_security_group.this
	File: /modules/landing_zone/server_security_group/main.tf:7-22
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		7  | resource "aws_security_group" "this" {
		8  |   name        = "${var.supplier}-${var.user_name}-inbound-ips"
		9  |   description = "Allowed IP addresses for ${var.user_name} on ${var.supplier} server"
		10 |   vpc_id      = var.vpc_id
		11 | 
		12 |   lifecycle {
		13 |     create_before_destroy = true
		14 |   }
		15 | 
		16 |   tags = merge(
		17 |     var.local_tags,
		18 |     {
		19 |       supplier = var.user_name,
		20 |     },
		21 |   )
		22 | }

dockerfile scan results:

Passed checks: 21, Failed checks: 2, Skipped checks: 0

Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
	FAILED for resource: /lambdas/update_log_table/Dockerfile.
	File: /lambdas/update_log_table/Dockerfile:1-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images

		1 | FROM public.ecr.aws/lambda/python:3.11
		2 | 
		3 | COPY requirements.txt .
		4 | 
		5 | RUN pip install -r requirements.txt --target "${LAMBDA_TASK_ROOT}"
		6 | 
		7 | COPY update_log_table.py ${LAMBDA_TASK_ROOT}
		8 | 
		9 | CMD ["update_log_table.handler"]
Check: CKV_DOCKER_3: "Ensure that a user for the container has been created"
	FAILED for resource: /lambdas/update_log_table/Dockerfile.
	File: /lambdas/update_log_table/Dockerfile:1-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-that-a-user-for-the-container-has-been-created

		1 | FROM public.ecr.aws/lambda/python:3.11
		2 | 
		3 | COPY requirements.txt .
		4 | 
		5 | RUN pip install -r requirements.txt --target "${LAMBDA_TASK_ROOT}"
		6 | 
		7 | COPY update_log_table.py ${LAMBDA_TASK_ROOT}
		8 | 
		9 | CMD ["update_log_table.handler"]

checkov_exitcode=1

CTFLint Scan Failed

Show Output 
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/electronic-monitoring-data

*****************************

Running tflint in terraform/environments/electronic-monitoring-data
Excluding the following checks: terraform_unused_declarations
4 issue(s) found:

Warning: module "cmt_front_end_assumable_role" should specify a version (terraform_module_version)

  on terraform/environments/electronic-monitoring-data/cloud_platform_share.tf line 1:
   1: module "cmt_front_end_assumable_role" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_module_version.md

Warning: Missing version constraint for provider "archive" in `required_providers` (terraform_required_providers)

  on terraform/environments/electronic-monitoring-data/data_store.tf line 151:
 151: data "archive_file" "summarise_zip_lambda" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: `s3_pylib_dir_path` variable has no type (terraform_typed_variables)

  on terraform/environments/electronic-monitoring-data/glue_variables.tf line 1:
   1: variable "s3_pylib_dir_path" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_typed_variables.md

Warning: Missing version constraint for provider "random" in `required_providers` (terraform_required_providers)

  on terraform/environments/electronic-monitoring-data/server_backups.tf line 13:
  13: resource "random_password" "random_password" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

tflint_exitcode=2

Trivy Scan Failed

Show Output 
*****************************

Trivy will check the following folders:
terraform/environments/electronic-monitoring-data

*****************************

Running Trivy in terraform/environments/electronic-monitoring-data
2024-11-29T12:38:47Z	INFO	[vulndb] Need to update DB
2024-11-29T12:38:47Z	INFO	[vulndb] Downloading vulnerability DB...
2024-11-29T12:38:47Z	INFO	[vulndb] Downloading artifact...	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-11-29T12:38:49Z	INFO	[vulndb] Artifact successfully downloaded	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-11-29T12:38:49Z	INFO	[vuln] Vulnerability scanning is enabled
2024-11-29T12:38:49Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-11-29T12:38:49Z	INFO	[misconfig] Need to update the built-in checks
2024-11-29T12:38:49Z	INFO	[misconfig] Downloading the built-in checks...
160.25 KiB / 160.25 KiB [------------------------------------------------------] 100.00% ? p/s 100ms2024-11-29T12:38:50Z	INFO	[secret] Secret scanning is enabled
2024-11-29T12:38:50Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-11-29T12:38:50Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-11-29T12:38:52Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-11-29T12:38:52Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2024-11-29T12:38:53Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.create_athena_table.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-29T12:38:53Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.create_athena_table.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-29T12:38:53Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.get_file_keys_for_table.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-29T12:38:53Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.get_file_keys_for_table.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-29T12:38:53Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.get_metadata_from_rds_lambda.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-29T12:38:53Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.get_metadata_from_rds_lambda.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-29T12:38:53Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.output_file_structure_as_json_from_zip.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-29T12:38:53Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.output_file_structure_as_json_from_zip.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-29T12:38:54Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.query_output_to_list.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-29T12:38:54Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.query_output_to_list.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-29T12:38:54Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.rds_bastion.aws_s3_object.user_public_keys" value="cty.NilVal"
2024-11-29T12:38:54Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.rds_bastion.data.aws_subnet.local_account" value="cty.NilVal"
2024-11-29T12:38:54Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.rds_bastion.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-29T12:38:54Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.rds_bastion.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-29T12:38:54Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.output_file_structure_as_json_from_zip.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-29T12:38:54Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.output_file_structure_as_json_from_zip.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-29T12:38:54Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.create_athena_table.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-29T12:38:54Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.create_athena_table.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-29T12:38:54Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.get_file_keys_for_table.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-29T12:38:54Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.get_file_keys_for_table.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-29T12:39:01Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-enable-versioning" range="s3.tf:1121-1140"
2024-11-29T12:39:01Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-user-attached-policies" range="modules/landing_bucket_iam_user_access/main.tf:2-10"
2024-11-29T12:39:01Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-user-attached-policies" range="modules/landing_bucket_iam_user_access/main.tf:2-10"
2024-11-29T12:39:01Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-11-29T12:39:01Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-11-29T12:39:01Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-11-29T12:39:01Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-11-29T12:39:01Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-11-29T12:39:01Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-11-29T12:39:01Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-11-29T12:39:01Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-11-29T12:39:01Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-11-29T12:39:01Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-11-29T12:39:01Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-11-29T12:39:01Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=95ed3c3/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2024-11-29T12:39:01Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="s3.tf:1121-1140"
2024-11-29T12:39:01Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-enable-logging" range="s3.tf:1121-1140"
2024-11-29T12:39:01Z	INFO	[terraform executor] Ignore finding	rule="aws-ssm-secret-use-customer-key" range="analytical_platform_share.tf:50-68"
2024-11-29T12:39:01Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-enable-bucket-encryption" range="s3.tf:1121-1140"
2024-11-29T12:39:01Z	INFO	[terraform executor] Ignore finding	rule="aws-cloudwatch-log-group-customer-key" range="modules/api_step_function/main.tf:281-286"
2024-11-29T12:39:01Z	INFO	[terraform executor] Ignore finding	rule="aws-cloudwatch-log-group-customer-key" range="modules/api_step_function/main.tf:407-411"
2024-11-29T12:39:01Z	WARN	[pip] Unable to find python `site-packages` directory. License detection is skipped.	err="site-packages directory not found"
2024-11-29T12:39:01Z	INFO	Number of language-specific files	num=1
2024-11-29T12:39:01Z	INFO	[pip] Detecting vulnerabilities...
2024-11-29T12:39:01Z	INFO	Detected config files	num=17

lambdas/update_log_table/Dockerfile (dockerfile)
================================================
Tests: 21 (SUCCESSES: 20, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-DS-0002 (HIGH): Specify at least 1 USER command in Dockerfile with non-root user as argument
════════════════════════════════════════
Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.

See https://avd.aquasec.com/misconfig/ds002
────────────────────────────────────────


trivy_exitcode=1

@pricemg pricemg temporarily deployed to electronic-monitoring-data-development November 29, 2024 12:41 — with GitHub Actions Inactive
@JazJax
Update terraform/environments/electronic-monitoring-data/cloud_platfo…
696a779 
…rm_share.tf


suggested version add to make static analysis happy
@JazJax JazJax temporarily deployed to electronic-monitoring-data-development November 29, 2024 13:16 — with GitHub Actions Inactive
@JazJax
Update cloud_platform_share.tf
3dddca5 
I got the assumed role bit wrong, I think
@github-actions GitHub Actions
Copy link
Contributor

Trivy Scan Failed

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/electronic-monitoring-data

Running Trivy in terraform/environments/electronic-monitoring-data
2024-11-29T13:47:19Z INFO [vulndb] Need to update DB
2024-11-29T13:47:19Z INFO [vulndb] Downloading vulnerability DB...
2024-11-29T13:47:19Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-11-29T13:47:22Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-11-29T13:47:22Z INFO [vuln] Vulnerability scanning is enabled
2024-11-29T13:47:22Z INFO [misconfig] Misconfiguration scanning is enabled
2024-11-29T13:47:22Z INFO [misconfig] Need to update the built-in checks
2024-11-29T13:47:22Z INFO [misconfig] Downloading the built-in checks...
160.25 KiB / 160.25 KiB [------------------------------------------------------] 100.00% ? p/s 100ms2024-11-29T13:47:22Z INFO [secret] Secret scanning is enabled
2024-11-29T13:47:22Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-11-29T13:47:22Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-11-29T13:47:23Z INFO [terraform scanner] Scanning root module file_path="."
2024-11-29T13:47:23Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2024-11-29T13:47:25Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.create_athena_table.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-29T13:47:25Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.create_athena_table.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-29T13:47:25Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.get_file_keys_for_table.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-29T13:47:25Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.get_file_keys_for_table.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-29T13:47:25Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.get_metadata_from_rds_lambda.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-29T13:47:25Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.get_metadata_from_rds_lambda.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-29T13:47:25Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.output_file_structure_as_json_from_zip.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-29T13:47:25Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.output_file_structure_as_json_from_zip.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-29T13:47:25Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.query_output_to_list.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-29T13:47:25Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.query_output_to_list.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-29T13:47:25Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.rds_bastion.aws_s3_object.user_public_keys" value="cty.NilVal"
2024-11-29T13:47:25Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.rds_bastion.data.aws_subnet.local_account" value="cty.NilVal"
2024-11-29T13:47:25Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.rds_bastion.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-29T13:47:25Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.rds_bastion.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-29T13:47:25Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.output_file_structure_as_json_from_zip.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-29T13:47:25Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.output_file_structure_as_json_from_zip.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-29T13:47:25Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.create_athena_table.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-29T13:47:25Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.create_athena_table.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-29T13:47:25Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.get_file_keys_for_table.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-29T13:47:25Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.get_file_keys_for_table.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-29T13:47:31Z INFO [terraform executor] Ignore finding rule="aws-cloudwatch-log-group-customer-key" range="modules/api_step_function/main.tf:281-286"
2024-11-29T13:47:31Z INFO [terraform executor] Ignore finding rule="aws-cloudwatch-log-group-customer-key" range="modules/api_step_function/main.tf:407-411"
2024-11-29T13:47:31Z INFO [terraform executor] Ignore finding rule="aws-s3-enable-logging" range="s3.tf:1121-1140"
2024-11-29T13:47:31Z INFO [terraform executor] Ignore finding rule="aws-s3-enable-versioning" range="s3.tf:1121-1140"
2024-11-29T13:47:31Z INFO [terraform executor] Ignore finding rule="aws-s3-enable-bucket-encryption" range="s3.tf:1121-1140"
2024-11-29T13:47:31Z INFO [terraform executor] Ignore finding rule="aws-ssm-secret-use-customer-key" range="analytical_platform_share.tf:50-68"
2024-11-29T13:47:31Z INFO [terraform executor] Ignore finding rule="aws-iam-no-user-attached-policies" range="modules/landing_bucket_iam_user_access/main.tf:2-10"
2024-11-29T13:47:31Z INFO [terraform executor] Ignore finding rule="aws-iam-no-user-attached-policies" range="modules/landing_bucket_iam_user_access/main.tf:2-10"
2024-11-29T13:47:31Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-11-29T13:47:31Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-11-29T13:47:31Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-11-29T13:47:31Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-11-29T13:47:31Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-11-29T13:47:31Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-11-29T13:47:31Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-11-29T13:47:31Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-11-29T13:47:31Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-11-29T13:47:31Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-11-29T13:47:31Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-11-29T13:47:31Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=95ed3c3/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2024-11-29T13:47:31Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="s3.tf:1121-1140"
2024-11-29T13:47:32Z WARN [pip] Unable to find python site-packages directory. License detection is skipped. err="site-packages directory not found"
2024-11-29T13:47:32Z INFO Number of language-specific files num=1
2024-11-29T13:47:32Z INFO [pip] Detecting vulnerabilities...
2024-11-29T13:47:32Z INFO Detected config files num=17

lambdas/update_log_table/Dockerfile (dockerfile)

Tests: 21 (SUCCESSES: 20, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-DS-0002 (HIGH): Specify at least 1 USER command in Dockerfile with non-root user as argument
════════════════════════════════════════
Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.

See https://avd.aquasec.com/misconfig/ds002
────────────────────────────────────────

trivy_exitcode=1

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/electronic-monitoring-data

*****************************

Running Checkov in terraform/environments/electronic-monitoring-data
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-11-29 13:47:34,963 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=95ed3c3:None (for external modules, the --download-external-modules flag is required)
2024-11-29 13:47:34,963 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060:None (for external modules, the --download-external-modules flag is required)
2024-11-29 13:47:34,963 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-assumable-role:5.48.0 (for external modules, the --download-external-modules flag is required)
2024-11-29 13:47:34,964 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/secrets-manager/aws:1.3.0 (for external modules, the --download-external-modules flag is required)
2024-11-29 13:47:34,964 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/kms/aws:3.1.1 (for external modules, the --download-external-modules flag is required)
2024-11-29 13:47:34,964 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=52a40b0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 2975, Failed checks: 80, Skipped checks: 95

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.s3_events
	File: /data_store.tf:17-19
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		17 | resource "aws_sns_topic" "s3_events" {
		18 |   name = "${module.s3-data-bucket.bucket.id}-object-created-topic"
		19 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:82-98
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		82 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		83 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		84 |   function_name = "calculate-checksum-lambda"
		85 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		86 |   handler       = "calculate_checksum_lambda.handler"
		87 |   runtime       = "python3.12"
		88 |   memory_size   = 4096
		89 |   timeout       = 900
		90 | 
		91 |   environment {
		92 |     variables = {
		93 |       Checksum = var.checksum_algorithm
		94 |     }
		95 |   }
		96 | 
		97 |   tags = local.tags
		98 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:82-98
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		82 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		83 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		84 |   function_name = "calculate-checksum-lambda"
		85 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		86 |   handler       = "calculate_checksum_lambda.handler"
		87 |   runtime       = "python3.12"
		88 |   memory_size   = 4096
		89 |   timeout       = 900
		90 | 
		91 |   environment {
		92 |     variables = {
		93 |       Checksum = var.checksum_algorithm
		94 |     }
		95 |   }
		96 | 
		97 |   tags = local.tags
		98 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:82-98
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		82 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		83 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		84 |   function_name = "calculate-checksum-lambda"
		85 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		86 |   handler       = "calculate_checksum_lambda.handler"
		87 |   runtime       = "python3.12"
		88 |   memory_size   = 4096
		89 |   timeout       = 900
		90 | 
		91 |   environment {
		92 |     variables = {
		93 |       Checksum = var.checksum_algorithm
		94 |     }
		95 |   }
		96 | 
		97 |   tags = local.tags
		98 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:82-98
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		82 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		83 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		84 |   function_name = "calculate-checksum-lambda"
		85 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		86 |   handler       = "calculate_checksum_lambda.handler"
		87 |   runtime       = "python3.12"
		88 |   memory_size   = 4096
		89 |   timeout       = 900
		90 | 
		91 |   environment {
		92 |     variables = {
		93 |       Checksum = var.checksum_algorithm
		94 |     }
		95 |   }
		96 | 
		97 |   tags = local.tags
		98 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:82-98
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		82 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		83 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		84 |   function_name = "calculate-checksum-lambda"
		85 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		86 |   handler       = "calculate_checksum_lambda.handler"
		87 |   runtime       = "python3.12"
		88 |   memory_size   = 4096
		89 |   timeout       = 900
		90 | 
		91 |   environment {
		92 |     variables = {
		93 |       Checksum = var.checksum_algorithm
		94 |     }
		95 |   }
		96 | 
		97 |   tags = local.tags
		98 | }

Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:82-98
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1

		82 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		83 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		84 |   function_name = "calculate-checksum-lambda"
		85 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		86 |   handler       = "calculate_checksum_lambda.handler"
		87 |   runtime       = "python3.12"
		88 |   memory_size   = 4096
		89 |   timeout       = 900
		90 | 
		91 |   environment {
		92 |     variables = {
		93 |       Checksum = var.checksum_algorithm
		94 |     }
		95 |   }
		96 | 
		97 |   tags = local.tags
		98 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:157-168
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		157 | resource "aws_lambda_function" "summarise_zip_lambda" {
		158 |   filename         = "lambdas/summarise_zip_lambda.zip"
		159 |   function_name    = "summarise-zip-lambda"
		160 |   role             = aws_iam_role.summarise_zip_lambda.arn
		161 |   handler          = "summarise_zip_lambda.handler"
		162 |   runtime          = "python3.12"
		163 |   timeout          = 900
		164 |   memory_size      = 1024
		165 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		166 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		167 |   tags             = local.tags
		168 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:157-168
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		157 | resource "aws_lambda_function" "summarise_zip_lambda" {
		158 |   filename         = "lambdas/summarise_zip_lambda.zip"
		159 |   function_name    = "summarise-zip-lambda"
		160 |   role             = aws_iam_role.summarise_zip_lambda.arn
		161 |   handler          = "summarise_zip_lambda.handler"
		162 |   runtime          = "python3.12"
		163 |   timeout          = 900
		164 |   memory_size      = 1024
		165 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		166 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		167 |   tags             = local.tags
		168 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:157-168
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		157 | resource "aws_lambda_function" "summarise_zip_lambda" {
		158 |   filename         = "lambdas/summarise_zip_lambda.zip"
		159 |   function_name    = "summarise-zip-lambda"
		160 |   role             = aws_iam_role.summarise_zip_lambda.arn
		161 |   handler          = "summarise_zip_lambda.handler"
		162 |   runtime          = "python3.12"
		163 |   timeout          = 900
		164 |   memory_size      = 1024
		165 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		166 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		167 |   tags             = local.tags
		168 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:157-168
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		157 | resource "aws_lambda_function" "summarise_zip_lambda" {
		158 |   filename         = "lambdas/summarise_zip_lambda.zip"
		159 |   function_name    = "summarise-zip-lambda"
		160 |   role             = aws_iam_role.summarise_zip_lambda.arn
		161 |   handler          = "summarise_zip_lambda.handler"
		162 |   runtime          = "python3.12"
		163 |   timeout          = 900
		164 |   memory_size      = 1024
		165 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		166 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		167 |   tags             = local.tags
		168 | }

Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:157-168
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1

		157 | resource "aws_lambda_function" "summarise_zip_lambda" {
		158 |   filename         = "lambdas/summarise_zip_lambda.zip"
		159 |   function_name    = "summarise-zip-lambda"
		160 |   role             = aws_iam_role.summarise_zip_lambda.arn
		161 |   handler          = "summarise_zip_lambda.handler"
		162 |   runtime          = "python3.12"
		163 |   timeout          = 900
		164 |   memory_size      = 1024
		165 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		166 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		167 |   tags             = local.tags
		168 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.dms_dv_cw_log_group
	File: /dms_data_validation_glue_job.tf:58-61
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		58 | resource "aws_cloudwatch_log_group" "dms_dv_cw_log_group" {
		59 |   name              = "dms-dv-glue-job"
		60 |   retention_in_days = 14
		61 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.dms_dv_cw_log_group
	File: /dms_data_validation_glue_job.tf:58-61
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		58 | resource "aws_cloudwatch_log_group" "dms_dv_cw_log_group" {
		59 |   name              = "dms-dv-glue-job"
		60 |   retention_in_days = 14
		61 | }

Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.catalog_dv_table_glue_job
	File: /dms_data_validation_glue_job.tf:373-403
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		373 | resource "aws_glue_job" "catalog_dv_table_glue_job" {
		374 |   count = local.gluejob_count
		375 | 
		376 |   name              = "catalog-dv-table-glue-job"
		377 |   description       = "Python script uses Boto3-Athena-Client to run sql-statements"
		378 |   role_arn          = aws_iam_role.dms_dv_glue_job_iam_role.arn
		379 |   glue_version      = "4.0"
		380 |   worker_type       = "G.1X"
		381 |   number_of_workers = 2
		382 |   default_arguments = {
		383 |     "--parquet_output_bucket_name"       = module.s3-dms-data-validation-bucket.bucket.id
		384 |     "--glue_catalog_db_name"             = aws_glue_catalog_database.dms_dv_glue_catalog_db.name
		385 |     "--glue_catalog_tbl_name"            = "glue_df_output"
		386 |     "--continuous-log-logGroup"          = aws_cloudwatch_log_group.dms_dv_cw_log_group.name
		387 |     "--enable-continuous-cloudwatch-log" = "true"
		388 |     "--enable-continuous-log-filter"     = "true"
		389 |     "--enable-metrics"                   = ""
		390 |   }
		391 |   command {
		392 |     python_version  = "3"
		393 |     script_location = "s3://${module.s3-glue-job-script-bucket.bucket.id}/create_or_replace_dv_table.py"
		394 |   }
		395 | 
		396 |   tags = merge(
		397 |     local.tags,
		398 |     {
		399 |       Resource_Type = "Py script as glue-job that creates dv table / refreshes its partitions",
		400 |     }
		401 |   )
		402 | 
		403 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.dms_dv_rds_to_s3_parquet_v1
	File: /dms_data_validation_glue_job_v2.tf:10-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		10 | resource "aws_cloudwatch_log_group" "dms_dv_rds_to_s3_parquet_v1" {
		11 |   name              = "dms-dv-rds-to-s3-parquet-v1"
		12 |   retention_in_days = 14
		13 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.dms_dv_rds_to_s3_parquet_v1
	File: /dms_data_validation_glue_job_v2.tf:10-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		10 | resource "aws_cloudwatch_log_group" "dms_dv_rds_to_s3_parquet_v1" {
		11 |   name              = "dms-dv-rds-to-s3-parquet-v1"
		12 |   retention_in_days = 14
		13 | }

Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.dms_dv_rds_to_s3_parquet_v1
	File: /dms_data_validation_glue_job_v2.tf:22-77
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.dms_dv_rds_to_s3_parquet_v2
	File: /dms_data_validation_glue_job_v2.tf:87-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		87 | resource "aws_cloudwatch_log_group" "dms_dv_rds_to_s3_parquet_v2" {
		88 |   name              = "dms-dv-rds-to-s3-parquet-v2"
		89 |   retention_in_days = 14
		90 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.dms_dv_rds_to_s3_parquet_v2
	File: /dms_data_validation_glue_job_v2.tf:87-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		87 | resource "aws_cloudwatch_log_group" "dms_dv_rds_to_s3_parquet_v2" {
		88 |   name              = "dms-dv-rds-to-s3-parquet-v2"
		89 |   retention_in_days = 14
		90 | }

Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.dms_dv_rds_to_s3_parquet_v2
	File: /dms_data_validation_glue_job_v2.tf:99-154
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.etl_rds_to_s3_parquet_partitionby_yyyy_mm
	File: /dms_data_validation_glue_job_v2.tf:157-160
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		157 | resource "aws_cloudwatch_log_group" "etl_rds_to_s3_parquet_partitionby_yyyy_mm" {
		158 |   name              = "etl-rds-to-s3-parquet-partitionby-yyyy-mm"
		159 |   retention_in_days = 14
		160 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.etl_rds_to_s3_parquet_partitionby_yyyy_mm
	File: /dms_data_validation_glue_job_v2.tf:157-160
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		157 | resource "aws_cloudwatch_log_group" "etl_rds_to_s3_parquet_partitionby_yyyy_mm" {
		158 |   name              = "etl-rds-to-s3-parquet-partitionby-yyyy-mm"
		159 |   retention_in_days = 14
		160 | }

Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.etl_rds_to_s3_parquet_partitionby_yyyy_mm
	File: /dms_data_validation_glue_job_v2.tf:169-223
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.etl_dv_rds_to_s3_parquet_partitionby_yyyy_mm
	File: /dms_data_validation_glue_job_v2.tf:226-229
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		226 | resource "aws_cloudwatch_log_group" "etl_dv_rds_to_s3_parquet_partitionby_yyyy_mm" {
		227 |   name              = "etl-dv-rds-to-s3-parquet-partitionby-yyyy-mm"
		228 |   retention_in_days = 14
		229 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.etl_dv_rds_to_s3_parquet_partitionby_yyyy_mm
	File: /dms_data_validation_glue_job_v2.tf:226-229
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		226 | resource "aws_cloudwatch_log_group" "etl_dv_rds_to_s3_parquet_partitionby_yyyy_mm" {
		227 |   name              = "etl-dv-rds-to-s3-parquet-partitionby-yyyy-mm"
		228 |   retention_in_days = 14
		229 | }

Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.etl_dv_rds_to_s3_parquet_partitionby_yyyy_mm
	File: /dms_data_validation_glue_job_v2.tf:238-304
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.parquet_resize_or_partitionby_yyyy_mm_dd
	File: /dms_data_validation_glue_job_v2.tf:307-310
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		307 | resource "aws_cloudwatch_log_group" "parquet_resize_or_partitionby_yyyy_mm_dd" {
		308 |   name              = "parquet-resize-or-partitionby-yyyy-mm-dd"
		309 |   retention_in_days = 14
		310 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.parquet_resize_or_partitionby_yyyy_mm_dd
	File: /dms_data_validation_glue_job_v2.tf:307-310
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		307 | resource "aws_cloudwatch_log_group" "parquet_resize_or_partitionby_yyyy_mm_dd" {
		308 |   name              = "parquet-resize-or-partitionby-yyyy-mm-dd"
		309 |   retention_in_days = 14
		310 | }

Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.parquet_resize_or_partitionby_yyyy_mm_dd
	File: /dms_data_validation_glue_job_v2.tf:319-373
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.etl_table_rows_hashvalue_to_parquet
	File: /dms_data_validation_glue_job_v2.tf:376-379
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		376 | resource "aws_cloudwatch_log_group" "etl_table_rows_hashvalue_to_parquet" {
		377 |   name              = "etl-table-rows-hashvalue-to-parquet"
		378 |   retention_in_days = 14
		379 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.etl_table_rows_hashvalue_to_parquet
	File: /dms_data_validation_glue_job_v2.tf:376-379
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		376 | resource "aws_cloudwatch_log_group" "etl_table_rows_hashvalue_to_parquet" {
		377 |   name              = "etl-table-rows-hashvalue-to-parquet"
		378 |   retention_in_days = 14
		379 | }

Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.etl_table_rows_hashvalue_to_parquet
	File: /dms_data_validation_glue_job_v2.tf:388-438
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.dms_dv_on_rows_hashvalue
	File: /dms_data_validation_glue_job_v2.tf:442-445
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		442 | resource "aws_cloudwatch_log_group" "dms_dv_on_rows_hashvalue" {
		443 |   name              = "dms-dv-on-rows-hashvalue"
		444 |   retention_in_days = 14
		445 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.dms_dv_on_rows_hashvalue
	File: /dms_data_validation_glue_job_v2.tf:442-445
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		442 | resource "aws_cloudwatch_log_group" "dms_dv_on_rows_hashvalue" {
		443 |   name              = "dms-dv-on-rows-hashvalue"
		444 |   retention_in_days = 14
		445 | }

Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.dms_dv_on_rows_hashvalue
	File: /dms_data_validation_glue_job_v2.tf:454-505
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.etl_rds_tbl_hash_rows_to_s3_prq_partitionby_yyyy_mm
	File: /dms_data_validation_glue_job_v2.tf:509-512
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		509 | resource "aws_cloudwatch_log_group" "etl_rds_tbl_hash_rows_to_s3_prq_partitionby_yyyy_mm" {
		510 |   name              = "etl-rds-tbl-hash-rows-to-s3-prq-partitionby-yyyy-mm"
		511 |   retention_in_days = 14
		512 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.etl_rds_tbl_hash_rows_to_s3_prq_partitionby_yyyy_mm
	File: /dms_data_validation_glue_job_v2.tf:509-512
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		509 | resource "aws_cloudwatch_log_group" "etl_rds_tbl_hash_rows_to_s3_prq_partitionby_yyyy_mm" {
		510 |   name              = "etl-rds-tbl-hash-rows-to-s3-prq-partitionby-yyyy-mm"
		511 |   retention_in_days = 14
		512 | }

Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.etl_rds_tbl_hash_rows_to_s3_prq_partitionby_yyyy_mm
	File: /dms_data_validation_glue_job_v2.tf:521-576
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.etl_rds_sqlserver_query_to_s3_parquet
	File: /dms_data_validation_glue_job_v2.tf:578-581
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		578 | resource "aws_cloudwatch_log_group" "etl_rds_sqlserver_query_to_s3_parquet" {
		579 |   name              = "etl-rds-sqlserver-query-to-s3-parquet"
		580 |   retention_in_days = 14
		581 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.etl_rds_sqlserver_query_to_s3_parquet
	File: /dms_data_validation_glue_job_v2.tf:578-581
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		578 | resource "aws_cloudwatch_log_group" "etl_rds_sqlserver_query_to_s3_parquet" {
		579 |   name              = "etl-rds-sqlserver-query-to-s3-parquet"
		580 |   retention_in_days = 14
		581 | }

Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.etl_rds_sqlserver_query_to_s3_parquet
	File: /dms_data_validation_glue_job_v2.tf:590-644
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_crawler.rds_sqlserver_db_glue_crawler
	File: /dms_glue_crawler.tf:35-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		35 | resource "aws_glue_crawler" "rds_sqlserver_db_glue_crawler" {
		36 |   name          = "rds-sqlserver-${aws_db_instance.database_2022.identifier}-tf"
		37 |   role          = aws_iam_role.dms_dv_glue_job_iam_role.arn
		38 |   database_name = aws_glue_catalog_database.rds_sqlserver_glue_catalog_db.name
		39 |   description   = "Crawler to fetch database names"
		40 |   #   table_prefix  = "your_table_prefix"
		41 | 
		42 |   jdbc_target {
		43 |     connection_name = aws_glue_connection.glue_rds_sqlserver_db_connection.name
		44 |     path            = "%"
		45 |   }
		46 |   tags = merge(
		47 |     local.tags,
		48 |     {
		49 |       Resource_Type = "RDS-SQLServer Glue-Crawler for DMS",
		50 |     }
		51 |   )
		52 | 
		53 |   # provisioner "local-exec" {
		54 |   #   command = "aws glue start-crawler --name ${self.name}"
		55 |   # }
		56 | }

Check: CKV_AWS_212: "Ensure DMS replication instance is encrypted by KMS using a customer managed Key (CMK)"
	FAILED for resource: aws_dms_replication_instance.dms_replication_instance
	File: /dms_replication_instance.tf:24-55
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-ebs-volume-is-encrypted-by-key-management-service-kms-using-a-customer-managed-key-cmk

		24 | resource "aws_dms_replication_instance" "dms_replication_instance" {
		25 |   allocated_storage          = var.dms_allocated_storage_gib
		26 |   apply_immediately          = true
		27 |   auto_minor_version_upgrade = true
		28 |   availability_zone          = var.dms_availability_zone
		29 |   engine_version             = var.dms_engine_version
		30 |   #   kms_key_arn                  = "arn:aws:kms:eu-west-2:800964199911:key/b7f54acb-16a3-4958-9340-3bdf5f5842d8"
		31 |   multi_az = false
		32 |   #   preferred_maintenance_window = "sun:10:30-sun:14:30"
		33 |   publicly_accessible         = false
		34 |   replication_instance_class  = var.dms_replication_instance_class
		35 |   replication_instance_id     = "dms-replication-instance-tf"
		36 |   replication_subnet_group_id = aws_dms_replication_subnet_group.dms_replication_subnet_group.id
		37 | 
		38 |   tags = merge(
		39 |     local.tags,
		40 |     {
		41 |       Resource_Type = "DMS Replication Instance",
		42 |     }
		43 |   )
		44 | 
		45 |   vpc_security_group_ids = [
		46 |     aws_security_group.dms_ri_security_group.id,
		47 |   ]
		48 | 
		49 |   depends_on = [
		50 |     aws_iam_role.dms_vpc_role,
		51 |     aws_iam_role.dms_cloudwatch_logs_role,
		52 |     aws_iam_role.dms_endpoint_role
		53 |   ]
		54 | 
		55 | }

Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
	FAILED for resource: aws_vpc_security_group_ingress_rule.glue_rds_conn_inbound
	File: /dms_security_groups.tf:105-113
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80

		105 | resource "aws_vpc_security_group_ingress_rule" "glue_rds_conn_inbound" {
		106 |   security_group_id = aws_security_group.glue_rds_conn_security_group.id
		107 | 
		108 |   referenced_security_group_id = aws_security_group.glue_rds_conn_security_group.id
		109 |   ip_protocol                  = "tcp"
		110 |   from_port                    = 0
		111 |   to_port                      = 65535
		112 |   description                  = "Required ports open for Glue-RDS-Connection"
		113 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.glue_rds_conn_inbound
	File: /dms_security_groups.tf:105-113
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		105 | resource "aws_vpc_security_group_ingress_rule" "glue_rds_conn_inbound" {
		106 |   security_group_id = aws_security_group.glue_rds_conn_security_group.id
		107 | 
		108 |   referenced_security_group_id = aws_security_group.glue_rds_conn_security_group.id
		109 |   ip_protocol                  = "tcp"
		110 |   from_port                    = 0
		111 |   to_port                      = 65535
		112 |   description                  = "Required ports open for Glue-RDS-Connection"
		113 | }

Check: CKV_AWS_25: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389"
	FAILED for resource: aws_vpc_security_group_ingress_rule.glue_rds_conn_inbound
	File: /dms_security_groups.tf:105-113
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-2

		105 | resource "aws_vpc_security_group_ingress_rule" "glue_rds_conn_inbound" {
		106 |   security_group_id = aws_security_group.glue_rds_conn_security_group.id
		107 | 
		108 |   referenced_security_group_id = aws_security_group.glue_rds_conn_security_group.id
		109 |   ip_protocol                  = "tcp"
		110 |   from_port                    = 0
		111 |   to_port                      = 65535
		112 |   description                  = "Required ports open for Glue-RDS-Connection"
		113 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.glue_notebook_ec2_iam_policy_document
	File: /glue_data.tf:103-118
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		103 | data "aws_iam_policy_document" "glue_notebook_ec2_iam_policy_document" {
		104 |   statement {
		105 |     effect = "Allow"
		106 |     actions = [
		107 |       "ec2:CreateNetworkInterface",
		108 |       "ec2:DescribeNetworkInterfaces",
		109 |       "ec2:DeleteNetworkInterface",
		110 |       "ec2:DescribeVpcEndpoints",
		111 |       "ec2:DescribeSubnets",
		112 |       "ec2:DescribeVpcAttribute",
		113 |       "ec2:DescribeRouteTables",
		114 |       "ec2:DescribeSecurityGroups"
		115 |     ]
		116 |     resources = ["*"]
		117 |   }
		118 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.glue_notebook_ec2_iam_policy_document
	File: /glue_data.tf:103-118
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		103 | data "aws_iam_policy_document" "glue_notebook_ec2_iam_policy_document" {
		104 |   statement {
		105 |     effect = "Allow"
		106 |     actions = [
		107 |       "ec2:CreateNetworkInterface",
		108 |       "ec2:DescribeNetworkInterfaces",
		109 |       "ec2:DeleteNetworkInterface",
		110 |       "ec2:DescribeVpcEndpoints",
		111 |       "ec2:DescribeSubnets",
		112 |       "ec2:DescribeVpcAttribute",
		113 |       "ec2:DescribeRouteTables",
		114 |       "ec2:DescribeSecurityGroups"
		115 |     ]
		116 |     resources = ["*"]
		117 |   }
		118 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.load_json_table_s3_policy_document
	File: /lambdas_iam.tf:292-349
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.load_json_table_s3_policy_document
	File: /lambdas_iam.tf:292-349
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.db_glue_connection
	File: /lambdas_secrets.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		1 | resource "aws_secretsmanager_secret" "db_glue_connection" {
		2 |   name = "db_glue_connection"
		3 | }

Check: CKV_AWS_296: "Ensure DMS endpoint uses Customer Managed Key (CMK)"
	FAILED for resource: module.dms_task.aws_dms_endpoint.dms_rds_source
	File: /modules/dms/endpoints_rds_s3.tf:2-23
	Calling File: /dms_main.tf:1-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-296

		2  | resource "aws_dms_endpoint" "dms_rds_source" {
		3  | 
		4  |   #   certificate_arn             = ""
		5  |   database_name = var.database_name
		6  |   endpoint_id   = "rds-mssql-${replace(var.database_name, "_", "-")}-tf"
		7  |   endpoint_type = "source"
		8  |   engine_name   = "sqlserver"
		9  |   #   extra_connection_attributes = ""
		10 |   #   kms_key_arn                 = aws_db_instance.database_2022.kms_key_id
		11 |   password    = var.rds_db_instance_pasword
		12 |   port        = var.rds_db_instance_port
		13 |   server_name = var.rds_db_server_name
		14 |   ssl_mode    = "require"
		15 |   username    = var.rds_db_username
		16 | 
		17 |   tags = merge(
		18 |     var.local_tags,
		19 |     {
		20 |       Resource_Type = "DMS Source Endpoint - RDS MSSQL",
		21 |     },
		22 |   )
		23 | }

Check: CKV_AWS_298: "Ensure DMS S3 uses Customer Managed Key (CMK)"
	FAILED for resource: module.dms_task.aws_dms_s3_endpoint.dms_s3_parquet_target
	File: /modules/dms/endpoints_rds_s3.tf:28-84
	Calling File: /dms_main.tf:1-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-298

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_284: "Ensure State Machine has X-Ray tracing enabled"
	FAILED for resource: module.athena_layer.aws_sfn_state_machine.this
	File: /modules/step_function/main.tf:4-14
	Calling File: /step_functions_main.tf:5-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-284

		4  | resource "aws_sfn_state_machine" "this" {
		5  |   name       = var.name
		6  |   role_arn   = aws_iam_role.step_function_role.arn
		7  |   definition = templatefile("step_function_definitions/${var.name}.json.tmpl", var.variable_dictionary)
		8  |   type       = var.type
		9  |   logging_configuration {
		10 |     log_destination        = "${aws_cloudwatch_log_group.this_log_group.arn}:*"
		11 |     include_execution_data = true
		12 |     level                  = "ALL"
		13 |   }
		14 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: module.athena_layer.aws_iam_policy_document.step_function_base_permissions
	File: /modules/step_function/main.tf:44-73
	Calling File: /step_functions_main.tf:5-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		44 | data "aws_iam_policy_document" "step_function_base_permissions" {
		45 |   statement {
		46 |     effect    = "Allow"
		47 |     actions   = ["sns:Publish", "sqs:SendMessage"]
		48 |     resources = ["*"]
		49 |   }
		50 |   statement {
		51 |     effect    = "Allow"
		52 |     actions   = ["kms:GenerateDataKey", "kms:Decrypt"]
		53 |     resources = [aws_kms_key.this_log_key.arn]
		54 |   }
		55 |   statement {
		56 |     effect = "Allow"
		57 |     actions = [
		58 |       "logs:CreateLogDelivery",
		59 |       "logs:CreateLogStream",
		60 |       "logs:GetLogDelivery",
		61 |       "logs:UpdateLogDelivery",
		62 |       "logs:DeleteLogDelivery",
		63 |       "logs:ListLogDeliveries",
		64 |       "logs:PutResourcePolicy",
		65 |       "logs:DescribeResourcePolicies",
		66 |       "logs:DescribeLogGroups",
		67 |       "logs:PutDestination",
		68 |       "logs:PutDestinationPolicy",
		69 |       "logs:PutLogEvents"
		70 |     ]
		71 |     resources = ["*"]
		72 |   }
		73 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.athena_layer.aws_iam_policy_document.step_function_base_permissions
	File: /modules/step_function/main.tf:44-73
	Calling File: /step_functions_main.tf:5-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		44 | data "aws_iam_policy_document" "step_function_base_permissions" {
		45 |   statement {
		46 |     effect    = "Allow"
		47 |     actions   = ["sns:Publish", "sqs:SendMessage"]
		48 |     resources = ["*"]
		49 |   }
		50 |   statement {
		51 |     effect    = "Allow"
		52 |     actions   = ["kms:GenerateDataKey", "kms:Decrypt"]
		53 |     resources = [aws_kms_key.this_log_key.arn]
		54 |   }
		55 |   statement {
		56 |     effect = "Allow"
		57 |     actions = [
		58 |       "logs:CreateLogDelivery",
		59 |       "logs:CreateLogStream",
		60 |       "logs:GetLogDelivery",
		61 |       "logs:UpdateLogDelivery",
		62 |       "logs:DeleteLogDelivery",
		63 |       "logs:ListLogDeliveries",
		64 |       "logs:PutResourcePolicy",
		65 |       "logs:DescribeResourcePolicies",
		66 |       "logs:DescribeLogGroups",
		67 |       "logs:PutDestination",
		68 |       "logs:PutDestinationPolicy",
		69 |       "logs:PutLogEvents"
		70 |     ]
		71 |     resources = ["*"]
		72 |   }
		73 | }

Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: module.athena_layer.aws_iam_policy_document.this_log_key_document
	File: /modules/step_function/main.tf:81-108
	Calling File: /step_functions_main.tf:5-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint

		81  | data "aws_iam_policy_document" "this_log_key_document" {
		82  |   statement {
		83  |     sid    = "EnableIAMUserPermissions"
		84  |     effect = "Allow"
		85  |     principals {
		86  |       type        = "AWS"
		87  |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		88  |     }
		89  |     actions   = ["kms:*"]
		90  |     resources = ["*"]
		91  |   }
		92  | 
		93  |   statement {
		94  |     sid    = "EnableLogServicePermissions"
		95  |     effect = "Allow"
		96  |     principals {
		97  |       type        = "Service"
		98  |       identifiers = ["logs.${data.aws_region.current.name}.amazonaws.com"]
		99  |     }
		100 |     actions = [
		101 |       "kms:Encrypt",
		102 |       "kms:Decrypt",
		103 |       "kms:GenerateDataKey",
		104 |       "kms:DescribeKey"
		105 |     ]
		106 |     resources = ["*"]
		107 |   }
		108 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: module.athena_layer.aws_iam_policy_document.this_log_key_document
	File: /modules/step_function/main.tf:81-108
	Calling File: /step_functions_main.tf:5-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		81  | data "aws_iam_policy_document" "this_log_key_document" {
		82  |   statement {
		83  |     sid    = "EnableIAMUserPermissions"
		84  |     effect = "Allow"
		85  |     principals {
		86  |       type        = "AWS"
		87  |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		88  |     }
		89  |     actions   = ["kms:*"]
		90  |     resources = ["*"]
		91  |   }
		92  | 
		93  |   statement {
		94  |     sid    = "EnableLogServicePermissions"
		95  |     effect = "Allow"
		96  |     principals {
		97  |       type        = "Service"
		98  |       identifiers = ["logs.${data.aws_region.current.name}.amazonaws.com"]
		99  |     }
		100 |     actions = [
		101 |       "kms:Encrypt",
		102 |       "kms:Decrypt",
		103 |       "kms:GenerateDataKey",
		104 |       "kms:DescribeKey"
		105 |     ]
		106 |     resources = ["*"]
		107 |   }
		108 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.athena_layer.aws_iam_policy_document.this_log_key_document
	File: /modules/step_function/main.tf:81-108
	Calling File: /step_functions_main.tf:5-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		81  | data "aws_iam_policy_document" "this_log_key_document" {
		82  |   statement {
		83  |     sid    = "EnableIAMUserPermissions"
		84  |     effect = "Allow"
		85  |     principals {
		86  |       type        = "AWS"
		87  |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		88  |     }
		89  |     actions   = ["kms:*"]
		90  |     resources = ["*"]
		91  |   }
		92  | 
		93  |   statement {
		94  |     sid    = "EnableLogServicePermissions"
		95  |     effect = "Allow"
		96  |     principals {
		97  |       type        = "Service"
		98  |       identifiers = ["logs.${data.aws_region.current.name}.amazonaws.com"]
		99  |     }
		100 |     actions = [
		101 |       "kms:Encrypt",
		102 |       "kms:Decrypt",
		103 |       "kms:GenerateDataKey",
		104 |       "kms:DescribeKey"
		105 |     ]
		106 |     resources = ["*"]
		107 |   }
		108 | }

Check: CKV_AWS_284: "Ensure State Machine has X-Ray tracing enabled"
	FAILED for resource: module.get_zipped_file_api.aws_sfn_state_machine.this
	File: /modules/step_function/main.tf:4-14
	Calling File: /step_functions_main.tf:19-30
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-284

		4  | resource "aws_sfn_state_machine" "this" {
		5  |   name       = var.name
		6  |   role_arn   = aws_iam_role.step_function_role.arn
		7  |   definition = templatefile("step_function_definitions/${var.name}.json.tmpl", var.variable_dictionary)
		8  |   type       = var.type
		9  |   logging_configuration {
		10 |     log_destination        = "${aws_cloudwatch_log_group.this_log_group.arn}:*"
		11 |     include_execution_data = true
		12 |     level                  = "ALL"
		13 |   }
		14 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: module.get_zipped_file_api.aws_iam_policy_document.step_function_base_permissions
	File: /modules/step_function/main.tf:44-73
	Calling File: /step_functions_main.tf:19-30
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		44 | data "aws_iam_policy_document" "step_function_base_permissions" {
		45 |   statement {
		46 |     effect    = "Allow"
		47 |     actions   = ["sns:Publish", "sqs:SendMessage"]
		48 |     resources = ["*"]
		49 |   }
		50 |   statement {
		51 |     effect    = "Allow"
		52 |     actions   = ["kms:GenerateDataKey", "kms:Decrypt"]
		53 |     resources = [aws_kms_key.this_log_key.arn]
		54 |   }
		55 |   statement {
		56 |     effect = "Allow"
		57 |     actions = [
		58 |       "logs:CreateLogDelivery",
		59 |       "logs:CreateLogStream",
		60 |       "logs:GetLogDelivery",
		61 |       "logs:UpdateLogDelivery",
		62 |       "logs:DeleteLogDelivery",
		63 |       "logs:ListLogDeliveries",
		64 |       "logs:PutResourcePolicy",
		65 |       "logs:DescribeResourcePolicies",
		66 |       "logs:DescribeLogGroups",
		67 |       "logs:PutDestination",
		68 |       "logs:PutDestinationPolicy",
		69 |       "logs:PutLogEvents"
		70 |     ]
		71 |     resources = ["*"]
		72 |   }
		73 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.get_zipped_file_api.aws_iam_policy_document.step_function_base_permissions
	File: /modules/step_function/main.tf:44-73
	Calling File: /step_functions_main.tf:19-30
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		44 | data "aws_iam_policy_document" "step_function_base_permissions" {
		45 |   statement {
		46 |     effect    = "Allow"
		47 |     actions   = ["sns:Publish", "sqs:SendMessage"]
		48 |     resources = ["*"]
		49 |   }
		50 |   statement {
		51 |     effect    = "Allow"
		52 |     actions   = ["kms:GenerateDataKey", "kms:Decrypt"]
		53 |     resources = [aws_kms_key.this_log_key.arn]
		54 |   }
		55 |   statement {
		56 |     effect = "Allow"
		57 |     actions = [
		58 |       "logs:CreateLogDelivery",
		59 |       "logs:CreateLogStream",
		60 |       "logs:GetLogDelivery",
		61 |       "logs:UpdateLogDelivery",
		62 |       "logs:DeleteLogDelivery",
		63 |       "logs:ListLogDeliveries",
		64 |       "logs:PutResourcePolicy",
		65 |       "logs:DescribeResourcePolicies",
		66 |       "logs:DescribeLogGroups",
		67 |       "logs:PutDestination",
		68 |       "logs:PutDestinationPolicy",
		69 |       "logs:PutLogEvents"
		70 |     ]
		71 |     resources = ["*"]
		72 |   }
		73 | }

Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: module.get_zipped_file_api.aws_iam_policy_document.this_log_key_document
	File: /modules/step_function/main.tf:81-108
	Calling File: /step_functions_main.tf:19-30
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint

		81  | data "aws_iam_policy_document" "this_log_key_document" {
		82  |   statement {
		83  |     sid    = "EnableIAMUserPermissions"
		84  |     effect = "Allow"
		85  |     principals {
		86  |       type        = "AWS"
		87  |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		88  |     }
		89  |     actions   = ["kms:*"]
		90  |     resources = ["*"]
		91  |   }
		92  | 
		93  |   statement {
		94  |     sid    = "EnableLogServicePermissions"
		95  |     effect = "Allow"
		96  |     principals {
		97  |       type        = "Service"
		98  |       identifiers = ["logs.${data.aws_region.current.name}.amazonaws.com"]
		99  |     }
		100 |     actions = [
		101 |       "kms:Encrypt",
		102 |       "kms:Decrypt",
		103 |       "kms:GenerateDataKey",
		104 |       "kms:DescribeKey"
		105 |     ]
		106 |     resources = ["*"]
		107 |   }
		108 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: module.get_zipped_file_api.aws_iam_policy_document.this_log_key_document
	File: /modules/step_function/main.tf:81-108
	Calling File: /step_functions_main.tf:19-30
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		81  | data "aws_iam_policy_document" "this_log_key_document" {
		82  |   statement {
		83  |     sid    = "EnableIAMUserPermissions"
		84  |     effect = "Allow"
		85  |     principals {
		86  |       type        = "AWS"
		87  |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		88  |     }
		89  |     actions   = ["kms:*"]
		90  |     resources = ["*"]
		91  |   }
		92  | 
		93  |   statement {
		94  |     sid    = "EnableLogServicePermissions"
		95  |     effect = "Allow"
		96  |     principals {
		97  |       type        = "Service"
		98  |       identifiers = ["logs.${data.aws_region.current.name}.amazonaws.com"]
		99  |     }
		100 |     actions = [
		101 |       "kms:Encrypt",
		102 |       "kms:Decrypt",
		103 |       "kms:GenerateDataKey",
		104 |       "kms:DescribeKey"
		105 |     ]
		106 |     resources = ["*"]
		107 |   }
		108 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.get_zipped_file_api.aws_iam_policy_document.this_log_key_document
	File: /modules/step_function/main.tf:81-108
	Calling File: /step_functions_main.tf:19-30
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		81  | data "aws_iam_policy_document" "this_log_key_document" {
		82  |   statement {
		83  |     sid    = "EnableIAMUserPermissions"
		84  |     effect = "Allow"
		85  |     principals {
		86  |       type        = "AWS"
		87  |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		88  |     }
		89  |     actions   = ["kms:*"]
		90  |     resources = ["*"]
		91  |   }
		92  | 
		93  |   statement {
		94  |     sid    = "EnableLogServicePermissions"
		95  |     effect = "Allow"
		96  |     principals {
		97  |       type        = "Service"
		98  |       identifiers = ["logs.${data.aws_region.current.name}.amazonaws.com"]
		99  |     }
		100 |     actions = [
		101 |       "kms:Encrypt",
		102 |       "kms:Decrypt",
		103 |       "kms:GenerateDataKey",
		104 |       "kms:DescribeKey"
		105 |     ]
		106 |     resources = ["*"]
		107 |   }
		108 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.db_password
	File: /server_backups.tf:4-6
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		4 | resource "aws_secretsmanager_secret" "db_password" {
		5 |   name = "db_password"
		6 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-354

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-73

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-353

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-293

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.db_glue_connection
	File: /lambdas_secrets.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		1 | resource "aws_secretsmanager_secret" "db_glue_connection" {
		2 |   name = "db_glue_connection"
		3 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.db_password
	File: /server_backups.tf:4-6
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		4 | resource "aws_secretsmanager_secret" "db_password" {
		5 |   name = "db_password"
		6 | }

Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-60

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.glue_rds_conn_security_group
	File: /dms_security_groups.tf:81-92
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		81 | resource "aws_security_group" "glue_rds_conn_security_group" {
		82 |   name        = "glue-rds-sqlserver-connection-tf"
		83 |   description = "Secuity Group for Glue-RDS-Connection"
		84 |   vpc_id      = data.aws_vpc.shared.id
		85 | 
		86 |   tags = merge(
		87 |     local.tags,
		88 |     {
		89 |       Resource_Type = "Secuity Group for Glue-RDS-Connection",
		90 |     }
		91 |   )
		92 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: module.buddi.module.landing_zone_security_groups.aws_security_group.this
	File: /modules/landing_zone/server_security_group/main.tf:7-22
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		7  | resource "aws_security_group" "this" {
		8  |   name        = "${var.supplier}-${var.user_name}-inbound-ips"
		9  |   description = "Allowed IP addresses for ${var.user_name} on ${var.supplier} server"
		10 |   vpc_id      = var.vpc_id
		11 | 
		12 |   lifecycle {
		13 |     create_before_destroy = true
		14 |   }
		15 | 
		16 |   tags = merge(
		17 |     var.local_tags,
		18 |     {
		19 |       supplier = var.user_name,
		20 |     },
		21 |   )
		22 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: module.capita.module.landing_zone_security_groups.aws_security_group.this
	File: /modules/landing_zone/server_security_group/main.tf:7-22
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		7  | resource "aws_security_group" "this" {
		8  |   name        = "${var.supplier}-${var.user_name}-inbound-ips"
		9  |   description = "Allowed IP addresses for ${var.user_name} on ${var.supplier} server"
		10 |   vpc_id      = var.vpc_id
		11 | 
		12 |   lifecycle {
		13 |     create_before_destroy = true
		14 |   }
		15 | 
		16 |   tags = merge(
		17 |     var.local_tags,
		18 |     {
		19 |       supplier = var.user_name,
		20 |     },
		21 |   )
		22 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: module.g4s.module.landing_zone_security_groups.aws_security_group.this
	File: /modules/landing_zone/server_security_group/main.tf:7-22
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		7  | resource "aws_security_group" "this" {
		8  |   name        = "${var.supplier}-${var.user_name}-inbound-ips"
		9  |   description = "Allowed IP addresses for ${var.user_name} on ${var.supplier} server"
		10 |   vpc_id      = var.vpc_id
		11 | 
		12 |   lifecycle {
		13 |     create_before_destroy = true
		14 |   }
		15 | 
		16 |   tags = merge(
		17 |     var.local_tags,
		18 |     {
		19 |       supplier = var.user_name,
		20 |     },
		21 |   )
		22 | }

dockerfile scan results:

Passed checks: 21, Failed checks: 2, Skipped checks: 0

Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
	FAILED for resource: /lambdas/update_log_table/Dockerfile.
	File: /lambdas/update_log_table/Dockerfile:1-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images

		1 | FROM public.ecr.aws/lambda/python:3.11
		2 | 
		3 | COPY requirements.txt .
		4 | 
		5 | RUN pip install -r requirements.txt --target "${LAMBDA_TASK_ROOT}"
		6 | 
		7 | COPY update_log_table.py ${LAMBDA_TASK_ROOT}
		8 | 
		9 | CMD ["update_log_table.handler"]
Check: CKV_DOCKER_3: "Ensure that a user for the container has been created"
	FAILED for resource: /lambdas/update_log_table/Dockerfile.
	File: /lambdas/update_log_table/Dockerfile:1-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-that-a-user-for-the-container-has-been-created

		1 | FROM public.ecr.aws/lambda/python:3.11
		2 | 
		3 | COPY requirements.txt .
		4 | 
		5 | RUN pip install -r requirements.txt --target "${LAMBDA_TASK_ROOT}"
		6 | 
		7 | COPY update_log_table.py ${LAMBDA_TASK_ROOT}
		8 | 
		9 | CMD ["update_log_table.handler"]

checkov_exitcode=1

CTFLint Scan Failed

Show Output 
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/electronic-monitoring-data

*****************************

Running tflint in terraform/environments/electronic-monitoring-data
Excluding the following checks: terraform_unused_declarations
3 issue(s) found:

Warning: Missing version constraint for provider "archive" in `required_providers` (terraform_required_providers)

  on terraform/environments/electronic-monitoring-data/data_store.tf line 151:
 151: data "archive_file" "summarise_zip_lambda" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: `s3_pylib_dir_path` variable has no type (terraform_typed_variables)

  on terraform/environments/electronic-monitoring-data/glue_variables.tf line 1:
   1: variable "s3_pylib_dir_path" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_typed_variables.md

Warning: Missing version constraint for provider "random" in `required_providers` (terraform_required_providers)

  on terraform/environments/electronic-monitoring-data/server_backups.tf line 13:
  13: resource "random_password" "random_password" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

tflint_exitcode=2

Trivy Scan Failed

Show Output 
*****************************

Trivy will check the following folders:
terraform/environments/electronic-monitoring-data

*****************************

Running Trivy in terraform/environments/electronic-monitoring-data
2024-11-29T13:47:19Z	INFO	[vulndb] Need to update DB
2024-11-29T13:47:19Z	INFO	[vulndb] Downloading vulnerability DB...
2024-11-29T13:47:19Z	INFO	[vulndb] Downloading artifact...	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-11-29T13:47:22Z	INFO	[vulndb] Artifact successfully downloaded	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-11-29T13:47:22Z	INFO	[vuln] Vulnerability scanning is enabled
2024-11-29T13:47:22Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-11-29T13:47:22Z	INFO	[misconfig] Need to update the built-in checks
2024-11-29T13:47:22Z	INFO	[misconfig] Downloading the built-in checks...
160.25 KiB / 160.25 KiB [------------------------------------------------------] 100.00% ? p/s 100ms2024-11-29T13:47:22Z	INFO	[secret] Secret scanning is enabled
2024-11-29T13:47:22Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-11-29T13:47:22Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-11-29T13:47:23Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-11-29T13:47:23Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2024-11-29T13:47:25Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.create_athena_table.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-29T13:47:25Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.create_athena_table.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-29T13:47:25Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.get_file_keys_for_table.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-29T13:47:25Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.get_file_keys_for_table.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-29T13:47:25Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.get_metadata_from_rds_lambda.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-29T13:47:25Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.get_metadata_from_rds_lambda.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-29T13:47:25Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.output_file_structure_as_json_from_zip.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-29T13:47:25Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.output_file_structure_as_json_from_zip.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-29T13:47:25Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.query_output_to_list.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-29T13:47:25Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.query_output_to_list.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-29T13:47:25Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.rds_bastion.aws_s3_object.user_public_keys" value="cty.NilVal"
2024-11-29T13:47:25Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.rds_bastion.data.aws_subnet.local_account" value="cty.NilVal"
2024-11-29T13:47:25Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.rds_bastion.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-29T13:47:25Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.rds_bastion.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-29T13:47:25Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.output_file_structure_as_json_from_zip.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-29T13:47:25Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.output_file_structure_as_json_from_zip.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-29T13:47:25Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.create_athena_table.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-29T13:47:25Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.create_athena_table.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-29T13:47:25Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.get_file_keys_for_table.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-29T13:47:25Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.get_file_keys_for_table.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-29T13:47:31Z	INFO	[terraform executor] Ignore finding	rule="aws-cloudwatch-log-group-customer-key" range="modules/api_step_function/main.tf:281-286"
2024-11-29T13:47:31Z	INFO	[terraform executor] Ignore finding	rule="aws-cloudwatch-log-group-customer-key" range="modules/api_step_function/main.tf:407-411"
2024-11-29T13:47:31Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-enable-logging" range="s3.tf:1121-1140"
2024-11-29T13:47:31Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-enable-versioning" range="s3.tf:1121-1140"
2024-11-29T13:47:31Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-enable-bucket-encryption" range="s3.tf:1121-1140"
2024-11-29T13:47:31Z	INFO	[terraform executor] Ignore finding	rule="aws-ssm-secret-use-customer-key" range="analytical_platform_share.tf:50-68"
2024-11-29T13:47:31Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-user-attached-policies" range="modules/landing_bucket_iam_user_access/main.tf:2-10"
2024-11-29T13:47:31Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-user-attached-policies" range="modules/landing_bucket_iam_user_access/main.tf:2-10"
2024-11-29T13:47:31Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-11-29T13:47:31Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-11-29T13:47:31Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-11-29T13:47:31Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-11-29T13:47:31Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-11-29T13:47:31Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-11-29T13:47:31Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-11-29T13:47:31Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-11-29T13:47:31Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-11-29T13:47:31Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-11-29T13:47:31Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-11-29T13:47:31Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=95ed3c3/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2024-11-29T13:47:31Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="s3.tf:1121-1140"
2024-11-29T13:47:32Z	WARN	[pip] Unable to find python `site-packages` directory. License detection is skipped.	err="site-packages directory not found"
2024-11-29T13:47:32Z	INFO	Number of language-specific files	num=1
2024-11-29T13:47:32Z	INFO	[pip] Detecting vulnerabilities...
2024-11-29T13:47:32Z	INFO	Detected config files	num=17

lambdas/update_log_table/Dockerfile (dockerfile)
================================================
Tests: 21 (SUCCESSES: 20, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-DS-0002 (HIGH): Specify at least 1 USER command in Dockerfile with non-root user as argument
════════════════════════════════════════
Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.

See https://avd.aquasec.com/misconfig/ds002
────────────────────────────────────────


trivy_exitcode=1

@JazJax JazJax temporarily deployed to electronic-monitoring-data-development November 29, 2024 13:47 — with GitHub Actions Inactive
@JazJax
Update cloud_platform_share.tf
ee6c3d4 
removed requirement for MFA - not useful for service accounts
@github-actions GitHub Actions
Copy link
Contributor

Trivy Scan Failed

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/electronic-monitoring-data

Running Trivy in terraform/environments/electronic-monitoring-data
2024-11-29T15:10:08Z INFO [vulndb] Need to update DB
2024-11-29T15:10:08Z INFO [vulndb] Downloading vulnerability DB...
2024-11-29T15:10:08Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-11-29T15:10:11Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-11-29T15:10:11Z INFO [vuln] Vulnerability scanning is enabled
2024-11-29T15:10:11Z INFO [misconfig] Misconfiguration scanning is enabled
2024-11-29T15:10:11Z INFO [misconfig] Need to update the built-in checks
2024-11-29T15:10:11Z INFO [misconfig] Downloading the built-in checks...
2024-11-29T15:10:11Z ERROR [misconfig] Falling back to embedded checks err="failed to download built-in policies: download error: oci download error: failed to fetch the layer: GET https://ghcr.io/v2/aquasecurity/trivy-checks/blobs/sha256:16442a4593a0395452e678ef699a880eec94d9211dfc887d52574beb78b95030: TOOMANYREQUESTS: retry-after: 404.149µs, allowed: 44000/minute"
2024-11-29T15:10:11Z INFO [secret] Secret scanning is enabled
2024-11-29T15:10:11Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-11-29T15:10:11Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-11-29T15:10:12Z INFO [terraform scanner] Scanning root module file_path="."
2024-11-29T15:10:12Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2024-11-29T15:10:14Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.create_athena_table.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-29T15:10:14Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.create_athena_table.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-29T15:10:14Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.get_file_keys_for_table.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-29T15:10:14Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.get_file_keys_for_table.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-29T15:10:14Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.get_metadata_from_rds_lambda.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-29T15:10:14Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.get_metadata_from_rds_lambda.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-29T15:10:14Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.output_file_structure_as_json_from_zip.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-29T15:10:14Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.output_file_structure_as_json_from_zip.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-29T15:10:14Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.query_output_to_list.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-29T15:10:14Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.query_output_to_list.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-29T15:10:14Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.rds_bastion.aws_s3_object.user_public_keys" value="cty.NilVal"
2024-11-29T15:10:14Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.rds_bastion.data.aws_subnet.local_account" value="cty.NilVal"
2024-11-29T15:10:14Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.rds_bastion.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-29T15:10:14Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.rds_bastion.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-29T15:10:15Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.output_file_structure_as_json_from_zip.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-29T15:10:15Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.output_file_structure_as_json_from_zip.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-29T15:10:15Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.create_athena_table.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-29T15:10:15Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.create_athena_table.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-29T15:10:15Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.get_file_keys_for_table.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-29T15:10:15Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.get_file_keys_for_table.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-29T15:10:21Z INFO [terraform executor] Ignore finding rule="aws-iam-no-user-attached-policies" range="modules/landing_bucket_iam_user_access/main.tf:2-10"
2024-11-29T15:10:21Z INFO [terraform executor] Ignore finding rule="aws-iam-no-user-attached-policies" range="modules/landing_bucket_iam_user_access/main.tf:2-10"
2024-11-29T15:10:21Z INFO [terraform executor] Ignore finding rule="aws-s3-enable-logging" range="s3.tf:1121-1140"
2024-11-29T15:10:21Z INFO [terraform executor] Ignore finding rule="aws-ssm-secret-use-customer-key" range="analytical_platform_share.tf:50-68"
2024-11-29T15:10:21Z INFO [terraform executor] Ignore finding rule="aws-s3-enable-bucket-encryption" range="s3.tf:1121-1140"
2024-11-29T15:10:21Z INFO [terraform executor] Ignore finding rule="aws-cloudwatch-log-group-customer-key" range="modules/api_step_function/main.tf:281-286"
2024-11-29T15:10:21Z INFO [terraform executor] Ignore finding rule="aws-cloudwatch-log-group-customer-key" range="modules/api_step_function/main.tf:407-411"
2024-11-29T15:10:21Z INFO [terraform executor] Ignore finding rule="aws-s3-enable-versioning" range="s3.tf:1121-1140"
2024-11-29T15:10:21Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-11-29T15:10:21Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-11-29T15:10:21Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-11-29T15:10:21Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-11-29T15:10:21Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-11-29T15:10:21Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-11-29T15:10:21Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-11-29T15:10:21Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-11-29T15:10:21Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-11-29T15:10:21Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-11-29T15:10:21Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-11-29T15:10:21Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=95ed3c3/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2024-11-29T15:10:21Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="s3.tf:1121-1140"
2024-11-29T15:10:22Z WARN [pip] Unable to find python site-packages directory. License detection is skipped. err="site-packages directory not found"
2024-11-29T15:10:22Z INFO Number of language-specific files num=1
2024-11-29T15:10:22Z INFO [pip] Detecting vulnerabilities...
2024-11-29T15:10:22Z INFO Detected config files num=17

lambdas/update_log_table/Dockerfile (dockerfile)

Tests: 21 (SUCCESSES: 20, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-DS-0002 (HIGH): Specify at least 1 USER command in Dockerfile with non-root user as argument
════════════════════════════════════════
Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.

See https://avd.aquasec.com/misconfig/ds002
────────────────────────────────────────

trivy_exitcode=1

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/electronic-monitoring-data

*****************************

Running Checkov in terraform/environments/electronic-monitoring-data
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-11-29 15:10:24,587 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=95ed3c3:None (for external modules, the --download-external-modules flag is required)
2024-11-29 15:10:24,587 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060:None (for external modules, the --download-external-modules flag is required)
2024-11-29 15:10:24,587 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-assumable-role:5.48.0 (for external modules, the --download-external-modules flag is required)
2024-11-29 15:10:24,587 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/secrets-manager/aws:1.3.0 (for external modules, the --download-external-modules flag is required)
2024-11-29 15:10:24,587 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/kms/aws:3.1.1 (for external modules, the --download-external-modules flag is required)
2024-11-29 15:10:24,587 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=52a40b0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 2975, Failed checks: 80, Skipped checks: 95

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.s3_events
	File: /data_store.tf:17-19
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		17 | resource "aws_sns_topic" "s3_events" {
		18 |   name = "${module.s3-data-bucket.bucket.id}-object-created-topic"
		19 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:82-98
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		82 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		83 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		84 |   function_name = "calculate-checksum-lambda"
		85 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		86 |   handler       = "calculate_checksum_lambda.handler"
		87 |   runtime       = "python3.12"
		88 |   memory_size   = 4096
		89 |   timeout       = 900
		90 | 
		91 |   environment {
		92 |     variables = {
		93 |       Checksum = var.checksum_algorithm
		94 |     }
		95 |   }
		96 | 
		97 |   tags = local.tags
		98 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:82-98
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		82 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		83 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		84 |   function_name = "calculate-checksum-lambda"
		85 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		86 |   handler       = "calculate_checksum_lambda.handler"
		87 |   runtime       = "python3.12"
		88 |   memory_size   = 4096
		89 |   timeout       = 900
		90 | 
		91 |   environment {
		92 |     variables = {
		93 |       Checksum = var.checksum_algorithm
		94 |     }
		95 |   }
		96 | 
		97 |   tags = local.tags
		98 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:82-98
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		82 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		83 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		84 |   function_name = "calculate-checksum-lambda"
		85 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		86 |   handler       = "calculate_checksum_lambda.handler"
		87 |   runtime       = "python3.12"
		88 |   memory_size   = 4096
		89 |   timeout       = 900
		90 | 
		91 |   environment {
		92 |     variables = {
		93 |       Checksum = var.checksum_algorithm
		94 |     }
		95 |   }
		96 | 
		97 |   tags = local.tags
		98 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:82-98
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		82 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		83 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		84 |   function_name = "calculate-checksum-lambda"
		85 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		86 |   handler       = "calculate_checksum_lambda.handler"
		87 |   runtime       = "python3.12"
		88 |   memory_size   = 4096
		89 |   timeout       = 900
		90 | 
		91 |   environment {
		92 |     variables = {
		93 |       Checksum = var.checksum_algorithm
		94 |     }
		95 |   }
		96 | 
		97 |   tags = local.tags
		98 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:82-98
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		82 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		83 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		84 |   function_name = "calculate-checksum-lambda"
		85 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		86 |   handler       = "calculate_checksum_lambda.handler"
		87 |   runtime       = "python3.12"
		88 |   memory_size   = 4096
		89 |   timeout       = 900
		90 | 
		91 |   environment {
		92 |     variables = {
		93 |       Checksum = var.checksum_algorithm
		94 |     }
		95 |   }
		96 | 
		97 |   tags = local.tags
		98 | }

Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:82-98
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1

		82 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		83 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		84 |   function_name = "calculate-checksum-lambda"
		85 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		86 |   handler       = "calculate_checksum_lambda.handler"
		87 |   runtime       = "python3.12"
		88 |   memory_size   = 4096
		89 |   timeout       = 900
		90 | 
		91 |   environment {
		92 |     variables = {
		93 |       Checksum = var.checksum_algorithm
		94 |     }
		95 |   }
		96 | 
		97 |   tags = local.tags
		98 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:157-168
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		157 | resource "aws_lambda_function" "summarise_zip_lambda" {
		158 |   filename         = "lambdas/summarise_zip_lambda.zip"
		159 |   function_name    = "summarise-zip-lambda"
		160 |   role             = aws_iam_role.summarise_zip_lambda.arn
		161 |   handler          = "summarise_zip_lambda.handler"
		162 |   runtime          = "python3.12"
		163 |   timeout          = 900
		164 |   memory_size      = 1024
		165 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		166 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		167 |   tags             = local.tags
		168 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:157-168
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		157 | resource "aws_lambda_function" "summarise_zip_lambda" {
		158 |   filename         = "lambdas/summarise_zip_lambda.zip"
		159 |   function_name    = "summarise-zip-lambda"
		160 |   role             = aws_iam_role.summarise_zip_lambda.arn
		161 |   handler          = "summarise_zip_lambda.handler"
		162 |   runtime          = "python3.12"
		163 |   timeout          = 900
		164 |   memory_size      = 1024
		165 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		166 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		167 |   tags             = local.tags
		168 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:157-168
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		157 | resource "aws_lambda_function" "summarise_zip_lambda" {
		158 |   filename         = "lambdas/summarise_zip_lambda.zip"
		159 |   function_name    = "summarise-zip-lambda"
		160 |   role             = aws_iam_role.summarise_zip_lambda.arn
		161 |   handler          = "summarise_zip_lambda.handler"
		162 |   runtime          = "python3.12"
		163 |   timeout          = 900
		164 |   memory_size      = 1024
		165 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		166 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		167 |   tags             = local.tags
		168 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:157-168
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		157 | resource "aws_lambda_function" "summarise_zip_lambda" {
		158 |   filename         = "lambdas/summarise_zip_lambda.zip"
		159 |   function_name    = "summarise-zip-lambda"
		160 |   role             = aws_iam_role.summarise_zip_lambda.arn
		161 |   handler          = "summarise_zip_lambda.handler"
		162 |   runtime          = "python3.12"
		163 |   timeout          = 900
		164 |   memory_size      = 1024
		165 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		166 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		167 |   tags             = local.tags
		168 | }

Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:157-168
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1

		157 | resource "aws_lambda_function" "summarise_zip_lambda" {
		158 |   filename         = "lambdas/summarise_zip_lambda.zip"
		159 |   function_name    = "summarise-zip-lambda"
		160 |   role             = aws_iam_role.summarise_zip_lambda.arn
		161 |   handler          = "summarise_zip_lambda.handler"
		162 |   runtime          = "python3.12"
		163 |   timeout          = 900
		164 |   memory_size      = 1024
		165 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		166 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		167 |   tags             = local.tags
		168 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.dms_dv_cw_log_group
	File: /dms_data_validation_glue_job.tf:58-61
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		58 | resource "aws_cloudwatch_log_group" "dms_dv_cw_log_group" {
		59 |   name              = "dms-dv-glue-job"
		60 |   retention_in_days = 14
		61 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.dms_dv_cw_log_group
	File: /dms_data_validation_glue_job.tf:58-61
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		58 | resource "aws_cloudwatch_log_group" "dms_dv_cw_log_group" {
		59 |   name              = "dms-dv-glue-job"
		60 |   retention_in_days = 14
		61 | }

Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.catalog_dv_table_glue_job
	File: /dms_data_validation_glue_job.tf:373-403
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		373 | resource "aws_glue_job" "catalog_dv_table_glue_job" {
		374 |   count = local.gluejob_count
		375 | 
		376 |   name              = "catalog-dv-table-glue-job"
		377 |   description       = "Python script uses Boto3-Athena-Client to run sql-statements"
		378 |   role_arn          = aws_iam_role.dms_dv_glue_job_iam_role.arn
		379 |   glue_version      = "4.0"
		380 |   worker_type       = "G.1X"
		381 |   number_of_workers = 2
		382 |   default_arguments = {
		383 |     "--parquet_output_bucket_name"       = module.s3-dms-data-validation-bucket.bucket.id
		384 |     "--glue_catalog_db_name"             = aws_glue_catalog_database.dms_dv_glue_catalog_db.name
		385 |     "--glue_catalog_tbl_name"            = "glue_df_output"
		386 |     "--continuous-log-logGroup"          = aws_cloudwatch_log_group.dms_dv_cw_log_group.name
		387 |     "--enable-continuous-cloudwatch-log" = "true"
		388 |     "--enable-continuous-log-filter"     = "true"
		389 |     "--enable-metrics"                   = ""
		390 |   }
		391 |   command {
		392 |     python_version  = "3"
		393 |     script_location = "s3://${module.s3-glue-job-script-bucket.bucket.id}/create_or_replace_dv_table.py"
		394 |   }
		395 | 
		396 |   tags = merge(
		397 |     local.tags,
		398 |     {
		399 |       Resource_Type = "Py script as glue-job that creates dv table / refreshes its partitions",
		400 |     }
		401 |   )
		402 | 
		403 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.dms_dv_rds_to_s3_parquet_v1
	File: /dms_data_validation_glue_job_v2.tf:10-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		10 | resource "aws_cloudwatch_log_group" "dms_dv_rds_to_s3_parquet_v1" {
		11 |   name              = "dms-dv-rds-to-s3-parquet-v1"
		12 |   retention_in_days = 14
		13 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.dms_dv_rds_to_s3_parquet_v1
	File: /dms_data_validation_glue_job_v2.tf:10-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		10 | resource "aws_cloudwatch_log_group" "dms_dv_rds_to_s3_parquet_v1" {
		11 |   name              = "dms-dv-rds-to-s3-parquet-v1"
		12 |   retention_in_days = 14
		13 | }

Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.dms_dv_rds_to_s3_parquet_v1
	File: /dms_data_validation_glue_job_v2.tf:22-77
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.dms_dv_rds_to_s3_parquet_v2
	File: /dms_data_validation_glue_job_v2.tf:87-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		87 | resource "aws_cloudwatch_log_group" "dms_dv_rds_to_s3_parquet_v2" {
		88 |   name              = "dms-dv-rds-to-s3-parquet-v2"
		89 |   retention_in_days = 14
		90 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.dms_dv_rds_to_s3_parquet_v2
	File: /dms_data_validation_glue_job_v2.tf:87-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		87 | resource "aws_cloudwatch_log_group" "dms_dv_rds_to_s3_parquet_v2" {
		88 |   name              = "dms-dv-rds-to-s3-parquet-v2"
		89 |   retention_in_days = 14
		90 | }

Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.dms_dv_rds_to_s3_parquet_v2
	File: /dms_data_validation_glue_job_v2.tf:99-154
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.etl_rds_to_s3_parquet_partitionby_yyyy_mm
	File: /dms_data_validation_glue_job_v2.tf:157-160
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		157 | resource "aws_cloudwatch_log_group" "etl_rds_to_s3_parquet_partitionby_yyyy_mm" {
		158 |   name              = "etl-rds-to-s3-parquet-partitionby-yyyy-mm"
		159 |   retention_in_days = 14
		160 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.etl_rds_to_s3_parquet_partitionby_yyyy_mm
	File: /dms_data_validation_glue_job_v2.tf:157-160
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		157 | resource "aws_cloudwatch_log_group" "etl_rds_to_s3_parquet_partitionby_yyyy_mm" {
		158 |   name              = "etl-rds-to-s3-parquet-partitionby-yyyy-mm"
		159 |   retention_in_days = 14
		160 | }

Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.etl_rds_to_s3_parquet_partitionby_yyyy_mm
	File: /dms_data_validation_glue_job_v2.tf:169-223
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.etl_dv_rds_to_s3_parquet_partitionby_yyyy_mm
	File: /dms_data_validation_glue_job_v2.tf:226-229
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		226 | resource "aws_cloudwatch_log_group" "etl_dv_rds_to_s3_parquet_partitionby_yyyy_mm" {
		227 |   name              = "etl-dv-rds-to-s3-parquet-partitionby-yyyy-mm"
		228 |   retention_in_days = 14
		229 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.etl_dv_rds_to_s3_parquet_partitionby_yyyy_mm
	File: /dms_data_validation_glue_job_v2.tf:226-229
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		226 | resource "aws_cloudwatch_log_group" "etl_dv_rds_to_s3_parquet_partitionby_yyyy_mm" {
		227 |   name              = "etl-dv-rds-to-s3-parquet-partitionby-yyyy-mm"
		228 |   retention_in_days = 14
		229 | }

Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.etl_dv_rds_to_s3_parquet_partitionby_yyyy_mm
	File: /dms_data_validation_glue_job_v2.tf:238-304
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.parquet_resize_or_partitionby_yyyy_mm_dd
	File: /dms_data_validation_glue_job_v2.tf:307-310
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		307 | resource "aws_cloudwatch_log_group" "parquet_resize_or_partitionby_yyyy_mm_dd" {
		308 |   name              = "parquet-resize-or-partitionby-yyyy-mm-dd"
		309 |   retention_in_days = 14
		310 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.parquet_resize_or_partitionby_yyyy_mm_dd
	File: /dms_data_validation_glue_job_v2.tf:307-310
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		307 | resource "aws_cloudwatch_log_group" "parquet_resize_or_partitionby_yyyy_mm_dd" {
		308 |   name              = "parquet-resize-or-partitionby-yyyy-mm-dd"
		309 |   retention_in_days = 14
		310 | }

Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.parquet_resize_or_partitionby_yyyy_mm_dd
	File: /dms_data_validation_glue_job_v2.tf:319-373
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.etl_table_rows_hashvalue_to_parquet
	File: /dms_data_validation_glue_job_v2.tf:376-379
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		376 | resource "aws_cloudwatch_log_group" "etl_table_rows_hashvalue_to_parquet" {
		377 |   name              = "etl-table-rows-hashvalue-to-parquet"
		378 |   retention_in_days = 14
		379 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.etl_table_rows_hashvalue_to_parquet
	File: /dms_data_validation_glue_job_v2.tf:376-379
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		376 | resource "aws_cloudwatch_log_group" "etl_table_rows_hashvalue_to_parquet" {
		377 |   name              = "etl-table-rows-hashvalue-to-parquet"
		378 |   retention_in_days = 14
		379 | }

Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.etl_table_rows_hashvalue_to_parquet
	File: /dms_data_validation_glue_job_v2.tf:388-438
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.dms_dv_on_rows_hashvalue
	File: /dms_data_validation_glue_job_v2.tf:442-445
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		442 | resource "aws_cloudwatch_log_group" "dms_dv_on_rows_hashvalue" {
		443 |   name              = "dms-dv-on-rows-hashvalue"
		444 |   retention_in_days = 14
		445 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.dms_dv_on_rows_hashvalue
	File: /dms_data_validation_glue_job_v2.tf:442-445
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		442 | resource "aws_cloudwatch_log_group" "dms_dv_on_rows_hashvalue" {
		443 |   name              = "dms-dv-on-rows-hashvalue"
		444 |   retention_in_days = 14
		445 | }

Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.dms_dv_on_rows_hashvalue
	File: /dms_data_validation_glue_job_v2.tf:454-505
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.etl_rds_tbl_hash_rows_to_s3_prq_partitionby_yyyy_mm
	File: /dms_data_validation_glue_job_v2.tf:509-512
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		509 | resource "aws_cloudwatch_log_group" "etl_rds_tbl_hash_rows_to_s3_prq_partitionby_yyyy_mm" {
		510 |   name              = "etl-rds-tbl-hash-rows-to-s3-prq-partitionby-yyyy-mm"
		511 |   retention_in_days = 14
		512 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.etl_rds_tbl_hash_rows_to_s3_prq_partitionby_yyyy_mm
	File: /dms_data_validation_glue_job_v2.tf:509-512
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		509 | resource "aws_cloudwatch_log_group" "etl_rds_tbl_hash_rows_to_s3_prq_partitionby_yyyy_mm" {
		510 |   name              = "etl-rds-tbl-hash-rows-to-s3-prq-partitionby-yyyy-mm"
		511 |   retention_in_days = 14
		512 | }

Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.etl_rds_tbl_hash_rows_to_s3_prq_partitionby_yyyy_mm
	File: /dms_data_validation_glue_job_v2.tf:521-576
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.etl_rds_sqlserver_query_to_s3_parquet
	File: /dms_data_validation_glue_job_v2.tf:578-581
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		578 | resource "aws_cloudwatch_log_group" "etl_rds_sqlserver_query_to_s3_parquet" {
		579 |   name              = "etl-rds-sqlserver-query-to-s3-parquet"
		580 |   retention_in_days = 14
		581 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.etl_rds_sqlserver_query_to_s3_parquet
	File: /dms_data_validation_glue_job_v2.tf:578-581
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		578 | resource "aws_cloudwatch_log_group" "etl_rds_sqlserver_query_to_s3_parquet" {
		579 |   name              = "etl-rds-sqlserver-query-to-s3-parquet"
		580 |   retention_in_days = 14
		581 | }

Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.etl_rds_sqlserver_query_to_s3_parquet
	File: /dms_data_validation_glue_job_v2.tf:590-644
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_crawler.rds_sqlserver_db_glue_crawler
	File: /dms_glue_crawler.tf:35-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		35 | resource "aws_glue_crawler" "rds_sqlserver_db_glue_crawler" {
		36 |   name          = "rds-sqlserver-${aws_db_instance.database_2022.identifier}-tf"
		37 |   role          = aws_iam_role.dms_dv_glue_job_iam_role.arn
		38 |   database_name = aws_glue_catalog_database.rds_sqlserver_glue_catalog_db.name
		39 |   description   = "Crawler to fetch database names"
		40 |   #   table_prefix  = "your_table_prefix"
		41 | 
		42 |   jdbc_target {
		43 |     connection_name = aws_glue_connection.glue_rds_sqlserver_db_connection.name
		44 |     path            = "%"
		45 |   }
		46 |   tags = merge(
		47 |     local.tags,
		48 |     {
		49 |       Resource_Type = "RDS-SQLServer Glue-Crawler for DMS",
		50 |     }
		51 |   )
		52 | 
		53 |   # provisioner "local-exec" {
		54 |   #   command = "aws glue start-crawler --name ${self.name}"
		55 |   # }
		56 | }

Check: CKV_AWS_212: "Ensure DMS replication instance is encrypted by KMS using a customer managed Key (CMK)"
	FAILED for resource: aws_dms_replication_instance.dms_replication_instance
	File: /dms_replication_instance.tf:24-55
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-ebs-volume-is-encrypted-by-key-management-service-kms-using-a-customer-managed-key-cmk

		24 | resource "aws_dms_replication_instance" "dms_replication_instance" {
		25 |   allocated_storage          = var.dms_allocated_storage_gib
		26 |   apply_immediately          = true
		27 |   auto_minor_version_upgrade = true
		28 |   availability_zone          = var.dms_availability_zone
		29 |   engine_version             = var.dms_engine_version
		30 |   #   kms_key_arn                  = "arn:aws:kms:eu-west-2:800964199911:key/b7f54acb-16a3-4958-9340-3bdf5f5842d8"
		31 |   multi_az = false
		32 |   #   preferred_maintenance_window = "sun:10:30-sun:14:30"
		33 |   publicly_accessible         = false
		34 |   replication_instance_class  = var.dms_replication_instance_class
		35 |   replication_instance_id     = "dms-replication-instance-tf"
		36 |   replication_subnet_group_id = aws_dms_replication_subnet_group.dms_replication_subnet_group.id
		37 | 
		38 |   tags = merge(
		39 |     local.tags,
		40 |     {
		41 |       Resource_Type = "DMS Replication Instance",
		42 |     }
		43 |   )
		44 | 
		45 |   vpc_security_group_ids = [
		46 |     aws_security_group.dms_ri_security_group.id,
		47 |   ]
		48 | 
		49 |   depends_on = [
		50 |     aws_iam_role.dms_vpc_role,
		51 |     aws_iam_role.dms_cloudwatch_logs_role,
		52 |     aws_iam_role.dms_endpoint_role
		53 |   ]
		54 | 
		55 | }

Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
	FAILED for resource: aws_vpc_security_group_ingress_rule.glue_rds_conn_inbound
	File: /dms_security_groups.tf:105-113
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80

		105 | resource "aws_vpc_security_group_ingress_rule" "glue_rds_conn_inbound" {
		106 |   security_group_id = aws_security_group.glue_rds_conn_security_group.id
		107 | 
		108 |   referenced_security_group_id = aws_security_group.glue_rds_conn_security_group.id
		109 |   ip_protocol                  = "tcp"
		110 |   from_port                    = 0
		111 |   to_port                      = 65535
		112 |   description                  = "Required ports open for Glue-RDS-Connection"
		113 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.glue_rds_conn_inbound
	File: /dms_security_groups.tf:105-113
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		105 | resource "aws_vpc_security_group_ingress_rule" "glue_rds_conn_inbound" {
		106 |   security_group_id = aws_security_group.glue_rds_conn_security_group.id
		107 | 
		108 |   referenced_security_group_id = aws_security_group.glue_rds_conn_security_group.id
		109 |   ip_protocol                  = "tcp"
		110 |   from_port                    = 0
		111 |   to_port                      = 65535
		112 |   description                  = "Required ports open for Glue-RDS-Connection"
		113 | }

Check: CKV_AWS_25: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389"
	FAILED for resource: aws_vpc_security_group_ingress_rule.glue_rds_conn_inbound
	File: /dms_security_groups.tf:105-113
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-2

		105 | resource "aws_vpc_security_group_ingress_rule" "glue_rds_conn_inbound" {
		106 |   security_group_id = aws_security_group.glue_rds_conn_security_group.id
		107 | 
		108 |   referenced_security_group_id = aws_security_group.glue_rds_conn_security_group.id
		109 |   ip_protocol                  = "tcp"
		110 |   from_port                    = 0
		111 |   to_port                      = 65535
		112 |   description                  = "Required ports open for Glue-RDS-Connection"
		113 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.glue_notebook_ec2_iam_policy_document
	File: /glue_data.tf:103-118
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		103 | data "aws_iam_policy_document" "glue_notebook_ec2_iam_policy_document" {
		104 |   statement {
		105 |     effect = "Allow"
		106 |     actions = [
		107 |       "ec2:CreateNetworkInterface",
		108 |       "ec2:DescribeNetworkInterfaces",
		109 |       "ec2:DeleteNetworkInterface",
		110 |       "ec2:DescribeVpcEndpoints",
		111 |       "ec2:DescribeSubnets",
		112 |       "ec2:DescribeVpcAttribute",
		113 |       "ec2:DescribeRouteTables",
		114 |       "ec2:DescribeSecurityGroups"
		115 |     ]
		116 |     resources = ["*"]
		117 |   }
		118 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.glue_notebook_ec2_iam_policy_document
	File: /glue_data.tf:103-118
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		103 | data "aws_iam_policy_document" "glue_notebook_ec2_iam_policy_document" {
		104 |   statement {
		105 |     effect = "Allow"
		106 |     actions = [
		107 |       "ec2:CreateNetworkInterface",
		108 |       "ec2:DescribeNetworkInterfaces",
		109 |       "ec2:DeleteNetworkInterface",
		110 |       "ec2:DescribeVpcEndpoints",
		111 |       "ec2:DescribeSubnets",
		112 |       "ec2:DescribeVpcAttribute",
		113 |       "ec2:DescribeRouteTables",
		114 |       "ec2:DescribeSecurityGroups"
		115 |     ]
		116 |     resources = ["*"]
		117 |   }
		118 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.load_json_table_s3_policy_document
	File: /lambdas_iam.tf:292-349
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.load_json_table_s3_policy_document
	File: /lambdas_iam.tf:292-349
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.db_glue_connection
	File: /lambdas_secrets.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		1 | resource "aws_secretsmanager_secret" "db_glue_connection" {
		2 |   name = "db_glue_connection"
		3 | }

Check: CKV_AWS_296: "Ensure DMS endpoint uses Customer Managed Key (CMK)"
	FAILED for resource: module.dms_task.aws_dms_endpoint.dms_rds_source
	File: /modules/dms/endpoints_rds_s3.tf:2-23
	Calling File: /dms_main.tf:1-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-296

		2  | resource "aws_dms_endpoint" "dms_rds_source" {
		3  | 
		4  |   #   certificate_arn             = ""
		5  |   database_name = var.database_name
		6  |   endpoint_id   = "rds-mssql-${replace(var.database_name, "_", "-")}-tf"
		7  |   endpoint_type = "source"
		8  |   engine_name   = "sqlserver"
		9  |   #   extra_connection_attributes = ""
		10 |   #   kms_key_arn                 = aws_db_instance.database_2022.kms_key_id
		11 |   password    = var.rds_db_instance_pasword
		12 |   port        = var.rds_db_instance_port
		13 |   server_name = var.rds_db_server_name
		14 |   ssl_mode    = "require"
		15 |   username    = var.rds_db_username
		16 | 
		17 |   tags = merge(
		18 |     var.local_tags,
		19 |     {
		20 |       Resource_Type = "DMS Source Endpoint - RDS MSSQL",
		21 |     },
		22 |   )
		23 | }

Check: CKV_AWS_298: "Ensure DMS S3 uses Customer Managed Key (CMK)"
	FAILED for resource: module.dms_task.aws_dms_s3_endpoint.dms_s3_parquet_target
	File: /modules/dms/endpoints_rds_s3.tf:28-84
	Calling File: /dms_main.tf:1-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-298

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_284: "Ensure State Machine has X-Ray tracing enabled"
	FAILED for resource: module.athena_layer.aws_sfn_state_machine.this
	File: /modules/step_function/main.tf:4-14
	Calling File: /step_functions_main.tf:5-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-284

		4  | resource "aws_sfn_state_machine" "this" {
		5  |   name       = var.name
		6  |   role_arn   = aws_iam_role.step_function_role.arn
		7  |   definition = templatefile("step_function_definitions/${var.name}.json.tmpl", var.variable_dictionary)
		8  |   type       = var.type
		9  |   logging_configuration {
		10 |     log_destination        = "${aws_cloudwatch_log_group.this_log_group.arn}:*"
		11 |     include_execution_data = true
		12 |     level                  = "ALL"
		13 |   }
		14 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: module.athena_layer.aws_iam_policy_document.step_function_base_permissions
	File: /modules/step_function/main.tf:44-73
	Calling File: /step_functions_main.tf:5-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		44 | data "aws_iam_policy_document" "step_function_base_permissions" {
		45 |   statement {
		46 |     effect    = "Allow"
		47 |     actions   = ["sns:Publish", "sqs:SendMessage"]
		48 |     resources = ["*"]
		49 |   }
		50 |   statement {
		51 |     effect    = "Allow"
		52 |     actions   = ["kms:GenerateDataKey", "kms:Decrypt"]
		53 |     resources = [aws_kms_key.this_log_key.arn]
		54 |   }
		55 |   statement {
		56 |     effect = "Allow"
		57 |     actions = [
		58 |       "logs:CreateLogDelivery",
		59 |       "logs:CreateLogStream",
		60 |       "logs:GetLogDelivery",
		61 |       "logs:UpdateLogDelivery",
		62 |       "logs:DeleteLogDelivery",
		63 |       "logs:ListLogDeliveries",
		64 |       "logs:PutResourcePolicy",
		65 |       "logs:DescribeResourcePolicies",
		66 |       "logs:DescribeLogGroups",
		67 |       "logs:PutDestination",
		68 |       "logs:PutDestinationPolicy",
		69 |       "logs:PutLogEvents"
		70 |     ]
		71 |     resources = ["*"]
		72 |   }
		73 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.athena_layer.aws_iam_policy_document.step_function_base_permissions
	File: /modules/step_function/main.tf:44-73
	Calling File: /step_functions_main.tf:5-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		44 | data "aws_iam_policy_document" "step_function_base_permissions" {
		45 |   statement {
		46 |     effect    = "Allow"
		47 |     actions   = ["sns:Publish", "sqs:SendMessage"]
		48 |     resources = ["*"]
		49 |   }
		50 |   statement {
		51 |     effect    = "Allow"
		52 |     actions   = ["kms:GenerateDataKey", "kms:Decrypt"]
		53 |     resources = [aws_kms_key.this_log_key.arn]
		54 |   }
		55 |   statement {
		56 |     effect = "Allow"
		57 |     actions = [
		58 |       "logs:CreateLogDelivery",
		59 |       "logs:CreateLogStream",
		60 |       "logs:GetLogDelivery",
		61 |       "logs:UpdateLogDelivery",
		62 |       "logs:DeleteLogDelivery",
		63 |       "logs:ListLogDeliveries",
		64 |       "logs:PutResourcePolicy",
		65 |       "logs:DescribeResourcePolicies",
		66 |       "logs:DescribeLogGroups",
		67 |       "logs:PutDestination",
		68 |       "logs:PutDestinationPolicy",
		69 |       "logs:PutLogEvents"
		70 |     ]
		71 |     resources = ["*"]
		72 |   }
		73 | }

Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: module.athena_layer.aws_iam_policy_document.this_log_key_document
	File: /modules/step_function/main.tf:81-108
	Calling File: /step_functions_main.tf:5-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint

		81  | data "aws_iam_policy_document" "this_log_key_document" {
		82  |   statement {
		83  |     sid    = "EnableIAMUserPermissions"
		84  |     effect = "Allow"
		85  |     principals {
		86  |       type        = "AWS"
		87  |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		88  |     }
		89  |     actions   = ["kms:*"]
		90  |     resources = ["*"]
		91  |   }
		92  | 
		93  |   statement {
		94  |     sid    = "EnableLogServicePermissions"
		95  |     effect = "Allow"
		96  |     principals {
		97  |       type        = "Service"
		98  |       identifiers = ["logs.${data.aws_region.current.name}.amazonaws.com"]
		99  |     }
		100 |     actions = [
		101 |       "kms:Encrypt",
		102 |       "kms:Decrypt",
		103 |       "kms:GenerateDataKey",
		104 |       "kms:DescribeKey"
		105 |     ]
		106 |     resources = ["*"]
		107 |   }
		108 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: module.athena_layer.aws_iam_policy_document.this_log_key_document
	File: /modules/step_function/main.tf:81-108
	Calling File: /step_functions_main.tf:5-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		81  | data "aws_iam_policy_document" "this_log_key_document" {
		82  |   statement {
		83  |     sid    = "EnableIAMUserPermissions"
		84  |     effect = "Allow"
		85  |     principals {
		86  |       type        = "AWS"
		87  |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		88  |     }
		89  |     actions   = ["kms:*"]
		90  |     resources = ["*"]
		91  |   }
		92  | 
		93  |   statement {
		94  |     sid    = "EnableLogServicePermissions"
		95  |     effect = "Allow"
		96  |     principals {
		97  |       type        = "Service"
		98  |       identifiers = ["logs.${data.aws_region.current.name}.amazonaws.com"]
		99  |     }
		100 |     actions = [
		101 |       "kms:Encrypt",
		102 |       "kms:Decrypt",
		103 |       "kms:GenerateDataKey",
		104 |       "kms:DescribeKey"
		105 |     ]
		106 |     resources = ["*"]
		107 |   }
		108 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.athena_layer.aws_iam_policy_document.this_log_key_document
	File: /modules/step_function/main.tf:81-108
	Calling File: /step_functions_main.tf:5-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		81  | data "aws_iam_policy_document" "this_log_key_document" {
		82  |   statement {
		83  |     sid    = "EnableIAMUserPermissions"
		84  |     effect = "Allow"
		85  |     principals {
		86  |       type        = "AWS"
		87  |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		88  |     }
		89  |     actions   = ["kms:*"]
		90  |     resources = ["*"]
		91  |   }
		92  | 
		93  |   statement {
		94  |     sid    = "EnableLogServicePermissions"
		95  |     effect = "Allow"
		96  |     principals {
		97  |       type        = "Service"
		98  |       identifiers = ["logs.${data.aws_region.current.name}.amazonaws.com"]
		99  |     }
		100 |     actions = [
		101 |       "kms:Encrypt",
		102 |       "kms:Decrypt",
		103 |       "kms:GenerateDataKey",
		104 |       "kms:DescribeKey"
		105 |     ]
		106 |     resources = ["*"]
		107 |   }
		108 | }

Check: CKV_AWS_284: "Ensure State Machine has X-Ray tracing enabled"
	FAILED for resource: module.get_zipped_file_api.aws_sfn_state_machine.this
	File: /modules/step_function/main.tf:4-14
	Calling File: /step_functions_main.tf:19-30
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-284

		4  | resource "aws_sfn_state_machine" "this" {
		5  |   name       = var.name
		6  |   role_arn   = aws_iam_role.step_function_role.arn
		7  |   definition = templatefile("step_function_definitions/${var.name}.json.tmpl", var.variable_dictionary)
		8  |   type       = var.type
		9  |   logging_configuration {
		10 |     log_destination        = "${aws_cloudwatch_log_group.this_log_group.arn}:*"
		11 |     include_execution_data = true
		12 |     level                  = "ALL"
		13 |   }
		14 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: module.get_zipped_file_api.aws_iam_policy_document.step_function_base_permissions
	File: /modules/step_function/main.tf:44-73
	Calling File: /step_functions_main.tf:19-30
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		44 | data "aws_iam_policy_document" "step_function_base_permissions" {
		45 |   statement {
		46 |     effect    = "Allow"
		47 |     actions   = ["sns:Publish", "sqs:SendMessage"]
		48 |     resources = ["*"]
		49 |   }
		50 |   statement {
		51 |     effect    = "Allow"
		52 |     actions   = ["kms:GenerateDataKey", "kms:Decrypt"]
		53 |     resources = [aws_kms_key.this_log_key.arn]
		54 |   }
		55 |   statement {
		56 |     effect = "Allow"
		57 |     actions = [
		58 |       "logs:CreateLogDelivery",
		59 |       "logs:CreateLogStream",
		60 |       "logs:GetLogDelivery",
		61 |       "logs:UpdateLogDelivery",
		62 |       "logs:DeleteLogDelivery",
		63 |       "logs:ListLogDeliveries",
		64 |       "logs:PutResourcePolicy",
		65 |       "logs:DescribeResourcePolicies",
		66 |       "logs:DescribeLogGroups",
		67 |       "logs:PutDestination",
		68 |       "logs:PutDestinationPolicy",
		69 |       "logs:PutLogEvents"
		70 |     ]
		71 |     resources = ["*"]
		72 |   }
		73 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.get_zipped_file_api.aws_iam_policy_document.step_function_base_permissions
	File: /modules/step_function/main.tf:44-73
	Calling File: /step_functions_main.tf:19-30
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		44 | data "aws_iam_policy_document" "step_function_base_permissions" {
		45 |   statement {
		46 |     effect    = "Allow"
		47 |     actions   = ["sns:Publish", "sqs:SendMessage"]
		48 |     resources = ["*"]
		49 |   }
		50 |   statement {
		51 |     effect    = "Allow"
		52 |     actions   = ["kms:GenerateDataKey", "kms:Decrypt"]
		53 |     resources = [aws_kms_key.this_log_key.arn]
		54 |   }
		55 |   statement {
		56 |     effect = "Allow"
		57 |     actions = [
		58 |       "logs:CreateLogDelivery",
		59 |       "logs:CreateLogStream",
		60 |       "logs:GetLogDelivery",
		61 |       "logs:UpdateLogDelivery",
		62 |       "logs:DeleteLogDelivery",
		63 |       "logs:ListLogDeliveries",
		64 |       "logs:PutResourcePolicy",
		65 |       "logs:DescribeResourcePolicies",
		66 |       "logs:DescribeLogGroups",
		67 |       "logs:PutDestination",
		68 |       "logs:PutDestinationPolicy",
		69 |       "logs:PutLogEvents"
		70 |     ]
		71 |     resources = ["*"]
		72 |   }
		73 | }

Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: module.get_zipped_file_api.aws_iam_policy_document.this_log_key_document
	File: /modules/step_function/main.tf:81-108
	Calling File: /step_functions_main.tf:19-30
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint

		81  | data "aws_iam_policy_document" "this_log_key_document" {
		82  |   statement {
		83  |     sid    = "EnableIAMUserPermissions"
		84  |     effect = "Allow"
		85  |     principals {
		86  |       type        = "AWS"
		87  |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		88  |     }
		89  |     actions   = ["kms:*"]
		90  |     resources = ["*"]
		91  |   }
		92  | 
		93  |   statement {
		94  |     sid    = "EnableLogServicePermissions"
		95  |     effect = "Allow"
		96  |     principals {
		97  |       type        = "Service"
		98  |       identifiers = ["logs.${data.aws_region.current.name}.amazonaws.com"]
		99  |     }
		100 |     actions = [
		101 |       "kms:Encrypt",
		102 |       "kms:Decrypt",
		103 |       "kms:GenerateDataKey",
		104 |       "kms:DescribeKey"
		105 |     ]
		106 |     resources = ["*"]
		107 |   }
		108 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: module.get_zipped_file_api.aws_iam_policy_document.this_log_key_document
	File: /modules/step_function/main.tf:81-108
	Calling File: /step_functions_main.tf:19-30
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		81  | data "aws_iam_policy_document" "this_log_key_document" {
		82  |   statement {
		83  |     sid    = "EnableIAMUserPermissions"
		84  |     effect = "Allow"
		85  |     principals {
		86  |       type        = "AWS"
		87  |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		88  |     }
		89  |     actions   = ["kms:*"]
		90  |     resources = ["*"]
		91  |   }
		92  | 
		93  |   statement {
		94  |     sid    = "EnableLogServicePermissions"
		95  |     effect = "Allow"
		96  |     principals {
		97  |       type        = "Service"
		98  |       identifiers = ["logs.${data.aws_region.current.name}.amazonaws.com"]
		99  |     }
		100 |     actions = [
		101 |       "kms:Encrypt",
		102 |       "kms:Decrypt",
		103 |       "kms:GenerateDataKey",
		104 |       "kms:DescribeKey"
		105 |     ]
		106 |     resources = ["*"]
		107 |   }
		108 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.get_zipped_file_api.aws_iam_policy_document.this_log_key_document
	File: /modules/step_function/main.tf:81-108
	Calling File: /step_functions_main.tf:19-30
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		81  | data "aws_iam_policy_document" "this_log_key_document" {
		82  |   statement {
		83  |     sid    = "EnableIAMUserPermissions"
		84  |     effect = "Allow"
		85  |     principals {
		86  |       type        = "AWS"
		87  |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		88  |     }
		89  |     actions   = ["kms:*"]
		90  |     resources = ["*"]
		91  |   }
		92  | 
		93  |   statement {
		94  |     sid    = "EnableLogServicePermissions"
		95  |     effect = "Allow"
		96  |     principals {
		97  |       type        = "Service"
		98  |       identifiers = ["logs.${data.aws_region.current.name}.amazonaws.com"]
		99  |     }
		100 |     actions = [
		101 |       "kms:Encrypt",
		102 |       "kms:Decrypt",
		103 |       "kms:GenerateDataKey",
		104 |       "kms:DescribeKey"
		105 |     ]
		106 |     resources = ["*"]
		107 |   }
		108 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.db_password
	File: /server_backups.tf:4-6
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		4 | resource "aws_secretsmanager_secret" "db_password" {
		5 |   name = "db_password"
		6 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-354

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-73

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-353

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-293

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.db_glue_connection
	File: /lambdas_secrets.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		1 | resource "aws_secretsmanager_secret" "db_glue_connection" {
		2 |   name = "db_glue_connection"
		3 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.db_password
	File: /server_backups.tf:4-6
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		4 | resource "aws_secretsmanager_secret" "db_password" {
		5 |   name = "db_password"
		6 | }

Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-60

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.glue_rds_conn_security_group
	File: /dms_security_groups.tf:81-92
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		81 | resource "aws_security_group" "glue_rds_conn_security_group" {
		82 |   name        = "glue-rds-sqlserver-connection-tf"
		83 |   description = "Secuity Group for Glue-RDS-Connection"
		84 |   vpc_id      = data.aws_vpc.shared.id
		85 | 
		86 |   tags = merge(
		87 |     local.tags,
		88 |     {
		89 |       Resource_Type = "Secuity Group for Glue-RDS-Connection",
		90 |     }
		91 |   )
		92 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: module.buddi.module.landing_zone_security_groups.aws_security_group.this
	File: /modules/landing_zone/server_security_group/main.tf:7-22
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		7  | resource "aws_security_group" "this" {
		8  |   name        = "${var.supplier}-${var.user_name}-inbound-ips"
		9  |   description = "Allowed IP addresses for ${var.user_name} on ${var.supplier} server"
		10 |   vpc_id      = var.vpc_id
		11 | 
		12 |   lifecycle {
		13 |     create_before_destroy = true
		14 |   }
		15 | 
		16 |   tags = merge(
		17 |     var.local_tags,
		18 |     {
		19 |       supplier = var.user_name,
		20 |     },
		21 |   )
		22 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: module.capita.module.landing_zone_security_groups.aws_security_group.this
	File: /modules/landing_zone/server_security_group/main.tf:7-22
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		7  | resource "aws_security_group" "this" {
		8  |   name        = "${var.supplier}-${var.user_name}-inbound-ips"
		9  |   description = "Allowed IP addresses for ${var.user_name} on ${var.supplier} server"
		10 |   vpc_id      = var.vpc_id
		11 | 
		12 |   lifecycle {
		13 |     create_before_destroy = true
		14 |   }
		15 | 
		16 |   tags = merge(
		17 |     var.local_tags,
		18 |     {
		19 |       supplier = var.user_name,
		20 |     },
		21 |   )
		22 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: module.g4s.module.landing_zone_security_groups.aws_security_group.this
	File: /modules/landing_zone/server_security_group/main.tf:7-22
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		7  | resource "aws_security_group" "this" {
		8  |   name        = "${var.supplier}-${var.user_name}-inbound-ips"
		9  |   description = "Allowed IP addresses for ${var.user_name} on ${var.supplier} server"
		10 |   vpc_id      = var.vpc_id
		11 | 
		12 |   lifecycle {
		13 |     create_before_destroy = true
		14 |   }
		15 | 
		16 |   tags = merge(
		17 |     var.local_tags,
		18 |     {
		19 |       supplier = var.user_name,
		20 |     },
		21 |   )
		22 | }

dockerfile scan results:

Passed checks: 21, Failed checks: 2, Skipped checks: 0

Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
	FAILED for resource: /lambdas/update_log_table/Dockerfile.
	File: /lambdas/update_log_table/Dockerfile:1-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images

		1 | FROM public.ecr.aws/lambda/python:3.11
		2 | 
		3 | COPY requirements.txt .
		4 | 
		5 | RUN pip install -r requirements.txt --target "${LAMBDA_TASK_ROOT}"
		6 | 
		7 | COPY update_log_table.py ${LAMBDA_TASK_ROOT}
		8 | 
		9 | CMD ["update_log_table.handler"]
Check: CKV_DOCKER_3: "Ensure that a user for the container has been created"
	FAILED for resource: /lambdas/update_log_table/Dockerfile.
	File: /lambdas/update_log_table/Dockerfile:1-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-that-a-user-for-the-container-has-been-created

		1 | FROM public.ecr.aws/lambda/python:3.11
		2 | 
		3 | COPY requirements.txt .
		4 | 
		5 | RUN pip install -r requirements.txt --target "${LAMBDA_TASK_ROOT}"
		6 | 
		7 | COPY update_log_table.py ${LAMBDA_TASK_ROOT}
		8 | 
		9 | CMD ["update_log_table.handler"]

checkov_exitcode=1

CTFLint Scan Failed

Show Output 
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/electronic-monitoring-data

*****************************

Running tflint in terraform/environments/electronic-monitoring-data
Excluding the following checks: terraform_unused_declarations
3 issue(s) found:

Warning: `s3_pylib_dir_path` variable has no type (terraform_typed_variables)

  on terraform/environments/electronic-monitoring-data/glue_variables.tf line 1:
   1: variable "s3_pylib_dir_path" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_typed_variables.md

Warning: Missing version constraint for provider "archive" in `required_providers` (terraform_required_providers)

  on terraform/environments/electronic-monitoring-data/lambdas_main.tf line 115:
 115: data "archive_file" "query_output_to_list" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "random" in `required_providers` (terraform_required_providers)

  on terraform/environments/electronic-monitoring-data/server_backups.tf line 13:
  13: resource "random_password" "random_password" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

tflint_exitcode=2

Trivy Scan Failed

Show Output 
*****************************

Trivy will check the following folders:
terraform/environments/electronic-monitoring-data

*****************************

Running Trivy in terraform/environments/electronic-monitoring-data
2024-11-29T15:10:08Z	INFO	[vulndb] Need to update DB
2024-11-29T15:10:08Z	INFO	[vulndb] Downloading vulnerability DB...
2024-11-29T15:10:08Z	INFO	[vulndb] Downloading artifact...	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-11-29T15:10:11Z	INFO	[vulndb] Artifact successfully downloaded	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-11-29T15:10:11Z	INFO	[vuln] Vulnerability scanning is enabled
2024-11-29T15:10:11Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-11-29T15:10:11Z	INFO	[misconfig] Need to update the built-in checks
2024-11-29T15:10:11Z	INFO	[misconfig] Downloading the built-in checks...
2024-11-29T15:10:11Z	ERROR	[misconfig] Falling back to embedded checks	err="failed to download built-in policies: download error: oci download error: failed to fetch the layer: GET https://ghcr.io/v2/aquasecurity/trivy-checks/blobs/sha256:16442a4593a0395452e678ef699a880eec94d9211dfc887d52574beb78b95030: TOOMANYREQUESTS: retry-after: 404.149µs, allowed: 44000/minute"
2024-11-29T15:10:11Z	INFO	[secret] Secret scanning is enabled
2024-11-29T15:10:11Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-11-29T15:10:11Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-11-29T15:10:12Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-11-29T15:10:12Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2024-11-29T15:10:14Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.create_athena_table.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-29T15:10:14Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.create_athena_table.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-29T15:10:14Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.get_file_keys_for_table.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-29T15:10:14Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.get_file_keys_for_table.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-29T15:10:14Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.get_metadata_from_rds_lambda.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-29T15:10:14Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.get_metadata_from_rds_lambda.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-29T15:10:14Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.output_file_structure_as_json_from_zip.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-29T15:10:14Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.output_file_structure_as_json_from_zip.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-29T15:10:14Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.query_output_to_list.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-29T15:10:14Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.query_output_to_list.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-29T15:10:14Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.rds_bastion.aws_s3_object.user_public_keys" value="cty.NilVal"
2024-11-29T15:10:14Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.rds_bastion.data.aws_subnet.local_account" value="cty.NilVal"
2024-11-29T15:10:14Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.rds_bastion.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-29T15:10:14Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.rds_bastion.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-29T15:10:15Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.output_file_structure_as_json_from_zip.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-29T15:10:15Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.output_file_structure_as_json_from_zip.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-29T15:10:15Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.create_athena_table.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-29T15:10:15Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.create_athena_table.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-29T15:10:15Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.get_file_keys_for_table.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-29T15:10:15Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.get_file_keys_for_table.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-11-29T15:10:21Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-user-attached-policies" range="modules/landing_bucket_iam_user_access/main.tf:2-10"
2024-11-29T15:10:21Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-user-attached-policies" range="modules/landing_bucket_iam_user_access/main.tf:2-10"
2024-11-29T15:10:21Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-enable-logging" range="s3.tf:1121-1140"
2024-11-29T15:10:21Z	INFO	[terraform executor] Ignore finding	rule="aws-ssm-secret-use-customer-key" range="analytical_platform_share.tf:50-68"
2024-11-29T15:10:21Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-enable-bucket-encryption" range="s3.tf:1121-1140"
2024-11-29T15:10:21Z	INFO	[terraform executor] Ignore finding	rule="aws-cloudwatch-log-group-customer-key" range="modules/api_step_function/main.tf:281-286"
2024-11-29T15:10:21Z	INFO	[terraform executor] Ignore finding	rule="aws-cloudwatch-log-group-customer-key" range="modules/api_step_function/main.tf:407-411"
2024-11-29T15:10:21Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-enable-versioning" range="s3.tf:1121-1140"
2024-11-29T15:10:21Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-11-29T15:10:21Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-11-29T15:10:21Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-11-29T15:10:21Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-11-29T15:10:21Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-11-29T15:10:21Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-11-29T15:10:21Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-11-29T15:10:21Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-11-29T15:10:21Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-11-29T15:10:21Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-11-29T15:10:21Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-11-29T15:10:21Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=95ed3c3/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2024-11-29T15:10:21Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="s3.tf:1121-1140"
2024-11-29T15:10:22Z	WARN	[pip] Unable to find python `site-packages` directory. License detection is skipped.	err="site-packages directory not found"
2024-11-29T15:10:22Z	INFO	Number of language-specific files	num=1
2024-11-29T15:10:22Z	INFO	[pip] Detecting vulnerabilities...
2024-11-29T15:10:22Z	INFO	Detected config files	num=17

lambdas/update_log_table/Dockerfile (dockerfile)
================================================
Tests: 21 (SUCCESSES: 20, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-DS-0002 (HIGH): Specify at least 1 USER command in Dockerfile with non-root user as argument
════════════════════════════════════════
Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.

See https://avd.aquasec.com/misconfig/ds002
────────────────────────────────────────


trivy_exitcode=1

@JazJax JazJax temporarily deployed to electronic-monitoring-data-development November 29, 2024 15:18 — with GitHub Actions Inactive
@JazJax JazJax temporarily deployed to electronic-monitoring-data-test November 29, 2024 15:34 — with GitHub Actions Inactive
@JazJax JazJax temporarily deployed to electronic-monitoring-data-development November 29, 2024 15:59 — with GitHub Actions Inactive
@luke-a-williams
Copy link
Contributor

I've seen this work, approved

@JazJax JazJax had a problem deploying to electronic-monitoring-data-test November 29, 2024 21:16 — with GitHub Actions Error
@JazJax JazJax had a problem deploying to electronic-monitoring-data-test December 2, 2024 17:05 — with GitHub Actions Failure
@JazJax JazJax had a problem deploying to electronic-monitoring-data-development December 2, 2024 17:05 — with GitHub Actions Failure
@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Dec 2, 2024

Trivy Scan Failed

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/electronic-monitoring-data

Running Trivy in terraform/environments/electronic-monitoring-data
2024-12-02T17:05:35Z INFO [vulndb] Need to update DB
2024-12-02T17:05:35Z INFO [vulndb] Downloading vulnerability DB...
2024-12-02T17:05:35Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-02T17:05:37Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-02T17:05:37Z INFO [vuln] Vulnerability scanning is enabled
2024-12-02T17:05:37Z INFO [misconfig] Misconfiguration scanning is enabled
2024-12-02T17:05:37Z INFO [misconfig] Need to update the built-in checks
2024-12-02T17:05:37Z INFO [misconfig] Downloading the built-in checks...
160.80 KiB / 160.80 KiB [---------------------------------------------------------] 100.00% ? p/s 0s2024-12-02T17:05:37Z INFO [secret] Secret scanning is enabled
2024-12-02T17:05:37Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-12-02T17:05:37Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-12-02T17:05:38Z WARN [pip] Unable to find python site-packages directory. License detection is skipped. err="site-packages directory not found"
2024-12-02T17:05:39Z INFO [terraform scanner] Scanning root module file_path="."
2024-12-02T17:05:39Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2024-12-02T17:05:41Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.create_athena_table.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-02T17:05:41Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.create_athena_table.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-02T17:05:41Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.get_file_keys_for_table.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-02T17:05:41Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.get_file_keys_for_table.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-02T17:05:41Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.get_metadata_from_rds_lambda.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-02T17:05:41Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.get_metadata_from_rds_lambda.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-02T17:05:41Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.output_file_structure_as_json_from_zip.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-02T17:05:41Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.output_file_structure_as_json_from_zip.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-02T17:05:41Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.query_output_to_list.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-02T17:05:41Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.query_output_to_list.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-02T17:05:41Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.rds_bastion.aws_s3_object.user_public_keys" value="cty.NilVal"
2024-12-02T17:05:41Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.rds_bastion.data.aws_subnet.local_account" value="cty.NilVal"
2024-12-02T17:05:41Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.rds_bastion.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-02T17:05:41Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.rds_bastion.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-02T17:05:41Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.output_file_structure_as_json_from_zip.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-02T17:05:41Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.output_file_structure_as_json_from_zip.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-02T17:05:41Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.create_athena_table.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-02T17:05:41Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.create_athena_table.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-02T17:05:41Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.get_file_keys_for_table.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-02T17:05:41Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.get_file_keys_for_table.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-02T17:05:48Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-12-02T17:05:48Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-12-02T17:05:48Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-12-02T17:05:48Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-12-02T17:05:48Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-12-02T17:05:48Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-12-02T17:05:48Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-12-02T17:05:48Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-12-02T17:05:48Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-12-02T17:05:48Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-12-02T17:05:48Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-12-02T17:05:48Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=95ed3c3/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2024-12-02T17:05:48Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="s3.tf:1121-1140"
2024-12-02T17:05:48Z INFO [terraform executor] Ignore finding rule="aws-s3-enable-bucket-encryption" range="s3.tf:1121-1140"
2024-12-02T17:05:48Z INFO [terraform executor] Ignore finding rule="aws-cloudwatch-log-group-customer-key" range="modules/api_step_function/main.tf:281-286"
2024-12-02T17:05:48Z INFO [terraform executor] Ignore finding rule="aws-cloudwatch-log-group-customer-key" range="modules/api_step_function/main.tf:407-411"
2024-12-02T17:05:48Z INFO [terraform executor] Ignore finding rule="aws-iam-no-user-attached-policies" range="modules/landing_bucket_iam_user_access/main.tf:2-10"
2024-12-02T17:05:48Z INFO [terraform executor] Ignore finding rule="aws-iam-no-user-attached-policies" range="modules/landing_bucket_iam_user_access/main.tf:2-10"
2024-12-02T17:05:48Z INFO [terraform executor] Ignore finding rule="aws-s3-enable-versioning" range="s3.tf:1121-1140"
2024-12-02T17:05:48Z INFO [terraform executor] Ignore finding rule="aws-s3-enable-logging" range="s3.tf:1121-1140"
2024-12-02T17:05:48Z INFO [terraform executor] Ignore finding rule="aws-ssm-secret-use-customer-key" range="analytical_platform_share.tf:50-68"
2024-12-02T17:05:48Z INFO Number of language-specific files num=1
2024-12-02T17:05:48Z INFO [pip] Detecting vulnerabilities...
2024-12-02T17:05:48Z INFO Detected config files num=17

lambdas/update_log_table/Dockerfile (dockerfile)

Tests: 21 (SUCCESSES: 20, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-DS-0002 (HIGH): Specify at least 1 USER command in Dockerfile with non-root user as argument
════════════════════════════════════════
Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.

See https://avd.aquasec.com/misconfig/ds002
────────────────────────────────────────

trivy_exitcode=1

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/electronic-monitoring-data

*****************************

Running Checkov in terraform/environments/electronic-monitoring-data
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-12-02 17:05:50,622 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=95ed3c3:None (for external modules, the --download-external-modules flag is required)
2024-12-02 17:05:50,623 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060:None (for external modules, the --download-external-modules flag is required)
2024-12-02 17:05:50,623 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-assumable-role:5.48.0 (for external modules, the --download-external-modules flag is required)
2024-12-02 17:05:50,623 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/secrets-manager/aws:1.3.0 (for external modules, the --download-external-modules flag is required)
2024-12-02 17:05:50,623 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/kms/aws:3.1.1 (for external modules, the --download-external-modules flag is required)
2024-12-02 17:05:50,623 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=52a40b0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 2975, Failed checks: 80, Skipped checks: 95

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.s3_events
	File: /data_store.tf:17-19
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		17 | resource "aws_sns_topic" "s3_events" {
		18 |   name = "${module.s3-data-bucket.bucket.id}-object-created-topic"
		19 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:82-98
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		82 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		83 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		84 |   function_name = "calculate-checksum-lambda"
		85 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		86 |   handler       = "calculate_checksum_lambda.handler"
		87 |   runtime       = "python3.12"
		88 |   memory_size   = 4096
		89 |   timeout       = 900
		90 | 
		91 |   environment {
		92 |     variables = {
		93 |       Checksum = var.checksum_algorithm
		94 |     }
		95 |   }
		96 | 
		97 |   tags = local.tags
		98 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:82-98
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		82 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		83 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		84 |   function_name = "calculate-checksum-lambda"
		85 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		86 |   handler       = "calculate_checksum_lambda.handler"
		87 |   runtime       = "python3.12"
		88 |   memory_size   = 4096
		89 |   timeout       = 900
		90 | 
		91 |   environment {
		92 |     variables = {
		93 |       Checksum = var.checksum_algorithm
		94 |     }
		95 |   }
		96 | 
		97 |   tags = local.tags
		98 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:82-98
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		82 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		83 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		84 |   function_name = "calculate-checksum-lambda"
		85 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		86 |   handler       = "calculate_checksum_lambda.handler"
		87 |   runtime       = "python3.12"
		88 |   memory_size   = 4096
		89 |   timeout       = 900
		90 | 
		91 |   environment {
		92 |     variables = {
		93 |       Checksum = var.checksum_algorithm
		94 |     }
		95 |   }
		96 | 
		97 |   tags = local.tags
		98 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:82-98
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		82 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		83 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		84 |   function_name = "calculate-checksum-lambda"
		85 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		86 |   handler       = "calculate_checksum_lambda.handler"
		87 |   runtime       = "python3.12"
		88 |   memory_size   = 4096
		89 |   timeout       = 900
		90 | 
		91 |   environment {
		92 |     variables = {
		93 |       Checksum = var.checksum_algorithm
		94 |     }
		95 |   }
		96 | 
		97 |   tags = local.tags
		98 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:82-98
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		82 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		83 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		84 |   function_name = "calculate-checksum-lambda"
		85 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		86 |   handler       = "calculate_checksum_lambda.handler"
		87 |   runtime       = "python3.12"
		88 |   memory_size   = 4096
		89 |   timeout       = 900
		90 | 
		91 |   environment {
		92 |     variables = {
		93 |       Checksum = var.checksum_algorithm
		94 |     }
		95 |   }
		96 | 
		97 |   tags = local.tags
		98 | }

Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
	FAILED for resource: aws_lambda_function.calculate_checksum_lambda
	File: /data_store.tf:82-98
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1

		82 | resource "aws_lambda_function" "calculate_checksum_lambda" {
		83 |   filename      = "lambdas/calculate_checksum_lambda.zip"
		84 |   function_name = "calculate-checksum-lambda"
		85 |   role          = aws_iam_role.calculate_checksum_lambda.arn
		86 |   handler       = "calculate_checksum_lambda.handler"
		87 |   runtime       = "python3.12"
		88 |   memory_size   = 4096
		89 |   timeout       = 900
		90 | 
		91 |   environment {
		92 |     variables = {
		93 |       Checksum = var.checksum_algorithm
		94 |     }
		95 |   }
		96 | 
		97 |   tags = local.tags
		98 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:157-168
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		157 | resource "aws_lambda_function" "summarise_zip_lambda" {
		158 |   filename         = "lambdas/summarise_zip_lambda.zip"
		159 |   function_name    = "summarise-zip-lambda"
		160 |   role             = aws_iam_role.summarise_zip_lambda.arn
		161 |   handler          = "summarise_zip_lambda.handler"
		162 |   runtime          = "python3.12"
		163 |   timeout          = 900
		164 |   memory_size      = 1024
		165 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		166 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		167 |   tags             = local.tags
		168 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:157-168
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		157 | resource "aws_lambda_function" "summarise_zip_lambda" {
		158 |   filename         = "lambdas/summarise_zip_lambda.zip"
		159 |   function_name    = "summarise-zip-lambda"
		160 |   role             = aws_iam_role.summarise_zip_lambda.arn
		161 |   handler          = "summarise_zip_lambda.handler"
		162 |   runtime          = "python3.12"
		163 |   timeout          = 900
		164 |   memory_size      = 1024
		165 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		166 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		167 |   tags             = local.tags
		168 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:157-168
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		157 | resource "aws_lambda_function" "summarise_zip_lambda" {
		158 |   filename         = "lambdas/summarise_zip_lambda.zip"
		159 |   function_name    = "summarise-zip-lambda"
		160 |   role             = aws_iam_role.summarise_zip_lambda.arn
		161 |   handler          = "summarise_zip_lambda.handler"
		162 |   runtime          = "python3.12"
		163 |   timeout          = 900
		164 |   memory_size      = 1024
		165 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		166 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		167 |   tags             = local.tags
		168 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:157-168
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		157 | resource "aws_lambda_function" "summarise_zip_lambda" {
		158 |   filename         = "lambdas/summarise_zip_lambda.zip"
		159 |   function_name    = "summarise-zip-lambda"
		160 |   role             = aws_iam_role.summarise_zip_lambda.arn
		161 |   handler          = "summarise_zip_lambda.handler"
		162 |   runtime          = "python3.12"
		163 |   timeout          = 900
		164 |   memory_size      = 1024
		165 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		166 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		167 |   tags             = local.tags
		168 | }

Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
	FAILED for resource: aws_lambda_function.summarise_zip_lambda
	File: /data_store.tf:157-168
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1

		157 | resource "aws_lambda_function" "summarise_zip_lambda" {
		158 |   filename         = "lambdas/summarise_zip_lambda.zip"
		159 |   function_name    = "summarise-zip-lambda"
		160 |   role             = aws_iam_role.summarise_zip_lambda.arn
		161 |   handler          = "summarise_zip_lambda.handler"
		162 |   runtime          = "python3.12"
		163 |   timeout          = 900
		164 |   memory_size      = 1024
		165 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
		166 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
		167 |   tags             = local.tags
		168 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.dms_dv_cw_log_group
	File: /dms_data_validation_glue_job.tf:58-61
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		58 | resource "aws_cloudwatch_log_group" "dms_dv_cw_log_group" {
		59 |   name              = "dms-dv-glue-job"
		60 |   retention_in_days = 14
		61 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.dms_dv_cw_log_group
	File: /dms_data_validation_glue_job.tf:58-61
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		58 | resource "aws_cloudwatch_log_group" "dms_dv_cw_log_group" {
		59 |   name              = "dms-dv-glue-job"
		60 |   retention_in_days = 14
		61 | }

Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.catalog_dv_table_glue_job
	File: /dms_data_validation_glue_job.tf:373-403
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		373 | resource "aws_glue_job" "catalog_dv_table_glue_job" {
		374 |   count = local.gluejob_count
		375 | 
		376 |   name              = "catalog-dv-table-glue-job"
		377 |   description       = "Python script uses Boto3-Athena-Client to run sql-statements"
		378 |   role_arn          = aws_iam_role.dms_dv_glue_job_iam_role.arn
		379 |   glue_version      = "4.0"
		380 |   worker_type       = "G.1X"
		381 |   number_of_workers = 2
		382 |   default_arguments = {
		383 |     "--parquet_output_bucket_name"       = module.s3-dms-data-validation-bucket.bucket.id
		384 |     "--glue_catalog_db_name"             = aws_glue_catalog_database.dms_dv_glue_catalog_db.name
		385 |     "--glue_catalog_tbl_name"            = "glue_df_output"
		386 |     "--continuous-log-logGroup"          = aws_cloudwatch_log_group.dms_dv_cw_log_group.name
		387 |     "--enable-continuous-cloudwatch-log" = "true"
		388 |     "--enable-continuous-log-filter"     = "true"
		389 |     "--enable-metrics"                   = ""
		390 |   }
		391 |   command {
		392 |     python_version  = "3"
		393 |     script_location = "s3://${module.s3-glue-job-script-bucket.bucket.id}/create_or_replace_dv_table.py"
		394 |   }
		395 | 
		396 |   tags = merge(
		397 |     local.tags,
		398 |     {
		399 |       Resource_Type = "Py script as glue-job that creates dv table / refreshes its partitions",
		400 |     }
		401 |   )
		402 | 
		403 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.dms_dv_rds_to_s3_parquet_v1
	File: /dms_data_validation_glue_job_v2.tf:10-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		10 | resource "aws_cloudwatch_log_group" "dms_dv_rds_to_s3_parquet_v1" {
		11 |   name              = "dms-dv-rds-to-s3-parquet-v1"
		12 |   retention_in_days = 14
		13 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.dms_dv_rds_to_s3_parquet_v1
	File: /dms_data_validation_glue_job_v2.tf:10-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		10 | resource "aws_cloudwatch_log_group" "dms_dv_rds_to_s3_parquet_v1" {
		11 |   name              = "dms-dv-rds-to-s3-parquet-v1"
		12 |   retention_in_days = 14
		13 | }

Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.dms_dv_rds_to_s3_parquet_v1
	File: /dms_data_validation_glue_job_v2.tf:22-77
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.dms_dv_rds_to_s3_parquet_v2
	File: /dms_data_validation_glue_job_v2.tf:87-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		87 | resource "aws_cloudwatch_log_group" "dms_dv_rds_to_s3_parquet_v2" {
		88 |   name              = "dms-dv-rds-to-s3-parquet-v2"
		89 |   retention_in_days = 14
		90 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.dms_dv_rds_to_s3_parquet_v2
	File: /dms_data_validation_glue_job_v2.tf:87-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		87 | resource "aws_cloudwatch_log_group" "dms_dv_rds_to_s3_parquet_v2" {
		88 |   name              = "dms-dv-rds-to-s3-parquet-v2"
		89 |   retention_in_days = 14
		90 | }

Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.dms_dv_rds_to_s3_parquet_v2
	File: /dms_data_validation_glue_job_v2.tf:99-154
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.etl_rds_to_s3_parquet_partitionby_yyyy_mm
	File: /dms_data_validation_glue_job_v2.tf:157-160
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		157 | resource "aws_cloudwatch_log_group" "etl_rds_to_s3_parquet_partitionby_yyyy_mm" {
		158 |   name              = "etl-rds-to-s3-parquet-partitionby-yyyy-mm"
		159 |   retention_in_days = 14
		160 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.etl_rds_to_s3_parquet_partitionby_yyyy_mm
	File: /dms_data_validation_glue_job_v2.tf:157-160
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		157 | resource "aws_cloudwatch_log_group" "etl_rds_to_s3_parquet_partitionby_yyyy_mm" {
		158 |   name              = "etl-rds-to-s3-parquet-partitionby-yyyy-mm"
		159 |   retention_in_days = 14
		160 | }

Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.etl_rds_to_s3_parquet_partitionby_yyyy_mm
	File: /dms_data_validation_glue_job_v2.tf:169-223
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.etl_dv_rds_to_s3_parquet_partitionby_yyyy_mm
	File: /dms_data_validation_glue_job_v2.tf:226-229
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		226 | resource "aws_cloudwatch_log_group" "etl_dv_rds_to_s3_parquet_partitionby_yyyy_mm" {
		227 |   name              = "etl-dv-rds-to-s3-parquet-partitionby-yyyy-mm"
		228 |   retention_in_days = 14
		229 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.etl_dv_rds_to_s3_parquet_partitionby_yyyy_mm
	File: /dms_data_validation_glue_job_v2.tf:226-229
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		226 | resource "aws_cloudwatch_log_group" "etl_dv_rds_to_s3_parquet_partitionby_yyyy_mm" {
		227 |   name              = "etl-dv-rds-to-s3-parquet-partitionby-yyyy-mm"
		228 |   retention_in_days = 14
		229 | }

Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.etl_dv_rds_to_s3_parquet_partitionby_yyyy_mm
	File: /dms_data_validation_glue_job_v2.tf:238-304
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.parquet_resize_or_partitionby_yyyy_mm_dd
	File: /dms_data_validation_glue_job_v2.tf:307-310
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		307 | resource "aws_cloudwatch_log_group" "parquet_resize_or_partitionby_yyyy_mm_dd" {
		308 |   name              = "parquet-resize-or-partitionby-yyyy-mm-dd"
		309 |   retention_in_days = 14
		310 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.parquet_resize_or_partitionby_yyyy_mm_dd
	File: /dms_data_validation_glue_job_v2.tf:307-310
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		307 | resource "aws_cloudwatch_log_group" "parquet_resize_or_partitionby_yyyy_mm_dd" {
		308 |   name              = "parquet-resize-or-partitionby-yyyy-mm-dd"
		309 |   retention_in_days = 14
		310 | }

Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.parquet_resize_or_partitionby_yyyy_mm_dd
	File: /dms_data_validation_glue_job_v2.tf:319-373
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.etl_table_rows_hashvalue_to_parquet
	File: /dms_data_validation_glue_job_v2.tf:376-379
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		376 | resource "aws_cloudwatch_log_group" "etl_table_rows_hashvalue_to_parquet" {
		377 |   name              = "etl-table-rows-hashvalue-to-parquet"
		378 |   retention_in_days = 14
		379 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.etl_table_rows_hashvalue_to_parquet
	File: /dms_data_validation_glue_job_v2.tf:376-379
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		376 | resource "aws_cloudwatch_log_group" "etl_table_rows_hashvalue_to_parquet" {
		377 |   name              = "etl-table-rows-hashvalue-to-parquet"
		378 |   retention_in_days = 14
		379 | }

Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.etl_table_rows_hashvalue_to_parquet
	File: /dms_data_validation_glue_job_v2.tf:388-438
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.dms_dv_on_rows_hashvalue
	File: /dms_data_validation_glue_job_v2.tf:442-445
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		442 | resource "aws_cloudwatch_log_group" "dms_dv_on_rows_hashvalue" {
		443 |   name              = "dms-dv-on-rows-hashvalue"
		444 |   retention_in_days = 14
		445 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.dms_dv_on_rows_hashvalue
	File: /dms_data_validation_glue_job_v2.tf:442-445
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		442 | resource "aws_cloudwatch_log_group" "dms_dv_on_rows_hashvalue" {
		443 |   name              = "dms-dv-on-rows-hashvalue"
		444 |   retention_in_days = 14
		445 | }

Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.dms_dv_on_rows_hashvalue
	File: /dms_data_validation_glue_job_v2.tf:454-505
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.etl_rds_tbl_hash_rows_to_s3_prq_partitionby_yyyy_mm
	File: /dms_data_validation_glue_job_v2.tf:509-512
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		509 | resource "aws_cloudwatch_log_group" "etl_rds_tbl_hash_rows_to_s3_prq_partitionby_yyyy_mm" {
		510 |   name              = "etl-rds-tbl-hash-rows-to-s3-prq-partitionby-yyyy-mm"
		511 |   retention_in_days = 14
		512 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.etl_rds_tbl_hash_rows_to_s3_prq_partitionby_yyyy_mm
	File: /dms_data_validation_glue_job_v2.tf:509-512
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		509 | resource "aws_cloudwatch_log_group" "etl_rds_tbl_hash_rows_to_s3_prq_partitionby_yyyy_mm" {
		510 |   name              = "etl-rds-tbl-hash-rows-to-s3-prq-partitionby-yyyy-mm"
		511 |   retention_in_days = 14
		512 | }

Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.etl_rds_tbl_hash_rows_to_s3_prq_partitionby_yyyy_mm
	File: /dms_data_validation_glue_job_v2.tf:521-576
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.etl_rds_sqlserver_query_to_s3_parquet
	File: /dms_data_validation_glue_job_v2.tf:578-581
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		578 | resource "aws_cloudwatch_log_group" "etl_rds_sqlserver_query_to_s3_parquet" {
		579 |   name              = "etl-rds-sqlserver-query-to-s3-parquet"
		580 |   retention_in_days = 14
		581 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.etl_rds_sqlserver_query_to_s3_parquet
	File: /dms_data_validation_glue_job_v2.tf:578-581
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		578 | resource "aws_cloudwatch_log_group" "etl_rds_sqlserver_query_to_s3_parquet" {
		579 |   name              = "etl-rds-sqlserver-query-to-s3-parquet"
		580 |   retention_in_days = 14
		581 | }

Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_job.etl_rds_sqlserver_query_to_s3_parquet
	File: /dms_data_validation_glue_job_v2.tf:590-644
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
	FAILED for resource: aws_glue_crawler.rds_sqlserver_db_glue_crawler
	File: /dms_glue_crawler.tf:35-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

		35 | resource "aws_glue_crawler" "rds_sqlserver_db_glue_crawler" {
		36 |   name          = "rds-sqlserver-${aws_db_instance.database_2022.identifier}-tf"
		37 |   role          = aws_iam_role.dms_dv_glue_job_iam_role.arn
		38 |   database_name = aws_glue_catalog_database.rds_sqlserver_glue_catalog_db.name
		39 |   description   = "Crawler to fetch database names"
		40 |   #   table_prefix  = "your_table_prefix"
		41 | 
		42 |   jdbc_target {
		43 |     connection_name = aws_glue_connection.glue_rds_sqlserver_db_connection.name
		44 |     path            = "%"
		45 |   }
		46 |   tags = merge(
		47 |     local.tags,
		48 |     {
		49 |       Resource_Type = "RDS-SQLServer Glue-Crawler for DMS",
		50 |     }
		51 |   )
		52 | 
		53 |   # provisioner "local-exec" {
		54 |   #   command = "aws glue start-crawler --name ${self.name}"
		55 |   # }
		56 | }

Check: CKV_AWS_212: "Ensure DMS replication instance is encrypted by KMS using a customer managed Key (CMK)"
	FAILED for resource: aws_dms_replication_instance.dms_replication_instance
	File: /dms_replication_instance.tf:24-55
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-ebs-volume-is-encrypted-by-key-management-service-kms-using-a-customer-managed-key-cmk

		24 | resource "aws_dms_replication_instance" "dms_replication_instance" {
		25 |   allocated_storage          = var.dms_allocated_storage_gib
		26 |   apply_immediately          = true
		27 |   auto_minor_version_upgrade = true
		28 |   availability_zone          = var.dms_availability_zone
		29 |   engine_version             = var.dms_engine_version
		30 |   #   kms_key_arn                  = "arn:aws:kms:eu-west-2:800964199911:key/b7f54acb-16a3-4958-9340-3bdf5f5842d8"
		31 |   multi_az = false
		32 |   #   preferred_maintenance_window = "sun:10:30-sun:14:30"
		33 |   publicly_accessible         = false
		34 |   replication_instance_class  = var.dms_replication_instance_class
		35 |   replication_instance_id     = "dms-replication-instance-tf"
		36 |   replication_subnet_group_id = aws_dms_replication_subnet_group.dms_replication_subnet_group.id
		37 | 
		38 |   tags = merge(
		39 |     local.tags,
		40 |     {
		41 |       Resource_Type = "DMS Replication Instance",
		42 |     }
		43 |   )
		44 | 
		45 |   vpc_security_group_ids = [
		46 |     aws_security_group.dms_ri_security_group.id,
		47 |   ]
		48 | 
		49 |   depends_on = [
		50 |     aws_iam_role.dms_vpc_role,
		51 |     aws_iam_role.dms_cloudwatch_logs_role,
		52 |     aws_iam_role.dms_endpoint_role
		53 |   ]
		54 | 
		55 | }

Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
	FAILED for resource: aws_vpc_security_group_ingress_rule.glue_rds_conn_inbound
	File: /dms_security_groups.tf:105-113
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80

		105 | resource "aws_vpc_security_group_ingress_rule" "glue_rds_conn_inbound" {
		106 |   security_group_id = aws_security_group.glue_rds_conn_security_group.id
		107 | 
		108 |   referenced_security_group_id = aws_security_group.glue_rds_conn_security_group.id
		109 |   ip_protocol                  = "tcp"
		110 |   from_port                    = 0
		111 |   to_port                      = 65535
		112 |   description                  = "Required ports open for Glue-RDS-Connection"
		113 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.glue_rds_conn_inbound
	File: /dms_security_groups.tf:105-113
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		105 | resource "aws_vpc_security_group_ingress_rule" "glue_rds_conn_inbound" {
		106 |   security_group_id = aws_security_group.glue_rds_conn_security_group.id
		107 | 
		108 |   referenced_security_group_id = aws_security_group.glue_rds_conn_security_group.id
		109 |   ip_protocol                  = "tcp"
		110 |   from_port                    = 0
		111 |   to_port                      = 65535
		112 |   description                  = "Required ports open for Glue-RDS-Connection"
		113 | }

Check: CKV_AWS_25: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389"
	FAILED for resource: aws_vpc_security_group_ingress_rule.glue_rds_conn_inbound
	File: /dms_security_groups.tf:105-113
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-2

		105 | resource "aws_vpc_security_group_ingress_rule" "glue_rds_conn_inbound" {
		106 |   security_group_id = aws_security_group.glue_rds_conn_security_group.id
		107 | 
		108 |   referenced_security_group_id = aws_security_group.glue_rds_conn_security_group.id
		109 |   ip_protocol                  = "tcp"
		110 |   from_port                    = 0
		111 |   to_port                      = 65535
		112 |   description                  = "Required ports open for Glue-RDS-Connection"
		113 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.glue_notebook_ec2_iam_policy_document
	File: /glue_data.tf:103-118
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		103 | data "aws_iam_policy_document" "glue_notebook_ec2_iam_policy_document" {
		104 |   statement {
		105 |     effect = "Allow"
		106 |     actions = [
		107 |       "ec2:CreateNetworkInterface",
		108 |       "ec2:DescribeNetworkInterfaces",
		109 |       "ec2:DeleteNetworkInterface",
		110 |       "ec2:DescribeVpcEndpoints",
		111 |       "ec2:DescribeSubnets",
		112 |       "ec2:DescribeVpcAttribute",
		113 |       "ec2:DescribeRouteTables",
		114 |       "ec2:DescribeSecurityGroups"
		115 |     ]
		116 |     resources = ["*"]
		117 |   }
		118 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.glue_notebook_ec2_iam_policy_document
	File: /glue_data.tf:103-118
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		103 | data "aws_iam_policy_document" "glue_notebook_ec2_iam_policy_document" {
		104 |   statement {
		105 |     effect = "Allow"
		106 |     actions = [
		107 |       "ec2:CreateNetworkInterface",
		108 |       "ec2:DescribeNetworkInterfaces",
		109 |       "ec2:DeleteNetworkInterface",
		110 |       "ec2:DescribeVpcEndpoints",
		111 |       "ec2:DescribeSubnets",
		112 |       "ec2:DescribeVpcAttribute",
		113 |       "ec2:DescribeRouteTables",
		114 |       "ec2:DescribeSecurityGroups"
		115 |     ]
		116 |     resources = ["*"]
		117 |   }
		118 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.load_json_table_s3_policy_document
	File: /lambdas_iam.tf:292-349
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.load_json_table_s3_policy_document
	File: /lambdas_iam.tf:292-349
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.db_glue_connection
	File: /lambdas_secrets.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		1 | resource "aws_secretsmanager_secret" "db_glue_connection" {
		2 |   name = "db_glue_connection"
		3 | }

Check: CKV_AWS_296: "Ensure DMS endpoint uses Customer Managed Key (CMK)"
	FAILED for resource: module.dms_task.aws_dms_endpoint.dms_rds_source
	File: /modules/dms/endpoints_rds_s3.tf:2-23
	Calling File: /dms_main.tf:1-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-296

		2  | resource "aws_dms_endpoint" "dms_rds_source" {
		3  | 
		4  |   #   certificate_arn             = ""
		5  |   database_name = var.database_name
		6  |   endpoint_id   = "rds-mssql-${replace(var.database_name, "_", "-")}-tf"
		7  |   endpoint_type = "source"
		8  |   engine_name   = "sqlserver"
		9  |   #   extra_connection_attributes = ""
		10 |   #   kms_key_arn                 = aws_db_instance.database_2022.kms_key_id
		11 |   password    = var.rds_db_instance_pasword
		12 |   port        = var.rds_db_instance_port
		13 |   server_name = var.rds_db_server_name
		14 |   ssl_mode    = "require"
		15 |   username    = var.rds_db_username
		16 | 
		17 |   tags = merge(
		18 |     var.local_tags,
		19 |     {
		20 |       Resource_Type = "DMS Source Endpoint - RDS MSSQL",
		21 |     },
		22 |   )
		23 | }

Check: CKV_AWS_298: "Ensure DMS S3 uses Customer Managed Key (CMK)"
	FAILED for resource: module.dms_task.aws_dms_s3_endpoint.dms_s3_parquet_target
	File: /modules/dms/endpoints_rds_s3.tf:28-84
	Calling File: /dms_main.tf:1-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-298

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: module.athena_layer.aws_iam_policy_document.step_function_base_permissions
	File: /modules/step_function/main.tf:44-73
	Calling File: /step_functions_main.tf:5-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		44 | data "aws_iam_policy_document" "step_function_base_permissions" {
		45 |   statement {
		46 |     effect    = "Allow"
		47 |     actions   = ["sns:Publish", "sqs:SendMessage"]
		48 |     resources = ["*"]
		49 |   }
		50 |   statement {
		51 |     effect    = "Allow"
		52 |     actions   = ["kms:GenerateDataKey", "kms:Decrypt"]
		53 |     resources = [aws_kms_key.this_log_key.arn]
		54 |   }
		55 |   statement {
		56 |     effect = "Allow"
		57 |     actions = [
		58 |       "logs:CreateLogDelivery",
		59 |       "logs:CreateLogStream",
		60 |       "logs:GetLogDelivery",
		61 |       "logs:UpdateLogDelivery",
		62 |       "logs:DeleteLogDelivery",
		63 |       "logs:ListLogDeliveries",
		64 |       "logs:PutResourcePolicy",
		65 |       "logs:DescribeResourcePolicies",
		66 |       "logs:DescribeLogGroups",
		67 |       "logs:PutDestination",
		68 |       "logs:PutDestinationPolicy",
		69 |       "logs:PutLogEvents"
		70 |     ]
		71 |     resources = ["*"]
		72 |   }
		73 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.athena_layer.aws_iam_policy_document.step_function_base_permissions
	File: /modules/step_function/main.tf:44-73
	Calling File: /step_functions_main.tf:5-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		44 | data "aws_iam_policy_document" "step_function_base_permissions" {
		45 |   statement {
		46 |     effect    = "Allow"
		47 |     actions   = ["sns:Publish", "sqs:SendMessage"]
		48 |     resources = ["*"]
		49 |   }
		50 |   statement {
		51 |     effect    = "Allow"
		52 |     actions   = ["kms:GenerateDataKey", "kms:Decrypt"]
		53 |     resources = [aws_kms_key.this_log_key.arn]
		54 |   }
		55 |   statement {
		56 |     effect = "Allow"
		57 |     actions = [
		58 |       "logs:CreateLogDelivery",
		59 |       "logs:CreateLogStream",
		60 |       "logs:GetLogDelivery",
		61 |       "logs:UpdateLogDelivery",
		62 |       "logs:DeleteLogDelivery",
		63 |       "logs:ListLogDeliveries",
		64 |       "logs:PutResourcePolicy",
		65 |       "logs:DescribeResourcePolicies",
		66 |       "logs:DescribeLogGroups",
		67 |       "logs:PutDestination",
		68 |       "logs:PutDestinationPolicy",
		69 |       "logs:PutLogEvents"
		70 |     ]
		71 |     resources = ["*"]
		72 |   }
		73 | }

Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: module.athena_layer.aws_iam_policy_document.this_log_key_document
	File: /modules/step_function/main.tf:81-108
	Calling File: /step_functions_main.tf:5-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint

		81  | data "aws_iam_policy_document" "this_log_key_document" {
		82  |   statement {
		83  |     sid    = "EnableIAMUserPermissions"
		84  |     effect = "Allow"
		85  |     principals {
		86  |       type        = "AWS"
		87  |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		88  |     }
		89  |     actions   = ["kms:*"]
		90  |     resources = ["*"]
		91  |   }
		92  | 
		93  |   statement {
		94  |     sid    = "EnableLogServicePermissions"
		95  |     effect = "Allow"
		96  |     principals {
		97  |       type        = "Service"
		98  |       identifiers = ["logs.${data.aws_region.current.name}.amazonaws.com"]
		99  |     }
		100 |     actions = [
		101 |       "kms:Encrypt",
		102 |       "kms:Decrypt",
		103 |       "kms:GenerateDataKey",
		104 |       "kms:DescribeKey"
		105 |     ]
		106 |     resources = ["*"]
		107 |   }
		108 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: module.athena_layer.aws_iam_policy_document.this_log_key_document
	File: /modules/step_function/main.tf:81-108
	Calling File: /step_functions_main.tf:5-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		81  | data "aws_iam_policy_document" "this_log_key_document" {
		82  |   statement {
		83  |     sid    = "EnableIAMUserPermissions"
		84  |     effect = "Allow"
		85  |     principals {
		86  |       type        = "AWS"
		87  |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		88  |     }
		89  |     actions   = ["kms:*"]
		90  |     resources = ["*"]
		91  |   }
		92  | 
		93  |   statement {
		94  |     sid    = "EnableLogServicePermissions"
		95  |     effect = "Allow"
		96  |     principals {
		97  |       type        = "Service"
		98  |       identifiers = ["logs.${data.aws_region.current.name}.amazonaws.com"]
		99  |     }
		100 |     actions = [
		101 |       "kms:Encrypt",
		102 |       "kms:Decrypt",
		103 |       "kms:GenerateDataKey",
		104 |       "kms:DescribeKey"
		105 |     ]
		106 |     resources = ["*"]
		107 |   }
		108 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.athena_layer.aws_iam_policy_document.this_log_key_document
	File: /modules/step_function/main.tf:81-108
	Calling File: /step_functions_main.tf:5-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		81  | data "aws_iam_policy_document" "this_log_key_document" {
		82  |   statement {
		83  |     sid    = "EnableIAMUserPermissions"
		84  |     effect = "Allow"
		85  |     principals {
		86  |       type        = "AWS"
		87  |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		88  |     }
		89  |     actions   = ["kms:*"]
		90  |     resources = ["*"]
		91  |   }
		92  | 
		93  |   statement {
		94  |     sid    = "EnableLogServicePermissions"
		95  |     effect = "Allow"
		96  |     principals {
		97  |       type        = "Service"
		98  |       identifiers = ["logs.${data.aws_region.current.name}.amazonaws.com"]
		99  |     }
		100 |     actions = [
		101 |       "kms:Encrypt",
		102 |       "kms:Decrypt",
		103 |       "kms:GenerateDataKey",
		104 |       "kms:DescribeKey"
		105 |     ]
		106 |     resources = ["*"]
		107 |   }
		108 | }

Check: CKV_AWS_284: "Ensure State Machine has X-Ray tracing enabled"
	FAILED for resource: module.athena_layer.aws_sfn_state_machine.this
	File: /modules/step_function/main.tf:4-14
	Calling File: /step_functions_main.tf:5-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-284

		4  | resource "aws_sfn_state_machine" "this" {
		5  |   name       = var.name
		6  |   role_arn   = aws_iam_role.step_function_role.arn
		7  |   definition = templatefile("step_function_definitions/${var.name}.json.tmpl", var.variable_dictionary)
		8  |   type       = var.type
		9  |   logging_configuration {
		10 |     log_destination        = "${aws_cloudwatch_log_group.this_log_group.arn}:*"
		11 |     include_execution_data = true
		12 |     level                  = "ALL"
		13 |   }
		14 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: module.get_zipped_file_api.aws_iam_policy_document.step_function_base_permissions
	File: /modules/step_function/main.tf:44-73
	Calling File: /step_functions_main.tf:19-30
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		44 | data "aws_iam_policy_document" "step_function_base_permissions" {
		45 |   statement {
		46 |     effect    = "Allow"
		47 |     actions   = ["sns:Publish", "sqs:SendMessage"]
		48 |     resources = ["*"]
		49 |   }
		50 |   statement {
		51 |     effect    = "Allow"
		52 |     actions   = ["kms:GenerateDataKey", "kms:Decrypt"]
		53 |     resources = [aws_kms_key.this_log_key.arn]
		54 |   }
		55 |   statement {
		56 |     effect = "Allow"
		57 |     actions = [
		58 |       "logs:CreateLogDelivery",
		59 |       "logs:CreateLogStream",
		60 |       "logs:GetLogDelivery",
		61 |       "logs:UpdateLogDelivery",
		62 |       "logs:DeleteLogDelivery",
		63 |       "logs:ListLogDeliveries",
		64 |       "logs:PutResourcePolicy",
		65 |       "logs:DescribeResourcePolicies",
		66 |       "logs:DescribeLogGroups",
		67 |       "logs:PutDestination",
		68 |       "logs:PutDestinationPolicy",
		69 |       "logs:PutLogEvents"
		70 |     ]
		71 |     resources = ["*"]
		72 |   }
		73 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.get_zipped_file_api.aws_iam_policy_document.step_function_base_permissions
	File: /modules/step_function/main.tf:44-73
	Calling File: /step_functions_main.tf:19-30
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		44 | data "aws_iam_policy_document" "step_function_base_permissions" {
		45 |   statement {
		46 |     effect    = "Allow"
		47 |     actions   = ["sns:Publish", "sqs:SendMessage"]
		48 |     resources = ["*"]
		49 |   }
		50 |   statement {
		51 |     effect    = "Allow"
		52 |     actions   = ["kms:GenerateDataKey", "kms:Decrypt"]
		53 |     resources = [aws_kms_key.this_log_key.arn]
		54 |   }
		55 |   statement {
		56 |     effect = "Allow"
		57 |     actions = [
		58 |       "logs:CreateLogDelivery",
		59 |       "logs:CreateLogStream",
		60 |       "logs:GetLogDelivery",
		61 |       "logs:UpdateLogDelivery",
		62 |       "logs:DeleteLogDelivery",
		63 |       "logs:ListLogDeliveries",
		64 |       "logs:PutResourcePolicy",
		65 |       "logs:DescribeResourcePolicies",
		66 |       "logs:DescribeLogGroups",
		67 |       "logs:PutDestination",
		68 |       "logs:PutDestinationPolicy",
		69 |       "logs:PutLogEvents"
		70 |     ]
		71 |     resources = ["*"]
		72 |   }
		73 | }

Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: module.get_zipped_file_api.aws_iam_policy_document.this_log_key_document
	File: /modules/step_function/main.tf:81-108
	Calling File: /step_functions_main.tf:19-30
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint

		81  | data "aws_iam_policy_document" "this_log_key_document" {
		82  |   statement {
		83  |     sid    = "EnableIAMUserPermissions"
		84  |     effect = "Allow"
		85  |     principals {
		86  |       type        = "AWS"
		87  |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		88  |     }
		89  |     actions   = ["kms:*"]
		90  |     resources = ["*"]
		91  |   }
		92  | 
		93  |   statement {
		94  |     sid    = "EnableLogServicePermissions"
		95  |     effect = "Allow"
		96  |     principals {
		97  |       type        = "Service"
		98  |       identifiers = ["logs.${data.aws_region.current.name}.amazonaws.com"]
		99  |     }
		100 |     actions = [
		101 |       "kms:Encrypt",
		102 |       "kms:Decrypt",
		103 |       "kms:GenerateDataKey",
		104 |       "kms:DescribeKey"
		105 |     ]
		106 |     resources = ["*"]
		107 |   }
		108 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: module.get_zipped_file_api.aws_iam_policy_document.this_log_key_document
	File: /modules/step_function/main.tf:81-108
	Calling File: /step_functions_main.tf:19-30
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		81  | data "aws_iam_policy_document" "this_log_key_document" {
		82  |   statement {
		83  |     sid    = "EnableIAMUserPermissions"
		84  |     effect = "Allow"
		85  |     principals {
		86  |       type        = "AWS"
		87  |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		88  |     }
		89  |     actions   = ["kms:*"]
		90  |     resources = ["*"]
		91  |   }
		92  | 
		93  |   statement {
		94  |     sid    = "EnableLogServicePermissions"
		95  |     effect = "Allow"
		96  |     principals {
		97  |       type        = "Service"
		98  |       identifiers = ["logs.${data.aws_region.current.name}.amazonaws.com"]
		99  |     }
		100 |     actions = [
		101 |       "kms:Encrypt",
		102 |       "kms:Decrypt",
		103 |       "kms:GenerateDataKey",
		104 |       "kms:DescribeKey"
		105 |     ]
		106 |     resources = ["*"]
		107 |   }
		108 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.get_zipped_file_api.aws_iam_policy_document.this_log_key_document
	File: /modules/step_function/main.tf:81-108
	Calling File: /step_functions_main.tf:19-30
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		81  | data "aws_iam_policy_document" "this_log_key_document" {
		82  |   statement {
		83  |     sid    = "EnableIAMUserPermissions"
		84  |     effect = "Allow"
		85  |     principals {
		86  |       type        = "AWS"
		87  |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		88  |     }
		89  |     actions   = ["kms:*"]
		90  |     resources = ["*"]
		91  |   }
		92  | 
		93  |   statement {
		94  |     sid    = "EnableLogServicePermissions"
		95  |     effect = "Allow"
		96  |     principals {
		97  |       type        = "Service"
		98  |       identifiers = ["logs.${data.aws_region.current.name}.amazonaws.com"]
		99  |     }
		100 |     actions = [
		101 |       "kms:Encrypt",
		102 |       "kms:Decrypt",
		103 |       "kms:GenerateDataKey",
		104 |       "kms:DescribeKey"
		105 |     ]
		106 |     resources = ["*"]
		107 |   }
		108 | }

Check: CKV_AWS_284: "Ensure State Machine has X-Ray tracing enabled"
	FAILED for resource: module.get_zipped_file_api.aws_sfn_state_machine.this
	File: /modules/step_function/main.tf:4-14
	Calling File: /step_functions_main.tf:19-30
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-284

		4  | resource "aws_sfn_state_machine" "this" {
		5  |   name       = var.name
		6  |   role_arn   = aws_iam_role.step_function_role.arn
		7  |   definition = templatefile("step_function_definitions/${var.name}.json.tmpl", var.variable_dictionary)
		8  |   type       = var.type
		9  |   logging_configuration {
		10 |     log_destination        = "${aws_cloudwatch_log_group.this_log_group.arn}:*"
		11 |     include_execution_data = true
		12 |     level                  = "ALL"
		13 |   }
		14 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.db_password
	File: /server_backups.tf:4-6
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		4 | resource "aws_secretsmanager_secret" "db_password" {
		5 |   name = "db_password"
		6 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-354

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-73

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-353

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-293

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.db_glue_connection
	File: /lambdas_secrets.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		1 | resource "aws_secretsmanager_secret" "db_glue_connection" {
		2 |   name = "db_glue_connection"
		3 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.db_password
	File: /server_backups.tf:4-6
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		4 | resource "aws_secretsmanager_secret" "db_password" {
		5 |   name = "db_password"
		6 | }

Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
	FAILED for resource: aws_db_instance.database_2022
	File: /server_backups.tf:21-56
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-60

		21 | resource "aws_db_instance" "database_2022" {
		22 |   #   count = local.is-production ? 1 : 0
		23 | 
		24 |   identifier    = "database-v2022"
		25 |   license_model = "license-included"
		26 |   username      = "admin"
		27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
		28 | 
		29 |   engine         = "sqlserver-se"
		30 |   engine_version = "16.00.4105.2.v1"
		31 |   instance_class = "db.m5.large"
		32 | 
		33 |   storage_type          = "gp2"
		34 |   allocated_storage     = 2100
		35 |   max_allocated_storage = 2500
		36 |   storage_encrypted     = true
		37 | 
		38 |   multi_az = false
		39 | 
		40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
		41 |   vpc_security_group_ids = [aws_security_group.db.id]
		42 |   port                   = 1433
		43 | 
		44 |   auto_minor_version_upgrade = true
		45 |   skip_final_snapshot        = true
		46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
		47 |   deletion_protection        = false
		48 | 
		49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
		50 | 
		51 |   iam_database_authentication_enabled = false
		52 | 
		53 |   apply_immediately = true
		54 | 
		55 |   tags = local.tags
		56 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.glue_rds_conn_security_group
	File: /dms_security_groups.tf:81-92
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		81 | resource "aws_security_group" "glue_rds_conn_security_group" {
		82 |   name        = "glue-rds-sqlserver-connection-tf"
		83 |   description = "Secuity Group for Glue-RDS-Connection"
		84 |   vpc_id      = data.aws_vpc.shared.id
		85 | 
		86 |   tags = merge(
		87 |     local.tags,
		88 |     {
		89 |       Resource_Type = "Secuity Group for Glue-RDS-Connection",
		90 |     }
		91 |   )
		92 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: module.buddi.module.landing_zone_security_groups.aws_security_group.this
	File: /modules/landing_zone/server_security_group/main.tf:7-22
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		7  | resource "aws_security_group" "this" {
		8  |   name        = "${var.supplier}-${var.user_name}-inbound-ips"
		9  |   description = "Allowed IP addresses for ${var.user_name} on ${var.supplier} server"
		10 |   vpc_id      = var.vpc_id
		11 | 
		12 |   lifecycle {
		13 |     create_before_destroy = true
		14 |   }
		15 | 
		16 |   tags = merge(
		17 |     var.local_tags,
		18 |     {
		19 |       supplier = var.user_name,
		20 |     },
		21 |   )
		22 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: module.capita.module.landing_zone_security_groups.aws_security_group.this
	File: /modules/landing_zone/server_security_group/main.tf:7-22
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		7  | resource "aws_security_group" "this" {
		8  |   name        = "${var.supplier}-${var.user_name}-inbound-ips"
		9  |   description = "Allowed IP addresses for ${var.user_name} on ${var.supplier} server"
		10 |   vpc_id      = var.vpc_id
		11 | 
		12 |   lifecycle {
		13 |     create_before_destroy = true
		14 |   }
		15 | 
		16 |   tags = merge(
		17 |     var.local_tags,
		18 |     {
		19 |       supplier = var.user_name,
		20 |     },
		21 |   )
		22 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: module.g4s.module.landing_zone_security_groups.aws_security_group.this
	File: /modules/landing_zone/server_security_group/main.tf:7-22
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		7  | resource "aws_security_group" "this" {
		8  |   name        = "${var.supplier}-${var.user_name}-inbound-ips"
		9  |   description = "Allowed IP addresses for ${var.user_name} on ${var.supplier} server"
		10 |   vpc_id      = var.vpc_id
		11 | 
		12 |   lifecycle {
		13 |     create_before_destroy = true
		14 |   }
		15 | 
		16 |   tags = merge(
		17 |     var.local_tags,
		18 |     {
		19 |       supplier = var.user_name,
		20 |     },
		21 |   )
		22 | }

dockerfile scan results:

Passed checks: 21, Failed checks: 2, Skipped checks: 0

Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
	FAILED for resource: /lambdas/update_log_table/Dockerfile.
	File: /lambdas/update_log_table/Dockerfile:1-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images

		1 | FROM public.ecr.aws/lambda/python:3.11
		2 | 
		3 | COPY requirements.txt .
		4 | 
		5 | RUN pip install -r requirements.txt --target "${LAMBDA_TASK_ROOT}"
		6 | 
		7 | COPY update_log_table.py ${LAMBDA_TASK_ROOT}
		8 | 
		9 | CMD ["update_log_table.handler"]
Check: CKV_DOCKER_3: "Ensure that a user for the container has been created"
	FAILED for resource: /lambdas/update_log_table/Dockerfile.
	File: /lambdas/update_log_table/Dockerfile:1-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-that-a-user-for-the-container-has-been-created

		1 | FROM public.ecr.aws/lambda/python:3.11
		2 | 
		3 | COPY requirements.txt .
		4 | 
		5 | RUN pip install -r requirements.txt --target "${LAMBDA_TASK_ROOT}"
		6 | 
		7 | COPY update_log_table.py ${LAMBDA_TASK_ROOT}
		8 | 
		9 | CMD ["update_log_table.handler"]

checkov_exitcode=1

CTFLint Scan Failed

Show Output 
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/electronic-monitoring-data

*****************************

Running tflint in terraform/environments/electronic-monitoring-data
Excluding the following checks: terraform_unused_declarations
3 issue(s) found:

Warning: Missing version constraint for provider "archive" in `required_providers` (terraform_required_providers)

  on terraform/environments/electronic-monitoring-data/data_store.tf line 151:
 151: data "archive_file" "summarise_zip_lambda" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: `s3_pylib_dir_path` variable has no type (terraform_typed_variables)

  on terraform/environments/electronic-monitoring-data/glue_variables.tf line 1:
   1: variable "s3_pylib_dir_path" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_typed_variables.md

Warning: Missing version constraint for provider "random" in `required_providers` (terraform_required_providers)

  on terraform/environments/electronic-monitoring-data/server_backups.tf line 13:
  13: resource "random_password" "random_password" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

tflint_exitcode=2

Trivy Scan Failed

Show Output 
*****************************

Trivy will check the following folders:
terraform/environments/electronic-monitoring-data

*****************************

Running Trivy in terraform/environments/electronic-monitoring-data
2024-12-02T17:05:35Z	INFO	[vulndb] Need to update DB
2024-12-02T17:05:35Z	INFO	[vulndb] Downloading vulnerability DB...
2024-12-02T17:05:35Z	INFO	[vulndb] Downloading artifact...	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-02T17:05:37Z	INFO	[vulndb] Artifact successfully downloaded	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-02T17:05:37Z	INFO	[vuln] Vulnerability scanning is enabled
2024-12-02T17:05:37Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-12-02T17:05:37Z	INFO	[misconfig] Need to update the built-in checks
2024-12-02T17:05:37Z	INFO	[misconfig] Downloading the built-in checks...
160.80 KiB / 160.80 KiB [---------------------------------------------------------] 100.00% ? p/s 0s2024-12-02T17:05:37Z	INFO	[secret] Secret scanning is enabled
2024-12-02T17:05:37Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-12-02T17:05:37Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-12-02T17:05:38Z	WARN	[pip] Unable to find python `site-packages` directory. License detection is skipped.	err="site-packages directory not found"
2024-12-02T17:05:39Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-12-02T17:05:39Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2024-12-02T17:05:41Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.create_athena_table.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-02T17:05:41Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.create_athena_table.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-02T17:05:41Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.get_file_keys_for_table.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-02T17:05:41Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.get_file_keys_for_table.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-02T17:05:41Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.get_metadata_from_rds_lambda.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-02T17:05:41Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.get_metadata_from_rds_lambda.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-02T17:05:41Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.output_file_structure_as_json_from_zip.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-02T17:05:41Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.output_file_structure_as_json_from_zip.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-02T17:05:41Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.query_output_to_list.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-02T17:05:41Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.query_output_to_list.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-02T17:05:41Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.rds_bastion.aws_s3_object.user_public_keys" value="cty.NilVal"
2024-12-02T17:05:41Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.rds_bastion.data.aws_subnet.local_account" value="cty.NilVal"
2024-12-02T17:05:41Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.rds_bastion.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-02T17:05:41Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.rds_bastion.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-02T17:05:41Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.output_file_structure_as_json_from_zip.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-02T17:05:41Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.output_file_structure_as_json_from_zip.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-02T17:05:41Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.create_athena_table.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-02T17:05:41Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.create_athena_table.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-02T17:05:41Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.get_file_keys_for_table.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-02T17:05:41Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.get_file_keys_for_table.aws_lambda_function.this" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this.dynamic.vpc_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2024-12-02T17:05:48Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-12-02T17:05:48Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-12-02T17:05:48Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-12-02T17:05:48Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-12-02T17:05:48Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-12-02T17:05:48Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-12-02T17:05:48Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-12-02T17:05:48Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-12-02T17:05:48Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-12-02T17:05:48Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-12-02T17:05:48Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-12-02T17:05:48Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=95ed3c3/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2024-12-02T17:05:48Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="s3.tf:1121-1140"
2024-12-02T17:05:48Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-enable-bucket-encryption" range="s3.tf:1121-1140"
2024-12-02T17:05:48Z	INFO	[terraform executor] Ignore finding	rule="aws-cloudwatch-log-group-customer-key" range="modules/api_step_function/main.tf:281-286"
2024-12-02T17:05:48Z	INFO	[terraform executor] Ignore finding	rule="aws-cloudwatch-log-group-customer-key" range="modules/api_step_function/main.tf:407-411"
2024-12-02T17:05:48Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-user-attached-policies" range="modules/landing_bucket_iam_user_access/main.tf:2-10"
2024-12-02T17:05:48Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-user-attached-policies" range="modules/landing_bucket_iam_user_access/main.tf:2-10"
2024-12-02T17:05:48Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-enable-versioning" range="s3.tf:1121-1140"
2024-12-02T17:05:48Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-enable-logging" range="s3.tf:1121-1140"
2024-12-02T17:05:48Z	INFO	[terraform executor] Ignore finding	rule="aws-ssm-secret-use-customer-key" range="analytical_platform_share.tf:50-68"
2024-12-02T17:05:48Z	INFO	Number of language-specific files	num=1
2024-12-02T17:05:48Z	INFO	[pip] Detecting vulnerabilities...
2024-12-02T17:05:48Z	INFO	Detected config files	num=17

lambdas/update_log_table/Dockerfile (dockerfile)
================================================
Tests: 21 (SUCCESSES: 20, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-DS-0002 (HIGH): Specify at least 1 USER command in Dockerfile with non-root user as argument
════════════════════════════════════════
Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.

See https://avd.aquasec.com/misconfig/ds002
────────────────────────────────────────


trivy_exitcode=1

pricemg
pricemg commented Dec 3, 2024
View reviewed changes
Copy link
Contributor Author

@pricemg pricemg left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm 👍

@JazJax JazJax had a problem deploying to electronic-monitoring-data-development December 3, 2024 09:27 — with GitHub Actions Failure
@JazJax JazJax had a problem deploying to electronic-monitoring-data-test December 3, 2024 09:27 — with GitHub Actions Failure
matt-heery
matt-heery approved these changes Dec 3, 2024
View reviewed changes
Copy link
Contributor

@matt-heery matt-heery left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm - someone needs to fully delete the db glue secrets tho :'(

@JazJax JazJax temporarily deployed to electronic-monitoring-data-development December 3, 2024 10:22 — with GitHub Actions Inactive
@pricemg pricemg merged commit d988b97 into main Dec 3, 2024
14 of 16 checks passed
@pricemg pricemg deleted the front_end_role branch December 3, 2024 10:30
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@JazJax JazJax JazJax left review comments

@matt-heery matt-heery matt-heery approved these changes

@luke-a-williams luke-a-williams luke-a-williams left review comments

Assignees
No one assigned
Labels
environments-repository Used to exclude PRs from this repo in our Slack PR update
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@pricemg @luke-a-williams @JazJax @matt-heery